
The importance of implementing security controls

Cyber Security was all over the news recently.

  1. Facebook revealed that it was hacked, even though it came out with the news only after a month.
  2. Then Apple said it was hacked, but admitted that no damage was done.
  3. Then Burger King admitted that its Twitter account was hacked (see picture above) and its logo was substituted with that of McDonald’s. I guess we are talking about fast food anyway!
  4. And last but not least, Mandiant came out this morning with its “APT1” report, allegedly uncovering the identities of the Chinese hackers that supposedly hacked the New York Times.

The latter are indeed big allegations. I am not going to speculate on the merit and on the veracity of the report claiming that a Chinese-government related group continuously hacked American and foreign corporations from a building in the outskirts of Shanghai.

The interesting thing about this report is that it exposes the gravity of the problem, but it does not say whether the news release was: a) cleared with the US Government, or b) confirmed with US government intelligence sources.

Tomorrow the US government will surely have to deal with a diplomatic hot potato and take a stance on these allegations.

But this is not the scariest part. In all these forensic reports, security incidents, hacking episodes and dramas, nobody reminded the victims that it would be wise to brace for the worst by kicking their security controls up a notch. In other words, everybody is complaining and crying wolf, but nobody is doing a “mea culpa” for these incidents.

If you read most forensic reports nowadays, most of the intrusions happen through a combination of “spear-phishing / social engineering” attacks and technical exploits. I can remember, only a few years ago in the penetration testing profession, when performing a pen test through a phishing email was considered “cheating”.

Nobody talked about the following points, so I will.

  1. Organizations should perform periodic vulnerability management, scanning all their assets for vulnerabilities in both unauthenticated and authenticated fashion. Unauthenticated scans help mimic hacking scenarios. Authenticated scans help figure out how many versions of outdated Java or Adobe Reader software are present on users’ workstations.
  2. It is important to review all configurations of the organization’s assets in all areas of the network, both wireless and wired, internal and external, and specifically for those “crown-jewel” servers such as Domain Controllers / AD servers, database servers, critical web sites, and data repositories.
  3. The last frontier in security is always web applications, where developers are pushed to faster releases and forget to build in essential security controls, which then have to be bolted on later in the SDLC.
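Point 1 above says authenticated scans tell you how many outdated Java or Adobe Reader installs sit on workstations. The following is an added example, not code from the original post or from NopSec, of the aggregation step that turns a credentialed scan's software inventory into that count. The inventory records, hostnames, version strings and the minimum-version baseline are all constructed placeholders; the version parser is written to cope with the mixed separators vendors use (for example "1.7.0_21" next to "11.0.02").

```python
import re
from collections import Counter, defaultdict

# Constructed sample of what an authenticated (credentialed) scan returns after
# logging into each workstation and reading its installed-software inventory.
# Hostnames, products and versions are made up for this example.
INVENTORY = [
    {"host": "ws-001", "product": "Java", "version": "1.7.0_21"},
    {"host": "ws-001", "product": "Adobe Reader", "version": "11.0.02"},
    {"host": "ws-002", "product": "Java", "version": "1.7.0_15"},
    {"host": "ws-002", "product": "Adobe Reader", "version": "10.1.4"},
    {"host": "ws-003", "product": "Java", "version": "1.6.0_45"},
    {"host": "ws-003", "product": "Java", "version": "1.7.0_21"},  # two JREs side by side
    {"host": "ws-004", "product": "Adobe Reader", "version": "11.0.02"},
]

# Assumed minimum acceptable versions (placeholder baseline, not vendor guidance).
BASELINE = {
    "Java": "1.7.0_21",
    "Adobe Reader": "11.0.02",
}


def parse_version(version: str) -> tuple:
    """Split a version string into a tuple of integers so it can be compared.

    Every run of digits becomes one component, so "1.7.0_21" -> (1, 7, 0, 21)
    and "11.0.02" -> (11, 0, 2); the separator ('.' or '_') no longer matters.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_outdated(product: str, version: str) -> bool:
    """True if the installed version is below the baseline for that product."""
    if product not in BASELINE:
        return False  # no policy for this product, so it is not flagged
    return parse_version(version) < parse_version(BASELINE[product])


def outdated_report(inventory):
    """Aggregate an inventory into the numbers the text asks for: how many
    installs of each outdated version exist, and which hosts need remediation.
    A host with one current and one outdated JRE still shows up as outdated."""
    by_version = Counter()
    hosts_by_product = defaultdict(set)
    for rec in inventory:
        if is_outdated(rec["product"], rec["version"]):
            by_version[(rec["product"], rec["version"])] += 1
            hosts_by_product[rec["product"]].add(rec["host"])
    return {
        "outdated_versions": dict(by_version),
        "hosts_needing_update": {p: sorted(h) for p, h in hosts_by_product.items()},
    }


if __name__ == "__main__":
    report = outdated_report(INVENTORY)
    for (product, version), count in sorted(report["outdated_versions"].items()):
        print(f"{product} {version}: {count} install(s) below baseline")
    for product, hosts in sorted(report["hosts_needing_update"].items()):
        print(f"{product}: update needed on {', '.join(hosts)}")
```

The side-by-side Java installs on ws-003 are the reason the report is keyed by install rather than by host: an unauthenticated scan sees at most one listening version, while the credentialed inventory shows every copy on disk, including the old one a user can still launch.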

I wonder why the media do not mention those security controls as a countermeasure to prevent catastrophic attacks.

I guess they are not so glamorous and sexy as the latest “dark-art” Chinese hacker.

To learn more about implementing security controls, please see and download our Whitepaper: SANS 20 Critical Security Controls.
