Reemerging from the Flood

Some of you have probably wondered where the NopSec crew and I ended up these days... already tired of blog writing?

Not quite.

Most of the people at NopSec live between Manhattan and Brooklyn. And most of the people at NopSec, even though safe and sound, suffered inconveniences and damages from Hurricane Sandy. As far as I am concerned, most of the trees in the garden where I live in the East Village were downed during the storm, many garages and basements were flooded, and for at least three days I did not have power and running water. That makes it hard to stay wired in to the business even for the most motivated person. All around, from 33rd Street all the way down to Battery Park, there is still no power in most of the buildings. Last night I needed to go to eat at a restaurant in midtown due to lack of power. Looking downtown from midtown, it seemed like entering oblivion... dark and ominous!

While walking home and stopping by any available Starbucks to recharge my phone, I could not stop thinking about the big talk preceding this hurricane regarding the City of New York’s emergency preparedness and the massive failure to restore power and running water for most of the lower part of the city.

In this regard, the situation reminded me of our everyday work as security professionals securing our organizations. Sometimes in our security programs we focus on big-budget, high-visibility security control ticket items, such as DLP, SIEM, NAC (insert any other acronym here). We often forget, like the City of New York forgot in this circumstance, to take care of the most basic measures to secure our organizations, which do not break the bank, such as data classification, an appropriate vulnerability management and remediation program, and fixing “low-hanging fruit” vulnerabilities such as default passwords, exposed files, and indexable web directories.

Obviously, for the City, a state-of-the-art emergency communication system cost millions of dollars but did not make it possible to restore basic needs such as power and running water in a timely fashion.

In the same way, the security “big ticket items” do not make the difference... discovering and fixing one vulnerability at a time does.