Update: Welcome, visitors from Pajamas Media! The number of people visiting my corner of cyberspace jumped this afternoon because of a link those nice folks posted. I hope that while you’re here, you’ll look around a little. There are lots of things to explore here, from political scribblings and science and technology thoughts to photos of our travels and our collection of animals. And much more!
Update II: Will wonders never cease? Now there’s a link (broken at the moment <sob>) to this post from Instapundit! Assuming Glenn fixes that link, I suspect I’ll have even more visitors. Welcome, one and all — please take a look around while you’re here!
Bruce Schneier has a wonderful little story on his blog (original article here) about a test of an attack method that combines technical means with a little social engineering. It’s a clever exploit that (unfortunately) is just one example of bazillions of possible clever exploits. In this one, the testers went onto the streets of London and handed out CDs that supposedly contained a Valentine’s Day promotion. Many of the people who were given the CDs carried them straight into their (allegedly “secure”) offices and ran the programs right off the CD. Any IT guy could tell you that by doing so, they bypassed nearly all of the security measures the companies had in place: the code never crossed the firewall or the mail gateway, it walked in through the front door and ran with the employee’s own privileges. Had the software been hostile, it could have done a lot of damage, whether by stealing confidential information, modifying critical information, or even by taking down internal systems.
Not good. And oops.
The original article basically blames the employees’ bad security attitude, or lack of security education. Bruce draws a better lesson: that the real problem is insecure infrastructure. While I agree with every one of Bruce’s points, in a practical sense it doesn’t seem likely that they’re going to be addressed anytime soon. To use Bruce’s example, this particular attack could have been prevented by not giving every employee a workstation or laptop that could just run any old software from a CD. True enough. But … I don’t know any company that is actually going to run out and put that restriction in place…
I’ll draw another (fairly obvious) lesson from this story: that many IT organizations are throwing their security money at the wrong problems. In particular, except in the most sophisticated IT security environments, the emphasis is almost 100% on “border security”: firewalls, multi-factor authentication, etc. And almost nothing is done about security inside the firewall, even though it’s demonstrable that the biggest threats for most companies are of internal origin. The CD attack is a great example, though so far only a test. Already happening are worm and virus attacks, and many (I suspect most) companies are woefully unprepared for these. I’ve worked at two companies, and I know of many more, where all the company’s servers are fully exposed to the LANs that host the company’s workstations. That means that any worm or virus that infects a workstation has free access to those servers, and in these days of laptops and employees VPNing in from home, if you’ve got more than about three employees, the chances are pretty good that some of them are infected. The fact that more damage isn’t done this way is a testament to the poor design of worms and viruses, not evidence that the risk doesn’t exist.
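To make the “servers fully exposed to the workstation LAN” problem concrete, here is an added example (not from the post or from Bruce’s article) that models a first-match packet filter and compares a flat network with a segmented one. The address plan, host names and port list are constructed for illustration; the point is what an infected workstation or VPN laptop can still reach under each policy.

```python
"""Added example: compare a flat LAN with a segmented one using a tiny
first-match policy evaluator. Subnets, hosts and ports below are
constructed for illustration, not taken from the post."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # TCP destination port; None matches any port
    action: str            # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules, src_ip: str, dst_ip: str, dport: int, default: str = "deny") -> str:
    """First matching rule wins, as in most packet filters; no match -> default."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return default


# Constructed address plan (assumption, not from the post).
WORKSTATIONS = "10.1.0.0/16"
VPN_CLIENTS = "10.9.0.0/16"    # laptops VPNing in from home are workstations too
SERVERS = "10.2.0.0/24"
WEB_SERVER = "10.2.0.10/32"
FILE_SERVER = "10.2.0.20/32"
JUMP_HOST = "10.3.0.5/32"

# Ports network worms have historically sprayed at, plus web and SSH.
WORM_PORTS = (22, 80, 135, 139, 443, 445, 3389)

# Flat LAN, as described in the post: the only "policy" is an implicit allow-all.
FLAT = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

# Segmented: explicit service allowlist, admin protocols only from the jump
# host, and everything else destined for the server subnet denied.
SEGMENTED = [
    Rule(WORKSTATIONS, WEB_SERVER, 443, "allow"),
    Rule(VPN_CLIENTS, WEB_SERVER, 443, "allow"),
    Rule(WORKSTATIONS, FILE_SERVER, 445, "allow"),
    Rule(JUMP_HOST, SERVERS, 22, "allow"),
    Rule(JUMP_HOST, SERVERS, 3389, "allow"),
    Rule("0.0.0.0/0", SERVERS, None, "deny"),
]


def exposure(rules, src_ip: str, targets=(WEB_SERVER, FILE_SERVER), ports=WORM_PORTS):
    """Set of (server, port) pairs an infected host at src_ip could reach."""
    reachable = set()
    for target in targets:
        host = target.split("/")[0]
        for port in ports:
            if decide(rules, src_ip, host, port) == "allow":
                reachable.add((host, port))
    return reachable


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        for src in ("10.1.4.7", "10.9.0.33", "10.3.0.5"):
            print(f"{name:9} from {src:10}: {sorted(exposure(rules, src))}")
```

Two things worth noticing when you run it. The flat policy gives an infected workstation every server on every port, which is exactly the free access the paragraph above describes. The segmented policy shrinks that to the services the workstation legitimately needs, but does not eliminate it: SMB to the file server is still reachable, so a worm that spreads over port 445 still has one target. Segmentation limits blast radius; the services left exposed still have to be patched and monitored.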
Yet changing the way companies secure their IT infrastructure isn’t easy, as my personal experience attests. I’ve had one boss (the CEO) who, after my presentation of things we needed to do to secure ourselves internally, said “Let’s just get SecurID!” When I told him that would be like putting a padlock on a wet paper bag, he countered with “I don’t care if it really does anything — what I care about is how secure we’ll appear to our customers.” Customers who are, more than likely, equally uninformed about security. This company ended up doing precisely nothing about internal security, despite my tiresome railing on the subject. And to this day they have not been hit with any big problems, which reinforces that illogical behavior. Sometimes I’ve thought that a small “demonstration” was in order, just for the educational value…
I don’t have any good answers for this challenge. My suspicion is that it’s similar to corporate behavior with respect to backups: the issue will be ignored until the company gets burned, then it will be addressed. Companies sometimes seem to be incapable of learning from the pain of others…