Do you feel powerful? Do you imagine that, were people to know you were an IT professional, they would treat you with respect and fear? As an industry we seem to have created all the data systems necessary to make destroying one’s identity easy.
An article entitled White-Hat Hackers by Dave Watson was featured on the front page of the March 25, 2004 edition of The Georgia Straight, a weekly lifestyle and entertainment newspaper in Vancouver. The article’s subtitle was, “A computer-security expert shows how easy it is to steal into a system.”
Without trying, Watson characterizes the IT industry as either inattentive or emotionally insecure. In the opening paragraph, he draws a scenario in which a server is hacked. During the process, “a record of the [hacking] activities is amassing in a log that the system’s administrator could observe at any time, if he wasn’t down the hall sorting out a problem with installing a spreadsheet program.” Further along, when discussing an external firm performing a detailed security audit, he says IT managers offer resistance to audits, “feeling that questioning the network’s security is actually a criticism of their job performance.”
It’s not that Watson’s points aren’t accurate or relevant; it’s just that implying server administrators have conflicting duties is as helpful as saying it rains in Vancouver. As for feeling criticized, I would like Watson to have The Straight say to him, “Hey, we’re having a Pulitzer Prize-winning writer drop by to review your work; you don’t mind, do you?”
Watson does note that it’s just as easy, if not easier, to hack a company’s systems and facilities without the Internet. People use age-old techniques like lying, stealing, seducing and threatening to gain access to corporate assets. Impersonate an air-cooling system contractor and look around the office for passwords on sticky notes stuck to monitors. Phone up the reception desk and ask for a password. Respond to a personal ad for someone at the company, become intimate and go through their belongings. The possibilities are endless.
Since computer systems by themselves don’t create crime, I have developed formulas that include human factors to calculate risk. Formula 1 states that accessibility to a system is proportional to the security risk. Therefore, Risk = (User Count)^2, the user count to the power of two. Build a system with one user and one password and you have security. Zero users would be completely secure. If you want people to actually use the system, you have a problem because humans are idiots. The existence of Internet scams proves that people are as gullible as guppies. Not only do they not listen; they also enter personal information into unvalidated Web sites, they don’t know how to tell a good site from a bad site, and they have foul habits like taking drugs, eating too much chocolate and watching reality TV.
Formula 2 states that risk increases as a function of the quantity, repetition and sensitivity of the data being collected: Risk = (Sensitivity * Bytes * User Count)^Systems. So if 1,000 people have their nine-digit SIN on file with 10 institutions, and you give SIN a sensitivity rating of 9 out of 10, then you have a Risk of (9 * 9 * 1,000)^10 = 1.216 * 10^49. Now that’s a big, although subjective, number.
Sadly, people want services that require them to provide personal information. Medical benefits, online banking, offline (teller) banking, insurance of all types… the list goes on. This demand is unlikely to go away. Therefore the IT industry must certainly tighten programs and protocols. However, if it is just as easy to breach security by hoodwinking a worker as it is to hack a computer system, we need better humans too.
Ford is an optimist living in Vancouver and can be reached at Robert@quokkasystems.com or www.quokkasystems.com.