This is the 3rd blog in a series about security and how security is about how you think.
Now, that I’ve written down how to secure my house, I need to make sure that I’m doing this right. Let’s say that I know a guy named Pete (for crypto fans, he does also know Alice and Bob). Pete works for a home security company and does this type of validation for a living. He said he’d come over and take a look around my house on Saturday to see if anyone could break in and to make sure that my house is truly secure.
Pete arrived mid-morning, and started to look at my house. He walked around the house a few times, even got up on the roof and looked in the chimney. Then, he asked to come inside – which took me by surprise for a second until I realized – total security compromises both external and internal security – how the house is on the inside also contributes to the overall security.
After about thirty minutes checking various things, he went back outside and grabbed his laptop and then started checking my home Wi-Fi network. He asked if he could get onto it for a second to check out its security. I typed in the password (rather than tell him), and he looked around. When he was done, I deleted the network from his computer and made sure that it was gone. He nodded in approval since he knew that I was thinking security.
We then sat down to talk about his report. He asked me how many people were in the house and how they each handled security. Did they turn off lights when they left the room? Did the lock the door when they left, if only for a second? What struck me here was that he was talking about our home’s security policy (see previous blog) and whether everyone used the same one as part of their lives.
He next showed me his report (which was similar to a home inspection only thinking about security) which included about 1,000 checks – even the brand-new SANTACLAUS attack (Scan All Neighborhood Toys And Chimneys – Loot All Unsuspecting Suckers). He didn’t do all of the checks on his list – some were labelled “Businesses only” or “High Risk Environment”.
Pete really didn’t find much that was insecure. Everything about the house was secure at that time (all doors locked, all windows closed), but he wanted to make sure that everyone was doing the same things all of the time.
Pete told me about some of the issues that he had found at other homes:
Talking with Pete was very enlightening, since we were talking the same mindset, even though we deal with different areas (house security vs computer security). His checklist was a huge list of “what if” scenarios and “best practices” to enforce security. It’s also about how often this process is done. Just as Pete told me that I was secure when he was sitting in my living room, it was really performing Pete’s analysis multiple times (every day? When I change something in my house?). This way I ensure my house is secure.
In computers, this process is relatively easy to do against computer systems. Programs (called security scanners) exist which does this process against computers. They perform a “penetration test” (or “pen test” for short) against one or more computers. They can do an external or internal test or both (with credentials) to understand the security of a computer system or program. They constantly update themselves with the latest checks to make sure that they’re always dealing with up-to-date attacks and vulnerabilities. Programs like nessus and metasploit are available to help in this area. This testing can also be done by companies who do this analysis process for a living.
Penetration testing is all about knowledge and the “what if” security mindset. Pete knows a lot about home security because he keeps up to date about it. People in the security area and security scanner programs are constantly adapting to the new vulnerabilities that are found and attacks that happen. We can use these external assessments to become more secure, and help our security mindset.