What Your Director of Information Security Wishes S/He Could Tell You (Part I)

A long title deserves a long post:

Information System Security Directors (and Managers) must be adept at balancing corporate policies and business objectives with the ideals of security, and the idealistic security engineers who drive them. The most obvious example is when the Director must discern whether or not to recommend a particular system. Justification should be based on the return on security investment (ROSI) but follow-on discussions will be either to management in terms of costs, or to the technical team for the “cavernous holes it leaves in the infrastructure” as one security engineer put it. If one picks a middle road, one only serves to piss off both camps.

When dollars are measured against subjective risks, it is understandable how different experts will come up with different recommendations, ROSI formulae notwithstanding. The adroit Director of Security will be prepared to defend his specific position in the face of any management or technical opposition, and yet be professional enough to reconsider based on new information or priorities.

Security professionals understand that it is sometimes necessary to sacrifice security for revenue. What is harder to swallow, however, is sacrificing security for convenience.

Many security vendors take great pains to minimize user impact. Some companies have even formed around making security friendly to the end user, such as single sign-on systems and federated identity tools.

Some security tools interface only with security or IT professionals, such as vulnerability management or IDS/IPS systems. Others impact everyone yet are nearly transparent, such as firewalls and some antivirus solutions.

What happens, however, when a security implementation is changed for convenience? Let me illustrate:

A few years ago, I was tasked to perform a penetration test against a large mid-sized company. The rules of engagement were simple: do not use information unless it can be shown to be available from outside the company, and the target (the “flag”, if you will) was the password of a specific executive.

I had two weeks.

The next day, I delivered the “prize”. When asked how I did it, I explained the simple technique I used (today we would call it “phishing”, a term which didn’t exist in the late 90’s) and the reply was “that’s not ‘hacking’, that’s ‘subterfuge’”.

The first thing your Director of Information Security wishes he could tell you is, “not all hacking can be stopped with tools. Training and awareness are key components to securing corporate assets, no matter what size the enterprise.” The unfortunate follow-up is the concession that it is extremely difficult and time-consuming to implement an effective security awareness program, and it is far from foolproof, but it should still be required.

Having been downgraded to a “leet subterfuger”, I set out to perform a more technical penetration test. The result was a remote access connection that was brute-forced (actually the password of an executive was guessed by me after a total of fifteen tries while I was in the process of recompiling my RAS password grinding engine), and an unpatched internal system which provided the launching point for a reverse tunnel and some serious network scanning.

Two days later, I delivered the “prize”. It should be noted that the first “prize” looked remarkably like the user’s last name sans capitalization. The second time, the user had cleverly appended “01” to the end, thus completely befuddling any brute force tools in existence prior to the late 70’s. “If I make it too difficult, my secretary will forget it,” was the rationale provided. This may be the subject of another article.

In security, as in Perl, the motto “There’s more than one way to do it” applies, maybe with the addendum, “but where should I start?” The above scenario drove the right questions, but failed by hitting only a few of the answers, and hitting them wrong.

Any competent security professional who had access to the entire scenario above would see a number of places where security should be shored up. Vulnerability scanning would be a good start, since a vulnerable internal system provided the jump-box necessary for the full-scale attack. An intrusion prevention system on the dial-up network or on the server subnet would have provided warning, if not blocked it. Remote endpoint compliance wasn’t an option back then, but it would have provided a key component to prohibit my penetration. The system I compromised through the RAS connection was a desktop which did not match the corporation’s security policy. Endpoint compliance would have identified that this system didn’t have all the appropriate patches (which allowed my penetration) and would have shown that it also didn’t have up-to-date signatures for the anti-virus product, which would have prevented my loading a reverse-tunnel application.

What was the solution of choice? It was strong authentication (in the form of SecurID fobs) for all remote users. Understanding that this was only a starting point (read: better than nothing) the Director moved forward with this solution. It was palatable to the company, despite the cost, because many of the approved remote users already had fobs for access to critical internal systems.

Then the “convenience” shoe hit. The VIPs of the company chose not to participate in this program. While it was understood that the “gateway” to the corporate network hack had been a bad password, and that password was that of an executive (a different one this time), the VIPs could not be expected to carry one of those “fob things” around.

This brings us to the second thing your Director of Security would like to tell you, “Exceptions to security for the convenience of a few undermine the security for everyone.” Or, to be (slightly) more succinct, “If you are asking for an exception, you are likely part of the problem.”

It would be worth noting that I built a simple tool that spidered websites (well, performed automated search engine lookups, actually, since they already did all the spidering I needed) looking for the name of the company, and two consecutive capitalized words in the same sentence. My tool then compared the capitalized words against name databases and attempted to form first/last name pairs. Out of the 300+ unique pairs it formed, roughly 90 were actual employees at the company. These formed the username list I was going to use for grinding the RAS passwords. Based on that information, do you think these 90 people were low-level people, or high-profile people at the company? Against an attack like this, therefore, whose passwords need to be strongest? If you said, “the very ones who asked to be exempt from the system,” then move to the head of the class.

That easily guessed password wasn’t much of an anomaly. After all the password audits I’ve done at numerous companies, human nature shows obvious patterns when it comes to password selection. In this case, the numbers (and lack of password strength enforcement) were in favor of me blindly guessing some passwords. With a little effort, discerning even more passwords was simple.
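The name-with-a-suffix passwords described above (last name in lowercase, then “01” tacked on) are exactly the pattern a password-change check should reject before the password is ever hashed. The following is an added illustration, not code from the original post; the names, usernames and passwords in SAMPLE_DIRECTORY are constructed.

```python
import re
import unicodedata

# Common digit/symbol-for-letter swaps that do not make a name-based password stronger.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def _normalize(s: str) -> str:
    """Lowercase and strip accents so 'García' and 'garcia' compare equal."""
    s = unicodedata.normalize("NFKD", s)
    return "".join(c for c in s if not unicodedata.combining(c)).lower()

def name_tokens(first: str, last: str, username: str = "") -> set[str]:
    """Strings a user is likely to reuse: name parts, joined forms, initial+surname, login name."""
    f, l = _normalize(first), _normalize(last)
    toks = {f, l, f + l, l + f, f[:1] + l, l + f[:1], f + "." + l}
    if username:
        toks.add(_normalize(username))
    return {t for t in toks if len(t) >= 3}

def password_cores(password: str) -> set[str]:
    """Peel off the decorations people bolt onto a base word: leading/trailing digits or
    symbols, simple leet substitutions, and reversal."""
    p = _normalize(password)
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    return {p, stripped, stripped.translate(LEET), p.translate(LEET), stripped[::-1]}

def is_name_derived(password: str, first: str, last: str, username: str = "") -> bool:
    """True when the password is a name token with at most cosmetic changes ('smith01', 'Sm1th!')."""
    toks = name_tokens(first, last, username)
    for core in password_cores(password):
        if core in toks:
            return True
        # Also catch a surname buried in a longer base word, e.g. 'smithpass'.
        if any(t in core for t in toks if len(t) >= 5):
            return True
    return False

# Constructed sample records for the demonstration; not real people or passwords.
SAMPLE_DIRECTORY = [
    {"user": "jsmith", "first": "John", "last": "Smith", "password": "smith01"},
    {"user": "agarcia", "first": "Ana", "last": "García", "password": "Garc1a!"},
    {"user": "pchen", "first": "Pat", "last": "Chen", "password": "Tr0ub4dor&3"},
]

def audit(records):
    """Return the usernames whose password is derived from their own name."""
    return [r["user"] for r in records
            if is_name_derived(r["password"], r["first"], r["last"], r["user"])]
```

Because stored passwords should only ever exist as hashes, a check like this belongs in the password-change path, where the plaintext is briefly available, rather than in an after-the-fact audit.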

For example, while having a discussion with a VIP at a large company over security issues, he turned to his system and entered his password to unlock his screen. My habit is to not just avert my eyes, but to turn my body away. He chuckled and said, “If you wanted to learn my password, you would have to watch me type it, because you sure aren’t going to guess it.”

Keep in mind this was an exceptional event, but it still bears telling. I looked around his office, at his posters and models, and awards, and took a shot. “67 Vette”?

“Well,” he harrumphed, “how would you spell it?”

My purpose with that visit was to make some recommendations, but I realized this person may not have paid attention to previous security guidance. My final words on behalf of your Director of Security are, “trust your security staff. If you can’t, then hire ones you can,” especially if your eyes glazed over when I started talking about vaguely technical things such as spidering websites.

That’s not to say that an executive need bow to every recommendation, but consider that each recommendation has been carefully thought out, and even though it may impact your user experience, it’s your assets that are on the line.
