Ever since they started embedding Webcams in laptops, I’ve been putting a small Post-it note over the lens. There are just too many hacks that can permit an attacker to spy on you via your own Webcam. Needless to say this was one of the first lockdown steps I performed on my CloudPassage laptop. On my first visit to the main office, I had two people ask about the Post-in note on my laptop. On my second visit to the corporate office, nearly every system with an embedded camera had a Post-it note covering the lens. This behavior intrigued me as the precaution is not part of our corporate security policy.
Folks have proactively taken it upon themselves to implement this additional layer of protection. Security going viral? Is that even possible? Any seasoned security professional will tell you that trying to convey the benefits of security to folks outside our industry is about as effective as trying to convey to a pre-teen that candy and soda before bedtime is a bad idea. So what made this security concept so different from all of the others?
Personalize the risk
All too often we talk about security in abstract terms. We talk about the need to protect “data” or “servers”, which are extremely unrelatable terms to the average person. Having an attacker stream video off of your system at an inopportune time is both personal and relatable. It is easy for the average person to understand why this could be a risk. When we convey the importance of security, we need to do a better job of personalizing the risk to the target audience. This may be by spending a bit more time explain “why” as opposed to “how”, or in some cases it may be a matter of developing better analogizes. A good security solution is doomed to be ineffective if people refuse to adopt it.
So easy your boss can use it
When it comes to technology, we geeks tend to have a different interpretation of the word “simple”. Saying “You can lock that down by CRONing a shell script” may be a valid statement between hardcore tech types, but sounds like complete gibberish to the uninitiated. One of the strengths of the Post-in note solution is its simplicity. Note that I’ve given few instructions on how to perform the hack, yet by simply looking at the picture in this blog most readers will be able to deploy the solution for themselves.
Now granted, locking down a cloud requires a bit more complexity than covering the lens on a camera. However as security folks, part of our job is to abstract these layers of complexity in order to better commoditize the solution. Excellent examples are Check Point and Apple. Both companies dominated their respective markets (perimeter security in the case of Check Point, consumer electronics in the case of Apple) by taking an intricate solution and abstracting all of the layers of complexity. This created products that their customers could understand and use with minimal training. Think about an iPhone for a moment. This is a relatively complex piece of tech, and yet the average person can become fluent in using it within an hour without ever opening a manual.
So in order to be effective, a good security solution has to be easy to understand and use.
Simplify the architecture
There is a very fine line between defense in-depth and a house of cards. By this I mean we tend to deploy security in layers. One of the things we need to evaluate is whether those layers complement each other, or rely on each other in order to function properly. For example a logging solution is of little benefit unless all of the appropriate systems are properly configured to forward their log entries. Unfortunately, from the perspective of the logging solution, it may be difficult to determine if this is the case.
One of the strengths of the Post-it note solution is that it is capable of implementing the required security without relying on any other security layers. For example instead of using a Post-it note, I could choose to simply disable the Webcam driver. This would obviously prevent the Webcam from functioning as well. However if an attacker is able to gain access to my system, they can easily enable the driver. So we have a house of cards solution where by disabling the driver is only effective if an attacker cannot gain high level access to the system. However the Post-it note solution is true defense in-depth, in that it does not rely on any other layers in order to do its job.
As a cloud security example, consider the use of virtual firewall appliances versus host based firewalls. The virtual firewall appliance is only effective so long as the vSwitch does not become compromised. As soon as it does, the security provided by the firewall appliance is neutralized. With a host based firewall, security can be maintained even if the vSwitch is compromised. An attacker would have to compromise the host itself to circumvent the host based firewall, but even then there are checks we can put into place.
So a simplified security solution should be able to do its job without requiring that other layers maintain their integrity.
Auditing should be easy
One of the biggest benefits of the Post-it note solution is that it lends itself to being easily audited. I can answer the question “Is the solutions still working effectively?” by simply shifting my focus a few inches higher. To again pick on “disabling the Webcam driver” as a possible alternate solution, I would need to go out of my way to check and see if the driver is still disabled. This would require me to have the skills to accomplish this task, as well as remember to do it at regular intervals.
Far too often in security we tend to overthink implementation but completely disregard long term administration. Simplicity in security has to apply to long term administration as well as initial deployment.
Security simplicity is a major tenant in CloudPassage Halo. The entire team works hard to not only develop an effective security solution, but one that is quick to deploy and easy to maintain. It may not quite be a Post-it note on a Webcam, but we are working hard to get it there.