Back to Basics - What Security really means.

Filed By: Robert Moir

Introduction - So what is security anyway?

There are lots of articles that talk about how to secure your workstation and server against this attack or that hacker. There are also lots of clever little tweaks you can make to your system settings to make life hard for people trying to upset your computer. But in the midst of all the fine technical details we have seen on the subject, I think at times it's easy to lose track of why we make all those clever little changes, what they mean to the people trying to use the computer to do other things, and what the implications of the decisions we make really are.

In this multi-part article I am going to try to look at the reasons behind "security" and try to discuss a few simple rules and tips that will help you to make sense of it all. This article is intended for both the home user and system / network administrators who need some grounding in security basics.

 

Part 1 - The human factor.

First of all, I want to talk about a definition for security. This is a word that's thrown about the computing world and everyone understands the need to make your computer secure but not many people actually talk about what security really means. If we're going to talk about how people relate to "security" we should probably talk about what security means to people.

There are various standards relating to security and there are various clever tests and setups you can employ but I don't want to talk about security in terms of "C2 compliance" and other phrases that only mean something to those who are members of the secret club. I want to use a nice simple definition: Security means only allowing those people you want onto a system, and then only allowing those people to do what they are supposed to do.

"Of course", most of you are saying, "That's obvious! I logged on to read this? Sheesh!" To everyone saying that: Top marks. It is obvious yet all too often we see systems being set up with poor security or set up with over elaborate security.

Yes, it is possible to make a system too secure. Sounds crazy I know but stick with me for a moment. As individuals we use our computers for a reason. Organisations use computer networks for a reason. Those reasons vary - at home you might use a computer to relax, play games, chat on Instant Messenger and suchlike and at work you probably use the company computer network to work a little, chat on instant messenger, and suchlike. But you don't use your computer to "be secure". You use it to make money at work, or to have fun or pursue your hobbies at home.

If you lose sight of this when securing your system you will run into problems. If your computer system is so secure you can't get into it, what then? Oops! What if you can get into it but it takes you half an hour each time? Pretty soon you'll stop bothering to engage this time-consuming security feature, so you might as well not bother with it at all.

What if your super-secret password is so difficult for anyone to guess that you forget it and have to write it down on a post-it note stuck to your monitor? Not quite the effect on security your boss was hoping for is it?

What is needed is a balanced approach to security. If you are the computer security officer for a company that sells cars then your company needs to sell cars in order to make a profit. Does it need to be secure? Well yes - you don't want people to break into your company bank account and take out all the money. But neither do you want a system that's so "secure" that no one can use it to earn money to put in the bank account in the first place! Security is a tool that enables smooth running of the car sales business, and if it impedes the sale of cars then it's failing in its overall mission. Always remember that computer security is designed to assist in pain-free use of the computer for other things - if you forget this you cannot make good decisions about what security is suitable for your system.

When Users attack!

No security plan survives first contact with the people who have to live with it day to day in their pursuit of making your company money. A couple of examples that I've illustrated below should make this clear.

In both these cases, security was getting in the way of getting the job done. People might accept some intrusion into their working pattern if they understand why it's being done but if you mess them about too much and stop them doing their job they will begin to ignore your rules, to cheat, to play a game.

When this happens you run a great risk of a user who simply wants to get their work done efficiently starting to 'cheat' your inefficient security and by accident exposing a back way into your secure system.

Sticky Note Security

In one of my first jobs I worked for a civil service department who were, rightly, paranoid about keeping their data secure. In order to be sure that everyone's top secret approved by the Official Secrets Act network login was secure we had to change our passwords every few days. To stop us from picking easy passwords that anyone could guess, the computer picked our passwords for us.

So every couple of days we had a new password made up of random letters picked for us. Can you guess what happened? If I say that the office used an amazing amount of post-it notes would that be a clue? You guessed it - everyone wrote their password on a sticky note and stuck it on their monitor. To be fair, it wasn't all bad - some people realised the nation's secrets were in their hands and hid THEIR sticky note in their top desk drawer or on the bottom of the keyboard. It's enough to make Jack Ryan, Austin Powers and James Bond all give up and retire early eh?

Speedy Security

At another job we had a slightly saner password policy which was nice but we had another problem. We had a requirement that no one leave their workstation logged in and unattended for any length of time at all, but the problem was it took about 15 minutes to log on to the network, let everything start up and then log into the various applications each person tended to work with. It took 5 minutes to sign out of the system too.

