Posted by Craig Rickel, Compliance Specialist on July 10, 2009 5:53 PM
At least a couple of times during the summer, there's a dry spell when I need to give my garden some extra water. Invariably, the cheap hoses I used last year are still hooked up to the faucet, have frozen over the winter, are cracked in three places, and instead of soaking the plants when I turn them on, soak my pants. You would think I would know to take them inside in the fall by now.
At the hardware store, I bought a brand new hose. I went back home, hooked it up, got the sprayer ready, and turned on the water. The hose promptly fell off the fitting at the spigot. After turning off the water (with soaked pants again), I inspected the design of the fitting they used. There were at least three ways they could have designed it to work properly – with ridged edges or ring clamps or finger clamps to hold the hose on. Instead, they used a smooth attachment for the hose. It could have been properly secured in many different ways, but the designers went for a durable hose with cheap fittings at either end.
This scenario reminds me of many of the computer systems I've seen in my career. When a system gets broken into, it's never just one failure. People use weak passwords on systems (strong ones are hard to remember!), authenticate using insecure protocols (HTTPS is just too slow!), don't patch their systems (it's always some update!), get infected with malware (but I cleaned it off when I found it!), and then wonder when their SQL database password is stolen.
Just as hose fittings have been refined over the past hundred years, there is nothing truly revolutionary about computer security. As security technologist Bruce Schneier recently pointed out, it's the "boring network security administration we already know how to do." Patch your systems. Run anti-virus/anti-malware software. Use firewalls. Use encrypted protocols for important connections. Review your logs. There's nothing surprising about the attacks happening; what is surprising is that systems are still vulnerable to them. Take the time and care to secure your networks; otherwise, you may end up with wet pants.
Further Reading
Schneier on Security - North Korean Cyberattacks