Identifying the Worst IT Practices

Wheres the risk?

Why examine worst-practices
Occur in many organizations
Practiced in the name of efficiency
Unmanaged risks result in wasted money,
resources and loss of reputation
Whats cost-effective when:
Heavy dependence on IT to achieve goals
Organizations are increasingly subjected to vulnerabilities
Scope and magnitude of IT investments are increasing
IT can dramatically change the organization and service delivery
IT represents the organizations most valuable assets
Why organizations implement worst practices
Abdication of responsibilities
Inability to segregate activities
Calculator mentality
Putting out fires
Information overload
Expectation gap
Inadequate training
Ignorance and false pride
Whats cost-effective (revisited) ?
Technology that is capable of operating
without material error, fault, or failure during
a specified period in a specified environment

RELIABILITY
What constitutes reliability?
Per the ISO 27002 trust: Principles and Criteria
for Systems Reliability
Security
Integrity
Availability
Maintainability
And what if your organization uses worst-practices?

Your service delivery is not cost-effective

High probability of your information and related
resources being unreliable
Usually, if properly done, required changes are
very cost-effective and deliver high ROI on the
investment required to improve
Network not as important as physical security

Terminated Employees or Consultants

HR policy typically requires
all keys and cards be turned in
consider changing locks and combination
Security policy
may (not always) mention the need to adjust
security settings
vast majority of audit reports cite that terminated
employees and consultants still have access to
system resources
Network not as important as physical security (cont)

How To Manage The Risk

Build the responsibility into the corporate
culture
approver is always accountable for what they
approved (user)
incorporate notifying security as part of the
termination process (HR and yes it is your job!!!)
question inactivity (security)
Estimated Cost/Benefit
Low Cost/High Return
Not enforcing need to have access
it wont happen here
the security group (or user admin) doesnt
have the time or resources
we need the flexibility for cross-training or
backup
Marys been with us for over 30 years so she
deserves to be designated a security
administrator
we only need to worry about external hackers
Not enforcing need to have access (cont)
Consider these issues
60%-70% of unauthorized system break-ins are from internal
sources
Based on forensic experience, this worst-practice is a primary
contributor to internal fraud and facilitates the circumvention of
management designed controls (including organizational chart
responsibilities)
Prime Directive
Many professionals believe that it is impossible to maintain a
control environment that satisfies stakeholders expectation while
using this worst-practice
Estimated Cost/Benefit
Low Cost/High Return
Leaving factory default settings unchanged

Operating systems are often shipped with

default users with default passwords to make
setting up easier. If the systems administrator
doesnt know about the default accounts, or
forgets to turn them off, then anyone who can get
hold of a list of default accounts and passwords
can log into the target computer

Anyone who knows how to do basic research

using the internet can get hold of these lists
Leaving factory default settings unchanged (cont)

Security is not the only exposure incorrect

parameter settings in a core application could
negatively impact the business and result in:
Inappropriate access
Invalid use of validation controls
Incorrect financial reporting
Incorrect exception reporting
Regulatory compliance violations
Incorrect calculations and postings
Incorrect customer records
Loss of credibility
Poor customer service
Wasted investment in technology
Payments to consultants to get things back in order
Not applying security patches
Finding the low-hanging fruit should always be
your top priority mainly because it is the
attackers first priority. Devastating web
vulnerabilities still exist after years of being
publicly known

Typically this is what kiddie scripts use and

results in embarrassment for the organization
Not monitoring security-related advisories & updates

Respected organizations (e.g., CERT, SANS) distribute

free newsletters providing guidance on recent and
projected security threats. For example,
SANS/FBI released a Top 20 vulnerability list with appropriate
tools (free) to detect if a particular organization is exposed.
CISECURITY.ORG provides generally accepted benchmarks to
effectively manage technology risk.
These warnings/guidance are typically ignored in worst-
practices organizations
Does your organization have worst security practices?

