My “Why I Don’t Use Antivirus” post has been receiving a recent surge of traffic, and with it, new commentors who open my eyes to how other people think. The result of my reading these comments is the conclusion that people view practices as either “secure” or “insecure,” while leaving little room in between the camps.
In this post, I’m going to introduce a concept that is hardly new, but needs more attention:
Secure Enough: The point in which the impact of an unmitigated risk is less than the effort to mitigate the risk.
Defensive computer security is not a game you can win. All it takes is one unacceptable compromise for you to lose, while offensive computer security plays with polar rules. What changes from person to person however is the definition of “unacceptable compromise.” For a home machine, it may be an attacker gaining access to information that would leave an individual financially vulnerable. For a business, it is definitely related to the goals of the business and the damage a compromise could inflict.
Because of this, every entity’s security model is going to be different, but they (should) all start with an analysis of resources and the priority with which they should be protected. Then, and only then, should layers of security be applied to a system. The reason for this?
Security applied without cause increases complexity of a system with no added benefit. [1]
Breaking it down, the steps to deciding how to secure a system are as follows:
- Quantify the resources of a system (not forgetting privacy, damage to community, and other frequently overlooked aspects of a compromise)
- Determine the importance of defending each resource (including cost to repair, replace, and contain the results of an attack in man hour, intellectual property, and dollar cost)
- Determine the risk tolerance for each resource identified, independent of cost (with 0 meaning much risk tolerance, and arbitrarily high numbers conveying increasingly less risk tolerance, for the sake of this article)
- Determine the cost of defending each resource (using the same criteria as #2, in addition to including cost to maintain the security measure)
I won’t go further into describing how to do the analysis, because every entity is going to be different with every facet. Regardless, once the three steps have been performed, deciding which security layers to apply is the result of an expression like the following: [2]
if: (importance of resource + cost of resource) * risk tolerance > (cost of implementing security measure)
then: Defend resource using security measure identified
else: Analyze less costly alternatives for defending resource, defend with blanket defense, or ignore additional defense for this resource completely
This trivially says that if the resource is important, valuable, and you cannot risk an attack on it, it will be beneficial to mitigate any risk of that resource being compromised. Alternatively, if the resource is not important, not valuable, and you can tolerate the risk of it being compromised, it may not be worth the effort to mitigate the potential security threat. Points in between become a balance of cost of and risk tolerance versus the cost of implementing a security layer to protect the resource.
This method of securing a system obviously leaves security threats that are not directly mitigated. But the idea is not to get perfect security coverage, it is to adequately cover the resources that are worth defending. Or, in other words, the goal is to be Secure Enough.
[1] Okay, maybe there is *some* benefit, but because the security layer was applied without direct cause, the potential benefit will only be realized on accident – but regardless increases the complexity of a system.
[2] I made this expression up, it is only given to convey the relationship between the involved metrics.
I want to open this up with a question posed by j9er on twitter:
j9er Taking cloud computing to its ultimate outcome, does ayone care that, say, Microsoft would have all your data? Or, Google?
My concise response: yes, I care. But the three primary reasons go beyond the 140 characters twitter would allot me.
Unrestricted Access
The big thing that keeps me from being completely comfortable with a third party storing my data for me is whether I would have unrestricted access to my data. Currently, users are even having problems with google disabling access to its user’s gmail accounts. So say Google or Microsoft have all my data, not just my e-mail and some google docs: how are they going to guarantee that I can access my data how I want, when I want, and wherever I want?
Security
Beyond that, security is an issue. On my home system or my personal servers, I can guarantee their security, as I am the sole administrator of my nodes and I am security conscious. Additionally, my personal data is not coveted by malicious hackers. The amount of effort it would take for someone to gain access to my machines externally is definitely not worth the information they would gain access to. However, when the information of millions of users is aggregated into one location, that data becomes extremely attractive. So the second question becomes: how can the company guarantee the security of the cloud, and the security of the information within? (On that note, I highly reccommend the cloudsecurity blog, where they attempt to answer these questions.)
Privacy
The last concern is one I am sure most people familiar with the topic have thought about. Storing information with an organization involves a great amount of trust, and when it is done improperly people raise their voices. (A good example is any time the CIA/NSA/FBI want to merge databases. If you do it without consent, it is an improper collection of information.) Storing information in the cloud therefore needs to be consensual, guarded well, and exposed only to the owner and applications owned by the organization, but never reviewed by humans, and with all personally identifying information scrubbed. The final question therefore is: how can the organization storing my data guarantee my personal privacy?
I care about my data. Especially who has it, who may have access to it, and how it may be used to identify me. Until the questions can be answered and those guarantees made, I won’t be comfortable storing all my data in the cloud.
I had a friend share a blog post of a story that has been all over the Internet lately regarding Microsoft having a government backdoor in Windows. The story shared is located here, but I’m sure drudging around tech news sites run by 14 year olds or ignorant IT professionals will expose you to similar content.
Full disclosure: I’ve been using Linux for over five years regularly, and am typing this post from my laptop running Debian Linux to my server running Debian Linux, but I do use Windows on my desktop. Hopefully that sentence will cut down on comments accusing me of fanboyism, because I’m going to stick up for Microsoft here.
Actually, I don’t need to stick up for them – because the ‘backdoor’ doesn’t exist as far as anyone knows. I can’t pretend to know whether one exists (a huge reason why open source is better in cases like this), but in this instance the authors of titles are just being media whores and trying to amplify the situation for traffic. The reasons why this is true are straightforward, and numbered for your pleasure:
1. The component in question is not a part of Windows by default.
The program the article’s author is claiming has a backdoor is the Malicious Software Removal Tool, which does not ship by default with any version of Windows. Yeah, it is a component produced by Microsoft, but even if there was a backdoor in it, it isn’t a backdoor in Windows.
2. It isn’t a backdoor.
Backdoors allow an outsider unauthorized access into a system. As the article reports, the Malicious Software Removal Tool may report the IP address of the machine through the tool to a central location. Reporting an IP is nowhere near the same class as a backdoor. While I won’t argue that doing this against the user’s will is a breach of privacy, people seem to be in love with escalating issues, and it is as stupid as it is unfounded.
3. Everything is speculation.
Find a fact worth the attention these stories are getting. Everything is based on interpretation of events, and the discussion following those interpretations are once again removed before “facts” are arrived at. Sensationalist writing has always annoyed me, and that people take it seriously even more so.
So there you have it. The fabled Microsoft Windows government backdoor is a manifestation produced by someone who fails both at basic computer security and journalism. Just as the title of this post states: the Microsoft Windows government backdoor… isn’t.
