
Security Concepts: The Three Pillars

In the next couple of articles we will look at some general security concepts and frameworks.

While these do not give us answers to our security problems, they do provide a way to start thinking about security, and give some structure to the concept. They also make it clearer where the problems exist.

This means that instead of a vague "problem", we can frame our decisions within the frameworks. For example, we can ask "Which of the three pillars does this particular approach address?"

The Three Pillars of Cyber Security

It's easy to assume there is a technological solution to the security problem. However, while technology plays a huge part, we need to look at security from a much wider perspective.

Rather than focusing on just the technical aspect, The Three Pillars of Cyber Security represent the three elements we need to consider. They provide a standardised way of looking at Cyber Security and remove some of this technological focus, allowing us to avoid the trap of a purely technological approach.

The Three Pillars

People

This is widely considered to be the pillar with the most risk attached to it.

Statistics from Verizon's 2018 Data Breach Investigations Report show that phishing or other forms of social engineering cause 93% of all data breaches. Rather than targeting the computers, the attackers target the people using them.

So why are these attacks so successful? One argument is scale: Symantec estimate that there are around 130 Million phishing emails sent each day, and Google reported 18 Million phishing emails related to Covid-19 per day [1]. It doesn't need a high percentage of successful campaigns to become a major threat.

Note

The figures for successful phishing attacks vary. It seems that around 30% of "delivered" phishing emails are opened (Verizon), and 1% of people click through. However, where that fits in terms of absolute numbers is unclear.

People are also a relatively easy target, and do lots of silly things (like reusing passwords) that make the hacker's job easier. Human error can also account for a lot of successful attacks.

It's here we can introduce Rule 2 (Rule 1 comes later):

Rule 2

RULE 2: You can make something idiot proof, then Idiot 2.0 is released

A lot of mitigation of human factors is down to training and awareness. By understanding how and why social engineering works, we are better able to spot it, and therefore protect ourselves.

As developers, we can't be responsible for this training. However, we can still make design choices that help people avoid these mistakes. For example, we can make our software enforce a secure password by default, or make it hard to turn security-related features off (and make the danger clear when someone does).
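The two design choices just described, enforcing a password policy by default and making it deliberately awkward (and visible) to switch a security feature off, as an added Python illustration that is not part of the original article. The policy thresholds, the tiny common-password list and the `AppSettings` feature names are constructed for the example, not taken from any real product:

```python
"""Secure-by-default design choices (added illustration, not from the article).

Two patterns the article mentions:
  1. enforce a reasonable password policy by default;
  2. make turning a security feature off an explicit, logged act.
"""
import logging
import re
from dataclasses import dataclass, field

logger = logging.getLogger("secure_defaults")

# Constructed sample of commonly reused passwords; a real deployment would
# check against a large breached-password list instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1"}


@dataclass(frozen=True)
class PasswordPolicy:
    # Thresholds are illustrative assumptions, not a recommendation from the article.
    min_length: int = 12
    require_mixed_case: bool = True
    require_digit: bool = True
    block_common: bool = True


# The policy applied when the caller does not choose one: secure by default.
DEFAULT_POLICY = PasswordPolicy()


def password_problems(password: str, policy: PasswordPolicy = DEFAULT_POLICY) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_mixed_case and not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit and not re.search(r"\d", password):
        problems.append("needs at least one digit")
    if policy.block_common and password.lower() in COMMON_PASSWORDS:
        problems.append("is on the common-password list")
    return problems


@dataclass
class AppSettings:
    """Security-relevant settings are on by default; turning one off is explicit and logged."""
    require_mfa: bool = True      # hypothetical feature flag
    tls_verify: bool = True       # hypothetical feature flag
    _overrides: list[str] = field(default_factory=list)

    SECURITY_FEATURES = ("require_mfa", "tls_verify")

    def disable(self, feature: str, acknowledged_risk: str) -> None:
        """Disable a security feature.

        There is no silent one-liner: the caller must name the feature, give a
        non-empty reason, and the change is recorded so it shows up in logs and audits.
        """
        if feature not in self.SECURITY_FEATURES:
            raise ValueError(f"unknown security feature: {feature}")
        if not acknowledged_risk.strip():
            raise ValueError("refusing to disable a security feature without a stated reason")
        setattr(self, feature, False)
        self._overrides.append(feature)
        logger.warning("security feature %s disabled: %s", feature, acknowledged_risk)

    def disabled_features(self) -> list[str]:
        """Features currently switched off, for reporting in a status page or audit log."""
        return list(self._overrides)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for candidate in ("password", "CorrectHorse42"):
        print(candidate, "->", password_problems(candidate) or "ok")
    settings = AppSettings()
    settings.disable("require_mfa", "internal lab instance with no network access")
    print("disabled:", settings.disabled_features())
```

The point is not the specific thresholds but the shape of the API: the safe behaviour needs no configuration at all, while the unsafe one requires an explicit call, a reason, and leaves a trace in the logs.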

Processes

Processes relate to the company procedures around security. This can cover things like legal requirements (such as GDPR), through to individual policies on things like passwords.

At a developer level it is unlikely we will have direct influence over these processes; you will be expected to comply with policy rather than set it. Being aware of the reasons why a policy is implemented (it may be legal, it may be good practice) will help you meet it.

Areas of policy that may be missed surround incident response, or levels of authorisation. Planning for when the attack does happen, and implementing a suitable logging, detection, and recovery mechanism can go a long way towards mitigating the effectiveness of an attack. Additionally, ensuring that we meet the legal requirements when we store, or process data can protect against litigation.

One area of policy you may be able to influence is the development process. It is important that security is part of the process, rather than a "stage" software goes through before launch. By building good security practice into our programs from the start, we can only make them better.

Infrastructure

Our final pillar is Infrastructure. This accounts for all the hardware, software and physical security (i.e. cameras and entry systems) within an organisation. We will discuss technology's role in a later session.

Infrastructure has a huge role to play in cyber security, and unfortunately is one of the weaker points when it comes to implementation. However, it's also one of the points we will have the greatest influence over.

Technology to protect us against cyber attack is often marketed as the solution to all problems.

While it's true that it can help protect against some attacks, a purely technical approach is limited by weaknesses in the other two pillars. Having the world's best firewall won't protect you when Alex from HR is phished and installs the latest bitcoin miner. Instead, things like firewalls and antivirus can make attackers' lives a lot harder, but will not prevent a determined attack.

Summary

Here we have introduced the three pillars of cyber security.

The pillars remind us that security is not just a technical process, but is also affected by the people and processes that interact with the technology.

Discuss The Three Pillars #3pillars

The three pillars give us a useful way of breaking security issues into "blocks" of threats and solutions.

Using the feed in Aula, create (or reply to) a post with the tag #3pillars:

  • Which of the Three pillars do you think is the most important?
  • Why do you think this is the case?

  1. https://www.theverge.com/2020/4/16/21223800/google-malware-phishing-covid-19-coronavirus-scams (The Verge, 16 April 2020, on Google's reported Covid-19 phishing volumes)