  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 198

How best to secure files?

I have an application supplied by a brokerage that places orders over the internet. I also have a third party charting program that I run, which has some script-language code that is compiled and runs in that environment and talks to the brokerage software via their API. I want to protect my intellectual property which went into the makeup of the script from ANY possibility of it being uploaded by anyone, including backdoors in the legitimate applications from the brokerage or the third party chart vendor. I can set up a hardware firewall with SPI and allow only the urls necessary. That would effectively prevent the charting software from uploading anything as it never needs to phone home, it just gets data from a data provider that I choose. The brokerage software could, however, have a back door in it, that could conceivably, well it's far fetched maybe, sneak an upload past the brokerage firewall. The coder that put the backdoor in the brokerage software would have to know the firewall, and be involved in the coding of the software, and they bring out new versions very frequently. Is this even worth thinking about really? The scripts have a dozen years of work on my part in them and the thought of some hacker stealing them is a bit painful. The scripts run compiled. Recommendations for methods or software that can deny access to source files except to a white list of programs are welcome, other solutions are welcome as well. That would leave only the compiled, running code as a loose end. Can somebody somehow upload the compiled code and reverse engineer it? I'm not too concerned about somebody physically accessing my computer and getting to files or hackware getting to the computer, I am going to dedicate a computer to just bare bones software needed for the work, no surfing at all with it...
Asked: maxpi
1 Solution
 
PowerIT Commented:
You have listed some concerns and ways you could get cracked. But there are so many other ways.
The best way to protect files is by implementing IT security best practices and have a holistic and layered approach to security.
Only trying to protect these files will not do. Every vulnerability is a potential hole for a hacker to get through.
To evaluate your current security implementation you can compare it to the ISO17799 (now ISO/IEC 27002) code of practice.
You can get a free checklist at SANS. It's not the latest standard but is still very accurate: https://www2.sans.org/score/ISO_17799checklist.php

If you do not trust the third party application then what you need is a source code audit of that application. This is done through automated tools or a source code read. Best is using both. You would need to get access to the source by the vendor or through an escrow agent. Or you could decompile/debug/reverse engineer the application. Although reverse engineering is illegal - even for this purpose - in some countries. Check your local legislation. Also this is a very expensive area you would be moving into.

You could also monitor all traffic going out. But then you would only be warned after the fact.

Compiled code can usually be reverse engineered. There are some tools which TRY to protect executables, but as those tools become part of the executable themselves a clever cracker can get around them. Whatever the vendors of such tools may claim.

A software tool that can deny access to files except for whitelisted programs would be very hard to do on a discretionary access control system (like in Windows). I can probably come up with a dozen of reasons why this would not work in a DAC environment with shared network access. There would always be ways around it.
An architecture which uses mandatory access control is a different story: it can do this. But that's not a single software but a whole OS. Like EnGarde Secure Linux ( http://en.wikipedia.org/wiki/EnGarde_Secure_Linux ) or as an add-on to many other distros. See http://en.wikipedia.org/wiki/Security_Enhanced_Linux and http://en.wikipedia.org/wiki/Mandatory_access_control for more info.
On Linux there are more possibilities:
- AppArmor can also do similar things as MAC, but is less secure: http://en.wikipedia.org/wiki/AppArmor
- systrace can confine an application http://en.wikipedia.org/wiki/Systrace

So to answer your question: aside from following best practices, I think that it is indeed not worth thinking about it. Except if those scripts would have a large market value to others (not to you: your invested time) and be useful to others.
One thing that may prove useful: have a contract with the vendor of the brokerage software in which you define large fines when they would ever do anything like your concerns.

J.
 
maxpi (Author) Commented:
The third party software can be url limited with SPI to just a data provider that I choose. Collusion between a data provider and the software vendor would be required. For maintenance requiring internet access, I can remove my intellectual property from the machine and scan/delete bogus files and I am pretty well insulated from hacks from those guys. The only other URLs allowed will be for the brokerage. I found from another thread here on expert-x that the brokerage will have their firewall set up with a pinhole that only deals with data in certain forms in order to protect themselves and their customers. I was thinking that nothing more can be done with firewalling but internally to my machine I could somehow deny access to files and limit access to only the required application.
 
maxpi (Author) Commented:
I'm not porting to Linux, there is no trading environment that I or anybody else mostly, want to run that is available for Linux. I'm stuck with XP/Vista and exploring the idea of setting up a profile for files that would white list programs for access to them.
 
maxpi (Author) Commented:
This question is worth 500 for sure. I did not know security was nearly impossible to achieve with all known software on a computer that never surfs!!
 
PowerIT Commented:
Absolute security is actually simple: it does not exist ...
There are so many entrance vectors to a network, regardless of surfing or not on the PC. Certainly if you start worrying about applications you've installed.
If you absolutely want to isolate this then have a look at application virtualization for windows like Bufferzone: http://www.trustware.com/

J.
 
maxpi (Author) Commented:
I can format the hdd and reload the OS, download the software installs with another computer, url limit the business computer to just the url for the data provider and the url for the brokerage. Essentially, if I follow my procedures and the hardware firewall does stateful packet inspection I should never get exposure to any sites other than those two and I am not concerned with the data provider, they have no way to know whether anything that I am doing is profitable. Someone at the brokerage, OTOH, can find out I am making lots of $ with an automated connection without hacking me at all. That somebody in the brokerage could be trolling for accounts internally that are doing well to target the client computers for theft of intellectual property. There has to be a way to either contain the brokerage software to its own territory on my computer and never allow it access to my files or white list access to my files to just the programs I allow. The brokerage software is not browser based, it is a Java app I download and install on my machine.
 
maxpi (Author) Commented:
Maybe I could put files on D drive, run software from C drive and not allow some of the software access to anything but the C drive??
 
PowerIT Commented:
Like I said: Windows can not do this. The security in Windows is not application based but user based. So any application impersonates and has the rights which the logged in user has (or the user under which the application is started with runas).
Moving files to another partition does not change this at all.
You could run the application under another user (using runas) and limiting file access for that user.
Or consider virtualization to isolate the app. You can also use Vmware or Virtual PC to do that.

J.
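
The runas suggestion in the answer above, sketched as an added example that is not part of the original thread: a separate local account is denied all access to the script folder, and the brokerage client is then started under that account. The account name, folder and launcher path are hypothetical placeholders, and `icacls` assumes Vista or later (XP ships the older `cacls` instead).

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# All three values below are hypothetical placeholders.
$User      = 'brokerapp'                 # dedicated low-privilege local account
$Protected = 'D:\Scripts'                # folder holding the script sources
$AppPath   = 'C:\Broker\broker.exe'      # brokerage client launcher

# 1. Create the account. '*' makes net.exe prompt for the password so it
#    never appears on the command line or in shell history.
net user $User * /add

# 2. Add an explicit Deny ACE for that account on the protected folder.
#    (OI)(CI) makes the ACE inherit to files and subfolders; F = full access.
#    A Deny ACE is evaluated before the Allow ACEs the account picks up
#    through membership in the local Users group.
icacls $Protected /deny "${User}:(OI)(CI)F"

# 3. Review the resulting ACL; the (DENY) entry for the account should be
#    listed on the folder.
icacls $Protected

# 4. Check the restriction from the account's own point of view before
#    trusting it. The listing should fail with "Access is denied."
#    cmd /k keeps the window open so the result can be read.
runas "/user:${env:COMPUTERNAME}\$User" "cmd /k dir `"$Protected`""

# 5. Start the brokerage client under the restricted account.
runas "/user:${env:COMPUTERNAME}\$User" "`"$AppPath`""
```

The deny entry only binds processes running as that account: anything the vendor installs as a service under SYSTEM or an administrator account is not constrained by it. Whether the charting program, running as the normal user, can still reach the brokerage API across accounts depends on how that API communicates, which the thread does not say.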