The Human Firewall
External and Internal Testing for Vulnerability Assessment
The Logic against Attacks
Introduction
In this paper I document brief research I conducted on the different internal and external testing approaches the security industry employs to assess information-system vulnerabilities. I surveyed a range of tools and selected mainly vulnerability scanners, using criteria based on how frequently they are used, reviewed and recommended by security organizations and experts. The material was prepared to be discussed thoroughly at the last meeting of the security team at The Plow of the Sea, Inc. (Course, 2008)
The Human Firewall
What exactly is vulnerability? Has there ever been, or could there ever be, a system, a person or anything else with the might to be invulnerable? I always think of Goliath, the giant Philistine who is now infamous because the comparatively small David cut off his head, when in his own time, and up to the moment he died, he was thought to be invincible. Later, from the 8th or 7th century BC, in one of the first works of Western literature, the “Iliad” attributed to Homer, we learned, blow by blow, of the great duels and battles between the Greeks and the Trojans. Much attention has been devoted to the fights and, more importantly, to the stratagem known as the “Trojan Horse” (told in full not in the Iliad itself but in the Odyssey and in Virgil’s Aeneid), a real exploit of human confidence and vanity; it is used today in much the same manner as it was almost three thousand years ago. It seems that, for the most part, crackers know their history, but the Iliad offers many other examples. Priam, the king of Troy, we are told, found his way to meet Achilles himself inside his heavily fortified, firewalled camp, just to claim the body of his son Hector. Achilles, a demigod and the most beautiful and best warrior described by Homer, was in the end killed by a coward, Paris. Achilles was immortal except for one spot, hence the great lesson handed down by the ancients, the “Achilles’ heel”: it seems they meant that nothing is invulnerable. The reader may be nodding and thinking that both the Iliad and Goliath are just legends, popular stories, and that nothing can be learned or applied from them, pragmatically speaking. Well, the basic tenet is vulnerability, i.e. the weakness whereby a system can be exploited and put at risk of loss, harm or malfunction. Let me present a more recent example, George Koval.
Koval was posthumously honored as a Hero of the Russian Federation by President Putin just this last November (2007) for his contribution to the Soviet atomic program, as reported by the International Herald Tribune and the New York Times. Koval spied for the Soviets on nothing less than the Manhattan Project: the most top-secret project ever undertaken in the US was cracked by one guy who, as his colleagues tell us, played basketball very well and who somehow managed to get access to everything. As an insider, Hero “George” eluded the many millions of dollars invested in securing the project. He monitored radiation levels at the Oak Ridge, Tennessee, facilities where enriched uranium was converted into bomb fuel, and at the Dayton, Ohio, factories he patiently observed and documented how polonium was refined for the so-called “Fat Man”, the plutonium bomb dropped on Nagasaki. Now, if we stop to think about it a little, we should be somewhat concerned that Gregg Herken, Professor of History at the University of California, Merced, and author of “Brotherhood of the Bomb: The Tangled Lives and Loyalties of Robert Oppenheimer, Ernest Lawrence, and Edward Teller” (Teller being the father of the H-bomb), was equally surprised by Koval’s relationship with the Soviets. In fact Koval died in Russia, having returned to the same technology institute where he had been a student. Although the Federal Bureau of Investigation (FBI) conducted some documented investigations of him at Oak Ridge in the 1950s, when he was already back in the USSR, nothing was publicly known until the day Putin anointed him a national hero (Broad, 2007).
I have presented this digression as a preamble to our most vulnerable link or component, the human, and within the human component, the insider, the most dangerous being the seemingly very nice person sitting in the next cubicle or office. Social engineering techniques exploit the universal needs of our psyche: the need to talk, the need to be understood and the need to be respected. Just look at the methodology used by the well-mannered WWII German master interrogator Hanns-Joachim Gottlob Scharff, and by Koval, to understand that the weakest link could be our best friend or the least likely person: the boss, the employee or the colleague. Who else would know how to exploit our deepest vulnerabilities? (Broad, 2007) Kotadia (2005) reported that Kevin Mitnick and his business partner Alex Kasperavicius (a name that seems a little suspicious to me) of Mitnick Security Consulting are able, as a demonstration, to access many of their clients’ systems using different social engineering methods, from extracting passwords from naive employees to simply dumpster diving. Mitnick indicates that any information system is only as secure as its weakest point, and for the most part those points are the employees who are not trained well enough. Most people focus on the technology or the process, Mitnick explained, but a system is managed, maintained, configured and used by human beings. The priority is to train employees on the importance of observing the security policy closely and of participating in all of the company’s security education and training activities (p. 1); Mitnick and Kasperavicius seem to be saying that the best firewall is the human firewall (Kotadia, 2005).
