[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

Scott Ferguson scott.ferguson.clug at gmail.com
Thu Jun 16 21:49:06 MDT 2011


On Fri, 17 Jun 2011 09:44:26 +1000 Alex Satrapa declared:
> 
> On 16/06/2011, at 20:22 , Bob Edwards wrote:
> 

<snipped to save electrons>

> And finally, do you believe it is true that your computer could not possibly be of interest to anyone, 

In which case your (one's) abilities are in demand, so much of what many
people "want" requires the ability to prove a negative. :-)

<snipped>

> 
> Alex

There is no path of absolute certainty - though it doesn't stop people
from wanting laws against sharp corners on furniture and bad weather.

There is only risk minimalisation and management.

IM(NSO)HO the best, primary, approach to risk minimalisation is to take
a tip from good change control - "if it can't be justified, it shouldn't
be done". eg. give me a "compelling argument" or I will refuse to
consider it. (takes the fun out of life, but gtfu)

The best secondary measure, by which I mean the next step, not a
substitute for the first step, is segregation.

When Mark Twain's Pudd'nhead Wilson said "put all your eggs in one
basket, AND watch that basket" he meant don't take your eyes off it,
ever. Which is not practical - so separate. eg. avoid serving multiple
services from the same server - virtual hosts, chroots, virtual machines
are all valid solutions. If you can't or won't separate by hardware (and
air gaps), at least separate by software.

The process of justification and separation is part of planning. No
plan, little hope of success. The more complex the process the harder it
is to plan (simplification has been covered elsewhere).

Management (imnsoho) is a matter of giving more weight to the gravity of
possible outcomes than to the likelihood. eg. it's unlikely Lucas Heights
will melt down - but it will ruin your day, permanently.

A common mistake with risk management is to look at it from a singular
point of view. eg. a bank robbery fails because the robbers only planned
from their point of view, not the guards' - OR "I've got nothing anyone
would want on my computer", which overlooks the desirability of your
computer simply because it's not the attacker's - or your nice post-paid
broadband.

NOTE: statistically the "most common" attacks are blind and dumb. It's
just code with a bias for known blocks of IP addresses, known to belong
to non-portable broadband connections. What's on those machines doesn't
really matter. (your portable address or dialup is not that attractive)

Then there's the issue of financial fraud - stealing your life savings
means needing "couriers" - because you will most likely notice and
pursue recovery when $500K goes missing. But you are unlikely to notice
$1 going missing - and if you do you have fat chance of getting police
or bank assistance.... multiply that by a nice large number.

And I'm not even going to attempt to cover identity fraud.

I believe Bruce Schneier said it best: "security is not something you can
buy, it's something you have to get" (it's not a purchasable product,
it's a *constant* practice).

If you keep your beer on the nature strip - someone will drink it, it's
still theft, but it doesn't make it any less risky. You do what you can.

Cheers

--
I don't mean to sound bitter, cold, or cruel, but I am, so that's how it
comes out.
~ Bill Hicks
