In our last post we looked at the threats a security czar can create. Let’s now look at another surprising threat:

William the Manager

William is concerned with his group getting their job done. He is under budget pressure, time pressure, and requirements to deliver. William is a good manager – he is concerned for his people and dedicated to removing obstacles that get in their way.

To a large degree William is measured on current performance and expectations for the next quarter. This means that he has little sympathy for other departments getting in the way of his people making the business successful! A lot of his job involves working with other groups to make sure that they meet his needs. And when they don’t, he gets them over-ruled or works around them.

When William does planning – and he does! – he is focused on generating business value and getting results that benefit him and his team. He is not especially concerned about global architecture or systems design or “that long list of hypothetical security issues”. Get the job done, generate value for the company, and move on to the next opportunity.

William sees IT departments as an obstacle to overcome – they are slow, non-responsive, and keep doing things that get in the way of his team. He sees the security team in particular as being an unreasonable group of people who have no idea what things are like in the real world, and who seem be be dedicated to coming up with all sorts of ridiculous requirements that are apparently designed to keep the business from succeeding.

William, with the best of intentions, is likely to compromise and work around security controls – and often gets the support of top management in doing this. To be more blunt, if security gets in the way, it is gone! If a security feature interferes with getting work done, he will issue orders to turn that feature off. If you look at some of my other posts on the value of IT and computer systems, such as Creating Business Value, you will see that, at least in some cases, William may be right.

And this is assuming that William is a good corporate citizen, looking out for the best interests of the company. If he is just looking out for himself, the situation can be much worse.

It is not enough to try to educate William on security issues – for one thing (depending on the security feature), William may be right! The only chance for security is to find ways to implement security controls that don’t excessively impact the business units. And to keep the nuclear option for the severe cases where it is needed, such as saving credit card numbers in plain text on an Internet facing system. (Yes, this can easily happen – for example, William might set up a “quick and dirty” ecommerce system on AWS if the IT group isn’t able to meet his needs.)

Next: Threat: Fred the System Administrator

Our previous posts looked at the stereotypical threat of hackers. Let’s now look at some less obvious threats:

What?!? The security guy is listed as a threat to system security?

Absolutely. Stan is knowledgeable. He knows that the world is filled with evil. And he is determined to protect his company from it.

There is a famous saying: The only truly secure computer system is one that is powered down, ground into a powder, melted down into slag, cast into a concrete block, and dumped into the deepest ocean trench. Even then you can’t be completely sure…

The challenge is that many things done to harden a computer system make the system more difficult to use. And the Law of Unintended Consequences always comes in to play. For example, to make passwords resistant to brute force attacks, you need to make them long and have them include different types of characters. And, for some reason, you need to change passwords regularly.

So, the answer is to require 16 character passwords with upper case, lower case, numbers, and special characters, containing no dictionary words, and to change them every 30 days – right? Ummm, no. This actually massively reduces security – we will talk about this more in a future post.

As another example, how about setting the inactivity timer in an application, which forces you to re-enter your username and password, to five minutes? Or perhaps two minutes or even one minute? After all, you can’t be too secure! Far from being effective security, this will result in computers being thrown off the roof of the building and lynch mobs looking for the person responsible! As well as a significant drop in productivity.

An excellent discussion of the behaviour of Stan the Security Czar occurs in the book “The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win” – this is an excellent book which I encourage everyone to read. It shows how a focus on technology, without taking into consideration the power of people and processes, can be very expensive and actually reduce effective security.

To bring things into a sharp focus, recall our premise that the reason for IT is to support the generation of business value, and that business value comes from people using applications to transform data. Anything that interferes with any part of this reduces the value of IT – and heavy handed security approaches can massively impact the business value of IT. Without careful consideration of human and business factors, Stan is likely to do things that hinder use of computer systems and actually reduce overall security in the name of improving security. The challenge in dealing with Stan is to achieve appropriate security while maintaining the business value of IT.

Next: Threats: William the Manager

Our previous post considered skilled hackers – but not all hackers are skilled…

Sphinx the Script Kiddie

Unlike Igor, Sphinx doesn’t have deep skills or knowledge. But he does have access to very powerful cracking toolkits that other people have developed and to people who can provide guidance and answer questions. This makes him far more dangerous than he would be if he had to rely on his own skills.

