How Halloween inspired me on IT Infrastructure Access Control
Anirban Banerjee
Last year, while giving candy to some very cute children in my neighborhood, I was suddenly reminded of server access security! Bear with me for a bit as I take you on a journey through my random security-oriented thoughts.
Trick or Treat and Halloween Costumes
My family and I usually give candy (the good kind mind you, no tootsie rolls) every year to lots of young children who visit our house in a residential neighborhood here in the Bay Area. It is a pleasure to see kids dressed up as all kinds of movie characters, wizards, witches, fairies, inanimate objects and whatnot. I think two years ago could be talked about as the year of Frozen – Elsa, the talking snowman (apologies, I forgot his name!) – while last year was kind of a mixed bag. One of the most interesting costumes I saw was a child wearing a cardboard box in the shape of a truck. It was not so much that the costume was startlingly good or that the child was cuteness to the power infinity (although the little kid was very sweet); it was the fact that the parents had made an effort to also dress up as dump trucks, wearing cardboard boxes cut out and painted a bright waste management green, that gave me a warm glow inside. I love it when I see people taking the extra effort to make an experience special.
Making the Jump from Halloween to Infrastructure Access Security
Now consider how we manage access to infrastructure like servers, containers and such. The default way for most companies is to use something called SSH keys. An SSH key is basically a file with a bunch of information in it that certifies who you are by the fact that you hold its matching counterpart on your laptop. Think of it as two pieces that snap well together: you have one piece of information (the private key) and the server you connect to has the other piece (the public key). If both of these pieces snap well together, hey, it is you trying to get access and boom, you are allowed on the server.
Now SSH keys work fine for what they are supposed to do, and boy, SSH has a bunch of useful flags, even SSHFP-based publishing of fingerprint information that lets your laptop figure out if it is connecting to the right server by checking the server's fingerprint via DNS! Pretty non-obvious, but very effective and powerful indeed.
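To make the SSHFP check concrete, here is an added example (not code from the original post) that derives the SSHFP records a host should publish from its public key line and compares a presented key against published record data. The hostname and the key built by `make_sample_key` are constructed placeholders, and the DNS lookup itself is left out, so the record data is passed in as strings.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1, 2 = SHA-256
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def parse_host_key(line):
    """Return (key_type, blob) from a '<type> <base64> [comment]' public key line."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("not a public key line")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; they must agree.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match key blob")
    if key_type not in KEY_ALGS:
        raise ValueError("no SSHFP algorithm number for " + key_type)
    return key_type, blob

def sshfp_records(hostname, line):
    """SSHFP records (zone-file text) a host with this key should publish."""
    key_type, blob = parse_host_key(line)
    return ["%s IN SSHFP %d %d %s" % (hostname, KEY_ALGS[key_type], fp, h(blob).hexdigest())
            for fp, h in sorted(FP_TYPES.items())]

def key_matches_dns(line, rdata_list):
    """True if any published 'alg fptype hex' RDATA matches the presented key."""
    key_type, blob = parse_host_key(line)
    for rdata in rdata_list:
        parts = rdata.split()
        if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
            continue  # skip malformed record data rather than trusting it
        alg, fp = int(parts[0]), int(parts[1])
        if alg == KEY_ALGS[key_type] and fp in FP_TYPES:
            if FP_TYPES[fp](blob).hexdigest() == parts[2].lower():
                return True
    return False  # no record matched: treat the host key as unverified

def make_sample_key(fill):
    """Constructed Ed25519-format key line (32 filler bytes, not a real key)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

The comparison is only as trustworthy as the DNS answer, so it belongs behind a DNSSEC-validating resolver. OpenSSH can generate these records with `ssh-keygen -r` and performs the check itself when `VerifyHostKeyDNS` is enabled.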
How everything relates
I had a flashback when I saw the two parents dressed up as trucks with their little child. We were setting up some servers for our little stealth startup and were trying to secure SSH. We did all the standard things: security through obscurity (move SSH to a different port), port knocking, disallowing root logins, restricting active shell access and a bunch of others. We felt that the server was pretty locked down. We had a local friend who is a good resource for pentesting check things out and give us a thumbs up. After celebrating our little victory (trust me, in startups every day is a roller coaster; we have to celebrate and have fun, because no fun means drudgery) we went back to our respective lives. Work ensued as usual. It was then that a member of our team said maybe we should try to push the envelope a bit on security on the servers. Even though we felt pretty good about it, we pondered on this and considered the time we would probably need to spend and what we would not get done if we chose to spend more time on server hardening. In the end we decided that the servers and images that run our service are kind of our backbone. They are perhaps the most precious things to our service and data storage – we decided to take a little extra care of them.
We went and implemented trapdoors that dynamically alert tripwires and point attackers into juicy directories that don’t really contain real information but help to delay and confuse the attacker. We have also implemented dynamic behavior identification for commands being executed from privileged accounts, so that even if someone breaks in we can see and receive some indication of weird actions. This took a lot more time than we realized. A first version of all this took a week, and more fine-tuning took a couple more days. It's a big investment to set things up this way – but you do need to take that extra special care of your children.
Anyways – have a great Halloween everyone. Have fun, stay safe and have a great time!