How much do you trust your users?

In 2000, the Computer Security Institute and US FBI released an influential study [PDF] that showed 80% of attacks originate from inside an organization. This oft-cited and long-outdated report highlighted a real problem that had previously been ignored by many organizations. It gave security analysts the evidence they needed to convince IT managers that the "candy bar" security model - networks with a hard and crunchy exterior, but a soft & chewy interior - didn't work.

A few days ago, another study was released that could provide further impetus to improve information security policies across the board. This more relevant data is buried in a report by the US Secret Service and Carnegie Mellon's CERT which concluded that "insider revenge is often behind cyberattacks." The somewhat alarmist conclusions and sound bites highlighted in the report obscure some very interesting statistics, particularly that "57% of the attacks were carried out by systems administrators, while 33% were caused by privileged users."

This study was rather limited and still a little dated, involving 49 cases of insider attacks between 1996 and 2002. But its results still speak volumes: taking the two figures together, 90% of all attacks in the study were performed by users with higher-than-normal privileges. If this isn't enough to take the wind out of the sails of those who still believe a firewall is adequate protection, then those people are beyond the realm of rational thought.

The lessons here are twofold:
  1. The set of people who get administrative or elevated privileges should be kept to an absolute minimum, and
  2. Those who do have elevated privileges should be the most carefully watched.
All of us must extend a certain amount of trust to users; no organization's line of business can function otherwise. Even in our personal lives, we take such risks. I let friends use my computer, and have an unprivileged account set up specifically for this purpose. Sometimes I get lazy and let them do things like surf the web while my own user account is logged in. One time, I found that someone had gone through my personal email. No one is immune to this. Given that human fallibility is at the root of the problem, the only solution is what I mentioned above: restrict and monitor.
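To make the "monitor" half of that advice concrete, here is an added example (not part of the original post, and not taken from either report) that audits the audit lines sudo writes through syslog. It compares who actually exercised root against a short approved-admin list and flags the uses that deserve a second look. The log lines, the host name, the approved-admin set and the "sensitive command" patterns are all constructed assumptions for a hypothetical host, not a standard.

```python
"""Audit sudo activity from syslog-style auth.log lines.

Added example: compare who actually used root privileges against the
short list of people entitled to them, and flag the uses that deserve
review. The log lines, host, approved-admin list and sensitive-command
patterns below are constructed assumptions for a hypothetical host.
"""
import re
from collections import Counter

# Constructed sample lines in the format sudo writes via syslog.
SAMPLE_LOG = """\
May 21 14:02:11 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service httpd restart
May 21 14:05:03 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 21 14:06:40 web01 sudo:    carol : user NOT in sudoers ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/visudo
May 21 14:09:15 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
May 21 14:09:15 web01 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
May 21 14:11:02 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 backdoor
"""

# Assumption: the only account entitled to root on this host.
APPROVED_ADMINS = {"alice"}

# sudo's own audit line. A pam_unix session line does not match and is skipped.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : (?P<denied>user NOT in sudoers ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)

# Assumed patterns for commands that warrant review even from an approved
# admin; matched against the full COMMAND string.
SENSITIVE = [
    (re.compile(r"/etc/(shadow|sudoers)"), "touched credential/sudoers file"),
    (re.compile(r"\b(useradd|usermod|visudo|passwd)\b"), "changed accounts or sudo policy"),
    (re.compile(r"^(/bin|/usr/bin)/(ba|z|da)?sh(\s|$)"), "opened an interactive root shell"),
]


def parse_sudo_line(line):
    """Return a dict for a sudo audit line, or None for any other line."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["denied"] = rec["denied"] is not None
    return rec


def audit_sudo_log(lines, approved_admins=APPROVED_ADMINS):
    """Return a list of (user, reason, command) findings, in log order."""
    findings = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        user, cmd = rec["user"], rec["cmd"]
        if rec["denied"]:
            # Someone outside the admin set tried anyway: lesson 1 in action.
            findings.append((user, "denied privilege escalation attempt", cmd))
            continue
        if user not in approved_admins:
            # Root worked for an account that should never have had it.
            findings.append((user, "root used by unapproved account", cmd))
        for pattern, reason in SENSITIVE:
            if pattern.search(cmd):
                findings.append((user, reason, cmd))
    return findings


def findings_by_user(findings):
    """Count findings per user so the noisiest privileged account stands out."""
    return Counter(user for user, _, _ in findings)


if __name__ == "__main__":
    results = audit_sudo_log(SAMPLE_LOG.splitlines())
    for user, reason, cmd in results:
        print(f"{user:6} {reason:40} {cmd}")
    print(dict(findings_by_user(results)))
```

Run as-is it reports six findings: bob's read of /etc/shadow and his uid-0 account creation (twice each, once because he is not an approved admin and once because the command itself is sensitive), carol's denied visudo attempt, and alice's interactive root shell. Note that the approved admin still generates a finding; that is the point of lesson 2.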

Hopefully, some inquisitive minds with the necessary time and funding will be able to perform a similar, broader study on attacks by users with elevated privileges. A study with this specific focus would grab the attention of a broader audience, including IT decision makers, and further raise the bar on internal, layered security.


CISSP Practice Exams: Buyer beware

As I've said in earlier posts, in the interests of being unbiased, I try to avoid commenting on products, services, or companies directly unless it applies to a specific point. This article will be an exception.

Earlier today, I received a forwarded email from a coworker of mine who is studying for the CISSP. On Saturday, he spent around $100 on a practice exam produced by Boson, and his experience is worthy of note. Sean is an experienced, skilled, and knowledgeable IT professional whose opinions I respect greatly, and while I have never used the product he refers to, I have no reason to doubt the validity of his complaints. The entire contents of his email are as follows:
---------------------------- Original Message ----------------------------
Subject: CISSP practice exam a huge let-down
From: "Sean Wilkerson" <sean@xxxxx.com>
Date: Sat, May 21, 2005 4:06 pm
To: support@boson.com

Boson Support,
I am in the midst of studying for my CISSP exam, which I am due to take
in three weeks. In preparation for this exam, I have taken numerous
practice exams, including those offered directly by ISC2 (the
organization that makes and hosts the CISSP). I did some side-by-side
analysis of your exam features vs. cram-session's and decided to go with
yours. This morning, I purchased the three exam pack which you feature
for the CISSP, and then took exam one of the series. I was miserably let
down by the content, grammar, and structure of your exam, which I found
to be counterproductive and distracting. After about 20-30 questions
in, I realized that the problems with your exam were not limited to the
rare case of a bad question, but were throughout the entire question-set.
At this point, I started taking notes as to the major complaints I have
with your product, which I would like to share with you here.

- The UI continually messes up, by not showing entire question. To see
the entire question, you have to frequently adjust the size of the
application window. Even if the window is maximized, you still don't see
it all, without adjusting the window slightly, which results in the rest
of the text suddenly appearing. This is a glitch, flat out. I am using
Windows XP SP2, which should be supported. Being a security
professional, I also have my system entirely patched (with the latest MS
patches), firewalled, anti-virus protected, and have NO malware
installed on my system as detectable by any of the several tools I use.
- I find your questions to be vague and confusing. They are not clear or
specific (as the real CISSP questions are). I have done enough research
for the CISSP to know what types of questions to expect on the exam and
what you provide is not it. I found that your questions were not even
remotely similar to the sorts of questions I will see on the exam. The
fill-in-the-blank nonsense, the questions about vendor specifics (see
below), the failure to use the actual terms you were describing in the
question, were all symptoms of this problem. This issue is exacerbated
by the bad grammar, (see below).
- Incredibly poor grammar throughout the test in both the questions and
answers, though mostly the questions. Lots of simple mechanics
mistakes. Extremely poor editing. This is INCREDIBLY distracting. I
found myself mentally correcting the exam's grammar, rather than
concentrating on the content. This is not a failure of me, the test
taker, but of the test content provider and editing staff.
- The CISSP uses the same format for every question. Specifically, there
is a question, with four multiple choice answers, to which the test-taker
should choose the one (read 1) choice which best answers the question.
Your test had questions with anywhere from four to six possible answers.
Furthermore, many of the questions required more than one answer. If the
intention is to prepare a customer for the CISSP, then this is
- There are too many questions on proprietary software and OS
platforms. The CISSP is software and OS agnostic, so a well-written
practice exam should be as well. Being intimately familiar with MS
Windows, for example, is not a requirement of either being a CISSP or a
security professional, and should therefore not be on a practice test
designed to prepare one for the CISSP exam.

I am not usually the one who speaks out, or complains about trivial
things, but I feel this is non-trivial. I the $99.48 I paid for these
this morning was a waste of money. Additionally, the time I spent this
morning both taking your exam, and writing this e-mail, has done nothing
to help me prepare for, or pass the CISSP exam, but has instead given
you critical feedback which will *hopefully* help you to improve your

I have already uninstalled your software from my computer, and plan to
never use it again, as I see no benefit.

Please get back to me soon and explain how you will honor the quality of
your product and customer service.

Sean Wilkerson
---------------------------- End of Message ----------------------------

I'd like to thank Sean for his permission to reproduce this informative email. I know how thoroughly and meticulously he researches everything, so I'm certain that from all the information available publicly, this looked like a good exam. The only recommendation I can make to avoid this situation is to talk with people who have taken both the practice exam and the CISSP itself before spending money on any practice exam.


Malware analysis and the long days of May

The long period without an update is not without a good cause; I am currently finishing a paper on an XML Framework for intrusion detection signatures. The paper is technically finished, but not polished to where I would feel comfortable for the world+dog to read it. So, for anyone concerned I had been redirected to /dev/null, fear not.

The Internet Storm Center handler's diary for today has an excellent write-up on malware analysis by Tom Liston, one of information security's more colorful personalities. I first became familiar with Tom's work during the Code Red outbreak in 2001, when he developed a little piece of bandwidth-saving code that later grew into the LaBrea Tarpit. If you have ever wondered what sort of work and insight go into basic (yes, I said basic) malware analysis, this article offers a peek into the field. As you might expect, the work done here is merely the tip of the iceberg when it comes to analyzing malicious code. Tom doesn't even go into the details of the shellcode delivered by overwriting saved stack pointers, assembly code tracing, or the packet captures often analyzed when reverse engineering malware.