Monday, February 25, 2008

Five Methods for Layered Security

Friday's edition of The New York Times newspaper announced the discovery by a team of scientists from Princeton University that Dynamic Random Access Memory (DRAM) chips could be made to retain their data for an extended period of time after being powered down if the chips are cooled. In the experiments, the RAM chips were cooled using an inexpensive can of compressed air, and scientists were still able to extract information from the chips, including the complex encryption keys used to decode files.
By cooling the chips, the data is literally frozen in place. Then it was just a matter of reading the strings of zeros and ones that make up the information stored on the chip. From the billions of bits of data, the scientists were able to identify and extract their private encryption keys. This new discovery has industry experts clamoring over this wide loophole in computer security. However, when you think about it, this issue is only related to IT security in the sense that a computer chip is involved. In fact, this is primarily a physical security issue. If the would-be thief cannot access the physical computer chip, there is no threat.
The most successful way to protect anything is with a layered security approach. No one method will solve all problems, so you adopt multiple methods to deal with different weaknesses. First and foremost, let us all agree that the only 100% secure computer is one that is disconnected from everything and is turned off. Granted, that is not a very useful computer.
The architecture of a layered security for your computers starts with a solid, reliable and reputable firewall. A firewall restricts access to certain types of network traffic. A hardware firewall sits on your network right at the point of internet entry and the software firewalls protect all the network computers. I do not recommend a software firewall on a server as your primary means of defense because you open the server to direct attack. By controlling what has access, you can eliminate most problems.
If something sneaks past your firewall, you need an Intrusion Detection System (IDS). There are different approaches for making IDS work on a network. The most typical method is based on signature matching. Every internet threat has a signature which can be thought of as early warning symptoms. An IDS system constantly monitors your network looking for these early warning signs, then alerts you when it discovers a problem.
Finally, install anti-virus software on every machine and you have a solid IT security foundation. If you still need to have the virtues of anti-virus software explained to you then you are still relatively new to the internet. Anti-virus is mandatory now. To further expand your defenses, you need to spend time and resources educating your staff in proper internet behaviors that will reduce risks. This includes not opening email attachments from unknown senders to avoiding many adult-oriented websites.
But all of these practices only protect against virtual threats. A physical security system still needs to be put in place to protect the physical equipment. I have seen companies that spend a fortune on virtual security but then leave the door to the server room unlocked. Strict guidelines need to be in place for who gets access to the equipment that runs your business.
I am not downplaying the brilliant discoveries of the Princeton University team. What I am arguing is that this is not an IT security issue, but a physical security issue. If the would be thief cannot get the RAM chips, then there is no chance of them stealing the information off the chip. If you can control access to the equipment then you limit the threat. So, start adding layers to your security. The more layers of protection you can throw between your data and a thief the greater likelihood you will stay safe and secure.
Sources:
Markoff, John. "Researchers Find Way to Steal Encrypted Data" The New York Times Published Feb 22, 2008; internet edition;



R-Squared Computing - Business Technology Experts