The view from here
These are usually things I find hard to understand, the more I write, the more confused I get...
Wednesday 12 September 2007, 1:36 PM
Security relationships
I'm a big fan of encryption, always have been, always will be. I'm a fan in much the same way I'm a fan of crosswords, and used to spend hours playing with Caesar ciphers as a child, later progressing on to more complex Alberti ciphers, but of course I didn't know that then.
I've worked with a number of encryption providers over the years, using everything from CBC and ECB to the newer elliptic curve identity-based encryption. It's all very clever, but as greater advances are made in encryption I'm beginning to wonder if we really need to be spending so much time working out new secure methods of obfuscation, or tying up the entry points.
To anyone who has spent any time in this area, this will seem simple, but I've read a number of articles this morning about encryption (in the name of research), which imply that this is not common knowledge.
I'd love to spend the next 4 hours telling you about everything from Diffie-Hellman to ECB, CBC, IVs and all manner of other TLAs. However, I don't have enough room on the blog and you don't have enough patience.
The problem is, even with the strongest encryption in the world, if I have your password and account details, I can see that data. Data security doesn't just sit in and with the data; it is totally dependent on user security. The fact is that there is no such thing as unbreakable encryption. Given enough time, and an infinite number of monkeys, I could break anything you provided me with. Sure, it might take 1000 years with a million PCs, but it's not unbreakable. There is no fully secure encryption method, and so it must be, or we wouldn't be able to decrypt.
Also, access controls are probably about as good as they're going to get. We can polish the management of them, but you either let someone access the data, or you don't. Where we are still lacking is user security, and not the mechanisms, but the use of and education around it.
If we had this implemented properly in our networks already, we'd be a lot more secure. Two-factor is just about strong enough for corporate use; single factor should be reserved for blog comments and signing up for demos. Banking should, of course, be as tight as possible for the sake of everyone using it and running it.
So much effort is spent on each individual point solution pushing their wares that the average user gets lost in a morass of conflicting messages. It's time we had an end-to-end security message for the clients and users of the systems.
Security is way too confusing for most people, and we're way too busy to educate on every part of it, aren't we? Well, if we make the time now, I have a feeling it will make our lives a whole lot easier moving forwards.
Comments on this post
Any computer's security is only as good as the user. Case in point, I recently built my brother-in-law a new computer. He was using one from 1997 and it was loaded with all sorts of adware, malware, etc. I left him with a disc of utilities to install and advised him to run them every day. Three weeks later he calls me and tells me he is having the same problems as before. It is running slow and takes a long time to boot up and shut down. I asked him if he was running the utilities I left with him. Well, no, he hadn't gotten around to installing them yet. A Windows-based computer will be compromised in under an hour with no protection, so you can't depend on the user to do what needs to be done.
Just stop to consider for a moment what "only as good as the user" means. How do you know anything about security? Was it magically injected into your brain, or assimilated at birth? No, you were taught it, and you were interested in it because it was made interesting to you in some way at some point.
Security is only as good as those educating, and this is what anyone working in security has to take responsibility for. For too long we have closed doors on people, used acronyms and been a bit aloof. If we have patience and welcome questions, things can only improve for us. We aren't going to suddenly find ourselves out of work just because more people understand, it will just mean we can stop doing the tedious jobs and get on with the exciting stuff.
In a previous life, I was a teenage hacker; one, moreover, known to the media. This was when hacking was new, weird and (as proved by a court case inspired by antics in which I had a hand) legal.
One of the favourite questions from hacks was "Can you break into the police computer?". My answer was that any networked computer will have its vulnerabilities, but frankly I couldn't see why you'd bother as you could normally find out what you wanted by standing the local plod a nice drink. Not that I ever did - how many eighteen year olds do you know who are capable, at any level, of bribing the police? - and nor did I ever need to, but I wasn't entirely green.
And this is still the case, in general. Security is only as good as the weakest link, and if you're using very strong cryptography then the bad people will focus on the humans -- hence phishing.
This isn't always true, though. If you've got a great deal of data in one place and someone gets access, then they can copy it and work on it elsewhere. In those cases you really do want the strongest possible encryption to withstand an attack that could be prolonged and very capable.
Yes indeed. It's all about the risk. I would never say to a "Mom and Pop cornershop" that they should encrypt all their customer details for example, but my bank? Too right.
At this stage the question becomes "What is more important?", the encryption or the user education? Well, as you say, we are only as strong as our weakest link, so both, right? But common sense tells us that there is a far more widespread risk from user carelessness (100s or 1000s of users) than unencrypted data (units or 10s of databases). However, there is a far greater loss associated with unencrypted data in some cases - where compliance is concerned, for example, and fines can be levied, account data, SSNs, etc, etc.
Risk Analysis becomes very important at this stage, but essentially, yes, it's about the weak links.


