Photo Credit: novumpack - systemy pakujące Flickr via Compfight cc
On-line shopping can be the source of some frustrating experiences that hold several parallels with the world of InfoSec. I am in this case talking about Amazon parcel deliveries (and, in the style of a Wikipedia disambiguation note, I should say that other online shopping vendors and their delivery agents are available and are just as guilty of these practices).
I would like to concentrate on four points of comparison: firewalls, demilitarised zones (DMZs), packet size and delivery notifications.
Not to get all Sound of Music, but let’s start at the very beginning with Case 1: when is a firewall not a firewall? When Amazon “delivers” my package by throwing it over the fence into the back garden (two instances this year) I am somewhat aggrieved. You may think your delivery will be secure because you have provided a letter box, a secure place for oversized packets and very helpful neighbours, but no, all of this is ignored. Your garden fence, your firewall, is not sufficient to protect your perimeter, and unfortunately your defences are breached. Ignoring aspects such as the parcel being exposed to the elements, there is a secondary effect: anything that can be delivered through a circumvented firewall can just as quickly be undelivered again by someone else, because the same gap that let the courier in lets the next passer-by out with it. A parcel delivered in this fashion is anything but guaranteed.
OK, moving on, let us now look at Case 2: when is a DMZ not a DMZ? Purchasing online gives you a great deal of flexibility: pick up at a collection point using a third party such as Doddle, deliver to home, or, if you are out, define a safe place, often a porch or a neighbour. At some point your guaranteed delivery agent contacts you and states that your package has been left in the secure location you previously defined. However, when you return home, you find the package on the door step, beside the side gate or, my personal favourite, wedged under one of the cars on the drive. We don’t live in the inner city in a suburb twinned with Beirut or Aleppo, but it is only through luck that we have not lost a parcel so far. If the DMZ is not actually segregated from the outside world, then a delivery into it is not a guaranteed delivery; it is simply exposure with a reassuring label on it.
We now come on to my personal bugbear, Case 3: matching your packet size to your requirements. How many times has your packet been undelivered, and you have had to provide an alternate delivery mechanism because of the rejection? The benefit of the delivery is lost. Time and effort are wasted. In InfoSec parlance, if information is not delivered in a timely fashion, the value of the information may itself decrease. In the case of Amazon this year, the worst case has been a package the height and width of a vinyl record and the depth of ten fag packets to deliver a jar of jam (very good grape jelly from the US; the better half has a taste for it). The wastage alone is annoying; the implications for undelivered packages are far worse. It also puts excessive strain on the delivery system itself: in this case the postman, in the InfoSec case the network. Packets that are too big are wasteful, and once they exceed what the path can carry they are fragmented or dropped outright; packets that are too small spend a large share of every transmission on headers rather than payload.
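To put numbers on the "too big or too small" trade-off, here is a small added illustration; it is not the author's code. It assumes IPv4 (20-byte header) carrying UDP (8-byte header) over an Ethernet link with a 1500-byte MTU, and it ignores Ethernet framing and IP options. `fragments_needed` counts how many IPv4 fragments one datagram becomes once it no longer fits a single frame, and `efficiency` reports what share of the bytes on the wire is actual payload.

```python
"""Packet-size trade-off: fragmentation versus header overhead.

Added example for the packet-size discussion above (not the page's own code).
Assumptions: IPv4 header of 20 bytes with no options, UDP header of 8 bytes,
Ethernet MTU of 1500 bytes; Ethernet framing bytes are not counted.
"""
import math

IPV4_HEADER = 20      # bytes, assumed: no IP options
UDP_HEADER = 8        # bytes
ETHERNET_MTU = 1500   # bytes, assumed link MTU


def fragments_needed(payload_bytes: int, mtu: int = ETHERNET_MTU) -> int:
    """Number of IPv4 fragments a single UDP datagram turns into.

    Every fragment carries its own IPv4 header; the UDP header appears only
    once, at the front of the datagram. All fragments except the last must
    carry a multiple of 8 data bytes, because the fragment offset field
    counts in 8-byte units, so usable room per fragment is rounded down.
    """
    if payload_bytes <= 0:
        raise ValueError("payload must be positive")
    room = mtu - IPV4_HEADER          # data bytes one fragment can carry
    room -= room % 8                  # honour the 8-byte fragment alignment
    datagram = UDP_HEADER + payload_bytes
    return math.ceil(datagram / room)


def efficiency(payload_bytes: int, mtu: int = ETHERNET_MTU) -> float:
    """Share of bytes on the wire that are payload rather than headers."""
    n = fragments_needed(payload_bytes, mtu)
    on_wire = payload_bytes + UDP_HEADER + n * IPV4_HEADER
    return payload_bytes / on_wire


def sweep(sizes, mtu: int = ETHERNET_MTU) -> dict:
    """Map each payload size to (fragment count, efficiency) for comparison."""
    return {s: (fragments_needed(s, mtu), efficiency(s, mtu)) for s in sizes}


if __name__ == "__main__":
    # Constructed sample sizes: a tiny packet, the largest single-frame
    # payload, one byte past it, and a large datagram.
    for size, (frags, eff) in sweep([1, 64, 1472, 1473, 9000]).items():
        print(f"payload={size:5d}  fragments={frags:2d}  efficiency={eff:.3f}")
```

Two edges are worth noticing: 1472 bytes of UDP payload is exactly what fits in one 1500-byte frame (1472 + 8 + 20), and a single extra byte doubles the fragment count and adds a whole second IPv4 header, while a 1-byte payload spends 28 of every 29 bytes on headers.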
My final example is something I find common across many IT theatres of operations, Case 4: misleading instructions. Ah, now I know what junior doctors are doing when they are striking: they are taking the time off to moonlight for Amazon and the Post Office on the delivery service. I know this because I have read the handwriting. I receive a screwed-up and incoherent note telling me the alternative location for my item. The InfoSec analogue is a corrupted or, even worse, spoofed header. These notes could say anything, and often one location is scrawled on them while the package has been left somewhere else entirely; nothing on the note lets me verify who wrote it or whether the location it names is true, which is exactly the problem with a header that carries no integrity check. My next degree is probably going to be in Sanskrit to try and alleviate this issue.
In closing, the rise of online shopping has paralleled the increased use of electronic communication and information transfer. The key to the success of both is reliable, predictable, guaranteed delivery. If that fails, all the cheap Black Friday bargains and all the encrypted traffic in the world will not help us achieve our end goals.