Tuesday 26 February 2013

Walls and Fortresses: Some History Lessons

The Great Wall of China, the Limes, Hadrian's Wall, the Maginot Line, the Siegfried Line, the Atlantic Wall, the Berlin Wall... and every "impregnable" fortress ever built. All have failed.

The so-called "security perimeter" doesn't exist anymore; did it ever exist at all?

Cloud infrastructures, BYOD, APTs, (spear) phishing and so on... or just the human factor?

Defence in depth is an old and well-known motto in InfoSec, but many people seem to stop at the perimeter defence.

Sure, having a so-called "perimeter" to defend is reassuring: putting all our effort into defending it lets us believe we are safe inside it, and rest easy while not on the front line.

I don't mean that firewalls, antivirus, anti-spam and other protections are useless; they have their uses. But don't count on them to provide complete security. They never have, and they never will.

History repeats itself, over and over. One of the best known and most documented failed perimeter defences was the Maginot Line during the Battle of France in May-June 1940.

The French military command, as so often preparing for the previous war, thought that building a fortified line would prevent a German invasion. The problem was that this impregnable line was too short: it did not cover the Ardennes, which were deemed impassable to tanks and mobile units.

Though the "Blitzkrieg" concept was still new and largely theoretical at the time, one German general applied it to the full: Erwin Rommel.

The division Rommel commanded, the 7th Panzer, was nicknamed the "Ghost Division" because it moved so fast that even the German high command did not know its whereabouts, let alone the Allies. The panzer thrust through the Ardennes to the Channel coast cut the Allied armies off, and they ended up encircled at Dunkirk.

After the Dunkirk evacuation, the German army turned south to invade the rest of France. It was then that the remaining French forces changed their strategy and adopted "hedgehog" tactics, a defence in depth along the Somme and the Aisne. This was rather effective considering the state of the French army in June 1940, but it had no reserves left and was therefore doomed: Paris fell and the whole country was overrun.

Four years later, when the Allies liberated Western Europe, the Siegfried Line, the German counterpart facing the Maginot Line, did not avail much more against General Patton's tanks.

Lessons to remember:
- The perimeter does not provide complete security. It can even give a false sense of security, which is worse than anything.
- Changes in technology, whether tanks and aircraft or mobile devices (BYOD or not) and cloud infrastructures, can render the very notion of a perimeter mostly obsolete.
- In-depth defences can matter more than perimeter ones.
- Expect the unexpected.
- Dynamism always beats staticness in the end.
- Oh, and always keep an eye on your logs: the Allied defeat might have been averted if the air force reconnaissance reports of German columns in the Ardennes had been heeded at the very start of the offensive.

Information Security Yields a Bunch of Ranting

You rant when your system denies you legitimate access, or simply hinders your work.

You rant when your system is breached.
You rant when fellow workers do something wrong and put your organisation at risk.
You rant when a company or organisation you trusted is breached (certification authorities, whitelist providers, etc.).
You rant when there is a bug, security-related or not.
You're right, nothing new. DON'T PANIC! ;)
Some info about me:
I'm kind of a newbie in InfoSec, though I have had to deal with security for a long time, ever since I first had to administer Internet servers; that was back in 1995.
I have worked in several different domains: Operations, R&D, Logistics, Deliveries (not only on software projects), and more and more in management.
Got hit by, and witnessed, some breaches along the road.
In recent years I had the privilege of working at F-Secure, though this was a mere accident ;) The fellows there inoculated me with a virus I was destined to catch. I can never thank them enough for that :)

So I'm taking the opportunity of being out of a job for now to study InfoSec and to try to pass some certifications, for a start.

This blog will host my thoughts on this large subject and comments on issues and/or security news; no promise it will be updated as regularly as it should, depending on my schedule.

This (not so) virtual world is changing. I feel it in the cables, I feel it on my servers, I smell it on my wifi... But all is not lost, and nothing will be forgotten.