Monday, February 02, 2009

A Little Perspective on Security

I used to teach a class on basic cryptography, and using cryptography in your organizations information security regime. I also taught classes on basic information security.

Mostly my students were mid level network and system admins, consultants, state and local law enforcement officers, and the occasional Fed. Mostly they were mature adults in mid career phase looking to either get some career boosting skills, some help in securing their organization, or some knowledge of how to investigate and deal with security, and security compromise.


Inevitably in any class there would be some genius (usually the 22 year old, most junior admin) who'd drunk the cypherpunk koolaid, and would always be talking about ridiculous key strength, or Van Eck shielding etc...

They always needed to be reminded of a couple things:
  1. There is no such thing as "secure" for anything useful; there is only "Secure Enough".

    There will always be a tradeoff between security, and usability. The only secure computer is one that's unplugged, sealed in concrete, with no data on it; and that isn't useful.

  2. If the NSA wants to read your email bad enough, they will. So would any other nation state. For that matter, so would Exxon Mobil, or Microsoft, or Google.

    You cannot begin to understand the resources available to those with billions or trillions of dollars and thousands or millions of people at their command. You cannot possibly protect yourself against such an array of resources if they are directed against you, and sufficiently motivated; unless you are a competing entity of the same scale.

    Forget 4096 bit encryption, they'll just phreak you, keylog you, or plant a camera over your shoulder; or if it comes down to it, kidnap and torture you.

  3. The NSA doesn't want to read your email. Neither does Google. Stop thinking so highly of yourself. You are an insignificant bug as far as the government or a major corporation are concerned.

    Seriously, nobody cares enough to bother; unless you are a terrorist, or are committing large scale theft or fraud; in which case see point 2 above.

    Your credit card and bank account info on the other hand... yeah, there are a lot of folks out there who would love to have that.

  4. Given points 1 and 2 however, the solution isn't crypto; it's not putting anything you need kept that secret onto a computer. If that isn't an option, then physical security is more important than the strength of your crypto.

    Only after physical security, and basic security practices are taken care of, should you be worried about how strong your crypto is (except when it comes to financial transactions). Crypto is a tool, not a solution.

  5. Given point 3, seriously, how much security do you really need? Security isn't about perfection; because perfection is impossible. Security is about managing risk.
So, how secure do you need to be to make the risk of a particular action acceptable to you?

Sure, eventually, given enough time and data capture, a cracker is going to be able to recover some of your email; but if it's two years from now, and you never discussed anything that would harm you two years down the road over email (and you shouldn't), "can't be broken in two years by someone other than a government or a large corporation" is enough security.

If on the other hand you're the president of the United States, you really shouldn't be using a blackberry; even for "personal" email. It's just an unreasonable risk, because EVERYONE is going to be trying to crack it, and eventually they WILL succeed.

For most people, the only major risk they will take with their computers is online banking; and current cryptography (presuming proper practices are followed) is sufficiently secure that it isn't worth the effort for anyone other than a nation state seeking to track terrorist funding, to crack it.

Remember folks, given sufficient time and motivation, "they" WILL get in. It's not whether you're paranoid, it's whether you're paranoid enough; or in this case, "secure enough".

For most people, in most situations, "secure enough" is pretty simple:
  1. Never do anything that requires any degree of security without strong encryption, and take reasonable precautions surrounding your internal data security; and that will keep your end of the data pipeline secure from everyone but large corporations and governments.

  2. Remember though, the other end is susceptible to compromise. You don't control that end, and that end may not be encrypted. Most data compromise occurs through careless handling at the endpoints, not in transmission.

  3. Also remember that your laptop or desktop may be lost, or stolen, or keylogged, or compromised and remotely controlled. Take reasonable precautions against such things; balancing the risk of compromise, against the value of using your computer to do those things that could be compromised

  4. An infinite amount more data has been compromised by poor physical security, or by simple human error; than by any deliberate attack against information systems.
So you have to evaluate the effort you spend trying to secure your network; against the effort to secure your office, and your users, and your service providers etc...

Actually, above all of that, people need to understand what exactly security is. For most folks, it's just some vague notion of being "safe"; but in the context of information security (and that's ALL information, not just electronic data) security has a very specific meaning:

Security is C.I.A.

