Apriori and Posteriori Security

Strangely enough, more than a hundred years after the sinking of the Titanic, I still feel the need to explain how pointless it is to build unsinkable ships. Do not worry, I have not confused the theme of our series. We will not discuss safety at sea but computer system security. Nevertheless, you will see how strong the parallel is in the thinking of some technicians and managers.

If you work in the IT field, at some point you must have had to make (or perhaps asked someone to make) changes to the computer network to prevent anyone unauthorized from accessing it. Surely an attractive idea, and at first glance a correct one … and an unfeasible one. There is a phenomenon called the “jailer’s paradox”, which holds that a prisoner will always manage to escape the jailer, because the prisoner focuses on only one escape route while the jailer must consider all conceivable options simultaneously. Taking into account the notorious Murphy’s Law, which claims that “anything that can go wrong, will go wrong, and anything that cannot go wrong, will go wrong anyway”, we have no choice but to accept that every network will sooner or later be breached successfully.

Since we cannot prevent the network breach, what, if anything, makes sense to do? We will keep returning to this question from different perspectives in future chapters, but first let us be clear: not all is lost. As in every power conflict (and cyberspace has recently been recognized as another regular type of battleground on the global level), we can – and ought to – learn from history. And here we have a large number of guidelines from the pre-computer era and the history of secret service conflicts. All truly great secret service strategists always, in addition to the primary security measures, invested a great amount of effort into learning whether their spy network had been breached. Let us do the same.

I will start with a rhetorical question: do you think anyone would still steal if every thief were tracked down, sentenced, and his property seized within a couple of weeks? You are getting warmer! If we cannot prevent the network breach, let us take action to find out about any breach as soon as possible and with as much certainty as possible. The army is ahead of us again: have you heard the term “passive radar”? After years of the prevailing doctrine that the first strike should eliminate the enemy’s radar (because every radar reveals itself by operating, so I can easily find out whether I have really eliminated it and afterwards easily dominate the airspace), new radars are now in use that “only” listen to the various signals emitted by the enemy, or optionally to reflections of signals from other radio transmitters.

Let us replace the “classic” radars with their counterparts in our network: the various firewalls, authentication and antivirus servers and policy-enforcing devices, whose elimination or bypassing is naturally every hacker’s first goal. We should therefore also include in our network other elements whose presence may (and should) remain unknown to all unauthorized persons, whose presence and active status are practically impossible to determine (except by a physical search), and whose purpose is to collect and process information that allows us to detect (and, better still, locate) unusual activity in our network.

Naturally, unusual activity does not always mean a successful, deliberate and malevolent intrusion. It may be a distracted office worker who clicked on a virus-laden email, an employee’s child who uses our network to play online games, or an accountant who generates an unusual data transfer volume for two days each month because he is hurriedly tracing discrepancies in the figures before the deadline. But it can also be a real attack. How do we deal with it?

I will assume the role of Scheherazade and save the explanation of how to put posteriori security into practice for the next chapter, so that we can devote sufficient time and detail to this important security concept. As a closing curiosity, can you guess how long malicious code remains active and undetected in a number of firms according to the Cisco Annual Security Report? An incredible 200 days. All sorts of things can happen during that time, don’t you agree?