Security practices today. Or lack thereof
By: Erik Parker
Mind Security
Companies are not giving computer security the attention that it needs.
I have interviewed several System Administrators and Security
Administrators. What I found was what I had expected, that things just
aren't getting done the way they should be.
Most companies with more than 100 employees have their own computer
operations staff: Unix administrators, NT administrators, Novell
administrators, and so on, depending on the individual network.
Companies that are computer companies (making software, doing Internet
business, or depending on every single user having a working computer)
usually have larger network staffs, which makes sense.
All too often network security is not a concern on these smaller
networks. Even sadder, all too often it isn't a concern on larger
networks either: networks with thousands of users and a fulltime staff
of administrators, or companies with permanent in-house contractors.
"Network Security" is left up to the Administrators. That isn't so bad
if your administrators happen to be security specialists. However, most
of the time that isn't the case.
Companies either expect their network to be secure, or simply have no
expectations at all. Many places don't have policies, or plan to start
one someday, but don't want to bother until it becomes a problem: after
they have been hacked, or inside information starts leaking out and the
SEC is coming down their throat.
We interviewed 7 Unix Administrators, and 3 NT Administrators. We
didn't gain any worthwhile knowledge from the NT Administrators, as
none of them knew about security or were concerned with it. If I had
more time, I could have interviewed some that dealt with their own
firewalls and all the network security. So from here on out, I will
refer to only Unix Admins. All of the Unix Admins we interviewed
were in charge of keeping their machines secure. Some were in charge of
their firewall, some weren't.
The most common security practice was simply shutting down services
that weren't needed. End of story. In other cases the Admins would keep
lists of patch levels, and every couple of months check for new
versions of the daemons they were running. Many of them didn't know how
to search their machines for SUID binaries, and couldn't understand why
it would matter. Several others claimed that they didn't bother to shut
down services, because the firewall blocked all incoming connections to
those machines except on specific ports, like SMTP and HTTP. When I
asked those Admins if they were in control of their entire network, some
were, and some weren't. The ones who weren't said they knew of other
points of entry into the network besides the firewall that controls
direct access to their specific server cluster.
I asked each person the same set of questions, and I never went on to
ask follow-up questions to counter their responses, mainly because if I
had, I would have been teaching them security and putting thoughts into
their heads. Well, that is why this article is being written. I was surprised
to hear a few administrators tell me that they didn't worry about
security breaches, because there was nothing on their network that
hackers or crackers would care about. I guess I had to chuckle about
that.
There doesn't have to be a top-secret file, some new operating system,
or anything else plainly obvious to be worth stealing. Most of the hacks
and cracks that you hear about are done for web page changes, since
that is what gets into the media most often. Many hacks go unreported
as well, for reasons of the stock market and embarrassment, and several
Admins won't even admit a hack to their own boss after finding out
about it, as they think it will be seen as their fault. Unless they are
the security admin, and properly trained in it, it shouldn't be their
fault.
Companies often hire security penetration engineers, or if you will,
strike teams, to break into their network and test security, from
outside or inside. Sometimes they don't bother to give these teams user
level access, which is very stupid, since regular users could be the
very problem. Also, quite often a machine will be compromised via a
daemon that isn't running as root, granting the intruder only the
daemon's user level access; from there they can gain root through local
exploits, the same local exploits some companies never have the strike
teams check for.
Some of the Security Administrators I spoke to gave me a quick
rundown of what they do to secure a network. Their quick list was to set
up a firewall and only allow the access that was needed. I won't go into
detail about proper firewall rules and such; I don't want to get that
technical here. They also said they would remove utilities that aren't
going to be used on the servers. For instance, take an Ultra 5 with
Solaris 7 on it that has one function: to run Apache and serve web pages
all day, and do nothing else. Does it need the capability to print? Does
it need OpenWindows or CDE installed? No. These Admins would remove
packages not needed, and other ones that aren't in use by the system.
Others that may be used by the Admins at some point, and are set-UID
root, get their SUID bit removed; users don't need root level access to
most of these. On most systems, if you would like to see all of the
regular files that are SUID or SGID (the command matches both), issue
this command:
`find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ldb {} \; >> output.log`
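The command above is a one-shot listing. The following script is an added example written for this article, not code from the original or from any vendor: it keeps that listing as a baseline and reports any SUID or SGID file that appears (or changes mode or owner) afterwards, which on a single-purpose web server is the kind of thing you want to hear about right away. The function names, the default baseline path /var/adm/suid.baseline and the use of comm(1) for the comparison are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: baseline and re-check the
# SUID/SGID files on a host. Assumptions: POSIX find, ls, awk, sort and comm;
# run as root so find can traverse every directory. Paths containing spaces
# are not handled by the awk field split below.

# Print "mode owner path" for every SUID or SGID regular file under $1, sorted
# so that two listings can be compared with comm(1).
suid_list() {
    find "${1:-/}" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $NF }' | sort
}

# Record the current listing of $1 as the baseline file $2.
suid_baseline() {
    suid_list "$1" > "$2"
}

# Compare the current listing of $1 with baseline $2. Prints every entry that
# is not in the baseline (a new file, or a changed mode or owner) and returns
# 1; returns 0 when nothing has changed.
suid_check() {
    new=$(suid_list "$1" | comm -13 "$2" -)
    if [ -n "$new" ]; then
        printf 'New or changed SUID/SGID entries:\n%s\n' "$new"
        return 1
    fi
    return 0
}

# Usage: suidcheck.sh baseline [root] [file]
#        suidcheck.sh check    [root] [file]
# (assumed script name and default baseline path)
case "${1:-}" in
    baseline) suid_baseline "${2:-/}" "${3:-/var/adm/suid.baseline}" ;;
    check)    suid_check    "${2:-/}" "${3:-/var/adm/suid.baseline}" ;;
esac
```

Run `baseline` once after the machine is built and stripped down, then `check` from cron; a non-zero exit is the signal to go and look, since a SUID binary appearing on a box that only serves web pages has no good explanation.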
The other things the Admins said they would do are to keep up to date
on all of the patches, and actively keep up with their software. I
personally subscribe to the software maker's announcement list,
development lists, and user list. This makes for a pretty busy procmail,
but you will catch things early on. Other things Security Admins do are
to secure every machine, and not trust any machine they aren't in control
of from anywhere on their network. They of course shut off all services
not needed, like 98% of what is in /etc/inetd.conf. Any daemon that will
run properly chrooted to its own directory gets set up that way. Any
program that can run as a non-privileged user gets set up that way too.
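To make "shut off 98% of inetd.conf" and "run as a non-privileged user" concrete, here is an added shell audit (not from the original article): it lists the entries still enabled in an inetd.conf, flags those that run as root, and comments a named service out. The inetd.conf contents written by inetd_sample_conf are constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original article: audit an inetd.conf for
# enabled services, show which run as root, and disable one by name.
# Assumptions: the classic inetd.conf layout
#   service socket-type protocol wait/nowait user server-program args
# and a POSIX awk. The sample configuration below is constructed.

# Write a small constructed inetd.conf to the path given as $1.
inetd_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd      in.ftpd -l
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd   in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd      in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
#echo   stream  tcp     nowait  root    internal
EOF
}

# Print "service user" for every enabled (uncommented) entry in $1. The user
# field may carry a group as user.group or user:group; only the user is kept.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { split($5, u, /[.:]/); print $1, u[1] }' "$1"
}

# Print the enabled services in $1 that run as root: the first candidates
# either to disable or to move to a non-privileged account.
inetd_root_services() {
    inetd_enabled "$1" | awk '$2 == "root" { print $1 }'
}

# Copy $1 to standard output with the line for service $2 commented out.
# Redirect to a new file, review it, then replace the real one and HUP inetd.
inetd_disable() {
    awk -v svc="$2" '$1 == svc && !/^[ \t]*#/ { print "#" $0; next } { print }' "$1"
}
```

Running inetd_root_services against a real /etc/inetd.conf gives a short list to work through: each entry either goes, moves to an unprivileged user where the daemon allows it, or gets a written reason to stay.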
There is more that a dedicated Security Administrator does, but there
is just too much to go through here. Keep in mind that you should avoid
installing software from binary distributions where possible. With
source you can read the code if you wish, and compile without the extra
options you may not need. Often exploits for programs are in features
you didn't really need, but that got compiled in by default.
I won't touch on it much here, but intrusion detection can be a good
way to go as well. There are many types of software and even hardware
that do it. You can monitor your systems for attacks, attempts, or
full-blown break-ins. There is also a program called "Anti-Sniff" that
is just that: a sniffer detector. If one of your machines is
compromised, and someone is sniffing your network for passwords, data,
or some other information, this will detect it. You can find Anti-Sniff
at http://www.l0pht.com/antisniff/.
We also recommend, for networks with more than a couple of machines,
setting up a dedicated log host. This machine serves ONE function, and
one alone: to log. You set up all your remote machines to have their
syslog sent off to this machine. It doesn't need to be a huge box, or an
expensive box. I have used a 486-100 running Linux, with 35 servers
logging to it. Put a 20 gig drive in it, and have it compress logs every
so often. Works like a dream. If you use a big server for it, you will
often find your management having this "Great Idea" to use it to run
other services as well. I personally have been asked before to make our
loghost the ssh gateway from the outside; I hope you can see the
problems in that yourself.
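As an added example (not from the original article) of the loghost setup, the following script shows the client-side syslog.conf forwarding line and the "compress logs every so often" job for the loghost itself. The directory /var/log/hosts, the seven-day cut-off, the function names and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: the two halves of the
# dedicated loghost. On every client, one syslog.conf line forwards all
# facilities and priorities to the loghost ("loghost" must resolve via
# DNS or /etc/hosts):
#
#     *.*    @loghost
#
# On the loghost, a cron job compresses log files that have aged past a
# cut-off so the disk lasts. Assumptions: POSIX find and gzip; files are
# rotated by syslog or a separate job, so only files older than $2 days
# are touched and anything already ending in .gz is left alone.

# Compress every regular file under $1 whose modification time is more than
# $2 days old (default 7), skipping files that are already compressed.
compress_old_logs() {
    dir=$1
    days=${2:-7}
    find "$dir" -type f ! -name '*.gz' -mtime +"$days" -exec gzip -9 {} \;
}

# Quick inventory of the loghost tree: how many files under $1 are
# compressed and how many are still plain text.
log_inventory() {
    printf 'compressed=%s uncompressed=%s\n' \
        "$(find "$1" -type f -name '*.gz' | wc -l | tr -d ' ')" \
        "$(find "$1" -type f ! -name '*.gz' | wc -l | tr -d ' ')"
}

# Intended to run from cron on the loghost, e.g. once a night
# (assumed script path and directory):
#   0 3 * * * /usr/local/sbin/compress_old_logs.sh run /var/log/hosts 7
case "${1:-}" in
    run) compress_old_logs "${2:-/var/log/hosts}" "${3:-7}" ;;
esac
```

Keep the loghost doing exactly this and nothing else: the fewer services it runs, the less an intruder on another box can do to the one copy of the logs that was not on the machine they broke into.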
Something else that is difficult for companies to understand and put up
with (and many don't, and end up suffering because of it) is the fact
that many skilled Administrators spend a lot of time associating
themselves with what the media and the US government would classify as
black hat hackers. However, they are the very people we are protecting
networks against, and they often get information before we do. They are
often a great resource for information, and even for tips when you have
questions. You have to know both sides to be successful. We aren't
hurting them any by securing the networks; there will always be networks
out there that aren't secure. It also gives them more of a challenge in
life, which is often something they consider fun. I personally don't
believe in the labeling of white hats or black hats, as many people who
are considered to be black hats go to work every day in a suit and tie,
get paid 150k a year, and are the best security administrators there
are. There isn't a ton like that, but some of them are batting for both
teams. What would that make them, gray hats?
There is a bigger problem that exists. It is what we call Upper
Management. You know, the person who signs your purchase orders, gives
you your paycheck, and the same person who never thinks about security.
It costs money, and that is bad. They think that because they don't see
a problem, there is nothing to fix. What stupid logic that is. You won't
ever see a skilled hacker, as they will come in, get what they want,
disappear, and perhaps never run across your network again. I think it
is much better to have a cracker hit a site than a hacker. I'd much
rather have a server erased, or a web page changed, than have a hacker
come in, rip off software, documents, or project plans that my company
has been working on for years, and sell them to competitors, or post
them on some stock board, and make my company's stock fall 50%.
Upper management doesn't care about that. They either don't understand
what security is, or just don't think it could happen to them. The
problem is, you will rarely, most likely never, look like a hero at your
company. If you do get the go-ahead to do serious security work, hire an
outsider, or hire a fulltime security admin, and they do a good job, you
won't get hacked. Life goes on as it was, and it seems like a waste of
money. Your boss doesn't lose sleep at night thinking about how insecure
your network is, but you might, since it is your fault either way if it
gets hacked. If you don't implement security, then you are certainly not
shown off as a hero, unless you track the intruder down, file suit, he
happens to be rich, and your company makes a boatload of money. That is
not likely to happen: once it's reported to the FBI, and they do their
research, and maybe even raid someone, it is years later, and you have
moved on to a new company.
You have to think up every single problem on the network, what could
happen, and show it to your boss. Make a chart, show problems, and show
costs. In most cases the cost of cleanup, and the potential loss of
money, is far more than hiring a security staff. Some Upper Management
understand more clearly if you put it simply, such as "Do you get the
oil in your Porsche changed every three to five months, even though
nothing was wrong?" Most likely they do, or at least know that they
SHOULD. It is a fact that if you keep up the maintenance schedule, you
have fewer problems. Well, it's the same way with computers. It is
difficult in most companies, very difficult. Even worse if you are
working for the government, since every penny has to be cleared, and it
takes time. Most of the time you either end up doing it and never
getting recognized, or paid. If you don't have the time, well, that
would explain why you see so many government cracks listed on web page
defacement sites like attrition.org.
It is a difficult job, and if you work for a consulting company, you
are in luck. It most likely isn't your job to sell the audits; you just
do them for the company that was convinced it needed them. You do have a
harder job though, and that is writing up a security policy and making
the company understand they MUST follow it. Many just want their network
locked down, and don't care about a policy. If you only care about the
money, so be it. If you care about doing the best job you can, getting
the security done right, you need to make them understand they have to
make your security policy, well, policy.
Security today, and in the past, just isn't what it needs to be. Most
companies consider it to be a pain, and an expense that isn't needed or
justified. Companies need to focus on this area, and big companies need
to hire a fulltime security admin, or keep an open account with a
contractor for routine security audits, and have their administrators
trained on keeping up to date on things. All companies should have
someone who monitors mailing lists like Bugtraq or NT Bugtraq, depending
on what platforms they are running.
Things need to change, and if you are in a position where you can do
that, I suggest you do it right now. If you firmly believe in the future
of the Internet and e-commerce, consider this: if I were the only person
buying things online, every e-commerce site would shut down, because I
just can't afford to keep them all going. I've talked to a couple of
people who say they won't buy anything online. They don't think their
credit cards, or their personal information, are secure. People are
scared of it, and they keep hearing about hackers and all these evil
things going on that they don't understand. Many web sites try to
comfort people by explaining the encryption method the browser uses, and
leave it at that. For the people who have been living under rocks, and
have only heard about credit card stealing, and not about hacking and
computers being compromised, or for the people who just don't understand
what that means, they think that encrypting their data in transit is all
there is to it. Many people don't realize that when hackers get credit
card numbers, they usually get them in bulk: rarely from sniffing, but
from compromising the machine that holds these plain text files, or the
databases holding the information.