Wednesday, March 11, 2015

CSOs: Does this Network Admin Work at YOUR Company!? [feedly]



----
CSOs: Does this Network Admin Work at YOUR Company!?
// A Collection of Bromides on Infrastructure

Information security is hard. Data breaches on the scale of Target, Home Depot, Sony and Anthem serve as a constant reminder that it is impossible to detect a determined attacker until it is too late. Bromium research has consistently found that the overwhelming majority of information security professionals believe end users are their biggest security headache, but we have stumbled across one network security administrator that might be his own biggest security headache.

Last month on a security section of reddit.com, a user posted this screenshot, "Not pwnd yet but This is a public facebook post by our netsec guy."

PWN 1

That's right, this network security admin posted a list of vulnerable IP addresses on a public Facebook page. There was an optimistic belief on reddit that these were the IP addresses of honey pots, but most of the comments were much more critical.

The very next day, the same user posts a follow-up screenshot, "UPDATE: Not pwnd yet but This is a public facebook post by our netsec guy."

PWN 2

It is starting to seem unlikely that these were honey pots. These vulnerable IP addresses are actually printers. Fortunately, this network security admin notes that the vulnerability does not affect printers. Unfortunately, it seems these printers are accessible via the public IP addresses he posted. This is quite bad since the worst case scenario for a compromised network printer is "fully functional general-purpose bot-nodes which give attackers a stealthy, persistent foothold inside the victim network for further recognizance, exploitation and exfiltration."

Finally, a few weeks later, the original user posted another update, "UPDATE #3 : Our brilliant netsec guy is at it again. Publicly announces vulnerable IPs, specifies their vulnerability and threatens to ban them. That's not even the best part…"

PWN 3

I'm practically at a loss for words. In what world does a network security admin think that it is a good idea to publically post the IP addresses vulnerable to a specific exploit? It turns out that these are network devices that are his responsibility, so perhaps everything will click into place for him after he blocks Internet access to them.

Or perhaps this really is all just an elaborate ploy to send traffic to a honey pot, in which case, be sure to share this blog with all of your colleagues.



----

Shared via my feedly reader


Sent from my iPhone