Understanding Security
       Nat Torkington
Tuesday, 30 August 2011
“secure”

I’d like to start by looking at the word “secure”. We talk about
something “being secure”, but to professionals in the area it’s not so
simple.
“secure”
       “lawful”

Security is a lot like the law, in fact. Outsiders think it’s black and white,
but you know that it’s an ocean of grey which requires interpretation,
argument, judgement.
“The only secure computer
       is one that’s unplugged,
       locked in a safe, and buried
       20 feet under the ground in
       a secret location ... and I’m
       not even too sure about that
       one.”
                      –Denis Hughes

This quote sums up the attitude of the real computer professional.
Secure from what? I could follow your car to the secret location, dig up
the safe, break into it, plug it back in, and access your files!
“secure”

So the word “secure” just doesn’t make a lot of sense. Instead,

“posture”

security professionals talk about your security posture. That is, what
direction are you expecting an attack to come from, what form will it
take, and how are you prepared to respond? Implicit is the idea that
you’re going to ignore some attacks as too improbable or too hard to
defend against.

Imagine a street fight: you expect punches and kicks, maybe a headbutt.
A knife? Possibly. Are you safe if you know how to defend against
those? What about a gun? What if there’s a sniper? What if someone
drives a car into you? There are always more possibilities for attack, and
part of a rational defence is figuring out what to guard against.
“what do you have?”
       “how might you be attacked?”
       “how likely are those attacks?”
       “how could I defend against
       them?”
       “how much will that cost?”

These are the kinds of questions you have to ask yourself. But, of
course, to do this you need to know how you can be attacked! I’m going
to take you quickly through these questions so you can get a sense of
what you might need to defend against.
What do you have of value?

           client lists

contact details and phone numbers.

           your credit card and other personal details

and of course, information about yourself. Maybe that’s useful to an
identity thief, or someone who wants to go on a spree with your
Platinum Amex.

           sensitive background documents for cases

internal documents from clients, confidential and commercially
sensitive. Full of competitive information, plans, weaknesses, and
candid observations.

           notes on how you will argue in court

preparation for your arguments and presentations.

           email and private communications that could be
           embarrassing if released

and, of course, your text messages and emails and whatever. You might
have an affair, you might tell a partner that your client is a pain in the
arse, etc.
What could happen?

So now let’s ask what a bad guy might do. (We call them “black hats” in
the computer business; it’s a nice way of avoiding sounding like George
Bush ranting against “the evil durrs”.)

           copy

Well, obviously they might copy the information off to their own
systems. You might never know. Suddenly the competition would know
what your clients were up to, or your credit card was used. Telecom ran
into this last year when it was revealed that a rival had access to
Telecom’s customer list via a call centre application.

           delete

A malicious attacker could simply delete the information. Imagine the
chaos if, just before you rock up to court, someone blew away your
online notes. Or the chaos your billing would be in without your
administrative information.

           prevent your access or use

This is like deleting the information, but instead of having to remove it
from your system, they just have to prevent you from getting to it. So it
might all exist on the hard drive, but the machine won’t start up. Or
your accounts live on in Xero but they’ve changed your password and
you can’t log in to get to it. Or they flood your Internet line with so
much traffic that you can’t get to your Google mail.

           alter

The most insidious behaviour is to subtly change your information. For
example, I might quietly break in and change the settings on your email
to deliver to my anonymous email address another copy of all your
email. Or I might change your notes so you argue badly in court.
Attack Actions

Ok, so now we know what we’re afraid of happening to our business,
how might it happen? Let’s look at scenarios in increasing order of
deviousness.

           physically destroy

Well, I might smash your laptop or computer. I’m not going to be able
to accomplish every goal this way, but I can certainly deny you access to
your files in this way. All I have to do is burn your office building.
Backups obviously help here, whether to the cloud or just to a DVD
that’s kept somewhere else.

           physically remove

What I can’t achieve by destroying the machine, I might be able to
achieve by taking it away from you: steal your laptop, break in and
whisk away your server. These are some of the prime reasons people
encrypt their hard drives. You might have my physical computer but
you’ll never get the information off it, sonny!

           physically copy

Now we get more devious. You might never know I’ve been in and out if
I’ve physically copied the information but otherwise left things as they
were. It’s like photocopying paper files.

Even better, if you’ve encrypted documents and I copy the document, I
can then (on my own site, in my own time) throw all the computing
resources I have at breaking that encryption. Brute force (trying zillions
of plausible passwords) works almost all the time.

           overhear

I might physically tap your outgoing broadband to read your email or
watch your accounts, just as I might tap your phone to listen to your
conversations. I might watch as you unlock your iPhone in line at the
airport.

           malware

I might put software onto your computer that you can’t see, but which
works for me: it tells me what you type, it sends me the web pages you
look at, it sends me every file on your computer. From afar, I could even
instruct your computer to send spam, attack another computer, or
destroy the hard drive. Collectively this bad software is called
“malware”, and it encompasses specialist terms like “trojan”, “virus”, and
so on.
Attack Vectors

Ok, so if I were a black hat hoping to do some of those bad things to
you, what am I going to do?

           B&E

Possibly the easiest is to break into your office and steal the computer.
Those of you in small practices are particularly vulnerable to bricks
through the window. Before the security company arrives, I’ll have
hoofed it with your computer.

If I don’t want you to know that I have your stuff, I’ll sweep a couple of
folders off the desk but also sneak in and put a keylogger between your
keyboard and your computer. Then all I have to do is repeat the process
two weeks later and I’ll have your passwords and

This is a before and after of a keylogger installed on a computer. You
wouldn’t notice, but it’s silently listening to every keystroke.
           Employees

But, to be honest, B&E is too risky. It involves leaving one’s chair. The
easiest way to get inside your computers is to have someone at your
company give it to me. At big companies with corporate IT, it’s easy
(“hi, it’s Jill here on Level 4; I’ve forgotten how to change my
password, could you do it for me?”).

At a smaller company, I could just call and pretend to be Microsoft
support. Well, I could until the newspapers got ahold of it. But the basic
idea is sound: pretend to be someone I’m not, get you to give me the
passwords, and I’m in. This is called “social engineering”, and is the
digital equivalent of pretending to be the pizza delivery man or cleaners
to get physical access.
           Passwords

I might not even have to call you. If your computer systems are
connected to the Internet (or live in the cloud), I might just be able to try
every one of thousands of passwords until I find the one that lets me in.
Most people aren’t imaginative about their passwords: hands up
everyone who has a password that includes a person’s name. A place
name. A date.

Once I have your password, the computer thinks I’m you. I can read
your files, log in remotely, and copy and change whatever I like.

Best of all, most people reuse passwords. Maybe I throw all my
resources against the silly Internet forum you use to read funny cat
pictures, then once I’ve found that password I’ll use it to silently and
invisibly log into your work computer.
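Trying thousands of passwords against an Internet-facing login leaves a very visible trace: a burst of failed logins from one source, sometimes followed by a success once the right password (or a reused one) is found. The following is an added example, not from the talk, of the detection a defender would run over authentication logs. The log lines, hostname and addresses are constructed for the example in an OpenSSH-like format; the threshold and window are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the talk). The host "office" and
# the addresses are made up; the first source guesses six times and then
# gets in, the second is an ordinary user who mistyped once.
SAMPLE_LOG = """\
Aug 30 09:00:01 office sshd[4101]: Failed password for jill from 203.0.113.9 port 51001 ssh2
Aug 30 09:00:02 office sshd[4102]: Failed password for jill from 203.0.113.9 port 51002 ssh2
Aug 30 09:00:02 office sshd[4103]: Failed password for admin from 203.0.113.9 port 51003 ssh2
Aug 30 09:00:03 office sshd[4104]: Failed password for jill from 203.0.113.9 port 51004 ssh2
Aug 30 09:00:04 office sshd[4105]: Failed password for jill from 203.0.113.9 port 51005 ssh2
Aug 30 09:00:05 office sshd[4106]: Failed password for jill from 203.0.113.9 port 51006 ssh2
Aug 30 09:00:06 office sshd[4107]: Accepted password for jill from 203.0.113.9 port 51007 ssh2
Aug 30 09:15:00 office sshd[4200]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Aug 30 09:25:00 office sshd[4201]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2011):
    """Turn one syslog-style sshd line into a dict, or None if it is not a
    password login event. Syslog omits the year, so it is supplied here."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_password_guessing(log_text, threshold=5, window_seconds=60):
    """Report sources with at least `threshold` failed logins inside any
    `window_seconds` span. A source is marked 'compromised' when a
    successful login follows the burst: the password was found, not merely
    tried, and that account needs a reset and a look at what it did next."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        # Slide a window of `threshold` consecutive failures along the list;
        # the first window that fits inside window_seconds marks a burst.
        burst_end = None
        for i in range(len(failures) - threshold + 1):
            span = failures[i + threshold - 1]["ts"] - failures[i]["ts"]
            if span.total_seconds() <= window_seconds:
                burst_end = failures[i + threshold - 1]["ts"]
                break
        if burst_end is None:
            continue
        compromised = any(
            e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs
        )
        findings[ip] = {
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "compromised": compromised,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

The same logic applies to web or cloud logins if `parse_line` is swapped for the relevant format; the decision that matters is the one in `compromised`, since a burst that ends in success is an incident, not just noise to rate-limit.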
           Phishing

Another way for me to get you to hurt your security is to try “phishing”.
That’s where I send you mail that looks like it’s from Xero, it says “as
part of our regular security audit, we detected that you have a vulnerable
password. Please log in here and change it.” Of course, the link in the
email isn’t to Xero’s web site, it’s to a black-hat website that looks like
it’s Xero. Bingo, you’ve just told me your Xero password.

Or perhaps I don’t want you to go to Xero, I want you to open this
attachment. But the attachment is deceptive and malicious: it’s a
spreadsheet but it loads something that installs malware on your hard
drive.

Even if you think you’re onto my game and you won’t open attachments
from strangers or click links that purport to be from trusted sites, I
might still be able to get you. I’ll focus in on you, and forge an email
that looks like it’s specifically from someone you know and aimed at you.
This is called “spear phishing”.

RSA, a security company whose secure tokens are password
replacements that are heavily used in the American defence industry, was
targeted by Chinese hackers in just this fashion. Employees who weren’t
high-profile got mail with the subject line “2011 Recruitment Plan” and a
spreadsheet, which had malware in it. From there, attackers got the keys
to the encryption in RSA’s magic password system, and opened the
doors to Lockheed and other defence contractors.
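The tell in the Xero story is that the link text and the link target disagree: the mail talks about Xero, but the `href` points somewhere else. The following is an added example, not from the talk, of the checks a mail gateway or a cautious reader's script can run over the links in a message claiming to come from a given company: is the target actually under that company's domain, does the visible URL match the real one, and is the host a lookalike that merely contains the brand name. The HTML message and the hostnames are constructed for the example; `TRUSTED` is an assumed allowlist of the sender's real domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the domains a genuine Xero mail would link to.
TRUSTED = {"xero.com"}

# Constructed phishing mail in the style the talk describes (not real mail).
SAMPLE_MAIL = """
<p>As part of our regular security audit, we detected that you have a
vulnerable password. Please <a href="http://login.xero.com.example-verify.invalid/reset">log in here</a>
and change it, or visit <a href="https://secure-xero-login.example.net">https://www.xero.com</a>.</p>
<p>Questions? See <a href="https://www.xero.com/help">https://www.xero.com/help</a>.</p>
"""


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Lower-case hostname of a URL; bare text like 'www.xero.com' counts."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def belongs_to(host, domain):
    # Suffix match on a label boundary, so 'xero.com.evil.invalid' does not pass.
    return host == domain or host.endswith("." + domain)


def check_links(html, trusted=TRUSTED):
    """Return the suspicious links with the reasons each one was flagged."""
    labels = {d.split(".")[0] for d in trusted}          # brand words, e.g. 'xero'
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href:
            continue
        actual = host_of(href)
        # Only treat the visible text as a URL when it looks like one.
        shown = host_of(text) if ("." in text and " " not in text) else None
        reasons = []
        if not any(belongs_to(actual, d) for d in trusted):
            reasons.append("target outside trusted domains")
            if any(label in actual for label in labels):
                reasons.append("lookalike host")
        if shown and shown != actual:
            reasons.append("display/target mismatch")
        if urlparse(href).scheme != "https":
            reasons.append("not https")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_MAIL):
        print(f["href"], "->", ", ".join(f["reasons"]))
```

Note that a spear-phishing mail from a forged colleague may carry no link at all, only an attachment; the check above covers the "log in here" variant the talk describes, not the malicious-spreadsheet one.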
           Internet-exploitable software vulnerability

But bugger it, if you’ve left your Windows machine plugged directly into
the Internet with no firewall running then I can probably bust in.
Chances are that one of the things your computer is running can’t deal
with the crap I can throw at it, and I’ll be able to use it to break in.
Are these reasonable?

You might be asking yourself whether you actually have something to
fear from any of these. It depends on your clients. Computer espionage
is very common between business rivals, and is very common between
nation states. As the stakes and the stature of the clients go down,
the odds of attacks you’ll attract because of them go down. Two farmers
in Warkworth aren’t going to attract the same interest as, say, the
barrister for Julian Assange of Wikileaks.

Then again, as a computer user (regardless of your profession) on the
Internet you have to watch out for attempts to trick you into divulging
passwords or installing software: your credit card number and the use of
your computer are enough for many out there.
Reasonable Precautions

So here are seven reasonable precautions that you should take.
           Firewall, antivirus, automatic updates, and (secure)
           backups

First, these are the basics. If you don’t do these, don’t even bother with
anything else. You might as well just mail your files to the Kremlin.

Firewall keeps unwanted Internet connections out. It’s like bright lights
around your building at night.

Antivirus software is now generally anti-malware. It’ll scan your
downloads and attachments and keep the bad stuff out.

Automatic updates keep your computer secure. You can’t do this once
and then walk away. Pay the money to the bloodsuckers at the antivirus
company and get the updates: no point being 2005-secure in 2011.
There’s no such thing as “2005-secure in 2011”.

Backups are to keep your files safe should your computers be stolen,
lost, or destroyed. Don’t keep your backups with your computers (fires).
If you’re worried about information being stolen, physically secure those
backups.
           Use locks and passwords

Lock your office doors and windows. Lock your laptop too: enable
passwords and swipe codes and whatever else your gizmos have to keep
people out. Here you’re protecting against someone stealing your
laptop, opening it up, and realizing they can sell or use your files for
their advantage.

Consider enabling “two factor authentication” if you use Google apps like
Gmail. When you go to log in, Google will text you a passcode that you
have to enter before you can actually use the service.
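The texted passcode is a second factor: something the attacker who has only your password does not have. The following is an added example, not from the talk and not Google's code, showing the closely related time-based one-time password (TOTP, RFC 6238) that authenticator apps generate: both sides derive a six-digit code from a shared secret and the current 30-second time step, so a phished or guessed password is useless without the phone. The secret and timestamps are the RFC's published test values; the plus or minus one step of tolerance for clock drift is a design choice of this example.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared test secret (20 ASCII bytes), used here only so
# the codes below can be checked against the published vectors.
TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at the offset given by the low nibble
    of the last MAC byte, and the result is reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter being the number of `step`-second
    periods since the Unix epoch. `at` defaults to now."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server side: accept the code for the current step and `window` steps
    either side, so a phone whose clock drifts a few seconds still works.
    Every candidate is compared in constant time; the loop does not stop
    early on a match so timing reveals nothing about which step matched."""
    if at is None:
        at = int(time.time())
    counter = at // step
    ok = False
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), str(code)):
            ok = True
    return ok


if __name__ == "__main__":
    # At T=59 the counter is 1; RFC 6238 lists 94287082 for 8 digits.
    print(totp(TEST_SECRET, at=59, digits=8))
    print(verify_totp(TEST_SECRET, totp(TEST_SECRET)))
```

The real secret is generated per user when two-factor is enrolled and shown once as a QR code; it is the one thing that must stay on the server and the phone, which is why a phishing page that asks for the current code still only gets 30 seconds of use out of it, not a permanent way in.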
           Make the passwords hard to guess

You wouldn’t use a plasticine padlock; don’t use a weak password.

Use a different password on each service.

Use a system for your passwords (e.g., three random words and the
name of the service, separated by punctuation).

Consider using 1Password if all these passwords are too hard to
remember. It’s an app for your iPhone (or laptop or other smartphone) to
keep your passwords encrypted, revealing them as you need them
(assuming you can provide The Master Password).
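What makes the "three random words" system work is that the words are actually random and drawn from a large list, which is what the guesser's "name, place, date" shortcut lacks. The following is an added example, not from the talk or from 1Password, that builds such a passphrase from a cryptographic random source, puts a number on the guessing work it implies, and flags the habits the notes call out. The word list is a constructed stand-in (a real list has thousands of entries; the 7776-word figure below is the size of a common diceware list), and `known_words` stands in for an attacker's dictionary.

```python
import math
import re
import secrets

# Constructed, deliberately short word list so the example runs offline.
# Use a published passphrase list of thousands of words in practice.
WORDS = ["harbour", "violet", "pencil", "glacier", "tango", "marble",
         "kettle", "orbit", "saddle", "lantern", "fennel", "cobalt"]

_RNG = secrets.SystemRandom()   # OS entropy, not random.random()


def passphrase(service, words=WORDS, n=3, sep="-", rng=_RNG):
    """The talk's scheme: n random words plus the service name, joined by
    punctuation. Different service name, different password."""
    return sep.join([rng.choice(words) for _ in range(n)] + [service])


def entropy_bits(choices_per_word, n_words):
    """log2 of the number of equally likely passphrases. This is the search
    space a guesser faces even if they know the scheme exactly, because the
    service name adds nothing they cannot read off the login page."""
    return n_words * math.log2(choices_per_word)


YEAR_RE = re.compile(r"(19|20)\d\d")


def guessability_warnings(password, known_words):
    """Flag the patterns the notes warn about: a dictionary word (name,
    place) possibly decorated with a year, or simply too short. A guesser
    enumerates exactly these shapes first."""
    warnings = []
    if YEAR_RE.search(password):
        warnings.append("contains a year")
    letters = re.sub(r"[^a-z]", "", password.lower())
    if letters in known_words:
        warnings.append("a single dictionary word")
    if len(password) < 12:
        warnings.append("shorter than 12 characters")
    return warnings


if __name__ == "__main__":
    print(passphrase("xero"))
    # Three words from a 7776-word list versus a name plus a year:
    print(round(entropy_bits(7776, 3), 1), "bits for three random words")
    print(round(math.log2(5000 * 120), 1), "bits for one of 5000 names and a year")
    print(guessability_warnings("Wellington1978", {"wellington"}))
```

The comparison in the `__main__` block is the point: three random words from a 7776-word list give roughly 39 bits, while a name from a few-thousand-entry list plus a year gives under 20, a difference of a factor of about half a million in guessing work.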
           Encrypt your files

If I steal your computer, I can take the hard drive out, put a cable on it,
and look at the files from my computer. Encrypt that sucker. Modern
operating systems come with this; use it.
           Prevent shoulder-surfing

Treat your password like a PIN: look around to see who’s watching.
Shoulder surfing is the fine art of looking at people as they type in
passwords. Just as you’re supposed to shield your hand as you type in
your PIN at the supermarket (but who does), you should be aware of
your surroundings every time you unlock your phone or computer.

Similarly, don’t read work stuff on the plane. I *am* that guy who
always tries to read the stuff you’re looking at.
           Encrypt your Internet traffic

If you’re going to work outside the office, get a VPN (Virtual Private
Network). This makes sure that I can’t watch your Internet messages zip
past and pull out the passwords.
           Train employees

It does you no good to be paranoid if your secretary lets the black hat
in. Educate everyone about the perils of shoulder surfing and social
engineering for physical or online access. Establish procedures for
controlling access, and enforce them (no “look, it’s someone you don’t
know, but I have a great sob story that means you should bend the
rules ....”).
Thank you
                          nathan@torkington.com

Más contenido relacionado

Más de gnat

Open Innovation
Open InnovationOpen Innovation
Open Innovationgnat
 
Technology Time Out
Technology Time OutTechnology Time Out
Technology Time Outgnat
 
Open Data, ALGIM 2010
Open Data, ALGIM 2010Open Data, ALGIM 2010
Open Data, ALGIM 2010gnat
 
2010 ALGIM Gov 2.0
2010 ALGIM Gov 2.02010 ALGIM Gov 2.0
2010 ALGIM Gov 2.0gnat
 
National Digital Library
National Digital LibraryNational Digital Library
National Digital Librarygnat
 
ALGIM 2009: Gov 2.0
ALGIM 2009: Gov 2.0ALGIM 2009: Gov 2.0
ALGIM 2009: Gov 2.0gnat
 
A Play in Three Acts
A Play in Three ActsA Play in Three Acts
A Play in Three Actsgnat
 
Better, Stronger, Faster Failures
Better, Stronger, Faster FailuresBetter, Stronger, Faster Failures
Better, Stronger, Faster Failuresgnat
 
Web Meets World: Privacy and the Future of the Cloud
Web Meets World: Privacy and the Future of the CloudWeb Meets World: Privacy and the Future of the Cloud
Web Meets World: Privacy and the Future of the Cloudgnat
 

Más de gnat (9)

Open Innovation
Open InnovationOpen Innovation
Open Innovation
 
Technology Time Out
Technology Time OutTechnology Time Out
Technology Time Out
 
Open Data, ALGIM 2010
Open Data, ALGIM 2010Open Data, ALGIM 2010
Open Data, ALGIM 2010
 
2010 ALGIM Gov 2.0
2010 ALGIM Gov 2.02010 ALGIM Gov 2.0
2010 ALGIM Gov 2.0
 
National Digital Library
National Digital LibraryNational Digital Library
National Digital Library
 
ALGIM 2009: Gov 2.0
ALGIM 2009: Gov 2.0ALGIM 2009: Gov 2.0
ALGIM 2009: Gov 2.0
 
A Play in Three Acts
A Play in Three ActsA Play in Three Acts
A Play in Three Acts
 
Better, Stronger, Faster Failures
Better, Stronger, Faster FailuresBetter, Stronger, Faster Failures
Better, Stronger, Faster Failures
 
Web Meets World: Privacy and the Future of the Cloud
Web Meets World: Privacy and the Future of the CloudWeb Meets World: Privacy and the Future of the Cloud
Web Meets World: Privacy and the Future of the Cloud
 

Último

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 

Último (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 

The Nature of Security

  • 1. Understanding Security. Nat Torkington. Tuesday, 30 August 2011.
  • 2. “secure”
    I’d like to start by looking at the word “secure”. We talk about something “being secure”, but to professionals in the area it’s not so simple.
  • 3. “secure” [“lawful”]
    Security is a lot like the law, in fact. Outsiders think it’s black and white, but you know that it’s an ocean of grey which requires interpretation, argument and judgement.
  • 4. “The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location ... and I’m not even too sure about that one.” –Denis Hughes
    This quote sums up the attitude of the real computer professional. Secure from what? I could follow your car to the secret location, dig up the safe, break into it, plug it back in, and access your files!
  • 5. “secure”
    So the word “secure” just doesn’t make a lot of sense. Instead,
  • 6. “posture”
    security professionals talk about your security posture. That is, what direction are you expecting an attack to come from, what form will it take, and how are you prepared to respond? Implicit is the idea that you’re going to ignore some attacks as too improbable or too hard to defend against. Imagine a street fight: you expect punches and kicks, maybe a headbutt. A knife? Possibly. Are you safe if you know how to defend against those? What about a gun? What if there’s a sniper? What if someone drives a car into you? There are always more possibilities for attack, and part of a rational defence is figuring out what to guard against.
  • 7. “what do you have?” “how might you be attacked?” “how likely are those attacks?” “how could I defend against them?” “how much will that cost?”
    These are the kinds of questions you have to ask yourself. But, of course, to do this you need to know how you can be attacked! I’m going to take you quickly through these questions so you can get a sense of what you might need to defend against.
  • 8. What do you have of value?
  • 9. What do you have of value? [client lists]
    Contact details and phone numbers.
  • 10. What do you have of value? [your credit card and other personal details]
    And of course, information about yourself. Maybe that’s useful to an identity thief, or someone who wants to go on a spree with your Platinum Amex.
  • 11. What do you have of value? [sensitive background documents for cases]
    Internal documents from clients, confidential and commercially sensitive. Full of competitive information, plans, weaknesses, and candid observations.
  • 12. What do you have of value? [notes on how you will argue in court]
    Preparation for your arguments and presentations.
  • 13. What do you have of value? [email and private communications that could be embarrassing if released]
    And, of course, your text messages and emails and whatever. You might have an affair, you might tell a partner that your client is a pain in the arse, etc.
  • 14. What could happen?
    So now let’s ask what a bad guy might do. (We call them “black hats” in the computer business; it’s a nice way of avoiding sounding like George Bush ranting against “the evil durrs”.)
  • 15. What could happen? [copy]
    Well, obviously they might copy the information off to their own systems. You might never know. Suddenly the competition would know what your clients were up to, or your credit card was used. Telecom ran into this last year when it was revealed that a rival had access to Telecom’s customer list via a call centre application.
  • 16. What could happen? [delete]
    A malicious attacker could simply delete the information. Imagine the chaos if, just before you rock up to court, someone blew away your online notes. Or the chaos your billing would be in without your administrative information.
  • 17. What could happen? [prevent your access or use]
    This is like deleting the information, but instead of having to remove it from your system, they just have to prevent you from getting to it. So it might all exist on the hard drive, but the machine won’t start up. Or your accounts live on in Xero but they’ve changed your password and you can’t log in to get to it. Or they flood your Internet line with so much traffic that you can’t get to your Google mail.
  • 18. What could happen? [alter]
    The most insidious behaviour is to subtly change your information. For example, I might quietly break in and change the settings on your email to deliver another copy of all your email to my anonymous email address. Or I might change your notes so you argue badly in court.
  • 19. Attack Actions
    OK, so now we know what we’re afraid of happening to our business; how might it happen? Let’s look at scenarios in increasing order of deviousness.
  • 20. Attack Actions [physically destroy]
    Well, I might smash your laptop or computer. I’m not going to be able to accomplish every goal this way, but I can certainly deny you access to your files. All I have to do is burn down your office building. Backups obviously help here, whether to the cloud or just to a DVD that’s kept somewhere else.
  • 21. Attack Actions [physically remove]
    What I can’t achieve by destroying the machine, I might be able to achieve by taking it away from you: steal your laptop, break in and whisk away your server. These are some of the main scenarios that lead people to encrypt their hard drives. You might have my physical computer but you’ll never get the information off it, sonny!
  • 22. Attack Actions [physically copy]
    Now we get more devious. You might never know I’ve been in and out if I’ve physically copied the information but otherwise left things as they were. It’s like photocopying paper files. Even better, if you’ve encrypted documents and I copy the document, I can then (on my own site, in my own time) throw all the computing resources I have at breaking that encryption. Brute force (trying zillions of plausible passwords) works almost all the time.
  • 23. Attack Actions [overhear]
    I might physically tap your outgoing broadband to read your email or watch your accounts, just as I might tap your phone to listen to your conversations. I might watch as you unlock your iPhone in line at the airport.
  • 24. Attack Actions [malware]
    I might put software onto your computer that you can’t see, but which works for me: it tells me what you type, it sends me the web pages you look at, it sends me every file on your computer. From afar, I could even instruct your computer to send spam, attack another computer, or destroy the hard drive. Collectively this bad software is called “malware”, and it encompasses specialist terms like “trojan”, “virus”, and so on.
  • 25. Attack Vectors
    OK, so if I were a black hat hoping to do some of those bad things to you, what am I going to do?
  • 26. Attack Vectors [B&E]
    Possibly the easiest is to break into your office and steal the computer. Those of you in small practices are particularly vulnerable to bricks through the window. Before the security company arrives, I’ll have hoofed it with your computer. If I don’t want you to know that I have your stuff, I’ll sweep a couple of folders off the desk but also sneak in and put a keylogger between your keyboard and your computer. Then all I have to do is repeat the process two weeks later and I’ll have your passwords and
  • 27. (no slide text)
    This is a before and after of a keylogger installed on a computer. You wouldn’t notice, but it’s silently listening to every keystroke.
  • 28. Attack Vectors [Employees]
    But, to be honest, B&E is too risky. It involves leaving one’s chair. The easiest way to get inside your computers is to have someone at your company give it to me. At big companies with corporate IT, it’s easy (“Hi, it’s Jill here on Level 4. I’ve forgotten how to change my password, could you do it for me?”). At a smaller company, I could just call and pretend to be Microsoft support. Well, I could until the newspapers got hold of it. But the basic idea is sound: pretend to be someone I’m not, get you to give me the passwords, and I’m in. This is called “social engineering”, and is the digital equivalent of pretending to be the pizza delivery man or the cleaners to get physical access.
  • 29. Attack Vectors [Passwords]
    I might not even have to call you. If your computer systems are connected to the Internet (or live in the cloud), I might just be able to try every one of thousands of passwords until I find the one that lets me in. Most people aren’t imaginative about their passwords: hands up everyone who has a password that includes a person’s name. A place name. A date. Once I have your password, the computer thinks I’m you. I can read your files, log in remotely, and copy and change whatever I like. Best of all, most people reuse passwords. Maybe I throw all my resources against the silly Internet forum you use to read funny cat pictures, then once I’ve found that password I’ll use it to silently and invisibly log into your work computer.
  • 30. Attack Vectors [Phishing]
    Another way for me to get you to hurt your security is “phishing”. That’s where I send you mail that looks like it’s from Xero, saying “as part of our regular security audit, we detected that you have a vulnerable password. Please log in here and change it.” Of course, the link in the email isn’t to Xero’s web site, it’s to a black-hat website that looks like Xero. Bingo, you’ve just told me your Xero password. Or perhaps I don’t want you to go to Xero, I want you to open this attachment. But the attachment is deceptive and malicious: it’s a spreadsheet, but it loads something that installs malware on your hard drive. Even if you think you’re onto my game and won’t open attachments from strangers or click links that purport to be from trusted sites, I might still be able to get you. I’ll focus on you, and forge an email that looks like it’s specifically from someone you know and aimed at you. This is called “spear phishing”. RSA, a security company whose secure tokens are password replacements heavily used in the American defence industry, was targeted by Chinese hackers in just this fashion. Employees who weren’t high-profile got mail with the subject line “2011 Recruitment Plan” and a spreadsheet, which had malware in it. From there, attackers got the keys to the encryption in RSA’s magic password system, and opened the doors to Lockheed and other defence contractors.
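The tell in slide 30’s mail is that the link’s visible text and its real destination disagree. The check below, an added example that is not part of the talk, parses a constructed phishing-style HTML mail and flags anchors whose displayed domain differs from the href host, whose host is a bare IP address, or whose host is outside an assumed allow-list (the `TRUSTED_DOMAINS` set, the sample mail and the `example.net` host are all constructed for this illustration). This is the kind of rule a mail filter or a user-facing warning can apply before anyone clicks.

```python
"""Flag links in an HTML e-mail whose visible text points somewhere other than
the real href target (the phishing tell from slide 30).  Added example; the
sample mail, the allow-list and the hosts in it are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: two deceptive links and one genuine one.
SAMPLE_EMAIL = """\
<p>As part of our regular security audit we detected that you have a
vulnerable password. Please <a href="http://xero-login-check.example.net/reset">
log in here</a> and change it.</p>
<p>Or visit <a href="http://203.0.113.9/xero">https://my.xero.com/account</a>
if the button does not work.</p>
<p>Help: <a href="https://help.xero.com/">help.xero.com</a></p>
"""

TRUSTED_DOMAINS = {"xero.com"}   # assumed allow-list of services the firm uses


def registrable_domain(host):
    """Crude reduction to the last two labels ('my.xero.com' -> 'xero.com').
    A production filter would use the public suffix list; this is enough to
    show the comparison."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def looks_like_url(text):
    """Does the anchor text itself claim to be an address?"""
    return text.startswith(("http://", "https://")) or ("." in text and " " not in text)


def assess_links(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per link with the reasons it looks deceptive."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        reasons = []
        if host.replace(".", "").isdigit():
            reasons.append("raw IP address as host")
        if looks_like_url(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlsplit(shown).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(host):
                reasons.append("visible text shows %s but link goes to %s" % (shown_host, host))
        if registrable_domain(host) not in trusted:
            reasons.append("host %s is not a trusted domain" % host)
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in assess_links(SAMPLE_EMAIL):
        print("SUSPICIOUS" if finding["suspicious"] else "ok        ", finding["href"], finding["reasons"])
```

Run against the constructed mail, the first two links are flagged (untrusted host; bare IP plus text/href mismatch) and the genuine `help.xero.com` link passes. The allow-list is the important design choice: a filter that only compares text against href misses the "log in here" case, where the text makes no claim at all.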
  • 31. Attack Vectors [Internet-exploitable software vulnerability]
    But bugger it, if you’ve left your Windows machine plugged directly into the Internet with no firewall running then I can probably bust in. Chances are that one of the things your computer is running can’t deal with the crap I can throw at it, and I’ll be able to use it to break in.
  • 32. Are these reasonable?
    You might be asking yourself whether you actually have something to fear from any of these. It depends on your clients. Computer espionage is very common between business rivals, and very common between nation states. As the stakes and the stature of the clients go down, the odds of attacks you’ll attract because of them go down. Two farmers in Warkworth aren’t going to attract the same interest as, say, the barrister for Julian Assange of Wikileaks. Then again, as a computer user on the Internet (regardless of your profession) you have to watch out for attempts to trick you into divulging passwords or installing software: your credit card number and the use of your computer are enough for many out there.
  • 33. Reasonable Precautions
    So here are seven reasonable precautions that you should take.
  • 34. Reasonable Precautions [Firewall, antivirus, automatic updates, and (secure) backups]
    First, these are the basics. If you don’t do these, don’t even bother with anything else. You might as well just mail your files to the Kremlin. A firewall keeps unwanted Internet connections out. It’s like bright lights around your building at night. Antivirus software is now generally anti-malware. It’ll scan your downloads and attachments and keep the bad stuff out. Automatic updates keep your computer secure. You can’t do this once and then walk away. Pay the money to the bloodsuckers at the antivirus company and get the updates: no point being 2005-secure in 2011. There’s no such thing as “2005-secure in 2011”. Backups are to keep your files safe should your computers be stolen, lost, or destroyed. Don’t keep your backups with your computers (fires). If you’re worried about information being stolen, physically secure those backups.
  • 35. Reasonable Precautions [Use locks and passwords]
    Lock your office doors and windows. Lock your laptop too: enable passwords and swipe codes and whatever else your gizmos have to keep people out. Here you’re protecting against someone stealing your laptop, opening it up, and realising they can sell or use your files for their advantage. Consider enabling “two-factor authentication” if you use Google apps like Gmail. When you go to log in, Google will text you a passcode that you have to enter before you can actually use the service.
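What the texted passcode on slide 35 buys you is that a stolen password alone is no longer enough. The service below is an added example of the server side of such a scheme; it is not Google’s implementation and assumes a `send_sms` callback and a clock supplied by the caller. The properties worth noticing are the ones the talk relies on: the code is random, short-lived, usable once, compared in constant time, and abandoned after a few wrong guesses so that the six digits cannot simply be brute-forced like a password.

```python
"""Server side of a texted one-time passcode, the second factor from slide 35.
Added example, not the product's own code.  send_sms is a stand-in for the
real SMS gateway; the clock is injectable so expiry can be demonstrated."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # code is only good for five minutes
MAX_ATTEMPTS = 3         # then the code is burned and a new one must be issued


class OtpService:
    def __init__(self, send_sms, clock=time.time, server_key=None):
        self._send = send_sms
        self._clock = clock
        # Per-server secret: the store holds only keyed hashes, never the codes.
        self._key = server_key or secrets.token_bytes(32)
        self._pending = {}   # user -> {"digest", "expires", "attempts"}

    def _digest(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        """Generate a fresh 6-digit code from a CSPRNG and text it to the user."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = {"digest": self._digest(user, code),
                               "expires": self._clock() + CODE_TTL_SECONDS,
                               "attempts": 0}
        self._send(user, f"Your login code is {code}")
        return True

    def verify(self, user, code):
        """True only for the current, unexpired code, and only once."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["digest"], self._digest(user, code))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]   # single use, and burned after too many tries
        return ok


def demo():
    """Walk through the failure modes with a captured SMS and a fake clock."""
    sent = []
    now = [1_000_000.0]
    svc = OtpService(lambda user, msg: sent.append(msg), clock=lambda: now[0])

    svc.issue("alice")
    code = sent[-1].split()[-1]
    wrong = "000000" if code != "000000" else "000001"
    results = {"wrong_first": svc.verify("alice", wrong),
               "right": svc.verify("alice", code),
               "replay": svc.verify("alice", code)}

    svc.issue("alice")                       # a code that is allowed to expire
    stale = sent[-1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    results["expired"] = svc.verify("alice", stale)

    svc.issue("alice")                       # a code that is guessed at too often
    burned = sent[-1].split()[-1]
    wrong = "000000" if burned != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("alice", wrong)
    results["after_lockout"] = svc.verify("alice", burned)
    return results


if __name__ == "__main__":
    print(demo())
```

Only the `right` step succeeds; a replay of the same code, an expired code and the correct code after three wrong guesses are all refused. Storing a keyed hash rather than the code means a leaked session table does not hand out live codes.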
  • 36. Reasonable Precautions [Make the passwords hard to guess]
    You wouldn’t use a plasticine padlock; don’t use a weak password. Use a different password on each service. Use a system for your passwords (e.g., three random words and the name of the service, separated by punctuation). Consider using 1Password if all these passwords are too hard to remember. It’s an app for your iPhone (or laptop or other smartphone) that keeps your passwords encrypted, revealing them as you need them (assuming you can provide The Master Password).
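Slide 29 says that a name, a place or a date in a password makes it guessable, and slide 36 proposes three random words plus the service name instead. The script below, an added example and not from the talk, puts numbers on both: it flags the patterns slide 29 lists, compares the guess space a naive strength meter reports with what an attacker who tries "name + year" actually faces, and generates a slide-36 passphrase. The name list and the word list are tiny constructed stand-ins; the 7,776-word dictionary size used for the entropy figure is the usual Diceware size and is an assumption, not something the talk states.

```python
"""Why 'Jill1984' loses to 'kauri-ledger-harbour-xero': flag the weak
patterns from slide 29 and compare guess counts with the slide 36 scheme.
Added example; the name and word lists are constructed stand-ins."""
import math
import re
import secrets

# Constructed lists.  Real attackers use lists with millions of entries.
COMMON_NAMES = {"jill", "nathan", "sarah", "james", "auckland", "warkworth", "wellington"}
WORDS = ["harbour", "kauri", "ledger", "quartz", "meadow", "lantern", "cinder", "paddock"]
DICTIONARY_SIZE = 7776   # assumed Diceware-sized list for the entropy estimate


def weak_patterns(password):
    """Human-readable reasons the password is guessable (slide 29's list)."""
    reasons = []
    p = password.lower()
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    for name in sorted(COMMON_NAMES):
        if name in p:
            reasons.append(f"contains the name or place '{name}'")
    if re.search(r"(19|20)\d{2}", p) or re.search(r"\b\d{1,2}/\d{1,2}\b", p):
        reasons.append("contains a date or year")
    if re.fullmatch(r"[a-z]+\d{0,4}", p):
        reasons.append("a single word followed by digits")
    return reasons


def guess_space_bits(password):
    """What a naive meter reports: length x log2(character classes used).
    This is an upper bound that assumes the attacker knows nothing about people."""
    classes = 0
    if re.search(r"[a-z]", password):
        classes += 26
    if re.search(r"[A-Z]", password):
        classes += 26
    if re.search(r"\d", password):
        classes += 10
    if re.search(r"[^A-Za-z0-9]", password):
        classes += 33
    return len(password) * math.log2(classes) if classes else 0.0


def name_plus_year_bits(names=10_000, years=100):
    """What the attacker actually needs once they assume 'name + year'."""
    return math.log2(names * years)


def three_words_bits(words=3, dictionary=DICTIONARY_SIZE):
    """Slide 36's scheme, even if the attacker knows the word list."""
    return words * math.log2(dictionary)


def make_passphrase(service, words=WORDS, count=3, sep="-"):
    """Three random words plus the service name, punctuation-separated."""
    picks = [secrets.choice(words) for _ in range(count)]
    return sep.join(picks + [service])


def compare_schemes(password="Jill1984"):
    return {"naive_bits": round(guess_space_bits(password), 1),
            "name_plus_year_bits": round(name_plus_year_bits(), 1),
            "three_words_bits": round(three_words_bits(), 1),
            "weaknesses": weak_patterns(password)}


if __name__ == "__main__":
    print(compare_schemes())
    print(make_passphrase("xero"))
```

The naive meter credits `Jill1984` with about 47.6 bits, but an attacker who tries ten thousand names against a hundred years needs only about 20 bits of guessing; three words from a known 7,776-word list cost about 38.8 bits even when the attacker knows the scheme, and more with a bigger list. That gap is the whole argument for a system rather than a memorable word and a date.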
  • 37. Reasonable Precautions [Encrypt your files]
    If I steal your computer, I can take the hard drive out, put a cable on it, and look at the files from my computer. Encrypt that sucker. Modern operating systems come with this; use it.
  • 38. Reasonable Precautions [Prevent shoulder-surfing]
    Treat your password like a PIN: look around to see who’s watching. Shoulder surfing is the fine art of looking at people as they type in passwords. Just as you’re supposed to shield your hand as you type in your PIN at the supermarket (but who does?), you should be aware of your surroundings every time you unlock your phone or computer. Similarly, don’t read work stuff on the plane. I *am* that guy who always tries to read the stuff you’re looking at.
  • 39. Reasonable Precautions [Encrypt your Internet traffic]
    If you’re going to work outside the office, get a VPN (Virtual Private Network). This makes sure that I can’t watch your Internet messages zip past and pull out the passwords.
  • 40. Reasonable Precautions [Train employees]
    It does you no good to be paranoid if your secretary lets the black hat in. Educate everyone about the perils of shoulder surfing and social engineering for physical or online access. Establish procedures for controlling access, and enforce them (no “look, it’s someone you don’t know, but I have a great sob story that means you should bend the rules ....”).
  • 41. Thank you. nathan@torkington.com