Overall, I full agree with Mr. Cohen on his various points about the security
field. I think he has a great understanding of many of the problems and
outlines them very well. However, there is only one point I disagree
with below.

Managing Network Security - "The Seedy Side of Security"

http://all.net/journal/netsec/9808.html

                          Managing Network Security
                          Third Anniversary Article
                         The Seedy Side of Security
                                by Fred Cohen

----------------------------------------------------------------------------

Series Introduction

Over the last several years, computing has changed to an almost purely
networked environment, but the technical aspects of information protection
have not kept up. As a result, the success of information security
programs has increasingly become a function of our ability to make prudent
management decisions about organizational activities. Managing Network
Security takes a management view of protection and seeks to reconcile the
need for security with the limitations of technology. 
----------------------------------------------------------------------------

Introduction:

This article represents the beginning of my fourth year of writing monthly
articles on information protection for Security Management Magazine. It
started back in August of 1995 when I write the first in the "Internet
Holes" series, and changed to the "Managing Network Security" series about
half way through 1996. Because of this anniversary, I have decided to
dedicate this month's article to something completely different - not! 

Actually, this month's article is about the seedy side of security. If
this sounds like something for the London Times or the Star, I hope they
pick it up and pay me a big royalty for it. 

In recent months, my consulting work through third party firms has picked
up considerably, and more and more I find myself teamed with 22 year old
self-proclaimed experts who charge outrageous fees, know very little about
information protection, and use off-the-shelf tools to demonstrate some
technical vulnerability that they don't understand the implications of. 

My recent experience is working with 40 year olds, who are way 
behind the times of security and system penetration, who use off-the-shelf
tools because those tools have more insight into system security than
they do. The same tools programmed primarily by 22 year olds at ISS and
NAI.

Clients seem to prefer to have 6 people who know almost nothing show up
for a week, charge $60,000, and produce a few hundred pages of unreadable
listings with little or no analysis over having two or three people show
up for a day each, charge $15,000, and produce a customized, short,
readable report indicating the business implications of what they found
and what they need to change in order to reduce the risks appropriately.
If you are a major accounting firm, you can charge $120,000 instead of
$60,000 and they will throw in a day of a senior partner who will tell you
that you need them to provide you with several million more dollars worth
of expertise to fix the problems with your network. 

Once they buy the big study, their resources are committed, and regardless
of the quality of the results, they need to declare that they have
contributed something valuable. They shelve the actual results, but make a
management presentation to tells management that all this paper supports
what they originally postulated - that they need more budget for security. 
Management, which doesn't understand the report at all, decides to cut the
baby in half. They provide limited budget increases because they know that
their employees are trying to do good things and because they trust their
employees - if for no other reason because they don't know enough to
disagree - but it usually corresponds to an article in the paper about a
big computer break-in somewhere else. 
----------------------------------------------------------------------------

Trust me

The "trust me" argument is indeed a powerful one. When the systems
administrators that run your computer complex get together as a group and
say "trust us - you need to do something about this" management usually
doesn't - trust them that is. They usually do find a compromise position
to allow the systems administrators to do whatever they say they need to
do - but at less budget than requested. The theory is really quite sound. 
Management can view this as a bonus. This year, we are giving IT a bonus
of $60,000 - and lucky us, they decided to spend it paying their friends
to do work for the company instead of taking it home and using it to fix
their kitchen. 

The real reason that management finds this compromise is quite simple -
and it has nothing to do with information security. It has to do with
corporate security. If these folks get unhappy, they could destroy the
company.  Management can either threaten them into compliance, replace
them and risk the down side, or bribe them. The bribe comes in the form of
negotiating more budget, and depending on the skills of the negotiators,
both sides can come out happy.

The "trust me" position only goes so far, however, and when it comes to
matters of corporate survival, management wants to know just enough to
make a sound decision. Of course the facts are all on a "trust me" basis
as well, but that's why management approves of outside consultants and/or
IT auditors. This is their "independent" view of the situation. But how
does management pick their "independent experts"? That's easy... at
random! 
----------------------------------------------------------------------------

How Do We Pick Our Experts?

Well, not exactly at random. Management cannot really judge who's an
expert and who is not - especially in a field like network security.
Instead, they tend to rely on three things: 

   * Popularity
   * Press
   * People they know

Popularity comes in many forms, but it usually comes from other clients
the so-called expert claims to have. But of course management almost never
checks out any of those claims, and the fact that someone else was foolish
enough to buy this person's time doesn't mean they are any good. 

Many rich people who tell their stories indicate that they started out
with resumes full of lies and as they got more experience, they filled in
the lies with truths. Resume inflation is also quite common - to the point
where it is expected. When I provide people my resume, which is all true
and accurate - perhaps even understated, they tend to believe it is
inflated, and so they discount it. Since anyone can get a copy of my
resume, it's not exactly hard for them to make one that looks about the
same as mine, and most readers will never be able to tell the difference. 

