Microsoft UK Public Sector - Information Governance - Trust me: trust nobody

Trust me: trust nobody


Call him cynical, doubtful or distrusting if you like. Davey Winder won't mind. He thinks that nobody should be trusted and argues you should adopt the same approach if you really care about security.

I have been thinking a lot recently about the strange case of the Twin Twitter worms. Over the course of a weekend, the current geek’s favourite social networking site was attacked by not one, but two worms from the same author. The first publicised his website and the second publicised himself.

OK, now you might be thinking that this guy is obviously an idiot. After all, if you release worm code into the wild you really don’t usually want everyone to know who you are. But that's exactly what he wanted and it’s also exactly what he got. Sadly his plan seems to have worked, as he has been offered employment with a web development outfit as a direct result.

The poacher turned gamekeeper

Now, I apologise if I offend anyone by saying this, but whereas there is at least a smidgeon of credibility in employing a reformed hacker in an IT security role (poacher turned gamekeeper is nothing new in the IT employment market), the same really cannot be said when it comes to giving a job to the author of a worm within days of his attack.

The 17-year-old in question quite plainly told one reporter that he had launched the attack to "give the developers an insight on the problem and while doing so, promoting myself or my website." Sorry, but the way to do the former is to talk to them on a technical level and explain the vulnerability, not launch an attack exploiting it.

While I would hope that you, dear reader, would not dream of employing someone who has demonstrated such a talent for acting irresponsibly, it has got me thinking about trust in the broader sense.

Who do you trust?

That's a question that everyone working in the field of IT security needs to be asking themselves - and also the staff using the networks they protect for that matter. Not just once every few months, but constantly.

Do you trust an organisation because it carries a certain gravitas, because it has a reputation for honesty that marches a few paces ahead of it? Or do you work from the premise that nobody can be trusted and an end-to-end system of security is required to protect users from themselves and network resources from their untrustworthy actions?

The BBC’s ‘Click’ programme team demonstrated the problems with trusting brands unequivocally when (as an experiment) they spammed users with a botnet acquired for research purposes. Some 22,000 computers ended up being part of the BBC botnet, which was then used to launch a carefully controlled Distributed Denial of Service attack against a secure test site. This was made possible because people were prepared to blindly trust the BBC brand. It’s a clever demonstration, and shows in stark reality how the rules of trust are rarely inviolate.

Examining trust across the board

Let’s start with email, then. A recent report by the Online Trust Alliance suggests that 56 percent of leading public sector websites in the US have no email authentication system, and there’s little evidence to suggest that here in the UK we’re any more prepared. The technology enabling email servers to confirm the source of an incoming email is hardly rocket science, yet it appears that many in the public sector are happy to risk their domains potentially being hijacked by phishers.
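To show how simple the "confirm the source" check actually is, here is an added example (not code from the column) that evaluates a constructed SPF record against a sending IP address, the core of what a receiving mail server does once it has fetched the sender domain's TXT record; the domain, record and addresses are hypothetical, taken from documentation ranges.

```python
import ipaddress

# Constructed sample: the SPF TXT record a receiving server would fetch from
# DNS for the envelope-sender domain (hypothetical record and addresses).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    parts = record.strip().split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # no explicit qualifier means 'pass' on match
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail' or 'neutral' for the connecting IP.

    Only ip4/ip6/all are evaluated; include/a/mx need live DNS lookups and are
    treated as no-match here so the example runs offline.
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif mechanism == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default


def has_strict_terminator(record):
    """True when the record ends in '-all' or '~all', i.e. unlisted senders are
    rejected or flagged; '+all', a bare 'all' or no 'all' term leaves the
    domain open to spoofing even though a record is published."""
    terms = parse_spf(record)
    return bool(terms) and terms[-1][1] == "all" and terms[-1][0] in "-~"
```

A domain with no TXT record at all (the 56 percent in the report) never reaches this function, which is the point: a receiver has nothing to verify the sender against.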

How about staff and data integrity? I ask because there have been yet more reports of another ‘confidential-documents-left-on-train’ affair. Sure, you cannot encrypt paper, but what if this had been one of the 1660 laptops, 505 mobiles or 700 other pieces of IT kit that have gone missing from the UK Government since 1997 according to Parliamentary answers revealed by the SNP this month?

Do you trust users not to lose stuff, and, if they do, for their password protected laptops to be sufficient in terms of data security? I hope the answer is “no” in both cases. All users should be treated as forgetful (they will be, and they can’t be criticised for it – it’s human nature). All confidential data must be encrypted. Full stop.

Virtual security

We also need to mention server virtualisation, which is rightly being hailed as a saviour of both the planet and network bandwidth. Do you trust your virtualised regime to be secure? I ask because a YouGov survey shows that 40 percent of IT managers trust it implicitly to be secure, assuming that security was built in at the platform level when it wasn't. Unless you have integrated this kind of technology into your security policy, you are probably asking for trouble.

Microsoft certainly knows a thing or three about trust, and senior security executive Scott Charney has been talking about this, arguing that the Internet itself needs to be more trustworthy and pushing back on anonymity and the lack of traceability. Charney will make the point at the RSA security conference in a keynote speech, but has gone on record in advance of this to state that "too many people do not know what software is running on their machines and often they have malware. They often don't know who they're communicating with, whether an e-mail they've received is spoofed or from some unknown sender even when it appears to come from someone they know. When they visit websites, they don't know if that website is to be trusted or not."

So there you have it, what we need is end-to-end trust. And it has to start at your end, with you. Regular readers of this column will know my advice by rote: protection, education, and constant revision. After all, you can trust me…

About the author

Author, journalist and security consultant, Davey Winder has been writing about security issues for 16 years and in 2006 won the prestigious IT Security Journalist of the Year award.
