Single-supplier security systems are the new critical point of failure

February 7, 2013
Quick, R2D2! It's surprising that Star Wars didn't have adaptive, self-repairing bots patching discovered vulnerabilities in real time. Then again, hackers were always a step ahead of security. It also raises some interesting questions about how far we go with technological reliance for security measures. Are we building an implicit single point of failure into operationally critical systems? Do we need to consider multiple hardware suppliers as a best practice, so that a single vulnerability cannot compromise the security systems protecting critical areas? Cybercrime could just get more exciting…

Vulnerability Lets Hackers Control Building Locks, Electricity, Elevators and More | Threat Level | Wired.com
A critical vulnerability discovered in an industrial control system used widely by the military, hospitals and others would allow attackers to remotely control access systems, elevators, electricity a…

2 thoughts on “Single-supplier security systems are the new critical point of failure”

  1. chris vighagen

    Hogwash.

    Yes. Hogwash.

    More often than not the best practices are completely ignored and the infrastructure, both physical and virtual, has been installed incorrectly.

    Remember the Comodo SSL certificate hack a few years ago?
    A kid in college doing a bachelor of comp sci did that after having seen Hak5 on SSL hacking and read up on Moxie's work on SSL.

    Criminals are not getting "better" at hacking systems. Fortune 100 and 500 companies just do not care. Especially since they now can buy "hacker insurance" from insurance companies, having bad security could be a potential revenue stream. Just like life insurance on employees is a potential revenue stream.

    And like both +Mark Summerfield and +T. Pascal pointed out, if it is on an internet-connected network it is hackable.

    I'm only tangentially involved in ITSM security from the customer service, help-desk and service processes angle, and I am quite confident that I could deface the UN webpage, unless they have in the last month or so fixed the SQL injection hole from 2007. And this is a known hackable hole that was discovered by a defacement.

    Best practices don't matter when management is more interested in the missing TPS report cover sheet than doing actual work.

    You don't need to have 3-5 0days in your specially (elegantly, even) crafted multiple-payload boutique malware to own a company.

    Not when companies still use XP and don't care to patch MS08-067 (critical and known since 2007) or MS03-049 (critical and known since 2003).

    Hell, even one of the big names of IT sec got pwned by simple social engineering with email spoofing by the Anonymous crowds.

    No wonder most IT-sec guys I know are cynical sarcasm-o-holics; no one bothers to listen when they say "See this huge gaping hole in your security? YOU NEED TO FIX IT! It's simple, just update to SP2 and there will be no problem" year after year…

    Sorry for the rant, it just annoys me when 95% of security issues are simple to fix.

  2. Mark Summerfield

    When the security industry decided to get away from proprietary networks and stand-alone, on-site, personnel-managed systems, they instantly made all their systems less secure. There are no devices connected to the internet that are secure. All the firewalls in the world won't stop a dedicated hacker. The governments of the world are just now finding this out. Anyone who has been in the security business for more than 5 minutes has known this. When the marketing people went over the security managers' heads to the corporation and offered them the ability to monitor their systems from anywhere, by anyone with the passwords, at any time, the systems instantly became less secure. When a major part of your security system relies on a totally insecure network, you no longer have a security system. The answer is to get it back to a proprietary system that relies on on-site personnel. You will still have problems, but at least you'll be able to find the problem and fix it.
