Strange and Tragic Case Study #1: "Beside.net"
Human Security Failures Cause Systems Security Failures
A company we'll anonymously call "Beside.net" requests via email from us a proposal (RFP) for a full scale Security Survey and Threat Assessment, from physical facility security measures to systems, intranet, Internet and web site security measures. "Beside.net" is a firm which offers (among other services) web server-farm services to major regional and national Internet Service Providers (ISP).
The party making the request claims to be "Beside.net"'s security operations manager.
We submit to the requesting party an initial Scope of Work (SOW) document, and request that they furnish us with certification of their authority to make such a request prior to our submission of a detailed proposal.
On preliminary examination, we find "Beside.net"s web site literally overflowing with major, high-risk information leaks about both its own and its clients' critical infrastructure. The web site information includes addresses and photos of every major "Beside.net" facility, as well as their web server-farm client locations, and even photo images of the servers themselves.
Our interest piqued, we investigate further to find that "Beside.net" is among a small handful of representatives from business, industry, law enforcement, government, military, and intelligence agencies designated as members of an "elite" U.S. Y2K-impact "watch group".
Houston... We Have a Problem...
Rather than comply with our request for certification of the requesting party's identity and RFP authorization, the "Beside.net" security operations manager persists with literally dozens of email requests for details about his firm's potential security vulnerabilities - failing to acknowledge our certification request(s).
You Can't Make This Stuff Up
One month later, we receive from the "Beside.net" security operations manager a virus-infected email attachment, suggesting (in the body of the email) that we "check this out".
The following day, we find in our email box an e-message from the "Beside.net" security operations manager (which, unlike the original virus-email was) copied to a lengthy list of "Beside.net" internal security and management personnel, and urgently pleading that all recipients NOT to open the virus-email sent from his email address. The addressees also included officers of major technology crime prevention associations and other firms outside "Beside.net".
Don't Shoot Me - I'll Do It Myself
The email virus incident should have been a clear warning sign to all the security personnel and officers at "Beside.net".
Unfortunately, it wasn't warning enough.
The final insult and (monetary) injury: On 27 April, 2000, some six months after first being contacted by "Beside.net", numerous major news agencies reported that
"Beside.net" (one of the nation's leading regional web server farm hosts) had been hacked, and their server system went down for a full day...
much to the unhappy response of their clients which included several major national ISP's, such as AOL.
We take some margin of pride in pointing out that, had they done a full assessment as they'd ostensibly intended when they first
contacted us, none of this would likely have happened. And if those attacks had occurred in the wake of our assessment and remediation work,
OPSEC's security measures and reaction / recovery measures would have either stopped the attacks dead in their tracks, or (at worst) allowed
swift recovery through backup systems and measures.
Woulda, coulda, shoulda...
Can you identify some key security vulnerabilities in this anonymized case study?
Are you perfectly confident that you know precisely how to accomplish the goals implicit in sensitive "Beside.net"-type business operations without merely achieving some minor variation of the same security failures?
Are you perfectly confident that your organization is NOT committing some of the same breaches of sound security practices?
Want to bet your business on your answers?