Firewall Wizards mailing list archives
Re: Kinko's Waning Security
From: "S. Jonah Pressman" <jpressman () sympatico ca>
Date: Thu, 22 Apr 2004 12:21:54 -0400
Chuck, you make excellent points and seem to be extremely passionate about corporate security. Your methodology of airing corporate dirty laundry in public leaves a lot to be desired. In fact, you've just single-handedly issued an invitation to "black-hats" to sample the fruits inside your corporate walls. If I were your manager, I'd introduce you to the corporate legal counsel and then escort you to the door.
I am surprised that your note was posted by the moderator. Frankly, it should have been sent back to you with the suggestion to sanitize it before resubmission.
SJP

Paul D. Robertson wrote:
> On Wed, 21 Apr 2004, Chuck Vose wrote:
>> I work for Kinko's and I'm beginning to worry about the security from above. I would like to hear advice on how to request greater security when you have no buying power or authority at all (the copy guy downstairs doesn't get a whole lot of say over the network decisions).
> Getting security budget really needs to be a culture change for most large organizations. Typically, there's a delicate balance between being the guy who informs everyone, and being that pain-in-the-rear who used to work here... For a business, the real key is risk, not security. How imminent are the threats, how much do the protections cost, and which things should be addressed first...
>> For instance, passwords are getting weaker and weaker. It used to be mandatory to have a 4 digit password to access the register, however it's been lowered to 1 digit. This seems like an incredibly bad idea.
> On the surface it does, since a random attacker has a 1-in-N chance of figuring it out. However, a targeter of choice will likely get the password anyway- and the bar to doing so is pretty low (camera, yellow sticky, temp job...) So the real question is "how likely is an attacker to randomly attack and try a one character password versus using another method?" Reusable passwords suck; making them longer doesn't necessarily change your overall risk very significantly at all in terms of real-world attacks. If everyone was writing down the longer passwords, then it changes it not one bit. For a retail environment, I'd worry more about "How do I know it was employee X instead of employee Y?" for things like register passwords. The answer may well be "I have it on video."
>> Passwords on the email system and the internal core downloads have never changed. In fact, we wrote the password on a keyboard long, long ago and it's beginning to wear off just from people typing on it. I can't rub sharpie ink off with all the grit I can muster, yet it's wearing off through I can only assume erosion.
> Ah, see- here we have an example of why "strong" passwords suck! Someone always writes them down- in indelible ink on the keyboard is unreal. I'd consider putting a duress password on like that, or a false password that kicked off IDS.
>> Finally, our brand spanking new business card approval system has the same username and password for every branch in the world. I can access my neighboring branch's system and authorize or delete all the orders I like. Were I inclined I would make a fake order for 8 million business cards at another store, access the auth page, and let the store buy the cards. Once we release the store has to buy the cards even if they aren't sold, but the authorization process isn't limited at all. Hell, customers will probably start doing their own cards once they figure out the system (which knowing the internet, won't be long).
> This one is probably worth a risk analysis paper. If you're going to do one, and you want to stay employed, then I'd (a) never do anything that could be construed wrongly, and (b) get approval from someone in management *before* you write one. Propose it verbally first- then in writing- and explain that you're going to do it all on paper, that you're concerned for the business, etc.
>> What do you do when your employer is getting more and more stupid about security? I could go on about the problems, they touch into physical security, VLANs being the main security, poor password systems (in more than the items mentioned). In fact, Kinko's would probably make a fine "How not to secure your company" subject.
> If it's "Your problem" in that you're responsible for some part of it (rather than the general "I work here, so I share responsibility"), you do what you can to fix it, or you find somewhere else to go.
>> Compounded, I'm not sure that the manager will know or care. And I'm certain that our IT girl knows far less about it than he does. She doesn't know what spyware is nor why it's a problem for it to be on the ghost images that she uses once a month (there's viruses too). Help! Please!!
> I don't know if Kinkos is franchised or all company owned- if the latter, then someone has to "own" security- but they likely don't own store authority. That puts them in the fun spot. If you can figure out who it is, or if there's an internal audit department with infosec responsibility- then they're the folks who need to know. Unfortunately- talking to audit is often (and I'm speaking from experience here) taken the wrong way by executive management if they're under an audit[1].
>
> Here's an interesting approach- If you're in school (heck, I dunno- might be worth signing up to do it...) ask if you can do a risk assessment as a research project for your classes. However, balance the shock and awe with some *easy* and *inexpensive* ways for the company to fix these problems. Handing someone a laundry list of issues without any fixes is a sure way to end up the bad guy.
>
> If the IT person isn't skilled, then educate them- but NOT by rooting their machine and "proving" how bad things are. Explain about DDoS attacks, machine hopping, and everything. Explain about spyware's use in that, as well as the general trojan threat. Then give them 4 things (or less) they can do to remove most of the risk. Make sure it's easy and repeatable.
>
> I probably wouldn't refer to them as "IT girl" either- it sets a bad tone, and layer 8[2] is more important than the first 7 layers.
>
> Success in the corporate world is measured one step at a time. Going all out with the first push is more likely to fail than getting a step a month for a year.
>
> Paul
>
> [1.] I suppose it's considered poor form if the auditor has to have you come into the CIO's office to explain the results of their audit.
> [2.] The political layer.
>
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> paul () compuwar net which may have no basis whatsoever in fact."
> probertson () trusecure com
> Director of Risk Assessment
> TruSecure Corporation
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
--
S. Jonah Pressman
E: jpressman () sympatico ca / jonah () pressman ca
W: http://www.pressman.ca
P: 905-707-8323
C: 416-894-6067 (cell)