Tuesday, 3 January 2017

Big Bad World


There are an increasing number of businesses whose assets are either entirely or mostly electronic, mostly in the form of data these intangible resources are the means by which many make their money.
A natural consequence of this is that the security of the infrastructure used to hold these valuables becomes of increasing importance, news stories of breaches come thick and fast to the extent that even a lay person is aware of the phenomena.
Given the potential ramifications of such a leak what can be done to ensure all possible security measures are put in place?
Don't Rely On People
Human beings are inherently insecure, we don't have a great capacity for remembering large and complex pieces of information and we can't be relied upon to not inadvertently commit a security related misdemeanor.
When we rely on human based security we are beholden to passwords, in theory a well chosen password gives a good level of security but the practicalities of having to store these passwords inside human beings does a lot to weaken the security provided.
Humans are also unique in their ability to be compromised by non-technical attacks in the form of social engineering, watering holes and phishing attacks, while education to recognise these threats can be affective it should never be considered full-proof.
Technology exists to counteract these threats, whether it be password managers, multi factor authentication or biometrics all are attempting to reduce the reliance on an individual remembering and not exposing the details necessary to access a system.
Obviously a certain amount of trust has to be placed on users of a system but expect that at some point one of those users will make a mistake and ensure this isn't fatal for the security of your assets.
Don't Just Protect The Boundary
Discussions around security will often talk about stopping people getting in, whilst protecting the boundary of a system is an obvious step to take the best security strategies will assume that despite best efforts someone will get through, this leads to the concept of defence in depth.
Any one piece of security or protection can probably be defeated but if this just gives you access to try and compromise the next layer you can increase the time and effort necessary to compromise an entire system to such a point as to be infeasible or not in proportion to the reward.
These layers may consist of the non-technical such as physically securing sensitive areas, the technical such as proper use of encryption and network segregation or administrative such as ensuring sub-systems and users only have the minimum amount of privilege that they need to effectively operate.
Security measures shouldn't just be equivalent to a steel door on a safe they should be a spiders web of measures that impede the progress of would be attackers at every turn.
Complacency Killed Security
Attackers are often very resourceful, creative and intelligent people who are highly skilled in there ability to defeat whats put in front of them.
Many a breached system would have looked comparable with Fort Knox until someone exposed the minor crack of a weakness that blew the whole thing open.
The security of a system should be demonstrable and should be verified by regular penetration testing and probing.
Its also advisable to have an attitude of distrust and pessimism, everyone is out to get you and soon or later they probably will.
Its important to have uncomfortable conversations about how the aftermath of an attack will dealt with, how can consequences be limited and how can security be re-established, the strategy for dealing with a breach is as important as the strategy for preventing one.
The proper application of security is often achieved by the application of many subtle measures to achieve something stronger than the sum of its parts, this is further strengthened via constant re-evaluation, the assumption that attackers are trying to get in and the need for security to demonstrable and not just theoretical.
Good security is also collaborative with everyone understanding the role they need to play and the potential pitfalls they could be exposed to whilst performing their role, together we can attempt to combat a big bad world.

No comments:

Post a Comment