Risk Management: Are your engineers the company's biggest risk?

CSO Movers & Shakers: An interview with HD Moore, CSO of Rapid7

HD Moore, CSO of Rapid7, explains why engineers are more dangerous than salespeople and why email security companies are laughing all the way to the bank.

Many security professionals complain about unwieldy desktop users, but HD Moore, chief security officer of Boston-based penetration testing firm Rapid7, says technically adept engineers pose the bigger risk to the organisation. “These are folks that are very competent at what they do, and they already think they know what they’re doing, so they’ll go about setting up things that undermine security for the rest of the organisation,” says Moore.

Sales staff with laptops might “click on anything that runs”, but it’s the engineers who will set up test sites and servers, generally without concern for security.

“They’re generally job focused. And unless you can isolate your engineering department in their own subnetwork and prevent the damage from spreading, they can be one of the biggest risks to the organisation.” Further complicating the challenge, Rapid7, quite intentionally, runs large numbers of misconfigured systems to test its application vulnerability scanner products.

“By definition, one of my largest challenges is that we know we have lots of machines that are exploitable because they’re supposed to be,” says Moore, pointing out that the answer to all this is sturdy segmentation. “We have to do something to make sure they are isolated and that if a worm gets loose, it can’t spread across all the virtual machines or escape back out to the sales network.”
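The segmentation Moore describes is easiest to reason about as a small policy: nothing originating in the lab segment may leave it, and the lab may only be reached from a designated jump host on a short list of ports. The following is an added example written for this article, not Rapid7's code or policy; the address plan, the jump host and the flow records are constructed assumptions, and the script simply evaluates each record against that policy so a defender can spot traffic that crosses the boundary it was supposed to hold.

```python
"""Segmentation policy check for a lab network of deliberately exploitable VMs.

Added example, not Rapid7 code. Subnets, jump host and flow records below are
constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical address plan (assumption, not taken from the interview).
LAB_NET = ipaddress.ip_network("10.50.0.0/16")     # intentionally exploitable VMs
SALES_NET = ipaddress.ip_network("10.10.0.0/16")   # corporate / sales laptops
JUMP_HOSTS = {ipaddress.ip_address("10.10.1.5")}   # only host allowed to reach the lab
ALLOWED_INBOUND_PORTS = {22, 443}                  # lab services reachable from the jump host


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst dport proto' flow record."""
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto)


def classify(flow: Flow) -> str:
    """Return 'allow', or a reason string when the flow crosses the lab boundary."""
    src_lab = flow.src in LAB_NET
    dst_lab = flow.dst in LAB_NET
    if src_lab and not dst_lab:
        # Nothing originating in the lab may leave it: this is the
        # "worm escapes back out to the sales network" case.
        return "deny: lab-initiated egress"
    if dst_lab and not src_lab:
        if flow.src not in JUMP_HOSTS:
            return "deny: lab reachable only from jump host"
        if flow.dport not in ALLOWED_INBOUND_PORTS:
            return "deny: port not on jump-host allow list"
    # Intra-lab and intra-sales traffic is out of scope for this boundary check;
    # limiting spread between lab VMs is a separate, per-VM control.
    return "allow"


def find_violations(lines):
    """Return (line, reason) pairs for every flow record the policy denies."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict = classify(parse_flow(line))
        if verdict != "allow":
            out.append((line, verdict))
    return out


# Constructed flow records: src dst dport proto
SAMPLE_FLOWS = """
10.10.1.5 10.50.3.7 22 tcp
10.10.1.5 10.50.3.7 8080 tcp
10.10.2.40 10.50.3.7 443 tcp
10.50.3.7 10.10.2.40 445 tcp
10.50.3.7 10.50.3.8 445 tcp
10.10.2.40 10.10.2.41 445 tcp
""".splitlines()

if __name__ == "__main__":
    for record, reason in find_violations(SAMPLE_FLOWS):
        print(f"{reason:45s} {record}")
```

Run against the constructed records, the check flags three flows: the jump host reaching a lab port that is not on the allow list, a sales laptop reaching the lab directly, and a lab VM opening a connection back into the sales network. The same policy, expressed as firewall rules between the two segments, is the control that actually stops the spread; this script is the audit that tells you whether those rules are holding.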

Delivering good security isn’t just about fending off internal and external threats. There are simple ways security can add value to the business, in particular when the business wants to improve its communications capacities. “Your job as head of security can actually be to look for secure ways to make that happen,” he says. “We have a challenge at Rapid7, internally, about how we go about sharing files with customers, like diagnostic logs, custom builds and things like that.”

Without naming the products, Moore said he tested two appliances, both widely used in US government agencies, which had received positive reviews. “We ended up finding a remote root for the first product within two weeks of looking at it, so that got thrown out,” he says. “The second one, we beat on and beat on until we finally got to the point we were happy with it.”

In February 2011, Moore published advisory R7-0039 detailing several flaws in Accellion’s file transfer appliance that “could lead to a remote root”.

“Really, the challenge is how do you secure the network, define and actually enforce your policies without preventing the business from getting the job done.”

This responsibility leaves Moore facing “constant” battles with those who deploy business and production systems. “The problem is you’re getting pressure from all sides. If you’re the person making the call, whether it’s IT, operations, a third party service or a partnership, you’re getting pressure from sales people in your own company, from management wanting the job done. And they’re all going to blame you if it doesn’t happen,” he says. But it’s possible to get the two sides working together with a little leadership.

“If you get the folks on your team on side, it’s not just the security guy pooh-poohing your decision to buy this product.” “What I usually try to do is make a lot of the hard decisions about whether we use the product and how it works early on — do a lot of the deep audits in the actual buying process for the service.”

Many IT departments continue to face pressure to do more with less, but Moore says this is not the case with IT security budgets. “Anyone who works in IT in a large organisation is getting the short end of the stick these days because they’re expected to use automation technologies that hit a lot of systems at once.

“On the security side, you’re not seeing much of that. Budgets are still growing and most of that is because the devices you need to put up all the borders, to secure access to the VPN — those requirements are going up all the time as we add more users to the systems.”

Thanks to the recent focus on WikiLeaks and the fallout faced by its defenders, such as the hacking collective Anonymous, Moore is betting email encryption will now sell like hotcakes.

“Email encryption is looking like gold at the moment ... all the drama around WikiLeaks, Anonymous, HBGary Federal ... PGP should have a really good year this year,” he jokes. “There’s also an argument, when you’re using corporate email, don’t say anything that makes you look like a schmuck afterwards,” he adds.

Follow CSO Australia on Twitter: @CSO_Australia