6 Dumbest ideas in computer security

I'm suprised the bishop didn't much more on security testings. So, I'll mention an incident that both of us could not believe happened.

We were advised by our customer that our system had to undergo a Security Audit. To me that means someone who doesn't know the system trying to get in and see what data they can find. So, we were told when it was going to happen, and the name of the person who would be conducting the audit.

So, the day of the audit arrives. And, the gentleman mentioned appears on our doorstep! Ok, so we thought he was going to introduce himself. But, no, he had come to do the audit. So, he asked us for a) Access to our Computer Room. b) a network port he could connect to. c) A user name and Password to get to the database.

When we mentioned this to him, he advised that we was doing an internal check, and not as we thought an intrusion test!!!

Well as you can imagine, we were both unimpressed. And advised him that if someone were to try and hack our system, we wouldn't let them into the computer room, or provide them with a desk, passwords etc. The guy said nothing and disappeared quietly at the end of the day.

sooooooooooooooooo

what was the result of the audit?

That sounded a bit suspicious, Rockape...

The story is as Rockape says, but he left out the fact that this bozo, aside from consuming large quantities of our coffee, then got into terrible trouble with his test tool on his laptop which corrupted itself horribly and crashed the machine. So WE (got that, WE, the customer) had to reinstall the tool for him then download his latest exploits etc off the web and put those on for him as well. Result - out of a two-day audit he spent just over half a day actually testing us and we wasted one and a half days sorting him and his (expletive deleted) software out. His company billed us for the full two days, so needless to say we didn't use that company again. Also when the audit came back they 'identified' numerous vulnerabilites that, if they'd spent a reasonable amount of time checking our infrastrucutre, they would have realised we couldn't possibly have (i.e. don't tell me I have Windows NT specific vulnerabilties on my Solaris box!). This is what you get from 'penetration tool jockeys' as opposed to real security specialists who know what they're talking about. But the final (and for me the most satisfying) irony of the whole thing is that since in his desperation he was forced to gave me access to his laptop I was able to rip off his test tools...

No, it was a legitimate audit, requested by our Customer and the bishop can confirm it.

They found that some of our passwords were easy to crack, and that some hadn't been changed for a while. But like I said, this was all internal to the network. Stuff that we could probably have found ourselves given time to do so. But, we didn't see any evidence of an external attempt to enter our network. So, like I said, we saw no real value in the whole exercise. Except, it kept our customer happy that it had been done. And, at the end of the day "the customer is always right"!!!

Essentially what that auditor was doing is called a 'vulnerability assessment', it's different from a penetration test because its goal is to try and find *all* vulnerabilities in the network. The penetration test is objective focused -- find one hole, exploit it, gain access and prove that you could do it.

The vulnerability assessment IMHO isn't such a worthwhile exercise -- you can get the same information with much greater accuracy from doing a technical audit of the configuration of the systems rather than scanning them remotely.

Chances are your 'auditor' fired up ISS Internet Scanner or some similar high priced tool for which he has a consultants license, typed in your IP's and clicked scan.

One of my biggest arguments with clients usually revolves around the scope of the penetration test. As far as I'm concerned, if you don't make it comprehensive, you're wasting your money and my time.

You *need* to allow the hacker to include social engineering attacks, let him try and physically enter your organisation and gain access, let him hack your PBXs and voicemail boxes. These are things that a real attacker *will* do.

By the end of this you actually understand what sort of threats you face, and where you've made mistakes. These days every half competent administrator knows how to setup decent perimiter security -- heck, you just plug in an off-the-shelf firewall and it'll usually give you some measure of 'security'. This is *not* the way an attacker will try and come in.

Think about email as an attack vector -- most pen-testers I know don't even bother with it. As a proof of concept, I wrote a little trojan, and fired it off in a mail to all the clients email addresses that I scraped out of google (@client.com), The trojan was custom written, so the antivirus didn't get it, and I got a hit -- someone opened it -- in short, giving me access to the internal network. This is how it works in the real world.

As Rockape & Bishop rightly pointed out, these days everyone who can spell 'buffer overflow' wants a piece of the security audit business because of the big $$$ that you can fleece a guy out of by scaring the living hell out of him. It's distasteful, and I'm not surprised that many people who have experienced an audit have not held the auditors in much esteem.

I have a few simple rules for why most security auditing is meaningless:

[1] The average hacker by definition has above average intelligence. She is usually smarter than the average auditor

[2] The hacker is passionate and reward-motivated (money, ego etc) to break into a system. The auditor is just 'doing his job'.

[3] The hacker is an expert on the type of system she is trying to exploit, by definition she understands it better than the average person. The average auditor is just that -- average -- he's a generalist in everything and a specialist in very little.

[4] The hacker has all the time she wishes to spend. The auditor has all the time the client wishes to spend. (more days = more money.. you know what's gonna happen here).

[5] Hackers build the path of cutting edge of security. Auditors only walk down that road. In short, hackers lead, auditors follow.

Given these common situations, the auditor can never win.

Of course you'll find some really good auditors as well -- but surprise surprise -- they're usually hackers in their spare time.

I'm glad you snarfed his 'magic tools' -- sounds like he deserved it



Cheers,