The question posed in my last post was “what will be hacked next?”

Now we know: Federal prisons

Similar to the attack on satellites, systems that should have never been connected to the Internet… were.

And the results?

You could open every cell door, and the system would be telling the control room they are all closed

Here’s the thing…maintaining security is not easy.

It sounds easy.  Just turn on these settings, turn off some others, set good passwords, etc.

But once you add users, security starts to get chipped away.

• This guy needs to access the system from home
• That admin needs a hole in the firewall to run updates.
• The client needs a new feature pushed out in two weeks, so we just need to make it work.  We’ll sort out the security implications later.

When building a system the three points for security are cost, flexibility, and security.  If you need it to be secure AND flexible, it will be very expensive.  If you don’t have a huge budget, either the flexibility or the security will be compromised.

It seems most choose the security, and it’s easy to see why.  Few people complain when the system isn’t secure enough, but if it isn’t flexible enough management will be hearing about it on a daily basis.

…and they are shocked when their organizations are compromised.