
posted by Fnord666 on Friday March 24 2017, @02:23AM   Printer-friendly
from the onions-have-layers dept.

The principle of Defence in Depth ("DiD"), says OWASP (Open Web Application Security Project), is that "layered security mechanisms increase security of the system as a whole". That is, if one layer of protection is breached, there's still the opportunity for the attack to be fended off by one or more of the other layers. If anyone's ever drawn something that looks like an onion on the whiteboard – a load of concentric layers with your infrastructure in the middle – that's the concept we're looking at. It's actually a military term that's been adopted by security types in the IT industry who want to be tank commanders when they grow up.

On the face of it it's a pretty simple concept to understand. Rather than just having (say) anti-malware software on your desktop computers, why not also make your Web downloads go through a filter that has malware protection on it too? And yes, this helps. But to do it properly you have to step back a few strides and have an overview of your world: although it's going to cost me 50p in the buzzword swear box, I'm going to say "holistic view".

I secure my systems by naming things like Perl regular expressions. Attackers instantly go cross-eyed and fall over.

  • (Score: 2) by Gaaark on Friday March 24 2017, @02:39AM

    by Gaaark (41) Subscriber Badge on Friday March 24 2017, @02:39AM (#483479) Journal

    from the onions-have-layers dept.

    Sort of like: the onions have onions... i guess it's onions ALL the way down (in?)
    :)

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: -1, Offtopic) by Anonymous Coward on Friday March 24 2017, @02:49AM

    by Anonymous Coward on Friday March 24 2017, @02:49AM (#483484)

    Please file form I-385 and K-5512 to enable download of this webpage for viewing, A-21 to save to disk.
    It is only for your own safety comrade-citizen-brother.

    </sarcasm> because some people are sure to miss it.

  • (Score: 3, Insightful) by JoeMerchant on Friday March 24 2017, @03:14AM (10 children)

    by JoeMerchant (3937) on Friday March 24 2017, @03:14AM (#483486)

    Some say security by obscurity is no security at all.

    I say, an FTP server configured on port 21 goes down about 1000 times faster than one configured on port 21345. Sure, it's better to use a secure protocol like ssh, but, similarly, a secure protocol on a non-standard port number gets even less exposure to hacking attempts.

    Layer that with some proprietary stuff, and try to be smart about key management, salting your hashes, etc. and you're not likely to make the "10 most embarrassingly configured systems" list any time soon.

    Mathematically calculate a 5 year secure PGP key and make that your only barrier to entry, some joker with a quantum computer can ruin your whole day long before you thought they could.

    --
    Ukraine is still not part of Russia. Glory to Ukraine 🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
    • (Score: 0) by Anonymous Coward on Friday March 24 2017, @05:29AM (8 children)

      by Anonymous Coward on Friday March 24 2017, @05:29AM (#483525)

      You might be right. But 1000 times 35 ms is still only 35 seconds. Port scans are automated, so you are only wasting your time and the time of everyone typing that port number into their ftp client.

      • (Score: 2) by maxwell demon on Friday March 24 2017, @08:08AM (7 children)

        by maxwell demon (1608) Subscriber Badge on Friday March 24 2017, @08:08AM (#483564) Journal

        What about doing "reverse port knocking": if some IP address accesses unused ports, it gets blocked for a short time that increases with each attempted access to unused or currently blocked ports.

        --
        The Tao of math: The numbers you can count are not the real numbers.
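        As an added illustration of the escalating block that maxwell demon describes (this is not code from the thread or from any real firewall), the following Python simulation applies the rule to a constructed list of connection attempts. The doubling schedule, the one-hour cap, the open-port set and the addresses are all assumptions; the state is keyed on source address, which is exactly why a scanner that rotates addresses gets one free probe per address.

```python
# Simulation of "reverse port knocking": a source address that touches an
# unused port (or anything while already blocked) is blocked for a period
# that doubles with every offence. Added example; all values are constructed.

OPEN_PORTS = {22, 443}          # assumed set of ports the host actually serves
BASE_BLOCK = 10.0               # seconds for the first offence (assumption)
MAX_BLOCK = 3600.0              # cap so a noisy neighbour is not blocked forever


class ReversePortKnock:
    def __init__(self, open_ports, base_block=BASE_BLOCK, max_block=MAX_BLOCK):
        self.open_ports = set(open_ports)
        self.base_block = base_block
        self.max_block = max_block
        self.strikes = {}        # source ip -> number of offences so far
        self.blocked_until = {}  # source ip -> timestamp when the block expires

    def decide(self, ts, ip, port):
        """Return 'allow' or 'drop' for one attempt and update the state."""
        if ts < self.blocked_until.get(ip, 0.0):
            self._penalise(ip, ts)   # probing while blocked extends the block
            return "drop"
        if port in self.open_ports:
            return "allow"
        self._penalise(ip, ts)       # touched a port nothing listens on
        return "drop"

    def _penalise(self, ip, ts):
        n = self.strikes.get(ip, 0) + 1
        self.strikes[ip] = n
        block = min(self.base_block * 2 ** (n - 1), self.max_block)
        self.blocked_until[ip] = ts + block


# Constructed attempts in time order: (seconds, source ip, destination port).
SAMPLE_EVENTS = [
    (0, "203.0.113.5", 22),     # legitimate: allowed
    (1, "203.0.113.5", 8080),   # unused port: first strike, blocked 10 s
    (2, "198.51.100.7", 443),   # different host, legitimate: allowed
    (3, "203.0.113.5", 22),     # still blocked: second strike, now 20 s
    (4, "198.51.100.8", 8081),  # rotating address: one free probe, then blocked
    (15, "203.0.113.5", 22),    # still blocked: third strike, now 40 s
    (60, "203.0.113.5", 22),    # block expired: allowed again
    (61, "198.51.100.8", 22),   # its 10 s block long expired: allowed
]


def simulate(events, open_ports=OPEN_PORTS):
    """Run the policy over events; return (decisions, strikes per address)."""
    policy = ReversePortKnock(open_ports)
    decisions = [policy.decide(ts, ip, port) for ts, ip, port in events]
    return decisions, dict(policy.strikes)
```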
        • (Score: 2) by Wootery on Friday March 24 2017, @08:46AM (5 children)

          by Wootery (2341) on Friday March 24 2017, @08:46AM (#483569)

          Could be defeated by using a different source IP to check each port number.

          • (Score: 1) by khallow on Friday March 24 2017, @10:13AM (4 children)

            by khallow (3766) Subscriber Badge on Friday March 24 2017, @10:13AM (#483578) Journal

            But it still means that you're keeping out the script kiddies, which sounds like that's all the OP wants to do.
            • (Score: 2) by TheRaven on Friday March 24 2017, @10:23AM

              by TheRaven (270) on Friday March 24 2017, @10:23AM (#483581) Journal

              Most of these scans come from botnets. They'll try 2-3 from one IP, then a few from another, and so on. Botnet machines are something like 5¢ on the open market: well within the price range of most script kiddies.

              --
              sudo mod me up
            • (Score: 2) by JoeMerchant on Friday March 24 2017, @01:46PM (2 children)

              by JoeMerchant (3937) on Friday March 24 2017, @01:46PM (#483628)

              There are 10,000 script kiddie attacks flying around for every serious hack.

              Serious hacks tend to be more targeted, deliberate, focused. Yes, you should be resistant to them, but ultimately - if someone within your organization fails to resist some social engineering, no amount of technical security can resist that.

              In security, you should be as good as you can without compromising usability (unacceptably). The major threats are the simple scripts that trawl for open ports; first: don't fall for that.

              --
              Ukraine is still not part of Russia. Glory to Ukraine 🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
              • (Score: 2) by PiMuNu on Friday March 24 2017, @02:20PM (1 child)

                by PiMuNu (3823) on Friday March 24 2017, @02:20PM (#483650)

                > if someone within your organization fails to resist some social engineering, no amount of technical security can resist that.

                I thought that was the point of having layered defences (or network zones, or whatever) - so only a very few privileged actors have access to your golden data e.g. customer account data and only by jumping through some hard-to-socially-engineer hoop (like ssh keys). Probably the sort of people who are vulnerable to phishing aren't the sort of people who need to make accesses to the customer db (e.g. non-technical support staff, management, etc).

                • (Score: 2) by JoeMerchant on Friday March 24 2017, @03:37PM

                  by JoeMerchant (3937) on Friday March 24 2017, @03:37PM (#483688)

                  Very true, first consider the integrity of the user and the power of the key before putting them together... However, in this context, I think they're referring to "layered" as in onions, which means scanning attachments for viruses at multiple points in the stack, with multiple types of scanners, or requiring an SSH key and a username/password login, rather than multiple levels of privilege.

                  --
                  Ukraine is still not part of Russia. Glory to Ukraine 🌻 https://www.pravda.com.ua/eng/news/2023/06/24/7408365/
        • (Score: 2) by bob_super on Friday March 24 2017, @05:06PM

          by bob_super (1357) on Friday March 24 2017, @05:06PM (#483746)

          Then some exec fails to connect using the default ports, gets blacklisted, grabs his phone to give you an earful, because he needs a cute door with a doormat and a key that fits His keychain, to get into your fortress, and he needs it right now...

    • (Score: 3, Informative) by driverless on Friday March 24 2017, @11:14AM

      by driverless (4770) on Friday March 24 2017, @11:14AM (#483590)

      Some say security by obscurity is no security at all.

      Only security absolutists, who believe that security can only be either absolutely 100% theoretically perfect or totally useless. Unfortunately there are way too many people like this in the security industry, but then you don't have to listen to them. Security in obscurity (*in*, not *by*) is perfectly fine in a large number of cases, either as part of a defence-in-depth strategy or as your only security measure. For defence-in-depth, it cuts down on the number of attackers so you can focus on the ones that matter, not the endless hordes of script kiddies. For the only measure you use, consider how you set up a backup key to get into your house if you lock yourself out. You can use security in obscurity and hide it somewhere on your property where no burglar will even find it. Or you can use the "perfect" solution and put it into a key safe, something like this [screwfix.com]. Which can be opened in about ten seconds by anyone who knows how (any criminals worth their salt should), leaving no traces on the lock. In this case the security-in-obscurity solution is the secure one and the "perfect" solution is the insecure one.

  • (Score: 3, Insightful) by NotSanguine on Friday March 24 2017, @03:39AM (2 children)

    Mostly because devs and implementors are generally more concerned with getting whatever it is "up and running" rather than designing security into their stuff.

    What makes more sense is to take security into consideration during the design and development stages, which would greatly assist with "defense-in-depth" efforts. Bolting security on after the fact usually ends up with something along the lines of the "crunchy shell with a soft, chewy center" metaphor.

    In a sane environment, it's strictly a cost/benefit analysis: How much will it cost us if we're hacked? vs. How much will securing the environment cost?

    When an environment has security baked into the design and development, it usually costs less and runs cleaner in the long term, despite what the MBA and hack coders "think."

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 2, Insightful) by anubi on Friday March 24 2017, @05:03AM (1 child)

      by anubi (2828) on Friday March 24 2017, @05:03AM (#483514) Journal

      I believe this whole security fiasco is the result of special interest's need of controlling things after the sale and installation on the customer machine.

      I also believe the only solution is to make an OS that has absolutely NO remote arbitrary code execution capability. That is to say the OS becomes much like a graphical calculator, capable of all the eye candy displays you would want, but no way to send a program to it - rather that would have to be initiated during physical contact with the machine, kinda like in one of the Star Trek movies where V-Ger flat insisted on a physical contact. - And be able to hold the rightsholder of the program so loaded totally responsible for what it does in one's machine. Creating back doors in one's program for release to the public would come at a substantial risk.

      Now, I am not saying the machine cannot be remotely controlled.... rather I am saying that any program that would do the telemetry would have to be deliberately loaded.

      Anyone can download a file and run it if they wish, write their own, or pass copies of code around, run it at your own risk. It's not the OS's job to nanny who can do what. But it WOULD be the OS's job to accurately report on who is doing what. Holding programs accountable and verifiable for what they did.

      If the program I loaded instructs the machine to download yet more programs, and run them, tell me!

      Businesses have no problem with installing cameras to closely watch employees. Why can't my OS tell me exactly what programs are asking of it? Especially if one is on a "watch list" of programs "on probation".

      And, while I am on the OS, I also need trustworthy hardware booting from USB, so an alternative boot program can go out and verify the boot and OS part of my primary storage to be sure the OS is intact and is accurately reporting. The "safe mode" of Windows looks like a good start on this. Disable ALL startup stuff so it can be re-enabled one at a time to help find malicious code.

      Then the burden of trustworthiness is on the rightsholder of the software I loaded... no different than holding an employer responsible for what his employee did in my home. If I contracted to have the house painted, and while he was doing it, he slipped in my house and emailed the contents of my computer to one of his colleagues, I would be furious. This kinda crap may be OK for "business-class" software but it has no place in a private home.

      That backdoor crap has no place in the core operating system.

      If some business makes backdoor-ridden software, let them... however this narrows down who is letting the cat out of the bag when the backdoors show up routing through that software. Once certain software vendors have a reputation of distributing programs riddled with STD's, they will acquire a reputation of being seen as risky and any business requiring it will be looked at as if that business insisted you visit the whore down the street before he will shake your hand.

      Much like I do with JavaScript right now. A business site tells me JavaScript is required. I click away.

      Many more of us need to do the same to send business a clear signal that we won't accept risky behaviour just to shake their hand or shop in their digital store. Many online businesses give me the same uneasy feeling as being required to shake hands with an extremely filthy doorman in order to visit their store. This thing blocking the door extends its hand, oozing with God-knows-what and I am not allowed to know, stating "Handshake Required!" I have to turn away and go somewhere else who does not implement the doorman. If I absolutely have to visit them, I have to wear as much antivirus as I can in order to comply with their business requirement.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
      • (Score: 2) by WillR on Friday March 24 2017, @02:10PM

        by WillR (2012) on Friday March 24 2017, @02:10PM (#483642)

        Why can't my OS tell me exactly what programs are asking of it

        It can (see debuggers, strace, dtrace, kprobes, etc.). Most people don't ask it to, because they wouldn't understand the output. The ones that do ask very specific questions, not a blanket "tell me what you're doing", because on a 4GHz quad core CPU that would produce several gigabytes per second of log spew.

  • (Score: 0) by Anonymous Coward on Friday March 24 2017, @03:52AM (3 children)

    by Anonymous Coward on Friday March 24 2017, @03:52AM (#483490)

    Just install Windows 10 and it should be OK.

    • (Score: 1, Funny) by Anonymous Coward on Friday March 24 2017, @04:02AM

      by Anonymous Coward on Friday March 24 2017, @04:02AM (#483492)

      Should I also install Ubuntu on Windows 10 so I get systemd?

    • (Score: 2) by driverless on Friday March 24 2017, @11:16AM (1 child)

      by driverless (4770) on Friday March 24 2017, @11:16AM (#483594)

      That should actually be pretty safe. Who in their right mind would want to break into, or steal, a system running that sucking-chest-wound of an OS?

      • (Score: 2) by bob_super on Friday March 24 2017, @05:09PM

        by bob_super (1357) on Friday March 24 2017, @05:09PM (#483748)

        So, the ultimate security is Windows ME, because nobody in their right mind would trust it to hold important information?

  • (Score: 2) by Azuma Hazuki on Friday March 24 2017, @04:20AM

    by Azuma Hazuki (5086) on Friday March 24 2017, @04:20AM (#483496) Journal

    Isn't this obvious? The "cold" attacks are essentially lazy, mostly-deterministic spray'n'pray batches. Firewall at the WAN interface, firewalls on each node, principle of least privilege, don't run anything as a service that doesn't need to run, etc. This sounds almost tautological, like saying "if you make it hard for lazy remote attacks to succeed, it'll be harder for lazy remote attacks to succeed."

    --
    I am "that girl" your mother warned you about...