When it comes to testing operating systems and applications for security vulnerabilities, I'm always touting tools that I can't live without. In my work, port scanners, network analyzers, password crackers and vulnerability assessment tools are a godsend. They save countless hours of legwork and perform automated tests that no one in their right mind would (or could) do manually. However, there's a dark side to automated security testing that doesn't get much coverage -– but it can make or break your network's defense.
One problem with automated security testing involves security vulnerabilities associated with files that only a trained eye can detect. Where the files are stored, which permissions are associated with them and whether or not they're encrypted can all hinder the effectiveness of security tools. I'm starting to see vulnerabilities go undetected in so-called "secure" systems residing inside the firewall, and unfortunately these things are hard to enforce using operating system policies alone.
For example, while logged into Windows as a standard user, I'm often able to browse local drives and network shares, and stumble across corporate files containing financial data, engineering designs, source code and other sensitive information. Even when the network administrator has locked down the file system and assigned appropriate permissions, users undoubtedly create their own directories, store files in places they shouldn't, and generally perform whatever short-term fix it takes for them to get their jobs done.
Users can't always be the ones to blame for this problem, since Windows and many applications save temp files containing sensitive information to various directories on local drives. These locations such as c:temp and c:windowstemp are often unsecured and forgotten about during security assessments much less cleaned out as part of ongoing network administration.
I also see situations where it's assumed encrypting file system (EFS) is being used to encrypt local directories containing sensitive information such as c:Documents and Settings. On the contrary, EFS may be "reassigned" to another directory deemed more important in order to protect the user's own personal information (pictures, MP3s, illegal movies, etc.) or has been disabled altogether! Just think of the consequences if a laptop with mismanaged EFS is lost or stolen. One quick reset of the administrator password is all it takes.
I'm sure these careless user episodes are mostly unintentional, but that doesn't ease the pain when something goes awry, such as an unauthorized employee, or perhaps worse, a contractor or other visitor gets his hands on information he doesn't need to see.
I think there are several things contributing to this problem. For starters, there's information overload. Network administrators just can't keep up with who has put what on the network and where. Building on this, there's also a general lack of data classification in most organizations. The data is scattered about with little or no attention being given to the different levels of sensitivity and appropriate countermeasures. Policies are often missing or not enforced as well. Finally, getting back to my original point, there are too many network administrators relying on automated security testing tools to paint the whole security picture. Although important, these tools are not the whole enchilada.
The moral of the story is know your network, know what looks right and what doesn't, and never count on automated security testing tools to detect all of your security vulnerabilities.
The file vulnerabilities I've talked about here are just the tip of the iceberg. As you hone your information security skills, think of yourself as a surgeon or crime scene investigator. It'll take some time but look at security vulnerabilities from a fresh perspective. Do as much manual browsing, poking, and prodding as you do automated testing. No matter what the vendors say, there's simply no replacement for a sharp, experienced eye, and only you (or a living, breathing security consultant) can find these types of weaknesses -- end of story.
About the author
Kevin Beaver is founder and principal consultant of Atlanta-based Principle Logic LLC, as well as a resident expert on SearchWindowsSecurity.com. He specializes in information security assessments and incident response and is the author of the new book "Hacking for dummies" by John Wiley and Sons. Kevin can be reached at firstname.lastname@example.org or ask him a question on Windows security threats today.
More Information from SearchWindowsSecurity.com
This was first published in December 2005