Who is going to attack us?
Those were the words ushered to me in my very first job in IT. I want you to think back how often you have heard something similar in your career.
Small Mind Syndrome
Here in lies the problem, a company thinks that just because they are small, they are less visible or enticing to attackers. Well unfortunately, nothing could be further from the truth. The truth is you are perhaps more likely to become a target since attackers know that you have less capital to spend on security infrastructure, making you an easier target. At the end of the day, most attackers are solely motivated by money. If they are able to make money from attacking you, guess what, you are more than likely to be attacked.
Coming back to my opening statement, I had these words ushered to me after I told my boss at the time they needed a suitable firewall. Well guess what, a couple years after I left they were asked by their hosting company to shut off their porn servers. Yes, they got attacked and the attacker was using their servers to serve up porn sites. So much for "no one is going to attack us".
Another issue I come across is those who simply choose to ignore the issue. Perhaps they think by ignoring it, it will magically disappear. Well it won't!
In another role I had, I worked at a large retail firm. They had an ancient Point of Sale (POS) system which was based on a dumb terminal/client architecture. When the terminals were restarted, they would fetched and install the POS from the server. I came up with an scenario where by an attacker could manage to inject a local Linux kernel DOS exploit into the startup script. So when the terminal was restarted, it would fetch the exploit and execute this exploit.
What happened? Well the terminal effectively became frozen each time you rebooted it. And since the terminal always fetched and executed this exploit after each reboot, you effectively had an attack which "bricked" the terminal. Only once the exploit had been removed from the startup script, would the terminal be able to function again. There was a handy command on the server which instructed all terminals in the store to reboot themselves (saving the attacker the work of manually doing this on each one). Do this in every store and you have effectively killed off any means of trading. I'm sure that most would agree this would be a pretty big deal for a retail company.
After no trade means no income (they didn't have any online trading at the time). I told this to my boss at the time, and I even showed him a working Proof of Concept (PoC). His reaction? It was simply a shrug of the shoulders!
I'm Not a Security Person
Another problem I have come across is that some think that it is the responsibility for the CISO department, and other security focused groups to be responsible for all security of an organization. While true to some extent, those departments cannot be responsible for the actions carried out by individuals. They also have limited resources, so will be not able to review, monitor and audit every action carried out by every user.
It's All Our Responsibility
This brings me to the conclusion of this post. Security is the responsibility of all of us. It just takes a single person to potentially compromise the security of an organization. They may not even be aware that the actions which they are carrying out is compromising and introducing significant risk to the organization. It doesn't matter on the size of an organization, we are all fair targets to attackers. And when something is reported, you should at least triage it and determine how much of a risk it poses to your organization.
I know it may sound a bit cheesy, but the security of an organization is everyone's responsibility. After all, security is only as strong as your weakest link.