We welcome Nick Prescot, Information Security Manager at ZeroDayLab, as our first new blog contributor.
by Nick Prescot.
To those out there who have missed my blogs since January, fear not: I have been in a job transition and so busy with the new job that it has only recently become apparent that there was some point in continuing the blog, as the marketing manager pushed me to get it going again! So that's enough about me, and I hope to continue my observations and musings about information security.
There's one thing that hasn't changed over the last 6 months, and that's the steady stream of breach notifications that has been hammering us on a daily basis. On the back of the Heartbleed and POODLE bugs that got everyone in the industry very excited, there seems to be a chase for the next big 'bug' that will get every infosec manager in the land the magic 15 minutes of attention where they can remind everyone of the importance of security and, once it's fixed, wait for the next one.
Having been an internal infosec manager for a while, and now on the other side of the fence as the consultant in this space, one does start to wonder about the impact that information security has in many of today's businesses. Every company has a different risk/threat picture, so just because you can't have a scenario where email is down for more than 3 minutes, or your payment gateway requires 99.99999% availability, it doesn't mean that robust and resilient systems should take second place to availability and usability.
The infosec world seems to be chasing the next immediate action to the next zero-day vulnerability so that the SOC can prove to themselves that they can react, respond, eradicate and contain any 'bad' that comes into their network and systems... and then brag about it!
So, before I see another vulnerability come across my Twitter feed, it's always worth a look at how the airline and car industries share the safety vulnerabilities that come to light: they are not hiding them, they are openly sharing information. The infosec world could and should do a lot better in this respect. There are many cases where CERTs release threat information in the open, but the reality is that when I'm onsite looking for the patches and change management records in response to the threat, quite often they're not there because it's too scary/painful/bureaucratic to deal with.
Therefore, there is a big gap in culture between many of the teams, departments, divisions and corporations and the modus operandi of the safety-focused culture of the airline and car industries. To give a classic example, the Euro NCAP rating is used as a tool to help the wider public know whether their cars are safe; there are similar measures, such as the Cloud Security Alliance's STAR program, that give hosting providers a similar level of assurance to offer the wider public about their security posture, which goes some way towards this but is unfortunately not widely adopted.
Going back, then, to the concept of breach fatigue. We know that cars (and, less often, planes) crash or develop faults all the time, but we also learn from them and adopt the safety improvements made to ensure that future risks are kept to a minimum. However, the same cannot wholly be said for the retail/commercial sector, for example. When we shop online it's sometimes hard to find the part of the website that shows that it's secure. We all assume that online banking is safe, but we do so on the basis that many online banking websites force us to use two-factor authentication... but how many people check that the page is on HTTPS with a valid certificate signed by a trusted third-party CA?
So, when you're next reading the news about the latest vulnerability that affects Adobe Flash or Skype, think of the basics that stem from the security standards and apply them! Whether you're an infosec manager or a silver surfer, a lot of these breaches can be mitigated:
1) Make sure that your anti-virus is kept up to date (ok, people with an Apple Mac might scoff at this!)
2) Update your laptop and phone ASAP. Yes, that little number in Settings on the iPhone: there might be an update. It might be there to change things, but it's also there to deliver the latest security updates.
3) If you use a browser, check the extensions that you are using (especially in Chrome). The same goes for Internet Explorer toolbars.
4) Check the padlock on HTTPS websites, and that the certificate is not self-signed, especially when making online payments.
5) Use verified tools that scan your computer for unknown applications. Whilst they might not be malicious, if you don't need 'em, delete 'em.
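To make item 3 more than a reminder, here is an added example (editor's code, not from the original post) that walks the default Chrome profile, reads each installed extension's manifest.json and flags grants that give the extension access to every page you visit. The profile paths and the list of "broad" permissions are assumptions: Chrome's manifest format is real, but which grants count as worrying is a judgement call, and Chromium, Brave or Edge keep their profiles elsewhere. A constructed sample manifest is included so the classification runs without a browser installed.

```python
"""Audit locally installed Chrome extensions for broad permissions.

Added example for the 'check your browser extensions' step; not from the
original post. Profile paths below are assumptions for the default Chrome
profile on Linux, macOS and Windows.
"""
import json
import os
import sys
from pathlib import Path

# Grants that let an extension read or change every page you visit, or reach
# outside the browser. This set is the author's judgement call (assumption),
# not a list defined by Chrome.
BROAD_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "tabs", "history", "cookies", "clipboardRead", "nativeMessaging",
    "debugger", "proxy", "management",
}


def chrome_extension_dirs():
    """Candidate 'Extensions' directories for the default Chrome profile (assumed paths)."""
    home = Path.home()
    if sys.platform == "darwin":
        roots = [home / "Library/Application Support/Google/Chrome"]
    elif sys.platform.startswith("win"):
        roots = [Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data"]
    else:
        roots = [home / ".config/google-chrome", home / ".config/chromium"]
    return [r / "Default" / "Extensions" for r in roots
            if (r / "Default" / "Extensions").is_dir()]


def assess_manifest(manifest):
    """Return (name, broad) where broad is the sorted list of flagged grants.

    Handles MV2 manifests (host patterns inside 'permissions'), MV3 manifests
    ('host_permissions' kept separately) and content_scripts 'matches', which
    grant page access without appearing under either permissions key.
    """
    grants = set(manifest.get("permissions", []))
    grants |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        grants |= set(script.get("matches", []))
    broad = sorted(g for g in grants if g in BROAD_PERMISSIONS)
    name = manifest.get("name", "?")
    # Localised names appear as __MSG_key__; the real string lives under _locales/.
    if name.startswith("__MSG_"):
        name = name + " (localised)"
    return name, broad


def audit_installed():
    """Yield (extension_id, version, name, broad_grants) for every installed version."""
    for ext_root in chrome_extension_dirs():
        for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
            for version_dir in ext_dir.iterdir():
                manifest_path = version_dir / "manifest.json"
                if not manifest_path.is_file():
                    continue
                try:
                    manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
                except (OSError, ValueError):
                    continue  # unreadable or malformed manifest: skip, do not crash
                name, broad = assess_manifest(manifest)
                yield ext_dir.name, version_dir.name, name, broad


# Constructed sample manifest (not a real extension) so the logic can be
# exercised without touching a browser profile.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Coupon Helper",
    "version": "1.2.0",
    "permissions": ["storage", "tabs", "cookies"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["inject.js"]}],
}

if __name__ == "__main__":
    found = False
    for ext_id, version, name, broad in audit_installed():
        found = True
        flag = "  <-- review" if broad else ""
        print(f"{ext_id} {version:>10} {name}: {', '.join(broad) or 'no broad grants'}{flag}")
    if not found:
        print("no Chrome profile found; classifying the constructed sample instead")
        print(assess_manifest(SAMPLE_MANIFEST))
```

Anything flagged is not automatically malicious (an ad blocker legitimately needs `<all_urls>` and `webRequest`), but it is the short list to walk through with the question the post asks: if you don't need 'em, delete 'em.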
Now, instead of looking like a puzzled minion when you do get breached, because you don't know what to do or how to react, the above are some simple steps. You wouldn't drive a car without brakes or airbags on the open road, so why would one ignore the above? This is for personal use, but if there is a bigger security problem you're grappling with... er... ahem... this is what I do for a living, so do contact me if there's a bigger issue!
More about Nick...
'Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab. Nick aims to assist companies who are looking to improve their cyber resilience and posture in the ongoing battle against emerging and continuing cyber threats. By taking a detailed and holistic view of a client's policy and governance infrastructure, combined with incorporating information assets within corporate risk registers, Nick is able to provide a clear strategy to clients so that their infosec operations and processes are aligned to industry practice.
Nick is also a seasoned incident response manager and, when there is a security and/or availability incident, Nick is able to ensure that the incident is remediated as soon as possible and to deploy the specialist response assets that can remediate the incident. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.'