The Real Story Behind Security Breaches – Reality is Worse than it Sounds
Jon-Louis Heimerl | June 11, 2010
We hear about security issues, alerts and problems every day. If you are anything like me, one of the things you want to know is "how bad is it really?" I won't talk about how often these security issues occur, but below are a few security conditions that seem reasonably representative of the types of things I have seen from my clients during just a few years in the industry. These are by no means the worst - I probably can't really talk about those. Names have been changed to protect the innocent.
1. A 1997 intrusion test (appropriately contracted) against a state agency found a path routed around their external firewall. The path was set up so that employees could reach internal systems, since, surprisingly enough, the firewall blocked such access. A 1998 test found the same path, as did subsequent tests in 2000 and 2002. A short time after the fourth test they had a breach of thousands of records, including very private employee and public information.
2. A major retailer's single server hosting their website (including the multi-million dollar online retail portion) was located under a desk in the IT area. There was no UPS, the Ethernet cable running across the hall was duct taped to the carpet, and offline backups were done to writable CDs (when they were done at all).
3. A distributed manufacturing company ran a Just-In-Time process. They posted weekly orders to remote manufacturing sites, and the remote sites were supposed to manufacture exactly what was downloaded. However, remote employees were taking up so much bandwidth browsing porn through the headquarters link that the order databases were not getting transferred, resulting in the distributed sites running at about 30% of capacity - meaning they were sitting idle for the better part of 2 days per week. They missed order points for three months and lost millions of dollars in revenue before they discovered why their orders were going unfilled.
4. A major international retailer had an externally available test environment run by their marketing department (I never did figure that one out). Since all systems still had their default passwords, unlimited network access into the core network for their World Headquarters was easily reached - even behind their internal firewalls. From there, it was simple to log onto distributed store systems and change local prices in all of their stores. $1.37 widescreen TV anyone? (Just kidding!).
5. A large energy company hired Solutionary to perform an intrusion test against their corporate web presence. As part of the test, they gave us their external IP address ranges to test. When we validated these IPs we found that they had also given us the IP range that covered their major competitor. I'm sure that was an accident, right?
6. A major manufacturer located their DR site at the eastern end of the same facility that housed their main data center at the western end. The two sites were less than 300 yards from each other, were both on the same flood plain, and both in a known tornado zone. And, less than 100 feet outside the DR site wall was a gas station with a huge propane tank. To top it off, directly south of the DR site and up the hill was the community's largest water tower.
7. A major telecommunications company decided to add UPS support to one of their data centers to help protect against the consistent brown-outs the local power company was so kindly providing them. They installed a UPS made up of three computer racks of batteries and placed the units next to each other, neglecting to use a load-bearing support beam. The heavy racks warped the floor so thoroughly that if a marble was laid on the floor near the computer room door - some 60 feet away from the UPS - it would accelerate across the floor and come to rest with a sharp "crack" at the front of the UPS.
So, if you recognize any of these, I apologize. But for the rest of you: do better, or I shall taunt you once again.
P.S. - There has been a lot of hype recently regarding the iPad security breach. Check out my article in USA Today where I discussed how the breach occurred.