Thursday, November 10, 2011

Lets Get Real

We work in a variety of large environments, networks from 30k hosts up to 100k hosts and like many of you one of our jobs is to provide security advice to our customers. In the infosec industry many times this advice involves recommending things like patching, AV selection, FW rules, SEIMs, reverse engineering tools, app review, etc. (and most often purchasing more assessments ;)

However what we are finding most often is many places aren't even ready to deal with implementing advanced security as their basic IT operations are not in order. How many times have you pen tested a customer and heard "oh yeh that belongs to the desktop support group, good luck getting anything done there"?

Many times we have generated a number of serious alerts on a sensitive server including the use of stolen cached domain admin credentials, password dumping tools and even rebooting the server itself. We will see a ticket generated in the support system, an admin looks at the sever, fills out the ticket and says: "AV caught the attempt and the server came back up fine" ticket closed. Often users won't report anything suspicious, even when our actions are blatant, because they are so accustomed to everything being broken and unstable.

Beyond automating patch Tuesday and keeping AV up to date, and definitely beyond exploits, memory protections and reverse engineering, the most serious problem in security is that organizations lack even basic capabilities in managing their enterprises. Who's running still running XP SP2 (a vastly less secure OS than Win7) because of the expense involved in updating the enterprise? Businesses need security help that is willing to negotiate the maze of business concerns and understand enterprise IT needs in addition to being technically astute in security.

We've been to large companies where getting a network port to plug into to start testing can take 2 weeks. Where finding someone who understands how servers are configured or even how many servers there are can be a challenge. Environments that don't know what computers are on their own networks. Sure security needs to be built into the whole process, but I wonder, have we focused too much on what we want to do and not enough on what the customer's actually need?

Its not sexy or headline generating work, but little is more critical.




Anonymous said...

I have two clients that make me laugh with their tech choices.

Client A: Approx 45k hosts. User facing is all win 2000. Back is a combination of win svr 2k and 2k3.

Client B: 25k hosts. combo win2k and vista for end users. Backend is NT4

Its a joke on getting anything done. Firewall rule change to common sense setting? 12 weeks. 3 committees. and a prayer.

Anonymous said...

Welcome to the desert of the real.

Anonymous said...

Must agree with what is said. Sadely.
Companies wont act until 'something has happened', and when there is something, the tip of the iceberg, everyone is happy to down play it. The fundamental flaw is not only money related, but, as often, is also due to a lack of commitment and concern of the management (and staff) as well as a lack of competency in the mot fundamental system and network administration tasks.

The trues is that I am the admin of swiss cheese full of holes.

Dark Floyd said...

Be frank, from IT perspective, they would like to keep systems and network "running' and "available" but not about confidentiality and integrity at the first sight.

Unless there is a nationwide security guideline and standard the company should fulfill and comply with, otherwise, they will suffer a severe financial and legal risk if outbreaks are reported, otherwise, they will keep themselves loose indeed.

We keep our work rolling but it readily takes time.