How Much Security Is Secure Enough?
By KiTaSuMbA in Op-Ed
Thu Apr 04, 2002 at 10:24:17 AM EST
Tags: Security
In the past few years, "security", "hackers" (inappropriately used) and "exploits" have all become buzzwords for end-users. Wide availability of broadband internet connections, dynamic web content, remote code execution, over-bloated network-aware software and OSes, and the spread of the internet among computer-illiterate people have turned normal desktop PCs into highly probable cracker / worm / virii targets. This editorial is not meant to be an internet security guide, a HOW-TO or a bible, but rather to provide some guidelines to keep you as far as possible from frustration.
Some rules to keep in mind:
- There is no such thing as a totally unbreakable computer, now or in the future, as long as it is somehow connected to a network. Never mind what hardware/software companies promise you and what specific OS aficionados are eager to convince you of.
- Security is inversely related (though not in a linear fashion) to convenience, advanced features and simplicity of use. Taken to its extreme, it ends up completely crippling your computer's network capabilities.
- The higher the complexity and size of a system, the higher the odds of it presenting vulnerabilities, and the more time/effort needed to track them down and fix them.
- Security is implemented on multiple levels, the most important being the very user and not his/her box.
Answering the question:
Before setting up the most die-hard system or skipping this article thinking "why should it ever happen to me?" you should first make up your mind on what level of security and in what sense you need it. This is called a "security policy" and, no, it doesn't concern only IT staff. Ask yourself these questions:
- Why me? Because
  - I have some very "interesting" data on my hard disk(s).
  - I keep getting involved in flame wars.
  - I have a 24/7 high-speed internet connection (cable, DSL etc.).
  - I run "sensible" services like web/ftp/mail servers on my box.
  - I run notoriously insecure software.
  - my aunt Mary is not security-aware and could get us (the box) in trouble.
  - I had a fight with my techie roommate/colleague and a subtle "inside" job could be revenge enough for him.
  These are all risk factors; they give you more or less an idea of how probable it is that you get attacked, and therefore how badly you need better security than what you currently have.
- How much security can I afford without making my internet life a nightmare?
  - I run services that HAVE to look at the outside world.
  - I know that ACME's foo program has security issues, but I can't get my job done without it...
  - my aunt Mary only knows how to use 3 programs: IE, Outlook and Solitaire!
  Thinking about these issues gives you an idea of how far you can go with security without going paranoid.
- What kind of attack would I be a candidate for? Depending on your risk factors, different types of attack are more probable than others, and your security policy should be oriented accordingly.
  - flame wars: most "experienced" crackers stay out of them, so you are most probably engaging script-kiddies and trolls that will attack you just to gain some self-esteem and play "cool" to their high-school friends. Their preferred method is a Denial of Service (DoS), as dropping your connection for some time or otherwise harassing you is achievement enough, and this kind of attack is very easy to deploy. Another type of attack would be trying a well-known exploit, with some (almost) ready-to-use tools available on the net, against a vulnerability most likely already fixed by a patch/update/new release of your software, as their computer skills are far less than what they claim to be.
    - stay out of flame wars and don't harass people. The Netiquette is not just a wish-list of some early internet bigots you are too "cool" to follow. And don't go around the net telling people how secure your box is and how darn good you are: someone may try to teach you security the hard way!
    - watch out for patches / security updates for your software (from OS to IRC client, whatever). Most security breaches occur on software already "fixed", which users don't care about or don't know about.
    - use a well-configured firewall that doesn't hog your computer's resources. Bulldog, keep-all-out, pseudo-die-hard, fancy-graphics style firewalls are more likely to die cowardly on a simple DoS attack and even crash your system altogether.
  - high-speed 24/7 connection: even a not-so-cautious cracker will route himself through 3-5 boxes before hitting that high-profile site. You also risk that an "advanced" script-kiddie uses your box to install malicious/illegal services: IRC bouncers, warez ftp servers, flooders, mail-bombers etc.
    - again, keep an eye out for patches / security issues.
    - firewall, again. Be restrictive in your firewall rules and keep logs to search for "suspicious" activity. Don't get paranoid though; you'll find lots of random hits.
    - use strong and encrypted passwords: "password", your birthday or your dog's name are obviously weak :-P. Try not to use the same password on multiple accounts or services: if someone gets his hands on one of your passwords, it will be the first thing he tries next time.
    - a simple Intrusion Detection System (IDS) / filechecker (checks for modified system files) to identify an intrusion ASAP. It is best to run such a utility from a read-only medium (floppy / CD-ROM) to make sure it isn't compromised itself.
    - keep periodic back-ups: they won't hesitate to format your disk if they fear getting caught.
  - software with well-known security issues: you can get just about every kind of attack: virii, worms, wannabe crackers "practicing", script-kiddies "having fun".
    - check for patches, patches, patches!!! Don't get caught asleep...
    - if the security issues are more likely due to the software's design (security-unaware features) rather than simple bugs in the code, it is *guaranteed* that more trouble will come your way, patch after patch, service pack after service pack (Internet Explorer or Outlook ring a bell? :-P). Try to migrate to a more secure product, asking yourself whether you desperately need all those features, whether the users would find it impossible to learn another, even similar, piece of software, and whether you can afford the eventual cost of purchasing new software.
    - use antivirus software and KEEP it updated: at least you can avoid older virii / worms, but keep in mind that this is not a panacea (virii nowadays can be designed and distributed on the net within days / weeks).
    - a firewall could keep some of the trouble away, but not much: the attack uses a "path" offered by your own software and thus most probably permitted by the firewall itself.
  - real-world-hatred-induced attack (inside job): depends on the skills of the attacker... There is not much you can do against a sledgehammer!
    - strong passwords, really strong passwords!
    - IDS / filechecker, antivirus.
    - keep back-ups not accessible to third parties.
    - data encryption (perhaps a bit too much paranoia here...).
  - sensible services: you can get crackers trying to route themselves through your computer, somebody "practicing" an exploit he just read/heard about or (rarely) figured out himself, attacks specifically targeting YOUR service (website defacement, mail servers used for spamming etc.), worms.
    - do you really need these services? Most end users prefer preconfigured OS installations to selectively choosing the applications they need. They select a "typical" MS Windows installation which contains, surprisingly enough for the typical desktop user's needs, the "personal web server" (Microsoft's own web server, IIS), a piece of software "traditionally" known for its bugs and vulnerabilities. Linux newbies go for the full install of their distribution to avoid the trouble of choosing among some 50 or more software packages, thus installing just about every network service known to present day (from rsh and NFS to apache and telnet). Trouble is, a lot of users are actually unaware of the services their system runs, or don't realize the security implications of such a configuration. Indeed, one of the most widespread worms, Nimda, exploits a well-known vulnerability of the IIS web server that had been fixed long before the worm appeared. MS's defence was that the service pack fixing the bug had been available for some time and that there was a notice on their site informing users. However, the worm rapidly propagated on the net, as most users failed to update their computers (either because they didn't care or because they didn't even know what IIS is!). Let's ask this question again: do you *know* what services your system runs? And if yes, are you sure you need them all the time, or could you load them on request, e.g. to test a dynamic web page before uploading it? And, furthermore, do these services need to look to the outside world? If not, configure them properly.
    - patches, service packs, security updates, remember???
    - configure your server appropriately: double-check file permissions, vulnerabilities in dynamic web pages, strong passwords.
    - firewall: the firewall configuration has to let these services through, but you can still avoid some heat.
    - keep logs for the network AND the service (if available) and READ them, either manually (on high-traffic servers this is close to impossible) or using specialized software.
    - use a reliable IDS application.
    - keep frequent back-ups. You can't take for granted that you are secure.
    - educate your users. This must be *high priority* for you. If users mess around blindly, trouble is coming at you real fast, real soon, no matter what security measures you take (you cannot "program" a user's mind not to give passwords away to "friends" or not to use his phone number as one). Be detailed and specific, though polite and clear. Don't use jargon or tech terms heavier than they can handle. Explain what could happen if they do this or that; don't give them a dry list of DOs and DON'Ts, and don't play guru to them, making them feel like complete idiots. If you work at an office, print an "internet security policy" sheet and try to be available for further questions/discussion. You gain a hell of a lot more by being polite and "concerned" than by pestering people and barking at them every time they fail to keep up with your policy standards. In the middle/long term you will save a lot of time and nerve-wracking, painful system recoveries.
    - about strong passwords: on non-office, real multiuser boxes (e.g. your home linux desktop, where aunt Mary reads her mail and browses the web for cookbooks), don't take user account passwords lightly ("who cares, it's *his* home directory getting messed up"). Local exploits to gain root access, and thus complete control over your box, are far more numerous and easier than remote ones. Configure your system not to accept weak passwords (on most modern linux distributions it's as simple as an option checked in a GUI configuration tool) and educate users (see above).
    - use an antivirus program and keep it updated.
    - configure a firewall, but make it functional. You don't need people asking you why their ICQ client won't work, why they can't use DCC on IRC networks, or those with the "I am a hacker, dude!" attitude piercing that firewall, tunneling etc. just to get more functionality, or your little brother back home messing around with iptables when you are away.
  - critical / "hot" data on your hard disk(s): you might be targeted by a really experienced cracker with the explicit intent of theft.
    - DATA ENCRYPTION! Strong data encryption. :-)
    - a very efficient firewall.
    - keep the complexity of the system as low as possible without crippling your job, to avoid potential vulnerabilities: these guys don't need an exploit to be posted on the net to deploy one.
    - SecurityFocus and other security-oriented sites (both defender and attacker sides) should be on your daily web walk-about.
    - update, patch, service pack as soon as available, not "one of these days, really soon..."
    - if it is *really* critical, get some professional advice / help. Unless of course you know your way inside your box pretty well, in which case you shouldn't have read this far if not for fun (or perhaps looking for some bits to flame about :-)
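The "keep logs and search for suspicious activity, but don't get paranoid over random hits" advice above can be followed with nothing more than awk. What follows is an added example, not part of the original editorial: it sifts netfilter/iptables-style kernel log lines (the sample lines are constructed, using documentation-range addresses) and reports the busiest source addresses and the sources that probed several distinct ports, which is the pattern of a scan rather than a stray hit. The SRC= and DPT= field names are what iptables' LOG target writes; the thresholds are arbitrary choices for the demo.

```shell
#!/bin/sh
# Added example: sift iptables/netfilter LOG lines for "suspicious" activity.
# The log lines below are constructed samples (TEST-NET addresses), not a
# real capture.  Real lines carry more fields (MAC=, LEN=, TTL= ...), which
# the field-by-field parsing below simply ignores.

LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Apr  4 10:24:17 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Apr  4 10:24:17 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Apr  4 10:24:18 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Apr  4 10:24:18 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Apr  4 10:24:19 box kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Apr  4 10:30:01 box kernel: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 PROTO=TCP SPT=5555 DPT=80 SYN
Apr  4 11:02:44 box kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1900 DPT=1900
Apr  4 11:15:00 box kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=UDP SPT=1900 DPT=1900
EOF

# "count source" for every source address in log file $1, busiest first.
hits_per_source() {
    awk '{ for (i = 1; i <= NF; i++) if (index($i, "SRC=") == 1) n[substr($i, 5)]++ }
         END { for (s in n) print n[s], s }' "$1" | sort -rn
}

# Sources in log file $1 that hit at least $2 distinct destination ports.
# One stray hit on one port is noise; five different ports in two seconds
# is somebody walking your door handles.
scan_like_sources() {
    awk -v min="$2" '
        { src = ""; dpt = ""
          for (i = 1; i <= NF; i++) {
              if (index($i, "SRC=") == 1) src = substr($i, 5)
              if (index($i, "DPT=") == 1) dpt = substr($i, 5)
          }
          if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++ }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' "$1" | sort
}

echo "== hits per source =="
hits_per_source "$LOG"
echo "== sources probing 4 or more distinct ports =="
scan_like_sources "$LOG" 4
```

On a real box you would point the functions at whatever file your syslog sends kernel messages to (the path varies by distribution) and tune the threshold to your own traffic; the two single-port sources in the sample are exactly the "random hits" the text says not to lose sleep over.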
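The "filechecker" that the IDS items above recommend (something that spots modified system files as soon as possible) is small enough to write yourself. The script below is an added example, not code from the original editorial: it stores one SHA-256 hash per file as a baseline, then compares a fresh snapshot against that baseline and reports added, removed and changed paths. The directory tree and the tampering it detects are constructed for the demo; the baseline is written to a temporary directory here, whereas the text's advice is to keep it (and the checker) on read-only media.

```shell
#!/bin/sh
# Added example: a minimal "filechecker" in the spirit of the IDS advice.
# It records a SHA-256 hash per file under a directory tree (the baseline),
# then compares a fresh snapshot against it and reports ADDED / REMOVED /
# CHANGED paths.  Real tools (Tripwire, AIDE) also track permissions,
# owners and inode data; this only covers file content.

hash_file() {
    # prints "hash  path"; shasum is the fallback where sha256sum is absent
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# One "hash  path" line per regular file under $1, sorted by path.
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do hash_file "$f"; done
}

# Compare baseline file $1 with the tree $2.  Prints one line per difference
# and returns 1 if anything differs, 0 if the tree is untouched.
check_integrity() {
    current=$(mktemp)
    snapshot "$2" > "$current"
    diffs=$(awk '
        { hash = $1; path = substr($0, index($0, "  ") + 2) }
        FILENAME == ARGV[1] { base[path] = hash; next }
        { cur[path] = hash }
        END {
            for (p in base) if (!(p in cur)) print "REMOVED " p
            for (p in cur) {
                if (!(p in base)) print "ADDED " p
                else if (cur[p] != base[p]) print "CHANGED " p
            }
        }' "$1" "$current" | sort)
    rm -f "$current"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# --- constructed demo tree; a real baseline belongs on a floppy / CD-ROM ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root"
mkdir -p "$ROOT/etc" "$ROOT/bin"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$ROOT/etc/passwd"
printf '#!/bin/sh\necho ok\n' > "$ROOT/bin/ls"
BASELINE="$WORK/baseline.sha256"
snapshot "$ROOT" > "$BASELINE"

# Simulate what a check should catch: a new file dropped into bin and an
# extra line appended to the account file.
printf '#!/bin/sh\n' > "$ROOT/bin/rootkit"
printf 'extra:x:0:0::/:/bin/sh\n' >> "$ROOT/etc/passwd"

check_integrity "$BASELINE" "$ROOT" || echo "integrity check failed (expected in this demo)"
```

Run the snapshot once on a freshly installed, patched system, store the result where an intruder cannot rewrite it, and re-run the check from the same read-only medium: a checker whose baseline lives on the disk it is checking can be edited along with the files it is meant to guard.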
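"Do you *know* what services your system runs, and do they need to look to the outside world?" is a question a script can answer. The script below is an added example, not part of the original editorial: it reads the text of `netstat -tuln` (the sample is constructed, not taken from a real machine), lists the sockets bound to every interface, and prints the ones missing from an allow-list of services you have decided you need. The allow-list and the small port-to-name table are the author's assumptions for the demo.

```shell
#!/bin/sh
# Added example: audit which services listen for the whole world.
# Input is the text of `netstat -tuln`; the sample is constructed.
# (`ss -tuln` prints "Local Address:Port" in column 5, so change $4 below
# to $5 if you feed it that instead.)

NETSTAT_SAMPLE=$(cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:2049            0.0.0.0:*
EOF
)

# Print "proto/port" for each socket of listing $1 bound to every interface
# (0.0.0.0, :: or *), i.e. reachable from the outside world, lowest port first.
# Sockets bound to 127.0.0.1 are only reachable from the box itself.
exposed_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); addr = a[1]; port = a[n]
            if (addr == "0.0.0.0" || addr == "" || addr == "*") print $1 "/" port
        }' | sort -t/ -k1,1 -k2,2n
}

# Tiny port-to-name table so the report is readable (demo assumption;
# /etc/services is the real reference).
service_name() {
    case "$1" in
        tcp/21) echo ftp ;;            tcp/22) echo ssh ;;
        tcp/23) echo telnet ;;         tcp/25) echo smtp ;;
        tcp/80) echo http ;;           tcp/111|udp/111) echo portmap ;;
        tcp/2049|udp/2049) echo nfs ;; *) echo unknown ;;
    esac
}

# Everything exposed in listing $1 that is not on the space-separated
# allow-list $2: candidates to shut down, bind to 127.0.0.1, or firewall.
unexpected_exposed() {
    allow=" $2 "
    for svc in $(exposed_ports "$1"); do
        case "$allow" in
            *" $svc "*) ;;
            *) printf '%s (%s)\n' "$svc" "$(service_name "$svc")" ;;
        esac
    done
}

echo "== listening on all interfaces =="
exposed_ports "$NETSTAT_SAMPLE"
echo "== not on the allow-list (ssh and http only) =="
unexpected_exposed "$NETSTAT_SAMPLE" "tcp/22 tcp/80"
```

Feed it `netstat -tuln` output from your own box with `unexpected_exposed "$(netstat -tuln)" "tcp/22"` and every line it prints is a service you either did not know you were running or have not yet decided you need; in the sample, telnet, portmap and NFS are exactly the "full install" leftovers the text warns about.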
Hopefully, if you followed me this far, you can figure out (more or less) how much security is secure enough for *your* case. Remember, there is no golden rule of thumb on this issue, nor a way to be 100% safe. Now, having a defined strategy, go create your security policy in detail and read the documentation on how to implement it on your computer.
Glossary:
- hackers: people whose attitude is to adapt their tools to themselves rather than the other way around. On computers: those that know their computer inside out, play with it to the limit of crippling it just to "try something they read about", and would rebuild the entire system to get that "-O3 -march=i686 -mcpu=686" extra optimization (I know I did, and got a KDE on steroids! :-P)
- crackers: people who sneak into strangers' computers, usually doing damage/defacement. Mainstream media erroneously call them "hackers".
- script kiddies: usually under-18, socially isolated individuals and "wannabe-crackers" without the skills and/or the talent. They use tools and code already available on the net on a "download - compile (the "advanced" ones) - execute" scheme. Identifiable mostly by their compulsive linguistic/orthographic extravaganzas (r00t for "root", 31337 h4x0r for "elite hacker" etc.).
- warez: illegally copied / cracked software.
- virus: a malicious piece of code that, embedded in a file, "infects" your system's files, almost invariably causing serious damage.
- worm: code that uses your system's resources and services to propagate itself to other victims (most frequently by e-mail). Almost all recent virii contain a worm component.
- trojan horse: a program that provides remote unauthorized access to your computer.
- exploit: a method to gain unauthorized access to files and/or services of your computer through software already installed.
- firewall: software that "filters" your network connection, allowing only specific types of connection to occur.