Personal and maybe a little controversial article: What is missing in cyber security? Doing as you preach

Doing as you preach is not solely a cyber security problem. Pick any topic and it is barely followed. Politics: speeding and getting your wife to take the points. Talking about morally repugnant investment methods while likely having a lot of wealthy politicians with money stashed in the Channel Islands. Religion: following all the rules of the religion and dodging VAT and tax. Appearing religious but drinking and using prostitutes. There are many more stories, but I don’t want to “sidetrack” too much.

The whole point of cyber security products and services is to secure your clients, whether that is off-the-shelf products, security architecture design or pen testing. Yet behind the scenes, are the individuals doing as they preach at home and in the office, and is the business itself even half secure? Remember the “late” HBGary, a U.S. cyber defence firm that sold products and services to three-letter U.S. agencies and to the private sector.

Being a well-known defence firm, you would think its security would be good. No. It was hit by SQL injection, poor passwords were used, there was little separation of duties, no two-factor authentication and so on. This was a high-end firm dealing with secretive government agencies, yet its security sucked. From 2004-2006 I worked at Marks and Spencer and their security even then was great. Imagine what it is like now. M&S’s security is/was likely better than HBGary’s was. Odd really for a British retailer to be more secure than a defence firm.

Over the years I have worked with or at various firms and the security of the firm itself was not great – without saying any more…! Years ago, I was looking at cyber security competitors and you would find all they had was a free Gmail email address and a mobile number. Hardly credible. Whereas we have a self-hosted email server, a patched website, two-factor authentication, a proper 0207 number and more.

Here are four stories for you to see what I mean:

Pen testing firm #1
9001, 27001, CREST and CBEST certified firm. Good staff with custom tools and exploits, yet:

  • Three versions of WordPress out of date
  • SSH (22/tcp) open
  • Web server four versions out of date
  • Three email protocols ports open
  • Just IMAP and POP
  • No anti brute force
  • No anti-malware or antispam on their mail server - since “they are using Linux”
  • Just self-encrypting hard drives
  • Sensitive client data stored in a server in their shared office
  • No antimalware on their laptops

Pen testing firm #2
CBEST, 27001, Cyber Essentials, Tiger Scheme, CREST and CHECK certified. Good staff and a well-respected firm, yet:

  • Laptops are government certified and only have Bitlocker half configured and standard anti-malware on
  • A pen tester emailed, from outside, his Gmail account username and password (fairly lame) and the AD credentials for the FTSE 100 company he was contracted to, in a standard email to myself and others

“Wizz kid”
Well known in country x for over 15 years, has written books and speaks at various conferences. He preaches about how insecure (and non-private) Hotmail, Gmail and AOL are, yet:

  • His email address is @gmail.com
  • His website has been defaced a few times

Multi-services cyber security firm
Offers pen testing, social engineering, strategy and training yet:

  • Website is run on mass market shared hosting
  • Joomla is poorly configured
  • Joomla is out of date
  • Sensitive company emails sit on a shared hosting platform
  • Webmail link is findable

And I could go on for a very long time…

What does doing as you preach look like?

  1. Encrypting hard drives on desktops or laptops
  2. Ninja firewalling outbound and inbound using a hardware firewall + O/S firewall
  3. Whitelisting software
  4. Alternative and encrypted DNS
  5. Hardware encrypted USBs
  6. Encryption software for files and USBs
  7. Shredding all files never deleting
  8. Overwriting unused MicroSDs and USBs
  9. Anti-exploit software and anti-malware
  10. All settings tweaked on a smartphone, including an anti-malware app
  11. Daily offsite backup
  12. Going through all settings with a fine-tooth comb
  13. Using a VPN, especially for Wi-Fi
  14. Not using Gmail, Hotmail or AOL email addresses
  15. Using a domain name for email not a freebie
  16. Using DuckDuckGo or trying to
  17. Not using virtualisation
  18. Patching websites and web server weekly at least
  19. Not using WhatsApp
  20. Little use of Facebook
  21. Logging in as a user, not an administrator
  22. Shredding all paper even if it barely contains an address
  23. Using 2FA as much as possible
  24. TLS certs everywhere with cipher suites reduced to good ones as well as cert pinning
  25. SPF, DKIM and possibly the newer DMARC for email
  26. Running CCleaner daily
  27. And a lot more which makes the above setup likely more secure than most UK central government departments
I will let you guess who does this!
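Item 25 is the one on the list that can be checked from the outside, since SPF and DMARC are just published DNS TXT records. The following is an added example, not part of the original article: it grades constructed SPF and DMARC record strings (no DNS lookup is made, and the domain and addresses are hypothetical) and flags the weak settings a firm "doing as it preaches" should not have.

```python
# Added example, not from the article: grade the SPF and DMARC TXT records a
# domain publishes, in the spirit of checklist item 25. Inputs are constructed
# sample strings; nothing here performs a DNS lookup.
def assess_spf(txt: str = "") -> tuple:
    """Return (severity, detail) for an SPF record, judged by its 'all' term."""
    if not txt.lower().startswith("v=spf1"):
        return ("missing", "no v=spf1 record published")
    all_term = next((t for t in txt.split() if t.lower().endswith("all")), None)
    if all_term is None:
        return ("weak", "no 'all' mechanism; unlisted senders get a neutral result")
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "-":
        return ("ok", "-all: hard fail for senders not listed")
    if qualifier == "~":
        return ("weak", "~all: soft fail only; many receivers still deliver")
    return ("weak", f"{qualifier}all: any host may send as this domain")

def parse_dmarc(txt: str) -> dict:
    """Split a 'tag=value; tag=value' DMARC record into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str = "") -> tuple:
    """Return (severity, detail) for a DMARC record: policy strength and reporting."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("missing", "no valid _dmarc record (needs v=DMARC1 and a p= tag)")
    policy = tags["p"].lower()
    if policy == "none":
        return ("weak", "p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        return ("weak", f"p={policy} but no rua= address, so no aggregate reports")
    return ("ok", f"p={policy} with aggregate reports to {tags['rua']}")

def assess_domain(records: dict) -> dict:
    """Assess both records; the domain is only as strong as its weakest one."""
    return {"spf": assess_spf(records.get("spf", "")),
            "dmarc": assess_dmarc(records.get("dmarc", ""))}

# Constructed records for a hypothetical domain; the values are illustrative only.
SAMPLE_RECORDS = {"spf": "v=spf1 mx ip4:203.0.113.10 ~all",
                  "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"}

if __name__ == "__main__":
    for name, (severity, detail) in assess_domain(SAMPLE_RECORDS).items():
        print(f"{name.upper()}: {severity} - {detail}")
```

Against the sample records both checks come back "weak": a soft-fail SPF and a monitor-only DMARC policy are exactly the half-configured state the stories above describe.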

What am I getting at? If companies can’t be bothered to secure themselves, how good will they be at protecting you (the client), or protecting your data once it is handed over to them?