If there's a law of network security, it is that disasters happen. However, some disasters are worse than others, both because of the causes and the consequences of the error. When the Canadian Air Miles loyalty card exposed subscribers' personal information on an unprotected website directory in 1999, the situation was a horror story both because the privacy of 50,000 consumers was compromised, but also because it was such a stupid error.
"Dumb mistakes are so common, but the problem is that you don't have to be dumb to make a mistake," says Justin Peltier, senior security consultant at Peltier Associates in Detroit. "Once system complexity gets to a certainly level, mistakes are virtually inevitable, and it's the mistake and not the hacker that's going to get you. Even then, defenders have to be right all the time, while attackers only have to be right once."
Although organizations that handle sensitive data -- which is to say, virtually all organizations -- have become more security savvy in the last few years, the cost of network carelessness continues to be substantial. Unfortunately, the kind of perfection that Peltier refers to is probably impossible. Accidents happen, and doors are left open despite the best intentions of even the most security-aware companies.
The biggest security horror story in recent memory was last spring's CardSystems breach that exposed the credit card and bank account information of 40 million consumers. The company dotted all of its information "i's" and crossed all of its technological "t's" but a hacker was still able to get at them. CardSystems "had passed all their audits, so they thought they were okay," says Peter Stapleton, director of Computer Associates eTrust Security Management. "The problem was that the audit was very network oriented; it wasn't an audit of the process vulnerabilities."
CardSystems had to make the effort because of the sensitive nature of its data, but companies that don't deal with millions of credit card numbers can often forget that even their data are sensitive. Together with a lack of technological savvy, that can be a recipe for disaster. Peltier recalls installing a firewall at a Midwestern industrial equipment manufacturer and supplier in 2001. The company was still paper-based at the time, so none of its critical systems were then online.
Three years later, the company had networked virtually all of its processes. Unfortunately, it had left those processes swinging in the digital wind. "The old network administrator had left at that point, and he hadn't given the passwords for the firewall to the new administrator," he says. "As a result, then couldn't configure the firewall, but because they were networking more processes, they just decided to put everything out on the raw Internet."