BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

September 11th – Lest We Forget.

Posted September 11, 2012    Marc Maiffret

Today marks the 11 year anniversary of the “September 11th” attacks. It is on these days of remembrance that our memory serves as a tool to heal us, to free us from the emotional burdens that can keep us from moving forward. This happens not by allowing these memories to fade from our consciousness, but by the juxtaposition between our past and present as a way to learn how we might grow.

Often times when extreme tragedy strikes, we search for answers of why it happened and how it could have been prevented. Much debate is given to these topics as it relates to 9/11, but at the core of such discussions is the simplicity that evil can sometimes prevail and we must fight against complacency, at all costs, in order to keep a balance of good in this world.

I often think of the balance between evil and complacency in my own profession within the computer security industry. I say this not to build the importance of one’s life work vs. an incomparable tragedy, but rather as a parallel that I might take something from the events of 9/11 to put actions of good back into this world: to find my own meaning and sense of healing like many others whom lost a friend or loved one on 9/11 or the wars thereafter which are still fought even now.

You see, the business of security is one that is truly a fight against complacency. Security is an intricate dance of not simply the forces of good and evil but of both fear-mongering rhetoric and oft ignored warnings of real dangers. So much of what a security professional does is a process of filtering out the signal from the noise. It is no doubt a taxing effort day in and out to try to make sense of the events unfolding around us and make decisions that can be proactive in preventing future disasters.

I cannot speak to the events prior to 9/11 and what could have been prevented. I say this now, not as rhetoric, but based on a career having been hired to legitimately test and compromise the security of major corporations across all major sectors of industry within the United States: it is with unmistakable belief that societies built upon a technological dependence should heed a warning that we are simply waiting for our 9/11 moment where this machine comes to a halt. Not in terms of loss of life but that of a shock and awe technological failing that cuts to the very core of the culture and economy we continue to make our keeper.

Some would say that the deadlock in Washington affects all manner of policy decisions including those on cyber security. As with so many things in life we need not wait for Washington in order to move forward. As a collective of technologists, developers, security and IT professionals, researchers and most importantly Hackers in the original, un-bastardized, definition of the word, we have but a choice to wake up each day and continue to push this fight forward regardless of this race having no end.

To those in the United States government, military, and intelligence agencies who fight tirelessly every day for the good of humanity and not party politics: we thank you.

Stay relentless,
Marc Maiffret

Tags:
, , , , , , ,

Leave a Reply

Additional articles

asp-mvc

Exploiting MS14-059 because sometimes XSS is fun, sometimes…

Posted October 17, 2014    BeyondTrust Research Team

This October, Microsoft has provided a security update for System.Web.Mvc.dll which addresses a ‘Security Feature Bypass’. The vulnerability itself is in ASP.NET MVC technology and given its wide adoption we thought we would take a closer look. Referring to the bulletin we can glean a few useful pieces of information: “A cross-site scripting (XSS) vulnerability exists…

Tags:
4bestpracticesaudits-blog

Four Best Practices for Passing Privileged Account Audits

Posted October 16, 2014    Chris Burd

Like most IT organizations, your team may periodically face the “dreaded” task of being audited. Your process for delegating privileged access to desktops, servers, and infrastructure devices is a massive target for the auditor’s microscope. An audit’s findings can have significant implications on technology and business strategy, so it’s critical to make sure you’re prepared…

Tags:
, , , ,

Bad POODLE, Don’t Bite!

Posted October 16, 2014    BeyondTrust Research Team

Researchers at Google (Bodo Moller, Thai Duong, and Krzysztof Kotowicz) have discovered that the encryption schemes used by SSL 3.0 are exploitable (CVE-2014-3566). Although the majority of web servers implement Transport Layer Security (TLS), the majority of clients will downgrade to SSL 3.0 in an attempt to maintain interoperability between protocols. For example, when a…

Tags:
,