Skip to main content

Identifying problems vs. providing solutions

One of the things that concerns me about the direction of Information Security as a discipline is the focus on what I call "gee whiz security". This is the flashy, trendy stuff like new attacks and the marketing terms of the moment (that often are actually meaningful terms that marketing people misuse or misappropriate). It is good to stay on top of new developments, new attack vectors, new defense ideas, etc. but (for most of us that are employed by a company) our job is to provide solutions to solve these issues or provide suggestions on how to mitigate the risks associated with these threats.

If all you provide is a constant stream of risks and concerns without any meaningful solutions or ideas on how to manage a problem, your employer is likely going to have to look elsewhere. This is why when folks ask me about penetration testing as a career choice I advise them to consider a more balanced approach. You can find any number of people or companies that will tell you how bad things are, but what most enterprises want is someone that can find the problems and propose a solution or a plan to address it.

Some advice:

1) When proposing a penetration test - determine what your goal is. Maybe you are better off working with the internal audit or risk management team to understand the known issues and test to see if they have been resolved first.

2) Use a standard methodology when doing any assessments. This should be adjusted to match the policies and standards of the site you are assessing.

3) Every problem or risk you identify should have a solution that matches the companies policies or standards
It's always better to look at assessments as an opportunity to provide ideas and solutions vs. showing someone how broken things may be.

->Pierre

Comments

Popular posts from this blog

Requirements for Information Security

If you want to get into Information Security you HAVE to be a/have this skill... Why this is total BS. Almost daily I see someone posting on twitter, trying to be helpful to folks who are looking to get into InfoSec. Often I see "If you want to be in Information Security (Cyber Security) then you HAVE to be a programmer" or "If you want to be successful you have to be a hacker/have a criminal record/have abused systems without permission" etc. While having technical capabilities (such as programming) and having the ability to compromise a system shows a specific skillset neither are required. When talking to people who are interested in Information Security I often refer to it as a cake, there are tons of slices, many flavors, many pieces and parts you can sample, choose to focus on, will be expected to know something about, etc. Incident Response and Forensics (my current focus) is not the only part of Information Security, and certainly not the only part tha...

Privacy considerations for home users

In light of the recent new stories regarding the recently signed legislation allowing ISP's to be able to sell your data http://www.vox.com/new-money/2017/3/29/15107110/republican-isp-data-privacy Here are a couple ideas and tips about privacy in general. Don't panic - a lot of the info was already being gathered, this isn't that large of a change regarding scope, it's more of a change to who can profit or sell it (which is a shift for sure). Remember a lot of the services you use today already gather your browser, activity, and search info (google, bing, yahoo, facebook, etc.). ISP's haven't implemented this yet, expect to see new terms of service in an upcoming bill, or an email sent to you, etc. If you would like to take some steps to try to preserve your privacy, here are some ideas and examples: VPN (Virtual Private Network) - this in essence creates an encrypted tunnel between two points on the Internet. One point being your system...

New year, New Vulnerabilities, Old problem...

Happy New Year to everyone! May 2018 provide you with interesting problems and the patience to solve them :) On to the recent kerfuffle about the Intel processor bugs. These vulnerabilities were identified in early January by Google  (original Google security post)  CVE-2017-5715   CVE-2017-5753 CVE-2017-5754 These vulnerabilities have been named "Spectre" and "Meltdown" and are causing a certain amount of anxiety in some environments.  IBM has produced an excellent write up of the vulnerabilities and includes information about the impacts and includes the CVE ratings: https://exchange.xforce.ibmcloud.com/collection/c422fb7c4f08a679812cf1190db15441 Of course new vulnerabilities are bad, and often require work and remediation, but this should be part of your environment's standard vulnerability assessment and remediation program. It's not sufficient to just apply patches from a single vendor (e.g. Microsoft) on a monthly basis and conside...