What is Cyber Security
Lets kick off the module with a introduction to Cyber Security.
Definition of Cyber Security
Cyber security is defined by the National Cyber Security Centre (NCSC) as:
Quote
Cyber security is how individuals and organisations reduce the risk of cyber attack. Cyber security's core function is to protect the devices we all use (smartphones, laptops, tablets and computers), and the services we access - both online and at work - from theft or damage. It's also about preventing unauthorised access to the vast amounts of personal information we store on these devices, and online. Cyber security is the application of technologies, processes and controls to protect systems, networks, programs, devices and data from cyber attacks1.
So essentially Cyber security is the process we use to protect our computing devices, and the data stored on them against attack or compromise.
There are many reasons why this is important. One of the biggest issues is the sheer number of connected devices in the modern world. Ownership of personal computing devices and mobile phones, continues to increase worldwide
The IoT
While we can argue whether its good or bad that your Fridge can tweet for you, or your TV reports back to Samsung the rapid growth of the internet of things (or smart devices) doesn't look likely to stop soon. Each of these devices has some code associated with them which means, unless the code is secure, the attack surface for hackers keeps growing.
As well as the number of devices, the way we work and interact with the world is increasingly online. This means our data is stored, processed and transmitted by software. This means that flawed design choices (for example using poor encryption) or implementations can make our data insecure. Additionally the way components are interlinked can mean that security is only as good as the weakest part of the chain.
Finally, cyber crime is on the increase, the increased attack surface makes it easier to find vulnerable systems, and the prevalence of these systems means that an attack can affect more people. In 2019 around ⅔ of all businesses reported some kind of cyber incident2, and it was estimated that Cybercrime is a $1.5 Trillion business. The cost of an attack can be much more than whatever is stolen Legal requirements in the way we store data (GDPR) can have heavy fines of up to 20 Million Euros, following a data breach.
Perspectives on Cyber Security
From my perspective (as an ethical hacker) we take an active approach to Cyber Security, trying to break into systems to assess the security of them. However, while hacking is fun, its a bit more than just focusing on the computing devices themselves. A huge number (around 90%) of successful cyber attacks start with social engineering. This means as a Cyber Security specialist we also have to take account of how people use the systems, and the processes put in place that will help to secure them.
When it comes to Cyber Security as a Computer Scientist or developer its about writing code and designing systems that helps meet any security aims. This would include being aware of best practice, and taking into account any legal factors around the storage and processing of data. As coders we should also make our software "secure by default", it should be easy to configure security related features, and clear what the implications are when they are turned off.
Finally we can look as Cyber Security from a users point of view. Essentially it means we should be able to trust the security of any computer systems we use. Obviously this is for a given value of trust, NO computer system is fully secure, but we should expect that the developers have done everything that is reasonable to ensure our security.
The Secure Code Problem.
When working with more "traditional" computer scientists, they tend to have one of two views on security.
- The Code development is more important, we can focus on teaching people to write the code and there is a whole security team to deal with it afterwards.
- Yes security is an issue, but its a quick one to solve. We just need to teach people who to write secure code. Simples!
When it comes to the first point. The way we write code has got much better, We have:
- Decent Version control
- People actually unit-test
- VS-Code is almost as good as Emacs
- We have Agile practices for writing, and testing software.
So if we know how to fix it, why do we still have an problem with security? Throughout the module you will see that a lot of security flaws come from the same set of mistakes.
On your standard Comp-Sci course coding "ability" gets measured in the number of bugs or functionality. Does the code work and meet the marking scheme? This means we are more concerned over whether your Mongo DB works, rather than if it works in a safe way. Can you can talk about hash tables for storing data efficiently, but don't understand why using hashes for passwords is a good idea?
Note
Fortunately, this isn't the way at Coventry, you are in a security module in a CS degree after all...
There appears to be a similar problem in industry, get the code working and the QA and security evaluation comes later (if it comes at-all). Perhaps its better to start thinking about security throughout the process. This isn't to say the people who teach coding at university or industry practice are bad at what they do (although there are exceptions). But its been an issue for ever, so unless the security aspect is what they have been taught themselves, it still gets missed. At the end of the day I see this as a flaw in the software development lifecycle. Rather than make security part of the whole process, its a check box we have to go through.
The second argument is much harder to deal with. While I agree that teaching security concepts, is a great idea (you are in a security module in a CS degree after all), the attitude of "Just Teach Secure Code" is a dangerous trivialisation of the problem. People have been trying to do this since the dawn of programming, and I doubt that Prof. Random, Computer Scientist from Birmingham (regardless of the Russel group status or not) is going to make much of a difference.
Like everything else in Comp Sci, security is an evolving field, and we cannot
teach Rules for security. I doubt that Thompson and Richie deliberately
designed C's string copy methods to be insecure, but 20 years later, Aleph1
showed us how to Smash the Stack3.
Best practice can change, so rather than teaching security as a set of rules,
teaching why something occurs and encouraging people to think about security
is a much better approach.
Script Kiddies
The very existance of Script Kiddies is another example of why "Just teach people secure coding" is a flawed strategy.
Later in the course we will look at the OWASP top 10 web vunlerblities.
Since its inception, OWASP has had "Fixed" problems like SQL injection in the list,
YET we still get a huge number of SQL based vulnerabilities each year.
So if "Everyone" knows there is a problem, and "Everyone" knows its reasonably easy to protect against it why do they still occur?
Legal Aspects for Cyber Security
There are several laws that apply when we are dealing with and securing data.
We will cover these in detail later, so here is a brief overview.
The first and most obvious is GDPR (General Data Protection Regulations) that were introduced in 2018. Broadly speaking, GPDR sets out expectations for both Data Owners (who data is about) and Data Processors (people storing, using, or processing that data). While the most well known part is to do with fines following a data breach, it has a lot of other interesting aspects that will effect the way you write programs to store data.
The Data protection Act (2018) complements GDPR by addressing specific rules that apply in the UK. Many of these rule (in my opinion) weaken the protections in GDPR, by providing more flexibility in the way data processors can deal with information.
There are also legal protections against hacking, for example the Computer Misuse Act (CMA) set out the penalties for unauthorised access of systems, and the (Regulation of Investigatory Powers (RIPA), that covers interfering with and intercepting communications.
One interesting aspect to these legal requirements is its often a balance between the needs of the individual, and those of the state and organisations. Often there are many grey areas (for example backdoors in encryption) that may have some benefit, but are deeply flawed from a general security perspective.
Summary
In this article we have had overview of cyber security, defining the concept, the scale and cost of cyberattacks. We also looked at different perspectives on security, what it means for professionals and the public. We also introduced some of the legal concepts that apply to cyber security.
Discuss Perspectives #whatissecurity
What are your views on cyber security? Using the feed in Aula,
create a post with the tag #whatissecurity
(or respond to, someone else's post)
Answer the following questions.
- What does it mean to you as an individual (do you personally care)?
- Why do you think it is important?
- What do you think is going to be the biggest security challenge in the next 5 years?
Related Reading
-
Aleph 1 was by no means the first to smash the stack, but he certainly did the first major writeup of the process. ↩