Auerbach Publications
© 2001 CRC Press LLC
08/01
implementing an alternative route for attackers, leading them away from
the traps and triggers and pointing them to our weakest points.
The concept of alternative forms and directions of attack when faced
with considerable fortifications can be likened to medieval warfare. Castles
were constructed with enormous walls to thwart intruders. Moats
were filled, traps were laid, and deadly focal points were engineered to
halt an attack. In some of these walls, typically under the surface of the
moat, a secret gateway was placed that allowed scouts and spies out of
the castle to collect information or even supplies to survive the siege. It
is this reality that has repeated itself: a gateway placed facing the
world to allow allies access into the stronghold. The differentiating factor
between what is being seen now and ancient warfare is that long ago the
kingdom would not permit a general, advisor, or any person who could
have information valuable to the enemy outside the walls.
In stark contrast, today people from every level in the corporate chain
access information outside of protected space. This is equivalent to sending
a general with attack plans through the gateway, out of the castle, so
he can work on the plan in his tent, presumably unprotected. It does
not take much effort for an attacker to pounce on the general and collect
the information that would normally require accessing the castle directly.
In reality, a modern-day attacker would have so much control over the
victim that data could be easily modified or collected in a manner that
would render the owners oblivious to their activities. Exhibit 8 clearly
depicts the evolution of the path of least resistance.
Disappointingly, the complicated labyrinthine safeguards we have
constructed are squarely pointed at the enemy; meanwhile we are allowing
the information out into the wild. The result is that the finely honed and
tuned wall of protection is reduced to almost nothing. Where a small set
of firewalls protected information on internal networks at a single entry
point, there now exist thousands of access points with no firewalls. Not
only have we taken a step back, but the problem that firewalls reduced
has also increased in scale. Early in Internet adoption a single Internet
connection with a firewall would suffice. Today, organizations have several
Internet connections with complicated protection measures. With the
addition of VPNs for remote systems and small home offices, organizations
have thousands of Internet connections beyond reasonable control.
CASE IN POINT
Late one Friday, I received a phone call from a friend who worked for a
large national construction company as a chief engineer. Calls from him
were typical when his computer was acting up or a fishing trip was being
planned for the weekend. However, this call started very unusually. He
stated that he thought he had been hacked: his hard drive runs late
into the night and the recently loaded BlackIce was logging a great deal