To many these sound like a good thing to do

Vulnerability Review
Penetration Test
But to what extent do they just confirm what you
already knew (be honest!!)
And how do they help you prevent future
occurrences
Popular network security testing techniques

Network Mapping
Vulnerability Scanning
Penetration Testing
Security Testing and Evaluation
Password Cracking
Log Reviews
File Integrity Checkers
Virus Detectors
War Dialing
Network mapping

STRENGTHS WEAKNESSES
Fast Does not directly identify
Efficiently scans a large known vulnerabilities
number of hosts Generally used as a prelude to
Many excellent freeware penetration testing not as a
tools available final test
Highly automated Requires significant expertise
Low cost to interpret results

OTHER INFO BENEFITS OF DOING

Quarterly Enumerates the network
structure and whats active
Medium level of
Ids unauthorized hosts and
complexity, effort and risk
services
Identifies open ports
Vulnerability scanning
STRENGTHS
Fairly fast & efficient
Some freeware tools available
Highly automated for known
vulnerabilities
Often provides advice for
mitigating strategies
Easy to run regularly
Cost varies by tool used
OTHER INFO
Every 2-3 months
High level of complexity and
effort with medium risk
WEAKNESSES
High false positive rate
Large amount of network traffic
Not stealthy (detected)
Not for rookies
Often misses new stuff
Identifies the easy stuff
BENEFITS OF DOING
Enumerates the network structure
and whats active
Identifies vulnerabilities on a
target set of computers
Validate up-to-date patches and
software versions
Penetration testing
STRENGTHS
Employ hacker
methodology
Goes beyond surface
vulnerabilities to show how
they can be exploited to gain
access
Shows that vulnerabilities are
real
Social engineering allows for
testing of procedures and
human reactions
WEAKNESSES
Whats a hacker methodology
Requires great expertise
dangerous when conducted by
rookies
Due to time requirements not all
resources tested individually
Certain tools may be banned or
controlled by regulations
Legal complications and
organizationally disruptive
Expensive

OTHER INFO BENEFITS OF DOING

Annually Determines how vulnerable and
High level of complexity, level of damage that can occur
effort and risk Tests IT staff response and
knowledge of security policies
Security testing and evaluation
STRENGTHS
Not as invasive or risk as some
other tests
Includes policies and procedures
More comprehensive focuses on
prevention strategies and roots of
problems
Generally requires less technical
expertise than vulnerability
scanning or penetration testing
Addresses physical security
OTHER INFO
Every 2-3 years
High levels of complexity, effort
and risk
WEAKNESSES
Does not generally verify
vulnerabilities
Generally does not identify newly
discovered vulnerabilities
Labor intensive & expensive
BENEFITS OF DOING
Uncovers design, implementation and
operational flaws that could allow the
violation of security policy or the
existence of vulnerabilities
Determines the adequacy of security
mechanisms, assurances and other
properties to enforce security policies
Includes effectiveness & efficiency
Emphasizes the process and how well
risk is managed.
Were safe, right?
Our organizations auditors engage an outside
firm to conduct an annual vulnerability test.
Last year we didnt have any major findings.
This review proves that were safe right?

WRONG!!!!!!!!
Typical findings
Inappropriate policies at the macro and micro levels
Vendor provided patches not applied
Exploitable files and services not removed or disabled
Ineffective security configuration strategy
Outdated vulnerability scanning and intrusion detection
tools used
Unclear understanding of responsibilities with service
providers and vendors
Ineffective monitoring of activity and new vulnerabilities
False comfort relating to level of security and
understanding of risks to the business
How much to fix?
Not as much as you would expect
You dont necessarily need to purchase advanced
technology
80% of the problems can be resolved very cost-
effectively
Organizational culture and behavior
modification require the greater efforts
And what of these patches we keep hearing about?

Create an organizational software inventory

Identify newly discovered vulnerabilities and security
patches (remember the free emails?)
Prioritize patch application
Create an organization-specific patch database
Test patches
Distribute patches and vulnerability information as
appropriate
Verify patch installation through network and host
vulnerability scanning
Train system administrators in the use of in vulnerability
databases
Security conclusion
A team sport that doesnt necessarily require the
most fancy equipment to win - but does require
you to understand the fundamentals of the game
and that you and your team must provide best
efforts to win!

Otherwise
you are playing to just give the ball to the other side.