Now, I do not know whether Mitnick coined the term “human firewall”, but what has become certain is that many organizations advocate for it, such as PentaSafe Security Technologies, Inc., which has made it its business to help organizations build human firewalls and security policies across the enterprise. However, not everything is about highly intelligent crackers, spies and competitors stealing trade secrets or intellectual property, or inflicting financial, information or physical property theft, sabotage or extortion; much of the havoc, to their credit, is caused by script kiddies and lamers, individuals with nothing better to do than cause pain to others. Panko (2004) reports that sites such as CNN.com, eBay, Yahoo.com, Amazon.com, Dell.com and eTrade were attacked by a 15-year-old script kiddie (pp. 18-20). Panko (idem) reminds us: “Never underestimate the power of stupid people in large numbers.” (p. 16)
Bibliography
Broad, W. J. (2007, November 12). A spy’s path: Iowa to A-bomb to Kremlin honor. The New York Times. Retrieved January 19, 2008, from http://www.nytimes.com/2007/11/12/us/12koval.html?_r=1&oref=slogin
Ciampa, M. (2005). Security+ Guide to Network Security Fundamentals (2nd ed.).
Katterjohn, K. (2002, March 8). Port scanning techniques. Retrieved January 23, 2008, from http://www.milw0rm.com/papers/141
Kotadia, M. (2005, April 14). Mitnick: ‘Human firewall’ a crucial defense. ZDNet News (News.com). Retrieved January 21, 2008, from http://news.zdnet.com/2100-9589_22-5671188.html
Ollmann, G. (2007). Tools. Technical Info: Making Sense of Security. Retrieved January 22, 2008, from http://www.technicalinfo.net/tools/index.html
Panko, R. R. (2004). Corporate Computer and Network Security.
Pfleeger, C. P., & Pfleeger, S. L. (2003). Security in Computing (3rd ed.).
The Fourth Amendment and Carnivore. (2000, July 28). Statement of the Electronic Frontier Foundation before the Subcommittee on the Constitution of the Committee on the Judiciary, United States House of Representatives. Retrieved January 24, 2008, from http://w2.eff.org/Privacy/Surveillance/Carnivore/20000728_eff_house_carnivore.html
SANS Institute. (2007, November 28). SANS Top-20 2007 Security Risks: Annual update. Retrieved January 20, 2008, from http://www.sans.org/top20/
PentaSafe Security Technologies, Inc. (2001). Using people assets to protect information assets: Understanding the “human factor” of information security. A blueprint for building a “human firewall” in your organization. Norwell, MA. Retrieved January 24, 2008, from http://www.infopackaging.com/Brochures/humanfirewall.pdf
Azari, R. (2003). Current Security Management & Ethical Issues of Information Technology.
Basta, A., & Halton, W. (2007, August). Computer Security and Penetration Testing.
Bellovin, S. M. (1989). Security problems in the TCP/IP protocol suite. ACM SIGCOMM Computer Communication Review, 19(2), 32-48.
Birkholz, E. P. (2003). Special Ops: Host and Network Security for Microsoft, UNIX, and Oracle.
Cisco Systems, Inc. (2006, July 29). Cisco IOS Security Configuration Guide, Release 12.4. Corporate Headquarters.
Coakes, E. (Ed.). (2003). Knowledge Management: Current Issues and Challenges.
Current Malware Threats and Mitigation Strategies. (2005, May 16). Informational whitepaper. Multi-State Information Sharing and
Fitzgerald, M. (2001). Building B2B Applications with XML: A Resource Guide. New York, NY: John Wiley & Sons. Retrieved January 21, 2008, from http://wf2dnvr3.webfeat.org:80/nDEHJ1195/url=http://site.ebrary.com/lib/cecybrary/Doc?id=10001744&ppg=32
Göran, P., Kaj, J. G., & Peik, Å. (2003). Network security software. In Current Security Management & Ethical Issues of Information Technology.
Hassing, K.
Jackson, J. (2007, March 3). Assessing firmware vulnerability. Tech Blog, Government Computer News (GCN). Retrieved January 21, 2008, from http://www.gcn.com/blogs/tech/43212.html
Khosrow-Pour, M. (Ed.). (2004). Annals of Cases in Information Technology, Volume 6.
Maiwald, E. (2002). Security Planning and Disaster Recovery.
Nelson, B., Phillips, F. E., & Steuart, C. (2004). Guide to Computer Forensics and Investigations.
Panko, R. R. (2005). Business Data Networks and Telecommunications (5th ed.).
Ratnasingam, P. (2003). Inter-Organizational Trust for Business to Business E-Commerce.
Reuvid, J. (2006). The Secure Online Business Handbook: A Practical Guide to Risk Management and Business Continuity (4th ed.).
Russell, T. (2000). Telecommunications Pocket Reference.
Schneier, B. (2007, January 18). Information security and externalities. Schneier on Security. Retrieved January 21, 2008, from http://www.schneier.com/blog/archives/2007/01/information_sec_1.html
Tomasi, W. (2005). Introduction to Data Communications and Networking.