Understanding Security: Maps versus Lists

Many people I speak with don't have a security mindset, not because they aren't aware of security, but rather because it doesn't play a role in their life. As computers become more involved in our everyday lives, we all need to understand the security implications and defend against attacks. The only proper way to defend against something is to understand how it is attacked.

I'll paraphrase a tweet I saw on Twitter¹ about security: "An attacker uses maps, but defenders use lists." To explain what this means in security terms, let's look at the definitions of those two terms.

A list is defined as "any enumeration of a set of items." Whereas a map is defined as "a symbolic depiction highlighting relationships between elements of some space, such as objects, regions, and themes."

Thus, a list is just a number of items that must be compiled and then checked off when performing a security audit. These items may or may not be related to each other. A map, on the other hand, is a set of seemingly unrelated items that, when connected, form a path in which each step builds on the one before it until a security hole is reached.

Growing a Security Mindset

Whenever I teach someone about security, I first introduce them to lockpicking. The reason is simple: computer security exists in bits and bytes outside of our physical realm (i.e. the things we interact with using our hands). Humans have a difficult time quantifying risk even normally, so when you add a non-corporeal aspect to it, we don't even know where to begin.

Lockpicking is a wonderful way to teach someone that a security device doesn't necessarily mean something is secure. In fact, locks (and safes) are specifically rated by how much time it takes for someone to break into them (or, rather, how much time it takes to keep someone out).

Watching someone pick a lock for the first time, and realizing how easy it was, is the first step towards a security mindset. One can talk forever about preparing for a physical or computer attack, but I've never seen anyone learn quicker than when they watch a lock recently purchased from a store get picked in under 10 seconds.

Without a security mindset, we all go through life assuming that our security devices are taking care of us, without actually verifying that they are doing their job. It is this implicit assumption that an attacker relies on during an exploit.

Finding Relationships

An attacker exploits the fact that a defender doesn't see the relationships between one innocuous security hole and another. Looking at one security hole doesn't amount to much, maybe it's a keyword on a blog, or a password in a Git commit history, but an attacker adds up all those security holes to penetrate a company. All a defender can do is build a checklist like:

[x] No passwords in Git.
[x] Permissions on Git repository are locked down to employees.
[x] Every employee must lock their computer with a password.
[x] Lock the castle gates.
[x] Raise the drawbridge.
... and so on ...

I jest, but the map vs list problem is as old as time. The problem with the checklist approach is that an attacker, for the most part, does not bother attacking the (metaphorical) front door, that is, acting like a normal user. Instead, most attacks happen at a side or back door where little attention is paid to threats.
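To make the list-versus-map distinction concrete, here is a small added example (mine, not part of the original post) that models the same findings both ways. The findings, their severities and the "leads to" relationships between them are all constructed for illustration; every individual item is rated low, so a checklist that only surfaces high-severity items reports nothing but the crown-jewel asset itself, while a graph search over the relationships finds the path an attacker would walk, and shows which single fix breaks it.

```python
"""Added example (not from the original post): a defender's checklist as a
list versus an attacker's view as a map, over the same constructed findings.
"""
from collections import deque

# Constructed findings. Each is individually "low": a project name in a blog
# post, a public GitHub org, an old CI config left in Git history, and so on.
# "leads_to" records which other finding that item makes reachable.
FINDINGS = {
    "blog_post_names_project": {"severity": "low", "leads_to": ["public_github_org"]},
    "public_github_org": {"severity": "low", "leads_to": ["old_ci_config_in_history"]},
    "old_ci_config_in_history": {"severity": "low", "leads_to": ["legacy_ci_server"]},
    "legacy_ci_server": {"severity": "low", "leads_to": ["ci_deploy_key"]},
    "ci_deploy_key": {"severity": "low", "leads_to": ["production_database"]},
    "production_database": {"severity": "critical", "leads_to": []},
    "lobby_wifi_password_on_whiteboard": {"severity": "low", "leads_to": []},
}


def list_view(findings, threshold=("high", "critical")):
    """The checklist: items that individually exceed the severity threshold.

    None of the five low-rated steps appear; only the asset itself does.
    """
    return sorted(name for name, f in findings.items() if f["severity"] in threshold)


def map_view(findings, start, target):
    """The map: breadth-first search for the shortest chain from start to target.

    Returns the list of findings on the path, or None if target is unreachable.
    """
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for nxt in findings.get(node, {}).get("leads_to", []):
            if nxt not in parents:
                parents[nxt] = node
                queue.append(nxt)
    return None


def with_fix(findings, name):
    """Defender's question: if I fix this one item, what does it stop leading to?

    Returns a copy of the findings with that item's outgoing relationships removed
    (e.g. rotating the deploy key so it no longer reaches the database).
    """
    fixed = {k: dict(v) for k, v in findings.items()}
    fixed[name]["leads_to"] = []
    return fixed


if __name__ == "__main__":
    print("checklist surfaces:", list_view(FINDINGS))
    print("attack path:", " -> ".join(map_view(FINDINGS, "blog_post_names_project", "production_database")))
    print("after rotating the deploy key:",
          map_view(with_fix(FINDINGS, "ci_deploy_key"), "blog_post_names_project", "production_database"))
```

The value for a defender is the last function: once the relationships are written down, you can ask which single item, if fixed, severs the most paths, which is a question a flat checklist cannot answer.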

The Simpsons provides one of my favourite examples of security in this clip:

Mr. Burns goes through all the trouble of installing facial scanners and other security devices to guard a critical piece of infrastructure, and yet an old rusty back door is left open and a dog freely walks through.

So, what's the rusty door here? It's any legacy service or software that is left unattended, or an automated system that everyone thinks "just works." It can even be, and most likely is, the employees at a company. At any event or meetup, it is easy to strike up a conversation with an employee and get details about project names or technologies being used. Attackers later research these technologies for exploits. Now, I don't think we need to be paranoid when speaking to someone, but we need to realize that we, as humans, are a lot more forthcoming with information than we realize. A security mindset is one that recognizes we are speaking about things that could be used against us, so it's best to think about any small security holes before we talk to others.

Plugging these holes can be as simple as removing project names, software names, and version numbers from Web server responses (the Server headers that Nginx and Apache send by default come to mind), and being careful about which technologies are strung together with hastily written glue code.
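As an added example (not from the original post), the following script parses raw HTTP response headers and flags the ones that disclose a product and version, so you can check your own servers before an attacker does the same research. The two sample responses are constructed for this example; the hardening directives quoted in the comments (`server_tokens off;` for Nginx, `ServerTokens Prod` and `ServerSignature Off` for Apache, `expose_php = Off` for PHP) are the real ones, but the hostnames and exact header values are made up.

```python
"""Added example (not from the original post): spotting software and version
disclosure in HTTP response headers, beside what the hardened response looks like.
"""
import re

# Response headers that commonly carry a product name and version.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")

# Matches "name/1.2.3" or "name 1.2.3" style product/version tokens.
VERSION_RE = re.compile(r"([A-Za-z][\w.-]*)[/ ](\d+(?:\.\d+)+)")


def parse_headers(raw):
    """Parse a raw HTTP response (status line plus headers) into a dict keyed
    by lowercase header name. Stops at the blank line that ends the headers."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def version_disclosures(raw):
    """Return a list of (header, product, version) for every header that leaks
    a product version. An empty list means nothing to tidy up."""
    found = []
    headers = parse_headers(raw)
    for name in DISCLOSING_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        for product, version in VERSION_RE.findall(value):
            found.append((name, product, version))
    return found


# Constructed: a default Nginx + PHP install answering for a made-up host.
LEAKY = """HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
X-Powered-By: PHP/7.4.3
Content-Type: text/html
"""

# Constructed: a default Apache build, which also advertises its TLS library.
APACHE_LEAKY = """HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f
Content-Type: text/html
"""

# Constructed: the same Nginx host after
#   nginx.conf:  server_tokens off;   (Server header becomes just "nginx")
#   php.ini:     expose_php = Off     (X-Powered-By header disappears)
# The Apache equivalents are:  ServerTokens Prod  and  ServerSignature Off
HARDENED = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, raw in (("leaky", LEAKY), ("apache", APACHE_LEAKY), ("hardened", HARDENED)):
        print(label, version_disclosures(raw))
```

Hiding the version is not a fix for an unpatched server, but it does remove the free hint that tells a passer-by exactly which advisories to go read, which is the kind of small hole the previous paragraph is about.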

Glue Code

One exploitable area arises when two technologies don't fit together perfectly, so a company builds its own software or service to make them interact. In this situation, the attack surface grows because there are now three moving parts:

  1. The first system
  2. The second system
  3. The glue that connects the two systems

Each of these parts must be maintained and kept updated. In any reasonably sized company, each system can be maintained by separate teams. This presents a security hole because no single person has a complete view of their entire system.

Forget What TV Taught You

The final thing I want to touch on is the portrayal of hackers on television and film. Somehow hacking is seen as this technical feat of wizardry that requires fast fingers and very little pressing of the Spacebar or Enter keys. If you want to get into a security mindset, please realize that all of this is fake. Here is an example of everything that is fake when you think of how attacks work:

Words escape me. Most attacks happen slowly: something catches an attacker's eye on a blog or website, and then she goes about researching connections to it. It's like scratching an itch, and it happens slowly. There's no mashing of fingers on a keyboard, no terrible jargon, and no clicking through a purpose-built GUI for disabling fire alarms.

Instead, watch Mr. Robot, which accurately shows how attacks happen. Most of the attacks in the show are about social engineering, researching publicly accessible information, and knowing weaknesses in systems. For instance, every RFID keycard is a publicly accessible antenna for anyone close enough to interact with it. I suggest you shield it from the outside world, or make sure that it doesn't carry your name or company on it.

Next Steps

If you want to start gaining a security mindset, that's great news! It's a lot to learn but, trust me, once you start seeing that computers are not as secure as you think, you will look at the world a bit differently. Again, it doesn't mean you become paranoid, but it does mean you start realizing how much trust we put into things that we don't fully understand.

Footnotes

  1. I can no longer find the tweet. Gotta love Twitter's search function.