IT and Security

I had the rare “opportunity” to sit in on a meeting with an IT vendor today. This vendor sells a Network Access Control product which works as follows:

  1. User connects to the network
  2. User’s web browser is redirected to a web page which says “Please download and run this program: <link>”
  3. User clicks the link, then runs the resulting .exe file. (There are comparable Mac and Linux versions as well.)
  4. The program scans the user’s computer, tells a network server to enable access for the computer if it passes the scan, and deletes itself. (They call this a “dissolving client.”)

I attended this meeting because I had heard this story and wanted to see if it was true. I pointed out the gaping security hole being opened here: not only does this product allow anyone capable of spoofing this web page to take control of any user’s machine (in the vendor’s screen shot the page is not even secure), but it also encourages users to download and run software just because a web page tells them to.

The vendor agreed that this was somewhat problematic, and that they’d heard this concern before. At present, the company has no particular response.

Clearly this sucks, but I can get over it. The product on offer actually doesn’t need this client software to run to do much of its job; that feature can be easily disabled. The other network monitoring and management features of the product look genuinely useful.

What concern me are the responses my comment provoked. Not those from the vendor (at least not the immediate reponses)—the technical rep was quite forthright that my point was valid. My problem is with the responses from the IT reps in the room, a handful of whom had already installed the system on their network, but most of whom were only considering it. They immediately became far more defensive than even the vendor; apparently any security hole you don’t initially spot yourself is not really a security hole.

Some comments from IT professionals—people whose jobs it is to provide secure network services to students and staff at Oxford and its colleges:

That just hasn’t been a problem for us.

We haven’t had any complaints about that.

There hasn’t been a single report of any such attack.

I suppose such an attitude can be understood when you realize that network admins don’t actually care about security at all. What they care about is malware—software that generates crippling network traffic and/or user complaints. It’s not their problem if somebody out on the internet can read the entire contents of their users’ hard drives. Not even if it’s because of their own network policies. Nobody knows about it and they don’t hear about it, so the problem doesn’t exist.

More troubling was this comment from the vendor:

Really, how common is it for an attacker to disguise his malware as a security program?

There was an awkward silence among the IT crowd after that, and a slightly apologetic “actually, a lot of infected web sites have things like that…”

The group did start to acknowledge the problem, but this was repeatedly rebutted by one admin who had already deployed the product:

The point is, this product does what I want it to do. It makes my life a lot easier. That’s the bottom line.

Apparently ease of network administration trumps any security considerations. The amazing thing is that I really liked the product. I believe that its management interface is a convenient way to monitor a network. I just think you need to untick the “install client” box on the configuration screen. But the IT guys kept setting up this absurd duality: either install the full system including the security hole, or don’t get any of the benefits.

So the discussion turned to how to mitigate this risk. Again and again, one solution kept coming up. Keep in mind that the vendor had nothing to say about any of this—I kept directing my questions to the vendor and they kept being answered by the other IT guys in the room:

We’ll definitely let everybody know about this before they connect to the network. We’ll send them a letter telling them “you’ll be sent to a web page; it will tell you to download software; download it and run it”.

No suggestions of hashes or digital signatures; just “we’ll notify them”. To IT professionals “if we could only educate the users…” is the answer to everything.

If it’s not our client, then it won’t let them on the network, right? So we just need to tell users to run it, and if they don’t get on the network, then it wasn’t ours. And if they don’t run it and do get on the network anyway, then it wasn’t ours anyway.

I’m truly worried about IT professionals who try to bodge together security solutions with spit and duct tape.

But my absolute favorite comment, which was repeated to me no less than five times when we kept getting dragged down weird technical tangents, was this:

It’s really simple. If they don’t install the client, then they can’t get on our network. Simple as that. We don’t have to worry about users who won’t install the client—they’re free to go and find an internet connection somewhere else.

There are good and thoughtful IT pros out there. There’s no question that most of the guys in this meeting really wanted to do a good job and help their users. But the culture of IT is riddled with defensiveness and political posturing.

I can’t help but think that electricians and plumbers are different. I wish I could figure out exactly what the difference is.