IT security: still a tangible issue?

Posted by Peter Cochrane on September 5, 2011

Published on

BT’s former Chief Technologist, Dr Peter Cochrane, has penned this comical anecdote to raise awareness of just how easy it still is for hackers and thieves to breach a company's IT security defences. Especially when the back door has been left wide open... 
Security really is an all doors and windows problem
By Peter Cochrane

A while ago I was asked by a company to audit their security systems and wider operations.  From the outset I knew these folks were no slouches technically, and they were well organised and managed.  I had visited their premises many times and had a good sense of how hard this assignment should be.

In my immediate thinking were things like: Will I find anything to report at all?  Will I be able to breach their defences? How tough is this going to get? I needn’t have lost any sleep. Breaking in and finding confidential information wasn’t exactly a walk in the park, but it did involve a walk of some description.

The front entrance of the campus was guarded by a security gate and a contained reception and holding area.  Visitors were fully badged with red VISITOR stripes while the employees had plain blue badges of exactly the same design. All visitors were escorted and had to be accompanied at all times.

At one of my earlier visits I had walked out innocently forgetting to hand in my visitor badge, and there had been no follow up.  So an hour on Photoshop saw me the proud owner of an ‘Employee Badge’ in plain blue, complete with my photograph and ‘fictitious’ reference number.

I started my next visit by driving around the back of the site, and within minutes I had located an unguarded entrance.  

Within 15 minutes I had made a lucky find.  A skip of unwanted IT equipment.  Old PCs, Lap Tops, a printer or two, and an old copier.  Rather than try and remove these off site I took an item at a time to a quiet corner and removed memory cards and hard drives and slipped them into a large buff envelope. All very official looking!

I departed the site the way I had entered, went back to my office and started the forensic investigation.  I also planned my next sortie with a different set of objectives in mind.  And a few days later I was on site again, but this time with a very large travel bag.  My target?  Waste bins and waste sacks!  The on site cleaning staff had done a great job for me and I removed two full sacks of paper waste without being detected.

My final on-site sortie involved walking about open plan offices picking up what I could by observation and by asking people direct questions.  But perhaps most interesting was to just travel on the local intercity train at peak times and look out for people wearing blue security badges.  Just sitting near them was all I had to do as they did all the talking!

So my month long study was completed in three weeks and I was able to start a detailed analysis of what I had gleaned.  Those recovered hard drives and memory cards were full of confidential information including high level reports and commercially sensitive materials.  And that pile of waste paper?  It is amazing what people print and then casually throw away.

Needless to say, I was now in possession of account details, passwords, project names and references, team details including individual responsibilities.  The list of revelations seemed endless and was getting bigger as I digitally probed the company using an established identity and external communication channels.

Like all projects of this kind there comes a point where you have done enough, you have sufficient material to make your point, and more revelations won’t help the case.  So I stopped and prepared my report.

Presenting my findings was not at all easy, but was at least ‘lubricated’ by the fact that no one group could be fingered as being solely to blame.  Just about everyone in the organisation was implicated, and everyone was at fault to a greater or lesser degree.

The really good news was that I hadn’t been engaged by the IT or security departments.  And the key wake up call was highlighting the concentration of money and people on firewalls, eMail, document control systems, unnecessary and ineffective efforts to control people’s use of technology and applications, while at the same time literally leaving the back door open!

This and other security experiences led to my ‘slightly tongue in cheek’ Laws of Security:

1) Resources are deployed inversely proportional to actual risk
2) Perceived risk never equals actual risk
3) Security people are never their own customer
4) Cracking systems is 100-times more fun than defending them
5) Security standards are an oxymoron
6) There is always a threat
7) The biggest threat is always in a direction you’re not looking
8) You need two security groups - one to defend and one to attack
9) People expect 100% electronic security
10) Nothing is 100% secure
11) Security and operational requirements are mutually exclusive
12) Hackers are smarter than you - they are younger!
13) Legislation is (and will always be) > X years behind
14) As life becomes faster and chaotic - it becomes less secure - but the good news is - half-lives are getting shorter too!
15) People are always the biggest risk factor - machines are perverse - but they ain’t devious – not yet anyway!

Security is always an integrated and holistic game, and it is also one that demands a team of defenders and (perhaps most importantly), a much smaller but vital team of attackers.