Why Microsoft Shops Have to Worry About Security

Wednesday, January 26, 2011

Danny Lieberman

959779642e6e758563e80b5d83150a9f

I am putting together a semester-long, hands-on security training course for a local college.

The college asking me for the program showed me a proposal they got from a professional IT training company for a 120 hour information security course.

They are trying to figure how to decide, so they send me the competing proposal and lo and behold, 92 out of 120 hours is about certifying people for Checkpoint firewalls and Microsoft ISA server.

Here is what I told the college:

This course focuses on two Checkpoint courses CCSA and CCSE – which counts for 80 hours out of a total of 120.   Then they spend another 12 hours on Microsoft ISA server.

The course only spends 8 hours on Information security management and 8 hours on application security.  From a marketing perspective, the course brochure looks slick. But not more than that.

Because of courses like this – companies have so many data breaches. After the course, the students  will know  a few buzz words and how to click through the Checkpoint UI, but they won’t understand anything about hacking software.

If you want to understand data security you have to get down into the dirt and roll up your sleeves instead of learning how to click through the Checkpoint user interface.

Microsoft system administrators in particular, need to understand security and how to think about threat response and mitigation, because their thought processes have been seriously weakened by the Microsoft monoculture.

They need to think about network , data security and software security threats and how to tie it all together with a practical threat analysis and Information security management approach.

They can always train on Checkpoint afterwards...

This reminds me of what Paul Graham writes in his article Beating the averages

The first thing I would do… was look at their job listings… I could tell which companies to worry about and which not to. The more of an IT flavor the job descriptions had, the less dangerous the company was. The safest kind were the ones that wanted Oracle experience. You never had to worry about those.

You were also safe if they said they wanted C++ or Java developers. If they wanted Perl or Python programmers, that would be a bit frightening– that’s starting to sound like a company where the technical side, at least, is run by real hackers. If I had ever seen a job posting looking for Lisp hackers, I would have been really worried.

So – if you are a real hacker, look for companies with security administrators who are certified for Microsoft ISA server and you will have nothing to worry about. But if your target security administrators are facile with Wireshark, Ratproxy and Fiddler and Metasploit, then you should be really worried.

Cross-posted from Israeli Software

Possibly Related Articles:
13624
Operating Systems
Microsoft Operating Systems Metasploit Networks Administration WireShark
Post Rating I Like this!
3c66e7e9308d6d674f331fb1d4507c4d
Franc Schiphorst If you look at ISO27001 (and even that is not complete ;) you will not find checkpoint or ISA.

You won't even find the word firewall.

In ISO27002 it's only mentioned a couple of times. So spending 66% of the time on just firewalls is a waste of time. You can have a nice checkpoint UI clicked to perfection but if you leave the door to your serverroom open or leave unencrypted backup disks lying arround you will lose data.
Once people can get their hands on stuff you've lost (most of the time)
1296070222
959779642e6e758563e80b5d83150a9f
Danny Lieberman Franc

totally. right on man. The point is not to confuse information security products with information security.

Danny
1296071702
314f19f082e69886c20e31c70fe6dceb
Rod MacPherson Great post. And Franc, your comment is spot on. There is a LOT more to security than firewalls and proxy servers.
1296142780
7ff7b9daf5a7bb448a822d95d28153a5
JT Edwards Grad student in IA.. I am getting the 10,000 foot view but not the in the trenches view. I knew this going in, which means I am going to have to lean that on my own..

What tools beside Wireshark do you recommend and am I most likely to need on the job. Also any books, website or anything else you recommend for a practical perspective?
1296168132
C787d4daae33f0e155e00c614f07b0ee
Robb Reck If you're looking for security tools, and a good book, there's a great marriage of the two in "Security Power Tools" by O'Reilly. It goes into detail on many security tools, how they are useful, and how to use them. Worth checking out.
1296171604
959779642e6e758563e80b5d83150a9f
Danny Lieberman Joel,
In addition to Security power tools, I would also recommend "The art of software security assessment" - it's a big book but the best in its space, and you will benefit from it especially if you have a programming background.

1296203296
3c66e7e9308d6d674f331fb1d4507c4d
Franc Schiphorst Joel,

I guess it depends on the trenches you will hit, wireshark can be fun but with it you will be checking the power on the cables in the basement of your trench :)

One of the best tools are your feet. We do regular SBWA checks (Security By Walking Arround). One of the pitfalls is creating an ISMS (Information Security Management System) with beautifully written policies but if you don't check up it's a waste of time. Check if people actually do clean their desks or if gates are locked and fences have not been cut. You can wireshark 24/7 but if people walk out of the office with secret files you will not see it.
So is that afe locked (at all times)

What you should have a look at is stuff like metasploit (see the tools of the "bad guys") and one i use a lot zenmap a gui front for nmap.
But always start from what risk you want to manage. It's fun to buy great powertools but in the end you want to build a kitchen not become the curator of the cool tools museum ;)
1296203867
959779642e6e758563e80b5d83150a9f
Danny Lieberman Get out into the field and do - that's the best.I'm always gratified by how much really good data you get from people in the office or on the shop floor.

Getting started with Metasploit can be a bit steep. Look into Armitage, an application written by Raphael Mudge which provides a GUI to Metasploit - it recommends exploits and makes executing attacks a lot easier. Here - http://www.fastandeasyhacking.com/manual
1296205560
3c66e7e9308d6d674f331fb1d4507c4d
Franc Schiphorst Thanks Danny good tip! Installing now... :D
1296206553
959779642e6e758563e80b5d83150a9f
1296212087
3c66e7e9308d6d674f331fb1d4507c4d
Franc Schiphorst Well have played a bit with Armitage now and it makes it a bit easier but still not something for the easily scared :D
Nice feature that you can import nmap files.
1296544198
959779642e6e758563e80b5d83150a9f
Danny Lieberman Franc
Give me a break. Metasploit is not for the timid. Period.
1296544919
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.