How secure do you want to be?
You probably get a good deal of email, letters and phone calls
warning you about computer security. The general idea is the same:
your systems are threatened, we can stop the threat. The cost of
the remedy is seldom mentioned up front, but there are lots of buzz
words to make up for any lack of specifics: "intrusion detection",
"secure firewall", "hackers", "security assessment" and more.
Is it real? Do you need to do something?
Well, yes, the threats are at least somewhat real, and you may
need to do a few things to mitigate your risks, but I think it is
important to step back and take a realistic look at all of
Who wants to break into my computers?
The basic answer is: people you know, and people you don't know.
People you know are employees, friends (!) and family. Some of
these people already have access to your computers to a greater or
lesser degree. People you don't know may have access to some of
your computers too: web servers, for example. Those people
generally haven't been granted access to your internal systems.
When we are talking about security, we need to be aware of both
of these general classes, because they require different kinds of
Why do they want to break in?
Three basic answers:
- Financial gain
- Spite
- Malicious mischief
Employees and competitors are both possibly interested in
financial gain from information you may keep on your computers.
However, complete strangers can also be interested because of
stored credit card numbers and even bank account numbers and access
information. These people don't usually want to damage your
systems, although they may cause damage by covering up the evidence
of their theft.
Spite usually comes from people you know. You've wronged them in
some way, you don't pay them enough, you snubbed them, passed them
over for promotion, whatever. They want to hurt you.
Malicious mischief is just anonymous rock throwing, the
equivalent of Halloween pranks. The people attacking don't know you
at all, they just want to destroy something, or scrawl graffiti on
your web site.
There's also the possibility that the actual target is someone
else and your computers are just used to help get to that other
place, or to help attack that other place.
So what can I do?
Well, that's the problem.
You cannot get 100% protection.
Let that sink in a minute. No matter what you do, these bad
things can happen. Therefore, probably the most important thing you
can do is to have a plan that lets you recover from disaster. That
might include insurance and a definition of procedures that will
need to be followed in addition to things directly related to the
computers. You need to assess your risk (what do I have to lose)
and what your plan will be if the identified risks come true.
By the way, such disaster planning is just good general
practice. What do you do if all your paper records are lost in a
fire? What do you do if you lose 30% of your customers this year?
If you lose 50% of your employees? Sometimes the answer isn't
pleasant, but it's best to think of these things ahead of time.
Amazingly, very few companies have detailed disaster recovery
But back to the computer side of things. So you can't get 100%
protection. What can you get?
Before you even read the rest of this, consider this sobering
thought: in spite of what you see in the movies, most computer
security breaches come from within, either directly or through what
hackers call "social engineering" - convincing someone inside to
"open a door". People inside your organization already have access
to things that could do you damage. You assume a certain level of
trust, but that trust is often what gets you in trouble.
Firewalls and intrusion detection systems can't do much about
someone you trust. Keep that thought in your mind as we go on.
Speed costs money. How fast do you want to go?
The more security you need, the more it is going to cost. The
cost isn't just money, either. There's also often a cost of
aggravation, of increased difficulty for things you now do easily.
And the costs never stop, because security is a constantly changing
For example, it is strongly recommended that passwords be
changed regularly, and that they NOT be simple ASCII strings like
"mydog" etc. People (employees) tend not to like difficult
passwords, especially if they are frequently changing. When people
have to pass through multiple machines (a firewall for example),
best practice is that they have different passwords on each
machine. People really hate that. So, in companies that enforce
this sort of thing, it is depressingly common to see passwords
written on sticky notes attached to monitors. What good is the
password then? Not much.
There's also the matter of notifying important people. For
example, it might be very necessary for your outside consultants to
have access to many or all of your machines. If passwords are
constantly changing (as they should be), you have to constantly
notify them. Now imagine that your consultants have a number of
customers doing the same thing. The overwhelmed consultants will
undoubtedly keep a list of all their clients and all the passwords,
and they will probably keep that list on their computers. What
happens when someone's laptop is stolen and all your passwords end
up in someone else's hands?
What is secure today may not be tomorrow
As bad as the password mess is, insecure programs are even
worse. These threats come from programs that have bugs or sometimes
even deliberate insecurities that give access to your systems.
There have been thousands and thousands of this type of thing
discovered, and many of the worst problems have been fixed,
Things change. Methods to break into computer systems (or just
to tie them up so you can't use them: DoS or "Denial of Service")
are constantly evolving. Patch one hole and the hackers will find
There are services that can notify you of new exploits and
vulnerabilities. For example, the BugTraq mailing list http://www.securityfocus.com/popups/forums/bugtraq/faq.shtml
will make you aware of newly discovered problems.
Here's an example:
The bug in networking_utils.php
networking_utils(PHP) Show Files Vulnerability
Includes a ping function, a traceroute function, and
an nslookup function.
networking_utils.php of the networking_utils php
script allows remote visitors
to view any file on a webserver.
Now comes the problem. Do you use "networking_utils"? Does this
bug affect any of your systems? How much? What's at risk, and what
can you do about it?
Even just the first part of this may be difficult to determine.
While PHP is mostly used on web servers, it can be used elsewhere.
Unfortunately, it might be quietly used inside something else that
has nothing to do with your web servers. But just because you are
using PHP doesn't mean you are using this function.
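One way to start answering "do we use it?" is to inventory the file systems you serve from. This is an added example, not part of the original article or the advisory; the directory tree it builds is constructed sample data and the function names are illustrative.

```shell
#!/bin/sh
# Inventory check for a script named in an advisory: find copies of the file
# and other PHP files that mention it (include/require, links).

# find_script ROOT NAME: every file under ROOT whose basename is NAME.
find_script() {
    find "$1" -type f -name "$2" 2>/dev/null | sort
}

# find_references ROOT NAME: PHP files under ROOT that mention NAME,
# excluding copies of the script itself.
find_references() {
    find "$1" -type f -name '*.php' ! -name "$2" \
        -exec grep -l -F -- "$2" {} + 2>/dev/null | sort
}

# make_sample_tree: build a constructed web root and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site/tools" "$root/intranet/lib"
    printf '<?php // constructed stand-in\n' > "$root/site/tools/networking_utils.php"
    printf '<?php include "tools/networking_utils.php";\n' > "$root/site/index.php"
    printf '<?php echo "hello";\n' > "$root/intranet/lib/report.php"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree; on a real host, pass your own roots.
demo_root=$(make_sample_tree)
echo "copies:";     find_script "$demo_root" networking_utils.php
echo "references:"; find_references "$demo_root" networking_utils.php
rm -rf "$demo_root"
```

An empty result only covers the directories you searched; applications that bundle PHP elsewhere need their own roots added.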
But let's say it is just your web servers (this time). Most
likely there is some business reason that required the use of this.
Maybe there's a simple fix available, but maybe there isn't. Maybe
you either need your web site completely rewritten or you need to
abandon part of its functionality. Tough decisions, and they can be
And then there's the question of who makes the decision. No one
person in or outside of your organization may have enough of the
total picture to make the call on what to do. Is it safe to ignore?
What will it cost to fix it? Is it worth it? Realize too that
sometimes this isn't something that can wait until next week: if
this were a serious vulnerability with no current fix, your
security people might want to shut down your web server NOW. You,
however, might feel that the risk of someone exploiting this is
small, and the business need for your web presence outweighs that
No easy answers here, and (in spite of the hype from people
selling security services), often no easy fix. Some of these folks
may say that they monitor BugTraq and will fix problems on their
systems. Great, but what about your internal systems? Are they
responsible for those too? How much responsibility do you want to
give them? Will they be able to shut off important systems if they
feel the systems are at risk? How much can you afford to give them?
The reality is that no outside firm is likely to be able to give
you that much attention even if you could afford it, and no outside
firm is likely to be in a position to make the risk/benefit
analysis that really is always required.
If you were really going to do this sort of thing seriously,
even very small organizations would need near full time attention
to the details of security. You'd probably need both full time
employees AND outside services to even begin to cover this well.
Every time you added new software, new employees, or changed any
procedure, the security people would need to review it. Most small
businesses simply cannot afford that level of protection.
The answer is not to just hide your head in the sand, of course.
You may not have the resources to protect your systems to any great
degree, but that doesn't mean there is nothing you can do. You need
basic security precautions in place. At a minimum, you should keep
operating system software reasonably current, and firewall/router
software very current. You should change passwords on important
systems at least yearly, and whenever employees who had access
leave your employ. Passwords should be at least somewhat difficult
in spite of the objections you will get from users. You should also
shut off unneeded services at servers. You may have such things
blocked at your firewall, but to be completely safe, they just
shouldn't be running at all.
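To see which services are actually running rather than merely blocked, compare the listening TCP ports on a server against the short list you need. This is an added example, not from the original article; the `ss` output is constructed sample data and the allowlist "22 80" is an assumption.

```shell
#!/bin/sh
# Flag listening TCP ports that are not on an allowlist of needed services.
# Input format is that of `ss -H -ltn` (iproute2): field 4 is local addr:port.

# sample_ss_output: constructed sample, not captured from a real host.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      64           0.0.0.0:23        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
LISTEN 0      5          127.0.0.1:631       0.0.0.0:*
EOF
}

# unexpected_listeners "PORT PORT ...": read ss output on stdin and print
# "port scope" for each listener not allowed. scope is "loopback" when the
# socket is bound to 127.x or [::1], otherwise "exposed".
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)       # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)   # text before the last colon
            if (port in ok) next
            scope = (host ~ /^127\./ || host == "[::1]") ? "loopback" : "exposed"
            key = port " " scope
            if (!(key in seen)) { seen[key] = 1; print key }
        }' | sort -n
}

# Demonstration on the sample; on a live host run:
#   ss -H -ltn | unexpected_listeners "22 80"
sample_ss_output | unexpected_listeners "22 80"
```

Anything reported as "exposed" depends entirely on the firewall; "loopback" entries are lower risk but still candidates for shutting off if nothing needs them.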
Don't forget the "what if" plans. You need to be ready if some
terrible thing does happen, or at least as ready as you can be.
More Articles by Tony Lawrence