Earlier I posted a very hot take on ethics and infosec. I enjoy debates on ethics because it really applies critical thinking skills. Here’s my hot take on it: Ethics are 100% off the table when conducting a pentest. I was met with a rebuttal about if an employee sues because of it. Here’s my extremely hot take: if an employee sues a pentester because they let emotion get the best of them, that suit should be thrown out of court. Let me explain.
The Bad Guys Don’t Have Ethics
The guy 10 router hops away in the dark apartment filled with cigarette smoke doesn’t have any ethics when he’s trying to hack a system. He doesn’t have any ethics when he’s launching a DDoS attack on a website. How are you going to find a weakness in a system if you don’t test all the weaknesses? With this logic, it’s completely off the table to phish test a company around the holidays with a fake Amazon order email. Or it’s completely off the table to phish test a person around their birthday – “Here’s a free ice cream from McDonald’s! Click here for your coupon!”
Here’ s the thing about human psychology: we let our guard down when we’re comfortable. Most people have a person in their life they would (and do) tell anything to. Sometimes known as a Best Friend, BFF, a “ride or die”. We are so comfortable with this person, we tell them anything. We just volunteer information without thinking about it – we tell them the dumb thing our coworker did, we tell them how much our boss sucks, we tell them everything. They know some deep secrets about you. But you don’t think twice about it. They can use that information against you at any time, any place, but we trust them.
But what if they weren’t actually that person? Passwords to messaging accounts get stolen, phone numbers get hijacked and you’re none the wiser. Or how many times have you heard of someone getting a message on Facebook that says something like, “Hey! I forgot my password to my old account so I created a new one!” and then later discover they actually didn’t lose their password and someone just created a fake profile? How many people do you think carried on telling that person secrets without a second thought until suddenly they weren’t comfortable?
In order to secure, you must think like a criminal
Suppose you wanted to secure your home with an alarm system. You buy a fancy system. It hooks up to your phone line to automatically call the monitoring center or police if it triggers. It comes with some fancy sensors for detecting if a door or window opens, there’s movement, or a glass breaks. But why do you think alarm companies suddenly went cellular? Because a weakness in older security systems was cutting the phone line! No law abiding citizen just goes around cutting phone lines and then throwing a brick through a window. But how did the alarm companies think to add this wireless tech to their systems? Sure, GSM and CDMA modems got cheaper and more available, but they weren’t susceptible to having the phone lines cut. Look on any home in an area that still has copper service. I guarantee you there’s an unprotected phone cable on the side of the home that you could cut and take out phone service. And in the VoIP age, I guarantee you could cut a fiber or a coax cable.
Alarm systems improve because researchers must throw ethics out the window. One of my favorite people to learn physical security from is Deviant Ollam. He’s got some really good YouTube videos that you should watch. Specifically, they involve keys. And he talks about copying keys. And even not using keys. So let me ask you, about ethics here. You’re a pentester and you get into an office. This office is “secure” and they have doors inside the office partitioning it off, but these doors are secured with an access control system and are locked with electromagnetic locks. You reach one of these doors and you find it’s definitely locked when you pull on it and the card reader has a red LED illuminated. Do you shrug and say mission accomplished, office is secure? Or do you pick up a nearby can of air duster, turn it upside down and spray it to trigger the PIR REX sensor and let yourself in?
Since this is about ethics, entering a locked area is unethical! Hell, most of the time you don’t even need air duster! If you have a sheet of paper, you could let yourself into a “secure” area!
The office has a weakness and it’s because they didn’t properly secure their door… they didn’t put a guard under the door to prevent anyone from sliding papers under it. They didn’t put a tight seal that could make it difficult to slide the straw of an air duster through. They didn’t put the IR sensor where people would be walking to exit or put it way too close to the door. Or they could have bought a more secure sensor that is resistant to false positives.
Physical security is no different than cybersecurity
If you’ve ever had your home or car broken into and things taken from you, you feel hurt. Someone invaded. Cybersecurity is no different. In my earlier days, I’ve had websites defaced by hackers. One was even so kind as to help me learn how to secure my website better and even improved it for me after I had rebuilt it and they defaced it! But I still felt violated.
That is why I believe that in cybersecurity, ethics are off the table. In order to get people to change, they have to feel the pain. It’s going to sting, but it’s tough love.
Infosec pros are targeting the wrong people
And here’s the part that inspired me to write this post. Information security professionals are wasting time, energy, and money targeting the wrong people.
I actually let out a chuckle when I read the reply to my tweet how I could say in the same breath that pentesters should not use ethics but target a different audience.
I can say that in the same breath because it’s absolutely true. It’s called a “transition period”. Changes don’t happen overnight. I remember when a 5 character alphanumeric password was considered “good security” and now most places require at least 12 characters with upper, lower, a number, and a symbol. That change didn’t happen overnight. First it was 5 alphanumeric characters. Then it became 8, then they threw in a special character and/or a number, and then recently it started becoming the norm for at least 12.
So who the fuck should all these infosec professionals be targeting? Hint: it’s not the end user!
Information security training doesn’t work. It’s a waste of money. The end user you keep trying to stop clicking on random links doesn’t care. Let me repeat that: INFORMATION SECURITY TRAINING DOESN’T WORK. IT’S A WASTE OF MONEY. THE END USER YOU KEEP TRYING TO STOP CLICKING ON RANDOM LINKS DOESN’T CARE.
I’m going to say it for a third time and get really annoying with the font formatting: INFORMATION SECURITY TRAINING DOESN’T WORK. IT’S A WASTE OF MONEY. THE END USER YOU KEEP TRYING TO STOP CLICKING ON RANDOM LINKS DOESN’T CARE.
