DISCLAIMER/WARNING
This article was published by Fernando Castro on LinkedIn in January 2022, here. I (Fernando Gont) disagree with most of the observations made in this article, but just felt like archiving this post as an example of how NOT to think about security. Note: this article was translated to English via Google Translator.
Please, DO NOT follow the “tips” in this article!
Nowadays, when the Internet is believed to be increasingly hostile, paranoia also grows in the field of security, but good practices do not; I call this Security by obscurity. This security practice, based on paranoia, mistrust and the claim that the Internet is an impenetrable and dangerous jungle, is the basic argument for the growth of company policies that in certain scenarios can be more harmful than beneficial for the company. In general, examples of these policies are the following:
- Distrust employees at all costs. Security by obscurity invites the employer to believe in internal enemies; in no way does it encourage building an environment of trust where an employee will never attack you internally because of how a culture based on respect and trust has been built. No, here any employee can become your enemy at any time, and hence the policies of VPNs, “super-secure” passwords and other measures that make it difficult for the employee to connect to do their job. But of course, since it is about secrecy, security by obscurity is not about training employees in good security practices for managing their credentials, how to have secure access to company platforms, and why it is important to implement measures to work safely. Many times it is only the ego of whoever is responsible for the team; there are no discussions with the other teams about the measures to be taken. In this model it only matters that what the security team asks for is applied, regardless of whether the company’s clients or business are affected.
- Closed by default. This is a typical measure of security by obscurity; the excuse is to reduce the attack surface: close ports, change the port to a “higher” one that is not standard, and other measures oriented to a practice where hiding is the best form of defense. For example, security by obscurity teams often suggest changing the SSH port to some XXXXX port while it is still exposed to the Internet, or putting the SSH service behind a VPN, regardless of whether the company’s development team may need the SSH service to connect some servers with CI/CD tools.
Security by obscurity is a practice that is far from analytical about the needs of companies. That is why, for several years, based on my experience in server implementation for platforms that handle thousands of users and have a record of zero hacking, I have been proposing that we start talking about security by transparency. (I should clarify that it is not about being optimistic; it is about being realistic and using the best possible practices.)
Security by transparency is based on the following principles:
- By default your employees are not enemies: if you have a good business culture based on trust, where even when they stop being employees the relationships end on good terms, the employee will not reveal your secrets.
- It is necessary to close all their accesses and accounts at the time of their departure.
- Above all, good practices. Here are some examples:
- If you want, you can expose the SSH service to the Internet, even on the default port, but make sure that password access is prohibited, that you can only log in using keys, that you have limited the users who can connect via SSH and, very importantly, that you use a tool like Fail2Ban to block failed attempts to access your SSH.
- Never expose a web server directly to the Internet, no matter how basic it may seem; use a reverse proxy. Tools like NGINX or HAProxy can help you create a WAF that secures your infrastructure in a simple and clean way, as well as helping you manage all your SSL certificates, among other nice benefits. (In the future I will share a guide to good practices for all types of services based on the idea of Security by Transparency.)
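The SSH settings the list item above asks for (no password access, keys only, a limited set of users) can be checked against the file rather than by eye. The following is an added example, not code from the original article: a small sshd_config audit that honours sshd's rule that the first value of a keyword wins; it assumes OpenSSH defaults and leaves Fail2Ban to its own jail configuration.

```python
import re
from typing import Dict, List, Tuple

# OpenSSH defaults used when a directive is absent (assumption: OpenSSH 7.x+).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes"}

def parse_sshd_config(text: str) -> Tuple[Dict[str, str], bool]:
    """Return (effective global settings, whether a Match block was seen).
    sshd keeps the FIRST value it reads for a keyword, keywords are
    case-insensitive, 'key value' and 'key=value' are both accepted, and only
    lines starting with '#' are comments. Settings after a Match line are
    conditional, so the global view stops there.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "match":
            return effective, True
        effective.setdefault(key, value)  # first occurrence wins, as in sshd
    return effective, False

def audit_sshd_config(text: str) -> List[str]:
    """List where the config falls short of key-only, limited-user access."""
    settings, has_match = parse_sshd_config(text)
    cfg = {**DEFAULTS, **settings}
    findings: List[str] = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("password logins allowed (PasswordAuthentication)")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("public-key logins disabled (PubkeyAuthentication)")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups: any local account may try SSH")
    if has_match:
        findings.append("Match block present: verify with 'sshd -T -C user=<name>'")
    return findings

# Constructed samples: a "fix" appended below an earlier value (sshd keeps the
# first one) and a config matching the list item above (keys only, named users).
TRAP_CONFIG = "PasswordAuthentication yes\nAllowUsers deploy\nPasswordAuthentication no\n"
HARDENED_CONFIG = "PasswordAuthentication no\nPubkeyAuthentication yes\nAllowUsers deploy ci\n"

if __name__ == "__main__":
    for name, cfg in (("trap", TRAP_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

On a live host, `sshd -T` prints the effective settings and is the authoritative source; the parser above is for reviewing files offline, for example in CI.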
Security by transparency, on the other hand, requires in-depth knowledge of the environment where your model will be applied: every detail of internal operation is taken into account, as are the possible effects on business continuity, and policies are created that are discussed with the different teams that will be affected. Its goal is teamwork and the collective creation of a safe and clear environment for everyone.
Although the Internet can be a hostile environment, it is also a wonderful place where great things are developed for everyone. Security does not have to be a straitjacket on growth; it is not about being naive, it is clear that there are threats, and many, but the correct approach is not necessarily to hide and distrust. Secure environments are also healthy in the way incidents are reported and in how the different teams are trained in security matters. Sometimes there is a greater risk of being hacked by creating a hostile environment where people do not like security policies than if we create this environment in a clear, friendly and transparent way in our companies or workspaces.