End of the year thoughts on IT/InfoSec (updated)

I haven’t posted in a bit and thought I would update my site and share some quasi-random thoughts and lessons learned in IT/InfoSec in the past year or so:

1.) Having enough staff and support that handles IT/InfoSec matters is not only an operational concern but also a security concern. There have been plenty of instances of businesses being compromised or having issues during holidays when they’re running on a skeleton crew. There are businesses who try to continuously run on skeleton crews and use automation to augment them. In my humble opinion this is more of a risk than what it’s worth. Which leads me to my next point.

2.) Revenue and control are top priorities for businesses. I would even argue revenue is more important. Having and running a business is a risk/reward venture. People who take the risk of starting and growing a business are willing to do what helps the bottom line. This means that they don’t necessarily care about if they’re using vulnerable software or infrastructure. They don’t care how much you can ‘pwn’ them; they want to know how much of a risk it is and will it affect their bottom line. Adding to this point, years ago I remember seeing posts (that I can’t find at the moment) that some western businesses knowingly/assumingly let China steal intellectual property but were too afraid to report it to the western authorities because they did not want to lose the Chinese market.

3.) The world runs on vulnerable software and will continue to. If I’m a business owner and I have a Windows XP machine that is hooked up to my network with appropriate safety guards in place and this XP machine interfaces with a machine that is helping my bottom line, I really don’t care if it’s necessarily within compliance/regulations.  As a matter of fact, a lab I worked at had a blood platelet counting machine that is FDA approved, this machine still runs Windows XP.

4.) Regardless of what makes sense in the security realm, management can override controls. Try telling a CEO/founder that they need to have MFA on when they’re of an older generation and computers are just an annoyance and necessary evil for their business. Again, this person has likely taken big risks to get to where they are and make the business flourish. Additionally, auditors to this person are an annoyance and a barrier to how they want their business to operate.

5.) Rookie mistakes can lead to catastrophic failures. Recently, I was tasked with performing upgrades on a server farm and due to work, which was done on this server some years back, a loose screw was left in the chassis. The screw arced the motherboard and brought down huge sections of the network and security controls. Let us not forget what happened to MGM. Regardless of what level you’re at in IT/Infosec, having solid fundamentals is key.

6.) Documentation is almost as important if not at times more important than the work performed. We all know there’s google and ways of searching the web, however, the web can lead you down roads that are not accurate or only provide partial answers. In addition, documentation can be removed by the entities who desire this and this includes archive.org.  A robust documentation system that is up to date is key to any successful IT operation. Projects and complex issues should have well documented and reviewed processes that can be easily searched. I’m personally not a fan of documentation being stored on samba shares and prefer a solution maybe more similar to: https://itflow.org/

(This is also a good read/worthwhile mention: https://xwiki.com/en/Blog/open-source-alternatives-to-Confluence/)

7.) Skip the salesperson, reach out to an engineer. This might not necessarily be a given but anyone who doesn’t have to support a product or solution and is just peddling it, will try to sell you the moon. Contact the support engineers and see how that goes. Pick their brains and play the role of someone who may need more advanced help with the product or solution. Sales engineers could be a potential answer but to me, “sales” means we have a product or service to sell.

8.) Advanced threats or state actors will always find a way in. There’s this idea of absolute and perfect security that people may strive toward. We all appreciate their efforts but as long as there are entities with deep pockets and nearly limitless resources, they will find a way to compromise their targets. Your ransomware protection scheme has its gaps and a state actor will find flaws. Accept this reality.

9.) Your anti-ransomware backup solution isn’t bullet proof. As long as you need to perform space management on your backup solution, some sort of flag or parameter could be potentially exploited to encrypt your backups. I personally think off-line backups are a great means of deterring ransomware but again, they’re not bullet proof.

#Update 3/9/2024

10.) The software you use that relies on libraries or code from multiple sources is a huge risk. Software supply chain attacks should be a huge concern and not overlooked. Controlling the source of where you get your software from and how its verified is crucial. Hashing and using mock environments to test and monitor software might be a great means of mitigating this risk.

11.) Geofencing is a great tool but attackers adapt and errors can cause denial of service conditions. Pertaining to errors, see this reddit post regarding maxmind that I personally experienced: https://maglit.me/unngenedismist

12.) Saying, “I don’t know” is ok. If you don’t know something.. say it and don’t start speculating if you truly don’t know.

#Update 3/26/2024

13.) Air gapped security only works so long in isolation. An offline MS-DOS system that does a limited range of functions can be a victim to the sands of time. For instance, a key that this system produces may work for the intended applications of a time period or range but technology changes.

14.) All technology that is connected with some sorts of means to the internet is spyware. A device that is built with the best intentions of privacy and security, once connected to the internet is a means of exposing an almost infinite attack surface. For example, your 100% trusted device could connect to a bank and while your device is 100% secure by itself, you provide information to a compromised entity.

AV evasion fun with ChatGPT

I’ve used chatgpt for work on some SQL queries that I had troubles with and granted it worked.

I have 0 idea if this will compile or work.. I’m sharing the idea that I’m sure is not original:




#include <stdio.h> #include <stdlib.h> void execute_shellcode() { __asm__(“mov $0xff,%eax\n\t” “inc %eax\n\t” “xor %ebx,%ebx\n\t” “mov $0xff,%edx\n\t” “inc %edx\n\t” “xor %ecx,%ecx\n\t” “int $0x80”); } int main() { void (*function_ptr)() = &execute_shellcode; function_ptr(); return 0; }

My TLDR version of Zero Trust Computing/Networking

Zero Trust Computing/Networking to me means that you have to assume all end points are directly exposed to the internet and all of their services/ports/exchanges say, “Hey, we are open but refer to the control plane (layered control systems) to access our data plane but you need to verify x amount of information that is dependent on multiple semi-dislike but aligned factors that put together, are hard to reproduce”. All fellow nodes or hosting infrastructures are assumed to be compromised but regardless of how ‘secure’ the zero trust system is, if humans need to interact with it, there will be ways to exploit it. Strong and reasonable cryptography (considering computing power and what information is at stake) along with mitigating low level speculative processing exploits will be of utmost importance and telemetry/diagnostics will become harder to use unless given cascading but potentially tiered/layered permissions.

( “7 principles of zero trust security model“, is a good and short read as well.)