We regularly hear chief information security officers (CISOs) lament that they have too many tools and solutions that overlap. Although layered security controls are a desirable way of reducing the risk posed to systems and data, if this is done haphazardly it can result in increased user friction and wasted resources.
Sometimes this is caused by product features that were prioritized in the selection process but never actually made it into production. Other times, budget holders are sold the utopian promise of a single tool that will work across the diverse range of devices, platforms and systems that are typical of enterprise networks today. All too often, employees discover that the security control does not work as expected in production, or that it took so long to deploy that its cost exceeds the value of the assets it was intended to protect. Organizations spend much of their budget trying to make these tools work but end up needing to buy compensating controls or start from scratch. Yet another new solution is sought to remedy the issue, vendors present more tools, and the cycle starts again.
At the heart of why this cycle occurs is insufficient security control assessment. Such assessments are crucial for demonstrating that an organization has practiced due diligence by thoroughly evaluating the effectiveness of its security controls. Failing to conduct rigorous evaluations could expose senior management to liability in the event of a data breach and makes it more difficult to identify gaps in an organization’s security posture. Any assessment of a security control needs to be done in the context of the organization’s existing controls. If the scope of an assessment is too narrow, or it is performed without knowledge of the other controls, the recommendations risk missing efficiencies or underlying issues that a comprehensive review would spot. For example, an evaluation of the security controls protecting an e-commerce system shouldn’t focus only on patching and access control; it should also assess any third-party services and whether the controls guard against supply chain attacks, such as the third party being compromised by web-skimming malware.
Often the task of evaluating the effectiveness of security controls is inadequately split between several security roles:
- Auditors are critical for understanding if a security policy meets legal and regulatory requirements, but they usually don’t focus on the efficiency of the deployed solutions.
- Administrators have the challenging job of keeping existing systems working and have immense insight into how they are used but are usually siloed into work tasks to enforce a separation of duties.
- Security operations center (SOC) personnel stop attacks in motion and report lessons learned after remediating incidents. However, the scope of this feedback is limited to the controls affected by an incident.
- Assessors, such as penetration testers and red teams, are skilled at uncovering flaws in systems and applications, but the scope of their assessments and recommendations is usually narrow.
- Even purple teams, while excellent for coordinating offensive and defensive efforts, may lack the information to identify unnecessary overlaps in an organization’s security posture.
Each of these roles plays an essential part in designing, maintaining and testing an organization’s security stance, but none of them is necessarily best placed to optimize it.
So how do we break free from the cycle of tool churn? First, CISOs should recognize the importance of security control assessments and the potential benefits of reduced costs and complexity while maintaining the same level of security. With this in mind, we recommend CISOs establish a distinct role dedicated to security control assessments so that the position isn’t burdened with day-to-day functional security tasks. Where this isn’t possible, consider broadening the scope of the team that currently performs security control assessments beyond measuring security value and cost, for example by considering the impact on user experience and how easy or difficult it is to maintain a control.
Second, give the assessment team access to the organization’s security policies, procedures and incident reports so that their recommendations consider the whole security posture. This should include an inventory of all the deployed security controls, whether technical, administrative or physical. Third, as well as technical security experience, CISOs should use personnel who have experience in risk analysis, user experience and project management.
Above all, the personnel performing the assessments should be encouraged to adopt the mindset of security solution optimizers or cybersecurity inspectors, similar to the role of building inspectors in the physical world.
Figure 1 – Attributes of the Cybersecurity Inspector role.
The cybersecurity inspector looks at the components of a security posture, understands how they are being used, or misused, and then verifies that each component is being used to its potential. Just like a real building inspector, they would look at the actual deployment, understand what was intended, and identify the gaps between the two. And just as a building inspector would know that a power panel is no longer in production and therefore needs to be replaced, a cybersecurity inspector would know that a tool is no longer supported, is therefore obsolete in their deployment, and must be replaced.
The biggest impact a building inspector can have on a construction project is to find a weakness in a building’s foundation that would deem it structurally unsafe. The strongest walls and roof on a cracked foundation are vulnerable. Similarly, the cybersecurity inspector would be keeping an eye out for warning signs, uncovering foundational issues that could make an entire deployment vulnerable, no matter how many tools are added.
Many IT systems and cybersecurity tools are misconfigured. A 2020 study by Accurics found misconfigurations in 93% of cloud storage deployments, potentially exposing data to the risk of being breached. It’s the job of the cybersecurity inspector to examine a cloud deployment for design and implementation flaws, understand which potential security issues need to be addressed, and review the billing to optimize the deployment and reduce costs, just as a building inspector who finds a cracked basement would suggest options to fix it based on time, cost and effectiveness.
A cybersecurity inspector looks at the existing tools, reviews the expected benefit of each security control, and identifies overlap and redundancy. For example, they would recognize that turning on an existing feature in an already deployed product in the network is much easier and cheaper than trying to add a new product and integrating it into the current security stack. The goal is to streamline a security posture by reducing the number of tools while still protecting assets to an acceptable level of risk. If your new cloud environment has a built-in password reset tool, do you need to maintain your older existing tool, or can you retire it and simplify your operation?
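As an added illustration of the inventory review described above (this is not code from the article; the tools, capabilities, support dates and costs are constructed), a small Python script that flags controls past vendor support and controls whose every capability another deployed control already provides:

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Control:
    name: str
    capabilities: frozenset  # what the control actually does in production
    support_end: date        # vendor end-of-support date
    annual_cost: int         # yearly licence/maintenance cost


# Constructed sample inventory (hypothetical tools, not from the article).
INVENTORY = [
    Control("LegacyPwReset", frozenset({"password-reset"}), date(2019, 6, 30), 12000),
    Control("CloudIdP", frozenset({"password-reset", "mfa", "sso"}), date(2030, 1, 1), 40000),
    Control("EDR", frozenset({"endpoint-detection", "device-control"}), date(2028, 1, 1), 60000),
    Control("HostAV", frozenset({"endpoint-detection"}), date(2027, 1, 1), 15000),
    Control("WAF", frozenset({"web-filtering"}), date(2029, 1, 1), 20000),
]


def unsupported(inventory, today):
    """Controls whose vendor support has lapsed: the 'power panel no longer in production'."""
    return sorted(c.name for c in inventory if c.support_end < today)


def overlaps(inventory):
    """Map each capability to the controls providing it, keeping only duplicated ones."""
    by_cap = {}
    for c in inventory:
        for cap in c.capabilities:
            by_cap.setdefault(cap, []).append(c.name)
    return {cap: sorted(names) for cap, names in by_cap.items() if len(names) > 1}


def retirement_candidates(inventory):
    """Controls whose every capability is also provided by some other control.

    Retiring one removes no coverage; the value is its annual cost saved."""
    out = {}
    for c in inventory:
        others = set().union(*(o.capabilities for o in inventory if o is not c))
        if c.capabilities <= others:
            out[c.name] = c.annual_cost
    return out
```

A control that appears in both lists (here the legacy password-reset tool) is the clearest retirement case; a control that overlaps but still provides a unique capability, such as the EDR's device control, stays.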
As security professionals, we can all learn from building inspectors by adopting the cybersecurity inspector mindset. Networks continue to grow in complexity, and the process of securing assets is an ever-growing and evolving challenge. Optimizing an organization’s security stance requires a holistic approach—a difficult, but worthy ambition.
This article was contributed by Stuart Phillips, Global Cybersecurity Practice Lead at HP.
The post Security Control Assessments: What Security Professionals Can Learn from Building Inspectors appeared first on Bromium.
Running the IoT Hack Lab at SecTor has been a highlight of my year since 2015. Although we won’t be back this year to fill our corner of the MTCC, I’m happy to be teaching A Beginner’s Guide to Reversing with Ghidra as part of the SecTor 2020 virtual conference October 19-20. Ghidra is an […]
The post Learn Ghidra From Home at SecTor 2020 appeared first on The State of Security.
Today I will share the secret underground forum where we chat and exchange information about hacking. Here you can learn new skills and listen to the best hackers in the world talk. You should signup too.
Link to secret forum: https://twitter.com/
My account: https://twitter.com/LiveOverflow
1337List (currently not available): https://twitter.com/1337list
LEARN ETHICAL HACKING FROM SCRATCH
Become an ethical hacker that can hack computer systems like black hat hackers and secure them like security experts.
What you’ll learn
130+ ethical hacking & security videos
Start from scratch up to a high-intermediate level
Learn what is ethical hacking, its fields and the different types of hackers
Install hacking lab & needed software (works on Windows, OS X and Linux)
Hack & secure both WiFi & wired networks
Discover vulnerabilities & exploit them to hack into servers
Hack secure systems using client-side and social engineering attacks
Use 30+ hacking tools such as Metasploit, Aircrack-ng, SQLmap, etc.
Understand how websites work, how to discover and exploit web application vulnerabilities to gain full control over websites
Secure systems from all the attacks shown
Install Kali Linux – a penetration testing operating system
Install windows & vulnerable operating systems as virtual machines for testing
Learn Linux basics
Learn Linux commands and how to interact with the terminal
Learn Network Penetration Testing
Network basics & how devices interact inside a network
A number of practical attacks that can be used without knowing the key to the target network
Control connections of clients around you without knowing the password.
Create a fake Wi-Fi network with internet connection & spy on clients
Gather detailed information about clients and networks, such as their OS, open ports, etc.
Crack WEP/WPA/WPA2 encryption using a number of methods.
ARP Spoofing/ARP Poisoning
Launch Various Man In The Middle attacks.
Gain access to any account accessed by any client in your network.
Sniff packets from clients and analyse them to extract important info such as passwords, cookies, URLs, videos, images, etc.
Discover open ports, installed services and vulnerabilities on computer systems
Gain control over computer systems using server side attacks
Exploit buffer overflows and code execution vulnerabilities to gain control over systems
Gain control over computer systems using client side attacks
Gain control over computer systems using fake updates
Gain control over computer systems by backdooring downloads on the fly
Create undetectable backdoors
Backdoor normal programs
Backdoor any file type such as pictures, PDFs, etc.
Gather information about people, such as emails, social media accounts and friends
Use social engineering to gain full control over target systems
Send emails from ANY email account without knowing the password for that account
Read, write, download, upload and execute files on compromised systems
Capture keystrokes on a compromised system
Use a compromised computer as a pivot to gain access to other computers on the same network
Understand how websites & web applications work
Understand how browsers communicate with websites
Gather sensitive information about websites
Discover servers, technologies and services used on target website
Discover emails and sensitive data associated with a specific website
Find all subdomains associated with a website
Discover unpublished directories and files associated with a target website
Find all websites hosted on the same server as the target website
Exploit file upload vulnerabilities & gain full control over the target website
Discover, exploit and fix code execution vulnerabilities
Discover, exploit & fix local file inclusion vulnerabilities
Discover, fix, and exploit SQL injection vulnerabilities
Bypass login forms and login as admin using SQL injections
Write SQL queries to find databases, tables and sensitive data such as usernames and passwords using SQL injections
Read / Write files to the server using SQL injections
Learn the right way to write SQL queries to prevent SQL injections
Discover reflected XSS vulnerabilities
Discover Stored XSS vulnerabilities
Hook victims to BeEF using XSS vulnerabilities
Fix XSS vulnerabilities & protect yourself from them as a user
Basic IT Skills
No Linux, programming or hacking knowledge required.
Computer with a minimum of 4GB of RAM
Operating System: Windows / OS X / Linux
For WiFi cracking (10 lectures ONLY) – Wireless adapter that supports monitor mode (more info provided in the course)