Saturday, July 20, 2013

Security



When you work in a domain (e.g. programming) you often face and get to understand things that laypeople don't understand. One of these topics is "security". Security is a broad subject but some of its core aspects are very simple and very important, and they apply to all domains where security is needed: computers, houses, hospitals, jewelries, etc.

The 2 core rules of security:

  • Security is not binary with the only possibilities of secure and insecure. Security is a measure.
  • Security is like a chain: it's only as good as its weakest link

A 3rd rule, which I separate because it is more difficult to assess
  • A system is secure when the requirements to compromise it are disproportionately expensive compared to the benefits gained by compromising it.



The 1st rule: 

Security is not binary with the only possibilities of secure and insecure. Security is a measure.
If you're not a computer expert, it might be easier to understand based on real-world examples like a burglar getting into a house. No house is perfectly secure. Think of a house with a very poor lock! Picking the lock will take only a few seconds. Plenty of videos on Youtube actually teach how to pick locks and demonstrate how easily it's done.

If the lock of our house is of high quality, then maybe the windows are easily broken? Single-pane windows, without a roller-shutter or without metal bars are a no-brainer for thieves.

So let's assume you have a strong lock and well-protected windows! Is it possible to gain access through the roof? Or to smash the door? Do you have an alarm system? Do you have security cameras or a webcam sensible to movement, which can record a break-in? are these cameras hidden, with the hope of recovering the footage after a robbery? or can they transfer (as long as they're not broken) the data stream in real time through the internet to a remote storage unit? because your computer is likely to be the 1st item stolen.

You get the idea! Security is a measure. For computers, security works the same way. You have a choice of several antivirus programs, all of which have different levels of efficiency. How you use the internet also exposes you to more or less threats. 15 years ago, you shouldn't have visited websites dedicated to hacking. 10 years ago, the prime danger were adult websites. 5 years ago, you should have been careful about websites proposing phone ringtones. And today, the top threat is on religion-related websites. Once again, it's not binary. Also, you probably use a password with some services like Gmail or Facebook. How strong your password is and how much effort will bad people need to invest in order to break it? That's a measure.



The 2nd rule:

Security is like a chain: it's only as good as its weakest link.
Let's continue with the previous example of a house and let's suppose you have invested tremendous efforts into making your house safe. Have you entrusted anyone with a copy of your keys and with the alarm code? oops! weakest link detected! If not, then maybe you're a single person and maybe you will want to go on dates. Are you taking every precaution to prevent your date from spiking your drink? Maybe so... then let's suppose your date is going well, and your date will accompany you to your house, exchange kisses with you and more: your date might have put some (invisible) drug on her skin which you will get to lick and which will paralyze you while that person will be able to rob the house.

No need to elaborate further: for the security of your computer and your data, you should be able to identify in your software and in your practices what puts you the most at risk. If you have a good antivirus and yet you spend all your time on adult and religious websites, then you can probably tell that your practices put you at risk. But rule #1 still applies and your security is a trade-off between what efforts you invested in security and how much comfort or freedom you desire when surfing adult or religious websites.



The 3rd rule:

A system is secure when the requirements to compromise it are disproportionately expensive compared to the benefits gained by compromising it.
As stated earlier in this article, this 3rd rule is more difficult to assess. It is not difficult to understand this rule. If all the belongings inside your house amount to $100, then robbers won't waste plenty of time and efforts worth more than this into trying to break inside your house.

The real difficulty of this 3rd rule is the practical assessment of what a computer is worth and the assessment of the cost for would-be robbers. The raw cost of breaking into your computer must actually be divided by the total number of computers similar to yours and which can be broken in, using the same technique. With hundreds of millions of computers connected to the internet at all times, it is worth for criminals to invest vast sums of money into creating malicious software.

And the value of breaking into your computer is hard difficult to evaluate because there are many options for criminals to make money with it. Someone who gained full control of your computer could (without your knowledge) use your hard drive to store data for them and stream videos from your computer to other people. Also, they could record everything that happens on your screen and everything you type on your keyboard in order to intercept your credit card details. Or in some cases, they can lock all your data away from you and demand a ransom for the code that will let you have your data back.


Conclusion


  • I hope this is a good introduction to security.
  • Having read this article is a good start for future articles discussing cryptography or recommendations of which software to use on your computer, good practices, and configuration tips.

No comments:

Post a Comment

Creative Commons License
Erik Lallemand's blog by Erik Lallemand is licensed under
a Creative Commons Attribution 3.0 Unported License.