Screen Shadows 🕵🏼‍♂️
"In the grand scheme of cybersecurity, an intern and a leaked password are like a rogue mosquito at a picnic – small, annoying, and capable of ruining the whole day." - CS
Picture this: Back in early 2021, the cybersecurity world was set ablaze with the story of the SolarWinds breach—a real head-scratcher that hit the very heart of digital trust, compromising both confidentiality and integrity.
Hackers, with their digital toolbox, found an open window through SolarWinds' Orion software, all thanks to a password that might as well have been "open sesame." Yep, you guessed it: "solarwinds123." This password, created by a junior intern, can be brute-forced in seconds and somehow found its way onto the internet's vast bulletin board, GitHub, through a little slip-up.
The fallout? Enormous. This tiny crack in the wall let intruders waltz right into the digital homes of some pretty significant players, including folks over at the U.S. government, rummaging through sensitive data as if it were a yard sale. It's a stark reminder of how something as simple as a password can have ripples far beyond its humble characters.
TL;DR ⌛️
Cybersecurity isn't just for tech experts; it's also about applying common sense, much like not leaving your house unlocked. Here's a quick rundown of its core principles:
Confidentiality: Keeping data locked away from those who shouldn't see it.
Integrity: Making sure data stays accurate and unaltered.
Availability: Ensuring data is there when you need it, without delays.
Authenticity: Verifying data comes from its true source.
Non-repudiation: Creating a digital trail that prevents denying actions online.
These pillars are the foundation of staying safe in the digital realm, protecting everything from personal info to ensuring transactions are genuine. Understanding these basics is crucial for everyone in today's interconnected world.
🚨 Security Briefing 🚨
Often, when people talk about how much they want to get into cybersecurity, or even when my contemporaries discuss cybersecurity concepts, too little attention is given to the fundamental principles that form the backbone of security. I have yet to meet someone in my part of the world who purposely opts to leave the main door of their home wide open just before they retire to bed for the night.
Why? Because inherently, they know better. Kids might act carelessly enough to do that, but (I hope) adults generally don't. They understand the basics of personal safety without needing to take a dedicated course on Safety Essentials 101. That’s because security, at its core, is a mindset, and this applies equally to the digital world. So, to move from a child’s approach to a more mature understanding of cybersecurity, these are the pillars we need to master:
Confidentiality - Keeping sensitive data under lock and key
Integrity - Accurate and reliable data, no unauthorised tampering
Availability - Information access without delays or disruptions
Authenticity - Verifying your information comes from a genuine source
Non-repudiation - Proof of actions that cannot be denied later
Without further ado…
Pillars Decoded 👨🏼‍💻
CONFIDENTIALITY means protecting your data from prying eyes. We put systems in place to control who can access what, ensuring sensitive information stays secure. It's about allowing the right people in and keeping unauthorised individuals out. To this end, you’re almost certain to come across (if you haven’t already) the following industry terms, which all serve our purpose of achieving information security 🔒:
Sensitivity gauges how distressing it would be if someone else glimpsed your data. Technically, it measures the potential for negative impact or harm due to unauthorised disclosure. Picture your private browser history as dirty laundry; clearly, not everyone needs to see it.
Discretion affords you the power to dictate who sees what and when. Technically speaking, it involves implementing access controls based on need-to-know and least-privilege principles. It’s akin to deciding whom you would entrust with babysitting your children. You wouldn’t confer this responsibility to just anyone, and the same cautious principle applies to your sensitive information.
Moving on to Criticality, this term probes how essential the information is for maintaining life's smooth progression. It assesses the indispensability of a system, asset, or process and the potential repercussions if it were compromised. Consider the difference between losing your house keys and a pack of gum. Both scenarios suck, particularly when your breath is beefing, but one clearly presents a more significant problem than the other.
Concealment is not too dissimilar to playing hide-and-seek with your data, except we’re not playing here. Through techniques like encryption and obfuscation, it’s about making data difficult for unauthorised individuals to uncover. Picture stashing your valuables in a secret drawer instead of simply sliding them under your pillow.
