Re: [PEN-TEST] Testing a "rogue site"

[Wandering One <wanderingone () CORE COM>]

> More and more, without security, companies can be (temporarily) 'made to
> not exist' - i.e. brought down, sometimes for an extended period of time
> if a sufficient hit is made.  Business will *not* continue without data
> and communications.  What's more inconvenient, a few 'extra' steps
> between users and tasks (i.e. logging procedures, periodic re-education,
> etc.) or the inability to perform those tasks at all?   After all, we
> all got used to waiting in airports to get through the metal detectors.
>
> Corporate culture eventually will change to allow the 'inconvenience' of
> security procedures.  Most people here I suspect feel way too busy to
> 'fight city hall', or work on inculcating a security mindset within a
> company that ranks security low on the totem pole.  That doesn't mean
> that I think it isn't my job to educate those around me, just that I
> wouldn't want to work where I was fighting the current.  :)

I wish to disagree with you slightly on this point, more as to the strength
of it's use not the validity of the statement.

It is the Board of Directors of the companies decision as to which risks to
mitigate.  If they feel the risk of a possible DOS (or related attack) is
slim enough that they only wish to spend enough money to hire one person and
maybe a decent firewall in this years budget, as long as they had the
relevant data as to the risk and the results to the company should the risk
be realized then it's their decision.

Security, as much as those of us who have worked in the governmental as well
as private sector may wish it, is not the be all end all.  If your company
has no data to protect and can do business without their computers for a day
without losing their shirts, and the costs of such a loss may be less then
the cost of the solution to protect them versus this loss then they are
still in the positive.

An example.  Lets say I have a company that I am performing a Security
Assessment for.  During this assessment I realize that the company's
critical assets are the telephone lines and a few critical computers that
contain their HR data.  The computers containing the HR data are behind a
secure firewall with discretionary access control and the telephone lines
have a fail-over that can be placed in place within a 2 hour window (A
Business Continuity Plan of sorts in place for a major disaster covers
this), do I necessarily need to recommend to this client that the internet
connection that they have behind a weak firewall/proxy and the analog phone
lines on every desk need to be hardened at the cost of N+$50,000 where N is
the cost for the BCP plans implementation in the even of the failed phone
services.  I wouldn't be much of a consultant (at least a consultant with
the eye on the fact that he is there for the benefit of his client not to
line his own pockets) if I were to make any recommendation that would cost
them more to implement then the damage that a possible realized risk could
cause.

I realize the above example is simplistic in the extreme and there is not a
company out there that is that simple or even remotely close, but that is
what we as security professionals need to be able to determine.  Not always
what is the best and coolest security tool on the market and/or pay top
dollar for the big 5 security companies product just because their marketing
staff is damn good at making graphs the management/Board of Directors can
understand.

There is a trade-off between having perfect security and perfect usability.
Some companies need to be closer to the usability and others to the
security, so long as the risk analysis backs up the reasoning behind that
decision.  Ensure that a knowledgeable group has prepared the risk analysis
back it with Security Audits and Penetration Tests, and include that
information in the Risk Analysis.  Remember the ultimate goal is the
continuity of the business, whether that be the latest and greatest security
tool on the market (at least what the marketing people tell us is the
greatest) or whether that is just a contingency plan for a risk that may
possibly become realized.

Just a few random thoughts from someone who works both in the Business
Continuity and Security fields.

Wandering One