Thursday, May 23, 2024

Browsers, expired certs, bad defaults, and risk ASSessment

I have had to access more devices/websites with expired or self-signed certs than I would like to admit. There are also those which are just plain insecure (think passwords being sent unencrypted). If you have never experienced that, either you are really lucky or, well, welcome to The Planet Earth!

There are those, some of them my friends, who think that is not acceptable and the only solution is to replace all this junk with new junk which complies with current regulations. Some of them even have CISSP and CISM certificates and have titles like "Senior Security Engineer". They all live in another world with no relationship to ours and our reality.

There, I said it. Call me a heretic, but do not be disappointed if you need to pick a number; you will not be the first or the last. But I will not change my mind.

Secure All the Things

One of those security concepts that those who are CISSP/CISM/etc. certified should know, by the very reason they are certified, is risk. Everything has a vulnerability, a weakness that if exploited (intentionally or accidentally) may, well, hurt. If you ever got electrocuted while working on house wires or trying to repair an appliance, you know what I mean. Also, boiling oil in a pan can hurt. So you deal with it. For instance, you can just buy a new electric tea kettle instead of trying to replace the old wire. Or, if you are in a business setting, you can decree all computers will have the latest operating system with the latest patches, even if that means replacing the computers.

And that is where we disagree

You see, sometimes that is not feasible. Perhaps I have the skills to replace a wire and doing so is much cheaper than getting a new kettle. Or, you have an old UNIX computer connected to a multimillion dollar test device whose software is hardcoded to that specific version of UNIX; replacing it would cost 50 million and you would be throwing away a perfectly good testing system. Or, that medical device only sends data through wireless to an FTP server, so its password is shown for all to see; each of these devices goes for $15,000 on a good day and really there is none better in its class for the service it provides. What to do?

You analyze the risk and make the best choice of how to deal with it. The options are not only the "do nothing" (accept the risk) or "replace it" that the "Secure All Things" crowd advocates. There are more alternatives (I am using CISSP parlance here):

  • Acceptance. Decide it is not worth trying to do something about it and move on.
  • Mitigation. Come up with something to eliminate the threat, like keeping all the computers running the latest versions of their software. This is where the "Secure All Things" crowd gathers.
  • Deterrence. Can we cut down the risk? In the case of the multimillion testing device, what if we take it off the network and use an external drive to transfer test data between it and a more modern computer we can secure? Or for a network appliance that can only be accessed by a web interface which has a self-signed certificate that may have already expired: if you cannot replace the certificate (licensing cost or just plain bad coding), put these appliances in a secure network with restricted access, and with a specific web browser configured to accept connecting to that appliance using that cert (and perhaps old encryption).
  • Avoidance. Stop doing something that causes risk. If printers can be hacked, eliminating all printers takes care of this. If people can attack your wireless, remove the wireless.
  • Transference. Make it someone else's problem. Buy cybersecurity insurance. This can get expensive quickly and insurance companies have been raising the requirements. For instance, most of them will have a clause that if they find out you were careless, no money for you.
  • Rejection. The stick-your-head-in-the-ground approach to danger. Pretend it does not exist. I know it is a very common reaction, but try not to do it; this is considered a lack of due care.

So, which one should you do? It depends, and we are way ahead of ourselves. We should start by finding out what we have, knowing that getting a true full inventory may not be (economically) possible. But, let's say we did find out what we have. These are our assets, and we need to assign values to them, as risk can be seen as a number (usually money): we have to compare how much each risk response (that includes the bottom one, not doing anything) costs and figure out the cheapest one. You see, businesses exist to make money, and how we manage risk is a cost to the business. If the cost to mitigate the risk is close to that of deterring it, maybe mitigation is the best solution. This kind of thought process is expected from someone who is called "senior security engineer/architect." I myself am fine with knowing that most solutions to minimize risk come down to finding a deterrence. And sometimes, you just have to accept the risk and move on. After all, companies (and individuals) have only so much money to deal with risk; a good senior level security professional will make each dollar count.

You are still on the soapbox

Right you are. We still have not detected the vulnerabilities. And the dirty little secret is that the findings generated by the security scanners should not be taken at face value. Some of these scanners are just mindless pattern-matching scripts. A novice security professional will just run the tool and sound the alarm. A senior security professional will compare the findings with the information she has about the IT infrastructure (which may have required her sitting with the IT team) and eliminate what does not make sense for her setup and then prioritize it. Even if she uses AI (there, I said it), she will never blindly follow whatever the tool says.

Don't be what I call Qualysguy, that guy who runs Qualys and then sends a ticket to the IT team saying "fix all these things."
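
The triage described above, checking scanner findings against the inventory and then ranking what is left by asset value, can be sketched as follows. This is an added example, not code from the original post; the host names, dollar values, exposure percentages and the scoring formula are all constructed assumptions.

```python
from typing import NamedTuple, Optional

class Asset(NamedTuple):
    os: str
    services: frozenset
    value: int         # business value in dollars (constructed)
    exposure_pct: int  # 100 = general network; lower = compensating controls

class Finding(NamedTuple):
    host: str
    title: str
    severity: int                  # scanner's own 1-5 rating
    os: Optional[str] = None       # set when the check is OS-specific
    service: Optional[str] = None  # set when the check targets a service

# Constructed inventory, as gathered from the IT team.
INVENTORY = {
    "med-device": Asset("embedded", frozenset({"ftp"}), 15_000, 100),
    "appliance": Asset("embedded", frozenset({"https"}), 40_000, 20),  # restricted segment
    "file-srv": Asset("linux", frozenset({"ssh", "smb"}), 200_000, 100),
}
# Constructed scanner output.
FINDINGS = [
    Finding("file-srv", "Missing Windows SMB patch", 5, os="windows", service="smb"),
    Finding("appliance", "Expired self-signed certificate", 3, service="https"),
    Finding("med-device", "Cleartext FTP credentials", 4, service="ftp"),
    Finding("file-srv", "Telnet enabled", 4, service="telnet"),
    Finding("file-srv", "Weak SSH ciphers", 2, service="ssh"),
    Finding("lab-pc", "Outdated browser", 3),
]

def triage(findings, inventory):
    """Return (prioritized, set_aside); set_aside pairs each finding with a reason."""
    scored, set_aside = [], []
    for f in findings:
        asset = inventory.get(f.host)
        if asset is None:
            set_aside.append((f, "host not in inventory; fix the inventory first"))
        elif f.os and f.os != asset.os:
            set_aside.append((f, f"check is for {f.os}, host runs {asset.os}"))
        elif f.service and f.service not in asset.services:
            set_aside.append((f, f"{f.service} not in host's service list; confirm with IT"))
        else:  # assumed score: severity x asset value x exposure
            scored.append((f.severity * asset.value * asset.exposure_pct // 100, f))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored, set_aside

if __name__ == "__main__":
    for score, f in triage(FINDINGS, INVENTORY)[0]:
        print(f"{score:>9}  {f.host:<11} {f.title}")
```

The expired certificate on the appliance ranks last here not because the scanner rated it low but because the appliance sits in a restricted segment, which is the deterrence option from the list above showing up as a number.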