Ineffective penetration tests and security assessments often leave CISOs and IT security teams lacking a clear strategy to correct weaknesses, according to a software security expert who is advocating the need for red teaming exercises.
It's good to know where you'll be hacked, but it's also good to know where your systems will easily collapse like a house of cards.
Rafal Los, chief security evangelist, Hewlett-Packard Software
At the recent ISSA International Conference, Rafal Los, chief security evangelist at Hewlett-Packard Software Worldwide, detailed some ways organizations can get more from their red team exercises, an intensive form of security risk assessment.
In his presentation, House of Cards: How Not to Collapse When Bad Things Happen, Los said most organizations operate under a false sense of security based on less than realistic audits and penetration tests. They rarely conduct red teaming, or have themselves attacked under conditions that are close to a real assault, Los said. “They’ll do tabletop drills that don’t resemble anything close to reality,” said Los in an interview at the conference with SearchSecurity.com.
“Until they’ve actively tested their systems realistically, they have no idea how well prepared, or not-so-well prepared they are, for when something bad strikes. And they have no idea what systems will strain and break when under assault,” he said.
SearchSecurity.com took a few minutes with Los to dive a little deeper into these issues, and learn how organizations can best learn from their red team efforts.
SearchSecurity.com: What inspired you to develop the talk, House of Cards: How Not To Collapse When Bad Things Happen?
Rafal Los: The talk is about how to look at something such as red teaming, how the process is more than just security, and how organizations can get the most value from the exercise. For example, enterprise resiliency is a culmination of security, availability and integrity. I was inspired to do the talk because I believe that red teaming exercises can help organizations to become more resilient and prepared. It goes beyond how fast you can break into an organization. Because unless you've hired someone terrible, the red team is going to break in. In fact, red teams rarely ever fail. So it's not actually a question of whether they'll break in or not; it's what kind of value you'll get out of the red team process. That’s what I wanted to tell people.
SearchSecurity.com: What can organizations do to get more value from red team exercises?
Los: It may sound basic, but the team must take obsessively, compulsively good notes. To get more value out of the work the red team has completed, the organization needs to know more than just where the team successfully hacked. They also need to know where their brittle systems are: where the things are that will quickly devolve into an IT nightmare because of a hack. It’s when something goes down because a system it is dependent upon got hacked.
A straightforward example is database attacks. While a SQL injection attack is underway, a seemingly unrelated system goes to hell. And no one knows why they are connected, or what is actually happening. Well, through red teaming exercises you find out that certain systems are, in fact, connected, and that you’ve discovered a brittle system.
SearchSecurity.com: What are brittle systems, and what causes them?
Los: Brittle systems are the ones that are improperly interconnected. Brittle systems are those things that were cobbled together because a client demanded this new capability. Or somebody in the organization thought a new capability would be a great idea. And these systems aren’t properly vetted for their security. They’re often not properly provisioned. They’re just pushed out as quickly as possible. Once deployed, it’s a production system, and now nobody can touch it. Now that it’s in production, when it goes down the organization gets upset. You will find these kinds of systems fairly regularly during a red team exercise.
And that's actually, sometimes, more valuable than the security aspects of the red team exercise, because it's good to know where you'll be hacked, but it's also good to know where your systems will easily collapse like a house of cards.
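The notes Los describes, recording which systems fell over while another was under attack, are only useful if someone then works out the dependency chains they reveal. The following script is an added example (not code from Los, Hewlett-Packard, or SearchSecurity.com) of how a blue team might do that after an exercise: it takes a constructed inventory of observed dependencies and a constructed copy of what the architecture documentation claims, computes the "blast radius" of each system (everything that transitively depends on it, the way the unrelated application in the SQL injection example depended on the attacked database), and flags the undocumented links that mark a cobbled-together, brittle system. All system names and edges are illustrative assumptions.

```python
from collections import deque

# Constructed sample inventory, not a real environment.
# Edge A -> [B, ...] means "A depends on B": A breaks if B is compromised or down.
# This is what the red team's notes showed actually happening.
DEPENDENCIES = {
    "hr-portal": ["hr-db"],
    "payroll": ["hr-db", "finance-db"],
    "finance-app": ["finance-db"],
    "marketing-site": ["cms-db"],
    "reporting": ["hr-db", "finance-db", "cms-db"],
    "sso": [],
    "hr-db": ["sso"],
    "finance-db": ["sso"],
    "cms-db": [],
}

# Constructed sample of what the architecture documentation claims.
# Any edge in DEPENDENCIES that is missing here is an undocumented link,
# the kind of "cobbled together" connection Los calls brittle.
DOCUMENTED = {
    "hr-portal": ["hr-db"],
    "payroll": ["hr-db", "finance-db"],
    "finance-app": ["finance-db"],
    "marketing-site": ["cms-db"],
    "reporting": ["finance-db"],
    "hr-db": ["sso"],
    "finance-db": ["sso"],
}


def reverse_graph(deps):
    """Invert A -> B (A depends on B) into B -> [A, ...] (B is depended on by A)."""
    rev = {name: [] for name in deps}
    for system, targets in deps.items():
        for target in targets:
            rev.setdefault(target, []).append(system)
    return rev


def blast_radius(deps, compromised):
    """Return every system that transitively depends on `compromised`, via BFS."""
    rev = reverse_graph(deps)
    seen, queue = set(), deque([compromised])
    while queue:
        node = queue.popleft()
        for dependent in rev.get(node, []):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return sorted(seen)


def undocumented_links(deps, documented):
    """Dependency edges observed in reality but absent from the documentation."""
    return sorted(
        (system, target)
        for system, targets in deps.items()
        for target in targets
        if target not in documented.get(system, [])
    )


def brittle_systems(deps, documented, min_dependents=2):
    """Rank systems by how many others fall with them.

    Each entry is (system, number of transitive dependents, direct dependents
    whose link to this system is undocumented). Only direct undocumented links
    are reported; transitive ones show up under the intermediate system.
    """
    hidden_edges = set(undocumented_links(deps, documented))
    report = []
    for system in deps:
        dependents = blast_radius(deps, system)
        if len(dependents) >= min_dependents:
            hidden = sorted(d for d in dependents if (d, system) in hidden_edges)
            report.append((system, len(dependents), hidden))
    return sorted(report, key=lambda entry: -entry[1])


if __name__ == "__main__":
    for system, count, hidden in brittle_systems(DEPENDENCIES, DOCUMENTED):
        note = f" (undocumented dependents: {', '.join(hidden)})" if hidden else ""
        print(f"{system}: {count} systems fall if it does{note}")
```

Run on the sample data, the ranking puts the shared single sign-on service first (six systems fall with it), and it flags that the reporting application silently depends on both the HR and CMS databases even though the documentation only mentions the finance database. Those two undocumented edges are exactly the finding a postmortem should record: the next SQL injection against either database will take reporting down, and nobody would have known why.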
SearchSecurity.com: What does this tell organizations about their security posture?
Los: It tells us that we look at security completely wrong sometimes. Some view security as an on or off state: You are secure or you are not secure. There’s no in-between. But consider the analysis from a good postmortem: The first part is time to successfully breach. The second part is the amount and scope of the damage the team achieved. And the last part is the criticality of the assets that were affected. So what did the team get into? Did they get into the HR system? Did they get into the company's finances? Did they get into the marketing servers?
SearchSecurity.com: That doesn’t sound like a binary analysis, where one gets a pass/fail grade. It sounds like there is considerable qualitative analysis.
Los: Exactly. Security is not binary. Consider the time component of the postmortem. The analogy I make repeatedly is to the fireproof safes that many people have at home. These safes are not outright fireproof. There is a rating where one gets a guarantee that for a certain price the safe will protect your valuables against a specific temperature for a specific period of time. That's how security really is. You invest a certain amount to attain a certain level of defense and sustainability. But many don’t think of it that way.
About the author:
George V. Hulme writes about security and technology from his home in Minneapolis. You can also find him tweeting about those topics on Twitter @georgevhulme.