We don’t like being told we’re wrong. I’m not any different there. So if you’re an infosec person, I’m sorry for having to hurt your feelings. But you’re screaming into a void. Want to help secure a company? Target the IT pros in that company.
As an IT pro myself, I take pride in my systems. My servers and network are like my house. Finding someone was in there uninvited is like finding someone was in my home without my knowledge. WE are your target market. WE are the ones you need to be saying, “SECURE YOUR SHIT!” to.
Instead of sending out stupid and pointless phishing test emails (and, by the way, do you ever notice that it’s typically the same people who fail those?), instead of making the company sit through mind numbing training videos that tell you every phishing email is one that has bad grammar, doesn’t use your name, implies a sense of urgency (and, fun fact, the ONE phish test I nearly failed in my entire IT career didn’t meet any of the typical criteria. It used my first and last name, it used immaculate spelling and grammar, it had the tone of a standard HR-like email – but what gave it away was it was about adding my payroll information to the company’s new HR system. But the company had just moved HR systems and the email was from a completely different HR software vendor. No way did we just switch again because it would be impossible to move all that data, configure those workflows, etc. that fast. I clicked on the “Report Phishing” button and a message came up: “Nice work! This was a phishing test. You passed!”), infosec pros need to be targeting systems and network pros.
Here’s the thing. Systems pros have the power to say what software is permitted to run on a computer. You put all the software that is allowed in a list and push that list out to all the computers. If Alice in Accounting is sent a PDF that isn’t really a PDF or it tries to run some malware, that signature isn’t in the allow list so the security software just keeps it from running. It doesn’t matter how many videos you shove in Alice’s face, she’s going to keep clicking that malicious PDF. There should be standard user accounts and elevated user accounts – and the network firewalls should be user-aware. And if they’re not that intelligent, they should at least be VLAN aware. That means if I was to login as my admin account, the network firewall should see that and prohibit me from going to the internet. In fact, many firewalls do this with RADIUS. Using something like Packet Fence can also automatically configure role based access control – meaning if a non-IT employee is trying to access RDP on the file server, that request will not be allowed but an IT employee would be permitted to RDP.
Network pros can prevent traffic from going to where it shouldn’t be going. Network segmentation is important. A computer in Accounting has no business being able to talk to a computer in Marketing. The file server should never be reaching out to any other computers. The DNS servers should only accept DNS traffic from any computer. SSH and RDP ports? Those should be restricted to a management VLAN that requires a jump box or a VPN to access. And even then, only IT or authorized users should be able to access those jump boxes or VPNs.
Home Depot Wasn’t Breached By An Email
To add further proof that infosec folks need to target IT pros and not end users, just look back to 2014 when Home Depot was breached. The attackers used a third-party’s network credentials to access systems. From there, they were able to pivot around and get access to the POS terminals. Had proper internal firewalling restrictions been in place, it would have been nearly impossible. It’s unknown what the third party contractor was for, but my guess is it had nothing to do with the payment terminals.
Neither was Target
And yet another piece of evidence, in 2013 Target also suffered a massive breach of PII and credit card details because the credentials of an HVAC (Heating Ventilation Air Conditioning) contractor were breached. Target could have prevented this breach, or at least minimized it severely, by preventing lateral movement.
Talk to who you know
Spending time as a network pro, I’ve had strange situations. Like the one time I was in one of our branch offices because of a phone problem. The complaint was they’d pick up the receiver, and there was no tone. Very strange since our phones used SIP over the Internet but the Internet was working. I knew our telecom provider was also working because this was the only office complaining. So I sat down at an empty desk, I logged into the office’s firewall, and I created a policy based firewall rule. SOURCE: LAN Network, SOURCE PORT: SIP, DESTINATION: Corporate IPSec Tunnel. That’s right, I routed SIP traffic over an encrypted IPSec tunnel to our corporate office. Want to know what happened the second I clicked the “Apply” button? The phones in the office suddenly had tone. After having a heated talk with our Comcast Business rep and being assured “Comcast doesn’t block any traffic”, I removed my routing rule from the firewall. The phones went dead again. I asked our Comcast rep if Comcast would be like to be liable if there was an emergency and our employees couldn’t dial 911 from their phones? Within the hour, the office phones magically started working again and I never had that problem in that office again.
Just as easily as I re-routed SIP traffic to our corporate office, I blocked traffic. Certain systems were only permitted to talk to others. Like I had a lab environment. This lab environment had a few servers for testing things. I place myself on an “IT” VLAN in the office. This VLAN allowed me to talk to the lab. But no one else could. This meant that my testing was isolated and it couldn’t leak out. Until that time I promoted a server from the lab to production and like 6 months of old emails came flooding out of it because it wasn’t permitted to talk to our Exchange server! Oops!
Infosec can be fixed, IF infosec is willing to change
And there it is. Ethics in infosec are completely off the table until infosec learns to target the people who do care and will actually do something. I’ve been in IT long enough to know that end users don’t care. It’s not their computer – they’ll gladly spill a Coke on it. It’s not their network – they’ll gladly try to torrent 500 GB of bootleg DVDs. It’s not their data – they’ll gladly click on that strange PDF.
In the end, it’s the IT professional’s fault that the company got ransomwared. It’s the IT professional’s fault the company suffered a data breach. We have the tools to secure our systems and networks, but some of us lack the knowledge on how to use our expensive firewalls to their full potential, lack the knowledge to put together a secure network without a “single pane of glass” holding our hand, don’t have the time because we’re busy saving Janice from changing the toner in the copier because it’s too hard for her to do, or were strong-armed by clueless management that either doesn’t understand how a few simple firewall rules will save them from losing their business because they keep buying into the false narrative that the end users need security training.
If infosec targeted IT professionals and not end users, we might be able to secure our fucking networks! And then the only ethics question in infosec will be, “do we target home users?”