To use a common catchphrase, the concept of Secrecy can be illustrated as "What happens in Vegas stays in Vegas," but applied to your data. It’s about preserving confidentiality through stringent access controls and safeguards. Imagine if the plot of the next Marvel movie were leaked before its release; spoilers aren’t fun for anyone.
Privacy emphasises personal boundaries; it’s about keeping what you wish close to your chest, shielded from view. This entails protecting personally identifiable information (PII) to avoid damaging an individual's reputation or safety. Imagine your private diary, littered with all its secrets, suddenly displayed on posters at every bus stop in town. Far from an ideal situation.
Seclusion transports your data to a metaphorical deserted island, storing it in a highly restricted, segregated environment away from social contact insofar as possible. Similar to secrecy but with the added step of separation. It’s like securing your secret bank account documents in a safe and burying that safe in your garden. Mr Fox might be curious, but he won’t be getting his paws on your assets.
Lastly, Isolation involves keeping your data in a sort of ‘quarantine’, away from other environments or processes. By segmenting sensitive data from other systems, the goal is to minimise attack surfaces and prevent any cross-contamination. Ever experienced the nauseating feeling when you’ve discovered that you’ve forwarded an email to the wrong person? Isolation is the cybersecurity strategy that helps avert such awkward blunders.
INTEGRITY means no random changes to your data and nothing misplaced. Your digital life is a giant jigsaw puzzle 🧩. Every email, text message, photo, and online purchase is a unique piece. For the whole picture to make sense, you need all those pieces to be exactly as you left them. This is the essence of data integrity.
In the cybersecurity world, integrity is about making sure the digital puzzle remains reliable and accurate. It's about putting safeguards in place to prevent a whole range of mishaps, which we can view from three broad perspectives:
Protection against unauthorised subjects making changes: Hackers love to tamper with data: changing prices in an online shop, tweaking medical records, or even messing with your smart home settings. Strong integrity measures act like a digital bouncer, keeping these bad actors out.
Protection against authorised subjects making unauthorised changes: We all make the occasional typo or accidentally delete important files. Integrity controls are your digital "undo" button, allowing you to roll back to the correct version or, more ideally, preventing such mistakes from happening in the first place.
Maintaining the big picture: Integrity isn't just about individual files; it focuses on how everything fits together. If the balance in your online bank account is suddenly incorrect, it doesn't matter whether the transactions themselves are right. Integrity helps ensure all the pieces of your digital world align correctly.
Unfortunately, upholding data integrity isn't easy. It requires a lot of work and robust access controls. It also involves constant checks to ensure data stays pristine as it moves between devices and online services where many cyber-criminals reside 🥷🏼.
While the technical side might get a bit complex, the core concept is simple: in the digital world, just like in a jigsaw puzzle, you want every single piece to be perfecto!
AVAILABILITY is a straightforward concept. If you’re reading this, I could bet my bottom dollar that on more than a dozen occasions in your life, you’ve tried to watch a video on a streaming service 🍿, only to be greeted by that irritating buffering circle. That's the frustrating taste of an "availability" issue in the digital world. In cybersecurity, availability means making sure the stuff you need, when you need it, is actually there and working as you expect it.
But the cyber world, as we all know, isn't all sunshine and rainbows. Availability has its enemies:
Structural Issues: Hardware failures, software bugs, and power outages – these are the classic infrastructural components which love to cause us problems.
Bad Actors: Hackers love launching Denial-of-Service (DoS) attacks, which basically flood your system with so much junk traffic that it grinds to a halt because it can’t process that junk quickly enough.
Good Actors (albeit misinformed): Mistakes do happen! Accidental deletions, bad configurations, spilling coffee on the server...all classic availability downers due to human error.
So, how do we keep things running as they should?
Redundancy is Key: You’ll be familiar with the term ‘backup,’ but here, we mean something a little different. We’re talking about having spares so that if one system fails, another takes over immediately. Very nice.
