Another week and another major organization goes down. I am sure you have read the story about RSA being compromised.
If not, the gist of the story is here.
The question now becomes: What does this mean to my organization? There are a couple points that we have been hitting for the past few weeks. Number one is that traditional detection and reaction technologies are failing. Does this mean we need to throw them away and start over? No. What it means is there are limitations to these devices and technologies. There are a number of people who say that the penetration testing community is crap because all we do is break into systems and collect paychecks. Unfortunately, this is true for some of the organizations that are doing testing, but it is not indicative of our industry as a whole.
Rather, I propose this for looking at the state of penetration testing today. We are the structural engineers of the IT industry. Take a look at the building you are in right now. It does not matter if the building has Greek columns or second hand Steinways. It is a work of brilliance. The reason this brilliance is possible is because of the generations of testers that found the exact failure points of various materials such as wood, masonry and various forms of steel. In order to push the limits and build bigger and more resilient structures we need to know the limitations of the designs and the materials they use.
Today in IT there are a number of different forces that are trying to convince your organization that if you buy (DLP/AV/IPD/Firewall X) then your systems will be secure. This is total crap.


Paul made me put this in… I like Coors Light… A lot.

IT and especially Information Security is a dynamic endeavor. We need to make sure that different components interact with each other in such a way that a single compromise of one component does not lead to a total compromise of an organization. As penetration testers (if we are doing it correctly) we need to find the component, and more importantly the structural failures of organizations. For example, I think it is safe to assume that an attacker will compromise a user via social engineering. That is going to be a given for quite some time. However, is it a systematic problem for your entire organization? Can I successfully SE anyone in your company including the Systems Administrators? If so, this is a major component failing. Further, if I can compromise one system via social engineering can I compromise the rest of your organization? Can I remain persistent for weeks… If not months? This failing is unacceptable.
In short, if we built buildings like we design IT and security operations, there is a good chance that we would all still be living in one-story mud huts.
So, going forward, what can we do? First, test beyond initial expatiation. Second, test and train the human factor. Finally, train the Systems Administrators in your organization. These are the people that build and maintain the structural components of your organization. They need to know the limitations and failure points of the things they build. For too long organizations have worked to keep Systems Administration and Security separate. This is a flawed approach.
It is time to start moving beyond this. We are outgunned. The attackers have tremendous resources at their disposal. We need the help of the users and the IT staff to fully prepare for the threats we are facing.
Once again, I know we are going to get flamed by people saying their users are dumb. That working with SAs is hopeless. Because of these two “facts” there is no reason to better educate for users and SAs.
This belief is wrong.
Just because something will fail does not mean it is worthless. It just means it has a failure point. Just like steel and wood. Put enough weight on it and it will break. The point is to design your architecture in such a way that one 2×4 or a truss failing does not lead to a catastrophic failure of an entire building. The same goes for IT.
John Strand
John Strand will be teaching SANS 660 Advanced Network Penetration Testing and Metasploit for Penetration testers This April in Reston, VA April 15 – 23.

About the author