Why We Don't Need Perfectly Secure Systems

Wednesday Dec 6th 2000 by Kurt Seifried

Security is never black and white - rather it's one big ugly shade of gray. Learn why perfect security is not necessary, or even desirable.

Kurt's Closet Archive

People constantly discuss the issue of secure systems and often get it wrong. Comments like "once an attacker has physical access, your security is useless" are wrong because they treat security as all or nothing. No security measure will protect you 100% from all attacks, so the question is never whether an attacker can get in at all, but how much time, skill and money it costs them and whether you notice before they finish.

Consider a server that is secure against network attacks by being physically separated from any networks. All the machines that can access it are similarly secured. The OS is secure and the users are all vetted and non-hostile. This network resides on the floor of an office building, with armed security guards and multiple layers of physical access protection. The network has its own UPSs and generators, and all the machines are in heavy, hermetically sealed containers that are EMP hardened. Attacking this network to steal data might be very difficult, but it is still possible for an attacker to deny your access to it.

Security is never black and white - rather it's one big ugly shade of gray. A machine running ancient software with poor passwords that is physically secured and not attached to any networks can be far more secure than an up to date machine with all the latest security software on a public network. Security is about risk management. Are you willing to risk an elite commando unit of trained sysadmins breaking into your building at 3 a.m. to steal your data? Most people probably are, since the chances of this happening are slim and the cost of protection is high. On the other hand, if you want to prevent someone from breaking into your mail server via the Internet, a reasonably common occurrence, then investing in a firewall and keeping software up to date is probably a cost effective strategy.

However, all these measures are absolutely useless if no one responds to incidents. Most businesses do not have truly secure physical facilities. Instead, they build something that requires effort to get into (e.g. break a window, kick down a door, etc.) and has an alarm system to alert the police or a security company. The general goal of physical security is to slow the attacker down by 5-10 minutes, giving time for the police to arrive.

This applies to computer security as well. Most systems have the ability to log intrusion attempts, and send some sort of alarm to a software or human operator. If my network and host intrusion detection systems can reliably detect an attack and warn me as it happens, then I will be able to respond in some manner (firewall the attacker's IP, turn the service they are attacking off temporarily, etc.) and defeat the attack. Assuming the attacker does get in, then being alerted as quickly as possible is critical so that the system can be cleaned up, data restored from backups if needed, and the problem patched. Also you have a much better chance of tracking them down before they remove evidence of their attack.

So let's examine physical security. First, the computer should be physically attached to an object (like a heavy desk or the floor) so that the attacker cannot simply walk away with it. If you have security guards, then they should be trained to not let people walk out with computers ("do you have a repair order for that, sir?"), hard drives, tape drives, and other forms of large capacity storage. If an attacker is willing and able to physically steal the machine, hard drive or backup tape, then once they are out they have all the time in the world to work on it with no worries about being interrupted or caught.

This can easily be solved by placing servers in locked cages, and using cable lock systems on desktops. Assuming the attacker has to stand in front of the machine to break into it, you want to slow them down as much as possible to increase the chance of someone noticing and interrupting them. Closed circuit TV is especially valuable here for server rooms, but is really only useful if someone monitors it (and forcing the attacker to stay longer increases the chance of detection).

Slowing an attacker down is easy, starting with securing the hardware boot process. This means using BIOS or boot PROM passwords and removing the ability to boot from removable media (or removing the floppy and CD-ROM drives from the machine entirely). Be aware that many BIOSes have default master passwords; when possible, use recent boards that lack this "functionality". Securing the OS boot process is the next step. Many operating systems, such as Windows and Linux, can be interrupted during boot and fed various commands. LILO (Linux's boot loader) is especially susceptible to this, because anyone at the console can add "init=/bin/sh" to the kernel's label at the LILO prompt and the kernel will start a root shell instead of init, before any password is asked for. If you make it difficult for the attacker to subvert the boot process, then that means the OS will be brought up properly, and its defenses (usernames and passwords, for example) will be given a chance to come into play.
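The LILO side of this is a two-line change to /etc/lilo.conf. The script below is an added example, not code from the article: it writes two constructed lilo.conf fragments (the usual unprotected file and the same file with "restricted" and "password=" added) and audits them the way a quick host check would, flagging a missing password and a file that leaves the clear-text boot password readable by other users. Device names, the password and the file locations are placeholders; on a real system the edited file must be mode 600 and /sbin/lilo re-run to install the change.

```shell
#!/bin/sh
# Added example, not from the original article: lilo.conf fragments and a
# small audit of the boot-loader hardening described in the text.
# Device names, labels and the password below are constructed placeholders.

# Constructed: a typical unprotected lilo.conf. At the LILO prompt anyone at
# the console can type "linux init=/bin/sh" and get a root shell.
lilo_weak() {
cat <<'EOF'
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
}

# Constructed: the same file hardened. "restricted" makes LILO ask for the
# password only when parameters are typed at the prompt, so unattended
# reboots still work. "password=" is stored in clear text, so the file must
# be readable by root only.
lilo_hardened() {
cat <<'EOF'
boot=/dev/hda
prompt
timeout=50
restricted
password=ChangeMe-BootPass
image=/boot/vmlinuz
    label=linux
    root=/dev/hda1
    read-only
EOF
}

# audit_lilo FILE -> prints each finding; returns 0 only if the file sets a
# password and is not readable by group or other.
audit_lilo() {
    file=$1
    rc=0
    if grep -Eq '^[[:space:]]*password=' "$file"; then
        echo "ok:   password= set (boot parameters need the password)"
    else
        echo "FAIL: no password= line; init=/bin/sh at the LILO prompt gives a root shell"
        rc=1
    fi
    if grep -Eq '^[[:space:]]*restricted([[:space:]]|$)' "$file"; then
        echo "ok:   restricted set (password asked only when parameters are given)"
    else
        echo "note: no 'restricted'; every boot of this image will prompt for the password"
    fi
    # ls -l permission string: characters 5-10 are the group and other bits.
    perms=$(ls -ld "$file" | cut -c1-10)
    case $perms in
        ????------) echo "ok:   $file not readable by group/other" ;;
        *) echo "FAIL: $file is $perms; the clear-text boot password is readable"; rc=1 ;;
    esac
    return $rc
}

# Usage: write both fragments to a temporary directory and audit them.
tmp=$(mktemp -d)
lilo_weak > "$tmp/lilo.conf.weak"
lilo_hardened > "$tmp/lilo.conf.hardened"
chmod 600 "$tmp/lilo.conf.hardened"
for f in "$tmp/lilo.conf.weak" "$tmp/lilo.conf.hardened"; do
    echo "== $f"
    audit_lilo "$f" || echo "   result: not hardened"
done
rm -rf "$tmp"
```

The audit is deliberately strict about permissions: a hardened file that is left world-readable hands the boot password to any local user, which is the same failure the password was meant to prevent.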

Assuming the attacker cannot subvert the boot process without being forced to open up the case and remove the BIOS battery to reset it (and keeping it in a locked cage will prevent this), then you can assume they will need several minutes at least. Monitoring the servers and actually responding in some fashion (wandering over to look at it) means that any attacker rebooting and trying to subvert the boot process will probably be caught. Of course, if no one bothers to look then the attacker has all the time in the world to open the case and reset the BIOS (or simply steal the hard drive).

In summary, computer security needs to be viewed as a complex organism, with all its systems interconnected, instead of as a series of discrete problems to be solved individually. Any form of security is utterly useless without some kind of response. If you do not monitor log files then an attacker can simply try to brute force accounts by guessing common passwords; given enough time they will succeed. If on the other hand someone notices that a certain range of IPs is behaving badly they can be firewalled, or users can be reminded (once again) that they should use strong passwords. Of course, this is all useless if someone breaks in and takes your Sun Enterprise server away on a dolly.
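The log monitoring and response described here and in the intrusion detection paragraph above, as an added example that is not part of the original article: a short script that reads syslog-style sshd lines (the sample lines are constructed, not real traffic), counts failed logins per source address, and prints the addresses that cross a threshold together with the firewall rule a responder would apply. The log format, the threshold of five failures and the use of iptables (ipchains was current when the article was written) are assumptions; the rule is printed, not executed.

```shell
#!/bin/sh
# Added example, not from the original article: detect password guessing
# in login logs and produce the block rule a responder would apply.

# Constructed sample log lines (not real traffic). One source guesses
# several accounts; a legitimate user mistypes a password once.
sample_log() {
cat <<'EOF'
Dec  6 03:01:12 mail sshd[1201]: Failed password for root from 192.0.2.7 port 40122 ssh2
Dec  6 03:01:15 mail sshd[1201]: Failed password for root from 192.0.2.7 port 40123 ssh2
Dec  6 03:01:19 mail sshd[1203]: Failed password for admin from 192.0.2.7 port 40125 ssh2
Dec  6 03:01:22 mail sshd[1204]: Failed password for guest from 192.0.2.7 port 40126 ssh2
Dec  6 03:01:26 mail sshd[1205]: Failed password for root from 192.0.2.7 port 40128 ssh2
Dec  6 03:02:40 mail sshd[1210]: Accepted password for kurt from 198.51.100.4 port 51000 ssh2
Dec  6 03:05:02 mail sshd[1215]: Failed password for kurt from 198.51.100.4 port 51003 ssh2
EOF
}

# brute_force_sources THRESHOLD < log
# Prints "IP COUNT" for every source with at least THRESHOLD failed logins,
# regardless of which accounts were tried, one per line, sorted by address.
brute_force_sources() {
    threshold=$1
    awk -v t="$threshold" '
        /Failed password for/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' | sort
}

# guessed_accounts IP < log
# Prints the distinct account names IP tried, to tell users which accounts
# are being targeted (the reminder about strong passwords in the text).
guessed_accounts() {
    awk -v src="$1" '
        /Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from" && $(i + 1) == src) print $(i - 1)
        }
    ' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# block_rule IP -> the firewall rule to apply (printed, not run).
block_rule() {
    echo "iptables -I INPUT -s $1 -j DROP"
}

# Usage: report attackers in the sample log and the rules to apply.
sample_log | brute_force_sources 5 | while read -r ip count; do
    accounts=$(sample_log | guessed_accounts "$ip")
    echo "$ip: $count failed logins (accounts: $accounts) -> $(block_rule "$ip")"
done
```

The threshold is what keeps the legitimate user at 198.51.100.4 out of the block list; pick it from your own logs rather than from this example, and feed the script from a log that the attacker cannot write to.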

Related Links

Why sulogin is Useless on its Own

SecurityPortal is the world's foremost on-line resource and services provider for companies and individuals concerned about protecting their information systems and networks.