May 22 2006
As always, Bruce Schneier hit this one right on the head. The spokesman for Diebold, talking about the latest vulnerability in their election machines, said that there would have to be “some evil and nefarious election officials” for the latest vulnerability to be exploited. And that’s exactly what we, as security professionals, have to be looking out for. It’s not some Joe off the street who’s the problem; it’s that corrupt election official we have to be on the lookout for. The Diebold spokesman is an idiot.
Risk mitigation isn’t about planning for people using your system in the way it was intended; it’s about trying to cover as many of the unintended usages of the system as possible. It’s exactly situations like the use of system patching as an entry point for malicious code that you have to plan for and prevent. Almost any security professional will be the first to tell you that the insider threat is many times more likely to happen and many times harder to prevent. The insider already has the keys to the kingdom; he doesn’t have to break in first.