IT Security Awareness

Just another Edublogs.org weblog

Azhari’s Personal Reflection

We are “…building an airplane [while] in flight.”  - Azhari

Lessons Learned From Security Awareness

An infection, whether from a network worm, a Trojan, or other malware, can provide equally good, and often better, views of the network in a true production environment than a planned test can — and there is quite a bit an administrator can learn from a security compromise. This is not to suggest that security administrators should intentionally infect machines; instead it is a guide to what an unintended infection can uncover about a network. With security companies such as Symantec reporting that 40% of Fortune 100 companies have been infected with viruses over a period of six months, it is well worth the exercise to see what can be learned from these infections. Specifically, the period after an infection is the time to evaluate the technical pieces of the defense perimeter (firewalls, ACLs, etc.) and the non-technical pieces (continuity plans, emergency response, etc.).

An unwanted infection can provide real insight into the security of a network in ways that human-driven tests cannot. First, it will attempt things that a careful penetration tester would not: it is free from worrying about whether all of your file servers drop offline, whether you really needed those documents on your hard disk, or whether the traffic it generates makes everyone’s web surfing slow. Second, a network worm is coded for one thing: exploiting as many hosts as it can reach — a worm’s life depends on propagating quickly. It will test for vulnerabilities in your network like no tool can. Unlike a vulnerability-testing package, however, a worm has a very specific focus and normally a fixed set of vulnerabilities that it exploits, giving you a narrow (but deep) look at only one or two facets of your network. Once the response effort is complete and the cleanup is under control, it is time to take a hard look at what that infection has uncovered.

In each case mentioned above, there is at least one technical and one non-technical problem that needs to be examined, and each type of problem requires a corresponding type of solution. Trying to address non-technical issues with technical tools is often a frustrating game of the proverbial “square peg in a round hole” for administrators of all kinds. Security professionals know all too well that there are few technical protections that a determined, uneducated user cannot undo. Similarly, a determined user or attacker will have little problem evading poorly configured or under-engineered solutions.

If the latest worm has ravaged the organization, it is certainly time to take a hard look at correcting the deficiencies in the security plan, whether they are social or technical. It should not be hard to estimate some of the costs of the infection, particularly downtime; that data will help a lot when it is time to talk about funding. Furthermore, one can diagram the vital systems and point out where additional defenses are needed. This not only helps demystify the role of firewalls, IDS devices, virus scanners, and the like, but also helps the security team present a clear technical request to the management team.
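The two ideas above, that a worm's propagation gives a narrow but deep view of which parts of the network can reach which others, and that the post-infection review should map where defenses are missing, can be turned into a concrete check. The script below is an added illustration, not code from the original post: it reads a constructed, simplified firewall log (action, source, destination, port), restricts itself to the port the worm spread on, and summarises which network segments the worm-port traffic crossed unopposed. The segment names, addresses, and the sample port are all made-up values standing in for what the real network diagram would supply.

```python
"""Post-infection review: where did worm-port traffic cross without a deny?

Added example. The log layout "ACTION SRC DST PORT", the segment map and the
port number are constructed sample values, not from any real environment.
"""
from collections import defaultdict
import ipaddress

# Constructed sample firewall log lines: action, source host, destination host, destination port.
SAMPLE_LOG = """\
ALLOW 10.1.0.15 10.1.0.22 445
ALLOW 10.1.0.15 10.1.0.40 445
ALLOW 10.1.0.22 10.2.0.8 445
DENY 10.1.0.22 10.3.0.5 445
DENY 10.1.0.40 10.3.0.9 445
ALLOW 10.2.0.8 10.2.0.31 445
ALLOW 10.1.0.15 10.9.9.9 80
"""

# Hypothetical segment map; in a real review this comes from the diagram of vital systems.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.1.0.0/24"),
    "fileservers": ipaddress.ip_network("10.2.0.0/24"),
    "finance": ipaddress.ip_network("10.3.0.0/24"),
}

WORM_PORT = 445  # sample value: the single service port this hypothetical worm spread on


def segment_of(ip):
    """Map an address to its named segment, or 'unknown' if it is outside the diagram."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_log(text):
    """Parse the constructed log format into (action, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, src, dst, port = line.split()
        events.append((action, src, dst, int(port)))
    return events


def propagation_summary(events, worm_port=WORM_PORT):
    """Count ALLOW/DENY decisions per (source segment, destination segment) on the worm port."""
    summary = defaultdict(lambda: {"ALLOW": 0, "DENY": 0})
    for action, src, dst, port in events:
        if port != worm_port:
            continue  # unrelated traffic (e.g. web browsing) is out of scope for this review
        summary[(segment_of(src), segment_of(dst))][action] += 1
    return dict(summary)


def exposed_paths(summary):
    """Segment pairs the worm crossed with no deny at all: the ACL gaps to put on the diagram."""
    return sorted(pair for pair, counts in summary.items()
                  if counts["ALLOW"] > 0 and counts["DENY"] == 0)


def reached_hosts(events, worm_port=WORM_PORT):
    """Hosts that received allowed worm-port traffic, i.e. the scope of the cleanup effort."""
    return sorted({dst for action, _, dst, port in events
                   if action == "ALLOW" and port == worm_port})


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    summary = propagation_summary(events)
    for pair, counts in sorted(summary.items()):
        print(f"{pair[0]:>13} -> {pair[1]:<13} allow={counts['ALLOW']} deny={counts['DENY']}")
    print("exposed paths:", exposed_paths(summary))
    print("hosts reached:", reached_hosts(events))
```

In the sample data the finance segment shows only denies, so its ACL did its job, while the workstation and file-server segments let the worm through freely; those are the paths to mark on the diagram when asking for additional defenses.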