Scenario 1: Whenever we have something very important to store, we take special care. My father used to store important documents in the toughest iron chest and put it in the most secure attic of the village mud-brick house. Even inside the chest, the important documents were carefully wrapped in multiple layers of paper and cloth before being tucked away in a designated corner of the crammed chest. Whenever an important document was needed, the first and usually the only place to look was the coveted iron chest. It was a matter of having a well-defined, secure and accessible place to store important documents.
Scenario 2: Whenever I go abroad with a passport, visa and ticket, I make multiple copies of them and keep one copy each in my dress pocket, luggage bag and handbag, while also carrying the originals in the most secure possible way. The copies are stored separately so that at least one copy of each document remains in case something goes wrong.
Scenario 3: At school we had developed a code language by twisting the order of words and syllables, using a pre-shared insertion pattern so that the conversation was intriguing to others. Similar but much more sophisticated techniques have been used to obfuscate communications on national security, military strategies and trade secrets.
The scenarios are examples of measures to protect important information. Whether that information is in the form of the spoken word, a document or another important item, the degree of precaution and the level of security measures used depend upon the importance of the item concerned. The challenge of ensuring data security has increased manifold with the advent of cyberspace. The sudden explosion in the amount of personal and organizational digital data, along with the necessity of being connected to the outside world, has amplified the challenge of securing data.
The major aspects of data security in cyberspace are confidentiality, integrity and availability, the so-called CIA or three pillars of digital information security. They combine with accountability and traceability to provide a comprehensive mechanism for securing digital data in the modern world of internet-based hyper-connectivity.
Privacy and confidentiality
Confidentiality means that the data is accessible only to the concerned, authorized persons, so that unauthorized people cannot access it. Breaking the secret code used to scramble the data, sniffing the data using keystroke sensors or wiretapping, and over-the-shoulder leakage of secret information such as passwords are all used to compromise the privacy of data.
As we increase our online presence, we tend to post more about ourselves. The social networking sites are perhaps the single biggest custodians of our personal information: what we do, whom we meet, where we go, what we eat and so on. Then there are the various e-commerce, education, blog and news sites that ask us to register. We unknowingly or knowingly submit our names, addresses and other details. We press ‘OK’ or ‘Yes’ to every disclaimer or legal statement that allows the sites to store, use and probably distribute our personal information.
Our over-descriptive and overexposing social media profiles and other activities can be used to make us victims of cybercrimes. The fake news herders have publicly accepted using Facebook profiles of young children, teenage students and other unsuspecting people to create a widely networked wall of fake news posts: creating propaganda, influencing elections, radicalizing people and making millions for the fraudsters in advertising revenues. Then there are e-commerce pushers that push all sorts of advertisements to us, hoping we click one of their links, leading to our computers being compromised or them making money on a per-click basis for dubious traders of illegal goods and services.
Over-exposure to the internet is like living in a glass house. Each and every activity that we do is visible to the outside world, whether we are aware of it or not. The ideal would be to cut off all connections to the outside world, or to live in a brick-and-mortar house with no windows. But that is not possible. The best alternative is to ensure confidentiality while being connected and open. Credentials such as passwords, along with data encryption, digital signatures and encrypted network connections, can be used to make sure the data is available to the intended users only.
Integrity and originality
The integrity of digital information is concerned with making sure that the data is not manipulated or tampered with while travelling from the source to the destination, principally over a network. Imagine the contents of an email you sent to your boss being manipulated in between and the boss receiving a completely opposite message. These so-called ‘man-in-the-middle’ attacks or phishing scams modify the information while it travels from the source to the destination, without the knowledge of either party.
Man-in-the-middle attackers sit between the official information repository and the information user. The attackers then redirect the data from the repository to their own tools. Once they have the data, they manipulate it and forward it to the user, without the user being aware that the data has been manipulated. Phishing websites, which mimic the original websites of mainly financial service providers, redirect the legitimate traffic to their duplicate web pages and from there steal information such as debit/credit card numbers, passwords, user IDs etc., to use later to extract money directly or to hold for ransom.
To make sure that any change to the data along its path is detected, special message portions called checksums or digests are often used. Special algorithms calculate a summary ‘signature’ of the original data, which is sent together with the message or separately. At the destination, the same algorithm is used to calculate the signature of the received data. If the signature calculated at the destination matches the one obtained from the source, the data has not been compromised in between.
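The check described above can be worked through in a few lines. The following is an added example, not part of the original article: it uses SHA-256 as the digest algorithm and, going one step beyond the text, HMAC-SHA256 as a keyed digest, to show that a plain digest only protects the message when it is obtained separately from a trusted source. The messages and the key are constructed sample values.

```python
import hashlib
import hmac

def digest(message: bytes) -> str:
    """Unkeyed SHA-256 digest: the summary 'signature' computed at the source."""
    return hashlib.sha256(message).hexdigest()

def verify_digest(message: bytes, received_digest: str) -> bool:
    """Destination recomputes the digest and compares it in constant time."""
    return hmac.compare_digest(digest(message), received_digest)

def tag(message: bytes, key: bytes) -> str:
    """Keyed digest (HMAC-SHA256); needs a secret shared by source and destination."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()

def verify_tag(message: bytes, received_tag: str, key: bytes) -> bool:
    return hmac.compare_digest(tag(message, key), received_tag)

# Constructed sample data for this example.
ORIGINAL = b"Approve the budget request."
TAMPERED = b"Reject the budget request."
SHARED_KEY = b"constructed-demo-key-do-not-reuse"

def scenarios() -> dict:
    """Run the destination-side check under four conditions."""
    trusted = digest(ORIGINAL)  # digest obtained separately from the source
    return {
        # Message arrived unchanged: digests match.
        "intact": verify_digest(ORIGINAL, trusted),
        # Message changed in transit, digest came separately: mismatch detected.
        "changed_separate_digest": verify_digest(TAMPERED, trusted),
        # Digest travelled with the message and was recomputed by whoever
        # changed it: the plain check passes, so the change goes unnoticed.
        "changed_digest_replaced": verify_digest(TAMPERED, digest(TAMPERED)),
        # Keyed digest: without the key, the old tag no longer matches and a
        # tag made with any other key is rejected.
        "changed_hmac_old_tag": verify_tag(
            TAMPERED, tag(ORIGINAL, SHARED_KEY), SHARED_KEY),
        "changed_hmac_wrong_key": verify_tag(
            TAMPERED, tag(TAMPERED, b"some-other-key"), SHARED_KEY),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:26s} accepted={ok}")
```

The third case is why a digest sent in the same channel as the message needs to be keyed or digitally signed before it can be relied on against deliberate modification.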
Availability and robustness
The data sources or systems connected over the internet are supposed to be working and available all the time. They are supposed to serve their data to legitimate users as and when needed. One major security threat to internet-based data management is the rendering of data services unavailable. Suppose a bank website is not available at the moment when a financial transaction is being posted, or a network link to an ATM goes down. Suppose the website of an important institution is shut down or replaced by a duplicate, bogus one. Or a single link to an important datacenter is sabotaged and disconnected, affecting a large number of services and their users.
To make sure that such mishaps are minimized and the data services are available at all times, various measures are employed. An important station is connected through more than one network link. A major datacenter has multiple machines working in parallel so that the failure of some does not cause major disruption. There are multiple power sources, backup generators, backup air conditioning, security guards, CCTV cameras, fire hydrants and other measures so that the physical facility and the data-serving machines inside can operate in so-called ‘high availability’ mode. Regular data backups, multiple sites in different seismic zones and cloud-based replica machines that hold an online mirror copy of the actual data repository are more sophisticated measures undertaken to ensure absolute maximum availability of data to the intended users.
Accountability and traceability
Imagine a bookstore where a rogue shopper comes and scours a few books for ten minutes. At the end of the visit, the shopper sneaks to a corner and slips a copy of a bestseller into his jacket pocket. A few things determine whether the act can be traced and the culprit identified. First, the shop needs surveillance. CCTV footage of the actual act is the most convincing evidence, even if the shop does not track its inventory and stock every day. The person who lifted the book would not be able to deny it if shown the footage. The surveillance has to be complete, leaving no corner of the shop uncovered. What if the CCTV footage is there but the shopkeeper does not review it or does not notice the missing book? To avoid this, there should be proper inventory keeping, with daily verification of sales and stock.
The scenario is much the same with digital data. If I email an important document or make a change to a vital database or a file server, my activities should be recorded and the actions should be properly attributed to me. For this, each person with such privileges needs to be assigned a personalized credential that is not shared with anybody. If a credential is shared, the blame is also shared, and it is difficult to pinpoint the source of the deed. Properly timed and sufficiently detailed event logs are important in tracing bad activities, as such logs capture each and every important activity along with a timestamp and the identity of the person doing it.
In network-based activities such as hacking, malicious emails and scams, traceability is provided by network credentials such as email addresses, IP addresses, domain names and other related identifiers. To hide their identity, shrewd online criminals also use the hijacked identities of other, unsuspecting users who are less adept at securing their online activities. Forged social media profiles, spoofed emails, duplicate network addresses and duplicate web portals are some of the most widely used means by which cyber criminals dodge security agencies, hiding their identity and trails.
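A short audit over event logs shows why the timestamp and the personal identity both matter for attribution. This is an added example, not part of the original article; the log format, account names and addresses are constructed for illustration, and the ten-minute window is an assumed threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log; the line format is an assumption of this example.
SAMPLE_LOG = """\
2024-03-01T09:00:05Z user=alice src=10.0.0.5 action=db.update target=payroll
2024-03-01T09:02:10Z user=dbadmin src=10.0.0.7 action=db.update target=payroll
2024-03-01T09:03:40Z user=dbadmin src=10.0.0.9 action=db.delete target=payroll
2024-03-01T09:10:00Z user=bob src=10.0.0.8 action=file.read target=contracts
2024-03-01T13:30:00Z user=alice src=10.0.0.6 action=mail.send target=report.pdf
2024-03-01T13:31:00Z src=10.0.0.9 action=file.write target=contracts
"""

def parse_line(line):
    """Return (timestamp, fields), or None if the record cannot be attributed."""
    stamp, _, rest = line.partition(" ")
    try:
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None                      # no usable timestamp
    fields = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    if not fields.get("user"):
        return None                      # no identity recorded
    return when, fields

def audit(log_text, window=timedelta(minutes=10)):
    """Return (accounts seen from more than one source inside `window`,
    lines that lack a timestamp or an identity)."""
    by_user, unattributable = defaultdict(list), []
    for line in filter(None, (l.strip() for l in log_text.splitlines())):
        rec = parse_line(line)
        if rec is None:
            unattributable.append(line)
        else:
            when, fields = rec
            by_user[fields["user"]].append((when, fields.get("src", "?")))
    shared = {}
    for user, events in by_user.items():
        events.sort()
        # Any two events from different sources inside the window imply an
        # adjacent pair with the same property, so adjacent pairs suffice.
        for (t1, s1), (t2, s2) in zip(events, events[1:]):
            if s1 != s2 and t2 - t1 <= window:
                shared.setdefault(user, set()).update({s1, s2})
    return shared, unattributable

if __name__ == "__main__":
    shared, bad = audit(SAMPLE_LOG)
    print("possibly shared credentials:", shared)
    print("unattributable records:", bad)
```

On the sample data the `dbadmin` account is flagged: its update and delete come from two sources ninety seconds apart, so the log cannot say which person deleted the payroll data. A flag is a prompt for review, since one person moving between devices produces the same pattern.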
Securing the glass house
Seclusion and isolation are not an option. The Amish in the US, the tribes in the Amazon jungles and Maasai herders in Africa are all connected to the outside world. The glass house is a reality. It cannot be changed. What can be changed is how we live inside the glass. Do we live with all the blinds removed and all the lights on? Or do we live with all the blinds down and lights properly illuminated?
Though getting online is unavoidable, there are a few things that can be done to ensure maximum security and privacy. Avoiding unnecessary posting of personal information online and reading the disclaimer messages carefully before pressing ‘OK’ can be a good start. For end users, using tools such as antivirus, anti-spyware and child online protection can be good options. But before that, regulating one's use and being aware are of greater importance.
For corporates and those who serve the data, the security measures can include special security tools such as firewalls. Good practices such as proper design of the datacenter, power and network redundancy, well-defined operational practices and well-orchestrated physical security can also be employed in unison and with proper planning, so that services keep running and users keep getting access to legitimate data. Safe practices and proper tools help minimize abuses and help in catching the perpetrators if abuse happens. Prevention is critical, but cure is also important if prevention cannot catch a specific malady. Those who live in the glass house need to be aware of how to be safe and how to protect their privacy while living inside the transparent, overexposed, hyper-connected domicile.