So, to kick off this series about security, let's start with some basic discussion. In this article we're going to take a look at what will be coming up in the series, along with some basic notes, thoughts and ideas.

The first thing about this series is a small disclaimer. No matter what software you buy or what tools you use, there's no such thing as absolute protection.
No matter how good it is, how strong the encryption is, or how expensive the hardware might be, it can't protect you in all scenarios. If people really want to hack you, steal your secrets, or compromise your network, they can and will. If they are determined enough, well funded, working for "a three letter acronym agency", or from a foreign government, they will get in, and yes, even well funded criminal syndicates will too.


That's why we are going to kick it off with something as basic as a discussion about your most important tool, the security plan. It will help you think about "how" you think about security, and that's your most important tool.
It's about knowing what's possible under what scenarios, and learning to make an informed decision about what the threats are, what to protect, how to protect it, why, and from whom.

Some will think that keeping your computers buried in a concrete basement, built inside a mountain, protected by your own private army is the right response. Can it be? Sure. If you're trying to protect it from every government in the world, from evil hackers, and you're protecting something like the digital crown jewels, it might be the right response. If you're protecting a copy of your own private love poetry or your cookbook, it might, just might, be a bit overkill. So, thinking about what to protect, from whom, how expensive it should be / can be, and under what scenario / threat, would be a place to start.

How do you make a security plan? We start with some very basic questions.

What do I have that's worth protecting?

What assets am I trying to protect? What kind are they? What form are they? What format are they? How large / small are they? Are there special considerations that need to be taken?
How long do I have to protect them? Against what / whom?

So, make a list of your assets: what data you have and where it is stored. Is it on some form of public storage, or do you need to store it on private servers? How is that server going to be protected?
How will you protect the data itself, and from whom? Who should have access to it, and why? How do you plan to protect it, some kind of encryption? How strong should the keys be, and in what format? And how long do you need to keep the backups / how long should the keys be good for?

All these questions will help you find the right plan for you, and make a budget for implementing it. They can also tell you a bit about how much trouble it will be to maintain, which is actually quite important to take into consideration. No one will use a form of encryption or a form of backup that's not user friendly, or that's hard to maintain. Then people start to skip it, and boomm, there's your problem. Keep it effective, simple, and just adequate for what you want to do and what you need, and you'll have a solution that's good, and will serve you for years to come.

Who do I want to protect it from?

Who are my likely adversaries?
Who is it you're trying to protect yourself and your assets from? There's a bit of a difference in who they are, and what capabilities they have. It matters if it's that pesky kid next door who's just downloaded Kali Linux, and is now taking it out for a spin, targeting your wifi, or that "Three-Letter-Acronym-Agency" I mentioned, or <insert-evil-crime-syndicate-here>. They will have toys that are very hard to protect yourself from, all the time in the world, and a small army of developers and hackers, highly motivated to target you. In that case, ruuunn..

If it's just the kid next door, talk to his dad, or fuck up his laptop the next time you see him, that'll teach that little B***..
But, have a look at Kali Linux if you're brave enough. It will show you a bit about what is out there for people to play with, and teach you a bit about what tools are out there for everyone to use. It's a bit scary, fun, and fascinating. So, coming up with a realistic picture of who it is that "might" target you, and how they could think to target your data / your assets, will help you in finding out how to protect yourself.

How likely is it that I need to protect it?

How are the burglary statistics in my neighborhood? How trustworthy are my guests, roommates or others who have access to my place of living? What are the risks I should consider, and what are my adversaries' capabilities? How far are they willing to go?

Okay, let's be honest. If you're like me and most other people, living in a free world, it's not very likely you're running from the CIA. If you find yourself in that situation, you have my sympathy. If not, then maybe it's just a normal threat level, from those pesky hackers, and "Random J Snooper". So, what's most likely? That the CIA is snooping in your files, or that some "Random J Hacker" is trying to infect your machine to make it a part of his gigantic botnet of doom?

That "Random J Hacker" is easier to protect yourself from. Some good encryption, some vigilance, some thought about how you use the net, some virus scanning, keeping your system up to date, and using a good VPN solution, is a veeery good start.
It can never protect you 100 %, nothing really can. Not even a complete "Air-gapped" system. As long as data is passing in / out of the system, you're at risk, even though it might be 0.00001 %.
Security is not about making it impossible to hack a system, or steal your files or your stuff. It's about making it so hard that most aren't even going to try, but will move on to a softer target.

So, take a good look at what the likelihood is that something will happen, hope for the best, prepare for the worst, and make a mental note to keep it in your plan.
Write down which threats you are going to take seriously, and which risks / threats are too rare, too harmless, too difficult to plan for, or too costly, and root them out, or include them, according to need. But do keep it realistic.

What happens if I fail?

Are there some of my assets I can't replace? What loss can I stand? What about insurance?
What happens if those dickpics end up on myspace? Or that juicy email to my boss's secretary ends up on social media? ( :D)

What's at stake? Are you a journalist trying to stand up to an oppressive government? The new Snowden maybe? Or do you just risk losing your assets and taking a financial loss, or is your life or your reputation on the line? Are you risking your job? Or is it just the new cookbook you're working on?
The higher the stakes, the more serious you have to be. That can range from encryption, to that mountain and private army I talked about in the beginning :)

How much trouble am I willing to go through to prevent those consequences?

Am I willing to buy a safe to protect sensitive documents, jewelry, passports and the like? How much trouble am I willing to go through using encryption and managing keys? How much money am I willing to / can I spend?
How fast does this need to be done?

As you can see, the list is endless, or almost. As you begin to make the plan and start to think in security terms, the more you learn about it and about what's actually possible, the more questions will pop up. So, just add them to the list, so you have them if and when you need them. But, with that said, remember common sense. If the risk of a burglary is low, there's no need for that steel reinforced door, even though it's pretty cool.
If it's high, then, depending on what you're trying to protect, maybe that steel door would be a good idea, and of course, crocodiles in the hallway are a must, and for good measure, don't feed them :)

All fun aside, answering these questions, and more, will help you understand the threats that are unique to you, evaluate your assets, and in the end, understand your adversaries, their motivations, strategies and capabilities, and the likelihood of the risks you are up against.
