Posted by: Matt Heusser
Active Directory, iPad, iPhone, ipod, IT
I’ve been running a blog series for 21st Century IT on about how new technology can change the very concept of employment, hiring, and ‘work.’
At the same time, a few things have been happening that give me pause.
Take last week, for example, when ABC News caught an airport security agent stealing an iPod in an Sting Operation. In another segment the same week, ABC News interviewed a former TSA officer, Pythias Brown, convicted of stealing over eight hundred thousand dollars of personal electronic equipment.
How was Pythias caught?
It turned out that he didn’t bother to remove the CNN labels off some cameras he was reselling on eBay.
How Did He Do It?
Most of us have gone through airport screening at one point or another. Think about that process.
You take off every single metal thing you own, stick it in a tray, go through the line, grab your stuff quickly, and run off to catch a plane. Not only are we prone to lose things, but it is likely that when we remember, we are hurtling through the skies at 500 miles per hour in the wrong direction.
If Pythias had any money problems, that provides a motive. The airport screening job gave him opportunity, and the realization that ‘everyone is doing it’ provided in a rationalization.
Motive, Opportunity and Rationalization are three elements of what investigators call the “fraud triangle.” These three are always present in fraud cases; even the psychopath has the rationalization, even if it is “other people don’t matter.”
Now let’s talk about corporate IT.
Back in the Enterprise
During August and September I worked to help create an application for a Fortune 500 corporation; it was actually in the top twenty. The work was contracted to a smaller vendor, that kept project management and some testing in the United States, and outsourced most of the development to a developing nation. I don’t have a problem with that; I logged into a VPN and pulled the source code down and got to work at home.
Now at home, I have physical security; my door is actually physically locked. I did not fly, but I did work a few days at a local co-working facility.
What about those contractors that do fly? Unless they pay equal attention to login and access security as the regular employees, then when their personal devices are stolen, the systems they work on could be compromised. Perhaps not by the TSA Agent, but anyone could buy those devices off of eBay …
For that matter, what about the contractors that have ill intent?
Real security – actual security, not theater – causes inefficiencies in the system. If you bring in a contractor for two months, then his credentials should expire in two months. Renewing the contract should take a formal request and approval process, which, most likely, means the contractor could spend a day or two waiting for access to the system he needs to do his job.
Role-based security, where we only allow people to use what they ‘need’, has the same problem. When the scope expands to include a new database, server, or, sometimes, directory, I need to send a ticket to the help desk for permission and … wait.
Giving everyone all access makes the contractor risk even higher.
How to Fix It
In my case with the subcontracting assignment, all the application really did was create a GUI wrapper for a REST API. My access was to the contracting company’s network, not the parent — so you could argue that someone did a fair amount of risk assessment and threat modeling and came to some reasonable conclusions.
As companies become more extensive, as we talk in terms of extranets, supplier networks, and the extended sales force, we will continue to create subnetworks, sand-boxes, and role based permissions — with a hard look at the company crown jewels, how to protect them … and what to let go.
Thieves will continue to operate out of airports. From a security standpoint, we have the choice of locking down everything, giving away the keys to the kingdom, or making sure that what the bad guys can get doesn’t really matter.
The middle way is going to take a fair bit of real, honest-to-goodness security work.
I wouldn’t have it any other way.