Today, Frederic Bret-Mounet, security expert with @stake, reveals how you can proactively build security and privacy into your systems and processes from the early concept stage and beyond.
Anthony: Fred, what do you do at @stake?
Fred: My official title is Senior Security Architect. In plain English, I’m a hacker for hire, although I'm legal - or a “white hat,” as we say in the industry. Clients hire me and my colleagues as consultants to perform 2 types of security assessments: 1) we pretend to be bad guys by launching actual attacks on their systems and exploring avenues to compromise them; or 2) we take a proactive approach and help them design secure systems by working at the architectural or design levels to ensure that threats are mitigated.

The second approach is clearly the preferred one. We have studies showing that the cost of addressing security issues in an existing system is 10 times the cost of designing a system with security in mind from the start.
Anthony: What security protections are available for basic online computing?
Fred: There are 3 primary lines of defense:

- Hardware firewall and personal firewall

Firewalls are sold as the holy grail of security. Unfortunately, they aren’t. They’re like the lock on the front door of your house. You wouldn’t buy a house without a lock. But everyone knows that a locksmith will get through that door very easily. That said, a firewall is definitely a must-have. Firewalls are overlooked by scores of home users because they require an investment in an add-on product that isn’t typically supplied when they purchase their computing equipment.

Hardware and personal firewalls have different scopes. A hardware firewall is used to protect a network of multiple computers. A personal (software) firewall is meant to run on your own machine for your own protection. It’s the first line of defense you would deploy in the evolution of a start-up.

- Antivirus software

If you have a broadband connection, it’s only a matter of days before you get infected with malicious software viruses. Therefore, an antivirus is critical. Even more important is a subscription that keeps the antivirus’s detection capabilities up-to-date. Do not purchase the antivirus any other way than with a subscription that you’ll renew annually.

- Spyware removal software

Browsers have vulnerabilities that have not been addressed yet. Attackers can install code on your hard drive called Spyware, that tracks your actions and behavior and ties up precious CPU and hard drive resources. There are several products on the market, such as Spybot and Ad-Aware™, that remove Spyware. As in the case of the antivirus, Spyware removal software requires constant updating to remain effective.
Anthony: How should user behavior be altered to improve security?
Fred: Security often fails because of inadequate user behavior. One must develop best practices and habits that are both security-minded and user-friendly. Here are some examples of dos and don’ts:

- Avoid opening e-mails with binary attachments; these may contain malicious viruses.
- Avoid using a unique password that’s shared across all systems because a successful discovery of that password by a hacker may compromise your credentials across multiple systems, financial data, access to your computer, etc. Also, passwords that use your mother’s maiden name, child’s name, pet’s name, or any common word are not secure. There are tools that use dictionary-based attacks to compromise passwords. So if your password happens to be in the dictionary, or looks a lot like a word in the dictionary, then it can be discovered in less than a few hours.
- Don’t use your browser’s auto-complete feature for username and password credentials. While this feature is convenient, it’s not secure; your credentials can easily be retrieved from your hard drive.
- Make sure you perform a Windows® update at least once a week, and check for patches. Some updates are for functionality while others are for security. As soon as a patch is made available, the underground world tries to reverse engineer it to build an attack on those non-patched environments. It’s a race you need to keep up with.
Anthony: Do you have a recommendation on how to build a secure password?
Fred: The best technique to generate a secure password is to create a memorable sentence and pick, for example, the first letter of each word or some mnemonic way of recalling what that password is. Use a mix of lower and upper case letters, numbers, and perhaps special characters. Many systems don’t allow you to go that far. So you have to work within their limits. But that’s the ideal scenario. Never use less than 6 characters, ideally 8 or 10.

For example: “We were married at 11 a.m. in Paris in April” could produce the following password - Wwm@11iPi4. Such a password can be easy to remember, but hard to compromise by a dictionary attack.

If you have many passwords to manage, there are tools called password stores to store all those sets of credentials. You use a cryptographic passphrase to log into that software and decrypt your other passwords. You are left with only one password to remember.
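As an added illustration (example code written for this edit, not from the interview or from @stake), the following Python checks a candidate password against the rules Fred gives: a minimum length, a mix of character classes, and whether it is really a dictionary word once the letter-for-symbol substitutions that dictionary-based cracking tools undo automatically are removed. The word list and the sample passwords are constructed for the example; a real wordlist has millions of entries.

```python
import string

# Constructed stand-in for a cracking wordlist (a real one is far larger).
DICTIONARY = {"password", "welcome", "paris", "fluffy", "summer", "married", "letmein"}

# Letter-for-symbol substitutions that dictionary-based tools reverse
# automatically, so "P@ssw0rd" is treated as no stronger than "password".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 8   # interview: never below 6, ideally 8 or 10


def dictionary_core(candidate):
    """Reduce a password to the word a cracker would match it against:
    drop leading/trailing digits and punctuation (e.g. 'Summer2004!'),
    undo leet substitutions, and ignore case."""
    stripped = candidate.strip(string.digits + string.punctuation)
    return stripped.translate(LEET_MAP).lower()


def character_classes(candidate):
    """Count how many of lower, upper, digit and punctuation are present."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(test(c) for c in candidate) for test in tests)


def check_password(candidate, dictionary=DICTIONARY):
    """Return the list of policy findings; an empty list means the password passes."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(candidate) < 3:
        findings.append("fewer than 3 character classes")
    if dictionary_core(candidate) in dictionary:
        findings.append("dictionary word, possibly disguised with substitutions")
    return findings


if __name__ == "__main__":
    # Constructed samples: the interview's mnemonic password and three weak ones.
    for pw in ("Wwm@11iPi4", "P@ssw0rd", "Fluffy1", "Summer2004!"):
        print(pw, "->", check_password(pw) or ["ok"])
```

The mnemonic password passes every check, while the three weak samples are flagged even though each of them mixes several character classes.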
Anthony: How can a concept stage entrepreneur working from a home office protect valuable Intellectual Property (IP) from being hacked?
Fred: IP is probably the most valuable asset in a concept-stage start-up. Make sure you use all the basic tools mentioned earlier (firewall, antivirus and Spyware removal) as primary lines of defense. Other guidelines to protect your IP are:

- Back up at a minimum once a month, preferably weekly, and store the back-up in a safe location - not in your desk drawer. These back-ups are used for disaster recovery in the case of fire, earthquake or other disaster, so choose a secure location.
- Use encryption to protect your data in case your computer is lost or stolen. Windows® XP and PGP® provide file encryption. Forgetting your password means that you will no longer be authorized to access your data. You will therefore lose that information forever if you forget the encryption password. So make sure that when you use encryption, you have a way of retrieving that information. Note that while the use of passwords with basic office software products may prevent casual eavesdropping, it’s not secure, because these products were not designed with security in mind. Most of these do not provide cryptographic strength encryption and one can find tools to recover the content without a password.
- As you collaborate with partners and consultants, remember that e-mail is not a secure method of communication. Therefore, do not send sensitive information by e-mail. You can secure this type of information through PGP®, which integrates with your e-mail application and requires that a) your recipient also uses PGP® and b) a public key be shared between the people who are exchanging data (the private key is unique and is only known to its user).
- FTP is not a secure transport layer. Do not drop files containing sensitive information on the FTP server for other people to pick up.
Anthony: How safe is wireless connectivity?
Fred: Wireless is not secure because it is similar to a broadcasting radio station that everyone can listen to. There are ways to protect wireless communications so that only authorized people are able to understand what’s being broadcast, but it’s still broadcast-based.

I’ve seen quite a few companies and government agencies take a proactive step and ban wireless networks. We would walk around their buildings with wireless sniffers to detect the presence of wireless networks, and could find rogue wireless networks that their employees had actually deployed.

The first line of defense in wireless environments is WEP (Wired Equivalent Privacy). WEP is a built-in security mechanism in the WiFi protocol to ensure confidentiality. Unfortunately it’s been broken due to design and implementation flaws. With a handful of days’ worth of traffic, it’s possible to retrieve the unencrypted content. From a start-up perspective, if you have a wireless network, you’re probably going to be tied to using WEP, because right now, that’s the only realistic offering in the home/small business arena. At the very least, go with WEP 128 bits. Ideally, you want to use WPA, the replacement of WEP, if your hardware supports it. WPA uses dynamic keys which change every 20 minutes or so. So if your key is compromised, the attacker has access to only 20 minutes’ worth of traffic. If you’re using WEP, make sure you change your passphrase at least every month. This is usually a hassle, because you need to copy it on all the machines on the network, but it’s basically the only way to keep your network secure.

I think wireless computing is a convenience that is here to stay and is very hard to resist. Personally, I have been on a wireless network for 3 years now and I would never go back to a wired environment.
Anthony: Do you consider security to be a business enabler?
Fred: Security was perceived as a business disabler during the dotcom boom, because of its high cost and adverse impact on overall system performance and time to market. Since then, people began to realize how critical security was as websites were compromised and private information was disclosed at large.

Over the course of the last few years, I’ve noticed that security has become an important component of an increasing number of business applications including networks, software, processes and business environments. Currently, there’s mounting pressure from the financial and healthcare sectors on their vendors/partners to be security conscious. Many financial institutions require from their vendors that their business plan include a security aspect covering the obvious disaster and recovery/business resumption plan, data confidentiality, etc. In addition, most major financial institutions perform security audits on their vendors and partners because they know that they are only as secure as their weakest link, which is the one they have the least control over.

Pressure is also mounting on the compliance side, putting more emphasis on security. For example, the Gramm-Leach-Bliley Act ("GLB Act") imposes restrictions on financial institutions with respect to the disclosure of personal financial information. HIPAA (Health Insurance Portability and Accountability Act) also has security-related requirements which affect the healthcare industry. In California, SB 1386 requires institutions collecting certain personal information (such as SSN, driver’s license, bank information) to protect it from theft, and notify people when their personal information has been compromised.

To highlight where we are in the security lifecycle, I’d like to go back to the example of the house with a lock. We are now at the stage where the buyer of the house would not accept the house without locks, when during the dotcom boom, the buyer would have probably taken the house without doors. Security now needs to be built both into systems and processes from the ground up. Much like when the government instituted the building code to regulate construction, we are at a stage where laws are put into place to define acceptable practices with respect to digital security.
Anthony: What words of wisdom do you have for today’s early stage start-up entrepreneurs?
Fred: Network security has become a commodity nowadays; there’s not much to be improved upon in this area. Growth is currently being experienced in applications security and security outsourcing. If I were to create a start-up, I would probably concentrate on a product/service that increases user security by changing his/her habits.

Think about security at the business plan stage, especially if you are in the software/technology space. Security can be a differentiator. Today it may give you a slight advantage over your competitors. In six months or a year, it will be expected from everyone.

To find out more about security, check www.securityfocus.com (great site for up-to-date vulnerability information), www.atstake.com, and www.isc2.org. The last site belongs to an organization that delivers CISSP certification (Certified Information System Security Professional). Employers are often requiring the CISSP certification, which is recognized worldwide.
Bio

Frederic Bret-Mounet, CISSP
Senior Security Architect, @stake

Frederic is a seasoned software engineer with 8 years of experience, 6 of those in information technology consulting. His professional experience includes application programming and security consultancy with an emphasis on Web application design and implementation for Fortune 500 companies.

Prior to working with @stake, Fred was part of a consulting company where he completed multiple assignments with both dot-com and financial clients. His expertise covers a broad range of technical and managerial areas including end-to-end knowledge of web and client/server architectures, MFC, C++, VB, COM, Java and wireless networking (802.11). Fred is CISSP certified.