Armor Is Not Enough for Good IT Security
The value of conventional password policies is doubtful; users will always be the weakest link in IT security. Perhaps it's better to add remediation to the existing arsenal of firewalls, strong passwords and VPNs, and admit that your security measures, no matter how closely they adhere to best practices, can be bypassed by a motivated intruder.
I'm not sure if I learned anything useful from the revelation that someone had compromised Google's Gaia security system last December. Undoubtedly, the company is a prime target; perhaps the only two companies that might be more impressive scores in hackers' ongoing game of capture-the-server would be IBM and Microsoft. On top of that, the way that Google's security was compromised wasn't terribly exciting. Oh boy, an engineer clicked on a link that led to a "poisoned" server; who hasn't done that? Even the most experienced of us have come close to doing something colossally dumb (with apologies to my friend Wayne Rash for stealing his line); I was there several months back, when I almost fell for the old "MacCinema Installer" exploit. Escaping from that unscathed gave me a feeling not unlike driving in the mountains, and hauling the car back on the road after nearly going off a cliff. Adrenaline's a helluva drug, as a cleaner Rick James might have said.
I've spent a good deal of time thinking about security in the weeks since I joined eWEEK's lab crew. That's partly due to being assigned a piece on identity management in the age of SAAS (software as a service), but also resulted from having to cope with a flurry of logins and passwords to various applications and systems; I stopped counting after the first dozen. After the second or third week, I was praying for a universal set of credentials that would just work everywhere. But that beast simply doesn't exist, outside of a James Bond movie; I might as well be asking for a unicorn. (That makes me wonder if Purina Unicorn Chow would be rainbow-colored, but I digress...)