What Needs to be on a GOOJ Card?

If you probe networks, systems, and applications, you need a GOOJ card to protect yourself and your job.

In How to Stay Out of Jail, I recommended that anyone who scans, probes, or pokes networks, systems, or devices should always carry a get-out-of-jail (GOOJ) card. I also provided some reasons why such a card is critical.

In this post, I suggest several items that should be addressed in a GOOJ card (which isn’t really a card at all, but simply a signed document that gives you the authority to test and probe).

This is NOT intended to be legal advice. Always consult an attorney before you put your neck in a noose.

1 – Approval to use security and cracking tools and methods for the sole benefit of the company, not for personal gain. Benefits include testing security configuration; identifying weaknesses; monitoring anyone using company networks, systems, devices, and applications; and gathering data for investigations.

This provides executives the reasons and benefits behind granting such powerful access. Just make sure you don’t violate the agreement or get lazy, or it could be used against you.

Also, the agreement must explicitly name you (or all team members) so that the agreement cannot be used generically by others so as to avoid prosecution. Likewise, the agreement must have a specific start and end date to which it applies.

2 – Approval to download, store, and use security and cracking tools.

For some companies, merely downloading and/or possession of cracking tools is enough to punch your ticket. I’ve walked an employee out the door in one company when cracking tools were found on her hard drive.

3 – Types of tools and methods to be employed (e.g., scanners, sniffers, exploits, password guessing, dumpster diving, impersonation, social engineering, forced entry, and the like).

Impersonation: sometimes you have to be creative about who you are and your purposes (basically, it’s lying with permission). For example, at a remote location, to get by the receptionist, you may pretend to be a printer or utility service person.

Forced entry: Sometimes you have to go through the ceiling tiles to access a “secured” area during a red team exercise. At other times, you may be asked by senior management or Audit to obtain files, paperwork, or other evidence, which might require lock picking.

4 – Identification of where the activities will occur, which generally is everywhere (e.g., “all company wired and wireless networks, systems, applications, files, and facilities, including stand-alone systems, and the like.

Make sure you either list off-limits areas or items specified by management, or include a statement that requests management provide any such items in writing.

5 – All vulnerabilities and weaknesses will be promptly disclosed only to the appropriate management and IT staff as needed to raise awareness and/or resolve the issues.

Depending on the company, “promptly” may need to be given a definite time period, but I advise against it unless required. Sometimes extensive research is needed to determine whether a weakness can actually be exploited and what the impact could be.  Most senior managers don’t want a half-baked analysis.

6 – Indicate whether tools and methods will be tested prior to implementation if possible to avoid disruption of service.

Consider language such as “When possible, new tools and methods will be tested on test system prior to using them on production systems. In cases where activities may cause a significant risk to a target, the appropriate personnel will be notified in advance, if possible, and their guidance will be considered prior to commencement. However, normal procedure is to conduct activities without warning.”

This section is common sense, and yet it is one of the hardest to consistently perform. This section indicates you are a careful professional who always considers the risk to the business and weighs it against the benefits of a successful assessment.

7 – Securing your systems, networks, communications, and files above and beyond company policy.

Too often, companies do not keep user equipment current with patches or employ highly secure configurations. Companies also forbid the use of alternate browsers, personal firewalls, or encryption. Since you will collect and store all kinds of highly sensitive data (regarding vulnerabilities identified as well as company data accessed during security probes), you will need to secure and configure your equipment and tools above and beyond the typical configurations.

Also, don’t forget to remove all IT administrative access to your devices–sometimes you will be monitoring or investigating the administrators, and even when you are not, they do not have a need to know the weaknesses or data you discover.

8 – Right of review of security methods and equipment by management.

Since you’re asking for the right to test and attempt to penetrate your company’s entire environment AND you want all administrative access to your equipment removed, you need to be willing to open yourself and your activities up to inspection at any time.

Keep in mind that management and even most IT staff have limited understanding of security methods and cracking. You need to convince management that you’re not a loose cannon and that you are willing to be monitored or have someone look over your shoulder occasionally. This also keeps your feet to the digital fire so that you are less tempted to abuse your privileges.

9 – Logging of security and cracking activities will be maintained.

Religious logging of all your activities* not only helps with #8 above, but if IT/Legal/Audit comes to you and asks whether you were the source, you’ll know. You can also track how often your activity was actually detected.

Logs also help you measure not only your effectiveness (by how much you found), but also a measure of how the enterprise’s security stack up.

* Log the date, time, target IP address, source IP address, tools/methods used, reason for activity, results, etc.

10 – Approval by senior management or the Audit Committee.

The most important part of the card is the approval by senior management (CIO and CEO recommended) or the Audit Committee. Legal approval is also a good idea also, but expect delays. Ensure the names and titles of the approvers is typed on the agreement and the date signed is also provided.

11 – Review and reapproval of GOOJ agreement.

Whenever a named person on the agreement leaves the company or the effective period of the agreement is close to expiration, the agreement must be updated promptly.

Overall, be ready to negotiate the terms of the GOOJ card to make it fit your company. And if  management objects to these methods, remind them that attackers do not provide advance warning or test their methods on similar systems before launching their assault. Point out that while you need to be able to play by the same rules that attackers do, you have a distinct advantage over the attackers–you really care about your company’s future.

In the third post of this series, TOP 100 Network Security Tools, I recommend a few tools every auditor or security analyst should use (or at least be aware of).

9 Comments

Filed under Audit, How to..., Security, Technology

9 responses to “What Needs to be on a GOOJ Card?

  1. Excellent article.

    Enjoyed visiting your blog and reading your articles. Keep up the good work.

    Regards,

    Joel Font
    Blogger: Today’s Audit Journal

    Like

    • ITaudit

      Joel,
      Thanks for the feedback. I just discovered your blog and look forward to catching up with your posts. I like what I’ve read so far.

      Like

  2. Great stuff indeed, for newbie A&P types. ;)

    Like

    • ITaudit

      Krupo,
      These issues apply to newbies and experienced professionals. Why did you imply only newbies?

      Like

      • Oh, I didn’t mean it doesn’t – the extended implication was that experienced practitioners should already be aware of it.

        Just a different way of looking it (i.e. if you didn’t know, are you really all that experienced??). :)

        Like

      • ITaudit

        Krupo,
        Thanks for the clarification. Makes sense to me.

        Like

      • ITaudit

        Krupo,
        One other question. I would think most security analysts would know this stuff, but what about most IT auditors?

        I know some security analysts who aren’t aware of these issues (are they really security analysts, then, one would ask). Too many of the IT auditors I know don’t know IT very well, much less the ins and outs of security issues.

        What have you found?

        Like

  3. Very good point – this would be news to many, particularly to most of those who just transferred in from “regular” financial audit of course.

    Having said that, even the tests that would require a GOOJ card would be news to them. It’s excellent work which should be done, but often IT audits are limited to the standard ITGC trinity rather than this “cooler” line of testing.

    Like

    • ITaudit

      Krupo,
      So you’re seeing the same thing. The interesting thing I’m finding is that IT auditors who have IT degrees still don’t understand IT, much less security. Not just the crossovers, but those pursing IT audit as a profession.

      “Cooler” is right. It’s a heck of a lot more fun to do security testing that ITGC. But when I do ITGC and you find failures, then you can offer to look a little deeper, or suggest that certain security issues might be the cause.

      Like

Leave a Comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s