TechCrunch is running some stories on Twitter based on information given to them by a hacker. Reading how much data was gathered is shocking; some of it is documentation I didn’t even know people would save on a hard drive, which in itself is a pretty interesting insight into how everything we do is digital now. It makes sense, it just doesn’t usually hit home so hard.
But the main thing that I noticed is how easy it is for all this information to be stolen in the first place. This is not at all shocking to me: since I was on a networking security team at Cisco, I’m well versed in what it takes to secure digital content. And one thing that was constantly driven home is that no matter how many firewalls, network detectors, and anti-virus/malware programs you use to plug holes and backdoor access, if you leave the front door open it’s all worthless.
It’s not our fault that Google has a ridiculously easy way to get access to accounts via their password recovery question. It’s not our fault that Twitter stored all of these documents and sensitive information in the cloud and had easy-to-guess passwords and recovery questions.
This is why I’m wary about a hypothetical future where all our info is stored and processed in the cloud. The majority of security holes develop internally within a company when an employee leaks sensitive info. Luckily, becoming an employee serves as an initial layer of security. Think of it as a castle with a wall around it: to see what’s within, you need a password to get through the gate and then you have to physically enter that castle. The real-life situation is using a login on a computer on the internal company network to access the servers; you have physical security on the computer and servers in addition to logical security via authenticated login.
In the cloud, our medieval castle is distributed through the surrounding peasant community: you still need the password to gain access, but you can gain access from anywhere. In the real world there are a few tricks that you HOPE your cloud provider is using to mitigate this problem, but the reality is you don’t have physical security over the devices storing your data anymore. All you have is a simple login standing between you and every malicious user on the internet.
In the security world your security should be layered like an onion. Only having one pathetically weak layer protecting your business is what we on the internet call an “Epic Fail”.