Copyright © 2008 by The McGraw-Hill Companies. Click here for terms of use.
14
that he was even here meant he had to walk by the security desk and then had to have a card to gain access to the server room. Therefore, everyone figured he should be here—at least that’s what all the people said who were interviewed by the police.
“How does someone just walk out with our entire library of backup tapes?” a very nervous looking CEO asked the head of security.
Jack had been the head of security for exactly two weeks when this incident occurred.
He had been hired into a very loosely controlled organization after the former chief of security chose to retire a few years early to deal with some medical problems. As Jack looked around, he saw an organization whose secrets rested on generic access controls even though employee turnover was high. People came and went with very little screening. Nearly every day a new cafeteria worker served up the vegetable of the day, and almost every night a different janitor wandered the halls. While two weeks was enough to get the guards to at least write down the ID information for delivery personnel, it wasn’t nearly enough time to change such a poor security culture—one where far too much trust had been placed in the assumption of who would want to rip them off.
“This shouldn’t have happened,” the CEO complained. “Who steals data from a convenience store home office?”
“Competitors,” Jack suggested.
The CEO eyed the new head of security suspiciously. “The thief walked right out with our tapes.”
“All our tapes,” Jack added.
“So now what? We had our one in a million hit. The odds have got to be small that it would ever happen again.”
“Security doesn’t really work like that,” Jack explained. “We have a small attack surface. Very little is exposed to the outside. But once inside, there is very little security because nobody asks questions, nobody watches anyone, and no one responds actively to threats because no one really knows who all works here.”
“What about the ID badges and the RFID cards needed to open doors? What about the guards at the front gate? How does a box of tapes leave?”
“It doesn’t have to,” Jack said to a very puzzled CEO. “When was the last time you looked at someone’s picture ID as they walked past? You can easily follow someone as he walks in through the door. And if he used to work here, it’s even easier. What’s not so easy is getting a big box of tapes out of the building.”
“So they’re not gone?” the CEO asked hopefully.
“Not necessarily; they could be hidden. If they’re hidden, we can’t use them, which is effectively the same as being stolen. Somebody who used to work here would know that he could never get a box out the door, but the janitorial staff could. In all likelihood, the tapes were put in the trash last night after the last backup, and they were carried out to the bin in the middle of the night. The janitor wouldn’t know to question why we might throw away a bin full of tapes.”
The policeman then searched through the bins around the room and found they were indeed all empty.
15
“So they’ll be in the bin outside then, ready to be picked up with all the other trash?”
the CEO said with relief.
“No, most likely they’re already gone.”
Sure enough, the police were able to recover one tape out of the forty tapes that were stolen because it had been mixed in with the other trash. The rest had all disappeared.
“You can’t build a company security culture on security alone,” Jack explained to the CEO. “Interactive controls will allow us to protect access to our assets regardless of where that access is coming from. Right now with only authentication controls for those coming in through the doors, we are completely blind to direct interaction with assets, and if someone is clever enough to exploit our processes, like garbage collection, those assets can walk right out under our noses.”
“Fix it then,” the CEO told him.
It took Jack only a few weeks to address the missing controls, but it would still take years for the corporate culture to evolve to a point where a theft like the one that happened could be avoided.
T
he biggest problem people have with applying interactive controls is how restrictive they can be if used properly. People are accustomed to having a certain amount of freedom, but interactive controls stifle many of the freedoms they take for granted.These controls have been around since the dawn of security. They’ve been brutally applied by dictators and tyrants to rule nations for the simple reason that they work.
Fortunately, these same controls also allow you to protect systems in a pragmatic way.
Applied security means separating the asset from the threat for a particular vector.
But what happens if you also want to access those assets? What if you want to allow some people to access those assets, but not others? You somehow need to control their interaction with these assets. To do this, you apply any of the five interactive controls.