Our group, Cyber-Living, specializes in research, recovery and recommendations – the 3 good R’s of security work. Cyber security is as much a part of life as door locks are these days.
We aren’t the first company to purposefully decide to “eat our own dogfood”, as they say. We use what we sell and we work with it constantly – and our products were not mentioned in many of the big cyber attack and hacking news releases over 2020-2021. There is a good reason for that: hubris, ego and mismanagement. It’s why some cyber security companies end up using products other than the ones they sell … to protect themselves. If they are honest, at least with themselves, they want to stay secure.
I tell people that “community based, aka open source” products are usually best. In fact the commercial products are mostly built out of, or on top of, these parts. A friend says “what, that doesn’t make sense”, thinking it’s all about how much money it costs and having a big company on board. Most big profitable companies are stacked with experts, but mostly they aren’t there to help you – they are there to fleece you. We are friends and consultants from the small and medium business world. We’ve watched Microsoft, Linux and Apple computer users and products get broken by security research and hacking [much the same thing, those 2].
Hubris (defn: Overbearing pride or presumption; arrogance)
Hubris shows up in our industry the way image supplants the honest truth: people worship arrogance, but it leads them to defeat and failure. It leaves openings, which in our industry are the very antithesis of why one invests in and trusts security appliances. Firewalls are only the start these days – they are built upon, yet segregated from, the general purpose computers that we all use at the desktop or in the hand.
It started back after McAfee sold his innovative antivirus software and walked away. They built it into a big product, but then, for me, users with McAfee became almost a case of “oh, I see, you’ll be loaded up with hacks and malware”. McAfee was the target to bypass or disable. So I’d move people to lesser-known products with actual security workers running them seriously and, voilà, disinfect things that should have been easily prevented.
I don’t have to act like I’m a reporter – I tend to report what I read from sources, but not trust it. For example this tidbit, “Only users of the Orion software platform are affected, and specifically only those that loaded their March update – SolarWinds has confirmed that 18,000 customers have done this.” (found at www.neuralegion.com), sounds good, but it’s a typical tactic to diminish the extent of a hack. If a computer company is breached, you don’t want to assume it’s all good as soon as you get this kind of statement. It’s almost inevitable you’ll see other stories like “oh, it was more extensive than first thought”, as I’ve seen all over the internet. I’m reporting this more as a historical event than as current news.
You want to learn from huge cases of espionage instead of just worrying and then not adapting to the way the world has changed since then. This was more of an espionage-type attack than just a chance to do as much damage as possible. That means a lot of tracks will have been covered, and there will be long-term concerns about cleaning away back doors and changes that aren’t known.
SolarWinds are a good company with a big set of products, but mostly it sits on top of other software and brings it together into a behemoth security suite. Once someone found a way around that, it became perhaps a suggestion that by using their software you were now hacked or very much at risk. It turns so fast, and I suspect they have fixed things and figured it out – but you never can be sure that they really knew how they got hacked. Hubris will demand that their corporate “PR spinners” rewrite history if they didn’t actually figure it all out.
Open source products are often much slower to come into their own. They are a labour of love that has learned from everyone’s experience and mistakes. Anyone can contribute or report bugs – it’s all there to be seen by hackers, and the hackers are likely to take a bounty for revealing the vulnerabilities. It’s not always the same with corporate software, which is probably guarded and protected. It’s a bit like Bitcoin versus banking: banking gets hacked; Bitcoin hasn’t really been hacked. It had a few close calls, but then they made it stronger, because it has no real owner – just a community. It lives in the wild – it’s known as the sewer rat, immune to effluent, or the honey badger that can tolerate vast abuse as it just takes the honey. Banking software lives in protected environments and is often easy peasy to hack if anyone gets past those boundaries. The proof is in the results – constant theft and hacks, and it’s paid for by insurance overheads.
Sure – you can still use commercial products, but one or two layers of your defense should be open source. If you are serious about security then you’ll be using a Linux replacement for Windows/Apple. However, it’s not so simple if you want software that runs on those commercial systems. So at least have a pfSense based firewall – that is always our first recommendation, and I’ll explain it in further blogs and show-case articles.
One piece of advice is “Implement (or improve) a third-party risk management program with particular focus on vendor access of any kind.” What does that mean? It means that relying on commercial providers always has a benefit and a risk. I recommend using a smaller team that is accountable rather than a large group that tends to just shuffle risky staff and problems around to conceal them.