Chapter 19

Managing Security Processes

In This Chapter

arrow Automating tasks

arrow Watching for misbehavior

arrow Outsourcing your security testing

arrow Keeping security on everyone’s mind

Information security is an ongoing process that you must manage effectively to be successful. This management goes beyond periodically applying patches and hardening systems. Performing your security tests repeatedly is critical; information security vulnerabilities emerge constantly. To put it another way, security tests are just a snapshot of your overall information security, so you have to perform your tests continually to keep up with the latest issues. Ongoing vigilance is required not only for compliance with various laws and regulations but also for minimizing business risks related to your information systems.

Automating the Ethical Hacking Process

You can run a large portion of the ethical hacking tests in this book automatically, including the following:

  • Ping sweeps and port scans to show what systems are available and what’s running
  • Password cracking tests to attempt access to external web applications, remote access servers, and so on
  • Vulnerability scans to check for missing patches, misconfigurations, and exploitable holes
  • Exploitation of vulnerabilities (to an extent, at least)

remember You must have the right tools to automate these tests, for example:

  • Some commercial tools can set up periodic assessments and create nice reports for you without any hands-on intervention — just a little setup and scheduling time up front. This is why I like many of the commercial — and mostly automated — security testing tools, such as Nexpose and AppSpider. The automation you get from these tools often helps justify the price, especially because you don’t have to be up at 2:00 a.m. or on call 24 hours a day to monitor the testing.
  • Standalone security tools, such as Nmap, John the Ripper, and Aircrack-ng, are great, but they aren’t enough. You can use the Windows Task Scheduler and AT commands on Windows systems and cron jobs on Linux-based systems, but manual steps and human intellect are still required.

Links to these tools and many others are located in the Appendix.
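A scheduled scan is only useful if someone compares it against the last one. The following added example (mine, not code from the book or from the Nmap project) shows the manual step that cron can’t do for you: it diffs two Nmap grepable-output (-oG) results and reports new hosts and newly opened ports. The scan text is constructed sample data, and the function names are my own.

```python
import re

# Constructed Nmap grepable-output (-oG) snippets: a baseline scan and a
# later scheduled scan of the same range. Not real scan data.
BASELINE_SCAN = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///
"""
CURRENT_SCAN = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///
Host: 192.0.2.20 ()\tStatus: Up
Host: 192.0.2.20 ()\tPorts: 22/open/tcp//ssh///
Host: 192.0.2.30 ()\tStatus: Up
Host: 192.0.2.30 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///
"""

# Each open port in a -oG "Ports:" field looks like 22/open/tcp//ssh///
OPEN_PORT = re.compile(r"(\d+)/open/(\w+)")


def parse_grepable(text):
    """Map each host address to the set of (port, protocol) pairs reported open."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) ", line)
        if not m:
            continue
        open_ports = hosts.setdefault(m.group(1), set())
        if "Ports:" in line:
            ports_field = line.split("Ports:", 1)[1]
            open_ports.update((int(p), proto) for p, proto in OPEN_PORT.findall(ports_field))
    return hosts


def diff_scans(baseline_text, current_text):
    """Report what changed since the baseline: new hosts, new open ports, vanished hosts."""
    old, new = parse_grepable(baseline_text), parse_grepable(current_text)
    new_hosts = sorted(set(new) - set(old))
    new_ports = {h: sorted(new[h] - old[h]) for h in new if h in old and new[h] - old[h]}
    gone_hosts = sorted(set(old) - set(new))
    return {"new_hosts": new_hosts, "new_ports": new_ports, "gone_hosts": gone_hosts}


if __name__ == "__main__":
    # In practice, cron would run nmap -oG into a file and then call this on the two files.
    print(diff_scans(BASELINE_SCAN, CURRENT_SCAN))
```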

warning Certain tests and phases, such as enumeration of new systems, various web application tests, social engineering, and physical security walkthroughs, simply cannot be set on autopilot. You have to be involved.

remember Even the smartest computer “expert system” can’t accomplish security tests. Good security requires technical expertise, experience, and good old-fashioned common sense.

Monitoring Malicious Use

Monitoring security-related events is essential for ongoing security efforts. This can be as basic and mundane as monitoring log files on routers, firewalls, and critical servers every day. Advanced monitoring might include implementing a security incident and event management (SIEM) system to monitor every little thing that’s happening in your environment. A common method is to deploy an intrusion prevention system (IPS) or data loss prevention (DLP) system and monitor for malicious behavior.

The problem with monitoring security-related events is that humans find it very boring and very difficult to do effectively. Each day, you could dedicate a time — such as first thing in the morning — to checking your critical log files from the previous night or weekend to ferret out intrusions and other computer and network security problems. However, do you really want to subject yourself or someone else to that kind of torture?

Manually sifting through log files probably isn’t the best way to monitor your systems anyway. Consider the following drawbacks:

  • Finding critical security events in system log files is difficult, if not impossible. It’s just too tedious a task for the average human to accomplish effectively.
  • Depending on the type of logging and security equipment you use, you might not even detect some security events, such as IPS evasion techniques and exploits carried out over allowed ports on the network.

tip Instead of panning through all your log files for hard-to-find intrusions, here’s what I recommend:

  • Enable system logging where it’s reasonable and possible. You don’t necessarily need to capture all computer and network events, but you should definitely look for certain obvious ones, such as login failures, policy changes, and unauthorized file access.
  • Log security events using syslog, a write once read many (WORM) device, or another central server on your network. Do not keep logs on the local host, if possible, to help prevent the bad guys from tampering with log files to cover their tracks.
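To show what the “obvious ones, such as login failures” check looks like when it runs from cron instead of from a tired human at 7 a.m., here is an added example (mine, not the book’s) that reviews Linux auth-log lines for a burst of failed logins from one source and flags any success that followed it. The log lines are constructed sample data, and the function name and threshold are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of a Linux auth log (sshd). Not real data.
SAMPLE_LOG = """\
Mar  3 02:14:01 fileserver sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 02:14:03 fileserver sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  3 02:14:05 fileserver sshd[2201]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  3 02:14:07 fileserver sshd[2201]: Failed password for root from 203.0.113.9 port 51025 ssh2
Mar  3 02:14:09 fileserver sshd[2201]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar  3 02:14:12 fileserver sshd[2201]: Accepted password for root from 203.0.113.9 port 51027 ssh2
Mar  3 06:30:44 fileserver sshd[2377]: Failed password for alice from 192.0.2.15 port 40012 ssh2
Mar  3 06:30:50 fileserver sshd[2377]: Accepted publickey for alice from 192.0.2.15 port 40013 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port")


def review_auth_log(text, threshold=5):
    """Return sources with at least `threshold` failed logins, plus any
    successful login from such a source (a guessed-password indicator)."""
    failures = defaultdict(int)   # source address -> failed-login count
    accepted = []                 # (user, source) for every successful login
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m.group(1), m.group(2)))
    noisy = {src: n for src, n in failures.items() if n >= threshold}
    suspicious = [(user, src) for user, src in accepted if src in noisy]
    return {"noisy_sources": noisy, "success_after_failures": suspicious}


if __name__ == "__main__":
    # Schedule with cron, e.g. "0 6 * * * python3 review_auth.py", and read
    # /var/log/auth.log (or the copy on your central syslog host) in place of SAMPLE_LOG.
    print(review_auth_log(SAMPLE_LOG))
```

Alice’s single typo at 06:30 stays below the threshold, while the five failures and then a success for root from 203.0.113.9 land in the report that should be waiting for you in the morning.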

tip The following are a couple of good solutions to the security-monitoring dilemma:

  • Purchase an event-logging system. A few low-priced yet effective solutions are available, such as GFI EventsManager (www.gfi.com/products-and-solutions/network-security-solutions/gfi-eventsmanager). Lower-priced event-logging systems typically support only one OS platform — Microsoft Windows is the most common. Higher-end solutions, such as HP ArcSight Logger (www8.hp.com/us/en/software-solutions/arcsight-logger-log-management), offer both log management across various platforms and event correlation to help track down the source of security problems and the various systems affected during an incident.
  • Outsource security monitoring to a third-party managed security services provider (MSSP) in the cloud. Dozens of MSSPs were around during the Internet boom, but only a few big ones remain, such as Dell SecureWorks (www.secureworks.com) and Alert Logic (www.alertlogic.com). These firms are now considered cloud service providers, and the value in outsourcing security monitoring to them is that they often have facilities and tools that you would likely not be able to afford and maintain. They also have analysts working around the clock and have the security experience and knowledge they gain from other customers to share with you.

    When these cloud service providers discover a security vulnerability or intrusion, they can usually address the issue immediately, often without your involvement. I recommend at least checking whether third-party firms and their services can free some of your time and resources so that you can focus on other things. Just don’t depend solely on their monitoring efforts; a cloud service provider may have trouble catching insider abuse, social engineering attacks, and web application exploits that are carried out over secured sessions (i.e., HTTPS). You still need to be involved.

Outsourcing Security Assessments

Outsourcing your security assessments is very popular and a great way for organizations to get an unbiased third-party perspective of their information security. Outsourcing allows you to have a checks-and-balances system that clients, business partners, auditors, and regulators like to see.

remember Outsourcing ethical hacking can be expensive. Many organizations spend tens of thousands of dollars — often more — depending on the testing needed. However, doing all this yourself isn’t cheap — and quite possibly it isn’t as effective, either!

warning A lot of confidential information is at stake, so you must trust your outside consultants and vendors. Consider the following questions when looking for an independent expert or vendor to partner with:

  • Is your security provider on your side or a third-party vendor’s side? Is the provider trying to sell you products, or is the provider vendor neutral? Many providers might try to make a few more dollars off the deal by recommending products and services from vendors they partner with, which might not be necessary for your needs. Make sure that these potential conflicts of interest aren’t bad for your budget and your business.
  • What other IT or security services does the provider offer? Does the provider focus solely on security? Having an information security specialist do this testing for you is often better than working with an IT generalist organization. After all, would you hire a general corporate lawyer to help you with a patent, a family practitioner to perform surgery, or a handyman to rewire your house?
  • What are your provider’s hiring and termination policies? Look for measures the provider takes to minimize the chances that an employee will walk off with your sensitive information.
  • Does the provider understand your business needs? Have the provider repeat the list of your needs and put them in writing to make sure you’re both on the same page.
  • How well does the provider communicate? Do you trust the provider to keep you informed and follow up with you in a timely manner?
  • Do you know exactly who will perform the tests? Will one person do the testing, or will subject-matter experts focus on the different areas?
  • Does the provider have the experience to recommend practical and effective countermeasures to the vulnerabilities found? The provider shouldn’t just hand you a thick report and say, “Good luck with all that!” You need realistic solutions.
  • What are the provider’s motives? Do you get the impression that the provider is in business to make a quick buck off the services, with minimal effort and value added, or is the provider in business to build loyalty with you and establish a long-term relationship?

tip Finding a good organization to work with long-term will make your ongoing efforts much simpler. Ask for several references and sample sanitized deliverables (that is, reports that don’t contain sensitive information) from potential providers. If the organization can’t produce these without difficulty, look for another provider.

Your provider should have its own contract for you that includes mutual nondisclosure verbiage. Make sure you both sign this to help protect your organization.

Instilling a Security-Aware Mindset

Your network users are often your first and last line of defense. Make sure your ethical hacking efforts and the money spent on your information security initiatives aren’t wasted because a simple employee slip-up gave a malicious attacker the keys to the kingdom.

The following elements can help establish a security-aware culture in your organization:

  • Make security awareness and ongoing training an active process among all employees and users on your network, including management and contractors. One-time training such as when employees are initially hired is not enough. Awareness and training must be periodic and consistent to ensure your security messages are kept at the top of people’s minds.
  • tip Treat awareness and training programs as a long-term business investment. Security awareness programs don’t have to be expensive. You can buy posters, mouse pads, screen savers, pens, and sticky notes to help keep security on everyone’s mind. Some vendors offering creative solutions are Greenidea, Inc. (www.greenidea.com), Security Awareness, Inc. (www.securityawareness.com), and my favorite (because of its founder, Winn Schwartau, who’s a hilarious guy who’s not afraid to tell it like it is) The Security Awareness Company (www.thesecurityawarenesscompany.com).
  • Get the word on security out to management! If you keep members of management in the dark on what you’re doing, they’ll likely never be on your side. I cover getting security buy-in in Chapter 20.
  • Align your security message with your audience and keep it as nontechnical as possible. The last thing you want to do is unload a bunch of geek-speak onto people who have no clue what you’re talking about. You’ll end up with the opposite of the effect you’re going for. Put your messages in terms of each group you’re speaking to: how security impacts them and how they can help.
  • Lead by example. Show that you take security seriously and offer evidence that helps prove that everyone else should, too.

If you can get the ear of management and users and put forth enough effort to make security a priority day after day, you can help shape your organization’s culture. It takes work but it can provide security value beyond your wildest imagination. I’ve seen the difference it makes!

Keeping Up with Other Security Efforts

Ethical hacking via ongoing security assessment is not the be-all and end-all solution to information security. It will not guarantee security, but it’s certainly a great start. This testing must be integrated as part of an overall information security program that includes

  • Higher-level information risk assessments
  • Strong security policies and standards that are enforced and properly adhered to
  • Solid incident response and business continuity plans
  • Effective security awareness and training initiatives

These efforts might require hiring more staff or outsourcing more security help as well.

remember Don’t forget about formal training for yourself and any colleagues who are helping you. You have to educate yourself consistently to stay on top of the security game. There are great conferences, seminars, and online resources for this that I outline in the Appendix.
