Information Security Fundamentals #1
This article is for people who have IT systems or data they would like to protect and who would be disappointed to find them irrevocably destroyed. If you don't own systems or data of any value, that's great, this article probably isn't for you. A word of warning though - I've met many, many people that own data of significant value and yet for a variety of reasons have not considered its value, the threats to its existence or the consequences of its irrevocable loss.
What is Information Security
For the purposes of this discussion I will use the word "data" to refer to all your digital assets: passwords, domain name registrations, content management systems, office documents, email accounts, social media accounts, marketing databases and management information systems. Basically, everything you and your organisation does or owns on a computer.
The mistake that many people make is to assume that whenever they hit "Save", that's it. Their data is written irrevocably into the fabric of the universe for guaranteed later retrieval whenever they like. In fairness, that is usually how it works and generally no more thought is needed. Not always however. Sometimes that data can be intercepted, corrupted or changed and once it's gone, it's too late.
How your data could be destroyed
There are 5 main ways that your data can be destroyed: hardware failure, human error, software error, environmental damage or malicious action.
Hardware failure, particularly of disk drives, is common and can easily render your data inaccessible. Similarly, human or software errors involving permanent data loss are near certainties at some point. Environmental damage such as fire or flooding is rare but can happen.
Fortunately, all these issues are relatively easily mitigated with well understood backup strategies. Make regular offsite copies of your data and in the event of a problem you can simply restore any lost data from the backup. It's good practice to keep multiple separate backup copies going back over several days and weeks just in case your last backups are unreadable for some reason. This does happen and there is no worse feeling than having a corrupted backup, other than not having another backup to fall back to.
Malicious action is where it starts to get interesting and this will be the main subject of this article. Malicious action is much harder to defend against and regular backups won't be sufficient. Malicious action can come from within and without your organisation. For this article, I will focus on malicious actions that come from outside your organisation. Specifically, internet based attacks on your online infrastructure and local attacks on your physical premises.
The value of your data
Most organisations these days have a portfolio of online digital assets. At least one website, any number of social media accounts, email, a domain name registration account and many others. In various ways these assets are critical to the operation. Most organisations would not shut down immediately if their website were offline but at the very least it would be embarrassing and brand damaging. More than a few organisations are highly dependent on their online assets and some of these have never considered that their data could one day be gone forever.
Many organisations don't account for their sunk cost in creating and editing their data. Websites and other digital content for example can represent £1000s worth of copywriting, software development, SEO, customer information etc. Unfortunately, money won't be able to buy your data back after it's gone.
The nature of attacks
Most website owners would be amazed at the extent to which their webservers are under constant attack. They fondly imagine their data securely humming away in a data centre somewhere in Reading, which it most likely is. However it is simultaneously exposed to the most hostile networking environment ever imagined, the internet. Automated programs on computers from all over the world send malicious requests probing the defences of other computers elsewhere on the internet. In many countries, particularly Russia, Eastern Europe, China and increasingly Africa this is either not illegal or there is no effective enforcement.
Every computer on the internet will most likely be receiving these malicious requests. Our home and business computers sit behind firewalls which mostly block such requests but our servers must expose themselves through the firewall in order to provide their services. Malicious requests frequently attempt to compromise servers by anything from repetitively guessing passwords to exploiting vulnerabilities in the server software.
Malicious requests are able to identify which versions of which software you are running on your server(s). This is then compared to a database of known vulnerabilities and the code that takes advantage of them, known as exploits. If your server is vulnerable the exploit can be used to gain control of all or part of the server. If an exploit only gains partial control over the server, further exploits can be executed in a process known as privilege escalation until the desired degree of control is achieved. In most cases malicious requests will be using exploits for known vulnerabilities that have been fixed in later versions of the software, which is why it is so important to keep up with software updates. There are other types of exploits known as 0-days (zero-days), which are vulnerabilities known only to a select group of people and for which no security fix is available in the software.
Most software is basically secure but the digital world is so complex that new vulnerabilities are constantly being discovered and the software patched. Keep your software updated.
Many malicious requests are looking for "mis-configured servers", ie software running on a machine exposed to the internet that has not been properly configured to be secure. Maybe it still has the default passwords or maybe some other aspect provides a foothold for further exploitation. It's amazingly common to see mis-configured servers in all sorts of places you'd never expect (see the human error category above). Mis-configured servers in your infrastructure can be invisible unless you know how to look for them, and hackers do, so plenty of organisations will have no idea they have such vulnerabilities.
Anyone who has access to their organisation's internet-facing server log files would be shocked to see how much of their traffic is maliciously probing for mis-configured software and unpatched vulnerabilities. They are relentless and constant. It's fortunate that our software is as secure as it is.
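The kind of look through the access log the author has in mind takes only a few lines. The following is an added example, not code from the original article: it parses constructed Apache combined-format log lines (the IP addresses, paths and timestamps are made up) and counts requests for files an ordinary visitor of a site without those components would never ask for, plus clients that rack up many 404s, which is the typical footprint of an automated scanner.

```python
import re
from collections import Counter

# Constructed sample of Apache "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:09:14:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:09:14:05 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "python-requests/2.2"
198.51.100.23 - - [10/Mar/2014:09:14:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "python-requests/2.2"
198.51.100.23 - - [10/Mar/2014:09:14:06 +0000] "GET /.env HTTP/1.1" 404 209 "-" "python-requests/2.2"
198.51.100.23 - - [10/Mar/2014:09:14:07 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "python-requests/2.2"
203.0.113.7 - - [10/Mar/2014:09:15:30 +0000] "GET /about HTTP/1.1" 200 3310 "http://example.com/" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2014:09:16:02 +0000] "GET /admin/config.php HTTP/1.1" 404 209 "-" "curl/7.35"
"""

# One line of the Apache combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Paths commonly requested by scanners hunting for mis-configured or unpatched
# software. On a site that does not run these components, real visitors never
# ask for them; the list is illustrative and should be tuned per site.
PROBE_PATHS = ("/wp-login.php", "/xmlrpc.php", "/phpmyadmin", "/.env", "/.git/", "/admin/config.php")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_probe(entry):
    path = entry["path"].lower()
    return any(path.startswith(p) for p in PROBE_PATHS)


def summarise(log_text, not_found_threshold=3):
    """Count probe requests per client and flag clients with many 404s."""
    probes, not_found, total = Counter(), Counter(), 0
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue  # skip malformed lines instead of aborting the whole run
        total += 1
        if is_probe(entry):
            probes[entry["ip"]] += 1
        if entry["status"] == "404":
            not_found[entry["ip"]] += 1
    noisy = {ip for ip, n in not_found.items() if n >= not_found_threshold}
    share = round(sum(probes.values()) / total, 2) if total else 0.0
    return {"total": total, "probes": dict(probes), "noisy_clients": noisy, "probe_share": share}
```

On the constructed sample, five of the seven requests are probes, which is not far from what a real log for a small site looks like.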
What do they want?
In most cases the attackers want to take control of your server and use it for their own purposes. This might be as a server for online games, for sending spam email or to become part of their network of compromised machines, known as a botnet and used for attacking other computers. A common goal is to modify compromised web servers to display adverts, web links for SEO or even to download malicious content to visitors' computers. All of this pays handsomely with very little risk of getting caught if you live in the aforementioned countries.
It's also possible to use a type of program called a data diddler to encrypt your data and then extort money for the decryption code. Cryptolocker would be a recent, successful, very real example of this.
Is there any good news?
Most server software is quite secure. A lot of it has been around for a very long time and has been battle tested. New vulnerabilities do get discovered and fixed but if you keep up with software patches you're generally going to be fine. Many security vulnerabilities are quite obscure and unlikely to ever affect you; however, occasionally there will be a critical vulnerability that needs to be actioned promptly or even immediately. Sometimes non-critical vulnerabilities can also be combined in unanticipated ways to create a doorway into your systems. It makes sense to keep on top of software updates.
In most cases, website owners using cloud, VPS or shared hosting will find that their hosting company takes care of all system level software updates, so PHP, Apache, MySQL etc are all done for you automatically. This usually leaves website owners (or their developers) to update the web application that runs at the top of the stack, often a content management system such as Drupal or WordPress, or maybe a custom web application.
In most cases intrusion attempts are completely automated. Malicious programs scan the internet for vulnerable servers and break through any security to achieve what is known as "owning" the computer. From there, the malicious program will attempt to install a payload which performs some work for the attacker and likely creates a persistent presence on the computer. Being fully automated, most malicious programs are actually quite dumb. They will attempt their pre-scripted actions but if these fail, or if there are targets of opportunity, the malicious program is unlikely to be able to adapt. Most hacking is a numbers game: scan 1000s of computers and some are bound to be vulnerable. This means that taking some simple precautions can protect you against 95% of attacks.
What is your attack surface
Your attack surface is the entirety of interfaces that all of your hardware and software presents to the world. In most cases this is much larger than you think, and most of it is completely invisible and requires using your imagination to see what it looks like and where it is. All your internet facing servers, all your web browsers and computers, all devices and software on your network and the network itself are part of your attack surface. Your attack surface can also extend outside your company. Everyone that has access to your network and any suppliers that install or control software on your network are also part of your extended attack surface. Most people will have difficulty envisioning their attack surface. Hackers do not, which is what makes them hackers.
The bigger your attack surface, the more likely it is to contain vulnerabilities for malicious people to exploit. The good news is most of your attack surface is actually quite secure. Also, most of the threat comes from the internet, which is only able to access a relatively small part of your total attack surface.
Understanding your attack surface and taking steps to minimise or mitigate its significance can be a worthwhile investment.
What is your threat matrix
An important question to consider when determining your security posture is, who is likely to be out to get you? If you're a high profile organisation then it's not impossible that you might be targeted by skilled and determined hackers. Defending yourself against such an adversary can be an extremely difficult and expensive proposition and not one to be underestimated. If real hackers are coming for you, you had better be prepared.
Fortunately, most organisations are not that high profile and are unlikely to be specifically targeted. More likely is an attack by a so called script kiddie. 99% of "hacks" are actually script kiddie attacks. Script kiddie attacks are like a computer virus on steroids, whereas a targeted attack from skilled hackers is more like being attacked by a digital poltergeist. I'm not joking.
A good rule of thumb for estimating how much effort you should put into information security is to take the value of your data, multiply it by your attack surface and then multiply it again by your threat matrix. Many organisations have never actually considered the value of their data or that they even have an attack surface. Fortunate for them that their threat matrix is small.
Don't forget about physical security
Physical security can be a good metaphor for understanding information security. Everyone understands about locks, keys, trust, burglar alarms and insurance. These sorts of concepts have analogs in information security. Most people implement a sensible level of physical security but understand that if someone really wants to get in, they will find a way and for that they have insurance. So it is with information security. You can even get eRisks Insurance Cover.
What most people don't consider is the impact of physical security on their information security. Your physical or local attack surface is probably much larger than your internet attack surface and is potentially much easier to exploit. Most organisations have given very little thought to their physical attack surface and are thus utterly unprepared and undefended. Every computer that is accessible to an untrusted person is a potential vector for attack. A prepared person can thoroughly compromise or own an unlocked, unhardened computer, which is most of them, in about 5 seconds or less. This doesn't even require any skill on the part of the attacker; it can be as simple as typing a URL or inserting a USB drive to create a backdoor for later control. The person doing this may even have been tricked into cooperating with the attack without realising what they are doing.
The golden rule is: if you can physically access the hardware you can easily compromise its security entirely and no-one can stop you. It is entirely plausible, easy even, that someone could remove a hard drive, place it in their own computer, thereby trivially bypassing any security, change the programs on the hard drive and then re-install the drive in its original computer. That computer now works for the attacker.
When you know what to look for, opportunities for physical attacks are everywhere. Every USB port, every active network port or even just an innocuous cable running through a public area are vectors for attack. Don't make the mistake of assuming that because you think an attack would be too difficult, attackers will agree with you. Plenty of people have skills and knowledge that make such unlikely and difficult sounding procedures very easy and, for some, an entertaining challenge.
The good news is that attacks against the physical attack surface are rare because criminals are unable to hide securely in foreign legal systems and punishments for cyber-crime are quite severe in most western countries. As crime goes, cyber-crime still requires a fair amount of skill and sophistication and ultimately, it's less risky and almost as lucrative just to be a regular law-abiding programmer.
A point about popular applications
Another thing that many people have never considered is the impact of choosing popular software. The more people use a particular software product, the more incentive there is for bad hackers to develop programs that specifically exploit that particular piece of software. Tools such as WordPress and Drupal are popular for a reason, they're great and they're free, but if you're using such tools you have to be aware that in some respects they make you an easier target.
This is no cause for complacency if you're using more expensive and thus more exclusive products. There are alternatives to Drupal and WordPress, for example Sitecore, Episerver etc, with six-figure licence costs. In one sense, these products may be less attractive to hackers due to their smaller user base; however, such software is generally used by large corporations who might be considered rich pickings for cyber-criminals.
The disadvantages of using popular software also have to be weighed against the benefit that popular software is likely to have been much more thoroughly battle tested in the brutal arena of the open internet. Popular software also generally has a much larger community of experts to identify and rectify vulnerabilities. Many niche products, particularly closed source ones, will often drag their heels for months and years before fixing discovered vulnerabilities.
If you thought too much about all the awful things that could conceivably happen to you, you'd never get out of bed in the morning. So it is with information security. The worst hardly ever happens, but it makes sense to put in place basic, sensible precautions to avoid the most common problems. In almost every case, increased security results in decreased convenience and productivity so it's important to balance the need for security with continual forward progress.
You should recognise that there is no such thing as ultimate security and have a sufficiently advanced and disciplined backup strategy and business continuity plan that allows you to recover your business critical data and survive should the worst happen. Consider a wide variety of unfortunate circumstances when designing such strategies. A surprising number of businesses have no such backup or continuity plans and could be destroyed by quite mild misfortune.
I will detail what basic, sensible precautions people should be taking in a future blog post. If you'd like to be kept informed about such information please subscribe to my newsletter for regular updates.
A final word about hackers
It is worth mentioning that most hackers are the good guys. They built the internet, they share their security research and they are motivated by curiosity to find vulnerabilities in systems of all sorts. Unfortunately, we have created a culture which is frightened of hackers and in many cases criminalises them even when they genuinely try to help organisations improve their security. My view is that organisations should look to encourage feedback and vulnerability reports from good hackers. Many successful internet companies, eg Google, Facebook etc, pay very handsome bounties for security related bug reports. Maybe your organisation can't afford to do this, but being friendly and approachable will get you a long way.