« Breaking down the "electric grid is vulnerable" stories. | Main | *cough* Have to work from home *sneeze*? »

On assuming that you are owned.

Security professionals made a comment at last week's RSA that organizations should assume that they are currently owned by an outside attacker. While this may strike some as paranoia, it is a good assumption for minimizing impact in the event of a serious compromise.

For both individuals and businesses, determining the impact of getting owned begins with listing all the things that you use that are own-able, and then determining a risk mitigation strategy, a containment strategy, and a recovery strategy for each system. These all boil down to a series of "what if" questions that anyone can think through. For the average user, the set of systems that can be compromised includes, but is not limited to, all physical systems, backup mechanisms, and hosted services like e-mail and social networks.

We start from the most "distant" system inwards -- the hosted services. How can an individual's hosted accounts become compromised? The easiest way an attacker could compromise your account is through weak passwords or by sniffing passwords off the wire; therefore, we can reduce the risk of compromise by using strong passwords for our accounts and not accessing them from public access terminals and insecure wireless networks. If you are using a weak password on one site, it is entirely likely you are using a weak password elsewhere. Preventing the attacker from hopping from one hosted account to another can be as simple as using a strong and unique password on every site you access. It isn't just access to the data we should be concerned about. If the service is compromised, it is possible that everything in the account could be deleted, in which case having a backup of, say, all blog posts and all e-mail transactions would be required to get back up and running.

Let's say that the attacker has moved beyond our hosted account and either remotely compromised our physical system or actually stolen the hardware. In both cases, we should expect that all of our unencrypted data is accessible to the world. Both scenarios necessitate file-by-file encryption and a combination of physically secured on-site or off-site backups. A remote compromise would be a far worse situation: even though you don't lose the hardware, the attacker has the opportunity to capture passwords used for hosted services as well as financial accounts. The only way to limit your exposure here is to use cryptographic key fobs (like a SecureID token) and hope they aren't controlling the entire session.

Ultimately the only way to minimize the impact of a compromise is to assume that all of your data is compromised and consequently reduce the amount of data you either keep accessible to content that would not be devastating if it was leaked. In other words, never commit anything to bytes that you don't want your spouse, children, parents, or coworkers to see; the data may only be a single attack away from leaking out into the ether.

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)


This page contains a single entry from the blog posted on April 27, 2009 9:41 PM.

The previous post in this blog was Breaking down the "electric grid is vulnerable" stories..

The next post in this blog is *cough* Have to work from home *sneeze*?.

Many more can be found on the main index page or by looking through the archives.

Powered by
Movable Type 3.33