The Trojan Horse still works in IT
A reminder of the tale:
The Trojan Horse is a tale from the Trojan War about the subterfuge that the Greeks used to enter the city of Troy and win the war. In the canonical version, after a fruitless 10-year siege, the Greeks constructed a huge wooden horse, and hid a select force of men inside. The Greeks pretended to sail away, and the Trojans pulled the horse into their city as a victory trophy. That night the Greek force crept out of the horse and opened the gates for the rest of the Greek army, which had sailed back under cover of night. The Greeks entered and destroyed the city of Troy, decisively ending the war. https://en.wikipedia.org/wiki/Trojan_Horse
Almost everyone knows the myth (the story is thought to date from 750BC), yet the same tactic is still used consistently by those who want to get into a secure location they are not permitted to enter.
Security breaches happen in companies all the time; the methods include:
- Impersonation over the phone
- Sending an email pretending to be from the CEO
- Fake text messages (This is possible and widespread)
These incidents have brought down businesses; fraudulent money transfers and data leaks keep appearing in the media.
Yet still, nothing much has changed. The Trojan Horse approach to stealing money and data works so reliably that the bad guys don't need to step up their game.
Whatever else happens, there is a fundamental flaw in our approach to security right now. A slight detour for a moment:
People still drink and drive
In 1872 it became an offence (in UK law) to be drunk while in charge of carriages, horses, cattle and steam engines! The penalty was a fine not exceeding 40 shillings or, at the discretion of the court, imprisonment with or without hard labour for a term not exceeding one month. http://www.drinkdriving.org/drink_driving_information_uklawhistory.php
One hundred and forty-four years after drink driving became illegal, it still happens. A huge amount of money has been spent on media campaigns, education in schools and police enforcement. Yet it still happens.
What does that have to do with security?
When someone decides to drink and drive, one or more of the following goes through their mind:
- I won’t get caught
- I am in control; this is safe to do.
- It does not affect me as much as other people
When a person chooses to ignore security, the same internal conversation takes place, because security is often seen as a roadblock to getting things done:
- I must take my work home with me to finish this project on time.
- Passwords are too difficult; I won't turn it on.
- I trust the person on this email/phone call/text message. I know what is fake and what is real.
Spot the mirroring?
Solving the problem
Here is an example I wrote as a short story.
The Contoso technology company is continually losing money and has not made a profit in two years. The CEO hires all kinds of finance experts and business gurus, and they put in cost-saving programs and strategies. Meanwhile, an executive on the board is spending a huge amount of money on workshops, holidays and the company jet. If this money were not spent, the company would be in profit immediately. This is not a business problem or a finance problem that needs to be solved. It is a people problem: one member of the team is sabotaging what everyone else is doing. Why is this allowed to continue?
Now compare how many businesses approach security:
- Buying “State of the art” firewalls and other products.
- Hiring experts to handle security.
- Switching on every security setting available.
Doing these things without addressing the people is exactly the same as not dealing with that rogue executive wasting money. Security is a people-focused issue, not a technology one. We cannot underestimate this.
The cost is high but the rewards are higher.
Expectations regarding security need to be set for every member of your team, and the culture has to change. The reason many businesses don't do it is the cost, yet nothing brings a business a greater return on investment than increasing security.
What about other dangers?
In a report posted 6 months ago, this security testing company, with their knowledge and tools, managed to breach the US power grid almost effortlessly. It gives you an insight into the lengths a group could go to if they wanted access to your business.
The video is 15 minutes long; watch it if you can. No matter how good the firewall, if the bad guys get physically inside, you are in trouble.
Security experts are really good at what they do, so if security is a priority then, in spite of what I said above, do look at engaging one.
Unless you solve the culture/people issue first, nothing you do will matter.