Facile. A Way To Bypass Security While Trying To Bump The Bottom Line. IT Security Ignorance. Hacking Vulnerabilities.

Facile.

It is an interesting word. It means ignoring the true complexity of an issue and assuming that things are simpler than they are: facile generalizations.

Some synonyms: simplistic, over simple, oversimplified, black and white.

Security testing should never be any of the above. It requires fortitude of mind, rigorous testing, humility (knowing that the code you wrote is not going to be perfect and needs to be examined) and not racing code to the finish line without considering the consequences.

The word facile also has undertones of being easily influenced, affable, complacent. Think social engineering.

There is a Latin expression, “facile princeps”, which means “easily the first or best”. Keep it in mind when you think about IT security, unethical hackers and script kiddies. Why?

It may be swift to be the first to ship a product in an agile endeavour, but coming back a few minutes (or hours, days, weeks) later to proactively prevent IT security breaches is worth the time. Just because you can pump out code does not mean it is secure. Some practical advice?

– Invest time in exploration of a company’s assets. What do they really have? Do they keep a catalog of all their web servers, subdomains and other assets that could be exposed to the Internet? I once gained god admin access to a very large company because an HTML comment contained a blatant reference to the username and password. Could it get worse than that?

– Invest money in commercial vulnerability scanners such as the products put out by Tenable, Qualys or PortSwigger (Burp Suite), or one of the many others in the list published by OWASP.

– Invest time in learning and executing free tools that actual hackers use.

– If the business you are testing has the appetite for you to take a vulnerability and exploit it to provide proof of breach, invest resources in manual testing, which is arguably the most effective way to mimic what hackers do and prevent them from doing it. Do it, but only with written permission and an agreed scope.

– If possible, invest in a code scanner like Armorize.

– Think like a hacker. Scour the Internet: Twitter, Facebook, LinkedIn, Google, Bing, Reddit, etc. The discovery phase is so important in order to gain a full catalog or list of things to test. I have come across many, many usernames and passwords that are indexed on the Internet. Many gained me access to web applications and even direct access to databases with PII/sensitive data.

– Use your checklist, but do not be afraid to leave it at home and get real. Hackers do not use checklists to get to your data. Talk to your IT folks and scour the Internet; your proprietary and sensitive data are too important to be inventoried in a shared document that dates from 2014 and is pretty much irrelevant today. Know what you have, suspect that you do not know everything about what you have, and dig in to find what you actually have.

– Get very familiar with “dork searches” (search-engine queries built from operators such as site:, filetype:, inurl: and intitle:), which work remarkably similarly in Google and Bing.

– Get a company like Compass IT Compliance (I consult for them) to give your IT assets a serious in-depth check. It may be worth it for you.
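Two of the discovery steps above lend themselves to a small script: checking a page's HTML and JavaScript comments for the kind of leaked username/password pair described in the asset-exploration item, and expanding a set of dork queries for a target domain so they can be run against Google and Bing. The following is an added example written for this post, not code from the original author or from any product named here; the credential keywords, the dork templates and the sample page are constructed assumptions.

```python
"""Added example: hunt for credentials leaked in HTML and <script> comments,
and build search-engine dork queries for a target domain.
Not code from the original post; the sample page below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import quote_plus

# Matches pairs such as "username=admin", "Password: hunter2" or "api_key = ...".
# The keyword list is an assumption; extend it for the environment you test.
CREDENTIAL_RE = re.compile(
    r"\b(?:user(?:name)?|login|pass(?:word|wd)?|pwd|api[_-]?key|secret|token)\b"
    r"\s*[:=]\s*\S+",
    re.IGNORECASE,
)
# JavaScript line and block comments inside <script> bodies.
JS_COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)


class CommentCollector(HTMLParser):
    """Collects HTML comments and JS comments from <script> bodies in document order."""

    def __init__(self):
        super().__init__()
        self.found = []          # list of (kind, text)
        self._in_script = False

    def handle_comment(self, data):
        self.found.append(("html-comment", data))

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands a raw <script> body to handle_data; keep only the
        # JS comments, since that is where developers leave notes to themselves.
        if self._in_script:
            for m in JS_COMMENT_RE.finditer(data):
                self.found.append(("js-comment", m.group(0)))


def find_leaked_credentials(html):
    """Return [(kind, matched_text), ...] for credential-looking pairs found in comments."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for kind, text in parser.found:
        for m in CREDENTIAL_RE.finditer(text):
            hits.append((kind, m.group(0)))
    return hits


# Templates use operators that Google and Bing both understand
# (site:, filetype:, inurl:, intitle:); the specific queries are an assumption.
DORK_TEMPLATES = [
    'site:{d} filetype:xls OR filetype:xlsx "password"',
    'site:{d} filetype:sql "INSERT INTO"',
    'site:{d} filetype:log "password"',
    'site:{d} inurl:admin',
    'site:{d} intitle:"index of" backup',
]


def build_dorks(domain):
    """Expand every template for one domain."""
    return [t.format(d=domain) for t in DORK_TEMPLATES]


def dork_urls(domain):
    """Return {query: {"google": url, "bing": url}} ready to open in a browser."""
    out = {}
    for q in build_dorks(domain):
        out[q] = {
            "google": "https://www.google.com/search?q=" + quote_plus(q),
            "bing": "https://www.bing.com/search?q=" + quote_plus(q),
        }
    return out


# Constructed sample page modelled on the HTML-comment leak described above.
SAMPLE_HTML = """<html><head><title>Admin portal</title>
<!-- TODO remove before prod: username=admin password=Winter2014! -->
<!--[if lt IE 9]><script src="html5shiv.js"></script><![endif]-->
</head><body>
<!-- footer v2 -->
<form action="/login" method="post"></form>
<script>
  // dev creds for the staging DB: dbuser / pwd=changeme
  var endpoint = "/api";   /* TODO switch to https */
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, text in find_leaked_credentials(SAMPLE_HTML):
        print(f"[{kind}] {text}")
    for q, urls in dork_urls("example.com").items():
        print(q, "->", urls["bing"])
```

Run it against saved copies of the pages from your asset catalog rather than against a live site you are not authorised to test; the regex is deliberately loose, so expect to triage some false positives such as documentation that happens to spell out a parameter name.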

Finally, understand that many “hacks” are accomplished through social engineering. If your business can afford it, send at least one smart employee to a large-scale security conference like Black Hat, DerbyCon, DEF CON or ShmooCon.

“Amateurs hack systems, professionals hack people.” — Bruce Schneier

I hope this helps!

Jock

Jock Pereira | jockpereira.com | jockster@gmail.com | 978-666-4000 | Also on WordPress, Twitter
