If there's a law of network security, it is that disasters happen. However, some disasters are worse than others, both because of the causes and the consequences of the error. When the Canadian Air Miles loyalty card exposed subscribers' personal information on an unprotected website directory in 1999, the situation was a horror story both because the privacy of 50,000 consumers was compromised, but also because it was such a stupid error.
"Dumb mistakes are so common, but the problem is that you don't have to be dumb to make a mistake," says Justin Peltier, senior security consultant at Peltier Associates in Detroit. "Once system complexity gets to a certainly level, mistakes are virtually inevitable, and it's the mistake and not the hacker that's going to get you. Even then, defenders have to be right all the time, while attackers only have to be right once."
Although organizations that handle sensitive data -- which is to say, virtually all organizations -- have become more security savvy in the last few years, the cost of network carelessness continues to be substantial. Unfortunately, the kind of perfection that Peltier refers to is probably impossible. Accidents happen, and doors are left open despite the best intentions of even the most security-aware companies.
The biggest security horror story in recent memory was last spring's CardSystems breach that exposed the credit card and bank account information of 40 million consumers. The company dotted all of its information "i's" and crossed all of its technological "t's" but a hacker was still able to get at them. CardSystems "had passed all their audits, so they thought they were okay," says Peter Stapleton, director of Computer Associates eTrust Security Management. "The problem was that the audit was very network oriented; it wasn't an audit of the process vulnerabilities."
CardSystems had to make the effort because of the sensitive nature of its data, but companies that don't deal with millions of credit card numbers can often forget that even their data are sensitive. Together with a lack of technological savvy, that can be a recipe for disaster. Peltier recalls installing a firewall at a Midwestern industrial equipment manufacturer and supplier in 2001. The company was still paper-based at the time, so none of its critical systems were then online.
Three years later, the company had networked virtually all of its processes. Unfortunately, it had left those processes swinging in the digital wind. "The old network administrator had left at that point, and he hadn't given the passwords for the firewall to the new administrator," he says. "As a result, then couldn't configure the firewall, but because they were networking more processes, they just decided to put everything out on the raw Internet."
While the company's vulnerability is particularly horrific because it showed a blatant ignorance of the basic principle of network security, some problems are ghosts in the machine. Some are mundane, like the apocryphal web-based company benefits system that is secured by secure sockets layer (SSL), but allows users to click the browser "back" button to see what had been entered in previous forms.
While that kind of bad code can have catastrophic consequences to the bottom line, Peltier notes that, in this age of "networked everything," ill-considered products and network configurations can lead to profoundly disturbing situations. One of the scariest situations he has confronted, involving a petrochemical company's catalytic equipment, could have been a disaster of truly horrific proportions.
The catalyst featured a network link to the manufacturer to permit periodic monitoring and maintenance. While this was certainly a boon to the company – which could count on an extended warranty and periodic upkeep --- the network connection itself was a potential problem that, fortunately, never materialized. "The manufacturer would come in over the network over an unauthenticated telnet system," Peltier recalls. "That's wide open, and you're not just dealing with a security issue if someone decides to change the equipment's operating temperature. This could have been a bomb!"
Ultimately, the bottom line is that, when dealing with their networks, organizations have to know everything. The testing of new systems and equipment is key, but so too is the attitude toward knowledge. Peltier says that the truly knowledgeable network administrator is the person who keeps asking questions. "The moral is that, if you don't know, ask," he says. "And if you don't know what questions to ask, ask someone who does. No one has all the answers, and there's nothing worse than fake knowledge. Ignorance about your systems will jump up and bite you."