Like many other groups, the VRT has a morning routine. Generally it involves comparing kill board stats or raiding tips on whatever game is hot, a quick run down on the work of the day (sometimes as broad as “go break something”, sometimes more specific), and then some time set aside for discussing the morning’s news stories, generally over coffee. These conversations can get pretty rowdy, but they can also provide fodder for more productive discussions about security.
A recent story regarding NASA’s difficulties with their “Avocado” program (http://www.businessweek.com/magazine/content/08_48/b4110072404167.htm) generated a lot of discussion, and led to the creation of Mattland. Mattland is a mythical company where security concerns can trump business needs, people don’t sulk and quit because of overly intrusive security policies and the Internet is viewed with all the suspicion of a smoking gun. It is a place where security monkeys run amok, and the question is, if you were the CISO for Mattland, what would you do?
The security intrusion events at NASA reportedly included information that indicated that “billions” of dollars of rocket motor and fuel system research had been compromised by foreign governments. Which led to the incipient stage of Mattland: “What in the great blue #$&* is billions of dollars of research doing on a computer you can get to on the Internet? In Mattland you wouldn’t be on the #$@&! Internet…” and a lengthy, occasionally coherent rant that hinged on the principle of appropriate levels of separation and how the Internet was not a right but a privilege.
As subsequent random conversations and news items (the loss of the plans of Marine-1 was a doozey…) occur, Mattland is fleshed out with a finance group, researchers and even a mobile sales staff. Here are some of the more interesting “grand ideas” (semi-lucid rants) from these discussions:
- You don’t get the Internet. You can’t have it, just sit there and do your work. If you want to check your mail, on your break you can walk over to that computer wayyyyyy over there and check it. If I ever find a cable between that computer and the production network, you’re all fired.
- All USB ports will be treated with some disabling technology. The ideas have been creative; some of the ones that are appropriate for this blog would be applying 220V, filling them with super glue or just ripping them off the board. These measures will be physical in nature, rather than administrative, to reduce the chance they will be bypassed. Note to Mattland’s acquisition group, we need some PS/2 keyboards.
- All sales staff will be given a laptop as they leave the building, loaded with the approved data. They will then return the laptop to the company which will load any new data onto the network after scanning the data.
- Mattland will aggressively use alternatives to popular software. This should help avoid exploits targeting popular software packages. This certainly won’t prevent targeted attacks, but should help avoid mass-outbreak problems that target the largest vulnerability surface.
Purest fantasy? Certainly. But an interesting thought experiment. So the Vulnerability Research Team wants to know, if you catch your boss so hung over he’ll sign off on anything to get you to go away, what insane security measures would you put in place?