Security audits

04.05.2006
Hong Kong seems to have a difficult time understanding the fundamental issues of security, but at least we are not alone. This was once attributed to the lack of a local military, but I am not so certain. Over the past few years I have had ample opportunity to observe many Hong Kong attitudes regarding security matters.

To put it politely, they are less than ideal.

Two years ago, I became friends with someone who specializes in something called 'deep security'. The nature of his work is clearly specialized and, naturally, rather secretive. I was able, however, to get a tiny glimpse of what he does. and it was fascinating.

One of the tasks of a 'deep security' expert is to perform a security audit of a computer system--both network and applications. This entails examining a firm's entire IT system for security holes. It is a difficult task for many reasons. Most IT people are not security experts, so when they put a system together they naturally concentrate on the job at hand: focusing on such issues as scalability, reliability, uptime and all those other things that fall within the umbrella of 'mission critical'. Security, if it comes into it at all, comes as an afterthought.

I am tempted to call this the 'Microsoft Security Syndrome' (MSS), for that has always been the approach of the world's largest software company: create a product and then (maybe) add on some kind of security afterwards.

For clearly obvious reasons, I cannot sit in and watch a complete security audit, but I have been able to get an idea of how it works. My friend begins with a simple examination of the network. In every case (and it does not matter if it is a multi-billion-dollar global player or a small regional bank) whatever the IT people show him is wrong. This is not out of any desire to deceive but is due to the fact that IT systems grow and change. Documentation is not always up to date, department heads do not always follow 'security policy' (assuming there is one and, well, there usually is not) and sometimes a job has to be done quickly and security would just "get in the way."