Saturday, May 30, 2015
I'd say that firewalls have been relatively ineffective for quite a few years now. Keeping a single firewall patched and configured correctly is a big job all by itself, perhaps impossibly so. Keeping all the firewalls a typical enterprise has patched and configured correctly is harder by a couple orders of magnitude. Add to that the fact that by their very nature, the protections of firewalls lag behind the threats in the real world. Firewalls are never up to date, even if you have the latest patches and configurations applied. Making the publicly-exposed apps secure is the first and most obvious step; making all apps secure is the holy grail.
In my last job before retiring, I worked with over a hundred large enterprise customers. There was a wide range on competence in their approaches to security, but by far the most popular approach was something like “buy all the right stuff, know all the right buzzwords, but actually know very little”. There were a few enterprises I worked with that actually had very competent, right-on-top-of-things security teams who took their work very seriously – but these were notable exceptions. There were many occasions when I was allowed physical access to “secure” facilities with no proof whatsoever of who I was (not even an ID check!), and many is the time I was allowed to plug my laptop right into their network. On a few memorable occasions I was given access credentials (including administrative access) to the company's critical systems. One time I called into a customer – a household name that anyone would recognize – I had never personally met, and at the end of the phone call I had VPN access and their Windows Domain Administrator credentials. Crazy!
But my favorite unsecurity experience involves a government organization (of course!). I won't name the city involved, but it was a large western U.S. city with a recently centralized IT department. The IT facilities were scattered around the city, in a couple dozen places; these were the formerly standalone facilities for each of the city departments. I arrived in town to help them deploy a test version of our product, and that required setting up a server in each of these facilities. The IT manager handed me a key ring with labeled keys for each facility, a spreadsheet with credentials for each server (they had about 200), gave me a map of the facilities locations, and told me to go for it. I was never asked for any identification, never asked to maintain confidentiality, and nobody even asked me for the keys and spreadsheet back!
I was frequently amused by IT organization's focus on things like firewalls. Most of them had far worse security problems than out-of-date firewalls, and the problems didn't appear to be on anyone's schedule to be fixed...