
Hackers Don't Take Vacations

Gordon Smith

Cutting costs is good—but don’t scrimp on information technology security. The author of this article warns that you may take vacations, but hackers never do. And he discusses other common mistakes that can place your firm in danger.

© 2008 Canaudit, Inc. Reprinted with permission.

The Journal of Corporate Accounting & Finance, March/April 2009. © 2009 Wiley Periodicals, Inc. Published online in Wiley InterScience (www.interscience.wiley.com). DOI 10.1002/jcaf.20480

I became very disturbed after attending several audit and security conferences last summer. It seems that the profession slowed down its efforts over the vacation period, June through the end of August. In many of my conversations and discussions, it was mentioned that staff shortages due to vacations are causing businesses to postpone security discovery and remediation efforts and IT audits until after Labor Day. This information was confirmed by our project bookings. Our bookings then took off after the Labor Day holiday as people rushed to complete their audit and security work by year-end. For many of us, year-end is the deadline for meeting our performance objectives and earning our bonuses. As a result, everyone was redoubling their efforts to complete their assignments by the end of their performance year.

WHO NEVER QUITS?

Well, here is some news: Hackers did not take a vacation over the summer. In fact, it appears that they were working overtime. You just have to take a short Internet visit to the Attrition.org Data Loss Archive and Database (http://attrition.org/dataloss/dataloss.csv) to see the activity over the past summer. For the purposes of this article, I excluded items like lost laptops and lost or stolen media (backup tapes), and focused solely on Web or hacking incidents. The total number of reported lost identities in these categories was 2,513,317. This was just over the summer months. Let me emphasize that these are only the reported incidents. If an organization lacks effective intrusion detection, it will not notice the breach until after its customers are scammed and the authorities trace the loss of confidential information back to a specific organization.

Thank goodness for the FBI and the local commercial crime divisions of our police forces! Without them, we would not know of many of the breaches that result from the failure to implement effective incident prevention, detection, and investigation procedures. The rest of this article will provide you with my opinions on the reasons many organizations are not effectively secured. Just today, as I write this article, a new announcement was published at Consumerist.com that demonstrates the efforts our law enforcement agencies are making:

Forever21 announced Friday that the Secret Service found criminals had illegally accessed 98,930 credit and debit card numbers from store customers. (See the full article at http://consumerist.com/5050173/98930-affected-in-forever-21-data-breach.)


It must have been a surprise for Forever21 management to find out from the Secret Service that they had a control breach!

SECURITY FUNCTION OFTEN INEFFECTIVE

But management vacations aren’t the only reason hackers are a danger. One of my pet peeves is that many IT security functions focus on policies and procedures. They do an excellent job of creating new policies and procedures and updating existing ones. My concern is that policies and procedures alone do not protect our information infrastructure, software, and data. While they are certainly required, we need more enforcement of the policies and procedures. We also need mechanisms to detect incidents and determine if the installed security products are working properly. When we do our first remediation test for a client after an IT Security Baseline or Network Penetration Audit, management is often shocked to find that items reported as corrected are, in fact, not remediated. This is usually caused by a failure to communicate up and down the command structure. When we ask the people on the bottom of the structure, they usually tell us the way things actually are—in need of a significant security enhancement. When we ask people in the middle of the structure, they tell us how they believe things are. The difference is the filtering that goes on as information moves up the chain of command.

Let me be frank. The CEO and other senior executives want to have a secure environment. The people on the bottom know the environment is not secure. The people between the two groups want to please their superiors and put a favorable spin on the issues. The “Serious items that are not remediated” become “Audit items that are under control” or “We are handling the issues.”

This is a natural tendency, as middle management is often isolated from the lower-level staff. As a result, the actual situation is distorted as it climbs the command-and-control structure. Needless to say, when our test results are reported to executive management, there is an outcry, as the executives believe that they were deceived. Once the heat of the moment has passed, middle management learns to check their facts before they commit a second and possibly career-limiting misstatement. Executive management now asks for proof of remediation, usually independent verification from an external party or the internal audit department.

CALL IN THE SWEEP TEAM

This leads me to another critical missing element in many IT security functions. It is what I call a “sweep team.” In most small to medium-sized organizations, there should be one or two sweepers who conduct regular scans of the network. In larger organizations, additional sweepers may be required. The sweepers’ task is to constantly scan the network looking for poorly secured machines and databases. We have assisted several clients by providing the tools and training necessary to identify flaws and correct them before a hacker or disgruntled insider can take advantage of the weakness. We believe that the sweepers should be part of the IT Security group to ensure that they are independent of normal operations. The sweepers’ task is to identify issues and turn them over to IT to fix. They then retest to ensure that the issues have been remediated. It is essential that each security group have a team specifically tasked to seek out and identify weaknesses, report them, and ensure that they are remediated. Once the sweepers are in place, executive management will have greater confidence in the reported remediation results.

INTRUSION DETECTION AND PREVENTION MAY NOT BE EFFECTIVE

An Intrusion Prevention System (IPS) and an Intrusion Detection System (IDS) do not always provide the level of protection required. Also, we have found that some services that monitor networks and Web events for security breaches may not be effective. During most of our initial IT Security Baselines and Network Penetration Audits, we have been able to successfully avoid detection. The most common causes are lack of an IPS or IDS or poor configuration of the IPS and IDS. We have also been able to remain below the horizon of remote-monitoring organizations.

Let us look at the common flaws relating to IDS and IPS. In many cases, they are set up to identify the normal precursor to an attack, the network scan. Our project team techniques are designed to avoid detection. If we suspect that there is an IPS in place, we will locate a printer, a video conferencing device, or an exploitable Voice over IP (VoIP) system. It is a simple matter to obtain these MAC and IP addresses and masquerade one of our machines as any of these systems. If this ploy is successful, it means that the IPS was not properly implemented: those devices were excluded from inspection rather than tuned. It is common to leave some devices out of IPS coverage because they generate a large number of false positives, and the false positives have the security folks running down false alarms. My response to ignoring troublesome devices is that I would rather send fire trucks out and find the house is not on fire than not send the fire trucks out when there is a fire.

Once we gain undetected access to an IPS-protected network or a network running no intrusion detection at all, we avoid scanning the network. A network scan will normally set off alerts or hit an embedded honeypot (a device intended to attract hackers so they can be detected). Instead we use a command prompt window and issue the net view command as shown below:

    net view /domain:XYZ
    net view /domain:XYZ.com

where XYZ is the organization’s domain name. This lists the machines that the Windows browser service knows about for that domain (the NetBIOS browse list, which is not guaranteed to be a complete enumeration of Active Directory). Using the IP addresses for these machines, we run a single-port scan looking for port 1433, the default TCP port on which Microsoft SQL Server listens for client connections. If the IDS or IPS does not flag a single-port scan, then we are able to stay under the radar from a detection standpoint. We have several exploits for MS-SQL that can give us LocalSystem access, which on Windows is more privileged than a local administrator account. The easiest is to test for accounts that still carry a default password (sa, admin, and probe; the classic finding is sa with a blank password). Once in, we use the LocalSystem access to read the LSA (Local Security Authority) secrets, which, once decrypted with SYSTEM rights, can contain cleartext passwords for service accounts and other credentials stored on the system, or capture passwords that will help us gain domain administrator rights.

To accomplish the same objective another way, we set up a single-port scan of port 1521, the Oracle Listener port. This locates the Oracle databases running in the Windows environment. Once this is done, we use the Canaudit Oracle Scanner to connect to the listener port, download relevant information, and identify DBA (Database Administrator)–like accounts that have default passwords. Once we have this access, we can take the Oracle account names and password hashes (Oracle stores a one-way hash of each password rather than the password itself), as well as access the database. At this point, hackers would write a query to harvest the confidential information.

These are just two techniques used to gain undetected access to databases. There are similar issues with other databases. We test all of the major databases in our IT Security Baseline or Network Penetration Audits. Needless to say, we normally gain access to many of them.
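The two passages above rest on the same detection gap: a single-port sweep for 1433 or 1521 across many hosts, launched from a source the IPS has been told to ignore. The following is an added example, not code from the article or from Canaudit's tools, showing the detection logic a sweep team or SOC would want in place. It reads connection records in a constructed log format (timestamp, source, destination:port), flags any source that touches the same port on at least min_hosts distinct destinations within one window, and takes an optional exclusion list that mirrors an IPS "noisy device" exemption. The addresses, the log format, the 10-minute window and the threshold of five hosts are all assumptions made for the example; the spoofed printer address shows how an exclusion turns a visible scan into a blind spot.

```python
"""Horizontal (single-port) scan detection over connection records.

Added example, not part of the original article or Canaudit's tooling.
It flags a source that contacts the same destination port on many
distinct hosts inside a short window, the signature of the single-port
sweep for 1433/1521 described above. Log format, addresses, window and
threshold are constructed/assumed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format: "<ISO time> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one connection record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "proto": m["proto"],
    }


def detect_horizontal_scans(lines, window=timedelta(minutes=10), min_hosts=5,
                            excluded_sources=()):
    """Return {(src, port): max distinct hosts seen in any `window`} for every
    source that reaches >= min_hosts distinct destinations on one port.

    `excluded_sources` mirrors an IPS exclusion list: addresses of printers,
    VoIP phones and other "noisy" devices that are not inspected. A scanner
    that borrows one of those addresses never reaches the counting logic.
    """
    excluded = set(excluded_sources)
    touches = defaultdict(list)  # (src, port) -> [(ts, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["src"] in excluded:
            continue
        touches[(ev["src"], ev["port"])].append((ev["ts"], ev["dst"]))

    hits = {}
    for key, events in touches.items():
        events.sort()
        best, start = 0, 0
        seen = defaultdict(int)  # dst -> number of touches inside the window
        for ts, dst in events:
            seen[dst] += 1
            # Slide the window start forward until every event inside it is recent.
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        if best >= min_hosts:
            hits[key] = best
    return hits


# Constructed sample: ordinary workstation and DB-client traffic, plus a
# six-host sweep of port 1433 from 10.0.5.23 (the printer's address, which
# the tester has taken over) and one stray touch half an hour later.
SAMPLE_LOG = """\
2008-09-12T09:00:01 10.0.1.10 -> 10.0.2.5:443 tcp
2008-09-12T09:00:05 10.0.1.11 -> 10.0.2.20:1433 tcp
2008-09-12T09:00:10 10.0.5.23 -> 10.0.2.20:1433 tcp
2008-09-12T09:00:11 10.0.5.23 -> 10.0.2.21:1433 tcp
2008-09-12T09:00:12 10.0.5.23 -> 10.0.2.22:1433 tcp
2008-09-12T09:00:13 10.0.5.23 -> 10.0.2.23:1433 tcp
2008-09-12T09:00:14 10.0.5.23 -> 10.0.2.24:1433 tcp
2008-09-12T09:00:15 10.0.5.23 -> 10.0.2.25:1433 tcp
2008-09-12T09:01:00 10.0.1.10 -> 10.0.2.5:443 tcp
2008-09-12T09:01:30 10.0.1.11 -> 10.0.2.20:1433 tcp
2008-09-12T09:30:00 10.0.5.23 -> 10.0.2.30:1433 tcp
""".splitlines()

PRINTER_IP = "10.0.5.23"  # assumed address of the excluded printer


def run_example():
    """Run the detector with and without the printer exclusion."""
    unfiltered = detect_horizontal_scans(SAMPLE_LOG)
    with_exclusion = detect_horizontal_scans(SAMPLE_LOG, excluded_sources=[PRINTER_IP])
    return unfiltered, with_exclusion


if __name__ == "__main__":
    no_excl, excl = run_example()
    print("no exclusions:   ", no_excl)   # {('10.0.5.23', 1433): 6}
    print("printer excluded:", excl)      # {}
```

The sliding window counts distinct destinations rather than raw connections, so a legitimate client hammering one database server never trips it, while the six 1433 touches in five seconds do. Run it once with the exclusion list empty and once with the printer excluded: the same scan is reported in the first case and invisible in the second, which is the fire-truck argument in code.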

MONITORING SERVICES WORK BEST WHEN PROPERLY CONFIGURED

Some of our clients use an outside firm to monitor their security. If properly used, these services are great! When a reportable event is detected, e-mails are sent to the security folks. That said, there are a couple of common flaws that need to be discussed. We have had several incidents with clients where our team was able to avoid detection as we kept below the alert thresholds. Thresholds are usually set to ignore false positives. As a result, with careful use of hacker tools and software, we can remain under the critical thresholds until we reach our objectives and glean confidential information.

Let me explain the types of thresholds. Critical events, such as the creation of a new domain administrator account, generate immediate alerts to the security folks. Next are medium events, which may be reported overnight and sent out to the security staff. It is up to the security staff to determine if any of the events should be investigated. Lastly, there are the low-level alerts. These alerts are tracked, but it is up to the security staff to log on to view these alerts. The monitoring service may also send out weekly reports that summarize the week’s events. These reports are usually available online as well.

So, what is my concern? Based on our project testing, we can usually avoid the critical alerts. We have no need to set up an administrator-empowered account when we glean this access by other means. Also, the medium-level alerts may be sent overnight. This means that the security folks may not see them until they get into work in the morning, or even later. In most cases, we do not generate many medium-level alerts. Those that are generated may be discounted by security as false positives.

In our testing, we do generate thousands of low-level alerts. These clearly show up in the daily or weekly summaries. Someone just has to view the alerts and act upon them. I believe that a better methodology would be to triage the medium- and low-level alerts by volume. Let us say that 25 medium-level alerts are generated on a normal day when there are no attacks. I would use this level to trigger a high-level alert: as soon as 25 medium-level alerts are identified in a day, a single high-level alert is flashed to the security staff. If normally there are 50 low-level alerts on a normal day, then I would set this as the threshold for generating a medium-level alert, and if 100 low-level alerts are encountered, I would generate a high-level alert. Obviously, my examples are arbitrary. A full analysis should be performed to determine the escalation process for monitoring alerts that fits your organization.
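The escalation rule above is simple enough to run over the monitoring service's daily export, and doing so is what turns "thousands of low-level alerts in the weekly summary" into a single page to the on-call staff. The following is an added example, not code from the article or from any monitoring vendor. It counts alerts per day and severity, raises one high-level escalation when the medium count reaches its threshold, one medium when the low count reaches its threshold and one high at double that, and derives a baseline from a history of quiet days using the median so that a drill day cannot inflate it. The alert records, dates and counts are constructed; the thresholds default to the article's arbitrary 25 and 50, and in a real deployment they belong somewhat above the quiet-day count, or every quiet day would page the staff.

```python
"""Volume-based escalation for monitoring-service alerts.

Added example; it is not code from the article or from any monitoring
vendor. Alert records, dates and counts are constructed for the example.
Thresholds default to the article's arbitrary figures (25 medium, 50 low).
"""
import statistics
from collections import Counter, defaultdict

# Assumed alert record: (date_string, severity) with severity in {"low", "medium", "high"}.
# In practice these would be parsed from the monitoring service's daily export.


def daily_counts(alerts):
    """Map each date to a Counter of alerts by severity."""
    counts = defaultdict(Counter)
    for date, severity in alerts:
        counts[date][severity] += 1
    return counts


def baseline_from_history(alerts, severity):
    """Median daily count of `severity` over the history given.

    The median rather than the mean keeps one bad day (or one sweep-team
    drill) from inflating the threshold for every later day.
    """
    per_day = daily_counts(alerts)
    if not per_day:
        return 0
    return statistics.median(c[severity] for c in per_day.values())


def escalate(alerts, medium_threshold=25, low_threshold=50):
    """Return {date: [(severity, reason), ...]} for the days that trip a rule.

    At most one escalation per rule per day, so the staff receive one clear
    signal instead of another flood. Low-level volume trips either the
    medium rule or, at double the threshold, the high rule, never both.
    """
    escalations = {}
    for date, c in sorted(daily_counts(alerts).items()):
        raised = []
        if c["medium"] >= medium_threshold:
            raised.append(("high", f"{c['medium']} medium-level alerts (threshold {medium_threshold})"))
        if c["low"] >= 2 * low_threshold:
            raised.append(("high", f"{c['low']} low-level alerts (threshold {2 * low_threshold})"))
        elif c["low"] >= low_threshold:
            raised.append(("medium", f"{c['low']} low-level alerts (threshold {low_threshold})"))
        if raised:
            escalations[date] = raised
    return escalations


def make_day(date, low=0, medium=0, high=0):
    """Build one constructed day's worth of alert records."""
    return [(date, "low")] * low + [(date, "medium")] * medium + [(date, "high")] * high


# Constructed quiet-week history used only to derive baselines.
HISTORY = (
    make_day("2008-09-01", low=30, medium=10)
    + make_day("2008-09-02", low=48, medium=8)
    + make_day("2008-09-03", low=52, medium=12)
)

# Constructed week under review: a quiet day, a sweep-team drill that floods
# the low tier (the "thousands of low-level alerts" case), and a day on which
# the medium threshold is reached.
SAMPLE_ALERTS = (
    make_day("2008-09-08", low=30, medium=10)
    + make_day("2008-09-09", low=1200, medium=12)
    + make_day("2008-09-10", low=60, medium=25)
)


def run_example():
    """Escalate the week under review with the article's thresholds."""
    return escalate(SAMPLE_ALERTS)


if __name__ == "__main__":
    print("low baseline from history:", baseline_from_history(HISTORY, "low"))
    for date, raised in run_example().items():
        for severity, reason in raised:
            print(f"{date}: {severity.upper()} - {reason}")
```

With the defaults, the drill day produces exactly one high-level escalation from 1,200 low alerts, and the third day produces one high (25 medium) plus one medium (60 low); the quiet day produces nothing. Feed `baseline_from_history` a few weeks of genuinely quiet days and pass a multiple of its result as the thresholds rather than the raw median.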

Not monitoring the correct things is another issue. We have had clients who use the monitoring service solely for external Internet threats. Other clients may not take the appropriate level of service for internal threats, as they are budget conscious. Well, if you are going to use a professional monitoring service, then you should fund it properly. A visit to the Tech//404® Data Loss Cost Calculator (http://www.tech-404.com/calculator.html) will let you quickly determine the cost of an intrusion. I used the loss of 25,000 records in my example, and I found the cost of notifying the victims and providing them with ID theft services was over $4,000,000. This does not include the cost of litigating the class action lawsuit that is sure to follow. There are numerous examples of class actions you can use. TJX and Certegy Check Services are two recent examples that will give your management an estimate of the litigation costs resulting from breaches. The lesson to be learned here is that if you are going to use a monitoring service, then ensure that you pay for all of the features needed to ensure early detection and alerting of potentially dangerous situations.

INCIDENT RESPONSE PROCEDURES MAY NOT BE EFFECTIVE

Many of our clients have incident response procedures; however, what concerns me is that they do not test them until there is an actual incident. I believe that it is essential to test incident-response procedures on a regular surprise basis. The method we prefer is to have the sweeper team perform random attack simulations approximately once a month from various locations within the network. The security team should have to determine that an attack is under way and invoke the incident-response procedure. They should then have to track down the offenders, isolate, and then “apprehend” them. The secret to early detection and isolation of a computer incident is repeated drills to ensure that the correct methodology is followed and that each person on the response team understands and is comfortable executing their role.

A key component in incident response is the command center. This is a facility that is available at all times to serve as the headquarters for the investigation of the incident in question. The incident-response team should assemble and work from this facility. Remote members of the team should video conference into the center. It is important that video conferencing be available, as this creates better synergy among the team members. They could also teleconference into the facility if video conferencing is not an option. We suggest that GoToMeeting or some other remote presentation tool be used to enable remote participants to see what is on display or monitor.

THE HACKER MAY BE SITTING BESIDE YOU

I mentioned earlier in this article that hackers do not take vacations. They are diligent in their activities. Often they work together in groups to ensure that they successfully attack multiple targets. These hackers may not be just in North America. As reported in a recent article in the Boston Globe:

Prosecutors said both men were key players in a loose-knit ring spanning countries from China to Ukraine that stole or trafficked in more than 40 million payment cards in all, causing more than $400 million in damages. (See the full article at http://www.boston.com/business/technology/articles/2008/09/12/hacker_pleads_guilty_in_breach/.)

Hackers are not necessarily invisible people from other countries. They could be your fellow employees, temporary workers, contractors, or outsourced IT staff overseas. Hacking incidents do not only originate from the Internet or poorly secured wireless networks. They can originate from the inside of your network or the network of a trusted trading partner.

YOUR SECURITY GROUPS: HOW EFFECTIVE?

I am very concerned about the effectiveness of IT security groups. IT security is far more than policies and procedures. It is more than having a chief information security officer. Solid IT security requires a team that sets standards, enforces the standards, and regularly scours the network to identify poorly secured machines, databases, and devices. Your IT security group may already be performing the functions I mention in this article. If so, congratulate them with a dinner on the company or a gift card. They certainly have earned the praise. Forward-looking organizations with an effective security team are most likely to avoid the public embarrassment of a compromised network and sensitive information.

If your security group focuses strictly on the policies and procedures, then it is time to rethink the function of this critical group. Several of our clients have needed to reinvent the security function from the top down. I have been pleased to be a part of these efforts at our clients and look forward to working with more organizations to ensure that their IT security effort is well organized, proactive, and well trained.

The opinions expressed in this article are mine and mine alone. I am always interested in your feedback, both positive and negative. Please send your comments to [email protected].


Gordon Smith is president and CEO of Canaudit Inc. in Simi Valley, California.
