Steve Bale gives his view of the threat of insider hacking.
On 27th November, 1906, escape artist Harry Houdini had himself put in manacles, elbow irons and two sets of handcuffs before being locked in a safe that was sealed shut and then fastened with iron bonds. At a signal from his assistant, the safe was lowered from the Belle Isle Bridge into the freezing Detroit River. From ferry boats that bobbed along the river, an eager press corps, along with thousands of spectators, watched as the sealed safe stayed submerged beneath the icy waters for more than 15 minutes, after which Houdini emerged, in dry clothes, once again having defied the odds of serious injury or death. Eat your heart out, David Blaine.
In the 1940s a conjurer and Houdini acolyte published a book revealing many of Houdini’s secrets. More interestingly, it describes a perspective that has resonance in today’s IT security sector.
Lesson number 1: In any escape, Houdini didn’t leap to the obvious route - that was always more than adequately covered. He searched for ‘The Fundamental Flaw’.
Lesson number 2: He realised that adding more and more layers of locks and bolts didn’t really increase the difficulty at all. It simply diverted attention away from the flaw.
Lesson number 3: Cracking a safe from the inside is far easier than from the outside!
Kevin is a bit of a latter-day Houdini. Kevin? You must know Kevin. He’s an IT network administrator. In fact, he is the essence of almost every administrator. Perhaps your administrator?
He works long, often boring hours doing those necessary IT housekeeping jobs, such as backing up corporate data. If, as so often now, the IT role has largely been outsourced, then although he works for you, he’s not even on your payroll, isn’t even in your building – in fact he may be thousands of miles away on another continent.
Being bored and with little else to do during backups, it doesn’t take him long to find it - The Fundamental Flaw. It’s all inside Microsoft’s operating systems – systems that have evolved from what was originally a single-user system: the legacy of a personal productivity tool, built for ease of use and ease of access in an information environment that is inherently exposed. For all their efforts to secure the PC and its network, 85 percent of corporates report having suffered security violations in the last year alone. And the threat is growing exponentially.
Kevin will also quickly come to terms with Houdini’s second law. More layers of locks don’t make a scrap of difference. All those single sign-on passwords, fingerprint recognition, iris scanning, etc., help keep the company’s corporate secrets secure from just about the whole world – except Kevin. As systems and/or data administrator, he’s the one person entrusted with the keys to board salaries, takeover plans, product research and development, redundancies – you name it, he can read it. And he has so much time to kill.
By now, you will have already realised that Kevin himself is the embodiment of Houdini’s third rule. He’ll be hacking from the inside. It’s too beautiful to be true.
So what’s to be done? Certainly not the knee-jerk reactions Houdini liked to elicit. “I defy the police departments of the world to hold me … I challenge any police official to handcuff me!” Lots of law enforcement officials took Houdini up on his challenge, including the warden of Boston’s Somerset Street Prison - an institution regarded by city police as escape-proof. Houdini was placed in a ground-floor cell and removed all his clothing. The warden clamped the department’s best handcuffs on him, fastening his left wrist high on the cell door and his right one at floor level. He then shackled Houdini’s ankles, locked the cell door and led police witnesses to his office, confident Houdini wasn’t going anywhere. Just 16 minutes later, reporters waiting outside saw Houdini, fully clothed, scale the outer wall of the prison yard, vault over the railing, and jump into a waiting car.
More locks were not the answer then, and the same is true for today’s highly exposed IT environment. For us, the answer could be as simple as encryption (first making sure that Kevin doesn’t have the encryption keys). Encryption is perfectly possible today without the overheads of complexity and time delays for users previously associated with the technique. And, using a ‘vault’ concept, the encryption keys can be stored off-line on smart cards or convenient USB-keyring devices. In fact, this approach offers protection even for the stolen laptop (remember the ‘MOD secrets stolen from parked car’ headlines?). I suspect that Houdini might have been rather delighted by the simplicity of this approach.
The second line of defence is obvious, though very rarely adopted: isolate management of the infrastructure and management of the data from the data itself. Elegantly simple and, today, perfectly achievable.
Steve Bale is CEO of ArmourSoft, provider of The ArmourSoft Active Security Platform (TAASP) – a truly scalable, manageable foundation for enterprise-wide security that is easily deployed and managed.
ArmourSoft is exhibiting at Infosecurity Europe 2004, which is Europe's number one IT Security Exhibition. Now in its 9th year, the show features Europe's most comprehensive FREE education programme and over 200 exhibitors at the Grand Hall at Olympia from 27th to 29th April 2004. www.infosec.co.uk

Date: 16th January 2004. Region: Worldwide. Type: Article. Topic: ISM.