In the legend of the Trojan War, it is told how the Greeks tricked their opponents with the help of a so-called Trojan horse. In the following text, Advenica’s CTO draws a parallel to existing problems with modern technology for IT security.
The city of Troy had been under siege for a long time, and the Greeks had not managed to enter the city. Through a deception maneuver, the Greeks made the defending forces believe that they were retreating. At the same time, a large wooden horse was left behind. The Trojans took the wooden horse as spoils of war and took it into the city. What was not known was that inside the horse were a number of hidden warriors. These dismounted under the cover of darkness and let in the Greek warriors who were waiting outside the city gate.
The story has later come to be used in a figurative sense to describe software that is said to do one thing, but in reality also does something else (maliciously). A large part of the Trojans’ fatal decision to bring the horse into the city was based on making assumptions about what was observed without verifying the content. If they had taken care to examine the contents of the horse, they would have had the advantage of being able to meet the soldiers during the day, and perhaps more importantly – prevent the city gate from being opened to admit the rest of the force. Now the soldiers could instead freely carry out their mission under the cover of the darkness of night.
What then did the Trojans do? What they did was they accepted what looked like a horse, without checking the content. It might even be the case that any spectacular war trophy would have resulted in the same action.
How would a comparison with modern IT security technology look like?
Is there a corresponding problem also in modern IT security technology? There are actually many examples. There are many cases when protection mechanisms make decisions based on the transport method, i.e. the protocol instead of the data being transported. This also runs the risk of unwanted content being included. Firewalls often operate on ports or protocols. If, for example, you use a firewall that accepts all traffic as long as it comes over port 80, you run the risk of being exposed to the same danger as the Trojans. Nevertheless, such a procedure is common today, it is used by many IT organizations.
What is the reason for that?
In part, it is probably about historical reasons.
The development of defense mechanisms follows the development of attack methods, but is usually one step behind.
It has not been deemed justified to introduce protection against attacks that have not yet occurred. In some cases it is an acceptable strategy – in other cases it can have devastating consequences. It is always about analyzing and understanding the consequences if the protection fails.
Are there more precise ways to check the contents and not just the packaging? Yes, of course there is. By clearly defining the content you want to let in (or out!) of your network, you get a completely different level of protection. The risk of both intrusion and information leakage is significantly reduced. Content-aware firewalls are a good step on the way, but even better is policy-driven allowlisting of approved data content. With such a methodology, you can control and control on an arbitrarily granular level, down to the smallest bit of data if you so desire.
By examining the contents instead of the packaging, full control and traceability can be achieved. In this way, you can also avoid ending up in the same position as the Trojan defense.
Jonas Dellenvall, CTO, Advenica AB
