Real World Cyber Security

Blog Introduction and Index

RealWorldCyberSecurity
11 min read · Apr 3, 2020

Recent Updates

  • 2020/04/27: Added a list of recommended Security RSS blogs and newsfeeds.
  • 2020/04/28: Added a list of recommended Security mailing lists.

Welcome to the Real World Cyber Security Blog!

Einstein allegedly defined insanity as “doing the same thing over and over again and expecting different results.” Well, in information security and cybersecurity, we’ve sure been doing a lot of “the same old thing” over and over again, but we continue to get hacked. I guess we’re insane then, because we expect that what we’re doing will keep us from getting breached, but it doesn’t. Yet, we keep doing more and more of it and expecting different results. Insanity? You betcha!

A few years ago, what we consider today to be a minor breach would have been headline news. Breaches have become so common that most major ones are relegated to being buried somewhere deep inside the business section of the newspaper, with only the truly monumental ones making headlines. And, the breaches keep coming, and coming at a seemingly increasing pace, each one more significant, more damaging, and more costly than the previous. Yet, we keep doing the same old things to try to prevent the hacks. Either we are actually insane, or there is something seriously wrong with what we are doing and our thought processes behind it. I choose to believe the latter.

That’s what this blog is about: What we are doing wrong in security and how we need to fix it. Looking at the problem from 65,000 feet, I see two fundamental problems: First and foremost, we are trying to treat cybersecurity problems as though they are information security problems; second, we are basing much of our security thought processes on outdated premises. Yes, there are numerous other issues we face, but until we address those fundamentals, we have no hope.

So, let’s briefly think about those two points.

First, too many security problems are caused by too narrow of a view of security, such as treating all security problems as information security problems, resulting in the failure to identify the actual security gaps associated with threats. Information security focuses on the protection of information, whereas cybersecurity focuses on the protection of everything connected by some network to something else on some network, including the networks themselves. Cybersecurity requires both a much broader focus and a somewhat different mindset than information security. These differences in focus and mindset are critical issues that are usually left unaddressed in most organizations.

And, second, most of the fundamental principles on which we base all security today have changed very little since the 1980s (or earlier). Meanwhile, the scope of what must be secured has vastly increased, and changed from its original information security focus upon which these fundamental principles were developed. Thus, it is long past time that we change our thinking regarding our approach to security — both in terms of what must be protected and how we should go about protecting it.

We also have one big practical issue to address: Simply too much of the security we have in place today is “security theater” — that is, measures intended to give the illusion of security while actually doing little or nothing to secure the assets they are meant to protect, and potentially making those assets less secure. Every organization has this problem — the only question is how much of its security is real and effective, versus simply theater?

The objective of this blog is to provide some thoughts on what should be considered “security done right.” That is, how do you reduce risk in a cost-effective manner? The objective of both information and cybersecurity should be to first reduce risk to the greatest extent practical. Then, when a breach does occur, to detect it and shut it down as rapidly as possible, and in the process to have collected the information required to determine how the breach occurred, what was infiltrated, what was exfiltrated, and how to prevent a future reoccurrence.

If you are reading this blog in hopes of discovering how to prevent getting hacked, you’re not going to find that information here. In fact, I will go so far as to state that anyone who claims he or she can prevent an organization from getting hacked is either terribly naive or a liar!

This blog focuses on cybersecurity but also covers many aspects of traditional information security, and even touches on traditional corporate security as well. It includes both technical and non-technical content, and is oriented towards two different corporate audiences:

  • Information security and cybersecurity professionals and their managers, whose responsibility it is to secure the organization’s assets; and
  • C-level corporate executives and board members, whose responsibility it is to define an acceptable level of security risk, and who must both provide strategic direction to the organization’s security professionals and provide adequate funding for security.

This blog is written at a level that should be easily understood by anyone with an interest in either information security or cybersecurity, from students and interns through corporate executives and board members, and every security practitioner and manager in between. Please feel free to leave me a note if you have any questions.

The Blog Index follows in the next sections.

Thanks for reading!

Check back regularly for updates.

Topic: Everything You Know About Security Is Wrong!

Okay, maybe not everything, but a whole lot of what you think you know about security is probably either wrong, out-of-date, or both.

The biggest problem with cybersecurity is that everything in the field is changing so fast that it is nearly impossible to keep current. In fact, the insider-joke in the industry is that security follows the inverse of Moore’s Law — that is, every eighteen months, half of everything you know is now obsolete. Thus, if you are not continually reading and following security news feeds, and attending courses and conferences at least twice yearly, you are probably falling behind. Security is simply changing that fast, and a lot of what you think you know is now obsolete.

Welcome to the real world of cybersecurity!

Staying current is one problem, and it is definitely a very big problem in the industry. However, probably the most significant problem is that many of the industry’s most fundamental beliefs and principles — which most people in the industry simply take as gospel, and which I call “security mantras” — are incomplete, incorrect, out-of-date, or some combination of the three. Worse, many of the security industry’s most sacred security mantras are flat out wrong!

“What’s wrong with what we think we know about security,” is the focus of this section of the blog.

Defining Cybersecurity

If You Can’t Properly Define Cybersecurity, How Can You Know What It Is?
It’s clear that the cybersecurity industry hasn’t been able to agree upon what cybersecurity is and isn’t. Even NIST, which is responsible for the definition of technical terms used by the U.S. Federal Government, has four different definitions of cybersecurity! At a minimum, there are dozens of different definitions of cybersecurity currently in use. Nearly all are incomplete in scope, some are horridly wrong, and nearly all fail to differentiate between cybersecurity and its information security cousin.

What Are The Fundamental Services Provided By Security? Hint: CIA Is Not The Answer

The CIA Triad Is Dangerously Obsolete and Incomplete
The CIA Triad (Confidentiality, Integrity, Availability) purports to define the services that are provided by security to defend against threats to an asset being secured. Yet, it only provides defenses for three of the seven widely-recognized categories of security threats. An incomplete definition of the security’s fundamental services means we are also dangerously incomplete in the proper securing of our assets.

There Are Only Two Ways to Authenticate

Why Biometrics Are Not Valid Authenticators
Most security courses teach there are three ways to authenticate: “What you know,” “What you have,” and “What you are.” However, authenticators must be revocable and deterministic. Biometrics (“What you are”) are probabilistic and non-revocable. Thus, biometrics cannot serve as a means of authentication.

AAA Is Missing An “I” and an “A”

(coming soon!)
Access control systems are often focused on only authentication, authorization, and accounting, and neglect identification and audit. Even identity and access management systems often neglect the audit aspect of access control. But, this incomplete view of access control can lead to critical security weaknesses.

You Should Never Change Your Password

Seriously! A Password Should Only Be Changed If There Are Indications Of Its Compromise
The decades-old practice of changing your password every 30 (or 60 or 90 or whatever) days is lousy security. You should pick a strong password and not change it without a good reason to do so. A password alone shouldn’t be the gatekeeper for logins; rather, the gatekeeper should be a password in combination with a “second factor,” such as an app-generated code or a hardware security token.

Two Factor Not

(coming soon!)
The good, bad, and ugly of two-factor authentication.

Single Sign-On: A Hacker’s Dream Come True

(coming soon!)
Single sign-on (SSO) without two-factor authentication (TFA) is handing the keys to your kingdom to a hacker. Even with TFA, a bad implementation of SSO can substantially increase your organization’s exposure to identity hijacking.

“sudo” and “runas” Are Not Role-Based Access Control

(coming soon!)

You Call That a Security Requirement?

Proper Requirements Are The First Step To Verifiable Security
All too often, organizations lack any appropriate definition of their security requirements. And, the alleged requirements documents that do exist are most likely design specifications, not requirements specifications. Serious security breaches are unavoidable without a proper understanding of what is to be secured and why. That is, serious security breaches are unavoidable without proper security requirements.

You Can’t Encrypt Messages Using Asymmetric Cryptography

(coming soon!)
The most data that an asymmetric cypher can encrypt is several bytes less than the length of its key. What actually occurs when using asymmetric cyphers to encrypt messages is that the asymmetric cypher is used to encrypt the key of a symmetric cypher used to encrypt the message. This blog post gives an inside look at that process.
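The process the teaser describes, as an added illustration that is not code from this blog: a toy RSA key pair is built from two Mersenne primes (2^127-1 and 2^521-1, which are genuine primes, but a key made from public constants is obviously not secret, and unpadded textbook RSA is not a safe scheme), so the limit “plaintext must be smaller than the modulus” can be observed directly. A 256-byte message fails under raw RSA; the hybrid path instead wraps a fresh 32-byte session key with RSA and encrypts the message with a symmetric cipher. The standard library has no block cipher, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag stands in for AES-GCM; all function names here are the example’s own.

```python
import hashlib
import hmac
import os

# Toy RSA key pair built from two Mersenne primes, 2^127-1 and 2^521-1. They are
# genuine primes, so the arithmetic is real RSA, but a key made from public
# constants is not secret and textbook (unpadded) RSA is not a safe scheme.
# It exists only to make the size limit visible.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)

# Largest plaintext, in bytes, guaranteed to be smaller than N as an integer.
# Real padding (PKCS#1 v1.5 reserves 11 bytes, OAEP reserves 2*hash_len+2)
# shrinks this further, which is why the practical limit is "several bytes
# less than the key length".
MAX_RSA_PLAINTEXT = (N.bit_length() - 1) // 8  # 80 for this 648-bit modulus


def rsa_encrypt(plaintext: bytes) -> int:
    """Textbook RSA: the whole plaintext becomes one integer, which must be < N."""
    m = int.from_bytes(plaintext, "big")
    if m >= N:
        raise ValueError(
            f"{len(plaintext)}-byte message exceeds the modulus "
            f"(at most {MAX_RSA_PLAINTEXT} bytes fit)")
    return pow(m, E, N)


def rsa_decrypt(ciphertext: int, length: int) -> bytes:
    """Inverse of rsa_encrypt; 'length' restores any leading zero bytes."""
    return pow(ciphertext, D, N).to_bytes(length, "big")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream derived with HMAC-SHA256 (stand-in for AES-CTR,
    # since the standard library has no block cipher).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, message: bytes) -> bytes:
    """Symmetric encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(message, _keystream(enc_key, nonce, len(message))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then strip the keystream; rejects any tampering."""
    enc_key = hashlib.sha256(b"enc" + key).digest()
    mac_key = hashlib.sha256(b"mac" + key).digest()
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


def hybrid_encrypt(message: bytes) -> tuple:
    """Only a fresh 32-byte session key goes through RSA; the message itself,
    of any length, goes through the symmetric cipher under that key."""
    session_key = os.urandom(32)
    wrapped_key = rsa_encrypt(session_key)
    return wrapped_key, sym_encrypt(session_key, message)


def hybrid_decrypt(wrapped_key: int, blob: bytes) -> bytes:
    session_key = rsa_decrypt(wrapped_key, 32)
    return sym_decrypt(session_key, blob)


def demo() -> dict:
    # Constructed 256-byte message: far too long for the modulus directly.
    message = b"Constructed sample message, longer than raw RSA can carry.      " * 4
    try:
        rsa_encrypt(message)
        direct_rsa_ok = True
    except ValueError:
        direct_rsa_ok = False
    wrapped, blob = hybrid_encrypt(message)
    return {
        "max_rsa_bytes": MAX_RSA_PLAINTEXT,
        "direct_rsa_ok": direct_rsa_ok,
        "hybrid_roundtrip": hybrid_decrypt(wrapped, blob) == message,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows raw RSA rejecting the 256-byte message while the hybrid round trip succeeds. Production libraries do exactly this split under names such as RSA-OAEP key wrapping plus AES-GCM; the decrypt path here checks the tag before touching the ciphertext for the same reason those libraries do.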

The Internet Is Not A Seven Layer Network

RFC1122 Specifies Only Four Layers in The Internet Protocol Stack
It is a common misperception that the Internet is based upon the ISO 7-Layer Model. It is not. It is based upon a software protocol stack defined in RFC1122 that has several differences from the ISO specification.

CISSP Is A Junior-Level Security Certification

(coming soon!)

Topic: Emerging Threats

This section of the blog covers those threats which may not be headline issues today, but are bound to be headlines in the near future. It also includes some threats that are here today but are not in the headlines. But, they are serious threats you need to know about.

You Can Help Make The Internet Safer And Faster

A New Tool Detects If Your ISP Has Implemented Route Hijacking Mitigations
The Internet runs on a protocol called BGP, which determines how your data is routed from your ISP to its destination, such as Apple or Netflix. However, BGP, in its default configuration, is insecure and subject to hijacking attacks. There are mitigations for such attacks, but your ISP must explicitly implement them. A new tool from Cloudflare lets you check your ISP, and name and shame them if they haven’t implemented appropriate fixes.

Microcode Patches Don’t “Fix” Your Processor

Your Processor Remains Exploitable
The common perception is that if you update your processor’s microcode, your processor is “fixed.” Well, it isn’t. Every time you reset your processor (e.g., reboot), the microcode patches are wiped. This leads to exploitable security holes in your system.

Negative Rings in Intel Architecture: The Security Threats You’ve Probably Never Heard Of

Not Actual Protection Rings, But Conceptual Privilege Levels Susceptible To Exploitation
Most likely, you’re aware of the hardware “protection rings” in Intel Architecture processors — the familiar “Ring 0” for the kernel through “Ring 3” for userland. But, have you ever heard of “rings” “minus one” through “minus three”? If not, you’re missing out on three entire levels of processor vulnerabilities.

Ever Heard of MINIX?
It’s The World’s Most Widely Used Operating System

Have an Intel Processor? Then you’re a user!
MINIX: It’s the world’s most widely used operating system and another security threat that you’ve never heard of! Like all operating systems, it has bugs. Only you can’t patch the bugs in MINIX!

ME: It’s The Computer You Can’t Turn Off

(coming soon!)
The Management Engine (ME) is the “Ring -3” processor on your IA chipsets which you can’t turn off. “Powering Off” your computer does not power off the ME. The only way to power off the ME is to remove all power from the processor. Thus, even when “power is off” to your computer, but line or battery power is connected to the computer’s mainboard, the ME continues to run. And, the ME has access to everything accessible by your computer. And, that’s just the tip of this iceberg.

Branch Prediction, Threads, and Other Processor Vulnerabilities: Our Unfixable Hardware Bugs for Years To Come

(coming soon!)

Increasingly Cloudy with Severe Security Storms: Why It Is Impossible to Secure the Public Cloud

(coming soon!)

Topic: Security Policy and Politics

Ah, politics. Everyone’s favorite subject today. Or, maybe not.

Regardless, politics play a critical role in all policy decisions. Thus, I include both topics under this one single heading.

This section discusses how policies impact security, and how politics often result in insecurity.

Trivially Defeating Crypto Backdoors: You Can’t Stuff The Crypto Genie Back Into The Bottle

Why The Cryptographic Backdoors Law Enforcement Seeks Are Worthless Against Any Minimally-Determined Adversary.
Their purported “need” for encryption backdoors is purely and simply a barefaced lie. There’s no other civilized way of putting it. Backdoors are neither necessary, nor will they solve the alleged “encryption problem.” Worse, backdoors will critically compromise everyone’s security.

Corporate Security: The Forgotten Security Domain

(coming soon!)
The lack of a formal corporate security organization creates costly gaps and overlaps in an organization’s security.

LinkedIn Is A Security Threat To Your Organization

(coming soon!)
Where does a hacker who wishes to target your organization begin her reconnaissance? Most likely, on LinkedIn.

The First Question I Ask When Interviewing Someone For A Security Role

A Guide To Learning How Well A Candidate Understands Security
Interviews for security roles tend to come in three flavors: How have you solved a given security problem in the past? How would you configure a particular security tool to solve a specific problem? Or, tell us about your previous experience (as though they hadn’t bothered to read my résumé). None of these approaches provides insight into a candidate’s actual understanding of basic security principles and their application. This blog post presents a guide to interviewing security candidates with a focus on whether they actually understand security fundamentals.

An H.R. Guide to Cybersecurity Job Titles and Job Descriptions

(coming soon!)
I am an architect-level and executive-level security consultant. It’s unbelievable the number of recruiters who contact me for a “Security Architect” position which only requires 5 years of security experience. When I see such a job description, it tells me two things about the organization: (1) They are most likely clueless when it comes to security, and (2) They are only willing to pay for a security engineer, and not a security architect. In this blog post, I explain security roles, responsibilities, experience, and appropriate job titles.

Hacking The Boardroom: Presenting Technical Information To Non-Technical C-Level Executives

(coming soon!)

Your CIO Is Sabotaging Security: How Your Corporate Structure Is Undermining Security

(coming soon!)

Security Blogs and Newsfeeds I Follow

(and You Should Too)

All of the following blogs and newsfeeds support RSS.

The following mailing lists are worth subscribing to. Choose wisely, as some are very high volume.

Security Organizations I Support

(and You Should Too)

Please Support The EFF!
Please Support EPIC!

Featured Image

Earthrise

Featured Image Credit: NASA
