
Those sketchy infosec professionals

the_hutch Banned Posts: 827
I feel like it's a recurring theme in my career that I am constantly having to justify my actions now that I am familiar with the "dark side" of information security. I'm curious if anyone else has had this problem?

Recent times I've run into this problem:

1. Used Scapy in some python scripts, and as soon as I used the term "raw packet injection," heads were turning.

2. Briefing my IDS logs and explained that a flood of ARP reply packets was the result of me using Ettercap during a forensics investigation. When eyebrows raised, I had to go to ridiculous lengths to explain that Ettercap is not necessarily malicious and that it only temporarily modifies the ARP cache of two systems to monitor communications between them.

3. I recently developed a video series on Penetration Testing, and because of a recommendation by our JAG office, the entire video series had to be extensively reviewed to determine if it created a serious threat to national security.

Is this just a government thing, or does this happen in information security offices everywhere?
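A detector for the pattern described in item 2 above (a burst of ARP replies from one host that claims the IPs of both endpoints it is sitting between), as an added example that is not part of this thread. The records, MACs and IPs are constructed sample data and the thresholds are assumptions.

```python
"""Flag the ARP-reply pattern an ARP-cache poisoner (Ettercap-style) leaves in
IDS/ARP logs: one MAC answering for IPs that other MACs also claim, at a rate
no ordinary host needs.  All records below are constructed, not a real capture."""
from collections import defaultdict

# Constructed sample: (timestamp_s, sender_mac, sender_ip, target_ip)
# ...aa = gateway, ...bb = workstation, ...cc = the box running the poisoner.
SAMPLE_ARP_REPLIES = [
    (0.0, "00:00:00:00:00:aa", "10.0.0.1", "10.0.0.50"),
    (0.5, "00:00:00:00:00:bb", "10.0.0.50", "10.0.0.1"),
] + [
    (1.0 + i * 0.1, "00:00:00:00:00:cc", ip, tgt)
    for i in range(40)
    for ip, tgt in (("10.0.0.1", "10.0.0.50"), ("10.0.0.50", "10.0.0.1"))
]


def detect_arp_poisoning(replies, rate_threshold=20, window_s=10.0):
    """Return {'conflicts': ..., 'floods': ...}.

    conflicts: sender IPs claimed by more than one MAC (the cache-poisoning
               signature; a legitimate failover is the main benign cause).
    floods:    MACs that sent more than rate_threshold replies inside any
               window_s-second window (the flood an IDS alerts on).
    Thresholds are assumptions; tune them to the segment's normal ARP rate.
    """
    macs_by_ip = defaultdict(set)
    times_by_mac = defaultdict(list)
    for ts, mac, sender_ip, _target_ip in replies:
        macs_by_ip[sender_ip].add(mac)
        times_by_mac[mac].append(ts)

    conflicts = {ip: sorted(macs) for ip, macs in macs_by_ip.items()
                 if len(macs) > 1}

    floods = {}
    for mac, times in times_by_mac.items():
        times.sort()
        best, start = 0, 0
        for end, ts in enumerate(times):          # sliding window over time
            while ts - times[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best > rate_threshold:
            floods[mac] = best
    return {"conflicts": conflicts, "floods": floods}
```

On the sample, the two legitimate hosts produce no finding; the poisoning host is reported both for claiming both IPs and for its reply rate.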

Comments

  • MSP-IT Member Posts: 752 ■■■□□□□□□□
    What industry do you work in?

    If I were in your position, I would feel as though my abilities as a security professional were being hindered if I had to continuously explain my actions. One can only reiterate so often that they have the best intentions for their company.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    I think you are going to see this sort of thing in any industry that has a dark side. Ignorant people who are only familiar with some vocabulary terms and not with the actual practice of defense methodologies will always have seizures at the mention of these words.

    I once received criticism when I was a net admin for using NMap to find hosts on a network I was solely responsible for so as to find hosts I was unaware of. There was 100% no documentation and this guy was acting like I was DDoSing every Children's Hospital cancer ward across the nation.

    He had no idea what the tool actually did or how it could be used for legitimate purposes. He just knew it was "a known hacker tool".
    the_hutch wrote: »
    3. I recently developed a video series on Penetration Testing, and because of a recommendation by our JAG office, the entire video series had to be extensively reviewed to determine if it created a serious threat to national security.

    I love your vids, btw. Keep up the good work.
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I think an employer needs to be aware of what and why you are doing/using tools and methods. They have a right to know and part of IT is being able to communicate effectively to non-technical people. I know it is a stereotype that IT people have egos that make them think they are above having to explain themselves, but I think if done correctly it will make it easier for you to do your job in the future once they learn to understand and trust your decisions and recommendations.

    I have run into ego trips where IT people use third party tools without letting anybody know and get all butt hurt when I see the stuff and ask what it is so I can document it and research it.
  • thegoodbye Member Posts: 94 ■■□□□□□□□□
    RobertKaucher wrote: »
    I think you are going to see this sort of thing in any industry that has a dark side. Ignorant people who are only familiar with some vocabulary terms and not with the actual practice of defense methodologies will always have seizures at the mention of these words.

    I once received criticism when I was a net admin for using NMap to find hosts on a network I was solely responsible for so as to find hosts I was unaware of. There was 100% no documentation and this guy was acting like I was DDoSing every Children's Hospital cancer ward across the nation.

    He had no idea what the tool actually did or how it could be used for legitimate purposes. He just knew it was "a known hacker tool".

    I love your vids, btw. Keep up the good work.

    Well, in his defense, if you were using an enumerating tool against inside hosts without receiving prior approval, or at least notifying others, you could have done a lot of damage, especially if you don't have a good understanding of which hosts are on the network. I'm not exaggerating when I say that you could potentially kill someone.
  • RobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    thegoodbye wrote: »
    Well, in his defense, if you were using an enumerating tool against inside hosts without receiving prior approval, or at least notifying others, you could have done a lot of damage, especially if you don't have a good understanding of which hosts are on the network. I'm not exaggerating when I say that you could potentially kill someone.
    LOL. Who was I getting approval from or notifying? Please read the part of my post where I say I was solely responsible for the network. The person who had set it up had passed away. There was no documentation. It was a small, retail business of about 150 hosts. No one else knew where the switches were. No one knew where all the PCs were or how they connected to the network. Equipment was hidden in the basement, hanging from walls.

    But very good on you for making completely exaggerated assumptions regarding the network I was running at the time.


    This is exactly the problem. Not knowing all the information and yet still drawing conclusions without asking pertinent questions.

    For a laugh, here is one setup I found in the musty old basement of the place.

  • Mrock4 Banned Posts: 2,359 ■■■■■■■■□□
    hutch- I feel your pain more than you know, and this is specifically why I LOVE doing commercial projects over gov't work. I thoroughly enjoyed my time working for the gov (both military and civilian), but you'd be amazed how much smoother it is away from that setting! Not saying there aren't downsides as you mention on the commercial side, but it's a lot more laid back, generally speaking, at least from an IA perspective.
  • thegoodbye Member Posts: 94 ■■□□□□□□□□
    RobertKaucher wrote: »
    LOL. Who was I getting approval from or notifying? Please read the part of my post where I say I was solely responsible for the network. The person who had set it up had passed away. There was no documentation. It was a small, retail business of about 150 hosts. No one else knew where the switches were. No one knew where all the PCs were or how they connected to the network. Equipment was hidden in the basement, hanging from walls.

    But very good on you for making completely exaggerated assumptions regarding the network I was running at the time.

    This is exactly the problem. Not knowing all the information and yet still drawing conclusions without asking pertinent questions.

    For a laugh, here is one setup I found in the musty old basement of the place.

    Given that information, I would have notified someone in executive management and possibly some end users that could be impacted. It's fairly common that nmap will cause network latency, or even lock up some systems, especially if the network was as you describe (dilapidated, with no documentation).

    I used my "could kill someone analogy" because you had mentioned a Children's Hospital. Provided that limited information, I assumed that's what you were talking about. Having re-read it, I now see you were just using an analogy. It was not my intention to call you out if that's how it sounded. I think we're both trying to make a similar point that proper communication is very important to almost everything a person does in IT.
  • Zartanasaurus Member Posts: 2,008 ■■■■■■■■■□
    RobertKaucher wrote: »
    The person who had set it up had passed away.
    Was it from using Nmap?
    Currently reading:
    IPSec VPN Design 44%
    Mastering VMware vSphere 5 42.8%
  • tpatt100 Member Posts: 2,991 ■■■■■■■■■□
    I think the most important thing to learn is seek approval, document approval and most importantly SAVE ALL EVIDENCE to CYOA lol.
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
    This problem usually arises when you put an analyst in a high level meeting with executive management and you have a manager unfamiliar with exactly what happens. Normally, especially in small shops, you just have a general IT Manager who is in charge of info sec workers. Ideally you should be briefing your manager/supervisor who in turn would then attend said meeting and give the overview that executives need. As long as all affected parties are informed, the executives shouldn't need the nitty gritty details.

    That being said, one should be ready to explain it when it happens because normally if you're an analyst explaining something at that level a screw up is occurring. As they say, KISS, keep it stupid simple. Obviously, I'm sure there is a lot more to the story so just consider what I said an observation since I don't know the specific details.
    WIP:
    PHP
    Kotlin
    Intro to Discrete Math
    Programming Languages
    Work stuff
  • the_hutch Banned Posts: 827
    Zartanasaurus wrote: »
    Was it from using Nmap?

    LMAO...This made my day...
  • the_hutch Banned Posts: 827
    tpatt...I agree with you to an extent. I get more offended, not by having to explain my actions, but by having to explain my intentions.

    And despite some of the comments here, NMAP is a safe info gathering tool if used correctly. Granted, if you blast a system with a T5 scan...you'll DOS some systems and flood your bandwidth. However, there are a lot of throttling settings that make for safe scanning.
  • the_hutch Banned Posts: 827
    RobertKaucher wrote: »
    I love your vids, btw. Keep up the good work.

    Thanks. Always good to get positive feedback.
  • thegoodbye Member Posts: 94 ■■□□□□□□□□
    the_hutch wrote: »
    tpatt...I agree with you to an extent. I get more offended, not by having to explain my actions, but by having to explain my intentions.

    And despite some of the comments here, NMAP is a safe info gathering tool if used correctly. Granted, if you blast a system with a T5 scan...you'll DOS some systems and flood your bandwidth. However, there are a lot of throttling settings that make for safe scanning.
    While I agree with you mostly, I've seen a "quick scan" selected in NMAP and cause issues at a client site. It only takes one time for something to occur like that and your opinion changes. Most of the time it's safe, however, because there is still a chance that systems/users will be impacted, you should communicate your scan appropriately.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    the_hutch wrote: »
    Is this just a government thing, or does this happen in information security offices everywhere?
    I've come across both ends of the spectrum in private sector. It largely is dependent on the risk appetite of the organization. With my current employer, if someone were to monitor communications between 2 systems that contained sensitive data without prior authorization, that would be grounds for termination. But in a previous company, if you thought it would be funny to DDOS your buddy in the next cube, I would care less and would have wondered what your buddy was planning as retaliation. Both companies had very different risk appetites and there were procedures and policies that would highlight what was acceptable.

    It really doesn't have anything to do with trusting intentions of the employee but making sure that due care was exercised and that such activities would not exceed the risk tolerance of the organization.
  • the_hutch Banned Posts: 827
    Well it wasn't the fact that I didn't have authorization to see the traffic. It was just that I used Ettercap as opposed to applying a filter in Wireshark and monitoring via our SPAN port on the switch. Problem is, because of the sheer volume of traffic going over that port, even with the filter applied, Wireshark often crashes. So I decided to use an alternate interface and reduce the traffic to just what was going between the host and the gateway by using Ettercap. Effective...but apparently the name Ettercap leaves a sour taste in people's mouths.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    Well... That sounds like a little paranoia :) where you work.

    But in private sector, I would again point to the risk appetite of the corporation. The "how" to accomplish a particular task may not necessarily be relevant but in some areas, the "how" (i.e. use of Ettercap) may require review before it's implemented. For example, with my current employer, the use of Ettercap would not be acceptable in certain environments unless it has been tested as a tool that would not impact the production systems. Use of new techniques in production is automatically not allowed. I don't risk the disruption to the billions of dollars that flow through our systems each day. But if you used it in a lab, corporate network, or even development networks, I wouldn't care.
  • coty24 Member Posts: 263 ■□□□□□□□□□
    Zartanasaurus wrote: »
    Was it from using Nmap?

    lol bro
    Passed LOT2 :) Working on FMV2 (CHFI v8) Done!