December 31st, 2003, 12:28 AM
Good post, Catch. That is something I will definitely file away for future reference. The only problem I have is that it assumes the company even cares. All sarcasm aside (in case you missed it), I find that more often companies adopt the "needle-in-a-haystack" theory, and in that case you can do nothing except voice your concerns.
The company I work for regularly transmits unencrypted databases with very sensitive information. I found the problem and suggested several fixes... that was some months ago. I even explained how burning a haystack helps you find the needle in no time, but the analogy was lost on them. There is no system of patching, or updating, or monitoring of usage... and when spit hits the fan, I will say nothing.
I would be interested in how you compile your threat index, and how you weigh the values of each in order to plug them into your formula. Maybe if I present it to them in that manner, it may get their attention. I'm not sure how to put a value on ID theft though.
December 31st, 2003, 02:16 AM
Companies don't care about security, they do care about money. Don't talk about security, talk about money as I stated.
Check out "Information Security Risk Analysis" by Thomas Peltier. It focuses mostly on qualitative analysis and Business Impact Analysis (BIA), but it is quite comprehensive and even features worksheets to get you started.
I wrote a tutorial on "Insecure Government Computers" (or something like that) for this site that I think will be handy to you. It also discusses selecting the attacks and threats to concern yourself with.
December 31st, 2003, 02:56 AM
Very true, Catch.
To a majority of companies (especially small to midsized), IT and computer jobs are a very complicated area for them to spend any type of money on. Most IT jobs pay more than the average employee in the company, and IT does not produce any type of monetary gain or profit. All they see is money going out for payroll, and servers, and cabling, and equipment, and blah blah blah... and nothing back.
Show them that this could in turn make their investment and money more secure...
Try showing a positive side to something if possible. For instance, if you are trying to get a new or better firewall and VPN has not been done yet, show them the possibilities of something like a Cisco PIX with VPN software: then they are getting security, you get your firewall, and now people can work from home.
You can make presentations, graphs, print thousands of files about security to try to scare them, but until they see it first hand, they will not open their eyes. It took the last company that I worked for until someone was hosting porn on the servers before they did anything...
Hope some of this helps.
Insert witty tagline right here.
December 31st, 2003, 03:57 AM
Good discussion and info posted here...
One selling point for security that I have been using that has been quite effective is that one aspect of security is about "keeping the systems up and online", i.e. downtime. Ask them how much it would cost them if a security incident (virus/trojan, disgruntled employee, etc.) took down a whole department such as product development or sales? Or even worse, if it partially crippled many departments, reducing their productivity?
Then what I've done is actually show them some calculations on how much it would cost them in lost employee hours, which of course is only part of the picture (i.e. it does not include lost sales opportunities, etc.). I will use actual incidents inside the company which prevented employees from being able to do their jobs.
I've framed the justification in the same context as UPSs to keep the servers running, building environmental controls/facilities to keep workers comfortable/content, etc. Ya know, supplying some of the bottom rung of Maslow's triangle (climate controlled space, roof over head, restroom facilities, access to water & food) so they don't focus on that and instead focus on their job.
It's been an eye opener for some of the executives and so far has been very effective.
Good luck and if you pick up any new approach not mentioned in this thread let us know - it's a constant uphill battle, never over!
December 31st, 2003, 03:59 PM
Very good pitch on maturity too!
Excellent reply, Catch! I was not very comfortable with what I was reading too. As a newbie and a female I kept quiet about the attitude of wielding power over your company as a threat. I feel that is why I was hired as a technical resource. They trust that I have not only the technical skills but the maturity and communications skills to act positively in protecting the company and changing bad policy with tact and skill. I may be new at network administration, but I find that managers will listen if you take the time to learn how to communicate to them logically and technically. My demonstration I posted earlier was a scheduled training time to justify some of my IT department budget requests. It made the point and I did not treat them like idiots. I see a lot of excellent skill posted here on AntiOnline, but I also see a lot of male ego and testosterone making some very dangerous suggestions on "teaching a business a lesson." Thank you, Catch, for the willingness to point this out.
December 31st, 2003, 08:26 PM
As a female I'd think you'd have an easier time speaking up. A lot of guys on this site have never even seen a real woman outside of their mom delivering them tang in their basement. Seems like they'd just drool and fall over everything you say.
Seriously though, you do bring up a good point about the need for actually justifying your requested expenses. Most people just try to scare sr. management or attempt to talk over their heads about why they need money, and clearly this approach is a poor one. Risk analysis is good, training sessions are good. Pen testing by itself is not good; all it shows is that holes exist... well duh! Who cares that holes exist? What is it going to cost to have one of those holes exploited? What is the likelihood of that? What is the cost of reducing those odds to a safe level? These are the questions they care about. Until they are answered, sr. management will and should turn a deaf ear toward you.
As far as teaching your company a lesson, just keep in mind that if it is ever realized you have done such a thing, good luck ever getting hired to work infosec ever again if you don't end up in jail, which is really where such back-stabbing individuals belong.
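The three questions above (what an exploited hole costs, how likely it is, and what it costs to reduce the odds) are the inputs to a quantitative risk analysis, and the downtime argument a few posts up is one way to price the first of them. The following calculator is an added illustration written for this page, not code from the thread or from Peltier's book. It computes the lost-labour cost of an outage, the annualized loss expectancy (ALE = single loss expectancy x annual rate of occurrence) of a threat, the net benefit of each candidate control, and the incident rate at which a control pays for itself. Every department, threat and control below is constructed; the headcounts, hourly costs, rates and reductions are assumptions to be replaced with your own figures.

```python
"""Putting a price on a security incident for a budget request.

Added example, not from the thread. Combines the downtime-cost argument
(lost employee hours while a department is offline) with the standard
quantitative risk figures: SLE (cost of one occurrence), ARO (expected
occurrences per year) and ALE = SLE * ARO. All numbers are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Department:
    name: str
    headcount: int
    loaded_hourly_cost: float   # salary plus overhead per employee-hour (assumed)


def downtime_cost(dept, hours_down, productivity_loss=1.0):
    """Lost labour when an incident idles a department for hours_down.

    productivity_loss < 1.0 models a partially crippled department. This
    omits lost sales, recovery labour and reputation, so it is a floor on
    the real cost, which is exactly how the thread suggests presenting it.
    """
    return dept.headcount * dept.loaded_hourly_cost * hours_down * productivity_loss


@dataclass(frozen=True)
class Threat:
    name: str
    sle: float   # single loss expectancy: cost of one occurrence
    aro: float   # annualized rate of occurrence: expected events per year

    def ale(self):
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0   # fraction by which the control cuts ARO
    sle_reduction: float = 0.0   # fraction by which it cuts the per-event loss


def residual_threat(threat, control):
    """The same threat after the control is in place."""
    return Threat(threat.name,
                  threat.sle * (1.0 - control.sle_reduction),
                  threat.aro * (1.0 - control.aro_reduction))


def cost_benefit(threat, control):
    """ALE before and after, yearly risk removed, and the net of control cost."""
    after = residual_threat(threat, control)
    reduced = threat.ale() - after.ale()
    return {"control": control.name,
            "ale_before": threat.ale(),
            "ale_after": after.ale(),
            "risk_reduced": reduced,
            "net_benefit": reduced - control.annual_cost}


def break_even_aro(threat, control):
    """Incident rate per year at which the control exactly pays for itself.

    Risk removed per year is aro * sle * (1 - (1-s)(1-a)); set that equal to
    the control's annual cost and solve for aro. Handy when management
    disputes your ARO estimate: the question becomes "does this happen
    more often than X times a year?".
    """
    fraction_removed = 1.0 - (1.0 - control.sle_reduction) * (1.0 - control.aro_reduction)
    if fraction_removed <= 0.0:
        return float("inf")   # a control that removes nothing never pays off
    return control.annual_cost / (threat.sle * fraction_removed)


def rank_controls(threat, controls):
    """Controls ordered by net yearly benefit, best first."""
    return sorted((cost_benefit(threat, c) for c in controls),
                  key=lambda r: r["net_benefit"], reverse=True)


# Constructed scenario (assumptions): a 40-person sales department, a worm
# outbreak that idles it for a working day twice a year, plus cleanup labour.
SALES = Department("sales", headcount=40, loaded_hourly_cost=45.0)
OUTAGE_HOURS = 8.0
CLEANUP_COST = 6_000.0
WORM = Threat("worm outbreak on the sales subnet",
              sle=downtime_cost(SALES, OUTAGE_HOURS) + CLEANUP_COST,
              aro=2.0)
CONTROLS = [
    Control("patch management + gateway AV", annual_cost=12_000.0, aro_reduction=0.75),
    Control("spare imaged workstations", annual_cost=3_000.0, sle_reduction=0.25),
]

if __name__ == "__main__":
    print(f"one outage costs at least ${WORM.sle:,.0f}; ALE ${WORM.ale():,.0f}/yr")
    for r in rank_controls(WORM, CONTROLS):
        print(f"{r['control']}: ALE {r['ale_before']:,.0f} -> {r['ale_after']:,.0f}, "
              f"net benefit ${r['net_benefit']:,.0f}/yr")
    for c in CONTROLS:
        print(f"{c.name} breaks even at {break_even_aro(WORM, c):.2f} incidents/yr")
```

The point of `break_even_aro` is that the likelihood estimate is the number management will push back on; showing that the control is worth buying even if the incident happens less than once a year sidesteps that argument. The figures are a floor because `downtime_cost` counts only idle labour, which matches the post's own caveat.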
December 31st, 2003, 08:56 PM
Thank you for the compliment. I may be a little old fashioned, but I prefer to listen before I speak. I don't mind the drooling though; how else would we know that we females were interesting to males? Most guys speak gobbledygook and it's hard to catch the intentions of the conversation. So I quietly interpret the antics and go from there.
On the serious side, I will be taking your advice for my IT budget requirements presentation due soon.
January 2nd, 2004, 04:02 PM
I think I may have been misunderstood. Under no circumstances attempt to attack or penetrate a production network, or attempt to use any tool that you don't know how to use. I am not advocating the hacking of a production corporate network. A test network should be built to accommodate this, as any system that you attack is basically a sacrificial lamb, and should be completely reloaded after a low-level or other data-destructive disk format once testing is complete.
I have been a network security administrator for almost 10 years, both in the corporate and military sectors, and I have found that the best way to find holes in your security is to actually attempt to penetrate it using the tools that the blackhats use. Keep in mind that this is not something that one should take lightly, as Catch has pointed out. If you do not know how to use the tools and how they work, then please don't use them. You will most likely make additional problems. Also, do not attempt this on anything but an isolated network (not physically attached to anything but the internet).
Provided that you know the tools, get permission from a higher authority to use them against your network, and explain in detail to your boss(es) the risks involved, what you plan to do, etc., then you should be O.K. Notice in my post that I recommend that you set up a separate subnet. You want to mirror your existing network in miniature and attempt to penetrate this isolated subnet. As stated in my last post, DO NOT USE THE TOOLS ON YOUR EXISTING NETWORK OR PRODUCTION SERVERS. Use some old computers and servers, and just use a copy of some old backup tapes or images for data. Don't put any actual sensitive information on these systems, as we plan to hack them, and others may attempt the same and gain access to it.
As long as you do this, you will be OK legally, as it is not a crime to attack your own systems for educational purposes, as long as you have permission. Also, you will not lose your job for helping secure your network infrastructure. Just don't actually attack your production network or servers. There is a danger of leaving back doors and other holes associated with attacking a live network.
If you can't get their permission to test the waters, then there is not much you can do, unless you have a few computers you can use to simulate the network at home. Then you can do your penetration testing there, without fear of damaging any IT assets.
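The rules in this post (written permission from a higher authority, a separate lab subnet that mirrors production, and never pointing the tools at production) can be enforced mechanically rather than by memory. The scope guard below is an added example written for this page, not code from the poster, and it assumes a constructed lab layout: an authorized lab range of 10.66.0.0/24 and production ranges of 10.0.0.0/16 and 192.168.0.0/16. It parses each target, rejects anything outside the authorization's scope or overlapping a production range, checks that the authorization is still within its dates, and only then hands the targets to whatever tool you wrap. The `Authorization` record, its `ticket` field and the tool name are illustrative, not anything the thread describes.

```python
"""Scope guard: refuse to run attack tools outside the authorized lab subnet.

Added example, not from the thread. Lab and production ranges, and the
authorization record, are constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date

# Constructed ranges (assumptions): the mirror lab and the production space
# it must never touch. Replace with your own addressing plan.
PRODUCTION = (ipaddress.ip_network("10.0.0.0/16"),
              ipaddress.ip_network("192.168.0.0/16"))
LAB_SCOPE = (ipaddress.ip_network("10.66.0.0/24"),)


@dataclass(frozen=True)
class Authorization:
    """Who approved the test, for which ranges, and for how long."""
    approver: str
    ticket: str          # illustrative reference to the filed write-up
    valid_from: date
    valid_until: date
    scope: tuple         # tuple of ip_network objects


def authorization_valid(auth, today):
    """Permission is only good inside the dates the approver signed off on."""
    return auth.valid_from <= today <= auth.valid_until


def _same_family(a, b):
    return a.version == b.version


def classify(target, scope=LAB_SCOPE, production=PRODUCTION):
    """Return (ok, reason) for one host address or CIDR block.

    Strict parsing rejects '10.66.0.5/24' (host bits set), which is the
    classic typo that silently turns one host into a whole network.
    """
    try:
        net = ipaddress.ip_network(target)
    except ValueError as exc:
        return False, f"unparseable target {target!r}: {exc}"
    for prod in production:
        if _same_family(net, prod) and net.overlaps(prod):
            return False, f"{net} overlaps production range {prod}"
    for allowed in scope:
        if _same_family(net, allowed) and net.subnet_of(allowed):
            return True, f"{net} inside authorized range {allowed}"
    return False, f"{net} is outside every authorized range"


def vet_targets(targets, auth, today):
    """All-or-nothing check. Returns (approved_targets, problems).

    One out-of-scope target rejects the whole run: a scan that is 95%
    inside the lab is still a scan of production.
    """
    problems = []
    if not authorization_valid(auth, today):
        problems.append(f"authorization {auth.ticket} not valid on {today}")
    for t in targets:
        ok, reason = classify(t, scope=auth.scope)
        if not ok:
            problems.append(reason)
    approved = [] if problems else [str(ipaddress.ip_network(t)) for t in targets]
    return approved, problems


def build_scan_command(tool_argv, targets, auth, today):
    """Prepend the tool's argv to vetted targets, or raise before anything runs."""
    approved, problems = vet_targets(targets, auth, today)
    if problems:
        raise PermissionError("refusing to run: " + "; ".join(problems))
    return list(tool_argv) + approved


# Constructed authorization record (assumption).
AUTH = Authorization(approver="IT manager", ticket="LAB-TEST-2004-01",
                     valid_from=date(2004, 1, 5), valid_until=date(2004, 1, 9),
                     scope=LAB_SCOPE)

if __name__ == "__main__":
    today = date(2004, 1, 6)
    print(build_scan_command(["nmap", "-sS"], ["10.66.0.0/25", "10.66.0.200"], AUTH, today))
    try:
        build_scan_command(["nmap", "-sS"], ["10.66.0.10", "10.0.3.4"], AUTH, today)
    except PermissionError as exc:
        print(exc)
```

Two design points: the guard works on the argument list, so it sits in front of any tool without having to understand that tool's options, and it fails closed on the parse error, the date check and the production overlap alike. It does not verify which interface the lab box is plugged into; the post's rule that the lab is physically isolated still has to be enforced with a cable, not with code.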
January 2nd, 2004, 04:10 PM
And for the record, I do not advocate holding power over the bosses' heads by bringing the network to its knees or using it as your technoslave! That was not my intention.
I was simply trying to say that the best way to find chinks in armor is to test the armor yourself using the weapons that your enemy will use in battle. It is better for you to do it than someone with less than honorable intentions.
Knowledge is power, but that power should be shared. I don't recommend hiding anything. The whole thing should be completely documented in explicit detail and filed.
"Know thy enemy and know thyself; in a hundred battles you will never be in peril. When you are ignorant of the enemy but know yourself, your chances of winning or losing are equal. If ignorant both of your enemy and of yourself, you are certain in every battle to be in peril."
-- The Art of War, Sun Tzu
January 2nd, 2004, 04:27 PM
The point "576869746568617" was trying to make is that these are the exact same methods the blackhats will use to penetrate your system, and also the same methods most security audit firms, such as Foundstone, will use as well.
Their site, by the way, has a lot of great information, http://www.foundstone.com/
They are also authors of great books on security such as Hacking Exposed, now in its fourth edition, as well as Hacking Linux Exposed, Hacking Windows 2000 Exposed, and most recently Hacking Windows 2003 Exposed. These are a must read for any serious security admin. They go into detail on how a hack is performed, showing the actual code, etc., as well as how to implement countermeasures to prevent or limit the damage.