Creating strong security habits

I have worked in IT since an early age; half of my life has been spent in contact with technology. As a result I have learned a thing or two: I played "script kiddie", did some hacks, and helped out in a few security situations.

I have decent knowledge of security, but I have never taken it as seriously as in the last few months.

What changed?

First, the government is watching. I have nothing to hide, but that is not even an argument; security should be the standard. Second, I am building some value, or at least trying, and if I start thinking about it early it will pay off in the future. Third, how far can I go, and how hard can it be? I have no idea. Come with me, let's find out.

Objectives

  1. Protect every point of attack and data leak for valuable information.
  2. Create and follow a strict security habit.

The first thing to understand: you are the weakest node in the security chain.

That means your habits and attitude create the holes in it. You can have an impenetrable door, but if you forget your keys somewhere, someone can copy them.

This is why interfacing with security systems must be easy. People fatigue, misuse, and circumvent when they can; not everybody is a Navy SEAL.

People have limited fresh memory (RAM, if you like) and must use it for many things. The best security system is one you do not need to think about. Do you drive your car thinking about how to change gears, turn the steering wheel, accelerate, and so on? When you are learning, or out of practice, you do; once you have it, you don't. I believe we are not there yet with security, so stay alert.

The second thing to understand: all nodes in the chain must be protected. Break one, and the whole chain is at risk.

Every place, every network, every drive, every person, every bit of valuable information must be protected. The only time information may be available unprotected is in the RAM of your computer, and even that must be temporary. This is hard.

The third thing to understand: there is no perfect security. Assume that being compromised is a matter of time, and that it gets exponentially worse as time passes. Rotate keys and plan for containment.

Enough talk. Time to practice.

First step: Memorize a few good passwords

Over the years, I have memorized a few good passwords. You can use an expensive electronic key, a biometric system, face recognition, or whatever the marketing capitalists sell you; none of this is more secure than a good password. They can offer convenience for identification, but zero security.

You can extract a fingerprint from a photo and use it; seriously, this has been demonstrated, it is that easy. Every other mechanism is a complete, dangerous mess. Do not trust anyone.

The only downsides of passwords are:

  1. Not choosing a strong one.
  2. Keyloggers.

Don't try to memorize a lot of passwords; if you are using good ones, you simply can't memorize them all. We will see next how to use different passwords and keep security.

I use a few strong combinations of base passwords I have memorized:

  • They mix numbers, letters and special characters.
  • They are (for the most part) not based on words.
  • I do mix words with random characters; I am not sure whether that decreases or adds security, but it makes them more memorable.
  • Do not use only dictionary words; the best passwords are completely random.

For systems where I do not care about security, I use a weak eight-character alphabetic password (yes, that is weak).

My strongest passwords have about 25-40 characters.

Other passwords are combinations of them. That makes memorizing easy, even for very long passwords.

Second step: Full disk encryption

I talked a little about this in Road to startup infra - Certificate Authority.

Just imagine your disk in the hands of untrusted people. They can access a lot of information and impersonate you on a good number of systems.

As developers and sysadmins we use SSH keys to interact securely with our systems, but remember that you are the weak part of the chain? I do not know about you, but I do not like typing a password on every code push; in fact, I hate it. Therefore, my keys have no passphrase.

That is one sensitive file. What about your shell history? What about your kubectl config file? Helm certificates and others? In the course of your job you will have a lot of sensitive information and keys on your computer, even if only temporarily, and if you do not securely erase the files you are at risk. As careful as you may be, just encrypt your whole drive.

Only this can protect you from unauthorized access.

Options:

  • VeraCrypt - Linux, Windows, Mac - strong security, open source
  • BitLocker - native Windows - requires Windows Professional. You don't need a TPM chip
  • FileVault - native macOS
  • dm-crypt - native Linux

Third Step: Full mobile encryption

Your mobile phone is storing increasingly sensitive information: two-factor authentication, that photo you wish you had not taken, and so on...

You may be shocked by how easy it is to hack a phone. The dumbest thief knows how to disable tracking, GPS, anything (just shut it down), and can bring your phone to any shady technician to crack it in minutes. You really do not want to depend on an internet connection to locate it.

