Security Illusions
I also worked on a very large software development project for one of the government's more security-conscious departments. They installed an expensive security-oriented menuing system that was supposed to control access to, and track, what system users, including programmers, could run. The technical staff was challenged to try to "break" the menuing system. There was widespread knowledge among the technical staff of multiple copies of a "Trojan horse" program on the system that let any user who knew of its existence change the access controls on any file on the system. Following the challenge, I used the Trojan program to give myself access to the user file which contained passwords and changed the password for the person who issued the challenge. I then informed him of what I had done and how. The response was that what I had done didn't count, and I was told not to do it again.
No steps were ever taken to locate and remove the Trojan horse programs. Other programmers used these to change the name of the program that was run when they logged in. The name looked like the menuing system's initial program, but a zero was substituted for an "O". The program that was actually run was one of the programmers' own devising, which let them roam the system without tracking or restriction.
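The zero-for-"O" trick above works because a reviewer scanning a list of login programs reads the lookalike as the real name. A defender can catch it mechanically by folding visually confusable characters before comparing each user's configured login program against the approved one. The following is an added example, not code from the original article or from the site described; it assumes a flat list of (user, login program name) pairs, one approved program name ("LOGMENU", a constructed name), and a small hand-picked confusable table rather than a complete homoglyph list.

```python
"""Audit login-program assignments for lookalike names.

Added example, not from the original article. It assumes a simple list of
(user, login program name) pairs, such as an administrator might export from
the account database, and one approved program name. The confusable table
is a small hand-picked set, not a complete homoglyph list.
"""

# Characters that are easily mistaken for one another in monospace or
# all-caps listings. Each maps to a canonical representative.
CONFUSABLES = {
    "0": "o",
    "1": "l",
    "i": "l",
    "|": "l",
    "5": "s",
    "8": "b",
    "2": "z",
}


def normalize(name: str) -> str:
    """Fold case and collapse confusable characters to a canonical form."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.casefold())


def classify(program: str, approved: str) -> str:
    """Return 'approved', 'lookalike' or 'unapproved' for one entry.

    An exact match is approved. A name that only matches after folding
    case and confusables is a lookalike (a different file that reads like
    the real one). Anything else is simply not the approved program.
    """
    if program == approved:
        return "approved"
    if normalize(program) == normalize(approved):
        return "lookalike"
    return "unapproved"


def audit(entries, approved):
    """Return (user, program, verdict) for every entry that is not approved."""
    findings = []
    for user, program in entries:
        verdict = classify(program, approved)
        if verdict != "approved":
            findings.append((user, program, verdict))
    return findings


# Constructed sample data (not from the article).
APPROVED_PROGRAM = "LOGMENU"
SAMPLE_ENTRIES = [
    ("alice", "LOGMENU"),   # normal
    ("bob", "L0GMENU"),     # zero for O: lookalike
    ("carol", "LOGMENU"),   # normal
    ("dave", "logmenu"),    # case-only difference: a distinct file on a case-sensitive system
    ("erin", "SHELL"),      # plainly not the menu: unapproved
]

if __name__ == "__main__":
    for user, program, verdict in audit(SAMPLE_ENTRIES, APPROVED_PROGRAM):
        print(f"{user}: {program!r} -> {verdict}")
```

Flagging both "lookalike" and "unapproved" separately matters in practice: the second category is easy to spot by eye, the first is the one that slips past a manual review and deserves a look at who created the file and when.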
The site had procedures that, because of the security setup, severely impeded the technical staff from completing their assigned tasks on time. If the established procedures were followed, specific tasks could not be completed without the assistance of managers who might not be available when needed. Further, managers must have known that staff had workarounds, since tasks were often completed without the manager's assistance.
In retrospect, it's clear that I had broken the real but unofficial security policies by acknowledging the existence of workarounds that made the systems usable. This is a perfect example of attempting to implement a security policy without the support of staff, including managers.
It's also an example of an organization that went to considerable time and expense to provide only the illusion of security. They had all the disadvantages of a secure system (extra costs in both the procurement of security software and its administration, and reduced user convenience, since most users were significantly restricted in how they could use the system) but none of the advantages. It's roughly analogous to installing an expensive home security system but leaving it off all the time because you want to leave your back door open for ventilation.
Copyright © 2000 - 2014 by George Shaffer. This material may be
distributed only subject to the terms and conditions set forth in
http://GeodSoft.com/terms.htm
(or http://GeodSoft.com/cgi-bin/terms.pl).
These terms are subject to change. Distribution is subject to
the current terms, or at the choice of the distributor, those
in an earlier, digitally signed electronic copy of
http://GeodSoft.com/terms.htm (or cgi-bin/terms.pl) from the
time of the distribution. Distribution of substantively modified
versions of GeodSoft content is prohibited without the explicit written
permission of George Shaffer. Distribution of the work or derivatives
of the work, in whole or in part, for commercial purposes is prohibited
unless prior written permission is obtained from George Shaffer.
Distribution in accordance with these terms, for unrestricted and
uncompensated public access, non profit, or internal company use is
allowed.