Hack The Planet

Because if you don't, who will?

Wednesday, January 14, 2009

Comic for the day

This made me laugh because I love cheese and computer security.

posted by holliday at 11:05 am  

Tuesday, January 13, 2009

What do AMEX, BusinessWeek and Paris Hilton all have in common?

This makes me laugh because you deserve to get a trojan if you go to (don’t go here because there is a trojan on it) parishilton.com.

posted by holliday at 8:39 pm  

Monday, January 12, 2009

What is your password policy? It might not lead to your “happiness”.

Having a strong password policy is one of the first things you should work on, whether personal or corporate. If you need an example of poor password policy then just look at all of the articles and blogs referencing Twitter’s recent hack.

A hacker was able to get admin access into Twitter and take over accounts from the likes of President-elect Obama, Britney Spears and many others. The hacker was able to do this because a certain Twitter employee had the password “happiness” and Twitter has no policy for locking an account after multiple failed login attempts.

This is just one of the epic fails in this case but quite possibly the biggest. Have a strong password policy because if you don’t, it will cost you.
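As an added illustration that is not part of the original post, here are the two controls the post says were missing in Python: a dictionary-word check when a password is set, and a lockout after repeated failed logins. The thresholds, the tiny word list and the `LoginGuard` class are assumptions, not anything from Twitter.

```python
import time
from collections import defaultdict

# Constructed example (not from the original post): reject weak passwords at
# enrolment and lock an account after repeated failures, so a guessable
# password like "happiness" cannot be brute-forced indefinitely.

MAX_FAILURES = 5          # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900     # assumed policy: 15 minute lockout
# Tiny constructed denylist; a real deployment would load a full wordlist.
COMMON_WORDS = {"password", "happiness", "letmein", "123456"}


def password_is_acceptable(password: str) -> bool:
    """Reject dictionary words, short passwords and single-class passwords."""
    if len(password) < 12:
        return False
    if password.lower() in COMMON_WORDS:
        return False
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    return classes >= 3


class LoginGuard:
    def __init__(self, check_credentials, now=time.monotonic):
        self._check = check_credentials      # callable(user, password) -> bool
        self._now = now                      # injectable clock so tests can advance time
        self._failures = defaultdict(int)    # consecutive failures per user
        self._locked_until = {}              # user -> time the lock expires

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        return until is not None and self._now() < until

    def attempt(self, user: str, password: str) -> str:
        """Return 'locked', 'ok' or 'failed'; never says which part was wrong."""
        if self.is_locked(user):
            return "locked"                  # refused before the password is even checked
        if self._check(user, password):
            self._failures[user] = 0         # success resets the counter
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= MAX_FAILURES:
            self._locked_until[user] = self._now() + LOCKOUT_SECONDS
            self._failures[user] = 0
        return "failed"
```

The response is the same generic "failed" whether the user or the password was wrong, and a locked account is refused without touching the credential store, so the lockout also throttles the guessing rate.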

posted by holliday at 3:27 pm  

Friday, January 9, 2009

Know your enemy

What is the greatest risk to your network? It may not be the teenage hacker sitting in his room trying to figure out how to get into your network. It might just be your administrative assistant and the websites she visits, maybe even from home on her work laptop.

Case in point: a fellow security engineer arrived on site at a potential customer’s site to do an evaluation with them but was quickly moved down the priority ladder because earlier in the day a person had come in and infected the entire network with the GAObot.AO worm. It took most of the day and all of the customer’s IT resources to get the worm under wraps, and even then they spent days recovering.

So instead of working with a vendor to evaluate software that may have stopped this from happening in the first place, they had to spend resources and time fixing an issue that never should have happened.

When I hear people talk about insider threats it often seems that they picture someone sitting at their desk stealing company secrets and then selling them off. Or they see a sysadmin as a possible risk because he may have built backdoors into all of their systems. I believe that the true insider threat comes from your users who don’t know any better and are unaware of all the risks they present to the company.

posted by holliday at 1:37 pm  

Friday, January 9, 2009

The year in review – 2008

This year was a very interesting one from my perspective. Many big vulnerabilities were discovered (Kaminsky’s DNS flaw) or proven (including just yesterday’s CCC MD5 hack) this year. The funny thing is that these vulnerabilities and attacks were not against new systems or systems that we thought were secure. I think the big lesson from 2008 is that it isn’t the new thing that will kill you, it is not securing the old and heavily used protocols, applications, etc.

posted by holliday at 10:26 am  

Wednesday, December 31, 2008

And now folks it’s time for “Who do you trust?”

The Joker from the first Batman movie said, “And now, folks, it’s time for ‘Who do you trust!’” and I can’t agree with him more. The security landscape has changed over the last year, due to the economy and a severe lack of experienced security professionals, making more companies look at outsourcing their security needs.

This is an interesting change in how people have viewed security in the past. The landscape is scarier now and companies are starting to realize that they are unable to employ a team of security professionals capable of keeping up with the entire scope of security issues in the wild. So how do they keep themselves safe?

I mentioned MSSPs in a previous post and I think that many more companies in the next few years are going to go that route. In the end, it comes down to cost and “Who do you trust?”

posted by holliday at 2:11 pm  

Friday, December 12, 2008

Open Source is a great start, maybe MSSP is the finish

I am a big fan of open source software and have been using it for most of my career to do one thing or another. I find that it is just a starting point, not the end of the road. When using an open source solution you have to plan for some customizations to fit your environment, just like you would with a standard commercial product.

I have found that many individuals don’t have the security resources to really deploy any free open source solution or the budget to purchase a full-blown commercial solution. This usually leads to them trying to use the open source tools but inevitably leaving themselves extremely vulnerable.

With the lack of security resources and budget I have found a lot of customers are looking towards MSSPs to bridge the gap. It will be interesting to see how this affects the security market among small businesses over the next few years.

posted by holliday at 1:15 pm  

Wednesday, December 3, 2008

Visibility

Thought for the day:

If I don’t know about an issue, it can’t hurt me.

This seems to be a major factor in many companies’ overall security policy. Management has a responsibility to keep costs down and one way to do that is to ignore issues until something bad enough happens for them to open their wallets.

For the person in charge of securing the data and systems on the network this is a very big headache. How can this security person perform their job adequately without the proper tools or people? The correct answer is that they can’t. This person has to make it clear to management what issues they are seeing and why it is critical that they get resolved.

To do this you need to have visibility into your network and the ability to present that to your management team. Where do you find the tools or resources to do this though? The internet of course.

www.secviz.org

www.nmap.org

www.nessus.org

www.stillsecure.org

www.snort.org

www.darknet.org.uk

All of these give you free options to help build visual evidence to deliver to the management team. It is hard to keep your head in the sand when someone keeps clearing it away.

posted by holliday at 12:52 pm  

Tuesday, November 11, 2008

I told you so

In an interview with Marcus Ranum, CSO online asked him what he sees as the weakest link in the network security chain. He said “Not knowing what’s on your network is going to continue to be the biggest problem for most security practitioners.”

All I have to say to that is, “Duh”.

posted by holliday at 2:33 pm  

Monday, November 10, 2008

Threat assessment, or how I met your mother

As a species we are hard-wired to do threat assessment in our day-to-day lives. We do many forms of threat assessment without recognizing it as such. You do it when you are changing lanes, or commenting on your wife’s outfit, or even when you take that first sip of hot coffee. How dangerous is this thing I am about to do?

There is something we need in order to be good at threat assessment. I am going to call it Danger Awareness. If you are not aware of some impending danger then you will have no way to correctly assess your threat level. One example of not having danger awareness is when you are in a car and you don’t check your blind spot before merging or changing lanes. I am going to refer to it this way when I discuss danger awareness on the Internet. When you change lanes and a car is in your blind spot it can end very badly; the same is true when you use the Internet without being aware of what is waiting for you.

To really be able to do a true threat assessment you must be aware of all of the dangers (or as many as humanly possible as there are more than enough to keep us all busy for many life times) and then build a plan to help you avoid the dangers that you are aware of and even some you may not be.

posted by holliday at 12:24 pm  