Tomorrow I get on a plane to go to Seattle, and I'll be placing my Great Lash Maybelline Mascara in checked baggage. Because the threat of me carrying mascara on board is much, much too great… much, much, much too risky. There are some that argue that the FAA rules make them more secure. There are some that argue that the FAA, in its refusal to profile airline passengers, will miss things, while objects that are not a security risk, like a tube of Great Lash Maybelline Mascara, will be assigned inappropriate threat and risk levels.
I say it just points out and emphasizes the reality of the world we live in.
We cannot identify, we cannot prioritize, we cannot quantify, we cannot determine risks.
And as long as we cannot identify and quantify risks, just like the FAA's inability to assign different risk levels to different folks, we too will be forever securing, worrying, and working towards a badly defined threat model that we don't understand. And we'll end up exactly like the FAA, not protecting against the things we should be protecting against.
This is prompted by the blog post that was pointed out to me by Bucky and Amy about the idea that SBS is 'insecure by default' because of the manner in which it is deployed, which in turn was prompted by a post to the public newsgroup by an SBS consultant. The reality is that a checklist does not make you secure. Deploying 12 servers (which is the minimum number we added up to provide separation of duties and redundant systems) does not make you secure.
Our real threat model
Risk/threat model of the SBS 2000 platform: In that day and age IIS was being attacked right and left. Code Red/Nimda nailed our boxes. Risk mitigation that Susan used for our 'all our eggs in one basket' network? She closed ports 80 and 443. Viruses came in via email, so she delayed deployment of the SBS 2000 platform until Trend's antivirus covered the Exchange box.
Risk/threat model of the SBS 2003 era: What are we seeing as issues nailing us? What zero-day events do we have? January of this year, image files. Today we have a zero-day Word 2000 impact. Where are many of my risk factors? Applications, malware, browser exploits.
The definition of Internet facing device
When folks define an “internet facing device”, to me that definition isn't just the server; it's every single workstation running Internet Explorer with local administrator rights that doesn't have some sort of antispyware and popup blocker, or, heaven forbid, is running the IE 7 beta on those XP SP2 boxes. Each time a user in my office surfs while running with local administrator rights, they bring more risk factors into my office than my server does. Because, like Sandi said, there is no such thing as 'surfing to trusted sites' anymore; every web site could be a potential threat to my network.
I watch the pings on the open ports using Scorpion Software's Firewall dashboard, and the directed pings from sources that are not me, other remote users, or the cell phones that sync with the server are few and far between.
To me, my workstations are just as much a part of the security fabric of my network as my server is, so much so that when folks say, “well, if a workstation gets owned, as long as it has been set up appropriately with the proper security role, you just flatten the machine and reinstall,” it's obvious they don't understand how most small firms work. All of us in the office need to get into the same shared databases. All of us share the same data. We are a collaborative firm. Thus if there is any breach in any part of my network, something failed. Something that I have to investigate. Something that may warrant an SB1386 notification.
If I get a keylogger on a workstation that has access to my network, it really doesn't matter if my network is set up with one server or twelve. Each workstation in my office, each of my users, needs access to Exchange, files, the DC, SharePoint. Thus I could have them separated out, but as long as that workstation is the entry point for my greatest risk, trojans, keyloggers and the like, the threat would affect one server or twelve. The entry point for my small firm is not external but internal, helped along by a judicious dollop of local administrator rights on each desktop. I once had this argument with the guru of LUA, Aaron Margosis, when we were discussing the merits of using RunAs, and he commented that the password placed and saved inside a batch file shortcut used to launch runas could be exposed by a keylogger… and I said to him that the game was over already. For if a keylogger got into my network, RunAs or no RunAs, I was having a heart attack because something in my network failed.
In a real security evaluation, you build the threat model by beginning first with the historical incidents of the past. And in a small firm the attackers are not external, but internal.
The eggs in one basket
I have a basket. It's a very watched basket. It's one that folks in 'big server land' cringe over. Separation of duties and whatnot are nonexistent down here. But the reality is that if I had the prerequisite twelve servers to make me “more secure” I'd end up being less secure. Why? Because I certainly wouldn't configure them properly, and misconfigurations are typically a huge threat factor. And secondly, I wouldn't be watching them like I do my one basket. Granted, the other day I missed a 'warning' that wasn't critical, but that's a lesson learned.
Are all my eggs in one basket a risk? Yes. But then again, so is the risk of separation of duties across servers without the necessary expertise and knowledge to keep them safe. I'd strongly argue that more servers to watch, without a good dose of MOM or SCE, would bring more risk to my firm, not less.
Will I change my security needs and views in the future? Oh, you betcha. I'm already looking at Dana's RWW-Guard going forward.
But you know what REALLY keeps me safe?
You guys. You guys pinging me saying “You see gray screens on servers today?” You guys saying “You seen an issue with CRM?” All of us sharing information, sharing as much or more than the bad guys do. That's what keeps me safe. That's what keeps us all safe.
All risks are not created equal
A few months back I was on a project with the Center for Internet Security to define basic minimum standards for protection of critical data. The goal of the project was to define a minimum baseline for all systems. The project was tabled for a bit as we all realized that it was a large project. At the time my concern was that there was no review of the threat model or risk factors. Whether the firm was large or small made no difference. A checklist approach was being attempted, and even Visa's PCI guidelines were mocked as being driven by hardware manufacturers with an agenda to sell more servers. And it points out that as long as we are like the FAA, in this mindset that all risks are created equal, that a tube of Great Lash Maybelline Mascara brought on board a plane by one gal from Fresno, California, is as much of a risk to that flight as a man trained to fly a plane with a religious and social agenda, something WILL get through our defenses. Something will break. Something will fail.
We need to stop reacting, stop checking boxes, and start thinking about our real risks here. Because until we do, we're going to be chasing “boogeymen” where we don't have real risks.
So today, I'm secure enough given the choices I've made.
But I'm certainly not insecure by default.
Not by a long shot. [E-Bitz – SBS MVP, the Official Blog of the SBS “Diva”]