INTERVIEW: Fred Rica, PricewaterhouseCooper's white-hat hacker

In the assessment practice we do three things: ethical hacking, security diagnostic reviews and Web application vulnerability testing.I would say that 75 percent of our business comes from ethical hacking. We've probably got 200 people around the country who do almost nothing but penetration testing. We get a fair bit of add-on work, particularly to assess and design. Whether it's our fault for not following up aggressively enough or our clients' thinking they can fix the problems themselves, we don't get as much as we should.Say you're running a business, you've got a million things to focus on, someone comes in and does a penetration test and finds all these holes. You go through a reactionary cycle where you plug holes right away. You stop the bleeding, then move on to other things.You can't do everything. But if you took care of some of the underlying problems you would reduce the amount of time you have to spend doing triage in the future. Price pressure. A lot of work is done through requests for proposals and bidding processes, and a lot of times the winner is the low-cost provider.The other problem is the level of complexity. Government networks are large; they're complex; there is a lot of connectivity between organizations; and sometimes it's challenging to put a box around it and define what the perimeters are.We had one government client with a mainframe they thought was impenetrable. We discovered that the mainframe was connected to a Unix network. We were able to crack that and found users had the same identification and password combinations on the Unix system as they did on the mainframe. So by picking some of the accounts, we were able to get into the mainframe. A lot of clients ask me that. Well, you're doing just as good as everybody else, but everybody else stinks. The problem is figuring out what level of security you actually need, irrespective of what your peers are doing.Not everybody needs the same level of security. Not everybody is trying to protect the same kinds of assets.Forget about best practices, forget about what the other guy is doing, let's think about what your risk tolerance is, what you're willing to spend on protective measures, and how to close the gap between where you are and where you should be.Let's say you have a Ferrari and I have a Jeep. Who has the better car? If you want to go 150 miles an hour, you have a better car. If you want to go through the woods, I have a better car. The list has not changed in 10 years.Over and over I see poor passwords, and most organizations today still rely on passwords to control access. Systems are misconfigured'installed out of the box'and security patches aren't applied or updated. Another thing is lack of monitoring.Most times when we do penetration testing we never get caught. No one notices us. Despite the fact that the client may have an intrusion detection system, they're not watching the logs. And those are the same things we saw 10 years ago. Depending on what you're trying to protect, you may not need smart cards or tokens or a public-key infrastructure. Passwords may be fine.The problem with passwords is that the composition is poor, or they are stored in such a way that they are easy to obtain.There are a lot of controls and operating systems that can reduce the risks of someone stealing a password file. With a little user awareness, a little training, a little management, people can come up with passwords that are easy to remember but hard to guess. I'm not a big fan of password changing. If I haven't been compromised, why should I change the password? There are pros and cons, but I don't know that you need to change the password every 30 days.On the other hand, if someone has compromised your account and has been using it, and you don't know, you shut them out after some period by changing the password. But for the most part, if your account has a good password, you're probably OK. You put your name together, and maybe you change the E to a 3 and the I to a 1 and you put an exclamation point in the middle. That's not overly complex, and yet that would take a sophisticated password-cracking program a while to figure out.If someone is really determined to get into your system, they'll put forth the money, the time and effort. Nothing is impenetrable. It's a matter of not making it attractive. There are two factors. One is the lack of understanding that when you install an operating system, typically you have to do some things to make it secure. The second problem is, even if you harden an operating system, new vulnerabilities are discovered almost every day. I get flooded with e-mail about Unix and Microsoft Windows NT and Windows 2000 every day. Those can be fixed by a vendor patch.Keeping abreast of all the patches, deciding which ones are relevant, can be a full-time job for two people. So it is easy to get on the systems administrator for not patching the system. But it's a big, honkin' job to do that. Depends on who you talk to. The cynics will say that until you get rid of OS monopolies such as Microsoft and until you get incentives for companies to build operating systems secure out of the box, it's not going away.It's really a question of diligence, staying on top of things. It takes time and resources. So then your question becomes: What is the value of the asset I'm trying to protect, and how much time and money do I want to spend keeping it secure? I could give you the party line and say yes. But I've been doing this for 13 years, and I could probably show you a report I wrote in 1990 that highlighted the three problems for a Fortune 500 company, and then I could show you what we wrote in 2001 with the same three things in it. So unfortunately, no, I don't think it's getting better.