If I was a CSO – By a “Hacker”
Drazen Drazic
When was the last time that you read an article by a hacker in the mainstream media that talks about what enables them to do the things that they do? And what, in their opinion, would make their life harder?
I can’t think of too many over the years. All the articles are generally written by “generalist” specialists, who know very little about the “hacker” mindset, trying to tell you what the “hacker” mind is thinking and how the bad hackers will get you.
I would do it myself, however I am surrounded by people whose technical skills just blow my mind, by what I see them achieve. Our clients love it; well that depends on the definition in context.
So here’s something a bit left field. I’m writing this after speaking with one of our team - one of the most brilliant technical security people I have ever met. Handball to them – this is their perspective, their opinion and how and they see it:
I have never been a CSO, CIO, CEO or in any IT Management role. I’m considered a “hacker”! I call myself that too. But before you picture me in a dark trench coat, I do have a Masters in IT with Honours. I chose to do what I do because I love it. I leave the business side of things to others, for now, who want to rise up the management tree and do what they want to do for their own reasons. At the moment, that’s not for me. There’s so much work to be done at the ground level of information security where I want to make a difference, and to be honest, it’s far more interesting – by a long way! One day, maybe I’ll do the management stuff, but for now it’s not for me.
As such, I won’t profess to understanding all the management issues many of you reading this have. This article is my take on what I see from the work that I do and from my experiences with working with people and companies in IT and IT security at all levels, including clients, friends, ex-coworkers, across five different countries and for enterprises of all sizes from global investment banks through startup businesses and across many industry sectors.
My view of the business world differs in my opinion to that view of IT management. While I acknowledge it's always easy to give an opinion when you don't have to face the fight within an organisation, the realities are how I see them. I can only comment on what I see and I cannot embellish it to make the reader feel better.
Every time we commence a new project, our team generally does not need to be primed for a great security challenge. Sadly, and this is a serious thing to consider, what we think and discuss is how quickly we going to own this application, system, company. It’s a sorry state of affairs to expect this. Our office is in a state of genuine WTF when we actually encounter an application, system or company that is really secured and we cannot do anything to. Albeit within a defined scope of technical testing – and I add that, because we also know that we can change that “good” result with a bit of Red Cell … a number of phone calls can change that situation quickly but read the last blog from Drazen on that.
As a white-hat “hacker”, companies make it easy for me to look good. I am in a position to tell you what would make my job harder. So here we go; its not rocket science, and I don’t profess to covering it all here. But, if you do want to make life harder for those with nefarious intent, do this;
1. Avoid password re-use for administrators. (I love this and defaults even better … makes my life easier to get a good result from the hacker perspective).
2. Know what you have on your network and “control” with good security policy. Run something that detects new hardware on your network. (Probably the most effective security I have seen – honestly). I have lost track of the number of times a client has told us we have “x” number of Internet facing systems, only for me to find three time ”x” number of systems. If that is the case, how can one be secure? Also, only one MAC address authorized per switch port. You don’t need expensive security appliances. Just some hard work and few good Network/System Admins. Listen to your Network/System Admins (They generally know their stuff).
3. Monitor your internal network to detect weird behavior and unexpected requests. I don’t mean pay for “heuristic” systems that profess to doing it for you. They don’t, they’re rubbish! Look at the claims by security vendors and ask yourself why they’ve been saying this for 10 years but I can still own your network? Your Network Admins should know your network. They should be allowed and supported with time and resources to monitor logs of the systems they manage. They will tell you. Support them, but put the pressure on them to do it. Outsourced perimeter management providers don’t care. Their SLA’s claim that they do, but they don’t, and we’ve rarely, to the point where we cannot recall when, been stopped by them. You could save yourself significant amounts by avoiding such services and going back to basics. Build secure systems, patch them and monitor the logs/traffic, its straight forward.
4. Monitor external DNS to detect new website/hostname exposed on Internet by your company. Who does this now?
5. Let your System/Network Admins use their magic. Let them develop scripting language systems that do things to help with your security. Computers exist to compute large amounts of information quickly - nothing more annoying than wasting hours to do something that can be done with a 5 minute script. Even worse, buying something that your own team can script up relatively quickly.
6. Win small fights - one at a time. Don't try to change all the security in one big fight. Just accept that it takes time and move from one change to another. Start simple: move from FTP to SFTP, move from telnet to SSH, but be committed. It will make a difference. Even small changes like this can make a difference to being owned by an opportunistic script kiddie.
7. Don't buy expensive boxes just because you think, or have been told, they will make you secure. We’ll either by-pass that box, or own the box. Either way, you’ve prospectively wasted your money and the end result from my perspective is the same. I own you. As has been said before, you could use that money for a corporate Ferrari for team moral instead, better use of the money. Your security is rarely better from these product. Save the money to hire people with skills instead of getting magic boxes that do little or nothing. We find it amusing that in 2011 we can own 90%+ of systems that we approach first time, yet these companies all have packet filtering routers, FWs, IDS/IPS and WAFs. Isn’t that so obvious.
8. Use open source. Most of the tools you need can be found in open source software - and let your skilled people use their skills to make it work for you.
9. Go to conferences like; Defcon, Ruxcon, Kiwicon, CCC, etc – where you will learn from industry “hackers” and see what is really happening. Why waste your time at conferences lead by big name keynote speakers who will only dribble on about what you already know? Go there if you must to network but you could use the time better.
10. As a CSO, you MUST be involved with all “critical” projects like new SOE build for laptops, servers and workstations. I call these “critical” - others may not. They may look at it from the bigger picture – that 20,000ft level. What a silly view. At the end of the day, it all comes down to the basics – work from there.
11. Spend time with your Windows team, Unix team, Network team to understand their work and to gather ideas on how to improve security. They know their systems more than you do and should be happy to give you advice if they see that you're interested in their work. Don't forget to give them credits once you managed to make some security progress.
12. Don't believe in magic. Improving technical security takes times and hard work – focus on the basics. Did I mention not to buy stuff because a vendor promised magic?
13. Get at least one good security person per team for; Network, Unix, Windows. Same for QA team and dev team. They are out there – find them.
14. And, back to magic. Don't buy security software or hardware like WAFs and IDS/IPS unless you have a full time person to work on them. We by-pass them all the time to own your systems and this demonstrate money is wasted on them. They will however make a difference though if you dedicate the time to correctly implementing and using them properly.
So now you’ve read this. As I said, it’s not rocket science. If you want to make life harder as a “hacker”, you can see that it’s not really that hard if you want to make the effort and you are serious. They may still get you with a really cool 0day but that could take time. In the meantime, one can be easily put off by having good basic security controls and practices in place and go for a softer target.