Please read this disclaimer
You probably get a good deal of email, letters and phone calls warning you about computer security. The general idea is the same: your systems are threatened, we can stop the threat. The cost of the remedy is seldom mentioned up front. but there are lots of buzz words to make up for any lack of specifics. “Intrusion detection”, “secure firewall”, “hackers”, “Security assessment” and more
Is it real? Do you need to do something?
Well, yes, the threats are at least somewhat real, and you may need to do a few things to mitigate your risks, but I think it is important to step back and take a realistic look at all of this.
Who wants to break into my computers?
The basic answer is: people you know, and people you don’t know. People you know are employees, friends (!) and family. Some of these people already have access to your computers to a greater or lesser degree. People you don’t know may have access to some of your computers too: web servers, for example. Those people generally haven’t been granted access to your internal systems.
When we are talking about security, we need to be aware of both of these general classes, because they require different kinds of security protection.
Why do they want to break in?
Three basic answers:
- Financial gain
- Spite
- Malicious mischief
Employees and competitors are both possibly interested in financial gain from information you may keep on your computers. However, complete strangers can also be interested because of stored credit card numbers and even bank account numbers and access information. These people don’t usually want to damage your systems, although they may cause damage by covering up the evidence of their theft.
Spite usually comes from people you know. You’ve wronged them in some way, you don’t pay them enough, you snubbed them, paseed them over for promotion, whatever. They want to hurt you.
Malicious mischief is just anonymous rock throwing, the equivalent of halloween pranks. The people attacking don’t know you at all, they just want to destroy something, or scrawl graffiti on your web site.
There’s also the possibility that the actual target is someone else and your computers are just used to help get to that other place, or to help attack that other place.
So what can I do?
Well, that’s the problem.
You cannot get 100% protection.
Let that sink in a minute. No matter what you do, these bad things can happen. Therefore, probably the most important thing you can do is to have a plan that lets you recover from disaster. That might include insurance and a definition of procedures that will need to be followed in addition to things directly related to the computers. You need to access your risk (what do I have to lose) and what your plan will be if the identified risks come true.
By the way, such disaster planning is just good general practice. What do you do if all your paper records are lost in a fire? What do you do if you lose 30% of your customers this year? If you lose 50% of your employees? Sometimes the answer isn’t pleasant, but it’s best to think of these things ahead of time. Amazingly, very few companies have detailed disaster recovery plans.
But back to the computer side of things. So you can’t get 100% protection. What can you get?
Before you even read the rest of this, consider this sobering thought: in spite of what you see in the movies, most computer security breaches come from within, either directly or through what hackers call “social engineering” – convincing someone inside to “open a door”. People inside your organization already have access to things that could do you damage. You assume a certain level of trust, but that trust is often what gets you in trouble.
Firewalls and intrusion detection systems can’t do much about someone you trust. Keep that thought in your mind as we go on.
Speed costs money. How fast do you want to go?
The more security you need, the more it is going to cost. The cost isn’t just money, either. There’s also often a cost of aggravation, of increased difficulty for things you now do easily. And the costs never stop, because security is a constantly changing target.
For example, it is strongly recommended that passwords be changed regularly, and that they NOT be simple ascii strings like “mydog” etc. People (employees) tend not to like difficult passwords, especially if they are frequently changing. When people have to pass through multiple machines (a firewall for example), best practice is that the have different passwords on each machine. People really hate that. So, in companies that enforce this sort of thing, it is depressingly common to see passwords written on sticky notes attached to monitors. What good is the password then? Not much.
There’s also the matter of notifying important people. For example, it might be very necessary for your outside consultants to have access to many or all of your machines. If passwords are constantly changing (as they should be), you have to constantly notify them. Now imagine that your consultants have a number of customers doing the same thing. The overwhelmed consultants will undoubtedly keep a list of all their clients and all the passwords, and they will probably keep that list on their computers. What happens when someone’s laptop is stolen and all your passwords end up in someone else’s hands?
What is secure today may not be tomorrow
As bad as the password mess is, insecure programs are even worse. These threats come from programs that have bugs or sometimes even deliberate insecurities that give access to your systems. There have been thousands and thousands of this type of thing discovered, and many of the worst problems have been fixed, but…
Things change. Methods to break into computer systems (or just to tie them up so you can’t use them: DOS or “Denial of Service”) are constantly evolving. Patch one hole and the hackers will find another.
