Monday, December 30, 2013

Breaching your Security Britches

I'm still basking in the glow of the holiday season as I write this.  It's the day before New Year's Eve and things are pretty quiet in the IT world.  On the IT jobs front there are a few listings, all searching for the "impossible candidate," but most of them are just duplicates from agencies trying in vain to snap up those last few contracts before the calendar ages another year.

IT budgets are still tight and salaries still aren't where they should be.  Of course, if anything has increased, it's the strain on IT staff.  It's a perfect recipe for disaster as expectations of the impossible become the norm.

Case in point, the botched rollout of the Obamacare website.  Political motivations aside, I knew it would fail.  Not because it's a bad idea but because, like many corporate IT projects, nobody bothered to ask the IT guys.  It's a government venture after all, rife with bureaucratic red tape and too many layers of management, none of which have any clue about managing a successful IT project.

To a public convinced that YouTube "just works" and the Internet requires nothing more than a WiFi connection, there's no further deliberation necessary.  The chant goes, "I want this, make it happen next week!"

It's a sad but common state of affairs.  IT departments are far too often under the purview of senior management with a ready, fire, aim philosophy and bad information.

All end users know is that they want more..."something" and increasingly, IT is in no position to say no.  There's even an accepted accreditation, the ITIL, that embraces the premise.  Give them what they want and to hell with the consequences even if you have to undermine the infrastructure to do it.

I can guarantee this is the root cause of most security breaches like those we saw with Target this year and Barnes & Noble in 2012.  They all stem from somebody giving in.  I can just see the exchange now...

IT Guy: You know, we really haven't updated the servers in 5 years and I'm worried about securing our customer data. BigBoxCo just got hacked last week and they've got the same stuff we do.
Accounting Supervisor (his boss): What? Did the servers stop working? I got my email today and I was able to get to eBay...
IT Guy: No no, they're working fine, but we're doing a lot of transactions and there are known vulnerabilities in our encryption algorithms.  We need to address this.
Accounting Supervisor (his boss):  Ok, but the servers are working right?
IT Guy: Yeah but that's not the point...
Accounting Supervisor (his boss): Well, do what you can with that, maybe you can fix it on your lunch break.  Just don't spend any money and for God's sake don't take down the servers for more than 10 minutes. Customers hate that!
IT Guy: Uh, ok but we don't have any failover so that's kind of impossible...
Accounting Supervisor (his boss): Oh, and let's relax those password requirements. I don't like changing it all the time and I like to use my dog's name instead.  Maybe you can do that with the customer sites as well.
IT Guy: <sigh> Yeah....
I've had these conversations and they're more common than you think.  So guess who gets the blame when bad things happen.

You can't have it both ways.  In our example above, the IT guy is right but that has to be balanced against the so-called "business case." 

Problem is the "business case" is often one-sided and incomplete.  That leaves plenty of opportunity for disaster.  It shows up in unexpected service outages, poor performance and workarounds that leave the door wide open for social engineering.

And that's the rub...

Look deep into the root cause of these high profile security breaches and you find out that somebody cut a corner.  It's human nature to want to make others happy.  So when faced with a painful and unnecessarily complex procedure that violates that desire, social engineering takes over.

"Ok, we'll relax the password policy for you"

 or

"Well, we don't know much about how secure their servers are, but this hosting provider is cheaper.  Oh yeah, and they host porn sites, so they must know what they're doing with all that traffic!"

Users let down their guard because the bad guys know your process and take advantage of its flaws.  IT guys let down their guard because they don't have the power to say no.  It's the same failing, just expressed in different contexts.

We have IT security vulnerabilities precisely because the way we interact with technology doesn't match up with our nature.  Human nature says to take the path of least resistance, and 23-character passwords with mixed case, numbers and special symbols don't cut it.  Yeah, I know there's LastPass, but that's a band-aid over the core problem.

So how do we secure anything in the face of all this opposition?

It's simple: we stop thinking about "enforcing" anything.  Nobody likes to be under anyone's "enforcement."  Instead we start taking into account how people actually use technology instead of getting in the way of it with some clunky authentication mechanism.
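To make the password point concrete, here is a small Python comparison of the two kinds of policy the post contrasts: the usual "enforced" composition rules (minimum length plus upper, lower, digit and symbol) against a policy that works with human nature instead of against it (allow long passphrases, drop the composition rules, but reject anything on a known-breached list). This is an added example, not code from the original post; the breach list and the sample passwords are constructed for illustration, and a real deployment would check against a full leaked-password corpus rather than a five-entry set.

```python
"""Composition-rule password policy versus length-plus-breach-check policy.

Added example with constructed data; not part of the original post.
"""
import math
import re

# Constructed stand-in for a breached-password corpus (assumption: a real
# system would query a full leaked-password list, not this tiny set).
BREACHED = {"password", "p@ssw0rd", "fluffy2013", "fluffy2013!", "winter2013!"}


def composition_policy(pw: str) -> bool:
    """The 'enforced' policy: at least 8 chars with upper, lower, digit, symbol.

    Note what it accepts: 'Fluffy2013!' (dog's name, year, bang) sails through.
    """
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"[0-9]", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def length_and_breach_policy(pw: str, min_len: int = 15) -> bool:
    """Policy closer to how people pick secrets: no composition rules, long
    passphrases welcome, but anything on the breach list is rejected
    (compared case-insensitively, since attackers try case variants)."""
    return len(pw) >= min_len and pw.lower() not in BREACHED


def estimated_entropy_bits(pw: str) -> float:
    """Naive 'pool size ^ length' estimate, the math composition rules lean on.

    It only sees character classes, so it overrates human-chosen values such
    as a pet name plus a year; that blind spot is what the breach check covers.
    """
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate(pw: str) -> dict:
    """Run one candidate through both policies and the naive estimator."""
    return {
        "composition": composition_policy(pw),
        "length_breach": length_and_breach_policy(pw),
        "entropy_bits": round(estimated_entropy_bits(pw), 1),
    }


if __name__ == "__main__":
    # The supervisor's dog-name password passes the "strict" rules but is
    # breached; a plain four-word passphrase fails them but is the better secret.
    for candidate in ("Fluffy2013!", "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate)}")
```

Running it shows the mismatch the post describes: the composition policy says yes to a password sitting on a breach list while rating it at roughly 72 bits, and says no to a 28-character passphrase that is both easier to remember and absent from the list. The second policy gets the answer right in both cases without asking anyone to memorize symbol soup.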

While we're at it, why are we still using payment methods directly connected to bank and credit accounts?  Why aren't pre-paid instruments more popular?  I know the reason: they're a pain to use, and like our 23-character password, nobody likes that much "resistance."

You know, it wasn't so long ago you could go to a store and buy things on credit.  Not Visa or American Express credit, I'm talking about store credit.  You paid your bill every month directly to the store.  No personal information or bank accounts involved.  You just plopped down your money and you were done.

Of course, we live in a world where we're forced to live beyond our means, and that has turned into ever-increasing complexity.  Banks and credit card companies have made millions on the fact that nobody in business is willing to handle their own credit accounts, if they even bother to have them.

So there's another feat of social engineering.  Another layer of abstraction between what we're trying to accomplish and what we ultimately DO accomplish. 

Somehow, we've managed to accept the ridiculous as a reasonable premise. 

That's exactly why nothing will change and security will ultimately fail: it's based on building a mountain of complexity where a bit of positive social engineering would do far better.

Of course there's too much money in that mountain of nonsense we keep adding to.  Entire industries owe their existence to it and nothing will change because of it.

So you have two choices: live like a hermit and pay cash for everything, or accept that until somebody gets a clue there is no security or privacy.

If you need an example, try this...

Imagine you and your 5 year old daughter are at a restaurant for lunch.  A strange man approaches her and offers her candy.  Completely ignoring all your admonitions to the contrary she reaches for it.
What do you do?

It's likely you immediately intervene.  Depending on the threat it can range from tackling the guy to a dirty look.  Either way, you took control of your own security concerns and it was a pretty simple process.  Nothing was going to happen without your direct involvement.

Put that in the context of how security works now, however, and you'd spend 10 minutes trying to remember your mother's maiden name and date of birth before you lifted a finger.

Yeah, it's really that bad, and exactly why security concerns, in IT or otherwise, need to be reframed.  All of these heaped-on layers of band-aids and baling wire are for naught.  In the end we're not really securing anything.  How can we? We're never allowed to participate in the process.

It's like the old joke where the man goes to the doctor and says, "Doc, it hurts when I do this!" and the only advice from the doctor is, "Then don't do that..."

The more we remove human nature from the equation, the less meaning security has.