Recently in Security Articles Category

Recently, I've seen several pieces which fall into this category, and would like to toss my own two cents on the pile. The one that sort of kicked off my initiative to write this was a posting by Adriel Desautels which appeared on the Snosoft blog and on the pentesting mailing list. The post asserts that vulnerability scanners don't work. The point is made that vulnerability scanning is not an effective tool because the core pieces fall on the tail end of vulnerability research and the scanners themselves aren't accurate. On the accuracy part, the claim is made that his best case experience with scanning tools is 30% accuracy (that's obviously a guesstimate, as no hard data is provided). Adriel's conclusion is that the best replacement for a vulnerability scanner is a well-trained penetration testing team which conducts its own research.

Of course, as with many outlandish claims, I disagree. Going down the list, I'd have to say first that of course vulnerability scanners have a huge amount of value, and definitely have their place. His estimate of 30% accuracy I suspect to be completely made up, and will continue to until I see some sort of data to back it up. Also, no reference point is given on that number. Is it 30% of all vulnerabilities that ever have been or ever will be known about a system? What is 100% then? Is this counting false positives and negatives (or just one of them, or neither)?

My experience with Nessus, Saint, nCircle, and others has shown the whole class of tools to be hugely useful, so long as you look at them in the right context. What's important to keep in mind is exactly the title of this post. All tools have their place, and all needs have a set of tools which address them best. Vulnerability scanners are generally useful in two roles. The first is in a one-time look at a network. I use Nessus whenever I assess a client's network for the first time. That's because in addition to pointing out vulnerabilities, it gathers tons of data. What's best is that it does this automatically. I could use a collection of 20 or more tools to enumerate hosts and poll their various services for data, but that's a waste of time when a vulnerability scanner will do all of it for me. While the vulnerability scanner is doing its thing, I'm free to do a walk of the premises, talk to staff, or take a nap. All of these are much better uses of my time than running individual tools manually. When the initial scan is done, I can then take closer looks at specific hosts and services with more specific tools if need be. My time at a client site is usually quite limited, so it's important for me to make the best use of it.

The other case where a vulnerability scanner is very useful is where a whole network needs to be monitored for change. Because the vulnerability scanner is pretty consistent in what it does and very broad in what it covers, and because the whole process is automated, scans can be done in intervals very easily. Data sets can then be compared over time to show trends in vulnerability and give hard data about where the most vulnerability probably is. I want to key in on the fact that I say "probably" in the last sentence for a reason. Vulnerability scanners are plenty of useful, but what they aren't is perfect. Adriel's article is pretty much centered around the main weakness of any automated security tool, which is that they can't see everything, and a good deal of security is in the soft/squishy part (the people and organization). Additionally, he makes the point of the lag time between vulnerability discovery and detection by scanner, but we'll get back to that. Backing up a bit, the reason you can't use a vulnerability scanner to identify where vulnerability in your network definitely is, is because of a lack of comprehensiveness of the tool, and the sheer complexity of vulnerability.

Vulnerability scanners can't tell you that your policy is terrible or that the structure of your network is poor. They can't tell you that Frank in accounting took home all of your company's customer data, and they can't even begin to detect your lack of visibility into the traffic flowing across your WAN. What they can do for you (and me), however, is catch low-hanging vulnerabilities and report them in an automated manner and allow us to use our time handling other tasks. As with all tools in all industries, you can't expect a tool meant for one task to be the end-all, be-all solution to something as conceptually large and complex as "security."

To address the issue of lag time between vulnerability discovery and detection by a vulnerability scanner, I believe this is a moot point. This lag exists in all tools and solutions in one form or another, and where one tool or solution might have a lower lag than others, it can't be considered comprehensive. Specifically, Adriel suggests that teams of security professionals replace vulnerability scanners functionally in organizations. This is just plan silly for a variety of reasons. First is cost. an internal team of security professionals is simply out of the question financially for most organizations. Contracting out the service just once is also expensive compared to even the most expensive vulnerability scanners (Nessus goes for $1200/year/scanner, nCircle is upwards of $30k for the initial installation). Getting a team of specialists to do even the basics of what a vulnerability scanner can do is a waste.

