RTC Group, Inc.

System Security--or Security Blanket?

By: Tom Williams, Editor-in-Chief

Let’s talk about security . . . again. I’m going to need some serious talking down from the rather jaded opinion that has been growing in my mind about the various technologies, techniques, products and claims around system and network-connected security. To put it bluntly, I ain’t buyin’ it.

I have sat through many a presentation that usually starts off with a list of horror stories about break-ins that have happened to critical sites like electrical utilities, water treatment plants, military bases or industrial facilities. To avoid this, the presenters have worked long and hard developing a technology, which, when purchased and properly installed, will allow the customer to sleep the sweet sleep of the just. And there is no doubt that these efforts do result in the discouragement of many attempts to breach security. The question is, however, what level of sophistication and determination are they able to resist before they can be breached?

Also, it appears to me that the kinds of security horror stories we see in such presentations or even hear about in the news are only the tip of the iceberg, because most companies and government agencies are loath to publicize the number and severity of the actual breaches that take place. Could it be that we are already in the midst of some vast global cyber war of which we are only vaguely aware?

We do hear plenty about the exploits of such “amateur” hackers as WikiLeaks and Anonymous because they explicitly publicize their breaches and disseminate the looted data for the world to see. I am assuming that these folks are what could be called volunteers as opposed to actual PhD computer scientists employed and controlled by hostile national governments. However, even at what I am calling the “amateur” level, the breaches have sometimes been breathtaking.

In fact, recently a major security software vendor, Symantec, had to admit that hackers had managed to obtain the source code for its flagship Norton Antivirus security products. Even though the code itself supposedly dated from 2006, and Symantec had to say that users faced a “slightly increased security risk,” that is not the main point. The bigger issue is that a company that bases its entire existence on providing security for a whole industry was itself breached and robbed—by a non-state-supported group named Yama Tough.

I’m sorry, but that is pretty scary.

There is still a truism that access to secure systems depends on three things: what you are, what you have and what you know. What you are involves physical things like fingerprints and retina patterns that uniquely identify an individual. What you have includes things like access cards and keys, and what you know is, of course, access codes and passwords. Even the most sophisticatedly secure system is vulnerable once a hacker has access to these necessary elements.

So hacking, while mostly a technical challenge and endless digital chess game, also has an age-old human element in the form of the disgruntled insider or one who can be turned by the time-tested techniques of the spook community. A well-known example of this is Bradley Manning, who for his own ideological reasons supplied classified data to WikiLeaks. We have no idea how many more of these may be lurking in both government and industrial environments; how many blackmailed or extorted victims there may be who can be moved at a chosen time to provide that one vital key—a key that could unlock the gate to an entire infrastructure like the power grid.

And so we go about our lives and our business under what I have come to consider an illusion of security, while to paraphrase H. G. Wells, “intellects vast and cool and unsympathetic regard us with envious eyes, and slowly and surely draw their plans against us.” For all the testing and mathematical verification and the endless march of PowerPoint slides, we can never be certain of security in the vastly complex digital world we have created any more than we can be sure that a program with 35 million lines of code is bug free.

© 2009 RTC Group, Inc., 905 Calle Amanecer, Suite 250, San Clemente, CA 92673