Is a Truly Secure Computer Actually Possible?

I was once told by an old boss of mine that the only way in which you could ever truly secure a computer was to encase it in concrete and drop it in the Mariana Trench.[1] I guess at some 11,000 metres (approximately 7 miles) deep, that’s about as secure as you could ever get it.

As we all know, computers now play such an important part in our lives today that doing what I’ve said in my opening paragraph is just not an act of war. Information Technology (IT), and indeed Operational Technology (OT), are ever more pervasive in everyday life and we are simply unable to do anything without them.

Computer hardware, computer networks, computer operating systems, computer applications etc. are being attacked on an ever-increasing scale. The statistics on data breaches are simply frightening. As I write this article, the Breach Level Index is reporting that 9,053,156,308 data records have been lost or stolen since 2013! That is a staggering 5,123,461 a day, or 213,478 an hour, or 3,558 a minute, or 59 a second! They are terrifying statistics. Encasing that computer in concrete and dropping it into the Mariana Trench makes even more sense to me the more I look at those figures.

We’ve had computers in our workplaces and in our homes for so long now that they are a huge part of our lives. We are all aware of computer attacks, viruses and outbreaks of malware, so how come we still see headlines over data breaches like these:

  • The WannaCry outbreak at the NHS in May 2017 rendered unpatched MS XP IT useless with criminally induced ransomware.
  • Yahoo mail – every single account, 3,000,000,000 (3 billion) of them, hacked in Oct 17. If you have a Yahoo mail account, your details have gone. If you use the same password on other sites, your details have probably gone from there also.
  • Verizon (communications company) saw 14,000,000 customer records lost: bank account details, home addresses etc.
  • Myspace attack 2016, information of some 360,000,000 accounts lost. Same as the Verizon attack: personal information of thousands of account holders.
  • The Sony ‘Guardians of Peace’ hack of 2014 that saw previously unreleased films, details of forthcoming releases, scripts and salaries of film stars all compromised.
  • Sony PlayStation attack of 2011 that not only prevented games from working, but also released personal details of account holders.

Googling ‘Data Breaches’ and adding a year fills your screen with more and more similar examples. As I’ve said earlier in this piece, it’s scary.

Microsoft release patches for known vulnerabilities in their OS on a monthly basis. I’ve previously written an article on the Regency website on whether you patch or don’t patch; you can find it here if you feel that way inclined. It is believed by some IT security professionals that 5 years ago the ‘bad guys’ took around a month or so to exploit a vulnerability once the patch was released by Microsoft and it became more widely known, so if you had a half-decent patching routine, you were pretty safe. Those same IT security professionals believe that the ‘bad guys’ today can exploit a vulnerability in days, sometimes in a matter of hours, once Microsoft release the patch to fix it. The ‘bad guys’ possibly didn’t even know about the vulnerability before Microsoft released the patch, but by releasing it, Microsoft are basically firing the starting pistol on a race between you patching your system and the bad guy devising a ‘hack’ to exploit it. Winner takes all, I guess.

Patching is not the be-all and end-all of a secure IT system; rather, it is one component of a defence in depth strategy, also known as the “castle approach”. The military definition of ‘defence in depth’ is “the arrangement of defensive lines or fortifications so they can defend each other”, but for IT systems it’s “a concept in which multiple layers of security controls (defences) are placed throughout an IT system.”[2] A system that I am very familiar with certainly has defence in depth, and one would hope that other major companies with critical IT and OT systems will follow suit.

What actually makes up ‘defence in depth’ within an IT system? Here are a few of the common defences that are employed:

  1. Boundary protection – does your system actually need to be internet facing? Do users need to be able to browse the Internet or send emails outside of your network? It’s a risk balance exercise that your accreditor, SIRO etc. need to review.
  2. Network Intrusion Devices – generally installed at the outer reaches of the IT system to analyse and report (and potentially block) any untoward activity.
  3. Firewalls – hardware or software based, configured to prevent and/or permit traffic, either incoming or outgoing.
  4. System Specific Security Controls – this is, according to the definition I found on the Internet, “a security control for an IT system that has not been designated as a common security control”.[3]
  5. Patching – patch vulnerabilities as fast as you can; the bad guys are waiting for Microsoft’s Patch Tuesday as much as your IT support guys are. Move off vulnerable, out-of-date, out-of-support OS (remember WannaCry exploited vulnerabilities in MS XP; it didn’t exploit MS W7 or W10).
  6. Host Based End Point Protection – this utilises anti-virus, whitelisting, Symantec Endpoint Protection etc.: having up-to-date anti-virus engines installed on your host IT and downloading the anti-virus updates. There is a train of thought that anti-virus is passé and no longer valid in today’s world. There’s an equally prevalent ‘conspiracy theory’ that all viruses are written by the anti-virus companies: well, if there were no computer viruses, there would be no need for anti-virus products. A conspiracy theory, as I said; I’m not that cynical, honest.
  7. Application/Device Controls – for example security policies, domain controllers, group policies etc.

Those 7 levels of security (and I’m sure there are more you could install if you so wished) are only as good as the validity of them; if your anti-virus is out of date, if your firewall is configured slightly incorrectly, if your IPS is end of support, then very quickly your defence in depth resembles Swiss cheese, full of holes, and you’re then open to attack from the ‘bad guys’.

So, is a totally secure IT system actually possible? Yes, of course it is: you need to take your PC, encase it in a mixture of water, aggregate (rock, sand, gravel) and Portland cement, and then charter a boat out of the Marianas islands, taking a course east for approximately 124 miles, stop engines and simply throw it overboard. I can guarantee that that PC is totally secure; utterly useless, but it’s totally secure.

Seriously speaking, if you are from an organisation, however small, and you would like a more comprehensive conversation with Regency’s business change or security consultants on the subject of IT or OT security, then give us a call on our office number 01242 225699 or email us at enquiries@regencyitc.co.uk.

Phil Sandford

 

[1] https://en.wikipedia.org/wiki/Mariana_Trench

[2] https://en.wikipedia.org/wiki/Defense_in_depth_(computing)

[3] https://definedterm.com/system_specific_security_control