Years of Security Neglect - Solved in 24 Hours of Panic?

Thursday, June 16, 2011

Rafal Los


Let me paint you a scenario:

You walk into work tomorrow morning, coffee in hand at 8:30am only to see everyone huddled in your manager's office.

He motions for you to join them and reveals that your company has been identified as the next target of a hacktivist organization. You know the type; you've read about them in the press.

Then panic sets in as everyone realizes the network that's been neglected for the last decade and a half is suddenly under a painful microscope. The panic gets deeper as you realize that the applications that are responsible for 75% of your business revenue will likely be the front line of attack.

Now what? You have been given 24 hours' warning, so at least you have time to prepare, right?

This is a simple case of too little, way, way too late. If you've got any delusions of being able to thwart this attack, you're in the wrong business. Worse yet, this could impact you and your organization negatively in a number of ways that you can't even anticipate beyond the obvious press fallout.

In the short term, you'll likely get handed an incredibly loose budget, which means you'll be expected to spend money like it's going out of style or your organization prints it. Unless you're the Federal Reserve, you don't actually have that luxury.

The burden with being handed a large sum of spending cash is that you'll be expected to "keep the organization safe" with this money.

You and I both know this won't happen... so there will be negative ripples that go forward from here on out. In the impossible case where you do thwart the attack completely, I suggest you sleep with one eye open.

The long-term impact of a situation like this on the security team can be catastrophic. On top of the loss of reputation (if you've ever had any), you will be questioned on why security can't protect the organization from attack.

If your security team is funded reasonably, then you're in even deeper trouble. You'll probably hear "all that budget and you can't keep us safe?"... that's not good. It may appear as though, pretty much no matter what happens, you lose.


The reality is that this has happened, and will continue to happen, over and over out there in the real world. Hopefully this never happens to you, but when it does, remember the following things...

  • If we've learned anything from recent events - it's that attackers take the path of least resistance
  • No magic box will save you from the years of neglect you've shown your network
  • Scanning, patching, or rain dances won't make your vulnerabilities disappear
  • Money won't make the bad guys go away
  • You don't have time for risk analysis: shut down what's not absolutely necessary and defend the rest
  • If you're not in this position now - start preparing for it now

In the end, and this may sound cold and strange... but, you're probably best off sending everyone home to get some sleep for when the feces really hits the fan in a couple of hours.

