Monday, December 15, 2014

Watch this space

I am working on my flowchart/list of basic security activities.
It shows how to go from nothing to something to usable security.
The issue is that I am trying to find a middle ground between detailed instructions and a useful overview: something that lets you know what to do without getting bogged down in minutiae, while not being so vanilla and general that it's useless.
I'll keep you posted.

It's a "proven failed" method, so why use it?

This is not a conclusive post with detailed instructions.
Rather, this is an open-ended question on which I have a few quick thoughts.

As always with me, it comes down to attacks of opportunity vs. targeted attacks.
If you reduce your attack surface and harden the known attack points (firewall, wifi, desktops, default passwords removed or changed, SNMP, printers, etc.), you greatly reduce the chance that a drive-by attack of opportunity will take you down.

However, on their own those items represent a "proven failed methodology".
Which is to say: if all you do is harden the environment, without monitoring and investigating, you will fail.
Your network will get popped, hacked, cracked, or whatever other term you prefer for someone getting at information and access on your network that they were not supposed to have.

So why do it? Can't I just monitor activity, see the attacks, and deal with them at that time?
If defense is doomed to failure, doesn't it make more sense to put my money into detection and reaction?

NO.

Simply put, if you can't reduce the number of attacks, you can't respond in any real sense. Every drive-by scan and default-password attempt you fail to block becomes an alert someone has to triage, and the targeted intrusion you actually need to catch hides in that noise.

Think of your average *airport.  Is the security fail-proof?  No.  Is it tight enough to stop a dedicated hijacker/attacker/bomber?  No.  However, the security in place stops the average person from bringing a gun on board an airplane, and it raises the effort required of a dedicated attacker enough to remove many if not most of the available avenues of attack.  This reduces the number of attacks to be dealt with, and that in turn makes it possible to look for the kind of original attacks that can't be defended against directly (ok, the metaphor starts to break down, but hopefully you see the point).

This topic requires more discussion: proof of effectiveness, detailed reports on what works, why, and to what extent.  But for now, this is a good start.  As an aside, Sony had neither proper defense nor accurate monitoring.  They missed the incoming traffic, the outgoing traffic, and the jumping between machines that happened inside.  They cannot be used as an example of good security at any level.
Good lawyering, maybe.

*Airport security is a hot topic and one that is debated by people much more in the know than I am.
Needless to say, many security professionals feel that US airport security is "security theater" and that it has never caught a single terrorist.  I don't want to get into that discussion, but I cannot ignore its existence.
I fall on the side of "it's not good security, whatever it may actually be", and I recognize that there are limits on what they can do politically.  For more than that, go find one of the many blogs that harp on this non-stop.
[edited for typos]

Wednesday, December 10, 2014

A comment on passwords

Things we all know:
Passwords are important
We should not share our passwords
Passwords are annoying
We have too many passwords

Things the IT world knows about people and passwords:
Passwords will be reused
People will add a 1 to the end
People will base them off their lives
People hate passwords

So, honest truth: none of us is great with passwords.  Unless forced, we rarely change them, we have a default we use for "unimportant" accounts, and we often use bad passwords.

The problem is that there is no longer an unimportant account.  Social networking accounts can be used to reset email passwords, email accounts can be used to reset almost any password, and eventually every one of those can lead back to your bank.

So what makes a bad password?
We have all seen this XKCD comic on password strength.  Ok, that defines (in one way) a good password, but what is a bad password?

Too short: short passwords are quick to brute-force or guess; every character you add multiplies the attacker's work.
Easily guessed: there are any number of "common password" lists out there.  If your password is anywhere on one of those lists, you have a bad password.  Just as bad is a password that is "uniquely yours", i.e. your favorite author/book/sport/team/etc.  Those are easily guessed by anyone who knows you or has read your social media.
Re-used: a password used in two places is bad.  If one place gets hacked, your password will likely be tried by an automated system against a bunch of standard sites (credential stuffing).  It will also be added to one or more of the known password lists and then tried more easily elsewhere during the next breach.
Unusable: this is a tough one to deal with without help.  If your password is the 42-character result of encrypting your cat's DNA and then multiplying it by your dog's DNA... it's not going to be usable.  However, you can fix this one easily with a password safe.

How to make a good password:
DON'T.
Don't bother manually making a good password.  Within the last 5 years more than a BILLION active passwords have been exposed.  That means you can assume that whatever cool and innovative trick you're using to make your passwords has been used by someone else, and their password was exposed somewhere along the line.
So don't make passwords by hand.  Use a password generator.
Between the password safe and the password generator you should no longer be looking at your passwords, ever.
I personally like 1Password and KeePass as my favorites.  LastPass and SplashID are also OK, but not my favorites.
Whichever one you use, create a long password to secure it with, and then never create a password again.  Let the safe generate, store, and enter your passwords.  Use the functionality built into most of them that tells you when it's time to change old passwords.
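As an added example (mine, not code from the post or from any of the password managers named above), here is what the two halves of that advice look like in Python: a generator that draws every character from the operating system's CSPRNG via the `secrets` module, and a checker that flags three of the four kinds of bad password listed above (too short, easily guessed, reused) and reports the entropy of a generated password in bits, the measure the XKCD comic is built on.  The common-password list and the "personal details" set are tiny constructed samples standing in for real breach corpora; the function names and thresholds are my own assumptions.

```python
"""Password generator plus bad-password checker (added example, not from the post).

The generator uses secrets.choice, which reads the OS CSPRNG; random.choice is
seeded from time and is predictable, so it must never be used for passwords.
"""
import math
import secrets
import string

# Constructed sample of a "common password" list. A real checker would load a
# file of millions of entries from published breach corpora.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "password1"}

# Constructed sample of "uniquely yours" words an attacker could harvest from
# social media (favorite author, team, pet). Still guessable, as the post says.
PERSONAL_WORDS = {"tolkien", "redsox", "fluffy"}

# 94 printable ASCII characters excluding space: letters, digits, punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # assumed policy threshold for "too short"


def generate_password(length: int = 20) -> str:
    """Uniformly random password of `length` characters from ALPHABET."""
    if length < MIN_LENGTH:
        raise ValueError(f"generate at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    Only valid for generated passwords; a human-chosen string of the same
    length has far less entropy because its characters are not independent.
    """
    return length * math.log2(alphabet_size)


def _base_word(pw: str) -> str:
    """Lower-case the password and strip trailing digits: 'Password1' -> 'password'.

    Catches the 'add a 1 to the end' habit the post describes.
    """
    return pw.lower().rstrip(string.digits)


def password_problems(pw: str, already_used=frozenset()) -> list:
    """Return the list of reasons `pw` is a bad password; empty list means none found.

    `already_used` is the set of passwords this person has used on other sites,
    which is the only way to detect reuse from the client side.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    base = _base_word(pw)
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("easily guessed: on common-password list")
    if base in PERSONAL_WORDS:
        problems.append("easily guessed: personal detail")
    if pw in already_used:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "RedSox2004", generate_password(20)):
        verdict = password_problems(candidate, already_used={"RedSox2004"}) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
    print(f"20 random chars from {len(ALPHABET)} symbols: {entropy_bits(20):.1f} bits")
```

The checker catches what it can see locally; the reuse test only works if the safe knows every password you hold, which is another argument for putting all of them in it.  Twenty characters from a 94-symbol alphabet is about 131 bits, far beyond the four-common-words passphrase in the comic, and nobody has to remember it because the safe types it.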

Yes, the safe is a single point of failure in your personal security; however, it's a reasonable trade-off.  You, as an individual, are unlikely to be targeted.  That means no one is trying to steal and crack your password safe.  It does not mean that you are safe from an attack of opportunity.

Those strong passwords, and thus your password safe, make you a much less likely victim of easy automated attacks.

And that is today's ramble.