With that said, a close friend was locked in his house with his niece by two dangerous bandits. They took a lot of valuable things; he was able to break out after they left and, with the help of the police, locate the bastards and pursue them through the streets. When they realized the phone was being tracked, they tried to shut it down. Cerberus was installed and it just faked the shutdown, so they threw the phone out during the high-speed chase. Fortunately, the bastards were arrested (again).

You do not want to be in that situation, and you do not need to be. A simple lost phone can cause a good deal of damage.

Encrypt it.

Android: source.android.com/security/encryption/full..

iOS: ssd.eff.org/en/module/how-encrypt-your-iphone

In addition, do not use the pattern lock; put at least an 8-digit number on it. Better still, a password with letters.

Fourth step: Use Two-Factor authentication wherever possible

Microsoft Authenticator and Google Authenticator are both good answers to the problem: what if one of my passwords leaks?

Using your smartphone, you can enforce more security by requiring a time-based one-time password for authentication.

I am not a huge fan of this, simply because if you lose your phone it is difficult to regain access to your accounts. And you are talking to a guy who has been robbed and lost phones 3 times already.

A simple phone format will lock you out.

Microsoft Authenticator has an upcoming feature to back up your codes, but it is not released yet: cloudblogs.microsoft.com/enterprisemobility..

I am considering adopting a YubiKey or Trezor.

These are solutions that provide a hardware password manager and transactions. They feel quite secure, and are not susceptible to keyloggers.

Fifth step: Encrypt all your communications

I don't get it: why don't all the organizations I have worked for so far have SSL everywhere? Is it cost? Is it lack of knowledge, or just lazy leadership?

You have no excuses:

letsencrypt.org

jamielinux.com/docs/openssl-certificate-aut..

My blog post talks about the root CA.

Sixth step: Use a Mesh VPN

Sometimes we have to connect systems on different networks. In that situation, a VPN is handy. It is also a good idea to have a VPN for internal systems that lack SSL.

In the past, we needed to operate a VPN server. That adds a central point of failure, latency and performance loss, and key exchange is complex to operate (or at least boring).

Here enters the mesh VPN: it has NONE of the flaws mentioned.

I use ZeroTier as my solution.

All interactions between servers happen in a virtual network that spans data centers and providers.

All access to systems is preferably made through this internal network.

Seventh step: Use a firewall

Ooh, the firewall only made your sixth position? Yes.

Organization leaders tend to invest a hell of a lot of money in firewall solutions. Maybe they think the firewall is their unmatched defense barrier? They could not be more wrong. Do they know that every million-dollar (over the years) firewall out there adds little over open source solutions? And that is not the only issue: a firewall will not solve the SSL problem, or the code problem, or the password problem, or the lack-of-training problem.

Big firewall names have their appeal. I just think that money could be put to better use. It also gets on my nerves when they "sell security" as if you could buy it. Let me put it straight: security is your organization's responsibility; you can't delegate it without fully delegating the services along with it. Good tools can help, but only great process and culture will do it.

I use the best firewall: the one embedded in the system (ufw, firewalld, iptables, etc.).

With automation and infrastructure as code, it is easy to keep consistency and manage individual firewalls at large scale.

This will not protect you against:

  • DDoS attacks.
  • Intrusions: it is not an intrusion detection system.

Anyway, these are different products from a central firewall.

Eighth: Create a central account repository

The best enterprise repository today, the one with almost ubiquitous integration, is LDAP.

However, LDAP is not the best option for providing access to applications. That is why I use it only as the repository and as a fallback for systems that have no OAuth or SAML authentication.

My architecture is as follows:

I use Keycloak as the OAuth and SAML provider; it aggregates user accounts and identity providers (Google, Facebook, Twitter, etc.) and does the heavy lifting. Keycloak is configured with LDAP sync, and all employees have an LDAP account.

All systems authenticate primarily using OAuth or SAML; the fallback is LDAP.

Ninth: Rotate and revoke access

This is not trivial: every person's access (passwords, keys, tokens...) in your organization needs to follow two rules:

  1. Access must be granted on a per-need basis. I get it; I am used to having a lot of power in terms of access, and I feel limited when I do not, especially on my own devices. But every person should have access only to the systems and information their job requires.
  2. Every access needs to be revocable.

The second is the most crucial in my opinion, because it is the hardest. Think about it for a second: how do we revoke the access of a secretary?

Suppose she has access to her computer, her email and a phone password to make calls. You can integrate all of it with LDAP, revoke her LDAP account, and rest assured she has no access to any of it.

