Friday, December 22, 2006

What Your Director of Information Security Wishes S/He Could Tell You (Part I)

A long title deserves a long post:

Information System Security Directors (and Managers) must be adept at balancing corporate policies and business objectives with the ideals of security, and the idealistic security engineers who drive them. The most obvious example is when the Director must discern whether or not to recommend a particular system. Justification should be based on the return on security investment (ROSI) but follow-on discussions will be either to management in terms of costs, or to the technical team for the “cavernous holes it leaves in the infrastructure” as one security engineer put it. If one picks a middle road, one only serves to piss off both camps.

When dollars are measured against subjective risks, it is understandable how different experts will come up with different recommendations, ROSI formulae notwithstanding. The adroit Director of Security will be prepared to defend his specific position in the face of any management or technical opposition, and yet be professional enough to reconsider based on new information or priorities.

Security professionals understand that it is sometimes necessary to sacrifice security for revenue. What is harder to swallow, however, is sacrificing security for convenience.

Many security vendors take great pains to minimize user impact. Some companies have even formed around making security friendly to the end user, such as single sign-on systems and federated identity tools.

Some security tools interface only with security or IT professionals, such as vulnerability management or IDS/IPS systems. Others impact everyone yet are nearly transparent, such as firewalls and some antivirus solutions.

What happens, however, when a security implementation is changed for convenience? Let me illustrate:

A few years ago, I was tasked to perform a penetration test against a large mid-sized company. The rules of engagement were simple: do not use information unless it can be shown to be available from outside the company, and the target (the “flag”, if you will) was the password of a specific executive.

I had two weeks.

The next day, I delivered the “prize”. When asked how I did it, I explained the simple technique I used (today we would call it “phishing”, a term which didn’t exist in the late 90’s) and the reply was “that’s not ‘hacking’, that’s ‘subterfuge’”.

The first thing your Director of Information Security wishes he could tell you is, “not all hacking can be stopped with tools. Training and awareness are key components to securing corporate assets, no matter what size the enterprise.” The unfortunate follow-up is the concession that it is extremely difficult and time-consuming to implement an effective security awareness program, and it is far from foolproof, but it should still be required.

Having been downgraded to a “leet subterfuger”, I set out to perform a more technical penetration test. The result was a remote access connection that was brute-forced (actually the password of an executive was guessed by me after a total of fifteen tries while I was in the process of recompiling my RAS password grinding engine), and an unpatched internal system which provided the launching point for a reverse tunnel and some serious network scanning.

Two days later, I delivered the “prize”. It should be noted that the first “prize” looked remarkably like the user’s last name sans capitalization. The second time, the user had cleverly appended “01” to the end, thus completely befuddling any brute force tools in existence prior to the late 70’s. “If I make it too difficult, my secretary will forget it,” was the rationale provided. This may be the subject of another article.

In security, as in Perl, the motto “There’s more than one way to do it” applies, maybe with the addendum, “but where should I start?” The above scenario drove the right questions, but failed by hitting only a few of the answers, and hitting them wrong.

Any competent security professional that had access to the entire scenario above would see a number of places where security should be shored up. Vulnerability scanning would be a good start, since a vulnerable internal system provided the jump-box necessary for the full-scale attack. An intrusion prevention system on the dial-up network or on the server subnet would have provided warning, if not blocked it. Remote endpoint compliance wasn’t an option back then, but it would have provided a key component to prohibit my penetration. The system I compromised through the RAS connection was a desktop which did not match the corporation’s security policy. Endpoint compliance would have identified that this system didn’t have all the appropriate patches (which allowed my penetration) and would have shown that it also didn’t have up-to-date signatures for the anti-virus product, which would have prevented my loading a reverse-tunnel application.

What was the solution of choice? It was strong authentication (in the form of SecurID fobs) for all remote users. Understanding that this was only a starting point (read: better than nothing), the Director moved forward with this solution. It was palatable to the company, despite the cost, because many of the approved remote users already had fobs for access to critical internal systems.

Then the “convenience” shoe hit. The VIPs of the company chose not to participate in this program. While it was understood that the “gateway” to the corporate network hack had been a bad password, and that password was that of an executive (a different one this time), the VIPs could not be expected to carry one of those “fob things” around.

This brings us to the second thing your Director of security would like to tell you, “Exceptions to security for the convenience of a few undermine the security for everyone.” Or, to be (slightly) more succinct, “If you are asking for an exception, you are likely part of the problem.”

It is worth noting that I built a simple tool that spidered websites (well, performed automated search engine lookups, actually, since they already did all the spidering I needed) looking for the name of the company, and two consecutive capitalized words in the same sentence. My tool then compared the capitalized words against name databases and attempted to form first/last name pairs. Out of the 300+ unique pairs it formed, roughly 90 were actual employees at the company. These formed the username list I was going to use for grinding the RAS passwords. Based on that information, do you think these 90 people were low-level people, or high-profile people at the company? Against an attack like this, therefore, whose passwords need to be strongest? If you said, “the very ones who asked to be exempt from the system,” then move to the head of the class.

That easily guessed password wasn’t much of an anomaly. After all the password audits I’ve done at numerous companies, human nature shows obvious patterns when it comes to password selection. In this case, the numbers (and lack of password strength enforcement) were in favor of me blindly guessing some passwords. With a little effort, discerning even more passwords was simple.
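The patterns above (a bare last name, a last name with “01” appended, a hobby word anyone in the office could guess) are exactly what a password-strength rule should refuse before the account ever reaches a RAS port. Below is an added example, not a tool from this post: a small Python audit that rejects passwords derived from the user's identity or built as one short word with a numeric affix. The sample accounts, the 12-character minimum and the leetspeak map are assumptions for illustration.

```python
import re

# Constructed sample accounts (hypothetical people, not real data):
# (username, first name, last name, password the user chose)
SAMPLE_ACCOUNTS = [
    ("jdoe",    "Jane", "Doe",    "doe"),       # bare last name, like the first "prize"
    ("rroe",    "Rick", "Roe",    "Roe01"),     # last name plus "01", like the second "prize"
    ("wsmythe", "Walt", "Smythe", "5myth3!"),   # leetspeak does not hide the name
    ("avance",  "Ann",  "Vance",  "67Vette"),   # not name-based, but short and guessable
    ("pmoss",   "Pat",  "Moss",   "orange-kettle-sparrow-42"),
]

# Assumed policy thresholds; tune to your own standard.
MIN_LENGTH = 12
# Undo the common digit/symbol-for-letter substitutions before comparing.
LEET = str.maketrans("013457@$!", "oieastasi")
# One word of up to 7 letters, optionally wrapped in a few digits/punctuation.
SHORT_WORD_AFFIX = re.compile(r"^\W*\d{0,4}([A-Za-z]{1,7})\d{0,4}\W*$")


def normalize(s):
    """Lowercase and reverse leetspeak so 'Sm1th' compares equal to 'smith'."""
    return s.lower().translate(LEET)


def name_fragments(username, first, last):
    """Identity-derived tokens of 3+ characters that a password must not contain."""
    parts = {username, first, last, first[:1] + last, last + first[:1]}
    return {normalize(p) for p in parts if len(p) >= 3}


def audit_password(password, username, first, last):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    norm = normalize(password)
    for frag in sorted(name_fragments(username, first, last)):
        if frag in norm:
            failures.append("contains identity fragment %r" % frag)
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if SHORT_WORD_AFFIX.match(password):
        failures.append("single short word with numeric affix")
    return failures


def audit_accounts(accounts):
    """Map each username to its failures, keeping only the accounts that fail."""
    report = {}
    for username, first, last, password in accounts:
        failures = audit_password(password, username, first, last)
        if failures:
            report[username] = failures
    return report


if __name__ == "__main__":
    for user, why in audit_accounts(SAMPLE_ACCOUNTS).items():
        print("%-8s REJECT: %s" % (user, "; ".join(why)))
```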

For example, while having a discussion with a VIP at a large company over security issues, he turned to his system and entered his password to unlock his screen. My habit is to not just avert my eyes, but to turn my body away. He chuckled and said, “If you wanted to learn my password, you would have to watch me type it, because you sure aren’t going to guess it.”

Keep in mind this was an exceptional event, but it still bears telling. I looked around his office, at his posters and models, and awards, and took a shot. “67 Vette”?

“Well,” he harrumphed, “how would you spell it?”

My purpose with that visit was to make some recommendations, but I realized this person may not have paid attention to previous security guidance. My final words on behalf of your Director of Security are, “trust your security staff. If you can’t, then hire ones you can,” especially if your eyes glazed over when I started talking about vaguely technical things such as spidering websites.

That’s not to say that an executive need bow to every recommendation, but consider that each recommendation has been carefully thought out, and even though it may impact your user experience, it’s your assets that are on the line.

Wednesday, December 13, 2006

The Future of Christianity I

First, a disclaimer: I am not a prophet. I do not claim to possess any special revelation from God. I also do not claim that we have any future beyond this moment which has been given to us. For this discussion I rely solely on the faculties that God gave me, and for them I am thankful! This article is best read with the understanding that "it" all could come to an end at any moment, thus making this whole shebang moot.

Also, understand that I'm not taking a stand on issues herein, such as gays in the ministry. I'm merely using them to make my point.

There are many debates within Christianity today. Some of them are things that ancient Christians probably couldn't even imagine. From questions about the ministry (the role of women and professed, practicing homosexuals) to the science of a flat earth and a heliocentric solar system.

My question for you is this: what sociological and scientific changes are likely to occur which will impact Christianity? Furthermore, are some of these so drastic as to call into question the need for Christianity?

Sound drastic? Try telling a first-century Christian that the Earth (the home of God's chosen people) is not the center of the universe, nor the galaxy, nor even the solar system. That might shake their faith, after all wouldn't God put us at the center of all things?

Where is the future leading to? Stay with me, this is going to get weird.

Let's start with human cloning. We can fight it all we want, but eventually it's going to happen. Not every country is against this technology. My question is: what is the status of the soul of these people?

Easy enough. They have been awarded a soul by God. Cha-ching.

Now, how about completely synthetic humans? I'm not talking androids, rather I'm talking lab created humans, built from DNA lying around the lab with no fertilization happening, with DNA pulled from multiple sources. Simply taking the DNA code and building a human. Completely feasible (someday).

Let's get crazy. Looking far into the future, how about a genetically engineered half-human, half creature (say a bear) by an unethical regime for the purpose of creating a race of super laborers? Do they have souls? Does the grace of God extend to them? What about a 1/4 human? 1/8 human? Where will God draw the line?

Along the lines of grace, how about aliens? It's not unrealistic to think that we may discover intelligent life (I'm not betting on it, but this fits in with my premise here). If they look like us, great! No problem. Buuuuut, what if they don't? If we were created in God's image, how do we reconcile intelligent bug-eyed grasshopper aliens with God's image? Do we deny them salvation (as the Jews tried to deny it to the gentiles before Paul came around), or must we revisit scripture to justify the fact that our new alien friends are not hell bound? What will ol' bug-eyes say when they find out their saviour was a soft, squishy human, and not a strong exoskeleton-possessed beetle with extra limbs and no facial hair?

What about reanimating deceased people? Future science may well be up to the task of taking dear-old-grandma's corpse and literally rebuilding her. Is this the same person or a different one? If it's different, is she saved if the "old" one was, or must the new one become baptized in the Holy Spirit?

We (as Christians) cannot even agree on the simplest of items, such as the benefit (and scriptural support) for women in the ministry, or the need to dunk people during baptism. Heck, we can't even agree on things where the scriptures aren't so vague! How will future Christians handle what's coming to them?

I don't know, but I have faith that it will work out just fine :-)

-Brian

Tuesday, December 12, 2006

Religion and Politics I: Making Statements

(Caveat: This article was written with the understanding that the "swearing on the Bible" is more of a tradition than anything else. The actual swearing in is apparently done on the floor of Congress)

Keith Ellison, a Muslim from Minnesota elected to Congress, is making waves because he has chosen to be sworn in with his hand on a Quran, not a Bible. This article does quite a good job of covering the issue, as well as lambasting Dennis Prager, a conservative columnist and radio personality, for taking issue with this fact.

Both men make good points (really, read the article for Clarence's view, which summarizes some of Dennis' points) but I'm not here to talk about it from a constitutional standpoint, nor from a politically correct tolerance perspective.

One of my pet peeves is "making a point" at the expense of others.

Bear with me for a moment and an example or two.

I must admit that if I were elected (as a Christian) in a Muslim world, and I was asked to put my hand on the Quran to be sworn in, I would give a resounding "no". The Quran holds no meaning for me (well, no *positive* meaning, anyway).

So how can I be intolerant of Keith Ellison's choice without being a hypocrite?

Let's flip around my comment, and pose it as a question to Muslims: What does the Bible mean to you? I think many Christians (and, unfortunately some Muslims!) may be surprised at the answer.

What does the Bible mean to the world of Islam?

For those who choose not to follow the link, it discusses the Quran's own oft-repeated view of the validity of God's word as brought to us in the Old and New Testaments. There is some debate in the Muslim world on this, just as some Christians reject much of the Old Testament, or claim it no longer has any pertinence.

Now, I shall pose a new hypothetical situation. I (a Christian) am elected to a position in a Jewish nation where I am required to be sworn in with my hand on a Torah. What would I do?

What would Jesus do? (Sorry, I couldn't resist...hmm that's actually a very good question!)

I would have no qualms about swearing in on a Torah, as it is considered Scripture to me and a part of my history as a Christian. Now, I *may* choose to swear in on a Bible, but that would serve no purpose other than to make a point. My hypothetical point? In this example, I guess it would be that I'm a Christian in a Jewish nation representing Christians.

So now to bring it home, according to my logic derived from the link above and my reasoning, it would seem that Keith is a Muslim who is interested in representing Muslims, not Christian Americans. Therefore, he has turned his back on much of his constituency (dare I say a majority?). Keith could use the same logic I did to justify his swearing on a Bible as I used for swearing on a Torah, but he chose to make his point, instead...

...and I think we got his point.

Friday, December 8, 2006

Quick note on Saddam and Iraq

So, popular opinion is now going against the War in Iraq. Even those in favor are wishing it had come out differently.

I've got a quick story/question for you: A known armed robber is lurking outside a 7-11 with a hood on and his hands in his pockets. A policeman pulls up and asks to see his hands. The robber refuses, but says he doesn't have a gun. How many times is the robber allowed to deny the officer's request before the officer takes more drastic measures?

Somehow everyone seemed to forget that Saddam was acting guilty. I'm surprised that in the years since the War in Iraq started this simple fact has not been brought up by the proponents to defend their actions. I'm not a warmonger by any stretch, but after Saddam turned back the U.N. inspectors so many times and we finally invaded, I think most reasonable Americans were wondering "what took so long?"

Yeah, maybe it didn't work out the way it was supposed to, but if one has a history of crime and is acting like a crook, it's time to stop talking, and find a set of handcuffs.

Now as to whether or not that was our job or not...that's a worthy debate. To those who say it's a war about oil, I think if it were we would have acted far sooner. We had the excuses at the ready.

-Brian

Terrorists Amongst Us

No sooner did I post my "Airport Security Part I" comment than I saw in the news a foiled terrorist attack on a mall in Illinois. I am not surprised that "they" (being "us") caught an individual without any direct ties to a known terrorist group. Is he any different than the abortion-clinic bombers of the Christian right? He doesn't need a "group" to tell him what needs to be done, he simply plans and carries it out himself.

We will be seeing many more of these. Some will truly be operating alone, and others will be more like Dick Reid (the "Shoe Bomber") who had some help, but are more of a small, expendable operation.

Now here's where we get to the kicker. My intent was to say that the biggest difference between the Christian who bombs an abortion clinic and the Muslim who crashes a plane is that the Christian community condemns the Christian, while the Muslim community praises the Muslim.

I felt confident saying this because we have heard so little (e.g. nothing) from the Muslim community expressing outrage over the events. Rather, we see Muslims cheering on CNN.

Then *gasp* I did an Altavista search (Oh, Altavista, why dost thou sucketh so much since being purchased by Yahoo?) and to my surprise, the Muslim community not only reacted with outrage over the tragedy of 9/11, but they did so immediately! Funny how this never made any of the news shows I was watching. I think had this actually made American news channels, popular opinion may have helped dictate a different series of events...Look for my next post on Saddam Hussein.

As a security expert, I see too many holes that are there of necessity because of the society we have created for ourselves. We will never cover them all, and to get that last 10% of coverage (see, I made another number up) for the airports will cost a disproportionately large sum of cash; a sum that would be better spent getting other "holes" covered 90%, *especially* since we cannot, with our society, get to the kind of security people want, but without the inconvenience.

The *only* security you will ever have is to make sure that when it's your time to go to the ticket counter in the sky, you're covered. Bring a friend.

Thursday, December 7, 2006

Airport Security Part I: Security Lines

Airport security is much maligned in this country. Everyone from the joe standing in the security line wondering why he must throw away his water bottle and take off his shoes to the well respected security professional who has written tomes on everything from cryptography to hacking has besmirched the process.

I must confess that I found myself in this crowd more often than not. As I stood in line sans shoes and liquids I'd glance around at the facility about me and identify a few ways a do-badder could beat the system depending on their funding, patience and goals.

Inevitably, I would mentally get whatever items I needed through the screening process with a fair enough likelihood of success that I felt quite comfortable joining the throngs of critics.

Then, one day while I was on the road I had an epiphany: "Some of the best minds (don't laugh) have come up with this system. What am I missing?" Therein lay the key question.

I had been mentally compromising airport security from the mindset of a terrorist who was willing to throw their life away for their cause. This is the wrong approach. Being willing to throw one's life away for Jihad is *very* different from being willing to get caught and rot in our legal system for the rest of your productive life. There is no glory in jail, only in death.

So now, what I had considered plots with a reasonable success rate (say, 3 out of 4 times) now suddenly became very risky. Even plots that I estimate would have a 90+ percent success rate don't seem worth the risk of me (the fictional terrorist) rotting in jail and not being able to bring Allah's righteousness down upon the infidels (that, apparently, is the rest of you). Allah wants me on earth being productive, or dead through Jihad, not tossing someone's salad in prison (if you don't understand it, don't look it up. Seriously).

This changes the security game. While security is (unfortunately) 90% reactive and 10% proactive (I made those numbers up) airport security screening as it is defined today (and as it is implemented in larger airports) is a necessary and effective step towards securing our airports. We don't need to eliminate threats, we just need to make them risky enough so that a terrorist isn't willing to risk their chance at death through jihad through the air carriers. In this case, "risky enough" could simply mean the possibility of catching them 1 in 10 times.

I believe we have accomplished this. So much so, in fact, that we have virtually guaranteed that the next attack will come through a different venue. The *only* reason they may continue to risk a shot at the airlines is because of the "bang for the buck" (pardon the tasteless pun) with regards to the impact it had on our economy.

I have faith, however, that the same minds that came up with our security (knowing every little detail about it and the odds of circumvention) are pondering that next possible attack.

And dare I say they have probably already foiled it.

P.S. Yes, there are still tragedies happening around the world related to this, such as the Tube and bus bombs in England. I am fully aware of these, but they only strengthen my belief in the sufficiency (for the cost) of our airport security systems.

Now, my mental attacks are focussed elsewhere...for the most part.

-Brian

Introduction

At one time I thought that I was some weird anomaly, an intelligent person in information technology who was also a devout Christian. In 2005 and 2006 I had the opportunity to visit many companies and get to know the people heading up IT security at some of America's largest and most influential enterprises, and I discovered that many of these security departments were headed by active Christians. Not just "yeah, I believe in God and Jesus seemed kinda cool" Christians, but people who (in their non-existent spare time) are pastors and assistant pastors, youth leaders and praise band members.

It's funny, but as much as these "hard core" Christians seem to get slammed in public, when it comes down to Corporate America (or even Governing America) needing to find someone with integrity to head up Information Security, they frequently find themselves choosing men and women of God.

This blog (nay, ramble!) is where I can bring together (when appropriate) my two passions of Security and the Lord. Often, they won't intersect, save to color my perceptions, but I anticipate most of my posts to be either God or Security, but rarely both.

-Brian