Security 2017 armchair recap

[Pic0o]

It's pretty difficult to fully gauge the scope of things broken in 2017.  Running with the armchair line in the title, there are some things you did not want to be right about and the state of operating security is one of those things.  I have some time and what I consider to be considerable experience in running and supporting systems.  The scope of things broken or data swiped away from production, really large systems in 2017 is out of scope, short of you imagination running wild.

BitCoin exchanges have been taken over multiple times since the folly of Mt. Gox, user data has rampantly been leaked, be it by opt-in systems or the more nefarious collection services like Equifax.  Vendor equipment has been found multiple times with back doors, while operating systems and integrated devices have seen more updates and bug fixes this year, than I feel like the last 4 years combined.  Retconning the current trends, it feels like development and security are still not concurrent activities.  The run to get something online and into production with the intent to harden it later, is frankly, a crock of shit.

I know that no one is perfect and there will be issues, but when the design choices dictate to move fast and fix things later, you find the foundation of that object is flawed.  Looking at the Internet of Things integrated devices, those things turn on and phone home, at best.  Patching is either a black hole or some sort of last ditch effort when you are in a bind.  Granted the IoT devices also tend to have OS-level runtime vulnerabilities that can turn them into a horde of DDoS devices.  Likely along the lines of default credentials and the combo of being largely unattended online.

Stepping back, then we have the stacking issues Intel ME vulnerabilities that run on a privilege ring higher than that operating system level.  Chip-level overseer vulnerability access is something right of of some techno-dystopia, yet here we are.

I can complain for days but instead I keep reading and trying to stay somewhat informed.  Crypto-lockers and malware are scaring businesses into their backup confirmations, but it does not seem like the inroads for fully scoping the priority of their business data and investing in people and equipment resources, is quite getting there yet.  The more 3rd party tools you rely on, the greater need to vet the chain of software used and interacting with an environment.

Ending my rant, please be conscious of information you share online.  It could be a matter of days before that mega hot new company, either gets their database popped and sold, or they have a bad quarter and sell the user data to bail them out of a debt hole.  These days the data is the big money item.  I dare say that's why so many new applications and operating systems try to phone home with diagnostic data and the like.