WHITE PAPERS
and
INDUSTRY ARTICLES

  • Click here to learn about protecting your trade secrets, and learn about the threats of intellectual property theft.
  • Click to learn how con men take advantage of a booming local economy
  • Click to learn why you should be protecting your Networks. Also, a great article on how to hire a 'white hat' hacker.
  • Click to learn about the risks of virtual, offshore, and shell banks
  • Click to learn more about internet fraud
  • Click to learn more about online auction fraud
  • Click to download a detailed .pdf document on trends and methods of auction fraud in 2001.
  • Click to learn about the Nigerian Fraud, also known as the 4-1-9 Fraud
  • Click to learn about pyramid schemes and multi-level marketing dangers.
  • Click to learn about small investor stock hypes.
  • Click to download a .pdf white paper on researching criminal and civil records.
  • Click to download a very informative .pdf booklet for victims of ID theft. This information explains what steps victims need to follow in order to notify credit bureaus and authorities.

    Hacking and Data Theft are REAL problems.

    The first article in this page deals with the 'hacker/cracker' threat. The second article tells you how to work with hacker protection companies (what to do, what NOT to do). This is rather lengthy, but there's some good information to be had.

    ARTICLE ONE OF TWO. Inside Assets Are Your Biggest Threat

    KNOW YOUR ENEMY!

    With information as good as hard currency, companies have to protect themselves against data theft. Security expert Robert Schifreen offers some up-to-date advice on how to keep the bad guys at bay.

    Thanks in part to the Internet, hackers have never had it so good. They no longer need to make expensive - and easily traceable - international telephone calls. Now, by dialling their local Internet connection, they can telnet any company whose systems they want to penetrate.

    For malevolent employees, it can be even simpler - just a matter of wandering over to the cupboard where the backup tapes are kept, and pocketing 16Gb of business data in the blink of an eye. Preventing and detecting the misuse of corporate computer systems is a constant cat-and-mouse game; you can never rest on your laurels. If you're involved in data security, your best hope is to stay one step ahead of the hackers and try to beat them at their own game.

    Unfortunately this is far more difficult than it sounds, because modern hackers now have many potential strings to their ill-intentioned bow. The faddish nature of the IT industry isn't a great help, either. For instance, vendors may tempt you to put all your security eggs into the firewall basket. But concentrating your efforts in any single area is asking for trouble. The key to security is to adopt a holistic approach, so that you cover all of your risks.

    Who are the hackers?
    First, let's get clear about where the threat comes from. The press and TV portray hackers as spotty, teenage boys operating from untidy bedrooms, who regard hacking rather like trainspotting; they hack simply to be able to claim to have broken into more systems than their friends. Not only is this description inaccurate, but it has never been anywhere near the truth. Of course, there are some hackers who fall into this category, but they are few and far between.

    The truth is, if someone breaks into your network without permission, there's a 60% chance the perpetrator will be a member of your own work force.

    Unauthorized action by staff mostly takes the form of altering data without permission, or placing fraudulent orders for goods. The employee may also attempt to look up information or copy data files, either to sell to competitors, use for personal gain, or because they're being paid to retrieve it by someone on the outside.

    Former staff have also been known to access systems belonging to previous employers, again either out of curiosity or because someone is paying them to do it. I know of cases where passwords remain unchanged three years after the person who originally set them up has left the job.

    Another class of so-called hacker is the security consultant, either working alone or as part of a larger company, who attempts to get work by breaking into systems and then offers, for a fee, to close the holes that allowed him in. This action is illegal (see below), and anyone employing consultants with such an unorthodox method of advertising is, to say the least, unwise.

    However, the hacker who now poses probably the greatest threat to your organization is the one who, either working alone or paid by someone else, indulges in industrial espionage. With the recent drop in prices, stealing whole computers is unprofitable and risky. But the value of data just keeps going up and up.

    A successful holistic defense strategy depends on successfully prioritizing your efforts against each of the above-mentioned types of miscreants. Plus, of course, guarding against accidental data loss caused by untrained users and incorrect backup procedures.

    Is computer misuse illegal?
    Computer hacking is illegal in most parts of the developed world. The Computer Misuse Act 1990, for example, makes it an offense, punishable by a fine and/or imprisonment, to intentionally gain unauthorized access to a computer. Anyone with a professional interest in IT security should be aware of the contents of this act.

    There is other relevant legislation. The British Data Protection Act, in its newly-enacted 1998 form, defines information as a corporate asset, which company directors are legally obliged to protect.

    In theory, this means that a director could end up in court if his or her company gets hacked, which is a great way for you to persuade senior management to allocate more funding for IT security.

    The full text of this act, and other recent legislation, is available free from the HMSO site at www.hmso.gov.uk/acts. While you are browsing the law, also take a look at the Companies Act (which covers directors' responsibilities); the Copyright, Designs and Patents Act (software piracy); the Interception of Communications Act (monitoring of staff email); and the Children and Young Persons Act (child pornography downloaded from the Internet).

    It's all too tempting to rush in heavy-handed, threatening the full force of the law against staff who misuse their access to company information and computers. By warning of the consequences of unauthorised access in employee contracts, on signs in the cafeteria, and on welcome banner screens, you can make the law work for you as an effective deterrent.

    But be careful not to instill into the workforce so much fear of your security or IT support people that suspected problems go unreported for fear of the messenger being shot. If a staff member does accidentally introduce a virus on to their workstation, it's better that they admit it sooner rather than later.

    How much hacking is there?
    There's no shortage of surveys that document the severity of the hacking problem. Various respectable research organizations, consultancies and big City accountancy firms publish minutely detailed data. In theory, such data will tell you how often you're likely to be hacked, what will be taken, and how much you'll need to spend to correct the damage.

    In practice, however, over the past few years I've spoken to hundreds of IT security managers and none of them has said that he or she would tell the truth about past hacks to someone compiling a survey. This calls into question the reliability of such research, although undoubtedly it is useful ammunition in a company's fight to gain more security-related funding from the board.

    Why hackers hack
    Before you can start to protect your systems, it's essential to understand the motivating factors that drive people to break into them. Looking for motives is the first thing that the police teach trainee detectives, and preventing/detecting computer misuse is no different to dealing with any other crime.

    A thief, so the saying goes, is an honest person who sees an opportunity. Most data thefts and computer hacks are inside jobs, and the majority of these occur because what appears to be an irresistible opportunity presents itself.

    An employee might notice that their boss has written down a password in a diary, for example, and decide to try using it in a deliberate attempt to defraud or merely as a prank. Or a worker may be asked to take a data disk to the personnel department and be unable to resist taking a copy on the way.

    You can improve the security of a system easily and cheaply by removing these opportunities and by ensuring that staff know their movements on the system are monitored. It also follows that borrowing and lending of passwords should be discouraged. At one company I know, staff who are discovered to have done this lose some or all of their next Christmas bonus.

    Among the other reasons why people misuse computers are curiosity, greed, the challenge, to impress colleagues, and boredom. Don't underestimate greed. Today, information is as good as hard currency. Guard your servers and laptops from physical theft, of course, but much more important is the data that they contain.

    One further reason why people hack into computers is out of necessity. Consider what would happen if one of your staff kept the information on their desktop PC encrypted and was subsequently dismissed, died, or merely forgot the password. Could you recover that data?

    Despite what software companies tell you, the encryption built into most off-the-shelf applications can be easily broken. It makes sense, therefore, to buy the necessary software to do this for all the applications used within your company. A browse through www.accessdata.com, www.crak.com and www.lostpassword.com should help you find the programs you need.

    Basic risk analysis
    In IT security, as in any other business function, manpower and funds are limited. It is therefore critical that you prioritise your efforts and that you do this correctly.

    Every organization holds different types of information, and each type may need different levels of protection depending on the company's areas of business.

    All companies will have customer lists and personnel data, plus other categories such as plans for new products, marketing strategies, or reports from consultants pending financial announcements such as a flotation or quarterly results.

    The ultimate destination of stolen data depends both on the hacker and on the type of data. Typical customers for information include business competitors, current or past staff, rivals in a takeover, the press, private investigators, the criminal underworld, other hackers, opposing sides in a court case, regulatory agencies such as Fast, and individuals from foreign and British governments and/or intelligence agencies.

    Questions you should ask yourself are:

  • What types of information do we have?
  • What is the most important?
  • Where is it held?
  • For how long could we survive without it?
  • Who has access to different types of data, and do they all need that access?
  • What would happen if the data was lost, altered, or leaked?

    There should be at least two named individuals responsible for each category of data. These people should be made aware that the buck stops with them, and that it is they who will lose their jobs if anything happens to the information they are protecting.

    What hackers do
    Tradition has it that hackers simply steal data files and, if possible, sell them. Although this was the case 15 years ago, it is no longer true. Much of today's hacking activity is aimed at bringing about denial of service attacks. Programs such as WinNuke or ping generators are freely downloadable from the Internet and enable a hacker to crash a machine instantly if it's not running all of the latest security patches.

    On average, at least two attacks are posted on the Internet every week (see below for details on how to keep up with them all).

    Keep a close eye on the web sites run by your OS and application software vendors, and install any published security patches as a matter of urgency. The same goes for vendors of networking products such as Cisco and Nortel. Although the hacker mentality means that most attacks target Microsoft products, others are also vulnerable. PC Anywhere and Novell Groupwise, for example, were both subjects of recent attacks - see the relevant web sites for the patches.

    Ensure that all servers are physically secured. A hacker with a Dos boot disk can copy every file from an Intel-based Unix server. Windows NT, too, is vulnerable in the same way, even if the drive is formatted with NTFS. A free driver to allow Dos to read NTFS partitions is available at www.winternals.com.

    While you are protecting your own servers, look at your web site to see if it runs on your own hardware or is hosted externally. Many organisations have had their web sites attacked in recent months. In some cases, these have been high-profile hacks, with wholesale changes to the site content which included replacing most of the images with pornographic pictures. In other cases, web-site hacks have been very minor, such as changing a couple of entries in an online price list, or altering the specifications of a product to make it appear less competitive. It is arguable that these minor hacks are more dangerous, in the long term, because they often go unnoticed. If your site was subject to minor changes such as these, would you notice?

    Of course, hackers don't just obtain data by breaking into systems - there are much easier ways of discovering confidential information. How many times have you heard people discussing private matters on the train into the office, for example? Also, what would your staff do if someone claiming to be from the support department telephoned and asked for their ID and password in order to upgrade their accounts? If you're not sure, try it for yourself.

    Audit! Audit!
    Carry out regular audits on workstations, laptops and servers. Perform text searches, and use a program such as Imagecensor to look for pornographic images. In the case of pornography involving minors, possession of just one image is an offense and can land the computer user and/or the company's directors in court.

    Keep a lookout for pirated software, and perhaps use metering to ensure that you stay within the rules. Remember that Fast's biggest source of tip-offs is disgruntled employees.

    While looking for pirated software, don't forget font files. Also, look out for MP3 files downloaded from the Internet as these may be audio tracks that have been pirated from commercial CDs.

    Viruses
    The latest virus scanners can detect some 23,000 viruses. Only around 2% of these are ever in the wild at any one time - the vast majority exist only in the research labs, having been contributed by virus authors. Unfortunately, however, because no one knows which 2% of those viruses will be in the wild, there's no option but to ensure that your scanners are always up to date.

    Some scanners are easier than others to roll out in a corporate environment, and you should take this into account when buying anti-virus software.

    Beware of those top-10 lists of viruses that some companies put out and which get printed in various magazines. Dr Solomon's, for example, recently published a list which suggested that seven of the 10 most commonly encountered viruses were boot-sector ones.

    Everyone knows, of course, that macro viruses are by far the most common sort, so why the discrepancy? Dr Solomon's was compiling the list according to the number of calls to its helpline, and removing a boot-sector virus is more tricky than removing a macro one and therefore generated many more calls.

    Vendors of anti-virus software try hard to make their products score well in magazine reviews, and this means scanning quickly. By default, therefore, most scanners won't look in TXT files, for example, because they are assumed to be incapable of holding macro viruses.

    But this means that a .DOC file, which is renamed with a .TXT extension, won't be found. So set your virus software to scan all files at least once a month - and not just the files ending with DOC, EXE and so on.
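
    The renamed-.DOC problem above (and the audit advice earlier about searching workstations) comes down to one rule: trust the bytes, not the file name. The following script, which is an added example and not code from the article or from any anti-virus vendor, sniffs the leading bytes of every file under a directory and reports any file whose content is a macro-capable or executable container but whose extension claims otherwise. The signature table, the extension mapping and the four sample files are all constructed for the example.

```python
"""Find files whose content does not match their extension.

Added example for the audit and virus-scanning advice above: a scanner
that only looks at extensions misses a Word .DOC renamed to .TXT, so this
script sniffs the leading bytes of every file instead.  The signature
table, the extension mapping and the sample files are constructed for
this example; this is not the article's code and not any vendor's scanner.
"""
import os
import tempfile

# Leading-byte signatures (well-known magic numbers) of container formats
# that can carry macros or executable code.
SIGNATURES = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",  # legacy Word/Excel (.doc/.xls)
    b"PK\x03\x04": "zip",                          # ZIP, including Office .docm/.xlsm
    b"MZ": "pe",                                   # Windows executable (.exe/.dll)
}

# Extensions under which each container type is expected; anything else
# carrying that content is reported.  Assumed mapping for the example.
EXPECTED = {
    ".doc": "ole2", ".xls": "ole2", ".ppt": "ole2",
    ".docm": "zip", ".xlsm": "zip", ".zip": "zip",
    ".exe": "pe", ".dll": "pe",
}


def detect_type(header):
    """Return the container type for a file's leading bytes, or None."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def find_mismatches(root):
    """Walk root and return (relative path, extension, detected type) for every
    file whose content is a known container but whose extension says otherwise."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                detected = detect_type(fh.read(8))
            if detected is None:
                continue  # plain text or an unknown format: nothing to flag
            if EXPECTED.get(ext) != detected:
                findings.append((os.path.relpath(path, root), ext, detected))
    return findings


def build_sample_tree(root):
    """Write constructed sample files: two honest, two disguised."""
    ole2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    samples = {
        "readme.txt": b"Just some notes.\n",
        "report.doc": ole2,
        "notes.txt": ole2,                  # a .DOC renamed to .TXT
        "setup.log": b"MZ" + b"\x90" * 30,  # an executable renamed to .LOG
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def run_demo():
    """Build the sample tree in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sorted(find_mismatches(tmp))


if __name__ == "__main__":
    for path, ext, kind in run_demo():
        print(f"{path}: extension {ext!r} but content is {kind}")
```

    Run against a real share, the script reports only files whose content is a known container under an unexpected name, so plain-text files never generate noise; it is the extension-independent pass the article recommends doing at least monthly, done by hand.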

    Whatever scanner you use, if your users are not trained in how to deal with a virus outbreak, you are just asking for trouble. Try distributing to a small number of staff a Word document with an autoexec macro that puts up a jovial virus-like message on the user's screen.

    If it takes longer than half a day for all copies to be reported to your support department, some virus awareness training is urgently called for.

    Forensics
    If your firewall logs suggest that you've become the target of a hacker, or if you suspect that a staff member is using their desktop PC for illegal activities, it's tempting to play detective yourself. However, if you don't know the rules of admissibility of evidence in court, you're likely to destroy any possibility of being able to prosecute the perpetrator.

    For example, if you're examining a user's PC, the rules state that you must take an exact image of the hard disk and then do all your examinations on that copy.

    The advice here is simple. As soon as your suspicions are raised, consult one of the growing number of computer forensics companies for advice. Don't do anything on your own, unless you are totally sure of your actions. Although there are tools designed for carrying out forensic searches of hard disks, such as looking for incriminating evidence in deleted files, steer clear of them and leave this to experts.
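
    The one rule the forensics section does state, work on an exact image and never on the original, is easy to show in code. The script below is an added example, not code from the article and not a substitute for a forensics specialist's process: a constructed file stands in for the suspect disk, the image is taken block by block, both are hashed, an examination step runs only against the copy, and the original is re-hashed afterwards to show it was left untouched.

```python
"""Image a suspect disk and verify the copy before examining it.

Added example for the forensics section above: it demonstrates the single
rule the article states (work on an exact image, never on the original)
with a constructed file standing in for the disk.  This is not the
article's code and not a substitute for a forensics specialist's process.
"""
import hashlib
import os
import tempfile


def sha256_of(path, block_size=65536):
    """Hash a file in blocks so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst, block_size=4096):
    """Copy src to dst block by block and return the number of bytes copied.
    The source is opened read-only and is never written to."""
    copied = 0
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(block_size), b""):
            fout.write(chunk)
            copied += len(chunk)
    return copied


def acquire(src, dst):
    """Image src to dst and return (bytes_copied, source_hash, image_matches).
    The source hash is recorded before any examination; re-hashing the
    original later proves it was left untouched."""
    copied = image_device(src, dst)
    source_hash = sha256_of(src)
    return copied, source_hash, sha256_of(dst) == source_hash


def search_image(image_path, needle):
    """Example examination step, run only against the working copy: return
    the byte offset of a keyword, or -1 if it is absent."""
    with open(image_path, "rb") as fh:
        return fh.read().find(needle)


def run_demo():
    """Constructed walk-through: image, verify, examine the copy, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "suspect-disk.bin")
        working = os.path.join(tmp, "working-copy.bin")
        # Constructed "disk": filler with a keyword buried at a known offset.
        payload = b"\x00" * 7000 + b"CONFIDENTIAL" + b"\xff" * 5000
        with open(original, "wb") as fh:
            fh.write(payload)
        copied, source_hash, matches = acquire(original, working)
        offset = search_image(working, b"CONFIDENTIAL")
        untouched = sha256_of(original) == source_hash
        return copied, matches, offset, untouched


if __name__ == "__main__":
    print(run_demo())
```

    The hashes are the part that matters for admissibility: the source hash taken at acquisition, the matching image hash, and the unchanged source hash after examination together show that what was examined is what was seized.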

    Firewalls
    Too many companies assume that installing a firewall will bring everlasting peace of mind and total security, and many firewall vendors do little to counter this image. However, nothing could be further from the truth. A firewall is an essential string to the security bow of any company with links between its Lans and the Internet. But a firewall is not a fit-it-and-forget-it product. It's crucial to keep a close eye on the firewall's log files, as these will tell you whether hackers or any other unauthorised activities have been detected.

    If you're considering installing a firewall, resist the temptation to do the job yourself. Specialist firewall installation consultants typically take two days to install and configure one. By trying to save money and doing it yourself, you have no guarantee that it's working correctly. Just because users don't come to you complaining that they can't get into the system, doesn't mean that the firewall is working properly.

    If you get sales calls from firewall vendors and you already have a firewall in place, don't tell the salesman which one you use. Equally, ensure that your firewall vendor doesn't include your organisation on its publicly-available client list.

    Ensure, too, that your firewall is tested at least once every three months, and that this is done by a company other than the one that installed it. This will involve employing the services of a penetration testing team, which can comprise hackers, consultants, or both.

    Make sure, when hiring such a team, that you are authorised to do so, or you risk prosecution for inviting the team into your company's systems without permission. Insist also on being able to watch the team at work, and don't be afraid to ask questions. Change all sensitive passwords after the team leaves, and ensure that any weakness they discover is corrected as soon as possible.

    Penetration test teams can break through a surprisingly large number of the firewalls. In almost every case this is not because of a weakness in the firewall product, but because it has not been configured correctly. Various consultancies, such as Computer Crime Consultants, headed by the former head of the Computer Crime Unit at Scotland Yard, John Austen, offer penetration testing. Email him at jausten@compcrim.demon.co.uk.

    Don't run any other software on the firewall machine. This may not only slow down the machine and thus hit performance, it's also a security risk. Hackers have been known to write ActiveX programs that turn off firewalls and then email these programs to companies. The recipient clicks on the message to execute it and, in so doing, turns off the company's firewall and gives the hacker free access.

    Intrusion detection
    While a firewall and an audit act as proactive security, you also need some reactive measures. The best takes the form of an intrusion detection system, such as Realsecure from ISS (www.iss.net). Once set up, Realsecure will email or page you if any condition that meets pre-specified criteria is detected. This can include external users attempting to telnet into a system on certain ports, access by any users to certain key files, and hundreds of other combinations.

    Intrusion detection systems usually work by using a database of known hacker attacks. It's important, therefore, to keep your software up to date, in order to prevent hackers using the latest techniques from slipping through the net. The software should take care of this itself, usually by connecting to its home web site and copying the database when required.
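
    Both the firewall section ("keep a close eye on the firewall's log files") and the intrusion detection section (alert on external telnet attempts, match against known patterns) describe the same activity: read the records, apply rules, raise an alert. The script below is an added example, not code from the article or from any firewall or IDS product. Its log line format, its internal address range, its two rules and every sample line are constructed for the example; note that the sample deliberately includes a telnet connection from outside that the firewall allowed, the misconfiguration case the penetration-testing paragraph warns about.

```python
"""Review firewall log lines and raise simple intrusion alerts.

Added example for the firewall and intrusion-detection sections of the
article.  The log line format, the two detection rules, the internal
address range and every sample line below are constructed for this
example; none of it comes from the article or from any firewall or
IDS product.
"""
import ipaddress
import re
from collections import Counter

# Assumed internal address range for the example (a documentation net).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed line format:
# "<date> <time> <firewall> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: an outside telnet probe that was denied, a port
# sweep, normal traffic, an internal telnet session, a telnet connection
# from outside that the firewall wrongly ALLOWED, and one non-traffic line.
SAMPLE_LOG = """\
1999-03-12 02:14:07 fw1 DENY TCP 203.0.113.9:4311 -> 192.0.2.10:23
1999-03-12 02:14:09 fw1 ALLOW TCP 192.0.2.20:1034 -> 198.51.100.5:80
1999-03-12 02:15:01 fw1 DENY TCP 198.51.100.77:40001 -> 192.0.2.10:21
1999-03-12 02:15:01 fw1 DENY TCP 198.51.100.77:40002 -> 192.0.2.10:22
1999-03-12 02:15:02 fw1 DENY TCP 198.51.100.77:40003 -> 192.0.2.10:25
1999-03-12 02:15:02 fw1 DENY TCP 198.51.100.77:40004 -> 192.0.2.10:80
1999-03-12 02:15:03 fw1 DENY TCP 198.51.100.77:40005 -> 192.0.2.10:110
1999-03-12 02:16:30 fw1 ALLOW TCP 192.0.2.21:1040 -> 192.0.2.10:23
1999-03-12 02:17:00 fw1 ALLOW TCP 203.0.113.9:4312 -> 192.0.2.11:23
1999-03-12 02:18:00 fw1 configuration reloaded
"""


def parse_line(line):
    """Parse one line into a dict, or return None for lines that are not
    connection records (the review counts these rather than ignoring them)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip):
    return ipaddress.ip_address(ip) not in INTERNAL_NET


def review(log_text, sweep_threshold=5):
    """Apply two rules and return (alerts, unparsed_count).

    Rule "external-telnet": an outside address reaching an internal telnet
    port (23), whether the firewall denied it or, worse, allowed it.
    Rule "port-sweep": one source with sweep_threshold or more denied
    connections in the reviewed window.
    """
    alerts = []
    denies = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["dport"] == 23 and is_external(rec["src"]) and not is_external(rec["dst"]):
            alerts.append({"rule": "external-telnet", "src": rec["src"],
                           "dst": rec["dst"], "action": rec["action"]})
        if rec["action"] == "DENY":
            denies[rec["src"]] += 1
    for src, count in denies.items():
        if count >= sweep_threshold:
            alerts.append({"rule": "port-sweep", "src": src, "denied": count})
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = review(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"{skipped} line(s) were not connection records")
```

    The unparsed count is reported on purpose: a review that silently drops lines it cannot read is exactly the kind of gap a real system's attack database update is meant to close, so a rising count is itself something to look into.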

    Encryption
    It's advisable to use some form of data encryption, especially on laptops. Thieves and muggers target laptops especially if, as is worryingly common, people carry them in smart, padded bags clearly labelled with Dell, Compaq, Toshiba and the like. The moral here is to shun the posing pouches and to carry your laptop in a briefcase.

    Use the strongest form of encryption that you're permitted. However, if you're transferring data to or from France, you must seek permission from the authorities before using such a program. If your encryption program offers a choice of proprietary algorithm or a well-known one such as DES or Idea, always use the well-known one; security that relies on the algorithm staying secret isn't security at all.

    Any encryption algorithm is going to be sufficient to protect your half-finished resignation letter to the boss, or your competitors from seeing your plans for new products - at least for a month or two, which is normally long enough. But you may as well accept that law enforcement and intelligence agencies are quite capable of cracking all known encryption, even with the longest key lengths, in close to real time.

    The US Department of Energy, for example, announced a couple of years ago that it had bought some machines, each containing 4096 Pentium processors - officially for 'modelling the effects of nuclear explosions'.

    Legislation is planned for the next British parliamentary session in which some form of key escrow will be 'encouraged'. This will not be mandatory, but digital signatures on encrypted data that is not escrowed will not be legally admissible or enforceable.

    Under the scheme, users of 'strong' encryption will have to lodge part of the encryption key with a 'trusted third party'. Few security experts, however, including myself, trust any of these organisations. After all, an intelligence agency that wants to spy on its citizens could do a lot worse than set up as a TTP or plant staff in the offices of other TTPs.

    Keeping yourself informed
    Computer hackers succeed by staying one step ahead of the security administrators.

    You can never make a system 100% hacker proof, but you can drastically reduce your chances of an attack if you can get one step ahead of the hackers and remain there.

    By far the best way of staying informed is to use the Internet. By regularly scanning the right newsgroups and mailing lists, you can find out where the most recent risks to your company's data lie. You can also obtain and download security patches for the systems on which your information resides.

    If you run a Unix system, you really must keep up-to-date with what's on www.cert.com and www.ciac.com. These are the homes of the Computer Emergency Response Team and the Computer Incident Advisory Capability, two US-based organisations to which Unix vendors report security vulnerabilities.

    Much to the irritation of some in the industry, Cert and Ciac tend not to disclose details of loopholes until the OS vendor involved has released a patch, but these sites are still a good source of intelligence. As for Usenet newsgroups, look at comp.security.misc, alt.security and comp.risks. By far the most useful security advice can be had via email. Send a blank message to microsoft-security-subscribe-request@announce.microsoft.com, for example, and Microsoft will send you email each time the company discovers a security-related bug in one of its products, or publishes a security-related fix. Most of such fixes tend to be for Internet Explorer, as that's where some of the most prolific hackers are concentrating their efforts.

    A mailing list dealing with the legal aspects of computer crime is LACC, which is inhabited by a good mix of IT security people, police officers and lawyers. Although very US-centric, there's still a lot of useful generic information available. To subscribe, send email to lacc-request@suburbia.net with 'subscribe lacc' in the body of the message. To remove yourself from the list, change subscribe to unsubscribe. By far the most useful resource on the Internet for NT-oriented security personnel is the ntbugtraq list. Recent topics included problems with Service Pack 4 and a security hole in Firewall-1. It's very efficiently moderated, so the percentage of junk messages is virtually zero. Among the participants are senior NT security developers from many major software companies, including Microsoft.

    Many of the stories about NT security problems that you read in the press will have originated on ntbugtraq.

    To subscribe, send an email to listserv@listserv.ntbugtraq.com and in the body of the message put 'subscribe ntbugtraq firstname lastname'. To unsubscribe, change the body of the message to 'unsubscribe ntbugtraq'.

    Robert Schifreen is an independent security consultant, writer and lecturer. In 1985, in the first case of its kind in the UK, he was convicted of hacking (into Prince Philip's email, since you ask) but was subsequently acquitted by the House of Lords. The Computer Misuse Act 1990 was introduced as a direct result of the case. You can contact Robert Schifreen at hex@cix.co.uk

    AT A GLANCE SECURITY IN A NUTSHELL
    The only way to guarantee total security, or at least as near to total security as it's possible to get without making the system unusable, is to adopt a holistic approach.

    For this, you must identify all the possible angles of attack used by hackers, and act appropriately against each of those threats. Although it's tempting to view effective IT security as another cost centre, the real costs are in not having adequate security. But by the time many companies discover this, it's often too late.

    CAN YOU HACK IT?
    Even the US military isn't immune to hackers. British computer enthusiast and X-Files fan Mathew Bevan walked free from a London court last year after prosecutors decided it was not in the public interest to pursue what looked like being a lengthy and costly case. In an interview, Bevan admitted gaining access to computers belonging to the US Air Force, Nasa, and the defence contractors Lockheed, but strongly denied ever altering data.

    'I was after information about UFOs,' he said. 'I just wanted to find evidence of alien abductions, the 1947 Roswell landings and Nasa faking the moon landings - and where better to look than their computer files?'

    ARTICLE TWO OF TWO. The Dark Side of White Hat Hacking: Being "Owned" By White Hat Hackers

    By: Anonymous

    I've attended a number of security conferences and conventions this year, and as I wandered around through all of the vendor exhibits, seminars, and training sessions I discovered that a lot of companies are offering white hat hacking services. Marketing types have further sanitized the term and now the politically correct offering is referred to as "ethical hacking". While I am all for people making a buck, doing so by cashing in on the security hype is not necessarily a good thing. I have seen dozens of incidents of poor frightened middle management folks scrambling to get their sites "fixed" before the inevitable hack attack after listening to the security gurus at the various booths and podiums. Of course those fixes are only owned by the security vendors and consulting firms.

    I consider myself fortunate that I at least know a little bit about security and can see through some of the hype. Usually I know what I want technically when looking for security tools, and I just start zoning out when the marketing drivel starts. But the average Joe/Mary middle manager in the IT department has no idea or clue about what is hype and what is not, and that is where my concern is.

    So I've collected my thoughts and am submitting this article to you, the weary middle manager. As I am currently involved in heavy contract negotiations with three firms competing with each other tooth and nail for my employer's business, I submit it anonymously. Maybe my experiences will give you some insight. And as for you hackers out there, take this to your weary boss and demand a raise and a promotion.

    The "White Hack" Methodology

    The biggest purveyors of what I'd call questionable ethical hacking come in the form of large respected accounting or information services consulting firms. While some firms are better than others (in fact, some of the firms I've personally dealt with are actually okay), a lot of them are absolute cash vampires. These hungry firms will usually offer you a vast array of services from penetration testing to security policy development. Most of these firms have hired up slick hackers who "know the basics", and can usually gain access to most systems through conventional hacking means. They usually operate like this:

  • You are told that danger is everywhere, and that to properly test your security and see your limits, you need to have an outside firm hack your system for you. Your regular administrators cannot possibly do this penetration test, because they "know too much" about the system, or they are not up on the latest "attack methods".
  • The sales pitch for doing the penetration will involve pointing out some of the high profile hacks that have recently made the papers. The odds are good that the firm's pitch person will hint at "how" the hacks are done, implying they are "in the know" about the latest hacking techniques.
  • You pay for a penetration test. The fee is huge (the bigger firms command six figure fees), and they totally get into your company's systems. If your site is protected enough to prevent them from gaining access, then you are probably smart enough to not need an outside firm to confirm your security posture.
  • The report they produce outlines not only how they got in, but illustrates every conceivable hole in your systems. The report is usually a gigantically huge document with an "Executive Summary" that is in itself a good 50 pages long. It is also a very scary report. Sometimes on a security scale of one to five you are lucky if you get a two. Per this report, bad things could happen at any second.
  • You are now faced with the "reality" of a system that is riddled with holes. It is implied you have MASSIVE problems and that your current staff, while competent in basic administrative issues, cannot handle the wild and wooly world of information security.
  • You are told the most important thing you need is a comprehensive security policy. While a security policy is a good thing to have, it is only a piece of what you need.
  • You will be offered either a rewrite of an existing policy or a completely new security policy by the firm. If they are aggressive they will start the pitch to do this during their executive briefing after the penetration test. The fee will be another huge amount, and it will be "obvious" that the only people smart enough to develop your new policy are the ones that did the penetration test. After all, who knows your systems better? Obviously not your own staff, because the outside firm's hackers got in.
  • It will take weeks of meetings and interviews with your systems people for a policy to be developed. All this time will be billable.
  • The firm will leverage your own people's knowledge with their boilerplate policies to develop your new security policy.
  • If you thought the report on the penetration test was big and complex, wait until you get the new security policy. No single person could ever implement it. It will be huge - most of it tangled with a lethal combination of legalese and techno-jargon.
  • For a fee, the firm will offer to implement it. This is another huge fee, but who better to implement it than the people who wrote it? The implementation will take many billable man-hours.
  • Once implemented, for it to "work" you need to periodically "re-assess" your posture and perform checklist audits to ensure compliance. Guess who will offer up these services (for another huge fee)? By this time you've probably given someone from the firm a permanent desk in your company. To use the hacker vernacular, you are "owned". The firm by now knows your budgets, your spending habits, who the decision makers are, who are their allies, and who are their enemies.

    Can you see the pattern? A consulting firm's job is not to protect your company; a consulting firm's job is to make money selling protection from demons, real or imagined. A good consultant doesn't sell one job, they sell a relationship that involves many jobs.

    White Hack System Cleansing

    Let's look at that first option. The best place to look for that expertise is within your own company ranks. Of course you cannot simply make one of the system administrators the security guy; they probably already have enough to do as it is. No, you need to form a group within your company to handle security full time. Start by asking around. Ask who the "security" guy is. Did some pierced and tattooed computer geek bring this article to your attention? Odds are you have some oddball coder or analyst who is a closet hacker, or who knows one. Find out whom the system engineers hate. If it is someone who keeps forwarding them "tips" on security from Internet security mailing lists, particularly if they are re-edited to match your company's environment, you've found your man/woman.

    Once you've found your company hacker, hire their friends. Pay them well. And get a team leader over them who can rein them in, speak their language, and handle the interfacing with the rest of the company. If you're worried about hiring hackers, go ahead and perform background checks if you wish, but realize that hackers are no different from anyone else, and probably have as jaded a background as any other person in your company.

    Some companies won't hire hackers to do computer work, but never perform background checks on the temps working in the Accounts Payable department. In reality the risk of hiring a bad employee is no greater when hiring a hacker. In fact, if the hacker's job is to find holes in systems full time, they will probably be too busy loving every second of their job to do bad things to you, so you may have less risk than you think.

    Okay, assume they don't know everything: send them to some of those training classes and teach your people how to perform penetration tests. Dozens of companies offer courses, including a few of those large firms. Ask for references and try to speak to administrators who took the classes, not their bosses. Better yet, ask your hackers where they should go to get training. They will know.

    Give your hackers the tools they need. Most of what they need will involve fast computers, and they should be able to download most of the hacker tools required to do their job for free off the Internet. But if they need specific commercial tools, such as scanners, intrusion detection systems, or firewalls, get them what they need.

    This solution of building your own team has several advantages - they are employees, not billable consultants. They will learn and KNOW your systems inside and out. It will cost less money than those huge fees.

    Asking The Devil To Dance

    Okay, so if you do NOT want to go that route, then you may need to handle one of the big firms. Consider promoting an internal employee or hiring a hacker as a consultant just to keep the big firm in line. It helps to have a level technical head to be able to see through the hype. While it may seem like an extra expense, it will at least keep them from billing you for every little thing. You will not be sold on things you can do yourself.

    This is not an article against penetration tests, it is against the way they are conducted and used as entry points into Accounts Payable records by large money-hungry firms. It is also _not_ a statement against large fees - huge fees can and will be expected from some smaller organizations. Penetration tests are good for waking up upper management, and if conducted by sharp hackers they can be excellent points of reference. So if you are in the market for some type of outside testing, here are a few things to keep in mind.

  • Do you want to test to find ALL holes, or just the common ones that 99% of the typical access attempts will involve? Unless told, the big firms will document every conceivable hole, including the theoretical ones or the ones rarely seen in the wild. If that is what you want, fine. Just get that information up front.
  • Where are your threats coming from? If you perceive the scariest threats from ex-employees or current disgruntled ones, then you probably do NOT need to go outside your own company for a penetration test.
  • Balance risk assessment and threat. If 90% of your data is only valuable for three days, then does a sustained four week penetration test make sense? Let's put it another way - if your security can turn away 100% of bad guys that try for 5 minutes to get in, 95% of bad guys that try for 5 hours, and 90% of bad guys that try for 5 days, is that good enough? Is that what you want tested? You may be able to simply run ISS' Internet Scanner to get the testing you need. By the same token, do you want all of the exotic stuff tested for as well? If you are being charged $300K for someone to run a commercial scanner against your site you are being ripped off.
  • Do you simply want to perform a fire drill? Tell the firm if that is the case. Larger firms may even turn YOU down at that point.

    Always ask to be taught self-sufficiency. If a firm states they have to do it themselves to maintain control, show them the door. It should be no big deal to have a couple of your employees watch and learn. No single firm "owns" the skills, and they all are capable of teaching security tricks and techniques.

    There are some firms out there who are quite capable of performing penetration tests, and that is all they do. Find firms who agree with the philosophy that security engagements are not a lifetime commitment. These firms do exist, and they are worth tracking down. Consider smaller firms. If you are worried about hiring a rag-tag bunch of misfits, enlist a lawyer to nail down a contract you feel comfortable with. Ask for references.

    Hopefully you have gained some insight into how a few of these large firms operate, and maybe you can secure your company a little more cost effectively. Better yet, it gives you the opportunity to take advantage of a very sophisticated and technologically advanced resource - the wily hacker. Who better to have on your side?

    From hackernews.com
    and Infowar.Com & Interpact, Inc. WebWarrior@Infowar.Com
    Submit articles to: infowar@infowar.com
    Voice: 727-556-0833 Fax: 727-556-0834