The recent vulnerability in the Microsoft® Exchange server application has sparked many discussions. One of the topics concerns the skills of IT departments responsible for patching systems in time. How can n weeks or months pass until upgrades are rolled out and in place? Well, the answer is easy. Some upgrades do not work flawlessly. In anticipation of problems during the change, IT departments need a copy of the live system and time to test the updates. This takes time, even if you have the budget to run additional copies of your systems. Furthermore, sometimes upgrades go wrong. In theory, these changes should just eliminate security problems and let the application work as before. IT departments bitten by the “this should not have happened, but it did anyway” situation will hesitate to deploy upgrades. Putting more pressure on the IT people won’t speed up the process. Instead, vendors should make sure that security-critical updates do not break anything. It’s simple psychology.
Another discussion is the eternal “you should have moved to the Cloud” proposal. The “Cloud” is not a magical paradise where everything is taken care of. Yes, it is usually better connected, has more bandwidth, scales well, and you pay as you go. However, service level agreements cost extra, and basically it’s just shifting the blame to some faceless IT crowd somewhere who might do the job of patching things better, or not. The “Cloud” can disappear, too. Bugs exist there as well. The infrastructure can be disconnected from the network. The “Cloud IT Team” can make stupid mistakes (whole content distributors have pushed themselves off the Internet with a well-timed and elegant configuration deployment). Plus, the Cloud is no Schrödinger’s cat. When it’s gone, it is really gone. And the elastic scaling property also applies to deleting data and purging whole servers.
From the perspective of information security, there is one constant: You need skills to accomplish your tasks. A lot of things go wrong due to a lack of training or a lack of knowledge of your own infrastructure. Experience from audits shows that the question about security procedures is usually answered with a list of gadgets that do something security-related in the network. The proverbial machine that goes ping is not the best defence mechanism of choice. Auditors and penetration testers can tell a lot of stories about the configuration of filters, firewalls, and networks. In case of emergency, everything boils down to the skill pool of the team and its experience in out-of-the-ordinary situations. Make sure to gather practice before the lightning strikes. During a conference, the CIO of an Austrian organisation running 14 different communication systems was asked which of the 14 teams performed best. The idea was to find out which one of the products could deal with the malicious software attack. The CIO’s answer was: The teams with the most skills and the most experience were doing well. The product did not matter.
DeepSec 2021 will enable you to gain more skills and more experience with attacks and bugs by exchanging ideas with the experts. Have a look at our trainings to get your hands dirty and your mind sharp!
Originally published at https://blog.deepsec.net on March 19, 2021.