Sunday, February 17, 2013

The standard user

In my last post I wrote about a breach in security at Europol. A network engineer stored a backup of device configurations on his private NAS, which wasn't protected and was publicly accessible from the Internet. The configurations contain the passwords for the devices. The focus of my last post was on the general lack of security implemented by users, but that was not what shocked me the most about this incident. What I found disturbing was that the devices are configured with a standard user and password.

I've seen this in networks countless times: every device is configured with the same standard user and password. When someone needs access to the devices, they are given the username and password, and security is left to the integrity of individuals. It seems to be the general rule that networks are configured this way.

This is wrong in so many ways. What happens when a user should no longer have access to the devices? This can happen either when the user is no longer employed by the company or is assigned a different job role within it. What if an external consultant needs access to a single device? He will now have the password for all devices, and he will keep that access even when he is no longer working as a consultant for the company.

Some people argue that their devices are only accessible from within their network and that they have protected the network with a firewall. This doesn't prevent an employee who changes roles within the company from keeping his access or sharing it with other employees. It does not prevent an external consultant from gaining access to all devices. Nor does it keep track of who logged in to a device or changed its configuration.
Have you ever thought about what to do if the password is compromised? How many devices do you need to log into to change it? How do you know that you didn't miss a device? How will you redistribute the new password to all the users who need access?
What about the firewall protecting your network? How do you log into that? Does it also use a standard user? Maybe it's a different one and the password is only known to a select few, but that doesn't change the fundamentals of the problem.
You wouldn't implement a standard user on your computers, so why would you do it on your network devices?

The solution to this is extremely simple and virtually free. Just as computers authenticate against Active Directory or LDAP, almost all network devices support a central authentication service, normally RADIUS or TACACS+. With an authentication server, every user gets his own username and password. You can group users to limit access to certain parts of your devices and to certain devices. When a user's access rights change or a user should no longer have access to the network, it is simple to change or delete the user on the server, and the change takes effect immediately across the network. When users have individual logins, you can keep track of which users log in to which devices and of the changes they make.

While there are commercial servers available, both RADIUS and TACACS+ servers can be downloaded and used for free. FreeRADIUS is, as the name implies, a free RADIUS server; it even comes with the Dialup Admin web interface for easy administration. The TACACS+ daemon from Shrubbery Networks is a free TACACS+ server. Neither of these is resource intensive, so you don't need a dedicated server to run them.
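As an added example (not from the original post), here is a minimal tac_plus.conf for the Shrubbery TACACS+ daemon that shows the points above in practice: a personal login per engineer, groups that limit what a user may run and on which devices, and accounting of every command. The group and user names, the 10.0.0.0/24 device range, and the secret and password-hash placeholders are assumptions.

```conf
# tac_plus.conf (Shrubbery tac_plus) -- constructed example, not from the post.
# Every engineer gets a personal login; groups decide what they may do and on
# which devices; accounting records who ran what, and where.

# Shared secret between the devices and the server (placeholder value).
key = "REPLACE-WITH-A-LONG-RANDOM-SECRET"

# Accounting log: one line per login and per command, with username and device IP.
accounting file = /var/log/tac_plus.acct

# ACL limiting which device addresses a user may log in from (assumed core range).
acl = core_only {
    permit = ^10\.0\.0\.[0-9]+$
    deny   = .*
}

# Full administrators: privilege level 15, every command permitted.
group = netadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# Help desk: read-only. Only "show" commands are authorized, nothing else.
group = helpdesk {
    default service = deny
    service = exec {
        priv-lvl = 1
    }
    cmd = show {
        permit .*
    }
}

# One account per person: deleting a stanza revokes exactly one person's access.
# Password hashes are produced with tac_pwd (placeholder values below).
user = alice {
    member = netadmin
    login = des "HASH-FROM-tac_pwd"
}

# External consultant: help-desk rights, and only on the core range above.
user = consultant_bob {
    member = helpdesk
    acl = core_only
    login = des "HASH-FROM-tac_pwd"
}
```

Each device is then pointed at the server through its own AAA configuration, using the same shared key; the accounting file is what answers the "who changed what" question from earlier.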

The short time you invest in setting up proper authentication for your network devices will be repaid with peace of mind and easy administration.

Monday, February 11, 2013

Convenient security

I recently saw a documentary about security, specifically about the new e-printers, universally accessible NAS drives and security cameras. According to the documentary, some 7.000 e-printers, 14.000 NAS drives and thousands of security cameras are publicly accessible over the Internet without a password. And they only investigated one vendor of each product! They copied forgotten passports in scanners, accessed passwords for a secure network at Europol (stored on a NAS) and turned off the security cameras in a shop. They estimated that about 80% of all security breaches are caused by users, not attackers!

Who is to blame?
The documentary aimed at placing the blame with the producers of the devices. I don't agree with that. If you (the user) don't bother to figure out how to lock your car and leave it open, you don't blame the producer. If a network engineer makes a backup of network configurations on his personal NAS and doesn't secure it, so that Europol's passwords are freely accessible on the Internet, you can't blame the NAS producer. A network engineer, at least, should know better.

Why don't users secure their devices?
Unless they work with security, users will generally choose convenience over security. Contrary to what some employers think, most employees actually want to do their job. When faced with security barriers at work, both technical measures and rules, most employees will work around them if they seriously prevent them from getting their work done.

This isn't just true for users in big enterprises; it is also true for SOHO users, who might not have an IT department. They purchase IT equipment that will make their work easier, not increase security. You can think of this in another way. When was the last time you checked the security features of a car you purchased? I'm not talking about the airbags. Did you ever check the quality of the locks or the car alarm? Do you know how easily people can steal your car? If you're like me, you probably don't know these things. You assume that when you lock your car it's "safe", and you buy insurance. You look at other features like mileage, cruise control, Bluetooth adapters and so on. Why should this be different when people purchase IT equipment? They look at storage capacity, wireless connectivity, Internet accessibility and so on.

Even IT professionals will choose convenience over security. I can give you some real-life examples.
Many years ago, I was a volunteer in an organization, and among other things we needed to publish a booklet. The organization had computers available for the volunteers, and these were locked down vigorously by a security-obsessed IT administrator (he later started a security company). You couldn't even install a new font on these machines. It was impossible to work on them. So I disconnected a PC and plugged my own laptop in (not many people had laptops back then). I now had access to the entire network, printers and everything. Now we could create and publish our booklet. Another, more recent example was when I worked at a company which, like many, had a 20MB e-mail attachment limit. I needed a vendor to send me materials above 20MB. How to do that? I called the IT dept. and it turned out the company had a large-file exchange portal. I needed to create the vendor as a user on the portal and send him a link where he could log in. He could upload the file. I could then go to an internal page and download it... or I could just ask him to send it to my private mail account. Guess which option I chose.

So how come companies spend a lot of money on security and we still have these problems?
It's the way companies view security. It's a paradigm of "washing hands". The CTO asks the IT department, "Are we secure?" The IT dept. says, "Yes, we have implemented the best firewalls and the strictest security policies for the users." If there is a security breach, the IT dept. can say someone broke the policies. The CTO can say we have done everything within our available resources (i.e. we need more money), and so on. Now everybody has washed their hands.

The users pose the biggest security threat to themselves and to the network. We need a strategy to deal with that. Unfortunately, current strategies reflect the existing paradigm of "washing hands".

In general two strategies have been used to increase security. One has been to increase security measures and the other has been to educate users. I believe neither can achieve the goal.

"The more you tighten your grip, the more star systems will slip through your fingers."
- Princess Leia

This is exactly what happens when you tighten security. At some point employees will feel that security is something they need to overcome in order to do their work, and it is virtually impossible to protect against widespread security breaches from inside the network. If the only tool you have is tighter security, you make the problem worse every time you try to fix it.

Other people advocate that we should educate the users, so that they understand the security risks and know which precautions they must take. While it is always good to explain to the users why certain security measures are in place, I don't believe that we can educate our way out of the problem. Education requires one main ingredient: the desire to learn. If the users have no interest in learning about security, the education will be a waste of time.

So what can we do?
In an age of BYOD, I believe that we should give the users what they want - convenience! If we want to secure users and our networks, we need to make the users work for us by working for the users. Let me give you an example.
In a big company with a large IT department, the IT department could supply employees with all their IT needs. If an employee would like a NAS, he could buy it from the IT department, which would then set it up and support it. If the price is the same as in the shops, he gets an additional service (support) for free, and the benefit for the company is that we can secure the device and know that any data stored on it is safe.
This is just an example, but if we start thinking this way, we can find solutions that work in our particular situations. We need to think of the users as part of the solution, not part of the problem.