Saturday, May 25, 2013

Holes you could drive a truck through

How many truly great Linux gurus do you know? You know the guys I mean. They build their build starting from the bottom of the kernel up, rather than stripping extra services out. They'd never touch a commercial version of Linux unless forced by enterprise mandates. I'll help...  I know a lot of really great Linux guys, but only two I'd trust to build a security device. One lives on a farm, hates cellular telephones, and (I bet a dollar) he's got tinfoil lining in every of his hats. He introduced me to the second. Another really smart, really nice guy --the kind you don't often let out of the closet. You slide pizza under the door until the box is built, then you escort him to the networking closet or data center where the box will be installed and don't ever let him come in contact with uninitiated coworkers. They just wouldn't understand.

So I'll ask the question in a different way --How many of our Linux based security devices are built by these truly genius engineers? I'm thinking very few.

Why would I raise such a topic? I commented in a white paper about ensuring your security devices have good security. Last week I ate my own dog food. It taste like sh*t! Red Sky is a small business. We have a large membership, but we're a small business.  We have a physical location, but are largely virtual. We rely on others for the security of our systems --cloud providers of applications, hosting companies, managed security service providers, colo-facilities, etc. I'd be shocked however if others in our 'small business' class of companies have the wherewithal to ensure that their vendors, supply chains, and IT providers have the ability to adequately protect their data. Not to mention attempting to do it themselves. I was especially shocked when I saw this in Forbes this morning:

"According to a recent study cited by the U.S. House Small Business Subcommittee on Health and Technology, nearly 20% of all cyber attacks hit small businesses with 250 or fewer employees. Roughly 60% of small businesses close within six months of a cyber attack." (Source: Forbes)

This is an amazing statistic. It's something we've been talking a lot about it our local Manchester, NH area. Having just opened our lab in April, we've been doing our networking. For the last several years, I've been working in and with large enterprise, global in scope corporations --both as an employee, and as a government Infosec worker. This, mostly based from the Baltimore-DC area, but now, participating in the local New England ISC2 meetings and talking with the owners of local businesses instead of the CISOs of large companies, I've come to the realization that our government (at least DoD) really has no idea just how bad it is for small and medium sized companies. I had a conversation with a global CISO who told me that nearly 60% of their critical suppliers were companies with less than 25 employees!

To the point... we're a small business. As a small business, we purchased a couple of security devices from two different vendors. One device is designed for large enterprise, one designed for use in small --the first device, an analysis machine built for large enterprise, allowed access via cURL (the new generation of wget for old unix guys like me) through a restful API without any credentials when every other access method requires them. Bad form. We're told it was by design.... bad design. We love the functionality of the machine. Heck, I'd bet it saved us from installing a half rack of other gear in our back end! The machine won't be going back online any time soon.. at least not without some serious enclaving.

To that, we purchased the second device-- a VERY popular, unified threat management (UTM) system made for small and medium sized businesses. During setup, we found it only processes two factor authentication by passing credentials unencrypted! We wanted to use the device as a proxy between other devices and the analysis machine mentioned above. This UTM is one you see at EVERY major security conference. They always have a flashy booth; lots of color; well dressed sales guys and engineers that'd make you believe they have the best machines on earth. I bought three of them to test. They look cool. Can you imagine my surprise when we tried to enclave the first box with the second, only to find this really popular machine will only pass unencrypted credential via PAP? Wow! This sexy, crazy popular device, meant for the masses, doesn't support anything newer? Really? 

Two devices, both Linux based, both insecure. 


In both cases we've informed, and are working with the vendors. We've protected the first box, and the second, well, we love the functionality and will continue to work with the company to ensure an upgrade is delivered soon.

So how does the SMB company protect itself when the devices they buy are likely inexpensive, Linux based, and are built for ease of deployment?

Red Sky does this in a couple of ways --we like having MSSPs in the Alliance. They provide security to large numbers of small and medium sized (SMB) companies that we probably will never have as alliance members. We also welcome vendors into the Alliance as associate members. Need to know what your customers are facing? Ask them in the portal.

In the mean time, test your security devices. Every one should be pen tested. If you can get through, so can others.

BT BT

It's been a good week. Two new pieces of analysis were posted to the portal.  Three new members are currently in front of the Advisory Board this week representing three different industries. We introduced a two new members into the portal, and have our first meeting next week with a global food company. Wow!

Until next week, have a great Memorial Day weekend!
Jeff