Professional Documents
Culture Documents
Does Your Firewall Have An Open Door
Does Your Firewall Have An Open Door
Does Your Firewall Have An Open Door
Doesyourfirewallhaveanopendoor?|Cactus
Chris James
Doesyourfirewallhaveanopendoor?
First Published on SCL.org: 24/03/2010
Also published in Computers & Law magazine (June / July 2010 Edition)
Googles January announcement that it has uncovered a sophisticated and
targeted attack on its infrastructure is a timely reminder that the threat
posed by hackers should not be minimised. This attack originated from China
and led to Google uncovering a systematic breach of the security of certain
Google user accounts linked to Chinese human rights activists. The attack on
Google and its implication of state surveillance may be seen as esoteric, but it
reveals a basic truth: any organisation which holds personal data on
individuals must be prepared for the fact that the data has value, and is
therefore worth stealing.
In fact data is commonly stolen with much more prosaic aims. The legitimate
collection of personal data for marketing purposes is an expensive and timeconsuming exercise. Much more attractive, especially if one is already
breaking the law by selling pirated software, fake watches or regulated
medicines without a prescription, is simply to steal that personal data from a
legitimate organisation. Or, at least, purchase that stolen data from a
pseudonymous seller in a murky Internet back-alley. This creates a ready
market for hackers ill-gotten gains.
The Data Protection Act 1998 requires organisations which process personal
data to take appropriate technical and organisational measures against
accidental loss or destruction of, or damage to, personal data.
This requirement is sometimes read as a requirement to have a firewall in
place. The risk with this interpretation is that responsibility for complying
http://www.chrisjames.me.uk/posts/firewall_open_door.html
1/5
21/12/2014
Doesyourfirewallhaveanopendoor?|Cactus
with this aspect of data protection law can fall through the gaps between the
lawyers and the engineers. Lawyers think job done when the server
engineers tell them they have installed a firewall. Those engineers
implement a firewall because they are told to do so by the lawyers. It is
entirely possible that no further thought goes into whether a firewall is the
most appropriate technical measure, let alone organisational measure, to
keep personal data safe.
Like its real world name-sake, a standard firewall is a relatively dumb device:
it maintains a barrier between the system and the outside world. Clearly, if
an organisation would like the public to use its web site and electronic
services, putting those services behind a barrier is not going to be very
helpful.
It is common practice to open a door in the firewall to allow external users to
access an organisations web site. The firewall still prevents outsiders from
directly accessing your internal systems or administrative functions (eg the
web servers root console, used for systems maintenance), but allows public
users of the site to pass through that door. However, on that basis, the
firewall offers no protection to the web site. The organisation needs to be
confident that its web site is secure in its own right.
If your web site collects and keeps personal data in a database (eg mailing list
subscriptions and e-commerce order processing) it will contain software code
to process that data. This code often follows fairly standard and well
understood patterns. It does not take long for those in the know to
interrogate the site to discover the way it works and where its weaknesses
may be. Therefore your data security is only as strong as the site softwares
ability to withstand such interrogation without revealing security
weaknesses. If that software is insecure then your compliance with the Act is
potentially compromised.
For example, last month a programmer in Birmingham discovered a way to
access the name, password, e-mail address, post code and other personal data
of over 400,000 users of a brand name e-commerce web site. This was not a
sophisticated cyber-attack against that companys firewall. This was data
that was already made available on the web site, in a downloadable XML file
http://www.chrisjames.me.uk/posts/firewall_open_door.html
2/5
21/12/2014
Doesyourfirewallhaveanopendoor?|Cactus
3/5
21/12/2014
Doesyourfirewallhaveanopendoor?|Cactus
http://www.chrisjames.me.uk/posts/firewall_open_door.html
4/5
21/12/2014
Posted on
Mar 24 2010
Doesyourfirewallhaveanopendoor?|Cactus
Written by
Chris James
Virtual Insanity?
http://www.chrisjames.me.uk/posts/firewall_open_door.html
5/5