IT Security Myths & Legends
Misinformation, 'fake news', rumors, and propaganda surround us. Even worse, we freely share this information with others, often without even knowing the harm it causes. No one is oblivious to this, and no one is immune. The only cure is to educate ourselves, to apply logic and reasoning, and to think before we share.
Today I am going to count down some of the top statements you may have heard around IT Security, and provide some facts for you to digest. Ultimately it is up to you to decide what you want to do with this information.
5) IT Security is the 'IT Department's' responsibility
You may have heard this, or something like it, particularly when something goes horribly wrong, "Hey Brad, I thought you were taking care of that security thing?".
Let's imagine for a minute that you head into the emergency room with a pain in your side. After an examination the Doctor tells you that your appendix is about to rupture at any moment, and if you don't get emergency surgery you will die!! Is the Doctor responsible for the state of your appendix? Let us further suppose that, for whatever reason, you disagree with the Dr.'s assessment: "That's okay Doc, I don't want the surgery." Is the Doc responsible for forcing you to have the surgery? NOPE.
Soon after you tell the Dr. you are not going ahead with this life-saving procedure, someone will give you some paperwork to sign. This paperwork will be a waiver showing that you understand the risks of your choice and what could happen (ie: your death), and that knowing these risks you still opted out of the procedure.
The Dr.'s ethical responsibility ends there. It is your body, your life, your decision. You can't blame the Dr. or the hospital if you die after not following the expert's recommendations.
It is the same with IT Security. The geeky tech folks are responsible for making sure you know what is needed, why it is a problem, providing advice, and explaining what the risks look like. The software itself is owned by the business/company. It is not the IT department's program, it is not the developer's program, it is not the database guy's program. It is owned by the business, so it is a business decision, not the IT Department's.
4) 'No one knows us' security
This argument goes something like this:
But - no one even knows us!! 'Company X', we are not even a target to be hacked, we are not a big Fortune 500 company, or the CIA, or another government agency - we don't even store anything people would be interested in!!! Therefore we have no need to worry about security.
The error in reasoning here is the false belief that 'hackers' have specific targets. Science fiction often portrays hackers as a sort of 'hired gun': for a price, you get the hacker to hack into 'Company X' and steal some data or leak it to the press. Now I'm not saying that these kinds of hackers don't exist, but for the most part, hackers don't hack for money or even to steal things. Hackers hack because it's a game for them, it's fun, and in many cases they do it for the 'reputation / fame'.
A hacker starts his day just like anyone else. He/She/They get up, have breakfast, and head to their day job. They work the required 8/9 hours and finally come home. With one BIG difference: before going to work the hacker starts a 'script/bot' on his computer. This script starts 'walking' various 'random' IP addresses. Like a counter, the program hits a machine, tries to crack it, records the results, moves on to the next, etc. In the 'old days' it would literally start dialing phone numbers from 000-0000 to 999-9999 looking for computers that would answer. Today the internet makes this a lot easier and the scan is more like 1.1.1.1 to 254.254.254.254, but it is the same idea. All this happens while the hacker is sitting at work. He does not care 'what' he hacks, he has no target agenda, it's just scanning.
The hacker gets home and, instead of a warm supper, is greeted by a nice list on his computer of all the machines that were successfully cracked, and then he can go into one in further detail and explore.
It is not a matter of "IF" your server is hacked, it is a matter of "WHEN". Maybe it takes 5 minutes, 5 weeks, or 5 years; it's like a lottery (a bad lottery) and eventually your number will be up!
3) Safety behind a firewall / DMZ
This myth goes like this. Your security test revealed a flaw in your public web server. To fix this we need to put it in a 'DMZ' behind a firewall. This means that your web server will now be separated from the rest of your network, and that will keep your data safe.
Well... sort of, if the firewall is configured correctly such that the web server is unable to see anything inside your private network. Unfortunately, all too frequently this is not what happens. A common misconfiguration is to put the web server outside (public facing) but keep the data (databases and file servers) inside, "protecting" them. While this makes sense on the surface, in order to make it work, the firewall needs to have 'holes' punched in it so the web server can reach the databases and file systems. Sometimes these holes are even "justified" by pointing out that they are password protected, while the password is stored inside the application on the web server (or in a configuration file of some sort).
When setting up a public facing web server, you must ASSUME the server will eventually be compromised. NOT IF... BUT WHEN.
Once compromised, what will the hacker do next? She/He/They will install their favorite hacking tools on that compromised machine, and then use it to look for other machines to compromise (on the internal company network), and guess what the hacker will find? You guessed it: open ports to your databases and file servers, with nicely packaged passwords just sitting there to pick up and use. So your precious data is stolen, but worse, the bad guy is now on your internal network, able to do thousands of times more damage. (See: Firewalls 101 video)
Ideally your public web server should be nowhere near your internal systems. Purchase a third-party hosting plan; don't try to save a few $$ by hosting it yourself on your own network.
Collecting confidential data on your public site? Okay, write the data to your web server, but be sure to encrypt it properly using PKI (public-key encryption). Then have your internal network periodically (say every 15/20 minutes) connect to the web server, 'slurp' the data off it (deleting it there), and decrypt it as needed internally with its own private key. So when the attacker gets into your web server, he/she only sees encrypted data, and even then only the data written since your internal server last 'pulled it out'. There are no open ports on the server that the hacker can exploit. Not 100% perfect, but 100,000 times more secure.
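Here is a worked version of that pull-only design, as an added example in Go that is not code from the post. It assumes a hybrid scheme (the post only says 'PKI'): each submitted record gets a fresh AES-256-GCM data key, and that key is wrapped with the internal side's RSA-OAEP public key, so the web server never holds anything that can decrypt. The spool directory, the file naming and the wire layout are my own choices for the example, and the internal 'pull' is modelled as a local directory read; in production that read would be an SFTP or HTTPS fetch that the internal host initiates, so the only firewall rule you need is internal-to-DMZ, and nothing on the DMZ host can open a connection inward.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// NewInternalKey is run once on the internal host. Only &key.PublicKey is ever
// copied to the web server; the private half never leaves the internal network.
func NewInternalKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) { // AES-256-GCM: 12-byte nonce, 16-byte tag
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord is the only cryptographic step the web server performs, and it needs
// just the public key: a fresh AES-256-GCM data key per record, wrapped with
// RSA-OAEP. Wire format (assumed for this example): [wrapped key][nonce][ct+tag].
func SealRecord(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	kn := make([]byte, 32+12) // data key and nonce, used for this one record only
	if _, err := rand.Read(kn); err != nil {
		return nil, err
	}
	key, nonce := kn[:32], kn[32:]
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return gcm.Seal(append(wrapped, nonce...), nonce, plaintext, nil), nil
}

// OpenRecord runs only on the internal host, the one place the private key lives.
func OpenRecord(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	n := priv.Size() // an RSA-OAEP ciphertext is exactly one modulus long
	if len(sealed) < n+12+16 { // wrapped key, nonce and GCM tag must all be present
		return nil, errors.New("sealed record truncated")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, sealed[:n], nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, sealed[n:n+12], sealed[n+12:], nil) // fails on any tampering
}

// PullSpool is the internal job (every 15/20 minutes, over a connection the internal
// side opens): read each sealed record the web server wrote, decrypt it, delete it,
// so at most one interval's worth of ciphertext ever sits on the web server.
func PullSpool(dir string, priv *rsa.PrivateKey) ([][]byte, error) {
	names, err := filepath.Glob(filepath.Join(dir, "*.sealed"))
	if err != nil {
		return nil, err
	}
	var records [][]byte
	for _, name := range names {
		sealed, err := os.ReadFile(name)
		if err != nil {
			return nil, err
		}
		plain, err := OpenRecord(priv, sealed)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", filepath.Base(name), err)
		}
		if err := os.Remove(name); err != nil {
			return nil, err
		}
		records = append(records, plain)
	}
	return records, nil
}

func main() { // round trip through a temporary spool directory
	priv, _ := NewInternalKey()
	dir, _ := os.MkdirTemp("", "spool")
	defer os.RemoveAll(dir)
	sealed, _ := SealRecord(&priv.PublicKey, []byte("name=Alice&dob=1990-01-01")) // constructed sample form
	_ = os.WriteFile(filepath.Join(dir, "form-1.sealed"), sealed, 0o600)                // what the web server stores
	fmt.Println(PullSpool(dir, priv))
}
```

Note what a compromised web server yields under this layout: at most one pull interval's worth of ciphertext, a public key, and no port or credential that leads inward. The length check in OpenRecord matters because the internal job is processing files that an attacker on the DMZ host can write to; a truncated or bit-flipped record is rejected (the GCM tag check fails) rather than crashing the pull.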
2) But it takes someone really smart to hack us and there are very few people like that so why worry about it?
This is another argument which on the surface makes sense: if you protect your system so that only 5 or 10 hackers in all the world are smart enough to get your data, then you've done 'a darn good job', right?
The flaw here is actually one of the great triumphs of modern computing. Computers can do specific work, once performed by hundreds of people, in fractions of a second. Programmers write scripts, the user 'runs' the script, and voilà, the problem is solved.
Let us say "Mr. X" is a really smart hacker who has figured out how to hack the CIA, but he doesn't; instead he posts the steps, 'the script', publicly out there for everyone to read. Now thousands of others can download Mr. X's script and run it, successfully hacking the CIA without even needing to know how the script actually works!! We call the people that download and execute such scripts "script kiddies".
1) This is all theoretically good, but in practice we simply do not have the time/money to implement it this way, so we are stuck with things 'as is'
This is actually a corollary to #5. All too frequently we sacrifice privacy and security for convenience. If those with decision-making power are aware of the risks (ie: the patient, NOT the Doctor) and choose to ignore them anyway, the business has every right to make that decision (remember, they own the software). Just like there will be those that refuse life-saving surgery, choose to have unprotected sex with a multitude of partners, or refuse to get a COVID19 vaccine. Some things in life we can only educate about, not control. If you are a tech person and find yourself stuck against this argument from a business, the best you may be able to do is have your concerns and the final decision documented, and then learn to let it go!
Key Points:
- Security by obscurity is no security at all (https://en.wikipedia.org/wiki/Security_through_obscurity)
- The key to security is education, and perhaps a bit of criminal profiling. You have to learn to *think* like a hacker: understand his motivations and his skills.
- It is impossible to predict 'when you will be hacked', but the moment you *think* you are 'unhackable', it will be seconds later that you get hacked!