
10 (+1) reasons to treat network security like home security


As I pack up my various technical references and novels in preparation for moving tomorrow, it occurs to me that the front door of your house can teach you some things about IT security.

  1. Deadbolts are more secure than the lock built into the handle. Not only are they sturdier, but they're harder to pick. On the other hand, both of these characteristics are dependent on design differences that make them less convenient to use than the lock built into the handle. If you're in a hurry, you can just turn the lock on the inside handle and swing the door shut -- it'll lock itself without having to use a key, but the security it provides isn't quite as complete. A determined thief can still get in more easily than if the deadbolt was used, and you may find the convenience of skipping the deadbolt evaporates when you lock your keys inside the house. The lesson: Don't take the easy way out. It's not so easy when things don't go according to plan.
  2. Simply closing your door is enough to deter the average passerby, even if he's the sort of morally bankrupt loser that likes thefts of opportunity. If it looks locked, most people assume it is locked. This in no way deters someone who's serious about getting into the house, though. The lesson: Never rely on the appearance of security. The best way to achieve that appearance is to make sure you're actually secure.
  3. Even a deadbolt-locked door is only as secure as the doorframe. If you have a solid-core door with strong, tempered steel deadbolts set into a doorframe attached to drywall with facing tacks, one good kick will break the door open without any damage to your high-quality door and deadbolt. The upside is that you'll be able to reuse the door and locks. The downside is that your 70-inch HD television will be fenced by daybreak. The lesson: The security provided by a single piece of software is only as good as the difficulty of getting around it. Don't assume security crackers will always use the front door the way it was intended.
  4. It's worse than the doorframe. How secure is the window next to the front door? The lesson: Locking down your firewall won't protect you against trojans received via e-mail. Try to cover every point of entry, or you may as well not cover any of them.
  5. When someone knocks on the front door, you might want to see who's out there before you open it. That's why peepholes were invented. Similarly, if you hear the sounds of lockpicks (or even a key, when you know nobody else should have one), you shouldn't just open the door to see who it is. It might be someone with a knife and a desire to loot your home. The lesson: Be careful about what kind of outgoing traffic you allow -- and how your security policies deal with it. For instance, most stateful firewalls allow incoming traffic on all connections that were established from inside, so it behooves you to make sure you account for all allowable outgoing traffic.
  6. Putting a sign in your window that advertises an armed response alarm system, or even an NRA membership sticker, can deter criminals who would otherwise be tempted to break in. Remember that the majority of burglars in the United States admit to being more afraid of armed homeowners than the police, even after they've been apprehended. Telling people about strong security helps reduce the likelihood of being a victim. The lesson: Secrecy about security doesn't make anyone a smaller target.
  7. A good response to a bad situation requires knowing about the bad situation. If someone breaks into your house, bent on doing you and your possessions harm, you cannot respond effectively without knowing there's an intruder. Make sure you -- or someone empowered to act on your behalf, such as an armed security response service, the police, or someone else you trust -- have some way of knowing when someone has broken in. The lesson: Intrusion detection and logging are more useful than you may realize. You might notice someone has compromised your network and planted botnet trojans before they're put to use, or you might log information that can help you track down the intruder or recover from the security failure (and prevent a similar one in the future).
  8. Nobody thinks of everything. Maybe someone will get past your front (or back) door, despite your best efforts. Someone you trust enough to let inside may even turn out to be less honest than you thought. Layered security, right down to careful protection of your valuables and family even from inside your house, is important in case someone gets past the outer walls of your home. Extra protection, such as locks on interior doors and a safe for valuables, can make the difference between discomfort and disaster. The lesson: Protect the inside of your network from itself, as well as from the rest of the world. Encrypted connections such as SSH tunnels even between computers on the same network might save your bacon some day.
  9. The best doors, locks, window bars, safes, and security systems cannot stop all of the most skilled and determined burglars from getting inside all of the time. Once in a while, someone can get lucky against even the best home security. Make sure you insure your valuables, and otherwise prepare for the worst. The lesson: Make sure you have a good disaster recovery plan in place -- one that doesn't rely on the same security model as the systems that need to be recovered in the event of a disaster. Just as a safety deposit box can be used to protect certain rarely used valuables, offsite backups can save your data, your job, and/or your business.
  10. Your house isn't the only place you need to be protected. A cell phone when your car breaks down, a keen awareness of your surroundings, and maybe even some form of personal protection can all be the difference between life and death when you're away from home. Even something as simple as accidentally leaving your wallet behind in a restaurant can lead to disaster if someone uses your identity to commit other crimes that may be traced back to you, run up your credit cards, and loot your bank accounts. Your personal security shouldn't stop when you leave your house. The lesson: Technology that leaves the site, information you may take with you such as passwords, and data you need to share with the outside world need to be protected every bit as much as the network itself.
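
Item 5's point about stateful firewalls, as an added example that is not part of the original article: a toy connection tracker in Python showing that a reply is admitted for every connection opened from inside, so the outgoing policy decides what is allowed back in. The class, addresses and ports are constructed for illustration and model no particular firewall product.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport)


def reverse(flow: Flow) -> Flow:
    """Swap the endpoints: the reply to a flow is that flow reversed."""
    src, sport, dst, dport = flow
    return (dst, dport, src, sport)


@dataclass
class StatefulFirewall:
    """Toy tracker: inbound is accepted only as a reply to a tracked flow."""
    # None models "allow all outgoing"; a set models an egress allowlist.
    egress_ports: Optional[Set[int]] = None
    tracked: Set[Flow] = field(default_factory=set)

    def outbound(self, flow: Flow) -> str:
        if self.egress_ports is not None and flow[3] not in self.egress_ports:
            return "drop"  # no state is created, so no reply can match later
        self.tracked.add(flow)
        return "accept"

    def inbound(self, flow: Flow) -> str:
        return "accept" if reverse(flow) in self.tracked else "drop"


# Constructed sample traffic (documentation address ranges, made-up ports).
EXPECTED_OUT = ("10.0.0.5", 50001, "203.0.113.10", 443)     # planned: HTTPS
UNEXPECTED_OUT = ("10.0.0.5", 50002, "198.51.100.7", 6667)  # nobody planned it
UNSOLICITED_IN = ("192.0.2.99", 40000, "10.0.0.5", 22)      # no one inside asked


def run(fw: StatefulFirewall) -> dict:
    """Replay the sample traffic; report the verdict on each inbound packet."""
    fw.outbound(EXPECTED_OUT)
    fw.outbound(UNEXPECTED_OUT)
    return {
        "reply_to_expected": fw.inbound(reverse(EXPECTED_OUT)),
        "reply_to_unexpected": fw.inbound(reverse(UNEXPECTED_OUT)),
        "unsolicited": fw.inbound(UNSOLICITED_IN),
    }


if __name__ == "__main__":
    print("allow-all egress:", run(StatefulFirewall()))
    print("egress allowlist:", run(StatefulFirewall(egress_ports={53, 443})))
```

With allow-all egress the reply to the unplanned connection is accepted just like the planned one; with the allowlist it is dropped because the outgoing packet never created state.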

I promised 10 (+1) in the title of this article. This bonus piece of the analogy turns it around and gives you a different perspective on how to think about IT security:

  1. Good analogies go both ways. Any basic security principles that apply to securing your network can also apply to securing your house or even the building in which you house the physical infrastructure of your network. The lesson: Don't neglect physical security. The best firewall in the world won't stop someone from walking in the front door empty-handed, then walking out with thousands of dollars in hardware containing millions of dollars' worth of data. That's a job for the deadbolt.

Okay, back to packing. I've procrastinated enough.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

14 comments
aya.dream

Great post...but you forgot to mention closing the barn door! It does not matter how powerful a system you have, how many different firewall programs you run or how many virus scanners you have. In the end you are your system's worst enemy. Social engineering is big business and it aims to get information about you from you (ultimately your passwords and money). This can be done by telephone (Hi I'm a field technician for XYZ AntiVirus Inc, can I have your password to fix a problem we're having with your system), e-mail (Please find attached photo of me 'thisisme.jpg.exe') or by chatline (Do you want to swap photos?). Don't let you be your biggest security risk.

aaron

I love this post...It gives me great material for conversation. I am going to take it one step further in that businesses should protect their network the same way they physically protect their headquarters, campus, etc... When you work for a company you oftentimes need a badge. If you don't have a badge, you need to sign in as a visitor, show picture ID and have a meeting with a person from that company. Then, security calls to verify that you have a meeting with that person, and in some cases that person has to come to the lobby to escort you. Beyond that there are security cameras everywhere watching. So, essentially the company knows who belongs in the building and everyone else needs approval to get in. And there is an eye in the sky watching everything. This is the approach Bit9 takes in protecting Windows systems. An IT department says what executables, dlls, etc. are good...anything outside of that needs approval before it can install and execute. Additionally, we'll tell you the second someone copies any software to any machine in your environment (eye in the sky) in real time. What many businesses do today is have a list of bad guys and if you aren't on that list then you can go through no problem. How long would that last as the physical security policy at a company? Check us out at www.bit9.com

popoute

It seems that people usually have logical thinking when they discuss physical security. This is not the case when they discuss logical security. There are hundreds of companies that have invested heavily into intrusion detection systems but they have a total lack of incident response or policies associated with what to do when there is an incident detected. When you ask them if they would buy a home alarm system that does not have a siren and does not alert the police they always respond "No way", however they do this on a day to day basis with their logical security. Good article.

Clement Dupuis
cdupuis@cccure.org
http://www.cccure.org

v982911

Great post, I love this. Finally someone with good thoughts on security without trying to make things much more difficult.

Sterling chip Camden

#6 changed my thinking. I've always thought it prudent to avoid drawing attention to your network, but I can see how a black hat might just move along to an easier target if they can perceive the measures that have been put into place.

apotheon

"What many businesses do today is have a list of bad guys and if you aren't on that list then you can go through no problem. How long would that last as the physical security policy at a company?"

It's really dismaying how often I see that sort of "default allow" access control policy. Access control should always, except in certain very specific circumstances, be managed with a "default deny" policy -- much like what you describe Bit9 doing. This applies to remote login, firewalls, and software management, among other things.

graham.moore

I like the approach you take in this article. If more people used the home security analogy as a basis for dealing with both physical and logical security issues at work, fewer security failures would occur in the workplace. A couple of errors regarding the deadbolt analogy - deadbolt locks are as easy to pick as their knobset counterparts. Both a Kwikset (or Weiser, Schlage, Corbin, etc.) deadbolt and knobset use essentially the same cylinders, manufactured to the same tolerances. Their pick resistance is identical. The durability of the housings surrounding the cylinders is what makes a difference. An important benefit you can get from a deadbolt is the option to improve the pick resistance (UL437 standard cylinders) and ability to resist brute force attack on this particular security component without having to upgrade everything else in your keying system (ANSI Grade 1 vs. Grades 2 or 3). You run the risk of having a device that is not part of your security system (carrying an additional key) if this is all you upgrade. Deadbolts aren't typically tempered steel. Even the best Grade 1 deadbolts use a brass bolt assembly with a hardened steel insert concealed in the bolt. This construction gives several benefits that can contribute to your analogy. The brass bolt is cheaper and easier to machine, doesn't rust like the high carbon steel insert it conceals, is self-lubricating and shatter resistant. Sounds like another case of defense in depth, no?

apotheon

"changed my thinking"

That's about the best compliment I can get as a response to one of these articles. It means I'm doing exactly the job I set out to do: provide inspiration for people to think about security in new ways. I don't think any other job than security is so completely dependent upon constantly viewing things from new perspectives to do it well.

apotheon

When I was living in Florida, I had a couple of friends who worked as locksmiths -- one for an on-call service similar to AAA's for getting people into their cars when they've locked themselves out, but more geared toward houses and the like, and the other as a freelance locksmith who pretty much did it all (including picking car door locks -- not an easy task). Thanks to the two of them, I've gotten to experience the process of lockpicking first-hand. One of the first things I noticed is that a standard set of lockpicks can prove problematic with a deadbolt. Because the mechanism is much heavier than that in a standard door-handle lock, and the very slim metal used in a typical lockpick, it can be quite difficult to turn a deadbolt when picking it. I felt like I needed an extra hand to get it turned. The technical process of pushing the tumblers out of the way may not be any more difficult, but actually getting the deadbolt open is a trifle more difficult.

"Deadbolts aren't typically tempered steel. Even the best Grade 1 deadbolts use a brass bolt assembly with a hardened steel insert concealed in the bolt. This construction gives several benefits that can contribute to your analogy. The brass bolt is cheaper and easier to machine, doesn't rust like the high carbon steel insert it conceals, is self-lubricating and shatter resistant."

Now . . . that I didn't know. Thanks for the information.

apotheon

I'd say I'll keep that in mind, except for two things: 1. I'm unlikely to ever pick another lock. 2. I'm sure I've lost whatever lockpicking mojo I picked up in that hour-long bit of demonstration and instruction.

graham.moore

You can normally pick a deadbolt cylinder as easily as a knobset (I find it easier because it is held more firmly in place) but you have to fight the spring holding the bolt in the thrown position. That's where a thin flat-bladed screwdriver is handy to actually turn the plug once it's picked. As you mentioned, a stiff internal assembly can be really hard on tension wrenches.
