I’ve had the pleasure of completing my first week of University, and as I’m writing, it’s one day off from the end of Week 2. The first lessons brought to our attention in the Real World Applications of Cyber Security Unit were 3 main things:
- One, that cyber security is hard.
- Two, that the Security Policy is important.
- Three, that there are core security control concepts that cyber security professionals should know like the back of their hand (we went though 7 of them).
Cyber Security is Hard, and Always Will Be
The fact that cyber security is difficult is not a secret, although why it constantly challenges the most security-savvy expert is less often understood.
The truth is that, essentially, the cyber security professionals’ goal is acknowledged to be absolutely impossible – namely, that the goal of eradicating security flaws and making a system 100% secure is never humanly possible to attain.
Why? Because to breach a system requires just one simple vulnerability, and yet to safely secure a system, every possible vulnerability must be found and fixed. There are simply too many possible weaknesses in existence in any one system, due to changes in resources, changes in versions, updates, repositories, changes in system requirements, changes in hardware – you name it.
It also doesn’t help that one of the largest and most threatening vunerabilites that exists today is that of people. People truly are often the weakest link in the chain of security, and it is impossible to secure against all the actions that every person could possibly carry out, innocently or otherwise.
Another reason cyber security challenges its professionals is due to the rule of High Security = Low Convenience. The better the security is implemented in a system inversely relates to the convenience for the user. Without usability, a system is pointless, so finding the balance between sufficient security and effective user convenience is an essential component for cybersecurity professionals.
Begin With The All-Important Security Policy
The design of security begins with the Security Policy. Who is protecting (the Principals), what is being protected (the Assets), and what kind of security is required (the Properties)? Inside this top-level description of security needs, another live document should be created, called the Threat Model.
Who is the adversary? What can they do, and how will they do it? What is their goal? The threat model should break down the attackers’ resources, capabilities and their strategy.
In order to uphold the Security Policy, Security Controls (aka Security Measures) are implemented. It should be stated clearly how each Security Control defends the Security Policy and aligns with its purpose and values. Security Controls can be implemented from a variety of sources, including software, hardware, and most certainly people, as well as other policies and systems.
Seven Core Concepts of Good Security Controls
When designing a secure system, the security engineer falls back onto core concepts of good security controls. Here are just 7 introduced to me.
1. Least privilege.
This is a very simple concept. Simply, minimise access as much as possible.
2. Separation of Privileges.
System privileges should not be based on just one condition. It is not sufficient to determine authorisation. A single condition can be overridden much too easily. Instead, multiple conditions should be met, each separately.
3. Least Common Mechanism
Ideally we don’t want to be using servers, especially shared ones. This is a restrictive principal, and states that we should not default to the most common, but the least common or least shared.
4. Psychological Acceptability
Basically, will people do it? Will they accept it? Any security control must be and should be psychologically acceptable to the user, whether it is walking through a gate in a fence or entering a password online.
The underlying principle in this concept is that users will never change how they interact with security controls – it relies on the security control designers’ to implement something acceptable instead.
5. Default DENY
No. Off the bat. Access should be based on permission rather than exclusions.
6. Open Design Policy
Any security that is based on secrecy and obscurity is evil. Why? Because having transparency and extra input from multiple sources increases the chance to fix vulnerabilities and allows for better debugging. In this way, open source is often much more secure than proprietary.
It is interesting to note that Proprietary software is perceived by the general public to be more secure. Dealing with the public’s perception is a part of the job as a cybersecurity engineer. We need to be able to explain in non-technical terms and defend the implemented security controls.
Open design policy does not apply to actual passwords or cryptography.
7. Composition of Security controls
Last but not least, the layering of systems and controls is a massively key concept in cyber security. I like to visualise it as blankets over blankets over blankets, all different sizes, all overlapping in different areas but trying to cover as much as possible.
The Defense of Depth is the technical term, and controls the overlap and reduces single conditions, making breaches more difficult. Building upon systems and ensuring depth in this way is one way we can combat the impossibility of complete security.
This brings me to the end of my brief rundown of why cyber security is hard, why the security policy is important, and 7 core concepts of cyber security.
Keep secure! Want to keep reading? Check out my newest posts.
CALDER, A. (2020). HUMAN THREATS. In Cyber Security: Essential principles to secure your organisation (pp. 27-37). Cambridgeshire: IT Governance Publishing. doi:10.2307/j.ctv10crcbg.7
Gupta, B. B. (Ed.). (2018). Computer and cyber security : Principles, algorithm, applications, and perspectives : principles, algorithm, applications, and perspectives. ProQuest Ebook Central https://ebookcentral.proquest.com
Bishop, M. (Matthew A. . (2005). Introduction to computer security. Addison-Wesley.