This past week, I attended a seminar titled A Road Map to Security Risk Management through System Source. The presentation was centered around building out a comprehensive plan for understanding your security risks and putting plans and procedures in place to mitigate those risks. There are many factors to consider when building such a plan and this seminar did a great job of getting you thinking about those factors.
There was one theme in particular that kept coming up in our discussions…training! The attendees of this event all felt very strongly that one of their greatest security vulnerabilities was lack of education and understanding of security matters in their own staff. It is great that we have grown up in a society where we want to be trusting of our fellow citizens. However, there still are those individuals in dark and shady corners of the world who wish to deceive you and we need to take precautions. Giving our staff a better understanding of how these deceptions occur will go a long way to improving security.
Later in the presentation, we talked about ways we as IT professionals can work to remove security vulnerabilities. For example, developers should plan to do code reviews with their peers. Another example is that network admins can periodically review their network configurations. Then it hit me…do the developers and the network admins talk and work together?
I have had the pleasure of being in environments with large IT departments and seeing what these individuals can do on a daily basis. I have also seen how the individuals in these environments will very quickly fall into very separate and distinct roles. Unfortunately, this separation of duties often also fosters a separation of communications. We all recognize that our fellow business employees can benefit from additional training, but what about the cross-training of information within the IT department?
Let me provide a good example. Recently, I had my network admin hat on and was reviewing my web server logs for any unusual amount of 404 errors. One particular source IP address had an unusually high amount, so I drilled into the detail. When I did, I quickly saw that this source was looking for the FCKEditor at any and all URL patterns imaginable. This was obviously the work of someone up to no good. I did a search on “FCKEditor vulnerability” and found a document that outlined the exploit. (Exploiting PHP Upload Module of FCKEditor by SecurEyes) It had been identified that a hacker could make use of a null character in a file upload path in order to trick the system into uploading a malicious PHP program. Armed with this knowledge, and knowing that none of our sites made use of the FCKEditor, I took two actions. First, I blocked this particular IP from all access to our servers. Second, I coded our IDS system to recognize this pattern in the future so it could block future attempts in real time. Another duty of the network admin completed, I moved on to my next project.
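The log review described above (count 404s per source IP, then drill into what the noisy source was asking for) can be scripted so it runs on every log rotation rather than only when someone happens to look. The following is an added example written for this post, not code from the original article or from any IDS product. It assumes the Apache/nginx "combined" log format; the sample log lines, the IP addresses (from documentation ranges), the 404 threshold and the `FCKEDITOR_PROBE` pattern are all constructed for illustration.

```python
"""Added example: find sources generating many 404s in a web server access
log and check whether those 404s were probes for a known editor path.

Assumes Apache/nginx "combined" log format. All sample data below is
constructed; the IP addresses come from RFC 5737 documentation ranges.
"""
import re
from collections import Counter

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (not real traffic): one ordinary visitor, one source
# probing for the FCKeditor upload script under many directory names, and one
# visitor hitting a single stale link.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2011:13:55:36 -0400] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2011:13:55:40 -0400] "GET /about.html HTTP/1.1" 200 1120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2011:13:55:41 -0400] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2011:14:01:02 -0400] "GET /fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 209 "-" "-"
192.0.2.44 - - [10/Oct/2011:14:01:03 -0400] "GET /admin/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 209 "-" "-"
192.0.2.44 - - [10/Oct/2011:14:01:03 -0400] "GET /cms/FCKeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 209 "-" "-"
192.0.2.44 - - [10/Oct/2011:14:01:04 -0400] "GET /includes/fckeditor/editor/filemanager/connectors/php/upload.php HTTP/1.1" 404 209 "-" "-"
192.0.2.44 - - [10/Oct/2011:14:01:05 -0400] "GET /wp-content/plugins/fckeditor/editor/filemanager/upload/php/upload.php HTTP/1.1" 404 209 "-" "-"
203.0.113.9 - - [10/Oct/2011:14:05:00 -0400] "GET /old-page.html HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Hypothetical drill-down pattern: any request path that goes through an
# FCKeditor directory, case-insensitive (the post mentions probes at many
# URL patterns, so we match the directory name rather than one full path).
FCKEDITOR_PROBE = re.compile(r"/fckeditor/", re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def parse_log(text):
    """Parse all lines, silently skipping ones that do not fit the format."""
    return [rec for rec in (parse_line(l) for l in text.splitlines()) if rec]


def count_404_by_ip(records):
    """Number of 404 responses per source IP."""
    return Counter(r["ip"] for r in records if r["status"] == 404)


def top_404_sources(records, threshold):
    """Source IPs with at least `threshold` 404s, noisiest first."""
    counts = count_404_by_ip(records)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


def probe_sources(records, threshold, pattern=FCKEDITOR_PROBE):
    """Drill-down: for each source over the 404 threshold, count how many of
    its 404 paths match `pattern`. Returns {ip: (total_404, matching_404)}
    for sources with at least one matching path."""
    result = {}
    for ip, total in top_404_sources(records, threshold):
        matching = sum(
            1 for r in records
            if r["ip"] == ip and r["status"] == 404 and pattern.search(r["path"])
        )
        if matching:
            result[ip] = (total, matching)
    return result


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, (total, matching) in probe_sources(recs, threshold=3).items():
        print(f"{ip}: {total} 404s, {matching} looked like FCKeditor probes")
```

The threshold keeps a single visitor with one stale bookmark out of the report, and the drill-down step separates "lots of 404s" from "lots of 404s all asking for the same product we do not run", which is the fact that justified the block and the IDS signature in the story above. The same structure works for any other product path you know you do not host.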
But wait, shouldn’t this information have been shared within our team? My background is largely in programming and as a programmer, I did learn something from this. Maybe this information should be shared with other programmers on our team so that they can continue to improve their own code. What about our support staff and sales team? When they talk to end users about security, the more they understand the vulnerabilities, the easier it is to talk about the overall subject. The IT manager? Are you looking to buy that latest and greatest IDS appliance for your network? Your boss should understand why they need to approve the costs for such appliances. This also helps them communicate better with the senior managers when discussing budgets and corporate strategies.
As IT professionals, we know that the learning process never ends. But let’s not forget to support each other in our learning too. The more we share this knowledge among ourselves, the better prepared we all are for any security situation.