If we were to believe the marketing hype over the last 20 years, we should be in a position today, in 2011 where security is not the BIG problem that it is. Every “security” product has promised to take the pain away; make us secure, compliant (with every known standard), and to not only solve our problem today, but to future proof us also. Buy now and you need nothing else!!
As a CISO/CSO/Security Manager, you were hired by your organisation to perform a role. How many people go back to the advertisement they responded to and check-off what you are actually doing now, versus what the original role description stated the role would/should be?
The reactions to the recent LinkedIn hacking ‘scandal’ were interesting.
Has anything changed? So little to change? Well maybe a bit...
CIOs cop quite a bit of criticism from the Information Security industry and the people in it.
Rightly so I believe in most cases. We’re in 2012 now, not 1999, where ignorance of basic security could still be forgiven (somewhat). Hacking was still a dark art to many then.
When one of our clients recently threw out a challenge to their competitors in their industry to pick up their game in terms of not only security, but being more open about their security, it was the culmination to an engagement like no other we’ve ever been involved in.
It seems to be an on-going complaint from many in our industry that data breach disclosure laws are a must have if businesses are ever going to take security seriously. In Australia, this has been talked about for a long time and I cringe every time I hear it, let me clarify why. (I borrow some of the following from my own blog posts.)
"It will take a massive incident for our company to wake up to itself!"
When was the last time that you read an article by a hacker in the mainstream media that talks about what enables them to do the things that they do? And what, in their opinion, would make their life harder?
It sounds like something out of the movies, but if you’re not thinking about it, you’re getting further behind the game in terms of your corporate security. Don’t worry, there’s so few companies in the private sector in Australia doing this at the moment that you could catch up quick and promote yourselves as “thought leaders” by doing it now! Now that’s a win and something to promote to your clients.</p>
Thought that title may grab a few eyes!
There is a perception that moving to the Cloud opens up organisations to new and greater security risks than what they currently face, by maintaining a fully internal managed systems model. The security industry is telling us this – I’ve been talking about it for years but lets put some perspective to it.
When was the last time that you read an article by a hacker in the mainstream media that talks about what enables them to do the things that they do? And what, in their opinion, would make their life harder? I can’t think of too many over the years. All the articles are generally written by “generalist” specialists, who know very little about the “hacker” mindset, trying to tell you what the “hacker” mind is thinking and how the bad hackers will get you. I would do it myself, however I am surrounded by people whose technical skills just blow my mind, by what I see them achieve. Our clients love it; well that depends on the definition in context. So here’s something a bit left field. I’m writing this after speaking with one of our team - one of the most brilliant technical security people I have ever met. Handball to them – this is their perspective, their opinion and how and they see it: I have never been a CSO, CIO, CEO or in any IT Management role. I’m considered a “hacker”! I call myself that too. But before you picture me in a dark trench coat, I do have a Masters in IT with Honours. I chose to do what I do because I love it. I leave the business side of things to others, for now, who want to rise up the management tree and do what they want to do for their own reasons. At the moment, that’s not for me. There’s so much work to be done at the ground level of information security where I want to make a difference, and to be honest, it’s far more interesting – by a long way! One day, maybe I’ll do the management stuff, but for now it’s not for me. As such, I won’t profess to understanding all the management issues many of you reading this have. This article is my take on what I see from the work that I do and from my experiences with working with people and companies in IT and IT security at all levels, including clients, friends, ex-coworkers, across five different countries and for enterprises of all sizes from global investment banks through startup businesses and across many industry sectors. My view of the business world differs in my opinion to that view of IT management. While I acknowledge it's always easy to give an opinion when you don't have to face the fight within an organisation, the realities are how I see them. I can only comment on what I see and I cannot embellish it to make the reader feel better. Every time we commence a new project, our team generally does not need to be primed for a great security challenge. Sadly, and this is a serious thing to consider, what we think and discuss is how quickly we going to own this application, system, company. It’s a sorry state of affairs to expect this. Our office is in a state of genuine WTF when we actually encounter an application, system or company that is really secured and we cannot do anything to. Albeit within a defined scope of technical testing – and I add that, because we also know that we can change that “good” result with a bit of Red Cell … a number of phone calls can change that situation quickly but read the last blog from Drazen on that. As a white-hat “hacker”, companies make it easy for me to look good. I am in a position to tell you what would make my job harder. So here we go; its not rocket science, and I don’t profess to covering it all here. But, if you do want to make life harder for those with nefarious intent, do this; 1. Avoid password re-use for administrators. (I love this and defaults even better … makes my life easier to get a good result from the hacker perspective). 