Mark Seiden is a Senior Consultant with Cutter's Business Technology Strategies practice and a former Fellow of the Cutter Business Technology Council. He has consulted since 1983 in the areas of security, network, and software engineering to companies worldwide, with clients including startups, major computer and communication companies, financial institutions, law firms, UN agencies, online content providers, ISPs, research organizations, and nonprofits. As an independent consultant, and in varying roles at Securify (also known as Kroll O'Gara Information Security Group), his most recent projects have included design, architecture, and implementation for e-business systems; security for online financial transaction processing and distributed document processing systems; custom firewalls based on open-source components; finding computer criminals; and penetration testing the network and physical security of deployed systems, enterprises, and colocation facilities.
Mr. Seiden has 35 years' programming experience. He's been a Unix and mainframe system programmer; written Macintosh applications; spent time at IBM Research, Xerox PARC, Bell Labs, and Bellcore; and has taught at the university level. Time Digital named him one of the 50 CyberElite in its first annual list, and he has been regularly quoted in the New York Times and other periodicals due to involvement in high-profile activities (such as the pursuit of Kevin Mitnick and revealing the vulnerabilities in airport security systems). Mr. Seiden has written for the New York Times, Wired, Sun Expert, and Unix Review (among others) and has been technical editor of several books about computing. He has been on the board of directors of two user groups and is on the Technical Advisory Board of Counterpane Security Systems. He can be reached at firstname.lastname@example.org.
Who Can You Trust?
In every facet of life, the question of who you can trust surfaces -- though the answer often eludes us. In the information security game, we try to create mechanisms to help us answer this question, and our reputation as well as professional pride are tied up with getting it right. But is that possible?
Trust in the Business World
Since we see problems with trust in every area, from families to banks to doctors, it shouldn't be surprising that you can't trust anyone in business. Business is nasty and competitive -- or, as I've read recently: "It's a doggy dog world."
In order to make a sale, salespeople routinely lie or shade the truth about the what, when, or how. They'll give you verbal contracts while at the same time, their written contracts disclaim all warranties of merchantability or usability "for any particular purpose."
Not to put it all on the internal folks; you can't trust your customers either. Even the honest ones are always looking for a competitive edge. In the e-commerce world, the fraud rates are high -- the less tangible the goods, the more fraud. (For example, some vendors of international IP telephony services have blacklisted entire developing countries after realizing that almost all of the phone calls from them were fraudulent.)
Companies are constantly changing their business models without notice, defying your old (20th-century) expectations. Even well-intentioned companies are going out of business left and right. Insiders are a big threat because they know your secrets and sensitivities. Defenses based on "security through obscurity" are generally unsuccessful partly because so many insiders eventually become outsiders. Damage caused by insiders is more expensive than damage caused by outsiders and is often dealt with discreetly. It's hard to not trust your employees, and it's bad business to not enable them to do their jobs.
Employees are entirely mindful that there's little corporate loyalty these days. When things get lean, companies can get mean. Few enterprises are willing to take the trouble to avoid layoffs by using creative mechanisms like enforced or voluntary vacations, offers of job sharing, or part-time employment. Disgruntled ex-insiders are in the same class as unhappy ex-spouses -- you don't want to have very many of them. By treating people well, you will suffer less in the long run.
Can you trust consultants? Those who are supposedly independent may not be vendor-neutral. They naturally cannot help but promote products in which they have investments of time and energy and therefore will tend toward the safety of familiar products with the greatest market share. This is a more insidious influence than a vendor's inability to discuss flaws in the solutions that they obviously resell. Given how quickly technologies change, the best solution a few years ago may not be the best solution now.
Trusting the Inanimate
Here we cross over from trusting animate objects (like people) to trusting the inanimate and inscrutable, such as e-mail, software, hardware, and networks.
Once upon a time, you (the "user") had no control over the software on the mainframe. It was controlled by high priests in the glass room. Briefly, beginning more than 20 years ago, the "personal" computer threatened the priesthood's fundamental control over your choice of software. You could install anything you wanted -- but at your own peril, since it could screw up your machine so awfully that you might be excommunicated.
When the Internet became popular, the idea that software could be easily downloaded and installed became compelling to both users and software vendors. A software developer can now update its software on your machine dynamically, with or without your permission. Some of them are kind enough to ask for consent, but it's hardly ever "informed consent."
Will the vendors abuse your trust? Should you always trust all content from Microsoft? Probably not, particularly if you're not sure it's even really Microsoft.
Another example of abuse of vendor trust is "malware" or "spyware," which might communicate your private details to a vendor through software. You can find out about some of these by using a personal firewall of the sort that will alert you to any outward communication by an application (as well as the usual incoming attempts from crackers and anklebiters that make it as far as your PC).
Yet another example of abuse is vendor software that has "backdoor" access or preinstalled logins with weak passwords. You may not find out about these by reading the manual, and your expectation should be that they aren't built into products just for someone's convenience. These should be illegal, in my opinion.
Some enterprises dynamically update the content on their employees' PCs, attempting to install patches and software updates automatically. This can be a bit of useful paternalism, if they get it right, but the consequences are that you can't be sure what software is installed on your PC from day to day and that you have to trust your company's system administrator to do the right thing.
How about the hardware? Suppose your bank account password is something you really want to keep secret. Can you be sure that your keystrokes aren't being recorded? Alas, no. There are inexpensive devices (as well as software) that can stash your keystrokes for someone to harvest at a later date. These devices can be plugged between your keyboard and computer and look like a little cable adapter, or they can hide inside the keyboard itself.
Figuring out Who to Trust
Here are some plausible, general techniques for figuring out who to trust. Ask:
- Can you rely on an independent, trustworthy authority?
- Can you test them? Can you randomly audit, in any substantial sense? Can you observe their behavior and performance or look at their reputation, their background, and their history over a long period of time?
- Do your vendors supply service-level agreements or warranties on their software and services?
- Do you rely on legal assurances which have some substantial backing, or just on empty promises from someone with empty pockets?
- Do you know, or can you find out, who the people you willingly trust are further trusting?
If you don't ask, you won't find out, and if you can't do most of these things, the first sign of a problem is often a nasty, embarrassing, and expensive incident.
Matters of human and political trust often involve complex issues of feeling more than thinking. The contrary balance is present in most business trust decisions, but don't ignore your intuitions.