secure: adjective – certain to remain safe and unthreatened.
I’d never been that “secure” in my entire life when it comes to IT security. In the past, I’ve run for years without a virus scanner or protector. The thing is that I’ve been taking this quite logically rather than rationally. Most people would raise their eyebrows at my second sentence; why would you not protect yourself?
That’s the thing though. I know what I’m doing and what is happening on my system. I know what I visit (browsing) and I know what I install. I monitor my network and I have zero sensitive data on my home computer. It was a time when scanners would take up a ton of power from your computer, actually making your experience worse than with a virus.
I would do internet-banking on a more “secure” station, the same goes for “sensitive” data, which did not reside on my home computer. Basically, I accepted that my computer would get hacked anyway, most scanners were always too late with new definitions, you can’t prevent 0-days and IF I really wanted a form of security, I would fix it differently. In most cases, I would just format everything and use a clean image again. In the end, I did not want to end up in a botnet 😉
For things that I actually wanted to (try to) protect, I’d use a station on which I don’t browse random websites, install software or leave it on the internet 24/7. I’d use whatever decent security software and let it do its job. I’d use offsite backups, offline storage, online storage in the cloud and so on.
For websites and my accounts, it’s the same. I assume my credentials are compromised the minute I make an account. So I don’t use the same credentials for every website, nor do I disclose personal data or other important data.
It was a trade-off
That whole part is my own personal trade-off. I’m not trying to say that this is the best practice or anything. I’m merely trying to explain that I prefer a relaxed setting so I could do whatever I wanted without being “afraid” of anything. In my entire life, I never had the issue that I cared that I lost a system, photos, files, personal data. I could wipe my computer and be up and running within minutes.
Nonetheless, regardless of how you manage your things, there is just one rule:
Just assume you are hacked already.
That makes your life much easier. What if they are already on your computer, server or account? Start to think about that: what damage can they do now? In my case: nothing, except perhaps annoy me.
Because the thing is: If they want to, they will get into your systems. There is no such thing as being secure in IT.
On defense, it’s so much easier to defend the inner ring than the outer rings. It does not mean you have to leave everything open, but you should protect from the inside out.
The funny part is that most companies adhere to that fact indirectly by having certain “rules”, yet they seem to miss the reason why they do it. The reason should be based solely on the fact that you will get hacked.
Why do we have POLP (principle of least privilege) instead of just adding more rights to make things work? It’s so things do not get abused, but basically someone has to be “in” already to “exploit” that.
Just ask any company who says they are secure if they run POLP. If they do, ask them why they do it. I’m curious about their answer.
As I normally try to end my blogs on a positive note, I will share a few experiences on how I deal with security.
Everything that is truly important to me resides on a totally different level of “runtime” than the normal day-to-day work. I see this as mission-critical and will focus on that primarily. If I don’t focus on what is truly important to me, I will neglect certain aspects. It’s just too damn hard to keep everything on such a strict level.
So I prioritize. If it’s not important, I keep a sane level of security. I don’t want to annoy myself or others and make things worse without a real need. When you do that, people tend to go for workarounds and loopholes, and that makes your own friends into enemies.
I also tend to build things that can actually be destroyed, killed, purged, or whatever. It’s like using your old sneakers to play outside, so you can throw them away when they are all wet and smelly or broken. In IT, this means writing infrastructure as code (where the code is my main priority on saving, not the infrastructure). If the shit hits the fan, I throw my infrastructure away and “press play”: voila, I’m ready to start again.
Even this website, my blog, runs in such a way that it’s immutable. I assume you could make efforts to place some malicious files if you really want to target me. That’s fine. I can kill the Kubernetes pod, and your file is gone. Here is also the second part: monitoring and being aware of what you run. You should have things in place to actually know “something” has happened. Not only so you can mitigate it, but also actually fix it. Otherwise, it would be an endless loop of getting hacked on that fresh immutable image 😉
But often I see a shitload of monitoring, yet zero knowledge of what it means. Super great that you monitor the number of requests, but do you know what it means? Do you understand your own monitoring and actually the data that you are monitoring?
Often people/companies get overwhelmed by data. Cool graphs, nice pie-charts, and they act on nothing.
Perhaps dumb it down to a sane set of data for which you know what it actually does, what it should be and when to act. Then just keep growing your capabilities to gain more insights. Not the other way around.
p.s. If you believe your website is secure, contact me: https://isitthough.com/