A Stray USB Stick Can Ruin the Strongest Network Security
The fact is that separating the network will not provide security. The most it will provide is the illusion of security, which is a lot worse. But after a little while people will get complacent, catastrophe will strike, the network will fall prey to the very people it's supposed to protect against, and no one will be ready. After all, the network is secure, so why worry?
The same was true with the Iranian centrifuges. They were not connected to any external network. But when an employee found a USB memory stick in a men's room and plugged it in to see what was on it, Iran lost its nuclear program. Security, it would seem, is fleeting.
Worse, the illusion of security is a trap. By making it seem as if the network or the computer is really secure, the operators or the users will drift away from good security practices and eventually they will plug in that fateful USB memory stick.
While a secure internetwork does have some advantages, the bottom line is that it's only secure as long as all of it is secure. Several federal agencies already know this and are using a highly secure network that allows them to share data. These agencies are usually known by their initials, and every part of them is highly secure. This is why you don't hear about data breaches at the NSA or the NRO. Every part of that network and every person who uses it is secure and cleared for access. They have full background checks. And everyone watches everything they do.
Such a massive security effort on a national, let alone a global scale isn't just impractical, it's probably impossible. Until the time comes when the banks and power companies are run by the intelligence agencies, such a thing will never happen. In some ways it's probably better to live in the wilds of the Internet, know you're in the wilds, and to take precautions and use great vigilance. If you design your systems right, you can minimize damage and slow down attacks.
Henry is correct that attacks against critical infrastructure will become more frequent and the risks are high. But the problem with creating an allegedly secure network is that it won't be as secure as its users think, and in the meantime the attackers will develop better weapons. Ultimately, the real choice is to realize that the world is dangerous and to train accordingly, take precautions, and find ways to minimize damage. To pretend otherwise is to ask for catastrophe.









