The legend of the Trojan War tells the story of how the Greeks tricked their opponents using a Trojan horse. Advenica's CTO draws a parallel to existing problems with modern technology for IT security.
Troy had been under siege for a long time and the Greeks hadn’t managed to enter the city.
Using a diversionary maneuver, the Greeks fooled the defending forces into believing they had withdrawn. Only a large wooden horse was left. The Trojans took the wooden horse to be a prize of war change and took it into the city. What they didn’t know was that Greek warriors were hidden inside the horse. They climbed out of the horse under cover of darkness and opened the gate to the Greek warriors waiting outside.
The story has been used to describe software that is said to do one thing, but which in reality does something else (maliciously). A large part of the trojan's decision to take the horse into town was based on assumptions of what was observed without verifying the content. If they had looked inside the horse, they would have had the advantage of facing the soldiers in daylight, and perhaps more importantly - preventing the city gate from being opened to let in the rest of the army. Now, the soldiers could fulfil their mission under the cover of darkness.
What did the Trojans do? They accepted what looked like a horse, without checking the contents. It could be that any spectacular war trophy could have resulted in the same actions.
What would a comparison with modern IT security technology look like?
Are there similar problems with modern IT security technology? There are many examples where protection mechanisms make decisions based on the transport method, i.e. the protocol instead of the data being transported. Therefore, they run the risk of unwanted content being transported too. Firewalls often operate on ports or protocols. For example, if you use a firewall that accepts all traffic as long as it only comes across port 80, you run the risk of being exposed to the same danger as the Trojans. Nevertheless, such a procedure is common today where it is used by many IT organisations.
What’s the reason for it?
It’s probably partly for historical reasons.
The development of defense mechanisms follows the development of attack methods, but they are usually one step behind.
People don’t think there is a motivation to introduce protection against attacks that have not yet occurred. In some cases, this is an acceptable strategy - in other cases it may have devastating consequences. It’s always about analysing and understanding the consequences if the protection falls.
Are there more precise ways to control content and not just the packaging? Yes, of course. By clearly defining the content you want to let in (or out) from your network, you obtain a completely different level of protection. The risk of both intrusion and information leakage is significantly reduced. Content-aware firewalls are a good first step, but even better is a policy-based whitelist of approved data content. Using such a methodology you can run and control at a granular level, down on the smallest data bit if you want.
By screening the content instead of the packaging, you can achieve full control and traceability. That way you avoid ending up in the same way as the victims of the Trojan defense.
Jonas Dellenvall, CTO, Advenica AB