
Identifying the Worst IT Practices

Where's the risk?

Why examine worst-practices
Occur in many organizations
Practiced in the name of efficiency
Unmanaged risks result in wasted money, resources and loss of reputation
What's cost-effective when:
Heavy dependence on IT to achieve goals
Organizations are increasingly subjected to vulnerabilities
Scope and magnitude of IT investments are increasing
IT can dramatically change the organization and service delivery
IT represents the organization's most valuable assets
Why organizations implement worst practices
Abdication of responsibilities
Inability to segregate activities
Calculator mentality
Putting out fires
Information overload
Expectation gap
Inadequate training
Ignorance and false pride
What's cost-effective (revisited)?
Technology that is capable of operating without material error, fault, or failure during a specified period in a specified environment

What constitutes reliability?
Per the ISO 27002 trust: Principles and Criteria for Systems Reliability
And what if your organization uses worst-practices?

Your service delivery is not cost-effective

High probability of your information and related resources being unreliable
Usually, if properly done, required changes are very cost-effective and deliver high ROI on the investment required to improve
Network not as important as physical security

Terminated Employees or Consultants

HR policy typically requires
all keys and cards be turned in
consider changing locks and combinations
Security policy
may (not always) mention the need to adjust security settings
vast majority of audit reports cite that terminated employees and consultants still have access to system resources
Network not as important as physical security (cont)

How To Manage The Risk

Build the responsibility into the corporate
approver is always accountable for what they approved (user)
incorporate notifying security as part of the termination process (HR and yes it is your job!!!)
question inactivity (security)
Estimated Cost/Benefit
Low Cost/High Return
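An added example (not from the slides) of the access review the bullets above assign to security: join an account export against HR's termination list, flag terminated people still holding an enabled account, and question enabled accounts nobody has used. The user names, dates and the 90-day inactivity threshold are constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample inputs: an HR termination list and an account export.
# In practice these come from the HR system and the directory / user admin tool.
TERMINATIONS = {                     # user -> last day of employment or contract
    "jsmith":    date(2024, 3, 1),
    "consult01": date(2024, 5, 15),
}
ACCOUNTS = [                         # user, still enabled?, last successful login
    {"user": "jsmith",     "enabled": True,  "last_login": date(2024, 2, 27)},
    {"user": "consult01",  "enabled": False, "last_login": date(2024, 5, 10)},
    {"user": "mary",       "enabled": True,  "last_login": date(2023, 11, 2)},
    {"user": "svc_legacy", "enabled": True,  "last_login": None},   # never used
    {"user": "admin2",     "enabled": True,  "last_login": date(2024, 6, 20)},
]
TODAY = date(2024, 7, 1)             # constructed review date

def review_access(accounts, terminations, today, inactive_days=90):
    """Join the account export against HR's termination list and return the two
    findings the slide calls out: terminated people still holding an enabled
    account, and enabled accounts nobody has used recently (question inactivity).
    """
    findings = {"terminated_still_enabled": [], "inactive": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue                                   # already deprovisioned
        user = acct["user"]
        if user in terminations and terminations[user] <= today:
            findings["terminated_still_enabled"].append(user)
            continue                                   # worst finding wins
        last = acct["last_login"]
        if last is None or today - last > timedelta(days=inactive_days):
            findings["inactive"].append(user)          # never used or dormant
    return findings

if __name__ == "__main__":
    for kind, users in review_access(ACCOUNTS, TERMINATIONS, TODAY).items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Feed the two lists from the HR system and the directory export, run it on the HR termination cadence, and every name in the output is a ticket for the approver who granted the access.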
Not enforcing need to have access
it won't happen here
the security group (or user admin) doesn't have the time or resources
we need the flexibility for cross-training or
Mary's been with us for over 30 years so she deserves to be designated a security
we only need to worry about external hackers
Not enforcing need to have access (cont)
Consider these issues
60%-70% of unauthorized system break-ins are from internal
Based on forensic experience, this worst-practice is a primary contributor to internal fraud and facilitates the circumvention of management designed controls (including organizational chart
Prime Directive
Many professionals believe that it is impossible to maintain a control environment that satisfies stakeholders' expectations while using this worst-practice
Estimated Cost/Benefit
Low Cost/High Return
Leaving factory default settings unchanged

Operating systems are often shipped with default users with default passwords to make setting up easier. If the systems administrator doesn't know about the default accounts, or forgets to turn them off, then anyone who can get hold of a list of default accounts and passwords can log into the target computer

Anyone who knows how to do basic research using the internet can get hold of these lists
Leaving factory default settings unchanged (cont)

Security is not the only exposure: incorrect parameter settings in a core application could negatively impact the business and result in:
Inappropriate access
Invalid use of validation controls
Incorrect financial reporting
Incorrect exception reporting
Regulatory compliance violations
Incorrect calculations and postings
Incorrect customer records
Loss of credibility
Poor customer service
Wasted investment in technology
Payments to consultants to get things back in order
Not applying security patches
Finding the low-hanging fruit should always be your top priority, mainly because it is the attacker's first priority. Devastating web vulnerabilities still exist after years of being publicly known

Typically this is what script kiddies use, and it results in embarrassment for the organization
Not monitoring security-related advisories & updates

Respected organizations (e.g., CERT, SANS) distribute free newsletters providing guidance on recent and projected security threats. For example:
SANS/FBI released a Top 20 vulnerability list with appropriate tools (free) to detect if a particular organization is exposed.
CISECURITY.ORG provides generally accepted benchmarks to effectively manage technology risk.
These warnings/guidance are typically ignored in worst-practices organizations
Does your organization have worst security practices?

To many these sound like a good thing to do:

Vulnerability Review
Penetration Test
But to what extent do they just confirm what you already knew (be honest!!)
And how do they help you prevent future
Popular network security testing techniques

Network Mapping
Vulnerability Scanning
Penetration Testing
Security Testing and Evaluation
Password Cracking
Log Reviews
File Integrity Checkers
Virus Detectors
War Dialing
Network mapping

STRENGTHS
Fast
Efficiently scans a large number of hosts
Many excellent freeware tools available
Highly automated
Low cost

WEAKNESSES
Does not directly identify known vulnerabilities
Generally used as a prelude to penetration testing, not as a final test
Requires significant expertise to interpret results

BENEFITS OF DOING
Enumerates the network structure and what's active
Identifies unauthorized hosts and
Identifies open ports

OTHER INFO
Quarterly
Medium level of complexity, effort and risk
Vulnerability scanning

STRENGTHS
Fairly fast & efficient
Some freeware tools available
Highly automated for known
Often provides advice for mitigating strategies
Identifies the easy stuff
Easy to run regularly
Cost varies by tool used

WEAKNESSES
High false positive rate
Large amount of network traffic
Not stealthy (detected)
Not for rookies
Often misses new stuff

BENEFITS OF DOING
Enumerates the network structure and what's active
Identifies vulnerabilities on a target set of computers
Validates up-to-date patches and software versions

OTHER INFO
Every 2-3 months
High level of complexity and effort with medium risk
Penetration testing

STRENGTHS
Employs hacker methodology
Goes beyond surface vulnerabilities to show how they can be exploited to gain access
Shows that vulnerabilities are real
Social engineering allows for testing of procedures and human reactions

WEAKNESSES
What's a hacker methodology?
Requires great expertise; dangerous when conducted by rookies
Due to time requirements not all resources tested individually
Certain tools may be banned or controlled by regulations
Legal complications and organizationally disruptive
Expensive

BENEFITS OF DOING
Determines how vulnerable the organization is and the level of damage that can occur
Tests IT staff response and knowledge of security policies

OTHER INFO
Annually
High level of complexity, effort and risk
Security testing and evaluation

STRENGTHS
Not as invasive or risky as some other tests
Includes policies and procedures
More comprehensive; focuses on prevention strategies and roots of
Generally requires less technical expertise than vulnerability scanning or penetration testing
Addresses physical security

WEAKNESSES
Does not generally verify vulnerabilities
Generally does not identify newly discovered vulnerabilities
Labor intensive & expensive

BENEFITS OF DOING
Uncovers design, implementation and operational flaws that could allow the violation of security policy or the existence of vulnerabilities
Determines the adequacy of security mechanisms, assurances and other properties to enforce security policies
Includes effectiveness & efficiency
Emphasizes the process and how well risk is managed.

OTHER INFO
Every 2-3 years
High levels of complexity, effort and risk
We're safe, right?
Our organization's auditors engage an outside firm to conduct an annual vulnerability test. Last year we didn't have any major findings. This review proves that we're safe, right?

Typical findings
Inappropriate policies at the macro and micro levels
Vendor provided patches not applied
Exploitable files and services not removed or disabled
Ineffective security configuration strategy
Outdated vulnerability scanning and intrusion detection tools used
Unclear understanding of responsibilities with service providers and vendors
Ineffective monitoring of activity and new vulnerabilities
False comfort relating to level of security and understanding of risks to the business
How much to fix?
Not as much as you would expect
You don't necessarily need to purchase advanced
80% of the problems can be resolved very cost-
Organizational culture and behavior modification require the greater efforts
And what of these patches we keep hearing about?

Create an organizational software inventory

Identify newly discovered vulnerabilities and security patches (remember the free emails?)
Prioritize patch application
Create an organization-specific patch database
Test patches
Distribute patches and vulnerability information as
Verify patch installation through network and host vulnerability scanning
Train system administrators in the use of in vulnerability
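An added example (not the slides' own material) that carries the inventory, identify, prioritize and verify steps above through one script: installed versions are compared against a constructed advisory feed, missing patches are ranked by severity with an assumed doubling for internet-exposed hosts, and the list is re-checked once a patch is recorded as installed. Host names, versions, the version scheme and the ADV-EXAMPLE ids are placeholders, not real advisories.

```python
import re

# Constructed inventory and advisory feed. Advisory ids are placeholders, not real CVEs.
INVENTORY = [
    {"host": "web01", "exposed": True,  "software": {"httpd": "2.4.49", "openssl": "1.1.1k"}},
    {"host": "db01",  "exposed": False, "software": {"openssl": "1.1.1k", "postgres": "13.4"}},
    {"host": "ws17",  "exposed": False, "software": {"httpd": "2.4.52"}},
]
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "software": "httpd",   "fixed_in": "2.4.51", "severity": 9.8},
    {"id": "ADV-EXAMPLE-2", "software": "openssl", "fixed_in": "1.1.1l", "severity": 7.5},
]

def version_key(version):
    """Turn '1.1.1k' into ((1,''), (1,''), (1,'k')) so versions compare numerically,
    with a letter suffix as tie-breaker (assumed scheme; adapt per vendor)."""
    key = []
    for piece in version.split("."):
        m = re.fullmatch(r"(\d+)(.*)", piece)
        key.append((int(m.group(1)), m.group(2)) if m else (0, piece))
    return tuple(key)

def outstanding_patches(inventory, advisories):
    """Match the software inventory against the advisory feed and rank the missing
    patches. Assumed weighting: severity, doubled for internet-exposed hosts."""
    work = []
    for host in inventory:
        for adv in advisories:
            installed = host["software"].get(adv["software"])
            if installed is None:
                continue                       # software not present on this host
            if version_key(installed) < version_key(adv["fixed_in"]):
                score = adv["severity"] * (2 if host["exposed"] else 1)
                work.append({"host": host["host"], "software": adv["software"],
                             "installed": installed, "fixed_in": adv["fixed_in"],
                             "advisory": adv["id"], "priority": score})
    return sorted(work, key=lambda w: w["priority"], reverse=True)

def record_patch(inventory, hostname, software, version):
    """Return a new inventory reflecting a patch the scanner confirmed installed;
    re-running outstanding_patches on it is the verification step."""
    return [dict(h, software={**h["software"], software: version}) if h["host"] == hostname else h
            for h in inventory]

if __name__ == "__main__":
    for w in outstanding_patches(INVENTORY, ADVISORIES):
        print(f"{w['priority']:>5}  {w['host']:<6} {w['software']:<8} {w['installed']} -> {w['fixed_in']}  ({w['advisory']})")
```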
Security conclusion
A team sport that doesn't necessarily require the most fancy equipment to win - but does require you to understand the fundamentals of the game and that you and your team must provide best efforts to win!

you are playing to just give the ball to the other side.