
If you work in an enterprise defense role, chances are your day is made up of coffee, email, meetings, crises, coffee, interruptions, coffee, and meetings (and, most likely, alcohol). The meetings seem useless and the interruptions unceasing. Your stress piles up while your family time dwindles, and you find yourself wondering at the end of the day (or during it) if your job is having any impact in terms of your organization’s information security.

If I just laid bare your infosec soul, it’s because I sat in that same chair for eight years – never really knowing if I was actually contributing to the security of our customers’ data and constantly wondering when we were going to end up in the news. Even worse than the uncertainty and stress is the toll it takes on your passion.

Information Security is an industry where innovation is driven by passionate enthusiasm. If you don’t have it, you are destined to be a cranker of widgets, a perpetual unlocker of user accounts, a commander of access control spreadsheets (unless, of course, you are passionate about these things, in which case, crank on :-).

Then something mysterious and wonderful happened: we had an internal penetration test. Privileges were escalated, pwnage was had, security people were depressed. Even though I was one of those depressed, I experienced something that I had forgotten about long ago—curiosity. I was intensely curious as to the methods and techniques used to compromise our systems, as well as why our controls failed.

A friend suggested I go for my OSCP (Offensive Security Certified Professional), which I did. Through many tears and sleepless nights, I finally passed, and a new perspective was born.

Having taken the red pill, I followed my newfound passion into a career of full-time penetration testing and research, and the result has been nothing short of enlightening. I now get to battle and sidestep the controls I worked so hard to implement, and this has given me a new respect for certain security solutions while simply confirming the uselessness of others. Take, for example, DLP.

Organizations spend millions in time and money implementing a DLP solution, which is most likely so hopelessly neutered in order to get it into production that it will never stop an intruder from exfiltrating your data (it’s certainly never stopped me, and I’m just a pentesting n00b).

What about anti-virus? Yes, it’s necessary to stop drive-by downloads and known malware, but AV bypass is as simple as a checkbox in Metasploit Pro, or running your payload through Shellter (free).

One of the most dangerous and understated attack avenues is Social Engineering. Most enterprises “treat” this problem with annual seminars (useless) or computer-based training (more useless); next-gen email gateways are implemented, which attackers can easily bypass. All the while, the user is left completely vulnerable to both the malicious payload in their email box and the friendly voice on the other end of the phone.

One of my customers had me on site for a pentest of their corporate network. My time was extremely limited, so I cranked Nessus up to 11 and fired off a bunch of port scans. The phone in my cubicle immediately rang, so I picked it up, amazed because no one other than my contact knew I was there. The conversation literally went like this:

Him: “Hello, this is John from networking. Are you running a port scan?”
Me: “Yeah.” (I’m not gonna lie at this point. He knows what I’m doing.)
Him: “Why?”
Me: “Just some routine maintenance.”
Him: “Oh! You mean this is all routine?”
Me: “Yup.”
Him: (relieved) “Great! Does that mean I can ignore all these alerts I’m getting?”
Me: (dumbfounded) “…. ….. Yes.”
Him: “Great! Thanks!”

This organization had controls sophisticated enough that they matched up the offending network port to a phone extension within minutes and called me to find out what was going on, but through some extremely simple social engineering, I relieved their concern and they hung up happy. I went on to effectively pillage their network and steal their data.
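The detection side of that story is worth seeing in code, because the controls did their job: a scan was spotted, the source was tied to a switch port and a desk, and a human was on the phone within minutes. The failure was the step after that. The example below is added here and is not from the original post or the customer’s tooling; it reconstructs the same pipeline over constructed flow records: flag a source touching many distinct targets in a short window, join it to a (constructed) asset table to get the switch port and extension, and then check a register of ticketed engagements. That last lookup is the assumption-laden part: the hostnames, IPs, ticket IDs and the idea that a sanctioned test would be registered in advance are all invented for illustration, and the point is that an alert should be closed against that register, not against whoever answers the phone.

```python
"""Added example (not from the original article): port-scan detection,
asset correlation, and an authorization check. All IPs, names, tickets
and timestamps are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"


def parse_ts(s):
    return datetime.strptime(s, FMT)


def make_flows():
    """Constructed flow records: (timestamp, src_ip, dst_ip, dst_port)."""
    flows = []
    t0 = parse_ts("2015-06-02T09:14:00")
    # A scanner in the visitor cubicle sweeps 40 ports on one host in ~20 s.
    for i, port in enumerate(range(1, 41)):
        ts = (t0 + timedelta(seconds=i // 2)).strftime(FMT)
        flows.append((ts, "10.20.30.44", "10.20.1.5", port))
    # A normal workstation talks to a handful of services over the same period.
    benign = [("10.20.1.10", 445), ("10.20.1.11", 389), ("10.20.1.12", 443), ("10.20.1.10", 445)]
    for i, (dst, port) in enumerate(benign):
        ts = (t0 + timedelta(seconds=5 * i)).strftime(FMT)
        flows.append((ts, "10.20.30.12", dst, port))
    return flows


# Constructed asset inventory: who sits behind which IP right now.
ASSETS = {
    "10.20.30.44": {"switch_port": "sw-floor3:Gi1/0/17", "desk": "3C-12 (visitor cubicle)", "extension": "x4417"},
    "10.20.30.12": {"switch_port": "sw-floor3:Gi1/0/03", "desk": "3A-04", "extension": "x4103"},
}

# Constructed register of ticketed engagements. Empty: nobody filed the pentest.
REGISTER = []


def detect_scans(flows, window=timedelta(seconds=60), threshold=20):
    """Flag any source that hits >= threshold distinct (dst_ip, dst_port) pairs inside `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((parse_ts(ts), dst, port))
    alerts = []
    for src, events in by_src.items():
        events.sort()
        start, best, first = 0, 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {(d, p) for _, d, p in events[start:end + 1]}
            if len(targets) > best:
                best, first = len(targets), events[start][0]
        if best >= threshold:
            alerts.append({"src_ip": src, "first_seen": first, "distinct_targets": best})
    return alerts


def correlate(alert, assets):
    """Join the alert to switch port, desk and extension (what the networking team did within minutes)."""
    asset = assets.get(alert["src_ip"], {})
    return {**alert, **{k: asset.get(k, "unknown") for k in ("switch_port", "desk", "extension")}}


def find_ticket(alert, register):
    """The check a phone call cannot replace: a ticketed engagement covering this source at this time."""
    for entry in register:
        if entry["src_ip"] == alert["src_ip"] and parse_ts(entry["start"]) <= alert["first_seen"] <= parse_ts(entry["end"]):
            return entry["ticket"]
    return None


def triage(flows, assets, register):
    results = []
    for alert in detect_scans(flows):
        alert = correlate(alert, assets)
        alert["ticket"] = find_ticket(alert, register)
        if alert["ticket"]:
            alert["disposition"] = "authorized test (ticket %s)" % alert["ticket"]
        else:
            alert["disposition"] = "ESCALATE: no ticket covers this source; confirm with the engagement contact, not the caller"
        results.append(alert)
    return results


if __name__ == "__main__":
    for a in triage(make_flows(), ASSETS, REGISTER):
        print("%(src_ip)s on %(switch_port)s (%(desk)s, %(extension)s): %(distinct_targets)d targets -> %(disposition)s" % a)
```

With the register empty, the scanner at the visitor desk is escalated even though it is correctly attributed to a cubicle and an extension; drop in a register entry covering that IP and time window and the same alert closes as an authorized test. Either way, the decision rests on a record, not on the scanner’s own explanation.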

I say all this not to leave you hopeless, but with real advice from someone who has sat in your chair and knows the struggle.

To summarize:

  1. Corporate InfoSec programs generally focus on the wrong things for two reasons:
    1. Corporate InfoSec serves the business. They must adhere to whatever the business wants and sometimes that involves making critical compromises that leave them vulnerable.
    2. Those in charge are removed from current attack methods. Industry FUD clouds their judgement which compromises their decisions or creates knee-jerk reactions.
  2. Have your security staff and managers take technical, offensive training. It may sound radical to have a manager with technical know-how, but if you don’t get sponsorship at a high level, you will not be able to successfully implement the controls necessary to stop an attacker. You won’t get sponsorship until they understand. They won’t understand until they truly know what an attacker can do and how it’s done.
  3. If you are a manager/director, you *must* trust your people or you will be a lousy leader and most likely end up in the news. If your staff says they do or don’t need a specific control, listen to them and make it happen.
  4. If you don’t couple your security awareness training program with continuous offensive testing (e.g. penetration testing, phishing campaigns, etc.), you are doing it wrong. Set up quarterly phishing campaigns and your user awareness will truly skyrocket!
  5. You must give your users a way to say “no” to a request. We spend countless hours giving our users soft skills training to help the person on the other end of the line, but we never give them one single, corporate sanctioned way to say “no”. If we don’t give our users a safe way to question or deny a request coming to them (either email or phone based), they will give up sensitive information to an attacker.

If this has aroused your curiosity and you want to hear more, I’ll be giving a talk entitled “From Blue To Red: What Matters and What (Really) Doesn’t” at BSides Detroit on Saturday, July 18. You’ll get more hilarious stories, as well as a deeper dive into controls that really do stop (or at least slow down) a determined attacker.

About the Author: Jason Lang (@curi0usJack) has been working in Information Security for over 10 years in both offensive and defensive roles, currently as a Sr. Information Assurance Consultant with SynerComm. He loves woodworking, fly fishing, and helping others in their Information Security journey.

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.