UN Information (In)Security
Found this blog post randomly, but it made me chuckle. A person at a UN conference (ironically, on breaking down administrative and procedural firewalls) discovered an Apple TimeCapsule that had been configured to allow guest access to the backups of a well-known UN staff member’s work information.
I like to dream up root causes when I see things like this. What I imagine is going on here is a little self-service IT. Probably, the staff member in question, who is likely of rank and has assistants, was mistrustful of the integrity or the confidentiality of the IT-provided backups — or there weren’t any. So, in an effort to “do the right thing” and get the information backed up, he either self-configured or had somebody configure a store-bought wireless router with integrated backup capability (the Apple TimeCapsule, which is a great product, BTW).
Eventually, they discovered the ability to use it to share files and it was easier and faster than relying on the IT group to set up a solution, so a working group began collaborating on documents using the time capsule. Because the IT system likely had rigidly enforced access controls, the group was only able to make it work by allowing everybody to log into the shared area as a guest. Either that, or they were unable or unwilling to configure accounts on the shared storage.
In the end, they also exposed the thing to a public network and — there you have it — a visitor to the UN has access to a bunch of privileged-access information.
The lesson here isn’t that users are stupid, either. It’s that IT departments, and especially security people, need to learn to deliver the tools that people want, and not the tools that IT managers want to buy. And, of course, the biggest lesson of all is that security people and the leaders of organizations must make security awareness one of the ingrained principles by which all staff members operate.
A lot of people are talking about the “consumerization” of IT. The trend being spotted is that, in the near future, IT innovation will be driven by consumer devices and that corporate IT will have to play catch-up or allow such innovative devices to interact with traditionally stodgy corporate IT systems. The whole idea is largely driven by the phenomenal success of the Apple iPhone, which everybody wanted and no IT department was initially willing to provide.
I have a lot of thoughts on the consumerization trend. These thoughts also relate very nicely to my thoughts on the Advanced Persistent Threat. And while I actually admire and respect a lot of Microsoft's software and services work, I believe that the near decade-long stagnation in IT system innovation, as well as the myriad security issues that have been realized at unprecedented scale, are a direct result of corporate IT's failure to adequately protect itself from a software monoculture.