Kasha 1
Brian Kasha
AP Literature
Mrs. Corbett
10/14/11
Senior Project Paper
Information security is critical in the world of computing. Businesses must be able to trust
system administrators to keep their vital information safe on network servers. However,
the nature of the information that administrators are tasked with holding attracts many
entities willing to obtain these secrets through illegal or even immoral methods. This, coupled
with internal security issues, creates a plethora of problems for security professionals. This paper
analyzes current threats that major companies face and attempts to offer solutions to these
conundrums.
Often issues arise from a lack of basic understanding of how to secure servers and
systems. Without this basic skill set, many company security structures are doomed to be
ineffective from their very inception. Physical security is of the utmost importance when
attempting to secure a server and is often overlooked (Dhar 1). If potential threats are allowed
direct access to a target system, only harm can ensue. For example, someone with direct access to a
computer could boot the system into single-user administrative mode or even boot an entirely
different operating system in order to compromise the box. This catastrophe can be avoided
if “Only authorized users have physical access to the hardware. This can typically be ensured by
the use of badges, cards, or other forms of ID” (Dhar 1).
Systems that are improperly configured during installation of the OS are another basic
target for cyber criminals. A system without proper hard drive partitioning, boot loader security,
or root password security, or one with unnecessary services running, is often the target of malicious
attacks (Dhar 4). Hard drive partitioning segments a system into different parts. This means that
if someone gains unauthorized access to one partition, they won't necessarily be able to access
other parts of the box, and user-writable areas such as /tmp or /home can be mounted with
restrictive options that the root filesystem cannot carry. Boot loader security should be in place
to prevent unintended changes to a system on boot, such as editing the kernel command line to
enter single-user mode. Passwords are also critical: short or guessable passwords, and worse,
blank ones, are easy pickings for attackers. Finally, unnecessary services are never a good thing;
each one provides yet another means of entry into an improperly configured system.
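As an added example (not part of Kasha's paper or the Dhar source it cites), the following script checks constructed snippets of a Linux host's configuration for the four installation-time weaknesses just listed: accounts with an empty password field in /etc/shadow, user-writable filesystems that share the root partition or lack restrictive mount options, a GRUB 2 configuration with no superuser password (which leaves the boot entry editable into single-user mode), and network services listening on ports outside an allow list. Every input below is a constructed sample, and the required mount points, mount options and allowed ports are assumptions that a real audit would tune to the host's role.

```python
"""Audit constructed config snippets for install-time hardening gaps.

Added example, not taken from the paper or its sources. All inputs are
constructed samples; nothing is read from the running host.
"""
import re

# --- Constructed sample inputs (not from any real system) --------------------

# /etc/shadow: 'guest' has an empty hash field, so it can log in with no
# password. '!' and '*' mark locked accounts, which is a safe state.
SAMPLE_SHADOW = """\
root:$6$salt$hashedroot:19000:0:99999:7:::
guest::19000:0:99999:7:::
svc:!:19000:0:99999:7:::
alice:$6$salt$hashedalice:19000:0:99999:7:::
"""

# /etc/fstab: /var shares the root partition, and /home lacks nodev,nosuid.
SAMPLE_FSTAB = """\
UUID=1111 /     ext4 defaults                     0 1
UUID=2222 /home ext4 defaults                     0 2
UUID=3333 /tmp  ext4 defaults,nodev,nosuid,noexec 0 2
"""

# /boot/grub/grub.cfg: no superusers/password, so anyone at the console can
# edit the entry (e.g. append 'single' or 'init=/bin/sh') before booting.
SAMPLE_GRUB = """\
set timeout=5
menuentry 'Linux' {
    linux /vmlinuz root=UUID=1111 ro
}
"""

# Listening sockets, one per line as "proto local_address program"
# (a simplified form of what `ss -ltnp` reports).
SAMPLE_LISTENERS = """\
tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:23 telnetd
tcp 127.0.0.1:25 master
tcp 0.0.0.0:111 rpcbind
"""

# Assumed baseline: which trees should be separate partitions and how they
# should be mounted. Tune these for the host's role.
REQUIRED_SEPARATE = ("/home", "/tmp", "/var")
REQUIRED_OPTIONS = {
    "/home": {"nodev", "nosuid"},
    "/tmp": {"nodev", "nosuid", "noexec"},
    "/var": {"nodev", "nosuid"},
}


def empty_password_accounts(shadow_text):
    """Return account names whose shadow hash field is empty (no password)."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            found.append(fields[0])
    return found


def partition_findings(fstab_text):
    """Return (trees not on their own partition, {mountpoint: missing options})."""
    mounts = {}
    for line in fstab_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts[parts[1]] = set(parts[3].split(","))
    missing = [mp for mp in REQUIRED_SEPARATE if mp not in mounts]
    weak = {}
    for mp, wanted in REQUIRED_OPTIONS.items():
        if mp in mounts:
            absent = sorted(wanted - mounts[mp])
            if absent:
                weak[mp] = absent
    return missing, weak


def grub_password_set(grub_cfg):
    """GRUB 2 protects menu editing only when both a superusers list and a
    password (ideally password_pbkdf2) are present."""
    has_super = re.search(r"^\s*set\s+superusers=", grub_cfg, re.M) is not None
    has_pw = re.search(r"^\s*password(_pbkdf2)?\s+\S+", grub_cfg, re.M) is not None
    return has_super and has_pw


def unexpected_listeners(listener_text, allowed_ports):
    """Return (port, program) for non-loopback listeners outside the allow list."""
    flagged = []
    for line in listener_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _proto, local, program = parts
        addr, _, port = local.rpartition(":")
        if addr in ("127.0.0.1", "::1", "[::1]"):
            continue  # local-only services are not remote entry points
        port = int(port)
        if port not in allowed_ports:
            flagged.append((port, program))
    return flagged


def run_audit(shadow=SAMPLE_SHADOW, fstab=SAMPLE_FSTAB, grub=SAMPLE_GRUB,
              listeners=SAMPLE_LISTENERS, allowed_ports=frozenset({22})):
    """Collect all findings into one dict so a caller can act on them."""
    missing, weak = partition_findings(fstab)
    return {
        "empty_passwords": empty_password_accounts(shadow),
        "not_separate_partition": missing,
        "weak_mount_options": weak,
        "bootloader_password": grub_password_set(grub),
        "unexpected_listeners": unexpected_listeners(listeners, allowed_ports),
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name}: {value}")
```

On the constructed samples the audit reports the guest account, /var sharing the root partition, /home missing nodev and nosuid, no GRUB password, and telnetd and rpcbind exposed on all interfaces; the loopback-only mail listener is deliberately not flagged.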
In many cases, the very system set up to provide security is the reason that security never
improves. Big security companies are, by the nature of their business, reactive to their environment. This means
that they rarely attempt to proactively protect against future threats and instead focus on reacting
to threats that have already been identified (Utin 3). The time, energy, and resources spent
protecting against already known threats detract from preparation for the future.
A modest proposal would be to focus equally on both ends of the spectrum: the present and the
future. If more resources were allotted for research into predicting future threats, the security
world would be better prepared to meet them. In turn, the reduced impact of future
incidents would allow companies to focus more on eradicating
existing threats. With this mode of operation, already practiced by some, security would greatly
improve in only a five-year span (Utin 5). This is an ideal worth striving for.
Another issue that needs discussing is that of business politics interfering in the
information security world. Hiring security professionals is a decision controlled by the business.
However, most of the decision makers have little to no knowledge of what characteristics to look
for in an adequate information security employee. Utin describes it this way: “If you look at a
typical job requirements list for a system administrator, you will see a laundry list of operating
systems, hardware, software, and so forth. If you compare that to the job requirements of a
security specialist, you’ll see a similar if not identical laundry list. This identikit quality comes
from management’s lack of understanding of information security and its unique needs” (Utin 7).
This is a significant issue, and employers need to be better educated about the positions they are
hiring for.
The very nature of big business also hinders security. An exorbitant amount of legal process
and protocol often interferes with security's day-to-day job. For example, a U.S. security
contractor found 60 systems with blank administrator passwords. Fixing them should have taken
approximately two days. However, because he had to inform his superiors, ask for
permission, and provide a detailed explanation of the solution, these systems went
unsecured for 60 days. If the public had found out about the exposure during this period,
it could have been catastrophic to the government sector he was tasked with protecting (Utin 5).
If security professionals were allowed to do their jobs without waiting on business approval at every step,
problems could be solved much more efficiently. The practice of chain of command, however, is
not likely to dissipate any time in the foreseeable future.
Businesses also have a problem with keeping employees invested in the success of
the company. If a security breach takes place, how will it affect them? It will only harm the
company. How, then, can individuals, the most important part of any security system, be expected
to protect the company? One way is through the use of incentives: pay people more now to, in the
long run, save the company money. By connecting a person's livelihood to the job, these incentives
directly strengthen the loyalty one feels to a company and its success.
A company's profit motive also directly affects its security decisions. The most
common security breaches individually cost the company very little in damages, so
it will not pay for a fix that costs more than the breach. This practice is not damaging
to a company in the short run, yet small security breaches left unaddressed can grow into big problems
in the future.
The evidence for a link between information security breaches and a
company's market value is mixed. “While some studies have shown a statistically significant negative
correlation between information security breaches and the stock market returns of firms, other
studies have found no significant relation. In a similar vein, the empirical results of studies
examining the relation between specific types of information security breaches (e.g., breaches
of confidentiality) and the stock market returns of firms have also been mixed” (Gordon 2). This
conflicting data has caused many businesses not to take breaches seriously as a threat to their
profits. In many cases they have simply learned to live with them and do not even try to prevent them.
This backing off by business has in itself fueled the growth of cyber crime, which is once again
proving to be very profitable.
This profitability of cyber crime is supplying a constant stream of new recruits to the
underground world. Record levels of cyber crime, both large and small, are being committed. This
increase in attacks has proved strenuous for the security community. For example, companies
such as Sony, PayPal, Visa, and Bank of America have been targeted for political, moral, and
financial reasons.
The threat of politically and morally motivated hackers, known as “hacktivists”, has proved difficult
for security professionals. This shift from profit motivation to political motivation
has in many cases strengthened the hacking movement. Hackers are no longer fighting uneven
battles against super-wealthy corporations on their own: hacktivists are gaining significant monetary support
from supporters of their various causes. This has allowed them to grow in strength.
The media attention that hackers have been receiving, though negative, is actually
supporting the movement. Hacking groups such as the now infamous LulzSec or segments of
the collective called Anonymous have become fixtures of television news due to their humorous,
though illegal, exploits. Younger viewers of such coverage see them as heroes of a sort for taking
on the all-powerful corporate world. This media attention is unknowingly fueling their exploits.
In conclusion, the security industry has a long way to go. The list of problems
encountered seems never to end and is constantly growing. These problems, both internal and
external, are just a few in a violent information war going on around the world every day. Due
to the nature of what information security experts must protect, this industry is quickly going to
become one of the most important in the world.