What does an election audit in Arizona and a pipeline operator have to do with the security of your website? It turns out a lot.
Recently an audit of the US presidential election votes in Maricopa county in the state of Arizona started. The audit has noted for being poorly run, violating rules to ensure integrity of the process, and involving strange things, like trying to check for the presence of bamboo in ballots.
That doesn’t sound like it should relate to the security of your website and it shouldn’t, but it does. The reason for that is that the company in charge of the audit, Cyber Ninjas, is a cybersecurity company. They have no experience in doing an election audit, which is good reason for them not to be doing an election audit, but also is probably a good reason they shouldn’t be doing security either.
What seems like it should be a basic element of being a professional would be to stick to what you have expertise in. An architect wouldn’t agree to take on demolishing a building just because they know how to build them. When it comes to the security industry, we frequently see people involved in things they clearly shouldn’t be. In fact, very few people in the industry seem like they should be anywhere near it. Looking at Cyber Ninjas website, they are claiming to offer a very wide range of services, which might be a sign they are offering services without the needed expertise to properly handle them.
The other thing that stands out for us about Cyber Ninjas website is how it looks so obviously untrustworthy. A lot of it is the same stuff you see repeatedly on security companies’ websites, for example, there is the obligatory stock photo of some dressed like they are going to break in to a building at a computer:
We have a hard time understanding how anyone would look at something like that and not avoid that company, but people don’t seem to feel that way. Even the name seems like it would ward people away from the company, but it doesn’t seem to.
Part of that text next to that image reads (the weird characters are in the original):
The headlines are increasingly filled with articles about hackers compromising systems and stealing data. While it often seems like they must be utilizing some dark ninja magic to accomplish their amazing feats; the reality is that most security breaches are conducted utilizing types of security vulnerabilities weâ€™ve known how to prevent for over 10 years.
While that is mostly true, curiously if you head over to the website’s services page, the company doesn’t seem to be focused on actually addressing that. But instead on selling people on services that don’t directly address the issue and indirectly address it an ineffective way. One of the three things they highlight, and the one they provide the most specificity, is ethical hacking:
From what we can tell, ethical hacking is mostly a rip-off. You end up paying a lot of money to inefficiently review things and the issues found are not resolved.
Cyber Ninjas has gotten a fair amount of coverage because of their involvement with the audit, but there has been very little of it from security journalism outlets. What little there has been has been devoid of any discussion of what this says about the legitimacy of the security industry. There is probably a good reason for that, as companies like Cyber Ninjas are frequently the only sources for security journalists stories, despite being companies, that like Cyber Ninjas, seem like a serious journalist should be warning about, not relying on. In line with that, security journalism is quite bad, which brings in the next part of this, a pipeline company, and gets back to a claim Cyber Ninjas made.
A ransomware situation involving a US pipeline operator, Colonial Pipeline, has received a lot of news coverage. There was a claimed detail that seems rather important from a wider security perspective. Colonial Pipeline wasn’t keeping their software up to date:
Interesting forensic finding on Colonial Pipeline: They were STILL using a vulnerable version of Microsoft Exchange (the same systems exploited by Chinese hackers that was revealed in March), among other notable lapses. Per Coalition. pic.twitter.com/TvsEN8S3Ew
— Nicole Perlroth (@nicoleperlroth) May 11, 2021
It is important to note that the claim about one piece of software being the “most likely culprit” is just speculation. What is important about that is that keeping software up to date is one of the most important security steps and one that often isn’t done.
While usage of outdated software that is known to be insecure is often the source of hacks we deal with and the source of high-profile hackings, both security companies and security journalists seem rather uninterested in that be better dealt with. For security companies, that could be explained by it being bad for business. Right now they can charge a lot of money for security services that require little work and don’t actually have to work (you might have noticed despite all the money being spent on security, security doesn’t seem to get better). The reason that security journalist do this is harder to explain.
Improving Your Website’s Security
Improving the security of websites, and security in general, is more difficult than it should as long as the security industry and security journalists are taking actions counter to actually improving security. But to improve security, your focus should be addressing real threats with proven solutions. Keeping software up to date is a proven solution since it will avoid systems getting hacked because of vulnerabilities that have been fixed. By comparison, while security services frequently make extraordinary claims about the results they deliver, those are almost never backed up with evidence of their effectiveness. Based on plenty of experiencing looking at them in different ways, that is in part because they don’t deliver the results claimed, in many cases, if you just look at how they are advertised that becomes clear.
So when looking to improve security, you should ask what is the evidence that something will improve security versus looking at unsupported claims of amazing results.
Also, if claims sound extraordinary, they probably are not true.