Identifying Worst Information Technology Practices - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Identifying Worst Information Technology Practices
2
Where's the risk?
3
Why examine worst-practices
  • Occur in many organizations
  • Practiced in the name of efficiency
  • Unmanaged risks result in wasted money, resources
    and loss of reputation
  • What's cost-effective when:
  • Heavy dependence on IT to achieve goals
  • Organizations are increasingly subjected to
    vulnerabilities
  • Scope and magnitude of IT investments are
    increasing
  • IT can dramatically change the organization and
    service delivery
  • IT represents the organization's most valuable
    assets

4
Why organizations implement worst practices
  • Abdication of responsibilities
  • Inability to segregate activities
  • Calculator mentality
  • Putting out fires
  • Information overload
  • Expectation gap
  • Inadequate training
  • Ignorance and false pride

5
What's cost-effective (revisited)?
  • Technology that is capable of operating without
    material error, fault, or failure during a
    specified period in a specified environment
  • RELIABILITY

6
What constitutes reliability?
  • Per the ISO 177799 trust Principles and Criteria
    for Systems Reliability (v 2.0)
  • Security
  • Integrity
  • Availability
  • Maintainability

7
And what if your organization uses
worst-practices?
  • Your service delivery is not cost-effective
  • High probability of your information and related
    resources being unreliable
  • Usually, if properly done, required changes are
    very cost-effective and deliver high ROI on the
    investment required to improve

8
Network not as important as physical security
  • Terminated Employees or Consultants
  • HR policy typically requires
  • all keys and cards be turned in
  • consider changing locks and combination
  • Security policy
  • may (not always) mention the need to adjust
    security settings
  • vast majority of audit reports cite that
    terminated employees and consultants still have
    access to system resources

9
Network not as important as physical security
(cont)
  • How To Manage The Risk
  • Build the responsibility into the corporate
    culture
  • approver is always accountable for what they
    approved (user)
  • incorporate notifying security as part of the
    termination process (HR and yes it is your
    job!!!)
  • question inactivity (security)
  • Estimated Cost/Benefit
  • Low Cost/High Return
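The two controls above (notify security on termination, and question inactivity) can be turned into a routine reconciliation. The following is an added example, not code from the presentation: it cross-checks a constructed account directory export against a constructed HR termination feed, flags enabled accounts that have not logged on within an assumed 90-day window, and groups every finding under the approver who authorised the account, so the accountability the slide asks for has a name attached.

```python
"""Added example: reconcile an account export against HR terminations
and flag inactive accounts, grouped by the accountable approver.
All data below is constructed for illustration."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed directory export (e.g. from AD/LDAP): one record per account.
ACCOUNTS = [
    {"user": "mary.smith", "enabled": True,  "last_logon": date(2024, 5, 30), "approver": "j.doe"},
    {"user": "tom.jones",  "enabled": True,  "last_logon": date(2024, 1, 12), "approver": "j.doe"},
    {"user": "consult01",  "enabled": True,  "last_logon": None,              "approver": "a.lee"},
    {"user": "old.hire",   "enabled": False, "last_logon": date(2023, 11, 2), "approver": "a.lee"},
]

# Constructed HR feed: user -> termination date (employees and consultants alike).
TERMINATED = {"tom.jones": date(2024, 1, 15), "old.hire": date(2023, 11, 3)}

INACTIVE_DAYS = 90          # assumed policy threshold, not from the presentation
AS_OF = date(2024, 6, 1)    # constructed review date


def terminated_still_enabled(accounts, terminated):
    """Accounts HR says are gone but the directory still has enabled."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] in terminated)


def inactive_accounts(accounts, as_of, max_idle_days=INACTIVE_DAYS):
    """Enabled accounts with no logon inside the window (or none ever)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"]
                  and (a["last_logon"] is None or a["last_logon"] < cutoff))


def findings_by_approver(accounts, terminated, as_of):
    """Route each finding to the approver, who stays accountable for what they approved."""
    owner = {a["user"]: a["approver"] for a in accounts}
    report = defaultdict(list)
    for user in terminated_still_enabled(accounts, terminated):
        report[owner[user]].append((user, "terminated but still enabled"))
    for user in inactive_accounts(accounts, as_of):
        report[owner[user]].append((user, "no logon in %d days" % INACTIVE_DAYS))
    return dict(report)


if __name__ == "__main__":
    for approver, items in findings_by_approver(ACCOUNTS, TERMINATED, AS_OF).items():
        print(approver)
        for user, why in items:
            print("  %-12s %s" % (user, why))
```

Running it against the constructed data reports tom.jones to j.doe twice (terminated on 2024-01-15 yet still enabled, and idle since January) and consult01 to a.lee (never logged on). The disabled old.hire account produces nothing, which is the state every terminated account should be in.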

10
Not enforcing need to have access
  • "It won't happen here"
  • "The security group (or user admin) doesn't have
    the time or resources"
  • "We need the flexibility for cross-training or
    backup"
  • "Mary's been with us for over 30 years, so she
    deserves to be designated a security
    administrator"
  • "We only need to worry about external hackers"

11
Not enforcing need to have access (cont)
  • Consider these issues
  • 60-70% of unauthorized system break-ins are from
    internal sources
  • Based on forensic experience, this worst-practice
    is a primary contributor to internal fraud and
    facilitates the circumvention of management
    designed controls (including organizational chart
    responsibilities)
  • Prime Directive
  • Many professionals believe that it is impossible
    to maintain a control environment that satisfies
    stakeholders' expectations while using this
    worst-practice
  • Estimated Cost/Benefit
  • Low Cost/High Return

12
Leaving factory default settings unchanged
  • Operating systems are often shipped with default
    users with default passwords to make setting up
    easier. If the systems administrator doesn't
    know about the default accounts, or forgets to
    turn them off, then anyone who can get hold of a
    list of default accounts and passwords can log
    into the target computer
  • Anyone who knows how to do basic research using
    the internet can get hold of these lists

13
Leaving factory default settings unchanged
(cont)
  • Security is not the only exposure: incorrect
    parameter settings in a core application could
    negatively impact the business and result in
  • Inappropriate access
  • Invalid use of validation controls
  • Incorrect financial reporting
  • Incorrect exception reporting
  • Regulatory compliance violations
  • Incorrect calculations and postings
  • Incorrect customer records
  • Loss of credibility
  • Poor customer service
  • Wasted investment in technology
  • Payments to consultants to get things back in
    order
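Both slides above (default accounts, and application parameters left at shipped values) describe a check an administrator can script rather than rely on memory for. The following is an added example, not from the presentation: it reads a constructed account export and a constructed key=value parameter file and reports which vendor defaults are still in force. The vendor default account names and parameter values are placeholders for whatever the product's own documentation lists.

```python
"""Added example: audit an account export and an application parameter file
for vendor defaults left unchanged. The vendor default lists, the export and
the parameter file are all constructed placeholders for illustration."""
import csv
import io

# Constructed: accounts the vendor ships pre-created (placeholder names).
VENDOR_DEFAULT_ACCOUNTS = {"guest", "setup", "operator"}

# Constructed: security-relevant parameters and the values they ship with.
VENDOR_DEFAULT_PARAMS = {
    "admin.password.expiry_days": "0",
    "audit.logging": "off",
    "session.timeout_minutes": "0",
}

# Constructed account export: name, enabled flag, whether the password was ever changed.
ACCOUNT_EXPORT = """name,enabled,password_changed
admin,true,true
guest,true,false
setup,true,false
operator,false,false
svc_backup,true,true
"""

# Constructed application parameter file (key=value lines, '#' comments).
PARAM_FILE = """# core application settings
admin.password.expiry_days=90
audit.logging=off
session.timeout_minutes=0
ui.theme=classic
"""


def audit_accounts(export_text, defaults=VENDOR_DEFAULT_ACCOUNTS):
    """Flag shipped default accounts that are still enabled.

    Returns (account, severity, note). An enabled default account whose
    password was never changed is the case the slide warns about."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["name"] not in defaults or row["enabled"].lower() != "true":
            continue
        if row["password_changed"].lower() == "true":
            findings.append((row["name"], "medium", "default account enabled; disable or rename"))
        else:
            findings.append((row["name"], "high", "default account enabled with shipped password"))
    return findings


def parse_params(text):
    """Parse key=value lines, ignoring blanks and '#' comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def audit_params(param_text, defaults=VENDOR_DEFAULT_PARAMS):
    """Return (key, value) for security-relevant parameters still at the shipped value."""
    params = parse_params(param_text)
    return sorted((k, v) for k, v in defaults.items() if params.get(k) == v)


if __name__ == "__main__":
    for name, severity, note in audit_accounts(ACCOUNT_EXPORT):
        print("%-6s %-10s %s" % (severity, name, note))
    for key, value in audit_params(PARAM_FILE):
        print("param  %s still at shipped value %r" % (key, value))
```

On the constructed input, guest and setup are reported as high (enabled, shipped password), operator is skipped because it is disabled, and two of the three parameters (audit logging off, no session timeout) are still at their shipped values while the password expiry has been set. The same structure applies to any product once the placeholder lists are replaced with the vendor's documented defaults.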

14
Not applying security patches
  • Finding the low-hanging fruit should always be
    your top priority, mainly because it is the
    attacker's first priority. Devastating web
    vulnerabilities still exist after years of being
    publicly known
  • Typically this is what script kiddies use, and it
    results in embarrassment for the organization

15
Not monitoring security-related advisories and
updates
  • Respected organizations (e.g., CERT, SANS)
    distribute free newsletters providing guidance on
    recent and projected security threats. For
    example,
  • SANS/FBI released a Top 20 vulnerability list
    with appropriate tools (free) to detect if a
    particular organization is exposed.
  • CISECURITY.ORG provides generally accepted
    benchmarks to effectively manage technology risk.
  • These warnings/guidance are typically ignored in
    worst-practices organizations

16
Does your organization have worst security
practices?
  • To many these sound like a good thing to do
  • Vulnerability Review
  • Penetration Test
  • But to what extent do they just confirm what you
    already knew (be honest!!)
  • And how do they help you prevent future
    occurrences

17
Popular network security testing techniques
  • Network Mapping
  • Vulnerability Scanning
  • Penetration Testing
  • Security Testing and Evaluation
  • Password Cracking
  • Log Reviews
  • File Integrity Checkers
  • Virus Detectors
  • War Dialing

18
Network mapping
  • STRENGTHS
  • Fast
  • Efficiently scans a large number of hosts
  • Many excellent freeware tools available
  • Highly automated
  • Low cost
  • OTHER INFO
  • Quarterly
  • Medium level of complexity, effort and risk
  • WEAKNESSES
  • Does not directly identify known vulnerabilities
  • Generally used as a prelude to penetration
    testing not as a final test
  • Requires significant expertise to interpret
    results
  • BENEFITS OF DOING
  • Enumerates the network structure and what's
    active
  • Identifies unauthorized hosts and services
  • Identifies open ports

19
Vulnerability scanning
  • STRENGTHS
  • Fairly fast and efficient
  • Some freeware tools available
  • Highly automated for known vulnerabilities
  • Often provides advice for mitigating strategies
  • Easy to run regularly
  • Cost varies by tool used
  • OTHER INFO
  • Every 2-3 months
  • High level of complexity and effort with medium
    risk
  • WEAKNESSES
  • High false positive rate
  • Large amount of network traffic
  • Not stealthy (detected)
  • Not for rookies
  • Often misses new stuff
  • Identifies the easy stuff
  • BENEFITS OF DOING
  • Enumerates the network structure and what's
    active
  • Identifies vulnerabilities on a target set of
    computers
  • Validate up-to-date patches and software versions

20
Penetration testing
  • STRENGTHS
  • Employ hacker methodology
  • Goes beyond surface vulnerabilities to show how
    they can be exploited to gain access
  • Shows that vulnerabilities are real
  • Social engineering allows for testing of
    procedures and human reactions
  • OTHER INFO
  • Annually
  • High level of complexity, effort and risk
  • WEAKNESSES
  • What's a "hacker methodology"?
  • Requires great expertise; dangerous when
    conducted by rookies
  • Due to time requirements not all resources tested
    individually
  • Certain tools may be banned or controlled by
    regulations
  • Legal complications and organizationally
    disruptive
  • Expensive
  • BENEFITS OF DOING
  • Determines how vulnerable and level of damage
    that can occur
  • Tests IT staff response and knowledge of security
    policies

21
Security testing and evaluation
  • STRENGTHS
  • Not as invasive or risky as some other tests
  • Includes policies and procedures
  • More comprehensive; focuses on prevention
    strategies and roots of problems
  • Generally requires less technical expertise than
    vulnerability scanning or penetration testing
  • Addresses physical security
  • OTHER INFO
  • Every 2-3 years
  • High levels of complexity, effort and risk
  • WEAKNESSES
  • Does not generally verify vulnerabilities
  • Generally does not identify newly discovered
    vulnerabilities
  • Labor intensive and expensive
  • BENEFITS OF DOING
  • Uncovers design, implementation and operational
    flaws that could allow the violation of security
    policy or the existence of vulnerabilities
  • Determines the adequacy of security mechanisms,
    assurances and other properties to enforce
    security policies
  • Includes effectiveness and efficiency
  • Emphasizes the process and how well risk is
    managed.

22
We're safe, right?
  • "Our organization's auditors engage an outside
    firm to conduct an annual vulnerability test.
    Last year we didn't have any major findings.
    This review proves that we're safe, right?"
  • WRONG!!!!!!!!

23
Typical findings
  • Inappropriate policies at the macro and micro
    levels
  • Vendor provided patches not applied
  • Exploitable files and services not removed or
    disabled
  • Ineffective security configuration strategy
  • Outdated vulnerability scanning and intrusion
    detection tools used
  • Unclear understanding of responsibilities with
    service providers and vendors
  • Ineffective monitoring of activity and new
    vulnerabilities
  • False comfort relating to level of security and
    understanding of risks to the business

24
How much to fix?
  • Not as much as you would expect
  • You don't necessarily need to purchase advanced
    technology
  • 80% of the problems can be resolved very
    cost-effectively
  • Organizational culture and behavior modification
    require the greater efforts

25
And what of these patches we keep hearing about?
  • Create an organizational software inventory
  • Identify newly discovered vulnerabilities and
    security patches (remember the free emails?)
  • Prioritize patch application
  • Create an organization-specific patch database
  • Test patches
  • Distribute patches and vulnerability information
    as appropriate
  • Verify patch installation through network and
    host vulnerability scanning
  • Train system administrators in the use of
    vulnerability databases
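The steps above (inventory, identify, prioritize, verify) form one procedure, shown here end to end as an added example that is not part of the presentation. It reconciles a constructed software inventory against a constructed advisory feed, orders the outstanding items with exploited-in-the-wild and critical advisories first, and then re-runs the same comparison on the post-deployment inventory to verify what was actually closed. Host names, product names, versions and the ADV-000x identifiers are placeholders.

```python
"""Added example: reconcile a software inventory against an advisory feed,
prioritise what to patch first, and verify afterwards. Hosts, products,
versions and advisory ids are constructed placeholders, not real advisories."""

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed organizational software inventory: host -> {product: installed version}
INVENTORY = {
    "web01": {"httpsrv": "2.4.1", "libssl": "1.0.2"},
    "db01":  {"dbengine": "12.3", "libssl": "1.1.1"},
}

# Constructed advisory feed (placeholder ids): first version that carries the fix.
ADVISORIES = [
    {"id": "ADV-0001", "product": "libssl",   "fixed": "1.1.0", "severity": "critical", "exploited": True},
    {"id": "ADV-0002", "product": "httpsrv",  "fixed": "2.4.3", "severity": "high",     "exploited": False},
    {"id": "ADV-0003", "product": "dbengine", "fixed": "12.2",  "severity": "medium",   "exploited": False},
]


def parse_version(v):
    """'1.2.10' -> (1, 2, 10): numeric tuple so 1.2.10 sorts after 1.2.9."""
    return tuple(int(part) for part in v.split("."))


def is_affected(installed, fixed):
    """Installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed)


def outstanding(inventory, advisories):
    """Every (host, product, advisory id) where the installed version is unpatched."""
    result = []
    for host, products in inventory.items():
        for adv in advisories:
            version = products.get(adv["product"])
            if version is not None and is_affected(version, adv["fixed"]):
                result.append((host, adv["product"], adv["id"]))
    return result


def prioritise(inventory, advisories):
    """Exploited-in-the-wild first, then by severity, then alphabetically for a stable queue."""
    by_id = {a["id"]: a for a in advisories}

    def key(item):
        adv = by_id[item[2]]
        return (not adv["exploited"], SEVERITY_RANK[adv["severity"]], item)

    return sorted(outstanding(inventory, advisories), key=key)


def verify(inventory_after, advisories, planned):
    """Post-deployment check: which planned items are still open in the new inventory."""
    still_open = set(outstanding(inventory_after, advisories))
    return sorted(item for item in planned if item in still_open)


if __name__ == "__main__":
    queue = prioritise(INVENTORY, ADVISORIES)
    for host, product, adv_id in queue:
        print("patch %s on %s (%s)" % (product, host, adv_id))
    # Constructed re-scan after deployment: libssl was patched, httpsrv was not.
    after = {"web01": {"httpsrv": "2.4.1", "libssl": "1.1.0"}, "db01": INVENTORY["db01"]}
    for host, product, adv_id in verify(after, ADVISORIES, queue):
        print("still open: %s on %s (%s)" % (product, host, adv_id))
```

With the constructed data the queue is libssl on web01 (critical, exploited) ahead of httpsrv on web01 (high); db01 is already at or past both fixed versions. The verification pass after the simulated deployment leaves only the httpsrv item open, which is exactly the case the slide's "verify patch installation through scanning" step exists to catch.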

26
Security conclusion
  • A team sport that doesn't necessarily require the
    fanciest equipment to win, but does require you
    to understand the fundamentals of the game, and
    that you and your team provide best efforts to
    win!
  • Otherwise
  • you are playing to just give the ball to the
    other side.