2. Know what you have on your network and “control” with good security policy. Run something that detects new hardware on your network. (Probably the most effective security I have seen – honestly). I have lost track of the number of times a client has told us we have “x” number of Internet facing systems, only for me to find three time ”x” number of systems. If that is the case, how can one be secure? Also, only one MAC address authorized per switch port. You don’t need expensive security appliances. Just some hard work and few good Network/System Admins. Listen to your Network/System Admins (They generally know their stuff). 3. Monitor your internal network to detect weird behavior and unexpected requests. I don’t mean pay for “heuristic” systems that profess to doing it for you. They don’t, they’re rubbish! Look at the claims by security vendors and ask yourself why they’ve been saying this for 10 years but I can still own your network? Your Network Admins should know your network. They should be allowed and supported with time and resources to monitor logs of the systems they manage. They will tell you. Support them, but put the pressure on them to do it. Outsourced perimeter management providers don’t care. Their SLA’s claim that they do, but they don’t, and we’ve rarely, to the point where we cannot recall when, been stopped by them. You could save yourself significant amounts by avoiding such services and going back to basics. Build secure systems, patch them and monitor the logs/traffic, its straight forward. 4. Monitor external DNS to detect new website/hostname exposed on Internet by your company. Who does this now? 5. Let your System/Network Admins use their magic. Let them develop scripting language systems that do things to help with your security. Computers exist to compute large amounts of information quickly - nothing more annoying than wasting hours to do something that can be done with a 5 minute script. Even worse, buying something that your own team can script up relatively quickly. 6. Win small fights - one at a time. Don't try to change all the security in one big fight. Just accept that it takes time and move from one change to another. Start simple: move from FTP to SFTP, move from telnet to SSH, but be committed. It will make a difference. Even small changes like this can make a difference to being owned by an opportunistic script kiddie. 7. Don't buy expensive boxes just because you think, or have been told, they will make you secure. We’ll either by-pass that box, or own the box. Either way, you’ve prospectively wasted your money and the end result from my perspective is the same. I own you. As has been said before, you could use that money for a corporate Ferrari for team moral instead, better use of the money. Your security is rarely better from these product. Save the money to hire people with skills instead of getting magic boxes that do little or nothing. We find it amusing that in 2011 we can own 90%+ of systems that we approach first time, yet these companies all have packet filtering routers, FWs, IDS/IPS and WAFs. Isn’t that so obvious. 8. Use open source. Most of the tools you need can be found in open source software - and let your skilled people use their skills to make it work for you. 9. Go to conferences like; Defcon, Ruxcon, Kiwicon, CCC, etc – where you will learn from industry “hackers” and see what is really happening. Why waste your time at conferences lead by big name keynote speakers who will only dribble on about what you already know? Go there if you must to network but you could use the time better. 10. As a CSO, you MUST be involved with all “critical” projects like new SOE build for laptops, servers and workstations. I call these “critical” - others may not. They may look at it from the bigger picture – that 20,000ft level. What a silly view. At the end of the day, it all comes down to the basics – work from there. 11. Spend time with your Windows team, Unix team, Network team to understand their work and to gather ideas on how to improve security. They know their systems more than you do and should be happy to give you advice if they see that you're interested in their work. Don't forget to give them credits once you managed to make some security progress. 12. Don't believe in magic. Improving technical security takes times and hard work – focus on the basics. Did I mention not to buy stuff because a vendor promised magic? 13. Get at least one good security person per team for; Network, Unix, Windows. Same for QA team and dev team. They are out there – find them. 14. And, back to magic. Don't buy security software or hardware like WAFs and IDS/IPS unless you have a full time person to work on them. We by-pass them all the time to own your systems and this demonstrate money is wasted on them. They will however make a difference though if you dedicate the time to correctly implementing and using them properly. So now you’ve read this. As I said, it’s not rocket science. If you want to make life harder as a “hacker”, you can see that it’s not really that hard if you want to make the effort and you are serious. They may still get you with a really cool 0day but that could take time. In the meantime, one can be easily put off by having good basic security controls and practices in place and go for a softer target.
Has anything changed? So little to change? Well maybe a bit... -------------------------------------------------