In for the weakness, in for the Hack
On my 1st week of the basic course in the Israeli army I was taught that in terms of information security there is no information item that is too negligible or too small to deal with.
The base location, the unit’s name, how big is my team – shall not be told.
There is no need to brag about the amazing projects we do
and
There is no reason to connect external media to computers
EVERYTHING about information security is important and must be afterthought.
That approach is based on the assumption, that a person who was educated from the very 1st moment not to disclose the name of the unit (barely the city it is located at) will be very minded and aware with information of real potential harm.
This is an excellent and well-proven attitude with regard to security, and I’d expect it to be a corner stone in mission critical cyber security organizations and industries such as: medical, energy, avionics and automotive.
You can imagine how surprised I was when I heard too many times from too senior executives in tone-dictating companies:
“The distance between weakness to hack to actually take over a vehicle and put people in jeopardy is very large. We shall not be excited by each vulnerability.”
Technically, to some extent, they are right. The transition from weakness to exploitation is significant and sometimes impossible. Not every weakness will end in ransomware massage on your airplane infotainment screen.
But this is exactly the intricate approach to security events that we must not remain indifferent to.
After all, taking control of a Jeep Cherokee was a combination of weaknesses, exploitation methods, not well protected communication, etc.
At the end of the day, each cyber incident begins with a weakness that was not well covered, or published or addressed – piling on top of that a great motivation, high technical skills and tenacity will lead to an assault that will make you wanna cry.
As Lau Tzu said ‘A journey of a thousand miles begins with a single step’
In cyber-security arena a small buffer overflow – can sometimes be this single step required
With cyber security we must go ‘All-In’ and leave nothing to luck. We must identify all the threats and evaluate the degree of exposure each one produces.
This knowledge provides us with options to tackle and resolve – some as simple as use different compilation method, some as complex as applying to the supply chain and development teams and some can be solved through an operative mechanism and processes.
I know that this ‘epiphany’ moment about the security status of your product usually causes more headaches than reliefs – since it usually brings a flood of new issues and gaps and their treatment does not make it easier to meet the schedule or increase the margins.
Much easier and more fun is to cover with the warm blanket of the blessed ignorance and practice surprised gestures.
To my opinion this is not a privilege we have in critical infrastructures and specifically in the current era of revolution. We strive for a shared, electronic and autonomous world – cyber attack will stave off the revolution and create a severe blow to the spirit of progress we all enjoy anticipating.
I know that the cyber security industry aware of these needs, there are solution (am sure that they can get better) for doing just that: Cyber Risk Assessment – mapping vulnerabilities, finding violation of security policies, competence with the emerging ISO 21434, hardening issues, mal performance of encryption and even identifying the entire software stack. Risk assessment is conducted to avoid incidents and the right measures should be devoted to do just that – Avoid incidents, not respond, avoid.
To sum up, as I was told by the first sergeant while patrolling around the base, and as ‘Ivar the Boneless’ discovered at the last season of the Vikings – A single uncovered crack and you may loose the fortress, Loose the Trust of the people and find yourself dinning with the Gods at Valhalla.
Therefore, don’t oversee your flaws and vulnerabilities – the progress starts there – you should accept yourself (and your not perfect code) as you are and strive for improvement.
Guest blog Written by Eddie Lazebnik – Brining 15 years of cyber experience – both in private and public sector and recently in a groundbreaking startup. Served for about a decade the Isreali government and military organizations of Cyber Security. Possessing education in business administration, having a proven technical execution record and great passion for technology and innovation. Very excited about the revolution of IoT and specifically in Automotive industry -connected and autonomous vehicles. These days leading strategy and strategic partnerships activity in Cybellum.