Understanding Security Nat TorkingtonTuesday, 30 August 2011
“secure”Tuesday, 30 August 2011I’d like to start by looking at the word “secure”. We talk aboutsomething “being secure”, but to professionals in the area it’s not sosimple.
“secure” “lawful”Tuesday, 30 August 2011Security is a lot like the law, in fact. Outsiders think it’s black and white,but you know that it’s an ocean of grey which requires interpretation,argument, judgement.
“The only secure computer is one that’s unplugged, locked in a safe, and buried 20 feet under the ground in a secret location ... and I’m not even too sure about that one.” –Denis HughesTuesday, 30 August 2011This quote sums up the attitude of the real computer professional.Secure from what? I could follow your car to the secret location, dig upthe safe, break into it, plug it back in, and access your ﬁles!
“secure”Tuesday, 30 August 2011So the word “secure” just doesn’t make a lot of sense. Instead,
“posture”Tuesday, 30 August 2011security professionals talk about your security posture. That is, whatdirection are you expecting an attack to come from, what form will ittake, and how are you prepared to respond? Implicit is the idea thatyou’re going to ignore some attacks as too improbable or too hard todefend against.Imagine a street ﬁght: you expect punches and kicks, maybe a headbutt.A knife? Possibly. Are you safe if you know how to defend againstthose? What about a gun? What if there’s a sniper? What if someonedrives a car into you? There are always more possibilities for attack, andpart of a rational defence is ﬁguring out what to guard against.
“what do you have?” “how might you be attacked?” “how likely are those attacks?” “how could I defend against them?” “how much will that cost?”Tuesday, 30 August 2011These are the kinds of questions you have to ask yourself. But, ofcourse, to do this you need to know how you can be attacked! I’m goingto take you quickly through these questions so you can get a sense ofwhat you might need to defend against.
What do you have of value?Tuesday, 30 August 2011
What do you have of value? client listsTuesday, 30 August 2011contact details and phone numbers.
What do you have of value? client lists your credit card and other personal detailsTuesday, 30 August 2011and of course, information about yourself. Maybe that’s useful to anidentity thief, or someone who wants to go on a spree with yourPlatinum Amex
What do you have of value? client lists your credit card and other personal details sensitive background documents for casesTuesday, 30 August 2011internal documents from clients, conﬁdential and commerciallysensitive. Full of competitive information, plans, weaknesses, andcandid observations.
What do you have of value? client lists your credit card and other personal details sensitive background documents for cases notes on how you will argue in courtTuesday, 30 August 2011preparation for your arguments and presentations
What do you have of value? client lists your credit card and other personal details sensitive background documents for cases notes on how you will argue in court email and private communications that could be embarrassing if releasedTuesday, 30 August 2011and, of course, your text messages and emails and whatever. You mighthave an affair, you might tell a partner that your client is a pain in thearse, etc.
What could happen?Tuesday, 30 August 2011So now let’s ask what a bad guy might do. (we call them “black hats” inthe computer business, it’s a nice way of avoiding sounding like GeorgeBush ranting against “the evil durrs”)
What could happen? copyTuesday, 30 August 2011Well, obviously they might copy the information off to their ownsystems. You might never know. Suddenly the competition would knowwhat your clients were up to, or your credit card was used. Telecom raninto this last year when it was revealed that a rival had access toTelecom’s customer list via a call centre application.
What could happen? copy deleteTuesday, 30 August 2011A malicious attacker could simply delete the information. Imagine thechaos if, just before you rock up to court, someone blew away youronline notes. Or the chaos your billing would be in without youradministrative information.
What could happen? copy delete prevent your access or useTuesday, 30 August 2011This is like deleting the information, but instead of having to remove itfrom your system, they just have to prevent you from getting to it. So itmight all exist on the hard drive, but the machine won’t start up. Oryour accounts live on in Xero but they’ve changed your password andyou can’t log in to get to it. Or they ﬂood your Internet line with somuch traffic that you can’t get to your Google mail.
What could happen? copy delete prevent your access or use alterTuesday, 30 August 2011The most insidious behaviour is to subtly change your information. Forexample, I might quietly break in and change the settings on your emailto deliver to my anonymous email address another copy of all youremail. Or I might change your notes so you argue badly in court.
Attack ActionsTuesday, 30 August 2011Ok, so now we know what we’re afraid of happening to our business,how might it happen? Let’s look at scenarios in increasing order ofdeviousness.
Attack Actions physically destroyTuesday, 30 August 2011Well, I might smash your laptop or computer. I’m not going to be ableto accomplish every goal this way, but I can certainly deny you access toyour ﬁles in this way. All I have to do is burn your office building.Backups obviously help here, whether to the cloud or just to a DVDthat’s kept somewhere else.
