ES Episode107

From Paul's Security Weekly

Enterprise Security Weekly #107

Recorded September 19, 2018 at G-Unit Studios in Rhode Island!


  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
  • Matt Alderman
    Strategic Advisor at Automox, security consultant, and wizard of entrepreneurship.
  • Announcements:

    • Check out our On-Demand material! Some of our previously recorded webcasts are now available On-Demand at:
    • DerbyCon is holding its first-ever Mental Health & Wellness Workshop - to help support their efforts, please go to
    • Join us for our Webcast with LogRhythm about "Tips & Tricks for Defending the Enterprise Using Open Source Tools". The webcast will be held September 27 @3:00PM EST!

    Topic: Audit Mistakes

    Big Time IT Audit Mistakes in the Enterprise

    - Don't get into the mindset of ticking the box to satisfy audit.
    - What is this control and why are we using it?
    - What does it control?

    1) How do you manage changes in status?

    So let's talk a little about this one. Like most non-revenue-generating work, an effective audit is a tough sell for any organization. The minute you start pushing controls, management starts pushing back on cost and the like. Unlike the network, if the audit fails, business continues (until you have a major breach).

    One of the major areas I audited was Active Directory. Most people don't seem to have a good means to track their objects, determine what those objects do, and decide what should have access to them at all. In fact, a lot of people don't even have a plan for this. For example: some guy named Bob has privileges on an object called mrfoofoo. Bob leaves; what is the process we use to determine that Bob no longer has access to mrfoofoo and whatever else Bob managed to get hold of?

    We did this with DumpAcl and literally just reviewing the list of privileges for a sample.

    Sample 10% of the privileges and see if there is a match, tracing both forward and backward. Forward is grabbing logins from the list and tracing them to the objects; backward is looking at objects and tracing back to the users.

    The company just wanted to tick the box that said "permissions managed effectively". What they were doing was simply comparing a list of users to permissions. That didn't even come close to letting them see the whole picture.

    So, in this example you need some mechanism that ensures privileges get updated appropriately and in time!

    Speaking of in time, the other issue with this process was that they didn't do things quickly. So, if Bob quits on Monday, it might take a month to remove those permissions and up to a year to audit them.

    So, why the rush? Well, the biggest threat to your systems is an internal user. The biggest internal user threat is a disgruntled employee with nothing to lose. So, this guy who gets terminated or quits is sitting around with privileges for how long?

    What we're controlling here is escalation of privilege. Same old story, but we need a solid plan in place to remove Bob before he is even notified that his days are numbered, since that is when the risk is greatest.

    2) Asset controls

    This one was unending. The resistance to drive wiping was fierce due to the time involved, and I saw this over and over again. Basically, they would remove something from service and then say, well, we can wipe this or we can just stack the hard drives up down in storage. Now, I have bought a lot of these drives over the years and got a lot of good ones.

    So, now in storage after a year, someone says "what is all this junk?" Then the drives get sold or disposed of because everyone thinks they are useless or bad, but no one even knew where they came from.

    Another problem in this process was disposal entities. They would dump them to a company to be "wiped" or "shredded". How can you even test that process?

    With the advent of the cloud, things get even more problematic since you don't really know what is going on and I am not sure how to audit that sort of thing.

    There is another whole issue on the disposal of mobile devices, the disposition of downed servers, what happens to that mainframe when you send it to the scrap heap, etc.

    3) The problem with backups.

    I don't think I ever audited anyone who said "backups, who needs them." They were all backing up everything, or something. But they didn't audit or control their backups very well. There are numerous issues here:

    a) Backups contain sensitive information.
    b) Backups need backups, out of band.
    c) How are these things disposed of?
    d) Can you actually restore, and is that tested?

    4) The Hot Site conundrum

    Most everyone had some sort of disaster/continuity plan that involved warm sites, hot sites, cold sites, you name it. The problem in the audit was convincing the enterprise that they needed to actually "exercise" that plan. They wanted to tick the box that said "hot site", but it was kind of like backups: they had them, but did they work? Had anyone actually tried to switch over in, say, the last 5 years?

    I saw these things over and over where there was a "site". Some issues:

      1. Is it really a warm/hot site or is it just a site?
      2. How long will it take to switch over to that site?
      3. Is there a personnel plan for who will be there and how they will get there?
      4. Is there a backup plan for those people if they are not able to get there?
      5. How out of band is your warm/hot site? Out of band for what?
      6. Is a cold/warm site really going to do anything for you?

    Now let's talk about networking a bit. There are a lot of mistakes here and it's quite challenging sometimes to audit this kind of thing effectively.

    1. Don't neglect to look at VPNs a bit harder. I kept seeing VPNs that were misconfigured. Think about it like this: what if you set up a VPN but you don't actually use it? This is one of those things I keep seeing where the networking people didn't really understand the configs and never checked to see if traffic was actually using the VPN. Sometimes that works in reverse.
    2. Are VPNs required? I kept seeing this coming from management too: "We have VPNs, which ensures that all data is being encrypted." OK, great, but are they being used? Are they required? We would see the VPN server sitting there, look at the log, and see that, wow, one connect in two weeks with 5000 employees? Really. How many other connects were there? 3000? How did those connect?
    3. Speaking of VPNs, how do you audit that as well? We saw single-factor authentication down to what I call half-factor (which means they share the single login). What happens when Chris quits? How does his VPN access get terminated? Does it? Again, we found people who had retired, quit, or been fired, all using company resources. So, let's take that one to the cloud as well. As offices get more transparent, we see more employees who are working from multiple devices, multiple locations with variable security, etc., just moving seamlessly through the world connected to company assets. What does that mean? Well:
      1. Are there license violations occurring?
      2. Who has access to these resources (their kids?)
      3. What controls are being used there to try and ensure that only people who should be accessing those resources are using them?

    As the cloud begins to dominate, this transparency is going to become more pronounced and complicated.

    4. The last thing here is routes. Where does your traffic go and how many routes are there? I keep seeing BIT problems (Because It's There) where people maintain old drops and those become "backup" routes, but using dynamic routing or even static routing may mean that traffic is moving over segments you don't want traffic using or, worse, when something fails, suddenly there is another point of access. The one I saw was an attack where they air-gapped the main drop. The attack immediately started again and was coming in through another drop they didn't even know about that had no firewalling. Turned out that drop had been used for all sorts of things. So beware of the BIT.
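As an added example (not from the show or its hosts), here is the forward and backward privilege trace from the Active Directory discussion under topic 1, which applies just as well to the VPN user list in item 3 above: a constructed tab-separated access dump and an HR roster are reconciled to flag grants still held by leavers past a one-day removal SLA, or by accounts that appear in no roster at all. The dump layout, account names, dates and SLA are assumptions, not DumpAcl's real output.

```python
from datetime import date
import random

# Constructed sample access dump (not real DumpAcl output): one grant per line,
# "object<TAB>account<TAB>right". The vpn_gateway rows stand in for a VPN user list.
ACL_DUMP = """\
mrfoofoo\tbob\tFull Control
mrfoofoo\talice\tRead
payroll_share\tbob\tModify
payroll_share\tsvc_backup\tRead
vpn_gateway\tchris\tLogon
vpn_gateway\tdana\tLogon
hr_db\tghost_user\tModify
"""

# Constructed HR roster: account -> termination date (None = still employed).
ROSTER = {"alice": None, "bob": date(2018, 9, 3), "chris": date(2018, 1, 15),
          "dana": None, "svc_backup": None}
AUDIT_DATE = date(2018, 9, 19)  # assumed date the review is run

def parse_dump(text):
    """Turn the dump into (object, account, right) tuples; accounts lower-cased."""
    grants = []
    for line in text.splitlines():
        if line.strip():
            obj, acct, right = line.split("\t")
            grants.append((obj, acct.strip().lower(), right))
    return grants

def forward_trace(grants, accounts):
    """Forward pass: start from logins, list every object each one holds rights on."""
    return {a: sorted({(o, r) for o, acct, r in grants if acct == a}) for a in accounts}

def backward_trace(grants, objects):
    """Backward pass: start from objects, list every account granted on each."""
    return {o: sorted({(acct, r) for obj, acct, r in grants if obj == o}) for o in objects}

def stale_grants(grants, roster, as_of, sla_days=1):
    """Grants held by unknown accounts or by leavers older than the removal SLA."""
    findings = []
    for obj, acct, right in grants:
        if acct not in roster:
            findings.append((obj, acct, right, "not in roster"))
        elif roster[acct] is not None and (as_of - roster[acct]).days > sla_days:
            findings.append((obj, acct, right, f"left {(as_of - roster[acct]).days} days ago"))
    return findings

def sample_grants(grants, fraction=0.10, seed=1):
    """The 10% sample the audit reviewed by hand (seeded so the pick is reproducible)."""
    return random.Random(seed).sample(grants, max(1, round(len(grants) * fraction)))
```

Run `stale_grants(parse_dump(ACL_DUMP), ROSTER, AUDIT_DATE)` to get the list of grants that should already have been removed; the two trace functions give the per-user and per-object views the sample review walks through.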

    Enterprise News

    1. Cisco Aims to Make Security Foundational Throughout Its Business
    2. Fidelis Looks to Grow Cyber-Security Platform With New Funding
    3. ManageEngine Announces the Launch of Browser Security Plus
    4. Owler Reports - CA Technologies: New CA Technologies research explores how artificial intelligence can improve human decision-making in IoT applications
    5. Those SCADA/ICS guys again
    6. Secureworks Announces Cybersecurity Maturity Model
    7. Forcepoint brings full weight of defence-grade cyber security portfolio to secure industrial control systems and critical infrastructure
    8. Crossmatch announces the availability of DigitalPersona v3.0
    9. Qualys : Cloud Platform 8.15.2 New Features | MarketScreener
    10. ioTium Commands $13.6 Million in Series B Funding for Industry's First Software-Defined Converged Infrastructure for IIoT
    11. Video Fingerprinting -- Doug talking about the need to hash videos for validity