INTERVIEW: Fred Rica, PricewaterhouseCooper's white-hat hacker
Security: It isn't a one-time task
Fred Rica is a partner in PricewaterhouseCoopers Inc.'s technology risk services group. As leader of the threat and vulnerability assessment practice, he gets to do the fun part of the job'trying to break into clients' networks.
This so-called white-hat hacking is a practical way to pinpoint systems vulnerabilities and usually represents the first step in assessing security needs. The company began offering the service in 1989 as an offshoot of its information technology audits.
'We've gone from being ethical hackers to offering a whole lifecycle of security products and services,' Rica said.
After more than a decade, he said, security remains a largely unmet challenge. The growing complexity of operating systems and networks has made the job of breaking in more complex, but it also has created more points of access for the dedicated hacker and has stretched resources thin, particularly in the government.
Rica graduated from Rutgers University and worked with a number of small consulting companies before joining PricewaterhouseCoopers three years later.
GCN senior editor William Jackson talked with Rica about security challenges at the Black Hat Briefings in Las Vegas. GCN: What kind of hacking do you do?RICA:
In the assessment practice we do three things: ethical hacking, security diagnostic reviews and Web application vulnerability testing.
I would say that 75 percent of our business comes from ethical hacking. We've probably got 200 people around the country who do almost nothing but penetration testing.GCN: How do your clients generally respond?RICA:
We get a fair bit of add-on work, particularly to assess and design. Whether it's our fault for not following up aggressively enough or our clients' thinking they can fix the problems themselves, we don't get as much as we should.
Say you're running a business, you've got a million things to focus on, someone comes in and does a penetration test and finds all these holes. You go through a reactionary cycle where you plug holes right away. You stop the bleeding, then move on to other things.
You can't do everything. But if you took care of some of the underlying problems you would reduce the amount of time you have to spend doing triage in the future. GCN: What distinguishes the government market in your work?RICA:
Price pressure. A lot of work is done through requests for proposals and bidding processes, and a lot of times the winner is the low-cost provider.
The other problem is the level of complexity. Government networks are large; they're complex; there is a lot of connectivity between organizations; and sometimes it's challenging to put a box around it and define what the perimeters are.
We had one government client with a mainframe they thought was impenetrable. We discovered that the mainframe was connected to a Unix network. We were able to crack that and found users had the same identification and password combinations on the Unix system as they did on the mainframe. So by picking some of the accounts, we were able to get into the mainframe.GCN: Overall, how good is security on federal systems? Are they ahead of the curve, behind the curve?RICA:
A lot of clients ask me that. Well, you're doing just as good as everybody else, but everybody else stinks. The problem is figuring out what level of security you actually need, irrespective of what your peers are doing.
Not everybody needs the same level of security. Not everybody is trying to protect the same kinds of assets.
Forget about best practices, forget about what the other guy is doing, let's think about what your risk tolerance is, what you're willing to spend on protective measures, and how to close the gap between where you are and where you should be.
Let's say you have a Ferrari and I have a Jeep. Who has the better car? If you want to go 150 miles an hour, you have a better car. If you want to go through the woods, I have a better car.GCN: If you were to list the top recurring security problems, what would they be?RICA:
The list has not changed in 10 years.
Over and over I see poor passwords, and most organizations today still rely on passwords to control access. Systems are misconfigured'installed out of the box'and security patches aren't applied or updated.
Another thing is lack of monitoring.
Most times when we do penetration testing we never get caught. No one notices us. Despite the fact that the client may have an intrusion detection system, they're not watching the logs. And those are the same things we saw 10 years ago.GCN: Assuming that a password can be adequate authentication, what do you need for a good password?RICA:
Depending on what you're trying to protect, you may not need smart cards or tokens or a public-key infrastructure. Passwords may be fine.
The problem with passwords is that the composition is poor, or they are stored in such a way that they are easy to obtain.
There are a lot of controls and operating systems that can reduce the risks of someone stealing a password file. With a little user awareness, a little training, a little management, people can come up with passwords that are easy to remember but hard to guess.GCN: How does someone come up with a password that can be remembered yet changed frequently?RICA:
I'm not a big fan of password changing. If I haven't been compromised, why should I change the password? There are pros and cons, but I don't know that you need to change the password every 30 days.
On the other hand, if someone has compromised your account and has been using it, and you don't know, you shut them out after some period by changing the password. But for the most part, if your account has a good password, you're probably OK.GCN: What is a good password?RICA:
You put your name together, and maybe you change the E to a 3 and the I to a 1 and you put an exclamation point in the middle. That's not overly complex, and yet that would take a sophisticated password-cracking program a while to figure out.
If someone is really determined to get into your system, they'll put forth the money, the time and effort. Nothing is impenetrable. It's a matter of not making it attractive.GCN: Is the problem of misconfigured systems a shortage of people to do the work?RICA:
There are two factors. One is the lack of understanding that when you install an operating system, typically you have to do some things to make it secure.
The second problem is, even if you harden an operating system, new vulnerabilities are discovered almost every day. I get flooded with e-mail about Unix and Microsoft Windows NT and Windows 2000 every day. Those can be fixed by a vendor patch.
Keeping abreast of all the patches, deciding which ones are relevant, can be a full-time job for two people. So it is easy to get on the systems administrator for not patching the system. But it's a big, honkin' job to do that.GCN: What's the answer?RICA:
Depends on who you talk to. The cynics will say that until you get rid of OS monopolies such as Microsoft and until you get incentives for companies to build operating systems secure out of the box, it's not going away.
It's really a question of diligence, staying on top of things. It takes time and resources. So then your question becomes: What is the value of the asset I'm trying to protect, and how much time and money do I want to spend keeping it secure?GCN: Do you see any of these things changing?RICA:
I could give you the party line and say yes. But I've been doing this for 13 years, and I could probably show you a report I wrote in 1990 that highlighted the three problems for a Fortune 500 company, and then I could show you what we wrote in 2001 with the same three things in it. So unfortunately, no, I don't think it's getting better.