I didn’t have time to write anything original this weekend. Instead, a cautionary re-run from November of 2003 about information security and how not to go about ensuring it. – Bob
# # #
Students of corporate behavior, attempting to account for the seemingly incomprehensible level of self-destruction evident everywhere in the business world, often find themselves at a loss. Why, they ask, would a business do something like this, whatever “this” is this time?
The answer is usually easy to find, if you know where to look: Businesses can’t be self-destructive, for the simple reason that businesses aren’t selves. Human beings make the decisions, either individually or in groups.
Some of these individuals and groups make their decisions with the good of the company in mind, even though “The Company” is a fictional beastie that lacks any actual intent, consciousness, or independent reality. Others focus on “shareholder value,” showing an admirable, albeit misguided altruism toward their employer’s legal owners — misguided because their altruism is rarely returned by the shareholders whose interests they hold paramount.
The majority of decision-makers do neither. They base their decisions on exactly the criteria they’re supposed to use in a capitalist society: They look out for their own best interests. Often, their best interests have nothing at all to do with what’s best for the company.
How else to explain the following event:
A character arrives from corporate headquarters. Looking in the mirror, he sees a secret agent looking back. Or maybe he thinks he lives in The Matrix. Hard to tell.
“Why are you here?” the head of security asks him.
“I can’t tell you.”
“What are you planning to do?”
“I can’t tell you that, either.”
“What can you tell us?”
“I need a work space with a network connection, telephone, desk and chair. And please don’t interfere with what I’m doing.”
He’s from the holding company’s headquarters. A quick check confirms he has the authority and the right to ask for this, and so it is done. A few weeks later, he packs up and leaves, having downloaded a number of security intrusion tools used to … keep in mind, this is a true story, not paranoid fiction … break into and damage several production servers, thereby proving, I guess, that the network is vulnerable to someone from headquarters connected inside the firewall, with no oversight or supervision, no responsibilities other than breaking into the network, and the authority to insist on being ignored regardless of his actions.
From a security audit perspective, his behavior is unprofessional on at least two counts. The first, of course, is that he did actual damage instead of simply leaving evidence of his successful entry.
But that’s the lesser example of the complete worthlessness of his efforts. The greater is that he ignored the basics. The test of an organization’s security isn’t whether it can be hacked, let alone whether it can be hacked from inside its firewall. The test … actually, the two tests of any organization’s security are (1) Does the organization’s security policy fit its needs? and (2) Does the organization’s actual security implement its security policy?
Since Mr. Bond never bothered to read the security policy, he’ll never know. All he knows is that it’s possible to penetrate his subsidiary’s firewall from inside the firewall.
An impressive performance.
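The second of the two tests above, whether actual security implements the written policy, is the one an auditor can check mechanically. The following is an added example, not code from the original post: a hypothetical written policy expressed as rules, a couple of constructed access records (one modelled on the visitor described above, one on an ordinary supervised test by local staff), and an audit function that reports only what violates the policy. The point it makes is the post's: "reachable from inside the firewall" is not a finding unless some rule says it should not be, whereas undisclosed, unsupervised, destructive access by an outsider violates several rules at once. All rule ids, rule text, names and events are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class AccessEvent:
    """One observed episode of network use (constructed sample data)."""
    actor: str
    employer: str            # "subsidiary" or "holding-company"
    zone: str                # "inside-firewall" or "outside-firewall"
    purpose_disclosed: bool  # did the person say what they were there to do?
    supervised: bool         # was local IT overseeing the activity?
    touched_production: bool
    caused_damage: bool


@dataclass(frozen=True)
class Rule:
    """One policy statement plus a predicate that is True when an event violates it."""
    rule_id: str
    text: str
    violated_by: Callable[[AccessEvent], bool]


# Hypothetical written security policy for the subsidiary (constructed).
# Note that nothing here says "the network must be impenetrable from inside",
# so that observation alone produces no finding.
POLICY: List[Rule] = [
    Rule("P-1",
         "Staff of other group companies and third parties disclose the purpose "
         "of their network access before it is granted.",
         lambda e: e.employer != "subsidiary" and not e.purpose_disclosed),
    Rule("P-2",
         "Non-subsidiary staff connected inside the firewall are supervised by local IT.",
         lambda e: e.employer != "subsidiary"
         and e.zone == "inside-firewall" and not e.supervised),
    Rule("P-3",
         "Security testing of production systems must not damage them.",
         lambda e: e.touched_production and e.caused_damage),
]

# Constructed events: the HQ visitor from the story, and a local admin running
# an announced, supervised test of the same production systems.
EVENTS: List[AccessEvent] = [
    AccessEvent(actor="HQ visitor", employer="holding-company", zone="inside-firewall",
                purpose_disclosed=False, supervised=False,
                touched_production=True, caused_damage=True),
    AccessEvent(actor="local admin", employer="subsidiary", zone="inside-firewall",
                purpose_disclosed=True, supervised=True,
                touched_production=True, caused_damage=False),
]


def audit(policy: List[Rule], events: List[AccessEvent]) -> List[Tuple[str, str]]:
    """Return (rule_id, actor) for every rule that each event violates.

    This is the second test from the post: compare what actually happened
    against what the written policy requires. Events that break no rule
    contribute nothing, however 'inside the firewall' they were.
    """
    findings: List[Tuple[str, str]] = []
    for event in events:
        for rule in policy:
            if rule.violated_by(event):
                findings.append((rule.rule_id, event.actor))
    return findings


def report(policy: List[Rule], events: List[AccessEvent]) -> str:
    """Human-readable audit report, one line per finding."""
    by_id = {r.rule_id: r.text for r in policy}
    lines = [f"{rule_id}: {actor} violated '{by_id[rule_id]}'"
             for rule_id, actor in audit(policy, events)]
    return "\n".join(lines) if lines else "No policy violations found."


if __name__ == "__main__":
    print(report(POLICY, EVENTS))
```

Run as a script it lists three findings, all against the HQ visitor, and none against the local admin who touched the very same production systems from the very same network position. Whether the policy itself is adequate (the first test) is a judgment an auditor makes by reading it against the organization's needs; this code only answers whether observed behaviour matched it.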
How does one go about explaining behavior this bizarre? It requires neither a conspiracy theory nor a temporary shortage of Thorazine.
All it requires is an understanding that everyone in every company acts solely in their own best interests. It’s up to the company’s leaders to ensure their best interests line up with those of the company, and that they understand this alignment.
At a guess, HQ’s secret agent saw a possibility of career advantage from showing up the subsidiary’s IT staff. Viewed in this light, his behavior makes perfect sense: By engineering a situation in which he couldn’t fail to successfully intrude, he can claim to have revealed serious security deficiencies. And because he works at corporate headquarters, he figured he could use his superior access to decision-makers to paint any objections to his behavior by the subsidiary’s IT staff as nothing more than a defensive attempt to cover up incompetence.
I’m speculating, but at least this explains this odd event. Viewed from any other perspective, the behavior of this strange visitor from another city would be incomprehensible.
I take that back. There is one other perspective that would explain it.
Maybe he’s just stupid.
I think I recall reading the original article. InfoWorld? I’m wondering if, after 15 years, it could be revealed where this happened?
I published the original right here, on issurvivor.com. It was after we’d called a halt to Survival Guide in InfoWorld.
You raise important issues, although in the example, I suspect it was more fear on the part of whoever sent in the white hat hacker, than stupidity.
I would suspect that incident was the product of someone with a poor or non-existent background in IT or software development wanting to think outside the box to address a very serious concern. They probably were incompetent to know which outside consultants they should hire for this kind of task, so they found someone who impressed them with their technical expertise, while not having the needed perspective, and let them operate without competent oversight.
If, instead, they had asked an experienced CIO at another company how to address cyber security concerns, the outcome would almost certainly have been constructive. But that requires trust, and if the fear is sufficiently large, the request for help will never be made.
Oh my. This is so close to home it hurts. We had to actually remove many barriers to allow a consulting company to conduct a penetration test from inside the corporate headquarters. Actions such as allowing untrusted devices to use both the wired and wireless networks because they couldn’t get past that first line of defense. It was crazy the many doors we had to unlock to let them continue. Then they presented a very unflattering report to the BOD about our lax security standards. Fortunately, no one at that level actually understood the report and nothing ended up changing. The thousands of dollars wasted on the consultants would have been a pleasant bonus for the guys on my staff doing their jobs well. Sigh.