Hacking ebook securityde engineering

As hacker organizations surpass drug cartels in terms of revenue generation, it is clear that the good guys are doing something wrong in information security. Providing a simple foundational remedy for our security ills, Security De-Engineering: Solving the Problems in Information Risk Management is a definitive guide to the current problems impacting corporate information risk management. It explains what the problems are, how and why they have manifested, and outlines powerful solutions.

• Outlines six detrimental security changes that have occurred in the past decade
• Examines automated vulnerability scanners and rationalizes the differences between their perceived and actual value
• Considers security products—including intrusion detection, security incident event management, and identity management

The book provides a rare glimpse at the untold stories of what goes on behind the closed doors of private corporations. It details the tools and products that are used, typical behavioral traits, and the two types of security experts that have existed since the mid-nineties—the hackers and the consultants that came later. Answering some of the most pressing questions about network penetration testing and cloud computing security, this book provides you with the understanding and tools needed to tackle today’s risk management issues as well as those on the horizon.

Ian Tibble delves into more than a decade of experience working with close to 100 different Fortune 500s and multinationals to explain how a gradual erosion of skills has placed corporate information assets on a disastrous collision course with automated malware attacks and manual intrusions. Presenting a complete journal of hacking feats and how corporate networks can be compromised, the book covers the most critical aspects of corporate risk information risk management.

Security De-Engineering: Solving the Problems in Information Risk Management
Ian Tibble
Information Technology / IT Management
ISBN: 978-1-4398-6834-8
www.crcpress.com
www.auerbach-publications.com

CRC Press, Taylor & Francis Group, 6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

© 2012 by Taylor & Francis Group, LLC. CRC Press is an imprint of Taylor & Francis Group, an Informa business. No claim to original U.S. Government works. Version Date: 20110815. International Standard Book Number-13: 978-1-4398-6835-5 (eBook - PDF)

This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, please access www.copyright.com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For
organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged.

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe.

Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

Contents

Preface
Acknowledgments
Introduction
Author

Section: People and Blame

Chapter: Whom Do You Blame?
  The Buck Stops at the Top?
  Managers and Their Loyal Secretaries
  Information Security Spending—Driving Factors in the Wild
  Do Top-Level Managers Care about Information Security?
  Ignoring the Signs
  Summary

Chapter: The Hackers
  Hat Colors and Ethics
  “Hacker” Defined
  Zen and the Art of Remote Assessment
  The Hacker through the Looking Glass
  Communication, Hyper-Casual Fridays, and “Maturity”
  Hacker Cries Wolf
  Unmuzzled Hackers and Facebook
  Summary

Chapter: Checklists and Standards Evangelists
  Platform Security in HELL
  CASE Survival Guidelines
  CASEs and Network Security
  Security Teams and Incident Investigation
  Vulnerability/Malware Announcements
  This Land Is Our Land
  Common CASE Assertions
  Summary

Section: The De-Engineering of Security

Chapter: How Security Changed Post 2000
  Migrating South: Osmosis of Analysis Functions to Operations Teams
  The Rise of the Automated Vulnerability Scanner
  The Rise of the Checklist
  Incident Response and Management—According to Best Practices
  “Best Practices” in Security Service Provision
  Tip of the Iceberg—Audit-Driven Security Strategy
  Summary

Chapter: Automated Vulnerability Scanners
  Law of Diminishing Enthusiasm
  False Positive Testing Revelations
  The Great Autoscanning Lottery
  Judgment Day
  Automation and Web Application Vulnerability Assessment
  Web Application Security Source Code Testing
  Summary

Chapter: The Eternal Yawn: Careers in Information Security
  Information Security and Strange Attractors
  Specialization in Security
  The Instant Manager
  The Technical Track
  Summary

Chapter: Penetration Testing—Old and New
  Testing Restrictions
  Restriction 1: Source IP Address
  Restriction 2: Testing IP Address Range(s)
  Restriction 3: Exploits Testing
  Penetration Testing—The Bigger Picture
  Summary

Chapter: The Love of Clouds and Incidents—The Vain Search for Validation
  Love of Incidents
  The Love of Clouds
  Summary

