My normal reading was delayed by Labor Day weekend, so I just got around to a PC Magazine article from the tail end of August on Six Brazen Security Breaches, Courtesy of IT. The examples used by writer Samara Lynn range from funny to downright scary. Overall the article does a good job of highlighting an information security danger that’s all too prevalent today: IT has the keys to the kingdom, but corporate infosec often doesn’t have visibility into what they’re doing.
This brings to mind three staple clichés that we often bat around at Tripwire: one snooty Latin one; one trendy overused one; and one that speaks to the core of everything we do.
- “Quis custodiet ipsos custodes?” Any blog post that quotes Latin is bound to come off as snooty, but this one is particularly germane to the topic at hand. Roughly translated, this means “Who watches the watchmen?” It’s attributed to Juvenal, and while Juvenal was talking about politics, it speaks to the need to have constant, detailed surveillance of your critical IT infrastructure. Surveillance right down to excruciatingly detailed information on who made the change, when it was made, and what elements of the file or configuration were changed. IT is empowered to make changes, but they’re sometimes not the changes we would approve or expect.
- “We eat our own dog food.” This cliché has never been all that appealing to me (ever seen a dog food documentary?) but again it’s pretty germane. At Tripwire we monitor our infrastructure using Tripwire Enterprise, both to detect unapproved changes and to assess our configurations against CIS benchmarks. We’re a relatively small, non-public B2B organization without too many financial records and virtually no storage of credit card data. We therefore fall under very little regulatory governance. But Tripwire Enterprise lets us act as if we need to comply with SOX, PCI, ISO 27001 and CIS, all at the same time.
- “Trust is not a control.” This is at the root of everything we do at Tripwire. You can adopt standards for controlling and hardening IT configurations, but if you don’t frequently assess and realign your configurations you’ve really got no control at all. A variation on this is “Trust but verify.” I believe our IT staff does all they can to harden our systems, but as Mr. Sobotka constantly reminded me in my sophomore geometry class, “Thelander, show your work or I’ll act like you didn’t answer the question at all.”
The annual Verizon Data Breach Investigation Report segments breaches between internal and external actors, and, as one would expect, a much higher percentage of breaches — 85% — is due to external agents than to internal agents like IT staff or even regular non-privileged workers. Most breaches aren’t executed by our buddies. But the PC Magazine article adds interesting context to this data, showing just how painful and narrowly targeted insider breaches can be. I hope I never have to choose between being mugged by a stranger or pick-pocketed by my closest friend. That’s the kind of analogy, though, that the article called to mind.
Read the article, or jump right to this slide show highlighting 6 heinous IT-initiated breaches. I challenge you not to chuckle just a little (in either sympathy or disbelief) at Number Four.
Natalie, Michael, Mike, Miriam, John, John and John and all you other Tripwire IT folk that keep our stuff running on a daily and minute-by-minute basis: we love you to pieces, but we can’t afford to trust you. Please don’t unplug me from the netw —
If you’re interested in learning how to implement a layered security program, check out a new white paper written by Brian Honan: Layered Security: Protecting Your Data in Today’s Threat Landscape.