By Matthew Canning, Become Better at Everything Founder
When you’re shopping for a smart lock for your home, cloud-based backup software for your personal computer, a key card entry system for your office, or anything else that relies on serious security as a core requirement, it’s much easier to find features and praise than it is to find out exactly how secure the product really is. Late last year, I had the privilege of meeting Babak Javadi, head of research for The CORE Group, a private security consultancy based out of Philadelphia. Babak and his team employ a holistic approach to personal and professional security that covers everything from physical security through the electronics and software we rely on every day. One day, the folks at The CORE Group may be cutting apart a new lock for a video on their blog, and the next, they may be showing your office building’s head of security how someone could talk their way into a server room.
I asked Babak to share some tips that the average person could employ to improve his or her personal security. Rather than share a list of common mistakes and how to avoid them—which he feels is only useful for the specific items covered—he prefers to help propagate the importance of developing an overarching security philosophy.
In Babak’s Words:
To improve security, people have to understand how security works as a whole. Not necessarily locks or buildings or antivirus software specifically. In any system, you have to understand the intended design—which is usually easy to find and is well-marketed—and potential limitations, which are much harder to find but have the potential to tell you a lot more about the product or process. This is not something that people generally know, not just because manufacturers don’t tell you, but also because people don’t tend to care.
In any given system, you can assume things can be broken. The question to ask isn’t “if,” but rather “how.” This is true for products as well as processes put into place for the purpose of security. No matter what it is, you should get into the habit of asking “what won’t it do? What won’t it protect me from?” These are referred to as “known unknowns.” Anyone who provides a reasonable solution to a security problem should be able to—and willing to—articulate both its strengths and weaknesses. If not, that’s a red flag.
This is the basis of a security philosophy. It’s about general awareness. If you install antivirus software, you know that it can be defeated. It happens all the time. It’s a complex system that you don’t fully understand, but you are aware that there are probably ways around it. You don’t have to understand the details to understand how it can be circumvented—or that it can be circumvented—and what the implications of that could be, whether that means someone accessing your most personal files or showing up in your house uninvited and undetected. Everything breaks. Everything has a failure point. Even if you can’t think of it or see it, it doesn’t mean it doesn’t exist or that other people can’t see it. That’s something I take into account in any aspect of my life, and that’s the best security advice I can share with your readers.
Systems for security are getting so complex that it’s often difficult to concisely assess their level of vulnerability. Look at Bluetooth locks. I hate them. Think of all the different components that are in that system: A physical lock attached to something electromagnetic, which is controlled by code, and accessed via Bluetooth through an app on your phone, which is itself an electronic device running on code. There are a million possibilities for exploitation.
So it comes down to this: If you’re relying on systems of any sort, you have to assume they can be accessed by someone who wants to get in badly enough. You need to integrate that into your security philosophy, weigh that risk against the benefit the system adds to your life, and take the risk into consideration when deciding whether or not to support the system with any sort of “plan B.”