The ‘Security by’ model approach

Passionate about it! Intrigued by it! Confused by it! SaaS, RaaS, XaaS, what! what!, okay let me PaaS, oops meant pass! Unlike the as-a-service model that inherently loves prepending strange InfoTech words, I am going to talk about another model that seems to enjoy appending weird random-like words: the ‘Security by’ model! Don’t you just love it? Oops, I meant I.T! Security by Obscurity, Security by Isolation, Security by Default! The ‘Security by’ model approach!


The ‘Security by’ model approaches seem to share and rely on:

  • the protection of systems through reliance on an unknown or hidden weakness in the model or implementation of a particular system remaining unknown to attackers.
  • the securing of systems through the segregation of one system from the others.
  • the safeguarding of applications inherently, that is, security should be built into a platform for all applications without integrating or deploying any additional, separate or third-party solutions.

Security by Obscurity

Below are (some) real-life examples where Security by Obscurity is, or can be, applied:

  1. Port Renaming – As a former System Administrator I have come across (in most cases) colleagues who have, or in my case, tried to narrow down the number of malicious user attacks or malicious bots connecting to specific services running on specific ports by renaming the Port Number(s), as most of these attacks are automated scans done by bots that look for specific ports. This has seen the amount of traffic to these Ports drop considerably, e.g. renaming SSH, Remote Desktop or Web-based Services port numbers to something else. In some cases it might actually not even involve renaming the port as such, but implementing Network Address Translation (NAT) at a firewall level that points to these services or ports.
  2. SSID WiFi Disabling – SSID WiFi disabling basically involves hiding one’s Wireless Network name from being broadcast. We can argue that a WiFi SSID is in itself a Network name, not a password, but some will argue that, at times, the fact that one announces the presence of a Wireless network (by broadcasting the WiFi Network’s SSID) draws unnecessary attention, especially from Script Kiddies and hackers alike who are generally intrigued by these ‘boundaryless signals’.
  3. Default CMS Admin Backend URL Renaming – Online presence in the form of Web sites is on the increase, and of particular interest are Content Management Systems (CMSes) like Joomla, Drupal, WordPress and MODX, to name a few. In order for one to be able to create new posts, update posts or delete posts for blogging, informative or marketing purposes etc., one has to log onto the Admin Backend portal that allows them to make the necessary changes. The different CMSes come with default backend URLs to access their respective Admin panels; for example, by default Joomla is: http://domainname/administrator; Drupal is: http://domainname/?q=user; WordPress is: http://domainname/wp-admin and MODX is: http://domainname/manager, to name a few. Renaming the default URL prevents bots (that usually run specific scripts checking for specific URL patterns) from targeting one’s site, or it prevents malicious users from targeting your site through the use of Google dorks; also see a previous post for more examples.
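As an added example (my own, not from the post), a small Python script that counts requests for the default admin-backend paths listed above in web-server access logs: renaming the URL reduces this noise, but the probes themselves are a useful detection signal, since a single source trying the defaults of several different CMSes is almost certainly a scanner. The sample log lines are constructed; the /wp-login.php entry is my assumption, not from the post.

```python
"""Count probes for default CMS admin paths in Combined Log Format lines (constructed example)."""
import re
from collections import Counter, defaultdict

# Default admin backend paths named in the post, mapped to the CMS they fingerprint.
DEFAULT_ADMIN_PATHS = {
    "/administrator": "Joomla",
    "/?q=user": "Drupal",
    "/wp-admin": "WordPress",
    "/wp-login.php": "WordPress",  # assumption: common companion path, not listed in the post
    "/manager": "MODX",
}

# Minimal Combined Log Format parser: client IP, method, request path, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def classify_probe(path):
    """Return the CMS whose default admin path this request targets, or None."""
    for prefix, cms in DEFAULT_ADMIN_PATHS.items():
        # Exact match or prefix followed by a separator, so /manager does not match /managers-guide.html
        if path == prefix or any(path.startswith(prefix + sep) for sep in ("/", "?", "&")):
            return cms
    return None


def summarize_probes(log_lines):
    """Per-source-IP counts of default admin path probes, keyed by the CMS each probe targets."""
    hits = defaultdict(Counter)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, _method, path, _status = m.groups()
        cms = classify_probe(path)
        if cms:
            hits[ip][cms] += 1
    return {ip: dict(c) for ip, c in hits.items()}


def likely_scanners(summary, min_distinct_cms=2):
    """Sources that probed the default backends of two or more different CMSes."""
    return sorted(ip for ip, c in summary.items() if len(c) >= min_distinct_cms)


# Constructed sample log lines (documentation IP ranges, not from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /administrator/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /manager/ HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /?q=user HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2023:14:01:09 +0000] "POST /?q=user HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:14:05:00 +0000] "GET /managers-guide.html HTTP/1.1" 200 8800 "-" "curl/7.88"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    print(summary)
    print("likely scanners:", likely_scanners(summary))
```

On a site whose backend URL has been renamed, every hit on these default paths is by definition not a legitimate login, which makes the count a clean alert condition rather than something to filter out.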

Security by Isolation

Below are (some) real-life examples where Security by Isolation is, or can be, applied:

  1. Qubes – Is an operating system that implements security by compartmentalisation. The belief is that no particular Operating system is secure or bug free, so one can have various isolated environments (known as Qubes) running separately for various activities, that is, one Qube can be used for your work-related activities, another for banking, personal stuff, or browsing Tor. The assumption is that if one environment (Qube) is affected, say by malware, it does not spill over to the other environments. In the end, the isolation prevents a single attack from completely crippling your operations.
  2. Air gap – Is a technique of separating a secure system or systems by completely disconnecting it / them from unsecured networks. The isolation is done physically; the main purpose is to not link systems with public networks or networks that have direct internet access. Air gaps are usually used in mission-critical, highly secure environments, for example, servers that store Card Holder details (credit cards) or industrial control systems (SCADA systems).
  3. Fireglass – Threat isolation platform that offers web, email and document isolation solutions (to name a few). As an example, malicious links & attachments sent via email are not delivered directly to a user. Links are altered on the Fireglass server side and replaced with safe links, viewable securely through document isolation.

Security by Default

Below are (some) real-life examples where Security by Default is, or can be, applied:

  1. Tails – Is a live operating system whose emphasis is anonymity and privacy. It enables users to surf and browse the internet anonymously without leaving a trace, unless one explicitly tells it to do so. It comes built-in and pre-configured with apps like Tor.
  2. Docker – Is a software container platform that comes bundled with libraries and settings to make applications work on the go. This uniform configuration guarantees that software will always run the same irrespective of where it is deployed.
  3. *Nix – A collective term for Operating systems that more or less behave like, or are a derivative of, Unix, that is, Linux and the BSD Operating systems. Ubuntu Linux by default locks the “root” (administrator) password, hence a newly created user cannot log in as root; the user is assigned administrative rights at setup to carry out administrative tasks, though.

The above three (3) are not the only “Security by’s!” One will often hear of Security by Design, Security by Minority and Security by Diversity, to name a few. That being said, is the ‘Security by’ model approach a good or bad security approach!? I personally consider it good if it is used as an additional protective security layer on top of an already hardened system or technology, and bad if one heavily relies on it and ONLY uses it to conceal, host or support an already vulnerable or weak configuration, application, system or environment. When things take the latter route, Risk management is the aftermath; that’s the catch! Do the risks outweigh the implementation? That being said, one needs to understand the problem at hand, that is, the pros & cons, as this enables or helps individuals or organisations make informed risk management decisions towards “The ‘Security by’ model approach!”
