| Every computer system relies on people. People introduce all sorts of vulnerabilities into computers and networks. We like to classify vulnerabilities into three types, based on how people interact with the system: -
People design the system and the network to comply with its envisioned business purpose . Designers, developers, and architects are highly educated people. They have advanced degrees and years of professional experience. Because perfection continues to elude humanity, however, even these highly skilled and capable people can and do make mistakes. Most of these mistakes are caught during the testing phase, but occasionally a few aren't. The overlooked mistakes are invariably caught and sometimes become code vulnerabilities for which a patch or other mitigating action becomes necessary. -
People build and deploy the system and the network according to its design . In an ideal world, those tasked with deployment precisely follow the exact designs produced by the developers. But who lives in an ideal world? Designs often incorporate assumptions that the deployers have no idea about. So they make their own assumptions, and because no one has yet mastered mind-reading [1] (contrary to what late-night cable television might claim), their assumptions will differ . Or the people deploying the network might be working 15- hour days in freezing cold computer rooms following some 97-step checklist. We challenge anyone not to make a mistake in an environment like that. Regardless, deployment mistakes become configuration vulnerabilities that, if left ignored, will very likely get exploited. [1] Although 13 Steps to Mentalism , by Corinda, can help you demonstrate otherwise and would be good for you to read if you want to have a lot of fun at your next boring office party or in the chill-out room at a rave. Google to find a copy; neither Amazon nor Barnes & Noble list it. -
People use the system and the network accidentally or intentionally against its design . The two people-computer interactions above are stated positively, because the people involved have a vested interest in a successful outcome of their endeavors. The third category, however, is different. Designers and deployers construct their creations for the benefits of a business and its usersbut sometimes the users are ambivalent or don't want anything to do with the creation. Or they desperately do want it but can't figure out how to use it. Or they want it, can figure it out, and are interested in trying to break itor at least exercise the edges. [2] And when users interact with a system, regardless of whether their intention is accidental or malicious, they will introduce circumvention vulnerabilities into the system, ripe for an attacker to exploit. It's this third attack vector that we explore more fully in this chapter. [2] This is the original definition of "hacking." A hacker was someone who liked to explore the boundaries of a system with the intent of figuring out how the thing worked. Hackers were universally good because if they found a flaw they would often volunteer to fix it, for free. Alas, as the world changes, so does the language. |
