Thursday, August 28, 2008

City buses are like desktops

Just yesterday I was sitting on the bus, when we pulled up to a stop where at least 20 people boarded. I happened to be sitting near the rear exit door when I saw a young'ish kid jump through the open door and land in the seat in front of me. I looked around to see if anyone else noticed..apparently they didn't or didn't care to say anything. Then, I looked up at the front of the bus where there were all of the passengers waiting to go through the "security check" where you either scan a card, wave an rfid card, use your traditional boarding pass, or pay with cash. The bus driver, though he has a few mirrors to look in to was fully pre-occupied with the boarding passengers and had no way of detecting the fare thief.

This friends is a compromise of the system, where the system is the bus. All of the good little applications on the system checked in with the bus driver and were deemed acceptable. That one sneaky application jumped in through the exposed hole in the system, and looks just like all of the other applications on the system. I, playing the role of Antivirus or other security technologies inspected, and let it happen. The bus driver, being administrator was too busy with other duties to notice.

There's a saying that it's rarely the things we fear most that kill us. That seems to be the case when it comes to security. That which we armor our systems against is rarely what leads to compromise. In this case, The bus has multiple methods of authentication, guarded and monitored by a human. However, the backdoor of the bus gets opened every time the front door does, so anyone can go out the back door, or come in. My point? Every time you open the door to your system to put new things in it, you increase the potential for compromise by opening a back door.

We build great firewalls, and have operating system security products, and plenty of gee whiz tools, but there's also another saying...
"You as a system administrator can screw up only once", that's all it takes to lead to compromise. All it takes is one misconfiguration, one step in the wrong direction, one rear door of the bus staying open 3 seconds longer than it should, and bam, you've got a compromise on your hands.

Recall the Routine Activity Theory if you will. I firmly believe that RAT defines security incident occurence. Why do security incidents occur?
1) Target of opportunity
2) lack of proper guardianship
3) a motivated offender