Friday, August 26, 2011

Cyber Command Should Have a Football Team


People keep asking me, “Lee, what tools do you use?” or “Have you ever configured an xyz network device?” When I answer them, either they are surprised because I tell them it doesn’t matter which tools a person uses, or they look at me like I ride the short bus because I tell them I don’t care what kind of firewall they use, because they’re all pretty much the same to me.

Well, to go off on a vendor rant for a second... Firewalls are either stateful inspection or they are not. They have well-written rules or they do not. And if someone manages to set one up without logging enabled, it is of no use to an Incident Responder. All of the above has nothing to do with a specific vendor (although they will fiercely argue that point!) but with the way the engineer sets it up. So it doesn’t matter to me which firewall a company uses, because it’s up to the person that deploys it to do a good job.

Firewalls, platforms, and entire industries aside... the point I have the hardest time getting across is that information security is not a technical field. People generally think of hacking the Gibson or some arrogant kid with a 2-foot red Mohawk writing a virus. Sure, there are technical aspects to it, and it’s best if you have some of those skills, but security has a lot more in common with playing football than it does with any one tool.
Security is a mindset. It is not the measure of a tool, the number of machines in a botnet, or the complexity of a new exploit. Security’s methodical mindset can be applied to any situation regardless of environment. It is about having an explicitly defined understanding of a goal, a clearly defined target, knowing which resources you need, and knowing how to take the correct actions.

This mentality can be described perfectly when compared to football. A linebacker’s primary goal is to prevent positive yardage for the opposing team. The secondary goal is to create negative yardage for the opposing team. To prevent positive yardage, it is important to learn the behaviors of the quarterback, running backs, and other players that are directly involved in creating positive yardage.

A successful linebacker eventually learns how the combination of body language, formations, and players on the field translates into actions performed. Achieving the second goal is generally more difficult as it may require actual research or information from a third party. The linebacker needs to search for holes in the opposing team’s defense and then test them to see if he can gain access.

To take those actions and effectively generate negative yardage, the linebacker needs good information combined with opportunity. Opportunities come and go, but much of the information should be gathered beforehand. The linebacker should have researched which of the opposing linemen are left-handed and which are right-handed. He should also have answered questions such as “Which players are injured and where? Which players stayed up too late having a good time? Which, if any, are at odds with the quarterback?” and finally determined the skill level of each player. Like anywhere else, the more information that is gathered, the more effectively goals can be achieved.

On the surface, the goals in an information technology environment may seem different; instead of sacking the quarterback, the goal may be to deface a web site or exfiltrate data. If you step back and reduce the situation to its methodology, the goals are identical. The first objective in defacing a web server is to identify its exact location, which is comparable to the linebacker figuring out who has the football. Next, the attacker needs to find a method of gaining access to the server.

This would be the linebacker finding a route to the player possessing the football. Once the location is identified, the attacker will typically achieve access either through the use of valid credentials or with exploits. In parallel, when the linebacker is trying to bypass all of the opposing players and gain access to the ball, he has the same options. Although highly unlikely, the linebacker can do this by wearing the other team’s uniform (using valid credentials) or he can find a hole in the opposing team’s defense (an exploit).

Once the attacker has access and the linebacker has found his route, it is possible to leave a “back door” or attempt to escalate privileges. This part of the attack doesn’t translate as well to the football analogy, but the linebacker essentially already has the privileges he needs to make a tackle, and football’s version of a back door might be identifying a weakness in the opposing team of which they are not aware and then trying to prevent them from finding it. To complete the analogy, the attacker’s privilege escalation is what allows him or her to make the tackle and deface the website.

Security is a mindset. When you apply that mindset to information technology, it’s important to know the underlying protocols and the basic methodology behind infrastructure deployments. It is this understanding that allows an information security specialist to know which data to look for, and only then are they properly prepared to select the tools required to obtain the relevant data.
