Security Illusions
I also worked on a very large software development project for one of
the government's more security-conscious departments. They installed an
expensive, security-oriented menuing system that was supposed to control
access to, and track, what system users, including programmers, could run.
The technical staff was challenged to try to "break" the menuing system.
There was widespread knowledge among the
technical staff of multiple copies of a "Trojan horse" program on
the system that let any user who knew of the existence of this
program change the access controls on any file on the system.
Following the challenge, I used the Trojan program to give myself access
to the user file that contained passwords and changed the password of the
person who had issued the challenge. I then informed him of what I had
done and how I had done it.
The response was that what I had done didn't count and I was told
not to do it again.
No steps were ever taken to locate and remove the Trojan horse programs.
Other programmers used them to change the name of the program that was
run when they logged in. The new name looked like that of the menuing
system's initial program, but with a zero substituted for an "O". The
program that was actually run was one of the programmers' own devising,
which let them roam the system without tracking or restriction.
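The lookalike-name trick described above, a zero standing in for a capital "O", is easy to miss by eye but easy to catch mechanically. The following is an added example, not code from the original page or from the site described, showing how a check for such impersonation can work: every file name is reduced to a "skeleton" in which visually confusable characters collapse to one canonical form, and any name that is not the trusted program but reduces to the same skeleton is flagged. The program name MENUPROG and the directory listing are constructed for illustration; the original page does not give the real names.

```python
# Flag file names that impersonate a trusted program name by swapping in
# visually confusable characters (zero for O, one for l, five for S, ...).
# Added example; MENUPROG and the listing below are constructed, not from the page.

# Map each confusable character to a canonical stand-in so lookalikes collide.
CONFUSABLES = {
    "0": "o", "o": "o", "O": "o",
    "1": "l", "l": "l", "I": "l", "i": "l", "|": "l",
    "5": "s", "s": "s", "S": "s",
    "2": "z", "z": "z", "Z": "z",
    "8": "b", "b": "b", "B": "b",
}


def skeleton(name: str) -> str:
    """Reduce a name to its confusable skeleton (case-folded, lookalikes merged)."""
    return "".join(CONFUSABLES.get(ch, ch.lower()) for ch in name)


def find_lookalikes(trusted: str, candidates) -> list:
    """Return candidate names that are not `trusted` but share its skeleton."""
    target = skeleton(trusted)
    return sorted(
        name for name in set(candidates)
        if name != trusted and skeleton(name) == target
    )


# Constructed sample directory listing: one genuine entry, one with a zero
# for the "O", one differing only in case, and some unrelated files.
SAMPLE_LISTING = [
    "MENUPROG", "MENUPR0G", "MENUPROG.BAK", "REPORT", "menuprog", "MENUPR0G",
]

if __name__ == "__main__":
    for name in find_lookalikes("MENUPROG", SAMPLE_LISTING):
        print("lookalike of MENUPROG:", name)
```

The case-only variant is reported as well, since whether "menuprog" and "MENUPROG" are the same file depends on the system. A check like this is only a detective control; it does not address the root cause in the story, which is that users were able to change the program run at login in the first place.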
The site had procedures that, because of the security setup, severely
impeded the technical staff from completing their assigned tasks on time.
If the established procedures were followed, specific tasks could not be
completed without the assistance of managers who might not be available
when needed. Further, managers must have known that staff had
workarounds, as tasks were often completed without a manager's assistance.
In retrospect, it's clear that I had broken the real but unofficial
security policies by acknowledging the existence of workarounds that
made the systems usable. This is a perfect example of attempting
to implement a security policy without the support of staff, including
managers.
It's also an example of an organization that went to considerable time
and expense to provide only the illusion of security. They had all the
disadvantages of a secure system: extra costs, both in procuring the
security software and in administering it, and reduced user convenience,
because most users were significantly restricted in how they could use
the system. But they had none of the advantages. It's roughly analogous
to installing an expensive home security system but leaving it off all
the time because you want to leave your back door open for ventilation.
Copyright © 2000 - 2006 by George Shaffer.
This material may be distributed only subject to the
terms and conditions set forth on
http://GeodSoft.com/terms.htm.
These terms are subject to change. Distribution is subject to the then
current terms, or at the choice of the distributor, those defined in a
verifiably dated printout or electronic copy of
http://GeodSoft.com/terms.htm at the time of the distribution.
Distribution of substantively modified versions of GeodSoft content is
prohibited without the explicit permission of George Shaffer.
Distribution of the work or derivatives of the work, in whole or in part,
for commercial purposes is prohibited unless prior permission is
obtained from George Shaffer. Distribution in accordance with these
terms, for private, unrestricted and uncompensated public access, non
profit, or internal company use is allowed.