Now, try to revoke a Linux admin account.

First off, you can't. Trust is the ultimate word here. If the guy wants to keep his access, you will have a hard time.

There is one way to guarantee it: back up the whole system without any executable programs, SSH keys, /etc group and password files, or sensitive information (encryption keys, etc.); start from a fresh base image (one he has no access to); change all passwords for all user and system accounts; and install everything again. I think this is inconvenient; I prefer to just make sure he will suffer an accident if anything happens :-)

With that said, you can distribute one-time passwords for root access using Vault: vaultproject.io/docs/secrets/ssh/one-time-s..

I use this strategy, combined with 2-hour Vault tokens, to revoke my own access on every system. I don't know any other password, and if my laptop is compromised, first they need to get past full disk encryption, within a maximum of 2 hours, and then they need to quickly create permanent access to the servers. There are other ways to compromise a system, I know. However, an attacker would have to control my computer and hijack the current SSH connection, which is highly unlikely.

If access to Vault is revoked, access to all systems is gone.

There is a fallback, and that is the cloud provider. Someone with access to the cloud provider can reset system passwords just as with physical access. I trust the NSA has no interest in doing so. Nevertheless, if they did, they would need European cooperation. It is easier if they ask me politely, with a good reason ;-)

If my system is compromised, which is unlikely with full disk encryption, they could have access to code. They cannot execute attacks.

Tenth: Backup all the things

This adds an obvious layer of problems: encrypt the backups.

All my servers have offline, encrypted-at-rest backups. The keys are different for every server, so one key cannot compromise another.

The solution I use: github.com/restic/restic

My computer has encrypted backups on my home network.

Eleventh: Encrypt cloud files

All files on Dropbox, Google Drive and especially Microsoft OneDrive that are sensitive enough are encrypted.

I do this more for personal stuff, like photos and documents.

I use BoxCryptor.

Confession: in the past I did put sensitive information on these systems for convenience (SSH keys, passwords). This is a terrible idea, and I revoked all of it before it was too late.

Note: Google and Dropbox claim to encrypt your files, and I bet they do. Microsoft does not. Anyway, do it on your own.

I've stopped counting: Use a password keeper

I am using lastpass.com on all sites. This adds security, but you have to trust their business and that they coded it right. I believe it is OK.

This is good so you do not have to (you cannot) memorize a lot of good passwords.

Prefer encrypted communication

This is a habit you can build easily: avoid all channels that offer no encryption.

That way you contribute by forcing vendors to think about security first.

In case you need a non-encrypted channel, don't use it to transmit sensitive information like credit cards.

This is more of a reminder; I don't think you do that.

Last: Use a decent antivirus

This is a basic step. That is why it is the last on the list.

Unless you use Linux or Mac; then I don't think you need to worry too much about it, your behavior will get you a long way on those systems. In fact, I have never used one.

If you use Windows, you are basically obligated to use a decent antivirus. Nowadays I'm on Windows 10; I found Bitdefender to be really good, and the second contender in my opinion is Kaspersky.

Conclusion

These are all the things I do for now.

In summary:

  • Strong passwords
  • Encryption everywhere
  • Use firewall
  • Central repository for accounts
  • Revoke access
  • Rotate keys
  • Use a password vault
  • Backup

I am going to add to my habits:

  • Sign commits with GPG
  • Use Keybase to prove identity and share things with collaborators. I am investigating this.

I guess Keybase is good for exchanging and securely storing GPG keys for commits or email. Let's find out.

There is another thing to think about: the cloud.

What happens to my servers when they are deleted? It is not as simple as "your files will no longer be accessible". What if the same disk, or parts of it, is mounted for another client? After all, this is a shared environment. It is possible that a sophisticated client can access that information the same way they could with a physical drive; the virtualization layer is not the answer.

I do trust their employees, but should I? That is optimistic; trust is knowing that something is not possible, not that someone is honest enough not to want to do it. Anyway, in an ideal world security would not be in the dictionary, it would be the standard, and honesty would be as widespread as breathing.

I assume they permanently erase files. Even that has its risks. But I'm not too paranoid; I keep every server in the cloud, it's cheap and more reliable. We need to take risks. But if you can't afford them, make sure you can effectively encrypt your servers.

Take risks, prepare, do your part, have faith and trust more.

Regards,

Giovanni Silva.