The whole point of cyber security products and services is to secure your clients, whether that is selling off-the-shelf products, designing security architecture or pen testing. Yet behind the scenes, are the individuals doing as they preach at home and in the office, and is the business itself actually even half secure? Remember the “late” HBGary, a U.S. cyber defence firm that sold products and services to three-letter U.S. agencies and the private sector.
Being a well-known defence firm, you would think its security would be good. No. It was hit by SQL injection; poor passwords were used, there was little separation of duties, no two-factor authentication and so on. This was a high-end firm dealing with secretive government agencies, yet its security sucked. From 2004 to 2006 I worked at Marks and Spencer and their security even then was great. Imagine what it is like now. M&S’s security is/was likely better than HBGary’s was. Odd, really, for a British retailer to be more secure than a defence firm.
Over the years I have worked with or at various firms, and the security of the firm itself was not great – without saying any more…! Years ago I was looking at cyber security competitors and all you would find was a free Gmail address and a mobile number. Hardly credible. Whereas we have a self-hosted email server, a patched website, two-factor authentication, a proper 0207 number and more.
Here are four stories for you to see what I mean:
Pen testing firm #1
ISO 9001, ISO 27001, CREST and CBEST certified firm. Good staff with custom tools and exploits, yet:
- Three versions of WordPress out of date
- SSH (22/tcp) open
- Web server four versions out of date
- Three email protocol ports open
- Just IMAP and POP
- No anti-brute-force protection
- No anti-malware or anti-spam on their mail server, since “they are using Linux”
- Just self-encrypting hard drives
- Sensitive client data stored in a server in their shared office
- No anti-malware on their laptops
Pen testing firm #2
CBEST, ISO 27001, Cyber Essentials, Tiger Scheme, CREST and CHECK certified. Good staff and a well-respected firm, yet:
- Laptops are government certified, yet only have BitLocker half configured and standard anti-malware on
- A pen tester emailed his Gmail account username and (fairly lame) password, plus the AD credentials for the FTSE 100 company he was contracted to, in a standard email to myself and others
Security author #3
Well known in country X for over 15 years, has written books and speaks at various conferences. He preaches about how insecure (and non-private) Hotmail, Gmail and AOL are, yet:
- His email address is @gmail.com
- His website has been defaced a few times
Security firm #4
Offers pen testing, social engineering, strategy and training, yet:
- Website runs on mass-market shared hosting
- Joomla is poorly configured
- Joomla is out of date
- Sensitive company emails sit on the shared hosting platform
- Webmail link is findable
What does doing as you preach look like?
- Encrypting hard drives on desktops or laptops
- Ninja firewalling outbound and inbound using a hardware firewall + O/S firewall
- Application whitelisting
- Alternative and encrypted DNS
- Hardware-encrypted USB sticks
- Encryption software for files and USBs
- Shredding files rather than merely deleting them
- Overwriting unused microSD cards and USB sticks
- Anti-exploit software and anti-malware
- All settings tweaked on the smartphone, inc. an anti-malware app
- Daily offsite backup
- Going through all settings with a fine-tooth comb
- Using a VPN, especially on Wi-Fi
- Not using Gmail, Hotmail or AOL email addresses
- Using your own domain name for email, not a freebie
- Using DuckDuckGo, or trying to
- Not using virtualisation
- Patching websites and web servers weekly at least
- Not using WhatsApp
- Little use of Facebook
- Logging in as a standard user, not an administrator
- Shredding all paper even if it barely contains an address
- Using 2FA as much as possible
- TLS certificates everywhere, with cipher suites reduced to good ones, as well as cert pinning
- SPF, DKIM and possibly the newer DMARC for email
- Running CCleaner daily
- And a lot more, which makes the above setup likely more secure than most UK central government departments
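The email items in that list (SPF, DKIM, DMARC, and the complaint about firms running on a free Gmail address) are easy to check for any firm you are thinking of hiring. The following is an added example written for this post, not the author’s own tooling: it parses SPF and DMARC TXT records and grades them the way a receiving mail server would treat them, flagging the usual sins (`+all`, `?all`, `ptr`, more than ten lookups, `p=none`, `pct` below 100, no reporting address). DKIM is not covered since that needs the selector name. The records and the `.example` domain names are constructed for the demo (`.example` is a reserved TLD), so it runs offline; in practice you would feed it the TXT records you fetched with `dig` or a DNS library.

```python
"""Grade a domain's SPF and DMARC TXT records for the weaknesses that let
anyone spoof mail from it. Added example for this post, not the author's
tooling. The records below are constructed and the .example domains are
reserved names, so nothing here touches the network."""
import re

# SPF terms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Parse one SPF record. Returns validity, the qualifier on 'all',
    the DNS-lookup count and a list of policy weaknesses."""
    result = {"valid": False, "all_qualifier": None, "lookups": 0, "issues": []}
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        result["issues"].append("not an SPF record (missing v=spf1)")
        return result
    result["valid"] = True
    seen = set()
    for term in terms[1:]:
        qualifier = "+"                      # SPF's default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # a mechanism or modifier name ends at ':', '/' or '='
        name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
        seen.add(name)
        if name in SPF_LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "ptr":
            result["issues"].append("ptr mechanism is deprecated (RFC 7208) and slow")
        if name == "all":
            result["all_qualifier"] = qualifier
    q = result["all_qualifier"]
    if q is None and "redirect" not in seen:
        result["issues"].append("no 'all' term: unlisted senders get a neutral result")
    elif q == "+":
        result["issues"].append("'+all' lets the whole internet send as this domain")
    elif q == "?":
        result["issues"].append("'?all' is neutral: receivers will not reject spoofed mail")
    if result["lookups"] > 10:
        result["issues"].append("more than 10 DNS-lookup terms: receivers return permerror")
    return result


def parse_dmarc(record):
    """Parse one DMARC record (or None when the _dmarc TXT is absent)."""
    result = {"valid": False, "policy": None, "pct": 100, "rua": None, "issues": []}
    if record is None:
        result["issues"].append("no DMARC record: receivers cannot enforce alignment")
        return result
    tags = {}
    for part in record.split(";"):           # DMARC tags are 'k=v' separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        result["issues"].append("not a DMARC record (missing v=DMARC1)")
        return result
    result["valid"] = True
    result["policy"] = tags.get("p", "").lower() or None
    result["rua"] = tags.get("rua")
    try:
        result["pct"] = int(tags.get("pct", "100"))
    except ValueError:
        result["issues"].append("pct= is not an integer")
    if result["policy"] not in ("none", "quarantine", "reject"):
        result["issues"].append("missing or invalid p= tag")
    elif result["policy"] == "none":
        result["issues"].append("p=none only monitors: spoofed mail is still delivered")
    if result["pct"] < 100:
        result["issues"].append("pct<100: policy applied only to a sample of mail")
    if not result["rua"]:
        result["issues"].append("no rua= address: you receive no aggregate reports")
    return result


def grade_domain(spf_record, dmarc_record):
    """Combine both records into a one-word grade plus the list of findings."""
    if spf_record:
        spf = parse_spf(spf_record)
    else:
        spf = {"valid": False, "all_qualifier": None, "lookups": 0, "issues": ["no SPF record"]}
    dmarc = parse_dmarc(dmarc_record)
    issues = ["SPF: " + i for i in spf["issues"]] + ["DMARC: " + i for i in dmarc["issues"]]
    enforcing = dmarc["policy"] in ("quarantine", "reject") and dmarc["pct"] == 100
    if spf["valid"] and spf["all_qualifier"] in ("-", "~") and enforcing:
        return "good", issues
    if spf["valid"] and dmarc["valid"]:
        return "weak", issues
    return "poor", issues


# Constructed sample records: one firm doing as it preaches, one not.
SAMPLE_RECORDS = {
    "well-configured.example": ("v=spf1 ip4:203.0.113.0/24 mx -all",
                                "v=DMARC1; p=reject; rua=mailto:dmarc@well-configured.example"),
    "sloppy.example": ("v=spf1 a mx ptr +all", None),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLE_RECORDS.items():
        grade, findings = grade_domain(spf_txt, dmarc_txt)
        print(f"{domain}: {grade}")
        for finding in findings:
            print("  -", finding)
```

The grader is deliberately strict: `~all` (softfail) is accepted only because most receivers treat it like a fail once DMARC is enforcing, and `p=quarantine` with `pct=100` counts as enforcing even though `p=reject` is what you actually want.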
What am I getting at? If companies can’t be bothered to secure themselves, how good will they be at protecting you (the client), or protecting your data once it is handed over to them?