[BreachExchange] Human Resources is the biggest tool for an IT officer today than ever before!

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 27 18:45:46 EDT 2017


https://jcgarciareyes.wordpress.com/2017/03/26/human-resources-is-the-biggest-tool-for-an-it-officer-today-than-ever-before/


I was chatting a few weeks ago with one of the tech directors of one of the
biggest US retailers. He told me they’ve implemented encryption security on
their PoS systems to counter the latest threat they faced recently. So I
asked him: does that make you safer? Are you using standard encryption? He
said yes! I responded: then you are going to be highly scrutinized.

I’ve said before in my other articles that pursuing compliance in security
is always a good thing, but following the norm doesn’t necessarily mitigate.
The military have always manifested a desire to engage in non-standard
encryption. The reason for this is that it’s not publicly known, which
makes it harder to confront exploitation. The basic criteria of hashing
haven’t changed since Alan Turing broke the Enigma. Standardization has a
double standard and today is facing more scrutiny than ever before thanks
to search engine platforms, the best tool for hackers by the way. Search
engine platforms like Google, with their powerful indexation techniques,
can give you in a matter of seconds Shodan abilities by allowing you to use
very neat and intrusive search parameters. So nowadays it’s no longer the
hacker that is constantly exploiting you, it’s the bots themselves doing the
job of the hacker.

Sometimes going non-standard, or even maintaining a legacy mindset in
applications and systems, though in a way it keeps you from enjoying modern
integrations, protects you in better ways than the standard techniques
used today. I still consider OS/400 the best mainframe operating system in
use, simply because it is object oriented and is one of the few successful
OoOS left in the market. This makes it very hard to exploit, because object
oriented uses signatures from the same brand to execute code, so it’s not
like Windows, for example, which is heavily open and is PuP friendly.

Let’s just go as far as to say that using non-standard encryption that could
be even weaker in concept than the many standard methods can still be more
beneficial for you because it’s not publicly known. By not passing ISO you
are not forced to publicize the structure of such practice. Hackers read
and interpret, and rely on bots nowadays to exploit. Whenever you turn to
dark water operations it makes it harder for a hacker to exploit you.
Hackers are relying more heavily on what’s easy to exploit today than ever,
whether it is to gain credibility or simply to learn. Even most hackers
have deviated from the concept of breaching because security protocols are
becoming multilevel and very complex. They’re simply focused on disruption.
The idea that DDoS’ing a web server is as commendable as breaching is
widely a mischaracterization. Even though DDoS is hard to control, it can be
easily tracked and reported. But you don’t gain any information by denying
service; you simply disrupt operations temporarily, and most DNS providers
today carry intelligent functions that detect the possibility of DoS and
instantly employ simple techniques such as Captcha validation just to slow
things down to avoid disruption.

That’s why the concept of a breach to steal data mostly relies on rogue
agents nowadays, the likes of an Edward Snowden for instance. Domaining a
network is a great way to centralize, scope and secure, but only until an
employee with certain privileged domain object roles decides to use them
against you. So you are never safe no matter how hard you try. But you can
at least slow things down to a certain degree for foreign intruders when
you engage in non-standard techniques, so you can mostly focus on who on the
inside is willing to go rogue on you.

I think it’s safe to say that the most important tool an IT manager has to
protect against exploitation and breaches today is no longer endpoint
protection or other security techniques but rather the Human Resources
Department.