2018 was the year in which we encountered thenewishterm ‘Digital Transformation’ take a grip in computing vocabulary, which on occasions has even crossed the conversational lines onto the lips of some involved in the Cyber Security Industry – and this I must admit concerns me deeply for multiple reasons.
As we have observed in the last 12 months, banking systems have been brought to their knees by ill-conceived upgrades which clearly did not take account of the outcome, let alone any modicum of a backout plan, not to mention an outage which implicated global users of a telco-service, caused by, what would seem to be amisunderstanding, ormismanagementof a third party application/service (Critical Asset) which encountered a revoked/out of date X509 – all of which impacted the poor old user who relies on such services to maintain their daily lifestyle which have become so very interwoven with forced technology by default. And this is leaving to one side all the other such failures and systems outages which have had a very real impact on that end user’s life – from Global Banking Systems, though to lines of customers at the Supermarket tills who have just discovered on-mass, their credit cards are being declined as a result of some chaotic systems outage. In fact, only this week, I attempted to pay my Vodaphone bill on no less than 5 occasions – 1 and 2. The Automated Payment Systems failed twice (but this is not uncommon), 2. I called to make a Payment to set up a new Direct Debit, and was sent to a text link which was no use whatsoever – so I called, only to be told that all their payment systems were having issues, and that they would call me back – they never did!
In my humble opinion, based on more years than I care to mention working in bothhorizontalandverticalindustries, including Government, Oil and Gas, Financial, Betting, Legal to name but a few, I have some obvious, and worrying awareness when it comes tocommercialisationandcost cutting, that those little luxuries likeGovernance,Compliance, and of course security do tend to be included, notwithstanding they can be placed on the back-burner oflip-service. As an example of this, I recall when working for an East Midlands based Credit Reference Agency. One day, after a successful sales venture, one of the sales team returned to the office having sold a high earner solution to a client – the problem was, the solution in the form as sold didnotexist, but a commercial commitment had been made – and more than that, the financial reward looked to be avery lucrative deal. Given here that money was king, the development team quickly set about bending the system to meet the client expectation with workarounds, and several convolutedsystem-to-system, andcross-applicationbuilds, culminating in a solution which at least met the operational needs. However, unlike the good advice that was given way back in the world of computing in the CESG Memorandum Number 10 – the building in of security from the basic concept was not considered – it was, as I have stated the ‘money’ which was the king of the conversation. That being the case of the time, this very same organisation left a DNS setting with an Open Zone Transfer, which gave access to several internal servers along with the ability to extract hard-coded User ID and Password from a secure side script – Not good I am sure you agree, and yet another example of none compliant OWASP advice.
In this age of Digital Transformation, which can also be known as AKA ‘Cost Reduction’ I am hopeful that those Security Professionals amongst this conversation remember just what their role is in such a migration change of delivering services and business – it is their role to be that elephant in the room who askes those awkward questions to ensure the world becomes a much more secure place, as opposed to following the tracks on deeper engrained insecurity.
John is the Principle at Shadow-Intelligence (Si), partnering with PALISCOPE, BreachAware and iStorage. He is a Visiting Professor at the School of Science and Technology, Nottingham, Trent University (NTU) and holds the appointment of Editor in Chief for the International Journal of Cyber Forensics and Advanced Threat Investigations (CFATI). For the last decade he has delivered training courses in the Middle, and Far East to Commercial, Industrial, the Financial Services Sector, and Military Agencies, including the UAE, US, Pakistan, Saudi Arabia, Malaysia (KL), Singapore, Argentina, and Sao Paulo
He served in the Royal Air Force 22 years’, specialising in Counterintelligence, working with UK Agencies such as GCHQ/CESG, and others in the fields of SIGINT, COMINT and Satellite Communications, holding appointments such as System ITSO for a CIA SCIF.
In the commercials sectors of IT/Cyber he has worked for/with Logica, Bae, T5, GM, Experian, Betfair, Palace of Westminster, House of Lords/Commons, TSol (Treasury Solicitors) and provided Consultancy to the Saudi Arabian MOD, TRA (Telecommunications Authority (Dubai) and the Military Academy of Malaysia (KL) on SOC, CSIRT, Digital Forensics and OSINT. Within the last 5 years he has focused on Geopolitics, with global expertise around the UAE and Russia, Anti-Terrorist Operations (ATO), Cyber-Warfare, Dezinformatsiya (Disinformation) and Maskirovka (Military Deception).
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.