[ISN] Managing Network Security - "The Seedy Side of Security"

From: mea culpa (jerichot_private)
Date: Wed Jul 22 1998 - 00:32:02 PDT


                              Managing Network Security
                              Third Anniversary Article
                             The Seedy Side of Security
                                    by Fred Cohen
    Series Introduction
    Over the last several years, computing has changed to an almost purely
    networked environment, but the technical aspects of information protection
    have not kept up. As a result, the success of information security
    programs has increasingly become a function of our ability to make prudent
    management decisions about organizational activities. Managing Network
    Security takes a management view of protection and seeks to reconcile the
    need for security with the limitations of technology. 
    This article represents the beginning of my fourth year of writing monthly
    articles on information protection for Security Management Magazine. It
    started back in August of 1995 when I wrote the first in the "Internet
    Holes" series, and changed to the "Managing Network Security" series about
    half way through 1996. Because of this anniversary, I have decided to
    dedicate this month's article to something completely different - not! 
    Actually, this month's article is about the seedy side of security. If
    this sounds like something for the London Times or the Star, I hope they
    pick it up and pay me a big royalty for it. 
    In recent months, my consulting work through third party firms has picked
    up considerably, and more and more I find myself teamed with 22 year old
    self-proclaimed experts who charge outrageous fees, know very little about
    information protection, and use off-the-shelf tools to demonstrate some
    technical vulnerability that they don't understand the implications of. 
    Clients seem to prefer to have 6 people who know almost nothing show up
    for a week, charge $60,000, and produce a few hundred pages of unreadable
    listings with little or no analysis over having two or three people show
    up for a day each, charge $15,000, and produce a customized, short,
    readable report indicating the business implications of what they found
    and what they need to change in order to reduce the risks appropriately.
    If you are a major accounting firm, you can charge $120,000 instead of
    $60,000 and they will throw in a day of a senior partner who will tell you
    that you need them to provide you with several million more dollars worth
    of expertise to fix the problems with your network. 
    Once they buy the big study, their resources are committed, and regardless
    of the quality of the results, they need to declare that they have
    contributed something valuable. They shelve the actual results, but make a
    management presentation that tells management that all this paper supports
    what they originally postulated - that they need more budget for security. 
    Management, which doesn't understand the report at all, decides to cut the
    baby in half. They provide limited budget increases because they know that
    their employees are trying to do good things and because they trust their
    employees - if for no other reason because they don't know enough to
    disagree - but it usually corresponds to an article in the paper about a
    big computer break-in somewhere else. 
    Trust me
    The "trust me" argument is indeed a powerful one. When the systems
    administrators that run your computer complex get together as a group and
    say "trust us - you need to do something about this" management usually
    doesn't - trust them that is. They usually do find a compromise position
    to allow the systems administrators to do whatever they say they need to
    do - but at less budget than requested. The theory is really quite sound. 
    Management can view this as a bonus. This year, we are giving IT a bonus
    of $60,000 - and lucky us, they decided to spend it paying their friends
    to do work for the company instead of taking it home and using it to fix
    their kitchen. 
    The real reason that management finds this compromise is quite simple -
    and it has nothing to do with information security. It has to do with
    corporate security. If these folks get unhappy, they could destroy the
    company.  Management can either threaten them into compliance, replace
    them and risk the down side, or bribe them. The bribe comes in the form of
    negotiating more budget, and depending on the skills of the negotiators,
    both sides can come out happy.
    The "trust me" position only goes so far, however, and when it comes to
    matters of corporate survival, management wants to know just enough to
    make a sound decision. Of course the facts are all on a "trust me" basis
    as well, but that's why management approves of outside consultants and/or
    IT auditors. This is their "independent" view of the situation. But how
    does management pick their "independent experts"? That's easy... at
    How Do We Pick Our Experts?
    Well, not exactly at random. Management cannot really judge who's an
    expert and who is not - especially in a field like network security.
    Instead, they tend to rely on three things: 
       * Popularity
       * Press
       * People they know
    Popularity comes in many forms, but it usually comes from other clients
    the so-called expert claims to have. But of course management almost never
    checks out any of those claims, and the fact that someone else was foolish
    enough to buy this person's time doesn't mean they are any good. 
    Many rich people who tell their stories indicate that they started out
    with resumes full of lies and as they got more experience, they filled in
    the lies with truths. Resume inflation is also quite common - to the point
    where it is expected. When I provide people my resume, which is all true
    and accurate - perhaps even understated, they tend to believe it is
    inflated, and so they discount it. Since anyone can get a copy of my
    resume, it's not exactly hard for them to make one that looks about the
    same as mine, and most readers will never be able to tell the difference. 
    Another popularity thing is "name dropping". "I did a security consulting
    job for the United Nations" or "My cryptosystem was approved by the NSA." 
    are common sorts of claims. What most recipients of this sort of
    information fail to realize is that cryptosystems approved for export by
    the NSA tend to be easily broken. Almost every client I have ever had has
    told me not to reveal the fact that I work for them. It's a simple matter
    of operations security - if people know I did security work for XYZ
    company - they can try to break into my site or kidnap my children or
    whatever to get information about my client's systems. 
    Press is related primarily to what sells newspapers, and the biggest
    believers of newspaper stories are top management. The stories that papers
    tend to publish and people tend to read are not about hard working people
    who do their job well day after day. They tend to be the bizarre cases -
    like teen hackers getting into the Pentagon - or the 16 year old "security
    consultant" that helped the local police break the codes on some
    criminal's PC. When you get in the media, people call you up and ask if
    you can do consulting for them. So the big accounting firms, and the
    hacker organizations, and the corporations with a lot of money trying to
    get into the market, all go after media. 
    There are a few common strategies that work for getting media, none of
    them related to network security skills. One is to commit a crime and get
    caught - or better yet, commit a crime without getting caught and turn in
    your partners claiming to be a security consultant. This works even better
    if you have a member of the press along with you. You can make several
    million dollars this way. Another common strategy is to advertise. By
    advertising in a magazine or paper that is doing stories on computer
    security, you can often get the stories to mention your name or include
    your IP address. The press release is another popular way to get your name
    in the media - just make a weekly or monthly announcement about a new
    security product or service. They don't even have to be real - as long as
    you get your name in the media. 
    The real thing to understand about the media is that it does not know how
    to evaluate information security expertise any better than your CEO. They
    believe most of what you tell them and they want sensation to sell papers. 
    People the CEO knows lead to personal sales. This is a very effective way
    to sell, but it has its limitations too. Your friend's son Jim is looking
    for work, so you tell your friend the CEO about Jim being a security
    consultant and Jim gets a consulting job. If Jim is not very good, then
    the employees who have to work with Jim know it pretty soon, but they
    don't dare tell the CEO about it - at least not directly. 
    So we pick our experts based on anything but their expertise, and that's
    largely because it takes an expert to know an expert. Lacking the
    expertise to tell the difference, we do the best we can, and in today's
    market, that tends not to be very good. 
    You Ain't Seen Nothin' Yet
    The real problem in today's network security market is that there are
    probably really only a few hundred experts in the whole world, but there
    are tens of thousands of networks that are being secured. That means that
    more than 90 percent of the security is being done by people who are not
    very expert, and it also means that proclaiming yourself as a security
    expert gets you lots of work at high pay, which means that people who
    barely know how to spell computer, read a book or two and rush in to get
    the high pay. 
    A client of mine had an employee who read a book on firewall security,
    checked out their firewall, and found it to be secure. My 15-minute
    automated checking program found several vulnerabilities, including a
    program allowing unauthorized users to get root access to the firewall
    computer and a previously unknown computer within the firewall. The book
    wasn't a bad book, but it doesn't make you an expert or substitute for
    having one. 
    The highest pay to expertise ratio today seems to come from the
    "penetration tester" community. These are bottom crawlers that go to the
    Internet, do a search for "NT Security Holes", copy all of the programs
    they find, and run them against your systems. For this they charge you
    between one and two thousand dollars per day for a week or two - or as
    much as $20,000 to test a small corporation. If you want a report on the
    findings rather than a simple listing, it might cost another several
    thousand dollars and it will not be in terms that are meaningful to the
    organization. They leave residual vulnerabilities, the software may tell
    its original author that it is now providing a hole into the client's
    system, and it may destroy data along the way, but hey, you can't make an
    omelette without breaking a few eggs. 
    One of my new clients recently hired one of the 'hackers' to test the
    security of an NT-based firewall. The hacker claimed to spend two days and
    was unable to get in. My evaluation said that the router password could be
    guessed and that standard NT attacks would work against it.  There were
    also a lot of other vulnerabilities, but we'll ignore them for now. After
    getting the report saying that no hole could be found in two days, the
    client tried an off-the-shelf NT attack from the Internet. It got right
    in. The 'hacker' claimed that password guessing would take too long - it
    was a 4 digit password - which means that all of the passwords could be
    tried in only 9,000 guesses. My PC can easily do this in a day, and I
    don't have to sit and watch it. 
    Security scans are all the rage today, and I think that they have some
    value, but only if you know what you are doing and why you are doing it.
    The most popular programs are ISS and Balista. They go through a few
    hundred common flaws that could allow trivial system entry and if they
    find them, they report them. Unfortunately, the reports tend to be rather
    useless unless you have an advanced degree in computer security, and they
    point to technical repair information that is barely readable. Even if you
    tried to fix everything they found, which nobody has budget to actually
    do, you would find that the fixes would stop parts of your system from
    working until you fixed other things, and these things are not documented
    in the scanners. The scanner rage comes partly from the clever move
    toward providing statistics on the number of vulnerabilities found.
    Security people can justify the cost of a scanner (more than twenty
    thousand dollars per copy for a program a teenager wrote in a week)
    because they show a measure of improvement. But of course new
    vulnerabilities show up every day, so even though an improvement in the
    statistic shows up, the actual number of holes is on the increase. If you
    want a consultant to run a scanner for you, that will cost between 1,000
    and 2,000 dollars per day as well. If you want a CPA firm to do it for
    you, count on paying between fifty thousand and one hundred thousand
    dollars for their effort. The result will be a report that you cannot
    fully understand, and a management report that makes you look good, but
    doesn't really do anything for the corporation. 
    At one site I know of, they did a comprehensive scan for known
    vulnerabilities with one of the most popular off-the-shelf scanners.  The
    scans failed to indicate that several systems had user IDs that were the
    same as the name of the system, and that those user IDs had passwords that
    were the same as the name of the system. They discovered this only after
    someone broke into the machines. In the aftermath, when asked why they
    trusted a scanner which they knew had many such limitations, they
    indicated (as others have to me) that the scanner provided statistics so
    that as they scanned machines they had made changes to, they could show
    management that improvements had been made.  It didn't matter that the
    improvements were to obscure potential vulnerabilities rather than obvious
    and easily exploitable ones that were completely missed. The management
    report would make them look good and that was their objective. 
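The two stories above, the NT firewall whose router password was a 4-digit number and the scanner that never tried "username equals hostname, password equals hostname", share one lesson: the trivial credential check is the first thing an attacker tries and the thing a canned scan most easily skips. The following is an added example, not code from the article or from any scanner named in it, of what that check looks like when you write it yourself. It assumes a login function `try_login(host, user, password)` returning True on success; here that is a constructed in-memory stand-in (`fake_login` over `CONSTRUCTED_ACCOUNTS`) so the block runs offline. The host names and credentials are invented for the example.

```python
"""Trivial-credential audit: hostname-derived guesses first, then the full
4-digit numeric space. Added example; not part of the original article."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample data standing in for real hosts. Each host maps to the
# accounts that would actually authenticate on it.
CONSTRUCTED_ACCOUNTS: Dict[str, Dict[str, str]] = {
    "payroll.example.com": {"payroll": "payroll", "administrator": "Tr0ub4dor&3"},
    "fw-router.example.com": {"admin": "7341"},
    "dev01.example.com": {"dev01": "Xk9!wq2#", "root": "Xk9!wq2#"},
}


def fake_login(host: str, user: str, password: str) -> bool:
    """Stand-in for a real authentication attempt (telnet/SMB/HTTP/etc.)."""
    return CONSTRUCTED_ACCOUNTS.get(host, {}).get(user) == password


def trivial_candidates(hostname: str) -> Iterator[Tuple[str, str]]:
    """Yield (user, password) pairs in the order an attacker would try them:
    cheap, high-yield guesses first, the exhaustive numeric sweep last.
    Duplicates are suppressed so each pair costs one login attempt."""
    base = hostname.split(".")[0].lower()
    seen = set()
    for user in (base, "administrator", "admin", "root"):
        for password in (base, "", user, "password"):
            pair = (user, password)
            if pair not in seen:
                seen.add(pair)
                yield pair
    # The whole 4-digit numeric space is 10**4 values; a trivially short job.
    for user in ("admin", base):
        for pin in range(10_000):
            pair = (user, f"{pin:04d}")
            if pair not in seen:
                seen.add(pair)
                yield pair


def exhaust_seconds(digits: int, guesses_per_second: float) -> float:
    """Worst-case time to try every numeric password of the given length."""
    return (10 ** digits) / guesses_per_second


@dataclass
class Finding:
    host: str
    username: str
    password: str
    guesses: int  # attempts needed before the pair was accepted


def audit_host(host: str,
               try_login: Callable[[str, str, str], bool],
               max_guesses: Optional[int] = None) -> Optional[Finding]:
    """Return the first accepted trivial credential on a host, or None.
    Against real systems, set max_guesses below the lockout threshold and
    get written authorization first; this is a test you run on your own
    hosts, not someone else's."""
    for n, (user, password) in enumerate(trivial_candidates(host), start=1):
        if max_guesses is not None and n > max_guesses:
            return None
        if try_login(host, user, password):
            return Finding(host, user, password, n)
    return None


def audit(hosts: Iterable[str],
          try_login: Callable[[str, str, str], bool],
          max_guesses: Optional[int] = None) -> List[Finding]:
    """Audit every host and return only the ones with an accepted guess."""
    findings = []
    for host in hosts:
        finding = audit_host(host, try_login, max_guesses)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(CONSTRUCTED_ACCOUNTS, fake_login):
        print(f"{f.host}: {f.username}/{f.password!r} after {f.guesses} guesses")
    print(f"4-digit space at 1 guess/s: {exhaust_seconds(4, 1):.0f} s")
```

On the constructed data the payroll host falls on the very first guess (user and password both equal to the host name, the case the article's scanner missed), the router falls a few thousand guesses into the numeric sweep, and the developer box survives the whole list. The point is the ordering: the hostname-derived pairs cost almost nothing and catch the embarrassing cases, and a scanner that reports "no vulnerabilities" without having tried them has measured nothing.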
    A level above the real low-life of the security industry are the one-time
    systems administrators turned security consultants. In some sense, these
    people have some bona fide value. They once had some level of
    responsibility for securing a real system, and they probably know most of
    the commonly used commands and perhaps they even have some experience with
    some of the programs you use. Generally, their security knowledge is
    minimal, but at least they know the right words and won't look like total
    idiots when they talk to your systems administrators. Of course your
    systems administrator will be able to snow them into believing that their
    system is completely secure, and they are not likely to ever test anything
    the systems administrator says because they are not used to the trust but
    verify way of doing business that is the hallmark of the security
    professional. These folks, even though they are better than the others
    listed above, tend to cost less! Yes, that's right. They only cost between
    one thousand and fifteen hundred dollars per day and they actually know
    In a recent assessment I worked on, a former AS/400 systems administrator
    turned security consultant came in to review an AS/400 system. As far as
    he could tell, it was more secure than any AS/400 he had ever
    administered, and he could find no way to get past the security. He
    didn't bother to ask if there had been any detected incidents. There had.
    When I followed up, I found that an employee had been detected accessing
    salary records - caught because he tried to change one. It turned out he
    should not have had access to any of those records and could have read all
    the other employee information without being detected. When we dug deeper,
    we found more and more, until finally, we were able to effectively
    demonstrate the ability to alter arbitrary records and gain systems
    administration privileges undetected starting from the Internet. All of
    the detected flaws were detected by people who know security but don't
    know much about AS/400s. 
    How Do You Find Real Experts?
    There are a few tell tale signs of real experts, and real experts are the
    best way to find other experts. But be careful and cross-check wherever
    Real experts tend to write articles for legitimate publications. For
    example, writing articles for 2600 is probably not a good reference point,
    but an article in "Network Security Magazine" or "Computers and Security" 
    related to the interest area of the consulting to be performed is a good
    indicator. That is not to say that all the authors are good security
    consultants, but most of them know something about the field. 
    Real experts go to public meetings and conferences to hear what other
    people have to say and give presentations of their own. For example, many
    real experts will show up at "Computer Security Institute" conferences or
    in "MIS Training Institute" short courses, and they will tend to be
    invited to give talks and to return time and again. If someone has given
    talks for several years in a row at the same conference, chances are the
    audience found value in what they had to say. 
    Real experts don't claim to be experts in every aspect of the information
    protection field. They may assert that they are knowledgeable across the
    board, but if they claim to know all about the details of security for
    every operating system and every platform, chances are very good that they
    are not really experts in any of them. There are just too many specifics
    in today's environment for anybody to know them all. Most of the best
    experts are very knowledgeable about a large number of them, but nobody
    knows it all. 
    Years in the field is another great indicator of expertise. I have never
    met anyone with less than ten years of experience in information
    protection that I would call expert even in a narrow part of the field.
    Normally, it takes several years to learn the basics of each of the many
    subfields, several more years to understand how the fields fit together,
    and several more years to get enough experience in real-world situations
    to be really useful. Anybody who trusts a 24 year old with making
    corporate decisions regarding billions of dollars in information assets is
    probably making a big mistake. 
    Summary and Conclusions:
    There's a lot of money in the information security field today and much of
    it is being spent unwisely. The large dollar values are driving large
    numbers of poor quality people into the business and they are getting
    outrageous pay rates when they have little to really offer. At the same
    time, there are legitimate experts who are increasingly unable to
    differentiate themselves from the folks with good sales teams. The
    combination is a recipe for disaster to the unwary or uninitiated. I hope
    that some of the ideas I have provided here are of some use, but I fear
    that we have a long way to go in this industry. 
    About The Author:
    Fred Cohen is a Principal Member of Technical Staff at Sandia National
    Laboratories and a Managing Director of Fred Cohen and Associates in
    Livermore California, an executive consulting and education group
    specializing in information protection. He can be reached by sending email
    to fct_private or visiting http://all.net/
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:59:25 PDT