Section: Security Products

Chapter: Intrusion Detection
  Tuning/Initial Costs
  Belt and Suspenders?
  NIDS and Denial of Service
  Hidden Costs
  Return on Investment
  Network Intrusion Prevention Systems
  Summary
  A Final Note

Chapter 10: Other Products
  Identity Management
  Security Information Event Management Solutions
  Summary

Section: The Re-Engineering of Security

Chapter 11: One Professional Accreditation Program to Bind Them All
  C-Levels Do Not Trust Us
  Infosec Vocational Classifications
  Requirements of an Infosec Manager
  The Requirements of a Security Analyst
  Regaining the Trust: A Theoretical Infosec Accreditation Structure
  Summary

Index

Preface

Security de-engineering is for anyone with an interest in security, but the focus is on the aspects of security that matter to businesses and how businesses do security. It is clear that the good guys have been doing something wrong in security. There are increasing levels of fear and insecurity in the world as a result of almost daily news headlines relating to new acts of skullduggery
by financially motivated bad guys. Large-scale incidents now regularly make headline news even in financial publications—this is because the bottom line is now being impacted. Smaller-scale malware attacks gnaw at corporate balance sheets and lead to identity theft. These attacks have led to botnetz-r-us criminal gangs surpassing drug cartels in terms of revenue generation. One can be led to think the world is falling apart with so many credit card fraud horror stories and so on. But are we getting closer to a solution for corporate security? Not really, because we have not yet identified the problems.

There is no secret that the security world and its customers are in something of a quagmire. All large organizations of more than 10,000 nodes will have been the victims of advanced persistent threat (APT) in some form or another. Indeed, most of them are already “owned.” In Security De-Engineering, I give a simple foundational remedy for our security ills, but in order to give a prescription, one must first

One Professional Accreditation Program

Certified System Engineer (MCSE) certification. Likewise with Unix, IBM issues an AIX certification, and other vendors such as Redhat have their own programs. Cisco has a modular program of certification that is quite complex (there are five levels with seven different paths). The subject is a little too detailed to cover here, but the content of the study courses for the aforementioned accreditations is not enough for an effective information risk management program. I mentioned in Chapter about differences between operational and security skills, and some of the missing content can be gleaned from there.

Almost all of the vendor administration courses have a security element. Microsoft has some security content in their accreditation paths, and Cisco has first Cisco Certified Network Associate (CCNA) Security and then Cisco Certified Security Professional (CCSP). I am unfamiliar with the Cisco security
accreditations. But from what I have seen of vendor courses in general, they do not cover areas such as attack vectors or local privilege escalation. There is no emphasis on how attacks are manifested, so the holder of these accreditations will not be necessarily aware of threats, or for want of a better phrase, “how stuff is owned.” With the security offerings from other vendors, they tend to go overboard while missing the salient security points that actually should matter to businesses. Really it is enough to cover the IT administration skills and leave the security offering as file system permissions and so on.

Taking Cisco accreditation as an example, I do not believe there is enough security coverage of areas such as network architecture/data flows, IDS, or firewall configuration. I mean the points covered do not relate to actual real-world threats. So can network administrators jump straight into a security analyst role just because they have the Cisco security certifications? How about Microsoft administrators? They have covered NTFS file system permissions and other areas such as Kerberos and Active Directory security; is this enough for entry-level security analysis?

I believe there has to be some sort of general security accreditation program that consists of precisely one exam for which one certificate is awarded in the event of a pass. Effective security analysts are a different kind of beast from IT administrators. They need to be able to put themselves in the mind of an attacker, and I believe there is a common, shared body of know-how that bridges all popular technologies in use by organizations, and also one that all security analysts should find familiar.

I do not think the path to security analyst from IT admin should be one of, for example, MCSE and then some advanced Microsoft-only security certification. Why?
It is because the candidate security analyst has already proved his or her worth as a Microsoft person with his or her career track record to date. There are some areas of Microsoft security that need to be covered on top of what a 5-year Microsoft veteran will know from his or her professional lives; but there is no real justification for a dedicated Microsoft security accreditation program as a prerequisite for entry as a security analyst.

What I think would be a useful approach to security certification would be something like a penetration testing accreditation, but it is not called penetration testing. The idea is something like penetration testing, in other words, a field of knowledge that covers all popular technologies to a level that demonstrates competence and previous exposure to the technology. Additionally, areas such as basic Web application testing, attack vectors and exploits should be covered. I again need to apologize because to go into detail in discussing this subject is a book in itself; clearly I cannot jot down the details of the course material in this book alone, but to some extent, it may be necessary to do this in order to explain my points.

