How To Suck At Information Security
wiedzmin writes "Great entry in today's SANS Internet Storm Center Handler's Diary — How to suck at Information Security. Some of my favorite points include: 'Assume the users will read the security policy because you've asked them to. Assume that policies don't apply to executives. Make someone responsible for managing risk, but don't give the person any power to make decisions. Expect end-users to forgo convenience in place of security. Hire somebody just because he or she has a lot of certifications. Expect your users to remember passwords without writing them down.' Very entertaining and informative read with a total of about 4 dozen points. Now if I could only find a way to get management to read it." There's also a one-page PDF on the author's site.
I work for $LARGE_US_BANK and our Infosuck guys do exactly all these things. Manage by magazine article, hire 'architects' who think portscanning is the same as pen-testing, and come up with policy upon policy that tries to limit what people can do - it does so mostly by limiting the work people can do.
This thing nails it.
I want to delete my account but Slashdot doesn't allow it.
I once wrote a program that did a weekly dictionary attack (using a standard *nix cracking utility) on the site's passwd file, and then sent out a notice (containing the password, so that it *had* to be changed) to the offending users and the head of IT (I was in another department, but had root access since I ran the majority of the gear).
Needless to say, it didn't make me very popular. But it sure as fuck made my point, both to management and to the users.
PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
They'd just modify their password to meet the minimum requirement to avoid your detection. Usually by taking the passwords they already use and prepending or appending whatever will get them past the scan. And then ALWAYS using that same technique.
_9%january
_9%february
_9%march
Yes, it appears to be more secure ... until you realize that you don't have to crack the CURRENT password. You can crack any of the sequence and then have a pretty good idea what the current one is.
People hate passwords and they particularly hate passwords that they have to change every 30 days or so. So they'll find a way to (unintentionally) break your security just to make their life easier.
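The rotation pattern described in the comment above (same core, month name or counter swapped in) is something a password-change handler can catch before the new password is accepted. The following is an added example, not code from the Slashdot thread or the SANS article; the function names and the sample password history are my own constructions. It strips month names and four-digit years, then rejects a candidate whose stem equals, or shares most of, the stem of any password in the user's history.

```python
import re
from difflib import SequenceMatcher

# Decorations users commonly rotate through to satisfy a 30-day change rule.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
YEAR_RE = re.compile(r"(19|20)\d{2}")


def stem(password):
    """Return what is left of a password once month names and years are removed.

    Two passwords with the same stem ("_9%january" and "_9%february" both
    stem to "_9%") differ only in the rotating decoration the thread describes.
    """
    p = password.lower()
    for month in MONTHS:
        p = p.replace(month, "")
    return YEAR_RE.sub("", p)


def is_rotation_variant(new, old, min_shared=4, ratio=0.75):
    """True when `new` is `old` with a month/year swapped or a short affix
    prepended or appended: the stems are identical, or they share a
    substring covering most of the shorter stem."""
    a, b = stem(new), stem(old)
    if a == b:
        return True
    if not a or not b:
        return False
    match = SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
    return match.size >= min_shared and match.size >= ratio * min(len(a), len(b))


def check_password_change(new, history):
    """Decide whether a proposed password may replace the ones in `history`
    (most recent first). Returns (accepted, reason)."""
    for old in history:
        if new == old:
            return False, "reuses a previous password"
        if is_rotation_variant(new, old):
            return False, "is a trivial variant of a previous password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample history in the style of the thread's example.
    history = ["_9%february", "_9%january"]
    for candidate in ["_9%march", "_9%january", "correct-horse-battery-staple"]:
        print(candidate, check_password_change(candidate, history))
```

This needs the previous passwords (or at least their stems) in cleartext at change time, which is only possible while the user is authenticating with the old one; store nothing beyond that request. The substring rule is deliberately loose and will occasionally refuse an unrelated password that happens to share a word, so surface the reason to the user rather than failing silently.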
If I'm reading it correctly, they mean:
"Seeking a non-existent silver bullet (shiny object syndrome) while not considering that part of the solution is to follow known good practices".
If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.
I'm surprised they didn't fire you after the first time. Most management types would see that as a threat and a violation of their security policy rather than a dedicated employee trying to make a point about security.
God, schmod. I want my monkey man!
Funny that you mention it, I did the same when I was working for a company that, let's say, should be very security conscious. Not an hour after I sent out those letters (I was the IT department head, so there wasn't anyone but the respective users to mail to) I was called upstairs and my boss (who apparently got one of the mails as well, I don't know, it was automated and I wrote it so that only the system and the person with the insecure password knew that their password was easily hackable) told me in very unmistakable terms that I would be fired if I tried to hack our own system again.
Trying to explain that it is in my job description to ensure corporate security and that insecure passwords are a severe security risk did not help. He wanted security to be comfortable and nothing to worry about, and certainly not something that would require him to have anything to do with it.
I handed in my 2 weeks notice the very same day. It was a very well paying job, but I somehow felt that I would be fired eventually anyway when (not if) the company had to deal with a security breach. It did happen to my replacement not a year later, and I guess it doesn't look good on your resume if you're dealing in IT security and have to admit you were fired for a severe security breach.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's pretty easy to write a dictionary generator in perl if you have a good dictionary file to start with. Just take the original, perform however many permutations on it that you'd like, and output to generate a fairly comprehensive dictionary.
Too true. I've seen similar to what you say. However, my education has not been book-driven or learned in a scholastic setting. In fact, I have no degree to speak of.
First thing is, as you said, a sane security policy. 1 email acct, same login/passwd, security-unconscious snooping owner all cause these horrendous problems. However, I'd also highlight one very nasty catch: licensure. I'm guessing that he (the owner) bought the machines piecemeal as he needed them. And he probably bought them from different outfits, no less.
One rogue user could turn them in to the Boy Sco^H^H^H^H^H^H^H BSA. Go look at that guitar string maker up north of us, here in Indiana. He went the Linux route with smart terminals from the old machines incapable of running Windows NewVersion. Still, after being sued, he avoided ever again allowing that kind of liability in their building.
As per the snooping email: explain to him that hidden snooping will let him observe without alerting the user to being watched. On your side, create an account, and duplicate every user's email settings into that account. Make it only receivable, and delete after 10 days (unless you have a beefy mailserver, which I doubt). I'd say it'd be stupid not to have a nice RAID1+0 server with 1-3 TB storage with Linux, admined via Webmin, but those things cost. I'd wait on that kind of proposal unless you can show immediate gain for him and his employees.
And on the desktop snooping end, install VNC (if you use Windows) as a service and "ignore remote mouse/keyboard" so he can watch as he pleases with only very minimal lag seen on the user end. The Linux side, if you can convince him to switch, is just as easy. It uses x11vnc and is a one-line command. If you're running KDE, you can make a script that shows a pretty dialog box, asks for computer (ip/name) and logs in via ssh. The Linux one is by far more secure, but requires switching.
And on the snooping, I'd also recommend DansGuardian so he can ban "bad sites", allow them for himself, and have a log of bad sites for each user. This could easily be used as a tool to remove bad employees, in that if they violate a "no porn/gambling/auction sites" rule, it can be selectively enforced. Yes, I do consider a tool like that to be unethical, but he makes the hiring/firing decisions: not you. The more power you can land in his control, the better for you as you support it.
And the Stupid Admin issue: once you put that much control in his fingertips, he will not let it go. Explain to him that it would be disastrous if his users got hold of this power. In essence, scare the bejezzus out of him. Trust me, it works.
That doesn't make sense. Unless the tech guy is above the pay guy, the pay guy should not listen to the tech's security advice, and unless the pay guy is above the tech guy, the tech guy should not listen to the pay guy's advice on how to fill out time sheets? Expertise = authority. Power to fire might appear to be authority, but it isn't. All having power means is that you expect respect. I've never had a problem telling a boss when they are wrong, but you can be sure I'm nice about it.
If it makes you feel any better, my degree is in International Relations. IT is one of those hobby turned vocation things.
Also, licensing is no longer an issue, although it once was. We are a 100% Linux shop except for the accountant and the graphic artist, who have some software requirements that Linux does not meet (btw, if anybody knows of a drop-in Linux replacement for winbooks that would be really helpful; I'm willing to pay).
Anyway, for the boss it really is not about snooping, it's about laziness. The SMTP password reset was a result of him wanting to be able to log in without having to remember a password. He sends email from other people's accounts because it is easier than having them auto-forward when they leave for a day. It is not just email, he does it with our other systems as well, notably our client management db and the vacancy tracker for our student accommodation.
Oh, and trust me, the fear thing doesn't work for everybody. I already worked that angle, but laziness takes precedence every time.
weirdest thing I ever saw: scientology advertising on slashdot.
If you don't have authority over people, you can just lock the children down. That's annoying when people have work to do, but IT won't let anything happen.
My favorite point in the article was "Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles."
The IT in my shop refuses to let devs install programs (any programs) because the whole network is a production system. It can take weeks to get an SDK installed, because some IT admin has to get around to installing it. Could the devs get a dev network? Nah, it's easier to keep them working with access to the production network - which needs to be locked down because it is mission critical ... bastards.