Zen and the Art of Information Security
By Ira Winkler
Copyright © 2007 Elsevier, Inc.
All rights reserved.
Chapter One Zen and the Art of Cybersecurity
I was on a telephone call that I avoided for weeks. We were planning how to steal $1,000,000,000, and to me this particular planning call was more than a nuisance. The instigator of the call is one of the most talented hackers I have ever met. Frankly, I would rate his technical skills as being among the best in the world. Yet, he was asking a bunch of questions about the pending theft that were not even worth talking about. Issues such as the timing for the specific phases of the theft, the hotels to stay at, and several others, were well established during previous calls and e-mails. However, he was going through the motions to make it seem like the most important question to him was just an afterthought.
After a few annoying minutes, he asked the question that he clearly knew the answer to, but he had to segue into the guts of his real question. "Who is doing the social engineering?" he asked with a purposefully naïve tone in his voice.
To the unexposed reader, social engineering is the hacker term for performing non-technical attacks. To most hackers, these attacks are typically pretext telephone calls where the hacker pretends to be someone to dupe an unsuspecting person out of information that can get the hacker access to a computer. Sometimes social engineering refers to going into offices and looking around for information about computer systems, such as passwords taped to monitors. That is the naïve view, in my opinion, of what social engineering is.
"It's going to be me, Stew, and Stan," I replied as a matter of fact, but in a tone that left no reason for doubt.
"What do we need them for?" he replied in an irritated tone.
"Well, obviously I am clearly the person to lead the work. Stew is a former Navy SEAL who specialized in infiltrating enemy positions to lay explosives. Stan is a former GRU colonel, who was one of their top spy masters and got people to betray their country under penalty of death," I replied in what I thought should be a definitive response.
Then my technical friend tried to metaphorically jump all over my statement. "Look, I know how to check for unlocked doors and look for sticky papers with passwords on them taped to monitors. We don't need to bring in any outsiders."
I have to admit that I was dumbfounded. This was not because he countered my argument so cleverly, but because I had what was an epiphany, for lack of a better term. The only thing that went through my mind was, "My God. You don't even know what you don't know."
Again, this was a person whom I considered one of the better hackers in the world, and who I would expect to know the difference between generic social engineering, the way a little Script Kiddie would perform it, and professional social engineering, which for all practical terms is human elicitation, a.k.a. spying. I would expect this person to realize that Navy SEALs undergo what is arguably the toughest training in the world because they have to complete the toughest missions in the world. Many people are not aware that the spy operations that people believe some James Bond would perform are usually performed by Special Operations Forces.
Likewise, a real spy, like a GRU operative, completes years of training in manipulating people to get them to commit acts that are against everything they hold dear. It goes way beyond just asking for a password, which is frequently the word "password" itself. To a real spy, asking for a password and checking doors to see if they're locked is amateur hour.
For a while, I tried to state how these people have years of special training that makes them uniquely qualified. However, social engineering can be the most fun task of any penetration. More importantly, it became a matter of pride for my hacker friend. Nothing was going to change his mind. Luckily, when I wrote the targeting plan for the work, I put in the phrase "trained intelligence operatives." This made any other arguments moot, as the hacker definitely did not attend any training by an intelligence agency.
As events would have it, Stan, the Russian spy, ended up identifying a possible Chinese Intelligence operation operating across the street from the company we were targeting. Stan walked into a Chinese restaurant and noticed a menu written in Chinese. He read the menu and noticed that there were Chinese delicacies on the menu.
"Ira, there are Black Duck Eggs on the menu," was Stan's confusing statement.
"Stan, what the hell are we paying you for? It's not to make me sick," I replied.
Stan laughed and said, "Oh my simple American friend. Black Duck Eggs are a delicacy in China. I can't get Black Duck Eggs in San Francisco, let alone this little piece of [garbage] town in the middle of nowhere. And by the way, they're cheaper here than on the streets of Beijing."
Then it started to click. Chinese intelligence operatives primarily work by recruiting people of Chinese heritage. To find as many potential people to recruit as possible, they create social situations where Chinese people would want to gather. A restaurant, directly across the street from the headquarters of an extremely large global company, serving delicacies from home that cannot be found for thousands of miles, is the perfect situation to find people who have access to the company and who may also be more sympathetic to China than to the company. The intelligence officers just mingle with the clientele to find out who those potentially sympathetic people are.
There was no way in hell that my hacker friend would know how to read Chinese, let alone determine that the restaurant was a front operation for a major intelligence organization just by knowing that Black Duck Eggs are a Chinese delicacy. If this doesn't demonstrate the difference between the skills and knowledge base of hackers and trained intelligence operatives, nothing will.
I contacted the company's security manager and told him what we found and how to report it to the FBI. Oh, did I mention that this penetration was performed under contract for the targeted company to find their operational security vulnerabilities? The fact that we found an ongoing intelligence operation targeting the company was an added bonus.
