More food for thought
From: Lohkee (lohkee@worldnet.att.net) Date: 07/12/02
From: "Lohkee" <lohkee@worldnet.att.net> Date: Fri, 12 Jul 2002 17:11:38 GMT
Basic Risk Analysis
Copyright (C) 2002 by Lohkee
All rights reserved
I have taken a position that the professional security community in general
has and will continue to fail because they are operating under the same
basic paradigms as those they try to protect and are therefore functionally
incompetent. The answers you provide to the following questions become the
evidence that I offer in support of this decidedly unpopular hypothesis.
Regardless of its popularity rating the bottom line is simply this: Your
system is either secure or it is not.
You do not need any specialized technical knowledge to answer these
questions. In most cases you will already know the answer to a given
question without having to actually conduct any tests simply because of
knowledge gained from prior experience working on the system. Should the
need arise, testing in order to answer a particular question should not
create any problems with regard to your continued employment as the type of
testing required is passive and cannot harm your system in any way or
attempt to circumvent whatever security controls may be in place.
Obviously, if there is any question at all in this regard, obtain the
appropriate permission before proceeding.
The following questions assume the use of Windows NT 4.0 or 2000
Professional (server or workstation); however, they are intentionally
generic and can be easily adapted to any other operating system capable of
providing a rudimentary set of access controls. It is very important that
you conduct each test without any special administrative "permissions." You
want to look at the system from the same perspective as that of any other
"normal" user. Although it is important to look at the system itself
through the eyes of the average user, it is also very important that you
contemplate your answers (and the issues raised by those answers) very
carefully through the eyes of someone who could be held accountable or
otherwise impacted in the event of a problem arising because these issues
were not dealt with. This can be difficult to do because we often tend to
think of our "stuff" as uninteresting to anyone other than ourselves (and
frequently use these thoughts to justify inadequate security for those
resources). Unfortunately, most "outsider" attacks take place because some
automated hacking tool has identified your system as vulnerable, not because
the attacker has any particular interest in you, or your organization.
One final thought before we get started. You may notice some redundancies
from one section to the next. The reason for this is that a single
vulnerability often results in multiple risks or different vulnerabilities
result in the same risks. In an effort to keep things simple and maintain
focus on the immediate topic of discussion I have chosen redundancy instead
of expecting the reader to juggle numerous and often esoteric details.
Disaster Recovery
Discovery: Do you routinely save information on your workstation's local
hard disk? This would include (but is not necessarily limited to) e-mail
messages, internal documents, customer reports, spreadsheets, databases,
images, presentations, program source code, etc.
Primary Risk: If it is a common practice for users within your organization
to save files on their workstation's local hard drive, as opposed to storing
them within a personalized folder on a centralized server, it is highly
probable that you will lose valuable information in the event of even a
relatively minor mishap, such as a hard drive failure. In the event of a
building fire or other major disaster the losses could be significant. This
possibility would also exist even if you do have a centralized file server
but have workstations configured in such a way that users are still able to
save information to the local hard drive.
Common Mistake: Many organizations simply rely on users to backup their own
"personal" files. The very notion of personal files, as opposed to
organizational assets, is completely inconsistent with a business
environment. This is Personal Computer Mentality at its very best and
generally a sure sign that the organization is utterly clueless when it
comes to security (and that they have no meaningful ability to recover an
unknown quantity of information of unknown value in the event of a
disaster). In this quixotic scenario the organization quite happily deludes
itself into believing that every one of its users is consistently and
correctly backing up all of the information on their workstations and
storing those backups safely offsite in a secure location on a daily basis.
While the organization may indeed be able to survive a disaster (assuming,
of course, that mission critical information is being backed up and stored
safely offsite on a daily basis), the overall cost will be much higher
because some portion of the information that was stored on the workstations
will have to be manually re-created and much will simply be lost. This is
information that you paid for. The pointy haired ones (that would be
management types for those of you who are not fans of Scott Adams' "Dilbert"
comic strip), at least those with highly developed survival instincts, are
usually quick to point out that sacrificing assets based on a cost/benefit
analysis may be a prudent business decision. No argument there, however,
when the quantity and value of the assets to be sacrificed are largely
unknown, which they almost always are unless you have done a complete
inventory of every file on your network, one must wonder about the quality
of the analysis and the individual who performed it. Speaking of cost, do
you really want executives, managers, analysts, or other highly paid
personnel spending some portion of each day backing up files when a single
person could easily handle this chore on a centralized server? Do you
seriously believe it is even going to happen?
Secondary Risk (Confidentiality): The very notion of intentionally allowing
information, particularly that of a sensitive or confidential nature, to be
moved from a controlled environment onto numerous removable media that will
end up scattered about in people's purses, briefcases, desk drawers, filing
cabinets, desktop disk caddies, and wherever else things tend to get put, is
extremely foolish, to say the least. Simply stated, you have given up any
semblance of control over that information. If confidential information
falls into the wrong hands under these circumstances you will have little
chance of demonstrating "due care" and could easily find yourself liable for
damages. In the event of a real disaster, how do you intend to account for
and secure sensitive information stored on hundreds of floppies scattered
about in a pile of rubble that used to be your building? Where will that
information eventually end up after scavengers have picked through the
debris?
There is also the issue of ensuring the confidentiality of sensitive
information that resides on the workstation. A negative employee evaluation
could undoubtedly cost your organization a significant amount of money if it
were to fall into the wrong hands. Can you guarantee that all of the users
on your system are consistently setting the appropriate access "permissions"
on all of their files and folders? How can you verify and document this?
Do you really know who within your organization has access to what
information? What about files or folders intended to store temporary
information (and there are many), the contents of which are generally
readable by everyone who has access to the workstation? Applications often
save copies of e-mail attachments or create "transient" work files (which
can be complete images of documents or databases) in these areas. Try
looking in C:\TEMP sometime. You might be very surprised at what you find.
Sensitive information tends to accumulate in these areas for one of two
reasons. The application that created it does not bother to clean up after
itself when the user has finished working, or, the application was unable to
clean up after itself because the system went down unexpectedly. Are you
still really one hundred percent positive that you know exactly who within
your organization has access to the confidential information on your
network?
Secondary Risk (Availability): Depending on the size of your organization it
may be, from a practical perspective, virtually impossible to guarantee in
an easily provable manner that information stored within arbitrarily named
folders, on numerous machines, in numerous locations, is being properly
backed up and stored safely offsite at a secure location on a daily basis.
If you are not doing this, how exactly do you plan to restore information
when a user's hard drive fails or your building burns to the ground? How
will you be able to make a quick and accurate determination as to what was
lost or how much it was worth? Your insurance agent, among others, will
want this information.
Assuming (and this is really reaching) for the sake of argument that all of
your users are consistently doing everything exactly right, i.e., backing up
all of the information on their workstations and storing those backups
safely offsite in a secure location on a daily basis, how will you know and
be able to easily verify the location of numerous backups that have
essentially been scattered to the wind? What assurance is there that you
will have immediate access to a given backup set when the need arises?
Secondary Risk (Accountability): Given the inherent difficulty of ensuring
that reliable backups are actually being made in a distributed environment,
how will you know or be able to document with any degree of certainty that
what is arguably an extremely important task has been accomplished every
single day? Who can you hold accountable if it is not? If your policy
requires employees to backup their own files, could you then hold those
users accountable for the loss of backups containing sensitive information
taken from their homes during a burglary? Even if you cannot realistically
hold employees accountable under these circumstances, could someone hold you
or your organization accountable (in the event that sensitive information on
those stolen backups were to be published or misused in some other manner)?
Secondary Risk (Due Care): Executives in both the public and private sectors
have a fiduciary responsibility to protect resources entrusted to them by
the public or their investors. Information is an organizational asset that,
like any other, requires protection. Does a prudent individual pay a lot of
money for valuable information and then not take steps to protect that
information in a meaningful way? Simply stated, positioning your
organization to arbitrarily sacrifice an unknown quantity of resources
having unknown value could be very easily construed as gross negligence. At
the very least it will not help your case!
Requiring users to backup their own files is an unnecessarily expensive and
inherently dangerous road to travel. The cost to equip all of your
workstations with high capacity removable media can add up very quickly (the
additional cost of the media itself notwithstanding). You can build a
fairly respectable file server (2Ghz processor, 2Gb RAM, 120Gb storage) for
about the same price as you would pay for fifteen CD R/W drives. Such a
server could easily support the work of numerous analysts (the exact number
could range anywhere from twenty-five to several hundred or more depending
on the particular type of work performed within your organization).
Mitigation: Install a centralized file server and systemically force all
users to store their files within a personalized folder on that server. Set
permissions on those folders so that access is restricted to the
creator/owner only. Configure all of your workstations in such a way as to
prevent users from writing to the local hard drive. Create backup sets
using an encrypted format. Back up the server on a daily basis and store
backups safely offsite in a secure location.
Configuration Management
Discovery: Can you copy files from removable media such as floppy disks or
CD ROM to your hard disk, receive e-mail from the outside world, connect to
the Internet, or access USB (or similar) hardware ports on your workstation?
Primary Risk: All of the items listed above represent largely uncontrolled
points of entry to the workstation, and ultimately, to your network. Each
implies the ability to save information on the workstation or to load and run
programs. This is particularly true if the program does not need to modify
the system registry or access shared code in order to run. Allowing users
to arbitrarily save information or to load and run programs on their
workstations is an extremely effective method of eviscerating your
configuration management program as it becomes virtually impossible to
maintain a constant and known configuration or to implement any kind of an
automated configuration validation scheme. It is easy to dismiss these
types of events or changes as being insignificant; however, in the case of a
user loading executable code, you really have no idea of what might be
running on a given workstation or how it might be affecting your system. It
is impossible to define and control your environment when any user can make
arbitrary changes to that definition. There can be no security if you
cannot define and control your environment. Only a complete idiot (or a
government security analyst) would attempt to make a case for anything that
even remotely resembles a secure system under these circumstances.
Common Mistake: Many organizations operate under the mistaken belief that
configuration management is about identifying a standard set of
applications, installing them on all of the organization's workstations, and
then updating that software in a controlled manner. A solid configuration
management program will certainly include these activities, however, it is
about much more than that, for example: At the workstation level
configuration management means not only controlling what software or
versions of a particular application are loaded, but also systematically
enforcing permissions on files and folders, configuration settings (hardware
and software), program associations, services, etc. Simply stated,
configuration management is about defining the universe in its entirety and
then being able to control and validate that definition. How can you
possibly hope to accomplish this when users can make arbitrary and
unannounced changes?
Secondary Risk (Copyright and Licensing Violations): Allowing users to load
software on their workstations could easily cost your company hundreds of
thousands of dollars. Here is how it works. The Digital Theft Deterrence
and Copyright Damages Improvement Act provides penalties of up to $150,000
per infringed work in civil cases involving copyright infringement. The
Business Software Alliance is an organization that represents almost every
major software manufacturer in the world. Their mission is to seek out and
pursue software-licensing violations. The sequence of events usually goes
something like this: A disgruntled employee will contact BSA and provide a
detailed statement regarding their employer's use of unlicensed software.
If the information received appears credible BSA will then check software
registration records with the member company whose license has been
allegedly violated. BSA will then usually contact the company involved and
offer it the opportunity to cooperate with their investigation (at this
point BSA has already compiled enough evidence to file suit with a better
than average chance of collecting damages). BSA will then obtain a court
order allowing them to conduct an audit of all software installed on the
organization's systems. At this point, you had better pray that you have,
and can produce for the court, a valid license for all of the software on
your system. In the year 2000 BSA collected a combined $750,000 from five
companies in the State of Texas alone, and in 2001, collected a combined 6.2
Million dollars from several European companies. Keep in mind that, in
addition to the severe financial penalties, these companies are generally
required, as part of the settlement, to purchase legitimate copies of any
software they could not produce a license for. The BSA are very good at
what they do! It will make no difference if you have a policy forbidding
the use of unlicensed software. All it takes is for a disgruntled employee
to install a few unlicensed copies of some product on several of your
workstations and then make a phone call.
Secondary Risk (Sexual Harassment/Hostile Work Environment): Having even
mildly pornographic images or off-color jokes stored on your system can
easily lead to charges of sexual harassment or fostering a hostile work
environment. It really does not matter if the charges are true or not. It
is often less expensive, but certainly not cheap by any means, to settle out
of court. Numerous points of entry, combined with the ability to save files
on the workstation's local hard drive, make it all but impossible to prevent
inappropriate materials from appearing on your system or to audit users'
files for inappropriate content (The notion that users have some kind of a
right to privacy regarding email or other files stored on a corporate
computer system is no more than a fantasy, at least in the United States.
This is as it should be. If the courts ever extended the individual's right
of privacy to information stored on corporate systems they would effectively
outlaw secure systems in the process, not to mention the fact that it would
go way beyond absurd to suggest that an organization could be held liable
for the contents of their systems if the law prevented that organization
from policing those systems!).
Secondary Risk (Elevation of Privileges): The ability to run unauthorized
programs from removable media will, in many instances, enable users to
easily bypass restrictions imposed by folder and file permissions on the
workstation. There is very little point in denying access to a program on
the workstation's hard drive if the user can simply run the same program
from a floppy diskette or CD ROM. Of particular concern are the numerous
utilities available on the Internet that will grant a normal user
administrative "privileges" on the local workstation without leaving a
trace, or enable that user to change the password for any other user on the
system, including that of the administrator. A user with administrative
access to the local workstation is just a few simple steps away from gaining
"domain admin" or being able to hijack and use other people's accounts in a
manner that would be virtually impossible to detect.
Secondary Risk (Higher Maintenance Costs): The lack of a meaningful
configuration management program will undoubtedly hamper troubleshooting
efforts when problems arise with your system thereby causing unnecessary
delays and frustration for your customers, both internal and external.
There is nothing more aggravating for systems administrators, network
technicians, and help-desk employees than trying to troubleshoot a problem
while wearing a blindfold. The lack of a solid configuration management
program is that blindfold. Poor configuration management results in
networks that are considerably more expensive to maintain, far less
reliable, have slower response times, and are provably less secure.
Secondary Risk (Hostile Code): While the user may be well intentioned when
they download and run software from an unknown source, the same is not
necessarily true of the programmer who created the software they are
running. There are a number of programs readily available on the Internet
that appear to be useful or entertaining but, when loaded on the workstation
by an otherwise innocent user, will secretly contact a pre-designated system
and allow whoever is at the other end to gain covert access to the
workstation. Some will even allow the attacker to monitor screen display
and keyboard activity on the targeted system. These programs can be
extremely powerful and will in many cases enable the attacker to capture
passwords, often for other systems, input by anyone unfortunate enough to be
using the "bugged" workstation. If a captured password belongs to an
administrative account the game is over. Sometimes, as in the case of
computer viruses, these programs arrive on your system unsolicited. It is
naïve and foolish to believe that users are above being suckered into
running a hostile program. Just ask yourself what happened within your
organization when the Melissa, Love Bug, or Anna Kournikova viruses made
their rounds.
Secondary Risk (Due Care): Executives in both the public and private sectors
have a fiduciary responsibility to protect resources entrusted to them by
the public or their investors. Does a prudent individual, given the
severity of laws protecting intellectual property and the overabundance of
programs with hostile intent that are freely available on the Internet,
allow users to arbitrarily load or run software from an unknown source on a
mission critical production system? Systemically preventing this type of
inherently dangerous activity is simple and has the added benefit of
reducing infrastructure and operational costs significantly. Ignoring these
easily resolved issues goes far beyond gross negligence and enters the realm
of sheer stupidity.
Mitigation: Install a centralized file server and systemically force all
users to store files within a personalized folder on that server.
Configure all of your workstations in such a way as to prevent users from
writing to the local hard drive. Set permissions on all workstation files
and folders based on a "need to know." Do the same with program
associations, registry permissions, and services. Remove or disable all
removable media and unnecessary hardware ports. Disallow Internet and
outside e-mail access, or, if this is not possible, compartmentalize the
workstation (I'll show you how later on). Perform routine audits on
server-side user files and remove inappropriate material immediately.
Systemically preventing users from loading and running unauthorized software
or saving information to the workstation's local hard drive, and forcing
them to save all of their data in a personalized folder on a centralized
server is an effective and very profitable means of addressing numerous
issues associated with disaster recovery and configuration management. This
method not only gives you a much higher level of security that is easy to
administer and validate, it also lends itself very well to the task of
documenting or auditing mission critical procedures and conducting policy
compliance reviews.
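The mitigations for both Disaster Recovery and Configuration Management above call for per-user folders on the file server that only their owner can reach. The following script is an added example (not from the original post) that audits such a layout from the server side; it assumes one folder per user under a root such as D:\Users, named after the account, and an operator who can read ACLs.

```powershell
# Added example, not part of the original post: audit per-user folders on a
# central file server and report any folder whose ACL grants access to
# anyone other than its owner, SYSTEM and the local Administrators group.
# Assumed layout: one folder per user under $UsersRoot, named after the
# account, e.g. D:\Users\jsmith. Read-only; nothing is changed.
param(
    [string]$UsersRoot = 'D:\Users'   # assumption: adjust to your server
)

# Principals that are always acceptable on a home folder besides the owner.
$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

Get-ChildItem -Path $UsersRoot -Directory | ForEach-Object {
    $folder = $_
    $acl = Get-Acl -Path $folder.FullName

    # The folder name is taken as the account the folder belongs to.
    $expectedOwner = $folder.Name

    # Every identity holding an Allow entry that is neither the owner nor
    # one of the always-acceptable principals is a finding.
    $unexpected = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $_.IdentityReference.Value } |
        Where-Object {
            ($_ -notin $Allowed) -and
            ($_.Split('\')[-1] -ne $expectedOwner)
        } | Sort-Object -Unique

    # Inherited entries are a separate finding: they mean the share root is
    # pushing its own permissions down into the per-user folders.
    $inherited = @($acl.Access | Where-Object { $_.IsInherited })

    [pscustomobject]@{
        Folder           = $folder.FullName
        Owner            = $acl.Owner
        OwnerMatches     = ($acl.Owner.Split('\')[-1] -eq $expectedOwner)
        UnexpectedAccess = ($unexpected -join '; ')
        InheritedEntries = $inherited.Count
    }
} | Where-Object {
    # Keep only folders that deviate from "owner only".
    (-not $_.OwnerMatches) -or $_.UnexpectedAccess -or ($_.InheritedEntries -gt 0)
} | Format-Table -AutoSize
```

An empty table means every home folder is owned by the matching account, carries no inherited entries, and grants access to nobody but the owner, SYSTEM and Administrators.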
Information Flow Control
Discovery: Is your workstation equipped with any kind of "writeable"
removable media (floppy disk drive, zip drive, tape drive, CD burner, memory
drive, etc)?
Primary Risk: It is virtually impossible to manage the flow of information
once it leaves a controlled environment. If users can copy files to
removable media it is entirely possible that as you are reading this a great
deal of sensitive information is scattered about on unprotected floppy
diskettes sitting in purses, briefcases, desktop disk caddies, desk drawers,
automobiles, homes, and just about anywhere else people tend to leave
things. This is particularly true if you rely on users to backup their own
"personal" files. How can you guarantee the confidentiality of information
on your system, or make any kind of a rational argument for having a secure
environment, when any user with access to a workstation can simply copy
whatever they want to a floppy diskette and walk off with it? How will you
even know when this is happening?
Common Mistake: The presence of removable media on a workstation is totally
inconsistent with the concept of a secure environment and a dead giveaway
that Personal Computer Mentality is alive and well within the organization.
Even on very small networks it is like drilling hundreds of holes in a water
bucket and then expecting that bucket to somehow hold water. It is not
going to happen! You may be wondering what the big deal is since the
employee will only be able to copy data that he or she has already been
granted access to on the workstation. Access to information is not, by any
stretch of the imagination, the same as having the authorization or ability
to remove that information from the premises in an uncontrolled manner
(fundamental principle of least privilege).
Secondary Risk (Espionage): The presence of removable media provides the
dishonest employee or industrial spy with a very easy method of smuggling
large amounts of information out of the workplace that is virtually
impossible to detect (unless of course you plan on strip-searching all of
your employees as they leave the building). One could, of course, use email
or the Internet to accomplish the same task, however, both leave a trail for
the investigator to follow whereas removable media does not. One of the
more commonly overlooked sources of information leakage is hardware ports,
for example: Many vendors offer devices, about the size of your thumb, that
function the same as a hard disk drive when plugged into the USB port.
These "hard drives," which are generally designed to fit on a key ring, can
provide up to 256Mb of storage space (a 256Mb ZIP file could easily contain
over one gigabyte of information). They provide an almost impossible to
detect (we are talking about body cavities here) method of smuggling large
amounts of information in or out of a building. If you are one of those
people who cannot imagine anybody going through such extraordinary lengths,
consider this: The vast majority of people on this planet, male and female,
are more than willing to have much larger items stuffed into their bodily
orifices for no other reason than the sheer joy of it - $250,000.00 tax-free
dollars is a LOT of joy.
Secondary Risk (Due Care): Executives in both the public and private sectors
have a fiduciary responsibility to protect resources entrusted to them by
the public or their investors. Does a prudent individual allow users of
their system to arbitrarily copy whatever information they desire to a
floppy diskette and then simply walk off with it? Eliminating this
vulnerability is very easy and saves the organization a significant amount
of money in the process, how could ignoring it be viewed as anything other
than negligence?
Mitigation: Remove or disable all removable media at the workstation level.
Cover or disable all USB (and similar) hardware ports. Eliminating
removable media from your environment will greatly increase your ability to
control the flow of information, help protect confidentiality, go a long way
towards preventing users from loading or running unauthorized programs, and,
as an added bonus, reduce the cost of a workstation by about twenty percent
(not to mention the money saved by not having to purchase removable media).
Removable media is an unnecessary expense that ultimately serves no purpose
other than to support numerous antiquated and inherently dangerous
practices! The days of sneaker-net in the corporate environment are long
gone. There is almost always a more secure network-based solution available
to a user who may need for some reason to move information from one system
to another. You should therefore very carefully scrutinize, with an
automatic bias towards denial, any request made by a user to move
information from your network (a controlled environment), to removable media
(an uncontrolled environment). In the rare event such a request must be
granted, it should be accomplished in a strictly controlled manner, at a
predetermined location, with administrative oversight and auditing (in this
case perhaps a logbook entry showing the type of information that was
transferred to removable media, who made the transfer, the reason for the
transfer, who authorized the transfer, date and time of the event, and who
was given custody of the media).
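To check whether the removable-media mitigation above is actually enforced on a given workstation, the following added example (not from the original post) reads the settings a Windows workstation uses for it. It assumes a modern Windows version rather than the NT 4.0/2000 systems the post targets: the Removable Storage Access Group Policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices and the start type of the USBSTOR driver.

```powershell
# Added example, not part of the original post: report whether this
# workstation blocks writeable removable media. Read-only; it changes nothing.
# Assumes the registry locations used by the "Removable Storage Access"
# Group Policy settings and the USBSTOR service on current Windows releases.

# Root written by the Group Policy "All Removable Storage classes" settings.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for "Removable Disks" under that root.
$removableDisks = "$policyRoot\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"

function Get-RegistryValueOrNull([string]$Key, [string]$Name) {
    # Returns $null when the key or the value is absent (policy not set).
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Format-Setting($Value, [string]$Missing) {
    if ($null -eq $Value) { $Missing } else { $Value }
}

$denyAll   = Get-RegistryValueOrNull $policyRoot     'Deny_All'
$denyWrite = Get-RegistryValueOrNull $removableDisks 'Deny_Write'
# USBSTOR Start = 4 means the USB mass-storage driver is disabled.
$usbstor   = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

# Removable drives present right now (Win32_LogicalDisk DriveType 2).
$presentDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
    ForEach-Object { "$($_.DeviceID) ($($_.VolumeName))" }

# Any one of these settings is enough to stop ordinary users from writing
# to removable disks; all three unset means the mitigation is not in place.
$blocked = ($denyAll -eq 1) -or ($denyWrite -eq 1) -or ($usbstor -eq 4)

[pscustomobject]@{
    RemovableStorage_DenyAll = Format-Setting $denyAll   'not set'
    RemovableDisks_DenyWrite = Format-Setting $denyWrite 'not set'
    USBSTOR_Start            = Format-Setting $usbstor   'not found'
    WritesBlockedByPolicy    = $blocked
    RemovableDrivesPresent   = ($presentDrives -join ', ')
}
```

A result of WritesBlockedByPolicy = False with drives listed under RemovableDrivesPresent is exactly the "holes in the bucket" condition the section describes.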
Vulnerability to Attack (Internet)
Discovery: Do you have access to the Internet from your workstation?
Primary Risk: Unauthorized access to your network by outsiders. There are
numerous automated tools freely available on the Internet that enable just
about anyone to scan for, and in many cases, gain access to vulnerable
systems connected to the Internet (It is not at all uncommon for a system to
be probed within a few hours of being put online). A very common outcome of
a successful attack is the theft of confidential information that the
attacker then publishes on the Internet in order to prove the attack
actually took place. These attacks, for the most part, amount to little
more than acts of electronic trespass committed by children, although
attempts to extort money and political activism are becoming much more
commonplace. Regardless of the motive the consequences can, depending on
the information published and the type of business you are in, be
significant.
Once you connect to the Internet your system is no longer your system. It
becomes just one more component of a very much larger system with millions
of users whom you have no control over. The size, complexity, and dynamic
nature of the Internet, preclude any possibility of ever defining your
universe (which is a prerequisite to achieving a secure computing
environment). Connecting your system to the Internet equates to exposing
your business to any number of highly effective attacks. Connecting a
mission critical production network to the Internet is inherently dangerous
and just one more sign of Personal Computer Mentality (not to mention sheer
stupidity).
Common Mistake: Many organizations are convinced that Internet access for
all of their employees is critical to the success of their business. The
evidence strongly disagrees. I have evaluated firewall audit trails from
numerous very large organizations (5,000 plus users each) and have
consistently found that, on average, 95% of the accesses made to the
Internet by employees were clearly not work related by any stretch of the
imagination. The remaining 5% were, at very best, highly questionable.
Essentially, these organizations were paying in a number of subtle ways,
such as increased infrastructure costs, slower response times, lost
productivity, higher operational costs, and greatly increased risk, just so
that their employees could play on company time!
Another very important aspect of Internet access as a business tool is the
nature of the beast. There is an abundance of information that is, for the
most part, free for the taking. Some of it is very good, and some of it is
very bad. The problem is that anyone can do or be pretty much anything they
want on the Internet with little, if any, oversight or accountability.
Unless you are using well-known and trusted commercial sites there is no way
of really knowing if the information you are seeing comes from a legitimate
expert or the kid next door. The point here is very simply that
information, without some reasonable assurance of quality has little value
and can in fact be dangerous when relied upon in a fast-paced business
environment.
Arguments in favor of Internet access for all employees may be well
intentioned and honest but they are more likely to be just another symptom
of Personal Computer Mentality. One test is worth a thousand expert
opinions and your audit trail will reveal the truth!
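As an added illustration (not part of the original post), the following Python script shows the kind of audit-trail test the paragraph above calls for: it parses a simplified, constructed proxy log, checks each destination against an assumed allowlist of domains with a documented business purpose, and reports per-user counts and the overall non-business ratio. The log format, the user names and the allowlist are assumptions; a real audit would read the organisation's own firewall or proxy log and its own approved-domain list.

```python
"""Audit a proxy/firewall log for non-work-related browsing.

Added example, not part of the original post. The log format below is a
constructed, simplified one ("<epoch> <user> <method> <url> <bytes>"); the
list of approved business domains is an assumption that a real audit would
replace with the organisation's own.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1026489600 jsmith GET http://support.example-vendor.com/drivers/nic.zip 512000
1026489610 jsmith GET http://www.sports-scores.example/live 20480
1026489620 kdoe GET http://radio.streaming.example/stream.mp3 9800000
1026489630 kdoe GET http://intranet.example.org/timesheet 4096
1026489640 kdoe GET http://mail.webmail.example/inbox 30720
1026489650 jsmith GET http://kb.example-vendor.com/article/42 8192
"""

# Assumed allowlist of domains with a documented business purpose.
BUSINESS_DOMAINS = {"example-vendor.com", "example.org"}

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_line(line):
    """Return (user, host, bytes) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, user, _method, url, nbytes = m.groups()
    host = urlsplit(url).hostname or ""
    return user, host.lower(), int(nbytes)


def is_business(host, allowlist=BUSINESS_DOMAINS):
    """True if host is one of the approved domains or a subdomain of one.

    The suffix check is anchored on a dot so that "evil-example-vendor.com"
    does not match "example-vendor.com".
    """
    return any(host == d or host.endswith("." + d) for d in allowlist)


def audit(log_text, allowlist=BUSINESS_DOMAINS):
    """Per-user counts of business vs. other requests and bytes.

    Returns {user: {"business": n, "other": n, "other_bytes": n,
                    "other_hosts": set_of_hosts}}.
    """
    stats = defaultdict(lambda: {"business": 0, "other": 0,
                                 "other_bytes": 0, "other_hosts": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than guessing
        user, host, nbytes = rec
        if is_business(host, allowlist):
            stats[user]["business"] += 1
        else:
            stats[user]["other"] += 1
            stats[user]["other_bytes"] += nbytes
            stats[user]["other_hosts"].add(host)
    return dict(stats)


def non_business_ratio(stats):
    """Fraction of all requests that went to non-approved hosts (2 decimals)."""
    total = sum(s["business"] + s["other"] for s in stats.values())
    other = sum(s["other"] for s in stats.values())
    return round(other / total, 2) if total else 0.0


if __name__ == "__main__":
    s = audit(SAMPLE_LOG)
    for user, rec in sorted(s.items()):
        print(f"{user}: business={rec['business']} other={rec['other']} "
              f"other_bytes={rec['other_bytes']} hosts={sorted(rec['other_hosts'])}")
    print("non-business ratio:", non_business_ratio(s))
```

The byte counts matter as much as the request counts: in the constructed sample one streaming-audio request alone accounts for almost all of the non-business volume, which is the bandwidth point made later in the post.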
Secondary Risk (Adverse Publicity): When your employee goes to an x-rated
website or other inappropriate destination, that site knows where the
request came from. If the site chooses to make your access to their server
public knowledge, and they are entitled to do so, it can be very
embarrassing to the organization (especially if you are in the public sector
"Your hard earned taxes are paying - choose your particular agency - feds to
browse child pornography on the Internet - film at eleven!"). Inappropriate
messages, posted to Usenet newsgroups by your employees, can be
intentionally misconstrued as the "official" position of your organization.
Embarrassment in this case is a given; lawsuits become a very real
possibility.
Secondary Risk (Targeting): Even well meaning newsgroup postings by your
employees can have unintended and very serious consequences. They can give
an adversary easy access to an enormous amount of intelligence regarding
your infrastructure. Go to "Google" and do an advanced news group search
for messages originating from a specific author using "@gao.gov" as the
search criteria. This search will return numerous postings with enough
combined information (infrastructure, operating systems, applications
software, types of problems, level of expertise, points of entry, names,
email addresses, etc.) to make launching extremely effective attacks against
that organization a relatively simple process. It is absolutely shocking to
see how much sensitive information is given away in these postings and how
much more you can get by simply engaging these people in conversation under
the pretext of trying to help them solve their problems. The problem is
that most people, even the computer security experts from GAO who should
know better, simply do not expect others to be targeting them. You may want
to try the same search using your own domain to see what kinds of messages
your users have posted.
Secondary Risk (Sexual Harassment/Hostile Work Environment): Having an
Internet connection is almost an ironclad guarantee that pornographic
material will, at one time or another, find its way onto your system.
Depending on where you live and what you have, simple possession of these
materials can land you in prison for a very long time. While it is
generally the employee and not the organization that is prosecuted for this
type of offense, law-enforcement officials can (and have) seized entire
systems as evidence. Also, keep in mind, that having even mildly
pornographic images or off-color jokes stored on your system can lead to
allegations of sexual harassment or fostering a hostile work environment.
As I said before, it really does not matter if the charges are true or not.
It is often less expensive, but certainly not cheap by any means, to settle
out of court.
Secondary Risk (Malicious Code): It is a given that anyone with access to
the Internet is going to download something at some time. This raises all
of the issues previously outlined in "configuration management" when
employees can load or run software from a floppy disk or CD ROM. Remember
that while the user may be well intentioned, the same is not necessarily
true of the programmer who created the software they are running. Access to
the Internet, even with proxy servers and firewalls in place, represents a
gaping hole in your defenses. These devices are, for all intents and
purposes, useless against a creative and technically proficient attacker.
Secondary Risk (Control Circumvention): Access to the Internet can enable
users to bypass network restrictions, for example: You may have configured
your server to disallow incoming email attachments in an effort to reduce
the risk of a computer virus entering your system; however, this control can
be very easily circumvented, often unintentionally, by any employee who
retrieves messages from a web-enabled private email account. Because these
messages arrive by a different transport mechanism they will not be subject
to the rules that you have imposed on regular incoming email messages.
Once you have given users access to the Internet it becomes virtually
impossible to stop them from downloading and running unauthorized software
on your system regardless of any firewall and browser security settings
intended to prevent this from happening. The most obvious way would be for
a user to simply implant the executable code within the "comments" section
of a web page. Once the page was opened it would be trivial to extract the
program and save it to a file on the local workstation, after which, the
user would be able to run it just as they would any other program. It may
also be possible, using a slight variation of this scheme, for an outside
attacker to surreptitiously load and run code on a targeted machine in the
context of the local user.
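To make the scheme described above concrete, here is an added example (not from the original post) that builds a constructed page with a base64-encoded stand-in payload inside an HTML comment, and then shows the check a proxy or content filter could run against such a page: collect every comment, decode any comment that consists of a single base64 blob, and sniff the result for an executable or archive header. The payload is an "MZ" header plus filler bytes, not a real program; the magic-byte table is an assumption and deliberately short.

```python
"""Find executable payloads smuggled inside HTML comments.

Added example, not part of the original post. The page and the "payload"
are constructed here: the payload is a PE-style 'MZ' header followed by
filler, not a real program, so the script runs offline and harmlessly.
"""
import base64
import re
from html.parser import HTMLParser

# Constructed stand-in for an executable: DOS 'MZ' magic plus filler bytes.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"\x00" * 64

# Constructed web page in which the "program" is hidden as base64 in a comment.
SAMPLE_PAGE = (
    "<html><head><title>Driver notes</title></head><body>\n"
    "<p>Nothing to see here.</p>\n"
    "<!-- build notes -->\n"
    "<!-- " + base64.b64encode(FAKE_PE).decode() + " -->\n"
    "</body></html>\n"
)

# Assumed, minimal magic-byte table.
MAGIC = {
    b"MZ": "pe-executable",
    b"PK\x03\x04": "zip-archive",
    b"\xd0\xcf\x11\xe0": "ole-document",
    b"\x7fELF": "elf-executable",
}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment in a page."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def sniff(data):
    """Return a file-type label from leading magic bytes, or None."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def decode_if_base64(text, min_len=64):
    """Decode a comment that is one base64 blob; return bytes or None.

    Whitespace is stripped first so a blob wrapped across lines still counts;
    short comments are ignored because ordinary words can be valid base64.
    """
    compact = "".join(text.split())
    if len(compact) < min_len or not B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:
        return None


def find_hidden_payloads(html_text):
    """Return [(comment_index, type_label, decoded_bytes)] for suspicious comments."""
    parser = CommentCollector()
    parser.feed(html_text)
    hits = []
    for i, comment in enumerate(parser.comments):
        raw = decode_if_base64(comment)
        if raw is None:
            continue
        label = sniff(raw)
        if label:
            hits.append((i, label, raw))
    return hits


if __name__ == "__main__":
    for idx, label, raw in find_hidden_payloads(SAMPLE_PAGE):
        print(f"comment #{idx}: {label}, {len(raw)} bytes")
```

The same decode-then-sniff step applies to any other carrier a filter lets through unexamined (script strings, hidden form fields, data URIs); the comment case is only the simplest.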
Transferring information is a two way street. Connecting a workstation to
the Internet equates to making all of the information on that workstation
available to anyone in the world who has the technical knowledge and cunning
necessary to take advantage of this unfortunate fact. At the very least, a
competent attacker will have the same access to whatever information is
residing on the workstation that you do. Anyone can put up a website and
make it appear to be an authoritative or otherwise useful source. Anyone
can send you an email to let you know about a great new website. You roll
the dice every time you click on an icon presented by a website. Firewalls
are of little use against this type of attack. Disabling file and print
sharing services, Java, and Active X will not protect you.
Secondary Risk (Slower Response Times): Streaming audio or video files eat
up an enormous amount of bandwidth. Large file downloads do the same. Just
two or three employees listening to an Internet "radio" station or watching
a video clip can slow network response time to a crawl.
Secondary Risk (Due Care): Does a prudent individual connect a mission
critical production network to the Internet, given the numerous and
extraordinary risks involved, just so that employees can play on company
time or take care of personal business during their breaks? Connecting a
mission critical production network to the Internet is a very foolish
undertaking unless there is a compelling business reason (supported by hard
evidence, i.e., the audit trail - which can be obtained with a subpoena and
will tell the truth) for doing so.
Mitigation: Physically isolate all critical production systems from the
Internet. If you absolutely must connect to the Internet for some reason
then do so in the safest way possible. Find out who needs access and why.
Require them to prepare a business case showing exactly how Internet access
will enhance profitability or otherwise benefit the organization in some
significant (and measurable) way. Obviously this package should include a
risk analysis, security plan, cost-benefit analysis, and offer alternative
methods of achieving the same desired result (with a start-up and life-cycle
cost-comparison for each). There are two reasons for insisting on this: you
would be surprised how many people who thought Internet access was a matter
of life and death no longer seem to need or even care that much about it,
and, if you are going to put mission critical systems at risk it is (if for
no other reason than your own protection) a very good idea to have
documentation showing why an inherently dangerous venture at one time seemed
like such a brilliant idea in the event something very bad happens.
With a little creativity it is possible to provide Internet access to those
who really need it without putting your production systems in harm's way,
for example: Technicians often have a need to download device drivers and
software updates, ask for advice, or conduct research on the Internet. This
is a situation where a physically isolated mini-network consisting of three
or four workstations using an inexpensive shared DSL line will enable your
employees to get the job done without putting your network at risk. Letting
employees play on the Internet may be a perk that you want to offer. This
too is a situation where a physically isolated mini-network consisting of ten
or fifteen workstations placed in a break room (WOW an Internet Café at
work, how cool is that?) will solve the problem quite nicely. Aside from
the obvious benefit of isolating your production network from the outside
world, moving Internet access from the privacy of a cubicle to a more public
place will go a long way towards reducing inappropriate or illegal Internet
activity and the amount of work time wasted. It will also help to isolate
employee activity from the organization.
Vulnerability to Attack (E-mail)
Discovery: Can you send and receive e-mail outside of the organization,
i.e., to friends or family?
Primary Risk: The simple act of connecting an email server to the Internet
increases your chances of falling prey to a successful attack by many orders
of magnitude for no other reason than the server becomes easily accessible
to anyone in the world with an Internet connection. Think about any of the
major virus incidents in the past few years and how they impacted your
organization. Without an Internet facing email server most, if not all,
would have been non-events. Successful or not, the very nature of many
common attacks is almost an ironclad guarantee that you will be targeted.
The question is, are you up to the task of providing a viable defense? Very
few organizations are. If the best that you have to offer is a combination
of anti-virus software and filtering email attachments that have "dangerous"
file extensions, rest assured, you are not one of them.
Common Mistake: Most organizations tend to focus on the threats posed by
e-mail in terms of computer viruses and limit their efforts to running
anti-virus software or blocking attachments that have so-called "dangerous"
file extensions. There are several serious problems with this. Anti-virus
software is notoriously unreliable at detecting anything that it does not
already "know" about. You are essentially a sitting duck until such time as
your vendor becomes aware of a new threat and updates their software to
recognize it. While it is certainly true that most vendors can respond to a
new threat within a matter of hours, it is also true that a well-written
virus could easily span the globe within seconds. Blocking attachments with
"dangerous" file extensions does not really solve the problem either; it
merely forces the attacker to change tactics slightly. One of the more
common methods is to give the hostile code a "safe" extension and then
instruct recipients to rename and run the file after saving it to their hard
drive. Another technique is to simply trick the user into "becoming" the
hostile code. Users passing around a very large message, which contains an
urgent warning about some new and terrible threat, can have the same effect
on bandwidth as that of an actual virus. By far the most serious problem
with focusing on email-borne viruses is that it does not address the server
itself and any applications or services running on that server. These types
of oversights represent a dream come true for the technically proficient
attacker who is planning on launching an attack against your organization.
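As an added example (not part of the original post), the following Python code shows why content rather than the claimed extension has to drive an attachment policy: it constructs a message carrying a stand-in executable renamed to patch.txt, a genuine-looking Word 97 document and a plain setup.exe, then judges each attachment by its leading bytes as well as by its name. The stand-in files, the extension policy and the magic-byte table are assumptions made for the example.

```python
"""Judge e-mail attachments by content, not by the extension they claim.

Added example, not part of the original post. The message below is
constructed in place; the "executable" inside it is an 'MZ' header plus
filler, not a real program. The extension policy is an assumption.
"""
from email import message_from_bytes
from email.message import EmailMessage

# Constructed stand-in for an executable (PE 'MZ' magic + filler).
FAKE_EXE = b"MZ" + b"\x90" * 126

# Constructed stand-in for a Word 97 document (OLE compound-file magic + filler).
FAKE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 120

# Assumed, minimal magic-byte table.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-archive"),
    (b"\xd0\xcf\x11\xe0", "ole-document"),
    (b"%PDF", "pdf"),
]

# Assumed policy: extensions blocked outright, and the content type each
# "safe" extension is allowed to carry. None means "no recognised magic".
BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "vbs"}
ALLOWED_CONTENT = {
    "txt": {None},
    "doc": {"ole-document"},
    "zip": {"zip-archive"},
    "pdf": {"pdf"},
}


def sniff(data):
    """Return a file-type label from leading magic bytes, or None."""
    for magic, label in MAGIC:
        if data.startswith(magic):
            return label
    return None


def build_sample_message():
    """Construct a message with a renamed executable, a real-looking document
    and an attachment with a blocked extension. Returns the raw bytes."""
    msg = EmailMessage()
    msg["From"] = "helpdesk@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Patch attached - rename to .exe and run"
    msg.set_content("See attached.")
    msg.add_attachment(FAKE_EXE, maintype="text", subtype="plain",
                       filename="patch.txt")
    msg.add_attachment(FAKE_DOC, maintype="application", subtype="msword",
                       filename="memo.doc")
    msg.add_attachment(FAKE_EXE, maintype="application",
                       subtype="octet-stream", filename="setup.exe")
    return msg.as_bytes()


def classify_attachments(raw_message):
    """Return [(filename, verdict)]; verdict is 'blocked-extension',
    'content-mismatch' or 'ok'."""
    msg = message_from_bytes(raw_message)
    results = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # body text or multipart container, not an attachment
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        payload = part.get_payload(decode=True) or b""
        label = sniff(payload)
        if ext in BLOCKED_EXT:
            verdict = "blocked-extension"
        elif label not in ALLOWED_CONTENT.get(ext, {None}):
            verdict = "content-mismatch"
        else:
            verdict = "ok"
        results.append((filename, verdict))
    return results


if __name__ == "__main__":
    for name, verdict in classify_attachments(build_sample_message()):
        print(f"{name}: {verdict}")
```

Note the limit of this check as well: a document whose magic bytes are correct can still carry a hostile macro, so the "ok" verdict only means the container is what it claims to be, not that its contents are safe.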
Secondary Risk (Confidentiality): It is a given that, regardless of how many
times you tell them not to, users can be suckered into opening e-mail
attachments sent by an unknown source. The most obvious concern is computer
viruses. Signature based anti-virus software cannot detect new viruses
until some time after their first release, and until then, those viruses can
spread with amazing speed causing major headaches within the organization.
The Melissa virus, for example, infects Microsoft's Word global startup
template (normal.dot), after which, any document created by the user is
infected with the virus and emailed to the first fifty recipients defined in
the Outlook mailing list. If any one of those first fifty entries happens
to be a group (which could consist of several hundred people or even
everyone within the organization as in an "all employee" group), Melissa
then mails the infected document to everyone within that group. It is
unlikely that people outside of your organization will have an e-mail
account on your system, however, people that do have an account often
auto-forward incoming e-mail to personal accounts when they are traveling,
ill, or on vacation. If their home PC becomes infected, which it probably
will, the cycle will repeat itself except this time the virus will be
sending those work related documents to the first fifty people (who could be
just about anyone) in their personal address book. There is no telling
where sensitive information will finally end up, how many people will have
read it, or what they will eventually do with that information. Think about
the documents stored on your workstation. What might be the consequences if
they were to show up on the Internet tomorrow? You might think that it
would never happen to you but if Melissa infected your organization, it
probably already has. Melissa generated millions of e-mails and each one
had a document attached. Did anyone within your organization even think to
analyze the documents infected by this virus to determine their contents and
where they may have gone?
It is not at all uncommon, when performing compliance reviews, to identify
numerous individuals who have emailed sensitive or confidential information
to personal email accounts. Usually these are people who should really know
better. Many are executives and managers who are spending their evenings
working on employee evaluations, reading reports, or preparing for meetings.
These messages will pass through many servers before reaching their final
destination and any one of the individuals who administer these various
servers can easily read or make copies of those messages. There is really
no way, unless the perpetrator is a complete idiot, to know where the breach
occurred should your confidential messages end up scattered about on the
Internet in Usenet news groups.
Secondary Risk (Covert Operations): Outside e-mail gives the attacker (we
are talking about professionals here) an enormous tactical advantage when
launching an attack. From a technical perspective it is impossible to
prevent executable code from entering your system and arriving on a user's
workstation. This means that the only real problem, from the attacker's
point of view, is getting the code to run. History has shown repeatedly
that users can be trusted to ignore policy (not to mention common sense) and
do whatever the attacker asks them to. Scenario: The attacker wants to
plant a program on your system that will allow him to bypass your firewall
and gain covert access to your network from a remote location. Suppose the
target is GAO. Using the previous example of searching for Usenet postings
originating from GAO.GOV we have names, email addresses, and an enormous
amount of data regarding software, hardware, and the people themselves,
i.e., the type of things they are interested in, the type of communications
they would normally expect, and whom they are communicating with. If virus
writers can consistently sucker people into clicking on e-mail attachments
with poorly written/spelled generic subject lines and messages, how hard do
you think it would be to trick someone into doing this if they were to
receive an e-mail message from an individual they have "spoken" with in the
past? Relying on anti-virus software to detect this type of Trojan is
pointless. Unless it has wide distribution, which it doesn't (it is
directed at a single target), there is very little chance that your
anti-virus vendor will ever know it exists. There may well be hundreds of
these "spy" programs quietly running in organizations all over the country,
including your own, as you read these lines. In many ways, bugging a
computer is much easier than bugging a room, and the chances of getting
caught are zero! If the attacker uses any one of the numerous free
neighborhood wireless access points to the Internet the best that anyone
will be able to do is trace back to some poor computer hobbyist's server
(who will probably be more than happy to find a new hobby after being scared
to death by a small army of machinegun toting feds crashing through their
front door).
Mitigation: How to best address vulnerabilities caused by the use of email
will depend on business need and the size of your organization. The best
approach is to analyze the content of all email traffic with a source or
destination outside of your organization. The solution becomes obvious if
the content is of a personal or inappropriate nature; however, it is more
likely to be a blend of personal and business related material. In this
case you need to look carefully at the ratio and the content. Determine if
the information is time sensitive, critical or even necessary to operations,
and if it could be effectively handled by an alternative method such as
phone, fax, etc. Compare these answers to the risks involved and the answer
should, again, become self-evident. If outside email is necessary then you
will have to decide how best to handle it, i.e., an isolated server, a "text
only" based client, or a compartmentalized workstation. Preventing
unsolicited incoming email is also a viable option.
Miscellaneous Vulnerabilities (Boot From Floppy)
Discovery: Can you boot your workstation from a floppy diskette? You can
easily test this by inserting a blank diskette in the floppy drive and then
restarting the workstation. If a message appears on the screen informing
you that an operating system could not be found, or the floppy drive light
stays on for more than a few seconds before finally booting, the workstation
has probably been configured to boot from a floppy diskette.
Primary Risk: If the workstation is configured to allow booting from a
floppy diskette then anyone can get to anything on that workstation
regardless of the operating system or any file permissions by simply booting
to DOS and using a disk editor, such as Norton Utilities, to search for and
read (or copy to a floppy) whatever may be of interest. More importantly,
there will be no way to detect or capture an audit trail of this activity.
Common Mistake: Typically, security analysts recommend that you configure a
system to boot from the hard disk only and then enforce this setting by
password protecting CMOS. While this is a very good idea for other reasons,
such as accidentally booting from an infected floppy diskette, it does not
adequately address the vulnerability in question. CMOS chips often have
undocumented built-in passwords that cannot be changed by the end user.
These passwords enable technicians to override a user-defined password in
the event that it has been lost or forgotten. Many of these factory-set
default passwords are freely available on the Internet for those who know
where to look.
Secondary Risk (Boot Sector Viruses): Operating systems such as NT do not
react well to boot sector viruses. These viruses install themselves on a
system when the machine boots from an infected floppy diskette (which
usually happens when a floppy is inadvertently left in the drive and the
machine is powered on or rebooted). Most boot sector viruses were designed
for older operating systems such as DOS and do not work well in modern
environments. Operating systems such as NT will simply crash when trying to
boot from a virus-corrupted master boot record. Configuring a system to
boot from the hard disk only and then enforcing this setting by password
protecting CMOS is an effective defense against boot sector viruses. Keep
in mind that the very presence of removable media is inconsistent with the
idea of a secure environment.
Secondary Risk (Elevation of Privileges): Booting from an alternative
operating system will enable the attacker to run software that can change
the password for any other user on the system, including that of the
administrator. A user with administrative access to the local workstation
is just a few simple steps away from gaining "domain admin" or being able to
hijack and use other people's accounts in a manner that would be virtually
impossible to detect.
Mitigation: Install a centralized file server and systematically force all
users to store files within a personalized folder on that server.
Configure all of your workstations in such a way as to prevent users from
writing to the local hard drive. This vulnerability becomes moot if there
is nothing on the workstation's local hard drive for the attacker to see.
Remove or disable all removable media. This will prevent the attack from
ever happening in the first place.
Miscellaneous Vulnerabilities (Unsecured Clients)
Discovery: Are you using Windows 95 or 98 as the operating system of choice
on your workstations?
Primary Risk: Unauthorized access to sensitive information. Most operating
systems intended for home use do not provide a secure logon sequence or the
ability to effectively control a user's access to information. In many
cases any user can access everything on the workstation without entering a
user name or password by simply "canceling" out of the login process. Keep
in mind that most modern operating systems and applications have a nasty
habit of saving copies of e-mail attachments or creating temporary work
files (which can be complete images of documents or databases) in numerous
places on the hard disk. It is generally not too difficult to locate this
material even when the user has made a determined effort to hide or remove
it.
Common Mistake: Many organizations use Windows 95 or 98 as the workstation
client and set it up to access information on a "secure" host via some type
of terminal emulation software. Because the host may be running a secure
operating system, and applications on the host require user identification
and authentication prior to granting access, they believe their network, and
the information on that network, to be secure. Nothing could be further
from the truth, in fact, allowing unsecured clients to attach to a secure
host is an extremely effective method of invalidating whatever security may
be in place on that host. It is also a very good indicator that the
so-called "secure" host will have serious security problems of its own (and
a dead giveaway that Personal Computer Mentality is thriving within the
organization).
Secondary Risk (Elevation of Privileges): It is a trivial task for even a
marginally competent user to hijack accounts belonging to other users on an
unsecured client. All the attacker needs to do is download and install a
keystroke-logging program on the workstation, wait for about a week, and
then harvest the captured accounts and their associated passwords. The
damage can be considerable if any one of the hijacked accounts has access
to a restricted host or belong to someone with administrative permissions.
Such an attack, when properly executed, is virtually impossible to detect
and even harder to prosecute (all of the "evidence" points to the innocent
user whose account was hijacked).
Mitigation: Install a secure operating system on all network clients and
configure each according to the principle of "least privilege." If you are
hearing about this massive vulnerability (that essentially undermines the
security of every system the workstation can connect to) for the very first
time then fire the CIO and your entire security staff. If you have heard
about it all before but have chosen to ignore it, then do the world a really
big favor and fire yourself.
Miscellaneous Vulnerabilities (Least Privilege)
Discovery: Can you make changes to your workstation's network configuration
or access sensitive security files?
Make sure you have a few blank floppy diskettes available. If you are using
NT, left-click on the Start button and then select Run from the pop-up menu.
Enter RDISK in the dialog box and then click on OK (if you are using Windows
2000, left-click on the Start button, select Programs, select Accessories,
select System Tools, and then select Backup). Follow the instructions for
creating an Emergency Repair Disk. If the workstation does not have a floppy
drive, or it has been disabled, right-click on the Start button, select
Explore, and then go to the C:\WINNT\REPAIR directory. Highlight all of the
files within this folder and try copying them to C:\TEMP. If either of these
tests was successful you have just confirmed that any user can obtain a
copy of the workstation's backup security files. This is not a good thing.
Left click on the start button, select settings, select control panel. Here
you will find a collection of applets designed to configure many different
aspects of the workstation's mode of operation. Some have no security
implications while others can have a profound impact. Try clicking on each
of these applets and wandering through whatever tabs they have to offer. If
any of the data fields on a given page are changeable (not grayed out) by a
normal user, you may, depending on the application and parameter, have a
very serious problem on your hands. I have been a little vague here simply
because there are significant differences between NT and windows 2000 with
regard to the contents of the control panel folder (and I have no way of
knowing how the workstation was configured during the installation process).
What you are looking for are applications that imply the ability to add or
delete hardware, add or delete software, change network or Internet
settings, configure the system, conduct network discovery, or access
administrative tools. The questions you should be asking yourself as you
wander around are "should a user be able to change this setting?" or "Under
normal circumstances would a user need to change this setting in order to
accomplish their assigned duties?" and "have I ever needed to change this
setting?" It is all about the principle of "least privilege."
Left click on the start button and then select Run. Try executing any of
the following programs: rdisk, rasadmin, regedit, regedt32, dcomcnfg,
ddeshare, ginasetup, inetins, cmd or musrmgr. All of these programs have
security implications and should be restricted to administrators unless
there are compelling reasons to do otherwise. I should point out that these
are by no means the only files that you need to be concerned with, only a
random sampling taken for the purpose of giving you an idea of what may be
available to your users.
Primary Risk: Any user who can create or get to the backup password file on
the local workstation represents a very serious threat. Running a password
cracker (and there are some very good ones freely available on the Internet)
will more than likely yield the passwords for most, if not all, of the local
accounts on the machine. Any user who can gain access to the administrative
account on a workstation is but a few very simple steps away from capturing
a domain administrator's account.
Common Mistake: Many organizations use "out of the box" installations. Some
make a feeble attempt to control access to resources via the use of policy
files (which in most cases can be easily circumvented by a knowledgeable
user). Most ignore setting the appropriate permissions on files and folders
according to the principle of "least privilege," and shutting down unneeded
services or program associations. They further compound this problem by
failing to properly analyze the resources needed by their users and giving
them access to many administrative functions which can be used to gather
intelligence or launch an attack.
Mitigation: Install a secure operating system on all network clients and
configure according to the principle of "least privilege."
In conclusion: Based on my experience over the past twenty years, I would be
willing to bet that you answered in the affirmative to most, if not all, of
the above questions (you are definitely in a very small minority if you were
able to answer "no" to all of them). From a security perspective, you are
in serious trouble if you are not a member of that very small minority. You
are essentially running a system incapable of guaranteeing the
confidentiality, integrity, or availability of information and other critical
resources. If it is any consolation at all, many major corporations and
government agencies have paid serious money for teams of certified
professional security analysts to perform on-site security evaluations,
penetration tests, port scans, password cracks, etc., and are now sitting in
the same boat that you are! Such is the magic of Personal Computer
Mentality!
Obviously I don't know a thing about the specifics of your particular system and
a few superficial questions do not a meaningful risk analysis make. There
may also exist within your organization extenuating circumstances that I
have no way of knowing about, however, if you answered in the affirmative to
any of the above questions I would strongly suggest that you take a good
long hard look at your security program. You may even want to start asking
yourself what exactly it is that you are paying for!
If you have recently paid for a formal risk assessment you may want to
compare the issues documented within the final report to whatever
information you have just discovered. It would seem reasonable to expect
that if I could help you identify numerous and serious vulnerabilities
without ever having seen your system, those same vulnerabilities would have
been readily identified and documented by someone claiming to be an expert
who had performed an on-site evaluation. If not, you may want to try asking
for your money back.
Your answers to the above questions constitute my case for mass incompetence
and the pervasive use of fundamentally flawed paradigms within the so-called
"professional" security community as a result of Personal Computer
Mentality. You have seen the evidence first hand. Weigh it carefully and
then proceed accordingly.
Lohkee!