Techno-Exegesis

by Joseph Battaglia

If things were easy, we wouldn't have hackers.  Much of our time is spent tinkering with technology that we don't fully understand - precisely because we want to understand it.  Sometimes, it's because the cutting-edge technology is being tightly controlled by the proprietors' unwillingness to release specifications to open developers.  Other times it's because we have a desire to modify some device or software that doesn't quite do what we'd like it to.  Very often, especially in recent times, it's because we want to understand the systems that are internal to the corporations and organizations which seem to govern much of our lives.  No matter what the end goal of our explorations may be, assumptions about how things work usually guide us until more concrete conclusions are reached.  But how do we know when our assumptions are correct? Many times, it's not so clear.

I recently had the opportunity to work in the Information Security Office for a very large corporation.  It was an tough choice, and most of the work I had done up to that point had been for much smaller organizations.  I was pushed and pulled from all directions when making this decision - from friends claiming that I was somehow "selling out," to others calling me a fool for even considering looking elsewhere.  But I wasn't the only one who had to make a decision; they had their doubts about hiring a hacker as well, and I certainly got my share of "warnings" which no doubt stemmed from common misconceptions of the groups I associate with.  Regardless of any of that, I promised that I would try my best to make it a mutually rewarding experience.

One of the most important security considerations of today is the protection of customer data.  Nobody wants the headlines touting about how their company lost the personal records of millions of customers.  At the same time, business can't stop if nobody's figured out the best way to securely transport data.  As a result, the poor (or simply lack of) mitigating controls that are put in place to pseudo-secure the data don't always work.  That's when it winds up lost or stolen and the company ends up with billions of dollars of liability along with some really, really pissed-off customers.

Meanwhile, we all observe the same mistakes being made time after time, and we're all usually appalled.  We're appalled because these mistakes really shouldn't happen.  Secure transport mechanisms are widely available, and we have little trouble securing our own personal communications - so why can't multi-billion dollar companies do the same?  Worse, we're their customers!  It's our data that's being tossed around cyberspace in the clear!  When that data gets into the wrong hands, we're the ultimate victims! For all we can tell, they're just as technically ignorant as our grandparents.

So we're presented with two vastly different perspectives of the same problem.  Big businesses see information security as one of the greatest challenges they've yet to face, while we see it as a hurdle that should have been cleared a long time ago.  But what if we're making the wrong assumptions?

Getting back to my corporate experience, I started work there in a tiny department which dealt with nearly every security issue faced by the company.  Just a few of us sat at our desks in the corner of the building, pretty well segregated from the rest of the IT department.  They're probably one of the most pleasant groups of people I've yet to work with, but I doubt that others saw it that way.  I'd be surprised if a single business phone call made to our department resulted in the caller hanging up with a smile on his or her face.  These infosec guys were strict as hell, and if something had to enter or leave the office over the network, it was going to do so in a secure manner.  Period.

Without getting into too many technical details, I can honestly say that it's one of the most secure environments I've seen so far.  Everything is locked down, all actions are accounted for, and it's all logged - thousands of log entries per second, all retained.  And yes, it is manageable - I wrote some of the software to sift through it all.  Everything that goes in or out must do so in a manner approved by the infosec department, and the controls are damn strict.  You're not permitted (both technically and politically) to access any resource you don't need for your job function.  You can forget about personal e-mail or chat clients too - most of it is blocked, and what isn't blocked usually gets caught by one of the many IDSes or the Investigations department while sifting through the logs.  As a matter of fact, you're lucky if it gets blocked by the proxy, because if it's not, and you get caught, you're likely to be out of a job sometime shortly after.  Yep.  Seem like a hostile environment?  Well, it is, and I bet many of you wouldn't expect it to be that way.  But this is all typical stuff, and after all, most of the employees are dealing with incredibly sensitive information that needs to be treated in the most responsible manner possible.  That's not to say that there aren't security holes, but it certainly approaches the limit of practicality in a real-world production environment.  So where's the problem?

Well, technically, something that approaches the limit for practicality in a real-world environment isn't always enough.  It's usually possible to find at least one way to outsmart some aspect of even the best security systems.  You've got to be smart, creative, and ambitious to this end.  Most people aren't.  The technical limitations of security systems are far from the biggest threat when the human factor is taken into consideration.  There's a fundamental limitation with all security systems: employees need access to data to do their job.  As such, an authorized employee no longer needs to circumvent any security controls to gain access to said data - the fact the he or she has access to it is an intrinsic part of the entire system.  The human being now becomes the weakest link, and ignorance and morality become the two biggest factors in keeping the company's data safe.

Everybody struggles with morality - it's an arbitrary measure of values, and there are not likely to be many people who share precisely the same views regarding any particular topic.  It's something that's simply left up to human nature, and security in this area is not likely to improve any time soon.  However, ignorance is something we've all played with.  Ignorance can be purposely exploited very easily and is an incredibly convenient way of obtaining information - Social Engineering 101.  Whether you realize it or not, we've all manipulated people into getting something we want, and in doing so were actively exploiting ignorance.  It can also be accidentally exploited.  What an employee does with information once the security framework has done all its work and has authorized access is beyond any technical solution - misplacing printouts, improper disposal of records, etc.  However, they're things that can be addressed with education.  In observing many of the recent stories of data leaks, it becomes obvious that the overwhelming majority of cases involve the exploitation (accidental or intentional) of morality or ignorance, as opposed to that of any technical system.

So where do we go from here? Security is improving, but it seems as though it's becoming time to focus more on the human factor than anything else.  The technical side still needs work, as it always will, but it no longer seems to be the weak point when it comes to the larger entities.  As I've experienced first-hand, financial institutions and other large businesses whose primary focus is dealing with sensitive information seem to have the technical side fairly well taken care of, as much as it may appear to be to the contrary.  The human factor doesn't have a simple solution, though, and therein lies the current challenge.  Educating employees is probably the correct first step, but certainly not the final one.  The challenge of keeping data secure without becoming Big Brother is a tough one, and it seems as though INGSOC may become the new language of the corporate world.  Working for such entities certainly isn't for everyone but it's full of challenges and, if you can accept the restrictions that go along with it, you'll find that it's a great arena in which to test your skills.  It's a new challenge, and we're all hackers.  Let's get to work.