The Nature of Security

Understanding Security Nat Torkington Tuesday, 30 August 2011

As delivered to the New Zealand Bar Association annual conference. Licensed for reuse under CCBY (attribution required).

Transcript of The Nature of Security

Page 1: The Nature of Security

Understanding Security

Nat Torkington

Tuesday, 30 August 2011

Page 2: The Nature of Security

“secure”

I’d like to start by looking at the word “secure”. We talk about something “being secure”, but to professionals in the area it’s not so simple.

Page 3: The Nature of Security

“secure”

“lawful”

Security is a lot like the law, in fact. Outsiders think it’s black and white, but you know that it’s an ocean of grey which requires interpretation, argument, judgement.

Page 4: The Nature of Security

“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location ... and I’m not even too sure about that one.”

–Denis Hughes

This quote sums up the attitude of the real computer professional. Secure from what? I could follow your car to the secret location, dig up the safe, break into it, plug it back in, and access your files!

Page 5: The Nature of Security

“secure”

So the word “secure” just doesn’t make a lot of sense. Instead,

Page 6: The Nature of Security

“posture”

security professionals talk about your security posture. That is, what direction are you expecting an attack to come from, what form will it take, and how are you prepared to respond? Implicit is the idea that you’re going to ignore some attacks as too improbable or too hard to defend against.

Imagine a street fight: you expect punches and kicks, maybe a headbutt. A knife? Possibly. Are you safe if you know how to defend against those? What about a gun? What if there’s a sniper? What if someone drives a car into you? There are always more possibilities for attack, and part of a rational defence is figuring out what to guard against.

Page 7: The Nature of Security

“what do you have?”

“how might you be attacked?”

“how likely are those attacks?”

“how could I defend against them?”

“how much will that cost?”

These are the kinds of questions you have to ask yourself. But, of course, to do this you need to know how you can be attacked! I’m going to take you quickly through these questions so you can get a sense of what you might need to defend against.

Page 8: The Nature of Security

What do you have of value?

Page 9: The Nature of Security

What do you have of value?

client lists

contact details and phone numbers.

Page 10: The Nature of Security

What do you have of value?

client lists

your credit card and other personal details

and, of course, information about yourself. Maybe that’s useful to an identity thief, or to someone who wants to go on a spree with your Platinum Amex.

Page 11: The Nature of Security

What do you have of value?

client lists

your credit card and other personal details

sensitive background documents for cases

internal documents from clients, confidential and commercially sensitive. Full of competitive information, plans, weaknesses, and candid observations.

Page 12: The Nature of Security

What do you have of value?

client lists

your credit card and other personal details

sensitive background documents for cases

notes on how you will argue in court

preparation for your arguments and presentations

Page 13: The Nature of Security

What do you have of value?

client lists

your credit card and other personal details

sensitive background documents for cases

notes on how you will argue in court

email and private communications that could be embarrassing if released

and, of course, your text messages and emails and whatever. You might have an affair, you might tell a partner that your client is a pain in the arse, etc.

Page 14: The Nature of Security

What could happen?

So now let’s ask what a bad guy might do. (We call them “black hats” in the computer business; it’s a nice way of avoiding sounding like George Bush ranting against “the evil durrs”.)

Page 15: The Nature of Security

What could happen?

copy

Well, obviously they might copy the information off to their own systems. You might never know. Suddenly the competition would know what your clients were up to, or your credit card was used. Telecom ran into this last year when it was revealed that a rival had access to Telecom’s customer list via a call centre application.

Page 16: The Nature of Security

What could happen?

copy

delete

A malicious attacker could simply delete the information. Imagine the chaos if, just before you rock up to court, someone blew away your online notes. Or the chaos your billing would be in without your administrative information.

Page 17: The Nature of Security

What could happen?

copy

delete

prevent your access or use

This is like deleting the information, but instead of having to remove it from your system, they just have to prevent you from getting to it. So it might all exist on the hard drive, but the machine won’t start up. Or your accounts live on in Xero but they’ve changed your password and you can’t log in to get to it. Or they flood your Internet line with so much traffic that you can’t get to your Google mail.

Page 18: The Nature of Security

What could happen?

copy

delete

prevent your access or use

alter

The most insidious behaviour is to subtly change your information. For example, I might quietly break in and change the settings on your email to deliver to my anonymous email address another copy of all your email. Or I might change your notes so you argue badly in court.

Page 19: The Nature of Security

Attack Actions

Ok, so now we know what we’re afraid of happening to our business, how might it happen? Let’s look at scenarios in increasing order of deviousness.

Page 20: The Nature of Security

Attack Actions

physically destroy

Well, I might smash your laptop or computer. I’m not going to be able to accomplish every goal this way, but I can certainly deny you access to your files. All I have to do is burn your office building.

Backups obviously help here, whether to the cloud or just to a DVD that’s kept somewhere else.

Page 21: The Nature of Security

Attack Actions

physically destroy

physically remove

What I can’t achieve by destroying the machine, I might be able to achieve by taking it away from you: steal your laptop, break in and whisk away your server. These are some of the prime scenarios why people encrypt their hard drives. You might have my physical computer but you’ll never get the information off it, sonny!

Page 22: The Nature of Security

Attack Actions

physically destroy

physically remove

physically copy

Now we get more devious. You might never know I’ve been in and out if I’ve physically copied the information but otherwise left things as they were. It’s like photocopying paper files.

Even better, if you’ve encrypted documents and I copy the document, I can then (on my own site, in my own time) throw all the computing resources I have at breaking that encryption. Brute force (trying zillions of plausible passwords) works almost all the time.

Page 23: The Nature of Security

Attack Actions

physically destroy

physically remove

physically copy

overhear

I might physically tap your outgoing broadband to read your email or watch your accounts, just as I might tap your phone to listen to your conversations. I might watch as you unlock your iPhone in line at the airport.

Page 24: The Nature of Security

Attack Actions

physically destroy

physically remove

physically copy

overhear

malware

I might put software onto your computer that you can’t see, but which works for me: it tells me what you type, it sends me the web pages you look at, it sends me every file on your computer. From afar, I could even instruct your computer to send spam, attack another computer, or destroy the hard drive. Collectively this bad software is called “malware”, and it encompasses specialist terms like “trojan”, “virus”, and so on.

Page 25: The Nature of Security

Attack Vectors

Ok, so if I were a black hat hoping to do some of those bad things to you, what am I going to do?

Page 26: The Nature of Security

Attack Vectors

B&E

Possibly the easiest is to break into your office and steal the computer. Those of you in small practices are particularly vulnerable to bricks through the window. Before the security company arrives, I’ll have hoofed it with your computer.

If I don’t want you to know that I have your stuff, I’ll sweep a couple of folders off the desk but also sneak in and put a keylogger between your keyboard and your computer. Then all I have to do is repeat the process two weeks later and I’ll have your passwords and

Page 27: The Nature of Security

This is a before and after of a keylogger installed on a computer. You wouldn’t notice, but it’s silently listening to every keystroke.

Page 28: The Nature of Security

Attack Vectors

B&E

Employees

But, to be honest, B&E is too risky. It involves leaving one’s chair. The easiest way to get inside your computers is to have someone at your company give it to me. At big companies with corporate IT, it’s easy (“hi, it’s Jill here on Level 4 -- I’ve forgotten how to change my password, could you do it for me?”).

At a smaller company, I could just call and pretend to be Microsoft support. Well, I could until the newspapers got ahold of it. But the basic idea is sound: pretend to be someone I’m not, get you to give me the passwords, and I’m in. This is called “social engineering”, and is the digital equivalent of pretending to be the pizza delivery man or cleaners to get physical access.

Page 29: The Nature of Security

Attack Vectors

B&E

Employees

Passwords

I might not even have to call you. If your computer systems are connected to the Internet (or live in the cloud), I might just be able to try every one of thousands of passwords until I find the one that lets me in. Most people aren’t imaginative about their passwords: hands up everyone who has a password that includes a person’s name. A place name. A date.

Once I have your password, the computer thinks I’m you. I can read your files, log in remotely, and copy and change whatever I like.

Best of all, most people reuse passwords. Maybe I throw all my resources against the silly Internet forum you use to read funny cat pictures, then once I’ve found that password I’ll use it to silently and invisibly log into your work computer.

Page 30: The Nature of Security

Attack Vectors

B&E

Employees

Passwords

Phishing

Another way for me to get you to hurt your security is to try “phishing”. That’s where I send you mail that looks like it’s from Xero, it says “as part of our regular security audit, we detected that you have a vulnerable password. Please log in here and change it.” Of course, the link in the email isn’t to Xero’s web site, it’s to a blackhat website that looks like it’s Xero. Bingo, you’ve just told me your Xero password.

Or perhaps I don’t want you to go to Xero, I want you to open this attachment. But the attachment is deceptive and malicious: it’s a spreadsheet but it loads something that installs malware on your hard drive.

Even if you think you’re onto my game and you won’t open attachments from strangers or click links that purport to be from trusted sites, I might still be able to get you. I’ll focus in on you, and forge an email that looks like it’s specifically from someone you know and aimed at you. This is called “spear phishing”.

RSA, a security company whose secure tokens are password replacements that are heavily used in the American defense industry, was targeted by Chinese hackers in just this fashion. Employees who weren’t high-profile got mail with the subject line “2011 Recruitment Plan” and a spreadsheet, which had malware in it. From there, attackers got the keys to the encryption in RSA’s magic password system, and opened the doors to Lockheed and other defence contractors.
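The tell in the phishing mail described above is that the visible link text and the real link target disagree, or that the target is not on the sender’s domain at all. The following is an added example, not part of the talk, of how a mail gateway or a cautious reader’s script can check that: it pulls every link out of an HTML message and flags any whose target host is not under the claimed sender domain, or whose display text names a different host than the one it actually points to. The sample message and all hosts in it are constructed for illustration; the `xero.com` domain is only the page’s own example of a sender.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: an off-domain "reset" link, a link whose visible text
# is a Xero URL but whose target is an unrelated address, and one genuine help link.
SAMPLE_EMAIL = """
<p>As part of our regular security audit, we detected that you have a vulnerable password.</p>
<p>Please <a href="http://xero-secure-login.example.net/reset">log in here</a> and change it.</p>
<p>Or open <a href="http://203.0.113.7/xero">https://www.xero.com/login</a> directly.</p>
<p>Help centre: <a href="https://help.xero.com/">help.xero.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL; a bare 'help.xero.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def under_domain(host: str, domain: str) -> bool:
    """True for the domain itself or a subdomain; false for look-alikes such as notxero.com."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, claimed_sender_domain: str):
    """Return [(href, text, reasons)] for links that do not fit the claimed sender."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        href_host = host_of(href)
        if not under_domain(href_host, claimed_sender_domain):
            reasons.append(f"target host {href_host!r} is not under {claimed_sender_domain}")
        # If the visible text itself looks like a URL or hostname, it must agree with the real target.
        if text and " " not in text and "." in text and host_of(text) != href_host:
            reasons.append(f"display text names {host_of(text)!r} but the link goes to {href_host!r}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, "xero.com"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the first two links are reported (the second for both reasons) and the genuine `help.xero.com` link passes. The subdomain test is deliberately strict: a plain `endswith("xero.com")` would wave through `notxero.com`, which is exactly the kind of look-alike a phishing site uses.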

Page 31: The Nature of Security

Attack Vectors

B&E

Employees

Passwords

Phishing

Internet-exploitable software vulnerability

But bugger it, if you’ve left your Windows machine plugged directly into the Internet with no firewall running then I can probably bust in. Chances are that one of the things your computer is running can’t deal with the crap I can throw at it, and I’ll be able to use that to break in.

Page 32: The Nature of Security

Are these reasonable?

You might be asking yourself whether you actually have something to fear from any of these. It depends on your clients. Computer espionage is very common between business rivals, and is very common between nation states. As the stakes and the stature of the clients go down, the odds of attacks you’ll attract because of them go down. Two farmers in Warkworth aren’t going to attract the same interest as, say, the barrister for Julian Assange of Wikileaks.

Then again, as a computer user (regardless of your profession) on the Internet you have to watch out for attempts to trick you into divulging passwords or installing software: your credit card number and the use of your computer is enough for many out there.

Page 33: The Nature of Security

Reasonable Precautions

So here are seven reasonable precautions that you should take.

Page 34: The Nature of Security

Reasonable Precautions

Firewall, antivirus, automatic updates, and (secure) backups

First, these are the basics. If you don’t do these, don’t even bother with anything else. You might as well just mail your files to the Kremlin.

A firewall keeps unwanted Internet connections out. It’s like bright lights around your building at night.

Antivirus software is now generally anti-malware. It’ll scan your downloads and attachments and keep the bad stuff out.

Automatic updates keep your computer secure. You can’t do this once and then walk away. Pay the money to the bloodsuckers at the antivirus company and get the updates: no point being 2005-secure in 2011. There’s no such thing as “2005-secure in 2011”.

Backups are to keep your files safe should your computers be stolen, lost, or destroyed. Don’t keep your backups with your computers (fires). If you’re worried about information being stolen, physically secure those backups.

Page 35: The Nature of Security

Reasonable Precautions

Firewall, antivirus, automatic updates, and (secure) backups

Use locks and passwords

Lock your office doors and windows. Lock your laptop too: enable passwords and swipe codes and whatever else your gizmos have to keep people out. Here you’re protecting against someone stealing your laptop, opening it up, and realizing they can sell or use your files for their advantage.

Consider enabling “two factor authentication” if you use Google apps like gmail. When you go to log in, Google will text you a passcode that you have to enter before you can actually use the service.
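The texted passcode only adds a second factor if the service handles it carefully: the code must be unpredictable, expire quickly, work once, and survive only a handful of wrong guesses. The following is an added example, not code from the talk or from Google, of the server-side bookkeeping behind such a passcode. The delivery function is injected (an SMS gateway in real life) so the example runs offline, and the five-minute lifetime and five-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_TTL_SECONDS = 300   # assumption: a texted code is only good for five minutes
MAX_ATTEMPTS = 5         # assumption: after five wrong guesses the code is discarded
CODE_DIGITS = 6


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SecondFactor:
    """Issue and verify one-time passcodes delivered out of band (e.g. by text message)."""

    def __init__(self, send_text: Callable[[str, str], None]):
        self._send_text = send_text          # whatever actually delivers the code
        self._pending: Dict[str, PendingCode] = {}

    def issue(self, user: str, now: Optional[float] = None) -> None:
        now = time.time() if now is None else now
        # Draw from the OS CSPRNG (never the `random` module) so the code cannot be predicted.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(code=code, issued_at=now)
        self._send_text(user, code)

    def verify(self, user: str, submitted: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        pending = self._pending.get(user)
        if pending is None:
            return False                      # nothing issued, or already used up
        if now - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user]           # expired: the user must request a fresh code
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[user]           # too many guesses: force a fresh code
            return False
        # Constant-time comparison so the check does not leak how many digits matched.
        ok = hmac.compare_digest(pending.code.encode(), submitted.encode())
        if ok:
            del self._pending[user]           # single use: replaying the same code fails
        return ok


if __name__ == "__main__":
    # Stand-in for the SMS gateway: just remember what would have been sent.
    outbox = {}
    sf = SecondFactor(lambda user, code: outbox.__setitem__(user, code))
    sf.issue("alice")
    print("code texted to alice:", outbox["alice"])
    print("first use accepted:", sf.verify("alice", outbox["alice"]))
    print("replay accepted:", sf.verify("alice", outbox["alice"]))
```

The time is passed in explicitly where needed so expiry can be exercised without waiting; in production the default of the current clock applies. The attempt cap matters because a six-digit code has only a million possibilities, which is well within reach of the password-guessing the talk describes unless each code dies after a few wrong guesses.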

Page 36: The Nature of Security

Reasonable Precautions

Firewall, antivirus, automatic updates, and (secure) backups

Use locks and passwords

Make the passwords hard to guess

You wouldn’t use a plasticine padlock; don’t use a weak password.

Use a different password on each service.

Use a system for your passwords (e.g., three random words and the name of the service, separated by punctuation).

Consider using 1Password if all these passwords are too hard to remember. It’s an app for your iPhone (or laptop or other smartphone) to keep your passwords encrypted, revealing them as you need them (assuming you can provide The Master Password).
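Two points from this talk can be put into code: the earlier warning that guessable passwords are built from a person’s name, a place name or a date, and the system suggested here of three random words plus the service name. The following is an added example, not part of the talk, that does both: `is_weak` rejects candidates containing those guessable tokens or falling under a minimum length, and `generate_passphrase` builds a per-service passphrase from words drawn with the OS random number generator, with `passphrase_entropy_bits` showing how much guessing work the random words represent. The 32-word list, the short name/place blocklist and the 12-character minimum are all constructed for illustration; a real deployment would use lists of thousands of entries.

```python
import math
import re
import secrets

# Constructed 32-word list for illustration; a real system would draw from a list
# of several thousand words (assumption, not part of the talk).
WORDS = (
    "apple", "river", "stone", "cloud", "maple", "candle", "garden", "violet",
    "harbor", "silver", "copper", "meadow", "pepper", "lantern", "marble", "summit",
    "timber", "walnut", "yellow", "anchor", "basket", "cactus", "dragon", "ember",
    "falcon", "ginger", "hammer", "island", "jacket", "kettle", "lemon", "mirror",
)

# Constructed blocklist of the tokens the talk says people reach for: a person's name,
# a place name. A real check would use a far larger list (assumption).
COMMON_NAMES = ("auckland", "jill", "john", "michael", "sarah", "warkworth", "wellington")

# Four-digit years and short day/month forms cover the "a date" case from the talk.
DATE_RE = re.compile(r"(19|20)\d{2}|\b\d{1,2}[/-]\d{1,2}\b")

MIN_LENGTH = 12   # assumption: the policy's minimum length


def is_weak(password: str) -> list:
    """Reasons a candidate password fails the policy; an empty list means it passed."""
    reasons = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for token in COMMON_NAMES:
        if token in lowered:
            reasons.append(f"contains a common name or place: {token}")
    if DATE_RE.search(password):
        reasons.append("contains a date or year")
    return reasons


def generate_passphrase(service: str, n_words: int = 3, sep: str = "-") -> str:
    """The talk's system: random words, then the service name, joined by punctuation."""
    # secrets.choice uses the OS CSPRNG; random.choice would be predictable.
    words = [secrets.choice(WORDS) for _ in range(n_words)]
    return sep.join(words + [service])


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """Guessing work in the random words only: the service suffix is public, not secret."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("Jill1984", "Auckland2011", generate_passphrase("xero")):
        print(f"{candidate!r} -> {is_weak(candidate) or 'ok'}")
    print("bits of entropy in the random words:", passphrase_entropy_bits(3, len(WORDS)))
```

The entropy figure counts only the random words, because anyone who knows the system can see the service name: three words from this 32-word list give 15 bits, and the same three words from a list of 7776 words give about 39. The word count and list size are what make the passphrase resist the thousands-of-guesses attack described earlier, not the punctuation or the suffix.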

Page 37: The Nature of Security

Reasonable Precautions

Firewall, antivirus, automatic updates, and (secure) backups

Use locks and passwords

Make the passwords hard to guess

Encrypt your files

If I steal your computer, I can take the hard drive out, put a cable on it, and look at the files from my computer. Encrypt that sucker. Modern operating systems come with this; use it.

Page 38: The Nature of Security

Reasonable Precautions

Firewall, antivirus, automatic updates, and (secure) backups

Use locks and passwords

Make the passwords hard to guess

Encrypt your files

Prevent shoulder-surfing

Treat your password like a PIN: look around to see who’s watching. Shoulder surfing is the fine art of looking at people as they type in passwords. Just as you’re supposed to shield your hand as you type in your PIN at the supermarket (but who does), you should be aware of your surroundings every time you unlock your phone or computer.

Similarly, don’t read work stuff on the plane. I *am* that guy who always tries to read the stuff you’re looking at.

Page 39: The Nature of Security

Reasonable Precautions

Firewall, antivirus, automatic updates, and (secure) backups

Use locks and passwords

Make the passwords hard to guess

Encrypt your files

Prevent shoulder-surfing

Encrypt your Internet traffic

If you’re going to work outside the office, get a VPN (Virtual Private Network). This makes sure that I can’t watch your Internet messages zip past and pull out the passwords.

Page 40: The Nature of Security

Reasonable Precautions

Firewall, antivirus, automatic updates, and (secure) backups

Use locks and passwords

Make the passwords hard to guess

Encrypt your files

Prevent shoulder-surfing

Encrypt your Internet traffic

Train employees

It does you no good to be paranoid if your secretary lets the black hat in. Educate everyone about the perils of shoulder surfing and social engineering for physical or online access. Establish procedures for controlling access, and enforce them (no “look, it’s someone you don’t know, but I have a great sob story that means you should bend the rules ....”).

Page 41: The Nature of Security

Thank you

[email protected]