So every time someone needed to take a 5 minute bathroom break they needed to sign out of their computer, take their break, sign back in again and this took a total of 25 minutes each time. This policy was quietly dropped by morning coffee break on the 3rd day of trying it.

100% Secure? You sure?

There is a legend about the 100% secure computer. Apparently this is the one that's unplugged from the wall, encased in concrete and buried in a secret place. Anything else is less than 100% secure.

We can argue about which operating system is most "secure" all day but there is no such thing as a totally secure system. All systems can be cracked given enough time and the right circumstances, and while mistakes by operating system vendors are what grab the headlines, most knowledgeable people know very well that human errors account for most security problems.

The weakest link?

When we talk about human errors being responsible for most security lapses most people imagine someone giving out their password to the wrong person, or leaving the office unlocked at night, or suchlike. And this is of course part of the problem. But the biggest problem with humans is that we tend to make much simpler mistakes than those.

How many people reading this will have deleted a file by accident? Sent an email to the wrong person by mistake? I know I've done both those things in the past yet here I'm still writing notes telling other people how to be secure. It happens to everyone. If you hire a networking expert who tells you they've never done anything like one of those things you either hired a liar or the world's luckiest genius.

Assuming everyone accepts that it's easy to make a mistake, and assuming that we all accept that the file you can delete by accident could be the only copy of the company accounts, or the email you forward to the wrong person could be the top secret corporate financial plan, or other equally sensitive things, it's clear that we can't just think about security in terms of outside hackers and viruses and other sexy headline-grabbing things.

When designing your network you need to make it as easy as possible to do the right things and as difficult as possible to do the wrong thing. A few examples might be:

  • Worried about users deleting files by accident?
    • Make sure only those users who need to be able to do this are allowed to.
    • Take proper backups.
  • Worried that people will walk away and leave their workstations logged in?
    • Use screen savers that are password protected.
    • Make the server log people off if their system is inactive at a time the office is not supposed to be open.

Notice how in the first example we made it hard for users to do the wrong thing? If you take the ability to make a mistake away from people who don't need to be in the position to make the mistake at all, you've protected yourself without inconveniencing anyone.

In the second example, we made it easy to do the right thing - if someone using a system like the one I describe above goes home at night without logging off, the system will take care of it for them.

"I missed the part where that was my problem"

If you want your business to be secure, not to mention a happy place to work in general, you need to get the employees on your side. You are selling security to them as something that will improve their job security without impeding their ability to perform their daily work routine.

The first and most obvious thing is to explain to them why new security measures are needed - and listen to their replies because they might be in a better position to tell you why you are wrong, or how your new system could be made even better.

The second thing you need to do is to encourage people to tell your computer and/or security people about anything strange that happened. The most important part of getting people to speak to you is to make sure they don't feel unhappy or scared to do so.

Make it clear that if they make a mistake, or a hacker or virus targets them, you are not interested in punishing them for screwing up; you want to fix the thing that allowed them to make that crucial mistake or become a target for hackers and viruses.

If they make a report over a security issue, always take it seriously. If you know it's nothing to be worried about, explain to them, in their terms, that you are glad they told you about it but that there is no need to worry. If you install security software (e.g. virus scanners) on their machine, make sure the scanner doesn't bother them all the time with trivial messages. You don't want to get in the way of their work, and you don't want them to get used to a virus scanner that plays Chicken Little all the time so that when something really important does happen they don't notice anymore.

End of part 1

We've covered why it's important to consider security as a means to an end rather than an end in itself. It's easy to get sucked into paranoia about security and get blinded to the fact that you didn't buy your computer or network to spend all day securing it, but to use it to help you with your business or relaxation at home. Let's try to recap a few "Golden Rules" about security we can take away from what I've said so far.

  • Remember - Security is about allowing people to use their computer without having to worry about their security.
  • This means they expect their security precautions to be 100% effective and 0% intrusive which is impossible.
  • Make it easy for users to do the right thing, and difficult for them to do wrong things.
  • Remember your sales pitch - explain to the people you need to use a security system why it solves their problem because they probably don't care about why it solves your problem.
  • "Fix" culture not "Blame" culture. Fix the problem don't blame the person - or they'll never tell you about their security worries again.
