This post is more like a rant than a post, but it is what it is.
In everyday work and life I keep finding people who think that policies are good to have but not so good to follow, and I'm really struggling to comprehend that kind of thinking, especially when it's about security. I don't get why it is so hard to realize one simple fact: you don't compromise on security.
Simple as that!
If you try to compromise on security and its policies (PCI DSS, HIPAA, FISMA, whatever) you will get compromised! That's a fact. It's just a matter of time before you get compromised, and when you do, it's too late.
Here are a few examples of that.
Company-that-I-will-not-name has a security policy which requires that hard drives be wiped and/or destroyed to prevent data access. What do they do? They dump computers, hard drives included, into the dumpster for electronic waste. Some dumpster diving and you get a hard drive to play with (or a few of them).
Do you know how long it takes to brute-force their default admin and deployment password (used for the deployment of other machines as well)?
It took me 9 minutes and 45 seconds to brute-force their 9-character password on a normal machine without much hassle. I picked up another disk and guess what, the same passwords work on that one as well, so password reuse is in place in its full glory.
The next example comes from the UK. The UK health sector got hit really hard by the WannaCry worm in May 2017. As a recent report from the National Audit Office shows, it could have been prevented if they had implemented the basics of every security policy:
- segment the network
- limit access on a need-to-know basis (same for humans and machines)
- update and patch as soon as updates are available
- log everything and read the logs daily
This one is self-explanatory: