Post Sat Jul 07, 2007 9:47 pm

A security flaw every network has

One of the fun things about protecting a network is that we’re fighting a never ending battle against attackers, with unlimited time, resources from almost every corner of the world on their side.
We have to sit there and attempt to deal with whatever is thrown at us.
There's one weapon that’s more devastating that any zero day attack that attackers use to bypass all our fancy high tech defences, are the one constant in any network, anywhere and one that constantly surprises us -

Users!

Yup, the very people that pay us to make sure that they can come on to the network, read their email, check the sports pages and occasionally do some profit generating work, are the biggest attack vector.

Have you ever got a call for one of them wanting to open at a file or web site with the latest celebrity scandal or forward on a chain mail to the entire company to avoid bad luck? How about add a gadget which will enhance their effectiveness performance?
With every new gadget designed to make their lives easier ours becomes harder, introducing new attack vectors and headaches to get them to work with the existing systems.
Oh, by gadgets I mean everything from simple home internet access to office system, blackberries, and mobile phones, to the business critical “need” to have iPod’s and iTunes on corporate machines.

The gleeful looks I’ve got from security researchers or penetration testers that are allow to launch social engineering attacking on the users can put you off lunch for a week.
There are dozens of stories about people swapping password for chocolate bars or even worse, usb drives. http://www.darkreading.com/document.asp ... =column1_1
But the good ol’ “Hi, I’m from your helpdesk, we’re having a problem with your account. Can you confirm your username and password?” works more times than not and doesn’t cost anything.
If your still not convinced about the powers of social engineering on your users, read the about Kevin Minick http://en.wikipedia.org/wiki/Kevin_Mitnick or listen to http://www.phonelosers.org/
Be warned, phonelosers is fairly explicit and constantly uses bad language, but proves how much sensitive, personal information can easily be obtained from a small amount of research and a phone call.

So what to do?

Well forget tech, it is people skills that fix this security issue. 
Getting your management and then the users working with you can make all the difference. Most people want to help out, so imagine having even 10 percent of the company occasionally giving a heads up when something odd happens.  Anything that makes our lives easier in the long run is worth a small amount of short term pain.
These are my top three steps to “patching” users and making defending network a heck of a lot easier.

Get Management buy in for security
This is for senior management to understand and support a security stance for your company. It’s critical to explain the risk of not having a security in business terms, not technical ones. If they stand behind the policy, no-one is going to mess with it.
So when Dave from finance wants to install his weird PDA and its awful software, smile sweetly, glance at the policy - “I’m sorry Dave, I can’t do that” Unless he can prove to the bosses it’s important for the company, it stays off the network.

This is the most important to have. If you can’t get this, you’ll spend all your time fighting security fires and getting blamed for the problems.  Not a fun place to be, if you can’t get through to them the first time, try working with one of them to put your message in their language. The rules of the road are a good analogy to use; they are there to keep everyone safe and working in the same framework. Driving down the wrong side of the street is instantly recognised as breaking the rules and dangerous. Once the management team grasp this for their company’s security, most of the resistance will go.

Help write a solid, easy to understand security policy which protects the business, not cripples it
Don’t get carried away with technical details or writing a block everything document. Talk to the different teams and find out what they need to do their jobs. Then write the policy around those conversations, find a couple of senior managers to then present and explain it to.  Doing this way will help create a policy that get you talking to other departments in your company and have them understand why security is important to protect their work and staff.
The fear, doubt and uncertainly (FUD) of the dark magic that is IT security can be dispelled by a couple for friendly chats and taking time to explain why pirated software and having full local admin rights to a machine is dangerous. It can bring up topics you may not have thought about, like modems attached to the finance desktops for banking apps, or the ad-hoc upload of files to ftp sites.

Remember this is being written for non-technical staff to understand and it’s not details procedures. Think of getting your grandparents to understand it and try to keep it to one page.

Create a security awareness program
Even a simple “security tip of the week” posted to a company news letter, notice board, and intranet or added to IT team’s email tag line is a great way to keeping user informed. You can always link to a web site for more details.
Use it to warn of new attacks and problems, like a spam flood. It helps keep everyone aware and may help to drop calls to you or the helpdesk! 
If you also throw in tips for a safer home computing use, that gets a wider audience interested. Warnings on what phishing scams are and how to deal with them affect everyone who does online transactions is an easy example.

Wrap up
User can be the easiest path in to a network and no amount of system hardening can stop someone who has a legitimate username and password accessing the system. If you give these users a policy on what’s right and wrong, how to report and deal with a possible breaking of these rules, you just gained a whole new layer of defence that has only cost you some time and effort.
Just because you're the security guy, it doesn't mean you should hide in a dark corner and turn up when there's trouble. Get out there, talk to people let them know you there to keep them safe and in a job.
Getting the backing of your company and the security front line doesn't seem so unforgiving and lonely any more.

Some excellent resources of how to create a security policy and security standard can be found at SANS http://www.sans.org/resources/policies/?ref=3731 and NIST
http://csrc.nist.gov/publications/nistp ... 0-12-html/

Training courses by SANS, ISC2 and EC-Council, to name a few, can help build security people management skills which are well worth looking into for any future career moves up the food chain.