Risk Management for Dummies
RSA conference press room delivers a crash course in security cost-benefit analysis
February 7, 2007
9:30 AM -- Let me start this column with an apology. You, dear reader, should have had another news story from me yesterday, but you didn't get it. The reason? Overzealous security.
I'm here at the annual RSA conference, where some of the brightest and best minds in IT security meet to exchange ideas, look at new products, and drink till they throw up. Here in the press room, there's a little space for us ugly reporters to spread out, eat catered food, and file a few stories.
This year, RSA has established a nice wireless network for the press folk -- in fact, they've got wireless access for all of the show's attendees -- and it's really keen. There's just one problem: I can't get into the damn thing.
The RSA folk have established a PEAP-authenticated network here, complete with digital certificates and the whole nine yards. Prior to the show, I received a private logon and password, which I used to access another secure list to gain a separate password to the RSA wireless network. It's all very secure -- I know this, because I've tried hacking into it seven ways to Sunday, and I've failed every time.
Yesterday, after trying for 30 minutes to get into the network using my neat-o private passwords, I finally gave up and went to the wireless help desk. They tried for about 20 more minutes, before they finally gave up and gave me a new, generic ID and password, completely obviating all the work I'd done to get authenticated in the first place.
The help desk had made a number of configuration changes to my PC in order to log me on, so I was careful to save them before I went back to the hotel for the evening. Yet, when I came back into the press room yesterday morning, all of my settings had returned to their original form. I couldn't get into the network. So I went back to the help desk and I did the whole thing all over again. I finally did get in -- almost an hour later. That, of course, was the hour in which I had planned to write you a story, which you didn't get.
I shut down my PC to go do some interviews, and of course, that was a big mistake. So now, just a few hours after I spent all that time with the help desk, my settings have once again been rendered useless and, after 20 minutes of trying, I'm still not on the wireless network.
I should add that, while I'm not the sharpest tack in the box, I'm not the only one who encountered all of these problems. Several reporters were standing with me at the help desk on both days I was there. One reporter never found a connection of any kind and was reduced to using one of the shared computers in the press room.
At least my story has a happy ending. I managed to find the wired router, and I rendered another computer helpless by stealing its port for my Ethernet cable. (The reporter sitting next to me is annoyed, but she found another machine to use.) It took less than a minute.
So what was the point of this exercise? I learned that wireless security can be very effective -- in fact, it can be so effective that it locks out the very people by whom it's intended to be used. Even with the aid of the help desk, it's taken me hours to even access it for a short period. I can only imagine what trouble a hacker might encounter trying to access this puppy.
Okay, point proven. But shouldn't there have been some sort of risk assessment made before this technology was implemented? I mean, I know there are some shady journalists in this industry, but I don't think any of them are smart enough to hack my computer over a wireless link. Even if they were, I doubt they'd really want the rough draft of my blog on wireless security.
Somehow, the math seems wrong. The RSA team has spent a good deal of time and expense to build a secure network that created no benefit for me, the intended user, and served only to protect data that nobody except me would have wanted anyhow.
It's a classic example of how security requires a real evaluation of costs and risks, along with technology. Just because you can secure a link or device with a high degree of authentication doesn't mean you always should. IT managers are seeing the sense of this with increasing frequency -- not every device has to be secured with 100 percent integrity.
As for me, I've learned my lesson in all of this, and I'd better take a class on PC configuration for wireless networks. But first, I'd better find my notes. I've got a story to write.
— Tim Wilson, Site Editor, Dark Reading