Dan Blum, a VP and distinguished analyst, covers security architecture, cloud-computing security, endpoint security, cybercrime/threat landscape, and other security technologies. Mr. Blum has written hundreds of research…

Restricted Zones

by Dan Blum  |  December 28, 2011

“I’m sorry if I’m inconveniencing you and the teachers, but I will not allow a networked computer system to be placed on the ship while I’m in command,” said Commander Adama as I watched the first episode of 2004’s re-imagined Battlestar Galactica series. Immediately, I was hooked.

You see, ever since Gartner’s internal email post-mortems starting in March 2011 after the RSA SecurID breach I’ve been thinking that organizations should be more hard core about internal network security and administration than most actually are.

To understand why, consider this. The RSA breach followed a familiar pattern: intelligence gathering over social networks -> spear phishing email -> exploitation of a Flash vulnerability (delivered inside a spreadsheet attachment) to compromise a company system -> more intelligence gathering from within -> compromise of additional systems -> access to systems with critical data.

It is at least that last link of the chain that I’d like to see our clients cut, by putting any systems with critical data (like the RSA token seed database) into a Restricted Zone. In such a zone, these systems aren’t reachable from the Internet, or even by administrators on the “trusted” internal network using the same endpoints employed in “dirty” email and web surfing environments.

Here I have to stop and give due credit to Gartner colleague Jay Heiser, the first of us to say in one of those internal emails: “As long as people with access to [critical data] are sitting on Internet-routed networks, and are reading email and surfing on the same systems that they use for privileged access, then simple attacks using sophisticated code are going to be commonplace.”

I also have to stop and deal with a few potential objections:

1) “We can’t completely cut off the critical data (e.g. customers lose their account information and call the help desk in a panic).” Understood; provide a single heavily-restricted query service that the help desk can use from a known machine for heavily-monitored and rate-limited access into the restricted zone.

2) “We’re augmenting our endpoint security and anti-malware filtering. That should be good enough.” It isn’t. Time and again, advanced malware has overcome endpoint security. And security departments are getting pressured to reduce endpoint security in the name of consumerization. Endpoint security is a worthy goal, but trying to guarantee that every one of thousands of endpoints is malware-free is like trying to boil the ocean. Don’t fight this losing battle. Don’t let the systems used for email and web surfing in dirty environments have direct access to critical data.

3) “Administrators need to get in and fix the system during an emergency.” Sorry. It’s only an “emergency” if the organization doesn’t hire and train enough administrators so that someone is always available to actually come into the highly secured building, strongly authenticate, log into the highly-secured dedicated administrative console, and manage the system in a secure way.
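To make objection 1 concrete, here is an added example (my own illustration, not code from the original post or from any Gartner or RSA system) of the “single heavily-restricted query service” sketched above. The token database, the help-desk host address, the agent name and the view names are all constructed assumptions. The point it demonstrates is the shape of the control: the caller’s host must be on the restricted-zone allowlist, only pre-defined read-only views can be asked for (never a free-form query), each agent is rate-limited, every decision is written to an audit log, and the view returns the token’s status without ever exposing the seed itself.

```python
# Added example, not from the original post: a minimal restricted-zone query
# gateway. All hosts, names and records below are constructed for illustration.
import time
from collections import defaultdict, deque

# Constructed stand-in for the critical-data store inside the restricted zone.
# Only the gateway process can read it; the seed field never leaves this module.
TOKEN_DB = {
    "000123456": {"customer": "acme", "status": "active", "seed": "4e1f...secret"},
    "000654321": {"customer": "globex", "status": "revoked", "seed": "9b07...secret"},
}


def view_token_status(serial):
    """Allowlisted read-only view: answers 'is this token active?' and nothing else."""
    rec = TOKEN_DB.get(serial)
    if rec is None:
        return None
    return {"serial": serial, "status": rec["status"]}  # seed deliberately omitted


# No free-form queries: the help desk can only ask for views named here.
ALLOWED_VIEWS = {"token_status": view_token_status}


class ManualClock:
    """Deterministic clock so the rate limiter can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class QueryGateway:
    """Allowlist the calling host, allowlist the view, rate-limit per agent,
    and write an audit record for every decision, allowed or denied."""

    def __init__(self, allowed_sources, max_per_window, window_seconds, clock=time.monotonic):
        self.allowed_sources = set(allowed_sources)  # the known help-desk machines only
        self.max_per_window = max_per_window
        self.window = window_seconds
        self.clock = clock
        self.history = defaultdict(deque)  # agent -> timestamps of accepted calls
        self.audit_log = []  # in a real deployment: write-once and shipped off-box

    def _rate_limited(self, agent):
        now = self.clock()
        q = self.history[agent]
        while q and now - q[0] >= self.window:  # drop calls outside the sliding window
            q.popleft()
        if len(q) >= self.max_per_window:
            return True
        q.append(now)
        return False

    def _decide(self, source_host, agent, view, arg):
        if source_host not in self.allowed_sources:
            return ("deny", "source host not in restricted-zone allowlist", None)
        fn = ALLOWED_VIEWS.get(view)
        if fn is None:
            return ("deny", "query not in allowlist", None)
        if self._rate_limited(agent):
            return ("deny", "rate limit exceeded", None)
        return ("allow", "ok", fn(arg))

    def handle(self, source_host, agent, view, arg):
        decision = self._decide(source_host, agent, view, arg)
        self.audit_log.append({"t": self.clock(), "src": source_host, "agent": agent,
                               "view": view, "arg": arg, "result": decision[0],
                               "reason": decision[1]})
        return decision


def run_demo():
    """Constructed traffic: a dirty-network host, an unlisted query, a burst that
    trips the limit, and a retry after the window has passed."""
    clock = ManualClock()
    gw = QueryGateway(allowed_sources={"10.9.8.7"}, max_per_window=2,
                      window_seconds=60, clock=clock)
    results = [
        gw.handle("192.0.2.50", "alice", "token_status", "000123456"),  # deny: unknown host
        gw.handle("10.9.8.7", "alice", "dump_seeds", "000123456"),      # deny: no such view
        gw.handle("10.9.8.7", "alice", "token_status", "000123456"),    # allow
        gw.handle("10.9.8.7", "alice", "token_status", "000654321"),    # allow
        gw.handle("10.9.8.7", "alice", "token_status", "000123456"),    # deny: rate limit
    ]
    clock.advance(61)
    results.append(gw.handle("10.9.8.7", "alice", "token_status", "000123456"))  # allow again
    return results, gw.audit_log


if __name__ == "__main__":
    for r in run_demo()[0]:
        print(r)
```

The gateway deliberately does nothing for objection 3: administrative access is a separate path through the dedicated console, not another view on this service. Note also that the host allowlist only means something if the network itself enforces that no other host can reach the gateway; the check here is defence in depth, not the zone boundary.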

Yeah, I admit it, restricted zones may be a bit more expensive, a bit more inconvenient than business as usual. But breaches are even (much) more expensive and inconvenient. To pull a few more choice quotes from the 2004 pilot episode of Battlestar Galactica:

“You’ll see things that look odd or even antiquated to the modern eye. Phones with cords and computers that barely deserve the name. It was all in the face of an enemy who could infiltrate even the basic computer systems. Galactica is a reminder of a time we were so frightened by an enemy that we literally looked backward for protection.”

Maybe our “Adversary” isn’t as dangerous as the Cylons of Battlestar Galactica, but according to the Vanity Fair article Enter the Cyber-Dragon (and countless other articles about countless other breaches that I could go on all day citing) we seem to be a bit outgunned, at least for now. Let’s face this fact and use restricted zones as a starting point for enhancing the defense.

Let it be like “It’s all hands on in Galactica, Commander Adama’s orders.”
