The information security industry is broken, according to David Jacoby, senior security researcher at Kaspersky Lab, Sweden.
“We think we understand security, but we don’t. We know what we should be doing, but often we don’t do it,” he told the opening session of the (ISC)² Security Congress, Europe, the Middle-East and Africa 2015 in Munich.
According to Jacoby, information security professionals need to start really caring about information security and ensuring the businesses they support do the same.
“We need to focus on what we are trying to do. We need to stop talking about what all our security products are doing and talk about what they are not doing,” he said.
By looking at what security products are not doing, Jacoby said information security professionals can identify what they need to concentrate on.
“We also need to stop talking about emerging and future threats, and instead first solve the problems that we have known about for 30 years and still not addressed,” he said.
Jacoby said that while a lot of attention is being devoted to the security threats of the internet of things (IoT), little or no attention is being paid to the security risks of things such as storage devices and routers.
To illustrate this, he showed how he was able to use an emailed link to a video to bypass the firewall on his home network and access his home storage device from a remote location.
“Once I had the IP address of the storage device, which is really a small server, I was able to get a connection because the software is continually looking for a connection request,” said Jacoby.
He found that the factory-installed Python software on the Linux-based storage device he uses for backup provided 22 ways of executing code on the device with administrator privileges.
“This is a big security concern because an attacker could hijack the device and hook it up to a botnet, and even a factory reset would not remove the botnet malware,” said Jacoby.
Any security professional finding these kinds of vulnerabilities in software and hardware products, he said, should report them to the suppliers.
However, he said not one of the suppliers that he notified seemed willing to engage with him or keen to resolve the security issues he had found.
“We have to change this. We need to spend more time thinking and talking about how we can change the industry. We have to ensure the whole of the industry takes its responsibility seriously,” said Jacoby.