In nature, predators watch for young, weak, or isolated animals. So do attackers. So should you.
When scoping a security assessment or audit, always keep an eye out for the lone reed. In other words, take special note of the one item (process, account, device, etc.) that has the same function as others in its category or class, but is a bit different. That item often has weaknesses the others don’t have.
While visiting a friend in another state, I stopped at the local library, which had an old and interesting architecture. One staircase had rounded walls, and the doors set in those walls were also rounded (and locked, unfortunately).
At the top of the stairs I found one of several sets of computers that allowed patrons to search and reserve library materials, including those from reciprocating libraries; each floor had a group of computers dedicated to the library search function, separate from the computers that allowed patrons to surf the Internet. As I wandered around the landscape, I found a reed standing by itself among some of the book stacks.
Instead of a desktop computer, this search station one was a laptop; instead of a wired connection, it was wireless. Instead of herding with the others, this laptop was in an out-of-the-way location, away from main aisles.
All I could access was Internet Explorer. At first, it appeared that all the usual options were locked down, just like the other search stations.
Then I noticed that I could unlock (uncheck) the IE toolbars by clicking View, Toolbars, Lock the Toolbars. I could also choose Customize, which gave me all kinds of options to choose from.
Soon I was surfing the Internet, unfiltered. I could even run software from the Internet. Very handy when you want to cause trouble. I probably could have listed all computers on the network, and more, but I didn’t want to probe; I was not there to cause trouble.
I assume what happened was that someone decided to take an extra laptop and configure it like the desktops. However, the version of IE was different, so somewhere down the line, all those differences added up to a one-off configuration, which was not secure enough.
When looking for lone reeds, notice when:
- An item is isolated from the others or out-of-place (e.g., server in a closet instead of data center)
- The hardware, OS, and network connection type is different.
- A system runs different software from the others (IIS vs. Apache, AVG antivirus vs. Trend Micro).
- Accounts, servers, and devices are not named according to the required naming convention, or contain phrases like test, trial, or temp.
- Hardware or software (or both) run noticeably faster or slower than the others.
- A device, process, or system has less or more than its normal share of problems. Ask yourself WHY.
Lone reeds increase an organization’s attack surface and make trouble easier to hide. Keep security consistent.