The road to channel hell

Calum MacLeod cuts through the hype to expose certain long-term threats to IT security, and to business itself

Mama, I come to the valley of the rich, myself to sell.
She said: "Son, this is the road to Hell." - Chris Rea

The past several months have been an unending nightmare for the US government and its allies, as one disclosure after another has caused unimaginable damage to relationships, potentially compromising Western security to a massive extent.

We all have our opinions regarding how much government should be allowed to know about what we are doing, or what our entitlement is to full disclosure, but it's probably safe to say that most of us assume that what is done – and how it is done – is ultimately meant for our own good.

This also holds true in business. We trust our employers – up to the point that we discover that our jobs have been transferred to some offshore company, or outsourced to one of the many service providers that appear to offer investors the best RoI.

Although this article primarily intends to look at the IT security implications of the Snowden and Manning affairs, I believe we should ask whether the incessant drive to reduce costs and increase shareholder value will ultimately destroy our economy and our infrastructure.

The days when employees could be sure of long-term tenure are long gone. History suggests that once an organisation becomes dependent on outsourcing and offshoring, it will cease to exist sooner rather than later.

Yet people cost less than technology.

Over the past several years, many have outsourced the day-to-day operation of their IT infrastructure. IT has traditionally been seen as a cost centre, so organisations stand to profit by eliminating the cost of in-house staff and infrastructure.

The competitive nature of the outsourcing business has meant that companies have to offer bottom-dollar pricing to win business, and they in turn try to reduce their own costs.

Frequently work is subcontracted to countries where the labour costs are so low that organisations will not invest in automation technology – because it costs less to hire an army of IT staff.

In many cases, work is carried out in countries where it is neither possible, nor legal, to carry out adequate security screening of staff.

Technology often flatters to deceive.

We live in a society where fame and fortune appear to some to be within everyone's grasp, and the IT industry itself has often been the victim of the corporate get-rich schemes of venture capitalists who invest in technology companies with an eye to an eventual acquisition or public offering.

The result is that far too often, the technology doesn't quite do what it claims on the tin. And in our industry, hype can often prove more important than substance; marketing machines promote nirvana when the reality should be much more sobering.

Meanwhile, staff option plans appear to offer instant gratification and, far too often, the investment is more about delivering a good-looking dashboard – rather than something that is actually useful.

As a result, most organisations end up going the "people" route simply because the technology is not fit for purpose.

This year was the year of advanced persistent threats (APTs), 2012 was the year of BYOD; who knows what acronym 2014 will bring? One thing the buyer can be sure of: whatever the hype is in January, there will be hundreds of vendors claiming a cure.

Don't trust people, especially those you don't know.

Maybe I'm paranoid or a cynic – I've been called worse – but I've never felt entirely comfortable with valet parking.

Maybe there are too many movies where a car blows up on its way to the mechanic's, and I certainly would not hand a stranger the keys to my house when I'm on holiday.

Yet senior management at organisations such as the NSA and many other government and commercial enterprises seem to have no difficulty in handing strangers access to their livelihoods, and national security.

What the NSA has woken up to is that you cannot trust people, regardless of whether, like Manning, they are one of your own, or whether, like Snowden, they happily sold their heritage for a "mess of pottage" – a bunch of global news outlets.

The fascinating thing about both these characters is that a lack of effective automated controls allowed them to abuse their privileges. A five-year-old can access sensitive data if they have the key.

Neither Manning nor Snowden are hacking geniuses – which I'm certain the latter's new employers in Moscow are now discovering.

The first clear step that the NSA has identified is the need to regain control, and rightly so. Today, like never before, infrastructure and businesses are under cyber attack.

An attacker's first move is to attempt to gain privileged access to any part of an infrastructure. Once this is obtained, the attacker can target any and all assets, regardless of value.

To combat this threat, organisations need to automate the management of their privileged access, and this goes far beyond simply controlling an administrative account.

Even in a relatively small infrastructure, there will be an inordinate number of service accounts that have to be continually discovered, managed and propagated, and whose access has to be delegated.

Service accounts are used by services, scheduled tasks, COM/DCOM components, SharePoint, scripts, embedded credentials, and so on.

Continual discovery cannot be emphasised enough. Once anyone is given administrative access to a system, it becomes a simple task to create additional accounts that can later be used as back doors. Installing applications or modifying system registries are also relatively easy ways to create back doors.

Continuous monitoring is absolutely essential. Identifying accounts on systems is not sufficient. As the saying goes: garbage in, garbage out. This also applies to managing privileged accounts.

For example, identifying how many accounts are defined, and removing unnecessary or unused accounts, is a first basic step to ensure that potential back doors are eliminated.
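The discovery loop described above (a baseline of approved accounts, a fresh enumeration, and a review of what appeared or has gone unused) can be expressed as a snapshot diff. This is an added example written for this article, not code from the author or from Lieberman Software; the account inventories are constructed sample data standing in for whatever an agent or directory enumeration would actually return.

```python
"""Continual discovery of privileged accounts by diffing inventory snapshots."""
from datetime import datetime, timedelta

# Constructed sample snapshots: account name -> (is_privileged, last_logon or None).
NOW = datetime(2013, 12, 1)
BASELINE = {
    "svc_backup": (True, datetime(2013, 11, 28)),
    "svc_sharepoint": (True, datetime(2013, 11, 30)),
    "jdoe": (False, datetime(2013, 11, 29)),
    "svc_legacy_report": (True, datetime(2013, 2, 1)),
}
CURRENT = {
    "svc_backup": (True, datetime(2013, 11, 30)),
    "svc_sharepoint": (True, datetime(2013, 11, 30)),
    "jdoe": (False, datetime(2013, 11, 30)),
    "svc_legacy_report": (True, datetime(2013, 2, 1)),
    "support2": (True, None),  # appeared since the baseline and has never logged on
}


def review_accounts(baseline, current, now, stale_after=timedelta(days=90)):
    """Return the findings a review team should act on after each discovery run.

    new_privileged: privileged accounts absent from the approved baseline; the
                    pattern left by an account created as a back door after
                    administrative access was granted.
    removed:        baseline accounts that no longer exist; the baseline must be
                    updated so the next diff stays meaningful.
    stale:          accounts never used, or unused for longer than stale_after;
                    candidates for disabling and removal.
    """
    new_privileged = sorted(
        name for name, (priv, _) in current.items() if priv and name not in baseline)
    removed = sorted(set(baseline) - set(current))
    stale = sorted(
        name for name, (_, last) in current.items()
        if last is None or now - last > stale_after)
    return {"new_privileged": new_privileged, "removed": removed, "stale": stale}


if __name__ == "__main__":
    for finding, accounts in review_accounts(BASELINE, CURRENT, NOW).items():
        print(f"{finding}: {accounts}")
```

Once a run's findings have been reviewed, the current snapshot becomes the next baseline, so each subsequent run only surfaces what changed since the last review.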

When it comes to privileged accounts, an organisation can never expect to automate every process completely, so it is necessary to implement rigorous password and key management as well.

Automated one-time passwords, including the automated splitting of passwords to provide "four eyes" access control, are simply no longer optional. Any large organisation that deals with sensitive data must take more appropriate action.

We face unprecedented attack, on a scale never imagined five years ago. We are not one global happy family befriending all and sundry on Facebook and Twitter. We are targets in a war between powerful and aspiring empires, both in the commercial and international sphere.

We have enemies who are ingenious and determined to win, and we must learn as quickly as possible how to protect and defend what we have worked so hard to create.

You must learn this lesson fast, and learn it well.
This ain't no upwardly mobile freeway.
Oh no, this is the road to Hell. - Chris Rea

Calum MacLeod is EMEA vice president of Lieberman Software