What I think we need to test is candidates’ ability to be flexible and their ability to solve puzzles (this is effectively what attackers are doing when they are gaining unauthorized access and writing malware), and also we need to test their enthusiasm for IT. So a Unix administrator needs to show some interest in something other than Unix. Unix folks usually have some deep-seated revulsion for Microsoft Windows, but this does not really work if they want to be security analysts. The Unix administrator would need to show some good knowledge of Windows, Cisco, Oracle, Microsoft SQL Server, firewalls, IDS, mail servers, and a few others in order to pass the security entrance exam. There should also be some sort of programming challenge, although which programming language is tested is not so important. All this
sounds difficult? Well, this is security unfortunately. We need security analyst candidates to show the kind of enthusiasm and raw talent that is needed for the role, and a good way to do this is to set a multidimensional exam such as what I just described.

With regard to becoming an accredited security analyst, I do not believe it is so much about the technical content of the exam study material. Being an effective security analyst is not so much about being a brilliant penetration tester or a reverse engineering guru; it is about the attitude. This also does not mean that all security analysts have to be Hackers, but they have to have some real enthusiasm for IT and an ability to learn fast and be flexible. People who have such abilities do not necessarily need to be a Microsoft SQL Server guru before they perform a risk assessment on an SQL Server database; if they know how an attacker thinks, this is enough because the base security knowledge will be easily acquired for this particular product, and also if an organization has Microsoft SQL Server deployed in production, then there should also be a Microsoft SQL Server security policy somewhere. If this document was thoughtfully and conscientiously drawn up with peer review, in itself it will be a very useful Microsoft SQL Server security guide.

Security is a wide and deep subject. The focus should not be on specific products because there are too many of them, and there are always new ones, but then there are products that every company has such as Windows or Unix; the exam can test the candidate’s knowledge in these areas, but it is not important that the candidate has very deep Unix and Windows experience. There are some bases that need to be covered (by the security department as a whole) that include operating system knowledge, databases, network gear and so on as I mentioned before but it is not the case that a candidate has to be a very senior Windows admin,
plus also a very senior Unix admin and so on.

I discussed these points with people in the U.K. and Australia before, and what usually comes out, after some initial reservations (the unwritten rule in most big firms is that you stick to one Operating System or Oracle or Informix or DB2 and you cannot deviate from this), was enthusiasm for the idea. There are plenty of people out there in IT jobs who love IT. Maybe their work environment gets them down, but they got into IT vocationally because they studied computer science as a higher education subject; there was some enthusiasm for IT in the beginning of their careers. I doubt there would be a shortage of people knocking on the security door.

What about more advanced security accreditations? It depends if the subject area deserves it. I would think application security is an area that would require a further “module” to be gained. Penetration testing would be another such area. With other fields of security, it could be enough to get people channeled in as Security Analysts and let them find their way, as long as they have a good aptitude for learning (which they will have proved in their security entrance exam); they do not need to have passed an exam in incident response, for example.

So then what will be the makeup of the security team?
If the company has a lot of Unix boxes, then ideally at least one Security Analyst will have come into the team from a previous life as a Unix administrator. If there are a lot of Oracle instances in production, then the ideal person is one who was working as an Oracle DBA in the firm. Security managers can make their own call on this, and it depends on the proportion of databases. It is not the case that a company that has an estate of 80% Oracle and 20% MySQL needs two security analysts: one from an Oracle DBA background and another from a MySQL DBA background; the Oracle expert can also handle MySQL security. If it is the other way around, then clearly the security manager should be looking for an ex-MySQL DBA. It is hard to be specific on the numbers as it depends on the size of the organization, and of course multinationals have geographical variables in the equation. Most firms will have a need for an application security guru, but if they do not have in-house accredited personnel, they need to outsource this work to a service provider that does have accredited personnel.

