Taking Time To Go Fishing (Not Phishing)

I was enjoying a relaxing day of fishing last weekend, a low-tech hobby that I have enjoyed since I was probably 5 years old. I had all of the essential components that make for a successful day of fishing: good weather, cigars, beer, and beef jerky. I set out to fish some of my favorite spots on the pond, using my tried and true artificial lures that are known to work on this pond in these conditions (I will spare you all the details). I noticed that there was one other fishing party on the pond who had navigated their small boat over to the dam and begun fishing, albeit with live bait. If there is one thing I believe in as a fisherman, it is that using live bait is cheating. I mean sure its fun every once and a while, and certainly useful for keeping the kids occupied while fishing as you tend to catch a lot more fish. In any case, I was fishing within site of the folks on the dam who were not catching any fish and caught two small fish right in front of them. On the second fish I noticed something interesting sticking out of the fish’s mouth, a set of nasty little pinchers! The fish must have been hungry because not only did it consume a crawfish, but also my imitation worm. I decided to change spots to just across the pond where there was a prime spot with some logs sticking out of the water. I changed baits to an imitation crawfish (digging through the tackle box to find one) and on my first cast as soon as the lure hit the water my line started pulling. I reached forward and then quickly leaned back to set the hook. To my pleasant surprise it was a 3 pound large mouth bass, the largest I had caught all season! Needless to say this had to frustrate the folks fishing off the dam with live bait. Am I a master fisherman headed for the professional fishing circuit? Not even close, but it speaks to common sense that we all need to have.

yellingatbass.png

Yes, I frequently yell at the fish; they like it though.

Adapting To The Changing Landscape

How does this relate to our field? It doesn’t really, i just wanted to share my fishing story with you. Just kidding (sorta)! We certainly need to exercise common sense in the security field, and there are far too many areas where we are using tried and true methods of defense (or offense) and its just not working as well as it used to. The big question is, why? The landscape and environment is constantly changing, and we need to observe what’s in our environment if we are to be successful hackers, defenders, and fisherman. For example, consider the following areas:

  • Web application assessments – Some customers may give push back about this one, but we need to continue to put this on the forefront of our penetration testing agendas. Web application testing, by real human beings, should be a part of every external penetration test. Attackers are exploiting our web applications, stealing our data, and using it to trick users, and we should too!
  • Wireless “security” – Ah yes, of course, WPA2 came out and we’re all safe, right? This is a prime example of how the crawfish is hanging out of the fish’s mouth, but we’re still fishing with worms. Attackers are exploiting wireless to gain access to your networks. Here’s another secret: the protections you’ve put in place to stop them aren’t working! WEP, WPA/WPA2, and most IDA/IPS devices do little to stop attackers, yet we see so many organizations doing little about it except recognizing that it’s broken and going off to work on the firewall upgrade project.
  • Collecting logs and not checking them – This is the equivalent of catching the fish, but never even looking in it’s mouth to see what its eating. Some organizations have spent a lot of money on solutions that collect, aggregate, and correlate their logs. Sure,it takes some work to configure and use these solutions, but how many are being used to prop open the server room door? (thanks to Carole Fennelly for that story!)
  • “Client security” – Its pretty clear that attackers are going after the client. Everything from phishing, to xss, to straight up exploiting client software (like adobe products), the client is the low hanging fruit in your network and has been for some time. Guess what? This isn’t changing! As penetration testers one theme that I gathered from many people and presentations at the penetration testing summit was we are beefing up post-exploitation, in a big way. At the center of this effort is our very own Carlos “darkoperator” Perez who is writing and maintaining several Metaspoloit Meterpreter scripts to automate post-exploitation. During our own penetration testing exercises once we’ve gained access to a client, we can use that as a jumping off point to gain access to other systems. I don’t mean jumping off exclusively from the network necessarily, but maybe that client has some piece of information that leads us to your data, like a browser history, stored password, re-used password, or spreadsheet of passwords. Don’t even get me started on anti-virus software and how its supposed to help…
  • bass-holding.png

    Conclusion

    Organizations need to take a long hard look at their overall defensive strategies on a regular basis. Adjust your strategies and be adaptive. I think the hardest part is keeping management up to speed. It seems like just when we convince them that one technology is vital to your survival from attacks, something new or different crops up and changes the landscape. Then, well, lather, rinse, repeat (we started with firewalls, to Anti-Virus, to IDS/IPS). You need to identify security strategies that stand the test of time and put effort into them, such as:

  • Well-formed security policies
  • Procedures that enforce the policies
  • Vulnerability management programs
  • System Hardening
  • The above items are like a net – they will always catch some fish regardless of the conditions.

    Paul Asadoorian
    PaulDotCom Enterprises

    About the author

    Paul Asadoorian is the Founder & CEO of Security Weekly, where the flagship show recently re-titled "Paul's Security Weekly" has been airing for over 8 years. By day he is the Product Evangelist for Tenable Network Security. Paul produces and hosts the various shows here at Security Weekly, all dedicated to providing the latest security news, interviews with the industries finest and technical how-to segments. Paul is also the founder and host of "The Stogie Geeks Show", featuring cigar reviews for cigar enthusiasts.