Security is only as Strong as its Weakest Link

A team of researchers from the Norwegian University of Science and Technology and the National University of Singapore pushed the envelope and discovered a method to intercept data by tapping an optical fibre cable. They designed an apparatus that is able to sniff data by reading the small light pulses transmitted in the cable. Hoi-Kwong Lo from the University of Toronto, too, unveiled an optical fibre hack that works by determining how the sender polarised their photons. By tricking the sender into sending tweaked photons, he is able to study the error rate and leverage the tweaks to compensate for the disturbances created by photon interception.

As [1] put it:

Neither of these techniques actually breaks the fundamental principles on which quantum cryptography is based. They simply exploit loopholes introduced when it is reduced to practice.

Security will never be fair play. The blue team has to defend every single aspect of the infrastructure – applications, networks, and operations. In contrast, the red team simply needs to discover a single vulnerability each time to compromise you.

Recalling a project I did a year ago on circumventing the Microsoft Windows Encrypting File System (EFS), I too tried to achieve my goal by exploiting implementation faults. Cryptography is a big field of study in mathematical science. Yet no matter what encryption one uses, the message will definitely be decrypted when it reaches the intended recipient. In computing, looting information from end-points is so much easier than intercepting encrypted messages and trying to decrypt them.

Security is only as strong as its weakest link. As a country you need to defend all domains of land, sea, and air. Singaporeans will not forget how the Japanese exploited our weak border defence up north, which separates us from Malaysia, when we placed most of our defences at Sentosa, waiting for them to attack us from the south.

People, Process, Technology

The three basic domains of information security have to be considered when implementing security strategies.

Image Extracted from TechNet

Weakest Link – Exploiting the CIA Triad

CIA – Confidentiality, Integrity, and Availability – are the three core components of security. This triad appears in every corner of security. The absence of any component would cripple security. We have to ensure that data is protected (C) and trustworthy (I), as well as (A)vailable.

Image Extracted from Wikipedia

It is straightforward to security practitioners when we talk about Confidentiality and Integrity. But many confuse the (A)vailability in the CIA triad with (A)uthenticity. The latter sounds more coherent when we think about security. Authenticity is more a supporting feature than a core component itself. Availability is core not just to security but also to your business.

When you are unable to download your files or play your games because your security suite is in your way, you switch it off. When your firewall is interrupting your business service, you switch it off. How much discipline do you think government bodies or the military have when their telecommunication is not audible due to the installation of encryption devices? How likely, then, is security to work when there is no availability?

Security is only as strong as its weakest link – all security considerations (CIA) have to be thought through and integrated in every single domain (people, process, and technology) of your business.

[1] The Economist. Light Fantastic. 2010, 26 July
