You really don’t have much covered at all do you?

December 20th, 2011 — 4:06pm


I just had a meeting with the Finance Manager and Security Manager of a State government agency, and if you are responsible for providing security or signing off requests for security budget in your organisation, I recommend it will be well worth your time to read about my experience.

I was attempting to better understand their business, assets, risks, likely threats and their potential impact so one of the questions I asked the Finance Manager was “What is your ability to detect and respond to threats before your assets are compromised?”.

The Security Manager jumped in and said “We have got all that covered.” I asked, “Can you please elaborate?”

She said “Well we have an Intrusion Prevention system, we log everything and we use a Security Information and Event Management tool amongst other things.”

At this point I knew I had work to do to help them understand the reality of their situation.

“If you don’t mind, I would like to run through a few basic scenarios and see if you’re able to detect and respond to them,” I said. She said “Go ahead”.

1) “If I was to drop 20 USBs around your office and car park with the file name ‘StateGovernmentSalaries.exe’, how many of your staff would pick one up, stick it in their PC and click on the file?”

She said “Probably all of them.” During our risk assessments the best case we have had is about 65%, meaning that in all other cases more than 65% of people plugged it into their PC and clicked on the file, which is programmed to connect back to the CIO’s office and identify who logged on and from which PC. This could easily be laced with modern malware.

2) “If a workstation or a server in your environment was remotely being controlled, would you know?” She said “No.” The earthwave Security Operations Centre identifies 4-6 such incidents per client per month on average. In many of these cases data is going off-shore through the Firewall and IPS using common Firewall ports. It all looks like normal traffic.

3) “If your Email or Network Administrator was reading your email or that of the CEO and other board members every night, would you know?” The Finance Manager looked at the Security Manager.

She shook her head from side to side.

4) “If someone was logged on locally to the network using your login but you hadn’t even come to work yet, would you know?” Again she said “No.” I said, “How about if you were logged on twice, once from home and once locally? How could you be in two places at the same time?” She said “No.”
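The two conditions in scenario 4 (a local logon while the real user has not arrived, and the same account logged on from home and locally at once) both reduce to the same check: does one account hold overlapping sessions from two different origins? The following is an added example, not earthwave’s tooling or anything from the original post. It runs over a small set of constructed logon/logoff records whose shape (timestamp, user, event, origin) is an assumption for the example; a real deployment would feed it from domain controller and VPN logs.

```python
from collections import defaultdict
from datetime import datetime

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample records: (timestamp, user, event, origin).
# "origin" is "vpn" for a remote session or a workstation name for a local one.
RECORDS = [
    ("2011-12-20 06:55:00", "jsmith", "logon",  "vpn"),
    ("2011-12-20 07:10:00", "jsmith", "logon",  "WS-FIN-03"),  # local logon while VPN still up
    ("2011-12-20 07:45:00", "jsmith", "logoff", "WS-FIN-03"),
    ("2011-12-20 08:30:00", "jsmith", "logoff", "vpn"),
    ("2011-12-20 09:00:00", "akhan",  "logon",  "WS-HR-01"),
    ("2011-12-20 09:30:00", "akhan",  "logon",  "WS-HR-01"),  # reconnect on the same host: benign
    ("2011-12-20 17:00:00", "akhan",  "logoff", "WS-HR-01"),
]


def sessions(records):
    """Pair logon/logoff records into (user, origin, start, end) sessions.
    A session still open at the end of the log gets end=None."""
    open_sessions = {}
    out = []
    for ts, user, event, origin in sorted(records):
        when = datetime.strptime(ts, TS)
        key = (user, origin)
        if event == "logon":
            # A second logon from the same origin is a reconnect, not a new session
            open_sessions.setdefault(key, when)
        elif event == "logoff" and key in open_sessions:
            out.append((user, origin, open_sessions.pop(key), when))
    for (user, origin), start in open_sessions.items():
        out.append((user, origin, start, None))
    return out


def concurrent_logons(records):
    """Return (user, origin_a, origin_b) for every account that holds two
    overlapping sessions from different origins, e.g. VPN and a local PC."""
    by_user = defaultdict(list)
    for user, origin, start, end in sessions(records):
        by_user[user].append((origin, start, end))
    findings = []
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                origin_a, start_a, end_a = sess[i]
                origin_b, start_b, end_b = sess[j]
                if origin_a == origin_b:
                    continue
                end_a = end_a or datetime.max
                end_b = end_b or datetime.max
                # Two intervals overlap when each starts before the other ends
                if start_a < end_b and start_b < end_a:
                    findings.append((user, *sorted((origin_a, origin_b))))
    return findings


if __name__ == "__main__":
    for finding in concurrent_logons(RECORDS):
        print("concurrent sessions:", finding)
```

The check is deliberately origin-based rather than count-based: a user reconnecting to the same workstation is normal, while one account active on the VPN and on an office PC at the same moment is the “two places at once” condition the question describes and is worth a ticket regardless of what the sessions are doing.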

5) “If your staff or other managers were taking work home and saving it on the home shared computer in the My Documents folder, would you know? Furthermore, would you know if that folder was being shared on a peer to peer file sharing network by one of the kids and consequently this information was able to be leaked on to the Internet?” She said “No.”

6) “How about if one of your staff was about to leave and had been sending out their CV, copying sensitive files to USB, printing documents after 6pm, emailing or FTPing files out of the company, etc?”

She said “No.”

Finally I said, “Let me now use a basic technical example. Suppose someone conducted reconnaissance on your DNS server (which was logged in the DNS server logs), followed by a port scan against your network perimeter (which was logged by the Firewall), and then launched some well-known exploit against your Web or SQL server (which triggers an IPS alert). In such an example, what is your ability to detect and respond to such a threat?” She said “None.”
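The point of that last scenario is that each log source on its own already records its stage of the attack; what the agency lacked was anything joining the three by source address and time. As an added example that is not from the original post or from earthwave, the code below runs a minimal version of that correlation over constructed DNS, firewall and IPS events. The normalised event shape (timestamp, source, src_ip, message) and the message formats are assumptions for the example; each real log format would need its own parser in front of this.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample events: (timestamp, source, src_ip, message).
# One host works through recon -> port scan -> exploit; two others produce
# isolated events that should not be promoted to a chained incident.
EVENTS = [
    ("2011-12-19 22:01:05", "dns",      "203.0.113.7",  "AXFR agency.example refused"),
    ("2011-12-19 22:01:09", "dns",      "203.0.113.7",  "ANY agency.example"),
    ("2011-12-19 22:14:30", "firewall", "203.0.113.7",  "DENY tcp dst=10.0.0.5 dport=21"),
    ("2011-12-19 22:14:31", "firewall", "203.0.113.7",  "DENY tcp dst=10.0.0.5 dport=22"),
    ("2011-12-19 22:14:31", "firewall", "203.0.113.7",  "DENY tcp dst=10.0.0.5 dport=23"),
    ("2011-12-19 22:14:32", "firewall", "203.0.113.7",  "DENY tcp dst=10.0.0.5 dport=25"),
    ("2011-12-19 22:14:32", "firewall", "203.0.113.7",  "DENY tcp dst=10.0.0.5 dport=1433"),
    ("2011-12-19 22:14:33", "firewall", "203.0.113.7",  "DENY tcp dst=10.0.0.5 dport=3389"),
    ("2011-12-19 22:40:12", "ips",      "203.0.113.7",  "ALERT sig=SQL-injection dst=10.0.0.5 dport=80"),
    ("2011-12-19 23:00:00", "firewall", "198.51.100.4", "DENY tcp dst=10.0.0.5 dport=445"),
    ("2011-12-19 23:05:00", "ips",      "198.51.100.9", "ALERT sig=web-scanner dst=10.0.0.8 dport=80"),
]


def classify(source, message):
    """Map a raw event to the attack stage it evidences, or None if it is noise."""
    if source == "dns" and message.split()[0] in ("AXFR", "ANY"):
        return "recon"        # zone transfer / ANY queries against the DNS server
    if source == "firewall" and message.startswith("DENY"):
        return "scan"         # individual denies; a scan is many distinct ports
    if source == "ips" and message.startswith("ALERT"):
        return "exploit"
    return None


def port_of(message):
    for token in message.split():
        if token.startswith("dport="):
            return int(token[len("dport="):])
    return None


def correlate(events, window=timedelta(hours=2), scan_ports=5):
    """Return {src_ip: details} for every source whose events, in time order,
    show recon, then denies to >= scan_ports distinct ports, then an IPS alert,
    all within `window` of the first recon event."""
    by_ip = defaultdict(list)
    for ts, source, ip, message in events:
        stage = classify(source, message)
        if stage:
            by_ip[ip].append((datetime.strptime(ts, TS), stage, message))
    incidents = {}
    for ip, evs in by_ip.items():
        evs.sort()
        first_recon, scan_at, ports = None, None, set()
        for when, stage, message in evs:
            if stage == "recon" and first_recon is None:
                first_recon = when
            elif stage == "scan" and first_recon is not None:
                ports.add(port_of(message))
                if scan_at is None and len(ports) >= scan_ports:
                    scan_at = when
            elif stage == "exploit" and scan_at is not None and when - first_recon <= window:
                incidents[ip] = {"recon": first_recon, "scan": scan_at,
                                 "exploit": when, "ports": sorted(ports)}
                break
    return incidents


def triage(events):
    """Label every IPS alert: 'high' when it completes a full chain, else 'medium'."""
    chains = correlate(events)
    labels = {}
    for ts, source, ip, message in events:
        if classify(source, message) == "exploit":
            labels[ip] = "high: recon->scan->exploit chain" if ip in chains else "medium: isolated IPS alert"
    return labels


if __name__ == "__main__":
    for ip, label in triage(EVENTS).items():
        print(ip, label)
```

Two design choices matter here. The scan stage only counts once a source has already touched the DNS server, so a single stray deny is never promoted on its own, and the chain must complete within a bounded window, otherwise every old recon event would eventually pair with any later alert. The IPS alert that the agency’s tooling would have shown as just another alert comes out as the one high-priority item, which is exactly the difference between logging everything and being able to respond.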

By now the Finance Manager had had enough and turned to the Security Manager and said “You really don’t have much covered at all, do you?”

I said “The FBI, CIA, NSA, RSA, Sony, and the Pentagon, with all of their might and resources were all breached this year and some more than once. Do you really think you have it all covered better than them?” She said “No.”

To my surprise at this point, the Finance Manager turned to her and said “I want you to listen to them and buy what they’re selling because you don’t seem to know what you’re talking about.” She said “Yes.”

He was obviously annoyed to express himself in that way but the thought that went through my head was “I wish all customers were this easy to convert.”

Category: Case Study, Commentary, Intrusion Prevention System, Managed Security Services, Security Comment
