EV4 2 9 Sec
The 2002 Sep 18 meeting of the Evansville Star Base AS/400 User Group included a presentation by Dave Titzer of Big Rivers Electric on how they are using an "Ethical Hacker" to test the integrity of their network security. This is part of a big Security Audit that is done every few years. They will be making a report on it to their management in January 2003, after which the User Group has asked for a follow-up sharing with us of whatever they are able to share about how well the whole process went, and any new lessons from it.
As with many companies in the Evansville *BASE User Group, they have a mixture of types of computers whose security is somewhat dependent upon end users following company guidelines, like turning off equipment when no one is home, and letting the computer department know when they add something to a PC that might compromise security. In most companies, people add stuff to their PCs all the time with no idea what the security implications are, and the computer department does not find out until they flunk a security audit because of it.
Another company at the meeting, that had already been through a security audit, said the most common violation they found was that end users would have PC Anywhere or some such service running on their PC with no password, and would not turn off the PC when they went home, so a hacker could get in and do anything on the PC, which included connecting to the rest of the network.
The big problem, apparently, is the ease with which people can add stuff to PCs where we have no idea what the vendor left in there, such as back doors that intruders can abuse.
A lot of info was shared in the meeting about computer security that I already knew, but there were also lots of interesting new gems.
- In their risk assessment of where threats could come from, they included every way into their computer.
- For example, one of their partners is the Government. You have to trust the Government, but any organization could have disaffected employees, or a hacker might break into the Government's computers and then get to you through them. So a risk assessment must not toss out any threat as being non-credible.
- People get modems for their PC but only use them for fax, but those modems can also transmit other stuff. Just because you are only using it for fax does not mean that a hacker would only want to use it for that purpose.
- Big Rivers has a Honey Pot strategy: a simulation network for hackers, which includes an AS/400 dedicated to that task.
- When they think they have an intruder, that individual is transferred to the Honey Pot network to see how far said individual can penetrate, but this network is not connected to anything that will seriously damage the company no matter how much the intruder does.
- Companies that supply power to the electric grid are under the Department of Energy.
- DoE hacked into Big Rivers, then said that under current guidelines you are supposed to inform DoE within 2 hours of anyone hacking in, and you missed the deadline. Well, the fact that they'd been hacked was in fact in the system message logs, but they do not have people monitoring them 24 hours a day, so now they are adding software to monitor that kind of stuff so they can comply with the 2 hour rule.
- Remember the movie WarGames? Someone dialed a bunch of phone companies looking for a sound like a modem, then tried to figure out what that modem connection was looking for so they could get into the system at the other end. That is called War Dialing.
- They shopped around to find a Computer Security Company (the high bid that they did not go with was $100,000.00) to War Dial all 500 phone lines they are paying the phone company for, connecting to any of their offices (this is done outside regular business hours), and then use standard hacker tools to see how far they can penetrate into the company's computer systems.
- In the initial part of this testing, the Security Testing Company only knows standard Electric Industry stuff, no insider information that any employee could tell them.
- In the later part of the testing, the Testing Company combines what they could do without insider information with insider information deliberately shared with them,
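The point in the DoE bullet above is that the evidence of the break-in was already sitting in the system message logs; what was missing was something watching those logs so the 2 hour reporting clock could be met. The script below is an added example written for these notes, not code from Big Rivers or from the meeting. It scans a constructed log (the line format, user names and addresses are all made up for the example and are not an AS/400 log format) for a sign-on that follows a run of failed sign-ons from the same source, and computes the report-by deadline against the 2 hour window:

```python
"""Added example: watch sign-on events in a log and compute the 2 hour
reporting deadline for anything that looks like a break-in.
The log format, user names and addresses below are constructed for this
example; they are not a real AS/400 message log format."""
import re
from datetime import datetime, timedelta

REPORT_WINDOW = timedelta(hours=2)  # notification window mentioned in the notes
FAILURE_THRESHOLD = 3               # failed sign-ons before a success that count as suspicious

# Constructed sample log: "<date> <time> <severity> <message>"
SAMPLE_LOG = """\
2002-09-18 09:02:11 INFO  user JSMITH signed on from 10.0.0.12
2002-09-18 09:15:40 WARN  password failed for user ADMIN1 from 192.0.2.45
2002-09-18 09:15:43 WARN  password failed for user ADMIN1 from 192.0.2.45
2002-09-18 09:15:47 WARN  password failed for user ADMIN1 from 192.0.2.45
2002-09-18 09:16:02 INFO  user ADMIN1 signed on from 192.0.2.45
2002-09-18 10:30:00 INFO  user JSMITH signed off
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\s+(.*)$")
FAIL_RE = re.compile(r"password failed for user (\w+) from (\S+)")
SUCCESS_RE = re.compile(r"user (\w+) signed on from (\S+)")


def parse_ts(text):
    """Parse the constructed 'YYYY-MM-DD HH:MM:SS' timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_line(line):
    """Split one log line into (timestamp, severity, message); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return parse_ts(m.group(1)), m.group(2), m.group(3)


def find_suspected_intrusions(log_text, threshold=FAILURE_THRESHOLD):
    """Flag a successful sign-on that follows `threshold` or more failed
    sign-ons for the same user from the same source. Each incident carries
    the time it was detectable in the log and the report-by deadline."""
    failures = {}  # (user, source) -> consecutive failure count
    incidents = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, _severity, msg = parsed
        fm = FAIL_RE.search(msg)
        if fm:
            key = (fm.group(1), fm.group(2))
            failures[key] = failures.get(key, 0) + 1
            continue
        sm = SUCCESS_RE.search(msg)
        if sm:
            key = (sm.group(1), sm.group(2))
            if failures.get(key, 0) >= threshold:
                incidents.append({
                    "user": key[0],
                    "source": key[1],
                    "detected_at": ts,
                    "report_by": ts + REPORT_WINDOW,
                })
            failures.pop(key, None)  # a success resets the counter either way
    return incidents


def report_status(incidents, now):
    """Annotate each incident with whether the reporting deadline has passed
    as of `now`, and how many whole minutes remain (negative if overdue)."""
    out = []
    for inc in incidents:
        remaining = inc["report_by"] - now
        out.append({
            **inc,
            "overdue": remaining < timedelta(0),
            "minutes_left": int(remaining.total_seconds() // 60),
        })
    return out


if __name__ == "__main__":
    found = find_suspected_intrusions(SAMPLE_LOG)
    for status in report_status(found, parse_ts("2002-09-18 10:00:00")):
        print(f"{status['user']} from {status['source']}: detected {status['detected_at']}, "
              f"report by {status['report_by']}, overdue={status['overdue']}, "
              f"minutes left={status['minutes_left']}")
```

Run against the sample, the three failures followed by a success for ADMIN1 produce one incident detectable at 09:16:02 with a report-by time of 11:16:02; the JSMITH sign-on has no preceding failures and is ignored. The threshold and the window are deliberately parameters, since the right values depend on the site's normal sign-on failure rate and on whatever reporting rule actually applies.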
© Copyright 2002 Al Macintyre.
Last update: 09/18/2002; 1:29:20 PM.