The quality of the accreditation program depends on the quality of the board that makes up the questions, but if the examination contents are technically biased, there is less room for nonspecific, airy-fairy content. With certification programs such as CISSP, CISA, and so on, there is almost an entirely different language used for each. Different terms and phrases are used to describe the same underlying principle. These accreditation programs are high-level, low detailed programs that are more suitable for managers, and they are radically different from each other. But with analyst exams, there is a real need for the content to be technical, and although there could be some disagreements over the exact content, at least there is no room for misinterpretation and invention of new terms. Many of the questions will be vendor-specific, and
therefore vendor terminology and ideas will be used.

The security manager position is one that ties itself with management-level accreditations and these I have already discussed. The CISSP and CISA type of exam is more appropriate for managers, but then with CISSP in particular, there is a lot of material that would need to be weeded out. The British Computer Society ISEB Certificate in Information Security Management Principles (CISMP) is a good course for managers, and no, I have not been sponsored to make this comment. I speak from my own experience of having taken the exam.

So overall, I believe the following path would be appropriate for the industry: security analysts are IT professionals who enter the field after a minimum of five years or so of vocational work in some other IT department, preferably from the same company (to facilitate the relationship with their previous department—this is especially important for security departments). They should also have gained a professional accreditation particular to their role such as MCSE. Before entering into their new life as security analysts, they need to have gained security accreditation. This accreditation currently does not exist. It needs to be invented with input from ground-level technical experts in the field, with some rationalization by reputable senior folks. I have given some ideas as the content of the syllabus for this exam.

The security team is made up of security analysts who have “core” expertise areas related to their previous position in the company. Take the following as an example: a company has around 1000 nodes (roughly a medium-sized firm) of predominantly Linux operating systems. They have MySQL databases in production, Lotus Notes for internal communication/collaboration, and so on. The network is not surprisingly made of mostly Cisco gear. So the security team in this case could be made of at least four security analysts who came into the team from each of the four areas I just mentioned; but that
does not mean that in their security roles they are dedicated “Linux security analysts,” “MySQL security analysts,” and so on. There will be one security architect probably, plus of course the security manager. Security managers and architects “graduate” from having been security analysts for at least five years, and they must have gained accreditation in security management.

So with all this, many readers will be thinking along the lines “there are hundreds of accreditations out there, what is so special about this one that makes it the one certification program to bind them all?” This is a good question. I do not know what the history behind the U.K. acceptance of the Chartered Engineer accreditation is, and even if I did, I would not bore the reader with it; but I suspect that in this story, there are similarities with the way that security will eventually go. I guess, overall, I cannot say for sure that if a security program of the genre I am describing in this chapter is adopted that it would be widely and universally accepted—it could perhaps need some sort of government or big four auditor impetus if this is to happen; but I would not rule out the potential for humans to “know the right thing when they see it, and then do the right thing.”

It is basic intuition that tells us that security is an information technology discipline. If an accreditation program comes along that puts security pros in touch with the security aspects of core technologies, then it is not so obvious that the idea would not go viral. There could be different programs in different countries, but just as with civil engineering, the same basic structure is adopted, pretty much because it just makes sense. It starts with one company recruiting people for security out of IT operations and so on, and if the idea works, it will build momentum, but it takes an open mind to take the first steps.

Thus far, CISSP has been the most widely accepted accreditation to date, and over
the past five or six years, there have been a growing number of CISSP program critics. Certainly these days, whenever you come across forums that talk about CISSP, there are more folks in the “nay” camp as compared to the “aye” camp. But also, is there any alternative? The others have not been adopted because they carry a more or equally negative perception with the masses. This has nothing to do with exam costs or other cosmetic features. At the end of it all, the thing that matters is the syllabus. What is the knowledge base that is under examination and what does it really mean (through the smoke and mirrors) to be certified under that particular examination program? The private-owned organizations that spawn these accreditation programs can use whatever marketing techniques they want to create an image of “professionalism” or “ethics” in the eyes of prospective exam-takers and employers, but in the end, although it can take a few years, the real value of the credential will become apparent.

Finally in this chapter, there is the matter of finances and the whole business case for changes in security personnel. Not surprisingly, there is no case study out there somewhere to show cost benefits, but one thing is for sure, this proposed model for the reengineering of security departments will absolutely not lead to massively higher costs, and would in all likelihood lead to significantly lower costs. Security departments these days make huge investments in areas like SIEM and IDS that require not only six-figure sums to get up and running but also for “operations security” staff to monitor and fine-tune the systems. Qualified security analysts that are able to perform technical analysis and product evaluation are in a position to give a tech pros versus cons argument to the security manager who can then weigh the business case. In most cases, these product acquisitions will never have happened had the analysis been
carried out with the appropriate tech and business case/return on investment input. In fact, in such a futuristic model, the security products space would change beyond recognition.

