Wednesday, October 10, 2007

Be the Caveman Lawyer

A few weeks ago I recommended that security people at least Be the Caveman and perform basic adversary simulation / red teaming. Now I read Australia's top enterprises hit by laymen hackers in less than 24 hours:

A penetration test of 200 of Australia's largest enterprises has found severe network security flaws in 79 percent of those surveyed.

The tests, undertaken by University of Technology Sydney (UTS), saw 25 non-IT students breach security infrastructure and gain root or administration level access within the networks of Australia's largest companies, using hacking tools freely available on the Internet.

The students - predominantly law practitioners - were given 24 hours to breach security infrastructure on each site and were able to access customer financial details, including confidential insurance information, on multiple occasions.

High-level business executives from the companies surveyed, rather than IT staff, were informed of the tests so the "day-to-day network security" of businesses could be tested.
(emphasis added)

Again, my advice is simple, but now it is modified. Be the Caveman Lawyer.

One other point from the article:

Most of the 21 percent of companies who passed the penetration tests owed their success to freeware Intrusion Detection Systems (IDSs), according to Ghosh.

Snort was mentioned earlier in the article as one of those freeware IDSs. That means you can be a Cheap Caveman Lawyer and prepare for common threats.


Alex Raitz said...

Your modern world frightens and confuses me!

When I sighup snort with a new conf file, I wonder if the text on my monitor is the rantings of the angry demons living inside my computer. When I am installing a tap in my datacenter, I wonder if the wires under the floor are actually snakes waiting to attack and eat me. My primitive caveman mind cannot grasp these concepts!

cmlh said...

I believe Ajoy Ghosh has confused the GPL with the exceptionally high “cost” of the initial build and operation of Snort.

In addition to the hardware costs, which exponentially increase depending on bandwidth, the initial build of Snort requires a significant level of technical knowledge of Snort and its dependent packages, such as libpcap, MySQL, Barnyard, Sguil, etc.

Furthermore, the operation of Snort is exceptionally high, based on the release cycle of Snort, updating recently released rules with Oinkmaster, writing rules specific to your technical network implementation, responding to alerts, etc. This is exponentially increased with the need to repeat the same procedure for each host dedicated to Snort.

Based on the above, I would be interested if Ajoy Ghosh would publicly state that LogicaCMG would deliver Snort for “free” or reveal his hidden agenda (i.e. LogicaCMG charging "Professional Services" to build and operate Snort)?

Alex Raitz said...

I don't buy your argument. Snort is no harder to download and install (and probably takes less time and expertise to receive meaningful data from) than Nagios, Sendmail, and so on. It even has a Windows version! You are right that NSM is hard, especially to start, but you can't argue that it is valuable to practice and can be staged.

Even if hardware costs increased exponentially by bandwidth (which they don't) and scaling wasn't 100x easier now that good hardware is largely a commodity (SourceFire boxes watching fast networks are OEM Dells or IBM), I still don't get it. Are you suggesting that closed-source commercial monitoring software takes less hardware to run than Snort? Do they have some secret alien hardware that we don't?

I am biased because I work in professional services. That said, there is nothing wrong with having a professional come in to help with an installation, provide documentation and knowledge transfer, and ensure that the client is happy. I'm pretty sure that Mr. Ghosh is not breaking any laws (or even trying to hide his agenda of making money for his employer) by charging a fee to help install widely available software, and I doubt that he is offering to put in NSM.

The bottom line is that Richard is right, this is stuff that a caveman can and should be doing but many businesses (in the face of due diligence/due care) are not.

LonerVamp said...

I think Snort has a higher maintenance and people cost than a less-refined but costly IDS/IPS appliance, at least on the surface.

Often companies pay money up front for the IDS/IPS appliance, pay some money to have someone tune it, then never look at it again. Up front, that's a lot of cost, but ongoing, they don't factor much at all for maint or keeping a watch on it.

With Snort, you can get the license free and run it on some old hardware and not pay a consultant to tune it up the first time. That looks an awful lot like zero cost! But you need people in the organization (or just one) to not just use Snort and know Snort, but also maintain the nix box it sits on.

Hell, just having a Linux box maintained properly in many orgs is a lot to ask, as most are Windows shops employing Windows admins using Windows tools.

Do I think Snort offers more value overall? Hell yes I do. Does that mean it is an easy sell to a bunch of Windows admins who may be scared or resistant to anything nix? Nope...

oleDB said...

IMO Snort is considerably cheaper than a closed-source appliance solution for about 95% of companies. It's not until you start talking about huge installations of over 50+ sensors at disparate locations like you might have in a Fortune 100 company that Snort doesn't scale as well and as cheaply. It requires much more expertise at that level, whereas a closed-source IDS or commercial Snort package is much easier and comes with better support/manageability. Snort can in fact be deployed with zero capital cost, on unused, older hardware and on a span port. For a company with no NIDS in place and no budget, it's the best first step you can take. Some of the idiotic behavior mentioned by the other posters is moot, because they will still be idiots whether or not they are running Snort or something else. If you're not going to tune or monitor your IDS, it doesn't matter what you're running. If you're a Windows guy and you can't figure out how to set up a Snort box, you need to consider a career change.

CG said...

OK, I'm confused, since when does running Snort = a secure server or network?

"Most of the 21 percent of companies who passed the penetration tests owed their success to freeware Intrusion Detection Systems (IDSs), according to Ghosh."

You sure it wasn't:

"Organizations that couldn't be penetrated typically had Web servers that were on hardened operating systems and many had done code reviews on Web pages and installed apps."

Isn't Snort still an IDS and not an IPS? How did running Snort cause them to pass a pen test?

Richard Bejtlich said...

I think we are missing some details in this article. I'm guessing that one of the parameters of the test was time to detection and response. Those who didn't pass failed to detect and respond. Those who were using Snort appeared to have detected and responded to the activity.

Snort can be operated as an IPS if put inline or if run offline in conjunction with an app like SnortSam or even alone with flexible response.
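The three modes Richard names, passive alerting, flexible response and inline dropping, expressed as one detection written three ways. This is an added illustration, not code from the post or from the Snort distribution; the content match, the LOCAL message prefix and the sids in the local range are constructed placeholders, and the rule syntax and the policy_mode directive are as documented for Snort 2.x.

```snort
# Added example (not from the post or from Snort's own rule set). One piece
# of detection logic in each of the three modes named above. The content
# string and sid:1000001-1000003 are constructed placeholders.

# 1. Classic IDS: a passive sensor on a tap or SPAN port only raises an
#    alert; somebody still has to see it and respond.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL directory traversal attempt"; flow:to_server,established; \
    content:"../../"; sid:1000001; rev:1; )

# 2. Flexible response: still a passive sensor, but on a match it answers
#    the offending session with TCP resets to both ends (resp keyword;
#    Snort must be built with flexible response support).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL directory traversal attempt (reset)"; flow:to_server,established; \
    content:"../../"; resp:rst_all; sid:1000002; rev:1; )

# 3. Inline IPS: Snort bridges two interfaces and the 'drop' action
#    discards the packet before it reaches the server. The sensor must be
#    started inline, e.g. in snort.conf:  config policy_mode:inline
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS ( \
    msg:"LOCAL directory traversal attempt (dropped)"; flow:to_server,established; \
    content:"../../"; sid:1000003; rev:1; )
```

Only the third form prevents the request from arriving; the first two are detection with and without an automated reaction, which is why a passing grade in the UTS test depended on someone responding to the alerts.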

CG said...

thanks Richard. I agree we are missing some details.

"More than half of those that passed the penetration test had freeware Intrusion Detection Systems (IDS), notably Snort; we only had two responses from security teams even though sites were down for more than an hour," Ghosh said.

Quotes like that, I think, prove your point.

Thanks for the IPS & Snort stuff.

Anonymous said...

In response to something LonerVamp said:
"Hell, just having a Linux box maintained properly in many orgs is a lot to ask, as most are Windows shops employing Windows admins using Windows tools."

This statement is rather meaningless, considering that properly maintaining a Windows box is just as difficult (or just as easy) as a Linux machine. Most "pure" Windows shops out there don't even maintain them correctly, but because the interface gives the illusion of "ease of administration" the perception is flawed.

Windows often gets slammed as having very weak security, whereas it actually can be just as secure as a Linux box (and a Linux box can be just as insecure as a Windows one) if the admin is not competent or willing to admin and/or secure it properly.