SecurityFail series - the Wall of Shame

I was talking to a peer over at an OWASP chapter meeting recently about proposed talks I've got in mind. And since I've got my soapbox right here, I've decided I am going to start posting about my big gripes: basic security controls which I see as not in place or broken. Nothing tricky like reverse engineering of malware or 0-days.

Oh no.

Basic stuff that we are still doing wrong 20+ years on. Stuff that tells me that 0-day stuff means nothing when people don't keep basic logs, still use default admin passwords, and haven't patched production systems for 2+ years. That sort of stuff.

It may sound boring to you but guess what, you better read it - your half-a-million firewall refresh, your new beaut enterprise anti-virus and integrated vulnerability management solution - it means nothing. Sorry. Likewise, I appreciate reading about 0-days but it doesn't fascinate me when 99.9999% of all people are never going to be exploited with them. No. Most people are going to be exploited by their own laziness or ineptitude. Nearly everywhere I look, it is always the same and it's time people started paying attention.

Risk management is intended as a way to prioritise our time and efforts, not fob off our responsibilities for running a clean ship indefinitely. But too often I see risk acceptance used as a corporate catch-cry for "can't be f**ked" or "TL/DR".

Yes, I use strong language. The mollycoddling has gone on too long. If you are capable enough to read this blog then you are capable of hearing the truth.

Well guess what - my blog will become a Wall of Shame very, very soon. Not just for security folk like myself who haven't done our jobs right when we could have, but for IT managers and admins everywhere. For the senior managers who ignore it. For the CIOs who fail to ask the right questions or honestly don't care to hear the truth. For people who make up excuses why they can't get shit right. For fear of breaking production, for insufficient budget, for overwhelmed staff, or because they just can't be f**ked.

Watch this space.

- J.