The question posed in my last post was “what will be hacked next?”
Now we know: federal prisons.
Similar to the attack on satellites, systems that should have never been connected to the Internet… were.
And the results?
You could open every cell door, and the system would still tell the control room they are all closed.
Here’s the thing…maintaining security is not easy.
It sounds easy. Just turn on these settings, turn off some others, set good passwords, etc.
But once you add users, security starts to get chipped away.
- This guy needs to access the system from home.
- That admin needs a hole in the firewall to run updates.
- The client needs a new feature pushed out in two weeks, so we just need to make it work. We’ll sort out the security implications later.
When building a system, the three competing factors are cost, flexibility, and security. If you need it to be secure AND flexible, it will be very expensive. If you don’t have a huge budget, either the flexibility or the security will be compromised.
It seems most choose to compromise the security, and it’s easy to see why. Few people complain when the system isn’t secure enough, but if it isn’t flexible enough, management will be hearing about it on a daily basis.
…and they are shocked when their organizations are compromised.
“…the researchers found that there was an Internet connection associated with every prison system they surveyed. In some cases, prison staff used the same computers to browse the Internet;” – bad idea.