Essentialism Applied To Infosec
What would your life be like if all you had was the bare minimum of stuff you need to survive and keep yourself physically and mentally healthy?
Have you ever asked yourself how your life would be if all you had was the bare minimum of stuff you need to survive and keep yourself physically and mentally healthy? Doesn't matter if you haven't, today we'll be diving into the subject of applied essentialism, what it means and how it can be applied to infosec.
I'm by no means a professional in this field and I'm merely attempting to write something interesting. No information contained in this articles is supposed to be taken as a general security advice from a real certified professionals. I'm not going to be held liable for what you do with this information and how you apply it.
- What is essentialism?
- Essentialism translated to infosec
- Benefits of essentialism
- Calming down from euphoria
- Complementary techniques
- Practical examples
- Conclusion & summary
What is Essentialism?
Essentialism describes (usually) a way of life, where you reduce your property to only the "essential" things you need. For example, do you really need everything you have in your house? Just take a quick look or try to visualize everything you have.
Is there anything you haven't used in years? Obviously you can go further with this philosophy. Most importantly I just want to talk about something, that almost everyone (if not everyone) has experiences with. Massive cable storages. As crazy as it sounds, but somehow everyone has cables somewhere in their home (either in their basement or garage), because they maybe could be useful some day, or replace a non functioning cable. To me personally this is madness. Sometimes it's also not just one cable of any type, but most people even have the same damn cables in storage. The only thing different being the length or color.
Essentialism is basically the exact opposite of that. When essentialism comes to mind for me, I usually connect it with the words tidiness, focus, reasonability and similar expressions that could be associated with these three terms.
A common mistake, people make is mixing up essentialism with minimalism. Minimalism is a really tight framework and in my (any many others eyes) not reasonable. It's kind of more like self loathing and really pushing it. Not to say, that it doesn't exist for a reason, but at least today we'll only cover essentialism.
Essentialism Translated To Infosec
Now that we know the usual definition of essentialism, what would it translate to in the context of infosec? After all, infosec is very special in itself and very diverse. In the big picture, this is obviously a good thing, but capturing every subset of infosec, from SOCs to DFIR and everything between and beyond that is quite hard. Besides that, essentialism in infosec makes more sense when applied to system architecture, networking etc, so I won't bother with what it would look like from different perspectives beyond the ones, which benefit from essentialism.
Essentialism in infosec therefore would be heavier restrictions of the infrastructure, for me. Explicitly the given operating system, applications running on the operating system, internal network, connection to external networks and general internal information accessibility physically.
Benefits of Essentialism
That concludes the definition of essentialism, so the subject should mostly be clear to you now. What might not be obvious to you, are the benefits of essentialism though, so let me explain.
Since essentialism is striving towards only using and applying essential things, it greatly reduces the overall complexity wherever it's applied. Reducing complexity comes hand in hand with having a clear view of the given subject, so if you know how something works, you obviously understand it better and can secure it more easily. Whether you're talking about the code that runs on your system, the network infrastructure or who has access to which information.
Reducing Attack Vectors
Additionally the attack vectors are reduced as well, if you reduce something only to the necessary minimum. This means, you can focus more on securing the things that are left and do a good job at it, instead of always hustling and checking for new vulnerabilities that could potentially be caused by some abstract stuff or hell do I know. I think all of us know, what I mean. Besides that, you also can't attack what isn't there, or can't be understood by the system. (Hah, no more popping calc.exe)
Maintainability itself, might not be directly related to information security. At some point though, when a software developer (or you) tries every trick to just make a program run or compatible with something, they'll inevitably cause problems. Problems in the form of bugs, which might or might not be a security problem themselves directly, but in concert with other things, or given enough time and computer madness could develop into one. Nowadays computers are so abstract, that really nobody fully understands them anymore. One could potentially argue, that this also makes it worse for the malicious people, but the malicious people only have to win once. In addition to that, computers simply can mess up themselves without anybody trying to exploit them, so relying on complexity is not a solution. Just imagine all the abstractions from the hardware, to your operating system, up to some random Java program running in the JVM. spooky
Ditching Legacy Problems
Ohh legacy systems. Probably one of the worst things to happen to people. It has the flavor of vendor lock in mixed with palliative care, but even worse. Because it's even harder to get out and most of the time only you are able to barely keep it alive and secure it. Looking at the salary of fairly local COBOL programmer positions I think it's saying enough to conclude, that legacy things are a pain for everyone. More importantly though, especially for us infosec folks. Simply maintaining compatibility with older systems can be a security risk.
Reducing the size, complexity and abstractions though, it's way easier to migrate to newer/better solutions instead of getting stuck with something that eventually will turn into something unmaintained by the community, or become something considered as legacy.
Thanks to all the reduction, clearer view etc. you or your company can focus better and spend more time on other things, instead of troubling yourself with the security stuff. Potentially you could learn more techniques from other people in the industry, or spend more time communicating with your team. If this isn't directly an option, you can also spend time to analyze your current status and improve the security instead of merely keeping it alive.
