Monday, Dec 06, 2010

Why Wiki-leaks Happen (Technically Speaking)

Last month I used the Maginot Line analogy to illustrate how seemingly defensible security systems can be breached. That was before the latest Wiki-leaks incident. I have done security and disaster recovery related work at more than 50 DoD and Homeland Security sites. I get to see a lot of IT security systems.

Every site I have been to had security holes. Here is a rough breakdown of what I have viewed:

  • Physical security: not even half had adequate physical security.
  • Desktop and servers locked down: people do an adequate job locking down their system when they walk away.
  • Antivirus protection: at best 70% protect properly against viruses.
  • Intrusion Detection: perhaps 30% of the sites could detect an intruder (some of the time).
  • Data Loss Prevention: way more than half of the sites allowed CD/DVD usage and/or USB port access at the desktop.
  • Alerts and notifications: it’s an either-or situation. Either the network operations center is alerted to everything, which becomes numbing, or there are very few notifications.
  • Administrative versus User rights: Good at the server and desktop, spotty at the application level.
  • Data encryption: not too bad. Many sites encrypt data in transmission.

These security holes are most vulnerable to personnel who are onsite for an extended period of time. A person with bad intentions can study the strengths and weaknesses at a site and plan accordingly. Once alone or in a trusted position, a person can compromise a system in less than 5 minutes.
 
I have seen more unfinished security projects than projects completed. Security must be viewed as a series of building blocks. Until all the blocks are in place the wall is vulnerable. The line can be broken.

-Matt Hamilton, Principal, Consultant
