Relax, We Bought Security
by Wananapaoa Uncle
I spent the last 15 years of my life in computer security as freelance, visiting lots of different customers.
Each one had specific setups, software, and network topologies; each needed some sort of security. The first point of this rant of mine is not about why they needed security - everyone has needs for security. The point is when they realized it.
You can study lots of papers discussing the security topic, each detailing aspects that may lead to some form of problem. You should prepare the networking ground by setting security cornerstones, redact documentation, teach people the right way to do things, and avoid doing the most obviously wrong ones.
I found this way of doing thing is a pure myth.
Companies need security when they have a problem. I'm not talking about data that is compromised or systems that are shut down. Most often, I found the biggest problem was some sort of local law or rule coming into your business from outside. They require you to have some level of security, so you must adhere to them, and generally very fast. Companies fear fines more than intruders.
So now you're forced to implement some sort of security. You're forced to document that you comply with these rules. No matter how, you should be fast and not interrupt daily business that, of course, has its own rules that cannot be changed. So the first people who care about security are the legal staff. They find each aspect that can exempt them from complying with rules, sometimes generating lots of absurd technology-abstracted conclusions. Then come "external" companies to assess and document your infrastructure, with no connection to the way the network itself is utilized by users and applications. They normally ask for schemes they cannot understand, policies they aren't able to read, and bring with them "hackers" with black boxes full of antennas and lights that "assess" security.
They are masters, especially in Googling and cut-and-paste. So they Google for the wrong words, find the wrong references, cut and paste them together, and send this blob to a pizza-fueled-underpaid trainee who replaces the 256 different fonts with the corporate one, applies the formal template, and here you are: your very own security guidelines. First invoice is sent.
Now they will explain to you those guidelines, and will offer some costly service to tell you how to implement them in your business. And, of course, no one needs to know anything about your business. Second document ready - "Implementation guidelines" - and second invoice is sent. You're almost there; you have documents about complying with those absurd security requirements.
It may turn out that implementing security guidelines will be a little intrusive in your business. You have to rewrite applications to support those bizarre words called passwords, you can no longer send all of your sensitive data out to a contractor in Hyderabad, you should stop using good old FTP to send transactions to your bank. They sometimes state that you must change your password twice a year. Are you serious? My cat lived 12 years, and the new one has the same name as the dead one, so the password must remain the same. Also, my bride has her birthday set - I cannot change it!
So the customer discovers that he just put a lot of "effort" (say, money) into this ridiculous thing called security, and he should put a lot more of it into changing things? Are you serious? Of course, the big consultant has the solution! Just the final touch, the one I really hate. Really. You can solve all of your security problems by buying some specialized hardware. Of course, it should be enterprise grade. It must be highly available to not interrupt work when it miserably fails. It must be costly. The thing goes in and out of the IT department, encompassing people who make financial evaluations, and yes, in X years it costs less to buy some black box than revamping the infrastructure.
Here you are.
You need a firewall, just to begin. What are you saying? Your old firewall? No, it's not "certified." Yes, you must buy new VPN licenses, and reinstall the software on each device, but you'll have a new "certified something." Just hope that the niche company that produces it doesn't go out of business too early, leaving you without the procedure to renew all the digital certificates (usually sent by mail to remote people).
Of course, you need an Intrusion Detection System (IDS/IPS). It looks in each corner of your network and finds the bad guys when they're doing bad things. This includes your corporate app that runs on the same port of Back Orifice, your database server that generates "abnormal" amounts of traffic, and IP phone traffic that can be a "hidden channel" for leaking data. Dozens of legitimate things are blocked. So you need a consultant to tune the box, of course, that switches from auto-magically adaptive to fucking costly. Of course, the IPS/IDS must be "trained" for each application you implement. To make it short, when the costly yearly contract ends, the device is put in "look-but-don't-do-anything" mode, creating an environmentally unfriendly electricity guzzler (but hey, your company is eco-friendly - certified by some obscure entity).
Another one that you must implement is the Data Loss Prevention (DLP) device or software. It scans transiting data to find potential leaks. It kills your email containing any word it sees as sensitive, it uses "heuristics" to block your Excel offers, it trashes documents containing numbers greater than 99,999 (maximum value of your standard contract) - it's better that you break your phone numbers into small chunks if you want them in your commercial emails? You cannot use your USB drives anymore, or you need a support ticket open each time. You know the procedure - after one year, DLP is set to "silent" mode.
Then, you must solve the problem of all your people around the world selling your goods. Their laptop can be stolen, can't it? So you need to buy and implement full-disk encryption to start protecting everything before the boot process. And how do you deal with people calling you via a phone booth in Kathmandu at 2 a.m. your time telling you that they need the PIN Unlock Key (PUK), or that the HD broke and they need their files back? Sooo simple! Just keep an unencrypted USB drive in the computer bag to back up the data daily, and a "do-not-open-if-not-really-necessary" envelope with the super-master unlock PUK of the whole company in it (taken directly from a customer policy for traveling workers).
So, a year afterwards, what have you got? Lots of consultants in and out (each of them having an admin password to "assess" your infrastructure), some rack full of blinking equipment (it is disabled, but corporate tours for guests must include blinking "firewalls"), and a (physical) folder full of awfully written documentation that no one will ever read (fortunately). But hey, we bought security.
I could have written hundreds of What-The-Fuck stories here, but there are sites devoted to this.
I would like to stress how wrong the belief is that you can buy some black boxes and canned documents to reach the security Eden. Security isn't a product to buy; security is all about people's culture. You must put security into every action you perform at work and, of course, it is not only technology related (someone said Kevin?).
Companies should invest money educating people more than they spend in buying assets.
Maybe they will enlighten some dormant hacker mind, an asset between the most valuable ones.