Calming Down From Euphoria
This was a very unilateral section, so let me be a bit more reflective and not bury this philosophy in compliments. Essentialism is nice and all, but you really should know when to use it and when not.
As security people, we also have to keep in mind the end user, these being mostly normal people or at least not ones that know much about information security. Nowadays many companies invest big money, so their employees can attend meetings and learn how they can behave safely and in a security preserving manner. Mostly, this is already too much for some people and quite frankly I like to get a bit lazy, even though I know this stuff.
The reasons may be different, but the outcome is the same. People weaken their and maybe others safety and security. For me this is not a big problem, since I'm only lazy, if I don't put others or a company in danger. People that misbehave in that surrounding though make it a problem, far beyond what they can make up for.
So sometimes, enforcing not too many security policies and being a little less stricter can actually improve safety and security sometimes. People always find a way around security protocols, techniques and other stuff you put in their way. Worst of all, they can do it in a way that you won't notice or have no control over.
Essentialism might make something less complex for you and maybe some other persons too, but not for all. The other problem of essentialism in the context of infosec being, that it's there to strictly enforce security policies and techniques. At the end, you'll have to wage the war between the less complexity benefit and the stricter enforcement. This is no simple task by any means, but unfortunately necessary.
While essentialism has many benefits on its own and is something to consider or at least think about, I wouldn't recommend relying completely on it. Since it makes your job easier, you can as mentioned before focus more time on other things. There are so many combinations, that I can't list them all, but at least I can list my personally underrated things.
Documenting, Documenting, Documenting
Documentation is in my opinion one of the most underrated things ever. Many of you will maybe be confused and would like to confront me with all the documents and tutorials on things. The main problem are the parts that aren't documented though and from personal experience I can say, that I wish more stuff would be documented. Stackoverflow is nice, but it doesn't compare to something well documented. You shouldn't be looking for questions on the web after all, you should be looking for answers.
With all that extra time on your hands, you could also plan things out better and think about potential vulnerabilities in the design of your security implementations. Improving the user friendliness and intuitivity can also strengthen security. Whether the intuition is for other people that maintain or will maintain the security related stuff, for yourself in situations where you'd otherwise try to remember what on earth you did there or for the end user as a guidance.
More Testing & Cleaning Up
Yes, I know. Testing proves the existence of bugs, not absence. Testing is most of the time economically viable though and good enough for most use cases. In addition to that, you can enforce type checking in case you want to apply this to software. Type checking (if you use it correctly) makes sure, that you have some quality standards, use best practices and most of the time make your code easier to read and understand. Static analysis is obviously very closely related, but type checking itself deserves an extra mention.
After all this text, you maybe have some fresh ideas that you wouldn't have thought about otherwise. Sometimes we all tend to get mentally stuck with our thoughts though. For that situation, I've prepared a little list of neat ideas that might inspire you to come up with your own. Beware though, I've mixed essentialism with other techniques in these examples, which aren't even necessarily the one's mentioned above.
- Use microservices or unikernels for webservers/networking technology, since these don't need a full operating system and mostly only have to do one job.
- Enforce principle of least authority, so privilege escalation and similar vulnerabilities are harder to achieve. (Professionally you should already be doing this and not just because of this text)
- Block websites, which aren't on a whitelist. Similarly, don't let employees download external software. No matter if it's on their work computer, work laptop or a smartphone by the company.
- Don't let employees connect their personal technology with the business network/networks and make sure they don't have access to the WiFi passwords and anything that would grant them access to the network.
- Document all the software (apps included) which are installed on the business computers etc. and have a internal network connection. Along that, you can create documents for groups of employees and technology, indexing them to get an overview of the internal structure of your company and decide about, whether some people or technology related things have to much power or knowledge than they need and could potentially pose as a vulnerability.
- Instead of securing every bit of a given subject, focus instead on the most vulnerable and most critical parts.
- Because of the reduced attack vectors and things that could potentially happen, evaluate the most common attacks and incidents that could occur in your situation. What would your response be to a given situation, how drastic is the situation, would your response fix the problem temporary, is the situation too overwhelming and you need aid from law enforcement? These are only some questions, but having a plan beforehand can go a long way.
Conclusion & Summary
It's fun for me, to apply philosophy and other things to infosec. Really gives the whole topic a fresh spin to it. Essentialism really is a nice and interesting philosophy on its own, but also interesting as an infosec philosophy. Thanks to its nature, essentialism allows itself to be combined well with other techniques and practices and it's really recommendable to do so, since alone it's not enough to be called a secure framework. That's it for today folks. Cheers.
About The Art Used In This Article
The awesome artwork used in this article is the work of Zaki Abdelmounim. He is a 25-year-old Moroccan 3D generalist living in Qatar and working in the TV industry. This project is called Hardcoding:Redshift Study, Zaki started the project after watching the movie Chappie, he really liked the concept of the command chair that was done by George Hull, and wanted to recreate something similar in 3D for the sake of practice and fun, resulting in what we think is the worlds best hacker desk design. Learn more about this project here.