Here we are in 2016, and the state of information security (specifically the lack thereof) feels more like a bad Toxic Avenger sequel than a box office blockbuster. We’ve had major breaches, huge failures, significant doubt, speculation about new technologies being inherently insecure, and plenty more. Crazy as it seems, many seasoned security professionals are actually experiencing “breach weariness” - how in the world did this happen? Even though we’ve been a bit like broken records, playing the same security principles and practices over and over, organizations are still falling prey to many of the same old attacks. And while it would be convenient to point the finger at technology alone, that wouldn’t be fair. Too many of us are still condoning risky behaviors and ignoring best practices – which has only made a difficult situation worse.
As a professional security consultant, I see both the best and worst of the information security talent and teams out there. I see highly competent professionals, as well as some that would honestly be better off pursuing another line of work. I see companies that literally ignore the problem by refusing to spend money on improving their teams and technology. I see operational practices that make the term “cowboy culture” seem like a hallmark of deep maturity. While there are most definitely cases where organizations are doing all the right things, sadly these are consistently outnumbered by instances of poor judgement and malpractice.
What’s the deal? Why can’t we get our act together? I’ve been wracking my brain about this for years. The sad truth of the matter is that we KNOW many of the core technologies and practices needed to improve the state of security, and nowhere is that more true than in vulnerability management. There are a few foundational elements to any effective vulnerability management program - configuration management and monitoring, patch management, vulnerability scanning, and occasionally pen testing…but the hits keep on coming. Are organizations simply ignoring the things we’ve learned over the years, to get vulnerabilities under control? Or are we still missing key pieces of the equation?
I think the technology to build and maintain a mature vulnerability management program is here. The biggest issues causing us frustration aren’t related to a lack of technology - they’re deep, systemic organizational issues that aren’t getting addressed. Ask any seasoned security consultant, and they’ll likely have a long list of stories to share about failures and poor practices they’ve witnessed. We can all learn from these (anonymized) stories - can you see any resemblance to your own admins, operational practices, lack of controls, or other deficiencies?
In tomorrow's webinar “Infosec Fright Night: MORE Macabre Tales of Vulnerability Management Gone Awry” we’ll share more tales of drama and failure related to vulnerability management, which, while hilarious in some ways, also have many important lessons to teach us. What tools DON’T work? What practices do we need to follow, and what can happen when we don’t?
Register now for an entertaining session and uncover where we can improve our own vulnerability management programs.
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.