Of all tech topics, security is possibly the most complex, and certainly the most important. This is because security is always evolving. It is a forced evolution, as we must adapt to constantly emerging threats.
There are various levels of security that we'll have responsibility for. The first level is ourselves or the organization we work for. The second level is our clients. And the third level is the users of the websites or applications we develop for our clients.
Despite our best efforts, clients will always find ways to undermine the protections we provide for them. They rely on us as IT professionals to help them stay safe, but paradoxically also rarely follow the safety advice we provide them with. Most users really are their own worst enemies.
What we need to do, then, is make it as difficult as possible for clients to compromise their own security, while also making it as easy as we can for them to do the tasks they need to do. Achieving both goals to perfection may be impossible, but in this article we'll cover some things you can do to cut down the risks of a security breach occurring.
gif by Patswerk
Protecting your own devices and data
You are the first line of defense for yourself and your clients. If your systems are compromised, then everyone you work for could be at risk. Here are some recommendations for the minimums you can do to avoid operating in an increased risk environment:
- Use a secure desktop operating system. This is the single most basic upgrade you could make, if you're not already using a secure operating system. The most secure operating systems are Linux, Unix, and BSD. You should be using one of these operating systems as your primary desktop operating system.
The bonus for both developers and administrators is you get access to a much larger library of free development and security tools, and most of them work better than their Windows or OSX equivalents. To really operate in paranoid mode, choose the more secure Linux distros such as Parrot, Qubes, and Tails.
- Maintain separation between the operating system and your data. If you're running Linux or Unix, this is easy. You simply make sure that you have created a partition or separate hard disk to host your home partition on. Then all user files will survive any number of operating system installations, and as a bonus can be accessed from multiple operating systems on multi-boot systems.
- Use a journaling file system to help prevent data loss if your system crashes or is halted unexpectedly.
- Mirror your home partition. Regularly back up important files and use file versioning to avoid unintentional overwrites.
- Consider using cloud backup (not to be confused with cloud sync, which is nowhere near as safe and secure as a genuine backup). Sensitive data should be encrypted before being uploaded.
- Keep your system up to date, never ignoring security patches. Systems that use rolling updates have the advantage that you'll always know when patches are available, what needs patching, and why.
- Train people within your organization to be alert to social engineering methods that may be used against them to gain access to your systems.
- Avoid running software from unverified sources. When downloading software from trusted sources, verify file signatures to be certain you have an authentic copy.
- Maintain the physical security of your computers, especially when traveling. Carrying your laptop everywhere may not be practical, but it's better than letting some evil maid corrupt your BIOS. If it's really not an option to carry your computer, lock it up in a lockable case and secure that case in a safe or otherwise as best you can.
- Always remember it's better to be paranoid than to be an idiot who got hacked.
illustration by Phantom Points Creative
Keeping clients safe from IT threats is difficult, because they don't all understand the scale of the threat they face. Many will also have the view that if their site is compromised, then it's your problem to sort out, not theirs.
Many sites have been exploited for years without the site owners being aware of it, because most malicious attacks against sites are not supposed to let their presence be known. You therefore can't rely on the clients to inform you of problems. You'll need to take a proactive approach.
- Try to educate your clients about the risks. Most of the problem is due to ignorance that there is any risk to be on guard against.
- Inform corporate clients that the greatest threat they will face is insider threats created by their own employees and contractors (often inadvertant, but not always so). Also make sure they're aware of problems like social engineering, shoulder surfing, and dumpster diving.
- Keep servers patched. Perform regular backups.
- Scan for evidence of back door exploits or other malicious activity. Designing the file and folder structure for the site to be as simple as possible will help make detection easier. Know which files should be in each folder. If you see new files that are not familiar or seem to have computer generated names, that's a serious red flag.
- Know what files should be in the cgi-bin folder (for most sites, that will be no files), because this is a favorite location for stashing malicious programs.
- Periodically check the htaccess file to make sure it hasn't been tampered with.
- Code that you write is unlikely to make extensive use of encoding and decoding strings, or to contain heavily encrypted content. If PHP files contain unusual code, it's not very likely that those are legitimate files. Unusual character encoding instructions are also a giveaway. It's not likely that your legitimate files will be encoded in Windows-1251 encoding, for example.
- After confirming a breach, change your passwords. Check file permissions are set correctly for all files and folders. Monitor signs the intruder has returned. Even after changing your password, the attackers may have a way in. You'll need to be sure they don't. Set your server to inform you by email when any changes are made to the server.
- Help your users choose passwords appropriately by explaining the rules to them in a way they can understand. This is how most people like to set their passwords:jenny23This is how system administrators usually advise them to set their passwords:n@^2z`jGAnd – the problem is the first password can be cracked in seconds, while the second password can be cracked in a few hours. Also there is no hope whatsoever that the user will remember the more complex password. Here's an example of a password that would take several lifetimes to crack and could never be forgotten:Ialwaysfly@40,000feet – Characteristics of the above password include: Over 20 characters in length, mix of upper and lowercase characters, includes both numbers and letters, includes non-alphanumeric characters, easily memorable. A similar example might be:
asImove^inlife,Iwillnever4getwhereIstartedThere's really no limit to how creative you can get with passwords, and there is so much more advantage with
asImove^inlife,Iwillnever4getwhereIstarted compared to n@^2z`jG. The first example (41 mixed characters) would take until the end of time to crack and is easy to remember, while the second example (8 mixed characters) can be cracked in under six hours and is almost impossible to remember.Don't think you can just string words together and everything will be fine, because the hackers are onto that. You still need to mix cases and use non-alphanumeric characters, but certainly length is more important than complexity as things stand now. Combining both gives you an edge over those who use only one or the other.
Most dictionary based attacks focus on English because it's the most widely used language and most of the best sites to target (in terms of the value of what they can yield) are sites managed by people who speak English. If you know another language, use it when creating your passwords.
As excellent as
asImove^inlife,Iwillnever4getwhereIstarted is, it's still not as perfect as aMedidaQue^enLaVida,nuncaolivdarededondecomence because this adds yet another layer of complexity, forcing the cracker to resort to brute force. Learning another language just to create better passwords may be a bit much, so the other thing you could do is just become (or stay) really bad at English when you design a passphrase. For example:
For the ultimate, you could use badly spelled foreign language words and replace all the vowels with Leet vowels:
I don't know about you, but I wouldn't have the patience to type that. Still, it is a very secure password, and forces the cracker to do an insane amount of work (to hopefully then discover that all they've accessed is a collection of cat pictures)
- Make sure clients understand the dangers inherent in sending sensitive information by email, Skype, etc.
gif by Hoang Nguyen
A special note for developers
A quick and easy cultural shift for developers to adopt that would prevent countless security breaches each year is simply to minimize the external dependency chain of their sites. We are needlessly connecting to third party hosted scripts. Many of these scripts may have their own external dependencies. All for the sake of saving a few bytes.
Whenever possible, we should try to host all our scripts ourselves. A popular third party hosted script is a tempting target for an attacker, because by gaining control over the script, it is possible to run exploits on thousands of computers.
Computer security is a never ending challenge, and there is big money to be made on both sides of the challenge. The stakes are very high, and no one is completely safe, even those who believe they have nothing to hide. Winning is mostly a matter of using common sense and staying alert, never allowing yourself to become complacent.
header image courtesy of Josh Warren