I am no security expert, but I have had the interesting role of sitting through presentations recently from some computer security companies on behalf of organisations at which I hold non-executive roles.
The computer security industry has always slightly surprised me with its seeming obsession with hackers and outsiders breaking in.
While such things are obviously very bad news, as can be seen from recent high-profile cases such as Sony’s PlayStation Network leaks, somehow we seem to miss the reality that a lot of what goes on is not about people breaking in, but carrying stuff out.
These days, it is far less interesting to a bad guy to bug a boardroom when he can get an employee of the target to sell gigabytes of information for a small fee. All firms suffer from wastage as things are carried out by people with legitimate access.
This has not changed since the dockers of the 1920s snuck out with whatever fell off the back of a freighter, but has become easier in the modern world. While hiding a dozen oranges under your jacket was an art-form, walking out with a memory stick is not.
Staff can now carry music players with 60GB storage and, in a few seconds, can download and walk out with millions of customer records or documents while they listen to a suitably themed track such as ‘I Shot the Sheriff’ or the ‘Ballad of Bonnie and Clyde’.
WikiLeaks’ greatest project did not come about because of an army of external hackers, but because of one internal bloke.
I fear the reason we hear so little of this type of activity from the security players is that although it is common, it is hard to stop.
Recently some of the security companies have started pushing endpoint protection or data leak prevention (DLP), the idea being to put some kind of lock on every endpoint.
The theory, which at first sight seems reasonable, is to put a lock on every window and every door. However, we are being asked to do this for the equivalent of a city, and indeed a city where buildings go up and come down rapidly, and sometimes without planning permission.
Such is the reality of the modern IT infrastructure in the era of things like SharePoint.
To take this analogy further, we are asking for the equivalent of a full body search of every Tube passenger at every station exit and entrance, and we would need to know exactly what the thing we are looking for looks like. The city would grind to a halt.
As soon as security measures become too oppressive, people — in order to get their work done — start to go round them in any case, defeating the purpose. Hence the keychain memory stick.
So I was finally gratified to hear one pitch which had a different philosophy. The idea was what I like to refer to as ‘bells in the dark’. Imagine a dark room into which you have placed a series of small bells on stands. No matter how many ways in or out there are, if you hear a bell ring, you know someone is in the room and is up to no good.
The idea is to put false data all around the organisation, for example, customer records that should never be used, and to have the network become intelligent, looking for any of these non-real data elements. When one is seen to fly by, it is the equivalent of that bell ringing.
There should be no reason for that activity, so at that point the user is identified and challenged.
This process produces a series of false positives, but each of those serves a purpose: challenging a legitimate user who is up to no good warns them that the place is booby-trapped and cuts down on trial and error. They can reach the CEO’s expenses by probing, but once they are hauled up and asked why, they realise that the probing itself carries a risk.
Pretty soon people will give up trying to get to stuff they shouldn’t or to download large chunks of data without any good reason, as it becomes too risky. Where are those damned bells?
In the case of a young sergeant with legitimate access who finds a CD burner which does not have a lock on it, it would be the oddity of him accessing a very large number of cable records that would sound the bell.
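The two bells described above, the planted record that no real workflow should ever touch and the oddity of one person pulling a very large number of records, can both be wired into a small detector run over an access log. The following is an added example written for this column; it is not code from the author or from any product mentioned. The log format, the record ids, the user names, the planted locations, the hashing key and the daily threshold of 500 records are all constructed for the demonstration.

```python
"""Added example: a 'bells in the dark' detector over a constructed access log.

Two bells are wired up:
  1. honeytoken access: any read or export of a planted record that no real
     workflow should ever touch;
  2. bulk access: one user touching far more distinct records in a day than
     an ordinary job requires (the sergeant at the unlocked CD burner).
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed secret for the demo. In practice this lives with the monitoring
# system, not with the application that serves the records.
DETECTOR_KEY = b"constructed-demo-key-not-for-real-use"


def token_fingerprint(record_id: str) -> str:
    """Keyed hash of a record id. The detector stores only fingerprints, so
    someone who reads its configuration cannot learn which records are fake."""
    return hmac.new(DETECTOR_KEY, record_id.encode(), hashlib.sha256).hexdigest()


# Constructed honeytokens: fake customer records planted in shares and exports.
# The plaintext ids appear only to build the demo; the detector keeps hashes.
PLANTED = {
    "CUST-900017": "finance export folder",
    "CUST-900042": "EMEA sales share",
    "CUST-900099": "HR archive",
}
HONEYTOKENS: Dict[str, str] = {token_fingerprint(r): where for r, where in PLANTED.items()}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    record_id: str


@dataclass(frozen=True)
class Alert:
    kind: str  # "honeytoken" or "bulk_access"
    user: str
    detail: str


def parse_line(line: str) -> Optional[Event]:
    """Parse 'ISO-timestamp user ACTION RECORD-ID'; malformed lines are skipped."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Event(ts, parts[1], parts[2].upper(), parts[3])


def detect(lines: Iterable[str], honeytokens: Dict[str, str] = HONEYTOKENS,
           bulk_threshold: int = 500) -> List[Alert]:
    """Ring a bell on any honeytoken access, and once per user per day when
    the number of distinct records that user has touched exceeds the threshold."""
    alerts: List[Alert] = []
    seen: Dict[Tuple[str, object], Set[str]] = {}
    bulk_flagged: Set[Tuple[str, object]] = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        fp = token_fingerprint(ev.record_id)
        if fp in honeytokens:
            alerts.append(Alert("honeytoken", ev.user,
                                f"{ev.action} of {ev.record_id} (planted: {honeytokens[fp]})"))
        key = (ev.user, ev.ts.date())
        records = seen.setdefault(key, set())
        records.add(ev.record_id)
        if len(records) > bulk_threshold and key not in bulk_flagged:
            bulk_flagged.add(key)
            alerts.append(Alert("bulk_access", ev.user,
                                f"{len(records)} distinct records on {ev.ts.date()}"))
    return alerts


def sample_log() -> List[str]:
    """Constructed access log: two ordinary users, one who reads a planted
    record, one who pulls a whole day's worth of records, and one junk line."""
    lines = [
        "2011-05-02T09:01:10Z alice READ CUST-100231",
        "2011-05-02T09:01:12Z alice READ CUST-100232",
        "2011-05-02T09:03:40Z bob READ CUST-900042",
        "garbage line that should be ignored",
        "2011-05-02T10:15:00Z carol EXPORT CUST-100500",
    ]
    lines += [f"2011-05-02T13:{i // 60:02d}:{i % 60:02d}Z dave READ CUST-{200000 + i}"
              for i in range(1200)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(f"[{alert.kind}] {alert.user}: {alert.detail}")
```

The detector never needs to inspect the content of what is being read, only the identifiers passing by, which is what lets it sit on the network rather than on every endpoint. Keeping only keyed hashes of the planted ids means the list of bells is not itself a map of where the bells are. The threshold is deliberately crude; in practice it would be set per role from observed baselines, and the false positives it generates are the challenges the column describes.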
There is no panacea for such things, but a philosophy that says you will lock every door and every window in an organisation that employs more than a few hundred people may lead to an illusory sense of security that lets you labour under the misapprehension that nothing can go wrong. Indeed, although the ‘bells in the dark’ model cannot offer that utopian perfection, in practice it’s a model that seems more realistic to me, given the modern, living IT infrastructure.
This means our thinking has to shift, our networks will need to become more intelligent and we will have to put time and thought into setting out the bells. Perhaps the security players of the future will be the network companies? Anyone for some nice oranges… fresh off the boat?
Mike Lynch is the founder and CEO of UK software company Autonomy