IT Security Myths & Legends

-

 


Misinformation, 'fake news', rumors, and propaganda - surround us.  Even worse, we freely share this information with others, often without even knowing the harm it causes. No one is oblivious to this, no one is immune. The only cure is to educate ourselves, to apply logic and reasoning, and think before we share.

Today I am going to countdown some of the top statements you may have heard around IT Security, and provide some facts for you to digest. Ultimately it is up to you decide what you want to do with this information.

5 ) IT Security is the 'IT Departments' responsibility

You may have heard this, or something like it, particularly when something goes horribly wrong, "Hey Brad, I thought you were taking care of that security thing?".

Let's imagine for a minute that you head into the emergency room with a pain in your side.  After an examination the Doctor tells you that your appendix is about to rupture at any moment, and if you don't get emergency surgery you will die!!  - Is the Doctor responsible for the state of your appendix?  Let us further suppose that for whatever reason, you disagree with your Dr. assessment. That's okay Doc, I don't want the surgery?  Is the Doc responsible to force you to have the surgery? - NOPE

Soon after your tell the Dr. you are not going ahead with this life saving procedure. Someone will  give you some paperwork to sign. This paperwork will be a waiver showing that you understand the risks of your choice, and what could happen (ie: your death), and that knowing these reasons you still opted out of the procedure.

The Dr. ethical responsibility ends there. It is your body, your life, your decision. You can't blame the Dr or the hospital if you die after not following the experts recommendations.

It is the same with IT Security.  The geeky tech folks are responsible to make sure you know what is needed, why it is a problem, provide advice, and explain what the risks look like.  The software itself is owned by the business/company. It is not the IT departments program, it is not the developers program it is not the database guys program.  It is owned by the business, it a business decision, not the IT Department

4) No one knows us - Security

This argument goes something like this:

But - No one even knows us!!  'Company X', we are not even a target to be hacked, we are not a big  fortune 500 company, or the CIA, or other government agency -  we don't even store anything people would be interested in!!! therefore we have no need to worry about security.

The error in reasoning here is the the false belief  that 'hackers' have specific targets.  Science Fiction often portrays hacker's like a sort of 'hired gun'.  For a price, you get the hacker to hack into 'Company "x'' and steal some data or leak it to the press. Now I'm not saying that these kind of hackers don't exist, but for the most part, hacker's don't hack for money or even to steal things. Hackers hack because it's a game for them, it's fun, and in many cases they do it for the 'reputation / fame'

A hacker starts his day, just like anyone else. He /She / They get up, have breakfast, heads to their day job . They work the required 8/9 hours and finally comes home. With one BIG difference - Before going to work the hacker starts a 'script/bot' on his computer. This script starts 'walking' various 'random' IP Addresses. Like a counter, the program hits a machine, tries to crack it, records the results, moves onto the next etc. In the 'old days' it would literally  start dialing  phone numbers from 000-0000 to 999-9999 looking for computers that would answer. Today the internet makes this a lot easier and the scan is more like 1.1.1.1 to 254.254.254.254, but it is the same idea.  All this happens while the hacker is sitting at work. He does not care 'what' he hacks, he has no target agenda, it's just scanning..

The hacker get's home and instead of a warm supper he is greeted to  a nice list on his computer, of all machines that were successfully cracked, and then he can go into one in further detail and explore.

It is not matter of "IF" your server is hacked it is a matter of "WHEN".  Maybe it takes 5 minutes, 5 weeks, or 5 years, its like a lottery (a bad lottery) and eventually your number will be up!

3) Safety behind a firewall / DMZ

This myth goes like this.  Your security test revealed a flaw your public web server system. To fix this we need to put it in a 'DMZ'/firewall.  This means that your webserver will now be separated from the rest of your network, and will keep your data safe.

Well..sort of, if the firewall is configured correctly such that the webserver is unable to see anything. inside your private network Unfortunately, all too frequently this is not what happens.  A common mis-configuration is to put the webserver outside (public facing) but keep the data (databases, and file servers inside) "protecting them".  While this makes sense on the surface, in order to make it work, the underlying firewall needs to have 'holes' punched in the firewall to access the databases and file systems.  Sometimes even holes are "justified" by pointing out they have been password protected, and the password is stored inside of the application on the webserver (or in a configuration file of some sort)

When setting up a public facing web server, you must ASSUME the server will be eventually compromised NOT IF ... BUT WHEN

Once compromised, what will the hacker do next?  She/He/They will install their favorite hacking tools on that compromised machine, and then use it to find other compromised machines (on the internal company network), and guess what the hacker will find? You guessed it, open ports to your databases, and file servers, with nicely packaged passwords just sitting there to pick up and use, so your precious data is stolen, but worse, the bad guy can now  get on now your internal network, able to do thousands of times more damage. (See: Firewalls 101 video)

Ideally your public web server should be nowhere near your internal systems.  Purchase a third private hosting plan, don't try to save a few $$ by hosting it yourself on your own network.

