Security lessons from Nature – Venom
I am quite certain that it will come as no surprise to you that there are animals out there that are venomous. Generally speaking, they’re the ones that slither around until you walk up to them, at which point they begin doing a remarkable impersonation of a stick. Should you be unwise enough to think “Hey, I need a stick just like that one!” and pick it up, they will suddenly turn around and stab you with long pointy fangs. Then of course, to add insult to injury, they’ll also inject you with venom. These nasty chemicals will course their way through your system causing pain, organ failure and death.
It’s not just the slithery scaly ones that you should be careful of, of course. There are also the ones with far too many legs. These ones lurk in the woods, waiting for you to get distracted by a pretty nature scene, at which point they’ll descend from the trees on long thin threads, land on your neck and bite you. Then, as you’re falling down and writhing in pain, they’ll climb back up the thread and return to their lairs, giggling the whole way. They also like to live in areas where there are no trees, where they’ll conceal themselves in crevices and wait for you to go rock climbing. If you stick a finger in a hand hold, they’ll bite the fingertip, so that when you yank your hand out and fall off the mountain, you have time to watch your hand slowly swell and turn colours before you eventually splat at the bottom.
Then, there are the ones that live in the sea that are venomous all over. Since they swim better than you, they can come at you from all directions. Since you can only look in one direction at a time, you’re pretty much doomed. There are even some that are almost invisible and are one of the most deadly creatures in the sea.
Lastly, even the cute fuzzy critters can be dangerous. From good sized ones that are part duck to rodents that swarm to little monkey-like creatures with poisonous elbows(!), you never know what’s going to get you.
So yeah, the world is a very dangerous place (and it’s even worse if you dare to live in Australia). The only way to be safe is to not go out in it at all. Well, maybe not. Maybe you’re just fated to get bitten and die a lingering painful death. After all, with all these creatures around, everyone dies that way, right?
What, they don’t?
The lesson to learn this week is one that you already know. Simply put, don’t panic. Yes, there are venomous animals all over, but there are a great many mitigating factors as well. Snakes and spiders actually prefer to be left alone and only bite as a last resort. Even better, most of them aren’t venomous. Scorpion fish and stingrays tend to only bother divers, who generally know the risks and how to avoid them. Also, I can count the number of times I’ve been attacked by a platypus, slow loris or horde of shrews on one hand… and I don’t even need to use my fingers.
The business world is full of security concerns. The threats are real and need to be addressed. However, it can be overwhelming to listen to everyone’s advice and idiotic to ignore it. You have to strike a balance in what you do. It doesn’t make sense to spend a million dollars to protect a $10,000 server. Just like it doesn’t make sense to wear a suit of armor when going rock climbing. The thing is, it also doesn’t make sense to go on a ten mile hike stark naked, smeared with rattlesnake pheromones.
Others have said similar things (Bruce Schneier, Drew McLellan). It really comes down to a simple problem. We’ve had millions of years to come to terms with the risks of living in the world, but only about twenty years to deal with the risks on the Internet. We don’t know how to strike the balance between being naked out there and armoring up ridiculously. We can’t intuitively recognize that a pair of good hiking boots is “good enough”.
There are all sorts of mathematical models that we use in the industry to analyze risk to do cost justification to senior management. They mostly work, but when you down to it, it’s like trying to come up with a mathematical model that says things like “wear gloves when rock climbing” and “don’t pick up snakes in the woods”. They’ll never going to be perfect.
So, what’s the right solution?
I’m afraid that it’s going to have to depend on the situation. If your organization is structured such that you allocate money on a yearly basis, and that money has to be approved by a board, you probably have to weigh all your options, call in numerous vendors, get position statements from all the middle managers, perform risk and threat analyses and put together a cost justification. Then, once you have a plan to present, you get to try to shoehorn the plan into an ROI model that’s not going to work anyway. Then, if you’re lucky, you get it passed. If you’re not, you’re unprotected for another year.
However, I prefer to work with small business. Then it’s easy to do what I like to call “agile security”. It’s fast, it’s cheap and it’s easy. There’s just one drawback. You have to trust.
Back in the days when people didn’t know which snakes were venomous and which ones were safe to hit with a stick and bring home for dinner, they likely relied on a handful of experts. Some knew snakes. Some knew spiders. Some knew plants: which ones not to eat, which ones were yummy, and which ones were the best ground up into a paste and put on the wound that was made when you ignored the advice of the snake expert.
They didn’t have complex models. They didn’t use a lot of numbers. They just said things like: “Don’t touch that snake. When Og touched that snake, it bit him. Then he ran around in circles for a while, turned purple and died.”
In a similar vein, I offer you this advice:
- Install a firewall that blocks both inbound and outbound traffic. If you don’t, it’s easy for an attacker to get your data or use your system to attack others. When this happens, your business will suffer.
- Run a HIPS product (antimalware or application whitelisting). If you don’t, you’ll get infected and an attacker could do anything they want.
- Don’t give everyone administrator access on your servers. If you do, there’s no control over your systems, and anyone could make a mistake that brings everything down.
- Make sure that more than one person knows the administrator passwords. If you don’t, and that person proves to be untrustworthy, you’ll be locked out.
- Keep your systems patched. Server maintenance is like house maintenance. It’s a LOT cheaper to fix things early.
There are a great many others, of course, but these are a good place to start. If you’re not following any of this advice, pick one and start. Remember, you’re walking around in the woods right now. I know that you can’t afford a suit of armor. I know that you don’t know which boots are best. That’s OK. Here are some sandals. They’re not ideal, but it’s better than what you’ve got.
Let’s work our way up together.
Just in case someone gets here by doing a search and doesn’t care for an essay on I.T. Security, here are some links: