Fortress mentality fails


Tyler Hamilton

Why should protecting a computer network be any different than securing your home, the neighbourhood jewelry store or the local bank? It's a simple question, one that computer security expert Bruce Schneier posed to his audience during a seminar in Toronto last week.

As far as Schneier is concerned, most companies miss the mark when it comes to computer security. They treat their networks like a village fortress, where the good guys hide behind a large wall —— a software firewall —— created to keep out the bad guys. The dangerous assumption here is that all the good guys really are good guys. It doesn't address the problem of rogue employees, or the fact that mistakes do happen, or what happens when the wall crumbles.

"Everyone is trying to regain a fortress around their computer centre," said Schneier, adding that much of the security technology on the market these days either creates these fortresses or attempts to plug up their holes. "This is failing miserably." Schneier, founder and chief technical officer of Counterpane Internet Security Inc. in Cupertino, Calif., said organizations have to view networks in the context of modern-day communities, where good and bad folks mingle together and where threats lurk around every corner. A place is unpredictable, as are the people in it —— this remains true whether there's a wall around it or not.

For this reason, cities call for multiple levels of security, requiring a combination of people (security firms, the police, firefighters, health-care workers), processes and procedures that technology alone can't provide. Schneier says the same thinking should apply to networks. Cure-alls such as firewalls or encryption can't do it all. He didn't always hold this view. Schneier, a veteran cryptographer, once held the belief that all security and privacy concerns could be solved through mathematics and the application of encryption technology.

It's a view he espoused in his classic work Applied Cryptography, published in 1993. But he had a change of heart in the late 1990s after realizing that technology is prone to failure and encryption offers no guarantees. This led to his book Secrets & Lies, published in 2000, which he wrote to "partly correct a mistake" —— his belief at the time that cryptography was the great "technological equalizer," capable of giving a person with a cheap computer the same security as the National Security Agency.

"It's just not true," he wrote. "Cryptography can't do any of that . . . cryptography doesn't exist in a vacuum." He repeated this message last week in Toronto, emphasizing the important role that we humans play in this complicated equation. "Automated security is flawed," he said. "Only humans can react to new situations and threats."

Take your home. Is locking the doors and windows enough these days to keep out burglars? A locked door might be a slight deterrence, but once somebody decides to break through, then what? The same can be said for a home security system. When the window is broken and the alarm goes off, what's stopping the thief from taking your stuff? The answer is "people." Somewhere in a security strategy there must be a human, 24 hours a day, who can be notified of a situation, who can analyze it, and who can respond accordingly. It may be the owner of the house, aided by a 24/7 home security firm hired to monitor all alarms. The ultimate backup is the local police or fire department.

It's not enough to try to prevent an attack or break-in. An assumption should be made that one is possible —— and likely —— turning attention to response. "What matters at the moment of the attack is who is defending you?" In this regard, Schneier says there hasn't been much change with respect to the terrorist attacks on Sept. 11 and promises to beef up security in the aftermath.

"There's a whole lot of smoke and not a lot of actual stuff being done," he says. "I've heard a whole lot of rhetoric, a whole lot of companies saying `Buy my technology and it will magically make you safe again.' "In our society it's very much give me the pill that will make me better. Give me the technology and make me safer. We want to go to the store, put down a credit card and buy the answer. And, unfortunately, the answer is more complicated than that."

Touching on the topic of airline security, he said it won't be facial recognition software and fancy scanners that will save the day, nor will it be increased government surveillance, more data-gathering by the FBI or a move to centralize all government databases. "The two most effective security measure post-9/11 is reinforcing cockpit doors and teaching the passengers to fight back," he said.

The latter point refers to the passengers on the United Airlines flight that crashed in Pennsylvania. After learning that two other planes had been hijacked and crashed into the World Trade Center, they altered their behaviour to meet the demands of a situation. Normally, passengers are inclined — indeed, they are told — to remain calm until a hijacked plane is safely landed, which happens most of the time.

This is likely what the passengers of the other three jets were thinking. Those on the fourth jet adapted, based on new information. "It's a perfect example of the human consciousness reconfiguring itself live, in real-time to a new threat," said Schneier. "If that was a software change, it would still be in beta now."

The fourth plane did crash, but the actions of those brave passengers likely prevented many more deaths. An assumption was made at the time that damage had already been done. The reaction was to minimize the damage. Network security needs the same approach. Companies should start thinking less about protecting their networks 100 per cent of the time, and start thinking more what they would do if their networks were breached.

"Complex systems are insecure, and that's not going away," said Schneier. (The Toronto Star)