Cybersecurity Shields: Firewalls and access controls are like bodyguards, keeping malicious agents away from your precious resources. We’d rather not go without them.
The Age-Old Backup: They're the ultimate "rewind button" in case something goes wrong. If we’re in charge of operations, it’s always a good idea to test them regularly—we don't want to find out they don't work when disaster strikes.
Remember, availability is a big part of what makes the digital world truly useful. Companies spend a lot of time and money making sure their systems stay online reliably – because, let's be honest, an unavailable website or service is about as useful as a broken vending machine, and it will cost a company a whole lot more than a few missed Kinder Bueno sales.
AUTHENTICITY is what the spring chickens refer to as “being real”. No. Well, not quite.
Unlike integrity, authenticity is proving that the message you received was actually sent by the person or place it says it's from 😇. This means that when you get some piece of information, you can be pretty sure it's legitimate and hasn't been messed with along the way.
How many examples have we personally come across in our daily lives? A spoofed email from your bank saying your account's been compromised? A counterfeit handbag? Fake IDs? Watches? Emails? Knock-off websites? Take your pick!
Now, here's where things get interesting:
One-trick ponies aren't secure anymore: Relying on just a password is risky—hackers crack those all the time, especially when it’s as weak as our intern friend's earlier. That's why we use multi-factor authentication (MFA), such as having to input a text code received on your phone in addition to entering your password, or even better, a YubiKey. It might be annoying, but it’s better than having your accounts compromised.
Context matters: Where you are and what device you use are extra clues to confirm that it is actually you logging in, not a criminal halfway across the world trying to access your account after you just logged in from your home location 30 minutes ago. In security, we call this ‘impossible travel’.
Authentication is a complex topic we'll explore further later, but for now, remember that in the digital world, it’s not advisable to take things at face value. Make sure you’re dealing with a legitimate source before you hand over your personal information because once you do, you won’t get it back.
NON-REPUDIATION sounds pretty intellectual, doesn’t it?
In the online world, words like "I didn't do it!" don't fly; that’s why people would rather exclaim, “I was hacked!”—hmm, yeah, convenient 💭🧐. That's where non-repudiation comes in. Think ‘digital receipt’, proving who sent what message, bought that embarrassing item, or triggered a security alert.
Here's why non-repudiation matters:
No Take-Backsies: If someone fakes your email to send nasty messages, you'd have a hard time proving it wasn't you without non-repudiation. You may well be in hot water for something a mischievous impersonator did.
Take Accountability: From online shopping to file sharing at work, non-repudiation ensures everyone is responsible for their actions. No more blaming glitches.
Detective Work Made Easy(ier): When something goes wrong, non-repudiation leaves us a trail of digital breadcrumbs to follow. This helps us figure out who accessed what and when, making investigations a lot more straightforward than if this trail wasn’t available.
So, how do we make this non-repudiation magic happen?
Digital Signatures: At the moment, just think of these as fancy, impossible-to-fake electronic scribbles that prove it's really you.
Logging the Details: Tracking who logs in, what they do, and when they’ve done it (as we kinda just said). It's the boring but essential audit trail that is logged and monitored by specialised software.
Strong Access Controls: These controls ensure that only the right people can do the right things. They also minimise the chances of someone else using your account to cause trouble.
Non-repudiation might seem like a techy, abstract concept, but it's arguably the cornerstone of trust online. Whether you're paying for a service online or accessing sensitive files at work, it's the system that helps make sure you (and only you) are responsible for your digital actions, so let’s behave, shall we?
Conclusion
As you may have noticed, there are many overlapping concepts in cybersecurity, and it’s good they do because, as we discussed at the top of this post, security, at its core, is a mindset. Whether you’re a seasoned professional swashbuckling through the cybersecurity industry or a ‘regular degular’ simply trying to ensure you’re not unnecessarily putting yourself at risk, there’s a healthy dose of professional scepticism needed to ensure we're keeping ourselves, families and organisations out of harm’s way.