IT and Security Team Empowerment

Empowerment and enablement 

I find and hear of far too many places, from small businesses to large enterprises, that don't really give their teams the empowerment or capabilities to properly turn their pay into profit for the company. IT administrators, technicians, and support staff are not enabled to create safe or secure lab environments to test configurations. Admins are not allowed to automate, orchestrate, or mechanize anything, from the regular tasks needed for their job to health checks across the network. But my biggest concern is the emphasis placed on the world of cyber security while only using security teams for check boxes and never actually enabling them.

Some generic examples of this issue:

Company 1:

In this company there is a small security team: 3 analysts, 1 engineer, and 1 CISO. The team was hired on the premise of "we don't have much, but we need a large return on investment." Since security is one of the largest ROI areas you can have in a modern landscape, that makes sense. Now give these people a small ticketing system that the entire IT staff uses anyway, plus a simple log aggregation tool. It isn't much, but it "should be enough." Fast forward 3 years: the team is slightly bigger but has the exact same toolset. They tried to overcome the lack of EDR by using an antivirus and some scripts defined in Group Policy and pushed down by Active Directory. They tried to overcome network flow visibility gaps with a scripted pull of flow data from different switches every few minutes, but never had full flow logs anywhere. Part of this is licensing, part of this is the storage of events, but at the end of it all, money became the limiting factor for the company, and this team was unable to prevent ransomware from hitting their database. Sure, they had backups, but they had no way to audit those backups or test the security configuration of those backups, so they dropped the backup back in place and got infected again, and again, and again. This is not a rare event; there are thousands of companies in this exact situation. It could have been prevented with the simplest of things, you would never imagine how silly: the security team having a real talk about business decisions, explaining that they need better visibility, appropriate tooling, and segmentation, and the company saying "let's do it, but how can we do this efficiently at the least cost." Instead the company said "use what you've got, we don't have any additional funding."

Company 2:

This company is an extremely large enterprise with full CSIRT-capable teams and lots of specialities and functions. They even pay for the latest tools and intelligence feeds, and they even have multiple security architects for each subsection of the company. In this scenario you'd assume people have everything they could ever want as far as empowerment goes. Power exists, money is paid, what's wrong? Well, as the breaches reported by multiple large companies over the past few years have shown us, these teams are kind of like a computer that's always turned off except when someone else finds it necessary. They don't get regular training, and they aren't allowed to set up test labs or to use their own products as training tools to test exploits against. They spend their time doing nothing but looking at alerts, and those alerts aren't being properly tuned, leading to alert fatigue. No one sees the important alert because it's buried in too much noise. The analysts know this and try to get it fixed; the engineers want to fix it but are prioritized to maintain the systems and not push any code changes during "freeze events". So the company goes months, if not years, building up a backlog for itself and never actually getting around to fixing that alerting. The analysts don't develop skills, and they can't land a job when leaving, because their time on the job wasn't actually very meaningful.

Company 3:

This company is a fairly small business that doesn't have a security team, but generally leaves its IT team of 3 to do the security administration as well. In this case there's no SIEM, no centralized log aggregation, no EDR, no centralized AV; in all regards they're basically relying on Azure AD, Azure SSO, Google Workspace and email, plus several publicly available resources for their industry, to handle the job. Because they aren't doing any processing of PII themselves but rely on 3rd parties to do it, they figure the compliance/legal risks to them are offset (spoiler: this isn't true at all). One of their employees gets harassed by their ex, including having their social media and private accounts hacked, so that employee tries to take action with the local police. The police really can't do much; in some cases they'll suggest getting a restraining order, or submitting a report to cybercrime.gov. There's really no proof, so they typically don't care. This becomes the precedent that leads to the company's email accounts getting compromised, one after another. Because the team relied only on Google Workspace, any of their email accounts getting compromised turned into attack surface against the company. Their storage and AD credentials got leaked on forums, and emails began getting sent from their domain in an attempt to harass a single individual. The company, not having an adequate understanding of information security or a technical grasp of solutions, and not knowing how else to protect itself, fires the individual, potentially ruining their life. This is also a far too frequent occurrence in today's landscape. In these cases, when the small company doesn't have the know-how to properly investigate an issue that is going on, security consulting becomes vital: bring your business folks and your tech teams, get on a call, and say "this is going on and we don't know what to do."
In such events, neither the company nor the individual is safe from this occurring regardless of whether the person gets fired, so such actions make no sense. You need to take technical measures to neutralize the usefulness of the information the attacker has already gained and to lock them out of any information they could still gain. Investing in hardware keys as a two-factor mechanism, or even a hardware key plus a generated key for two-factor authentication without a password (the passwordless options a lot of people are moving towards), is one such measure. It would also be prudent to set a company standard for password and secret management (there are both open source and paid ways to do this; most browsers come with a secrets manager, and most operating systems (Linux, Mac, the latest Windows) come with system credential managers). Finding, storing, requesting, and managing the logs that show the activity for a criminal case against the attacker is also a much more active stance and protects both the company and the individual. With the right training, an IT team can be shown how to do this for their environment and can build appropriate playbooks before situations like these happen.


Anyway, that's all I've got for today, just a little rant about how business owners, decision makers, etc. aren't really leveraging the best of their teams to protect the company or its assets.

Thanks for reading

If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.