Collecting confidential data on your public site?. Okay write the data to your webserver, but be sure to encrypt it properly using PKI. (public key).  Then have your internal network periodically connect to the webserver, 'slurp' the data off it (delete it) and can then decrypt it as needed internally with it's own private key (say every 15/20 minutes). So when the attacker get's into your webserver, he/she only sees encrypted data, and even then it's only the data last written and not 'pulled out', by your internal server.  There are no open ports that the hacker can exploit on the server Not 100% perfect but 100,000 times more secure.

2) But it takes someone really smart to hack us and there are very few people like that so why worry about it?

This is another argument which on the surface makes sense, if you protect your system so that only 5 or 10 hackers in all the world are smart enough to get your data, then you've done 'a darn good job' right?

The flaw here is actually one of the great triumphs of modern computing. Computers can do specific work, once performed of hundreds of people, in fractions of a second.  Programmers write scripts, the user 'runs' the script and viola the problem is solved.  

Let us say "Mr. X" is a really smart hacker to has figured out how to hack the CIA, but he doesn't, instead he posts the steps 'the script' publicly out there for everyone to read. Now, thousands of others can download Mr. X script, and run it, successfully hacking the CIA without even needing to know how the script actually works!!.  We call the people that download and execute such scripts "script kiddies"

1) This is all theoretically good, but in practice we simply do not have the time/money to implement it this way, so we are stuck with things 'as is'

This is actually a colliery to #5.  All too frequently we sacrifice privacy and security for convivence. If those with decision making power, are aware of the risks, (ie: the patient NOT the Doctor), and choose to ignore them anyway. The business has every right to make that decision (remember they own the software).. Just like there will be those that refuse life saving surgery, choose to have unprotected sex with a multitude of partners, and refused to get a COVID19 vaccine. Some things in life we simply can only educate, not control.  If you are a tech person and find yourself stuck against this argument from a business the best you maybe able to do is have your concerns and the final decision document, and then learn to Let it go!

Key Points:

  • Security by obscurity is no security at all
    https://en.wikipedia.org/wiki/Security_through_obscurity


  • The key to security is education, and perhaps a bit of criminal profiling. You have to learn to  *think* like a hacker understand his motivations, and his skills.


  • It is impossible to detect 'when you will be hacked', but the moment you *think* you are 'unhackable' it will be seconds later you get hacked!


If you liked this post please consider sharing via your favorite social networks!!

and ..if you like my blogging, video, audio, and programming - please consider becoming a patron and get exclusive access @ Patreon.com/GeekWisdom

Comments

Post a Comment

Popular posts from this blog

Programming Rant - Stop the Insanity!! - .NET 7 is not the successor to .NET 4.8

-
Image
  .NET 7 IS THE SUCESSOR TO .NET 6 .NET 6 IS THE SUCESSOR TO .NET 5 .NET 5 IS THE SUCESSOR TO .NET CORE 3 ...drum roll please... .NET 5 IS NOT THE SUCESSOR TO .NET 4.8 !! ! At the time of this blog their is no .NET path after .NET 4.8. Microsoft will continue to support, patch and update .NET 4.8 for the foreseeable future, though will likely not continue to 'add new' to it. (but they also said this about .NET 4.5.2 and have continued to update it so far to .NET 4.8..so take that with a bit of a grain of salt) Microsoft's "naming" policy of the .NET line and the .NET Core, and .NET Standard is rather foolish from a logical point of view, but it does have some good "salesman" characteristics. Software Development Companies can try to sell the idea in peoples minds to upgrade .NET 4.8 to ..NET 7 and make a bundle in the process - even though Microsoft itself fully admits it is not ending any support for .NET 4.8 This is based on the mistaken idea that a la
Read more

Despite of how it looks - I'm not part of a coup d'etat

-
Image
  Blake Miner recently wrote an interesting blog entry called " The Infinite Version of You" . It is an interesting though experiment based on a concept known as "Theory of Mind" . In a nutshell, the people that others interact with in their minds have a version of "YOU", not the real you but the "YOU" they believe they "know".  Similarly, the people you interact with are not really them but simply a 'copy' of them you have made in your own mind, based on your experiences. This has some personal relevance to me, specifically as a young child, when I was between the ages of 9-11 my dad was diagnosed with a type of Schizophrenia. My dad believed that 'GOD' was taking to him and had given him special abilities, for example, the ability to move objects with his mind. What I came to realize though this experience (and through others following) was that the 'Dad' I knew was only a part of the picture. A bunch of pieces
Read more

Everything in Moderation...

-
Image
 You've probably heard it from a health professionals, in ads or from that local gym.  Can I eat some chocolate? How about a bag of chips? Everything is okay to to eat... in moderation.. right? I am fortunate have been born in a part of the world that values human rights and freedoms. One of these in particular is the 'right' to free speech. We have the right to say what we feel and think, positive or negative, to share our thoughts with others - this is an important aspect of society. Just follow one of the many tweets from Elon Musk, and you can see how much he believes in Free Speech, or for charges brought against others who have attempted to the hinder free speech of others In our world, we are constantly inodiated with information, with the free speech of those around us, and the responsibilities that come with it. There is a man I admire greatly, who gave a lot of talks over his lifetime - his name is Dr Wayne Dyer. He gives one speech about an orange, that truly cha
Read more

