In this episode of The Deep Queue I explain why I believe the “trusted internal network” is a myth. Many of the problems that I see on consulting assignments would have been prevented by the same security measures I recommend to protect against malicious attacks. The incidents in question, however, are not usually malicious; they are just human error. In most of these cases, the absence of secondary firewalls around Production assets, of defense in depth, and of checks and balances allows a simple mistake to blossom into a full-scale incident with serious financial, and often reputational, damage.
But if companies don’t want to implement security to protect against honest mistakes, perhaps they will if there is a credible outsider threat. In this episode I argue that such a threat is real and to back that up I cite six US DOJ press releases from just the last two months describing malicious corporate network intrusions. The press releases also give us some insight into the state of tools available for cybercriminals and the degree to which the tools have been weaponized.
Links for this episode:
SAN JOSE WOMAN CHARGED WITH FRAUD IN CONNECTION WITH A PROTECTED COMPUTER
http://www.usdoj.gov/criminal/cybercrime/leotiotaIndict.pdf
FORMER IT MANAGER SENTENCED TO PRISON FOR HACKING INTO PREVIOUS EMPLOYER’S COMPUTER SYSTEM AND CAUSING DAMAGE
http://www.usdoj.gov/criminal/cybercrime/barnesSent.pdf
JUVENILE COMPUTER HACKER PLEADS GUILTY
http://www.usdoj.gov/criminal/cybercrime/dshockerPlea.pdf
Multi-Million Dollar Home Equity Line of Credit, Identity Theft and Computer Intrusion Ring Busted
http://www.usdoj.gov/criminal/cybercrime/polkCharge.pdf
HACKER CHARGED WITH PROVIDING DATA THEFT TOOL IN NATIONAL IDENTITY THEFT CASE
http://www.usdoj.gov/criminal/cybercrime/wattCharge.pdf
FORMER MASSACHUSETTS INMATE ARRESTED FOR HACKING PRISON COMPUTER TO ACCESS PRISON MANAGEMENT PROGRAM
http://www.usdoj.gov/criminal/cybercrime/janoskoIndict.pdf
Boffins bust web authentication with game consoles
http://www.theregister.co.uk/2008/12/30/ssl_spoofing/
Hi T.Rob,
This post is bang-on! People don’t realize that what one has with fully patched systems are systems designed to share information, nothing more. In the network, there is no authorization component post-authentication, and people naively believe that authentication can somehow act as some kind of proxy for authorization. This is why protecting data ‘in use’ is so difficult.
This is what we do though. Trustifier technology is counter-espionage technology that adds internal authorization to existing IT networks in the form of access and audit control at the data file level, for all authorized users.
You should drop me a line, because there is a Websense/IBM angle to our story.