Thinking Security: Can You Hear Me Now?
Author(s): Michael Kain, Posted on June 24th, 2016
This is the 18th blog in a series about security and how security comes down to how you think.
Some people question why availability is a goal of security. Availability is an important security goal because it guarantees that what we’re offering (whether it be a network service, a business, or toast) isn’t at the mercy of attackers and can tell the good requests from the evil ones. For example, service is affected if a website can be disrupted and crashed by sending it too many requests, or specially crafted requests. This is called a Denial of Service attack (DoS for short), or, if many different actors are needed to pull it off, a Distributed Denial of Service (DDoS).
We also have to think about availability from the user (client) side. With more interconnected devices that are always connected to the Internet (the “Internet of Things” or IoT), an attack could be on the network itself, separating the devices from their servers or fooling the devices into connecting to another server.
This takes us to the larger issue: how prone to attack is the environment? With my home (a frequent example in this blog), I can enumerate all of the possible attack vectors (which are many) and decide which ones are the most plausible. I have to keep all of my devices up to date and in good working order. If my Internet-connected toaster has a vulnerability in which a remote attacker can burn my toast by sending a command to the toaster or – even more diabolically – stop me from getting my morning bagel, then I need to update its firmware. So, I have to keep my environment in good working order, PLUS keep a log of all of the events that could be indicators of a possible attack. Availability comes back to the due diligence and the normal paranoia that I blogged about previously.
The concept of availability is even more critical when we turn our discussion to computer systems and online presence. A company’s website must always be up and working for the business to make money. For every minute the website is down, transactions aren’t being completed and customers are getting angry. In the computer environment, availability is also about logging (also called auditing or audit records): noting what events have happened and being able to score each attempt as a good or bad event. For example, if a certain IP address is trying to connect to my system on a port where nothing is listening (say, I’m not running a web server on a system, yet some actor is trying to connect to where the web server would be listening), then I could deduce that it’s an attacker trying to connect and inflict damage. It could also be a misconfiguration of a system (either mine or theirs), which shows that something isn’t working as it should be. Either way, it is a “security-relevant” event, because it shows that I could be under attack, or that some service may not be up and running to receive new requests.
Because of the amount of information to cull through, I need automated methods to do this and to be able to write “the rules” quickly as to what is good and bad. I need to think about which events (for example, connections across the network) are expected and which ones aren’t. I may get “false positives”, but that’s part of the process – I may have to look at them individually, but it’s all about thinking about what is expected and what isn’t, which assures me that everything is secure.
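The two ideas above (scoring each connection event as expected or security-relevant, and writing the rules down so a machine applies them) can be shown with a small classifier. The following is an added example, not code from the author or from any ClearPath logging subsystem: the log line format, the hostnames, the IP addresses, the inventory of expected services and the flood threshold are all constructed for illustration. It distinguishes three outcomes the paragraphs describe: an expected connection, a connection to a port where nothing should be listening (a possible probe or a misconfiguration, either way worth a look), and a refused connection to a port that should be open (an availability problem). It also flags any single source whose volume of attempts crosses a threshold, the crude DoS indicator from the first paragraph.

```python
"""Classify constructed connection-attempt log lines as expected or security-relevant.

Added example: hosts, addresses, log format and thresholds are constructed, not real.
"""
import re
from collections import Counter

# Hypothetical inventory of what is supposed to be listening: host -> set of ports.
EXPECTED_SERVICES = {
    "mail01": {25, 587, 993},
    "files01": {22, 445},
}

# A single source sending more than this many attempts in the log window is
# flagged as a possible DoS (constructed threshold; tune to the environment).
FLOOD_THRESHOLD = 20

# Constructed log format: "<timestamp> <host> conn src=<ip> dport=<port> result=accepted|refused"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn src=(?P<src>[\d.]+) "
    r"dport=(?P<port>\d+) result=(?P<result>accepted|refused)$"
)


def constructed_log():
    """Return a constructed batch of log lines covering each case the rules handle."""
    lines = [
        "2016-06-24T08:00:01 mail01 conn src=10.0.0.5 dport=25 result=accepted",
        "2016-06-24T08:00:02 mail01 conn src=10.0.0.5 dport=993 result=accepted",
        # Nobody runs a web server on mail01, yet someone is knocking on 80 and 443.
        "2016-06-24T08:00:05 mail01 conn src=198.51.100.7 dport=80 result=refused",
        "2016-06-24T08:00:06 mail01 conn src=198.51.100.7 dport=443 result=refused",
        # sshd should be listening on files01; a refusal here means the service is down.
        "2016-06-24T08:00:09 files01 conn src=10.0.0.9 dport=22 result=refused",
        "2016-06-24T08:00:10 files01 conn src=10.0.0.9 dport=445 result=accepted",
        "this line is garbage and should be skipped",
    ]
    # A burst of 25 attempts from one source against an open port (constructed flood).
    lines += [
        f"2016-06-24T08:01:{i:02d} files01 conn src=203.0.113.4 dport=445 result=accepted"
        for i in range(25)
    ]
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def classify(ev):
    """Score one event: 'expected', 'closed-port' (probe or misconfiguration), or 'service-down'."""
    listening = EXPECTED_SERVICES.get(ev["host"], set())
    if ev["port"] not in listening:
        return "closed-port"      # nothing should answer here: security-relevant, review it
    if ev["result"] == "refused":
        return "service-down"     # should be open but refused: availability problem
    return "expected"


def analyze(lines):
    """Apply the rules to a batch of lines and summarise what needs a human look."""
    events = [ev for ev in map(parse_line, lines) if ev]
    categories = Counter(classify(ev) for ev in events)
    per_source = Counter(ev["src"] for ev in events)
    flood_sources = sorted(src for src, n in per_source.items() if n > FLOOD_THRESHOLD)
    review = [
        (ev["ts"], ev["host"], ev["src"], ev["port"], classify(ev))
        for ev in events
        if classify(ev) != "expected"
    ]
    return {
        "parsed": len(events),
        "skipped": len(lines) - len(events),
        "categories": dict(categories),
        "flood_sources": flood_sources,
        "review": review,
    }


if __name__ == "__main__":
    summary = analyze(constructed_log())
    print(f"parsed {summary['parsed']} events, skipped {summary['skipped']} unparseable lines")
    print("by category:", summary["categories"])
    print("possible DoS sources:", summary["flood_sources"])
    for item in summary["review"]:
        print("review:", item)
```

The "closed-port" bucket is where the false positives the paragraph mentions will land: a neighbour's misconfigured client and a scanner produce the same log line, and only looking at the individual events (or correlating them with the volume count) tells them apart. Keeping the inventory of expected services as data rather than scattered conditions is what lets the rules be rewritten quickly when a service is added or retired.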
It does come down to the environment we’re discussing as to how we can provide availability. We need an environment that is not prone to attack and isn’t vulnerable to the common attack methods; that significantly increases the ability of the environment to always be up and running. But we also need an environment with extensive logging, to be able to categorize the somewhat normal events that occur on a computer system in order to find the ones that affect the security of the environment.
ClearPath environments (both running on MCP and 2200 operating systems) have those characteristics. Both environments are impenetrable to attack through their architecture. They also have extensive logging subsystems so that system administrators can determine what events affect the security and could be an indicator of something that is a security issue. Security-relevant events are noted as such so that they are easily analyzed.
So, the concept of availability does illustrate the security mindset and “thinking security” – as a system administrator, I need an environment that lets me be up and running all of the time, easily. But I also need to keep track of what is happening on that system to see if any events are indications of a potential attack. It is part of the security mindset to ensure that, whether for a consumer website or our homes. It comes down to how you think.