I was recently involved in planning a massive Internet infrastructure upgrade. The goal: To make a nationwide network more reliable and secure for both consumers and service providers. The security piece involves massively flexible authentication methods served up in client and cloud-based form with heaping doses of WS-Trust, WS-Federation, and WS-Policy. It's a beautiful, ready-to-deliver solution. If you've read solution no. 2 of my "Fix the Internet" whitepaper, you already know the key ideas.
When we shared the proposal with one of the key stakeholders, the person asked how well the security would hold up if the attacker got inside the cloud or became one of the trusted authentication providers. I think our answer surprised him.
We replied that our security model assumes that all attackers are trusted insiders, fully authenticated with elevated levels of access control and privileges. In any large security system, especially one that covers a large enterprise or coast-to-coast implementation, it's absolutely true.
Administrators of smaller entities normally know all of the other privileged administrators. But in a massive system, the centralized administrators don't have a clue about the trustworthiness of the various sub-admins. They don't know their names, their motivations, or whether they have passed a background check. It's a common scenario that haunts many senior administrators today. They have to give the keys to the kingdom to people who could go off on a malicious tangent at any moment. I've been involved with many cases in which a disgruntled IT employee caused millions of dollars in damage and thought nothing of trading their future career and even freedom to exact their demented revenge.
If your computer security defense is to withstand a realistic test, it should be built on the assumption that every attacker is a trusted, highly privileged insider already acting within the system. That means not relying on perimeter defenses, which are bound to fail (MS-Blaster and Conficker both spread freely inside networks that had them), and treating every asset on your internal network as if it were directly exposed to the Internet. The idea of a hard perimeter protecting a soft, chewy center died in August 2003 with the appearance of MS-Blaster.
Stop assuming that undetectable computer viruses and socially engineered malware aren't readily reaching your end-users. Instead, start from the premise that zero-day exploits and highly sophisticated malware reach your users every day, and that those users double-click and run everything they are sent. A good defense continues to protect, and the business continues to function, under a full-fledged assault. Don't let optimistic probability estimates hollow out your defenses.
If I assumed that zero-days were executing every second of every day on every desktop I managed, I probably wouldn't rely on end-user education and an up-to-date anti-virus software program as my primary defenses. Instead, I would prevent end-users from executing anything not previously approved by management, and I would take away root or administrator privileges. I'd also consider deploying buffer overflow defenses and looking for unusual types of network activity and unexpected traffic patterns.
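The last sentence above is the detection side of that stance: if you assume the malware is already running, the tell is what it does on the wire. The following Python is an added example (it is not code from the column or from any product the author names) that runs two simple rules over a constructed flow log: a host contacting many distinct peers on one port inside a short window (the 135/tcp sweep MS-Blaster used to propagate) and any connection on a port a workstation should never use. The log lines, the host addresses, the 60-second window, the threshold of five peers, and the list of forbidden ports are all assumptions made up for the illustration.

```python
"""Flag worm-like sweeps and unexpected ports in a constructed flow log.
Added illustration for this column; not the author's or any vendor's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log: "<ISO timestamp> <src> <dst> <dport>".
# 10.0.0.5 behaves like a normal workstation; 10.0.0.7 sweeps its subnet on
# 135/tcp within a few seconds; 10.0.0.9 then connects to it on 4444/tcp.
SAMPLE_FLOWS = """\
2003-08-11T14:00:00 10.0.0.5 10.0.1.10 445
2003-08-11T14:00:03 10.0.0.5 10.0.1.20 8080
2003-08-11T14:00:10 10.0.0.7 10.0.0.1 135
2003-08-11T14:00:11 10.0.0.7 10.0.0.2 135
2003-08-11T14:00:11 10.0.0.7 10.0.0.3 135
2003-08-11T14:00:12 10.0.0.7 10.0.0.4 135
2003-08-11T14:00:12 10.0.0.7 10.0.0.5 135
2003-08-11T14:00:13 10.0.0.7 10.0.0.6 135
2003-08-11T14:00:14 10.0.0.7 10.0.0.8 135
2003-08-11T14:00:20 10.0.0.9 10.0.0.7 4444
2003-08-11T14:05:00 10.0.0.5 10.0.1.10 445
"""

# Constructed policy (an assumption of this example): destination ports a
# workstation is never expected to initiate connections to.
UNEXPECTED_PORTS = {4444, 69}


def parse_flows(text):
    """Turn the log text into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_sweeps(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: (dport, distinct_dst_count)} for every source that reached
    at least `threshold` distinct hosts on a single port inside `window`."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_key[(src, dport)].append((ts, dst))
    hits = {}
    for (src, dport), events in by_key.items():
        events.sort()
        # Slide a window starting at each event; count distinct peers inside it.
        for i, (start, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(seen) >= threshold:
                best = hits.get(src)
                if best is None or len(seen) > best[1]:
                    hits[src] = (dport, len(seen))
    return hits


def find_unexpected_ports(flows, policy=UNEXPECTED_PORTS):
    """Return sorted (src, dst, dport) triples that hit a forbidden port."""
    return sorted({(src, dst, dport) for _, src, dst, dport in flows
                   if dport in policy})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, (port, n) in find_sweeps(flows).items():
        print(f"{src} contacted {n} hosts on tcp/{port} in one window: "
              f"worm-like propagation")
    for src, dst, port in find_unexpected_ports(flows):
        print(f"{src} -> {dst}:{port}: port not expected from a workstation")
```

Neither rule needs a signature for the malware, which is the point: they fire on behaviour that an infected, fully privileged host exhibits regardless of what the anti-virus product knows. On a real network the threshold and window come from a baseline of normal traffic rather than from guesswork, and the flow source would be a switch, firewall, or NetFlow collector instead of an inline string.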
Trust no one
Imagine that every one of your IT employees was up to no good and all outsiders were inside. Now how good are your defenses? I'm not saying your IT employees are unscrupulous. In fact, clearly the opposite is true; most are loyal, law abiding employees. But it only takes one. What if you have a bad apple? How would you change your defenses?
It would mean implementing stricter least privilege, minimizing opportunities for untracked privilege use, setting up internal honeypots, and using split passwords so that no single person holds a complete credential -- in general, helping the honest employee stay honest. It would also mean stronger background checks and giving no one absolute trust. Today, Transportation Security Administration employees must undergo background checks and the same rigorous inspections as normal passengers every time they leave and come back to their post.
By taking a mental trip through your worst fears, you'll gain additional clarity on the fitness of a particular computer security defense. Preparing for the worst helps you build a stronger defense against external threats. And when external attackers become internal, which isn't so hard these days, your defenses will still hold up to scrutiny.
It's like planning the security for a prison. In most prisons, guards don't carry deadly weapons during the normal course of rounds. Jail management assumes that guards may be overpowered by inmates, and the last thing they want is armed prisoners. Prisons are notoriously hard to break out of with just one key or one cut in the fence. And their thick concrete walls are built to withstand forces from outside as well as from within.
The best defenses assume things could go very wrong and still work. Go ahead and pray that you'll never see an inside job, but don't make hope part of your defense.