Overall, I full agree with Mr. Cohen on his various points about the security field. I think he has a great understanding of many of the problems and outlines them very well. However, there is only one point I disagree with below. Managing Network Security - "The Seedy Side of Security" http://all.net/journal/netsec/9808.html Managing Network Security Third Anniversary Article The Seedy Side of Security by Fred Cohen ---------------------------------------------------------------------------- Series Introduction Over the last several years, computing has changed to an almost purely networked environment, but the technical aspects of information protection have not kept up. As a result, the success of information security programs has increasingly become a function of our ability to make prudent management decisions about organizational activities. Managing Network Security takes a management view of protection and seeks to reconcile the need for security with the limitations of technology. ---------------------------------------------------------------------------- Introduction: This article represents the beginning of my fourth year of writing monthly articles on information protection for Security Management Magazine. It started back in August of 1995 when I write the first in the "Internet Holes" series, and changed to the "Managing Network Security" series about half way through 1996. Because of this anniversary, I have decided to dedicate this month's article to something completely different - not! Actually, this month's article is about the seedy side of security. If this sounds like something for the London Times or the Star, I hope they pick it up and pay me a big royalty for it. In recent months, my consulting work through third party firms has picked up considerably, and more and more I find myself teamed with 22 year old self-proclaimed experts who charge outrageous fees, know very little about information protection, and use off-the-shelf tools to demonstrate some technical vulnerability that they don't understand the implications of. My recent experience is working with 40 year olds, who are way behind the times of security and system penetration, who use off-the-shelf tools because those tools have more insight into system security than they do. The same tools programmed primarily by 22 year olds at ISS and NAI. Clients seem to prefer to have 6 people who know almost nothing show up for a week, charge $60,000, and produce a few hundred pages of unreadable listings with little or no analysis over having two or three people show up for a day each, charge $15,000, and produce a customized, short, readable report indicating the business implications of what they found and what they need to change in order to reduce the risks appropriately. If you are a major accounting firm, you can charge $120,000 instead of $60,000 and they will throw in a day of a senior partner who will tell you that you need them to provide you with several million more dollars worth of expertise to fix the problems with your network. Once they buy the big study, their resources are committed, and regardless of the quality of the results, they need to declare that they have contributed something valuable. They shelve the actual results, but make a management presentation to tells management that all this paper supports what they originally postulated - that they need more budget for security. Management, which doesn't understand the report at all, decides to cut the baby in half. They provide limited budget increases because they know that their employees are trying to do good things and because they trust their employees - if for no other reason because they don't know enough to disagree - but it usually corresponds to an article in the paper about a big computer break-in somewhere else. ---------------------------------------------------------------------------- Trust me The "trust me" argument is indeed a powerful one. When the systems administrators that run your computer complex get together as a group and say "trust us - you need to do something about this" management usually doesn't - trust them that is. They usually do find a compromise position to allow the systems administrators to do whatever they say they need to do - but at less budget than requested. The theory is really quite sound. Management can view this as a bonus. This year, we are giving IT a bonus of $60,000 - and lucky us, they decided to spend it paying their friends to do work for the company instead of taking it home and using it to fix their kitchen. The real reason that management finds this compromise is quite simple - and it has nothing to do with information security. It has to do with corporate security. If these folks get unhappy, they could destroy the company. Management can either threaten them into compliance, replace them and risk the down side, or bribe them. The bribe comes in the form of negotiating more budget, and depending on the skills of the negotiators, both sides can come out happy. The "trust me" position only goes so far, however, and when it comes to matters of corporate survival, management wants to know just enough to make a sound decision. Of course the facts are all on a "trust me" basis as well, but that's why management approves of outside consultants and/or IT auditors. This is their "independent" view of the situation. But how does management pick their "independent experts"? That's easy... at random! ---------------------------------------------------------------------------- How Do We Pick Our Experts? Well, not exactly at random. Management cannot really judge who's an expert and who is not - especially in a field like network security. Instead, they tend to rely on three things: * Popularity * Press * People they know Popularity comes in many forms, but it usually comes from other clients the so-called expert claims to have. But of course management almost never checks out any of those claims, and the fact that someone else was foolish enough to buy this person's time doesn't mean they are any good. Many rich people who tell their stories indicate that they started out with resumes full of lies and as they got more experience, they filled in the lies with truths. Resume inflation is also quite common - to the point where it is expected. When I provide people my resume, which is all true and accurate - perhaps even understated, they tend to believe it is inflated, and so they discount it. Since anyone can get a copy of my resume, it's not exactly hard for them to make one that looks about the same as mine, and most readers will never be able to tell the difference. Another popularity thing is "name dropping". "I did a security consulting job for the United