Another popularity thing is "name dropping". "I did a security consulting
job for the United Nations" or "My cryptosystem was approved by the NSA." 
are common sorts of claims. What most recipients of this sort of
information fail to realize is that cryptosystems approved for export by
the NSA tend to be easily broken. Almost every client I have ever had has
told me not to reveal the fact that I work for them. It's a simple matter
of operations security - if people know I did security work for XYZ
company - they can try to break into my site or kidnap my children or
whatever to get information about my client's systems. 

Press is related primarily to what sells newspapers, and the biggest
believers of newspaper stories are top management. The stories that papers
tend to publish and people tend to read are not about hard working people
who do their job well day after day. They tend to be the bizarre cases -
like teen hackers getting into the Pentagon - or the 16 year old "security
consultant" that helped the local police break the codes on some
criminal's PC. When you get in the media, people call you up and ask if
you can do consulting for them. So the big accounting firms, and the
hacker organizations, and the corporations with a lot of money trying to
get into the market, all go after media. 

There are a few common strategies that work for getting media, none of
them related to network security skills. One is to commit a crime and get
caught - or better yet, commit a crime without getting caught and turn in
your partners claiming to be a security consultant. This works even better
if you have a member of the press along with you. You can make several
million dollars this way. Another common strategy is to advertise. By
advertising in a magazine or paper that is doing stories on computer
security, you can often get the stories to mention your name or include
your IP address. The press release is another popular way to get your name
in the media - just make a weekly or monthly announcement about a new
security product or service. They don't even have to be real - as long as
you get your name in the media. 

The real thing to understand about the media is that it does not know how
to evaluate information security expertise any better than your CEO. They
believe most of what you tell them and they want sensation to sell papers. 

People the CEO knows lead to personal sales. This is a very effective way
to sell, but it has its limitations too. Your friend's son Jim is looking
for work, so you tell your friend the CEO about Jim being a security
consultant and Jim gets a consulting job. If Jim is not very good, then
the employees who have to work with Jim know it pretty soon, but they
don't dare tell the CEO about it - at least not directly. 

So we pick our experts based on anything but their expertise, and that's
largely because it takes an expert to know an expert. Lacking the
expertise to tell the difference, we do the best we can, and in today's
market, that tends not to be very good. 
----------------------------------------------------------------------------

You Ain't Seen Nothin' Yet

The real problem in today's network security market is that there are
probably really only a few hundred experts in the whole world, but there
are tens of thousands of networks that are being secured. That means that
more than 90 percent of the security is being done by people who are not
very expert, and it also means that proclaiming yourself as a security
expert gets you lots of work at high pay, which means that people who
barely know how to spell computer, read a book or two and rush in to get
the high pay. 

A client of mine had an employee who read a book on firewall security,
checked out their firewall, and found it to be secure. My 15-minute
automated checking program found several vulnerabilities, including a
program allowing unauthorized users to get root access to the firewall
computer and a previously unknown computer within the firewall. The book
wasn't a bad book, but it doesn't make you an expert or substitute for
having one. 

The highest pay to expertise ratio today seems to come from the
"penetration tester" community. These are bottom crawlers that go to the
Internet, do a search for "NT Security Holes", copy all of the programs
they find, and run them against your systems. For this they charge you
between one and two thousand dollars per day for a week or two - or as
much as $20,000 to test a small corporation. If you want a report on the
findings rather than a simple listing, it might cost another several
thousand dollars and it will not be in terms that are meaningful to the
organization. They leave residual vulnerabilities, the software may tell
its original author that it is now providing a hole into the client's
system, and it may destroy data along the way, but hey, you can't make an
omlette without breaking a few eggs. 

One of my new clients recently hired one of the 'hackers' to test the
security of an NT-based firewall. The hacker claimed to spend two days and
was unable to get in. My evaluation said that the router password could be
guessed and that standard NT attacks would work against it.  There were
also a lot of other vulnerabilities, but we'll ignore them for now. After
getting the report saying that no hole could be found in two days, the
client tried an off-the-shelf NT attack from the Internet. It got right
in. The 'hacker' claimed that password guessing would take too long - it
was a 4 digit password - which means that all of the passwords could be
tried in only 9,000 guesses. My PC can easily do this in a day, and I
don't have to sit and watch it. 

Security scans are all the rage today, and I think that they have some
value, but only if you know what you are doing and why you are doing it.
The most popular programs are ISS and Balista. They go through a few
hundred common flaws that could allow trivial system entry and if they
find them, they report them. Unfortunately, the reports tend to be rather
useless unless you have an advanced degree in computer security, and they
point to technical repair information that is barely readable. Even if you
tried to fix everything they found, which nobody has budget to actually
do, you would find that the fixes would stop parts of your system from
working until you fixed other things, and these things are not documented
in the scanners. The scanner rage comes partly from the cleaver move
toward providing statistics on the number of vulnerabilities found.
Security people can justify the cost of a scanner (more than twenty
thousand dollars per copy for a program a teenager wrote in a week)
because they show a measure of improvement. But of course new
vulnerabilities show up every day, so even though an improvement in the
statistic shows up, the actual number of holes is on the increase. If you
want a consultant to run a scanner for you, that will cost between 1,000
and 2,000 dollars per day as well. If you want a CPA firm to do it for
you, count on paying between fifty thousand and one hundred thousand
dollars for their effort. The result will be a report that you cannot
fully understand, and a management report that makes you look good, but
doesn't really do anything for the corporation. 

