SANS ISC: Oh Yeah....I forgot about that - SANS Internet Storm Center SANS ISC InfoSec Forums
Oh Yeah....I forgot about that
An email we got today from John Moser sparked an idea for something that I thought was a great lesson learned, so I wanted to share it with everyone.  John was participating in the collegiate cyber defense competition.  If you have never participated in a capture-the-flag competition or a red/blue team exercise, you are missing out.  You really should try to participate in one, because it's a great experience and really drives the lessons learned home.  Not to mention that it is an absolute blast!

What really caught my eye was this from John:  "This doesn't help when you have a full default EVERYTHING install of Fedora Core 3 and 4, Win2000, and Win2k3.  It particularly doesn't help when you don't know what EVERYTHING is and how EVERYTHING is configured, because EVERYTHING becomes an entry point for hackers who know how to exploit blatant configuration errors."

In another email exchange he said:  "What I didn't know was how every inch of every system on my network was configured. "

So by now, you probably know what I want to talk about.  John nailed it.  You can shut all the doors and windows and lock them tight, but if you forget there's a window in the basement that was secure when you looked at it a year ago and hasn't been checked since....bad things can happen.  I don't think it can be emphasized enough that you have to know your systems.  There are three things that came out of this for me that I see as issues.
  1. You can't secure something you don't know or understand.  If you don't understand what you are dealing with, then you won't know what you need to do.  Do you want a surgeon operating on your brain when they specialize in orthopedic surgery?  I mean he/she could follow a manual and might get it 80% correct.  The same care should be taken with our networks.  When you start installing things you don't understand or don't know how they work ... you might get it 80% correct.  But can you afford that?  From John:  "Let's all remember today that no matter how tight your security, if you can't actually run your box you're owned."

  2. Let's say you know your system and your applications.  Even then, you can't secure something and forget about it.  All applications need TLC.  There's bound to be a patch or upgrade that needs to happen.  Many times it's the small things that get forgotten, such as a default password (or a weak one that doesn't get changed) or a service that doesn't get turned off.  All an attacker needs is a small handhold, and they go from there.  It's easy to overlook the small stuff.  Constantly watching networks and checking things is a must.

  3. The unknown.  What do I mean by this?  Well, one night Mr. Helpful SysAdmin installs something on the network that someone claimed they needed, and you didn't know they put it there.  Someone installs something, makes a change, etc., and it doesn't get documented or approved.  This is something that I know has happened to everyone at some point in time.  Good policy and procedures can help alleviate that, but we'll talk about that in a minute.  If you don't know something is there, you can't secure it, and you don't know what kind of security risk it has created on your network.

All in all, network security is a full-time job, and it's still a lot of work to do it right.  There is so much to learn, and attention to detail is key.  You have to be meticulous in what you are doing, because the attackers who want in are being just that.  Here is another quote from John's email I would like to share:  "The pen-testers told us in the end that even some of the really secure networks they've seen sometimes pop up some minor configuration error and they know, at the end of the day, what happened to us could happen to them."  It takes just one small weakness to turn into something big.

Configuration management is a key piece of making sure this doesn't happen.  Documenting what is being done and what is on a system is so important, especially on a large network where there are many fingers on the keyboards.  You have to stay on top of it all the time.  It's also important to realize that mistakes will be made; that is just a fact.  Hopefully they will be caught early.  Learn from them!
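One practical way to catch the "forgotten service" of point 2 and the "unknown install" of point 3 is to keep an approved baseline of each host's listening services and installed packages, and to diff the live state against that baseline on a schedule. The Python below is an added example written for this diary, not code from the ISC or from John; the baseline, the `ss -tulnp` sample output and the package list are all constructed for illustration, and the function names are my own.

```python
"""Configuration-drift check: compare a host's current listening services
and installed packages against an approved baseline, and report anything
that appeared (or disappeared) without being recorded.

Added example for the ISC diary above. Baseline values, sample `ss -tulnp`
output and package names are constructed; function names are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed baseline: the services and packages the admin documented and
# approved for this host (hypothetical values).
BASELINE_LISTENERS: set[tuple[str, int, str]] = {
    ("tcp", 22, "sshd"),
    ("tcp", 443, "httpd"),
    ("udp", 123, "ntpd"),
}
BASELINE_PACKAGES: set[str] = {"openssh-server", "httpd", "ntp"}

# Constructed sample of `ss -tulnp` output from the same host today. The
# tcp/5432 and tcp/8080 listeners were never documented.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*     users:(("ntpd",pid=812,fd=16))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=901,fd=3))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("httpd",pid=1203,fd=4))
tcp   LISTEN 0      244          0.0.0.0:5432      0.0.0.0:*     users:(("postgres",pid=2210,fd=5))
tcp   LISTEN 0      50                 *:8080            *:*     users:(("java",pid=2377,fd=12))
"""

# Constructed sample of a package-manager listing (package names only).
SAMPLE_PACKAGES = ["openssh-server", "httpd", "ntp", "postgresql-server", "tomcat"]

# One `ss -tulnp` row: proto, state, queues, local addr:port, peer, process.
SS_LINE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+:\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> set[tuple[str, int, str]]:
    """Turn `ss -tulnp` text into a set of (proto, port, process) triples.
    The header line and anything unparseable are skipped."""
    listeners: set[tuple[str, int, str]] = set()
    for line in output.splitlines():
        m = SS_LINE.match(line)
        if m:
            listeners.add((m["proto"], int(m["port"]), m["proc"] or "?"))
    return listeners


@dataclass
class DriftReport:
    unknown_listeners: set[tuple[str, int, str]] = field(default_factory=set)
    missing_listeners: set[tuple[str, int, str]] = field(default_factory=set)
    unknown_packages: set[str] = field(default_factory=set)
    missing_packages: set[str] = field(default_factory=set)

    def has_drift(self) -> bool:
        return bool(self.unknown_listeners or self.missing_listeners
                    or self.unknown_packages or self.missing_packages)


def check_drift(ss_output: str, installed_packages,
                baseline_listeners=BASELINE_LISTENERS,
                baseline_packages=BASELINE_PACKAGES) -> DriftReport:
    """Diff the live host state against the approved baseline. Anything in
    'unknown_*' appeared without being documented; anything in 'missing_*'
    was documented but is gone (a vanished service deserves a look too)."""
    current = parse_ss(ss_output)
    installed = set(installed_packages)
    return DriftReport(
        unknown_listeners=current - baseline_listeners,
        missing_listeners=baseline_listeners - current,
        unknown_packages=installed - baseline_packages,
        missing_packages=baseline_packages - installed,
    )


def format_report(report: DriftReport) -> list[str]:
    """Human-readable lines, one per finding, in a stable order."""
    lines = []
    for proto, port, proc in sorted(report.unknown_listeners):
        lines.append(f"UNDOCUMENTED LISTENER  {proto}/{port} ({proc})")
    for proto, port, proc in sorted(report.missing_listeners):
        lines.append(f"MISSING LISTENER       {proto}/{port} ({proc})")
    for pkg in sorted(report.unknown_packages):
        lines.append(f"UNDOCUMENTED PACKAGE   {pkg}")
    for pkg in sorted(report.missing_packages):
        lines.append(f"MISSING PACKAGE        {pkg}")
    return lines or ["no drift from baseline"]


if __name__ == "__main__":
    # In real use, feed in the output of `ss -tulnp` and your package
    # manager's listing; here the constructed samples stand in for them.
    for line in format_report(check_drift(SAMPLE_SS_OUTPUT, SAMPLE_PACKAGES)):
        print(line)
```

The point of the baseline is that it is the documented, approved state, so every line the report prints is either something to add to the documentation (after asking who installed it and why) or something to remove from the host. Run against the constructed sample it flags the postgres and Java listeners and their two packages; run against a host that matches its baseline it reports no drift.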

Stay on top of your skills and understand what is going on on your network.  Keep in mind that if you don't, someone else out there probably is.

Lorna J. Hutcheson
CACI
ISC Handler