Nations" or "My cryptosystem was approved by the NSA." are common sorts of claims. What most recipients of this sort of information fail to realize is that cryptosystems approved for export by the NSA tend to be easily broken. Almost every client I have ever had has told me not to reveal the fact that I work for them. It's a simple matter of operations security - if people know I did security work for XYZ company - they can try to break into my site or kidnap my children or whatever to get information about my client's systems. Press is related primarily to what sells newspapers, and the biggest believers of newspaper stories are top management. The stories that papers tend to publish and people tend to read are not about hard working people who do their job well day after day. They tend to be the bizarre cases - like teen hackers getting into the Pentagon - or the 16 year old "security consultant" that helped the local police break the codes on some criminal's PC. When you get in the media, people call you up and ask if you can do consulting for them. So the big accounting firms, and the hacker organizations, and the corporations with a lot of money trying to get into the market, all go after media. There are a few common strategies that work for getting media, none of them related to network security skills. One is to commit a crime and get caught - or better yet, commit a crime without getting caught and turn in your partners claiming to be a security consultant. This works even better if you have a member of the press along with you. You can make several million dollars this way. Another common strategy is to advertise. By advertising in a magazine or paper that is doing stories on computer security, you can often get the stories to mention your name or include your IP address. The press release is another popular way to get your name in the media - just make a weekly or monthly announcement about a new security product or service. They don't even have to be real - as long as you get your name in the media. The real thing to understand about the media is that it does not know how to evaluate information security expertise any better than your CEO. They believe most of what you tell them and they want sensation to sell papers. People the CEO knows lead to personal sales. This is a very effective way to sell, but it has its limitations too. Your friend's son Jim is looking for work, so you tell your friend the CEO about Jim being a security consultant and Jim gets a consulting job. If Jim is not very good, then the employees who have to work with Jim know it pretty soon, but they don't dare tell the CEO about it - at least not directly. So we pick our experts based on anything but their expertise, and that's largely because it takes an expert to know an expert. Lacking the expertise to tell the difference, we do the best we can, and in today's market, that tends not to be very good. ---------------------------------------------------------------------------- You Ain't Seen Nothin' Yet The real problem in today's network security market is that there are probably really only a few hundred experts in the whole world, but there are tens of thousands of networks that are being secured. That means that more than 90 percent of the security is being done by people who are not very expert, and it also means that proclaiming yourself as a security expert gets you lots of work at high pay, which means that people who barely know how to spell computer, read a book or two and rush in to get the high pay. A client of mine had an employee who read a book on firewall security, checked out their firewall, and found it to be secure. My 15-minute automated checking program found several vulnerabilities, including a program allowing unauthorized users to get root access to the firewall computer and a previously unknown computer within the firewall. The book wasn't a bad book, but it doesn't make you an expert or substitute for having one. The highest pay to expertise ratio today seems to come from the "penetration tester" community. These are bottom crawlers that go to the Internet, do a search for "NT Security Holes", copy all of the programs they find, and run them against your systems. For this they charge you between one and two thousand dollars per day for a week or two - or as much as $20,000 to test a small corporation. If you want a report on the findings rather than a simple listing, it might cost another several thousand dollars and it will not be in terms that are meaningful to the organization. They leave residual vulnerabilities, the software may tell its original author that it is now providing a hole into the client's system, and it may destroy data along the way, but hey, you can't make an omlette without breaking a few eggs. One of my new clients recently hired one of the 'hackers' to test the security of an NT-based firewall. The hacker claimed to spend two days and was unable to get in. My evaluation said that the router password could be guessed and that standard NT attacks would work against it. There were also a lot of other vulnerabilities, but we'll ignore them for now. After getting the report saying that no hole could be found in two days, the client tried an off-the-shelf NT attack from the Internet. It got right in. The 'hacker' claimed that password guessing would take too long - it was a 4 digit password - which means that all of the passwords could be tried in only 9,000 guesses. My PC can easily do this in a day, and I don't have to sit and watch it. Security scans are all the rage today, and I think that they have some value, but only if you know what you are doing and why you are doing it. The most popular programs are ISS and Balista. They go through a few hundred common flaws that could allow trivial system entry and if they find them, they report them. Unfortunately, the reports tend to be rather useless unless you have an advanced degree in computer security, and they point to technical repair information that is barely readable. Even if you tried to fix everything they found, which nobody has budget to actually do, you would find that the fixes would stop parts of your system from working until you fixed other things, and these things are not documented in the scanners. The scanner rage comes partly from the cleaver move toward providing statistics on the number of vulnerabilities found. Security people can justify the cost of a scanner (more than twenty thousand dollars per copy for a program a teenager wrote in a week) because they show a measure of improvement. But of course new vulnerabilities show up every day, so even though an improvement in the statistic shows up, the actual number of holes is on the increase. If you