Many of the modern concepts of security are the same as in the past; however, things are changing quickly. Here are some modern security concepts and the issues associated with them.
Changing, Obsolete or Incorrect Ideas
A firewall is all the security that you need – this is something that has never been true but too many people believe it. A firewall is not enough to protect you completely; in fact, it has never been enough – this is analogous to believing that a chain-link fence will keep out all intruders. Yes, it will keep away the animals and a good one will deter casual thieves; it will not slow down a determined attacker much.
Seals of certification – these were popular in the early 90s but, to be blunt, they are worthless. There are too many and they mean nothing. Do not use them on your website – they may impress older visitors but for anyone Gen-X or younger, they look dated and archaic.
The greatest threat is from pimply-faced, bored ‘hackers’ – this may have been true at one point in time, up until the early 90s. However, the vast majority of modern IT security exploits arise from three sources:
- corporate espionage – plain vanilla economic sabotage or commercial intelligence gathering; this is almost exclusively done for economic reasons. It is almost always about resources – whether attempting to gather them for the attacker or to deny them to your organization. These groups will often attempt to remain hidden and keep their activities secret, if for no other reason than that they will be subject to prosecution if they are domestic, or to government censure if they are not.
- state-based organizations – basically, this is the model of foreign government ‘hacking’; this is done for a number of reasons including intelligence gathering, threat and surveillance assessment, and domestic economic sabotage. This is a very dangerous sort of intrusion as these organizations have a vested interest in remaining hidden and covert. They also have a lot of resources to expend against your perimeter defenses.
- non-state organizations – these are the real bad guys in IT security. This is any group that is neither a company nor a ‘country’ – in practice, this usually means either organized crime or terrorist groups. Motivations are often economic, but in the case of ‘hacktivist’ groups, public communication or disclosure of secret information is the main focus. These groups are very destructive and often feel little need to hide their activities, as they are not used to being held to account for them.
Modern Security Ideas
Attack surface – this is a critical concept in modern security. It refers to the overall sum of attack points (or vectors) over which an attacker can attempt to access the system. The two main ways to become less vulnerable are to reduce the attack surface (i.e., have fewer ways to enter or attack the system) and to add layers of defenses behind each potential ingress point (i.e., add layers of security ‘speed bumps’).
Multi-layered Security – the best advances in IT security have been in the area of defense in depth. This refers to placing many smaller barriers in the way of attackers; the overall effect is to wear down the attackers and make the access attempt, or the information or resources to which the attacker wishes to gain access, too ‘expensive’. In addition, defense in depth allows for fewer security holes or back doors, as all parts of the system are better covered and there is a much lower chance of leaving an opening through which an attacker can easily enter. It is, however, not cheap and requires regular updates, tweaking, and improvements. Old security is often worthless security – the modern security game is a co-evolution of attack tools and defenses.
Hacker is not a bad word – the word ‘hacker’ originally meant someone who ‘hacks’ things to see the edge of their abilities or explores systems to find vulnerabilities with the goal of fixing them – the ‘correct’ term for the bad-guy version is either ‘cracker’ or ‘black-hat’. The latter arises from the somewhat fluid nature of security experts, who may start by doing illegal activities for profit or boredom (black-hat), progress to doing illegal or unethical activities for ‘good’ reasons (grey-hat), and progress to not doing illegal activities but serving as a security consultant (white-hat). Given the rapid change in IT security, most white-hats must retain some grey to keep networks and informants active; however, remaining a full black-hat is difficult, given the severity with which most governments prosecute IT security offenders.
Which of these techniques and ideas do you have familiarity with? Are any new to you?
Image courtesy of rjp / flickr.com