Thursday, August 22, 2013

Security Architecture and Leadership Review

Let's look at a few practical and examples of a Security Architecture and Leadership Review.

Lack of Proper Security Controls and  Effective Anti-Virus Solution
During a penetration test, netcat and a eichar test files were successfully uploaded to a SharePoint server as a test virus files because it is known that SEP (Symantec EndPoint Protection) would detect it.  For those in the security know how, netcat is not a virus and does not even meet  the loosest definition of a virus.  Symantec Anti-Virus, which was installed on the server, not only did not remove the file but instead kept the file on the server allowing further user downloads.  Their Security Team erroneously believed the file was an actual network virus that was spreading all across the network.  Let's take a closer look.

First, Symantec did detect it and claimed it removed the file every few minutes sending out alerts constantly. 

Symantec detected netcat as a generic 'Trojan horse/malware' and sent out an alert "Critical Network Virus Detected".  It falsely labeled netcat as a "critical network virus" without even being able to identify the alleged virus by name.  Anyone who has done half-decent virus research knows that  even a half-decent anti-virus product would identify the name of the virus that it found.  The interesting thing was that Symantec identified netcat as a network virus.  It is clearly evident that Symantec doesn't know what a virus is.  A virus is a self-propagating file.  Netcat is not such a file.  The Security Team actually believed a real network virus was uploaded without checking any facts but relying solely on Symantec email alerts told them.  Blind believers in a product.

People think that because Symantec is a popular AV product, that makes it a good solution.  Well not exactly.  That's like saying because McDonald's is one of the most successful restaurants chains ever, that what they serve must be good food.  

Clearly the security controls implemented were not even effective in handling known test files.

No Capable Forensic Investigations
The Security Team and Security Operations Center (SOC) have no need of how to properly conduct a forensic investigation.  They had no EnCase Certified (Forensic) Examiner on staff.  Instead this duty is given to the SOC (Security Operations Center),

The SOC had no experience in forensic analysis and methodology investigated and claimed that it was a real virus and not netcat, though they could not identify which alleged real virus it was and how it was a virus in the first place, or what this alleged virus did.  Their only proof was that because Symantec says so.  Real forensic skills here! lol

The SOC were challenged as to their analysis and findings.  The SOC "re-investigated"and the findings were personally verified by the Security Manager and he concurred.   Their final statement was, "That forensics don't lie."  Yes, but bad analysis does.  Lack of basic skills and detailed analysis in forensics investigations do lie.  Their bottom line, "If Symantec says so, it must be true."  This is like, "If FOX News says so, it must be true!"  lol. They have an over-reliance and belief in tools and easy answers because they lack the work ethic to do the hard work themselves. It is obvious that security management does not know how forensic investigations are conducted, understand the rudiments, nor do they have an idea of how to hire the right people as is evidenced by the results.

If the SOC investigator or Security Manager had taken time to read the actual email by SEP or the logs, they would have found out the file only existed in the Recycle Bin.  Why?  Because when the file is accessed by the SharePoint user, SharePoint pulls the file from the internal SQL Server database and makes a temporary copy on the file server in the temporary area.  This is when SEP detects it and moves it to the recycle bin and sends out an alert.  So if they actually knew how to do an investigation, they would have found out that anytime anyone attempts to download the file from SharePoint, SEP would move the file to the Recycle Bin and trigger a SEP alert.  Because SEP cannot delete a file from SQL Server, this is what happens.  A possible recommendation was that they buy a SEP SharePoint license which would resolve this problem but this was pretty much ignored because they said they had all the security controls in place.  There is no self replicating mechanism from netcat in order to be called a virus.

As you can see, the SOC and Security Teams do not have the knowledge of how technology works, in this case specifically how SEP works with SharePoint.  And if they had read the logs or the email body, instead of just the email subject line, or know how to do a forensic investigation, they would have found this out.  Even when given a second chance, they product the same results. 

What if a critical investigation had to be conducted?  They are dealing with hundreds of millions of records of personal consumer account balances, individualized transactions, social security numbers, and credit card data and have no qualified forensic examiner on staff.  Should they not have a qualified forensic examiner on staff?  How many data breach investigations have they conducted improperly?

Poor Decision Making
Clearly in the above, it is evident that Security Management makes poor decision as whose results to trust.  This is poor judgment.  They constantly make poor decision because they lack the technical ability and work ethic to do their job right.  Even when told what the real issue was, they continued on their misguided path out of some obstinate big ego high school mentality.  It cost the company a fortune financially and they forced the various teams to undergo unnecessary and often time consuming processes that make it very difficult for them to do their primary job functions.  The poor judgments made affect the company's bottom line. 

Mediocre Penetration Testing
During penetration tests, numerous high level vulnerabilities were found that existed for at least half a decade that their entire system of security architects and penetration testers never found.

Too Many High and Critical Issues Not Fixed
There are literally thousands upon thousands of identified vulnerabilities here, many of which are rated as high and critical vulnerabilities that never get fixed.  In fact, they claim they don't have time to fix them so they are never addressed for fixing.

Poor Relationships with Various Teams
The Security Team has poor relationships with other teams especially IT Operations where they make recommendations that could not even be implemented.  It is a hostile type of relationship with heavy politics.  If the security team had knowledge and experience of how technology actually works, they would have realized their recommendations could not be implemented.  The teams would get along better once they stop making recommendations that do not make sense.  This makes the jobs of the various teams much more difficult and costly.

The Security Team's whole strategy was to win at all costs and make themselves look good.  There was never a strategy of developing a working relationship and working through problems with other teams.  They didn't care.  They really never did.  It was all about them, 100% self-absorbed.  The only time they get motivated to do anything is when the other teams are getting ready to hang them with a noose.  Then they are motivated, for a short time.

Poor Secure Code Analysis
The Security Team relies fully on automated tools to find coding problems.  Unfortunately, the tool they use is not very good, has high false positives, and false negatives as well.  They make software development fix a lot of unnecessary bugs all the while ignoring real analysis of critical security issues.  This is done mainly due to their lack of skill in manual code analysis.

It seems the Security Team's strategy was to do the minimum work necessary on their part to get by.  There was never any passion or spirit on doing the right thing. 

No Effective DLP Solution
PCI and banking account information were sent in the clear on their networks.  This was never detected by their DLP (Data Loss Prevention) system.  This was only discovered because the customer reported doing so.

In conclusion, the Security Team needs much work,  they need to work on being detailed oriented, develop the discipline to do forensic analysis, get a qualified forensic examiner, learning to do the right thing instead of just trying to look good, have more interest and passion in their work, overcome their reliance on tools and easy answers, have a strong work ethic, need good decision making strategies, provide value and develop working relationships with various teams.