The war between hackers and security professionals has been going on for several decades now, and the arms race hasn’t slowed down one bit. Every time a hole is patched, malicious attackers will find another way around. And as technology continues to become cheaper and more accessible for technically illiterate users, security experts are also struggling to protect clumsy end-users from their own mistakes and relaxed attitudes.
To a layperson, computer security might seem like this incredibly mind-boggling field… similar to quantum physics or rocket surgery. If you talk to the average security professional about securing your IT systems, you’ll need to have an understanding of things like:
- Brute force attacks and social engineering
- Network communications protocols
- Viruses and malware
- Privacy regulations and information compliance
- Computer programming languages
- Encryption algorithms
- Open vs. closed source software
- Systems analysis
Any one of these fields would take months of study just to get your head around it.
Although the nitty-gritty details are best left to the experts, it’s surprisingly easy to get a very broad understanding of computer security. And with this broad understanding, there is actually quite a lot that you can do to protect yourself.
All computer or network security strategies fall into one of two basic categories, or some sort of hybrid between the two. These two approaches are called “open by default” and “closed by default”.
Closed By Default (White List)
Closed by default is the most secure way that you can manage any kind of technology or information management system.
Imagine a file cabinet inside of a bank vault. Every document inside of this file cabinet has been written in a secret code, which is only known by one man who lives inside the vault. The man can’t get out, and nobody else can get in.
Although this is the most secure way to manage information, there are a number of drawbacks to this approach.
- Because nobody can get in or out, this information is of no use at all. Most information is only useful if it can be shared or used in an interaction with other individuals.
- If the man in the vault dies, all of the information in the file cabinet will die with him since he’s the only person who can decode the files.
This might sound crazy, but a lot of companies will entrust all of their critical business data to a single individual. If that person should die or leave the company, everyone else will be locked out and the company will have to close its doors.
- If anyone wants access to the information stored in the file cabinet, they must wait for a guard to let them into the safe, and then they must convince the man to translate the documents for them. If the man is busy, you’ll have to wait in line for your turn… however long that may take.
Likewise, systems configured with closed-by-default security settings can often cause problems for end-users. I used to work for a company whose server could only be accessed for 4 hours per day… and the computer had to be at a specific network location.
- This system works great if only 3 or 4 people need access to the files in the cabinet. But if tens of thousands of people have permission to access the files, then the access lists and credentials will quickly become too large to manage.
If your blog was being targeted by a spammer, a “closed by default” approach would require you to make a “white list” of every possible IP address except for the attacker’s address. This database would take up several terabytes, and would significantly slow down the server. And even then, there’s still a chance that you might end up accidentally excluding a legitimate user.
If you’ve ever been mistakenly locked out of an application where you had legitimate rights of access, it was probably managed using a “closed by default” approach.
Open By Default (Black List)
An “open by default” strategy allows anyone to access the system, and then creates specific cases for exclusion.
Imagine a security guard in a shopping mall. The doors are wide open for anyone to walk in. The security guard’s job is to keep an eye out for suspicious activity, and to prevent known shoplifters from entering the mall.
As with the “closed by default” approach, “open by default” also has some specific problems.
- Although a black list of known shoplifters will prevent those individuals from stealing again, this list can’t stop new undiscovered shoplifters from stealing. The stores in the mall accept this risk in exchange for better customer service and simpler security.
A message board system is a perfect example of this. Anyone may sign up for an account and begin posting their views. But if a member begins posting spam or abusive comments, the forum administrators will step in and ban that individual.
From an administration perspective, the “open by default” or black list approach is much cheaper and easier to manage. However, there is a trade-off in the added risk which must be absorbed.
For certain types of information – such as customer lists or medical information – this risk is simply unacceptable, and only a white list or “closed by default” approach will do.
Hybrid Approach (Segregation)
IT security professionals are in favour of segregation, but that doesn’t mean they’re racist.
When talking about IT security, segregation describes the process of splitting and isolating systems into “open” and “closed” zones. Systems that require a high degree of security are placed in exclusive “closed by default” zones, and less critical systems are placed into “open by default” zones.
The classic example would be an online store.
The web site and shopping cart would be stored in an open zone. Anyone can access these services, unless they’ve done something to end up on a black list. If the main shopping site is exploited by hackers, it’ll be temporarily inconvenient… but not catastrophic.
But the server that processes your credit card is completely isolated from the main store… usually on a different network or in a different building. And access to the transaction processing server and its stored information is extremely restricted.
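The online store described above, sketched as a small Python access check. This is an added example, not code from the original article; the zone names, service names and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    """Services that share one default decision plus a list of exceptions."""
    name: str
    default_allow: bool  # True = open by default, False = closed by default
    exceptions: list = field(default_factory=list)  # CIDR ranges given the opposite decision

    def permits(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)  # raises ValueError if malformed
        listed = any(addr in ipaddress.ip_network(net) for net in self.exceptions)
        # Open zone: being listed means banned. Closed zone: being listed means trusted.
        return self.default_allow != listed


# Constructed policy: the storefront bans one known spammer, the payment zone
# trusts only a small internal range. Addresses are documentation/private ranges.
STOREFRONT = Zone("storefront", default_allow=True, exceptions=["203.0.113.66/32"])
PAYMENTS = Zone("payments", default_allow=False, exceptions=["10.20.0.0/28"])
SERVICES = {"website": STOREFRONT, "cart": STOREFRONT, "card-processor": PAYMENTS}


def check(service: str, source_ip: str) -> bool:
    """Return True if source_ip may reach the named service."""
    zone = SERVICES.get(service)
    if zone is None:
        return False  # unknown service: fail closed
    try:
        return zone.permits(source_ip)
    except ValueError:
        return False  # malformed address: fail closed, even in the open zone


if __name__ == "__main__":
    visitors = ["198.51.100.7", "203.0.113.66", "10.20.0.5"]  # stranger, banned, internal
    for service in SERVICES:
        for ip in visitors:
            print(f"{service:15} {ip:15} {'allow' if check(service, ip) else 'deny'}")
```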
By thinking about networks, software and systems in terms of open, closed and hybrid zones, understanding computer security can become much easier and more straightforward.