want a consultant to run a scanner for you, that will cost between 1,000 and 2,000 dollars per day as well. If you want a CPA firm to do it for you, count on paying between fifty thousand and one hundred thousand dollars for their effort. The result will be a report that you cannot fully understand, and a management report that makes you look good, but doesn't really do anything for the corporation. At one site I know of, they did a comprehensive scan for known vulnerabilities with one of the most popular off-the-shelf scanners. The scans failed to indicate that several systems had user IDs that were the same as the name of the system, and that those user IDs had passwords that were the same as the name of the system. They discovered this only after someone broke into the machines. In the aftermath, when asked why they trusted a scanner which they knew had many such limitations, they indicated (as others have to me) that the scanner provided statistics so that as they scanned machines they had made changes to, they could show management that improvements had been made. It didn't matter that the improvements were to obscure potential vulnerabilities rather than obvious and easily exploitable ones that were completely missed. The management report would make them look good and that was their objective. A level above the real low-life of the security industry are the one-time systems administrators turned security consultants. In some sense, these people have some bone-fide value. They once had some level of responsibility for securing a real system, and they probably know most of the commonly used commands and perhaps they even have some experience with some of the programs you use. Generally, their security knowledge is minimal, but at least they know the right words and won't look like total idiots when they talk to your systems administrators. Of course your systems administrator will be able to snow them into believing that their system is completely secure, and they are not likely to ever test anything the systems administrator says because they are not used to the trust but verify way of doing business that is the hallmark of the security professional. These folks, even though they are better than the others listed above, tend to cost less! Yes, that's right. They only cost between one thousand and fifteen hundred dollars per day and they actually know something. In a recent assessment I worked on, a former AS/400 systems administrator turned security consultant came in to review an AS/400 system. As far as he could tell, it was more secure than any AS/400 he had ever administered, and he could find no way to get passed the security. He didn't bother to ask if there had been any detected incidents. There had. When I followed up, I found that an employee had been detected accessing salary records - caught because he tried to change one. It turned out he should not have had access to any of those records and could have read all the other employee information without being detected. When we dug deeper, we found more and more, until finally, we were able to effectively demonstrate the ability to alter arbitrary records and gain systems administration privileges undetected starting from the Internet. All of the detected flaws were detected by people who know security but don't know much about AS/400s. ---------------------------------------------------------------------------- How Do You Find Real Experts? There are a few tell tale signs of real experts, and real experts are the best way to find other experts. But be careful and cross-check wherever possible. Real experts tend to write articles for legitimate publications. For example, writing articles for 2600 is probably not a good reference point, but an article in "Network Security Magazine" or "Computers and Security" related to the interest area of the consulting to be performed is a good indicator. That is not to say that all the authors are good security consultants, but most of them know something about the field. Real experts go to public meetings and conferences to hear what other people have to say and give presentations of their own. For example, many real experts will show up at "Computer Security Institute" conferences or in "MIS Training Institute" short courses, and they will tend to be invited to give talks and to return time and again. If someone has given talks for several years in a row at the same conference, chances are the audience found value in what they had to say. Real experts don't claim to be experts in every aspect of the information protection field. They may assert that they are knowledgeable across the board, but if they claim to know all about the details of security for every operating system and every platform, chances are very good that they are not really experts in any of them. There are just too many specifics in today's environment for anybody to know them all. Most of the best experts are very knowledgeable about a large number of them, but nobody knows it all. Years in the field is another great indicator of expertise. I have never met anyone with less than ten years of experience in information protection that I would call expert even in a narrow part of the field. Normally, it takes several years learn the basics of each of the many subfields, several more years to understand how the fields fit together, and several more years to get enough experience in real-world situations to be really useful. Anybody who trusts a 24 year old with making corporate decisions regarding billions of dollars in information assets is probably making a big mistake. ---------------------------------------------------------------------------- Summary and Conclusions: There's a lot of money in the information security field today and much of it is being spent unwisely. The large dollar values are driving large numbers of poor quality people into the business and they are getting outrageous pay rates when they have little to really offer. At the same time, there are legitimate experts who are increasingly unable to differentiate themselves from the folks with good sales teams. The combination is a recepie for disaster to the unwary or unititated. I hope that some of the ideas I have provided here are of some use, but I fear that we have a long way to go in this industry. ---------------------------------------------------------------------------- About The Author: Fred Cohen is a Principal Member of Technical Staff at Sandia National Laboratories and a Managing Director of Fred Cohen and Associates in Livermore California, an executive consulting and education group specializing information protection. He can be reached by sending email to fc@all.net or visiting http://all.net/