Most of the “hackers” (actually “crackers”) out there are actually like Sphinx. He may do everything from defacing web sites to identity theft and credit card fraud. In many cases he will be looking for targets of opportunity, rather that going after a specific system. He tends to use his cracking toolkits to probe every system he can find, looking for unsecured systems and common security flaws.

Much of your security strategy should be designed for Sphinx. There are a lot of them out there and they can do a lot of damage.

Next: Threats: Stan the Security Czar

The previous post explored different types of threats.

Now that we’ve taken a look at what some of the threats are, let’s look at who might be behind these threats. One goal is to determine who the greatest threat is. You may be surprised…

Igor the Hacker

Igor is who you think of when someone says “hacker”. True hackers have always been skilled. Igor is very skilled and is in it for the money. He may have the backing of considerable resources from criminal organizations or even from state entities.

There are two ways Igor may be after you. If he is building a zombie botnet for spam and ddos attacks he will be looking for systems that are easy to take over. Normal security precautions should provide a good defense.

On the other hand, if you have assets that Igor is after, you have a real problem. Almost no level of security will be enough to stop him. And he won’t stop with computer attacks; social engineering is one of his most powerful tools. In some cases he may even resort to physical penetration to get to your systems.

Fortunately, there aren’t that many Igors around. You can’t build a security strategy around nothing but stopping Igor – it isn’t cost effective and truly hardened systems are often difficult to use. We will examine how a defense in depth approach can be used to manage Igor.

(Note: Igor is actually a cracker, not a hacker. A hacker is someone with deep computer skills who makes computers do amazing things. It describes someone with exceptional knowledge and skills. Unfortunately, hacker has been hijacked by the media to refer to criminal crackers…)

Next: Threats: Sphinx the Script Kiddie

The previous article looked at operational integrity.

Let’s shift back to a security discussion and take a look at threats. Any intelligent discussion of threats starts out by looking at what you are protecting, how it can be threatened, and the impact if one of the threats actually occurs. Let’s take a look at some threats:

Defacing a Web Site

In the past this has been one of the most common and visible “hacker” threats. If you have a simple “brochure ware” site, the most reasonable approach may be to simply have a good backup you can restore. If, for example, you have a DreamWeaver site, you might simply mutter something appropriate under your breath and hit the button to republish the site.

On the other hand, if you have an ecommerce site that your company depends on… This site is obviously important and must be protected.

This is an example of considering exposure, impact and cost. You shouldn’t spend too much to protect the “brochure ware” site. You shouldn’t spend too little to protect the ecommerce site. You should do the analysis of what is appropriate!

Using a System for Other Purposes

Having your system hijacked and turned into a zombie spewing malware and spam is a bad thing. In addition to the direct impact on the system, this is likely to get your whole domain blacklisted and effectively kicked off the internet. Consider both the direct and indirect impact of someone taking over your system – this is worth defending against.

Stealing Data

Data theft can be catastrophic. The cost can go far beyond the direct costs – just ask Target about their credit card breach!

From the computer side, protecting data requires solid access controls, encryption, and operational controls. But you should ask some other questions: Why do you have that data at all? Do you need to store the data? Which computers actually need access to that data? In a uprising number of cases you may not actually need that data at all! As a simple example, don’t store passwords – store password hashes! Properly salted, of course…

Changing Data

This can be very serious. In many cases the absolute worst thing that can happen is for data to be changed. This can mean that none of the data can be trusted. Depending on the data and the change, this can range from a nuisance to life threatening. We will dig into this topic in more detail in the future.

Data Destruction

Data destruction can be malicious or accidental. What will you do if a disk drive crashes? What will you do if someone – maybe even you – “accidently” deletes a critical file? How about an evil hacker breaking in and deleting data?

Even worse, what if the evil hacker deletes every tenth record in your database? Or if there is data corruption in part of a file or database?

Data destruction can be subtle. You need to worry about preventing it, detecting it, and recovering from it.

Changing Software

Changing software is a severe and subtle risk! The bottom line is to make sure you can detect it if it occurs – yes, this is even more important than preventing it. A good example of what can happen is a recent Computerworld Sharktank article. In this cases, the people making changes to the system were authorized to do this – but the impact of those changes should have been detected.

Degraded System Availability or Performance

If a computer is performing an important business function, availability and performance have direct and measurable cost. You need to continuously measure the availability and performance of critical application services.

Next:  Threats: Igor the Hacker