At one site I know of, they did a comprehensive scan for known
vulnerabilities with one of the most popular off-the-shelf scanners.  The
scans failed to indicate that several systems had user IDs that were the
same as the name of the system, and that those user IDs had passwords that
were the same as the name of the system. They discovered this only after
someone broke into the machines. In the aftermath, when asked why they
trusted a scanner which they knew had many such limitations, they
indicated (as others have to me) that the scanner provided statistics so
that as they scanned machines they had made changes to, they could show
management that improvements had been made.  It didn't matter that the
improvements were to obscure potential vulnerabilities rather than obvious
and easily exploitable ones that were completely missed. The management
report would make them look good and that was their objective. 

A level above the real low-life of the security industry are the one-time
systems administrators turned security consultants. In some sense, these
people have some bone-fide value. They once had some level of
responsibility for securing a real system, and they probably know most of
the commonly used commands and perhaps they even have some experience with
some of the programs you use. Generally, their security knowledge is
minimal, but at least they know the right words and won't look like total
idiots when they talk to your systems administrators. Of course your
systems administrator will be able to snow them into believing that their
system is completely secure, and they are not likely to ever test anything
the systems administrator says because they are not used to the trust but
verify way of doing business that is the hallmark of the security
professional. These folks, even though they are better than the others
listed above, tend to cost less! Yes, that's right. They only cost between
one thousand and fifteen hundred dollars per day and they actually know
something. 

In a recent assessment I worked on, a former AS/400 systems administrator
turned security consultant came in to review an AS/400 system. As far as
he could tell, it was more secure than any AS/400 he had ever
administered, and he could find no way to get passed the security. He
didn't bother to ask if there had been any detected incidents. There had.
When I followed up, I found that an employee had been detected accessing
salary records - caught because he tried to change one. It turned out he
should not have had access to any of those records and could have read all
the other employee information without being detected. When we dug deeper,
we found more and more, until finally, we were able to effectively
demonstrate the ability to alter arbitrary records and gain systems
administration privileges undetected starting from the Internet. All of
the detected flaws were detected by people who know security but don't
know much about AS/400s. 

----------------------------------------------------------------------------

How Do You Find Real Experts?

There are a few tell tale signs of real experts, and real experts are the
best way to find other experts. But be careful and cross-check wherever
possible. 

Real experts tend to write articles for legitimate publications. For
example, writing articles for 2600 is probably not a good reference point,
but an article in "Network Security Magazine" or "Computers and Security" 
related to the interest area of the consulting to be performed is a good
indicator. That is not to say that all the authors are good security
consultants, but most of them know something about the field. 

Real experts go to public meetings and conferences to hear what other
people have to say and give presentations of their own. For example, many
real experts will show up at "Computer Security Institute" conferences or
in "MIS Training Institute" short courses, and they will tend to be
invited to give talks and to return time and again. If someone has given
talks for several years in a row at the same conference, chances are the
audience found value in what they had to say. 

Real experts don't claim to be experts in every aspect of the information
protection field. They may assert that they are knowledgeable across the
board, but if they claim to know all about the details of security for
every operating system and every platform, chances are very good that they
are not really experts in any of them. There are just too many specifics
in today's environment for anybody to know them all. Most of the best
experts are very knowledgeable about a large number of them, but nobody
knows it all. 

Years in the field is another great indicator of expertise. I have never
met anyone with less than ten years of experience in information
protection that I would call expert even in a narrow part of the field.
Normally, it takes several years learn the basics of each of the many
subfields, several more years to understand how the fields fit together,
and several more years to get enough experience in real-world situations
to be really useful. Anybody who trusts a 24 year old with making
corporate decisions regarding billions of dollars in information assets is
probably making a big mistake. 
----------------------------------------------------------------------------

Summary and Conclusions:

There's a lot of money in the information security field today and much of
it is being spent unwisely. The large dollar values are driving large
numbers of poor quality people into the business and they are getting
outrageous pay rates when they have little to really offer. At the same
time, there are legitimate experts who are increasingly unable to
differentiate themselves from the folks with good sales teams. The
combination is a recepie for disaster to the unwary or unititated. I hope
that some of the ideas I have provided here are of some use, but I fear
that we have a long way to go in this industry. 
----------------------------------------------------------------------------

About The Author:

Fred Cohen is a Principal Member of Technical Staff at Sandia National
Laboratories and a Managing Director of Fred Cohen and Associates in
Livermore California, an executive consulting and education group
specializing information protection. He can be reached by sending email to
fc@all.net or visiting http://all.net/