7 Vulnerabilities That You Can Never Patch

precious

Apr 22, 2024
Principles (reasons for effectiveness), objective 1.1, CompTIA Security+ SY0-601

Authority: Having faith in those in positions of power, even when they are incorrect. An employee was duped by a CEO scam email into sending $47 million.

Intimidation: Fear forces quick, irrational actions. IRS scam calls threaten arrests for unpaid taxes.

Consensus: Adhering to the herd, even when it doesn't make sense. "Your coworkers already signed up for this!" emails lead to phishing pages.

Scarcity: Limited-time offers. Scammers use "limited deals" on phony websites to entice victims of Black Friday scams.

Familiarity: Trusting what is known, even if it is out of date. False WeTransfer emails spread viruses by using recognizable branding.

Trust: Having too much faith in people or institutions. Scammers on LinkedIn establish a rapport while sending harmful links.

Urgency: Making snap decisions without giving them enough thought. Credential theft results from "Reset your password now or lose access!" prompts.
I beg to differ that these things cannot be "patched" or remediated.

For much of this, using the Zero Trust model within your organization deals with situations that cannot be necessarily managed through software. For other things, a solid training approach with regular testing can deal with these things. I remember an article I wrote long ago about Layer 8 security - which addresses where most vulnerabilities are.

And remember, there are those very old, near-cliché "Defense in Depth" strategies that also deal with the human element.

Attached to this are what I've posted in my classrooms for security students.

/r
 

Attachments

  • twelve_commandments_of_security.pdf
You're absolutely right! Zero Trust, training, and Layer 8 security can significantly reduce the risks associated with these vulnerabilities. While they can't 'patch' human nature entirely, they help mitigate how effectively these principles can be exploited.

Curious to see what you have shared in the file—although I can't help but wonder if this is a test to see if I will click without thinking! 😉 Either way, I appreciate the additional insights and materials to learn from you.
While your trepidation and caution are good perspectives to have, it's just a simple PDF. Nothing to fear in that one.

/r
@Rick Butler
My students usually get easily confused by command number 6, "Security through obscurity is never good policy", since during the cryptography session I teach them three principles that strong ciphers follow to ensure secrecy: confusion, diffusion and obfuscation. For example, in symmetric encryption, obfuscation makes the ciphertext look random and hard to decipher. On the other hand, I also tell them that the workings of cryptographic algorithms, for example in public key cryptography like RSA, are publicly known and easy to understand—it's the private key that ensures security, not the secrecy of the algorithm itself. This contrast can be tricky for students, as they struggle to grasp why obfuscation works in some cases (like symmetric ciphers) but not in others (like RSA). Ever had a similar or related experience with your students?
 
Well, I've seen far too many times when people would try to hide assets, measures, and countermeasures to account for any perceived shortfalls. The thing is, sooner or later, the word gets out and folks know (or discover) what you want to hide.

Case in point, using tools like AnyDesk or LogMeIn. There are bots that regularly scan for those, for the simple goal of compromising them. They constantly scan every IP address out there, looking for open ports - with the speed of tech, it doesn't take much time for the bad guys to know you're out there.

So, counting on hiding stuff is pretty much a useless idea.

Now, granted you don't want to have the attitude of "come at me, bro", but at the same time, putting any confidence in increasing security by obscurity, to me, is not a good plan.
Then zero trust should be the alternative to deal with.