11
•
What is the company’s response if any of the claims are falsified? Are there legal
obligations for customer notifications? For product replacement? For liability?
•
Are there clear indications the product is working and doing its job properly? Are their
indications when the product is not doing its job properly? Are there diagnostics that can be
run to test the product out periodically?
Okay - why are we talking about something so specific when this whitepaper is about security as a
holistic enterprise? To ensure that everyone understands that security technology has to deal with the
Verification Problem in much the same way as scientific theories do. There may come a day when an
announcement is made that the security technology you rely on isn’t as secure as you originally
thought when you deployed it (i.e., “What do you mean that the world isn’t really flat?”). Such an
announcement may result in a “cold prickly” feeling rather than a “warm fuzzy” feeling, especially if
you relied solely on that technology without regard to the people around it.
The good news is that more than likely your security won’t be compromised by the techniques listed in
this section. The bad news is there are much easier ways of compromising your security. The really
bad news is when Security is not viewed as a Holistic Enterprise, these ways are almost trivial. Let’s
look at a few exploits of an imaginary unethical hacker.
Confessions of an Unethical Hacker – Part 1
It was hard for the last few weeks to wake up on a Friday morning and hit the bar, but that is where a
person that I will call X and his peers came in after work. They worked the late shift as a clean up
crew for Company Y – Sunday night from 11pm to 4am through Thursday night. Friday morning,
they always stopped in for a few drinks. I had got to know X and decided the time was right to show
him my fake business card – “Certified Ethical Hacker and Licensed Penetration Tester”. That
always got a laugh. You see, I told X, the company that employs you hired me to break into their
network. If I can, they’ll give me a bonus. I’m willing to give you that bonus if you help me. If you
are caught, it is okay as I’ll simply say that you work for me, and they’ve promised me that nothing
will happen – after all, they are paying me to do this. X seemed skeptical, but after I told him how
much the bonus was and showed him my fake contract, he was all for it. It is really simple, I told X,
just go by each printer and MFP they have, get the documents that are in the “to be picked up” pile –
you know, the documents that people have printed and have forgotten to pick up, place them in an
MFP, send them to this email address, and then put them back were they were before. That is it –
you don’t need to take anything or even do anything illegal. Do this once a week, preferably on
Friday, for a month and the bonus is yours! I even showed him a video on my laptop of exactly what
he needed to do on the control panel of the MFP – basically put papers in the scanner, press the
“email” button, type in the email address, and then hit “start”. A month later, I had a lot of
information for that company’s competitor – quite amazing what employees print out and don’t ever
pick up.
Confessions of an Unethical Hacker – Part 2
I love Halloween. Company Y has a few buildings, a few hundred people, and they always have a
Halloween get together where everyone dresses up. The day is pretty easy – not much real work
getting done – and the vast majority of people don’t actually know each other. People bring their
kids in, have some fun, play some games, and rarely are ever at their cubes. I always show up a bit
early dressed up like the Headless Horseman – we’ll, with a pumpkin as a head – since I don’t want
anyone to know who I am. I’m carrying a lot of trays filled with cookies – not because I’m a sweet
guy, but because I need someone to open the door for me. I have an employee badge – not a real
one, but a fake one. It doesn’t work on the card control, but I have it hanging around my neck
anyway. They are so easy to fake with modern color printers and most employees will leave them on
the dashboard of their car while at the gas station or local grocery store – so I know just what they
look like. Just have the “badge” hanging around your neck and have your hands full and the door
will get opened for you. Everyone is so helpful. Once inside, I just walk around – check out the
organizational charts posted everywhere and find where the managers are sitting. I plant a few
