Why Is Common Vulnerability Scanning Practice Useless?

I hope you find this obvious, but unfortunately the security community relies on vulnerability scanning in a way that makes it totally useless or even harmful!

Vulnerability assessment is the evaluation of a system against known and potential security flaws. A system is simply a collection of processes, workflows, people, nodes, software… but traditional vulnerability scanning focuses only on individual nodes and pieces of software rather than seeing them as a whole equation.

Today's common vulnerability scanning, which is believed to be so effective and is the center of attention for almost every type of managed security service, is actually harmful in that it completely ignores the attack vectors that result from the links, connections and relations between the many (all) components of a system, not just computers, web servers and software applications.

Penetration Testing vs. Secure Code Review

What is the best way to make sure a software product is secure? 

The easiest way is to roll it out to the market, see what happens and hope everything goes well… no kidding, that is what most software developers do!

Let's forget about what the majority of the software community does and look at the other ways:

1- Penetration testing: for decades this was the best resort. If you are a software developer and you test your software, then you are good. Of course, I do not want to get into the types, quality and results of the many ways of penetration testing, or talk about how businesses rely on tools that are natively incapable of finding security flaws… I have been doing pen-tests for more than two decades and have never used a particular 'tool' out of the box for that purpose.

But regardless of what is right and wrong in penetration testing, introducing software to this stage before or even after market presence is smart, but it is also expensive: the developer needs to test every time the software changes, technically with each new version, and of course they can scope the test based on what changed.

2- Secure code review: when, two decades ago, I suggested to one of my clients that they migrate to a system of constant checking and verification 'before' even compiling the software, they thought I was crazy to ignore the great money paid for penetration testing, but I just wanted to make sure that software I put my verification stamp on had the better, easier, faster and cheaper way of finding security flaws, was more reliable, offered more control and, in one sentence, had the right way of finding and mitigating security flaws.

Penetration testing is very good, but it is after the fact. I have seen many software products where fixing discovered vulnerabilities takes a long time, is expensive and in many situations is even impossible, so why not find those flaws before the final stages of development, or before rolling out to market?

When to do secure code review? 

  • When compliance is a factor 
  • When the budget and other resources are limited 
  • When dealing with time-sensitive software projects 
  • When releasing hundreds of new versions annually 

When to do penetration testing? 

  • Always!
  • When testing only the software is not an option and the system and/or process are targeted 
  • When Settings, Configurations and Workflows are important

Does either of them dilute the other? In other words, can I skip secure code review just because I will have a comprehensive penetration test, or vice versa? 

No! Skipping either of them means skipping an important phase of the software lifecycle and corrupting the SDLC.
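To make the 'before compiling' argument concrete, here is an added example, not code from the original post: a query built from a string beside its parameterized fix, and a deliberately small review-time check that flags string-built SQL in Python source before anything is built. The function names, the regex heuristic, the constructed `SAMPLE_SOURCE` and the in-memory SQLite table are all assumptions made for this illustration; a real review pipeline would use a proper static analysis tool, but the division of labour is the same: the reviewer's check finds the flaw in the diff, the pen test finds it in production.

```python
"""Added example (not the blog's own code): a pre-build check of the kind a
secure code review process runs, beside the flaw it is meant to catch."""
import re
import sqlite3

# The flaw: SQL assembled with an f-string. A pen test finds this after the
# fact by sending "' OR '1'='1"; a code review finds it before the build.
def find_user_vulnerable(conn, username):
    cur = conn.execute(f"SELECT id, name FROM users WHERE name = '{username}'")
    return cur.fetchall()

# The fix: a parameterized query. The driver never lets data become SQL.
def find_user_fixed(conn, username):
    cur = conn.execute("SELECT id, name FROM users WHERE name = ?", (username,))
    return cur.fetchall()

# Review-time check (assumed heuristic): flag execute() calls whose SQL text
# is an f-string, or is joined to other values with %, + or .format().
_STRING_BUILT_SQL = re.compile(
    r"""\.execute\(\s*f["']|\.execute\(.*["']\s*(?:%|\+|\.format\()"""
)

def flag_string_built_sql(source: str) -> list[int]:
    """Return the 1-based line numbers of execute() calls built from strings."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if _STRING_BUILT_SQL.search(line)]

# Constructed sample source, as a reviewer would see it in a diff.
SAMPLE_SOURCE = (
    "def find_user(conn, username):\n"                                                # 1
    "    cur = conn.execute(f\"SELECT id FROM users WHERE name = '{username}'\")\n"    # 2  flagged
    "    return cur.fetchall()\n"                                                      # 3
    "def find_user_old(conn, username):\n"                                            # 4
    "    cur = conn.execute(\"SELECT id FROM users WHERE name = '%s'\" % username)\n"  # 5  flagged
    "    return cur.fetchall()\n"                                                      # 6
    "def find_user_fixed(conn, username):\n"                                          # 7
    "    cur = conn.execute(\"SELECT id FROM users WHERE name = ?\", (username,))\n"   # 8  clean
    "    return cur.fetchall()\n"                                                      # 9
)

def demo() -> tuple[int, int]:
    """Run both queries against a constructed table with the classic payload.
    Returns (rows leaked by the vulnerable query, rows returned by the fix)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    payload = "' OR '1'='1"
    return len(find_user_vulnerable(conn, payload)), len(find_user_fixed(conn, payload))

if __name__ == "__main__":
    print("review flags lines:", flag_string_built_sql(SAMPLE_SOURCE))  # [2, 5]
    print("rows leaked, rows from fix:", demo())                         # (2, 0)
```

The check is line-based on purpose: it runs in a pre-commit hook or CI job in milliseconds, every time the code changes, which is exactly the cadence the post says a penetration test cannot afford.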

Does the Internet Act as a Valid Source of Information?

The Internet was built with the initial goal of delivering the most validated data to the corresponding party. Today we are far away from that mindset, but still, how much can we rely on the data provided via the Net?

The answer simply depends on the source of the data. People usually believe what they read and see on the Net, especially if it is Wikipedia or Google reviews… but in fact those are not valid sources of information. Most of the time the information is not even accurate, regardless of the fact that information providers are prone to being censored in a very tricky way if what they say is not favorable.

As an example that applies to this weblog, if I wanted to participate in the Google AdSense program, I would not be able to question Google services or criticize Wikipedia, because based on Google policy you are not eligible if you are targeting a specific group of people, companies or society.

Valid sources of information are currently so hidden and inaccessible mainly because people use portals to direct them, and we know that web portals are not neutral; search neutrality is clearly a joke when more than half of a Google search result page (for lack of a better word!) is paid advertising and 80% of the remaining content is repeated and duplicated. One reason is the way portals (not all of them) filter information through a broken ranking system whose algorithm's job is not really to find you the best match for your search but mostly to find the best match for the firm's advertising and marketing policy.

The Internet could act as a valid source of information if we could reach the primary sources of science and pure pieces of knowledge without a proxy named search engine. Sorry, I meant to say Google, because people do not even believe in other search engines like Bing or Yahoo!

When was the last time you searched (or Googled) and the result came from a university or a valid article from a scientist? Probably 1 in 10,000, or actually never! Because the whole system targets only one thing: advertising and data brokering. The "Web Monsters", which is literally only Google, push content providers like web loggers to comply with their search system, which is tied to ad systems, which means authors are creating crap rather than what they really believe. Again, consider my weblog: I won't be able to reach a rank with a major search engine because from the ranking robot's point of view my content is not readable. Is a good dental clinic necessarily the cleanest one? Is a good restaurant necessarily what the reviews say? Is a good person necessarily white?!

In order to reach valid information on the web, first we need to change our habits and look for validated sources rather than relying solely on popular web portals. Remember, in the best case possible, popular search engines are not able to crawl and index more than 25% of the Net. That means at least 75% of the content is hidden (not counting the dark web or underground), and roughly 90% of the valuable and valid information.

No Silver Bullet in Computer Security

There is no silver bullet in any aspect of information security. All the answers like EDR, MFA, SIEM… might put you in a better or worse security posture; it all depends on how you implement and manage them, but none of them is a silver bullet in its area (malware protection, authentication, monitoring…). It is all about how the market pushes the community to handle the panic attack!

The only fundamental approach, still not a silver bullet, is the Least Privilege, Least Service concept, which has saved hundreds of smart companies from spending lots of money and effort to secure their assets.

The silver bullet approach will eventually lead a firm's cyber security team into a dead loop where there is no end to purchasing, worry and fire fighting, and still more insecurities and more uncertainties.

Accurate Vendor Risk Assessment

How to have an accurate vendor risk assessment? 

Assessing your vendors, suppliers, business associates… or whatever term you use for whoever provides services to your firm is crucial and might even be required from a regulatory standpoint (e.g. under HIPAA). I do not want to get into the detail of what the best questionnaire would be and what logic you should follow to get the best result without a spreadsheet of hundreds or thousands of questions. But I would like to emphasize a key element that could apply to almost every single question in your RFI. 

When asking questions about security policies and procedures, the "effective date" is usually overlooked during assessment or missing from the questionnaire entirely. However, 'time' in general is the most important factor in any security policy: the effective date, and the duration for which a policy has been enforced. 

Experience shows that when suppliers face a VRA, the main concern and strategy is to avoid potentially negative answers by fixing things overnight. In reality, this means that if the vendor is capable of fixing an issue, they prefer to mitigate it before answering the questionnaire, so they go and put in new policies, new procedures… and sometimes those actions really are effective, but the result will not be an accurate risk assessment, because the effective date of a policy, of a new security measure, even of the perfect secure settings, matters, and the duration for which a policy has been active is crucial. 

An analogy is the effectiveness of taking vitamins: while vitamins might be helpful, nothing changes overnight even with the best multivitamin. We always need to give the body time, taking the vitamin regularly for a minimum period before seeing any benefit, and longer still to eliminate all the negative effects of the deficiency. 

Changing a policy or setting up a security rule does not mitigate a risk right away, and for that reason asking for effective dates and duration is so useful. For example: 

Do you have a policy for passwords? If yes, please describe the policy briefly, indicating its effective date (evidence may be requested).
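What that question buys you is shown by the following added example, which is not from the original post: a small scorer that rates each questionnaire answer by how long the control has actually been in force at the assessment date, instead of stopping at yes/no. The `PolicyAnswer` schema, the 90-day `MIN_DAYS_IN_FORCE` threshold, the rating labels and the sample vendor responses are all assumptions constructed for this illustration.

```python
"""Added example (not the blog's own code): treat 'how long has this control
been in force' as part of the answer, not just 'does it exist'."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed threshold: a control younger than this at assessment time counts as
# "fixed overnight" and earns no credit yet. Tune it per control type.
MIN_DAYS_IN_FORCE = 90

@dataclass
class PolicyAnswer:
    question: str
    exists: bool                    # the yes/no most questionnaires stop at
    effective_date: Optional[date]  # the date the post argues for; None if not given

def rate_answer(answer: PolicyAnswer, assessment_date: date,
                min_days: int = MIN_DAYS_IN_FORCE) -> str:
    """Rate one answer by the age of the control, not just by its existence."""
    if not answer.exists:
        return "missing"
    if answer.effective_date is None:
        return "unverified"       # "yes" without a date is a claim, not evidence
    age_days = (assessment_date - answer.effective_date).days
    if age_days < 0:
        return "future-dated"     # written, but not in force yet
    if age_days < min_days:
        return "too-recent"       # plausibly created for this questionnaire
    return "established"

def rate_questionnaire(answers, assessment_date):
    """Return {question: rating} for a whole questionnaire."""
    return {a.question: rate_answer(a, assessment_date) for a in answers}

# Constructed vendor responses for an assessment dated 2024-03-01 (not real data).
ASSESSMENT_DATE = date(2024, 3, 1)
SAMPLE_ANSWERS = [
    PolicyAnswer("Password policy", True, date(2021, 6, 15)),
    PolicyAnswer("MFA for remote access", True, date(2024, 2, 20)),  # 10 days old
    PolicyAnswer("Vendor patching SLA", True, None),                 # "yes", no date
    PolicyAnswer("Incident response plan", False, None),
    PolicyAnswer("Data retention policy", True, date(2024, 4, 1)),   # dated after the assessment
]

if __name__ == "__main__":
    for question, rating in rate_questionnaire(SAMPLE_ANSWERS, ASSESSMENT_DATE).items():
        print(f"{question:25s} {rating}")
```

The "too-recent" and "unverified" buckets are the ones the post is about: they are exactly the answers a plain yes/no column would have marked green.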

Vendor Risk Assessment: Hassle or Blessing?!

A security questionnaire, RFI, VRA (Vendor Risk Assessment), Vendor Risk Management… helps customers identify and evaluate the risks of using a vendor's product or service. Performing such a review is sometimes mandatory depending on the industry (e.g. healthcare). During this standard business process the customer collects written information about the security capabilities of a supplier, and you can barely find suppliers, vendors or business associates who are interested in interacting with this naturally revealing practice, because they refuse to learn from it and ease the process, so it remains stressful, time consuming and potentially exposes them to other risks like losing a contract. 

But how to learn from vendor risk assessment and turn it into a tool to improve the business relationship? The first step is to have a system to handle requests, write a policy and come up with a strategy. A well-defined system will automatically lead you to better interaction and will improve itself over time. Study the questionnaires and normalize the questions, find your flaws and, rather than rushing to fix them, look for root causes and address them accordingly. Remember, all you have to do is manage risks, not necessarily mitigate them, so expecting a fully green, 100% risk-free business partnership shows a lack of understanding of how risk works.

Coding Skills and Security Administration

Do coding skills help with the general routine and daily security administration of computer systems and networks?

Yes. Apart from the fact that 'scripting' is (or used to be) a crucial skill for managing computer systems and networks, coding skills are not only fundamental to understanding the details of computer security but also fundamental to the security administration of computer systems and networks.

The cyber security ecosystem is more than CIA and describing it on paper. In order to understand the elements of computer security we need to be fully skilled in the fundamentals of computer science, which are truly software and hardware.

I am not saying you need to learn machine language and assembly, because that is for someone dedicated to the lowest level of security, like finding flaws and writing patches for operating systems and kernels, but one still needs more than a basic level of at least some scripting languages like PowerShell, WSH (Windows Script Host), Bash, Python… to handle security administration, if not to dig into the details.

Some other coding skills help you set up, configure, troubleshoot and generally operate more smoothly than other admins:

Java: knowing Java, even if you never want to write a single line of code in it, is crucial because there are hundreds of thousands of utilities and backend systems coded purely in Java, and it is so much easier to understand them once you master Java.

JavaScript: you may find it funny how HTML with JavaScript can help you in security administration. Once you start digging into the security aspects of many applications you will find HTML crucial and super helpful.

PHP: helpful if you are dealing with web apps in general. There are millions of web apps running on this powerful language.

SQL: any knowledge of any flavor of SQL is very helpful, and if you deal with databases regularly then knowing how to write SQL directly or via a host interface like PHP is a must.

I personally put Python as a must only if you want to develop as well. In other words, knowing Python is very helpful only if you are going to develop specifically for a customized environment and integrate other systems and utilities.

What I can tell you generally is that specialty is of course very important in any aspect of computer science for which you are going to be the subject matter person, but whether we like it or not, it is critical to know about all fields of computer science to be able to manage a tech environment sufficiently.

For example, one cannot be an expert in networking without full knowledge of SSH, and so probably won't be able to operate a network securely without being capable of the administration part. Coding skill is not a preference; it is critical to security administration.
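As an added example of the routine security administration the post has in mind, done with a scripting language rather than a purchased tool (this is not code from the original post): a few lines of Python that count failed SSH logins per source address and flag sources over a threshold. The sshd line format is the standard Linux auth.log one; the function names, the threshold of 5 and the log excerpt are assumptions constructed for this illustration.

```python
"""Added example (not the blog's own code): a daily security-admin task in
plain Python: find password brute-force sources in an sshd log."""
import re
from collections import Counter

# Assumed input: Linux sshd lines as written to auth.log / the journal.
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failed_logins_by_source(lines):
    """Return a Counter of source IP -> number of failed password attempts."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:                       # "Accepted password" lines do not match
            counts[match.group("ip")] += 1
    return counts

def brute_force_sources(lines, threshold=5):
    """Sources with at least `threshold` failures, most active first.
    Returns a list of (ip, failures) tuples."""
    counts = failed_logins_by_source(lines)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]

# Constructed log excerpt (not real traffic): 6 failures from 203.0.113.7,
# 2 failures and then a success from 198.51.100.9.
SAMPLE_LOG = """\
Mar  1 08:00:01 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  1 08:00:02 bastion sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  1 08:00:03 bastion sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Mar  1 08:00:04 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  1 08:00:05 bastion sshd[2215]: Failed password for invalid user test from 203.0.113.7 port 51005 ssh2
Mar  1 08:00:06 bastion sshd[2216]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  1 08:01:10 bastion sshd[2220]: Failed password for alice from 198.51.100.9 port 40110 ssh2
Mar  1 08:01:15 bastion sshd[2221]: Failed password for alice from 198.51.100.9 port 40111 ssh2
Mar  1 08:01:20 bastion sshd[2222]: Accepted password for alice from 198.51.100.9 port 40112 ssh2
"""

if __name__ == "__main__":
    # On a real host: open("/var/log/auth.log") or `journalctl -u ssh` output.
    for ip, failures in brute_force_sources(SAMPLE_LOG.splitlines()):
        print(f"{ip:15s} {failures} failed logins")
```

Two typos of alice's password do not trip the threshold, while the source that cycles through root, admin, oracle and test does; the same script, pointed at the real log and run from cron, is the kind of check an admin who cannot script has to buy.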

Tech Staff Justifies Incompetence!

Have you ever listened to your tech team trying to justify all the tasks left behind, delayed or procrastinated?

Do you have an IT team bringing excuses for every project they are facing and trying to blame everything except the root cause?

Then you are not alone! Here is a known list of IT staff excuses. Knowing the pattern and the reasons behind it helps us manage our teams smarter:

Lack of resources: we do not have enough resources!

The best of the best excuses ever, a generic excuse for all types of failure, used when staff want to show how busy and swamped they are with everything, how much they are doing their best, and that the only reason a bunch of tasks and projects are delayed is that there are not enough resources.

Actually, the best description here is a lack of resourcefulness!

False positives, false negatives: cannot trust the data!

A trick to overlook an alarm and justify ignoring it. Imagine you probably have missing patches, nodes that have not got their malware signature updates, software that has been screaming for a reason… and staff simply ignore it because there have been some instances of false positives.

Tool limitation: we need better tools!

Being tool-oriented in the first place is a flaw of most tech staff, and it is no surprise that they want to blame the tools rather than blame themselves for not knowing how to use the tools, or for choosing the wrong tool.

Spontaneous nature: IT is so dynamic!

A very clever way of justifying every single failure. Of course, you won't blame them for breaking things and fixing things by luck if you believe that the nature of IT operations is spontaneous.

Later this week/month/year!

The classic way of accepting and procrastinating, a very well-known pattern of negligence when there is no other way around it. They simply say they are going to do it this coming week, and it may end up not done for a year.

No budget: needed money!

It is hard to debate when the subject is money. Staff bring a solution that requires money. No one challenges the validity of the solution, but everyone accepts the need for money, so it becomes super easy to rely on money and keep it handy as the excuse.

The legacy: that is not what I put there, it was there before I joined!

It means: I won't take ownership of something that someone else configured. Interesting, because when you are hiring them, they are going to fix everything messed up by the previous person, but then everything changes.

Dedicated staff: our team is tiny!

Dedication is really good to have, but in reality we face departments where people have at least a secondary or tertiary hat to wear. Talking about the size of a team ignores human intelligence and ignores the fact that we actually have technology taking care of many aspects of our duties, so especially as tech-savvy people we need to be able to utilize technology to handle the quantity so that we can handle the quality.

ISMS Is Not Equal to Real Security!

Is having an information security management system equal to actual security? 

Nope! Having an information security management system is not an indication of the quality of security controls. Management systems are an easier way of administering in a standard and systematic way, but they are not necessarily an indication of security control effectiveness. 

As an example, ISO 27001, one of the most popular information security management system standards to date, has no effect on the quality of your controls, as there is no judgement on the implementation quality, effectiveness and type of security controls. It is just a judgement of the logic. 

This is no surprise compared to any other management system, like the famous ISO 9001 for quality, where you can find thousands of firms holding that certification with the lowest quality of products. You will find the same number of firms holding tightly to their ISO 27001 certification as an indication of the "presence of quality security" but literally in the lowest bracket of information security effectiveness in practice. 

Let's say one has a system to fully manage the firewalls within an enterprise: all the rules are justified, reviewed and approved by the head of the technology department (which, FYI, you could barely find such a well-managed system, but still let's pretend it is not a big deal). Does it mean the firewall rules are technically secure and configured in a way that addresses the organization's concerns?! 

However, an information security management system, whether globally recognized like ISO 27001 or organically created within your organization, could be the best tool to approach your security program; it is all about execution and understanding of the information security elements 'particularly in regard to your business'. 
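The firewall question above can be made concrete with an added example (not from the original post): a small audit that looks only at what each rule technically permits and reports the rules that were approved through the process yet are still weak, which is exactly the gap between a managed rule set and a secure one. The `Rule` schema, the management-port list, the "wide range" threshold and the sample rules are assumptions constructed for this illustration, not any vendor's rule format.

```python
"""Added example (not the blog's own code): an approved firewall rule is still
only as good as what it permits. Audit what the rules allow, ignoring who
signed them off, then report the ones that are both approved and weak."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
MANAGEMENT_PORTS = {22, 23, 3389, 5900}   # assumed: never to be exposed to any source
WIDE_RANGE = 1000                         # assumed: more ports than this in one rule is a finding

@dataclass
class Rule:
    rule_id: str
    action: str                  # "allow" or "deny"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    ports: str                   # "any", "443" or "1024-65535"
    approved_by: Optional[str]   # the ISMS artefact: who signed the rule off

def _net(cidr):
    return ANY if cidr == "any" else ip_network(cidr, strict=False)

def _port_range(ports):
    if ports == "any":
        return 1, 65535
    low, _, high = ports.partition("-")
    return int(low), int(high or low)

def technical_findings(rule):
    """What is wrong with what the rule permits. Approval is deliberately not consulted."""
    findings = []
    if rule.action != "allow":
        return findings
    src, dst = _net(rule.src), _net(rule.dst)
    low, high = _port_range(rule.ports)
    all_ports = (low, high) == (1, 65535)
    if src == ANY and dst == ANY and all_ports:
        findings.append("any-to-any on all ports")
    elif src == ANY and all_ports:
        findings.append("all ports open from any source")
    elif high - low + 1 > WIDE_RANGE:
        findings.append(f"wide port range {low}-{high}")
    if src == ANY and any(low <= p <= high for p in MANAGEMENT_PORTS):
        findings.append("management port reachable from any source")
    return findings

def approved_but_weak(rules):
    """{rule_id: findings} for rules that passed the approval process and are still weak."""
    report = {}
    for rule in rules:
        findings = technical_findings(rule)
        if rule.approved_by and findings:
            report[rule.rule_id] = findings
    return report

# Constructed rule set (not a real firewall). Every rule but R5 is "managed".
SAMPLE_RULES = [
    Rule("R1", "allow", "any", "10.0.0.0/24", "443", "CTO"),                # fine
    Rule("R2", "allow", "any", "10.0.0.5/32", "22", "CTO"),                 # SSH from the Internet
    Rule("R3", "allow", "any", "any", "any", "CTO"),                        # any/any, duly approved
    Rule("R4", "allow", "10.1.0.0/16", "10.2.0.0/16", "1024-65535", "CTO"), # huge range
    Rule("R5", "allow", "any", "any", "any", None),                         # weak, but the process caught it
    Rule("R6", "deny", "any", "any", "any", "CTO"),                         # deny rules are not findings
]

if __name__ == "__main__":
    for rule_id, findings in approved_but_weak(SAMPLE_RULES).items():
        print(rule_id, "->", "; ".join(findings))
```

R3 is the case the post describes: justified, reviewed, signed off, and still an any-to-any allow. The process record says "managed"; only a check of the rule's content says "secure".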

A Simple Sign That a Security Program Has Already Failed

The simple sign is your trust and confidence: do you have faith in your security program?  

For a moment be honest and ask yourself: am I confident in my company's security program? Do I have faith in our security team? Do they really know what they are doing? Is my information security officer worth the 300 grand? How can I say my IT department is really on top of security trends? Am I paying too much or too little for the security budget?  

Why Don't I Trust My Security Program?  

If your answer to any of the above questions is shaky, you hesitate to answer, you just do not know the answer, or for any reason you are not sleeping peacefully at night, then your security program has already failed!  

Is Your Security Program Stuck?  

But that is not directly your fault, not even your team's; no one on your side is to blame! The only thing to blame is the "market". Unfortunately, the market pushes you, and many top managers of security teams within big corporations, to spend money on things that do not improve the security posture; otherwise you would sleep peacefully just like those who do not have any online presence.  

The market pushes us to spend and at the same time not to have a peaceful mind; today is about a new trend, and tomorrow, even before catching up with yesterday's "message", you attend a webinar and face a new challenge. All true, but all irrelevant.  

Why, with hundreds of thousands spent on my cybersecurity initiatives, do I still not feel confident?!  

You or your technology team do not even have enough time to catch up with emails and whitepapers full of useful info, let alone to choose and implement exactly what you are looking for. Even a week after implementation you realize there was a better solution, or you wish you had purchased another solution or just waited one week to buy the new one that has just arrived in your mailbox!  

Sounds familiar? Then you are not alone among the majority of information security managers, engineers and architects. Simply blame the "market"! The market is constantly pushing us to spend while still not being confident. Does it sound like something is wrong? There has to be a different way. It does not make sense; it is not that complicated!  

The trick is simply to get out of this frenzy and let the market flow pass you by! You won't lose anything, do not worry. Step back, stop, relax and research more. There are very simple ways, with less effort and less budget, to a more confident outcome. Simpler than you could imagine!