Deciding how to spend a $10K windfall wisely
- 08 November, 2011 02:59
We have a lean IT department. Its budget is well below the industry average, and my security budget is only about 3% of that. So, as you can imagine, I didn't hesitate to say yes when I was asked this week if I could spend $10,000 before the end of the month.
At issue: $10,000 has unexpectedly fallen into the information security budget.
Action plan: Quickly and wisely decide what to buy with that money.
My team and I decided to make a few tactical purchases to fill in gaps in our vulnerability management program. The first purchase was a perimeter-scanning service. Our company's first choice when bringing in new technology is usually software as a service, but we had recently canceled our perimeter-scanning service because the provider's licensing model was not cost-efficient and there were limitations on the types of vulnerabilities scanned. With our windfall, we were able to sign up for a new service that we're happier with. One drawback: It doesn't offer automated email alerts, meaning that my analysts will have to log in manually to check for suspicious results.
Next, we decided to purchase BurpSuite, a tool that came to our attention over the past year as third parties conducted a number of assessments for us. BurpSuite was the one tool that consistently seemed to be used to detect Web-based vulnerabilities. It enabled us to inspect and modify traffic between the browser and Web applications and to manipulate the data sent from the browser to the server. Already, BurpSuite has identified a flaw in the change-password logic for one of our customer-facing applications.
After that, we still had enough money to buy a supported version of Metasploit. This cool tool, a valuable backup for vulnerability assessment and scanning tools, should be part of every security practitioner's toolbox. All too often, a scan will tell you about a vulnerability but won't tell you enough to positively validate the results to the satisfaction of your "customers." You tell the application or server team that you've uncovered a vulnerability that must be dealt with, and their response is: "Prove to me that this exploit is something I should be concerned about." Then you have to search the Internet for source code or some lengthy explanation on how to exploit the vulnerability. Metasploit takes the hassle out of all of that by offering a one-stop shop for many of the common exploits.
Our $10,000 was now down to a few bucks. I wasn't about to let that go to waste, so I thought about other tools that might be advantageous to the team. One thing I have long wanted to improve is our ability to detect the presence of unauthorized devices that have gotten onto our network via Wi-Fi. Our wireless access points are all configured the same way, and we have a very tight security model, which allows only "authorized" Windows devices to associate to the access points. But that doesn't stop employees from bringing in their own wireless access devices and plugging them into ports at their desks or in a conference room. We've caught a few in the act and heard excuses such as: "I didn't know we had a corporate wireless solution," "I couldn't use my iPad on the corporate Wi-Fi," and "I needed to connect my Linux laptop to wireless."
Since we haven't yet deployed network access control, and since the current scanners and sniffers don't effectively detect all types of unauthorized wireless devices, I decided to purchase a dedicated lightweight tablet PC to use as a portable Wi-Fi-detection device. Depending on what we can afford, we'll arm this tablet with something along the lines of AirMagnet from Fluke Networks or the open-source tools Kismet and NetStumbler. Then, when I or any of my analysts travel to remote offices, we can bring the dedicated rogue Wi-Fi sniffer with us.
Ten grand well spent, I think. This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.