Way back then...Apple ][

-
The way I remember it... It was the fall of 1993, I had just started Grade 11, near the far end of the hallway of my highschool were 2 classes. 'Typing' and 'Computer Related Studies'.  It was the first year I would actually have 'computers' as a course in school, which I was pretty excited for. I only had an old Vic 20 at the time, but was hoping for a new IBM Clone 80386 for Christmas (I got my wish, it was from the Sears catalog and at the time was like close to $2000) I was quite familar with programming in BASIC, but I got a specific book at the local library on AppleSoft Basic to learn to program in the APPLE 2.  Most of the first part of the year was all about 'computer' history. We actually didn't spend too much time using the computers in the lab, which was fine, I enjoyed learning about the history, plus I was part of the school newspaper that year so I got to use the Apples running the newspaper program "The Newsroom". Wh
Read more

The Most Dangerous Software on the Internet!

-
Image
(From Wikipedia): The infinite monkey theorem states that a monkey hitting keys at random on a typewriter keyboard for an infinite amount of time will almost surely type any given text, such as the complete works of William Shakespeare. In fact, the monkey would almost surely type every possible finite text an infinite number of times. However, the probability that monkeys filling the observable universe would type a complete work such as Shakespeare's Hamlet is so tiny that the chance of it occurring during a period of time hundreds of thousands of orders of magnitude longer than the age of the universe is extremely low (but technically not zero). Recently in the news, their have been articles regarding " Reverse Class Action Lawsuits ". In a typical class action law suit a group of people get "ban" together to sue a large company.  The 'reverse' class action lawsuit is a tool being used by movie companies, to target individual users downloading o
Read more

Diabetes is not caused by eating too much sugar !!!

-
Image
 It makes me cringe every time I see a meme like this ! TLDR; -> Please help support finding a cure for Type 1 diabetes. I made this video for my local community Facebook page and it was rejected. I'm hoping you can help support the fight! To Donate:  https://jdrf.akaraisin.com/ui/jdrfwalk2023/p/1fc07cd8d6214688ad239471dfa31a88 ---- I worry, sometimes, that people really believe this is true, that eating a lot of sugar gives you diabetes. Suggesting that those that have diabetes are somehow 'responsible' for it because they ate too much sugar. This is utter nonsense ! ..and probably makes it hard to raise money to support finding a cure for diabetes - if the person is 'at fault' then why help them right? A person who chooses to smoke cigarettes, drink excessive amounts of beer, or engage in 'recreational' drug use, literally made a choice (in most cases) to put toxic chemical in their body - and yes I know people have addiction problems and need help - bu
Read more

Windows Gadgets (Geek Wisdom Clock)

-
Image
Do you remember the old days of ' Windows Desktop Gadgets ?' Gadgets were introduced back in 2000's by project "sidebar". A research group, who had developed a way to add things lick a clock, or an RSS reader on your desktop. Well the other day a fellow team mate of mine showed me a transparent clock he was working on in VB.NET. And I was like "Whoa! - Cool can I get a copy?" Well I tweaked it a bit, and wrote a tutorial on how it works on my GitHub Page. You can read the tutorial here:  https://www.codeproject.com/Articles/5249592/Making-a-Transparent-Desktop-Clock  and the related GitHub is @  https://github.com/geekwisdom/gwClock . Feel free to make your own gadgets using it. Or if you prefer to just download the binary release -   https://github.com/geekwisdom/gwClock/releases Thanks to Chris Wilby for the inspiration and the source! Enjoy !
Read more

So I started a Podcast ! - The G33k Dream Team .

-
Image
  *** HELP WANTED *** It was a dark and stormy night - okay well actually it was about 9AM on a Friday the 13th that I received a Facebook (messenger) message from Matt Gabrielson.. but the story starts a little earlier than that. About one year earlier, to be precise, on Jan 13th 2022, I sent Matt a message asking if I could write a guest blog on his site.  It took him over 1 year to respond - not because he wasn't fast at responding but because it took over 1 year for the message to show up in his Facebook Messenger. So we did an interview together for his YouTube channel it is called " What is GeekWisdom ", it was an opportunity to discuss GeekWisdom , how it started and what it meant. As of the time of this article, that video had more views then any of his other interview thus far, so when a few weeks later he contacted me as if I wanted to start a podcast with him, I jumped at the opportunity. The format is pretty simple, at least once a month (on the 4th), we are g
Read more

You should be able to do that...

-
Image
Everyone in life has different *things* which cause frustration.  For me often the primary source of frustration is around language and communication. A recent lifehacker podcast "How to get Your Point Across Online"  reminded me of how easy it is to fall into the trap of 'You should be able to do that...' There are many things I am not very good at, at least not in the not so humble opinion of others. I am not a multitasker, I cannot listen to/respond to more than one conversation at  time. I cannot remember things well (or where I put them) without prompts or reminders, and I quickly become anxious when confronted with a new situation that scares me, and it takes time for me to process my emotions. It is so easy for others to dismiss my 'quirkiness' as a flaw either in my ability as a person or in my personality. I suppose in people's mind we setup a "personna" of what every person should be able to do, and if they cannot just 'do it',
Read more