The general security strategy premise of bare compliance I described in Chapter is one that would change quite radically. No longer would the firm just acquire products as short cuts to meeting regulatory requirements, for example, the organization buys a six-digit SIEM system because an auditor tells them they need network logging. Now, with the new makeover of the security team, there would be an on-going cost for the security team (which is composed of just the soft and hard costs for any employee), and compliance would occur almost transparently with “business as usual” costs. There would no longer be the annual scramble to meet audit requirements, whereby the business spends in a reactionary way to pass the audit. Under this new model, businesses have seamless compliance, plus they also get some return on investment in the way of reducing risk down to business-acceptable levels.

Overall, when things are done right, they are done cheaper. Security managers no longer need to tie up their team members because they have more independence in the way of being able to answer more questions themselves, do presentations and reports without tech support, and so on. Revenue-generating business processes are no longer shut down because of security regulations where the actual risk did not justify such an action. In terms of head counts in security, intuition tells us that if we increase the levels of intellectual capital and skills held by security analysts, then we need fewer of them to achieve the same goals in information risk management.

Summary

In this chapter, I have laid out how I think the information security world can get back in touch with the information. I have lamented greatly in this book about how a loss of tech skills in security has led us down the dark
alley in which we now find ourselves. Basically I think the ground levels of security, as in security analysts, need to first get skilled up and then be able to use those skills to gain visibility in areas such as policy compliance, for example. When I say “visibility,” of course I mean visibility of data, configurations, networks, firewalls, and applications.

Many of the problems have resulted from security detaching itself (and being detached) from the rest of the company, and in particular, IT operations. The keys to all information resources are currently held by departments other than security because of a lack of IT skills. Which operations manager in their right mind would hand a root password to a security analyst who has never even logged into a Unix computer before? But what if security analysts were once themselves IT operations staff? Then they could all speak the same language and understand each other’s requirements. If security analysts are to help bring the organization’s risk profile down to an acceptable level based on business risk, then it helps a great deal if they first have IT skills themselves (as I mentioned in Chapter 4, there is a big difference between the required security skills and IT operational skills), and then they have full unadulterated access to information assets and applications.

In summary, I would like to see a very simple accreditation structure in security that consists of precisely two levels of accreditation, and also I would like to see precisely two or three security positions/titles as a maximum: Security Analyst and Security Manager. Potentially there could also be such an animal as a Security Architect. There are so many certifications out there from start-up private ventures, and who is to say which one is the best?
There are also so many position titles. It does not help to create self-proclaimed position titles such as “subject matter expert” because the reputation of the industry is so low, and this business of creating new titles for self-promotion reasons has grown thin: people see through it now. Self-proclaimed “evangelists” are less likely than ever to have any advantage over plain old security analysts.

The idea with accreditation is to put the security world back in touch with ground-level IT operations and other IT departments. So this means that the only path to security should be from other IT departments. An IT operations member with five years of experience and a vendor certificate such as MCSE can get training to study for a generic security exam. The security exam tests knowledge to at least a basic level in all popular technologies such as Windows, Cisco, firewalls, Web application security, penetration testing, and databases (SQL), and there has to be some sort of programming test.

What we need in security are enthusiastic IT people who are also flexible. The content of the test is designed not so much as a test of IT knowledge but rather a test of flexibility and enthusiasm; but it is still in touch with the reality of technologies that are likely to be found in most large organizations. A candidate who does not see an issue with covering several different operating systems (other than their usual comfort zone operating system) is a flexible and enthusiastic candidate. The focus on products and specific technologies is not so important because there are new ones popping up regularly; we cannot keep up if we want to test employees on every technology known to man. Scripting rather than programming is an important skill for Security Analysts; moreover, if the candidates have got into coding at some point in their careers, it is a good sign of enthusiasm.

