Hacker News Network

Security practices today, or lack thereof


By: Erik Parker, Mind Security

Companies are not giving computer security the attention it needs. I have interviewed several system administrators and security administrators, and what I found was what I had expected: things just aren't getting done the way they should be.

Most companies with over 100 employees have their own computer operations staff: Unix administrators, NT administrators, Novell administrators, etc., depending on the network. Companies that are computer companies, that make software, do Internet business, or depend on every single employee using a computer, usually have larger network staffs. Makes sense, right?

All too often network security is not a concern on these smaller networks. Even sadder, all too often it isn't a concern on larger networks either: networks with thousands of users and a full-time staff of administrators, or companies with permanent in-house contractors. "Network security" is left up to the administrators. That isn't so bad if your administrators happen to be security specialists, but most of the time that isn't the case.

Companies expect their network to be secure, or just don't think about it at all. Many places don't have policies, or plan to someday start one, but don't want to bother until it becomes a problem: after they have been hacked, or after inside information starts leaking out and the SEC is coming down their throats.

We interviewed seven Unix administrators and three NT administrators. We didn't gain any worthwhile knowledge from the NT administrators, as none of them knew about security or were concerned with it. With more time I could have interviewed some who dealt with their own firewalls and all of their network security. So from here on out I will refer only to the Unix admins. All of the Unix admins we interviewed were in charge of keeping their machines secure; some were in charge of their firewall, some weren't.

The most common security practice was simply shutting down services that weren't needed. End of story. In other cases the admins would keep lists of patch levels and every couple of months go out and check for new versions of the daemons they were running. Many of them didn't know how to search their machines for SUID binaries, and couldn't understand why it would matter. Several others claimed that they didn't bother to shut down services, because the firewall blocked all incoming connections to those machines except on specific ports, like SMTP and HTTP. A firewall that passes SMTP and HTTP still delivers every attack aimed at the mail and web daemons themselves, and does nothing about an attacker who is already inside. When I asked those admins whether they were in control of their entire network, some were and some weren't. The ones who weren't acknowledged that there were other points of entry into the network besides the firewall that controls direct access to their specific server cluster.

I asked each person the same set of questions, and never went on to ask follow-up questions to counter their responses, mainly because if I had, I would have been teaching them security and putting thoughts into their heads. Well, that is why this article is being written. I was surprised to hear a few administrators tell me that they didn't worry about security breaches, because there was nothing on their network that hackers or crackers would care about. I had to chuckle at that.

There don't have to be top-secret files, some new operating system, or anything else plainly valuable. Even a machine with nothing on it is worth taking as a place to sniff passwords from, or as a jumping-off point for the next network. Most of the hacks and cracks you hear about are done for web page defacements; that seems to be what is in the media most often. Many hacks go unreported as well, for reasons of the stock market or embarrassment, and several admins won't even admit to their own boss after discovering a break-in, as they think it will be seen as their fault. Unless they are the security admin, and properly trained for it, it shouldn't be.

Companies often hire security penetration engineers, or if you will, strike teams, to break into their network and test security from outside or inside. Sometimes they don't bother to give these teams user-level access, which is very stupid, since regular users could be the very problem. Also, quite often a machine is compromised via a daemon that isn't running as root, which grants the intruder only the daemon's user-level access; from there they gain root through local exploits, the same local exploits some companies never have the strike teams check for.

Some of the security administrators I spoke to gave me a quick rundown of what they do to secure a network. Their quick list was to set up a firewall and only allow the access that was needed. I won't go into proper firewall rules and such; I don't want to get that technical here. They also remove utilities that aren't going to be used on the servers. For instance, take an Ultra 5 with Solaris 7 that has one function: to run Apache and serve web pages all day, and do nothing else. Does it need the capability to print? Does it need OpenWindows or CDE installed? No. These admins would remove packages that aren't needed, and other ones not in use by the system. Other binaries that the admins may use at some point, but that are set-UID root, get their setuid bit removed; users don't need root-level access through most of these. On most systems, to list every set-UID or set-GID file, issue this command:
`find / \( -perm -4000 -o -perm -2000 \) ! -type d -exec ls -ldb {} \; >> output.log`
The `! -type d` keeps set-GID directories out of the list; add `-user root` to see only root-owned files.
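Listing the files is the first step; the admins' actual practice, stripping the bit from binaries users don't need and noticing when a new set-UID file shows up, can be made a repeatable job. The following script is an added example for this article, not code from the author or from Mind Security; the baseline file and keep-list file it reads, and the paths in the usage comment, are assumptions:

```sh
#!/bin/sh
# Added example, not code from the original article: an audit of set-UID
# and set-GID files that (1) inventories them, (2) compares the inventory
# against a baseline saved earlier, and (3) strips the bits from anything
# not on a keep-list. The baseline file and keep-list file are assumptions
# of this script, not part of any stock system.

# Print every set-UID or set-GID regular file under $1 as "mode owner path",
# sorted by path. Errors from unreadable directories are silenced.
list_setuid() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    sort |
    while read -r f; do
        set -- $(ls -ld "$f")        # $1 = mode, $3 = owner
        echo "$1 $3 $f"
    done
}

# Compare the current inventory of $1 with the baseline file $2 (produced by
# an earlier "list_setuid / > baseline"). Returns 0 when nothing changed,
# 1 when a set-UID/set-GID file appeared or disappeared (and prints which).
diff_setuid() {
    tmp=$(mktemp) || return 2
    list_setuid "$1" > "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    echo "set-UID/set-GID inventory changed since baseline (< baseline, > now):"
    diff "$2" "$tmp" | grep '^[<>]'
    rm -f "$tmp"
    return 1
}

# Remove the set-UID and set-GID bits from every file under $1 whose exact
# path is not listed, one per line, in the keep-list file $2.
strip_setuid_except() {
    list_setuid "$1" | while read -r mode owner path; do
        if ! grep -qFx "$path" "$2"; then
            chmod u-s,g-s "$path" && echo "stripped: $path"
        fi
    done
}

# Usage, run as root on the real system (the paths are examples):
#   list_setuid /              > /var/adm/setuid.baseline   # once, after install
#   diff_setuid / /var/adm/setuid.baseline                  # from cron, daily
#   strip_setuid_except / /etc/setuid.keep                  # after reviewing the list
```

The keep-list is whatever your box genuinely needs (su, passwd and the like); everything else on the list is a candidate for `chmod u-s`, and a baseline diff that suddenly shows a new set-UID shell in /tmp is exactly the kind of thing the "nothing here worth hacking" admins never find out about.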
The other things the admins said they would do are to keep up to date on all of the patches and to actively keep up with their software. I personally get on the software maker's announcement, development, and user mailing lists. This makes for a pretty busy procmail, but you will catch things early. Other things security admins do are to secure every machine, and to trust no machine they aren't in control of, from anywhere on their network. They of course shut off all services that aren't needed, like 98% of what is in /etc/inetd.conf. Any daemon that will run properly chrooted to its own directory gets set up that way. Any program that can run as a non-privileged user gets set up that way.
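To make "shut off 98% of /etc/inetd.conf" concrete, here is an added example (not the author's code) that comments out every active inetd service except an allow-list and shows what is left. The inetd.conf it runs against in the demo is constructed for the example, not copied from any vendor:

```sh
#!/bin/sh
# Added example, not code from the original article: disable every inetd
# service except an explicit allow-list, then show what is still enabled.
# An inetd.conf line has the shape
#   service  socktype  proto  wait|nowait  user  server  [args...]
# and a line starting with "#" is a comment.

# Print the names of the services still active in the inetd.conf given as $1.
inetd_enabled() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# Rewrite the inetd.conf $1 in place so that only the services named in the
# remaining arguments stay active; every other active line is commented out
# with a marker so the change is easy to review or undo later.
inetd_disable_all_but() {
    conf=$1; shift
    tmp="$conf.tmp.$$"
    awk -v allow="$*" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { print; next }    # comments and blank lines untouched
        ($1 in keep)        { print; next }
                            { print "#disabled# " $0 }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# A constructed inetd.conf of the kind shipped by default around 2000,
# used for the demo below (not a copy of any real vendor file).
sample_inetd_conf() {
    cat <<'EOF'
# sample inetd.conf (constructed)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo    stream  tcp  nowait  root    internal
EOF
}

# Demo on the constructed file; run the script with the single argument "demo".
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    sample_inetd_conf > "$f"
    echo "enabled before:"; inetd_enabled "$f"
    inetd_disable_all_but "$f" ftp
    echo "enabled after:";  inetd_enabled "$f"
    rm -f "$f"
fi
```

Run it against /etc/inetd.conf, then signal inetd to reread the file (send it a HUP; on Solaris 7, `pkill -HUP inetd`) and confirm with `netstat -a` that the listeners are gone. For the web-only Ultra 5 above, the allow-list is empty.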

There is more that a dedicated security administrator does, but there is too much to go through here. Keep in mind that you should never install software from binary distributions if you can avoid it. With source you can read the code if you wish, and compile without the extra options you don't need; often the exploit for a program is in a feature you never needed but that got compiled in by default.

Something I am not touching on much, but worth considering, is intrusion detection. There is software, and even hardware, that does it, and you can monitor your systems for attacks, attempts, or full-blown break-ins. One such tool is "Anti-Sniff", which is just that: a sniffer detector. If one of your machines is compromised and someone is sniffing your network for passwords, data, or other information, this will detect it. You can find Anti-Sniff at http://www.l0pht.com/antisniff/.

We also recommend, for networks with more than a couple of machines, setting up a dedicated log host. This machine serves ONE function, and one alone: to log. You set up all your remote machines to send their syslog output to this machine. Whoever compromises a box can edit that box's own logs, but not the copies that already reached the log host. It doesn't need to be a huge box, or an expensive one. I have used a 486-100 running Linux with 35 servers logging to it. Put a 20 gig drive in it and have it compress logs every so often. Works like a dream. If you use a big server for it, you will often find your management having the "great idea" to use it to run other services as well. I personally have been asked to make our loghost the ssh gateway from the outside; I hope you can see the problem with that yourself.
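The loghost described above, as an added example rather than the author's own setup: the client-side syslog.conf line, the compression job, and the check a central log host makes possible, noticing a server that has stopped sending (a quiet box may simply be down, or may have a syslogd that someone killed). Host names, paths, thresholds and the sample log lines are constructed:

```sh
#!/bin/sh
# Added example, not code from the original article: the pieces of a
# dedicated log host. Host names, paths, thresholds and the sample log
# lines are all constructed for the demo.

# The syslog.conf entry for each client: every facility and priority goes
# to the loghost ($1) in addition to the local files. Append it to
# /etc/syslog.conf and HUP syslogd. Classic syslogd insists on a tab
# between the selector and the action.
client_syslog_conf() {
    printf '*.*\t@%s\n' "$1"
}

# On the loghost: list log files under $1 untouched for more than $2 days
# that are not yet compressed, then gzip them (the "compress logs every
# so often" job, to run from cron).
old_logs() {
    find "$1" -type f ! -name '*.gz' -mtime +"$2" -print
}
compress_old_logs() {
    old_logs "$1" "$2" | while read -r f; do gzip -9 "$f"; done
}

# The check a loghost makes possible: which hosts have stopped sending?
# Reads BSD-style syslog lines ("Aug 16 14:02:11 host prog[pid]: msg")
# from $1 and prints "host N min" for every host whose last message is
# more than $2 minutes older than the newest message in the file. The
# lines carry no year, so the month table assumes a non-leap year; that
# is fine for thresholds of minutes or hours.
silent_hosts() {
    awk -v limit="$2" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        split("0 31 59 90 120 151 181 212 243 273 304 334", cum, " ")
    }
    # minutes since Jan 1 for a (month name, day, hh:mm:ss) triple
    function minutes(mo, d, t,    hm) {
        split(t, hm, ":")
        return (cum[mon[mo]] + d - 1) * 1440 + hm[1] * 60 + hm[2]
    }
    NF >= 5 && ($1 in mon) {
        t = minutes($1, $2, $3); h = $4
        if (!(h in last) || t > last[h]) last[h] = t
        if (t > latest) latest = t
    }
    END {
        for (h in last)
            if (latest - last[h] > limit) print h, latest - last[h], "min"
    }' "$1" | sort
}

# Constructed sample of what the loghost collects from three servers.
sample_syslog() {
    cat <<'EOF'
Aug 16 14:00:05 www1 sshd[1201]: Accepted password for erik from 10.0.0.7
Aug 16 14:02:11 www2 httpd[320]: starting
Aug 16 15:10:44 db1 su: 'su root' succeeded for erik on /dev/pts/2
Aug 16 16:30:00 www1 cron[88]: (root) CMD (run-parts /etc/cron.hourly)
Aug 16 16:31:12 www2 httpd[320]: GET /index.html from 10.0.0.9
EOF
}

# Demo; run the script with the single argument "demo".
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    sample_syslog > "$f"
    client_syslog_conf loghost.example.com
    silent_hosts "$f" 60     # db1 has been quiet for 81 minutes
    rm -f "$f"
fi
```

The silence check is the part worth running from cron: a server that stops showing up on the loghost has either crashed or had its syslogd stopped, and either way someone should go look. Forwarding with `*.*` is deliberate; the cheap loghost can afford the disk, and the one line you drop to save space is the one you need after a break-in.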

Something else that is difficult for companies to understand and put up with, and many don't, and end up suffering because of it, is the fact that many skilled administrators spend a lot of time associating themselves with what the media and the US government would classify as black hat hackers. They are the very people we are protecting networks against, yet they often get information before we do. They are a great resource for information, and even for tips when you have questions. You have to know both sides to be successful. We aren't hurting them by securing networks; there will always be networks out there that aren't secure, and it gives them more of a challenge, which is often something they consider fun. I personally don't believe in the labeling of white hats or black hats, as many people who are considered black hats go to work every day in a suit and tie, get paid 150k a year, and are the best security administrators there are. There aren't a ton like that, but some of them are batting for both teams. What would that make them, gray hats?

There is a bigger problem: what we call Upper Management. You know, the person who signs your purchase orders, gives you your paycheck, and never thinks about security. It costs money, and that is bad. They think that because they don't see a problem, there is nothing to fix. What stupid logic that is. You won't ever see a skilled hacker; they will come in, get what they want, disappear, and perhaps never cross your network again. I think it is much better to have a cracker hit a site than a hacker. I'd much rather have a server erased or a web page changed than have a hacker come in and rip off software, documents, or project plans my company has been working on for years, sell them to competitors, or post them on some stock board and make my company's stock fall 50%.

Upper management doesn't care about that. They either don't understand what security is, or just don't think it could happen to them. The problem is that you will rarely, most likely never, look like a hero at your company. If you do get the go-ahead to do serious security work, hire an outsider, or hire a full-time security admin, and they do a good job, you won't get hacked. Life goes on as it was, and it seems like a waste of money. Your boss doesn't lose sleep at night thinking about how insecure your network is, but you might, since it is your fault either way if it gets hacked. If you don't implement security, you are certainly not shown off as a hero either, unless you track the intruder down, file suit, he happens to be rich, and your company makes a boatload of money. That is not likely to happen: once it's reported to the FBI and they do their research, and maybe even raid someone, it's years later and you have moved on to a new company.

You have to think up every single problem on the network, what could happen, and show it to your boss. Make a chart, show problems, and show costs. In most cases the cost of cleanup and the potential loss of money is far more than hiring a security staff. Some upper management understand more clearly if you put it simply, such as "Do you get the oil in your Porsche changed every three to five months, even though nothing is wrong?" Most likely they do, or at least know that they SHOULD. Keep up the maintenance schedule and you have fewer problems; it's the same with computers. It is difficult in most companies, very difficult. Even worse if you work for the government, since every penny has to be cleared, and that takes time. Most of the time you either end up doing it and never getting recognized or paid, or you don't have the time at all, which would explain why you see so many government cracks listed on web page defacement sites like attrition.org.

It is a difficult job, and if you work for a consulting company, you are in luck: it most likely isn't your job to sell the audits, you just do them for the company that was convinced it needed one. You do have a harder job, though, and that is writing up a security policy and making the company understand they MUST follow it. Many just want their network locked down and don't care about a policy. If you only care about the money, so be it. If you care about doing the best job you can and getting the security done right, you need to make them understand they have to make your security policy, well, policy.

Security today, and in the past, just isn't what it needs to be. Most companies consider it a pain, and an expense that isn't needed or justified. Companies need to focus on the area: big companies need to hire a full-time security admin, or keep an open account with a contractor for routine security audits, and have their administrators trained to keep up to date. All companies should have someone who monitors mailing lists like Bugtraq or NTBugtraq, depending on the platforms they run.

Things need to change, and if you are in a position to change them, I suggest you do it right now. If you firmly believe in the future of the Internet and e-commerce, consider this: if I were the only person buying things online, every e-commerce site would shut down, because I just can't afford to keep them all going. I've talked to a couple of people who say they won't buy anything online; they don't think their credit cards or their personal information are secure. People are scared of it: they keep hearing about hackers and all these evil things going on that they don't understand. Many web sites try to comfort people by explaining the browser's encryption, and leave it at that. For the people who have been living under rocks, who have only heard about credit card theft and not about hacking and computers being compromised, or who just don't understand what that means, their data going over the wire encrypted seems to be all there is to it. Many people don't realize that when hackers get credit card numbers, they usually get them in bulk, rarely from sniffing, but from compromising the machine that holds the plain text files or databases containing the information.

These pages are Copyright © 2000 Hacker News Network All Rights Reserved.