Getting Past the Checklist Mentality in Network Security

July 12th, 2007  |  Published in etc

Besides just getting started on this blog, I manage a site called Enterprise Networking Planet. I don’t plan to repost everything we cover there, but we’ve had a run of articles in the past several weeks that are just the sort of thing I was imagining when we talked about starting this blog:

A few weeks ago, Paul Rubens handed in a story about an online course called “Offensive Security 101.”

Rather than running down a bunch of dry checklists, telling you what to do and what not to do, the course puts the same tools the black-hats are using in the hands of the students, then teaches them to get cracking. Paul’s write-up is a detailed overview of how the course is run, including the VPN students are given to run wild on, testing their new skills against virtual servers. Paul was pretty enthusiastic about it all when we discussed the assignment. Evidently students are told there’s no penalty if they see one of their classmates on the VPN and decide to take a swing at owning their machines. It sounds like a lot of fun.

Paul also picked up some interesting techniques he’s been sharing in the weeks since. It’s just as easy to fall into checklist wrangling when you’re reporting on security as when you’re learning it, but that’s not doing a reader any favors. His latest stuff offers a better glimpse at how complex security has gotten, and how flexible you have to be in response.

Last week he did a rundown on Metasploit. It wasn’t a tutorial so much as an over-flight, but if you’re trying to move beyond traditional security audit checklists into actual penetration testing, printing this one out and handing it to a reluctant boss might be useful. Yes, bad people use Metasploit. Liquor store robbers also use guns. We still let our police have them. Maybe Paul can help you make the case that it’s time to do some real pen testing … or form a tiger team.

This week he was back with a consideration of the many ways users can bust out of a network, even one where nothing more than port 80 is open, to get at whatever services administrators wish users would quit trying to get at. I remember feeling pretty clever when I used to let friends behind restrictive corporate firewalls tunnel to a Squid proxy over port 22, but Paul has some stuff in his article I hadn’t thought of. Looks like my little Squid trick was a pretty crude hack. And it seems I can never read about users tunneling out from behind a corporate firewall without thinking about The Beagle Boys digging their way out of prison.
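For anyone who hasn’t seen the “Squid over port 22” trick mentioned above, here is what it boils down to. This is an added example, not code from the post or from Paul’s article; the host name `proxyhost`, the user `alice` and Squid’s default port 3128 are assumptions. It is also exactly the kind of thing the article is warning about: the only “checklist” control it depends on is an outbound allow rule for port 22.

```shell
#!/bin/sh
# Added example: an SSH local port forward to a Squid proxy on a machine you
# control (assumed name: proxyhost, Squid listening on 127.0.0.1:3128).
# Everything the browser sends to 127.0.0.1:3128 on the inside machine goes
# down the SSH session and comes out of Squid on proxyhost.

# Build the ssh command. -N: no remote shell, just the forward.
# -L 127.0.0.1:LOCAL:127.0.0.1:SQUID binds the local listener to loopback
# only, so nobody else on the office LAN can ride the tunnel.
squid_tunnel_cmd() {
  user="$1"; host="$2"; local_port="${3:-3128}"; squid_port="${4:-3128}"
  printf 'ssh -N -p 22 -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
    "$local_port" "$squid_port" "$user" "$host"
}

# Proxy settings for tools on the inside machine (curl, wget, most browsers
# honour these): point HTTP and HTTPS at the local end of the tunnel.
proxy_env() {
  local_port="${1:-3128}"
  printf 'http_proxy=http://127.0.0.1:%s https_proxy=http://127.0.0.1:%s\n' \
    "$local_port" "$local_port"
}

# Only actually start the tunnel when RUN=1, so this file is safe to source.
# Usage: RUN=1 PROXYUSER=alice PROXYHOST=proxyhost sh squid_tunnel.sh
if [ "${RUN:-0}" = "1" ]; then
  cmd=$(squid_tunnel_cmd "${PROXYUSER:-alice}" "${PROXYHOST:-proxyhost}")
  echo "starting: $cmd"
  eval "$cmd" &
  echo "now run: env $(proxy_env) curl -sI http://example.com/"
fi
```

Two caveats a practitioner would add. The tunnel arrives on proxyhost’s loopback interface, so Squid has to accept connections from localhost (the stock squid.conf does this with its `localhost` ACL and `http_access allow localhost`; if you have tightened that, add it back). And from the firewall’s point of view this is just one long-lived outbound SSH session, which is why port-based allow lists don’t tell you much about what is actually leaving the network.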


© Michael Hall, licensed under a Creative Commons Attribution-ShareAlike 3.0 United States license.