However, sticking to the title of this article, I believe that all tools and solutions have their place and that there is a proper process to attack any problem. For security, you first need to perform gap analysis. In the early stages of reaching a secure state, tools like vulnerability scanners are extremely useful, because they allow you to efficiently identify and address the most numerous and obvious flaws. A security professional's role here shouldn't require much direct interaction with the systems at all. Automated tools will churn up enough information to get an idea of where things stand, and help to identify major problems. This is your typical Vulnerability Assessment; a broad process which should take a shallow look at the whole organization, identify major and core issues, and develop a plan for action. This sets the current state and outlines a goal state.

The middle parts of the process require different tools for different reasons. The vulnerability scanner is still very useful here for the tracking of remediation and detection of new minor issues, but gives way to higher-end planning and consulting which aims to set up controls which proactively secure the network, and do so in intelligently redundant layers. The latter parts of a security ramp-up are where the vulnerability scanner becomes a minor player in that it is used to catch smaller issues which fall through the more proactive steps put in place to take care of issues before they cause vulnerability. Also, this phase of the process is where penetration testing becomes relevant. As is stated in this rather controversial prediction by Brian Chess, penetration testing should be used as testing is in the scientific process. That is, penetration testing should be used to test a theory. The theory should be something along the lines of: "security control ABC should stand up to XYZ types of attack, and those attacks should trip some sort of alarm when a certain point is reached." In other words, a security control is designed and put in place earlier in the process, then needs to be stress tested to prove that it is working as expected. This is exactly how we've approached penetration testing (especially since we make it very distinct from our vulnerability assessment service) since day one here at White Badger.

So to sum up, early in the security ramp-up process (where most organizations haven't even started), automated tools like vulnerability scanners have a huge amount of value because they allow for a large amount of data to be collected and acted on in a very efficient manner. As the process goes on, the more automated tools give way to more specialized tools used to assess certain specific hosts/services/vulnerabilities. At the end of the process, penetration testing is performed, and that is almost entirely manual. The best (in my opinion, the best are the most realistic, regardless of scale) penetration tests will combine attack methods from all different angles to properly estimate the success rate of exploiting a vulnerability.

Vulnerability scanners aren't worthless. That's like saying that a table saw is worthless because all woodworking can be done with a screwdriver and a utility knife. The worth of a tool is directly proportional to its cost and benefit. Vulnerability scanners generally have a low cost relative to their closest alternatives, and a high payoff so long as the expectation is reasonable. They have their place in the security process and won't be replaced functionally by an adjacent tool any time soon.

Compliance is just the beginning!

Know your enemy. Know your weaknesses. Have a plan.

Behind these seemingly simple statements lies a lot of thought. Firstly, we talk about compliance. By definition, compliance means that you comply with standards. These standards are set up as a bare minimum operating level for any given industry so that all the players meet some standard set of rules and can work together based on them. With cars, it's state inspection. With food preparation, it's health inspection. With any structure, it's building code. In every one of these, the bare minimum is almost always just that, and the gross majority strive to be better. If your car only barely passes inspection, it's likely not very safe or efficient. If your food was cooked in a kitchen that got the lowest allowable score on a health inspection, there's a good chance that you'll be sick in the near future. If your house only meets building code minimums, it likely won't hold up very well in a wind storm.

So, given that compliance is just the bare minimum, and that the bare minimum is not something you should be aiming for, why is it that so much effort is spent in the financial industry on being compliant? Almost all of the security breaches in recent memory and likely in to the future have been and will be at organizations compliant with security requirements. Compliance is a minimum, and the minimum is never good enough when you're dealing with other people's money. Striving for compliance is like trying to come in last place.

