The biggest failure in information security is actually a failure in information technology implementation.
For many, many decades the operating systems and applications that have been made for computers have come with built-in security features. The very idea of a username and password to log into a computer pre-dates home computers by at least a decade, with Multics back in 1964. And it wasn’t the first.
But what has happened over this time is the old “arms race” where the bad guy finds a way around the restrictions put in place, so newer and more elaborate restrictions are put up. More elaborate and complex security systems require more time to set up, more knowledge to implement and a generally higher degree of intelligence.
In the business world, there is little tolerance or interest in the needs of Information Technology, but an excruciatingly large demand. Most IT departments run on very tight budgets with minimal personnel, the majority of funding going to hardware and obscenely expensive software licensing. If you don’t offer very high pay and very good benefits, you can’t really attract the very best IT employees.
So for the last 23 years or so, the information technology field has turned to 3rd party solutions for complex security. “Solutions” include antivirus, antispyware, Intrusion Prevention Systems, Firewalls, anti-spam, web filters and more. There are host-based and network-based versions of all of these, plus other variations and specialized implementations. There is deep-packet inspection, source-code analysis, vulnerability assessment, penetration testing, and on and on and on.
The end result? In a typical production environment of a Fortune 500 company, you have dozens, hundreds or even thousands of computer systems that essentially run with a default, base Operating System install and all the 3rd party security tools bolted on as an after-thought. No patching is done at all, or only the absolute minimum needed to keep the systems running. Many unused services are left installed and running. Local security policies are never configured, or only a few token changes are made. Services like HTTP, SMTP, FTP, IMAP, POP and the like also run with default configurations.
These systems are INCREDIBLY VULNERABLE AND EASY TO HACK! They can be broken into remotely or locally. We’re talking $150,000 premium servers that can be turned into digital scrap with the equivalent of a toothpick. They are the electronic equivalent of a frail person with no immune system, kept alive by a thin plastic bubble. That bubble? The 3rd party security software that has been installed on the server and the network. And that very expensive, five million dollars’ worth of security solutions? Very likely it has also been thrown in place with default settings, providing only half-assed protection.
This all happens because IT departments are overworked and full of lazy, ignorant people. Not every IT staffer is an idiot slob. But there are enough overworked, stressed IT workers mixed with enough faux-IT employees to result in the mess that the world finds itself in today: A billion computers in shitty health.
It’s time to wake up and shake the cobwebs out of our heads. We can build computers configured properly so that they are not immediately vulnerable to every single exploit that is published. We do not have to rely on a dozen layers of expensive, 3rd-party security software to protect ourselves! I’m not suggesting we do away entirely with firewalls and other measures. But we can make our servers, workstations and websites many times more secure than they are without anything more than additional man hours. Which, in the end, is probably cheaper than overpriced security software.
Computer security follows the biological threat model. A healthy computer system is hard to infect or exploit. Not impossible. Just hard. Hard enough that the infection/exploit vector (be it automated script or malicious hacker) will just go and find something easier to attack in most cases. Even when a healthy computer system is violated, it will be easier to recover from the attack.
What makes a healthy, secure computer system? Here’s a short list to start with:
- Install all operating system patches that are applicable, not just the ones that are “approved”.
- Absolutely no unnecessary software installed. If you don’t need it, yank it!
- If you can’t uninstall something you don’t need, turn it off, delete it, restrict access to it in some other way.
- Turn off the services you don’t need (which you should uninstall if you really don’t need them!)
- Configure a local security policy to at least enforce password security and enable auditing of security events.
- For any of the services you DO use, including 3rd-party software, make sure to enable the security features included such as authentication, encryption, access restrictions, etc.
- Update your 3rd party software as well as the operating system. That means patch that crappy Java engine and that piece-of-shit Adobe Reader!
- Backups. If your critical system isn’t being backed up every single day, you are putting a gun to your head and asking people to pull the trigger. I am not joking. Lack of backups is literal suicide, people!
- Monitor your systems! Monitor the hardware sensors, the disk capacity, the network usage, the CPU load, everything you can get your hands on.
- All of the logging on your servers should go to a central syslog server as well as locally. If your server becomes a burning, molten hole in the ground you still have logs of what the fuck happened.
- Test your systems! Make sure that all the redundant hardware actually works, that backups are restorable, that patches installed are active (schedule reboots on a weekly basis), and any other behind the scenes scheduled jobs actually run to completion.
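Several items on that list (unneeded services, central syslog, daily backups, patches that are installed but not active until a reboot) can be turned into a repeatable baseline check rather than a once-a-year good intention. The script below is an added example written for this post, not code from the original; it audits a host snapshot against those four points. The allowlist of ports, the host name `web01`, the `ss -ltn` output, the rsyslog fragment and the timestamps are all constructed sample data, so it runs offline; the parsers accept real `ss -ltn` output and rsyslog.conf text if you feed them in.

```python
"""Baseline audit of one host against four items of the hardening checklist.

All inputs are constructed, offline samples for a hypothetical host 'web01'.
Nothing here touches the live system; feed the functions real `ss -ltn`
output or rsyslog.conf text to run the same checks for real.
"""
import re
from datetime import datetime, timedelta

# Hypothetical allowlist for a web server: only SSH and HTTPS may listen.
ALLOWED_PORTS = {22, 443}


def unexpected_listeners(ss_output, allowed=ALLOWED_PORTS):
    """Parse `ss -ltn`-style output; return listening ports outside the allowlist."""
    ports = set()
    for line in ss_output.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local = fields[3]                  # e.g. '0.0.0.0:22' or '[::]:25'
        ports.add(int(local.rsplit(":", 1)[1]))
    return sorted(ports - set(allowed))


def remote_syslog_configured(rsyslog_conf):
    """True if any active rule forwards to a remote host (@host = UDP, @@host = TCP)."""
    for line in rsyslog_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # commented-out forwarding does not count
            continue
        if re.match(r"^\S+\s+@@?\S+", line):
            return True
    return False


def backup_is_stale(last_backup, now, max_age=timedelta(days=1)):
    """Daily backups: anything older than max_age counts as missing."""
    return now - last_backup > max_age


def patch_not_active(patch_installed_at, booted_at):
    """A kernel or patch installed after the last boot is on disk but not running."""
    return patch_installed_at > booted_at


def audit(host, now):
    """Run every check over a host snapshot and return human-readable findings."""
    findings = []
    extra = unexpected_listeners(host["ss_output"])
    if extra:
        findings.append(f"unneeded services listening on ports {extra}")
    if not remote_syslog_configured(host["rsyslog_conf"]):
        findings.append("logs are not forwarded to a central syslog server")
    if backup_is_stale(host["last_backup"], now):
        findings.append("last backup is older than 24 hours")
    if patch_not_active(host["patch_installed_at"], host["booted_at"]):
        findings.append("patch installed after last boot; reboot pending")
    return findings


# Constructed snapshot of the hypothetical host 'web01' (not real data).
SAMPLE_HOST = {
    "ss_output": """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      5      0.0.0.0:21          0.0.0.0:*
LISTEN 0      100    127.0.0.1:25        0.0.0.0:*
""",
    "rsyslog_conf": (
        "# local files only; forwarding was never enabled\n"
        "#*.* @@logs.example.internal:514\n"
        "*.info /var/log/messages\n"
    ),
    "last_backup": datetime(2024, 1, 1, 2, 0),
    "patch_installed_at": datetime(2024, 1, 3, 9, 0),
    "booted_at": datetime(2023, 12, 20, 6, 0),
}
NOW = datetime(2024, 1, 3, 12, 0)

if __name__ == "__main__":
    for finding in audit(SAMPLE_HOST, NOW):
        print("FAIL:", finding)
```

Run against the sample it reports FTP and SMTP listening outside the allowlist, no remote syslog, a two-day-old backup and a patch that is waiting on a reboot; on a healthy host `audit()` returns an empty list, which is the state you want to see before any 3rd-party tool goes on the box.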
Does that look like a long list to you? Am I hearing some of you whine that it’s too much work? TOUGH SHIT! IT ISN’T FOR WIMPS, DAMN IT! Suck it up and earn your paycheck, kids!
Only after you’ve got a healthy, secure computing system should you then look at installing any 3rd party quackery like antivirus, IPS and the like. And you know what? Keep that crap off the servers. Just use network-based implementations. That way when those idiots in networking screw up, it doesn’t reflect badly on you.