No, not the Central Intelligence Agency, though that is a convenient and amusing coincidence to those of us in the field (security professionals have an odd sense of humor, believe me); but it is an acronym.

C.I.A stands for:
Confidentiality: Your confidential information must be kept private. No one should be able to access your confidential information without your knowledge and approval.

Integrity: Your information must be protected from tampering. No one should be able to modify your information without your knowledge and approval.

Availability: Your information must be available to authorized users when they need it. No one should be able to prevent authorized users from accessing your information without your knowledge and approval.
Most people only every think about the confidentiality aspect of security; but integrity and availability are equally as important, and often harder to achieve. Worse, a compromise of integrity or availability can be far more damaging than a compromise in confidentiality.

After all, what good is keeping your bank account data secure, if you can't get your balance when you need to; or if someone has altered the account number on a funds transfer to redirect it to Burkina Faso, instead of your bank account?

Again though (and this is going to get irritating because I'm going to repeat it several times), for most people, most of the time; an appropriate degree of security isn't that complicated. You just need to follow good security practices, take simple precautions, and balance your risk against your convenience.

Ok, How? What are the risks? What are "reasonable measures"?

Well, I can't tell you how to run your life, or what your specific risks are; or even how to weight those risks against convenience and usability; those are all individual determinations. I can however use myself as an example.

The first question is about risks. These are the things which make people paranoid; because as human beings we are generally poor at evaluating risk, and especially evaluating relative risks against rewards or utility.

For example, people worry to a ricidulous degree about their credit card being stolen online; but worry comparitively little about using their credit card in stores and restaurants; or the fact that credit card companies mail their cards to them via first class mail. In fact, over 99% (yes, really, over 99%) of all credit card compromises are either at retail point of sale, or through the mail.

I have a simple philosophy about risk, and that is "You don't stop mosquitos with machine guns"; by which I mean you don't want to try and identify and address every specific possible risk, because you can't possibly know what every risk is.

Instead, you want to build a good solid foundation of security and information management technologies and practices, appropriate to your overall level of risk; which by it's nature will address ALL risks as a whole. You also want to have the tools and techniques available to you for responding appropriately when there IS a compromise.

So to extend the analogy, don't try and shoot down the mosquito; put on some bug repellent, and a mosquito net, and live in a house with as few open windows as possible; and keep some antibiotics, qunine, and doctors information around for when you do get bit.

As to reasonable measures, again you have to figure out what is appropriate (or available) to your environmnet; but I can use myself as an example.

I take simple, but effective, precautions to mitigate and manage my risk; and balance it against the convenience and usability I expect from my systems.
  1. Whenever possible, I use strong passwords that are not related to me or my personal data in any way; and which cannot be related to any word in any dictionary, or any variant or misspelling, or character substitution thereof.

    I suggest taking a song lyric; stanza from a poem; or a phrase, sentence, or paragraph from a book or story you know very well; then using either the first letter of each word, or the first letter of each sentence, and mixing in capitalization, punctuation marks, and numbers to reach at least eight characters.

    Passwords thus derived are very easy to remember, but essentially impossible to guess, or use some kind of pattern matching algorithm on (called a dictionary attack). Oh and you'll never run out of them so long as you can remember a song.

    I wont say "don't use the same password for everything"; because you've all heard that a thousand times already; but if you're like me you WILL use the same password for many things.

    That's OK. It's better to use a single good strong password for most things, than to try and remeber a dozen weaker passwords.

    Choose a good, strong password; and use that password for all those accounts that don't require a lot of security (like online forum accounts or somesuch) and you should be fine.

    Please though, do use a different (and hopefully even stronger and better) password (and a different username too, if you can choose it) for each of your online banking accounts, credit card accounts, and home utility acounts. Also, never use the same password for your secure accounts as you do for your email accounts. That way one account being compromised won't result in all your other accounts being compromised.

    Oh and PLEASE PLEASE PLEASE, change your passwords every once in a while. It doesn't have to be every few weeks; but a couple times a year would be a good idea. The longer you use the same password, the more likely that password is to be compromised.

