Sunday, March 9, 2008

A Red Team strikes!

Talk about an eye-opening experience! We invited a Red Team to do penetration testing on our network. A group of ubergeeks brought their laptops, tools, and toys and left with astonishing results! It's one thing to hear someone say that your server isn't up to date so "go patch it", but quite another to have someone steal a copy of your most valuable data in a short period of time, in a manner that's difficult to detect, and then have them reveal how they did it!

The takeaway is that, if you expect to protect your data, you had better implement, maintain, and enforce draconian policies on your network. Engineer the system from the ground up with security in mind. Implement IDS systems, baseline your network, track your user group memberships, and above all, train the heck out of all privileged users, then all users. They should be doing things like never logging in with their admin accounts, only using "run as" when necessary (the Linux "su" mentality), and logging off of or locking their workstation when leaving for a moment. Keep updated with patches on all systems: servers, clients, printers, appliances, routers, whatever. Minimize where you can actually perform administrative tasks from. Apply your same password policy to everything that uses a password. Then: monitor, monitor, monitor.

This is one of those "weakest link" deals. Powerful "server" applications like SQL databases (and many, many others) are great launching points; consider running them on "member servers" instead of domain controllers. Technically savvy malicious users don't need much of a launching point. This doesn't even take "social engineering" into account, and users tend to behave stupidly from a security perspective.
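One concrete way to do the "baseline, track group memberships, then monitor" part of this on a Windows domain is a script that snapshots the membership of the privileged AD groups, stores that as a baseline, and reports any drift on each later run. The script below is an added example written for this post, not something the Red Team or the original author provided; it assumes the ActiveDirectory PowerShell module is available, the built-in group names shown, and an arbitrary baseline path under C:\Audit.

```powershell
# Added example (not from the original post): baseline the membership of
# privileged AD groups and report drift on every subsequent run.
# Assumptions: ActiveDirectory module present, default built-in group names,
# and an assumed baseline file location under C:\Audit.
#Requires -Modules ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')
$BaselinePath = 'C:\Audit\privileged-groups-baseline.json'   # assumed path

function Get-PrivilegedMembership {
    # -Recursive resolves nested groups, so an account slipped into a group
    # that is itself a member of Domain Admins still shows up here.
    $snapshot = @{}
    foreach ($group in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction Stop |
                   Select-Object -ExpandProperty SamAccountName |
                   Sort-Object -Unique
        $snapshot[$group] = @($members)
    }
    return $snapshot
}

function Compare-Membership {
    param(
        [hashtable]$Baseline,
        [hashtable]$Current
    )
    # Returns one row per account added to or removed from a tracked group.
    $drift = @()
    foreach ($group in $Current.Keys) {
        $old = if ($Baseline.ContainsKey($group)) { @($Baseline[$group]) } else { @() }
        $new = @($Current[$group])
        foreach ($m in $new) {
            if ($old -notcontains $m) {
                $drift += [pscustomobject]@{ Group = $group; Member = $m; Change = 'Added' }
            }
        }
        foreach ($m in $old) {
            if ($new -notcontains $m) {
                $drift += [pscustomobject]@{ Group = $group; Member = $m; Change = 'Removed' }
            }
        }
    }
    return $drift
}

$current = Get-PrivilegedMembership

if (-not (Test-Path $BaselinePath)) {
    # First run: write the baseline, but have a human review it before
    # trusting it, or you baseline an attacker's account as "normal".
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath. Review it before trusting it."
    return
}

# ConvertFrom-Json yields an object with one property per group; rebuild the hashtable.
$baselineObj = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$baseline = @{}
foreach ($prop in $baselineObj.PSObject.Properties) { $baseline[$prop.Name] = @($prop.Value) }

$drift = Compare-Membership -Baseline $baseline -Current $current
if ($drift.Count -eq 0) {
    Write-Output 'No privileged-group drift since baseline.'
} else {
    # Every row here should map to an approved change; anything that does not
    # is exactly the kind of quiet foothold the Red Team used.
    $drift | Format-Table -AutoSize
}
```

Reading group membership does not require an admin account, so schedule this under a low-privilege service account from a hardened admin workstation rather than a domain controller, and send the output somewhere the people doing the "monitor, monitor, monitor" will actually see it.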

After seeing what these guys did, I'd have a hard time imagining a network that wouldn't be vulnerable to that kind of crew, unless it's physically isolated, physically protected, and assured that malicious users can't get physically near it or trick actual users into inadvertently assisting them: an unrealistic network utopia. That said, there's a lot that you can do for network security. Don't look for a "magic bullet"; attack the low-hanging fruit and take it from there.