Saturday, 2 August 2014

First Rule of Security, Deny Your Enemies Information

The Canadian Government alleged this week that the Chinese Government hacked into NRC computer systems, and China's response has been "prove it".

On the surface, this request for proof makes sense, as what we have is a game of "we said, they said." But when it comes to IT security, publicly disclosing the proof is the last thing you want to do. And yes, it would have to be a public disclosure. If the Canadian Government gave the Chinese Government the proof under a non-disclosure agreement, it would be very easy for the Chinese to deny the proof and say it doesn't show anything. Without public analysis of the proof, no one can verify anyone's claims. And a public disclosure would be mind-numbingly stupid.

What is the first rule of computer security?

Deny any potential enemies information about your system. Seriously. Because the first step of any attack is reconnaissance. Deny your enemies the ability to scout your systems for weaknesses.

Let me use a non-computerized example.

You have something very valuable that you don't want stolen. Say a bajillion-dollar necklace. When it isn't being worn, you want to store it someplace safe, so that thieves can't easily steal it from your home while you're away. The standard location is in a Vault or a Safe. So you select a quality Safe, but what's the first thing you do? You decide where to put it, preferably someplace hidden and non-obvious. The more time it takes to find the Safe, the less time any thieves have to crack it. No safe is ever 100% secure. If you're really tricksy, you purchase two Safes. One you put in a semi-obvious location (behind a picture frame) and the other Safe you put in a very secure location, say in a special room buried underground that you have to access through the wine cellar by moving a rack of wine bottles.

One day you get home, and you find that someone found the secure Safe, but didn't successfully crack it. Do you disclose to the news media that a thief broke into your home, and found the securely hidden Safe? Only if you're a moron. If you let the news media disclose how your Safe was found, now every thief in the world knows where that Safe is. Chances are one of them knows how to crack it. Right now the only thief that knows where it is was unsuccessful. Now you put all your efforts into fixing that problem. You don't open yourself to thievery by giving away the details to the whole world.

It's the same problem, only much larger in scope, when it comes to computer security. Every detail is important: the type of servers and workstations, the operating systems, the applications installed, the network layout and any security systems that protect that infrastructure. Also important: the physical location, the people who have access, physical security, everything.
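One small, concrete instance of "deny them information": web servers in their default configuration announce their software and version in every response, which is exactly the reconnaissance data the paragraph above says to withhold. The following check is an added example and not part of the original post; the two sample responses are constructed, the header list and severity rule are my own choices, and the version numbers shown are illustrative only.

```python
"""Audit HTTP response headers for fingerprinting leaks.

Added example (not from the original post). Illustrates the post's
principle of denying an attacker reconnaissance data: a quick check
that flags response headers which advertise server software, framework
or version details. The sample responses below are constructed, not
captured from any real system.
"""
import re

# Headers that commonly disclose software or versions (list chosen for
# this example). Presence is noted as low risk; a version-looking string
# in the value is flagged as a high-risk leak.
DISCLOSING_HEADERS = {
    "server",
    "x-powered-by",
    "x-aspnet-version",
    "x-aspnetmvc-version",
    "x-generator",
    "via",
}

# Matches dotted version strings such as 2.4 or 5.5.9.
VERSION_RE = re.compile(r"\d+\.\d+(\.\d+)*")


def parse_response_headers(raw: str) -> dict:
    """Split a raw HTTP response into a lowercase header-name -> value map.

    Only the head (before the blank line) is parsed; the body is ignored.
    Repeated headers are joined with ', ' as RFC 7230 permits.
    """
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name = name.strip().lower()
        value = value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_headers(raw: str) -> list:
    """Return sorted (severity, header, value) findings for a raw response."""
    findings = []
    for name, value in parse_response_headers(raw).items():
        if name not in DISCLOSING_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append(("high", name, value))
        elif value:
            findings.append(("low", name, value))
    return sorted(findings)


# Constructed sample: a verbose default configuration.
LEAKY = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.7 (Ubuntu) PHP/5.5.9\r\n"
    "X-Powered-By: PHP/5.5.9-1ubuntu4\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

# Constructed sample: the same service after trimming identifying headers.
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(label)
        for severity, name, value in audit_headers(resp):
            print(f"  [{severity}] {name}: {value}")
```

Running the script prints two high-severity findings for the verbose response and a single low-severity note for the trimmed one. The usual fixes sit in the server configuration rather than in code: Apache's `ServerTokens Prod` and `ServerSignature Off`, nginx's `server_tokens off;`, and PHP's `expose_php = Off` all remove the version detail, and a proxy or application can strip `X-Powered-By` entirely.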

To disclose the proof of a successful attack, you have to reveal everything involved in why the attack worked: what system was first compromised, how it was done, and why the security systems didn't work (which people didn't follow procedure). Essentially, publishing the proof of how it was done gives everyone a blueprint for doing it themselves. You're drawing a detailed map for them.

"So change the security system!" you might say.

Let's go back to my safe example. Someone knows where the safe is, and the make and model of it. They've tried once; they might try again. To have pulled off that attempt, they managed to learn where the safe is (remember, it was super secret, so who blabbed?), defeat the home security system and know when the house was empty. And they got away with their identity intact. How much work is involved in solving this problem? Ideally, you would sell this house, build a brand new one in another country far away and redo all of the security, layout and secrecy of the safes for that house. You don't do that in a week. You don't even do that in a year. Some of that solution may be practically impossible.

And that's the problem with computer security. In a way, it's better to be hacked when your security systems and practices are weak. The solution is to adopt state-of-the-art systems and procedures. But what if you are already using some or all of the best systems and procedures, and you still get hacked? That's a friggin nightmare is what that is. Your strongest defense is obfuscation and secrecy. Because if better systems don't exist (or only offer marginal improvement), you're going to be vulnerable to another attack by the same people. And you know it. The last thing you want to do is add to your worries by publicly disclosing how it was done.

But what the hell, if the Chinese Government was successful, maybe it wouldn't hurt to tell the Russians and every cyber-criminal organization out there how to do it too.

Or maybe it would.
