A chain is only as strong as its weakest link; we all know that. But today’s networks are not linear like chains; they are linked by multiple paths. If there is a flaw along any path, then the entire network is at risk. What about the desktop computers and local area networks in doctors’ offices?* When they are not linked to your network, they are not a threat, but what happens when they log on to send or get information?
Let’s use a parable to illustrate some of the issues. In this story there are two main characters: a king, who represents the executives of your organization, and a woodcutter, who represents the doctors, business associates or anyone else who is a trusted user of your network.
The king was very powerful and respected by his subjects. Part of his power came from a long-standing concern for the security of his castle and the people who lived there. The castle was constantly being strengthened with the latest defenses against every type of potential attack that the king heard about from his friends and spies.
The woodcutter lived in a small hut near the edge of the woods. He lived alone with the conviction that he was quite capable of taking care of himself. He was a quiet man and slept soundly.
Every day the woodcutter would take a cartload of firewood to the castle. He and his father before him had done this for as long as anyone could remember. He was always admitted with a simple greeting from the guards at the gate.
Late one night, a rat curled up in the middle of the cart full of firewood. The next morning, the woodcutter rode the cart to the castle and delivered the wood. The rat began to scamper around the castle with fleas jumping off his back. The fleas soon found people to bite and the plague began to ravage the castle.
The king quarantined the infected occupants and ordered a thorough cleaning of the castle. Rattraps were installed throughout the castle and the king gave one to the woodcutter. The solution worked and life returned to normal.
Some time later, agents of a neighboring king made contact with a yeoman of the king’s guard who was upset about being passed over for promotion. The yeoman had access to significant information, but there didn’t seem to be a good way to get it out of the castle until he noticed that the woodcutter sat on several blankets. Thereafter, he would slip notes between the blankets while the woodcutter was unloading the cart. The agents would creep up to the woodcutter’s hut in the dark of night and remove the notes.
The king began to hear reports from his spies that people in the neighboring kingdoms were learning things about the castle’s defenses that only an insider would know. And there were rumors that the king’s daughter had a disease that would destroy her chances for a favorable marriage.
The captain of the guards suggested getting some dogs to add another level of security. The king decided to give dogs to several people who often visited the castle, including the woodcutter. When the king gave him the dog, the woodcutter protested that he had so little that no one would bother attempting to steal anything from him, that he did not need security and that he had no time to take care of the dog. But their long-term relationship and a deep-seated desire not to offend the king prevailed.
The agents heard about the dog, so they began to visit the woodcutter’s hut every night and put out pieces of meat. Before long they could offer the dog a bit of meat and quietly retrieve the notes from between the blankets. Both the king and the woodcutter slept well knowing that the dogs were protecting them. And the yeoman and the agents continued their treachery, knowing that the false sense of security made their job even easier.
The elements of this parable have real-life equivalents in network security, including viruses, firewalls, intrusion detection, user identification, penetration tests, over-reliance on technology, and the risks posed by disgruntled employees. It points to the need for both technology – rattraps and dogs – and management of the human element of security. The parable illustrates the risks; it does not illustrate the technical solutions or management practices that are required.
In planning and managing network security, your staff probably already thinks like the “bad guys” to identify the types of threats your organization is facing. It’s harder to think like a trusted user of your system who is not particularly concerned about security, has little or no network security expertise and already has a very busy life. The odds are that your trusted users won’t intentionally do anything to put your systems at risk. But they may not be doing everything they should to ensure that their computers aren’t being used to attack yours.
As part of your security strategy, you need policies, procedures and enforcement to assure that your castle is well defended. You also need to assure that doctors, business partners and others who connect to your network have adequate security for their desktop computers and office LANs. The deeper your defenses, the less likely they are to be breached. The woodcutter is probably right; he doesn’t have much to steal. But the bad guys may be able to use his computer to gain access to your network, systems and data.
* This was originally written in the context of HIPAA, where doctors and their offices were a significant part of the risk. They serve as a good example of trusted outsiders who have access to your systems.