Cyber Security First Principles | S1E4

Marc Briggs  0:03  
Welcome to DE:CODED, Series One Episode Four - your weekly podcast providing in depth insight into cyber security. Show notes, including any links mentioned in the show are available at DecodedCyber.com.

Simon Edwards  0:22  
I'm Simon Edwards, co host of the decoded podcast, and founder of SE Labs, a testing security organization that works with all of the major security players. I used to be a journalist covering security. Now I advise security vendors, their customers and other organizations about information security.

Marc Briggs  0:43  
And Hi, I'm Marc, Simon's co-host on DE:CODED, and I run the operations at SE Labs. I spent 11 years in the British Army, and the last four years transitioning those skills I learned from the military into cybersecurity.

Simon Edwards  1:00  
This series introduces some important cybersecurity concepts. We explore how hackers attack, ways to prevent or at least detect their intrusions and how to respond when they succeed. We'll also discuss the products and services available. And because it's our job to test these things, we'll look at what makes a good and bad product. In this episode, we're going to focus on cybersecurity first principles.

Marc Briggs  1:30  
Now, there is a lot of complexity around security, some of which is necessary. But there's also a lot of over complication, we thought it would be a good idea to look at what security really means. Why can't we just lock up everything in a safe and know it's all secured?

Simon Edwards  1:45  
Well, you could. And the young n, which is a satirical online newspaper, ran an article on online banking back in 2013, the headline of which was: "After checking your bank account, remember to log out, close the web browser and throw your computer into the ocean."

Marc Briggs  2:03  
Okay, is it as easy as 123 is not that? Well, security is always a trade off between convenience, cost and control. If you use a two factor authentication token to secure your email or Dropbox accounts, for example, it will cost you a few pounds less than 30 quid and log on to a new device requires a couple of extra steps, which can be annoying. But then the extra security you enjoy the control you exercise is worth it, we think,

Simon Edwards  2:33  
Right! But using PGP encryption for your email is technically very hard, not least because you're probably using a smartphone for a lot of the time. And even on Windows and Mac, it's just far too much for normal people. It might be free in terms of money. And it might mean major governments can't read your email

Marc Briggs  2:55  
But then probably none of your friends can read your emails.

Simon Edwards  2:57  
No, definitely not. But it's free. It's powerful, but massively inconvenient. Even some of the security companies that we deal with struggle to use it. Going back to first principles, we have the idea of cost, convenience and control. But we also need to identify the threats that actually concern us. A large retail business is going to have a very different set of problems to a small law firm, and individual's personal security profile is very different to that of say a US politician. We also have to consider that with cyber security. There are targeted attacks, and then more generalized attacks that can affect everyone. In the physical world. a mugger can really only attack one person at a time. a burglar can only case so many targets and break in every so often, where a cyber criminals can send tricky emails and defraud 1000s of people simultaneously.

Marc Briggs  4:03  
But the thing every person in business has in common is that they should follow these simple steps which are initially identify the threat. Secondly, assess the risk, and finally mitigate that risk. Now usually this can be a low cost exercise, unless of course you pay for expensive security consultants high value expensive security consultants, but as is often the case, it is largely common sense. I'll give you an example. So an individual might identify the risks that they might be mugged on the way home from work, how likely is that they may not think it's very likely it continued to carry their $2,000 MacBook around, but they may mitigate the risk by ensuring their bag is zipped up. So it's not obvious to see their computer and not easy for someone to grab it without them noticing.

Simon Edwards  4:55  
And that's that's basic personal security stuff, isn't it? Don't show your purse when you're on the London Underground, sure.

Marc Briggs  5:02  
And a billionaire as another example, with a secret formula for a fizzy drink or a chicken spice blend, might consider leaving that in a safe, because he doesn't need to have access to it all the time. But if he did need to transport it, the potential impact of having been stolen and copied is significantly greater. Then you cue armed guards, bulletproof vehicles, suitcases with chains, deception, all those other measures.

Simon Edwards  5:34  
I mean, that is all pretty simple stuff so far. But in the real world. You know, don't large companies like our clients have whole security teams set up to deal with and think about this very complex stuff.

Marc Briggs  5:47  
Even governments start with a few simple principles, consider the CIA triad of confidentiality, where you limit access to information integrity, where information is trustworthy and accurate. And availability, where authorized people can access the information reliably.

