Why are we not secure by default?

Things have changed quite a bit over the last few years when it comes to our security on the internet. As a topic, it is probably getting more attention than it ever has, and it's not surprising.

We have increased the functionality of the internet beyond what anybody could have imagined when it was born. Now we literally store everything in the cloud, whether it be our personal data in services like Dropbox or Office 365 and OneDrive in the enterprise. With backups and files in locations that are physically beyond our control, we naturally turn our attention to security.

Data In Transit Security

A big piece of the puzzle is how we secure our data in transit. Enter HTTPS/SSL. When I started building servers many moons ago, and (unfortunately) to a certain degree still today, you would always start by getting port 80, or HTTP, working. This is actually a big hole that we all fall into. Why do we default to insecure when secure is usually not that far away? Inevitably, what happens next is that we build and install everything with just HTTP enabled and then attempt to switch to HTTPS at the last minute, leaving the potential for holes and exploitable entry points.

I've made a conscious change over the last few years to challenge myself to never set up a web-accessible service over HTTP without SSL enabled. Regardless of who is accessing the service, or whether the service will ultimately sit behind a gateway that will take care of SSL, we should regard HTTPS as the starting point. My question now is: why are we not doing this by default?
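One way to make HTTPS the starting point for a new service, as an added example (not code from the original post): the TLS listener refuses to start without a certificate instead of falling back to HTTP, and the plain-HTTP port only redirects. The host name, HSTS lifetime and handler names are assumptions made for this sketch.

```python
import http.server
import os
import ssl

CANONICAL_HOST = "service.example.internal"  # assumed name, constructed for this example
HSTS = "max-age=31536000"  # assumed lifetime: one year

def make_tls_context(certfile, keyfile):
    """Build the server TLS context, failing closed if key material is missing."""
    for path in (certfile, keyfile):
        if not os.path.isfile(path):
            # No silent fallback to plain HTTP: without a certificate the service does not start.
            raise FileNotFoundError(f"TLS material missing: {path}")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx

def https_location(path, host=CANONICAL_HOST, port=443):
    """Redirect target for a plain-HTTP request; uses the configured host, not the Host header."""
    if not path.startswith("/") or path.startswith("//"):
        path = "/"  # absolute-URI, "*" or "//host" request targets collapse to the root
    authority = host if port == 443 else f"{host}:{port}"
    return f"https://{authority}{path}"

class RedirectOnly(http.server.BaseHTTPRequestHandler):
    """Port-80 listener: never serves content, only points clients at HTTPS."""
    def _redirect(self):
        self.send_response(301)
        self.send_header("Location", https_location(self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()
    do_GET = do_HEAD = _redirect

class App(http.server.BaseHTTPRequestHandler):
    """The actual service, reachable over TLS only."""
    def do_GET(self):
        body = b"hello over TLS\n"
        self.send_response(200)
        self.send_header("Strict-Transport-Security", HSTS)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def build_https_server(addr, certfile, keyfile):
    ctx = make_tls_context(certfile, keyfile)  # raises before any socket is opened
    httpd = http.server.HTTPServer(addr, App)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd
```

Calling `build_https_server(("0.0.0.0", 8443), "server.crt", "server.key").serve_forever()` starts the service; the certificate file names are placeholders.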

Fundamentally, as a society we want the websites we visit to protect us and protect our data, so why not start with everything protected? Even if it is just publicly accessible data from a website – what is the harm in transmitting that data securely? Surely that is a better starting point than switching to secure later.

I really look forward to the day when my browser will refuse to connect to websites that do not offer SSL/HTTPS based connections!

Data At Rest Security

SSL covers our data while it traverses the world's networks, but what about the data before it ever leaves our computers? I'm not going to cover the cloud or enterprise encryption that should be enabled by all service providers, server hardening, etc. Instead, I'm going to focus on what we as end users should be doing to protect ourselves off the net.

Physical security of our data is as important as data in transit. At the end of the day, your cloud storage and network communications can be as secure as you like but if a thief can simply grab your laptop and access your files with little/no effort then what is the point?

Most platforms give us the tools to protect ourselves at a basic level, although, again with our tendency to default to insecure, they are not switched on by default. As an industry we should look to change this! Encryption should be enabled at first boot, with a setup without encryption being the abnormal one.

Enabling it is relatively easy in most cases, though. Take Mac OS X or Windows 8, for example. Both include their own whole-disk encryption software. All that is needed is to switch it on. For Mac OS X this is as easy as enabling FileVault, and on Windows it's just as easy as long as your TPM (Trusted Platform Module) is enabled.

Outside of whole-disk encryption we can still use programs like TrueCrypt or similar to take care of specific encryption requirements, although with the recent uncertainty around TrueCrypt I may start to move away from that platform.

Conclusion

It's a simple concept, and everybody I speak to agrees that this is the way it should be: SSL by default and encrypted by default. It's most definitely not perfect, and there is so much more that has to be done in this area, but if we as an industry can make the baseline better then we will at least be starting from good and getting better rather than starting from bad and aiming for good!
