SO you purchase a new item of IT equipment and take it out of the box. Do you suppose it is secure? To answer this question we have to consider the ‘attack surface’ and the opportunities for loading malware and creating back doors. The opportunity turns out to be greater than most can imagine: Who designed and made the chips? Who designed and assembled the boards? Who designed and assembled the product? Who designed and produced the OS and the apps? Who loaded the OS and the apps? Who tested the complete product? Who packaged, shipped, stored and distributed it?
I think we can assume that such an ‘opportunity space’ sees many items of IT equipment compromised long before they are lifted out of their packaging. So can we test everything to make sure we have a clean slate on day one?
In short: no. The sheer complexity of possible combinations now renders such a task almost impossible for all but the simplest of entities. Even hubs, switches and routers can pose a significant challenge – not to mention the complexities of servers and data centres. Security is a dream, a fallacy – fundamentally unattainable.
All of this is compounded by us: our work, leisure and travel habits. What use is a company firewall when we travel the world and log on using WiFi from hotels and coffee shops? And what use is malware protection that is always retrospective and days or weeks behind the initial attack and acquisition? I think we have to operate on the basis that everything is compromised and a potential risk/threat, but the situation is far from hopeless: there is a lot we can do to help ourselves. Using network operators and ISPs that employ malware protection is a good start, especially if we back this up with firewalls and malware protection on the multiplicity of mobile devices we use. Home hubs, routers and switches should be similarly protected as far as we can reasonably configure them.
We have to look at our habits and operating modes for enhanced security. Sensible passwords, protocols and encryption are obvious as is never losing sight of our phone, tablet or laptop. But there is something else that few appear to exploit: knowledge. If we had a conversation last night, I don’t have to record or report it in full – my messages and emails can be cryptic. For example: “I was thinking about our discussion last night and I think you are right – our client would prefer the modified red version.” Or perhaps even better: “Let’s proceed with the modified red version.”
What could a competitor infer from all this? Very little. And we can do much more. Should I want to send more detail, I can do this by parsing the information and delivering it through multiple channels. Intercepting all of these elements is extremely difficult and any one message element will be useless without the whole.
One of the dumbest practices I see is the e-mail string of sensitive conversations and documentation, complete with every response in detail and all attachments of all referenced documents – copied many people in parallel. If you want to be really insecure, that should do it. And while we are at it, frequenting the same coffee shop at the same time day after day isn’t smart either.
Security through obscuration, unpredictability and being reasonably sensible, as well as the exploitation of every degree of freedom to hand can be powerful. The days of the silver bullet are long gone. Nothing is secure, but the total risk can be mitigated by a string of known and well-understood techniques. Best of all: if we just take time out to think like a hacker, we can all do much better. Just ask the question: if I wanted to break in, access files and materials, how would I do it? But remember, there are no holds barred on that side of the line. We have to understand that and respond accordingly. ?
Peter Cochrane is an IT?consultant and former chief technologist at BT