While this whole case of a penetration test leading to the identification of a hostile intelligence operation is relatively unique, the concept of even highly skilled security professionals, like my hacker friend, not realizing what they don't know is not. As a matter of fact, I contend that the major problem with computer security as a whole is that people in general are completely unaware of the basic issues of security. Again, as this case demonstrates, even experts in one aspect of information security may be naive about many other aspects.
I realize that my hacker friend will be pretty upset about my talking about him in this way. While it is true that I believe he had a lack of knowledge in social engineering, the issue is that he was never exposed to what social engineering can be. If I had not been directly exposed to human intelligence tactics, I would likely not know too much about the difference either.
Frankly, I have worked with several security consulting managers at different companies, who all seem to take exception to the fact that I believe that trained intelligence and Special Forces operatives provide knowledge, skills, and abilities that even the best standard security consultants do not. They are as offended as my hacker friend.
It is not that I think less of people who don't have a special background, but that the operatives have years of highly specialized training that others do not. That training includes testing of those skills in highly stressful life-and-death situations. Not only do they have the training, they have likely performed their work in real life-and-death circumstances. The average consultant who has not received this level of training and performed in the field just doesn't have anywhere near this skill level.
While it is true that the level of experience of the operatives is not typically necessary on a standard penetration, it is there when required. When you perform a penetration test, or espionage simulation in my case, 90 percent of the time it is so easy to compromise a company that a child could do it. Five percent of the remaining time, there is some situation that requires some additional skill that many skilled security consultants could perform. In the remaining 5 percent of the cases, the project will fail or be aborted without having that skill available.
However, while the above represents getting the basic work accomplished, it does not account for the fact that more than half of the time I perform the work, my team finds actual cases of criminal activity or espionage being performed against the client, like the case of the Chinese restaurant. Sadly, the clear majority of skilled consultants completely miss the crimes against the client. They don't know what they don't know about what they are missing. They can't find the activity, and they would not know the appropriate steps to take even if they did identify the crimes.
Philosophy of Security
Frankly, most of security is mental. How do you perceive what you are securing? How do you perceive the enemy? Do you believe the situation is manageable, or do you believe the situation is overwhelming? Are you willing to implement security into your daily operations? Do you consider security a ubiquitous part of overall operations? The list can go on.
How you answer these questions determines whether you will be secure. For example, a car is extremely complicated, probably more complicated than computers. Not only do you have to worry about the car itself, you have to worry about other drivers on the road, criminals who will vandalize or steal the car, failure of different components of the car, filling the car with gas, changing the oil, red lights, street signs, emergency vehicles, and so on. There is an infinite number of ways that you can be hurt either through your own actions or those of others. This could be very overwhelming, yet people get in their car every day and generally survive.
However, for some reason, people want to believe that computers are different. Despite the fact that scams have been going on in the real world for years, you would think that scams were invented with the Internet. While it is not inconceivable that a savvy Internet user would be taken in by a scam, it is extremely rare. The only things that the savvy users have are common sense and some very basic knowledge.
Likewise, if you want to believe that computer hackers are invincible, you will do nothing in return to protect yourself. After all, why waste your money trying to stop someone you can't stop?
If you approach information and computer security like they are manageable, then they are. If you throw up your hands in defeat, you will be defeated. The way you think affects the way that you perceive and approach the problem. If you believe security is manageable, you will perform basic research, determine reasonable security measures, and implement those measures. I would say most importantly, you are taking personal responsibility for your security.
Once you understand the underlying principles of security, you can take reasonable security precautions. You don't have to have the training of a Navy SEAL or Russian spy to know how to protect yourself. This is true for both individuals and organizations, including multi-billion dollar corporations and large government agencies. If you understand why, the technologies and processes will follow. This book answers the Why of security.
Chapter Two Why I Don't Like the Title of This Book
Actually, I do like the title of this book. It is catchy. It also brings up connotations of the book, Zen and The Art of Motorcycle Maintenance, which gives the concept that there is a mental aspect to security. However, the title implies that security is an art. Security should be a science.
Art implies that there is no repeatable process. It implies that results can vary depending on the mental state of the practitioner. If something is an art, it cannot be truly learned. We then have to search for artists to do security work. We must then accept mediocre security professionals, because true artists are a rare commodity.
However, when something is a science, we can expect reliable results. We can find a variety of people to provide generally the same type of security architectures and services. Your company does not come to a halt when some people leave. Other people can then pick up where they left off when they come onboard. Most importantly, if people are unskilled, you can train them to do an acceptable job.
Excerpted from Zen and the Art of Information Security by Ira Winkler. Copyright © 2007 by Elsevier, Inc. Excerpted by permission of Syngress. All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.