“Strutting and fretting his hour upon the security industry stage, And then being heard no more” Trois
The Playing Field:
In my previous installments of this series (1 & 2), I discussed the general environment and the players within the infosec business; now let's talk about the specific playing field, or more to the point, the rules of the game thus far. It would seem that the playing field is always changing and never really defined because of the nature of the technologies involved. Technology is evolving quickly and so are the security risks to those technologies.
Given that we have a moving target to begin with, you have to then look at the methodologies used to “audit” a company/facility/system/network/processes. What once may have worked very well may no longer work because the technology has changed or been made redundant. You also have a large “human” element to deal with in any security assessment, not only from the point of view wherein social engineering is used, but also the vagaries of human nature such as sloth. Laziness as well as cluelessness can destroy the security values quicker than a new Microsoft vulnerability in the wild.
Also, as I said before in the previous posts, the management and the egos/political chicanery that go on within a company are also a major factor in having a successful audit cycle where the recommendations are actually carried out. If you have a bunch of C-level louts who want nothing to do with the prescribed fixes, then they will not get done and the security picture is a truly broken one. This too points back to the human nature factors.. and well, no need to beat the horse, it's already dead, huh?
What it all boils down to is this: there are just way too many ways that a company can open itself up to vulnerabilities, and it takes a rounded approach to do the due diligence for that company's security posture. Just as important is the fact that the information security business has become a leviathan full of competing entities, from the quacks to the bleeding edge, and what you need to do as the auditor as well as the client is separate the wheat from the chaff to do what's best for the “security” of the company/client.
Current Approaches to Security Auditing:
Information security as it is today has been evolving since the dawn of time. Everyone's got secrets that they want to keep.. Well.. Secret. Anything from the secrets of how to make a strong steel sword to the secret sauce used in a chicken recipe. Over the centuries methods of protecting these secrets have evolved. From simple hiding places cut out within books to elliptic-curve encryption schemes, they are all seeking the same thing: to keep what they have from getting out in the open.
Today, we have a set of technologies that are evolving by the minute that potentially place all the data we want to keep to ourselves out to everyone able to connect to the network. In a way, oddly enough, it seems to me lately that if you really want to keep something secret you have two choices for doing so:
1) Keep it in your head, never write it down, and never utter it aloud
2) Create a one-time pad, encrypt it, and eat the pad… Yeah, you will never be able to decode it, but it will stay “secret and safe”
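The joke in option 2 rests on a real property of the one-time pad, so here is an added example (mine, not from the original post) that shows it in working code. With the pad in hand the message comes back; without the pad, any candidate message of the same length is equally consistent with the ciphertext, which is exactly why eating the pad leaves the secret unrecoverable. It also shows the one condition the scheme depends on: use the pad once, because two messages under the same pad leak each other. The messages and the reuse scenario are constructed for illustration.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """A pad is just truly random bytes, exactly as long as the message."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; the pad must match the data length exactly."""
    if len(a) != len(b):
        raise ValueError("pad must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    return xor_bytes(plaintext, pad)


def otp_decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return xor_bytes(ciphertext, pad)


def pad_that_explains(ciphertext: bytes, candidate: bytes) -> bytes:
    """The pad under which `ciphertext` would decrypt to `candidate`.

    One always exists for every candidate of the right length, so the
    ciphertext alone says nothing about which plaintext is the real one.
    """
    return xor_bytes(ciphertext, candidate)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad: c1 XOR c2 == p1 XOR p2.

    The pad cancels out, so knowing either plaintext reveals the other.
    """
    return xor_bytes(c1, c2)


def demo() -> dict:
    # Constructed sample messages, deliberately the same length (19 bytes).
    secret = b"11 herbs and spices"
    decoy = b"buy more paperclips"

    pad = generate_pad(len(secret))
    ct = otp_encrypt(secret, pad)

    # With the pad, the round trip works.
    roundtrip_ok = otp_decrypt(ct, pad) == secret

    # Without the pad, the same ciphertext "decrypts" to any decoy you like.
    fake_pad = pad_that_explains(ct, decoy)
    decoy_ok = otp_decrypt(ct, fake_pad) == decoy

    # The failure mode: the same pad used twice. Given the second
    # ciphertext and knowledge of one plaintext, the other falls out.
    ct2 = otp_encrypt(decoy, pad)
    recovered = xor_bytes(pad_reuse_leak(ct, ct2), secret)

    return {
        "roundtrip_ok": roundtrip_ok,
        "decoy_ok": decoy_ok,
        "reuse_recovers_other_message": recovered == decoy,
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading for an auditor: "unbreakable" is true only for the pad you never reuse and never leave lying around, which is the same argument the post makes about encryption being one layer rather than a guarantee.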
All other methods, well even these, can be subverted and your secrets accessed. What's even more readily so is if you house that data on networks, hard drives, papers, Post-it notes etc. All you can really do is take due care to ensure that it will be that much harder to access the data in the first place and to encrypt it so that it would take someone a considerable time to decrypt it. Remove that layer of encryption today, and you might as well make a truck-based billboard and drive around with your secret sauce recipe in large bold type for everyone to see. It's just a fact that even if you take all the precautions, there is still a good chance that your data will be stolen.
It's just the nature of the beast… Ask the Pentagon…
So, with those words ringing in your ears, you might be thinking “what's the point then?” Well, if you are doing the due diligence then the likelihood of that data not only being accessed but used is much lower…. And I would take much less likely over a sure thing any day in this business. So, how we go about the process of trying to place protections into the companies, networks, and systems is key to the overall security value that we leave them with.
These are the current methods of auditing in the business today:
- Ethical Hacking/Pentesting
Ethical hacking is a good thing but a very narrow method of testing security. You are usually given a sliver of time and a list of targets (if you are lucky). On average though, the system that the client wants to test with this kind of test is something they have attempted to protect already and just want to be sure is secure. Meanwhile the back end and everything else around it may be unsecured and lead to utter compromise.
This is a good model for small testing. If you are lucky and given a whole network to check, then you have more latitude, but all too often the targets are too narrow, as well as the time frames, to really have great meaning for the overall security posture of a company/system/network.
- Vulnerability Scanning/Reporting
Many clients do not want a hack performed. Many more times you will have clients that just want a vulnerability scan run to see where they may have problems. This can be beneficial in that you usually get a larger target area to scan, and if you do the work right (not a fool with a tool) and hand-check the results for proof, then you can reasonably tell the client where their technical problems lie. Of course this too bases the findings on a tool or set of tools (as you should use multiple tools) to gauge the security issues.
The vulnerability scan also gives you an ideal point of view from which to look at the overall network architecture. This can also be used to show how vulnerabilities can logically lead to compromise, great and small. Perhaps this could be its own sub-section called “network architecture assessment” but this often can just be tied to the vuln assessment.
Some would say at this juncture also that unless you truly exploit the vulnerabilities and show them you can steal their data, they will do nothing. I would say that this is a little self-serving in some cases on the part of those who just want to hack, but I would also say that often it is the truth, because of the lack of awareness on the client's part where the odds of compromise are concerned.
All too often the client thinks that no one else but this hacker in front of them could do that magic thing that they are warning them about… “Inconceivable!” So, even if you show them the proof of concept, they may still write it off as an acceptable risk… Human Nature at work.
- PCI/HIPAA/SOX audits (Policies & Procedures)
Here we have one of the least loved audits on the part of many in the security industry and yes, it can be tedious work. However, I would say that this is an integral part of the security picture even if the actual regulations out there are weak and toothless for all intents and purposes. Of course a hacker would say they are unimportant because they can still exploit the new 0day and game over, but that is just one vector and relies on the technology being 0day'd.
The reality though is this: all too many times there is WAY too much low-hanging fruit to be found to exploit at companies because they have little to no solid security policies, procedures, and standards. What's more, the 0day exploit that the hacker would love to use might be negated IF the company has been following processes that might block their attack.
It's been known to happen.
So for all those out there who feel that the audits are useless.. Maybe they are if you just have a non-technical auditor from, say, PWC. It's just a checkbox for them to tick as to whether or not you have them in place. They may not even take the time to really think the documents through in their heads to see if they make sense. THIS is a real disservice to the client and lends no security value whatsoever.
What needs to happen, and I have been seeing a trend of this lately, is that the auditors out there are including a more technical person in their teams. Someone who can map the policies, procedures, and standards onto the actual technical security picture. Once you meld the two together you can explain fully how a missing policy can lead to a compromise of the company data.. Hell, that technical person can even show you the actual exploit at work if they are allowed.
At present though, I don't see too many PWC teams who do this. Nor do I see too many teams in the industry performing this along with hacking, all in one package that MUST be tied together. So far, it's been more of a buffet-style menu out there in the security industry for auditing.. Never mind the technical snake oil sales of the “one product to protect you from everything” mentality today.
- Physical Security Penetration Testing & Social Engineering
Physical penetration testing is not often something that companies contract for. At IBM we usually had this as an “added value” assessment that you could “maybe” sometimes get to carry out. I know others who perform these tests as BAU too, and in each case I think these kinds of tests or observations should be an integral part of a security report to any client.
It is often said that criminals take the path of least resistance.. I believe that to be true, so why am I going to lay siege to your firewall if I can just walk in and gain access to your data locally? It's basic principles of warfare here, and you do what's most expeditious to make quick work of the battle. Frankly too, the softest part of any company is its physical site and its employees.
Without a proper perimeter, as well as aware employees, one can gain access to the keys of the kingdom fairly easily and quickly, and then it's game over. Just as easy may be sidling up to an employee and playing clueless on site to get whatever you need. All you need to do is have a grasp of human nature and you can win the day.
- Coding and Code Audits
Coding… The bane of everything security. Why, you ask? Because it's the basis for 85% of the vulnerabilities out there. Poor coding practices from the application to the OS levels are a boon to the adversary. Lately the movement I have seen within the security literati has been to lament the poor coding practices out there by the big companies making our applications and operating systems.
You know what? They’re right. However, what is it that they are saying here?
Hmmm… How about this “Where are your coding standards? Procedures? Policies? Due Diligence anyone?”
Yep, we are back to the level of policies, procedures, and most of all STANDARDS!
Yes Virginia, the standards are lacking from a local to a global perspective on secure practices. Just look at the whole debacle over voting machines and ATMs *cough Diebold cough*. All you really have to do is look back a couple of weeks to Black Hat and the one-armed bandit talk on ATM security.. Or more to the point, lack thereof. This is a big issue that stretches from the big companies selling coded products to the companies designing and implementing poorly coded systems internally that lead to compromise. After all, how many times have we all seen hard-coded passwords passed in the clear on local networks, huh?
Can There Be A Holistic Security Approach?:
This brings me to the crux of my point in this article. Can we in the industry actually get a process in place where the audits cover all of these areas as a mandate and lose the whole buffet approach to security? The buffet approach just does not work overall and something needs to change. We need to be able to go to a company and give them an overall fitness report on security with recommendations on how to fix the problems. Without this, the assessments will always be just CYA for a particular area of a company while the rest of it burns like Rome under Nero.
Are there any companies out there that only offer this?
Would this actually be a viable business model today?
I would like to think so, but unless there is buy-in on the idea as a whole, well, we are back at square one feeling frustrated at the business and the quackery, huh? However, the nature of security is at odds against us here, isn't it? After all, aren't we all Cassandras here? No one really wants to hear what we have to say because it's scary and requires work.
And that’s the rub isn’t it?
Can We Get Companies to Code Securely and Ethically?:
Finally, that 85% of the problem? Yeah, the coding practices… Can we as a country, never mind a global community, actually force companies to code securely and perform ethically? It would seem not, because of the nature of business today at the very least. Look at what has happened with corporations and the economy with regard to Wall Street and such. Sure, there's all kinds of legislation being made now, but really, are those rules going to stop the companies from doing bad things?
So how do we enforce the secure coding of applications and operating systems if the laws are not in place to mandate they follow the standards?
Best practices? Uh yeah, often you get a laugh out of that when you mention this as what must be done. Without a real disincentive the companies will continue on with sloppy coding to bang it out and get units on the shelf and ducats in the bank account… Oh, I can hear the Republicrats and Libertarians freaking out now…
Time For A Sea Change:
In conclusion, I think that unless we get a handle on the regulations as well as the paradigms for change within the security arena, we will be forced to just be that same hamster in the wheel. We can see the cheesy bit outside the Lexan of the cage well enough, but we just can't seem to get there to get it.
Time for some solid change.