Channel: Security Incite: Analysis on Information Security - Penetration Testing

2008 DOI: Day 10 - Hack Thyself

2008 Incite: Hack Thyself
Given that there is no panacea on the horizon, security professionals start to understand the concept of risk management, as opposed to throwing money down the security toilet on the latest, shiniest widget. Security organizations must start to put a premium on prioritizing activities, based upon what’s important to the business, as well as what is really exploitable in their environment. The only way to figure out the latter is through a new function called “security assurance,” which focuses on breaking stuff (networks, systems and applications) before the bad guys do.

I have gotten a total of zero calls this year telling me that management has doubled their security budget and is hiring a full staff in 2008. That doesn’t mean it doesn’t happen, but it’s about as likely as you hitting the lottery. 2008 will be like every other year I can remember. Security professionals will be forced to continue doing more with less and staying strong in the face of innovative attacks.

We all have a long list. None of us can get through the list daily. And once you cross one thing off, it seems two new ones appear. As I mentioned in the 2007 Incite on CSO Next, the ability to prioritize may be the most important skill for practitioners. The first step in that is to understand what is important. That’s Step 1 in the Pragmatic CSO.

I call this prioritization, but you could also make a case that this is what risk management is about. You decide what to do based upon the risk it presents or mitigates for the organization. Easier said than done, of course – but it needs to be done.

Yet, there is another aspect of the prioritization process that is starting to come into vogue and that’s what I call “security assurance.” A lot of folks have a lot of different opinions about what security assurance means, but to me it’s about making sure your defenses are up to snuff. The only way to do that is testing. Basically hacking your defenses, before the bad guys do.

Big companies should have their own assurance team, whose sole responsibility is to break things. They need to work fast, they need to be candid, and they need to kill the sacred cows. You (as the security guy/gal) want them to find all sorts of stuff. Remember, it’s a race and the bad guys are searching for successful attack vectors at all times.

If you aren’t a big company, then hire someone periodically to provide this type of testing. You want them to penetrate your defenses and show you the paths of least resistance. Small company practitioners should also invest some time and become familiar with the automated pen testing tools (Metasploit, Core Impact, Canvas, etc.). You should use these tools as often as you can. You will find stuff, and then you’ll know what to fix first. You aren’t going to be able to stop a determined, skilled hacker, but you can make it harder for a script kiddie using some tools he/she downloaded from a hacker site.

I'm also a big fan of social engineering your own employees. Of course you shouldn't keep any money you manage to collect, but everyone deserves an annual trip to Morton's, no? In all seriousness, if you believe Roger Grimes’ contention (thanks to Shostack for reminding me of that) that 86% of the Windows vulnerabilities required the user to do something, that means it’s a type of social engineering. The bad guys will be social engineering your employees, count on it. You should too.

Lastly I want to draw a distinction between vulnerability and exploit. Vulnerabilities show a theoretical attack path. But you may have other defenses that don’t allow the vulnerability to be exploited. A lot of companies spend a lot of time and a lot of money to fix vulnerabilities that cannot be exploited, which of course is a waste of time and does not help us prioritize on the most important stuff.

An exploit is just what it says. It’s a real attack, in the wild, which can be used to 0wn your networks, systems and applications. This is live ammo, folks. Obviously you don’t want to shoot your foot off. But you need to know what can be exploited because that’s the only way you can figure out what to fix first.

And given the amount of stuff on your plate, you need to know what to fix first.

Photo credit: rollerboogie
