Oh yes, I know – you are the Big Boss. You don’t do things yourself when you can pay others to do them for you. That’s why you don’t wash your car, you don’t shop (unless you need a new car or a new smartphone), you don’t dust your desk, and you don’t empty your garbage bin. But even you know there are things nobody will do for you.
Would you pay others to make love to your wife? Of course you wouldn’t! Oh yes, I know that this is an intimate affair and you wouldn’t entrust it to strangers. But why do you think that the security of your own information – any information, whether personal or business – is a less intimate affair?
Alas, my friend, the security of your information – or at least a clear understanding of what it is, and how you achieve it – that’s YOUR PERSONAL BUSINESS. Of course, it’s no Cosa Nostra, although no Big Boss has any guarantee that their problems won’t one day become his problems, yet it’s certainly Cosa Tua.
Of course, you don’t want to fathom all the technicalities. You think that a Big Boss like you makes money for one and only one purpose – to do Big Business, and nothing else. There is some logic to that, of course, but the security of your information is Big Business. Take my word for it.
As you know, Don Vito Corleone never talked on the phone. He was afraid that his voice might be recorded, and then used to fabricate any number of fakes implicating him in bad things. It was quite a sensible approach for those times, don’t get me wrong, but in our hi-tech world the old man wouldn’t survive a day. You know better than I that you can’t give up cell-phones, e-mail, computers-shmonputers, iPads-shmaypads, and the whole shebang of other electronic gadgets. We live in a world completely different from that of Don Vito, and his commandments don’t work here.
Another old man – Friedrich Nietzsche – once said “what does not destroy me makes me stronger”. The problem with all that damn modern technology is exactly the opposite: first it makes us stronger, and then it destroys us. Or at least it causes so many problems that it would be better if it destroyed us at once…
The situation of a modern Big Boss may be illustrated like this: he takes the seat in a super-fast, non-armoured car (let’s say a Formula One car), and then he starts speeding at a crazy pace along a public highway. Speeding so much that it’s just a matter of time and pure luck how soon he will encounter a sharp turn, where he will eject himself from the highway and ram into a lonely pole, or a cow standing on the shoulder. That is why Formula One cars are not allowed on public highways.
So, you have two options: either change to some economy-class car that won’t fly off the curve whatever you do, or take care of your security while driving a vanity vehicle.
This book is about security measures.
About the Author
My name is Paul Neumann. I am an IT professional, and an expert in IT security. It should not concern you where I was born and where I live, because I don’t live where I was born anymore; I live in many corners of our planet because my services are in demand in many places.
Why did I write this book, and to whom is it addressed? For guys like you – the middle and top-level managers, as well as Big Bosses (and you are one of them, aren’t you?). Because there is a multitude of all kinds of books, manuals, and articles written for so-called security experts – there is no need for you to read them, since you will understand at best one term in ten, if not one in a hundred. But that’s not a problem. They were not written for you, and you do not need to understand them.
The problem is elsewhere. The problem is that most of those “experts”, while reading those materials, understand at best three words in twenty. But they come to you and you entrust to them the most precious thing you have – information security. And that shit is taking care of your information. Not for long, though. Exactly until the first dramatic turn in your life, when someone out there gets an interest in your computer, your e-mail, your iPhone, and your SMS. And that interest won’t come out of sheer curiosity.
I assure you that in my professional life I deal with all kinds of firms, companies, offices, and corporations. To be exact – with the way everything is organized there. Now I seldom organize information security directly – I have grown up since then. But I’m often invited as an expert to assess the situation and outline it to the bosses.
And you know what’s most interesting in all that? In nine cases out of ten those fellows were paying me top bucks just to hear something along the lines of: “C’mon, mate! Your company is all right! Everything is OK, have a nice sleep!” And when I start to list, point by point, all the horrors I saw in their offices, they make sour faces and say: “Paul, buddy, you’re of course an expert and all that, but we think you’re totally wrong.” I am wrong? So what the heck do I cash all that dough for? To tell them fairy tales about the perfect order in their offices?
Would you go to a plastic surgeon and pay him for an expensive examination just to hear something like “C’mon, mate, you look great”? And would you leave his office perfectly happy, taking back to the real world all that’s yours – beer belly, eye bags, cellulite, and an ass as big as two airbags?
Of course, information security, just like the way you look, is your private business. But then what the heck do you pay money to the experts for? What the heck do you pay that money to me for? Sleuths don’t earn their sugar bones for giving their master an excited bark: “Woof, woof, all is right, Master! Woof, woof, there’s nothing to look for! There are no villains around, thanks to the canine god!” Oh, no. Sleuths follow the trail with their noses down to the earth, without paying attention to what lies around, until they find the bastard, catch his ass with their sharp fangs, and bring him back to the master.
I am that sleuth. I make no compliments, and I don’t pay attention to what shit I have to rake with my hands, but I don’t get my remuneration for nothing. And my conclusions and advice are addressed to you, manager, boss, director, or whatever else you are, Big Man. Because if I have found all that shit, it means you are wasting your money paying your “security specialists”. Because it means that they and IT security are totally incompatible.
About the Book
After all, I got bored of repeating the same thing again and again. Each time I come to some company and spot there all the same breaches in IT security, I have to go through the same procedure: put the management in front of me and recite a little lecture. In a discreet but tough manner. Something along the lines of: “Guys, if you don’t do something about this, they will grab your balls very, very soon.”
When a surgeon sees the symptoms of an unpleasant and dangerous disease, he doesn’t mince his words. Why should I? My goal is to make you understand the problem. You see the breach in the IT security? No?
And that breach does exist!
Of course, in this best of all possible worlds I’m not the only expert in IT security. What is more, I won’t have the guts to pretend that I’m one of the top hundred (although privately I hope so, but only hope). Quite the contrary, I will say that there is an army of top-quality IT security professionals for hire.
So why the heck does none of them work for you?!
Do you know?
Because you think it’s not a big deal. Because even a three-day-long, pardon mon Canadien, clap seems to you a bigger problem than the security of your information. That is why you don’t spend money on professionals, and that’s why you don’t bother to learn a tiny little bit about the crouching dangers, and how you can try to dodge them.
Please note that I don’t write “completely avoid”, because that isn’t realistic. What is realistic is raising the level of security by several orders of magnitude. But for that you need to know the whats and hows.
And this book is written exactly to help you understand the “whats” and “hows” of protecting your own security. So you won’t entrust the most private and infinitely precious thing you have to a college drop-out, whom you have hired part-time for 400–500 bucks to change cartridges in printers, explain to accountants where to locate the “any key” on their keyboards, pinch your secretary’s ass (that’s not part of his job contract, but he will do it anyway), demand money for a system upgrade (of his own home system, that is), and take care of the system security as well. Among other things.
Because this is how you have defined his job duties, right? “Take care of all those computer thingies. Oh, yes – and security too, by the way…” So why haven’t you assigned all that burden to the cleaning lady instead? The result would be pretty much the same. If not better.
So bear in mind, my Big and Very Important Friend, that once you read this book, your life won’t be the same as before. You will become paranoid. Everywhere you go, you will sniff for hackers, and phishers, and carders, oh my! You will suddenly realise how shaky the foundations of your fate are.
But I don’t want to make you paranoid. Quite the contrary, I want to put you in control of your own happiness. So you will be able to solidify and reinforce those foundations. And so you will always understand what the heck is going on.
Those Magnificent Men in their Magnificent Offices
Before I start the difficult process of making a revolution in your mind, let us talk a little about all those magnificent, and simultaneously horror-striking, scenes that open before me each time I show up in an office whose security I’m supposed to audit as an IT expert. Or as the sleuth, if you wish.
And so, a Big Guy calls me and invites me to his office for an audit and an expert opinion. He has heard about me from his friends, and from the friends of the friends, who have recommended me. What is interesting, he is not concerned (yet!) with the problems of security, but he knows that many of his Big Bossy Friends have outsourced an IT expert – some Paul, who, like Nero Wolfe, solves problems – and he too wants to outsource an expert. Outsourcing – that’s cool!
“Maybe,” thinks the Big Guy, “this sexpert will find some little hole in my business, enough to summon my little bosses and give ‘em little hell in front of him.”
“Or maybe,” the Big Boss continues to think, “this sleuth Paul will put his long sleuthy nose in all the dusty corners of my computers in vain, and eventually he’ll have to admit that he has sniffed nothing – no smell of fake receipts, no fine aroma of counterfeit seals, not even the awful stench of horrible gaps in the folders, through which one can see the guts of extraordinarily secret documents.”
Yes, as I have already mentioned, this Big Guy hired me exactly for that – to spend big money on an expert’s admission that the state of information security in his office is impeccable. Not a single sleuth will sniff out anything, no mole will find a loophole, no scabby cuckoo will betray the way into his cozy nest – so thinks this pillar of the family business. And he doesn’t even suspect that he rests on legs not of clay, but of straw. That any little rat, whom he can’t even notice from the height of his throne, can in a few minutes crash that pillar down into a zillion little chunks.
But, putting belles-lettres aside, let us get to the facts.
I will dwell on the experience I got in Albania, and I will write about the observations I made in Albanian offices and companies, but let me assure you, my skeptical reader, that you can find such parlours for damsels of not-so-difficult virtue everywhere, be it Albania or Canada, Australia or Poland, Finland or Burkina Faso. Of course, every country has its own particularities – its own national charm, so to say – but as a rule, they don’t cross the limits of statistical deviation. As to the rest, incompetent screw-ups in the matters of information security have the same charming and quite recognizable features practically everywhere.
Every office begins with the security guards. Security guards are not exactly my business, as I specialize in information security, and physical security belongs to the field of expertise of another kind of service, but… But I would like to note some specific features of Those Magnificent Men on Their Magnificent Stools at the entrance, who are particularly conspicuous in Albania.
Unfortunately, as far as I can tell, the concept of professionalism is totally alien to those pals. I have the impression that they are all grown in one and the same incubator, which then shovels them in bulk to all the companies, small and great. What the difference is between such a pal and the wooden figure of an Indian at the entrance to an American tobacconist’s – beats me.
Each and every one of them appears either as a very “middle”-aged worn-out man, or a young fellow with a stunningly dumb look, who took the saying “Can’t do nothin’ – join the force” at face value. None of them knows that security is a very serious job, which requires knowledge, skills, and experience.
Their bosses don’t know that either. I have witnessed the “training” of neophyte security guards, and it always looked more or less like this:
Well, uh, here you sit, and here’s your notebook. Have you got a pen? What the fuck?! I told you to bring a pen, didn’t I?! All right, here’s your monitor – it shows what’s on the other side of the door. If it doesn’t show, fuck the back panel to make it work. There is a loose contact. In a couple of months we shall replace it, if it doesn’t fuck off. If it fucks off, we shall replace it sooner. Now, uh, there is the ring. You look at the monitor. If it’s a terrorist with a bazooka, you don’t open. Otherwise you open. You ask a document. The document must be, got it? You take the document and put it down in the notebook. Have you got a pen? Fuck, I forgot! Here’s your pen. Tomorrow you bring your own one, or we will deduct it from your salary. Now, uh, you put it down in the notebook. Then you ask, where’s he going. You call there and read the name from the document. If they say come in – you let him come in. And you escort him all the way to the right place, got it?! If they say don’t come in – you call them to come to the door to sort it out. Got it all? Go to work. Just in case – here’s my phone number. You call me on business. You call me not on business – I will fire you. What do you mean “what’s on business”? On business is when there is a terrorist with a bazooka on the other side. Then you call me what to do, and I will explain that there is nothing you can do, because nobody can do anything anymore. I’m jokin’, jokin’! Who the fuck cares about our fucking fuck!
Or so it was, if I have recalled properly that beautiful, sophisticated, and business-like language.
And what’s next? The worn-out old man sits down behind the desk, and begins his duties of “guarding the security perimeter”, or whatever they put in the contract between the Big Boss and his brother-in-law’s security company.
“Guarding the security perimeter” looks more or less like this: I ring the doorbell. They open without asking who I am. By the way, I’m not expected. I have already told the Big Boss that I wouldn’t come the very next day after signing the contract, but some time during the month. And he must not tell anyone who I am, and what I am doing in his office.
The guard asks my name, gets a document in his hands, and diligently copies my personal data into his notebook: Ostap Suleiman Ibrahim ibn Hattab Maria Bender-bey. The document is a handcrafted booklet glued inside a red cover that I bought from a street merchant, and filled in at the nearest café. It is adorned with a completely idiotic seal that I carefully copied from the lavatory door at the embassy of Qatar. But the guard is content. The “red book” is in favour everywhere, and in Albania, particularly, it’s revered. Revered so much that one can buy it on every corner for the equivalent of $1.50, and fill it with any sort of drivel.
Then comes this fascinating conversation:
“How can I help you?” asks the guard, duly frowning. I guess it means that if I lie, divine retribution will strike me dead this instant.
“I am here for the IT Department”, I answer, “for the regressive debugging of TCP/IP protocols in the intranet stack with asynchronous UDP, HTTP, and KGB ports.”
The guard is flabbergasted. According to the rules, he should call the IT Department and confirm what I said, but he is incapable of repeating all that nonsense. Besides, he is too lazy to call at all. Therefore, still frowning, he asks:
“D’you have an appointment?”
“No, damn it!”, I answer. “I just came here like that, for I have nothing better to do with my time but to loiter through all sorts of lousy offices, and dig their shitty comps!”
Now the guard calms down. The visitor is angry, therefore everything is in order. Both fissures of what substitutes for his brain have just agreed that if I were a terrorist, I would, first, have a crazy look, a jellabiya, and a bazooka tucked under my belt, and second, I would vehemently try to convince him that I have an appointment, and that’s why I’m here. “Pissed off, hence he’s working”, decides the guard, proud of his acumen.
“Just asking”, smiles the guard, while his eyebrows treacherously unfrown. Next, he explains in detail how to find the IT Department and its workers, and wishes me all the best.
And so begins my not-quite-uninvited odyssey through the corridors of the enterprise…
I doubt there is a need to describe in detail how I walk from one room to another, and what dialogues I stage there. I believe it will be way easier and clearer to boil down the results of my ventures to several postulates, which, statistical variations aside, are true for the absolute majority of the offices I have ever visited:
1. Once a guy has entered the office without a bazooka, he can’t be a villain. Everyone knows that villains have a crazy look, a black beard, and a bazooka tucked under the jellabiya. Everyone who doesn’t match this description can’t be a villain by definition.
2. Everyone thinks that once a guy has passed the security guard, he can be trusted absolutely.
3. In any room it’s enough to pronounce the name and surname of the Big Boss to get all the documents opened and all the secrets revealed. The Big Boss’s name and surname can be obtained from the security guard – he will hand it over this instant, respectfully standing up and assuming the “pay-tension” pose.
4. In not a single room that I visited to get access in the name of the Big Boss did anybody call anywhere, or ask who I was, and why I was taking the Big Name in vain.
5. Ninety-nine percent of users don’t remember their passwords, therefore they hide them in the most sophisticated ways:
(a) Written on a sticker attached to the monitor.
(b) Written on a sticker hidden under the monitor.
(c) Written on a sticker put on the bottom of a drawer. For unhindered access the drawer is always retracted.
(d) Written in a special notebook. For unhindered access the notebook is always opened on the page with passwords, and put under the monitor.
(e) Super-pooper intelligent users write passwords on the stickers backwards to fool the enemy spies. Once this girl flabbergasted me by putting on the sticker the following instruction: “ANAL (enter at rear).”
6. In many companies, due to the constant mess with forgotten passwords, prudent system administrators use one and only one password for all the users. Since users notoriously forget that password, it’s printed in big, bold lettering on a letter-size sheet of paper pinned to the information board.
7. Hardware encryption dongles with security keys, required for handling particularly confidential information, are practically always plugged in, and never leave their bays for years, regardless of whether the one person authorized to access the data is present or not – an old, glorious tradition dating back directly to the encryption floppy-disk era.
8. The password to access the network folders is revealed immediately, as soon as I ask the standard question: “And what’s the password to access the network folders?” In 70% of cases I did not even mention the name of the Big Boss while asking this question, and in 100% of cases I did not even introduce myself.
9. The question “I am here by the order of Mr. Big. May I look at your computer?” brings about common understanding, and permission to look at the computer in question. That is, the response depends on the visual impression: if I’m a little, bald fattie with a pimple over the left eye, people may sometimes call the secretary and ask who the heck is trying to help himself to their computers. But since I’m a handsome middle-aged man in an elegant suit and tie, there are no questions at all. Just like the security guards, all the office employees know that villains can be accurately identified by a bald head, torn jeans, and a bazooka tucked under the jellabiya.
10. When accountants leave for lunch, leaving their offices absolutely empty, their monitors still display the secret data of the “double” accounting. Which can simply be printed out. On the printer standing in the same room. But if you are too lazy, or too environmentally concerned, you can just collect them from the tables – they are already scattered there, printed in several copies. All right, I have exaggerated: in about 10% of companies accountants do lock their offices. Because, as they kindly explain, such is their policy. So, they will go for lunch, while I’m free to work. Locked inside.
11. Nine out of ten accountants honestly answer the question: “What part of the salaries do you pay in cash?” The tenth one will first make sure that I’m not an internal revenue inspector. The answer “No, I am a computer guy”, spiced with a handful of enigmatic acronyms, satisfies her completely.
12. A story in itself is the holy of holies of every company – The Server Room. Secured with a special electronic lock. It is impossible to unlock it. Almost. Because for that you need either to have a plastic credit card handy, or elementary attention to detail: the digits that you need to punch are fairly soiled. And since the system administrators don’t know how to use more than three fingers, trying all the possible combinations hardly takes more than 30 seconds. Especially if you take into consideration that the digits are almost always punched in ascending order. Only once did I see the combination “997”, which left me wondering about the nature of this fluctuation.
13. Most confidential papers in the office are, for security reasons, torn into no less than two pieces. Surely, the staff would tear them into fewer than two pieces, but it’s too difficult, and they are too lazy. Then the papers are thrown into the waste-baskets in such a way that it’s easy to read them at a glance. As a rule, most offices have paper shredders, but the staff don’t like them. A chief accountant in a major bank once told me: “It’s a waste of time to feed this monster with paper, and wait while it chews on it. We just throw the papers in the waste-baskets. Yes, we tear them. Sometimes. What the heck? The cleaning lady empties the garbage twice a day.”
14. Typically, every office has this absent-looking guy in a stretched sweater and with greasy hair. They call him “system programmer”. Having been a system programmer for a number of years in my career, I have no clue what they mean by that, but obviously this guy justifies his salary, while taking care of information security at the same time. He had a brilliant idea: removing CD drives from all the computers. For security, as I learn in confidence. Therefore, trying to record anything on a DVD is futile. Everything you need to copy goes through the USB ports instead. Since modern external USB disks are already pushing the 5TB capacity limit, the lack of opportunity to copy anything onto a 4GB DVD doesn’t make me bite my elbows in despair.
15. If the USB port you want to use to copy data is taken – for example, there is a cell-phone full of downloaded cool applications, with unrestricted broadband Internet access, connected to recharge – office workers will gladly oblige and help you connect your own USB device, which is – I quote myself – “a totally new gadget, which will perform vaccination of your computers against all known viruses”.
16. Secretaries, despite their cute looks and dutiful friendliness, firmly stand for the corporate interests. Attempts to bribe them with sweet chocolate, sweet alcohol, or – God forbid! – sweet money are futile. They will decline your offers with outrage, and will make a big fuss about it. Therefore, don’t try to bribe them. They will tell you everything in simple, human small talk. All you need to know is when the Big Boss will be out till evening; come to see him in the morning, and volunteer to wait. A secretary is human too – she is bored, her office-mates have left for coffee, her Word doesn’t print, and her computer even freezes every now and then. Therefore, a friendly, compassionate conversation with a handsome, middle-aged man in an elegant suit and tie opens her heart. Just don’t forget to use and reuse the phrase “We do it like this”. This phrase opens the flood-gates of her eloquence. For every “We do it like this” is immediately followed by “We do it exactly the same”, or “We do it completely differently”. It is a bottomless source of valuable information on the public and hidden flaws of the Big Boss, the smaller bosses, the whole female staff, as well as the particularities of the business organization, and the schemes to hide documents and evade taxes. Sometimes I regret that I’m not an internal revenue inspector, but then again, where would they get the money to pay me?
17. The same tactic works with cleaning ladies. Maybe even better, for cleaning ladies know a lot. Sometimes they know even more than secretaries.
I could continue the never-ending story of my office voyages, and my findings in the office computers, how intriguing the information I received from the unsuspecting office-mates was, and how much information one can collect about the company itself, its owners, managers, CEO, his business secrets, and personal secrets. But that is not the point. The point is to realise how easily a villain, if only he has no black beard, crazy look, and bazooka tucked under the jellabiya, can penetrate an office and collect all that information. And this book is about the ways to safeguard your business from that, as far as possible.
On “IT specialists”
This book will deal with many quite specific technical things – simply because information security is chiefly and directly related to computers. And there’s no way around this. So, as long as the questions of information security in your company are left in the hands of that guy in torn jeans, who didn’t even turn his head when I entered his room because he was so absorbed in contemplating his Instagram account, you should at least understand some technical basics in general, because only this way can you demand something from such, pardon mon Canadien, “specialists”.
These words will probably put you in unfathomable anguish, out of which you will cry out loud: “What the heck is wrong with those damned computer guys?!” Why must you, while paying those morons all that money (I’m quoting you), personally delve into all the technicalities?
Well, first of all, the money you pay them isn’t all that big. All right, all right – I understand that everything is relative in this world!
Second, you hire one and only one “system programmer”. Who the heck told you to call that dullish pal a system programmer anyway? “System programmer” has a very precise definition, and a scope of skills and duties which have nothing to do with what this sorry excuse for a human being is doing in your company. Let us call him an IT Specialist, and see what duties related to information technology he performs.
Let us begin with the notion that this is a specifically Albanian phenomenon. Why, all countries went through this phase of their development at some point, but in Canada, Europe, Russia, and even in China the IT professions have gone through serious progress, and a differentiation between IT and office specializations. In the 21st century a system administrator won’t be showing your secretary which key is the “any key”. A programmer won’t be changing cartridges in the printers. A system analyst won’t be laying crossover cables from one room to another. An information security specialist will be genuinely surprised if you ask him to repair a computer, and a circuit designer will send you to hell if you ask him to export an Access table to Excel.
Because each one of them is a specialist in the field he knows best. He can’t, and sometimes he isn’t even allowed to, work in another field. Because he isn’t a specialist in that other field.
In Albania everything is different. This creature called “system programmer” or “informatikan” is treated like a jack of all trades. Meanwhile, such an “informatikan” is usually very young. As a rule, he is still a student. Which is understandable, because only at a very young age does one think that he knows everything, and is all that and a bag of chips. This idiotic self-delusion passes with time and experience. And if it doesn’t pass, such an individual will be doomed to read Facebook, and play World of Tanks for the rest of his life.
And you, my dear friend, entrust to this creature the most precious of what you have – computers with information. Together with their protection. Maybe, my dear friend, you have gone crazy. I am very sorry to tell you that, but it’s my sacred duty.
So, let us talk at length about information security, and after that you will decide what to do next. I only beg you to avoid drastic moves. You, and only you, and nobody else, are responsible for the fact that this guy is working in your company. He is not guilty. He has three unfed cats, and a battery of cacti “absorbing monitor radiation” at home. Let him go in peace. As long as you are alive and not broke, everything can still be fixed.
Information security and its classification
Do not skip this chapter with a contemptuous snort – like, I know very well what information security is. It isn’t the binomial theorem. Information security is, like, when information is given to whom it’s allowed, and not given to whom it’s not allowed.
In general, that’s right.
But this observation needs some refinement in more professional terms, so that from here on we won’t move through the text with jerky leaps, but savour each topic systematically, like the genuine frog legs from maître Charles Duchemin at Maxim’s.
So, how do we define the information?
1. A set of personal data bound to an individual, who doesn’t wish to reveal them to third parties,
2. A variety of business information, whose loss, or disclosure may cause Very Serious Problems.
And what can happen to that information?
Unauthorized access to data
Someone for whom this information isn’t intended gets access to the data. That someone may happen to be a casual friend, a casual foe, or a non-casual foe. All three cases are different, but the result is the same, because a casual friend may disseminate the information, and it can fall into the hands of non-casual foes. Nope, I’m sober. I am just trying to systematize my experience at the level available to your perception. Don’t worry, I will explain it with picturesque real-life examples at hand, and everything will become clearer.
Unauthorized data alteration
Someone got access to the information, and changed it. Alteration of the information may have various, and very interesting, results, which can vary from loss of the information to its wrong interpretation. For example, it takes only three bytes to change your dues payable from 100,000 Zimbabwean dollars to 100,000 U.S. dollars, but the impact on your business will be much bigger than that.
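As an added illustration (not part of the book), here is a small Python check that shows how cheap that three-byte edit is and how a keyed integrity tag (HMAC) catches it. The payable record, the ISO currency code ZWL, and the key are constructed sample values; in a real ledger the key would live in a key store, not next to the records.

```python
import hashlib
import hmac
import json

# Constructed example record: a payable of 100,000 in Zimbabwean dollars
# (ZWL is the ISO 4217 code). Sample data, not from any real ledger.
ORIGINAL = {"payee": "ACME Ltd", "amount": 100000, "currency": "ZWL"}

# Assumed secret. A plain hash would not help: whoever edits the record can
# recompute it. The tag is only useful if the key is held somewhere the
# editor of the record cannot reach.
INTEGRITY_KEY = b"example-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialise deterministically so the tag does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 tag over the canonical form of the record."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is byte-for-byte what was sealed."""
    return hmac.compare_digest(seal(record, key), tag)


def bytes_changed(a: dict, b: dict) -> int:
    """Count the bytes that differ between two records' canonical forms."""
    ca, cb = canonical(a), canonical(b)
    return sum(x != y for x, y in zip(ca, cb)) + abs(len(ca) - len(cb))


def tamper_demo() -> dict:
    """Seal the original, swap the currency to USD, and re-check both."""
    tag = seal(ORIGINAL)
    altered = dict(ORIGINAL, currency="USD")  # the three-byte edit
    return {
        "bytes_changed": bytes_changed(ORIGINAL, altered),
        "original_ok": verify(ORIGINAL, tag),
        "altered_ok": verify(altered, tag),
    }


if __name__ == "__main__":
    print(tamper_demo())
```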
Loss of data
This is clear. There were data. Now they ain’t. Gone. The problem is serious, because the data may happen to be unique and irreplaceable. And at this point you may have three legitimate questions: 1) Where are the data? Because it is a disaster just to lose the information, but if your enemies get hold of that information, then the disastrosity of the disaster will grow at a disastrous pace. 2) How can the data be restored? And 3) How could it have been prevented?
Therefore, the question of the information security splits into three basic issues:
Access rights management
It includes multi-level password protection: access to the facilities, computers, disk partitions, folders, and files, as well as access to the network resources, and physical security.
It is not enough to create – you will need to preserve what you have created. The enemies of your information are not limited to humans (competitors, business partners, government, wife, a former lover, etc.). It may be ordinary electricity, which has a nasty habit of disappearing from the wires, just like water disappears from the taps. Who is to blame, and what is to be done? These are not the first questions to answer. First of all, you need to make sure that voltage drops will concern you no more. Or at least will concern your information no more. Yes, there are means, I will tell you about them, no worries. But you had better take care of reserve copies (back-ups) as well.
Just like in business, if you don’t undertake active measures against your competitors, they will devour you. The problem is that in the world of business attack is believed to be the best kind of defence, while in information security it’s not welcome, and may result in an extended absence from business, as well as from personal life. But you are free, and encouraged, to defend yourself as much as you wish. Your defence may range from the Great Firewall of China – no, no worries, mate, it has nothing to do with bricklaying; it’s about a specific kind of software – to dedicated software and hardware solutions.
And this would make the basic classification. Of course, a very superficial and provisional one, because information security experts may elaborate many specific subsections, and the same means of security may fall into several categories. I just want to chart the course that we will follow, and we will discuss the particularities as they occur. Or as it is customary to say: We’ll cross that bridge when we come to it. So, onward to the new, brave, and information-secure world!
Access rights and access control are the basic means of information security. To you, they seem similar, and you probably wonder what the heck the difference is. Let’s say it this way: fully closed access is a special (extreme) case of access control, while fully open access is another special (and equally extreme) case. Between them, that is between full access and no access, stretches the domain of access control. Access rights, in turn, are the way to let the system know who is seeking access, where he should be let in, and where he should not.
Example: You have a personal notebook, where you record all kinds of things and tasks. Records concerning visits to your lover, as well as the gymnastic exercises you two perform, ought not to fall into your wife’s hands, because otherwise… Anyway, you know what’s otherwise better than I. Notes about the gifts you are planning to buy for your wife very soon ought not to fall into the hands of your lover either, because she will immediately start demanding the same, honey, but a better one, honey, don’t you love your kitty, daisy, dolly, pumpkin, tootsie, tooshie, cherry, cookie, doughnut, cupcake, pattycake, honey? That is why you need to manage the aforementioned access rights for different users.
In the case of an ordinary, old-fashioned notebook it’s not realistic. Yet, if you entrust your information to high-tech (in the right hands) electronic devices, those very devices will provide the due management of access rights. Login “wife”, password ***, and here it is – the schedule of everyday family events, rare episodes of visiting Uncle Jack and Aunt Zelda, and the cancellation of the zoo hike with the lagging brats. Login “honey”, password ***************************, and you study the programme of cruises through restaurants, night clubs, and other entertainment for very adults.
What’s that? You say that your notebook is something so intimate that you must not show it even to your head accountant?
Very well, no argument about that; I just tried to explain to you with simple and understandable examples what access rights are. Because – you’re da boss! – we shall hide your notebook from pesky lurkers. But what about your work planner, which should always be open to your personal assistant? What about the office documents, which by definition must be available to dozens, if not hundreds, of people? Well, here comes the question of proper access control in all its glory!
But let us start from the beginning. The ancient Romans used to say “from the eggs”, while we, the people of the technological age, will start from
“How much is a word worth?” ask the philosophers, and they are absolutely right, because the philosophic factor aside, “much” is the key word here. “Much” of what? Symbols. Characters. As difficult to calculate as possible.
A password is the simplest, and most widely used, form of access control (management). In skillful hands it turns into an almost impenetrable obstacle, and yet, improperly used, it becomes like a paper screen trying to block the way to the vaults of the Federal Reserve Bank. How many people laugh at the old school-bus joke about the American spy who infiltrated Moscow, but forgot he was black? The same funny guys use the password “password” or “5555” to protect the most confidential of the folders and files stored on their hard disk partitions, totally oblivious to their own technological cretinism.
Passwords must be handled with the utmost responsibility. Do not count on the clinical idiocy of the guys who will come to crack your disks and files. The best defence from idiots is a file named “Don’t_open.me”. Whereas the guys who will come to open your files won’t be idiots. They will try passwords like “password”, “12345”, your wife’s name, your lover’s name, your birthday, your wife’s birthday, and your lover’s birthday right away. You can’t imagine how fantastically high the success rate is of getting these passwords right at the first, second, or third try. They are next only to the so-called “empty” passwords, when Serious Guys, nothing doubting, simply press “Enter” when asked to enter the password. My personal favourite is a four-letter password to the administrator’s account on the central server in a certain bank – no, it was not what you think; it was the system administrator’s husband’s name.
So, let us try to put all the possible physical and intellectual effort into learning
How to create a strong password
1. Never, ever use short passwords! The shorter it is, the easier it is to break. As I write this chapter, password-breaking programs can easily break the whole spectrum of 4-, 5-, and 6-letter combinations, and before I finish this book, they will probably be able to crack 8-letter combinations right before your eyes. So, that would be the minimal required length of your password. Or better 10 or 12 letters. The longer, the better. Just like in the real world, size matters in the cyber world, and it’s no laughing matter.
2. Never, ever, under any circumstances use the common idiocies like “password”, “admin”, “123456”, “qwerty”, or “xxxxxx”. Villains very often get offended when they encounter such combinations as passwords. They think that you take them for morons. Meanwhile the biggest morons are actually those who use such words.
3. Never, ever use for passwords your name, your relatives’ names, your or their nicknames, or your or their birthdays. If you call your wife “Cupboard”, and your lover “Fanny”, don’t think that such facts are not known to anybody, and that they are not recorded and stored in some folder, tucked on some shelf in one of many safes, at… Oh well, why would you need that information anyway?
4. Passwords need to be depersonalized to the utmost. No possible personal associations, no sweet memories of childhood, puberty, or the loss of virginity! It is incredible, but it is a fact – masses of computer users put the names of their native towns as their passwords, and masses of computer users are genuinely surprised at how easily those passwords are guessed.
5. It is highly recommended to write your password with alternating cases. Remember – the absolute majority of passwords are cASe-sENSiTive. Using combinations of letters, numbers, and special characters strengthens passwords, and makes them difficult to break. Combinations made solely of the lower-case letters of the Latin alphabet can be calculated within a reasonable time regardless of their length. If the combination is cAse-SEnsiTIVe, especially without an obvious rule, that increases the complexity of its calculation by an order of magnitude. If you add numbers (an extra 10 characters), as well as special characters (another handful of extra characters) – it decreases the chances of quick calculation dramatically. Breaking such a password would require an amount of time after which the result in most cases is useless.
6. Sometimes you may happen upon recommendations to use a phrase for your password. For example, the phrase “helloworld” is not the worst password in the world – it’s easy to remember – but it’s not the best one either. Because on the one hand you get a really long password (a friend of mine was using the phrase “ihatepeoplewhosinginthemorning”), but on the other hand there is a distinct chance that a villain will somehow guess what phrase you used. The aforementioned friend of mine had his phrase painted on his favourite coffee mug, and you never know whether you will murmur it in your sleep. Meanwhile wives and lovers often belong to those villains into whose hands no passwords should fall. But if your phrase is “L03iSa&x8#3p@”, I guarantee you won’t pronounce it, whether sleeping, or drunk, or tortured. Anyway, if you decide to use this method, at least try to insert one or two special characters according to some algorithm of your own. For example, the phrase “howkindofyoutoletmecome” may become “howkind!1ofyou2@toletme#3come”.
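To put numbers to rules 1 and 5 (length and alphabet both multiply the attacker’s work), here is an added Python example, mine rather than the book’s, that sizes a password’s search space and estimates the worst-case time to exhaust it. The rate of one billion guesses per second is a constructed figure for illustration, and the estimate covers brute force over the whole keyspace only: a phrase painted on a coffee mug is guessed, not calculated, which the numbers for the 30-letter phrase make plain.

```python
import math
import string

# Alphabet sizes for the character classes the chapter discusses.
LOWER, UPPER, DIGITS, SPECIALS = 26, 26, 10, len(string.punctuation)  # specials = 32

# Assumed attacker speed (a constructed figure, not a measurement):
# one thousand million guesses per second.
GUESSES_PER_SECOND = 1e9


def charset_size(password: str) -> int:
    """Size of the smallest alphabet the password could have been drawn from.

    The classes actually present in the password bound the search space an
    attacker has to cover once he assumes (or learns) which classes you used.
    """
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c in string.punctuation for c in password):
        size += SPECIALS
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols over `alphabet`."""
    return alphabet ** length


def entropy_bits(password: str) -> float:
    """Keyspace expressed in bits: log2(alphabet ** length)."""
    return len(password) * math.log2(charset_size(password))


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case: time to try every string of the same length and alphabet."""
    return keyspace(charset_size(password), len(password)) / rate


def human(seconds: float) -> str:
    """Render seconds in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def brute_force_table(lengths=(6, 8, 10, 12), rate=GUESSES_PER_SECOND):
    """Worst-case search time for each length and each widening alphabet.

    Returns {length: {alphabet_label: seconds}}: the rows show that both
    a longer password and a bigger alphabet multiply the attacker's work.
    """
    alphabets = {
        "lowercase": LOWER,
        "mixed case": LOWER + UPPER,
        "mixed + digits": LOWER + UPPER + DIGITS,
        "mixed + digits + specials": LOWER + UPPER + DIGITS + SPECIALS,
    }
    return {n: {label: keyspace(a, n) / rate for label, a in alphabets.items()}
            for n in lengths}


if __name__ == "__main__":
    for pw in ("helloworld", "ihatepeoplewhosinginthemorning", "L03iSa&x8#3p@"):
        print(f"{pw:32} alphabet={charset_size(pw):3} bits={entropy_bits(pw):5.1f}"
              f"  worst case: {human(seconds_to_exhaust(pw))}")
    for n, row in brute_force_table().items():
        print(f"\n{n} characters:")
        for label, secs in row.items():
            print(f"  {label:26} {human(secs)}")
```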
A thought expressed becomes a lie.
A thought expressed becomes a circus in a brothel.
(Former Naval Person)
1. You will be laughing, but you must not write your password on a sticker, and attach it to the monitor. You must not put that sticker in your drawer. Not even if you cunningly flip it upside-down to fool an enemy spy.
2. You must not put down your password in any paper or electronic notebook. Not even if you cunningly write it backwards. Not even if you hide it behind another, simpler password.
3. I regret to inform you about one absolutely immutable thing: You must not write passwords anywhere, and under no circumstances! Carve it on the stone tablets with golden lettering, and may it be the only writing about the passwords that you will ever make. There must be no other.
4. “And what now?”, you will probably ask. “Where am I supposed to store that damned password?” In your head, my dear business genius, in your head, and nowhere else. I believe that if you have become The Big Boss, you must be capable of keeping at least something in your head. World practice clearly shows that it’s easier to make some effort and memorize a password (actually, there should be a few of them, but I will explain that later), than to try to write it down somewhere clandestinely, and then spend a lot of time trying to recall where exactly.
This friend of mine – an excellent IT professional, by the way – had once designed a perfectly gnarly system of recording passwords in such a way that no villain, however much he desired it, would be able to read them, even if he managed to discover them, which itself was practically impossible. We examined that system together afterwards, analyzed each and every aspect of his joyful creativity, and figured out that in order to record one password, we had to memorize three other passwords. After that, he tried simply to remember the passwords. He liked it.
How many passwords are just right?
This is a good question, my friend. A very right one. Because one and only one password is nonsense, just like one and only one bank account. You need several passwords for different life situations. Necessarily!
Several passwords strengthen your security big time. Because if you use the same password to lock the drawer with magazines “for men only”, the travel duffel, the safe with money, and the secret disk partition, it’s beautiful, easy to remember, and slightly idiotic. And make no mistake – I used the word “slightly” solely out of respect for your esteemed social position.
“So now what?!”, you may ask with irritation. “Now I have to put a password on every little shit? And keep all that shit in my head?!” No, I won’t even suggest that. Or better to say – I would gladly suggest that, but I realise that it’s unrealistic. Therefore I suggest a lite version. It is called
Password security levels
One evening sit at the table without a glass of whisky, and systematize all the situations that might require using and storing a password, on various levels. There may be a few levels:
1. Basic level.
Travel duffel, drawer with porn, phone bills, Internet fora… In short, all the stuff where access by third parties won’t cause too many problems.
2. Medium level.
Folders and disk partitions with office documents, private chats, and BDSM fora (or whatever hobbies you have), personal notebooks, e-mail, and everything else close and personal.
3. High level.
Bank accounts, credit cards, folders and disk partitions with secret documents and sensitive accounting data, particularly secret e-mail, etc.
And so on. In fact, the number of such levels and the related access cases are to be set individually. Someone is more afraid of losing the credit-card PIN code than access to a gay and lesbian site, and someone else – exactly the other way round.
What really matters is that there should be no less than three levels. Optimally – five levels of password security, each associated with a set of access cases. The idea is to have one password per level. A serious password should be long and hard to break. (The difficulty of memorizing is directly proportional to the difficulty of breaking, of course.) But it’s one for the whole level, together with all the access cases related to the given level.
If you get a new access case, for example, access to the paid sections of your favourite on-line magazine of financial analyses, then all you need to do is to figure out which level of security should be associated with this case, and give it the appropriate password. Later you will need to recall a couple of times which security level is associated with the given access case, and you will easily remember the password.
Of course, this is a compromise of reliability in favour of easy access. Because ideally you should have a unique, individual password for every single case of access to your resources. Yet, in the modern world we are required to use so many passwords that it’s impossible to remember them all. That is why we need to apply such methods. They at least make our lives easier.
But God forbid you use one simple password for all life’s occasions! If you do, your life will soon become one endless heavy case.
Your very own office octopus
Proper organization of the local network in your office is the guarantee of the proper level of security. All Big Bosses must memorize this simple rule. Big Bosses also need to know, more or less, what a local network is. It is when computers are connected to one another with cables, and from the computer placed in the Marketing Department one can print documents on the printer placed in Human Resources. Yet, what Big Bosses really need to know is what the proper organization of the office local network means.
On the one hand, Big Bosses don’t need to know technicalities, because it’s the job of hired or outsourced professionals. On the other hand, in such an intimate matter as information security it’s better to learn some technicalities, at least in general terms; especially since there’s nothing particularly difficult about it. At the very least you will be able to estimate the professional level of the invited specialist. But that’s secondary. First is that you need to know, damn it, what’s going on!
So, try to understand what a local network is, and what its role in data protection is. It is useful, I swear by my bank account!
In short, a Local Area Network (or LAN) is a set of computers connected together into one coherent system by means of specialized hardware. And cables, of course. That system enables the exchange of information from one computer to another.
What can a Local Area Network do?
1. Enable instant (well… almost) file exchange between two or more computers belonging to the same network.
2. Enable simultaneous access of two or more users to one file (document).
3. Share access to the peripheral devices, for example – print documents from all the computers in the network on the same printer.
4. Have Internet access on all the computers via one dedicated computer connected to the World-Wide Wait. (In fact, nowadays Internet access in local networks is enabled not via a computer, but via a special device, which after all is a computer of a kind anyway.)
5. Set up a server, where all the data are collected on one central computer, and other computers access those data in client mode. (I will elaborate on it in detail later.)
What kinds of networks can we identify? They may be linear (serial), or star (parallel).
A serial network is made of computers connected one to another, just like Christmas-tree festoon lights. It is the simplest, and the most inefficient, kind of networking. Because if the chain of computers gets interrupted, the entire network will go to the dogs, that is, it will stop working. And interruptions may occur quite easily; for example, when the cleaning lady swinging her broom pulls the network cable, and unplugs it from one computer. That is why this kind of networking is out of use nowadays. It has been replaced with the parallel connection.
A parallel network is made when computers are not connected directly to one another, but through a special device. In the simplest case it’s a hub, but more and more commonly it is a switch. Such a switch is like the centre of a star, from which cables go to the individual computers. It is like the head of an octopus, spreading its tentacles all over your office. If you cut one tentacle, the octopus won’t die, right? The same is the story with the network star: even if you cut one cable, the network won’t cease to work, except for the connection on the damaged line.
How many computers may one connect through one switch? Depending on the class of the hardware, it may be 8, 16, or 24. But there is no need to connect all the computers through one switch. Just as with extension cords, one may connect to a switch not only computers, but also another switch with its own star of computers. And then one may connect a third switch to the second switch, and so on, and so on, in a cascade of switches.
Of course, the network in your office must be strictly parallel. A serial network is somewhat easier and cheaper to build, but the problems it may cause can inflict such a colossal financial and moral damage that if your system administrator suddenly proposes to build a serial network, “because it’s cheaper”, you better shoot him on the spot. Such a, pardon mon Canadien, “specialist” has no right to live on the face of the Earth.
The brain of the octopus
Everybody knows what a server is. Kind of… If you ask a randomly chosen Big Boss what a server is, he will tell you that it’s… uhm, like… a central computer, which… uhm, like… does something centrally. But what it is doing, nobody knows. All that matters is that it’s doing it centrally. And that it’s The Server. Which devours a ton of money, because, I quote your system administrator, “network must have a server”. That is why every quarter you have to allocate money for “critically important” (I quote your system administrator again) upgrades, such as a DVD player, a joystick, a 19” plasma monitor, a mighty video card, a powerful sound card, and stereo loud-speakers with a sub-woofer, because the server (I still quote your system administrator) “must be up to date”.
And that thingie, which costs so much money, is placed behind an armoured door locked from inside (“security requirements”, as your system administrator explained), and makes quite a noise, audible even through the locked armoured door, conspicuously resembling the rattle of tank tracks, heavy-metal tunes, and orgasmic groans.
No worries! These are not sounds of heavy battles of the vicious viruses clashing with your precious documents. It is your system administrator, a.k.a. “sysop” or “sysadmin”, playing the World of Tanks, or watching porn to the tunes of Neanderthal music.
The guy enjoys to the utmost the fact that the magic phrase “network must have a server” raises no doubts even among the managers, who, out of these four words, can understand only “must” and “have”.
Guess what? It is a holy truth! A network must have a server – no questions asked.
Yet, the server is not a computer purchased for the sole purpose of entertaining your sysadmin. It is something else. So, let’s examine what the heck it is.
Without venturing into quite tiresome, and absolutely incomprehensible to you, technicalities: a server is a dedicated computer where all the data created and processed in your office are stored.
In the first local networks, servers were set up mostly out of economy. Those were quite powerful computers with big hard disks, whereas users’ computers were merely terminals – simpler computers, often without hard disks at all, for all the executable files were stored on the servers as well, together with the data.
Later, when the price of an average personal computer had dropped to the price of a bottle of brandy (no, c’mon, a good brandy; I really mean it – something with the “V.S.O.P.” marking on the label), the question of economy ceased to be acute, and it became possible to build networks without servers at all, because the hard disks on every single desktop computer offered enough space to install the whole shebang of necessary software, and the possibility to work with it without hassle.
Nevertheless, the proper organization of a local network still includes at least one central server, which keeps all the office files. At the same time, users install software on their local computers, but they have to store the results of their work on the server(s). Why so? First of all for convenience. And second – for security.
Let us imagine that your local network has no server, that is, no central computer with all the documents stored there.
Every user creates, processes, and stores documents on his computer. At the same time, many documents (technical, financial, legal) require the shared work of two or more users. You too need access to those documents to control the workflow of your business, and its quality.
How to organize it? On the one hand, to simplify the task, one may open all the folders and all the files on all the computers to every user of the local network. Yet, first of all, it would be a flagrant breach of all possible security rules, and second, it would lead to nightmarish results: documents will start multiplying at a rate faster than that of Lasik Roitschwantz’s rabbits; they will start to appear, disappear, duplicate, messing up versions, updates, etc. In short, your office will quickly turn into a Gypsy encampment that knows no doors or locks.
It is possible, of course, to close folders on local disks with passwords, which will be known to authorized persons only (in fact it’s somewhat more complicated, but I simplify it for you, so you wouldn’t be burdened with redundant information). Yet, this method isn’t good either. Instead of a Gypsy encampment, now you will be put in charge of an apartment building, with a bunch of keys to all the locks at hand. To find the items you need, you would have to put a lot of effort into searching through one apartment at a time. In other words, you would have to browse folders on the computers of Peter and Paul, Mary and Magdalene, Master and Margarita, Tom and Jerry, Mrs Dumblewhaite from Accounting, Miss Peggy from Marketing, that young fellow, what’s his name, from Human Resources, and God knows who else, because only God knows what you are looking for, and where that stuff has been tucked away.
With a server in place everything is simpler. You create an elaborate catalogue of folders and files reflecting the departments and projects of your company, and everything is stored there. Each user obtains access only to the areas of his business tasks. And that access can be full (read and write documents), or limited (read only, so she would be able to read what she needs to read, but wouldn’t be able to delete it accidentally). You, as master and commander, will have access to all the folders and files of the catalogue.
Convenient? Of course! This is the light side of The Force, which has no dark side! It makes possible:
1. Making reserve copies of absolutely every single document. (Imagine the joy of archiving documents from each computer one at a time!)
2. Scanning files for viruses. (Modern viruses have the ability to penetrate many file formats, including Word, Excel, e-mail, and others.)
3. Quick searching for words and phrases in documents.
4. Accessing any documents, even if the computers of the users, who create and maintain them, are switched off.
5. Monitoring who and when had access to what files and folders.
And above all, when everything is in one place, it’s easier to command that place. Imagine that suddenly D-Day has come to your office. I will elaborate at length later on what that specific day is, and how to get prepared for its arrival. D-Day means that most of the office documents, especially those which contain… uhm, like… let us just say – an inventory of especially precious ballpens and paper clips, need to disappear without a trace from the face of the Earth. Search for them on all the computers, and delete them one by one? Gimme a break! You will have only 7 seconds for such an operation; all right – 10 seconds, to give the cops time to figure out that the door opens the other way. It takes just a click of the mouse to delete them from the server. Whereas deleting files from local computers, if they are not stored on the server, will take at best several minutes. And don’t forget that some computers may happen to be out of reach of the sysadmin charged with this critical task simply because they will be switched off.
Therefore server, server, and once more server! Especially since, apart from keeping your files, the server has more important functions to perform. Your sysadmin must enforce the policy of creating and maintaining files only on the server, otherwise information security in your office will be akin to sci-fi, with the accent on “fi” rather than “sci”.
And why are you smiling so strangely, and conspiratorially winking your eye? What? Where to store your documents? You won’t believe it – on the server as well! For the same reasons I have just painstakingly enumerated for you. Yeah, your sysadmin in this case will have access to those documents as well. You can’t do anything about that. A system administrator nowadays is closer and more intimate than a lawyer and a psychoanalyst.
Nevertheless, if you have super-pooper top secret X-files, which you must not show to anybody under any circumstances, then keep them on your local disk, and take care of their archiving and protection (we will yet discuss how).
Every beast shalt have its own door
Setting up the server, and forcing all the users to store their documents only there, doesn’t mean that the job is finished. Now it’s time to organize proper access rights. System administration won’t do it without you. You, or your secretary, must make a list of employees (users), and specify who should have access to what documents. The list must come together with an accurate tree (catalogue) of all the office documents, as well as instructions on what access rights (full, read-only, or denied) which users (or more accurately, their computers) should have to each branch of the tree (folder of the catalogue).
Yes, I know that it’s not easy, especially if you have never bothered to organize your business properly. But you absolutely must do it. It must become an inalienable part of your business strategy. If you construct the tree of the catalogue properly, thenceforth it will continue growing up and wide, and with time it will become a strong, well-rooted oak. Otherwise, if the tree of the catalogue isn’t constructed properly, instead of the proud oak you will get a dwarfish crab-tree suffering from all kinds of growths on its bark.
By the way, making the catalogue of the office documents can become an enlightening experience. As you evaluate each individual worker’s access rights to this or that information, you will finally understand what’s going on in your company. Very likely, you will want to correct the positions and job duties of many an employee afterwards. It may happen that you will discover that they have access to information you don’t want them to access…
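An added example, not from the book, of the access model just described: a Python sketch of a document catalogue in which full, read-only or denied rights are set per branch and inherited down the tree (the nearest explicit entry wins, which is this example’s own design choice), with every check logged so that “who had access to what, and when” can be answered later. The folder names and the cast of users are constructed from the chapter’s characters.

```python
from datetime import datetime, timezone

FULL, READ_ONLY, DENIED = "full", "read-only", "denied"


class Catalogue:
    """The office document tree with access rights set per branch.

    A right set on a folder applies to everything beneath it unless a nearer
    (more specific) folder says otherwise. A user with no entry anywhere on
    the path from the requested folder up to the root is DENIED. Every
    decision is appended to an audit log.
    """

    def __init__(self):
        self._rights = {}    # normalised folder path -> {user: right}
        self.audit_log = []  # one dict per access check

    @staticmethod
    def _normalise(path):
        return "/" + "/".join(p for p in path.split("/") if p)

    def set_right(self, folder, user, right):
        if right not in (FULL, READ_ONLY, DENIED):
            raise ValueError(f"unknown right: {right}")
        self._rights.setdefault(self._normalise(folder), {})[user] = right

    def effective_right(self, path, user):
        """Walk from the requested path up to the root; the nearest entry wins."""
        parts = [p for p in path.split("/") if p]
        for depth in range(len(parts), -1, -1):
            folder = "/" + "/".join(parts[:depth])
            entry = self._rights.get(folder, {})
            if user in entry:
                return entry[user]
        return DENIED

    def check(self, user, path, operation):
        """Authorise a 'read' or 'write' request and record the decision."""
        right = self.effective_right(path, user)
        allowed = ((operation == "read" and right in (FULL, READ_ONLY))
                   or (operation == "write" and right == FULL))
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "user": user,
            "path": self._normalise(path),
            "operation": operation,
            "right": right,
            "allowed": allowed,
        })
        return allowed


def build_sample_office():
    """A constructed catalogue using the chapter's cast of characters."""
    cat = Catalogue()
    cat.set_right("/", "boss", FULL)                          # master and commander
    cat.set_right("/Accounting", "mrs_dumblewhaite", FULL)
    cat.set_right("/Accounting/Secret", "mrs_dumblewhaite", DENIED)  # nearer entry wins
    cat.set_right("/Accounting", "miss_peggy", READ_ONLY)    # may read, not delete
    cat.set_right("/Marketing", "miss_peggy", FULL)
    cat.set_right("/HR", "young_fellow", FULL)
    return cat


if __name__ == "__main__":
    office = build_sample_office()
    office.check("miss_peggy", "/Accounting/Invoices/2024.xls", "read")
    office.check("miss_peggy", "/Accounting/Invoices/2024.xls", "write")
    office.check("young_fellow", "/Accounting", "read")
    for line in office.audit_log:
        print(line)
```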
(Old school-bus joke.)
When you give your system administrator the detailed instructions regarding the construction of the catalogue of the office documents, together with the users’ access rights, make sure he defines so-called user policies. In fact, your system administrator should use his brain to do everything properly and correctly, but on the other hand you too should understand what it is, because if your sysadmin decides to make his job easier, and others’ jobs more comfortable, your job will end up in a situation like that from the old school-bus joke.
What is the use of that ton of money you have spent on the powerful server, which is placed in the hermetically locked server room behind an armoured door, if access to the important documents is either unprotected, or protected with a weak password known to everyone in the office? There is no use at all! You need to impress on every single user that he needs to create and memorize his own password, which complies with the rules we have already discussed. And what is interesting, you can enforce it programmatically – on the operating system level.
This is what is called the user policy, and the administrative user password policy. Believe me, your sysadmin can force your users to do many things, and he can do it in a way users can’t evade, because otherwise they will never get access to the server files, and won’t be able to work. Here is what your sysadmin can do:
1. Set password expiration policy.
A very interesting feature. If you set it, say, to 30 days, exactly in 30 days the server will demand from a user, all users, or a group of users that they change their password. And what’s more, each user in question will be warned in advance, so he will have time to prepare himself, so to say, morally for the coming heroic deed.
2. Set password minimum length.
As discussed before, if you use a 2- or 3-character password, you had better not use passwords at all, to avoid bringing shame on your head. Passwords must be at least 8 characters long, and users must comply rigorously. No problem! The server, or strictly speaking the password policy, can refuse passwords shorter than the given number of characters. (Let us make it 6 for the sake of your secretary.)
3. Forbid password recycling.
A cunning user may have two passwords, say “Romeo” and “Juliet”, and change one to the other all the time. Of course, such a combination is easy to remember, but from the point of view of information security it’s a total outrage. But if the password policy forbids password recycling, a second “Romeo” and a second “Juliet” won’t pass for sure, and therefore the user will have to summon all her imagination to change to something else.
4. Enforce password complexity.
Remember what I said about passwords? You can make the server do most of those tricks. If you activate the password complexity check, the server will check passwords against the complexity requirements, and will allow no “Romeo” or “Juliet”. Instead, it will enforce my recommendations: use of case-sensitive passwords (small and capital letters), digits, and non-alphanumeric characters. Of course, on this occasion you will learn from your staff a lot of new things about yourself, your family, your sexual, and even zoological, preferences, but at least their passwords will more or less fit the security requirements. What the server can’t do is stop users from putting their passwords down on stickers, and attaching those stickers to their monitors.
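The four policy settings above, as an added Python example that is neither the book’s nor any real server’s code: minimum length, complexity, a history of salted hashes that refuses recycled passwords, and an expiry date with an advance warning. The blocklist, the dates and the account are constructed; the 30-day expiry and the 8-character minimum follow the chapter, and the hashing (PBKDF2 with a fresh salt per entry) is this example’s choice.

```python
import hashlib
import os
import string
from datetime import date, timedelta

# The chapter's "common idiocies", constructed here as a short blocklist.
FORBIDDEN = {"password", "admin", "123456", "qwerty", "xxxxxx", "12345", "5555"}


def day(iso: str) -> date:
    """Helper so dates can be written as '2024-01-31'."""
    return date.fromisoformat(iso)


class PasswordPolicy:
    """Server-side rules: minimum length, complexity, no recycling, expiry."""

    def __init__(self, min_length=8, history_depth=5, max_age_days=30, warn_days=5):
        self.min_length = min_length
        self.history_depth = history_depth
        self.max_age = timedelta(days=max_age_days)
        self.warn_before = timedelta(days=warn_days)

    def complexity_failures(self, pw):
        """Return the requirements from the chapter that `pw` does not meet."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if pw.lower() in FORBIDDEN:
            problems.append("on the blocklist of common passwords")
        if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
            problems.append("needs both small and capital letters")
        if not any(c.isdigit() for c in pw):
            problems.append("needs a digit")
        if not any(c in string.punctuation for c in pw):
            problems.append("needs a non-alphanumeric character")
        return problems


def _hash(pw, salt):
    # Only salted hashes of past passwords are kept, never the passwords.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class UserAccount:
    def __init__(self, name, policy, today):
        self.name = name
        self.policy = policy
        self.history = []          # most recent first: (salt, hash)
        self.last_changed = today  # date of the last accepted change

    def was_used_before(self, pw):
        return any(_hash(pw, salt) == h for salt, h in self.history)

    def change_password(self, pw, today):
        """Apply every rule; return the reasons for refusal (empty = accepted)."""
        reasons = self.policy.complexity_failures(pw)
        if self.was_used_before(pw):
            reasons.append("password recycled from history")   # "Romeo"/"Juliet" trick
        if reasons:
            return reasons
        salt = os.urandom(16)
        self.history.insert(0, (salt, _hash(pw, salt)))
        del self.history[self.policy.history_depth:]          # forget the oldest
        self.last_changed = today
        return []

    def days_until_expiry(self, today):
        return (self.last_changed + self.policy.max_age - today).days

    def must_change(self, today):
        """The server demands a new password once the 30 days are up."""
        return self.days_until_expiry(today) <= 0

    def should_warn(self, today):
        """Warn in advance so the user can prepare for the heroic deed."""
        left = self.days_until_expiry(today)
        return 0 < left <= self.policy.warn_before.days


if __name__ == "__main__":
    acct = UserAccount("secretary", PasswordPolicy(), day("2024-01-01"))
    for candidate in ("Romeo", "Juliet!9", "Juliet!9", "L03iSa&x8#3p@"):
        print(candidate, "->", acct.change_password(candidate, day("2024-01-01")) or "accepted")
    print("warn on 2024-01-28:", acct.should_warn(day("2024-01-28")))
    print("must change on 2024-01-31:", acct.must_change(day("2024-01-31")))
```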
Now, when all your sensitive data are stored, hopefully, on the server, there comes a new problem: how to protect the server itself? You have entrusted all your information to one computer, which is modern and robust, but if various life forms have easy access to it – your painstakingly constructed system won’t be worth a fart, right? Of course, those creatures won’t get full access to the data without the administrator’s password, but… What if the administrator stabs you in the back, and sells the password? Or makes access available without a password at all?
That is why the server must be protected as well.