Carry On Regardless

Lets look at four examples I see with almost carbon copy regularity

//1. NOTHING TO SEE HERE PLEASE MOVE ALONG

Another day. Another site compromised. Although this seems strangely familiar. It is – notes suggest this happened to the same site a few weeks ago.

Checking over the notes on the tickets the end user has given their word that they have identified the issues, figured out how the attacker got in – and taken steps to remedy this.

It’s okay to not understand, to need help and advice – it is super fine. It’s not okay to lie.

//2. THIS IS UNACCEPTABLE

Another day, another site.

“My website has been compromised, again!”
“This is not acceptable”
I am moving my site to another provider

Sure. The behind the scenes work from a small army of layered mechanisms has failed to protect you from …. yourself. Repeated automated emails sent out about your WordPress (Joomla/Drupal) being out of date. But no.

//3. THIS IS NOT WHAT I PAY FOR

So you pull together some facts. Pull together one of the take down requests. Link to some of the blog articles you have put together on why this kind of thing happens – the importance of keeping patched, and you spend some time on setting the scene and options to move forwards. Today is a good day. This is going to be fine.

You ask for some come back, some log extracts, some explanation as to what steps they have taken to lock it down, maybe even for their opinion on the logs.

“This is your problem – this is what I pay you for!”

You bite hard down on your tongue and search around for the right words to use as realistically as you to outline how you have had a take down, bad things have clearly happened, and you have gone above and beyond to attempt to help them with the plight they are facing … hell you have even written previous articles on it because it is SO common, so every day – you know – to help them… because you give a monkies…. but no… lets be clear here… the package you installed and failed to maintain, update, secure, ….. care for – despite how important it may be to you… has bitten you and now you don’t want to clear up the mess. “Wake up Mr Freeman, wake up and smell the ashes”

//4. NO MATE THE CUSTOMER NO LONGER PAYS

The usual banter, takedown, yabber, yabber, badness, fix, identify first, assurances, known good backup and so on.

“Sorry mate I don’t keep that patched – the customer doesn’t pay for that.”

A small but significant pop is heard from the vacuous space between my ears and my head falls lifeless into the keys….

… be hold the MAJESTY of what we have become.

The mirror.

It is your harshest critic.

Take a long, hard, look.

Today is the day after I joined in with the local Cyber Security Cluster… felt others pain. Realised for all the high focus high skill attacks – there is an unseen, unreported, burgeoning underclass of denial and avoidance. The every day, of every shared hosting environment on the planet.

You can always do more. You will always miss something. But realistically short of unplugging it, removing human access, sticking it in a Faraday cage encased in concrete at the bottom of the Mariana Trench things still need to work.

So what do we do… well:

– Mitigation appliances;
– Unified Threat Management appliances;
– Intrusion Detection;
– Intrusion Prevention;
– Firewalls;
– Real Time Block Lists;
– Application Firewalls;
– Active analysis firewalls;
– Damage imitation through containerisation;
– Per user IO and resource throttling;
– OS patching maintenance auditing and hardening;
– Scanning, notification, auditing workflow.

*’No names,specifics, or brands there darlink’…. and not all the secrets either… ssshhh.

What you DO pay for is a fraction of a shared platform (in most situations), secure ISO compliant environment, highly skilled staff with around the clock cover, often (and despite this) on zero hour contracts and certainly with “no overtime”. You get redundant industrial power feeds, batteries, uninterruptible power supplies, generators to back those up, fuel lakes to keep them powered. You get industrial environmental control chewing through around a third of total consumption. Miles of copper and fibre cabling. Redundant geodiverse high capacity redundant internet feeds. Peering, full routing, networking infrastructure, unified threat management… and that is before the parts you get to the service you “are paying for”… web, email, dns application layer services delivered ontop of a managed and hardened OS with a licensed vendor software on enterprise grade hardware.

…deep breath…

I digress.

… the list is long and distinguished – yet still that difficult conversation looms – and the mirror is held up.

We have done our bit – how about you?

No.

Sad face.

We all make errors. We all forget things. We all “Err” as the saying goes. However there is not “Doing The Needful” as it where.

I heard it mentioned that you should “treat the online world like the real world”. I am not so sure that even holds water. I can pick my own locks yet have not bothered to upgrade them knowing if someone wants in they will centre-punch the corner of a window, or pry one off its hinges. *shakes head at the real skills market ;)

However – anything you put on line – you should assume it will be lost, or taken down.

Diligence helps. Keep on top of patching, backups to roll back to, log monitoring, keeping ontop of things… makes you a little less easy pickings for the background hum of automated attacks. But that is all. If someone WANTS in – then its just a matter of when…. and in many ways – the bigger they are the harder they fall. The quieter you are – the more you hear as it where as I read daily written on something. … and I hear plenty.

With talk of rolling out a ‘Gas Safe’ kind of certification for online business – it is something as opposed to nothing – but is it the right tool for the job? I am not so sure…..

In a world where “Turn my site back on.”
“Sorry Madam but it is attacking the Government of Ghana?”
“I don’t care – I need my shop back up.”
“I notice that you have not patched this for quite some time.”
“I tried but it broke the theme so I put it back as it was.”
“[…]”

… in a world where hosting is chosen as the product with the lowest cost – irrespective of what that delivers, and often while significant funds are being spent on say – Google Ads… there is next to NO chance they would pay for certification unless it was a legal necessity (!), or it reduced their outgoings. If it doesn’t effect people’s wallets its overlooked.

Toothless, self evaluations for a cost are not going to reap results in my opinion – not with the reality I live. Unless those very same toothless realities were binding agreements of liability if wrong… and with such things starting to be bought in as an entry bar to being on the supply chain of a larger player with something to lose.

There will always be a way in…. be it an advert on LinkedIN of an engineer with access… or an environmental subsystem … but while it is socially acceptable to just carry on regardless…. there will be no shortage of foot soldiers.

Rant ends.

I will, for my sins be giving a talk on malicious activity within the shared hosting environment at November’s North Wales Cyber Security Cluster meeting. Terrified? Much.

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this:
Skip to toolbar