The security manager’s role is to know the business and security management principles, and he or she should be able
to wield the security analysts as a weapon to be unleashed at strategic points in the information risk management cycle. As a team, they create the cycle and then maintain it into the future. The structure that is followed can be that of the firm’s baseline security standard, which in turn is based on ISO 27001. What we have today is a security department full of security managers who specialize in security standards, whereas really there should only be one such person, even for a largish-sized company.

The security manager has been the part of the puzzle that was always missing from security. The security analyst skills were present in the 1990s (the Hackers), but what was missing was the IO interface between the security analysts and the rest of the organization, sort of the artists’ agent who sells their artist’s work and speaks to customers on their behalf. You need a security manager who both understands their team and can talk at the same level as the security analysts, but also understands the needs of businesses. Security managers must have “graduated” from a security analyst role, and they must have been in that role for at least five years. To become security managers, they need to have passed a security management principles exam, not unlike the British Computer Society ISEB CISMP exam. I have no vested interest in the BCS—I am not being sponsored.

If I go back through all of the problems laid out in this book thus far, I can relate all of them at least partially to a lack of any decent level of proof of knowledge/experience on behalf of security professionals. In Chapter 4, I commented on migration of security functions to operations teams. With appropriate prerequisites for entry into life as a security analyst, there would never be any need or intention to move security functions away from the security team.

Chapter also discussed autoscanners. Use of autoscanners created a void of technical knowledge that spread through the
industry in the early 2000s. With verifiable (by accreditation) and appropriate levels of knowledge in security, there would be acute awareness of the shortcomings of an automated-only approach to vulnerability assessment.

With regard to checklists, they are still going to exist of course. They serve a purpose. Personally, when I am engaged on security assessments of infrastructure, I do not trust myself to remember everything I am supposed to check, and this is why I will use a checklist. It is just that with propagation of certified IT and then security skills, the checklist will not be followed minus application of thought. Security analysts, as the name suggests, are supposed to analyze things, not parrot-fashion deliver security services with checklists and “best practices.”

How about the “audit-driven security strategy” as I covered in Chapter 4? Again, with the population of suitable skills in analysis and management, organizations will move away from this approach slowly over a few years. There will still be audit and regulatory compliance requirements for a long time to come, but it will no longer be the case that the security strategy is geared up to just about creep over the line in barely passing the audit. However, once regulators realize how bad their audit quality has been all these years, the audits may well start getting more rigorous and detailed, also covering more real estate. Does a move away from an audit-driven security strategy mean that firms will be spending more for security?
I cover this aspect in greater detail at the end of this section.

As I covered in Chapter 8, the security industry yearns for IT innovations such as “cloud” in order to find new ways to be appreciated. In the future, the accreditation structure of security will be sufficient for security professionals. There will be no more creation of virtual banks of intellectual capital that lead firms to spend more on specific expertise and products where they are not needed. Chartered Engineers in civil engineering do not cry out for the world to respect them. Why? Because they are Chartered Engineers, that’s why.

Likewise, there will be no more talk of incident databases in connection with proof of a security threat. There could be incident databases, but the information in the databases will not be used to support decision making or decision breaking. With proper accreditation and skills in security, Security analysts and managers will be able to plant their feet in the ground, look the decision maker in the eye, and confidently give their message—and the message will be received and understood. What happens after that is up to the decision maker, but we in security will have given a correct, verifiable, confident message, and if people choose not to listen to us, we have done our bit. However, I would not mind betting that they will listen to us.

With the adoption of correct skills through the chain of analyst to manager in security, the perception of management will be that security is an IT department; it is part of IT, except it does not carry so much overhead. Security will carry the image of offering genuine value because it is more “in touch” with the business as compared with other IT departments. This has always been the intention with security, but thus far, so little of the potential of security has been realized. So far, security has always been a radically too much or radically too little show. Either security backs off from projects and the
holes are discovered later, or security blocks innovation that can save money or generate revenue. Striking the balance is a qualitative process, and it is impossible to find the correct balance point of costs versus risks; but to date, so many decisions have been horribly out of whack because there has been little or no technical risk assessment, apart from the use of automated tools that do not work.

