Back in the 1980s, when I was the networking editor at InfoWorld, one of my jobs was to write profiles of corporate networks. One of those profiles was of the Adolph Coors Brewing Company of Golden, Colorado, now known as Molson Coors Brewing. I visited the company’s one brewery at the time, interviewed the head of IT and the top network guy, then asked for a copy of the very impressive network map they had on the wall.
“Sorry, we can’t give you that,” they said. “It’s private.”
“But we always print a map of the company network,” I explained.
“Fine, then make one up.”
And so I invented my own map for the Coors network.
There’s a lesson here, trust me.
Back then there was no commercial Internet. The Coors network, like every other corporate computer network of the day, was built from leased data lines connecting the brewery with sales offices and distribution centers in every state but Indiana at the time. Such networks were expensive to build, and the people who ran them were quite proud of them.
Today we just find a local Internet Service Provider (ISP) and connect to the Internet, a much simpler thing. If we want secure communications we build Virtual Private Networks (VPNs) that encrypt the data before sending it across the public Internet and decrypt it at the other end. We do this because it is easy and because it is cheap.
IT used to cost a lot more than it does today, and cheap Internet service is a big part of why it costs less.
Cheap Internet service also made possible every major corporate security breach, including the big retail hacks and data theft at Target and Home Depot as well as the JP Morgan Chase hack revealed just last week, which exposed the contact information of some 76 million households and 7 million small businesses.
How cheap is IT, really, if it compromises customer data? Not cheap at all.
Forrester Research estimated that last year’s Target hack alone cost the company more than $1 billion. The comparably sized Home Depot hack will probably cost about the same, and JP Morgan Chase is likely to face even higher costs.
Here’s the simple truth: it makes no sense, none, nada, for a bank to send financial transactions over the public Internet. It makes no sense for a bank or any other company to build gateways between its private network and the public Internet. Any PC that sits on both the corporate network and the Internet is a bridge between the two, and whoever controls that PC controls the bridge: the corporate network is only as safe as the least careful host attached to it.
At Target and Home Depot the point-of-sale (cash register) systems were compromised: malware on the registers scraped card data out of memory, the data was collected on an internal server, and from there it was sent back to the bad guys over the Internet. (At Target the attackers got in by the same road, using remote-access credentials stolen from a refrigeration contractor.) Had there been no Internet connection the bad guys could never have received their stolen data.
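Here is what that last step looks like from the defender’s side, as an added example that is not part of the original post. It reads connection records of the kind a store’s internal firewall or NetFlow collector already produces and flags any register in the point-of-sale segment that opens a connection to anything on the Internet other than the payment processor’s gateway. The subnets, the processor address and the sample records are assumptions constructed for the example; a real deployment would feed it the live export and page someone on the first hit.

```python
"""Egress policy check for a point-of-sale network segment.

Added example, not code from the original post.  It reads connection
records (timestamp src sport dst dport proto bytes) and flags any
point-of-sale host that reaches a destination outside the allowlist of
payment-processor endpoints.  The subnet, the processor address and the
sample records are all constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Assumed addressing: the card-data (POS) segment, the RFC 1918 ranges the
# store uses internally, and the only external endpoint a register may
# legitimately reach (the processor's gateway, address and port).
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PROCESSOR_ALLOWLIST = {
    (ipaddress.ip_address("198.51.100.25"), 443),
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one space-separated record: ts src sport dst dport proto bytes."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return Flow(ts, ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto, int(nbytes))


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    # Explicit RFC 1918 membership rather than ip_address.is_private, which
    # also treats the documentation ranges used in the sample as private.
    return any(addr in net for net in INTERNAL_NETS)


def egress_violations(lines):
    """Return flows where a POS host reaches an external, non-allowlisted endpoint.

    Hosts outside the POS segment are someone else's policy and are skipped.
    Internal-to-internal traffic is passed too: the register must talk to the
    store server, so the staging step needs a separate volume check.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = parse_flow(line)
        if f.src not in POS_SEGMENT:
            continue
        if is_internal(f.dst):
            continue
        if (f.dst, f.dport) in PROCESSOR_ALLOWLIST:
            continue
        hits.append(f)
    return hits


def bytes_by_destination(flows):
    """Aggregate outbound bytes per external destination; a register has no
    reason to send megabytes anywhere but the processor."""
    totals = defaultdict(int)
    for f in flows:
        totals[str(f.dst)] += f.nbytes
    return dict(totals)


# Constructed sample records.  The FTP transfers to 203.0.113.77 are the
# pattern described in the text: card data collected on the registers and
# pushed out over the Internet.  10.40.1.5 is an office PC, not a register.
SAMPLE_FLOWS = """\
2014-10-05T02:11:07Z 10.20.3.41 49152 10.20.0.10 445 tcp 2048
2014-10-05T02:11:09Z 10.20.3.41 49153 198.51.100.25 443 tcp 1800
2014-10-05T02:13:44Z 10.20.3.41 49160 203.0.113.77 21 tcp 5242880
2014-10-05T02:14:01Z 10.20.3.42 49162 203.0.113.77 21 tcp 4194304
2014-10-05T02:15:30Z 10.40.1.5 51000 203.0.113.9 443 tcp 900
2014-10-05T02:16:02Z 10.20.3.43 49170 8.8.8.8 53 udp 120
""".splitlines()


if __name__ == "__main__":
    bad = egress_violations(SAMPLE_FLOWS)
    for f in bad:
        print(f"{f.ts} {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto} {f.nbytes} bytes")
    print(bytes_by_destination(bad))
```

Two design points worth noting. The allowlist is keyed on address and port together, so the processor’s own address on an unexpected port is still reported. And the DNS query to a public resolver is flagged on purpose: a register should resolve names through the store’s own resolver, and DNS is a well-worn exfiltration channel when the bigger holes are closed.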
Taking a bank or retail network back to circa 1989 would go a long way toward ending the current rash of data breaches. It is not a guarantee, since an infected laptop or thumb drive carried across the gap still has to be guarded against, but it removes the easy road out. It would be expensive, sure, but not as expensive as the losses Target and the others have just taken.
This is the simple answer, yet few companies seem to be doing it. The reason, I believe, is that professional IT management in the old sense no longer exists at most companies. Public companies especially are so trained to cut IT costs that they’ll keep cutting even as their outfits lose billions to hackers. Besides, those losses tend to be charged to other divisions, not to IT.
Back at Coors they loved that I drew my own incorrect network map, because it made it that much harder for an outsider to learn the layout of their network and steal data. IT people thought about such things even then. Until we re-learn this lesson there will always be network hacks.
Some corporate and government data simply doesn’t belong on the Internet. Why is that so hard to understand?
Makes sense, but I guess it will make a lot of people feel unhappy…
1- Taking a break from work to read your column, or shop in cybermonday, or anything else will be missed (I guess until our phones allow us to do that as comfortably as our desktops).
2- You might always need contact with the exterior: emails, data (I work in an oil company, I need access to journals, partner production and data files, etc…). You are going to need 2 computers, or always need a gateway… maybe a smaller one will be easier to protect…
Of course, my happiness will take a big blow if my credit card is hacked, or the shares I bought plummet due to a hack… I guess we should pick the lesser of the two evils…
You would have dedicated terminal/PC for accessing the secure data and use a separate device for “on-line” communications. Maybe even bring your own tablet/phone. That’s the way it used to be done – the terminal to access the mainframe did just that and only that. A second PC was used for e-mail, etc.
But, Bob, do you know what is behind the leased line?
I worked at a small Telcom company. You could tie our PBXs (not really, but worked with the corporate phone systems) together with a T1 line. The systems would be in sync because T1 line clocks were all in sync. One day at a very large customer with multiple remote sites, the systems stopped being in sync. Why?
Turns out, to save money, the leased line they used between two setups was changed. The line to their buildings looked the same, a T1, but the long haul link had been changed to an IP network.
Would the leased line provider send their customers data over the public Internet? Probably not, but IP networks were designed for open sharing, not for secure transmission. They could, with one wrong cable connection be connected to the real wild west Internet. It is scary stuff.
Buying a true end to end dedicated data connection may not be possible anymore, sorry.
They have to do something more, IPv6 and encrypted authentication everywhere. Even then, there was the incident with rouge hardware inside credit card machines. There are some really smart criminals out there. Now I guess health information is worth more than credit cards.
Doug, the hardware inside the ATM was red? … Oh, I think you meant “rogue”, not “rouge”.
Shut up
Wow, you spotted a typo! You’re almost up to script kiddie level.
Some of us appreciate the comment. As we become more dependent on spell check, we tend to forget the wrong spelling of one word often turns it into another legitimate word, changing the meaning. Hopefully, this will help me avoid rogue roses, when I’m looking for red.
A very interesting idea, but essentially what you’re saying is that you should go back to hosting via the public telephone network a type of data which isn’t necessarily native to that network. And that’s important.
The problem with all of these companies sharing on the internet is that they’re using the same methods to share on the internet. That’s created a vulnerability.
What is needed is diversity of data. If there was a unique method of VPN, or whatever, that each company was piping down the internet it would be hugely difficult for anybody to hack. Rather than going back to an older system, you need simply to talk in a different language to put those walls back up.
Data diversity is what’s required.
What you’ve just described as alternate secret methods of VPN is encryption (the alternate methods part) using security by obscurity (the secret part).
…which is no security at all.
I’ll put my hand up and say I don’t know enough about VPNs.
My point really was that you have to make a system which is essentially alien to the internet and unique. High enough in the ISO model so that the internet can route your data, but low enough that you have your own unique session layer. Effectively having an 8th obscurity layer based on your own unique encryption.
I’m not suggesting that I’ve fully thought this one out!
Rolling your own crypto is a spectacularly bad idea. This falls under https://www.happybearsoftware.com/you-are-dangerously-bad-at-cryptography.html
It depends on what Dr. John means by “8th security layer” and “talk in a different language”. If he means “end-to-end encryption”, using established protocols that use strong encryption and long, complex, passwords, that would be ideal.
There is not now, has never been, and never will be security with magic internal systems having Internet connectivity. Our outfit lost access to management tools last week because of some oopsies with the firewalls. The other color of oopsies must also be quite common. And if TJMaxx didn’t teach folks to NOT provide wifi inside the stores, I don’t know what will.
Anything that connects outside the company is not secure, no matter how many layers of krep you staple on, slowing those fine core i5 computers down to Windows 95 speed.
There is a lot of good common sense in having an internal system, and an external system, and using a really good firebreak or tape-net to move any really important data.
I’m a regular reader, but not an IT professional. I do all my banking online. Are you suggesting that banks cut off all customers? Or that customers should not be doing their banking that way? Not gonna be easy to go back to the 20th century.
Read krebsonsecurity.com regarding online banking.
Good point. I used to manage a private X.25 network over leased lines in the 80’s, that tied together regional offices across the continent. It was lots of fun.
However, how would consumers access their bank accounts? 100,000 modems scattered in all cities, like old Compuserve?
Simple: use VPN or encrypted links for bank customers to manage their account connections and separate, off-the-internet secure networks for all bank-to-bank transfers.
Here in the UK, all customer interactions are encrypted SSL sessions and transfers to accounts outside the bank can only be made to pre-authorised recipients. Critical activities, such as setting up a new transfer recipient or making a high value payment, also require two-factor authentication using your chip & PIN card plus a bank-supplied card reader. High-value interbank payments are made over the CHAPS network, a non-TCP/IP, fault-tolerant and highly encrypted network that is only accessible from member banks and the Bank of England. Lower value payments may either be aggregated and sent over CHAPS or the BACS network, which uses the internet, probably via VPNs, since its transfers are always bank-to-bank. Both CHAPS and BACS offer near-instant transfers.
The US also used to have private interbank networks but, like SWIFT, they only carried messages about money (on CHAPS the message IS the money) and may still work that way since a quick glance shows that they are still ‘next business day’ services. Do they still have private networks or are they using the Internet these days?
Me too (X.25 in the 90s).
Segregating the 2 systems. Spitballing here but: 1) ops system pointing inward. 2) public facing area without bridging the two indiscriminately.
Job would dictate who had access to public systems and none would be dual (internal and external) systems. The cost to the company would be minimal since most employees need the inward-facing access only (facebook surfing not qualifying as a justification). Air gap the 2 systems and do secure data dumps (syncs) through a controlled process without exposing the internal system to full-time public access.
Their customers may not have seconds-accurate data but a PR push explaining why would assuage most concerns.
Reminds me of a story:
At a timesharing company I worked in the data center and we needed to ship a mag tape to another data center electronically. Easier, cheaper, etc. than snail mail. So we had matching proprietary point-to-point com boxes with a leased line.
Whenever we’d (very infrequently) go to use the setup it would be down. Call Ma Bell and they’d say they would run a trace on it. About 30 minutes later the line would come up just fine and then a little later we’d get a call from the Telephone guy saying they ran tests and couldn’t find any problems. Get it??
We figured they were double-dipping the leased line’s use to other customers.
Never ascribe to malice what can be explained as incompetence. 🙂
At one of my old employers, we had a small network of leased lines which crossed all over the country. These lines were in constant use, 24/7, but that didn’t stop the occasional phone tech somewhere from grabbing one of them (since these had no dial tone, they’d just assume that they weren’t in use) and trying to use it for something else. Depending on where it was and who was or wasn’t willing to talk to who (phone techs from one company refusing to talk to phone techs at other potentially competing companies was a real problem after the breakup of Ma Bell), resolving something like this could take minutes, hours, or days.
Even the best air gapped networks get breached. Just ask the Iranians.
Someone somewhere will hook something up that bridges those networks.
There are many best practices to follow, typically of the flavour of limiting access to what is needed rather than having everything/one everywhere having full access. But by definition half of IT departments are below average, and it doesn’t matter what the above average diligent folks do – the bottom half are the ones to drag up.
Something that is often forgotten is audit trails. While it is virtually impossible to prevent everything, it should be possible to keep track of what has happened. That at least allows anomaly detection, figuring out what was improperly accessed, etc. This is one of the more frustrating things about cloud services like Google’s Apps for Business. As an admin it won’t even tell me who accessed which documents and when.
I had a situation once where I was ordered (over my objections and against my better judgement) by upper management to give full access to our entire corporate database to someone who I didn’t trust and who didn’t really need it in order to do their job. So I set up auditing/logging for this user and watched them like a hawk for quite a while. Nothing unusual showed up at first, and eventually I got busy with other things and didn’t watch their logs quite so closely.
Fast forward a few months, and this person gets fired. It was only at this point that we discovered that they had pretty much helped themselves to all of the valuable data in our database, once they’d decided what was and was not of actual value. We never did learn exactly how much of our data walked out the door with them, but we did discover that they’d made a habit of doing this their entire career – walking in the door making big promises about what kinds of magical analysis they could do if just given access to the entire database, then sucking that dry and taking parts of it with them to their next employer, who was usually also a competitor.
We would have taken them to court, except that it turned out that’s one reason why they’d been hired in the first place – because they had access to a treasure trove of competitors’ data! It seems the person who hired them didn’t stop to consider that they would probably do the same thing to us – not until it was too late, anyway, by which point the damage was already done.
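The audit-trail point in the two comments above, as an added example that is not from the original post or any product: the insider in the story had legitimate access, and the audit log was switched on, but it only helped once someone read it. The check below turns the log into something that reads itself, counting the distinct records each user touches per day and flagging any day far above that user’s own median. The record format, field names and the sample log are constructed assumptions.

```python
"""Bulk-access detection over database audit records.

Added example, not from the original post or any product.  Each audit
record is one line: ISO timestamp, user, action, table, record id.  For
every user the distinct (table, record) pairs per day are counted and a
day is flagged when the count is far above that user's median.  The
format and the sample data are constructed for illustration.
"""
from collections import defaultdict
from statistics import median


def parse_audit(line):
    """Split one record; the day is the first ten characters of the timestamp."""
    ts, user, action, table, rec = line.split()
    return ts[:10], user, action, table, rec


def records_per_user_day(lines):
    """Map user -> {day: number of distinct records touched that day}."""
    touched = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        day, user, _action, table, rec = parse_audit(line)
        touched[(user, day)].add((table, rec))
    counts = defaultdict(dict)
    for (user, day), recs in touched.items():
        counts[user][day] = len(recs)
    return counts


def flag_bulk_access(lines, factor=5.0, min_records=100):
    """Return (user, day, count, baseline) for days well above the user's norm.

    baseline is the median of the user's daily counts.  The min_records
    floor stops a user who normally touches 2 records from being flagged
    at 10.  A user whose every day is a bulk pull does not stand out from
    their own history, which is why a new hire with broad access deserves
    a manual look in the first weeks.
    """
    hits = []
    for user, per_day in records_per_user_day(lines).items():
        baseline = median(per_day.values())
        for day in sorted(per_day):
            count = per_day[day]
            if count >= max(min_records, factor * baseline):
                hits.append((user, day, count, baseline))
    return hits


def _make_sample():
    """Constructed audit log: three normal days for two users, then one
    evening on which jdoe reads 4000 distinct customer rows."""
    lines = []
    normal = {"jdoe": (18, 22, 20), "asmith": (30, 25, 27)}
    days = ("2014-09-15", "2014-09-16", "2014-09-17")
    for user, per_day in normal.items():
        for day, n in zip(days, per_day):
            for i in range(n):
                lines.append(f"{day}T09:{i % 60:02d}:00Z {user} SELECT customers {1000 + i}")
    for i in range(4000):
        lines.append(f"2014-09-18T22:{i % 60:02d}:00Z jdoe SELECT customers {i}")
    return lines


SAMPLE_AUDIT = _make_sample()


if __name__ == "__main__":
    for hit in flag_bulk_access(SAMPLE_AUDIT):
        print("bulk access: user=%s day=%s records=%d baseline=%.0f" % hit)
```

Counting distinct records rather than queries is deliberate: the same row read a thousand times is a bad report, while a thousand different rows read once each is an export. The median is used instead of the mean so that the bulk day itself does not drag the baseline up and hide the hit.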
So, I am no IT professional either, just a dumb gear head, but love this column/blog. I learn a lot and enjoy the connection. So here is my take for those more enlightened and knowledgeable than I:
My stepfather has no debit card. Has never used the machine for banking. Does not go online for balance info, etc. When you have plenty, I guess that makes snail mail monitoring and a trip to the branch for cash a safer security existence?? Lots of rich old guys are like that. Our esteemed Jerry J of the D-boys is mocked on sports radio for his flip phone. But does he really need a smart phone? His version of Siri is an actual $50k a year Siri walking talking assistant – he is also known as a cheap B-tard too 😉 But I digress, what I am saying is for the masses, that lifestyle is not a reality. A hundred years ago, there were people who would not put a phone in their house or even a toilet – that was to be done outside the house. But like dinosaurs, most of those people are gone and the Matrix is our future. I cannot imagine what my lovely daughters or Bob’s sticky fingered gaming son will deal with 50 years from now. Hell, same sex marriage is no biggie for me today, but in college I was pretty, pretty conservative, yet TIME keeps marching on. Us dinosaurs of the 70’s and 80’s who still respect privacy and security and values are now part of a changing culture.
Culture shifts on a global scale are affecting and driving the current business and technology identity. Nothing you smart guys don’t know, but for me just this week, I made a personal decision and change: To not really care. To understand my kids will never know the greatness of the 80’s. The conservative technology revolution has morphed into a global liberal explosion. The idea of privacy and safety is changing as more outsiders come to the US and bring their ideas of government. I cannot stop it. I cannot go backwards. I cannot go back to the Commodore 64 and dial up. I can only go forward. Relax and smell the roses. Make smart choices and let time keep on ticking. I am lucky to carry more cash today. If someone steals my stuff, it will super suck, but I can make more, I can move on.
The data breaches are because we are letting the animals of the world win. We have lost our fight – even me. The greatness for me is that I am a US citizen and still have it better than 50% or more than the rest of the world. The data is going to go deeper into our privacy and lives, get more corrupted and eventually controlled by someone outside of the US – we know that is a reality.
My kids have more to worry about than me, but they really do not seem worried and I cannot convince them they should be. Just like Bob is writing here, we all should be more concerned more involved, but we can’t. The monster is out of the box. We can be smart, maybe be like my stepfather or Jerry, if we can afford it. Just live our lives, be insured and carry more cash. Yeah you can get robbed, but what is the difference?
This is probably the worst advice anyone could give and is obviously spoken from the precipice of a life of silver spoons.
I’ll add my own anecdotal frustration with internetworking. Where I work, we accept credit cards for the purchase of our goods, and periodically throughout the day we submit batches of these transactions to our payment card processor (who shall be nameless except for the hint that its parent company is mentioned in Bob’s text above). For years (decades maybe) these batches were sent via modem, using a phone line leased for $15/month. Last year, said payment card processor informs us that for “compliance reasons” modem transfer would be phased out and we had three months to move to their new form of data exchange, which involves sending the data through, guess what, the Internet. (Yes, the data is encrypted, but all we are doing essentially is uploading and downloading files to an FTP site). Never got a straight answer as to how this is more secure than a modem and phone line. I did get a bill from my software vendor for $25,000 in customizations to keep our legacy order processing system PCI compliant.
So, Bob, I agree with you wholeheartedly. The Internet was not intended for this kind of stuff. You’d think, of all entities, the credit card industry would grasp that, but it appears not.
I work in said industry Mo Dem and can tell you that security is looooooow priority. It’s all about making money, cutting costs and hoping that nothing goes wrong.
The US still hasn’t implemented EMV due to the cost and that’s just the tip of the iceberg. I will guarantee you that somewhere in the life of your credit card, that data will be sent unencrypted over the Internet at some stage.
Even before you get your card the data has been all over the Internet as it gets personalised. The Internet is just too damn convenient
Re: “(Yes, the data is encrypted, but all we are doing essentially is uploading and downloading files to an FTP site)” The important point is that the so-called “data” is gibberish to anyone except the intended target (no pun intended 🙂 ) Before the Internet, during the 30 year period from ’65 to ’95 our credit card data was floating around in the clear on slips of paper and plastic. Based on my experience, I’d rather pay my restaurant bill over the internet through Amazon than hand the waiter my card. The internet plus encryption solves the transmission and eavesdropping problems, just not the trustworthiness of the recipient, which has always been a problem.
It’s a great premise and there really is no argument against it. A lot of really, really tech people know all there is to know about IP protocols and VPN and … But the truth is as Bob points out. Don’t send a letter and you can’t have your posted cheque stolen by highwaymen. Don’t use the Internet and people don’t have access to the data.
Realistically we are so 21st-C that going back would be hard because we all take for granted Internet banking and online shopping. The point Joe F makes about Leased Line sharing shows that you’d need to be a pretty big player to get an exclusive line guarantee. Even if you could… Is the infrastructure still there or has it all been shared out among the Internet ISPs because it’s deemed more attractive?
It seems an intractable problem. Have we advanced too far in the wrong direction?
But let’s not forget the human element. At a small Credit Union, our business requires a mixture of locally hosted and remote services. Our employees cannot do their jobs without internet access. However, we take care that they are well trained and understand the implications of using PCs at work that have access to PII and FII data. And they care. Our helpdesk gets a call whenever something unexpected pops up. They are also on the lookout for human-engineering exploits. We (so far) have yet to have one of these escape our notice.
Well paid, well trained, and highly motivated employees make a difference. Every time one of these bricks-and-mortar retailers goes down, I think it is reasonable to suppose that a poorly trained and poorly motivated employee has something to do with it. Odds are, that employee was also poorly compensated.
IT does not live in the crystal palace. We are partners in getting the job done and protecting the interests of both the business and our customers. Getting it done cheaper and better, while maintaining security, is why we get paid the big bucks.
What gets overlooked with this is how much of the IT has been outsourced or offshored in the name of “shareholder value” *cough*. I have always, always said – when you outsource your mission critical business processes, you are giving up control of your business. You are now dependent on a contract written in 1s and 0s on an electronic storage device somewhere that is only as good as the iron oxide or optical media it’s stored on, and you have now added an additional level of managerial bureaucracy to emergency responses. Plus, the contracted company’s employees get their paycheck not from you, but their bosses. And if their bosses say to pull a fast one like Joe F (and I have heard similar stories from many sources in the 1980s), even if it’s a breach, they’re going to listen to them.
And if the breach is noticed, it will still take hundreds of billable hours for a financial settlement, and it may not even be enough to save the business. (Plus there are apocryphal stories of offshored businesses stealing software and data.)
Data can be encrypted at various levels. If a company is relying on the public Internet, then they must do their best that once the data is sent out to the provider, it’s wrapped not only inside VPN encryption, but also more encryption. Data entry terminals need to encrypt before it goes into the LAN, to make packet sniffing harder. The LAN must encrypt before putting it onto the WAN, and the WAN as well, before putting it into the VPN. Yes, that seems like a whole lotta encryption, but triple-decoding takes more time than single-decoding, and you just won’t be able to do it with a bunch of massively parallel 8-core Xeons. (Maybe with a couple of unkneecapped 120-way IBM z/Architecture machines, but a customer buying one of those won’t be secret for long.) And for extra, you could add some data compression before encryption.
It’s more difficult to defend against external physical intrusion, but safeguards can be taken. Internal employee sabotage is the hardest, but if companies start treating them again like human beings and not like cattle (stop calling that department human resources for one), the rate of incidence will be a lot less.
As a pilot, I am frequently asked by non-pilots about what are the risks? My standard spiel is to compare the different risks of automobile driving to piloting a small aircraft. Most mistakes while driving an automobile bring instantaneous consequences: you look down at your phone for a bit too long, a telephone pole jumps out in front of you, and WHAM! The consequences in aviation are much more delayed. An incident may be caused by a decision you made an hour ago, a day ago, a month ago. This is what makes aviation safety such a challenge: human psychology is not very good at connecting actions to consequences separated by a significant amount of time.
I’m wondering if the same sort of disconnect is happening in these data breach cases. IT (or in my experience, company management) is making decisions that put company data at risk, but the decisions are too far removed from the consequences.
Aviation magazines are filled with accounts of accidents, almost accidents, near misses, etc. This is not just lurid copy to sell magazines. The aviation industry has recognized that we need constant reinforcement of connecting actions to consequences as an important factor in improving safety. The current crop of data breaches has garnered a lot of attention, perhaps enough to start making the connection. The biggest risk I fear is a backlash that results not in fixing the problems, but in restricting information about future breaches. By hiding the problem, we may actually do ourselves more harm.
I was once asked about 15 years ago to work on the ATC (Air Traffic Control) system of a major Eastern European nation that was once behind the proverbial iron curtain. When I realized that their entire ATC message system ran on User Datagram Protocol (UDP) I quickly extricated myself out of the project and took a train back to Vienna and never looked back.
Ross brings up a good point. In aviation, a disaster is thoroughly studied and an analysis of what went wrong is published, allowing all to learn from the past. In the case of information breaches, you rarely see anyone (Brian Krebs being the lone exception I know of) generating a detailed analysis of how the breach took place. For a variety of reasons (liability, potential loss of business, plain old fashioned embarrassment) nothing comes out, and no one learns from the mistakes. Would Home Depot, P.F. Changs, and others not have been vulnerable if they had known the lessons learned from Target?
Except when they don’t want you to know what happened. Do you think the crash after 9/11 out of JFK was mechanical failure, or the government just reassuring the public and not revealing it was a shoe bomber? How about Ron Brown’s plane just flying into a mountain, with the guy in charge of the radar found dead before he could be interviewed? TWA 800 going down on Iraqi Independence Day, just a fuel tank explosion?
In cases like that, it’s not important that I know the truth. It’s only important that someone in a position to do something about it knows the truth.
Posted some more analysis today, in fact, regarding the economics behind the Target and Home Depot breaches. See the second half of this story:
http://krebsonsecurity.com/2014/10/seleznev-arrest-explains-2pac-downtime/
I live in Ottawa. The Department of National Defence’s secure network is not attached to the internet. I don’t work for DND, and I don’t know much about their IT infrastructure, but that much I do know. I assume the smarter parts of the Pentagon are the same way.
You’d be dumb not to these days.
The Canadian CSE folks are not dumb and don’t like all their traffic feeding into the SIGINT of their southern “senior partner”, just the traffic they want the yanks to see, unlike the Europeans.
I heard a story many years ago that relates to this….
Apparently the Soviet ambassador to Canada decided that he had such a stressful job that he needed a place in the country to relax. He bought a house on the Ottawa River, about an hour east of the city.
He was required to register every time he went outside the city limits, and someone noticed that, having bought this nice place, he almost never visited it. Someone drove down to look at it, and discovered it had sprouted a lot of antennas. Then they got out a map, and drew a line between DND headquarters in Ottawa and their offices in Montreal. The ambassador’s estate was directly on the line.
I was told that DND resolved the problem by swamping the data channels with so much junk that it was impossible for the spooks to separate out the real stuff.
If you’ve been keeping up with the latest, it seems all you need is a single infected USB thumb drive plugged into the wrong place and you’re toast. Such USB devices are programmable micro-computers in their own right, and can be loaded with mal-ware which is virtually undetectable – or so they’re saying.
https://www.wired.com/2014/07/usb-security/
In my humble opinion, the problem isn’t faulty IT practices. The problem is incompetent or uncaring management that permits (or even encourages) the faulty IT practices. The big boys in mega business firms who mainly care about their undeserved bonuses and stock options will be the death of our high tech civilization.
Sure, it would be secure. It would also be largely unusable. The world economy now depends on interconnected data. If corporate networks were really airgapped from the internet, then every user would have to have 2 or more devices on their desk. One for the corporate network, one for the rest of the universe. Wildly impractical at the very least. And what about companies whose entire business resides on the internet? Amazon, Apple (iTunes), etc, gone w/o a trace apparently?
It’s an interesting idea, but unfortunately it doesn’t work. Access from the public internet is definitely an opening, but these big data breaches didn’t happen because the attackers broke into the VPN like an army with a battering ram. They got in by infecting PCs on the internal network and using them to steal credentials, like a spy inside the fort opening a side door.
Even a small network between two locations has too many points of entry to secure this way. Assume the two locations are connected through a completely secure, completely private leased line that isn’t routed over the internet in the middle… Does either location have wifi? Do any of the employees use laptops they connect to the company network during the day and the internet at night (at home)? Do any of the employees use a flash drive they plug into both a work PC and an internet PC? Does anyone at either location need internet access to browse the web or check their email?
You get the point. And this has been tried. SIPRNET and JWICS are secure networks run by the DoD and are completely separate from the internet. They’ve still been infected by internet viruses, several times. Google “SIPRNET virus” for lots of details.
The real answer is defense-in-depth. Each server AND service must be built to assume it’s under attack. No systems or users can be blindly trusted. This means internal firewalls, packet filters, ratelimiting, auditing, enforcing strong credentials, honeypots, etc.
Unfortunately, all that stuff is really hard and very expensive, which is why no one does it. I think you’ve made this point before — the only way they’ll spend the money is when they’re forced to do so by a law or because it’s cheaper than paying for the consequences.
Networking issues aside, something that I’d like to know (and I have yet to see addressed) is how much of this newly breached data was pulled off of “relatively secure” mainframes vs. “insecure from the ground up” client/server architectures. IIRC, for example, the Target breach was executed as some type of memory search attack against their Windows servers. I’m not sure that you could easily pull off such an attack on a mainframe, if at all.
Where I work we’ve outsourced our IT support to an outside local vendor. One day during a support call, they asked me for my password. “I won’t share it with anyone.” With that they could gain plenary access to all corporate data. When I mentioned this to one of our internal IT managers, he was stunned. “They should never ask for that.” Of course they did, and I had no idea what the policy was supposed to be. It bothers me that we use an outside contractor for core IT functions. It bothers me that they felt they could ask for my password. It bothers me that I hadn’t been told not to give it to them. And it bothers me that there is so much data that we store, which can have no other purpose than to be a repository of personal data for a criminal to steal. Oh well.
We used to call it the DMZ
Folks, I need some citizens of the day info at Keep America At Work.
Thanks,
Virgil
“We sell hammers” was the answer to the IT department from Home Depot’s management. As long as no one understands what’s going on in the server room, there will be continued data breaches.
I worked for a company that ran some web programs for Home Depot. They were good about coming in and doing a pretty decent IT Security inspection of our site and our practices. We got more hassle from them than from the major bank that was sending us the related credit card data (sans card number info, at our insistence.)
There was a post over in the Steam thread about how credit card liability in the EU was with the banks rather than the merchants, and how it changed the attitudes about card security. This was totally true in my experience.
What I find disturbing is after all our history of programming computer language designers still haven’t developed languages that provide DEFAULT defensive language constructs and methods. Why do we still have buffer overrun bugs and SQL injection problems? Why do we still have Windows and Unix operating system zero day exploits? Whatever happened to old-fashioned QA & systems engineering by the OS manufacturer?
It looks like the old saying of you get what you pay for. Low price = weak QA and weak Systems engineering.
There are systems out there which are (theoretically, at least) secure from the hardware up, and have been for several decades now. You rarely hear much about them these days because they are so boring and drama-free. They’re completely un-sexy, too, of course, so the kids don’t want to have anything to do with them, plus they’re “ancient” by modern definitions – hence (theoretically, at least) they’re destined for the graveyard any day now. But instead they just keep on going and going and going …
Very true! The old and unpopular always seems to be ignored and quietly does the job securely. Until recently, the majority of branch retail bank platforms worldwide were OS/2 communicating via SNA.
Security versus convenience.
Repeat, ad infinitum.
You don’t realize the joy this article gives me. This is a matter of giving up control to the carriers and the government snoops, and the law of unintended consequences has made the Internet a Wild West for hackers and other malfeasance. Once you allow physical network access, you have no security. End of story.
One of my most sensitive and secure clients used to have encrypted, secure leased lines between their sites. Because they, not the carriers, controlled timing and the protocols run over the leased facilities they had the carriers over the barrel, so to speak. They could notice every change the carrier did to their lines, including the attempts by the carrier on behalf of the government to monitor their traffic. I even have copies of the government asking for access to their lines, which was never given.
Then came the Internet and the carriers became “service providers” and refused to provide leased lines anymore. Instead of using land lines, they went to bulk encrypted microwave and encrypted satellite links. Today they still run bulk encrypted SNA APPN links which are then session encrypted as well. These links have never been hacked and the systems are still secure. Oh, and the government still keeps wanting access to the data running on those links with subpoenas on almost a weekly basis. In response to the subpoenas, we provide them an encrypted dump (on media they must provide to us) which they then need to de-encrypt by themselves. Their feedback is that only 3 times out of hundreds were they able to decipher the data and only for a few minutes at great cost.
BTW, the internal design guidelines for all federal DHS and FEMA voice facilities in the Washington area still require TDM telephony. IP telephony is verboten in any secure, “life critical”, TSCI information level facility last I did a design in that community. So much for secure IP communications! There is no IP COMSEC, folks.
Expensive indeed.
Cringely is looking only at the cash cost to the Home Depot and other high-profile hacked companies. This does not factor the huge externalized cost to the consumer whose information was stolen.
Negative externalities in IT are an epic phenomenon. “Sure, we can do that, and the cost is half of what you’re paying now”. No brainer, right? Yes the cash cost is low, but the REAL cost (the pilfered IP from cloud storage, the stolen customer lists, the intrusions caused by security problems with the Java Runtime dependency), …those costs are never calculated.
Cloud based accounting? One quarter of our current licensing costs?! What’s the cost including indemnification against consequential damages from a security intrusion? Not cheaper. Not cheaper by far.
So why don’t companies tighten up security?
As in: “Sorry users. We have to do it a harder, slower, less convenient way”.
Here’s one reason: The risk of obsolescence. If your company says NO to cheaper, faster, more cutting-edge, yet riskier solutions, but your competitors say YES to the same solutions, you run the risk of becoming irrelevant because you’re not as agile as they are. You’re not as cheap as they are. Your competitor is more than happy to push YOU out of the space by pushing those RISKS on to the customer (externalized costs) because those liabilities are hidden, and are NOT being accounted for by anyone. We get to thrive if we chuck our customers under the bus? Decision made!
By the way, to the degree that you believe Snowden’s statement that encryption actually works, it’s trivial to create an Internet-based VPN, such that the hosts on the connected subnetworks have precisely zero connection to/from the Internet. Then again, it’s not in any consultant’s interest to set up that kind of solution. It’s cheaper and faster to re-create the cookie-cutter solution they sold to their last customer. Fewer differences means fewer quirks that will end up making the consultant look foolish/fireable. Consultants and for-hire IT personnel will always prefer to keep their job while they happily drive the IT bus right off the cliff. They’ll jump off at the last minute, right onto the next bus. Problem solved.
p.s.
I think it’s EASY to make strategic IT decisions. Strategies abound from armies of consultants.
I think it’s INCREDIBLY HARD to make GOOD strategic, long-term IT decisions because VERY FEW people have the broad and deep skill set that allows them to tell difference. Even fewer have enough skin in the game to have motivational priorities aligned with the organization. That’s a problem.
Indeed, I have never been on a consultancy job where my client has chosen the “Unglamorous, expensive, secure option”. Most CEOs and decision makers I’ve worked with are suckers for whatever the new buzz tech is and if it’s also cheaper, then there is no contest.
Cloud, Internet, VoIP?? Yes please!
Try telling someone these days they should buy servers and leased lines with competent staff to run things. You will be chased out of the building and burnt at the stake. (This actually happened to a colleague of mine)
Unfortunately, “competent staff to run things” seem to be in fairly short supply these days.
Leaving aside all the technology discussion, the other problem has to do with business processes. Most firms have outsourced a lot of their “non-core” business processes. In the case of retail organizations (T J Maxx, Home Depot, etc) this means that credit card payments are performed by third party companies and re-supply to the stores is done by third party logistics companies. These third party logistics folk need to be connected to manufacturers (Procter & Gamble, Johnson & Johnson, Black & Decker, etc etc).
All of this needs close to real time processing.
If the Internet is not to be used as the ubiquitous network of choice (all IP, lots of standard software, lots of network providers) for these disparate companies to connect, what is the “secure” alternative?
One possibility would be for companies to bring ALL these business processes in house and to go back to a completely vertically-integrated company with NO third parties involved……but maybe not!
I work in a lab that handles confidential/secret cryptographic data. I have 2 work PCs. One for email and so on, connected to the Internet. The other, for our test work, not even connected to the corporate network (only a private LAN in our lab). I’m surprised that more companies don’t work like this.
See the comment above about Stuxnet.
The problem, or at least one of them, is people want convenience. What if your company decided that your connections were too close together, since it’s possible to put a 2nd NIC in a computer and connect to both networks at the same time, and they moved your 2nd connection to the opposite wall. This would mean that to compare internal information to external information, you’d have to walk back and forth between the two machines. How long would it be before you bought your own 50′ patch cord and put the two computers side-by-side again?
Yes, you will still be unsecured against a country that uses commandos to physically enter the premises of a company to steal records, as well as having a library of undetected Windows vulnerabilities.
It’s true that this would be feasible but we’re audited fairly regularly and if I got caught doing that, I’d definitely get into trouble.
Of course, in the end, I have to transfer reports from the secure machine to my Internet-connected machine. And how do I do that? Using a pen drive, which as we all know is not very secure at all.
But in terms of general security, this is a setup which at least starts from a good base and forces us to think every time we move a document from the black network to the white.
And today, we learn that Dairy Queen was hacked… but (at least according to the talking heads in the newsroom) “no Social Security Numbers were stolen”. Which begs the question: Why would Dairy Queen have my Social Security Number?
Hey, the DQ Birthday club is big business. They’re not just giving out single free sundaes once a year to anyone, you know. You gots to pony up the data to get the sweet, sweet ice cream treat. Given this background I’m sure you understand their position. (ahem…)
This is exactly how Admiral Adama kept Battlestar Galactica from being hacked by the Cylons! Just sayin’…
Instead of “Too Big to Fail” how about “Too Big to be Safe”. All of these breaches happen because these companies are huge targets (pun intended). If instead of network diversity we had more company diversity we would be safer.
If there were more local discount stores instead of huge global chains, then the amount of data breached would be smaller.
Right now the thieves can either hit one JP Morgan Chase or 1000 small local banks, or one Home Depot instead of 1000 local hardware stores…which is more time/cost effective for the thieves?
This is like the fake street maps of Moscow (to confuse German spies).
Your idea may be cheaper for other, incompetent companies. But we know what we are doing – can’t happen to us.
“Sweet! Home Depot was hacked so we’re good through the end of 2014! Woot!”
You’re suggesting that we air-gap the company’s internal computers from the Internet? Back in 1992 we connected our automation network in a large aluminum plant to the Internet, because that’s where Allen-Bradley had posted software updates for our PLCs, and that’s where a bunch of documentation we needed now lived. I’m sure the need to access the internet is now even larger.
Even air-gapped, people will move stuff to/from the internal network by moving USB sticks between machines. USB sticks have been implicated in many successful attacks.
Your suggestion certainly wakes some of my more senior brain-cells Bob, but I think human behavior would thwart your proposal.
The latest and greatest on USB “security”: https://www.wired.com/2014/07/usb-security/
Interesting. And perhaps this is why Governments are so keen to be able to access data streams and repositories – to more easily find out what the bad guys are doing with all that information and money they’ve stolen. They might argue that if the bad guys are smarter and quicker than they are, they need more brute force tools to catch up with them.
Another interesting thought is that however smart the cryptography is, it’s often the human security that lets people down – filming of PIN entry at ATMs, weak passwords used by celebrities for their naked photos, personal USBs put into an Iranian nuclear facility PC etc. etc.
Meanwhile the ultimate line of defence for financial institutions in risk management may still be that they are “too big to fail”, so when there’s a really huge loss, maybe it’ll be Joe Public who picks up the tab again.
But maybe there is a good business idea here for providing truly private global internetworking facilities…..
Way back when I first got online, I read some of the wisest advice given ever since – “If you don’t want to see it posted on the wall of a public toilet, don’t put it on the World Wide Web!” I absolutely agree with you. Some data just does NOT belong on the Internet. It serves no purpose or added advantage by being there. And it exponentially increases the risks/dangers of the data getting into wrong hands. This morning, I was discussing the recent hack of SnapChat with my son – and telling him that in our days, we shared naughty photos only by showing prints to our friends behind the school or in a quiet street corner – while today’s kids are posting them on the public Internet, albeit on a service that promised they’d be instantly deleted. Well, they weren’t… so whaddya gonna do about it, eh?
The real security problem is responding to everything indiscriminately. For example, in the Target hack, why should the financial records system respond when the contractor’s air conditioning system wants to talk to it? Why should any American retail system respond to a Russian request? And for the peers that a system is allowed to talk to, there should be limits on what sort of communications they are allowed to exchange.
This is bringing the idea of Mandatory Access Control to networked systems.
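The default-deny idea in the two comments above, written out as an added example (not code from the original post or any commenter): a system answers only peers and services on an explicit allow list, so an HVAC contractor segment talking to the finance database, or an unknown external address talking to anything, is denied and logged. The zone names, CIDRs and the event lines are constructed for illustration.

```python
"""Default-deny network policy audit over constructed connection events.

Added example; not part of the original post or comments. Zone names,
address ranges and the sample events below are all constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zones: assumption is one IPv4 CIDR per zone.
ZONES = {
    "hvac_contractor": ip_network("10.50.0.0/24"),
    "pos_terminals": ip_network("10.20.0.0/16"),
    "finance_db": ip_network("10.10.5.0/24"),
    "payment_gateway": ip_network("10.10.9.0/24"),
}

# Explicit allow list of (source zone, destination zone, destination port).
# Anything not listed is denied, so hvac_contractor -> finance_db is denied
# without needing a rule that names it.
ALLOW = {
    ("pos_terminals", "payment_gateway", 443),
    ("payment_gateway", "finance_db", 5432),
}


@dataclass
class Decision:
    src: str
    dst: str
    dport: int
    allowed: bool
    reason: str


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, dport: int) -> Decision:
    """Decide one connection attempt against the allow list (default deny)."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None:
        return Decision(src, dst, dport, False, "source outside every known zone (default deny)")
    if dst_zone is None:
        return Decision(src, dst, dport, False, "destination outside every known zone (default deny)")
    if (src_zone, dst_zone, dport) in ALLOW:
        return Decision(src, dst, dport, True, f"{src_zone} -> {dst_zone}:{dport} is on the allow list")
    return Decision(src, dst, dport, False, f"{src_zone} -> {dst_zone}:{dport} is not on the allow list")


# Constructed flow log: timestamp, source IP, destination IP, destination port.
SAMPLE_EVENTS = """\
2014-10-06T09:12:01Z 10.20.31.7 10.10.9.4 443
2014-10-06T09:12:03Z 10.10.9.4 10.10.5.12 5432
2014-10-06T09:13:40Z 10.50.0.23 10.10.5.12 5432
2014-10-06T09:14:02Z 203.0.113.5 10.10.9.4 443
"""


def audit(log_text: str) -> List[Decision]:
    """Evaluate every non-empty line of a flow log."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport = line.split()
        decisions.append(evaluate(src, dst, int(dport)))
    return decisions


if __name__ == "__main__":
    for d in audit(SAMPLE_EVENTS):
        print("ALLOW" if d.allowed else "DENY ", d.src, "->", d.dst, d.dport, "|", d.reason)
```

The third and fourth sample events are the ones the comment describes: the contractor segment reaching for the financial records system, and an address from outside any zone at all.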
I remember thinking this back on my first paying IT job in ’96. My first task was to re-configure 250 computers to new static IPs so they could connect to the internet.
me: “Why do we want EVERYONES computer on the Internet?”
boss: “This is the future kid, EVERYTHING will be done on the Internet.”
me: “But why do the engineers and drafters need access? That just seems like a security issue.”
boss: “Security issue?!?!? What are you? Some kinda paranoid?”
me: “Well, all our designs are on the server, the engineers and drafters have full access to the files, if their computer is on the internet then the internet has access to our files…”
boss: “Kid! The Lawnmower Man was a MOVIE!”
“The internet isn’t alive, and it don’t care about our designs.”
“Besides, there are maybe 100 men on earth that understand how this all works, and they make so much money they won’t be trying to steal from people!”
Silly me
If that conversation really took place in ’96, I’d agree with “boss” that you were “Some kinda paranoid”.
I still run into this mentality even today.
Why companies like Sony leave their corporate networks connected to the internet is reckless disregard when it is a known fact that any network connected to the internet is vulnerable to attack. They could certainly save money using couriers to transfer files by hand between corporate networks than paying billions in lost profits to cyberhacks. Some say that is not practical. With solid state 1 TB drives it is fast and human couriers are cheap. They deserved what they got, pure negligence.