Saturday, February 16, 2013

Computer Security

Geek speak alert.

On Solstice day I had a bunch of friends over, and after they left my mother remarked on the fact that no one was competing or doing that whole "one-upmanship" thing. One of the things I love about the FLOSS community is the fact that we tend to work together where we can. We respect each other for our respective skills and we can leverage off each other to come up with some really cool ideas and solutions. We share ideas - and that means being able to listen to each other.

I mention this because in the last couple of weeks I've come across two people who have just ... well ... pulled it out and swung it about as if they're the only ones with 'em (given that I know kids read this blog, I'm being a whole lot more... polite than I want to be here). Rather than be curious and actually think about the evidence in front of them, they've boldly denied a bunch of facts and gone with some weird conclusions that support their own swingin' position. What really irks me is that they come from a default position of disrespect.

So this post is for one of them. I know - I shouldn't bite. It's validating their own need for attention - but sod it. This is probably a pretty good subject matter anyway.

Imagine you have a house which you want secured. You don't leave the front door open right? So you lock the front door. Only, a certain number of people have keys. It is hoped that those people all share a common goal and won't trash the place, steal the silverware etc. Even with no malicious intent, there's the chance that they may use and drop a glass - argh! Damage!

So your number one threat: the user. There's no real way to protect against this unless you were to put safety rails up around everything ("Are you sure you want to run this executable?") and glue down anything that can be glued down (locking the user out of certain things). Of course, if the person is now no longer able to drink a glass of water, find cutlery, reach their bed, or watch TV in the lounge, the house isn't all that useful. If they're able to sit but can't adjust the cushions, then your users are just really uncomfortable. You've affected the usability of the house - is the trade-off in usability worth the safety, and for whom?

Often the benefits of security are focused not on the user but on the I.T. technicians. If the user can't actually do anything, then the system is secure and the I.T. staff don't need to do anything (but will probably still find ways of extracting money for making other people's jobs hard).

So the front door is locked and so are the windows. But then you decide your key is too simple, so you file it down a bit so that it needs jiggling in just the right way in order to open the door (over-complex password criteria). The users, well and truly fed up, then leave a key in just the right position so that they don't have to jiggle (a Post-it note on the side of the monitor with their login credentials).

Not only are your users the biggest threat, but if they turn against you, you're in for a world of hurt.

One of the occupants likes to eat on the front steps so when he/she goes to get lunch, they want their silverware on the front step - where anyone could grab it. Alternatively, someone comes by the door and says "I'm a silverware inspector, show me all of your silverware" and so your occupant gives that person all of the silverware.

Your security is only as good as your users. This is a piece of advice I don't think is taught anywhere, but it is oh so very important. If you care at all about security, then your number one priority is to work with your users - not for them, not lording it over them. With them. No two ways about it.

You decide that you want a warning when someone who shouldn't be there is there. So you install an alarm. Intrusion detection, while it doesn't stop someone from coming in and stealing the silverware, at least informs you that they're there. BUT what if that intrusion detection doubles the power bill? (A virus scanner.) You're using up all of that power, but what if you've assessed that the threat is actually pretty low given the design of the house? Is wasting that resource on the possibility that MAYBE someone might get in all that important? This becomes a fairly simple cost-benefit analysis. How important is your silverware really? Not silver at all, but with sentimental value because your mum used to call it "silver" jokingly? Just silver-plated tin? Real silver? Not silver at all but gold?

You decide it's time to look at the design of the house. There are two builders.

One charges a little bit more but builds something that has thus far been shown to deter intruders. However, while it doesn't need a lot of maintenance, the few people able to competently maintain this style of house are kind of expensive. The builder does share the plans with you, and you're able to get advice and other people's input into how this design could be better.

The other builds something that seems to be quite fragile, BUT there are loads of people around who are able to fill gaps with plaster. The builder refuses to show you the plans at all. You will just have to trust him.

Thus far Windows, whatever its advocates say about every system having vulnerabilities, has a proven bad track record. Linux, which does have a couple of viruses (proving the point that every system has vulnerabilities), actually has a pretty good track record in comparison.

The house has several occupants and you're afraid that a conflict between them will cause problems (smashed plates and the like). So you decide it's worthwhile isolating these occupants. You build a bunch of other houses and put each occupant in their own. Suddenly, though, you realise that while you're not getting conflicts, you're paying for smaller (no bulk buying power) portions of food, several lots of line maintenance on the phone line, etc. Furthermore, the occupants barely talk to each other. You have to go to great pains in order for them to communicate on even some small level.

Virtualization/isolation has a price. That price needs to be offset by the benefits. A friend went into a flatting situation with a network engineer whose setup involved around $300 / month on power - due to running multiple servers, each running a small piece of the total setup - one for DHCP, another for caching, another as a firewall, etc. All for a flat network (domestic situation).

In order to protect the house further, you and your neighbours decide to form a walled community. So you build a great big wall around the community and have a security guard verifying people - using a complex barcode - in order to get in. In order to hold a barbecue, you have to generate a barcode for each of the guests, make sure the security guard recognises those barcodes, and then make sure that those barcodes can only be used for a limited time. By the time any of the guests arrive, they're grumpy from the whole ordeal of just getting in. (VPN)

Security almost always has a usability trade off and the level of security needs to be appropriate for the situation. If people are going to frequently hold barbecues, then a walled community is probably not the best solution.

One day someone discovers that there's a tunnel going under your house. In fact, it turns out that to get into your house, someone just needs to grab a hammer and give one of the floorboards a good whack and they're in. (The unseen vulnerability).

Being paranoid, you know that this possibility may exist (even if you haven't found the tunnel yet) so you go about trying to nail down every floorboard, put bars on the windows, secure every roofing tile etc. Meanwhile the occupants are getting sick of all of the noise and you haven't realised that they're now leaving the front door open.

You're more likely to be caught out on the known and manageable vulnerabilities than the ones that might exist. Simple time management would suggest that you try to put more time into those known vulnerabilities that you can do something about rather than the ones that you can't. Furthermore, if people aren't just swinging their bits around and are instead working toward a common goal, then there's a fairly good chance that people will point out the vulnerability rather than using it to steal your silverware.

You then decide that it just isn't worth trying to secure your house yourself. You get a property manager.

You've now outsourced the problem. When's the last time you heard of a system being too secure on the news? The default position is to start with nothing and open things up depending on job descriptions.

The problem with this for me is that it implies a sort of repetitive, job-never-changes mentality. This is where I normally depart from most I.T. people's views. For the most part, your information doesn't need the security given to it. If your user doesn't realise that the reason something doesn't work is because it's been locked down, then they don't know to ask their I.T. person to open something up. In which case, we've suddenly limited someone (the very definition of retardation).

The task of security is a balancing act involving a really fine line between usability and security. The WINZ case earlier this year went too far in one direction. But we've also all experienced things in the other direction - where something that should be simple is insanely difficult.

So, security 101: understand the flaws; understand what you're protecting (i.e. in a school, a child's work is probably a bit less sensitive than the information pertaining to their home life); mitigate where you can (you can't protect yourself from accidental or malicious damage caused by those within the system, but you can mitigate the risk by making sure your users know you and respect you). Given that it's a fine line, it's better to have a kind of partnership (yep - that means getting along with people and respecting them for their respective skills) rather than trying to go at it yourself and finding the users AND external people turning against you.
