At the IBM conference in Berlin I realized that I have been preaching some ideas about (internet) security for a while. The gist of this idea is that security in the ‘world of computers’ (also referenced as the internet, on-line or -nowadays- clouds) is not all about technical solutions. In fact the most important component are not the technical implementations. Besides, these are pretty easy, although most people try to hide that.
Let me be clear and frank: implementing a secure computer system is hard, requires quite some knowledge, but so is programming a reasonable application or a corporate website as well. I think that putting a house or car together is even much harder. It is just another set of skills and you probably need specialized personnel to handle the security stuff for you. It is still a skill set most intelligent people could acquire.
We are confronted on a daily basis with security breaches, data leaks and ‘evil hackers’. However these are merely exposing our disability to create a secure on-line system, mostly because it is built without care or with too much convenience.
Everybody taking part in bringing a system on-line has to play its part en make sure their component is helping security or otherwise it is just like snowflakes in an avalanche: all of them pleading not guilty!
What to do?
There are a couple of simple, basic steps to adhere to. The first is to protect and encrypt data and secondly distrust your colleagues. Let me explain:
Everybody is collecting data, but most of it is of little use (unless you are Facebook, where every little bit seems to count). So whatever you do not store cannot be stolen, used for wrong intentions or be held against you. If you are building a system, which will work for many years, think about purging obsolete data in the design. How informative and useful is some data, entered a couple of years ago?
Also always encrypt sensitive data. It amazes me how many systems are still broken and expose plain-text passwords through an SQL injection. How is that even remotely possible? It is not so hard to store a mere hash (hopefully ‘salted’ as a plain hash is just as vulnerable as a plain-text password).
And thirdly distrust. Do you want your sensitive data to be read by a colleague? Would you allow a random system administrator or DBA access if it was your data? If not, then why not prevent it in the first place? If your trusted personnel cannot access the data which they do not need, so can’t anybody you distrust. And most security breaches are still helped by insiders or done as an inside job. So it is good practice not to trust people like me. 😉
Also never play the convenience argument as a cover-up for not doing your work. Storing a security token in an application, or a bypass password inside your demo or application is leaving a security hole. You’d be amazed how many mock-ups or demo’s still run, or are ‘pushed to production’. So any mistake at demo-time never gets fixed until it is too late. I have even been called back at a client once, for recreating their demo-site after they re-branded their entire site. The demo was still used after three years and I never intended it to be active so long. (Fortunately it was an empty demo, without data, but still, three years! I should have sold it!)
And then there are all these simple, obvious ones which everybody keeps on forgetting:
- Use strong, one-time passwords,
- Lock your system whenever you stand up from your desk,
- Do not use post-its for logins and passwords,
- Keep it a secret, that you have a secret to keep,
- Report security incidents,
- Never use the userID of a someone else,
- Never give your passwords or PIN to someone else,
All of these simple habits are not necessarily making your environment more secure, but it is just like having an expensive car: If you park it down town, park it next to a slightly more beautiful car, so the thieves will not take yours, but the nicer car next to it. The same holds true for security: Making it slightly more complicated will scare most simple thieves away.
But if your data is precious, just expect to be attacked, ‘stand guard at the gates’ (and read the logs) and be ready to act whenever necessary.
One final word of advice: Do not belief in your own façade or abilities. Make sure someone else checks and audits your stuff. Even if you had all procedures and compliance documents in perfect order, but somehow forget to test and check the actual computers themselves, you are just keeping up appearances.