Security by denying everything

Deny Everything

Most applications that come with a layer of security give the user the option to set up some rules. For example, when I set up an apache webserver, there are rules to determine which files are accessible to the user and which are not. The same goes with the firewall, you can set which ports are open and which are not.

But there is always some default rules that are added to make sure that the computer or the application is secure in case the user never bother to touch the settings. And these default settings are almost always set to Deny All.

For example, when I create the webserver, chances are I don't want users to access all the files available. It would be time consuming to try to figure out which files I want to share and which are OK. So by default, I chose Deny All and then add each of the folders I want to share. This way, every new folder I add will not be accessible until I say so. This makes it much more secure.

The same applies to the firewall rules. The default rules block all port numbers, and then explicitly add each of the ports needed for the system. This way you can't forget to block a specific port because they are all blocked anyway.

So in general, Deny All then explicitly allowing some is the best policy.

Secured bird

The reason I mention this is to propose a way handle downloading files over the internet.

Being the computer guy among my friends, family and peers, I always find myself trying to fix someone else's machine. Some swear that they never been to a bad site yet somehow they got a virus.

It's true, you don't need to go to a bad site to download a virus. Sometimes, they just start downloading without your interaction, some other times, the ad is placed right next a download button just to trick you to download a different file.

Trying to explain which files are ok to download and which are not is impossible. The internet is infinite, there is no way to create a comprehensive list. The only way to keep your computer safe is to use a Deny All mental model.

This is simple, consider every internet file harmful and never safe to run. That's it.

Just like that, you have protected yourself from every harmful file on the internet. But, of course you will have to download files eventually, so this is only the first measure.

Once you implement the Deny All Scheme, you can start allowing places you trust one at a time.

For example, if you are to download a file, the first thought should be, it's not ok download any file. The second is, where is the file from, if it is from a colleague and you are expecting the file then sure, you can allow it. If the file is from a specific website you know and trust, then ok.

The goal here is to doubt every single file you get. I write this today because I hear a lot of things like "I don't have really use the machine for anything serious". Some how people think that it won't be a big deal if their computer is hacked cause they can just wipe it all off.

What they don't know is that most virus sit quietly on your machine waiting for a specific event to occur to report back to mother base. A simple example is a virus that just want to get your bank info. It is not going to display ads, or slow down your machine. All it will do is get your bank info, which is something we commonly access on our computers these days.

Computers are not toys anymore, and allowing others to run arbitrary code on the machine can be very damaging. If you are trying to teach someone how to keep their computer secure, don't simply tell them to not download .exe files, they could download a zip file and run the extracted .exe thinking its not the same as running one directly.

The better policy would be to think in Deny All, considering everything harmful. And only when you trust the source should you ever download or open the files.


There are no comments added yet.

Let's hear your thoughts

For my eyes only