Saturday, July 12, 2008

Hack Bureaucracy

So Shawn Moyer gave a concise Blackhat talk a few years back (which had a surprise ending ;) about 'hacking the c-suite', w/ the general idea being that it was ethical and part of the job in some situations to advocate and evangelize good security to the corp leaders in order to facilitate infosec progress.

You social engineer them for the benefit of the company and the shareholders, and everyone comes out ahead... You aren't "attacking" the leadership at your org. You're playing the game by their rules to remove roadblocks to the strategic infosec benefit of the org you work for.

Another friend of mine recently happened into a situation where he put a different twist on the benevolent corp hacking thing.

The org in question has some managers who could use some help understanding how to be leaders. Everything is bureaucratic and TPS report-ish.

If you do something w/o the proper paperwork and w/o jumping through the right hoops, then you aren't a team player and should expect a reprimand, even though you're loaded up w/ work, and everyone knows the paperwork is just CYA, and the work needs to get done right now, etc etc.

So Junior is new on the team. He's really hungry and trying to make good impressions and do good work and all of that. My buddy comes across a configuration issue that he traces back to Junior. Just a simple mistake anyone coulda made, didn't impact production systems, and didn't seem to cause ownage or anything like that. He submitted the proper paperwork for the change, it's just that the paperwork included the error but was unwittingly approved.

The problem does need to get fixed, but my friend knows that if he submits a ticket saying "fix problem X on device Y" then there will be a change control inquiry as to how the problem was introduced in the first place, and Junior will face the wrath of the managers who don't understand leadership and won't gracefully admit that they didn't do their part of the job. That will mean reprimand, pointed fingers, and all around negativity.

What Junior really needs is some positive encouragement and some gentle coaching on doing things better in the future. My friend says f this, I'm not gonna let Junior burn for no good reason. So here's how he solves the problem.

He creates the proper change paperwork to fix the mistake, but words it in a specially crafted difficult-to-comprehend fashion. He does this knowing that the manager who needs to approve the ticket is also obviously not going to review it in detail. He knows the manager will say "wtf, i don't have time to figure out what my guy is sayin here... approved" and rubber stamp it.

IMO, this is a very wicked cool hack on bureaucracy. 1st, this is altruistic. In the long run, it is the right thing to do for the infosec team at the org. 2nd, we're doing something which gets around a stupid series of access controls. 3rd, if said access controls were functional and meaningful, *THE HACK WOULDN'T WORK*... I love that last bit.

So we have an infosec guy doing something technically/maybe subversive for all of the right reasons. Kinda like hacking the c-suite. I love it... total props :D
