We’re going into production… regardless!
Here’s the scenario: nothing new, we see it every day, but some just stand out big time in regards to stupidity. You have to wonder whether things like this would happen if you were given 5 minutes with the CEO. Same old story… what do most CIOs actually do when it comes to information security?
Large multinational rolling out a large Internet-based ERP/CRM system for partners and clients, i.e. do your own account changes, pricing, marketing info, updates, etc. The system has been in development for 2 years. Bugger all security team involvement from the outset. Production release: now! Cost to date: millions! The business security team reckons it potentially has holes as wide as the Grand Canyon, but the business does not care… it’s too late and it has to go into production.
Call made to SA to test the system ASAP. SA told that, regardless of findings, this is going live, but let’s test anyway. SA responds with various testing scenarios… most don’t cut it due to the cost and time to test, so it’s agreed to at least do a security test from the Internet and hit the main area of exposure. SA quotes about 30K for a pretty thorough job (even then, heavily discounted due to a relationship with the client). Response from business: Oh my god… 30K!!!! Management then decides to test it in-house! Millions to build, but 30K to spend on security testing?!
Guaranteed owned system very quickly.

August 2nd, 2007 at 8:52 am
At the crux of this is detection. They will not even know these days if and when they are 0wnd or unintended information is leaked.
This is something I have been spending a lot of time thinking about, as a combination of logs, flows, auditing, intrusion and extrusion detection, file and/or system integrity checks, and good old getting to know and baselining your systems with both stats and metrics is *required* to even have a fighting chance of having faith that you still own and administer your systems. Good old-fashioned hard work that unfortunately, even with modern technology, doesn’t really scale very well… though log and flow correlation is getting better. Maybe we could ‘crowdsource’ anonymized logs to the masses for anomaly detection.
Reminds me of when an Australian federal agency contacted us to let us know our finance systems’ support/admin user/auth were found on a dropbox on the net, after a targeted spam/malware run against our organisation had stolen auths for a range of systems. It wasn’t directly open to the net, but the network was like Swiss cheese and *so* many workstations were 0wned anyway that it was trivial to access.
Head and sand! Reduce the service, system and network attack surface to the most manageable degree, focus on detection and MTTR.
The prerequisite is omniscient change management and baselining of almost all flows, messages and systems. The alternative is a form of controlled chaos (most networks today) and data objects that are self-aware! Back to the idea of a less ‘dumb’ network and intelligent packets.