SAN FRANCISCO–Security is hard and getting it right all the time is nearly impossible. But many of the mistakes that people make are simple, avoidable ones that can lead to serious intrusions and major network compromises.
“Maintaining network defenses by hand is difficult,” Mike Lloyd, chief scientist at Red Seal Systems, said in a talk at BSides San Francisco Monday on how easily common networking and security errors can turn into large incidents. “The problem is that we’re trying to automate this process and we’ve spent decades trying to figure out the right questions to ask and the right way to point software at the problem.”
Lloyd said that even the smartest networking and security teams make errors and that those mistakes can sometimes go unnoticed for years, even through professional audits and network redesigns. In one example he discussed, a large company in the United States had a connection to a foreign partner that was meant to allow the company to reach one specific service on one port on the partner’s network. Unfortunately, the connection was configured improperly: it allowed the intended connection, but it also allowed the partner to connect to any port on the U.S. company’s firewall by way of that same port on the partner’s side.
“I do this for a living and it took me and the geek on the company’s team a long time to figure this out,” Lloyd said. “It came down to one keyword that they forgot in one rule. I looked at it four times before I figured out what the mistake was.”
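The failure Lloyd describes is a rule that is broader than the rule someone meant to write, and the fix he points to is automated checking rather than reading printouts. The following added example (not from the talk, RedSeal, or the company involved) shows the shape of such a check: it parses rules in a deliberately simple, constructed grammar, and compares each deployed rule against the narrower rule it was supposed to implement. The rule syntax, the documentation-range addresses and the port numbers are all assumptions made for the example; the "forgotten keyword" here is the `port` clause, which is one possible reading of the story, not the specific keyword from the talk.

```python
"""Compare deployed firewall rules against the narrower rules they were meant to be.

Added example: the grammar, hosts and ports below are constructed for
illustration and are not any vendor's syntax or the network from the talk.
"""
import ipaddress
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    dport: str    # "443", "8000-8080" or "any"


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed grammar:
         allow|deny <proto> from <src> to <dst> [port <dport>]
    Leaving out the port clause matches every destination port, which is
    the kind of one-keyword omission that is easy to read straight past."""
    tokens = line.split()
    if len(tokens) not in (6, 8) or tokens[2] != "from" or tokens[4] != "to":
        raise ValueError(f"unparseable rule: {line!r}")
    action, proto, src, dst = tokens[0], tokens[1], tokens[3], tokens[5]
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action in rule: {line!r}")
    dport = "any"
    if len(tokens) == 8:
        if tokens[6] != "port":
            raise ValueError(f"unparseable rule: {line!r}")
        dport = tokens[7]
    return Rule(action, proto, src, dst, dport)


def _network(spec: str) -> ipaddress.IPv4Network:
    # "any" is treated as the whole IPv4 space.
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def _ports(spec: str) -> range:
    # Single port, inclusive range "lo-hi", or every port for "any".
    if spec == "any":
        return ALL_PORTS
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)


def excess_of(deployed: Rule, intended: Rule) -> list[str]:
    """Describe everything `deployed` permits that `intended` does not.
    An empty list means the deployed rule is no broader than intended."""
    findings = []
    if deployed.action != "allow":
        return findings  # a deny rule cannot over-permit
    if deployed.proto != intended.proto:
        findings.append(f"protocol: {deployed.proto} (intended {intended.proto})")
    if not _network(deployed.src).subnet_of(_network(intended.src)):
        findings.append(f"source: {deployed.src} (intended {intended.src})")
    if not _network(deployed.dst).subnet_of(_network(intended.dst)):
        findings.append(f"destination: {deployed.dst} (intended {intended.dst})")
    dp, ip = _ports(deployed.dport), _ports(intended.dport)
    # Both are contiguous ranges, so a bounds check is a superset check.
    if dp.start < ip.start or dp.stop > ip.stop:
        findings.append(f"destination port: {deployed.dport} (intended {intended.dport})")
    return findings


def audit(pairs: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Given (deployed_line, intended_line) pairs, return only the rules that
    are broader than their stated intent, keyed by the deployed rule text."""
    report = {}
    for deployed_line, intended_line in pairs:
        findings = excess_of(parse_rule(deployed_line), parse_rule(intended_line))
        if findings:
            report[deployed_line] = findings
    return report


# Constructed sample: the partner link as it was meant to be, and as deployed
# with the port clause forgotten.
INTENDED = "allow tcp from 203.0.113.0/24 to 198.51.100.10 port 443"
DEPLOYED = "allow tcp from 203.0.113.0/24 to 198.51.100.10"

if __name__ == "__main__":
    for rule, findings in audit([(DEPLOYED, INTENDED)]).items():
        print(rule)
        for finding in findings:
            print("  over-permits ->", finding)
```

The useful property of this check is that it does not rely on a human noticing an absence: the missing clause becomes a concrete "intended 443, deployed any" finding, which is the waddle-and-quack signal Lloyd describes rather than a search for the rule's DNA.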
Lloyd went through a number of other experiences with customers over the years, all with one common theme: simple, preventable mistakes that led to serious problems.
“These are smart people who know what they’re doing, who build good networks and understand how to do it,” he said. “They’re not idiots. We need to start looking at the problem differently. If you want to hunt a duck, you don’t do it by looking for the duck’s DNA. You start by looking for things that waddle and quack.
“Mistakes hide in plain sight and humans don’t do very well at checking for them. The approach in the past has been to cover a table an inch deep in printouts of firewall rules and get everyone in the room to read through them. That doesn’t work.”