    Unfortunately, some companies or web sites insist on using stupidly insecure things as passwords (like social security numbers), or have password policies that prevent you from using good passwords; but I try to minimize what I do with those companies over a network.

    In fact, I sometimes decide simply not to do business with those companies based on their poor security practices.

  2. I never write anything down, or store anything on a computer, or transmit anything via a computer or network (oh and that includes phones by the by) that I am not prepared for the New York Times to publish; without encrypting it first.

    Even then, I don't transmit any truly critical secret data over any public data network, excepting credit card purchases and online banking; because I have decided that the (small) risk of compromise is worth the (very large) convenience of those things.

  3. I use a strong open source encryption scheme, and associated software; and I keep them updated.

  4. I keep my computers patched and updated, to try and keep ahead of vulnerabilities.

  5. I do all my computing behind a hardware firewall. I even have a mini hardware firewall that I travel with, and that protects me at client sites, wireless hotspots, hotels etc...

  6. I try and only use software that is not inherently, stupidly, buggy and insecure. I unfortunately have to use Microsoft operating systems for much of what I do; but I don't use internet explorer unless forced into it for example.

  7. I do not engage in stupidly risky behavior with my systems, or my data.

    I don't disclose private information to anyone without good reason, authentication, and security (is that REALLY your credit card company on the phone?); and I don't give websites that data either.

    I don't visit shady web sites, or use my credit card in shady retailers.

    I don't let strange people drive my car or walk around in my house. I also don't download or run untrusted files with executable content, or ANY files of any kind without virus and spyware scanning) that would be likely to result in compromise.

  8. I use multiple layers of malware detection and prevention, including virus scanning, spy and adware scanning, intrustion detection, and configuration management systems (yes, configuration management is a security tool); and I keep them up to date.

  9. I attend to the physical security of my systems, my data, and my environment.

    I keep my laptop and smart phone secured to my person at all times while traveling. I keep strong passwords on my systems and encrypt sensitive data, and don't travel with my most sensitive data; in case I DO lose a system, or it is stolen.

    Oh and it should go without saying, I don't keep physical copies of passwords around for people to read. Post it notes have broken more security than weak crypto by two or three orders of magnitude.

    I also attend to the physical security of my computing and data access environments. I only perform operations that require security in environments that I trust; and I protect those environments against physical compromise (or in the case of wireless networks, using strong encryption).

    Anything physical (printed, stored, saved, written) with confidential data on it gets securely stored (in safes or security cabinets) when it's not being accessed. After that physical media is done being used, it is either securely erased, or securely destroyed.

    I shred any physical media with any kind of personal data on it. Crosscut shredders that can handle cd roms and DVDs are your friend. Secure file deletion programs (the software equivalent of a shredder) are also your friend.

    Yes, the NSA can probably recover something from your hard drive after using a secure delete program. Unless you're the president, the president of a bank, or connected to Osama Bin Laden; no-one wants your email bad enough that you should worry about it.

    If you're really paranoid, or just bored, do what I do: Degauss the things with an industrial degausser, then take them out into the desert and shoot them full of holes, blow them up, or slag'em with thermite.

    Or more boring, hire a data destruction service to put them through a chipper-shredder (yes, they make a chipper shredder for hard drives. They're great fun to watch actually).

    Remember, post it notes, ethernet ports, wireless networks, cd-roms, and flash drives (or USB ports), are all far easier to compromise than strong encryption.

  10. I keep multiple, known good, encrypted copies of all my critical data, on read only media, in at least two separate and reasonably secure environments.

    I also keep at least two backups of all my systems; one online or nearline, and one in a fire safe (I try to keep them current, but admittedly I fall behind some times).

    It doesn't matter how secure your data is, if you can't get to it; or if it gets lost or stolen or destroyed.
By taking just those basic, common sense precautions, I've protected myself against at least 99.99% of the possible threats out there (or at least the ones I can personally address. Again remember, most compromises are at the endpoints. You can't take personal precautions against your banks janitorial service throwing out a printout with your data on it.); without significantly reducing my convenience or usability; and without taking undue effort or energy.

I'd say that's about the best you can hope for given the world we live in today.