Attack Actions physically destroy physically removeTuesday, 30 August 2011What I can’t achieve by destroying the machine, I might be able toachieve by taking it away from you--steal your laptop, break in andwhisk away your server. These are some of the prime scenarios whypeople encrypt their hard drives. You might have my physical computerbut you’ll never get the information off it, sonny!
Attack Actions physically destroy physically remove physically copyTuesday, 30 August 2011Now we get more devious. You might never know I’ve been in and out ifI’ve physically copied the information but otherwise left things as theywere. It’s like photocopying paper ﬁles.Even better, if you’ve encrypted documents and I copy the document, Ican then (on my own site, in my own time) throw all the computingresources I have at breaking that encryption. Brute force (trying zillionsof plausible passwords) works almost all the time.
Attack Actions physically destroy physically remove physically copy overhearTuesday, 30 August 2011I might physically tap your outgoing broadband to read your email orwatch your accounts, just as I might tap your phone to listen to yourconversations. I might watch as you unlock your iPhone in line at theairport.
Attack Actions physically destroy physically remove physically copy overhear malwareTuesday, 30 August 2011I might put software onto your computer that you can’t see, but whichworks for me: it tells me what you type, it sends me the web pages youlook at, it sends me every ﬁle on your computer. From afar, I could eveninstruct your computer to send spam, attack another computer, ordestroy the hard drive. Collectively this bad software is called“malware”, and it encompasses specialist terms like “trojan”, “virus”, andso on.
Attack VectorsTuesday, 30 August 2011Ok, so if I were a black hat hoping to do some of those bad things toyou, what am I going to do?
Attack Vectors B&ETuesday, 30 August 2011Possibly the easiest to break into your office and steal the computer.Those of you in small practices are particularly vulnerable to bricksthrough the window. Before the security company arrives, I’ll havehoofed it with your computer.If I don’t want you to know that I have your stuff, I’ll sweep a couple offolders off the desk but also sneak in and put a keylogger between yourkeyboard and your computer. Then all I have to do is repeat the processtwo weeks later and i’ll have your passwords and
Tuesday, 30 August 2011This is a before and after of a keylogger installed on a computer. Youwouldn’t notice, but it’s silently listening to every keystroke.
Attack Vectors B&E EmployeesTuesday, 30 August 2011But, to be honest, B&E is too risky. It involves leaving one’s chair. Theeasiest way to get inside your computers is to have someone at yourcompany give it to me. At big companies with corporate IT, it’s easy(“hi, it’s Jill here on Level 4 -- I’ve forgotten how to change mypassword, could you do it for me?”).At a smaller company, I could just call and pretend to be Microsoftsupport. Well, I could until the newspapers got ahold of it. But the basicidea is sound: pretend to be someone I’m not, get you to give me thepasswords, and I’m in. This is called “social engineering”, and is thedigital equivalent of pretending to be the pizza delivery man or cleanersto get physical access.
Attack Vectors B&E Employees PasswordsTuesday, 30 August 2011I might not even have to call you. If your computer systems areconnected to the Internet (or live in the cloud), I might just be able to tryevery one of thousands of passwords until I ﬁnd the one that lets me in.Most people aren’t imaginative about their passwords: hands upeveryone who has a password that includes a person’s name. A placename. A date.Once I have your password, the computer thinks I’m you. I can readyour ﬁles, log in remotely, and copy and change whatever I like.Best of all, most people reuse passwords. Maybe I throw all myresources against the silly Internet forum you use to read funny catpictures, then once I’ve found that password I’ll use it to silently andinvisibly log into your work computer.
Attack Vectors B&E Employees Passwords PhishingTuesday, 30 August 2011Another way for me to get you to hurt your security is to try “phishing”.That’s where I send you mail that looks like it’s from Xero, it says “aspart of our regular security audit, we detected that you have a vulnerablepassword. Please log in here and change it.” Of course, the link in theemail isn’t to Xero’s web site, it’s to a blackhat website that looks likeit’s Xero. Bingo, you’ve just told me your Xero password.Or perhaps I don’t want you to go to Xero, I want you to open thisattachment. But the attachment is deceptive and malicious: it’s aspreadsheet but it loads something that installs malware on your harddrive.Even if you think you’re onto my game and you won’t open attachmentsfrom strangers or click links that purport to be from trusted sites, Imight still be able to get you. I’ll focus in on you, and forge an emailthat looks like it’s speciﬁcally from someone you know and aimed at you.This is called “spear phishing”.RSA, a security company whose secure tokens are passwordreplacements that are heavily used in the American defense industry, wastargeted by Chinese hackers in just this fashion. Employees who weren’thigh-proﬁle got mail with the subject line “2011 Recruitment Plan” and aspreadsheet, which had malware in it. From there, attackers got the keysto the encryption in RSA’s magic password system, and opened thedoors to Lockheed and other defence contractors.