Real security should be approached just like all other parts of the business. You need to have a metric, you need to measure it, and you need to manage it. In security, the metric is risk, and it is measured against cost and the risk mitigated. That's the theory anyways. In reality, it's so much more than just cost vs reward. Something we try and make clear to our customers is that there is a balanced security level for every organization, system, and situation. It is reached when security reaches a level where it complements all other parts of the business and is maintainable.

In the end, your goal should be security, not compliance. Compliance is a byproduct of good security practices and good corporate stewardship.

So, as many in the IT and security fields know, it's bad practice to have any one device touching more than one network. The exceptions to this rule are usually security devices like firewalls and IDS sensors, all of which need to be specially hardened as any one vulnerability would go against the point of having multiple networks to separate groups of devices. In the process of evaluating devices from all the top vendors in the arena, I set up a test network on which to run each of the platforms. As part of this testing, I wanted to be sure that straddling a firewall and connecting to several network segments wouldn't be an issue. As it turns out, one of the boxes I tested had an issue. (As I'm under NDAs with pretty much every company I dealt with, I'm not going to comment on which product had the issue. I have been told that a patch is on its way and will hit in several weeks.)

The device in which I found an issue did meet all of my criteria. It had almost zero footprint on the network. It communicated only in encrypted tunnels, which were outbound from the appliance only. It had no listening ports. However, what I did find is that the device responded to ICMP pings (standard echo request/reply). I can see where this functionality would be useful for the end users, but from the standpoint of super-hardening, it should be disabled, or at least have an option to be disabled.

The specific flaw I found was that the OS's kernel didn't perform proper source checking on packets. For example, if interface 1 is on 10.1.1.0/24, and interface 2 is on 10.2.2.0/24, it should drop packets claiming to come from 10.2.2.2 which arrive on interface 1, and vice versa. Failing to do this, the device I was testing happily replies back out the other interface. Spoofing packets from both directions allows us to set up an ICMP tunnel, over which we can move just about anything. Unless the backbone is set up to detect excessive ICMP traffic (monitor port + IDS, or switch-based IDS), or if the traffic needs to pass over standard security devices (an upstream firewall/IDS/IPS/router), this would be pretty difficult to track down. Most organizations I've been in do not have the infrastructure to watch for this kind of tunneling when it is used specifically to bypass the firewall.

This attack isn't exactly l33t or hardcore, it's quite basic. It's unfortunate that some of the basics do get missed when most attention is paid to higher level attacks and other threats, but it does happen quite often. Fortunately, the vendor had an excellent response in terms of time and quality, and hopefully will give me many discounts in the future for doing some QA work for them ;-).

Every good security professional has a healthy respect for the unknown, which usually is tagged as paranoia. An appropriate amount of paranoia in the right area leads to being quite effective in securing the network you're in charge of. The key is education. This doesn't mean that you need a degree in watching over your shoulder, but you should know what to be afraid of, and how to make sure you know if/when trouble is happening.

Listening to a recent Pauldotcom podcast, the point was made that most people don't really get serious about securing their code or systems until they've personally been attacked. The other side of this is that actually doing some of the attacking and seeing it work firsthand usually has the same effect. As such, it's important that all IT professionals get that experience some time in their careers.

I find it very interesting how human psychology impacts the information security industry. To me, it seems very straightforward. You have something of value, bad people want it, you need to protect yourself. There's nothing outlandish or new there, that concept has existed since the beginning of life. But somehow, despite our advanced intelligence and civilized society, we all seem to have a default naiveté when it comes to information and IT security. I suppose this effect also occurs elsewhere, such as when a person doesn't regularly wear a seat belt until he/she has been in a serious car accident.

Given the above, it's not difficult to understand why FUD-style (fear, uncertainty, doubt) marketing is necessary and does work. Placing someone in a scared mode is an incredibly effective method for switching them from actively opposing security to actively embracing it.

