This is what Morpheus said to Neo in the movie "The Matrix".  And it's so very true regarding information security.  

Intruders don't care about what you're thinking about your network security. They just peek and poke until they find a hole that you would not have thought existed.

 

Check! Your! Facts! Know your network. If you're not sure - just check, don't speculate!

It's the same for general troubleshooting problems and for information security. I am seeing it all the time. Something doesn't work, they can't figure it out and so all the admins from networking, server-management and application hosting are summoned in order to discuss the problem and all they are doing is speculate. "Couldn't it be that...", "maybe it's the...", "have you thought of..."

Then I am asking: "Have you done a packet capture?".

Then they will say "no, we were hoping for you to do the packet trace and analyze it. "

This is when I am about to puke right in front of their feet.

"You're calling yourself a sysadmin and are seriously telling me that you are not able to do a frickin' tcpdump without my help? Hey folks I have a good hint for you: man tcpdump! And when you're at it, look up how to use berkeley packet filters, too! You do the packet capture and I'll help you analyze it."

Of course I will soon give in because it'd get back to me otherwise anyway. So better get done with it, as quickly as possible.

But I am getting too ranty...

What I am really trying to drive home here is if you don't have any idea about in what layer of the OSI stack the cause for a problem might be, then just begin from the bottom up. Check the facts. What is really going across the wire?

 

What does this have to do with infosec? Well about everything if you're asking me.

People don't get pwned because the don't have patch management or they don't have IDS or they don't have antivirus or  <insert random stuff here>.

Okay, they do, you are right. :) But we're already through with that discussion aren't we? ;-)

Well then, the "more advanced" people often get pwned because they think they have all that stuff but they don't put enough effort into checking what is really going on in their environment. They might have patch management for standard software but nobody is taking responsibility for patching all the other non-standard applications. Or they just don't realize that having three different versions of Java on all the PCs for compatibility issues could result in a big security risk.
They often don't even check these applications because they think they are being updated automatically.

Or they push out updates but don't enforce them. Or they even do audits but then they just set aside the open problems, go on with normal work and forget about the problems.

A lot of organizations are also running IDS or centralized AV-systems that automatically generate tickets for "critical events" whatever that might be. But creating tickets is useless unless somebody is actually reviewing and verifying these events.

And then when you go to them and ask them about those strange connections that you've detected they'd just say: "Oh no, we're fine. The IDS/AV/whatever has not generated any alert". Yeeees, that's exactly why you should worry even more!

I've had at least two IDS vendors actually looking at me disbelieving and asking "you are really analyzing IDS events on a daily basis? This is very uncommon. We don't know of many customer who is actually doing this."

It's about the tedious process of constantly reviewing stuff, learning what's going on, researching why it is going on, reporting back interesting findings, synchronizing data in the configuration management database with facts that you've learned. It's about tracking network changes over time. It's about true insight.

Do not trust a single security "solution" because there is nothing like a security "solution". It's one tool that could give you valuable information but you better should not rely on that tool, solely. Get the logs, get the pcaps, get the netflow and analyze the heck out of them! How often have we found SQLi vulns in parts of a website just because we had a close look at the website after the IDS had reported an attack against a complete other part of the webapp. 

And with regards to vuln-management, it's not about only running a Nessus scan and then giving the report to the admins "hey man you've gotta fix all the findings that are marked red". It's about really verifying the data that these tools are giving you and explaining them to the admins.

Quite often you will not even be able to figure it out all on your own. Even if you are "the security guy" you just can't know everything, can you? You'll need help from the person who is maintaining the actual system. In many recent cases when I did that, we both - the admin and I - came out flabbergasted and learned something completely new that we both did not know before. 

Sometimes admins are genuinely thankful and give you positive feedback. But you have to show them first that you are actually helping them, not vice versa. That holds true at least for those admins who are really interested in their job.

For me, this really is a major part of information security management: measure, measure again with another tool, verify, understand, estimate the effect on overall operational security.

How often have you heard the words "omfg this was not supposed to be happening...."?

What I still don't get is: why are those things we still have to explain to so many folks in IT?

This is like stating the obvious or is it not?

Go into any industry. Everywhere something is being produced you have at least some form of quality assurance and controlling. You take samples from the conveyor belt  and do measurements. You check if the part's dimensions are within the given tolerances. You do end-control where you check if everything is working as intended. In addition to everyday sampling now and then you even take some samples for extra scrutiny. If you'd find out that one car model could start burning if some other car hits it in the trunk while the right blinker is active and air humidity is over 80% you can be damn sure that some bean counter will estimate how often this could actually kill someone and how much this would cost the company in comparison to if they just fixed the problem. Okay this is cynical, but the point is that this is actual risk management and it is happening in other industries for tens of years!

Why should it be any different in information security? Doing compliance checks quite often is nothing more than checking if you have documented that you are doing the above in theory, not performing the process itself.

 

We don't need another magic device. Okay, we need good tools, that's correct. But then what we need most is real people with real brains and real dedication and the right mindset. 

Views: 376

Comment

You need to be a member of Dissecting The Hack to add comments!

Join Dissecting The Hack

Comment by Ankush kumar on February 19, 2011 at 3:56am
wow, exactly same thing >>
Comment by Dennis Lemckert on February 18, 2011 at 11:06am
Good writeup. Especially the last sentence hits home: it's the people who make a difference. The tools are just that: tools. Useless in the hands of someone who doesn't know how to use them and only buys them because they're Pretty to hang on the wall of his shack and brag about them. I think I know someone who should actually READ this posting.
Cynical me wonders if the git will actually understand it though, but one may dream, right?
Comment by Leon van der Eijk on February 18, 2011 at 8:12am
Awesome write mate ! Cried my eyes out laughing :) Nice rant.

Latest Activity

Robert Gray is now a member of Dissecting The Hack
Oct 17
Nikhil is now a member of Dissecting The Hack
Oct 8
tata 1997 is now a member of Dissecting The Hack
Oct 4
Dan Komis commented on James Fisher's blog post Stealing Passwords with FireFox 3.6.X
"How do you do this on firefox 52? I removed lines 1061-1127, and replaced it with   var pwmgr = this._pwmgr;        pwmgr.addLogin(aLogin); but it's not working."
Sep 27

© 2017   Created by Marcus J. Carey.   Powered by

Badges  |  Report an Issue  |  Terms of Service