Bruce Schneier made the New York Times. This is for his “movie plot” contest: he’s tired of seeing resources diverted to stopping terrorist attacks that are grandiose and easy to imagine, but difficult to execute and thus unlikely.
In the computing world, Schneier is well known for his various books on security and cryptography. He’s probably best known for the Blowfish cypher, which I’d bet real money you use every day. I enjoy reading his blog, which is enjoyable and usually insightful. He thinks “big picture” security; for him, nearly everything has security implications.
Security is a big deal, and it’s an issue you can’t ignore. Unfortunately, most of us, as Schneier says, think in terms of movie plots. Hands up everyone who has taken steps to keep someone from snooping on their TCP sessions. This includes all of you who use ssh and shy from telnet. After all, telnet is unencrypted! Would you type your password into a telnet session? Only morons use telnet.
Right.
But do you know what the chances of someone actually snooping on your telnet session are? Over the internet? If you are a bank, yes, you have a legitimate reason to encrypt everything. If you are mail.my-family-domain.net, then encryption is probably overkill. Now, of course, ssh is extremely easy to use, and in fact is even more convenient than telnet for, well, everything, but I’ve seen people get lambasted for using telnet when, really, who cares?
(Now, I’m guilty of this, too. When I back up my personal finances, I always encrypt them. I don’t have the skills to determine whether the program I use (ccrypt) is actually securely encrypting the files, I don’t care whether anyone really DOES read the backups, and I don’t think anyone cares to read the backups, but I do it anyway.)
The problem, though, isn’t paranoia. I mean, it’s a little bit of a problem; last night a customer locked himself out of his server, and asked me to open the firewall. It took far longer than it should have because he was using TWO firewalls. But generally paranoia is fine. So you’d rather use a dedicated line than a VPN. Great. If you have the cash for it, go right ahead. But what if you aren’t swimming in monies, but you buy that line anyway? After all, several banks recently got ripped off because their ATMs have been configured to go over the internet instead of dedicated lines, and now they’re being hacked. I know we only sell used automobiles, but I don’t like taking risks.
Meanwhile, our employees are writing their passwords down on stickies. Or better yet, they all just use the same account.
This is the issue. The other night I had a colocation customer call frantically asking that some (former?) employees be taken off his access list. (The access list is the list of people allowed into the building.) He then wanted me to copy all his data off his server, in case something should happen to it; he had no backups. Going over this later, I determined he would probably have paid about $10k in emergency fees–minimum–for the kind of work he was requesting. Fortunately he had hot swappable drives configured in a RAID mirror. I removed one drive from each of his servers: there were his backups.
This customer probably has a firewall, but I doubt whether it has ever done more than repel automated ssh attacks. On the other hand, who looks at an employee–maybe even a friend–and says, “One day this person might be the most dangerous attacker I get.”?
Okay, so that’s also a movie plot scenario. Don’t pour ALL your resources into defending from ex-employees and delimiting the access of current ones. You’ll only make the people who work for you ineffective and frustrated, and you’ll be taking money from legitimate departments.
As Schneier says, security is always a trade-off. You can’t say, “we have to defend against this at all cost”, where this is some horror story on reddit. You actually have to spend some time identifying appropriate threats, the costs of defense and disaster recovery, and determining how many resources any given attack actually warrants.
But if you do decide that you really do need two firewalls, please be kind and inform Support.