To be an effective information security professional, what you need is a balanced, aware, and fact-driven sense of paranoia. A proper balance is struck when your paranoia drives you have a constant need for security while not blinding you to the reality of your environment. As such, you need to be incredibly aware of the organization you are working within. While security is important, it needs to coexist with functionality, usability, and visibility, while also making the political, budgetary, and regulatory parts of the equation work. Because paranoia is a 100% emotional response, it's important to keep it properly in check. All decisions need to be passed through a filter of reasonability and facts, so that you don't spend all of your resources defending unevenly against the threat that scares you the most.

I think all good security professionals possess the right kind of paranoia that drives them to stay effective and not become stagnant or complacent. I personally think every IT professional would do well to acquire a bit of the paranoia. While this usually comes as a result of a negative experience, it can also be had by way of a class with hands-on hacking. However you get it, your effectiveness and career will benefit greatly, as will the security of everything you touch.

Closed Circuit TV (CCTV) systems installed in most banks and other facilities are there to catch thieves with guns and ski masks. They can and do serve other purposes, like accounting for everyone entering/exiting a building, and watching accident-prone areas, but for the most part, they're only there to try and get a shot of a robber's face good enough to put on the evening news.

In this day and age, while there is still a significant amount of robbery at gunpoint, there are much more costly thefts and intrusions that need to be watched for by CCTV systems. I can't tell you how many times I've been in some financial institution (as a customer, not doing work for them) and been left alone in a room with a network-connected PC with full access to the rear of the machine. Furthermore, because of the camera coverage in the building being geared heavily towards the lobby, I was unwatched.

Given this level of access, one could easily use a pocketable USB device (a USB hacksaw, for example) that would steal credentials and leave an agent capable of stealing even more data, all without the victim organization knowing.

According to this article about bank robbery, the average bank robbery costs about $25,000 when it is all said and done (including turnover, lost time, etc.). The average ID theft usually ends up costing between $90 and $305 per record, according to this page. This can vary wildly based on how high- or low-profile the incident is. If we were wanting to make it an average, let's say that 5,000 records were lost (that's a very conservative size for a small bank or credit union). That would be between $450,000 and $1,525,000 in total cost for that breach. A bit of a difference, huh? Now, imagine the public backlash at an organization that just "let" someone walk in and take data, versus the relative empathy the organization would receive because of losses due to gun-wielding robber.

So, given the absolutely enormous difference in the financial damage able to be done between the two attacks, why do financial organizations not seem to take the more costly attack seriously? Well, the big reason is lack of knowledge. Despite cybercrime and hacking being buzzwords in today's society, most of the defensive effort goes into antivirus and perimeter security. My experience in performing security assessments for these organizations says that they rarely have a thorough and consistent approach to security. A secondary reason is inertia. It's the same reason that banks still have large vaults, despite their most valuable items being in the server room. It's just that financial institutions have a long history of needing physical security to stop intruders with guns, jackhammers, torches, and crowbars, but have relatively little history in dealing with thieves bent on stealing data. Displaying a large number of cameras in the front lobby can often deter an attacker before anything happens.

Given all of the above, what should your cameras be looking at? Well, here's a quick list:

You very simply can't fix what you can't see. This is something that nearly everyone in the IT field struggles with at some point. This is largely due to the lack of proper tools being used to manage the network (see part 1 about consistency). This is also usually the fault of network structure.

Data flows around a network can be difficult to observe and control except on the edges, where there are devices like firewalls and routers which are made for this exact purpose. Monolithic (or flat) networks are particularly bad in this case because of the lack of borders between parts of the network which should be separate. When dealing with such a network, you only have a few options if you are interested in watching the traffic flowing internally. The first is to have a large number of span/monitor/mirror ports which copy the traffic from the ports to which your network devices are connected. Unfortunately, this breaks down rather quickly when the number of used ports and the bandwidth used gets to be too high. The second option is to use Cisco's NetFlow (or similar). Of the networks I've seen, many do run Cisco switches, so this is a viable option. For those running lesser switches, you're pretty much stuck with mirroring ports, or with nothing. Of course, there is always the option of installing a physical tap for every single port, but that's pretty well unreasonable for the average organization.

