Saturday, October 25, 2008

Multiple Thoughts on Multiple Security Issues

I'm too tired to put enough effort into several blog posts even though I really want to but next week is already looking painful so I'm going tho throw several different thoughts into this post.

First Thought: The CISSP CBK aint so bad...

After spending the last week explaining what I consider core security ideals to people that should know better, I found myself really feeling that a senior security person should understand those core ideals as a minimum level of competency. To be a keyboard guy, my opinion stands that CISSP not a measure of their ability, but I would expect a "hands-on" guy to know that material as well.

The latest TaoSecurity post mentions NIST 800-27 Engineering Principles for Information Technology Security (A Baseline for Achieving Security) maybe I'll start recommending that.

Second Thought: What should a CxO know?

I'm new to the whole CxO thing, but shouldn't your CIO/CTO/CISO jobs understand the things from the first thought? I am thinking yes, they should have more than a PMP to make smart security decisions but I'd like some feedback on that. Like I said I'm new to that kind of environment. Alot of the people on the SBN that hold those positions seem to understand those concepts.

Third Thought: How do you fix a "porous" network?

By porous I mean more than one security hole at any one time and usually a LARGE security hole. Back to the first thought people seem to think if you can fix one problem the rest magically put themselves on hold while you fix that one and you can "catch up"...not! I am also new to real Incident Handling and Response (in the past I've been the guy getting to cause all the trouble) but I'm finding more and more holes and issues as we try to mitigate and fix the first issue. How do you make people understand that the problems dont stop coming in if you have poor network security or poor network design.

Fourth Thought: Initial feeling on SIMs

My initial take on Security Information Management devices are that they are great concepts. I'm starting to play with Cisco MARS and thus far I am impressed on what it SHOULD be able to do. I'll let you know later how well it does.

Fifth Thought: Another unauthenticated full remote MS exploit...SCORE!

I love bugs that are on the level of MS03-026, MS04-011, and MS06-040. Mass pwnage on pentests is awesome. I hope this new MS08-067 ends up being that bad (and the msf module comes out at some point). We need a new DCOM or LSASS exploit. I love it when we get proof that network security isnt dead.

Last Thought: Really more of a "what would you do/recommend"

In our fictional example you found pwdump on your Domain Controller (not put there by one of your admins) and the registry keys point heavily that its been run successfully and results have downloaded. What do you or recommend to the customer?

The book/draconian answer is wipe everything and start over. In people's experience is that a real option for a real network without the ability for mass downtime? Is a mass password reset considered enough of a mitigation?

Would appreciate input from the people out there on our fictional scenario.


Michael Janke said...

On AD: Assuming that the hack is contained, a password reset, followed by a shiny new DC built from the ground up, (not hard to do), remove the old DC from the tree, then another password reset. But I have to qualify that, as I'm better at Netware than AD. (In Netware, the bad guy could have created an account, cut off its inherited rights mask, and made it 'disappear' from the tree and from the sight of the other admins. That would hurt.)

But how do you know that having owned a DC, that they didn't walk through the rest of the servers?

On firewalls: It's a tough one. I'm still trying to close firewall holes that I reluctantly opened up 8 years ago 'just until we fix this app...'. I hate to say it, but I tend to piggyback ugly cleanup projects like that onto high profile 'pet' projects, just so that they get budget/resources.

Can't put that app in the data center until we get some of this old crud cleaned up....

The new data center will have to follow the new security standards......

The others apps in the data center are known vulnerable to a host of exploits, let's try to get tem clean up before we put your really important app in with them....

As for leverage to get cultural change, I've use descriptions of other peoples incidents and compared them to our current state (here's how that could happen to us....) to steer people toward sane security practices. I always ground it solidly in a current news item, preferably something that happened to a peer organization. Fortunately the news items come along often enough.

Or, if I really need to pull out an ace card with another business unit:

Look - as long as my team has to clean up the mess caused by the hacked apps, we get to make the rules. If you put your group on 24x7 and make them the responders and cleanup crew, you can make the rules.

CG said...

Michael thanks for the comments. its like you're in the office! I appreciate the advice.


Anonymous said...

First, concerning the PWDUMP situation. If the network was small enough or was a financial institution I'd really push for the wipe and rebuild from scratch.

In any other scenario this is going to be a tough sell to the decision makers. So I would reset every password, enforce a strict password policy, THEN, if at all practical change EVERY username and create a dummy limited/no logon locally administrator account. I would then stringently monitor the dummy accounts and old usernames for logon failures.

Secondly, your question, "How do you make people understand that the problems don't stop coming in if you have poor network security or poor network design."

My friend if you answer that one you will retire early. I preach the mantra that poor network design creates insurmountable INsecurity. Poor security policy is an extension of network design. Unfortunately, most organizations only learn this lesson when they experience the loss of data, the loss of time, or the arrival of a subpoena.

JF said...

2nd thought: Well, CIO and CTO often don't know a lot about security. That's where the CISO comes in. CISO and CTO know less about the information on the network, cue CIO. And what CTO knows best, CIO and CISO know less about.
Every CxO needs to know what their job is about and consult with the others on how to get everything running as smoothly (CIO), safely (CISO) and correctly (CTO) as possible. If one of them doesn't know what they are doing, one of the others should either tell him (or her, of course) to get their act together or find someone else to do the job.

3rd thought:
Hmm...'un'porous it: firewall to block off most traffic, slap admins to make them install patches on time (patchdate + 1 month max for testing), check if any apps are using any kind of administrative-or-higher-than-user-or-guest access rights and demote them.
If the hole is in the apps, get programmers to fix it and if they don't know how either send them to classes or get someone to do it for them.

5th thought:
Well, yet-another-reason-to-firewall, I guess. At least you'll keep outsiders out. Now just to find a way to stop inside attackers....UNIX maybe?

Last thought:
Put up a new master DC with all accounts and reset passwords, pull the plug on the old one (LITERALLY pull it), check it as to why it's hacked, pull plugs on other systems that were hacked after putting the legitimate contents to a new server and do the same till you get to the original one hacked. Fix all systems involved (rebuild or patch or put up new version of the software).

Lots of work, but what's the point in keeping everything on there if it will only increase the risk of it getting hacked again?

Anonymous said...

Some in the consulting biz might push for the big fancy forensics team to come in and figure out "who done it" before wiping the machines and mass password changes.

Placing blame seems to help some people sleep at night. It may even help them justify not making any changes if they catch someone.

A very expensive solution, but I thought I would push another possibility across the table.

CG said...


I havent had my coffee yet so maybe i'm just not seeing it but what is your other possibility?