There are services that can notify you of new exploits and vulnerabilities. For example, the BugTraq mailing list http://www.securityfocus.com/popups/forums/bugtraq/faq.shtml will make you aware of newly discovered problems.
Here’s an example:
Title: The bug in networking_utils.php (http://www.sourcecraft.org/downloads) networking_utils(PHP) Show Files Vulnerability Summary: networking_utils.php Includes a ping function, a traceroute function, and an nslookup function. Vulnerable systems: networking_utils networking_utils.php of the networking_utils php script allows remote visitors to view any file on a webserver.
Now comes the problem. Do you use “networking_utils”? Does this bug affect any of your systems? How much? What’s at risk, and what can you do about it?
Even just the first part of this may be difficult to determine. While PHP is mostly used on web servers, it can be used elsewhere. Unfortunately, it might be quietly used inside something else that has nothing to do with your web servers. But just because you are using PHP doesn’t mean you are using this function.
But let’s say it is just your web servers (this time). Most likely there is some business reason that required the use of this. Maybe there’s a simple fix available, but maybe there isn’t. Maybe you either need your web site completely rewritten or you need to abandon part of its functionality. Tough decisions, and they can be very costly.
And then there’s the question of who makes the decision. No one person in or outside of your organization may have enough of the total picture to make the call on what to do. Is it safe to ignore? What will it cost to fix it? Is it worth it? Realize too that sometimes this isn’t something that can wait until next week: if this were a serious vulnerability with no current fix, your security people might want to shut down your web server NOW. You, however, might feel that the risk of someone exploiting this is small, and the business need for your web presence outweighs that risk.
No easy answers here, and (in spite of the hype from people selling security services), often no easy fix. Some of these folks may say that they monitor BugTraq and will fix problems on their systems. Great, but what about your internal systems? Are they responsible for those too? How much responsibility do you want to give them? Will they be able to shut off important systems if they feel the systems are at risk? How much can you afford to give them? The reality is that no outside firm is likely to be able to give you that much attention even if you could afford it, and no outside firm is likely to be in a position to make the risk/benefit analysis that really is always required.
If you were really going to do this sort of thing seriously, even very small organizations would need near full time attention to the details of security. You’d probably need both full time employees AND outside services to even begin to cover this well. Every time you added new software, new employees, or changed any procedure, the security people would need to review it. Most small businesses simply cannot afford that level of protection.
The answer is not to just hide your head in the sand, of course. You may not have the resources to protect your systems to any great degree, but that doesn’t mean there is nothing you can do. You need basic security precautions in place. At a minimum, you should keep operating system software reasonably current, and firewall/router software very current. You should change passwords on important systems at least yearly, and whenever employees who had access leave your employ. Passwords should be at least somewhat difficult in spite of the objections you will get from users. You should also shut off unneeded services at servers. You may have such things blocked at your firewall, but to be completely safe, they just shouldn’t be running at all.
Don’t forget the “what if” plans. You need to be ready if some terrible thing does happen- or at least as ready as you can be.
Originally appeared at http://www.aplawrence.com/CS/security.html.
November 2002 Tony Lawrence All rights reserved
This article is copyrighted material. You have permission to use it for any purpose, commercial or non-commercial, as long as it is kept intact and credit is given as specified herein.
You may publish it in paper or electronic form. That includes magazine, newsletters, and web pages, both internal and external, for profit or not. Banner ads and other graphics may be removed, but all other text, hyperlinks and copyright notices, including this, should remain (but see below also). You may not delete text, alter it, or add to it in any way that does not clearly delineate what is yours and what comes from this site. You may alter fonts, font sizes and the like and reformat text as is appropriate for your use.
You may select specific paragraphs or sections, but if you do so, you must either include this entire notice also, noting that you have not published the entire article, or simply note that the paragraphs you have published are part of a larger article and give the http address of the actual article.
My main concern is that no one would be confused that you wrote something I wrote or vice-versa. If your use meets that concern, and allows people to find the original article here, I have no objection.
This general permission specifically does NOT apply to test questions and answers.
Some articles at http://www.aplawrence.com and are copyrighted by other individuals or corporations; these paragraphs do not apply to those articles even if accidentally included.
We do appreciate being advised of any such use: Email: tony@aplawrence.com.
A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com
