Thinking security: What should I say?
This is the 33rd post in a series about security and how security is about how you think.
The Internet is a massive computer network. It is also a huge storage vault of everything that has ever been said, posted, snapped, tweeted and blogged. If you need to find something out, a search engine can show you ten answers in just a few clicks.
Need a sample socket program in Go? A few clicks away. Need a top-rated crab-cake recipe? A few more clicks away. Need the names of the purchasing department at a large company so you can send them a spear-phishing email with a malicious PDF attached? Also a few clicks away.
Storage on the Internet does not distinguish between old and new information; everything is kept and remains searchable by a myriad of search engines. Nor does it distinguish true information from false. Because anyone can post or create information, the author is rarely authenticated and the content is rarely validated (or even capable of being validated). Do you trust everything that you read?
What does this mean for “thinking security”? It means that everything ever posted about you, your company and your security stays there, so you have to be careful about what gets posted and “written down.”
Think about Security Guides. They are part of the Internet's saved information: whatever is written down there is searchable by anyone, clients and hackers alike. Take this example: you are trying to “think security” by documenting the process by which the client changes the administrator password from the factory default (and documenting the factory default so that they can log in the first time). That is a good first step. However, it also publishes the factory default password for all to see. If the client does not change it when installing the system, they are at risk; and if that system is also reachable from the Internet, anyone who has read the guide can use the default administrator password to take over the system.
A better way of thinking security here is to force the security administrator (or installer) to set a new administrator password when they install the system, and to refuse any other administrative action until that has happened. No universal default needs to be written down, and a system whose installer skipped the step is locked rather than open. That is the best kind of security: the kind that is built into the environment rather than left to a reader following instructions.
The best Security Guide is one with nothing in it, because the system is already that secure without any additional guidance. This is true for two reasons: the system is more secure by default, and being secure is easier for every client, who no longer has to read a large Security Guide and interpret it for their own environment to get it right.
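To make the forced-change idea concrete, here is an added example written for this post (it is not code from any product or Security Guide). It models an appliance-style admin account that ships in a factory state: the shipped credential can do exactly one thing, set a real password, and every other administrative action is refused until that has happened. It also shows the stronger variant the post hints at, where the initial credential is generated per device at first boot instead of being a universal default that would have to be printed somewhere. The user name `admin`, the factory password `admin`, the 12-character minimum and the PBKDF2 parameters are all assumptions for the demonstration.

```python
"""Added example for this post: a first-boot credential gate.

Illustrative code, not any product's implementation. The factory default
credential, the password-length policy and the hashing parameters below are
assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import os
import secrets

FACTORY_DEFAULT_USER = "admin"      # assumption: the shipped account name
FACTORY_DEFAULT_PASSWORD = "admin"  # assumption: the credential a guide would otherwise reveal
MIN_PASSWORD_LENGTH = 12            # assumption: local policy
PBKDF2_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store or compare the raw password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AdminAccount:
    """Admin account whose factory state can only be used to set a real password."""

    def __init__(self, initial_password: str = FACTORY_DEFAULT_PASSWORD):
        self.salt = os.urandom(16)
        self.digest = _hash(initial_password, self.salt)
        self.must_change_password = True  # factory state: no admin actions allowed

    @classmethod
    def with_random_setup_password(cls):
        """Per-device initial credential shown once on the console at first boot.
        Nothing universal exists to print in a guide or leak on a forum."""
        setup_password = secrets.token_urlsafe(18)
        return cls(setup_password), setup_password

    def _check(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.digest)

    def login(self, username: str, password: str) -> str:
        """Returns a status string so the flow stays visible in the example."""
        if username != FACTORY_DEFAULT_USER or not self._check(password):
            return "denied"
        if self.must_change_password:
            return "password_change_required"
        return "ok"

    @staticmethod
    def reject_reason(candidate: str):
        """Policy on the new password: the shipped default is never acceptable."""
        if candidate == FACTORY_DEFAULT_PASSWORD:
            return "rejected_factory_default"
        if len(candidate) < MIN_PASSWORD_LENGTH:
            return "rejected_too_short"
        return None

    def change_password(self, current: str, new: str) -> str:
        if not self._check(current):
            return "denied"
        reason = self.reject_reason(new)
        if reason:
            return reason
        self.salt = os.urandom(16)  # fresh salt with the fresh password
        self.digest = _hash(new, self.salt)
        self.must_change_password = False
        return "changed"

    def perform_admin_action(self, username: str, password: str, action: str) -> str:
        """Every privileged operation goes through the gate, so a skipped setup
        step leaves the box locked rather than open."""
        status = self.login(username, password)
        if status != "ok":
            return status
        return f"did:{action}"


if __name__ == "__main__":
    acct = AdminAccount()
    print(acct.perform_admin_action("admin", "admin", "open_port"))  # refused in factory state
    print(acct.change_password("admin", "admin"))                     # default is not a valid new password
    print(acct.change_password("admin", "correct horse battery staple"))
    print(acct.perform_admin_action("admin", "correct horse battery staple", "open_port"))
    boxed, one_time = AdminAccount.with_random_setup_password()
    print(boxed.login("admin", one_time))                             # still only allowed to set a password
```

The design point is the order of checks in `perform_admin_action`: the factory state is enforced on every privileged call, not just on a "first login" screen that a scripted installer can bypass. The `with_random_setup_password` variant goes one step further than the post's minimum: with a per-device initial credential there is no universal default left to document, so even a well-meaning helper cannot post it.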
Security also goes deeper than that; it comes down to what is posted. Take the example of someone trying to help a client change the administrator password and inadvertently posting the factory default to a bulletin board or website. Same problem. Actually, it is worse, because now many people can read it, including hackers with a strong interest in your systems.
I am not advocating “security by obscurity”, the notion that no one will know anything about your system if you don't write anything down. That approach never works, because the secrecy of one detail becomes a single point of failure: once someone figures it out and posts it, the sensitive information is in the open and the system's security has to stand on its own anyway. What I am saying is that you have to think about what you post to the Internet, because the security of your environment very much depends on it.
The security of an environment is only as good as the people who know about it and the security of those people. If they are thinking security, the environment will most likely be much better protected than if they are not.