Mata Hari and her bridesmaids (Robert Hanssen and Aldrich Ames)
Over the years, I’ve had this recurring conversation (more often an argument) with security technologists regarding the trust lifecycle. The crux of it is how you go about effectively assigning, monitoring and adjusting individual trust levels. Most of us, when asked about trust, will say that it is made up of behavioral elements like:
- Acting with honesty and integrity
- Not having hidden agendas
- Maintaining open communication
- Keeping your promises
- Meeting your obligations
- Looking out for other people’s interests
Indeed, these are all distinct and recognizable traits, but how can we use them to design complex security solutions? After all, how do you code a function that checks whether a user has a hidden agenda?
In order for these social concepts to be of any use, we need to understand the nature of trust; we must go “Beyond good and evil”. Under the microscope, trust exhibits the following four characteristics:
- It’s transferable—we assign a higher degree of trust to individuals who come recommended by people we already trust
- It’s inheritable—we tend to trust a relative of a trusted friend
- It’s socially derived—we tend to trust individuals who share our cultural heritage and network
- It’s cumulative—we tend to increase our trust in individuals who have previously proved themselves trustworthy
These evaluation principles (essentially deterministic pass/fail tests) work very well in social relationships, but frequently fail in complex security environments. The source of the problem is that most of us instinctively classify the world into “friend”, “foe” or “unclassified, TBD” categories. We also like to believe that, once categorized, the subject in question will continue indefinitely to conform to our classification and expectations. This tendency is hard-wired into our evolutionary decision-making process and, to a large degree, also forms the basis for many irrational behaviors like anti-Semitism.
After conducting quite a few security sweeps, pen tests and post-mortems on breaches, I have come to the conclusion that most individuals, given the right opportunity and motive, could spontaneously flip the color of their hat.
The concept of credential-based security (that is, a non-expiring clearance) is reminiscent of cheese, especially the cheap Swiss variety with too many holes. Now, don’t get me wrong, I have the same tolerance for curious mice as the next guy, but the textbooks are full of big rats that were, paradoxically, supposed to guard the cheesy comestibles, not eat or sell them! Recall that Aldrich Ames, Robert Hanssen and Kim Philby, to name just a few, each held the highest top-secret clearance and had all the right personal and social attributes. Philby actually wrote the chapter dedicated to Counter Espionage Methods in the SOE spy training manual used at Camp X.
So ultimately, it is not the rogue, external, bloodthirsty anarchists or money-hungry crackers one needs to worry about most. Rather, it is the trusted senior employees responsible for the daily maintenance, administration and security of corporate resources. This runs the gamut from the CISO who reads the CEO’s e-mail all the way down to the DBA who runs SELECT statements against the HR compensation database.
The lesson I have learned from all of this is that most people, regardless of how trustworthy they seem, cannot be completely trusted at all times.
And you can trust me on this one.
© Copyright 2008 Yaacov Apelbaum All Rights Reserved.