Dismiss Notice
Join Physics Forums Today!
The friendliest, high quality science and math community on the planet! Everyone who loves science is here!

The TAO of security

  1. Aug 31, 2010 #1
    Security, Risk Management, and Disaster Recovery is one area where I am an expert ( worked for SunGard, years ago.).

    Since we are scientists, techologists, and overall rational people on this board I will post some insights into this, and hopefully you can apply this where you work and live.

    Technology has gotten to the point where bandwidth is cheap and there is instantaneous communication from the desktop to the portable phone across a global enterprise.

    The mantra is that 'we do because we can', and that is the largest threat to organizational security. You hear people say that an older network was more secure, and it was, because primitave technology in itself is was poor in features and thus did not present the opportunity for security breaches.

    We let marketing departments of product vendors convince us to compromise common sense for the sake of convince and gadetry.

    Networking hardware vendors want everyone in your organization downloading porn at blazing speeds. Back when network bandwidth was expensive ( both from the standpoint of hardware and connection bandwidth) decisions concerning email and the internet were taken seriously. The receptionist did not have internet access, and email was limited.

    Introducing wireless routers into your organization creates a massive security hole. As does handing everyone a smart phone with apps that tie back into your organization.

    Every time someone leaves the building with a laptop, that is a security risk.

    It has gotten to the point where decision makers find the exception, and convince themselves that it is a justification to introduce fundamentally flawed ideas into the organization's workflow and technology.
  2. jcsd
  3. Sep 8, 2010 #2
    Thanks for the tips airborne! Keep them coming if you can!
  4. Sep 11, 2010 #3


    User Avatar
    Science Advisor
    Gold Member
    2017 Award

    I really have to disagree with this. Security is one thing but, cutting off people from their ability to work makes no sense.

    I have had my work disrupted and circumvented by overzealous corporate system administrators who couldn't care less about what we are in business for. For example, last year they cut off access to downloading Firefox because it wasn't an "approved browser". It never occurred to them that our customers preferred it and we (and many other projects in the company) were contractually required to test software with it. Our only choice was to download it outside of work and install it that way - real nice security courtesty of the admins. We also have admins that regularly cut off previously agreed-to ports that are being used by our customer. It's so much fun to spend an entire day re-explaining why that port has to be available.
    Older networks were not more secure because of a lack of features - there just weren't as many viruses and trojans as there are now. There are lots of people who still use primitive technology and they are at the most risk. You seem to advocate cutting off the use of all technological advances. Why not just unplug everyone from the internet and do away with computers entirely? That would be very secure but it wouldn't be realistic either. Network security is an ongoing endevour that has to be balanced with the needs of an organization AND changing technology.
    There is such a thing as encryption. It can be used in each of these cases. My laptop's entire hard drive is encrypted along with other security measures. Good luck getting any data off of it if it gets stolen.
  5. Sep 12, 2010 #4

    First, I am talking much older networks. You cannot have a virus if server does not execute data coming in a network pipe. You can't put a virus on a novell server, not the old ones. Try installing an NLM over the network. It was a lack of technology. I think it is timeframe. I am talking back a bit farther. Back when TCP/IP was a curiosity.

    Am I saying we should go back to that? No, but it illustrates how convience and distributed applications with the open connectivity from any workstation to the internet has really created a security challenge.

    And there is no way to secure a wireless network. That is not a theory. Yes there are technolgoies, but it requires expensive technology which is not even avaible to the home user.
    A laptop and a $200 investment and a few applications and you can hack any wireless network. So if you can access your wireless network, what do you think is preventing anyone else? Does your router lockup if someone attempts too many tries at the passskey? Nope.
    Even limiting it by wireless card machine ID is easy to hack.

    There are ways to limit the risk, but it is very hard to eliminate it. The military and government do it because they have no limit to budget, but companies do have a limit.

    One way you can help yourself is to not broadcast the SSID and change the passkey every day. Plus you can limit connections by the Machine ID of the wireless cards. It is really a numbers game. How many permutations the application cracking your network will have to perform. It will eventually do it, so by changing the parameters you limit the window.

    I cannot tell anyone how to hack anything, it is a contractual thing, you cannot get certified if you break the ethic. But it is not hard. Just keep in mind that if you have wireless coverage outside your home or office, then anyone has coverage. So limiting the range is one way to really help prevent.

    Again it goes back to who is minding the store. Just because cisco creates the ability to do X, there is no reason everyone has to buy it. They are selling a product, so they will push technology to the limit. It does not mean you have to buy into it.

    And the issue with connectivity. Remember proxy servers? Well they are back in vogue again, and the reason is not to save money on the cost of bandwidth as they were intended. Now it is for security.

    And no, there is no reason for everyone in the company to have internet access. It kills productivity and it is a security risk. Any reason that a bank teller needs internet access? Considering the application that can access anyones financial information is on the same workstation?

  6. Sep 13, 2010 #5
    Keep this in mind about security.

    There is a not a single off the shelf solution, and you have to think in terms of security in its entirety.

    I am not talking about the government, but your corporate, small business, or home. It is not a matter of if you have a security risk, you always do, no matter what you use. Cracking any security scheme is really just a numbers game, and opportunity.

    Any scheme can be cracked. How do you think Law Enforcement gathers computer evidence? In Delaware they go after child pornograpy aggressively, and they nail people who download. I won't get specific, but there has not been a single computer system that they have not been able to recovery evidence from, not one. ( I really cannot go into it, but trust me, it is very easy to recover information ).

    The hasp key type solutions are good, don't get me wrong, but it is not the sole solution. And the software driver encryption for hard drives is good, but it has some flaws. And performance is not the only drawback.

    Besides if you are taking your laptop to a public access point people do not need your computer, you have basiclly attached your system to an open network.

    Every packet on a wireless network can be captured, encrypted or not. And the access point itself is open to anyone. Would you let anyone walk in your work and plug into a network connection? Actually that is less of security risk than wireless network, because depending on the switch, they cannot see all the network traffic.

    For your own home network, you can do a simple exercise. Walk around the house with your laptop and see how far you can still connect to the network. If you want outdoor internet accesss then get another wireless router that can only connect to the internet, and then move the other router to a position that is not accessable from outside the house.

    If you have issues moving the router, then buy window film that blocks the broadcast from going outside.

    Sounds like common sense, it is. But you have to think about security at every level.

    Another thing. Delete the default accounts in whatever software you install. Why give someone an easy way to hack, if they know the default accounts then they really only have to figure out the password.
Share this great discussion with others via Reddit, Google+, Twitter, or Facebook