Guy Wright’s piece titled Internet Security: We were worried about the wrong things is a bit old but it’s an important point. Security is a moving target. It’s always a moving target.
I disagree, however, with the assertion that SSL (and its successor, TLS) were a waste of time.
Attackers go after the easy thing first. Encrypting your credit card number protects you not only from the scenario of someone attaching alligator clips to your phone line, but also from someone snarfing down credit card numbers as they travel through Internet providers. The fastest way to get credit card numbers in the 1990s would have been to get a job at an ISP, then add a process running on a router that sniffs traffic looking for credit card numbers and sends them off to you. And that’s not as hard to do as it sounds–I’d rate it easier than attaching alligator clips to a phone or network cable and intercepting the signal with a second computer.
Since we solved that problem, attackers have to go after the destination of all our precious data, to the companies we do business with. That’s why companies now employ small armies of Information Assurance Analysts like me who locate weaknesses in their systems and networks and drive the company bonkers with our recommendations.
Guy Wright is right–companies do need to encrypt their databases, but there’s a way around that protection as well. Target a DBA with an administrative password, and the game’s over. I know all too well.
Back in 2006, I took over patch management for an Air Force system that tracked cargo planes and tankers. Our track record wasn’t what it could have been, but within a year I had it turned around. Within 30 days of Patch Tuesday, I had my patches deployed with a success rate of better than 99%. By the standards of the day, it was a really well secured system.
Then an Air Force red team marched right around our security. They phished one of our DBAs, installed a keylogger on his desktop PC, got his password, and logged right in to our system and started messing around. On a Friday afternoon around 4, a Major was asking my boss to explain how all of this happened, and informed him that the team would try to get back in on Monday at 8, and they weren’t going to succeed. My boss didn’t say in so many words that I’d lose my job if they got in, but he sure implied it.
I cancelled my weekend plans and spent all weekend changing passwords, looking for any passwords in plaintext that might be laying around on the network, and finding and fixing any other minor security issues that turned up, with a couple of other guys helping me. And the red team didn’t get back in on Monday.
Keeping the red team out in the first place would have been harder, thanks to people opening e-mail messages that they shouldn’t open. I’m not sure I could have solved that problem, but if we’d had half a million dollars, we could have known before the Major did that we’d been compromised, and if we’d had another half million, we could have cut off the attack. The problem is, there’s almost always one more thing we could do, and it almost always costs six figures, unless it costs seven. Or eight.
My boss reminded me of that in a budget meeting last month. We had $10 million to solve five problems. I got to talking and whiteboarding, and then my boss cut me off in the middle.
“You just spent all $10 million solving one problem,” he pointed out.
Yes. Yes I did. So we scaled back and did the best we could with what we had. We’ll be back for more next year, I’m sure. And the year after that too.