Den amerikanske sikkerhetseksperten John Nunes, som blant annet har vært sikkerhetsansvarlig i det amerikanske Forsvarsdepartementet, stilte torsdag opp for digi.no for å svare på spørsmål digi.nos lesere måtte ha om sikkerhet, primært i bedriftsnettverk. Nettmøtet ble arrangert i samarbeid med norske Masterminds.
Nunes fikk en rekke spørsmål og har svart på et representativt utvalg av disse. Dette kan du lese nedenfor:
Ketil Kintel: The principles laid out in BS 7799 (NS/ISO 17799) is well known and used in Norway. One of the main points in it is that security measures should be based on a risk analysis.
What kind of competence/ training does it take to be able to skip the risk analysis part and be able to say that security in a wireless network is good enough just by driving around with a laptop (as you did in Trondheim)?
Nunes: It would be impossible to just driver around and tell if a wireless network was secure or not. Saying that these networks are wide open to hackers is really good for selling newspapers...As is misquoting the person you are interviewing.
Also, determining if they were secure or not would require some active probing. That would probably cross the line between legal and illegal. I have no desire to spend time in jail in any country and would definitely not do anything illegal in front of a reporter.
I hope everyone can read between the lines and figure out here the problem lies.
Ketil Kintel:What standard methodology is the best to use to ensure a well performed security audit/ penetration test?
Nunes: I love talking about methodology since almost nobody realizes how important it is when performing a penetration test.
For an overall, well rounded methodology, I like the OSSTMM (Open Source Security Testing and Methodology Manual) which can be downloaded from www.isecom.org. While it doesn't give you the specific steps for tool usage or techniques, it will make sure that you do not miss any steps or areas when you follow it. I have used the checklists in the OSSTMM in many of my tests and also during some classes.
One other bears mentioning. If you are going to be doing web testing, check out the OWASP (Open Web Application Security Project) at www.owasp.org. This is my first stop for web security information. Take some time to browse the site and be sure to check out some of the downloads also.
Øyvind Pedersen:I know that you consider WEP useless as a security measure. What are your thoughts about WPA? How about WPA2?
Nunes: Great question, thank you for asking it...
First off, while full of problems, WEP is still better than nothing. It will make people look elsewhere if they are just looking for a target of opportunity. However, yes, it does have some serious flaws when used as a security measure.
WPA looks like it will fix many of WEP's shortcomings. I have always liked the concept employed by TKIP (Temporal Key Integrity Program) but until now it was proprietary. I will have to hold judgement until I see how it is implemented though. Many security measures are great up until the point where they are poorly implemented and someone finds and easy way around it.
One final thought on this. The 802.11i standard (which will use WPA) will still not REQUIRE encryption to be used. Never underestimate the power of poor administration!
Jan Sunde:Which firewall software would you (personal) recommend for home use? And what do you think about Blackice? Any answers are highly appreciated.
Nunes: Zone Alarm is also a great choice if you want something free. You want to download it soon though since the company was just bought out by another. I don't know if they will continue to release it free of charge.
Hope this helps!
Raymond Andre Hagen: Who will you say are to blame for the software security breaches today? The software developers or the hackers / crackers which are exploiting them ?
Nunes: The software developers would have the bear the bulk of the responsibility. There is no excuse for some of the vulnerabilities that have shown up in the last few years. Companies are rushing to get products to market and meet a deadline and that is causing poor coding and not enough time for quality assurance. The software giants know we have to use what they create so they have no motivation to go the extra mile and do really good security checking before release.
Before everyone gets upset at me though I must say that this is not an excuse for breaking the law. If the quality of the software was 100 times better, people would still attempt to break in.
Best of luck!
Rune Mydske Nielsen: Which free tools do you consider most powerful for monitoring security holes in a subnet? (Regardless of OS). Earlier I have used SAINT, but this tool is not free anymore.
Nunes: For scanning (Vulnerability Assessment) I prefer Nessus. It is free and open source. The development support for it is huge and sometimes new checks come out for Nessus before they do for commercial scanners. A new version (2.0.1 I think) was recently released. There are ports of this for the Windows operating system but I normally prefer to run it on RedHat Linux.
For true monitoring (Intrusion Detection) I use Snort. Although free, you might consider investing a small amount of money in some of the graphical interfaces and log analysis tools.
Hope this helps!
Richard Svendsen: Is there any way to crypt an entire Hard Drives and the Boot disk, to guard the data if the computer is stolen?
Nunes: Yes, there are a few disk level encryption tools on the market. Unfortunately, the one I am currently using is no longer produced so I do not know of any off the top of my head. Network Associates has made some in the past, you might to start by searching there. Also, I don’t know that I would trust and free ones you might find. If the disk is encrypted and the product stops working you probably won’t be able to recover any of the data.
Richard Svendsen: I know there is almost impossible to stop SPAM/Virus, but is there “SPAM/Virus-police” out there? In these days we and many other companies around the world are using so mush time and money on this issue?
Nunes: If I knew of a way to stop the SPAM/virus problem I would be the richest man on the planet!! Unfortunately it is up to each country to attempt to pass laws and prosecute those responsible. In the U.S. some of the major ISP’s have begun to file lawsuits against these people. However the biggest problem is international boundaries. There are also some countries that have no laws against virus development and spamming making it near impossible to do anything about it.
Richard Svendsen: How do I “destroy” the people the makes viruses? :-)
Nunes: Convince the software developers to make products that don’t have so many vulnerabilities.
Hope this helps!