The Wild West

A friend passed this report [pdf] into Information Systems Security from the Western Australian Auditor General.

Key findings:

  • Fourteen of the 15 agencies we tested failed to detect, prevent or respond to our hostile scans of their Internet sites. These scans identified numerous vulnerabilities that could be exploited to gain access to their internal networks and information.
  • We accessed the internal networks of three agencies without detection, using identified vulnerabilities from our scans. We were then in a position to read, change or delete confidential information and manipulate or shut down systems. We did not test the identified vulnerabilities at the other 12 agencies.
  • Eight agencies plugged in and activated the USBs we left lying around. The USBs sent information back to us via the Internet. This type of attack can provide ongoing unauthorised access to an agency network and is extremely difficult to detect once it has been established.
  • Failure to take a risk-based approach to identifying and managing cyber threats and to meet or implement good practice guidance and standards for computer security has left all 15 agencies vulnerable:
    • Twelve of the 15 agencies had not recognised and addressed cyber threats from the Internet or social engineering techniques in their security policies.
    • Nine agencies had not carried out risk assessments to determine their potential exposure to external or internal attacks. Without a risk assessment, agencies will not know their exposure levels and potential impacts on their business.
    • Seven agencies did not have incident response plans or procedures for managing cyber threats from the Internet and social engineering.
  • Nearly all the agencies we examined had recently paid contractors between $9 000 to $75 000 to conduct penetration tests on their infrastructure. Some agencies were doing these tests up to four times a year. In the absence of a broader assessment of vulnerabilities, penetration tests alone are of limited value, as our testing demonstrated. Further, they are giving agencies a false sense of security about their exposure to cyber threats.
Some serious findings indeed, but it's good to see the Government performing these kinds of assessments and trying to get some traction on remediation of the findings.

Whilst reading the report consider how well your organization would have fared in this type of assessment.

I also found the link for the 2010 report [pdf] for comparison.

breachapalooza

We're halfway through 2011 and the breachapalooza* continues unabated!

Sony have been hit so many times, in fact, that there's a new term for it: "Sownage". Add to the ever-growing list senate.gov, Citibank, Honda Canada and the IMF.

Although it isn't really news to Security folk, the mainstream media has picked up on it (largely thanks to the scale of Sony's woes) and is continuing to report on the never-ending tide of high-profile defacements and smash-and-grabs. A quick look at datalossdb shows the number of incidents so far this year (322) is only slightly up on this time last year (300) and behind 2009 (376); while Sony's 77 million records lost is still well behind Heartland's 130 million back in 2008.

With mainstream media interest undoubtedly leading to increased interest in boardrooms, with executives asking "Can it happen to us?" and "What do we need to do to stop it happening to us?", the question has to be asked: are the actions of LulzSec good or bad for the industry? Patrick Gray ruffled a few feathers with his thought-provoking "Why we secretly love LulzSec":

LulzSec is running around pummelling some of the world's most powerful organisations into the ground... for laughs! For lulz! For shits and giggles! Surely that tells you what you need to know about computer security: there isn't any.
Which led to an equally interesting response from Adam over at the Newschool site.

I think the answer may be a little from column A and a little from column B. In Patrick's defence, he's probably right to some degree. Every Security guy or gal who has ever been overruled or just plain ignored when explaining the need for better security testing, implementation, tools, monitoring, etc.; probably has a little voice somewhere saying 'I told you so'.
Adam is right too when he says:
We’re being out-communicated by folks who can’t spell.
Why are we being out-communicated? Because we expect management to learn to understand us, rather than framing problems in terms that matter to them. We come in talking about 0days, whale pharts, cross-site request jacking and a whole alphabet soup of things whose impact to the business is so crystal clear obvious that they go without saying.

Although I would point out that sometimes even framing the problem in the right language to the right audience still doesn't result in the desired outcome. The old 'you can lead a horse to water, but you can't make him drink' problem exists if a mentality of 'it can't happen to us' rules. The only plus from LulzSec's actions is that they may be breaking down some of that mentality.

However, the most disappointing, or possibly most telling, thing is that, from what has been reported, very little of what LulzSec has accomplished has been particularly difficult or sophisticated. This is not really surprising, as it matches what Verizon revealed earlier in the year [pdf] when they reported that 92% of the breaches investigated were 'not particularly sophisticated'. SQL injection may be old school, but it's more popular than ever.
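As an added illustration (not code from the post, nor from the Verizon report), here is the "old school" flaw the post is alluding to, in Python's standard sqlite3 module against a constructed in-memory users table: the same login lookup written once with string concatenation and once with bound parameters, so the difference shows up in what each returns for identical input. The table contents and the credentials are made-up sample data.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory users table standing in for a web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "staff")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input is spliced into the SQL text and so becomes part of its grammar."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """The fix: bound parameters keep input as data; the database never parses it as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def compare(username, password):
    """Run both versions of the lookup on the same input and return what each yields."""
    conn = build_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A genuine login behaves identically under both versions.
    print("valid credentials:", compare("alice", "correct horse"))
    # The textbook tautology in the password field: the concatenated query's WHERE clause
    # becomes (username = 'alice' AND password = '') OR '1'='1', which matches every row,
    # while the parameterized query simply compares the literal string and matches nothing.
    print("tautology input:  ", compare("alice", "' OR '1'='1"))
```

The point for the boardroom conversation the post describes is that the vulnerable and fixed versions differ by one line, and the fixed one is the idiomatic way to call the API in the first place; review checklists and static analysis both catch string-built queries cheaply.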

In the meantime, Paul Ducklin from Sophos issued a challenge to the LulzSec group to use their skills, and their obvious spare time, to do something worthwhile like supporting Johnny Long's Hackers for Charity.

That may have to wait until after LulzSec are done warring with 4chan/Anonymous, which at the very least may provide some relief to Sony and may give other companies a break.**


*just heard Patrick Gray's risky.biz podcast from last week call it the pwnpocalypse. Why didn't I think of that?

**Edit 18/6: or maybe they're not, as they're still exposing records.
