Tuesday, April 16, 2013

Understanding digital security

Over the years, many people have asked me about digital security.  How often should I change my passwords?  What all do I need to protect my website and server from malicious attacks?  Unfortunately, there is no one size fits all solution to digital security, but it does help to understand how it works.

Just like "water resistant" doesn't mean your watch can't be damaged by water, having security doesn't prevent attackers from gaining access to your system.

If you have ever purchased a commercial grade safe, you know that they are rated based on the number of minutes it takes someone to crack them.  TL-15 means that it will take at least 15 minutes to crack the safe using normal tools.  When purchasing a commercial safe, you want to buy a rating that is higher than your security team's average response time.  

Similar to physical safes, digital security, including passwords and firewalls, all have a time rating.  An 8 character password can be cracked with brute force in just a few hours with a decent computer.  The goal of digital security then, isn't to prevent attacks, it is to identify them before they are successful.

For the websites I work on, I use a couple of simple methods to deter devious activity.  First, I limit the number of invalid attempts for certain fields and the number of overall page views within a given time frame.  This prevents large amounts of data from being scraped and increases the amount of time it takes to test 200,000,000 possible password combinations.  

The second part is to have automated monitoring of these activities.  Knowing someone is combing through 100+ pages on your site every minute, gives you options.  You can limit their access or discontinue it all together.

Highly sophisticated attacks will always be an issue, but unless you are a bank or government entity, you probably don't need to worry.  Most attackers are lazy.  If you put up a decent fight and prevent them from stealing the farm, they will end up moving on to the next, easier target.

What do you do to keep your files secure?