The Black Book of Identity Access Mgmt
    Thursday, Dec 08 2011

    Ignorance breeds non-security

    There’s a really lame old joke about two shoe salesmen who travel to Africa. The first one comes back and tells the boss, “It’ll be a great market for us. Nobody there has any shoes.” The second guy tells the boss, “That will be a lousy market for us. Nobody there wears shoes.”

    I ran into this in real life a couple of times. A couple of years ago, in Quebec, I left a meeting with two salespeople who argued all the way to the airport. He said, “We’re in great shape. They have a partner in there who will want the work to install our stuff.”

    SHE said, “It’s a terrible situation. The partner will want to build, so they won’t want the customer to buy.”

    The second time I ran into this was upon leaving a meeting in St. Louis, in which the security crew at the customer didn’t know how LDAP really worked, what groups or queries were, what a bind was, etc. The sales guy told me, “We’re in the driver’s seat. We can sell them anything. They don’t have any security, and they need somebody to lead them by the nose.”

    I disagreed. “There’s no way they’re going to spend a bunch of money based on our say-so,” I explained. “Somebody in that food chain will want some answers before they write a check. I believe they won’t make a move until they know what they don’t know.”

    And twice since this summer I’ve heard a variation on this one:

    “We don’t need additional security. We’ve never been breached.”

    “Never? Hmm. How do you know?”

    “We’ve never seen it happen.”

    “Are you watching for it? Do you know what to look for?”

    “We haven’t needed to. Like we said, we’ve never been breached.”

    Sometimes you don’t know what you don’t know. And what you don’t know might be killing you. A couple of years back, a huge retailer didn’t know what they didn’t know, and in the meantime a sophisticated hacking ring had used a multi-layered hack, a massive Advanced Persistent Attack, to penetrate just about every corner of their IT operation. Very costly, very embarrassing. And in the past year a gaming company lost millions when they were literally brought down for days.

    It’s not always apparent where to put up a defense, or what policies to build. You can put up every kind of defense, sure, but this can lead to two issues: a possible big hit on performance, and keeping out people you want to let in. You also don’t necessarily know WHERE you’re getting hit. On the front end, I employ tools like the Database Firewall or Adaptive Access Manager (both Oracle tools) to see how people are coming in, and to deflect them or send out alerts about possible malicious activity. On the back end, I use things like Audit Vault to let me know that things have happened after the fact (in what’s called near real time), so that I can examine those activities and figure out possible changes to my policies.

    It’s common with Adaptive Access to set it up in monitor-only mode, watch for a few weeks, and build policies based on common usage. You determine your risk level, and defend accordingly. But again, the point here is to learn what you don’t know. Knowing what you need to know is 90 percent of the battle. You can’t fix your problem unless you know you have one, and then have the will to act.
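The “monitor first, then write policy” approach above, and the “are you watching for it?” exchange earlier, come down to one mechanic: learn what normal access looks like during a quiet learning period, then score new logins against that baseline and alert on deviations. The Python below is an added example of that mechanic, not code from the post and not how Adaptive Access Manager or any Oracle product implements it. The log format, user names, IP addresses and timestamps are all constructed for the example; the risk threshold is the knob that corresponds to “determine your risk level, and defend accordingly.”

```python
"""Baseline-then-alert login monitoring (constructed example).

Phase 1 (learning): read a few weeks of successful logins and record, per user,
the countries, source subnets and hours of day that were seen.
Phase 2 (monitoring): score each new login by how many of those learned
attributes it violates and alert when the score reaches a threshold.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed log format (not a real product's format):
#   "<ISO timestamp> user=<name> src=<ip> geo=<country> result=<ok|fail>"
LEARNING_LOG = """
2011-11-14T08:02:11 user=alice src=10.1.4.22 geo=US result=ok
2011-11-14T13:45:09 user=alice src=10.1.4.22 geo=US result=ok
2011-11-15T09:10:33 user=alice src=10.1.4.25 geo=US result=ok
2011-11-15T17:20:00 user=alice src=10.1.4.25 geo=US result=fail
2011-11-14T09:00:47 user=bob src=10.1.7.8 geo=US result=ok
2011-11-16T18:30:12 user=bob src=10.1.7.8 geo=US result=ok
""".strip().splitlines()

# Constructed logins seen after the learning period ended.
MONITOR_LOG = """
2011-12-05T09:15:02 user=alice src=10.1.4.30 geo=US result=ok
2011-12-06T03:40:51 user=alice src=198.51.100.7 geo=RO result=ok
2011-12-06T21:05:19 user=bob src=10.1.7.9 geo=US result=ok
2011-12-07T02:12:44 user=svc_backup src=10.1.9.3 geo=US result=ok
""".strip().splitlines()


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    geo: str
    result: str


@dataclass
class Baseline:
    """What 'normal' looked like for one user during the learning period."""
    geos: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    subnets: set = field(default_factory=set)  # first three octets of the source IP


def parse_line(line: str) -> Event:
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_text), kv["user"], kv["src"], kv["geo"], kv["result"])


def subnet_of(ip: str) -> str:
    return ip.rsplit(".", 1)[0]


def build_baseline(lines):
    """Learning phase: only successful logins define 'normal'; failures are ignored."""
    baselines = defaultdict(Baseline)
    for line in lines:
        ev = parse_line(line)
        if ev.result != "ok":
            continue
        b = baselines[ev.user]
        b.geos.add(ev.geo)
        b.hours.add(ev.ts.hour)
        b.subnets.add(subnet_of(ev.src))
    return dict(baselines)


def score_event(baselines, ev: Event):
    """Return (score, reasons); each attribute outside the user's baseline adds one point.
    A user never seen while learning gets the maximum score outright."""
    b = baselines.get(ev.user)
    if b is None:
        return 3, ["user never seen during learning period"]
    reasons = []
    if ev.geo not in b.geos:
        reasons.append(f"new country {ev.geo}")
    if subnet_of(ev.src) not in b.subnets:
        reasons.append(f"new subnet {subnet_of(ev.src)}")
    if ev.ts.hour not in b.hours:
        reasons.append(f"unusual hour {ev.ts.hour:02d}")
    return len(reasons), reasons


def evaluate(baselines, lines, threshold: int = 2):
    """Monitoring phase: return (event, score, reasons) for logins at or above threshold."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        score, reasons = score_event(baselines, ev)
        if score >= threshold:
            alerts.append((ev, score, reasons))
    return alerts


if __name__ == "__main__":
    base = build_baseline(LEARNING_LOG)
    for ev, score, reasons in evaluate(base, MONITOR_LOG):
        print(f"{ev.ts.isoformat()} {ev.user:<11} score={score} {'; '.join(reasons)}")
```

Run as-is, the learning phase records alice as a US user on 10.1.4.x during business hours and bob on 10.1.7.x; the monitoring phase then flags alice’s 03:40 login from a new country and subnet (score 3) and the never-seen svc_backup account, while bob’s single off-hours login (score 1) stays below the threshold of 2. Lowering the threshold to 1 surfaces bob as well, which is the trade-off the post describes between catching more and keeping out people you want to let in.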
