Security in an Insecure World

No one likes to have an application, computer or system they know is vulnerable to issues, bugs and attacks but the truth of the matter is that given time, any system can and will be attacked in a manner that gets the attacker what he wants and you nothing but grief.

Open Source, Popular Products, Community Support.

The general consensus on the Internet is that open source is great, until patch day arrives and there is issues. Recently there was issues with OpenSSL – the Open-source method of ensuring web encryption on websites. The entire community seemed shocked to find that the majority of all of these applications and packages was being written by a handful of people, for free at that – and it took one guy time to fix an issue that popped up because, he had a full time job as well elsewhere. Open-source is great until it breaks.

Popular software like Windows, Exchange, RedHat even, all have two key issue. The cost of working with them upfront licenses and then waiting on patch-day. Upfront cost is a driving factor that leads most servers on the internet to be Unix or Linux based OS systems.

The second issue is since it is popular it makes a very large target for attacks for those with nothing better to do with their time. At the end of the day the company may have more money to put behind development and research than OpenSource software developers do, but the target on their backs is much larger for the aspiring hacker.

Patches, Updates, Upgrades and more!

This is a universal problem that all software has. Eventually patches or software updates are available. Another key factor is how the OS or system handles the update.

Windows largely has to completely reboot if you do anything to it over a certain level beyond changing your desktop background. In the Instance world this means your site, server or project is offline after the update is completed and the entire system has to restart, and hopefully the update was completely compatible with your needs, or it is back to tweaking and configuring until it works again.

Linux and Unix is a little different in this aspect, entire updates and patches can go through and the subsystem just restarts rather than the entire machine. This difference causes a larger uptime and less downtime for the system.

Ports, tunneling, and wide open doors.

Back to security for the main point of this post… Hackers, attacks and bugs happen. All you can do is be as prepared for them as possible.

1. Do not open ports that are not being used.
2. Do not leave back doors in systems for convenience – the attackers may like your shortcut and take advantage of it as well.
3. The next issue is wide open doors. If you do not patch, update, upgrade or close off ports that are not being used it is essentially a big open door with a welcome mat for the scripts, bots and hackers of the internet to show up and make themselves home.

SSH, FTP, Email, HTTP, HTTPS.

Sometimes we need doors to be open but only for certain things. This lets us concentrate firewalls and filtering to the point we can control the flow of data and ensure the usage of those ports and programs is only being used for what we intend them to be used for.

SSH is a very big security risk, this should be turned off when not used, or better yet only accessible with a keyfile. If you do not have the keyfile… no access. No amount of password guessing will let hackers in.

FTP is used mostly for server and website setup and not a lot from that point on unless the client has a filesharing system of some description – and some do. Your server should have FTP closed and whitelisted only access for direct FTP transfers. This prevents malicious access where it could have been avoided.

Email is a necessary evil on most systems. We tend to prefer to offload that work to a third party and just shut down the email system on a server if it is not needed. However even then the system needs to be able to report a problem, system crash or other item that may occur. In this case the server should have some outgoing email only and incoming email should be set to be refused.

HTTP is normal website traffic. Port 80 can be moved to a different port to prevent direct access if your server has caching or CDN turned on. This will prevent any number of DDOS attacks.

HTTPS is a security blanket for the average web surfer. To be honest HTTPS and SSL is no more secure than any other internet protocol. However it does greatly show the average web user that some thought and time went into ensuring at a basic level, the website has done some steps to protect your data and interaction.

PGP was the best available in the internet for a long time until it was finally announced by several governments that they had broken the encryption method that it used. So the best security overall is to ensure your OS, application, or system is up to date. Stay connected to the industry for security update information or upcoming patches. Attend any and all online education portals for conferences and seminars for keeping integrated with the news and updates for potential threats. There is no protection that can give you 100% security. What you can do is keep your data safe, backed up in several places and be as protected as possible.

Your backup is the ultimate security from failures.

Should an attack take out your system, locating the attack, removing the threat and restoring data and functionality after the fact is just as important as trying to prevent the attack to begin with. If you do not have backups that you can restore quickly, you are a disaster waiting to happen.

Your policy is your protection.

Keep and maintain an active policy for your application data, have a plan for restoration, plan for updates and upgrades. Plan for the unexpected. This is the best way to ensure should the worst happen, you have the best options already planned out and ready to put into place.