Doing security at a university is both interesting and scary. Because you have to provide both an open environment for research and instruction, and enterprise level security for the business of the university, you really need to think way outside of the boxes that are available on the market.
It occurred to me that many of the security breaches that we see today could possibly have been stopped or mitigated by adopting some of the features used in the security model of an open network. In this model, you need to assume that every machine on the network can be a bad guy, and each and every computer needs to defend itself from the computer next door.
The assumption in many enterprise environments is that we can keep the bad guys out by buying all of these really cool boxes that look at incoming traffic and block the bad stuff. The assumption is that everything inside of “The Wall” is safe and secure, because we have a REALLY big wall (please ignore the doors and windows).
I often think about this when I’m watching a movie with big battle scenes and the hordes are attacking the castle. There is a big wall, sometimes with a moat, and they bring their ladders and catapults and attempt to break in. Once the airplane was invented, moats and big walls became ineffective. You no longer see castles with walls and moats being built.
In the early days of computer security, everyone had big firewalls to keep out the hordes, and they worked somewhat, because the prime way to break in was using buffer overflows or network bugs. Those days are really over. Now the best way to break in is social engineering. All you have to do is send some really well-worded spear phishing emails or leave a few dozen thumb drives (at least 8gigs) in the parking lot of your Target (pun intended) and you’re in.
Our system was designed around the idea that we need to protect the world from Columbia – and to do that, we look at what is leaving our network, searching for behaviors that indicate a compromised machine. The machine is removed from our network and the owner is required to rebuild it. This usually triggers the owner to learn all about security.
Another system we built looks at all authenticated logins, searching for accounts connecting from more than 5 ASNs or 2 countries in the last 72 hours. These are then analyzed based on the speed of modern aircraft (since transporters are not generally available yet). If someone logs in from both the USA and China in less than 14 hours, we shut the account down and require a password change.
I am not saying that everyone can solely use these techniques to protect their systems, but it might make sense that by looking at these indications of a problem, we may be able to reduce some of the incidents we keep reading about.
So, when you walk into work tomorrow, take a look around. You may be looking at the source of your next security breach.