BelchSpeak


Managing the Wrong Risk

I was sent to a customer site in Colorado, a large financial institution, and they had just purchased the all-seeing eye of Sauron solution, NetWitness, and they needed me to get it set up and working for them. So there was the usual use-case workshop where I collected requirements, and I spent some time customizing their setup for them, along with their automated reporting.


But when I arrived onsite, schlepping my heavy laptop in my backpack, I was informed that I wouldn’t be allowed to put my laptop on their network. I didn’t understand why. I had all of the tools, parsers and config files I would need to get this customer up and running, and being on the local network would just make things go smoother. I asked the point of contact, a middle-aged Infosec manager, if they were using port security, a switch feature that locks down each switch port by only allowing authorized MAC addresses to connect through it. He said they did not have port security. So I asked, what happens to violators who put unauthorized equipment on the network? Stern warning? Fired on the spot? If they didn’t have any consequences, what was the big deal for me using my own laptop? As it turned out, they had no way whatsoever to tell if unauthorized equipment was on their network, but their policy was policy, he explained. I sighed audibly and then told him that I would find all of the rogue equipment on his network in just a matter of hours, and after that, I was jacking into his network. I told him he was managing the wrong risk.

I’m always prepared for roadblocks like this. I keep a backup of all of my required files on a personal drop site and was able to pull down my config files, parsers, rules and more within a matter of minutes, and I began to configure the solution. But instead of focusing on the standard stuff like malware downloads, I focused my attention on clowning this clueless infosec manager. I deployed a few rules based on user-agent strings and a parser that could identify each network-connected device, from laptops to printers to Game Boys. Within the hour I was able to compose a detailed report of all of the other assholes on their network that were violating their vaunted “no non-corporate devices on the network” policy.
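The kind of user-agent classification described above, written here as an added example rather than the post's own NetWitness rules or parser (which are not shown). It reads constructed proxy log lines, tags each client by its HTTP User-Agent (gaming console, printer, personal Mac, corporate Windows build), and reports every client IP whose device category is not on an assumed approved list. The log format, the device patterns and the "Windows NT 6.1 is the corporate standard" assumption are all placeholders for this example; a real deployment would take its patterns from the organization's actual standard build and its logs from the proxy or capture device in use.

```python
"""
Inventory non-corporate devices from web-proxy logs by HTTP User-Agent.

Example code, not from the original post. Log lines and detection patterns
are constructed and simplified for illustration; tune them to the real
corporate standard build before relying on the results.
"""
import re
from collections import defaultdict

# Constructed proxy log lines: timestamp, client IP, method, URL, "user-agent"
SAMPLE_LOG = """\
2013-03-04T09:12:01 10.20.1.15 GET http://update.example.com/ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/25.0 Safari/537.36"
2013-03-04T09:12:07 10.20.1.77 GET http://game.example.net/lobby "Mozilla/5.0 (PLAYSTATION 3; 1.00)"
2013-03-04T09:13:44 10.20.2.9 POST http://live.example.net/auth "Xbox Live Client/2.0.13209.0"
2013-03-04T09:14:02 10.20.3.30 GET http://printer-fw.example.com/check "HP-Firmware-Updater/1.0 (LaserJet)"
2013-03-04T09:15:11 10.20.1.15 GET http://intranet.example.com/ "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/25.0 Safari/537.36"
2013-03-04T09:16:20 10.20.4.4 GET http://news.example.org/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_2) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0.2 Safari/536.26"
2013-03-04T09:17:01 10.20.5.50 GET http://ntp.example.com/ "Mozilla/5.0 (Nintendo 3DS; U; ; en) Version/1.7455.US"
"""

# One log line: four space-separated fields, then the quoted user-agent.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Ordered (category, pattern) rules; the first match wins. The assumed
# corporate standard is a Windows 7 build ("Windows NT 6.1").
DEVICE_RULES = [
    ("gaming-console", re.compile(r"PLAYSTATION|Xbox|Nintendo", re.I)),
    ("printer", re.compile(r"LaserJet|HP-Firmware", re.I)),
    ("corporate-windows", re.compile(r"Windows NT 6\.1")),
    ("personal-mac", re.compile(r"Macintosh")),
]


def classify_user_agent(ua):
    """Map a User-Agent string to a device category, or 'unknown'."""
    for category, pattern in DEVICE_RULES:
        if pattern.search(ua):
            return category
    return "unknown"


def parse_log(text):
    """Yield (client_ip, user_agent) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(2), m.group(5)


def inventory(text, approved=("corporate-windows",)):
    """Return {category: sorted client IPs} for every category not approved.

    Printers and unknown agents are reported too: the reviewer decides
    whether they are sanctioned, the script only surfaces them.
    """
    seen = defaultdict(set)
    for ip, ua in parse_log(text):
        category = classify_user_agent(ua)
        if category not in approved:
            seen[category].add(ip)
    return {category: sorted(ips) for category, ips in seen.items()}


def report(text):
    """Render the inventory as one 'category: ip, ip' line per category."""
    return "\n".join(
        f"{category}: {', '.join(ips)}"
        for category, ips in sorted(inventory(text).items())
    )


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against real proxy or capture logs, the same structure works: widen `DEVICE_RULES` with the agents the environment actually shows and put the sanctioned builds in `approved`. Note that a User-Agent is self-reported and easily changed, so this finds the careless policy violators the post describes, not anyone deliberately blending in; port security or 802.1X is what actually keeps unauthorized gear off the wire.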

I found gaming systems, non-standard laptops, personal computers, and even rogue unauthorized wireless access points. I showed the report to the manager and asked again if I could put my laptop on the network. He tried to tell me no, but I waved the report in his face. “I’m here to help you. You have an unenforceable policy, and I just gave you the tools to enforce that policy. Now go and enforce your policy. Fire these guys, take them to HR or do whatever you have to do to make your policy stick with your own people first. When you are done with that, get back to me. I will have the rest of your requirements implemented and I’ll be out of your hair.”

If you are an Infosec manager and you have a written policy that is completely unenforceable, and worse, no way to locate offenders, you have no policy at all. Treating vendors who come onsite to help rudely just makes you look inept and dickish. Damn right I clowned that guy and got paid to do it.

I also began to make customers sign a document that would explicitly allow me to attach my gear to their network. If they objected or wouldn’t sign my doc, I just didn’t go. Manage the right risks.

Dr. Jones

Do not talk about fight club. Oops.
