I haven’t said anything about Lulzsec publicly yet and I don’t really have a good reason for the lack of comment. I have been watching their activities with great amusement. On Saturday I saw they released a large list of router IP addresses along with the usernames and passwords. The passwords looked like they were set to default values. This actually made me laugh out loud and I had two thoughts. First and foremost, how was this allowed to happen if you are doing regular security checks? The second thought is who will take the blame for this at the offending company?
First off, I've heard a lot of people say that Lulzsec did security a favor by really showing the need for security. I disagree completely. I think Lulzsec has shown how ineffective the security community and marketplace really are. These were not mom and pop targets that got hit; instead they were several mega corporations that spend more money on security than most people will make in a lifetime. The spending did not stop the compromise and posting of their sensitive data, so what good is it?
Putting your security in the hands of tools will fail you every time.
A tool is a device that helps you accomplish a goal, not a magic device that will accomplish the goal by itself. A hammer does not build a house for a carpenter, nor will a vuln scanner make a network secure.
How did all those routers end up with easy-to-guess user names and passwords without anybody in the company noticing? I have no inside knowledge but I can take an educated guess: the belief that security tools will work and that security policies will be followed. I am sure somebody somewhere is explaining to their boss that the security policy was followed to the letter, vulnerability scans were completed regularly, and these were not detected. As a pentester I run into tests all the time that are supposed to be a “gloves off, no limits test” and the first thing I am handed is a list of systems that are off limits. So although the networks may have been scanned, maybe the routers were considered “mission critical” with no attack surface and were excluded from vulnerability testing.
Tools like vuln scanners, IPSes, and WAFs will fail you when you need them most. I spend most of my time looking at how to get attacks past security tools and it is pretty easy. I try to explain that to clients, but often tools are easier to find than good people, so they go with tools.
If you exclude anything from vulnerability testing you will fail.
I know that there are some systems that really are important and it will be an operating problem if they go down. Ask yourself this: if that is true, why aren’t these systems the targets of more testing so you can find the cause of your faults and not a hacker group? Anybody who thinks that Lulzsec or any other hacker will respect your no-scan list is crazy.
As a former network admin I know that complex networks are actually a hodgepodge of crossed fingers and jury-rigging to get them to work. Once these Frankenstein networks are working nobody wants to touch them for fear of breaking something that may take until the wee hours of the night to fix. This is no excuse for keeping some systems off limits for testing.
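The scan-exclusion problem above is easy to make visible: compare the asset inventory against what the scan jobs actually cover once the exclusion list is applied. The script below is an added example (not the author's tooling, and not tied to any particular scanner); the inventory, scan jobs and exclusion ranges are constructed sample data, and the job format is a hypothetical one chosen for the illustration. It reports every asset that no job ever tests and says whether that is because it was explicitly excluded or because it was never in scope at all.

```python
import ipaddress

# Constructed sample inventory (hypothetical): every host the organization
# knows about, keyed by IP address.
ASSET_INVENTORY = {
    "10.0.0.1": "core-router-1",
    "10.0.0.2": "core-router-2",
    "10.0.1.10": "web-1",
    "10.0.1.11": "web-2",
    "10.0.2.5": "db-1",
    "172.16.0.9": "vpn-gw",          # never added to any scan definition
    "192.168.50.4": "branch-router",
}

# Constructed scan jobs (hypothetical format): target ranges plus the
# "mission critical, do not scan" exclusion list handed to the tester.
SCAN_JOBS = [
    {"name": "monthly-internal",
     "targets": ["10.0.0.0/16"],
     "exclude": ["10.0.0.0/24", "10.0.2.5/32"]},   # routers and the DB skipped
    {"name": "quarterly-branch",
     "targets": ["192.168.50.0/24"],
     "exclude": []},
]


def _networks(cidrs):
    """Parse CIDR strings; strict=False tolerates host bits in the prefix."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_targets(job, ip):
    """True if the address falls inside any of the job's target ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(job["targets"]))


def covered_by(job, ip):
    """True only if the job targets the address AND does not exclude it."""
    addr = ipaddress.ip_address(ip)
    excluded = any(addr in net for net in _networks(job["exclude"]))
    return in_targets(job, ip) and not excluded


def coverage_report(inventory, jobs):
    """Map each asset IP to (hostname, [names of jobs that actually test it])."""
    return {
        ip: (name, [job["name"] for job in jobs if covered_by(job, ip)])
        for ip, name in inventory.items()
    }


def never_scanned(inventory, jobs):
    """Sorted list of asset IPs that no job tests after exclusions are applied."""
    report = coverage_report(inventory, jobs)
    return sorted(ip for ip, (_, job_names) in report.items() if not job_names)


def gap_reasons(inventory, jobs):
    """For each unscanned asset, distinguish an explicit exclusion from a
    host that was simply never put in scope."""
    reasons = {}
    for ip in never_scanned(inventory, jobs):
        targeted = any(in_targets(job, ip) for job in jobs)
        reasons[ip] = "excluded" if targeted else "out of scope"
    return reasons


if __name__ == "__main__":
    for ip, reason in gap_reasons(ASSET_INVENTORY, SCAN_JOBS).items():
        print(f"{ip:<14} {ASSET_INVENTORY[ip]:<14} never tested: {reason}")
```

Run against the constructed data, the report lists both core routers and the database as "excluded" and the VPN gateway as "out of scope", which is exactly the list of systems a determined attacker will find first. Feeding it a real inventory and real scanner scope files is a matter of replacing the two constants.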
The second thought is who to blame. In reality I think everyone in security is to blame. I include myself in this. We don’t really prepare customers for real world risks and often focus on things that sell, like compliance. Having worked for and with a lot of security product companies, I have observed the compromise of a security product’s ability to protect in the name of customer requests more times than I can count. We in security cater more to check writers than we do to actual security. Normally the check writers don’t want security; they want a check box filled that will have the minimal impact on operations.
Security is the first business I have seen where the customer is not always right.
I will admit I have changed testing strategies to appease customers. The wide-eyed “you are gonna do what?!?!” response to a test plan has made me worried about losing a client, so although I will ruffle my feathers and puff out my chest on the importance of the testing, in most cases I will acquiesce to please the client. This is my fault and I should not do it.
Setting client expectations…for real.
I have not seen a company that is actually secure. It doesn’t matter if the threat is simple password guessing or holding a Glock 21 to the head of your network admin, I can get access. Often security testing is used to verify security to a certain point, a point of tradeoffs for the company between cost, security, and feasibility of attack. While the Glock approach may not be as feasible as other attacks, it will work every time. At this point you should not be judging the feasibility of the attack but instead the determination of the attacker. As a company, ask if you really have something worth stealing and, if so, what lengths somebody would go to in order to steal it.
This might not be the best example but it is the first anecdote I thought of while writing this post:
I once did a pentest for a company that had a WEP encrypted wifi network. The network manager wanted to spend his budget on things other than security, so it was never upgraded. The reason: we have guys with guns at the gates, so no one can really get within range of our network to attack it. In my plan to the executives I mentioned two possibilities to carry out the “no holds barred” testing. One idea was skydiving into the facility with my computer; the other was just having a helicopter circle close by. The executives immediately said no for various reasons. They were later forced to admit that either idea would work. Now if I had been a real attacker I would not have cleared my plans with them first, and I would have been able to compromise their network and do dirty deeds ranging from theft of IP to maintaining access for a cohort off site. I failed my client because I let their fear of success take over testing.
I am not alone in this failure. If you show me a person who says they have never dialed back testing to please a client, I can show you a person reading a prepared statement from their marketing department. Make no mistake: often the hurdles thrown up in front of security are people worrying you will succeed, or at least make their life more difficult. And the fear of success, or just being annoyed, will often motivate clients to veto an attack vector they know will work. If this were to cause a fix I would be happy, but often if there is nothing in the report the client won’t fix anything.
Because of failures like these the security community does not prepare clients for real attacks by determined attackers like Lulzsec. The clients of the security industry are systematically compromised and exposed for all to see like a cadaver during an autopsy.
In the end, while I see some sales guys rubbing their hands together in glee over the thought that Lulzsec will drive security spending up, I am absolutely convinced that the last thing this problem needs is more money.
Until there is a mindset change by executives of these companies no amount of security spending will keep them safe…and that’s our failure as an industry.