1

I'm setting up some externally accessible services for a small business, and evaluating some of the different options I have. This is all new to me. I have found the question, "is this secure?" to be very vague and misleading. So, to weigh the pros and cons of these options in terms of security, I am trying to divide that question up into more reasonable categories.

Thinking about it, I have divided the issue of "security" into the following four categories:

  • Login security: Is the system vulnerable to proper but unauthorized logins, e.g. are passwords too easy to guess, is it vulnerable to dictionary attacks, is it properly set up to disallow anonymous access, does the system force a user to use the same credentials for many services, are credentials being shared through other means (e.g. plain text password reminder emails), is the client side prone to issues (e.g. does a web-based service leave passwords in http get requests in the browser history), etc.

  • Sniffing / intercepting / modifying traffic: Is the system vulnerable to a motivated attacker (or a casual attacker just looking to cause random trouble, e.g. monitoring wifi traffic in a public location) who can gain credentials or other information by watching network traffic (e.g. are credentials and/or data transmitted with poor or no encryption) or intercepting and modifying it (e.g. mitm attacks)?

  • Exploits / holes: Is the system vulnerable to flaws in service applications or underlying protocols (things that usually end up discovered and patched eventually, but are outside my control)? This category does not include exploits accomplished by mitm-based attacks, but rather, things that can be exploited without intercepting existing traffic (e.g. the exploit code red took advantage of).

  • "Internal" access: (Not sure what to call this) If an attacker does gain access to one service, can they easily obtain other information from there about that service or others (e.g. a service with SQL injection vulnerabilities, gaining root access to other machines on a LAN after an unauthorized VPN login, etc.)

I have then been attempting to analyze the pros and cons of various service options in terms of the categories above. The categories above, I think, have distinctly varying levels of risk associated with them.

My question is: Is my categorization correct, or at least reasonable? If not, keeping in mind that this is a small business that is unlikely to be an explicit target for attackers (explicit -- of course there still seems to be the flood of random foreign IP addresses that seem to be constantly and inexplicably trying to obtain SSH logins and request random weird web pages), how is the matter of "security" usually divided up and analyzed when evaluating the addition of a new service?

I am constantly frustrated by statements like "X is not secure" without further explanation. I have found that certain things are secure enough for certain usages; and my primary goals are to 1) come up with a way to objectively evaluate whether or not a service or protocol is good enough for a given situation - weighing its risks vs. benefits, and 2) be able to clearly and adequately answer users' questions about the security of the options I choose.

The reason is I'm trying to categorize these things based on the environment an attacker would have to be in, the tools and skills required, and the estimated likelihood of somebody actually attempting it.

Jason C
  • 273
  • 2
  • 16
  • Where would an MitM fall under this system? Note that an MitM attack need not happen at login. – cpast Feb 18 '15 at 23:14
  • @cpast Thanks; I am extending the "sniffing / capturing data" category to cover that. That category, then, will be for any risks associated with tapping into and/or intercepting and modifying traffic, that require at least minimal effort on the part of the attacker. – Jason C Feb 18 '15 at 23:34
  • "Is this secure?" is the wrong question. The right question is, "Against what attacks is this vulnerable?" (Hat tip to Curt Sampson, who said it first.) – Bob Brown Feb 19 '15 at 14:16

1 Answers1

1

Solving small problems is certainly easier than solving big problems. But you might want to think about how you would decompose these categories further into a hierarchy (decompose the problems further before trying to find answers). e.g. typically what you have described as login security is decomposed into access, authentication and authorization.

You will probably find that you will want to revisit and develop this hierarchy as you work on the analysis.

A fairly obvious gap in your current model is that you are only considering an us-and-them scenario - but as a service provider, there are at more parties involved. Does the system you are evaluating (for example) provide a means of attributing activities to specific individual or at least differentiating between your customers and yourself?

Another approach (complementary - not exclusive) is to cast yourself in the role of the attacker and consider how the system you are evaluating prevents you from acheiving some nefarious purpose - read someone's email, modify a project proposal, deface a website....Given a specific outcome facilitates making informaed choices about whether a solution which is not completely secure (i.e. all of them ;)) is worth the risk - take a guess at the probability of someone wanting to achieve the outcome, multiply by a guess at the probability that the solution can be thus exploited, and multiply by the cost impact. (There are more complex models for risk assessment).

symcbean
  • 18,625
  • 1
  • 41
  • 75