What is Cybersecurity in a broader context?
There are many ways of categorising cybersecurity to make it easier to understand. If you have ever studied cybersecurity, you would have come across the concepts of confidentiality, integrity, and availability as part of Cybersecurity 101. But it is worth revisiting these concepts as you may see them in a different light now. Understanding security infrastructure and making it happen are two different things. As cybersecurity practitioners, it is our job to understand what the key issues are, but we also need to educate those around us.
What is confidentiality of data?
Confidentiality of data refers to when someone sends you information that is properly authenticated and the person is authorised to do so. Authentication and confidentiality are two mutually inclusive concepts. Authentication is the mechanism for creating confidentiality e.g. passwords, multi-factor authentication, and the use of biometrics.
The core method of ensuring confidentiality is ubiquitous are passwords. But passwords also have their issues. They are forgettable, and ‘gettable’ when we are not careful! The more ‘gettable’ something is, the more forgettable it tends to be. Passwords weaken when you attach it to something concerning yourself e.g. date of birth or a parent’s name. But when we try to make passwords longer and complex, they become easier to forget. The use of phrases, whitespace, asterisks or dashes does help to make passwords more secure. However, complex passwords in combination with password managers, which store all your passwords in one place, is better yet from a security and convenience view.
Biometrics, authenticator apps, magic links, and SMS codes.
Magic links are sent to you via email, and you click on them to log in to the required interface. I am definitely not a fan of magic links! I would use authenticator apps like Google or Microsoft authenticator, where you get a series of numbers that rotate periodically. The fact that the numbers appear on a dedicated app on your phone, is what makes it secure. Apart from authenticator apps, I would also recommend password managers like LastPass.
Biometrics helps to prove that you are who you say you are. It uses features like voice, face, fingerprints, eyes, iris, or retina for authentication. We all assumed that biometrics would put an end to password usage. However, there are things passwords can do that biometrics can’t. Whether you are using voice, face, or iris, it is still data. And you can forger or steal data. If I told you that your password was compromised, you would immediately change it. But if I told you that your retina data got compromised, there is not much you can do about that! The same goes for fingerprints.
When we consider face and voice, we are moving in deep fake territory. You can impersonate a voice, and deep fake a face. Iris technology can be invasive because you have to stand really close to special apparatus that shines an infrared beam against the back of your eye. But they are very accurate. The problem with iris technology is that you can still spoof it with an exceptional quality photo or digital imagery. However, the most spoof-free is the retina. There is no perfect solution, and that is why passwords are so ubiquitous. You don’t need any special hardware for a password. And when it gets compromised, it is easy to change it.
Integrity relates to the fact that you require proof or assurances that your communication has not been intercepted or altered en route from source to destination and vice versa. There are two forms of integrity compromise – one is encryption, and the other is hashing. Encryption is reversible. It takes place when you use a cipher to make the plain text unreadable. And unless you have a cipher for decryption, the integrity of the password will remain intact.
Hashing occurs when you apply a mathematical equation or calculation to a clear text password. You basically end up with a string of nonsense. And the beauty of this is that the passwords are stored in hashes, there is no need to store the clear text password. Thus, if the data is stolen it is not possible using the same math to get it back to the original plain text password.
If you take every word in the dictionary and map it to a hashing algorithm, you will have a hash to dictionary word mapping. If you have a list of hashed passwords which were created from dictionary words, then the hash can be matched, and the password could be revealed. This is an example of a rainbow table, and there are hundreds of them out there, with billions of entries. You can counter these by salting. Salting occurs when you add a further layer of protection to hashing. You add an additional element of randomness to the calculation that creates the hash, i.e., the salt. Therefore, hashes are great, but only when salted.
Unfortunately, most banks do not hash the passwords. This is evident as banks ask, for example, what your 3rd, 6th, or 9th password character is. If the passwords had been hashed this would not be possible. Unfortunately, this means passwords will remain in clear text for longer and could be visible to banking staff. This idea of revealing 3 characters of your password is ridiculous for online web and mobile banking as it essentially reduces the password size to 3 characters temporarily. Instead of having to guess a 20-character password, hackers only need to guess three password characters.
The 3-character challenge is a hangover from telephone banking. The idea was for you not to say your password out loud over the phone in case someone overheard it. It makes a little sense for telephone banking but not for online. In addition, I must confess that I have written out and numbered my passwords characters in the past just to make the process easier. In doing this, banks have, unwittingly, created an insecure environment by making people write down their passwords so that they can work out what the letters are.
One of the crucial parts of cybersecurity is making sure business systems remain available and robust against hackers. Businesses should remain robust against faults like drives/systems failure, or internet downtime. That also includes natural disasters such as floods, fires, or even theft. Ransomware is probably the biggest threat to availability. It buggers up everything. You lose availability, but you also lose access to the data. And that is why backups and the ability to roll back to previous data is so important. Quality backups are ransomwares’ nemesis.
What can we do to ensure that flood security is adhered to in an organisation?
You can categorise organisations into people, processes, and technology. Cybersecurity is not going to work unless we get peoples’ buy-in and unless people take it seriously. As a cybersecurity consultant, one of your biggest challenges will be selling the necessity to do something about the threat. You will have to be persuasive enough so that internal stakeholders can recognise the scale of the threat.
We see evidence of companies being breached, without any idea that they have been breached all the time! So the ability to persuade and get buy-in from c-suite decision makers is crucial. Once you have buy-in from everybody and processes are put in place, everybody needs to adhere to the rules. Security awareness needs to be broad and deep. If you don’t have the people-side sorted, the technology and process will not get done because no one will believe in it.
What about processes?
We need to ensure that there is accountability and understanding of what everyone’s responsibilities are so that the organisation remains secure. The cultural ethos of treating people’s data with care needs to be instilled.
Activities, roles, and documentation
Activities refer to the governance, management, and auditing of data. We can talk about best practices all day, but it needs to be known and understood by people and made part of their job descriptions. People have to be trained to enable them to fulfil their roles. Documentation is where information is recorded and written down and relates to policies, processes, and procedures.
The policy is a high-level document and offers guidance, advice, and best practice. It has to be recorded in an easily digestible manner – regardless of the audience’s technical knowledge and understanding. It should be made accessible to everyone, and there should be an online evaluation system in place to test staff knowledge. A quiz at the end of the document works well. As cybersecurity policies are updated every year, it is a great way to make sure that people stay up to date with changes in this realm.
Processes and procedures embody a more granular level of policies – this is where what should be done and how it is done is defined. Everyone needs to read company policies, but you only need to understand processes if it applies to your day to day role. Procedures provide step-by-step levels of detail.
To recap: the three pillars of cybersecurity are confidentiality, availability, and integrity. To mobilise the organisation, the pillars can be broken down into people, processes, and technology.
Although technology changes all the time, companies should never lead with it. People and processes should drive cybersecurity instead. The technology should be supportive of the things that you are trying to achieve. Always prioritise people and processes first, and then decide what technology should be used to enable people and processes.
Please note: This article has been transcribed and summarised from our podcast of the same title.