In today’s world it seems as if everyone is connected to the Internet in one way, shape, or form. From the obvious like our computers and smartphones, to the not so obvious like our TV’s, cars, red light cameras, or even industrial control systems everyday we interact with devices that are “smart” or “connected". But have you ever stopped and wondered exactly how secure those systems are, or who has access to those systems?
We hope only those authorized. We authorize only those with proper credentials. And we only give credentials to the people who need access. Sounds simple and secure right? But what are those credentials? A username and user generated password?
For some things this is the best we can do. And yet there are so many other ways to authenticate a user. For example; one could require a valid finger print scan; a verification code sent via SMS; or even a mathematical one-time-password.
Some services come with better authentication methods built in. For example SSH includes the ability to authenticate a user based on a mathematical key pair, to include PGP/GPG keys that are commonly used to encrypt and send emails and important messages.
But when it comes to security we have a tendency to take the easy way out; security through obscurity. While not a bad idea at all, most people simply change the port a service is running on in order to “hide it". But in this day and age it needs to be a common assumption that if its listening, people are talking. What I mean by this is, regardless of what security precautions you take, if you have a service that is listening for connections someone will find it. There is a “dark search engine” for example that regularly scans the entire internet looking for any information an internet connected device willingly provides about itself. So your SSH server running on port 2222, someone probably knows about it. Not to mention its another random thing administrators need to memorize.
A simple solution to this? Follow the examples from the Prohibition Era. That’s right just like when someone wanted to go to a speak-easy and had to do that special knock on the door to get in. But instead of knocking a song on a door, we simply send several packets to pre-defined ports and have the port you need to connect to automatically open up. Wikipedia - Port Knocking
But still this is still simply security through obscurity; While at a much greater level, it is still none the less by-passable given enough time and determination. So going with our previous assumption we need to try to stop attacks, because we are going to undergo one. But how can we do this, every attack is different. Well monitoring is key, but because no one wants to sit around all day watching and reading though thousands of log files in real-time we automate this. Fail2ban is a great example; it monitors log files and can automatically ban IP addresses from the server for a set amount of time, or forever.
Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc). Source
So now we can feel slightly more secure about fending off brute force attacks, and dictionary attacks; As well as a handful of other known attacks. But what if the attacker manages to get in, or worse is an insider? Well that can only be handled so much beforehand; But the easiest method of mitigation is proper use of access control. If someone doesn’t need access to something; they shouldn’t have access to it. For example; While CEO’s are important and run the company, they shouldn’t have Administrator access rights to all servers and devices; Just as a custodial worker shouldn’t have access to edit the company’s website.
Now that may seem harsh, telling the CEO they can’t have equal or greater access than a system administrator; But they are just as likely if not more to be targeted by a social engineering attack. Simply put; everyone is human and we unknowingly give out more information than we intend to helping the attacker put together a better profile of us, their target, in order to gain access.
So what about DDoS attacks? Well, simply put; unless you have something special in-place its only a sit-in (just like the civil rights movement). Give it time, and it will fade; If not, put something in place to mitigate the impact. They are the most common form of “attack” and one of the most difficult and expense to defeat on ones own.
In the end though; The security of a system is only as good as the programmers who develop the software, and the administrators who install and maintain the system. Because the internet simply connects people together from anywhere in the world. Anyone, Anywhere, has the ability to access the same things you have the ability to access; Just the same, You have the same ability access anything anyone anywhere else has the ability to access. Its simply a matter of knowing the right song to knock on the door; and what passwords are needed.