Tuesday, July 16, 2013

Practical Security

I stuck my neck out in another post called Security Paranoia and some people asked how one could go about improving security in a business environment.
From Gulfnews

First of all, you have to realize that you can never have perfect security.  Information will always leak out.  The best you can do is to slow the leakage down to an acceptable level, but please try to remain reasonable.  There is an old joke that military IT has the motto: "We are not happy, until you are not happy".  You got to allow business to carry on somehow.

Secondly, trying to educate your users about security and trying to get them to avoid 'risky behaviour' is a total waste of time.  They will do their damndest on purpose or by accident and it is totally up to you to ensure the system integrity despite your user's best efforts to the contrary.  If you don't want them to do something, then don't give them the tool to do it and if they have to have a 'bad' tool, then give them an isolated laboratory to work in.

Divide and Conquer

Government IT uses a process of divide and conquer:  Partition a network into smaller segments that need not communicate with each other.  Provide encrypted tunnels between distant nets that do need to communicate.  An excellent source of information is the Canada IT Security Guidance here: http://www.cse-cst.gc.ca/its-sti/publications/itsd-dsti/itsd01-eng.html

In a business environment, provide separate servers, subnets and VLANs for the different departments, with deep packet inspection firewalls between them, so that if one department gets compromised, it doesn't bring the whole house of cards down.

End to End Encryption

Use end-to-end encryption wherever feasible.  When you notice that your company has developed strategic partnerships and use preferred vendors, talk to their IT and set up an encrypted tunnel between your email and phone servers, so that mail and voice between your companies turn black.  If you do it properly, the whole process of hardening your service will not be noticed by your users.

So whose end-to-end encryption should you use?  It depends on who your threat is.  If you are OK with your own government reading your mail and recording your phones, then you could use an off the shelf product made in your own country, or you could pick something from an unaligned little country on the far side of the globe in the hope that since they have no idea who you are, they likely won't do you any harm.

Some countries for example Canada, publish lists of equipment certified for government use (http://www.cse-cst.gc.ca/its-sti/services/cc/cp-pc-eng.html) - you can use those.  Me? I would avoid any off the shelf product and would rather build my own VPN gateways from a Linux distribution.

The important thing is to continually work on turning as much of your corporate communications black as you possibly can.  Monitor who your company is talking to and keep adding more VPN tunnels to the mail and voice servers of those companies.  This way, you provide transparent security service to your users - they won't even know about it and you and your counterpart at the other company can sleep better knowing that all their comms went black.

Encryption Tests

Verifying whether a VPN product is most probably good, is not as hard as you may fear.  Capture a stream of data and try to compress it (Just the data, not the datagram headers too!).  Encrypted data should be incompressible.   You can also try some statistical tests for randomness - the histograms should always be flat.   It should also only ever communicate with its opposite party.  If you sniff a VPN box with wireshark for a few days and it ever tries to communicate with anything else on the WAN, then burn the device at a stake...

Utilities for Personal Security

You should try out these projects, they are amazing and make end to end security easy:
  • Secure Telephone, Redphone - https://whispersystems.org/#encrypted_voice
  • Secure Video Phone, Jitsi - https://jitsi.org/
  • Secure mail for Thunderbird, Enigmail - http://www.enigmail.net/home/index.php
  • Secure mail plugin for Mac OSX, GPGmail - https://gpgtools.org/gpgmail/index.html
  • Secure webmail plugin for Chrome, Mailvelope - http://www.mailvelope.com/help
With the above tools, you can easily turn most of your communications black.

At first, it feels a bit weird to use email encryption, but it will soon become a habit and plaintext mail will look funny.

No comments:

Post a Comment

On topic comments are welcome. Junk will be deleted.