Weakness is a tool not to be ridiculed but, rather, revered. It provides a most efficient lever when lifting clouded views and burdensome restraint.
Each new technology addresses specific needs – imagined or otherwise. If one contemplates resolution when sowing creativity, purpose, and/or experience, ingenuity sprouts from fertile thought.
Not long ago, if man wished to dispatch a message to places afar, man would visit the local telegraph office, pay a fee, and listen as his communication was sent in a series of dots and dashes. The era’s advancement in technology outweighed the dependability, or lack thereof, of dispatchers via horseback, or smoke signals, and met a specific need. Smoke signals, after all, could be seen by anyone. Carriers, by horseback, were routinely intercepted by rogue bandits who plundered the hurried bounty. Not unlike today’s parasitical behavior, it was discovered how one could siphon off confidential transmissions like the notification of payroll’s route to Dry Gulch. The age of hacking was born.
Once the breech was discovered, communication was sent using coded transmissions. The letter C might actually be Y and, using the appropriate translation template, everything made sense on the other end. Encryption was born.
More than one-hundred years later, information technology continues searching for the all-elusive security panacea.
In earlier days, if one was so inclined, he or she required a visual of the mountain from where the smoke signal originated. Later, it was necessary they climb a pole, attach two wires, and decipher a coded message. Today, the same feat, with amplified implications, is attainable without ever leaving the cushy surface of a hacker’s sofa – a benefit made possible by employers for whom he or she has neither met nor worked for. Unfortunately, crime does pay.
Fortunately, for all of us, there are those who strive to thwart the efforts of would-be thieves but difficulties in doing so foster a never-ending climb up the ladder of prevention. What, then, are some of the obstacles we face?
Driving down the freeway, unlikely as it seems, provides insight into the psychology of a person capable of committing such a breach. Don’t misunderstand the following analogy as an indictment of every single person. The act of theft is built upon specific personality traits and requires motive. The analogy does, however, construct a paradigm which demonstrates opportunity.
Do you drive the speed limit when commuting? Do others? Obviously, the majority of drivers do not obey traffic laws and the reason so many are able to avoid detection is because enforcement isn’t always present. For those of us who occasionally disregard, intentionally or otherwise, posted limits, the chance of being caught increases with each mile driven. It is not those, unwittingly breaking the law, who constitute harsh dangers facing other commuters. It is the owners and users of radar detection devices in states where such use remains legal, who pose the most serious risk to others. Such devices create an umbrella of invisibility to enforcement personnel.
Consider this: The sign-on screen is something of a stop sign. It halts everyone to first check credentials before permitting forward motion. Credentialing, on the other hand, is a license to use the server’s information thoroughfare with or without limitation. Stealth exploitation is the art of circumventing all the above without detection. Who are the culprits and how do they do it?
First and foremost, everyone is suspect. Oh, I know, it isn’t popular to affix titles and it does make one seem adversarial when exercising strict enforcement. If, however, achieving popularity is important, guarding sensitive data should not be part of one’s job description. Period!
Every year, hundreds of banks suffer through the terror of robbery but prevention has not dramatically changed since the very first bank opened its doors for business, hundreds of years ago. Anyone can walk into a banking institution without first qualifying why they are there or undergoing inspection. The comfortable environment provides culprits the opportunity to investigate weaknesses and develop strong plans of attack.
WHO IS THAT PERSON AT THE KEYBOARD?
John Doe was hired two weeks ago. On day one, he’s provided a key (profile) to open the company’s data warehouse. After all, he is an employee and needs access but who was he before his hire date and what separated him from any other citizen on the street? The answer may surprise you – nothing.
The sad reality is this: Many bank robbers credit their success to what happens on the inside. That does not necessarily point to accomplice(s) – not in the literal sense of the meaning. It does, however, suggest the ease by which one can carry out a specific action is often innocently provided by well-meaning ‘inside’ staff.
There is far more security provided at airports than in most I.T. shops. That isn’t a bothersome thought unless the I.T. shop, charged with guarding your personal information, hires from temporary employment pools without so much as a blink. As the saying goes, they don’t worry about someone else’s security because, well, it’s someone else’s security.
New employee Doe sits down at his desk, flips a switch, and dives headlong into an abyss of sensitive data. Within seconds, he’s looking at the personal information of John Smith. He knows where Smith lives, the name of his family members, how much he earns, how much he spends, and where he spends it. Imagine for a moment Smith’s normal spending habits take an unexpected turn from Anyplace, Ohio to Maui, HI. Bingo! The Smith’s are on vacation. What thoughts cross your mind at this point?
Okay, let’s give Mr. Doe a break. He’s a good guy with impeccable credentials. He’s put in a long, hard day of honest work and it’s time to go home. Gathering his personal belongings, he pushes away from his desk and moves toward the door. It’s late in the evening and someone flips off the lights before he traverses the maze of individual workspaces. Not to worry. The illumination of unmonitored monitors, throughout the space, sufficiently lights the way for both Mr. Doe’s leaving and the incoming janitorial crew. The same scene repeats daily inside fortune 500 companies nationwide. But ask the I.T. staff and you will likely yawn past a resounding defense of security measures specifically outlined in the company manual. Oh brother!
The strength of weakness – for the most part, it is a battle with ourselves. Lazy attitudes, the precedence of deadlines, absence of detail, and overlooked redundancies are the underpinnings of failure. Sadly, the most defining moment of any shop or I.T. manager is the stark reality of theft. Such failure is humiliating and costly. A wise man once said: “One of the great tragedies in life is the absence of wisdom at birth.”