Security fundamentals

“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.”

And perhaps guard dogs

Security is important. But what do we mean by security? What kind of threats do we have to mitigate against? Why is it so important? These are the questions I’m going to try and answer today in this first post in my security fundamentals series. Later on we’ll dive into the finer details of cryptography, operating system security, network security etc.

What is security?

Security is about the protection of (digital) assets. There are three main steps to this:

  • Prevention: I don’t want my stuff stolen and prevention is better than cure.
  • Detection: I want to know if my system has been breached and who the culprit is.
  • Recovery: I want to be able to use my system and data in the case of a breach – we need backups!

Historic Computer Security:

  • Used to not be a concern – back in the 50’s and 60’s there were only a few trusted users allowed onto a single user mainframe and everyone was pretty friendly because it was mainly academics using computers
  • Nowadays very different, multiuser systems, thousands of users accessing distributed networks and nowadays not all users are trustworthy. Everything is moving online as well – ubiquitous computing.

Some definitions to make it all hopefully a bit clearer:

  • Confidentiality: Prevention of unauthorised disclosure of information
    • E.g. protection of medical records
  • Integrity: Prevention of unauthorised modification of information and the assurance that data remains unmodified
    • E.g. Distribute bank transactions like you would find with blockchain.
    • Note the second part if the definition is really important. For example a bank cannot process a transaction if it is not 100% certain that the amount or account number has not been changed. Note also that symmetric encryption does nothing to prevent this so other methods have to be used.
  • Authenticity: Prevention of somebody else pretending to be an authorised party
    • Integrity vs authenticity. We need to know that the sender is who we think they are and that the message is ‘fresh’. For example it is common banking practice to reject cheques in the UK that are over 6 months old in case the payment has been made another way or the cheque has been lost or stolen.
Authorization
  • Availability: Prevention of unauthorised withholding of information or resources
    • The property of being accessible and useable upon demand by an authorised entity.
    • In other words, we wants to prevent denial of service (DOS). This doesn’t even have to be an attack – companies can unintentionally DOS themselves by having bad security policies for example, overly complicated password policies which then lead to users forgetting their passwords and locking themselves out.
    • There is often a tradeoff between security and availability. Even sensible policies such as locking an account after multiple failed login attempts can be abused to lock out an account.
  • Accountability: Users should be held responsible for their actions
    • The system should identify and authenticate users and ensure compliance.
    • Audit trails must be kept.
  • Non repudiation: Provides un-forgeable evidence that someone did something
    • A legal term originally used in the context of signing wills i.e. when you sign a will there is a witness who says that it was you who signed the will and you were in a sound mind.
    • Essentially just means that you cannot deny that you did something. The main example of this that we are interested in, are digital certificates which prove ownership of a public key.

Who needs computer security?

Most internet users don’t know enough or care enough about security. In this paper published by security researchers at Google 231 security experts and 294 web users were asked what they do to stay safe online. The results reveal some basic assumptions and biases the average internet user makes about security:

Interesting takeaways:

  • Experts install software updates much more often than non experts
  • Experts use a password manager
  • Experts use 2FA
  • Non experts rely too much on antivirus
  • Non-experts consider changing passwords frequently as good practice
  • Non-experts are reusing passwords
  • Fortunately both experts and non experts are using strong passwords

What kind of threats are there?

Say your grandma wants to pay for something with her card. [1] What could go wrong? Well there’s a lot!

What if someone is eavesdropping?

  • They could see granny’s purchases and potentially steal her card details!
  • Solved with encryption – specifically HTTPS/TLS.
  • This is based on key exchange – a mathematical structure which allows us to establish a shared secret over an insecure channel. Diffie Hellman is the main way of doing this.
    • Diffie Hellman does not protect from man in the middle attacks (MITM). Someone pretends to be the server to the client and the client to the server.
    • We need public key encryption to protect against this type of attack.
    • But this begs the question on how we agree on what encryption protocol to use? We need a handshake protocol – TLS is the one that underpins HTTPS.

Is the client who they say they are?

  • E.g. you’re shopping online but walk away before clicking on purchase. Someone else then changes the delivery address to them.
  • We need to verify the identity of the client.
  • Passwords and multi factor authentication are the main answer to this.

What if the server gets hacked?

  • This will be a problem if we just gave the server our password!
  • This is solved by password hashing so it is stored for verification without even knowing what the password is.
  • Forward secrecy. This protects past sessions against future compromises of keys or passwords.

Is the server who they say they are?

  • Anyone can make a website which looks like Amazon – how can we prove it?
  • Need certificates and a certificate authority. The certificate authority verifies the validity of the certificate.
  • There will need to be a way of revoking certificates. This is done by certificate revocation lists or OCSP [2]

Is there malware on the client machine?

  • Antivirus
  • User Training
  • File Access Controls
  • Memory Protection
  • Kernel Protection

Can everyone inside the company trustworthy?

  • Database security controls
  • File Access Controls
  • Intrusion Detection
  • Security Auditing

Is the server even available?

  • Firewall
  • Backup Power
  • Denial of Server protection
  • Data Backup

Is the server trustworthy?

  • May bring in a 3rd party payment service such as Paypal so that the seller never sees your card information
  • All the above points will have to be taken into account for this 3rd party

Are the card details even valid?

Will need a banking server which again has to take into account all the above if not more

Suffice to say even with a simple example of sending 16 digits of a card number across the internet, a lot can go wrong and there has to be several layers of security to prevent all these problems.

Hopefully this gave you some introduction to computer security and answered the questions posed at the top. If you want, leave a comment down below and you should all definitely follow these tips for better computer security:

Security Advice
Maybe not 😉

Sorry grandmas, I know there’s some of you are tech savvy!

Online Certificate Status Protocol, a protocol used for obtaining the revocation status of a digital certificate.