Simon Edwards  6:05  
Okay, well, let's look at a couple of examples. So I'll start with a business example, where they will need to look at the threats, which will be in almost every case, competitors, but then also maybe tax regulations, and, unfortunately, internal incompetence as well.

Simon Edwards  6:23  
So first, the business financial records shouldn't be available to everyone. Because the company doesn't want competitors to see such a detailed view of the organization. They could take advantage of periods in which the company is running short of cash, for example, maybe they could undercut their prices at that point or attempt even to buy out the company.

Simon Edwards  6:45  
So confidentiality is important. And then secondly, the counts should though be available to the finance team at all times. If they're always locked in a safe and say the key holder has gone home early, then business is impacted, they can't do their work. So the business starts to fail. And finally, the books should be accurate.

Simon Edwards  7:06  
The business needs to be able to trust the fingers, where it might end up facing a larger than expected tax bill. It might realize too late that the bank balance is zero. Or it could face legal issues if it's audited by the IRS HMRC or whichever tax enforcement organization is in play.

Marc Briggs  7:24  
And in a personal example, the threats could be fraudsters careless banks, and not being able to pay the bills. You'd want to limit access to your bank accounts to prevent theft, and keep the banks responsible for the money security unless you take reasonable care. With your log on details. They can blame you for what amounts to an online bank robbery, and you won't have to compensate you for the losses.

Marc Briggs  7:51  
You also want to ensure the information in your account is trustworthy and accurate by keeping your own records and reconciling statements. You want to make sure the bank isn't making mistakes, and identify abuse from your account by fraudsters. Finally, you want availability to your money, there's no point locking up funds security if you can't access them. If the money is buried in the woods, then it's not much help when your energy company starts sending threatening Debt Recovery letters.

Simon Edwards  8:20  
When you look at the usual pieces of security virus that we're all very familiar with, they all fall into at least one of the three categories of confidentiality, integrity, and availability. Let's take backup for an example. That's all about integrity is information trustworthy and accurate. We can't guarantee that the data that was first created was any good, but with good backups, we can be sure that it's not being changed.

Simon Edwards  8:50  
A backup managed properly should allow us to look back at past data and confirm that the data we're using matches and hasn't been changed by an attacker. But backups don't do anything for confidentiality or availability. Having a backup doesn't limit who can access information. And it doesn't give authorized people reliable access to that data.

Marc Briggs  9:12  
Being aware of people watching over your shoulder when you type in a password or other sensitive data. The shoulder surfing threat is entirely about confidentiality, keeping the sensitive data away from prying eyes. But it doesn't ensure that the data is good, or that the data is going to be available to you whenever you need it

Simon Edwards  9:32  
Right. But it gets more complicated when we get to things like antivirus or encryption. With antivirus. The idea is that the system being protected, doesn't get hacked. So the antivirus is playing a role in maintaining confidentiality. If the hackers can't get control of the system, then they can't read your secret files.

Simon Edwards  9:54  
But antivirus can also protect against ransomware which means it also helps to keep the data available. It's not have been encrypted away. So it's unavailable until you pay a ransom. And also, if the data can't be messed with potentially being edited to show wrong information, then it's playing a part in integrity too.

Marc Briggs  10:14  
And even password complexity ticks to the boxes, having good passwords or two factor authentication doesn't increase availability to authorize users. It does maintain confidentiality, though. And it sort of helps with integrity. Because if you are some random guy who knew the password, you could log on and corrupt files for fun. Coffee yet confidentiality might not be lost, because you might not read the files. But if you mess with them, it is then the integrity is compromised. Now we've made a table showing all of the different common pieces of advice and where they sit in this triad of security concepts

Simon Edwards  10:52  
interesting bedside reading.

Marc Briggs  10:53  
Yes!

Simon Edwards  10:56  
Next week, we're going to talk about how cybersecurity is bought and sold in the industry. We'll talk to a couple of very special guests, people who have bought millions of dollars worth of products, and someone who actually has worked for a tester, and now works in the security industry.

Simon Edwards  11:15  
It's going to be a fascinating insight into a multi billion dollar industry, one that perhaps isn't quite as clean as you might imagine. So stay tuned. Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues.

Simon Edwards  11:32  
If you want to join the DE:CODED community, and access private content, including our monthly executive briefings, apply at DecodedCyber.com/circle. And that's it. Thank you for listening and we hope to see you again soon.