In my opinion, the best way to increase security and visibility simultaneously is to separate your monolithic networks into smaller, more manageable subnets. Generally, these subnest should be cut along the lines of security, physical, and logical lines. Which mix of these will work best for your organization is something you'll need to consult a security professional to find out. In any case, once the network has been divided, the only way data should flow between any two subnets is through a firewall. Most modern firewall appliances come with the tools necessary to watch and manage the data flowing through them. Some of the better ones will provide tools for visualization and reporting to make understanding these flows easier and more efficient. Honestly, I can't get enough when it comes to tools which crunch otherwise boring data into neat little pictures, so long as detail is available when I want it.

Another incredibly helpful pile of data that your network generates is log data. The problem is that logs are tedious and boring. That's why there are log analyzers like Splunk which give you a nice web interface and search/index functionality which helps turn your log data into something useful. One of the best uses I've heard of for a log analyzer is anomaly reporting. Basically, you run your network for a while and let the analyzer collect log entries. After enough has been accumulated, you go through and mark all the normal data as being so. Once you have tagged the data which you expect to see, you can very easily filter for what you don't expect. This effectively sifts out errors and other unexpected messages from a sea of information.

Of course, doing any of the above assumes that you have time in the day to make it happen. Unfortunately, it seems to be incompatible with IT departments which work behind the curve of break/fix. 

Most organizations don't start out with the resources or immediate need to properly roll out imaged workstations or manage their networks using high-level tools. What happens more often than not is that the network is a collection of very different PCs, all of which have been built and configured individually. As a result, there are as many variations in loadout as there are workstations. As the organization grows, this practice is scaled to meet the need, and results in an IT department which works mainly in fire-extinguishing mode.

There is a certain point at which more consistent control over the network is an absolute must. The problem is that, in my experience, many medium-sized networks are being run without the proper tools. Management tools, strict domain policy, and imaging are all incredibly useful when combatting sprawl and growing pains.

Consistent network management not only makes IT staff more productive, but also allows for self-auditing and quick response to security events. Patching becomes easier (and can be more comprehensive than just WSUS or Windows Update), which allows the very common issue of third-party software vulnerabilities to be addressed in a more elegant and effective way.

Let's take a look at the basic functions that these tools need to help accomplish in order to be useful. The first is enumeration, cataloging, and inventory control. Basically, you need to know what each device is, does, and has on it. By the same token, you need to know what is on your network that shouldn't be. In addition to a simple understanding of the devices on your network, a good management system will keep track of when devices were purchased, what kind of warranty/service plan they have, and what their serial numbers are. Having all of this information in one place is the first step towards getting your network under control to the point where securing it becomes an easy task.

The second tool in your arsenal should be a package/file management tool. In order to properly manage software updates, it's important to know the loadout of each machine, to be able to verify that ONLY the software you approve is installed, to be able to perform updates to your software, and to be able to remove unauthorized installs. Many of the issues I see in security assessments come down to good patch management. I'd estimate that at least half of the vulnerabilities are a result of old software which has updates available. For those thinking that Windows Update or WSUS will cover all of these issues, you are sorely mistaken. Many of the vulnerabilities I find in assessments aren't in Microsoft products, simply because they do get automatically updated. More often than not, it's old antivirus or backup software which runs at system privileges that provides a way in. 

Overall, being consistent usually comes down to putting a bit of initial effort in to a structure, then being disciplined enough to follow it. Automation of the boring, repetitive tasks makes this worlds easier. Manually going to every device in your organization and checking for updates is very tedious and gets frustrating rather quickly for the high-IQ types who usually make up an IT department. This leads to mistakes being made and eventually to the practice being missed or avoided.

Find some good tools, become intimately familiar with their innerworkings and behavior, then use them as an extension of yourself in confidently controlling your network. Get things to be consistent across the organization, then you can begin to manage one set of common machines instead of many individuals.