Thursday, September 18, 2008

Dumb Luck IS a Strategy!

While still at GOVCERT.NL, I attended a fun little presentation describing a penetration test (I cannot provide any more details as it was a "No Press" presentation - this post is not about it, but rather was inspired by it!)

In any case, if you do pentests, think about all the RECENT cases where you broke into a major corporation through:

  • a Solaris system with Internet-exposed telnet with a guessable password OR a telnet vulnerability (circa 1994!)
  • an exposed VPN appliance with a manufacturer's administrator password
  • a router with default "enable" password
  • or, something else entirely - but something that rivals the above example in its unparalleled, unbelievable, abysmal, deep idiocy.
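Two of the exposures in that list (a default "enable" password and telnet on the management plane) can be caught by reading the device's own configuration before anyone else does. What follows is an added example, not code from the original post: a small audit of a Cisco IOS-style running-config that flags a default or cleartext enable password and any vty line that accepts telnet without a login or with a well-known password. The configuration text is constructed for illustration, the list of "well-known" passwords is an assumption, and the code assumes that a vty line with no explicit `transport input` still accepts telnet (the classic IOS default; newer images may differ).

```python
"""
Added example (not from the original post): audit an IOS-style running-config
for the "dumb luck" exposures the post lists. The sample configs below are
constructed; the default-password list is an assumption, not a vendor list.
"""
import re

# Constructed sample, deliberately bad in the ways the post describes.
SAMPLE_CONFIG = """\
hostname edge-rtr
!
enable password cisco
!
line vty 0 4
 password cisco
 transport input telnet
 login
line vty 5 15
 no login
 transport input all
!
end
"""

# Constructed hardened counterpart: hashed enable secret, SSH-only vty, local login.
# The secret value is a placeholder, not a real hash.
HARDENED_CONFIG = """\
hostname edge-rtr
!
enable secret 5 $1$placeholder$hash
!
line vty 0 15
 login local
 transport input ssh
!
end
"""

# Assumed list of passwords a scanner or a bored attacker tries first.
DEFAULT_PASSWORDS = {"cisco", "admin", "password", "root", "enable", "secret"}


def parse_vty_lines(config):
    """Return one dict per 'line vty' block: name, password, login flag, transport."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = {"name": raw.strip(), "password": None,
                       "login": False, "transport": None}
            blocks.append(current)
        elif current is not None and raw.startswith(" "):
            cmd = raw.strip()
            if cmd == "no login":
                current["login"] = False
            elif cmd == "login" or cmd.startswith("login "):   # 'login', 'login local'
                current["login"] = True
            elif cmd.startswith("password "):
                current["password"] = cmd.split(None, 1)[1]
            elif cmd.startswith("transport input "):
                current["transport"] = cmd.split(None, 2)[2]
        else:
            current = None  # any non-indented line ('!', 'end', ...) closes the block
    return blocks


def audit_config(config):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    findings = []

    # 'enable secret' is hashed; 'enable password' is cleartext or reversible type 7.
    has_secret = re.search(r"^enable secret ", config, re.M) is not None
    m = re.search(r"^enable password (.+)$", config, re.M)
    if not has_secret:
        if m is None:
            findings.append("no enable secret configured")
        else:
            value = m.group(1).strip()
            if value.startswith("7 "):
                findings.append("enable password uses reversible type 7 encoding; use enable secret")
            elif value.lower() in DEFAULT_PASSWORDS:
                findings.append(f"enable password is a well-known default ({value!r})")
            else:
                findings.append("enable password stored in cleartext; use enable secret")

    for vty in parse_vty_lines(config):
        transport = vty["transport"] or "all"   # assumption: no transport line = telnet allowed
        allows_telnet = transport == "all" or "telnet" in transport.split()
        if allows_telnet and not vty["login"]:
            findings.append(f"{vty['name']}: telnet allowed with no login")
        elif allows_telnet and (vty["password"] or "").lower() in DEFAULT_PASSWORDS:
            findings.append(f"{vty['name']}: telnet allowed with default password {vty['password']!r}")
        elif allows_telnet:
            findings.append(f"{vty['name']}: telnet (cleartext) allowed; prefer 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Run against the constructed sample it reports the default enable password, the vty 0-4 block that allows telnet with password "cisco", and the vty 5-15 block that allows telnet with no login at all; the hardened config produces no findings. The point is not the parser but the habit: these are the checks an attacker's scanner already runs against your edge, so run them against the config first.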

Indeed, many of my pentesting friends still report plenty of such cases (one was also featured in the presentation mentioned above). Whenever I hear about it from a pentester, I always ask:

Do you think "somebody bad" had already passed through the hole you just discovered?

Maybe an hour ago, a day ago - or a year ago?!

I cannot see how the answer can be "no."

Even though pentesters usually don't focus on forensics (no time for this), it is not uncommon to notice "your predecessor's" intrusion traces while you break through systems, "plant flags", change screen backgrounds [for the admins to notice that you've been there...], etc.

Let's think about what this situation really means. Here are the choices I see:

  1. Nobody discovered the hole - the law of large numbers (aka "dumb luck") has "shielded" the company from an incident. Yes, Virginia, dumb luck IS a security strategy for some companies... AND it works for them.
  2. It was discovered, but not used/abused by the attacker - maybe he was busy hacking other systems, or saved this for later and never came back due to his ADD. Congratulations, you win! The immense power of dumb luck wrapped you in a protective "security" blanket ... again :-)
  3. It was discovered; the attacker went in, looked around and compromised a few other systems, but found nothing of interest (no low-hanging fruit) - and he was not a bot herder. Again, you win. Next time you are in Vegas, bet on "00."
  4. It was discovered; the attacker went in and deployed a bot on "your" system - given how many botnets are out there, this situation is clearly acceptable to many organizations. In this case, the dumb luck strategy apparently still works: so they use your box to spam and phish somebody else ... big deal!
  5. It was discovered; the attacker went in and stole all your credit card information (it is now for sale) - even in this case, the user of "the dumb luck strategy" still "wins" (in some perverse sense)! Unless and until the stolen information IS tracked back to you OR a friendly neighborhood PCI auditor comes and jams a broomstick up your ..., you can still continue to be stupid at your leisure and ignore basic security practices.
  6. It was discovered; the attacker went in and stole your CEO's Inbox, including the email related to his affair (it is now on CNN) - now, in this case, you lose AND it is time to stop being stupid! Welcome to the "0wned world." Time to launch (relaunch?) your security program and get serious.

What does this teach us about RISK? The lesson here is important:

  • For a security professional, an Internet-exposed system with "root/root" is an obvious HUGE risk!
  • For your boss's boss's boss, it is NOT!

This is exactly why I think that the most critical problem in security today is METRICS. Metrics that a) work AND mean something to decision makers and b) can be clearly communicated to said decision makers [BTW, a) and b) are two separate problems.] Metrics that cover not only the threats and vulnerabilities we face, but also the effectiveness of the security countermeasures we deploy. Metrics you can act on - and ones your boss (and his boss) will act on. Metrics that lead to correct decisions about which risks to accept, which to mitigate (all while knowing with what efficiency such mitigation occurs) and which to transfer.

Until that time, the dreaded "C-word" (compliance) will trump "the other C-word" (common sense) as a driver for security ... and we will continue to live in the "0wned world."

Anonymous said...


Yes, yes, yes, yes! Could not agree more!

After spending many months thinking about why we (the good guys in IT Security at my organisation) cannot get any traction on a number of high cost security projects after spending many years trying, I've come to the same conclusion. Namely, our high level managers don't care about any security issue which doesn't directly lead to personal embarrassment for them or huge and obvious financial losses for the organisation. In our case, because of our particular organisational profile, that basically means an incident that hits the media. And because they don't care they don't fund security projects, and instead put the money into the newest piece of IT whiz-bang-ery around without consideration of the risk.

The problem is that we can't demonstrate that there is a problem! At least from the perspective of upper management. And that is because the metrics that we have are inadequate. As an example, a metric saying that we found 50 machines with a bot means a lot to me, but means nothing to upper management. After all, what is the impact on the bottom line, and if impact on the bottom line cannot be demonstrated, why should anything be done about this?

Further reliance on dumb luck may be required - at least for the foreseeable future. At least I'm not alone in this :-)

Anton Chuvakin said...

Thanks a lot for genuinely insightful comment! Indeed, this is one of the key challenges.

Specifically, I love the following:

"As an example, a metric saying that we found 50 machines with a bot means a lot to me, but means nothing to upper management. After all, what is the impact on the bottom line, and if impact on the bottom line cannot be demonstrated, why should anything be done about this?"

Indeed... sad, but true.

jlewis said...

Hi Dr. Chuvakin,

My name is Josh Lewis, I am a blog researcher. I came across your blog through some other blogs I was reading while I was doing some research for one of my clients, Solera Networks Security. I got distracted and was intrigued by your blog post about the many ways networks are able to be hacked. I think if you were able to control the time and day the event happened it would be much easier to catch the hacker. For example, kind of like a TiVo for your network.

I felt inclined to talk about you because I think Solera Networks has some products out there that are somewhat unique and new to the industry (data capture appliance devices) and would give you some great information to write about on your blog – I know how hard it is to find topics to write about sometimes. If you were interested I could even have them send you a demo version of the software if you want to check it out in more detail. Or if it would make it easy to write I could setup a time for you to ask questions from an engineer at Solera networks and transcribe the interview for you so you can post it on your blog. At the bottom of this email I will copy paste a general overview of what their products do.

If you are interested don’t hesitate to contact me, and keep up the great blog; yours was for sure one of the top in the industry that I came across.

-Thank you,
Joshua Lewis

Solera Networks DS Appliances provide protection against the unknowns. They give your organization Total Network Recall—enabling IT and security professionals to get to the root cause of a network security or performance problem, minimize the effects on your business, and ensure quality of service. By recording all data that passes over the network, Solera DS Appliances give your network a memory so you can see everything on the network and can replay any traffic when needed.

•Capture speeds up to 10 Gbps (Miercom Performance Verified™ report – March 2008 –
•Storage scalability to expand window for longer recall time
•Up to 8 gigabit ports (10/100/1000)
•Two 10Gb fiber capture ports
•Appliance platform with certified hardware configuration
•Full traffic regeneration capabilities and PCAP creation
•Open API’s for integration with third-party tools and automation of data collection

All interesting traffic can be replayed exactly as it was captured, creating a controlled environment to investigate new unknown threats. Combined with Solera DeepSee™, organizations can search through the captured data to create a real world context around a threat by rendering “artifacts.”

Alex said...

Dr C
You decry those who state the obvious yet you write how security metrics are lacking. Thank you, we're aware of that. At last year's RSA, I sat through a discussion session on security metrics. I left with the understanding that no one has a clear methodology for creating security metrics for their environment. Additional insight into metrics you are aware of or where to find good metric information would have been more useful.
Alex Ryan

Anton Chuvakin said...

Thanks for the comment.

Sure, people, myself included, are working on it. It just happened to not be the subject of this particular blog post.

If you want something "more positive", look at the CIS Metrics project that will release its first set of "consensus" metrics on 4/19.

Dr Anton Chuvakin