Layers of Security

There are many layers to any notion of security. How well do you understand each?

A few years ago, I was enthralled by the Dan Brown thriller, Digital Fortress. To be honest, that’s actually the book that piqued my interest in security and cryptography in the first place.

One of the key points of the novel has the heroes racing against the clock to crack a worm placed by a former NSA engineer before outside hackers breach the final layer of security around the network. At one point they even visualize the network’s security as a layer of concentric rings being constantly attacked by “snakes” from the outside.

A great visualization for a sci-fi thriller. Not so much for a book explaining digital security.

Cybersecurity

This year I started challenging myself by taking a Coursera series on cybersecurity. It’s a combination of four classes and a capstone to pull everything together. The courses themselves cover:

  • Usable security (i.e. making secure systems not easily compromised by lazy users)
  • Software security (understanding things like memory leaks and injection attacks)
  • Cryptography (explaining the core principles of secure communication)
  • Hardware security (explaining and protecting against certain side-channel attacks)

It’s been a fantastic run thus far. Challenging, engaging, enlightening.

Among other things, the courses have shown me the different layers of security present in modern web applications and how to better understand and work with each.

Much of the software that runs the framework of my sites is built on top of C and C++. There are certain aspects to these languages that make them ideal for such a purpose – namely, speed. There are other aspects that make them somewhat dangerous to use in a distributed context. Take for example the recent Heartbleed memory overflow attack. Or the Shellshock code injection attack.

Dealing with networked software means we also have to understand and protect against untrusted data introducing potential side-effects; we have to sanitize data inputs to prevent remote code/data injection.
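To make the point about untrusted data concrete, here is an added example (not from the courses and not OpenSSL's code) of the kind of missing length check behind Heartbleed, shown beside a checked version. The record layout, function names and sample records are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed record layout (an assumption for this example, modelled on a
 * heartbeat-style echo): [type:1][claimed_len:2, big-endian][payload...] */
#define HDR_LEN 3

/* UNSAFE: trusts the length field the peer wrote into the record. If
 * claimed_len exceeds the bytes actually received, memcpy reads past the
 * end of rec and echoes adjacent memory back to the peer. */
size_t echo_unsafe(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len;                                   /* never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HDR_LEN, claimed);
    return claimed;
}

/* SAFE: the claimed length is untrusted input, so it is checked against
 * both the bytes received and the room in the output buffer.
 * Returns bytes written, or -1 if the record must be dropped. */
long echo_safe(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < HDR_LEN)
        return -1;                                   /* truncated header */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN)
        return -1;                                   /* length field lies */
    if (claimed > out_cap)
        return -1;                                   /* would overflow out */
    memcpy(out, rec + HDR_LEN, claimed);
    return (long)claimed;
}

/* Constructed sample records: one honest, one claiming 16384 payload bytes. */
static const uint8_t honest_rec[] = { 0x01, 0x00, 0x04, 'p', 'i', 'n', 'g' };
static const uint8_t lying_rec[]  = { 0x01, 0x40, 0x00, 'p', 'i', 'n', 'g' };

int main(void)
{
    uint8_t out[64];
    long a = echo_safe(honest_rec, sizeof honest_rec, out, sizeof out);
    long b = echo_safe(lying_rec, sizeof lying_rec, out, sizeof out);
    return (a == 4 && b == -1) ? 0 : 1;              /* 0 on expected results */
}
```

The only difference between the two functions is that the checked one compares the claimed length with what was actually received before copying.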

The fact that products are used by humans means we need to code with the end-users in mind. A system that forces users to change their passwords to a unique, “strong” password every three months might feel secure; the chances administrators will re-use passwords across applications (or render them insecure through some other means) are so high as to destroy any security this might present.

My only complaint about these courses thus far is that we haven’t gone far enough into network security. Every course has explicitly stated that students aren’t expected to understand networking and just teaches the primitives involved with the various topics. To be sure this is very useful, but in a world of increasingly remote communication, it’s not going to continue to take us that far.

There are many layers to any notion of security. How well do you understand each?