Interesting People mailing list archives

a rebuttal: Security Biz Thrives on Fear


From: Dave Farber <dave () farber net>
Date: Wed, 16 Apr 2003 15:19:30 -0400


------ Forwarded Message
From: Bob Alberti <alberti () sanction net>
Date: Wed, 16 Apr 2003 14:13:17 -0500
To: dave () farber net
Subject: RE: [IP] Security Biz Thrives on Fear 

As a security consulting professional, I find such articles annoying and
irresponsible.  Annoying because the biggest obstacle to security that I
encounter out in the field is DENIAL.  Irresponsible because so many
organizations turn a blind eye towards security, and articles with this tone
only serve to justify this irrational behavior.  Fear is hardly
inappropriate when there is something to be afraid of.

But denial IS inappropriate.  One prospective client refused any assistance
with security until the day they were compromised:  then they phoned for
immediate assistance.  However, the next day they had convinced themselves
that having once been hacked they would never be attacked again, and refused
further help.  This "lightning never strikes twice" denial persisted,
despite the fact that their IP was listed on the hacker defacement sites
such as http://lists.insecure.org/lists/alldas/2002/Oct/ (outdated site
deliberately referenced).

Another client wanted their external firewall scanned to determine why their
internal network kept becoming unusable every day at 2:00 p.m.  When I
suggested their internal network be examined I was angrily accused of trying
to "upsell", and shown the door.

In many ways security consulting is like being a doctor:  you can't force
someone to seek your help, accept your diagnosis, or take their medicine.
And a lot of people and organizations deny their symptoms until it is too
late.  Articles like the one quoted reinforce the "ignore the problem"
attitude that so many companies adopt.

If the security profile of the typical company were not, frankly, abysmal,
then charges of fearmongering would be hard to refute.  Unfortunately it is
all too easy to discover glaring security vulnerabilities in most corporate
networks.  You don't have to believe me; you can check for yourself:
  - Download a sniffer (http://www.ethereal.com) and find IDs and passwords
    traveling in cleartext on your network.
  - Install a wireless card and Netstumbler (http://www.netstumbler.com) on a
    laptop and see how many wide-open access points you find in your workplace
    or neighborhood.
  - Change your workstation's administrator password (this takes ten minutes
    and a floppy disk), then crack all the passwords on your computer in fifteen
    seconds or less with L0phtcrack (available through Google search). Use the
    network administration passwords that you find to log into other computers
    on your network.
  - Play with the "NET SEND * MESSAGE" command and see how many of your
    coworkers you can harass with bogus messages (actually I suggest you test
    this one at home).

Such simple experiments, using only free software easily available on the
Internet, are easy to carry out and can begin to illuminate the security
profile of your network.

Just do me a favor and try not to ignore what you find.  The hackers won't.
And if that scares you, well, maybe it should.

Bob Alberti, CISSP, President          Sanction, Inc.
Phone: (612) 961-0507                   PO Box 583453
http://www.sanction.net           Mpls, MN 55458-3453

------ End of Forwarded Message


Archives at: http://www.interesting-people.org/archives/interesting-people/
