Perhaps I am a little biased considering what we do at Raxis, but I am convinced that it isn’t a good idea to bet the farm on the latest security gear to defend your organization.
In 2017 alone, we’ve all seen many major hacks, including substantial releases from Shadow Brokers and WikiLeaks. There’s a lot already lost, such as voter registration data and consumer credit information.
Don’t get me wrong, I think the latest fancy security solution can help. However, our team at Raxis is seeing many attacks that are not being stopped by current gear. For example, we’ve breached applications through manually fuzzing API calls using a method that most hardware can’t protect against. The latest web application firewall might be able to stop these attacks, but most organizations don’t configure it appropriately to do so. In some cases, it’s a logic error that we’re able to exploit to gain information from the backend systems without making any illegal calls.
And even worse, we’ve seen, time and time again, where security operations centers send an email out with no further action taken.
Our experience also has shown that nearly every organization has a far weaker security posture internally. Once the perimeter is breached, from using a stolen password to gaining shell access through a web service call, pivoting to other machines is often quite trivial. None of this is hard to exploit, but fortunately none of it is hard to fix.
The problem is not the difficulty of the fix, it is knowing what needs to be fixed. In almost every case, the hacks we find are very simple to execute, and our customer had no idea they existed.
The fix for these hacks usually is not spending $100K on a new fancy next generation firewall with all of the bells and whistles. It’s a simple code change or a system that was missed in patch management. Perhaps this is too good to be true; but, keep in mind that hackers go after the path of least resistance. It is far easier to breach your competitor with the Windows 2003 server install than to spend significant time researching how to get past your reasonably secure system.So keep buying your security gear. Combine it with a penetration test on every single piece of code that runs in production, and we’ll help you find the vulnerabilities you missed.