Security Lessons from Nature – Minimizing Shadows

Imagine for a minute that you’re a bug. You wander around looking for food and avoiding predators. Now, most critters that predate on bugs aren’t exactly the brightest. They just sort of fly around and look for anything that looks buggy and then try to eat it. There are generally only two clues for buggyness: movement and contrast.

Basically, if something moves like a bug, it’s probably a bug. Of course, this is only good against the bugs that haven’t learned to just keep still. If you want to keep your little bug self safe and secure, all you have to do is not move when a predator comes at you… which is a lot harder than it sounds… and not 100% successful now that predators have learned the contrast trick.

Most says, there tends to be light around, and even though bugs have gotten pretty good at matching their surroundings, if the light comes from the wrong angle, it doesn’t matter how well you match your environment, you’ll cast a nice long shadow. If a bird is looking for an area of sharp contrast, they can find you even if you manage to stay frozen.

Bad news for bugs.

Unless, of course, you manage to reduce your shadow. If you are careful to shift your position or only land in pre-existing shadows, you can really reduce these shadows. Similarly, if you only come out during mid day and stay hidden during morning and evening, you’ll avoid the long shadows. Basically, you want to reduce the amount of your body that catches the light, which would reduce the amount of shadow, which would reduce the likelihood of attack.

We do the same thing in the security world. A system can be attacked in many (many (many)) ways. Looking just at a fairly standard Web system, a system can be attacked at: ssh, apache, mysql/postresql, openssl, php/perl/ruby, ftp, or any modules contained within… and this assumes that the system has been hardened and isn’t running any of the common applications such as X, Gnome/KDE, OpenOffice.org, Firefox, portmap, r* commands, etc. The simple fact is that we load our systems with all sorts of fancy widgets, adding new functionality here and there, making it run faster (or least, more interestingly) and… if an attacker looks at… casting a very interesting shadow.

Simply put, every thing you can install can be exploited. It may be reviewed. It may be well designed. It may be hardened. However, this is not a perfect world, and there are no guarantees. You can’t make sure that everything is running exactly as it should be, but what you can know with absolute certainty is that something that’s not there cannot be exploited. People have a really hard time robbing a house that’s not been built, and they’d have similar difficulties attacking a service that’s not running.

In I.T. Security, we call this reducing our attack surface. The term can apply to an entire business, a network, a server or just an application. The idea is pretty much exactly what a bug does. We want to make our shadow as small as possible, by reducing the number of protrusions and things that make the shadow interesting. In practice, this means reducing your business (you’re not a bug anymore, by the way) to just what you need. If you don’t need modems, don’t leave them plugged in. If you don’t need to be running telnet, don’t run it. If you don’t need to employ untrusted people at incredibly low wages, don’t do it.

The point here isn’t to say that you can be completely safe by minimizing what’s running… there is no completely safe. Any bug can get eaten, despite how good it gets at what it does. The point is that by minimizing the attack surface, you can get it to a manageable size. If bugs were the size of baseballs, cast huge shadows and were slow to maneuver, they’d be eaten awfully quickly. By staying small and relatively flat, they’ve been able to focus on better defenses (such as scent bombing, protective colouration, and just plain old tasting bad). The same applies to your business. If you limit what you’re doing and running to something manageable, it can then be managed.

It also helps not to move suddenly when someone flips over a leaf… but I’ve not yet figured out exactly how that applies to business.