What is information security

Foreword

Hello and welcome to Digital Cortex.

This new cyber security page aims to contribute to the cyber security community and to the IT industry as a whole, and will go over security concepts and tools.

The aim is to explain industry best practices, vendor and technology specifics, and the wider social and ethical implications of the use and abuse of information technology.

Disclaimer

This page is not affiliated with any vendor or organisation and stands as a collective effort of cyber security professionals to enhance the digital world.

What is cyber security?

For our first topic we will go over what cyber security is and why it is so important.

Cyber security is the art of protecting information in the digital age. It is built on three primary concepts:

  • Confidentiality
  • Integrity
  • Availability

These three pillars encompass the safe and viable way to operate information technology systems, from the PC and smartphone to the most sophisticated elements in the data centre. These concepts have been widely adopted by government organisations and the IT industry as a whole. Some may consider them relatively basic, but there is actually a wide gap between what is considered best practice and what is practised in real life.

It is therefore important to be educated not only on what these concepts represent but also on why it is so important to follow and enhance these practices.

Confidentiality

Confidentiality means that information exchanged between two points, whether those points are systems or people operating systems, is withheld from the rest of the world, and only those two parties are able to access that information.

This has frequently been misrepresented as the only aspect of cyber security (“if we keep it safe then the job is done”), which obviously is not the case; the reasons will be discussed further along. Many products and systems have been developed by multiple vendors in order to safeguard information.

That being said, the most important aspect of that equation is the end user. Adding various technical controls goes a long way towards securing information, but the primary factor in information governance and leakage is the user.

The best example of this is writing a very complex password and then sticking it on a post-it under your keyboard.

User education and industry safety practices (and why it is important to follow them) are just as important as implementing sophisticated controls. As ethical hackers / penetration testers we are always looking for the simple solutions, or what is referred to in the business as “low hanging fruit”, which considerably reduce the effort required to penetrate a system or environment.

As security practitioners we try to adhere to secure practices and to educate users within an organisation to follow the same practices; these practices may be enforced by either technical or procedural controls.

The primary examples of such security practices are:

Zero trust principle

The zero trust principle means that no system or human entity is considered trusted; therefore every entity within an organisation, whether system or person, needs to have validated access to an information resource.

By denying access to resources by default we ensure that only authorised entities may actually access resources, thereby blocking out everybody else.

This is an often neglected principle due to the administrative overhead it can potentially carry, but it is very important, especially in very complex or large organisations where there are a lot of cogs moving at any given time.

Least privilege principle

The principle of least privilege is a very basic but very important one: no user or system is granted more access or permissions than is absolutely necessary for them to perform their tasks.

Limiting each entity to the minimum access allows for more granular security control over the environment or the information being handled, which leaves less room for abuse of authority.

A typical example would be administrators in a banking environment who have access to perform tasks on the database holding the financial information of all the bank's customers, but are not able to actually view the sensitive information within the database.

Security modelling

There are many security models that apply to different situations and are used to develop an access control schema with regard to the information being secured.

What that basically means is that there are different ways to describe access to information; some are regarded as top-down and others as bottom-up. The most popularly known classification of information is the Bell-LaPadula model, made popular by movies and other pop culture: the designation “Top Secret” derives from that security model.

These security models describe the different access levels within an organisation and how they apply to the information being handled. For example, a person with “Secret” level clearance may read “Secret” files but not “Top Secret” ones, while somebody with “Top Secret” clearance may view both “Secret” and “Top Secret” files.

Different security models have different focuses, aimed at more than confidentiality; other models, like the Biba model, are more focused on the integrity portion of the CIA triad. It is therefore very important to understand each security model and where it applies.

In modern security systems, role based access is very important: administrators and operators are usually given access based on the set of tasks that they are allowed to perform, which are bundled into what is referred to as a role.

Different users have different kinds of access depending on their roles within the organisation, and therefore the actual business case dictates the level of access to each and every system.

For example, a database administrator can perform privileged tasks on the database but not on the operating system underneath or on the network that hosts the database; correspondingly, a network engineer can perform administrative tasks on the network but is not allowed to touch the database.
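To make the clearance rules and the role-based examples above concrete, here is a small access-control checker written as an added example for this post (it is not code from the original page). It combines a Bell-LaPadula check (no read up, no write down) with a role table in which anything not explicitly granted is denied, which is the default-deny stance of the zero trust and least privilege principles. The levels, roles, subjects and resources are constructed to mirror the examples in the text (a DBA who can administer the customer database but not view its rows, a network engineer who cannot touch the database).

```python
"""Bell-LaPadula clearance checks plus role-based access control.

Added example for this section; it is not code from the original post.
The clearance levels, roles, subjects and resources are constructed for
illustration and mirror the examples given in the text.
"""
from dataclasses import dataclass

# Ordered classification levels (constructed; higher number = more sensitive).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

# Role -> set of (resource kind, action) pairs the role grants. Anything not
# listed is denied (default deny): a DBA can administer the database but not
# view rows or touch the OS, and a network engineer cannot touch the database.
ROLES = {
    "dba": {("database", "backup"), ("database", "tune")},
    "network_engineer": {("network", "configure"), ("network", "monitor")},
    "analyst": {("database", "view_rows"), ("database", "append_record")},
}

# Actions that move data towards the subject (read) or away from it (write);
# these are the flows Bell-LaPadula constrains.
READ_ACTIONS = {"view_rows", "monitor"}
WRITE_ACTIONS = {"append_record"}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    kind: str   # e.g. "database", "network", "os"
    label: str  # classification of the data it holds


def blp_can_read(clearance: str, label: str) -> bool:
    """Simple security property ("no read up"): clearance must dominate the label."""
    return LEVELS[clearance] >= LEVELS[label]


def blp_can_write(clearance: str, label: str) -> bool:
    """*-property ("no write down"): a Top Secret subject may not write into a
    Secret file, because that could leak Top Secret data downwards."""
    return LEVELS[label] >= LEVELS[clearance]


def rbac_allowed(roles, kind: str, action: str) -> bool:
    """True if any of the subject's roles grants (kind, action)."""
    return any((kind, action) in ROLES.get(role, set()) for role in roles)


def authorize(subject: Subject, resource: Resource, action: str):
    """Combine both models: a role must grant the action, and the data flow
    must obey Bell-LaPadula. Returns (allowed, reason)."""
    if not rbac_allowed(subject.roles, resource.kind, action):
        return False, f"no role of {subject.name} grants {action} on {resource.kind}"
    if action in READ_ACTIONS and not blp_can_read(subject.clearance, resource.label):
        return False, f"no read up: {subject.clearance} < {resource.label}"
    if action in WRITE_ACTIONS and not blp_can_write(subject.clearance, resource.label):
        return False, f"no write down: {subject.clearance} > {resource.label}"
    return True, "allowed"


if __name__ == "__main__":
    dba = Subject("dana", "Confidential", frozenset({"dba"}))
    analyst = Subject("sam", "Secret", frozenset({"analyst"}))
    customer_db = Resource("database", "Secret")
    requests = [
        (dba, customer_db, "backup"),                           # allowed
        (dba, customer_db, "view_rows"),                        # role does not grant it
        (dba, Resource("os", "Unclassified"), "reboot"),        # role does not grant it
        (analyst, customer_db, "view_rows"),                    # allowed
        (analyst, Resource("database", "Top Secret"), "view_rows"),  # no read up
        (Subject("ted", "Top Secret", frozenset({"analyst"})), customer_db, "append_record"),  # no write down
    ]
    for subj, res, act in requests:
        print(f"{subj.name:5} {act:14} {res.kind:9} {res.label:12} -> {authorize(subj, res, act)}")
```

The two checks are deliberately independent: the role table answers "is this person allowed to do this kind of task at all?", while the clearance comparison answers "may data of this sensitivity flow in this direction?". A request has to pass both, and the reason string tells an auditor which rule rejected it.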

Encryption

Encryption, derived from the ancient Greek word “krypton” which means “hidden”, is the cornerstone of confidentiality in information security. It dates back to the ancient Greeks in its earliest form (steganography), and is a whole field of science which has been shown to have changed the course of history.

A short description of encryption is the ongoing battle between the people or systems that encrypt information, the cryptographers, and those who try to break the encryption and decrypt the information, the cryptanalysts.

There are numerous examples where encryption has determined the rise and fall of a nation. A popular and recently appreciated cryptanalysis feat is the cracking of the Enigma machine by the British Intelligence Agency during World War II. There is a wonderful book that analyses the impact of encryption throughout history, for cryptography enthusiasts and for anyone interested in history overall, which can be found in the reference section.

In the information age it is therefore very important that information exchanged across the web is encrypted. The most popular form of encryption that runs on most web pages is SSL encryption, which can easily be recognised in the top corner of your browser by the (hopefully green) padlock indicating that the session is encrypted.

Especially when transporting information over the internet, there are many ciphers and algorithms used to encrypt information. The primary cipher types are:

Symmetric algorithms

Symmetric algorithms use the same key to encrypt and decrypt the information. These are the first ciphers ever developed and still find abundant use because their calculations are far faster than those of asymmetric ciphers.

If, however, the secret key is compromised, then all communication can be read in the clear and, moreover, the offender can impersonate the legitimate owner of the key.

Asymmetric algorithms

Asymmetric algorithms use a different key on each side to encrypt and decrypt the information. This system ensures that if one side's key is compromised, that side cannot impersonate the other or gain access to the information without a verified key exchange.

In modern security systems a continuous change of the encryption key renders a compromised key useless over time, thereby minimising the security risk of compromised keys.

The downside of this form of encryption is the severe performance overhead on machines that must constantly renew and maintain the keys being exchanged, so it is not advised for certain use cases.

The most prevalent encryption algorithm at this point in time is the AES-256 algorithm, which is an asymmetric algorithm, widely used across web pages, SSL and IPsec VPN implementations for network implementations, as well as for encrypting information on local machines and hard drives or across different platforms.
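The two compromise scenarios described above (a leaked shared key lets the attacker impersonate either party; a leaked private key only lets them impersonate its owner) can be shown in a few lines. The following is an added example written for this post, not code from the original page. The symmetric side uses HMAC-SHA256 with one key held by both parties, which is the trust arrangement of any shared-key scheme; the asymmetric side is textbook RSA with the tiny primes 61/53 and 89/97 so that the arithmetic is visible. Those toy parameters have no security value (real deployments use 2048-bit or larger keys with proper padding), and every key and message below is constructed.

```python
"""What a leaked key lets an attacker do: one shared symmetric key versus
per-party asymmetric key pairs.

Added example for this section, not code from the original post. The RSA
parameters are textbook-sized for illustration only; all keys and messages
are constructed.
"""
import hashlib
import hmac

# --- Symmetric: both parties hold the same key --------------------------------
SHARED_KEY = b"constructed-shared-secret"   # constructed sample key


def sym_tag(key: bytes, sender: str, msg: bytes) -> bytes:
    """Authentication tag over the claimed sender and the message."""
    return hmac.new(key, sender.encode() + b"|" + msg, hashlib.sha256).digest()


def sym_verify(key: bytes, sender: str, msg: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sym_tag(key, sender, msg), tag)


# --- Asymmetric: each party holds its own private key -------------------------
def toy_rsa_keypair(p: int, q: int, e: int = 17):
    """Return (public, private) as ((n, e), (n, d)). Educational only."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def _digest_int(msg: bytes, n: int) -> int:
    """Hash the message and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def rsa_sign(private_key, msg: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(msg, n), d, n)


def rsa_verify(public_key, msg: bytes, sig: int) -> bool:
    n, e = public_key
    return pow(sig, e, n) == _digest_int(msg, n)


def compromise_scenarios(msg: bytes = b"transfer 100 to account 42") -> dict:
    """Simulate the leak of one key in each scheme and report who the
    attacker can now impersonate (True = forgery accepted by the verifier)."""
    # Symmetric: the leaked key is the only key, so both directions are forgeable.
    leaked_key = SHARED_KEY
    sym_as_alice = sym_verify(SHARED_KEY, "alice", msg, sym_tag(leaked_key, "alice", msg))
    sym_as_bob = sym_verify(SHARED_KEY, "bob", msg, sym_tag(leaked_key, "bob", msg))

    # Asymmetric: Alice's private key leaks; Bob's stays private.
    alice_pub, alice_priv = toy_rsa_keypair(61, 53)
    bob_pub, bob_priv = toy_rsa_keypair(89, 97)
    leaked_priv = alice_priv
    asym_as_alice = rsa_verify(alice_pub, msg, rsa_sign(leaked_priv, msg))
    # The attacker has only Alice's key, so a "Bob" signature fails Bob's check.
    asym_as_bob = rsa_verify(bob_pub, msg, rsa_sign(leaked_priv, msg))
    # Bob himself is unaffected and can still sign.
    bob_legit = rsa_verify(bob_pub, msg, rsa_sign(bob_priv, msg))
    return {
        "symmetric_forge_as_alice": sym_as_alice,
        "symmetric_forge_as_bob": sym_as_bob,
        "asymmetric_forge_as_alice": asym_as_alice,
        "asymmetric_forge_as_bob": asym_as_bob,
        "asymmetric_legitimate_bob": bob_legit,
    }


if __name__ == "__main__":
    for scenario, accepted in compromise_scenarios().items():
        print(f"{scenario:28}: {'ACCEPTED' if accepted else 'rejected'}")
```

The point of the output is the asymmetry of the blast radius: with the shared key, the compromise of one endpoint is the compromise of both identities, whereas with per-party key pairs the damage is confined to the owner of the leaked key, and rotating that one pair is enough to recover.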

Passwords

Passwords are the oldest form of information security, developed early on, and effectively employ encryption in order to safeguard information both locally and over a network.

Still widely used today, they are the most dominant form of securing information over the years. There are many ways to bypass password security on files and services, by either discovering or inferring the password or simply tricking the user into providing it.

There are various ways in which that can be done, technically or through social manipulation (or, as it is widely known in the information security industry, social engineering). On the opposite side of that front, multiple security mechanisms have been developed in order to counter the various threats to password safety.

As mentioned before, this is a two-part composite: technical controls only complement the security awareness of an individual or an organisation and are no substitute for good security practices. The most common ways of securing passwords are:

Frequent rotation

By frequently changing one's password we ensure that even if it is compromised, that password is no longer valid, and therefore an attacker would need to repeat the whole process of obtaining it, impeding their efforts and hopefully leaving them open to interception and mitigation.

Multi-factor authentication

Multi-factor authentication has introduced the next level of security by factoring in multiple inputs, as well as the time when the information is being accessed, in order to authorise access to that piece of information.

What is also very important is that each form of entity authentication is independent of the others. The most commonly used multi-factor authentication would be a password plus a token that generates seemingly random numbers, based on an algorithm that can be verified and replicated, in order to ensure that the access is legitimate at that point in time.

Any discrepancy in the time of access, the token code or the password leads to denial of access to the required resource.
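The "token that generates seemingly random numbers, based on an algorithm that can be verified and replicated" is, in most authenticator apps and hardware tokens, a time-based one-time password. The following added example (written for this post, not taken from it) implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library, using the shared secret from the RFC 6238 test vectors so the output can be checked against the published values. The verifier's tolerance of one 30-second step of clock skew on either side is an assumption chosen here; a wrong code, or a code from further away in time, is denied.

```python
"""Time-based one-time passwords, as generated by a hardware or app token.

Added example for this section, not code from the original post. It
implements HOTP (RFC 4226) and TOTP (RFC 6238); the shared secret is the
RFC 6238 test-vector secret and the skew tolerance is an assumption.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
# Secret shared between the token and the server (RFC 6238 test-vector value).
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated
    to `digits` decimal digits as RFC 4226 specifies."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """The token code for the 30-second window containing unix_time."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, candidate: str, unix_time=None,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Accept the code for the current window or `skew_steps` windows either
    side, to absorb small clock drift between token and server. Anything
    further off in time, or a wrong code, is denied."""
    now = int(time.time()) if unix_time is None else unix_time
    current = now // STEP_SECONDS
    for counter in range(current - skew_steps, current + skew_steps + 1):
        # compare_digest keeps the comparison constant-time.
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True
    return False


if __name__ == "__main__":
    code = totp(TEST_SECRET, int(time.time()))
    print("current code:", code, "verifies:", verify_totp(TEST_SECRET, code))
    # RFC 6238, SHA-1, 8 digits, T=59 should give 94287082.
    print("RFC 6238 vector T=59 ->", totp(TEST_SECRET, 59, digits=8))
```

Two things a server-side implementation adds on top of this: it records the counter of the last accepted code so the same code cannot be replayed within its window, and it rate-limits attempts, since a six-digit code with a three-window tolerance gives an online guesser roughly three chances in a million per attempt.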

Password management systems

Password management systems are the latest trend in authentication technology: they generate a very long password per connection which is unique to that application or session. In this way there is no timeframe for an attacker to predict the possible passwords or perform social engineering, as even the authenticating user is oblivious to what the transmitted password is.

After the password has been used, any interception that might happen would be rendered useless the next time a connection or access is attempted. This is a very robust method for managing passwords and it is frequently used by all types of IT professionals and administrators.

Integrity

Integrity ensures that information passed from one point to another is unaltered and intact. There are various methods and technologies with which to ensure that; the main goal is to ensure that no unauthorised tampering with information is allowed and that the chain of custody remains intact at all times.

Integrity is extremely important, especially in the field of digital forensics, where information collected is admissible as evidence in court. It is also very important for maintaining an audit trail of activities performed in various systems, to ensure that no malicious party may alter logs in order to cover their tracks and conceal what has been wrongfully done.

Hashes

In order to ensure integrity, one of the best tools, used widely across many devices whether aimed at the end user, the network or the infrastructure, is the hash. The process of hashing creates a digest of a message or file, expressed as an alphanumeric sequence unique to that item.

Any change to the file or message results in a change in the hash. By comparing the two values we can determine whether the digest value is different and therefore detect tampering with the specific item.

In cryptography, hashing validates that the encryption key has not been tampered with and that the message is authentic, since hash values can be calculated, based on the algorithm used, by the recipient of the message or encryption key, who can then validate that the sender is authentic.

In digital forensics the same calculations are performed in order to make sure that key files within systems have not been tampered with prior to, during or after the investigation, thereby ensuring that the chain of custody is intact. United States legislation states clearly that in the case of evidence tampering, the evidence is considered inadmissible in court. It is therefore evident why it is so important to maintain the integrity of information.
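The hash comparison and the authenticity check described above are shown together in the following added example, written for this post rather than taken from it. It records a SHA-256 digest of a constructed audit log at "acquisition", alters one line, and shows that the recorded digest no longer matches. It also shows the check a practitioner has to add for the audit-trail case: a plain hash only detects tampering if the recorded digest itself is out of the tamperer's reach, because anyone who can rewrite the log can also recompute its hash, whereas a keyed digest (HMAC) needs the custody key. The log lines and the key are constructed sample values; the streaming `hash_file` helper is included because evidence images are usually too large to read into memory at once.

```python
"""Detecting tampering with hashes, and why a keyed hash (HMAC) is needed
when the party who can alter the data could also recompute a plain hash.

Added example for this section, not code from the original post. The
audit-log lines and the custody key are constructed sample values.
"""
import hashlib
import hmac
import os
import tempfile

# Constructed sample: two audit-log lines as acquired at the start of an investigation.
ACQUIRED_LOG = (
    b"2024-01-01T10:00:01Z user=alice action=login result=ok\n"
    b"2024-01-01T10:02:14Z user=alice action=export file=accounts.csv\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large evidence images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(data: bytes, recorded_hex: str) -> bool:
    """Compare against the digest recorded at acquisition (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), recorded_hex)


def mac_tag(key: bytes, data: bytes) -> str:
    """Keyed digest: only holders of the key can produce a matching tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, data: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(key, data), tag)


def tampering_demo() -> dict:
    """Record digests at acquisition, then alter one line and re-check."""
    key = b"constructed-custody-key"          # constructed; held by the custodian only
    recorded = sha256_hex(ACQUIRED_LOG)        # written into the custody record
    tag = mac_tag(key, ACQUIRED_LOG)
    # Someone later rewrites the export event to look like a harmless logout.
    edited = ACQUIRED_LOG.replace(b"action=export file=accounts.csv", b"action=logout")
    return {
        "original_matches_record": verify_digest(ACQUIRED_LOG, recorded),
        "edited_matches_record": verify_digest(edited, recorded),
        # Whoever edited the log can also recompute a plain hash over it...
        "edited_matches_recomputed_hash": verify_digest(edited, sha256_hex(edited)),
        # ...but cannot produce the keyed tag without the custody key.
        "edited_matches_mac": verify_mac(key, edited, tag),
    }


def hash_file_matches_bytes() -> bool:
    """Write the sample log to a temporary file and confirm the streaming
    file hash equals the in-memory digest of the same bytes."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(ACQUIRED_LOG)
        return hash_file(path) == sha256_hex(ACQUIRED_LOG)
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("acquisition digest:", sha256_hex(ACQUIRED_LOG))
    for check, result in tampering_demo().items():
        print(f"{check:32} {result}")
    print("file hash matches bytes:", hash_file_matches_bytes())
```

The practical consequence for chain of custody is that the recorded digest has to be stored somewhere the evidence handlers cannot silently rewrite (a signed custody form, a write-once log, or a tag keyed with a secret they do not hold); the hash by itself proves nothing about who was allowed to change the data, only whether it changed.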

 

There are multiple technologies available to protect the integrity of files and information in general, but we will not dive deeper into that field for the time being. It is sufficient to say that it is a very important requirement and worthy of attention, as it has implications in the real world as much as the digital one.

Availability

Availability is, as the name implies, the capability to have a resource available to us at any given time. The more important that resource is to its owner or user, the greater the need to have it always available.

For example, the primary source of frustration for many users throughout the internet, especially when they are unable to load a social media site, has often resulted in an exponential number of calls to the local police station. Imagine what would happen if they lost the availability of a resource like the power company, emergency services or an organ transplant service.

The social and economic implications of the loss of availability can be grave, resulting in the loss of revenue or even life. There are multiple technologies invested in providing high availability, as it is referred to in the business, and the limit of these technologies is constrained only by the budgets of the organisations putting them in place.

Redundancies and convergence

Redundancy in any type of system means having a spare system ready to assume the responsibilities of its partner once it goes down or is otherwise compromised. This form of redundancy is widely known as clustering and is implemented by various vendors in different types of devices, applications and services.

The main idea behind it is that there is a transparent or near-transparent failover from one device to the next, so the end user is oblivious to what has happened behind the scenes, and the confidentiality and integrity of the information traversing the system at that point in time are preserved.

Members of a cluster can be geographically joined or separated, spanning vast distances across the globe; modern networking technology has provided fast and reliable networks that are able to facilitate this need.

Convergence is the term used to describe the time required to seamlessly redirect traffic from one destination to another. In clustering, that means that when the original host serving the traffic, whether a server or a network device, is no longer available, the redundant host assumes that role. The time gap for this transition from host A to host B is what we call convergence.

Load balancing

Load balancing technologies enhance performance and provide availability. They are usually network devices that receive incoming traffic for a resource and redirect it to a pool of hosts ready to serve that traffic.

Load balancers are capable of performing diagnostics on the availability and performance metrics of the hosts receiving the traffic and make very accurate estimations of whether they are ready to perform their role.

Through advanced configuration, administrators can set criteria for how the load balancing is performed and therefore ensure that traffic is only redirected to hosts that are able to perform their functions adequately.

Modern load balancers can also introduce security checks when performing the load balancing and inspect the traffic destined for the end hosts, in order to protect the infrastructure from malicious attacks or resource exhaustion. This level of next-gen inspection allows granular control as well as a clear audit trail of the information exchanged between points.
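The convergence and load-balancing behaviour described in the last two sections can be simulated in a few dozen lines. The following is an added example written for this post, not code from the original page or from any vendor's product. It models a pool of backends, feeds in health-probe results, removes a backend from round-robin rotation once it fails a threshold number of consecutive probes (and readmits it after a threshold of successes, so a single lost probe does not cause flapping), and computes the worst-case convergence time as probes-to-threshold times the probe interval. Backend names, probe results and thresholds are all constructed; a real load balancer would issue the probes (TCP connect, HTTP GET on a health URL) itself.

```python
"""A health-checked backend pool with round-robin selection and failover.

Added example for this section, not code from the original post. Backends,
probe results and the thresholds are simulated/constructed.
"""
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    healthy: bool = True
    consecutive_failures: int = 0
    consecutive_successes: int = 0


class Pool:
    def __init__(self, names, unhealthy_after: int = 3, healthy_after: int = 2,
                 probe_interval_s: int = 5):
        self.backends = [Backend(n) for n in names]
        self.unhealthy_after = unhealthy_after    # failed probes before removal
        self.healthy_after = healthy_after        # good probes before readmission
        self.probe_interval_s = probe_interval_s
        self._next = 0                            # round-robin cursor

    def backend(self, name: str) -> Backend:
        return next(b for b in self.backends if b.name == name)

    def record_probe(self, name: str, ok: bool) -> None:
        """Feed in one health-check result. Thresholds on consecutive results
        stop a single lost probe from bouncing a host in and out of service."""
        b = self.backend(name)
        if ok:
            b.consecutive_failures = 0
            b.consecutive_successes += 1
            if not b.healthy and b.consecutive_successes >= self.healthy_after:
                b.healthy = True
        else:
            b.consecutive_successes = 0
            b.consecutive_failures += 1
            if b.healthy and b.consecutive_failures >= self.unhealthy_after:
                b.healthy = False   # out of rotation: traffic fails over to the rest

    def pick(self):
        """Round-robin over healthy backends; None when every backend is down."""
        n = len(self.backends)
        for i in range(n):
            b = self.backends[(self._next + i) % n]
            if b.healthy:
                self._next = (self._next + i + 1) % n
                return b.name
        return None

    def worst_case_convergence_s(self) -> int:
        """Longest time a dead backend keeps receiving traffic: the probes it
        takes to cross the failure threshold times the probe interval."""
        return self.unhealthy_after * self.probe_interval_s


def failover_walkthrough():
    """Simulate web2 dying, traffic converging onto the survivors, then web2 recovering."""
    pool = Pool(["web1", "web2", "web3"])
    before = [pool.pick() for _ in range(3)]
    for _ in range(pool.unhealthy_after):
        pool.record_probe("web2", False)
    during = [pool.pick() for _ in range(4)]
    for _ in range(pool.healthy_after):
        pool.record_probe("web2", True)
    after = [pool.pick() for _ in range(3)]
    return before, during, after, pool.worst_case_convergence_s()


if __name__ == "__main__":
    before, during, after, conv = failover_walkthrough()
    print("before failure:", before)
    print("during outage: ", during)
    print("after recovery:", after)
    print(f"worst-case convergence: {conv}s")
```

The thresholds are the knobs an administrator tunes: a lower `unhealthy_after` or shorter probe interval shortens convergence, at the cost of more probe traffic and a greater chance of pulling a healthy host for a transient blip. Returning `None` when the whole pool is down is deliberate, so the caller can serve a maintenance page or fail over to another site instead of sending requests to a host known to be dead.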

Security approach

I hope it is clear by now that this is a multifaceted and highly demanding science where there is always something new around the corner. The question that usually arises when discussing cyber security is: “What is required in order to secure information? Is it the network, the application or user control?” The answer is all of it, and then some.

The approach to security has to be holistic; it covers many areas, from physical security to digital and procedural controls. It is important to understand that each security concept complements the others and there are very few that are actually mutually exclusive.

Security industry professionals have been tasked with fulfilling a multitude of needs under one big umbrella called security. It is therefore important to understand that specialisation in the various fields of security is mandatory, while having an overview of what is required in the basic concepts is even more so.

Specialisation gives a security professional the ability to understand an area of security in depth, but without a broad overview of what is required and how each piece interacts with the others, it is a partial effort.

When it comes to cyber security we all have a role to play, whether it is behind a keyboard, in the data centre or at home, educating around the basics of information disclosure and why we shouldn't share personal information on the internet.

Outro

These are some basic cyber security concepts, and we have barely scratched the surface of what cyber security is. I hope you enjoyed this post. I will continue to delve into technologies, tools and concepts in order to explain this multifaceted science. I hope you find this information useful, and if there is something specific you would like me to cover, please contact me.

References

Confidentiality

Zero trust:

https://www.paloaltonetworks.com/cyberpedia/what-is-a-zero-trust-architecture

Security Models:

https://securitycommunity.tcs.com/infosecsoapbox/articles/2016/02/25/security-model-bell-lapadula-model

https://pdfs.semanticscholar.org/da60/d398d6e3cd183c2c4c2ee0cf2c4cc4a018c1.pdf

Encryption:

The Code Book – Simon Singh

https://www.amazon.co.uk/Code-Book-Secret-History-Code-breaking/dp/1857028899/ref=sr_1_1?s=books&ie=UTF8&qid=1522315714&sr=1-1&keywords=simon+singh+the+code+book

AES:

https://csrc.nist.gov/csrc/media/projects/cryptographic-standards-and-guidelines/documents/aes-development/rijndael-ammended.pdf

Availability

Convergence

http://www.datacenterjournal.com/network-convergence-affects-data-centers/