The world of Infosec is a divided world. Divided between the glamorous and mundane.
The glamorous world of Infosec is abound with the hackers with fancy names. They go by names like ‘d3m0n’, ‘de^il’, etc. They have probably been to the dark side and back. They are the ones who belong to anonymous (pun intended) hacking groups. They are the ones who have the audience swooning when they execute (again, pun intended) that flamboyant code and take remote control of some server, leaving the IT administrator sweating. They are the ones who have esoteric conferences that again go by fancy names. The wide-eyed-just-out-of-college kid who wants to enter Infosec as a profession has this in mind. Probably, he already has a fancy name (from his Counterstrike days?). The work done by this glamorous lot is sure to get the media eyes and ears. They are the poster boys of Infosec!
Then, there are the mundane professionals. They do not have a fancy name (though I am sure they would have played Counterstrike). They are the ones who write policies and processes and tell organisations how they should be doing stuff. They are generally disliked. Organisations do not pay much attention to these type of people. “Anyone can write a policy and a process! I have downloaded one from NIST myself.”, organisations say. They are the ‘compliance guys’. The dull guys who face auditors and plough through reams and reams of paper documents. Generally, they do not serve any other purpose.
It has been like that for more than a decade, and is not about to change.
Now, let me just shift focus to some of the key Infosec incidents that have been in the news recently (in India). An accounting intern hacked into the income tax website and looked at returns filed by celebrities. My first reaction was that this intern must be moonlighting as ‘1nt3rn’. Anonymously, of course. However, the modus operandi was much simpler. The intern merely clicked the ‘forgot password’ link and guessed the secret questions. Apparently, the answer to these questions were in the public domain. Of course, celebrities’ pets are celebrities too! Schools that celebrities went to are also easily found. The process for resetting the password of a user had standard questions that could be set. Probably, a way to avoid this incident could have been allowing the user to set his own question and answer, like some websites already do. This was a process failure. The mundane guy’s area.
The second incident was more common. Phishing. A user clicked a link that was sent to him, that looked suspiciously like his bank’s website. It asked to reset the password. He reset it and his money was not his anymore. This, you must be thinking, is a hacker’s doing. There is no way that the average joe can create a website and then get your password unless he or she goes by the name ‘d3v1l’. Hold your thought. Copying a website is very easy. Go to ‘view source’ in your browser, copy the contents and paste it in another document. A few basic html commands later, you have a replica of any site you want. Providing a link that has a password change form is again html 101. Of course, if you have a keen eye, you will notice that the link that appears on your browser does not have ‘that little lock’ on it. The link does not contain any words that have your bank’s domain name in it, or if it does, there are a few characters here and there. Of course, the bank sends you mails saying “We will never ask you to change your password”, but it is just one mail against another! The problem was not in the bank’s website at all! The attacker simply set up his own replica of the website and got the user there. Solution? Proper training to end users. Clear communication with end users. Better monitoring of your systems. There are ways in which this type of thing can be found out using certain software, but the mundane guy needs to sit down and look at all the logs being generated from the software and take immediate action.
The problem, as you can see, is with the mundane guy. Either he does not do his job well, or no one listens to him.
Message to Organisations: Please get your processes in order. They are as important as the vulnerability scans and the penetration tests that you get done ever so often. Don’t ignore the processes because they are not the sexy type of Infosec!