There is a doubt that many will have about the futuristic security accreditation program I have described in this chapter. What is the unifying factor here? What will lead the security industry to adopt this scheme? Well, I would not rule out the capacity of humans to do the right thing, and intuitively people know that information security is an IT discipline predominantly. CISSP has been the biggest security certification known to man thus far, but more and more people are questioning the relevance of the CISSP syllabus to everyday ground-level security requirements. Currently there are no real alternatives to CISSP. There are many similar types of accreditation programs that are higher-level management type of shows. Currently there are no certs that come even close to meeting the needs of the industry, at least not at a security analyst level. So who knows? Perhaps it could take a while, but there could be a domino effect of firms using a “security graduation scheme” such as the one I have suggested in this chapter.

And what of costs? How will the proposed revamping of security skills affect the bottom line of business costs?
Well, one thing is for sure: the costs would not be significantly higher. The industry currently has several ways in which it hemorrhages cash with security—most notably in product acquisitions that not only have huge initial integration costs but also require head count to be brought in for monitoring and fine-tuning. Where proper analysis is conducted with product evaluations and managers have access to accurate tech diagnosis, they are in a position to make the right call on products based on return on investment. Many of the huge product acquisitions going on in firms today would never happen under this scheme, and some product families would perhaps cease to exist. The overall market for products would shrink a great deal.

Generally when you have more highly skilled Analysts and Managers, there is the simple fact that fewer people are required to perform the same function. At the moment, especially in markets such as the U.K., there are issues with overspecialization where you have security staff who specialize in one small part of a large task, whereas with skilled Security Analysts, the whole task can be performed with one head count and very often in a shorter time frame (because they can “just get on with it”). The thing is the security analysts out there today may be lacking in skills, but their salaries are usually consistent with national average IT salaries. So what do you choose, a team of five analysts to perform a task who get paid US$6000 per month each, or a skilled analyst who can do it all by himself or herself, certainly not five times slower (the efficiency through teamwork thing is a myth; in practice, it does not work in most offices), with the same salary?
Especially in the case of security managers, there will be economic benefits. Their increased efficiency and interdependence lead to benefits across the whole team mainly because they do not need help to do things like write reports and deliver presentations. There will be fewer questions asked and less use of team resources, which enables the whole team to focus on their own jobs.

The other cost-saving area is that of compliance. Currently organizations base their entire security strategy on crawling over the line and just about meeting audit requirements. So what happens is every year, there will be reactive spending to get through the audit, and employees are scrambling around trying to meet their audit obligations. This audit-driven security strategy (as I also explained in Chapter 4) leads to major disruption for all IT departments. Organizations will often buy products as a short cut to meet some critical audit point (such as SIEM to meet the network logging requirement).

With the deployment of appropriate analyst and manager skills, compliance will be seamless. There will be no annual scrambling around, putting everything else on hold. The security team can focus on security rather than just focusing on passing the audit (they are not the same thing). So effectively the company is spending to pass the audit, but the costs are the usual on-going costs. The money that goes into passing the audit can finally be used to pass the audit and, as a bonus, buy security also!
Security De-Engineering: Solving the Problems in Information Risk Management. Ian Tibble. ISBN: 978-1-4398-6834-8. www.crcpress.com, www.auerbach-publications.com

... Government works. Version Date: 20110815. International Standard Book Number-13: 978-1-4398-6835-5 (eBook - PDF). This book contains information obtained from authentic and highly regarded sources...

Preface: Security de-engineering is for anyone with an interest in security, but the focus is on the aspects of security

Date posted: 29/10/2019, 14:20

Table of contents

  • Front Cover
  • Contents
  • Preface
  • Acknowledgments
  • Introduction
  • Author
  • Section 1: People and Blame
    • Chapter 1: Whom Do You Blame?
    • Chapter 2: The Hackers
    • Chapter 3: Checklists and Standards Evangelists
  • Section 2: The De-Engineering of Security
    • Chapter 4: How Security Changed Post 2000
    • Chapter 5: Automated Vulnerability Scanners
    • Chapter 6: The Eternal Yawn: Careers in Information Security
    • Chapter 7: Penetration Testing—Old and New
    • Chapter 8: The Love of Clouds and Incidents—The Vain Search for Validation
  • Section 3: Security Products
    • Chapter 9: Intrusion Detection
    • Chapter 10: Other Products
  • Section 4: The Re-Engineering of Security
    • Chapter 11: One Professional Accreditation Program to Bind Them All
