2|SEC Consulting – Happy 8th Birthday!
This month we celebrate 8 years of 2|SEC Consulting. To reminisce, I have been looking at some penetration test reports we took on when we started out. Before you wave the GDPR data retention stick at me, these reports are of course redacted, with information kept for statistical purposes only. What I’m seeing is that we are still discovering the same issues we discovered 8 years ago. Reports are riddled with SQL Injection, Cross Site Scripting, weak/default configuration and a general lack of patching. Not much different to today.
So why hasn’t the industry learned?
Applications are still being rushed out the door
Security is an afterthought. As the number one listed company on the www.crest-approved.org website (being called 2-sec, which was part of the reason I coined the name many years ago), we get a huge intake of leads and general queries. They mostly go along the lines of “Hello, we’re a really big brand and are releasing a new application next week. Do you think you could squeeze in a pen test, as we didn’t realise we needed to do one?” The second type of inbound lead is “Oops, we’ve been hacked”. Whilst we do of course deal with either case in a professional, agile and responsive manner, the mood in the office is “hey guys, here’s another one”. The only reason for this (and it’s not an excuse) is that businesses need to make money. They need to innovate and get new products out the door as quickly as possible. Cash is king.
Businesses make money, are profitable, and don’t see why increasing operational costs is justified
Security costs money. It dents profits. Cyber hacks are an intangible thing that doesn’t quite fit on a P&L. Boards aren’t quite sure how to deal with security or where to put it. It’s too often the case that security opex costs only come into the frame once a company experiences its first major incident. That way, there’s a loss that the treasury can finally put a number to, and it can protect against future losses by getting an insurance policy. By the way, insurers have rather cottoned on, and won’t cover a pre-existing vulnerability that a company should reasonably have known about, so it’s a bit too late to consider underwriting if you’ve just been hacked.
Someone else does security, don’t they?
Oh. It’s typically somebody else’s fault. The IT guy who didn’t patch systems because he was busy preparing the new platform for the new application. The third-party app developers, who were asked to develop the app according to a detailed RFP process that missed out the words Cyber and Security. Or both.
I could go on. But cyber security is YOUR responsibility, just as locking your door when you leave your house is. Except in the Internet world, you don’t just have a few neighbours and one or two passers-by, you have around three or four billion. Give or take.
Cyber is a very real threat to your business. The government is on the case, insurers are busy writing exclusion clauses, banks are refusing to give money back to victims of cyber fraud, and criminals are making money.
2|SEC Consulting. Telling you how it is.
Written by Tim Holman