A Stray USB Stick Can Ruin the Strongest Network Security

By Wayne Rash  |  Posted 2011-10-24 Print this article Print

  The fact is that separating the network will not provide security. The most it will provide is the illusion of security, which is a lot worse.  But after a little while people will get complacent, catastrophe will strike, the network will fall prey to the very people it's supposed to protect against, and no one will be ready. After all, the network is secure, so why worry?

The same was true with the Iranian centrifuges. They were not connected to any external network. But when an employee found a USB memory stick in a men's room and plugged it in to see what was on it, Iran lost its nuclear program. Security, it would seem, is fleeting.

Worse, the illusion of security is a trap. By making it seem as if the network or the computer is really secure, the operators or the users will drift away from good security practices and eventually they will plug in that fateful USB memory stick.

While a secure internetwork does have some advantages, the bottom line is that it's only secure as long as all of it is secure. Several federal agencies already know this and are using a highly secure network that allows them to share data. These agencies are usually known by their initials, and every part of them is highly secure. This is why you don't hear about data breaches at the NSA or the NRO. Every part of that network and every person who uses it is secure and cleared for access. They have full background checks. And everyone watches everything they do.

Such a massive security effort on a national, let alone a global scale isn't just impractical, it's probably impossible. Until the time comes when the banks and power companies are run by the intelligence agencies, such a thing will never happen. In some ways it's probably better to live in the wilds of the Internet, know you're in the wilds, and to take precautions and use great vigilance. If you design your systems right, you can minimize damage and slow down attacks.

Henry is correct that attacks against critical infrastructure will become more frequent and the risks are high. But the problem with creating an allegedly secure network is that it won't be as secure as its users think, but in the meantime the attackers will develop better weapons. Ultimately, the real choice is to realize that the world is dangerous and to train accordingly, take precautions and find ways to minimize damage. To pretend otherwise is to ask for catastrophe. 

Wayne Rash Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazineÔÇÖs Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel