
Page 1: Identifying Worst Information Technology Practices

Identifying Worst Information Technology Practices

Page 2: Identifying Worst Information Technology Practices

Where’s the risk?

Page 3: Identifying Worst Information Technology Practices

Why examine worst-practices

• Occur in many organizations
• Practiced in the name of efficiency
• Unmanaged risks result in wasted money, resources and loss of reputation
• What’s cost-effective when:
  – Heavy dependence on IT to achieve goals
  – Organizations are increasingly subjected to vulnerabilities
  – Scope and magnitude of IT investments are increasing
  – IT can dramatically change the organization and service delivery
  – IT represents the organization’s most valuable assets

Page 4: Identifying Worst Information Technology Practices

Why organizations implement worst practices

• Abdication of responsibilities
• Inability to segregate activities
• Calculator mentality
• Putting out fires
• Information overload
• Expectation gap
• Inadequate training
• Ignorance and false pride

Page 5: Identifying Worst Information Technology Practices

What’s cost-effective (revisited) ?

• Technology that is capable of operating without material error, fault, or failure during a specified period in a specified environment

RELIABILITY

Page 6: Identifying Worst Information Technology Practices

What constitutes reliability?

• Per the SysTrust Principles and Criteria for Systems Reliability (v 2.0), published by the AICPA/CICA:
  – Security
  – Integrity
  – Availability
  – Maintainability

Page 7: Identifying Worst Information Technology Practices

And what if your organization uses worst-practices?

• Your service delivery is not cost-effective
• High probability of your information and related resources being unreliable
• Usually, if properly done, the required changes are very cost-effective and deliver high ROI on the investment required to improve

Page 8: Identifying Worst Information Technology Practices

Network not as important as physical security

• Terminated Employees or Consultants
  – HR policy typically requires
    • all keys and cards be turned in
    • consider changing locks and combinations
  – Security policy
    • may (not always) mention the need to adjust security settings
    • the vast majority of audit reports cite that terminated employees and consultants still have access to system resources

Page 9: Identifying Worst Information Technology Practices

Network not as important as physical security (cont)

• How To Manage The Risk
  – Build the responsibility into the corporate culture
    • the approver is always accountable for what they approved (user)
    • incorporate notifying security as part of the termination process (HR, and yes it is your job!!!)
    • question inactivity (security)
• Estimated Cost/Benefit
  – Low Cost/High Return

Page 10: Identifying Worst Information Technology Practices

Not enforcing need to have access

• “it won’t happen here”
• “the security group (or user admin) doesn’t have the time or resources”
• “we need the flexibility for cross-training or backup”
• “Mary’s been with us for over 30 years so she deserves to be designated a security administrator”
• “we only need to worry about external hackers”

Page 11: Identifying Worst Information Technology Practices

Not enforcing need to have access (cont)

• Consider these issues
  – 60%-70% of unauthorized system break-ins are from internal sources
  – Based on forensic experience, this worst-practice is a primary contributor to internal fraud and facilitates the circumvention of management-designed controls (including organizational chart responsibilities)
• Prime Directive
  – Many professionals believe that it is impossible to maintain a control environment that satisfies stakeholders’ expectations while using this worst-practice
• Estimated Cost/Benefit
  – Low Cost/High Return
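The two worst-practices above (terminated users who keep their access, and access granted beyond what the job needs) are both caught by the same periodic access review: compare the account export against the HR termination list, flag accounts nobody has used, and compare each account's entitlements against what its role is allowed to hold. The script below is an added example, not material from the slides; the termination list, accounts, roles, entitlement names and the 90-day inactivity threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from the slides): an HR termination list, a
# directory/account export, a role-to-entitlement matrix and the entitlement
# combinations one person must never hold. All names are hypothetical.
TERMINATED = {"jdoe", "consultant42"}

ROLE_ENTITLEMENTS = {
    "clerk": {"ap_entry"},             # enters accounts-payable transactions
    "supervisor": {"ap_approve"},      # approves them
    "security_admin": {"user_admin"},  # administers accounts
}

# Entering and approving the same transactions defeats the control.
TOXIC_COMBINATIONS = [frozenset({"ap_entry", "ap_approve"})]

# (username, role, entitlements actually granted, enabled?, last login)
ACCOUNTS = [
    ("jdoe", "clerk", {"ap_entry"}, True, date(2024, 5, 2)),
    ("consultant42", "supervisor", {"ap_approve"}, False, date(2024, 1, 9)),
    ("mary", "clerk", {"ap_entry", "ap_approve", "user_admin"}, True, date(2024, 6, 1)),
    ("bob", "supervisor", {"ap_approve"}, True, date(2023, 9, 14)),
    ("alice", "security_admin", {"user_admin"}, True, date(2024, 6, 3)),
]

REVIEW_DATE = date(2024, 6, 10)  # constructed "today" for the review


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def review_accounts(accounts, terminated, role_entitlements, toxic, today,
                    inactive_days=90):
    """Return the findings an access review should raise for each account."""
    findings = []
    for user, role, granted, enabled, last_login in accounts:
        if not enabled:
            # A disabled account is the desired end state; nothing to report.
            continue
        if user in terminated:
            findings.append(Finding(user, "terminated_still_enabled",
                                    "on HR termination list but account is enabled"))
        if (today - last_login).days > inactive_days:
            findings.append(Finding(user, "inactive",
                                    "last login " + last_login.isoformat()))
        # Need-to-have: anything granted beyond the role's matrix is excess.
        excess = granted - role_entitlements.get(role, set())
        if excess:
            findings.append(Finding(user, "excess_entitlements",
                                    "beyond role '%s': %s" % (role, ", ".join(sorted(excess)))))
        # Segregation of duties, checked on what is actually granted.
        for combo in toxic:
            if combo <= granted:
                findings.append(Finding(user, "segregation_of_duties",
                                        "holds " + " + ".join(sorted(combo))))
    return findings


def findings_by_user(findings):
    """Group issue labels by user (sorted) for reporting."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.user, []).append(f.issue)
    return {user: sorted(issues) for user, issues in grouped.items()}


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS, TERMINATED, ROLE_ENTITLEMENTS,
                             TOXIC_COMBINATIONS, REVIEW_DATE):
        print(f"{f.user:14} {f.issue:26} {f.detail}")
```

On the constructed data the review flags jdoe (terminated but still enabled), bob (no login in over 90 days) and mary (entitlements beyond her role, including the entry/approve combination); consultant42 is already disabled and produces nothing, which is the state the termination process should leave behind. The review only works if the role matrix itself is approved by someone accountable, which is the "approver is always accountable" point on the previous slide.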

Page 12: Identifying Worst Information Technology Practices

Leaving “factory” default settings unchanged

• “Operating systems are often shipped with default users with default passwords to make setting up easier. If the systems administrator doesn’t know about the default accounts, or forgets to turn them off, then anyone who can get hold of a list of default accounts and passwords can log into the target computer”

• “Anyone who knows how to do basic research using the internet can get hold of these lists”
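The check an attacker runs is easy to run yourself first: take the published default-account list for each product and test it against your own account export. The example below is added here and is not from the slides; the default-credential list, the account export, the salt and the salted SHA-256 scheme are constructed for illustration (a real audit reproduces whatever hashing scheme the system actually uses).

```python
import hashlib
import hmac

# Constructed, illustrative vendor default accounts and shipped passwords.
# Real lists are product-specific and public, which is why they are tried first.
DEFAULT_CREDENTIALS = {
    "admin": ["admin", "password", "changeme"],
    "root": ["root", "toor", ""],
    "guest": ["guest", ""],
    "sa": ["", "sa"],
}


def hash_password(password, salt):
    """Illustrative salted SHA-256 (assumed scheme). Production systems use a
    slow KDF; the audit only needs to reproduce the scheme the export uses."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed account export: (username, enabled?, salt, stored hash).
_SALT = "s3"
ACCOUNT_EXPORT = [
    ("admin", True, _SALT, hash_password("admin", _SALT)),          # factory password
    ("root", True, _SALT, hash_password("k9!vP2#qL", _SALT)),       # default account, password changed
    ("guest", True, _SALT, hash_password("guest", _SALT)),          # factory password, should be disabled
    ("sa", False, _SALT, hash_password("", _SALT)),                 # disabled: the desired state
    ("ops_user", True, _SALT, hash_password("m0nth1yR0t", _SALT)),  # not a vendor default account
]


def audit_default_accounts(export, defaults, hasher=hash_password):
    """Classify every vendor default account found in the export.

    Returns {username: status} where status is one of
      "default_password"             enabled and still using a shipped password
      "enabled_nondefault_password"  enabled with a changed password (still review need)
      "disabled"                     turned off
    The matched password is deliberately never returned or logged.
    """
    results = {}
    for user, enabled, salt, stored in export:
        if user not in defaults:
            continue
        if not enabled:
            results[user] = "disabled"
            continue
        matched = any(hmac.compare_digest(hasher(candidate, salt), stored)
                      for candidate in defaults[user])
        results[user] = "default_password" if matched else "enabled_nondefault_password"
    return results


if __name__ == "__main__":
    for user, status in sorted(audit_default_accounts(ACCOUNT_EXPORT, DEFAULT_CREDENTIALS).items()):
        print(f"{user:10} {status}")
```

Two of the five constructed accounts (admin, guest) still carry their shipped password; root is a default account with a changed password, which is better but still worth a decision on whether it should be enabled at all; sa is disabled. Run this against every product you ship, not only operating systems: databases, network gear and appliances ship with default accounts too.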

Page 13: Identifying Worst Information Technology Practices

Leaving “factory” default settings unchanged (cont)

• Security is not the only exposure. Incorrect parameter settings in a core application could negatively impact the business and result in:
  – Inappropriate access
  – Invalid use of validation controls
  – Incorrect financial reporting
  – Incorrect exception reporting
  – Regulatory compliance violations
  – Incorrect calculations and postings
  – Incorrect customer records
  – Loss of credibility
  – Poor customer service
  – Wasted investment in technology
  – Payments to consultants to get things back in order

Page 14: Identifying Worst Information Technology Practices

Not applying security patches

• “Finding the low-hanging fruit should always be your top priority – mainly because it is the attacker’s first priority. Devastating web vulnerabilities still exist after years of being publicly known”

• “Typically this is what ‘script kiddies’ use, and it results in embarrassment for the organization”

Page 15: Identifying Worst Information Technology Practices

Not monitoring security-related advisories & updates

• Respected organizations (e.g., CERT, SANS) distribute free newsletters providing guidance on recent and projected security threats. For example:
  – SANS/FBI released a Top 20 vulnerability list with appropriate (free) tools to detect whether a particular organization is exposed.
  – CISECURITY.ORG provides generally accepted benchmarks to effectively manage technology risk.
• These warnings and this guidance are typically ignored in worst-practices organizations

Page 16: Identifying Worst Information Technology Practices

Does your organization have worst security practices?

• To many these sound like a good thing to do
  – Vulnerability Review
  – Penetration Test

• But to what extent do they just confirm what you already knew (be honest!!)

• And how do they help you prevent future occurrences

Page 17: Identifying Worst Information Technology Practices

Popular network security testing techniques

• Network Mapping
• Vulnerability Scanning
• Penetration Testing
• Security Testing and Evaluation
• Password Cracking
• Log Reviews
• File Integrity Checkers
• Virus Detectors
• War Dialing

Page 18: Identifying Worst Information Technology Practices

Network mapping

• STRENGTHS
  – Fast
  – Efficiently scans a large number of hosts
  – Many excellent freeware tools available
  – Highly automated
  – Low cost
• WEAKNESSES
  – Does not directly identify known vulnerabilities
  – Generally used as a prelude to penetration testing, not as a final test
  – Requires significant expertise to interpret results
• OTHER INFO
  – Quarterly
  – Medium level of complexity, effort and risk
• BENEFITS OF DOING
  – Enumerates the network structure and what’s active
  – Identifies unauthorized hosts and services
  – Identifies open ports
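The benefit that matters most from a quarterly map is the diff: which hosts and listening services appeared that nobody authorized. The example below is added here, not from the slides or any tool's own code. It parses a constructed sample in nmap's grepable (-oG) output format and compares it against a constructed baseline of the hosts and services that are supposed to exist; the addresses, hostnames and baseline are hypothetical.

```python
# Constructed sample in nmap's grepable (-oG) format; hosts and names are
# hypothetical. Fields on a "Host:" line are tab-separated, and each port
# entry is port/state/protocol/owner/service/rpc info/version/.
SAMPLE_GREPABLE = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sS -sU -oG - 10.0.0.0/28",
    "Host: 10.0.0.5 (fileserver.corp.example)\tStatus: Up",
    "Host: 10.0.0.5 (fileserver.corp.example)\tPorts: 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///, 139/closed/tcp//netbios-ssn///\tIgnored State: closed (997)",
    "Host: 10.0.0.7 ()\tStatus: Up",
    "Host: 10.0.0.7 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///",
    "Host: 10.0.0.9 (printer1)\tStatus: Up",
    "Host: 10.0.0.9 (printer1)\tPorts: 9100/open/tcp//jetdirect///, 161/open/udp//snmp///",
    "# Nmap done: 16 IP addresses (3 hosts up)",
])

# Constructed baseline: the hosts and open services that are authorized.
BASELINE = {
    "10.0.0.5": {("tcp", 22, "ssh"), ("tcp", 445, "microsoft-ds")},
    "10.0.0.9": {("tcp", 9100, "jetdirect")},
}


def parse_grepable(text):
    """Return {ip: {(proto, port, service), ...}} of open ports per host."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comments and summary lines
        fields = line.split("\t")
        ip = fields[0].split()[1]          # "Host: 10.0.0.5 (name)" -> 10.0.0.5
        services = hosts.setdefault(ip, set())   # a Status-only line still registers the host
        for field in fields[1:]:
            key, _, value = field.partition(": ")
            if key != "Ports":
                continue
            for entry in value.split(", "):
                parts = entry.split("/")
                port, state, proto, service = parts[0], parts[1], parts[2], parts[4]
                if state == "open":
                    services.add((proto, int(port), service))
    return hosts


def diff_against_baseline(snapshot, baseline):
    """Unknown hosts, services the baseline does not allow, and expected
    services (or whole hosts) that did not answer."""
    report = {"unknown_hosts": {}, "unexpected_services": {}, "missing_services": {}}
    for ip, services in snapshot.items():
        if ip not in baseline:
            report["unknown_hosts"][ip] = services
            continue
        extra = services - baseline[ip]
        missing = baseline[ip] - services
        if extra:
            report["unexpected_services"][ip] = extra
        if missing:
            report["missing_services"][ip] = missing
    for ip in baseline:
        if ip not in snapshot:
            report["missing_services"][ip] = baseline[ip]   # silent host: also worth asking why
    return report


if __name__ == "__main__":
    report = diff_against_baseline(parse_grepable(SAMPLE_GREPABLE), BASELINE)
    for category, hosts in report.items():
        for ip, services in hosts.items():
            print(category, ip, sorted(services))
```

On the sample, 10.0.0.7 is an unauthorized host exposing telnet, HTTP and RDP, and the printer answers on SNMP over UDP that the baseline never allowed; the file server matches exactly. Keeping the baseline under change control is what turns a scan into a finding rather than a list.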

Page 19: Identifying Worst Information Technology Practices

Vulnerability scanning

• STRENGTHS
  – Fairly fast & efficient
  – Some freeware tools available
  – Highly automated for known vulnerabilities
  – Often provides advice for mitigating strategies
  – Easy to run regularly
  – Cost varies by tool used
• WEAKNESSES
  – High false positive rate
  – Large amount of network traffic
  – Not stealthy (detected)
  – Not for rookies
  – Often misses new stuff
  – Identifies the easy stuff
• OTHER INFO
  – Every 2-3 months
  – High level of complexity and effort with medium risk
• BENEFITS OF DOING
  – Enumerates the network structure and what’s active
  – Identifies vulnerabilities on a target set of computers
  – Validates up-to-date patches and software versions

Page 20: Identifying Worst Information Technology Practices

Penetration testing

• STRENGTHS
  – Employs hacker “methodology”
  – Goes beyond surface vulnerabilities to show how they can be exploited to gain access
  – Shows that vulnerabilities are real
  – Social engineering allows for testing of procedures and human reactions
• WEAKNESSES
  – What’s a hacker “methodology”?
  – Requires great expertise; dangerous when conducted by rookies
  – Due to time requirements, not all resources are tested individually
  – Certain tools may be banned or controlled by regulations
  – Legal complications and organizationally disruptive
  – Expensive
• OTHER INFO
  – Annually
  – High level of complexity, effort and risk
• BENEFITS OF DOING
  – Determines how vulnerable you are and the level of damage that can occur
  – Tests IT staff response and knowledge of security policies

Page 21: Identifying Worst Information Technology Practices

Security testing and evaluation

• STRENGTHS
  – Not as invasive or risky as some other tests
  – Includes policies and procedures
  – More comprehensive: focuses on prevention strategies and the roots of problems
  – Generally requires less technical expertise than vulnerability scanning or penetration testing
  – Addresses physical security
• WEAKNESSES
  – Does not generally verify vulnerabilities
  – Generally does not identify newly discovered vulnerabilities
  – Labor intensive & expensive
• OTHER INFO
  – Every 2-3 years
  – High levels of complexity, effort and risk
• BENEFITS OF DOING
  – Uncovers design, implementation and operational flaws that could allow the violation of security policy or the existence of vulnerabilities
  – Determines the adequacy of security mechanisms, assurances and other properties to enforce security policies
  – Includes effectiveness & efficiency
  – Emphasizes the process and how well risk is managed

Page 22: Identifying Worst Information Technology Practices

We’re safe, right?

• “Our organization’s auditors engage an outside firm to conduct an annual vulnerability test. Last year we didn’t have any major findings. This review proves that we’re safe – right?”

WRONG!!!!!!!!

Page 23: Identifying Worst Information Technology Practices

Typical “findings”

• Inappropriate policies at the macro and micro levels
• Vendor-provided patches not applied
• Exploitable files and services not removed or disabled
• Ineffective security configuration strategy
• Outdated vulnerability scanning and intrusion detection tools used
• Unclear understanding of responsibilities with service providers and vendors
• Ineffective monitoring of activity and new vulnerabilities
• False comfort relating to the level of security and understanding of risks to the business

Page 24: Identifying Worst Information Technology Practices

How much to fix?

• Not as much as you would expect
• You don’t necessarily need to purchase advanced technology
• 80% of the problems can be resolved very cost-effectively
• Organizational culture and behavior modification require the greater effort

Page 25: Identifying Worst Information Technology Practices

“And what of these patches we keep hearing about?”

• Create an organizational software inventory
• Identify newly discovered vulnerabilities and security patches (remember the free emails?)
• Prioritize patch application
• Create an organization-specific patch database
• Test patches
• Distribute patches and vulnerability information as appropriate
• Verify patch installation through network and host vulnerability scanning
• Train system administrators in the use of vulnerability databases
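The steps above are one pipeline: the inventory is joined against the advisory feed, the matches are ranked, and after patching a fresh scan is compared against the same matches so that "distributed" is not mistaken for "installed". The example below is added here and is not from the slides; the inventory, the advisories (with hypothetical "ADV-" identifiers, not real vendor or CVE IDs), the scoring weights and the post-patch scan results are all constructed for illustration. Version strings are compared as dotted integers, which is enough for the sample but not for every vendor's numbering scheme.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    software: str
    version: str
    internet_exposed: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # hypothetical identifier, not a real vendor/CVE ID
    software: str
    fixed_in: str         # versions below this are vulnerable
    severity: str         # critical / high / medium / low
    exploited_in_wild: bool


# Constructed inventory and advisory feed; products and IDs are hypothetical.
INVENTORY = [
    Asset("web1", "ExampleHTTPd", "2.4.49", internet_exposed=True),
    Asset("web2", "ExampleHTTPd", "2.4.51", internet_exposed=True),
    Asset("db1", "ExampleDB", "13.2", internet_exposed=False),
    Asset("app1", "ExampleApp", "1.9.0", internet_exposed=False),
]

ADVISORIES = [
    Advisory("ADV-2024-001", "ExampleHTTPd", "2.4.51", "critical", exploited_in_wild=True),
    Advisory("ADV-2024-002", "ExampleDB", "13.4", "high", exploited_in_wild=False),
    Advisory("ADV-2024-003", "ExampleApp", "1.8.0", "medium", exploited_in_wild=False),
]

# Constructed result of the verification scan run after patching.
POST_PATCH_SCAN = {
    "web1": {"ExampleHTTPd": "2.4.51"},
    "web2": {"ExampleHTTPd": "2.4.51"},
    "db1": {"ExampleDB": "13.2"},      # scheduled but never applied
    "app1": {"ExampleApp": "1.9.0"},
}

SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(v):
    """Dotted-integer versions only (assumed for the sample data)."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(version, advisory):
    return parse_version(version) < parse_version(advisory.fixed_in)


def match_advisories(inventory, advisories):
    """Inventory joined against the advisory feed: every (asset, advisory) that applies."""
    return [(asset, adv) for asset in inventory for adv in advisories
            if asset.software == adv.software and is_vulnerable(asset.version, adv)]


def prioritize(matches):
    """Rank the work by severity, known exploitation and exposure (constructed weights)."""
    plan = []
    for asset, adv in matches:
        score = SEVERITY_WEIGHT[adv.severity]
        score += 2 if adv.exploited_in_wild else 0
        score += 2 if asset.internet_exposed else 0
        plan.append({"host": asset.host, "advisory": adv.advisory_id,
                     "upgrade_to": adv.fixed_in, "score": score})
    return sorted(plan, key=lambda item: item["score"], reverse=True)


def verify(matches, scan_results):
    """Confirm from a fresh scan that each planned item is actually closed."""
    status = {}
    for asset, adv in matches:
        observed = scan_results.get(asset.host, {}).get(asset.software)
        if observed is None:
            status[(asset.host, adv.advisory_id)] = "not_observed"
        elif is_vulnerable(observed, adv):
            status[(asset.host, adv.advisory_id)] = "still_vulnerable"
        else:
            status[(asset.host, adv.advisory_id)] = "remediated"
    return status


if __name__ == "__main__":
    matches = match_advisories(INVENTORY, ADVISORIES)
    for item in prioritize(matches):
        print(item)
    for key, result in verify(matches, POST_PATCH_SCAN).items():
        print(key, result)
```

On the sample, web1 (critical, exploited, internet-facing) outranks db1, web2 and app1 are already at or above the fixed version and never enter the plan, and the verification step reports db1 as still vulnerable because the scan shows the old version. That last result is the one the slides are warning about: without the verification scan the patch database would say "distributed" and everyone would believe it.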

Page 26: Identifying Worst Information Technology Practices

Security conclusion

A team sport that doesn’t necessarily require the most fancy equipment to win - but does require you to understand the fundamentals of the game and that you and your team must provide best efforts to win!

Otherwise –you are playing to just give the ball to the other side.