In this article, author has urged users to follow the fundamental security principles, which very often they forget and eventually invite intruders to dismantle systems and network.
When I’m thinking about security, I like to ask myself these three questions when looking at the problems and solutions as this will help to tailor the security to the need. The questions can be asked at every stage of designing a solution. So, before thinking about solution, we can first think about the problem:
The first question is ‘What is the threat?’ Understanding threat is arguably the most important step in designing security, and it is why so much money and effort is put into risk assessment exercises. Take a simple example; I want to secure data on my hard drive – what are the threats that exist? It might be tempting to dive straight into talking about encryption, but then we might ignore all the other threats like data loss from mechanical failure, or leakage because of unencrypted WiFi.
The second question is ‘Why does the threat exist?’ What are the factors that give rise to the threat? If the threat is that my data could be lost, why could it be lost, is it that I’m using mechanical hard-drives and working in an environment where they are frequently subjected to shock? Is it that my laptop could be stolen? Is it that I could get infected with a Trojan and have important information leaked to a malicious third party?
The third question is ‘When does the threat exist?’ If the threat to my data only exists when I’m travelling with my laptop, then I might not need the solution all the time, or I may need a different solution. If you are securing a valuable asset within a room in a building, but the asset is removed and placed in a safe location overnight, you may not need to protect the room with guards and cameras at night (conversely you might, if there is a risk that someone could alter the room, say by adding their own camera, to compromise that asset when it’s replaced the next day). Still this is an important consideration.
Towards Better Security
You can (and should) ask questions about the solution. “What are the options?”, “Why are they effective (or not)?” and “When are they most effective or ineffective?”. Further you can ask them once the solution is in place, you should complete the cycle by again assessing the risks that remain unmitigated, and the process starts again.
Security is about process, if you haven’t thought about how you will design it, implement and managing in the situation that you are facing, then you will not achieve good security. Technology alone does not solve security problems, and there are many examples of ineffective uses of technology, indeed, I’ve referred to some in past articles. The security expert Bruce Schneier refers to this sort of security measure as ‘Security Theatre’ – that is, doing something because it looks like a worthwhile thing to do rather than analysing the problem and taking action that would actually measurably increase security. I travel a lot back and forward between the UK and India, so I am frequently witness to acts of security theatre in the ‘real-world’. Checks in airports such as taking bottles of water or liquid over 100ml away from people or disallowing nail clippers are good examples of worthless security measures, if you want to have a weapon on an aeroplane, simply smash a glass bottle that you bought in duty free (as demonstrated on the otherwise awful Hollywood movie “Snakes on A Plane”). In fact arguably the most important measure that has been taken to improve security when flying was to start to lock flight-deck doors during flight. Simple measures are often most effective, even if they don’t look that good to politicians trying to demonstrate that they’re dealing effectively with threats.
Following Basics
So how does this relate in the computer world? It relates because we often hear all about threat, threat, threat but many of the solutions that are implemented aren’t much better than security theatre. One of my favourite examples that I came across personally was a company that spent around 12,000 (GBP) on an Intrusion Detection System (IDS), that was installed for a year, and after the first training, nobody ever checked the logs because it generated too many false alarms, so it was decommissioned. This sort of mistake is perhaps a little amusing, but it does demonstrate the lack of thought and planning that sometimes goes into developing security for your business. Buying a piece of technology; even (and sometimes especially) an expensive one with a lot of functionality; is not a security solution if it is not part of a wider plan that defines what threat it mitigates, when and how you are going to use it, and why it’s important to have it. Intrusion Detection Systems can be excellent, they can let you know if something untoward is happening on your network, but if no one is monitoring the alerts then you’ll waste your money buying one.
As I’ve mentioned I spent a lot of time travelling, and therefore I’ve had a lot of experience, (both good and bad) of airport security measures. It pays to remember when talking about security that the same concepts which apply in the real world also apply to the computer world, things don’t just change because technology is involved. Airport security (and we can argue about which measures are effective or not later) is about layers. In most cases, at least in larger international airports, you cannot drive your car up to the doors of the airport building; this is the first noticeable measure. What is the threat here? Well, the threat is that someone will drive a car loaded with explosives up to the building, and detonate it – an attempt at this happened in Glasgow airport in the UK, fortunately the car, set alight by the drives, loaded with petrol, gas cylinders and nails did not explode, but caused several deaths and some serious burn injuries. But the deeper issue of ‘Why it is a threat’ extends much further, into geo-political issues and terrorist agendas; however, it is a threat because there are people who wish to do very public harm to large groups of innocent people. When it is a threat depends on the circumstances. In a tiny regional airport with one or two flights, there is arguably less threat, as terrorists tend to favour high visibility targets that will have maximum impact.
Within the airport itself you will see other security measures, only ticketed passengers are allowed past certain points, and usually only after some checks have taken place, identity documents will be checked and verified, and a boarding pass issued, to show that the passenger should be allowed through. This gives an opportunity to check for known criminals and so on. Then there will be some physical screening and possibly searches of baggage and persons entering. Airports tend to also have a reasonable presence of armed police, sophisticated camera monitoring technology, doors and passages guarded by staff, secured with locks and alarms and so on. Perhaps alone each measure may not provide a great deal of security, but added together in layers, the major threats are reduced. Ultimately, it is rarely be possible to eliminate risk altogether. However, by carefully layering your security and approaching it from a practical standpoint that asks what measures are suitable, you will surely reduce your risk. It’s also true to say that security measures cannot be static, we need to keep asking what the next threat will be, and sometimes there are game changing events – threats that haven’t been predicted or widely known about, and these require new thinking and new measures.
Conclusion
So, when thinking about security in the computer world, just remember that the same principles apply. There are many threats out there, and they can have devastating effect on businesses and even on lives. We must be aware of the threats and how to mitigate them and technology is certainly a part of that, but people are always very important in the equation. People are almost always the largest factor determining success in security; whether it is in training them to correctly use security measures, or in having them understand why a particular policy is important, or even just in simply thinking and acting in a most security conscious way, people are going to be the biggest source of risk and the biggest asset. Often when asking what is the threat, and why does the threat exist, the answer comes down to how people act, and that can’t always be solved with technology, but requires education and training people to think about security issues.
—By: Andrew Lee, CTO, K7 Computing |