Attack Vectors B&E Employees Passwords Phishing Internet-exploitable software vulnerabilityTuesday, 30 August 2011But bugger it, if you’ve left your Windows machine plugged directly intothe Internet with no ﬁrewall running then I can probably bust in.Chances are that one of the things your computer is running can’t dealwith the crap I can throw at it, and I’ll be able to use it to break in.
Are these reasonable?Tuesday, 30 August 2011You might be asking yourself whether you actually have something tofear from any of these. It depends on your clients. Computer espionageis very common between business rivals, and is very common betweennation states. As the stakes and the stature of the clients goes down,the odds of attacks you’ll attract because of them go down. Two farmersin Warkworth aren’t going to attract the same interest as, say, thebarrister for Julian Assange of Wikileaks.Then again, as a computer user (regardless of your profession) on theInternet you have to watch out for attempts to trick you into divulgingpasswords or installing software: your credit card number and the use ofyour computer is enough for many out there.
Reasonable PrecautionsTuesday, 30 August 2011So here are seven reasonable precautions that you should take.
Reasonable Precautions Firewall, antivirus, automatic updates, and (secure) backupsTuesday, 30 August 2011First, these are the basics. If you don’t do these, don’t even bother withanything else. You might as well just mail your ﬁles to the Kremlin.Firewall keeps unwanted Internet connections out. It’s like bright lightsaround your building at night.Antivirus software is now generally anti-malware. It’ll scan yourdownloads and attachments and keep the bad stuff out.Automatic updates keep your computer secure. You can’t do this onceand then walk away. Pay the money to the bloodsuckers at the antiviruscompany and get the updates: no point being 2005-secure in 2011.There’s no such thing as “2005-secure in 2011”.Backups are to keep your ﬁles safe should your computers be stolen,lost, or destroyed. Don’t keep your backups with your computers (ﬁres).If you’re worried about information being stolen, physically secure thosebackups.
Reasonable Precautions Firewall, antivirus, automatic updates, and (secure) backups Use locks and passwordsTuesday, 30 August 2011Lock your office doors and window. Lock your laptop too: enablepasswords and swipe codes and whatever else your gizmos have to keeppeople out. Here you’re protecting against someone stealing yourlaptop, opening it up, and realizing they can sell or use your ﬁles fortheir advantage.Consider enabling “two factor authentication” if you use Google apps likegmail. When you go to log in, Google will text you a passcode that youhave to enter before you can actually use the service.
Reasonable Precautions Firewall, antivirus, automatic updates, and (secure) backups Use locks and passwords Make the passwords hard to guessTuesday, 30 August 2011You wouldn’t use a plasticine padlock; don’t use a weak password.Use a different password on each service.Use a system for your passwords (e.g., three random words and thename of the service, separated by punctuation).Consider using 1Password if all these passwords are too hard toremember. It’s an app for your iPhone (or laptop or other smartphone) tokeep your passwords encrypted, revealing them as you need them(assuming you can provide The Master Password).
Reasonable Precautions Firewall, antivirus, automatic updates, and (secure) backups Use locks and passwords Make the passwords hard to guess Encrypt your ﬁlesTuesday, 30 August 2011If I steal your computer, I can take the hard drive out, put a cable on it,and look at the ﬁles from my computer. Encrypt that sucker. Modernoperating systems come with this, use it.
Reasonable Precautions Firewall, antivirus, automatic updates, and (secure) backups Use locks and passwords Make the passwords hard to guess Encrypt your ﬁles Prevent shoulder-surﬁngTuesday, 30 August 2011Treat your password like a PIN: look around to see who’s watching.Shoulder surﬁng is the ﬁne art of looking at people as they type inpasswords. Just as you’re supposed to shield your hand as you type inyour PIN at the supermarket (but who does), you should be aware ofyour surroundings every time you unlock your phone or computer.Similarly, don’t read work stuff on the plane. I *am* that guy whoalways tries to read the stuff you’re looking at.
Reasonable Precautions Firewall, antivirus, automatic updates, and (secure) backups Use locks and passwords Make the passwords hard to guess Encrypt your ﬁles Prevent shoulder-surﬁng Encrypt your Internet trafﬁcTuesday, 30 August 2011If you’re going to work outside the office, get a VPN (Virtual PrivateNetwork). This makes sure that I can’t watch your Internet messages zippast and pull out the passwords.
Reasonable Precautions Firewall, antivirus, automatic updates, and (secure) backups Use locks and passwords Make the passwords hard to guess Encrypt your ﬁles Prevent shoulder-surﬁng Encrypt your Internet trafﬁc Train employeesTuesday, 30 August 2011It does you no good to be paranoid if your secretary lets the black hatin. Educate everyone about the perils of shoulder surﬁng and socialengineering for physical or online access. Establish procedures forcontrolling access, and enforce them (no “look, it’s someone you don’tknow, but I have a great sob story that means you should bend therules ....”).
Thank you email@example.comTuesday, 30 August 2011