Just out of curiosity, I was wondering whether there is a way to completely and utterly secure computers and communications, either on the same premises or across premises. I almost immediately hit on the Wikipedia article about air gaps. An air gap is the following:
An air gap, air wall or air gapping is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network.
This means no external network interfaces, wired or wireless, and usually hardened physical security and isolation. Getting data in or out therefore requires removable media, or even hand-typing data into the air-gapped system as needed, with a human reviewing each transfer. Preventing leakage of information through electromagnetic emissions (a by-product of the hardware's normal operation) may also necessitate something like a Faraday cage.
However, as I read to the end of the article, I hit on this:
Sophisticated computer viruses for use in cyberwarfare, such as Stuxnet and agent.btz have been designed to infect air-gapped systems by exploiting security holes related to the handling of removable media.
So, the air-gapped computer can potentially be infected by malware, despite best efforts, unless no external media transfers occur at all. Finally, and more ominously, this:
In general, malware can exploit various hardware combinations to leak sensitive information from air-gapped systems using “air-gap covert channels”. These hardware combinations use a number of different mediums to bridge the air-gap, including: acoustic, light, seismic, magnetic, thermal, and radio-frequency.
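The one transfer path an air gap leaves open is removable media, and the article above notes that this is exactly the path such malware has used. As an added illustration (this is not code from the original post), here is a simple intake check of the kind a practitioner would run on the receiving side before anything from a USB stick is copied onto the isolated machine: every file must appear in a manifest of SHA-256 hashes produced by the sender, must match its hash, and must be of an expected document type; anything else on the media is reported and rejected. The manifest format, the allowed file types, and the sample files are constructed for this example; the design assumes the manifest travels separately from the media (printed or typed in), so that tampering with the stick alone cannot forge it.

```python
import hashlib
import os
import tempfile

# Constructed allowlist of file types the receiving side expects to see on
# transfer media. Executables and configuration files are deliberately absent.
ALLOWED_EXTENSIONS = {".csv", ".txt", ".pdf"}


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large transfers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def vet_media(media_dir, manifest):
    """Compare the files on removable media against a sender-supplied manifest.

    manifest maps a relative file name to its expected SHA-256 hex digest.
    Returns (accepted, rejected): accepted is a sorted list of file names that
    may be copied in; rejected maps each other name to the reason it failed.
    """
    accepted, rejected = [], {}
    present = set()
    for root, _dirs, files in os.walk(media_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, media_dir)
            present.add(rel)
            extension = os.path.splitext(rel)[1].lower()
            if rel not in manifest:
                rejected[rel] = "not in manifest"        # unexpected extra file
            elif extension not in ALLOWED_EXTENSIONS:
                rejected[rel] = "disallowed file type"   # listed, but not a document
            elif sha256_of(path) != manifest[rel]:
                rejected[rel] = "hash mismatch"          # altered after the sender hashed it
            else:
                accepted.append(rel)
    # A file the sender listed but which never arrived is also worth flagging.
    for rel in manifest:
        if rel not in present:
            rejected[rel] = "listed in manifest but missing from media"
    return sorted(accepted), rejected


def demo():
    """Build a constructed 'USB stick' in a temp directory and vet it."""
    media = tempfile.mkdtemp(prefix="media_")
    files = {
        "report.csv": b"id,value\n1,42\n",       # matches the manifest
        "notes.txt": b"edited on the way\n",     # content differs from what was hashed
        "update.exe": b"MZ\x90\x00",             # listed, but executables are not allowed
        "autorun.inf": b"[autorun]\n",           # not listed by the sender at all
    }
    for name, data in files.items():
        with open(os.path.join(media, name), "wb") as handle:
            handle.write(data)
    # Constructed manifest as the sender would have produced it.
    manifest = {
        "report.csv": hashlib.sha256(files["report.csv"]).hexdigest(),
        "notes.txt": hashlib.sha256(b"what the sender wrote\n").hexdigest(),
        "update.exe": hashlib.sha256(files["update.exe"]).hexdigest(),
        "missing.pdf": hashlib.sha256(b"never copied\n").hexdigest(),
    }
    return vet_media(media, manifest)


if __name__ == "__main__":
    ok, bad = demo()
    print("accepted:", ok)
    for name, reason in sorted(bad.items()):
        print(f"rejected: {name}: {reason}")
```

Running the demo accepts only `report.csv` and rejects the other four files, each with a distinct reason. The check does not make the media safe on its own (the receiving machine still parses whatever it accepts), but it turns "a human looks at the stick" into a repeatable, logged decision, and it catches the two things the article warns about: files that were not supposed to be there, and files that changed in transit.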
No External Media: Safe?
Just thinking through the above as stated, one would think that as long as no external media transfers occur, neither of these “bombshell” statements should apply, right? But at some point, the computing infrastructure had to be assembled from parts, probably sourced from diverse nations, and then loaded with firmware, an operating system, applications, and data.
Even with no ongoing external media transfers, I would think hidden malware that was present before the hardening phase could rear its ugly head. I am not a security expert by any means, but after reading the Wikipedia article and doing a little research out of curiosity, this does just seem to make sense to me.
After reading those last two bombshells at the end of the article, I came to the following conclusion. I think it is probably pretty accurate:
The only way to completely and utterly secure computing infrastructure is to never buy it in the first place. If you already have some, just pitch everything into the gaping maw of an active volcano, or a high temperature blast furnace…
I do indeed recognize that, for some companies, completely destroying their entire computing infrastructure is just not the way to go. I am not totally unreasonable, after all. For them, I can recommend a good fallback in the following quote, which follows from the fact that ultimate security is an unobtainable chimera. I based it on the venerable Boy Scout motto (“Be Prepared!”):
Assume data theft, data loss, and operational interruption are inevitable, and put mitigation strategies in place before they happen.
I hope this (hopefully funny) post has given the concerned IT admin or business owner a hearty LOL to take the edge off some worry. However, I do think there are some pearls of wisdom here that do in all seriousness apply.
Thanks to Pexels for the free featured image.