Thursday, December 22, 2016

The Golden Rule of Security

Last week, my job sent me to a Security+ class. I now have to study and take the test for the certification.

The instructor reminded me of the Golden Rule of Security: I will not spend more (money/effort) to protect the asset than the asset is worth.

When you're dealing with an enterprise network, you may need advanced encryption and security features. But you also have (hopefully) enough properly trained and qualified employees to carry it out. You can also configure your workstation images so most of it is abstracted away from your users. They don't have to think about it.

A home network is a different story. I'm an IT and cyber security professional, but my wife and children are not. I also don't have the resources and budget of an enterprise network. But the majority of my equipment and data don't require that budget or resources either.

I once locked a home network down too hard. While still married to my ex-wife, "somebody" was getting into my accounts and sending nasty messages from my accounts to hers. Taking everything at face value, I overreacted and locked everything down. I set an overly complex password to access the wireless router. I changed several passwords to a much more complex schema.

And of course, it only worked for me. At the time, I was a geographical bachelor living and working in Virginia while my family stayed in New Jersey. The job market up there sucked, so I went where I could get a decent enough job. So while I was away, for some reason, other devices couldn't access the network. They'd have to wait for me to come home every other weekend. I think my ex's parents just bought a new router and set it up.

During all of this, my ex received another message from my Gmail account, signed with "Sent from my iPhone". When I have an iPhone, I never leave that line in the signature.

I consulted with several cyber professionals, and the best they could come to was that it was an inside job. I realized that my ex knew my common passwords and PINs. I changed them, and the next time I went "home", I took every possible device she could access and use out of the house.

The "hacking" stopped. I can't prove it, but it does seem like an inside job. I still don't completely understand why, but I have several theories. All I can say is, once a woman turns on you, there is no going back.

So, I've learned to apply an appropriate level of security to my network. I lock it down as best I can, but not so hard my family can't use it. My wife, at times, can't tell the difference between her Yahoo!, Google, Microsoft, and iCloud accounts. I have to accept that and account for it. I also can't expect my children to understand MAC address filtering.

One neat thing I learned in the class, for those of you fluent in the OSI model, is Layer 8. Layer 8 is the user or PEBKAC layer. And you have to account for it. Some people are completely ignorant of technology, and are proud of it. They refuse to learn. They're proud to still have "flip" phones. They don't know the difference between Windows XP, Vista, 7, 8, or 10. And they don't care. They install Weatherbug and every stupid toolbar that asks to be installed. And people like us have to clean it up when they complain their computers stop working.

A friend of mine used to have his network locked down as hard as possible for a home network. He didn't broadcast his SSID and had to manually approve every MAC address. He finally realized that when you lock it down too hard, people start wondering what exactly you're protecting. Then, having become curious, they'll try to break in. He relaxed his posture somewhat.
