Friday 7 March 2008

More silver bullets?

With Infosec Europe approaching fast (22-24 April) my thoughts turned to the inevitable release of even more products, products, products. Everyone in IT loves gadgets, but is this really the future of information security? As penetration testers we spend a large proportion of our time trying to break into networks, with continued success unfortunately. However, when we analyse the reasons that networks remain vulnerable, we find that it's not about Zero Day exploits but rather mistakes that could have been avoided.

The same techniques I used to break into a Windows network in 1996 still work today, for example. Why? Because, despite manufacturers such as Microsoft and Oracle spending huge efforts to improve the security of their products, organisations still use stupid passwords, fail to understand security best practice and don't think outside of the box.

Just this week we again found Windows domain administrator accounts with pathetically weak passwords and business-critical infrastructure with default SNMP read/write community strings. It took just minutes to gain complete control of a global company's network with no prior knowledge at all. Every time we are asked to conduct a social engineering exercise - walking in the back door with the smokers, strolling past reception carrying a sandwich at lunchtime, or phoning the help desk and getting remote access - we find the same thing. No security awareness amongst staff at all.

So imagine my delight when five major clients all approached me to assist with staff awareness training this year. It seems that large organisations are finally getting to grips with the "human firewall" concept and realising that they need to invest in people, not just technology. Let's hope this trend continues!