People, not Technology
No matter how hi-tech we go about securing our resources, our assets, our networks, people play the most important role. Say an IDS claims to detect about 90% of the attacks happening on our networks, the rest being false alarms, we would assume it to be a very fool-proof system. Assuming today you get about 10 'doorknob rattling' attempts a day on your Internet gateway, you will not be able to detect 1 attempt which is considered acceptable (not by me!). Now try increasing the sample space. Tomorrow, the attempts might increase to 1000. 90 of them are detected, but what about the rest 10? Won't they go unnoticed? How will you be alarmed about them? That's the gap created by relying too much on technology. Only people can close that gap.
Taking this example, let me say that an Intrusion Detection System is only an automated way of monitoring systems which an administrator did traditionally as a part of his job: scanning through the system audit logs & network audit logs looking for anomalies. Given the large number of systems an admin has to manage today, IDSes are a boon. They should help him do his job better. Not to make him lazy. He should not wait for an IDS to throw up an alert. He *has* to do the regular log sifting.
By giving importance to people, Bruce appears to be an absolute anti-techie guy. In fact, it is the reverse. He is an absolute techie, proven by the fact that he wrote two of the best crypto algorithms. He used to believe in relying on technology solely to secure systems. He used to think that crypto was a solution for all the computer-related security problems. But then he got smartened by the discovery that a social engineering attack can give you access to the most secure computer systems in the world.
Indeed, social engineering is the most dreaded form of security breach. A guy claiming to be the mail admin calls you up and asks for your password. You trust your colleague and give him one-time access to your computer. He installs a key-logger on your machine and has access to all that you access. He has access to all that you encrypt, because he has your private key passphrase. Your screensaver password is your girlfriend's name. Technology cannot help here. It is people.
So what is the solution? As any decent security guy might tell you, good security is created by overlapping, cross-checking layers, to slow down attacks. You cannot just put up a firewall and forget your security concerns. In fact, they increase. Putting up a firewall and forgetting about it gives you a false sense of security. You need a good admin to take a look at what's happening on a day-to-day basis. You need people. A firewall is just an example. This is applicable to any system, be it on the Internet or on your LAN.
Interesting: Read this white paper on Towards the Scalable Implementation of a User Level Anomaly Detection System. Or read the news about it. This fueled my thoughts on this post. You could call it the next generation IDS. They claim to predict 94% of the time if a user is trying to move beyond his normal way of working. This could possibly mean an attempted break-in. Again as I said …