I’ve previously discussed how important it is to pay attention to the medium you’re using; transferring data via satellite, for example, puts you at great risk because you’re spreading your data over a wide geographical area, in most cases unencrypted. Anyone with a satellite tuner hooked up to a computer can intercept any data being sent via satellite to anyone.
As if to prove the point, the Wall Street Journal broke the story that insurgents in Iraq and Afghanistan were intercepting video feeds from U.S. drones. This happened because the drone transmitted whatever it was seeing back via satellite, unencrypted. The reason why it was unencrypted? The Wall Street Journal reports that officials said they were aware of the problem but considered it unlikely that their local adversaries would have the know-how to exploit it, and this is what I really wanted to discuss in the following post.
There are various approaches to security. It is obviously impossible to secure everything; ultimately one does a risk assessment and decides on a good risk-to-cost ratio. Arriving at that ratio, however, is not a straightforward matter of securing only the most visible threats on the grounds that the other threats are either too obscure or generally not thought about by hackers.
In one of my very first articles I gave the following scenario: “Assume that someone has a house which he wants to secure and decides to go all the way and overdo it to get as close to the 100% security level as possible. He installs a vault door as his front door, puts bulletproof glass on all windows and puts titanium bars in front of each one of his windows. He has reinforced concrete on each wall making his home look like a bunker and even puts a guard at his front door on a 24-hour watch. Now let’s assume that for whatever reason he leaves a pretty flimsy back door, maybe even facing a dark alleyway.”
This drone episode made me remember this example, as it fits perfectly. When you rely for security on assumptions like these, that none of your attackers will be able to breach your security because they lack the know-how, or that a flaw is hidden well enough that no one will find it, you’re like the homeowner in this fictitious scenario who left the flimsy back door that can be opened with a small kick because it faces a dark alley that is not frequented by anyone. However, security is all lost when the weakest link is compromised; this is very important, and I can never stress it enough. To steal the valuables from our fictitious scenario’s home, a thief doesn’t have to get around the security guard, bust the vault door, cut the titanium bars, get through the bulletproof glass and break down the reinforced concrete. All he has to do is kick in the back door, the one in the alley.
This is exactly the tricky part of security. One must first identify all the possible attack vectors, then work out how to reinforce them, what the cost will be and how much more secure that cost is going to make us. The tricky part at this point is communicating this to management, especially if their background doesn’t include any IT security at all.
It is to be expected that their first reaction would be to try to cut expenses by dropping what they might initially see as redundant. I would expect questions such as: Why do we need an antivirus system if we have a firewall? Why would we need a patching system in place if we have antivirus? Why do we need to control USB when it’s only company employees who have physical access to these computers? Why do we need a firewall to control our remote logging system when it’s not even running on a standard port? No one will find it!
These are all questions that one might face when coming up with a proposal for tackling security on their systems. It is our responsibility to convey to them the message that it is essential to cover all bases. Nothing is really extra or unnecessary because an attacker doesn’t need to get through all our defenses but only through our weakest one.