Few people understand how information security really works. The television shows and movies depict it as a sort of modern wizardry where hackers fight geeks using technobable spells. In reality, information security focuses on building powerful defenses which no hacker can get through, so the infosec expert can go home and sleep at night knowing the hacker has been thwarted.
It’s those defenses which this very minute protect your valuable information on the Internet. Let’s see what makes them so effective:
The Main Information Security Model
When a company or government stores your personal information, they use a three tier model to help keep your information secure:
- Encryption: your data is saved in a format which is useless to the hacker without a password or other key.
- Access Control: access to your data is restricted to only the people and programs which need it. This is also called ACL for Access Control List.
- Logs: whenever someone or something accesses your data, a record is made. This ensures that the access control works and that no program or person is abusing their authority to access your data.
Implementing these three techniques may sound simple, but it’s quite difficult in practice. For example, it’s easy to encrypt data so hackers can’t use it if they get their hands on it. The problem is that any company which loses the password or key to that data can lose all of their customer data in seconds. It’s like keeping your money in a Swiss bank account—it’s safe and anonymous, but if you forget your secret account number all of that money is useless to you.
Access control and logging also have their own problems. Programs require extra complication in order to handle access control correctly, and it costs companies money to write that extra complication. Logs on the other hand must be read periodically by a human being, and that also costs the company hours which could be spent doing something productive.
This extra cost of information security is part of the reason you so often read about companies getting hacked. It’s not that the information security model is bad or that the hackers are that skilled, but that the company didn’t put the effort into security in the first place.
How You Can Spot Bad Information Security
Are you reluctant to give a particular company your credit card number or other information? Here’s a quick tip which can help you determine whether the company uses one of the most basic information security techniques. If they don’t use this technique, I recommend that you don’t trust them with anything important.
First, create an account. Enter your password and do whatever it takes to confirm the account without giving them your personal information. Then log out and activate the password reset.
If they send you your old password by email, they’re information security idiots. Don’t use them. If they send you a random new password or send you a link to click on to reset your password, then they know at least this very basic information security technique.
The secret to this trick is how the company stores your password in their database. Remember the first two steps of our three-step model; here’s how they apply to passwords:
- Encryption: your password should be encrypted so hackers can’t see it even if they get the password database.
- Access control: nobody and no program should be able to see your password.
If the company can send you your password, then both of these first two rules are broken—the password isn’t encrypted (or otherwise they couldn’t send it to you) and the access control isn’t set (because their email program saw your password before sending it to you.
You may be wondering how the company can use the password if they can’t ever see it. It’s pretty easy—they use math to encrypt your password when you first set it. Then every time you enter your password to log in, they use the same math to encrypt the password you entered. If the two encrypted passwords match, they know you entered the correct password.
The math used here is advanced—it’s designed to be one-way math so that passwords can be encrypted but not decrypted.
What You Can Do To Improve Information Security
A lot of the information security you work with on the Internet revolves around passwords. Many infosec experts agree that passwords are a terrible mechanism—but we don’t have any better solutions which are as easy as passwords.
We’ve tried biometrics such as fingerprints and retina scans, but they require extra equipment people don’t want to buy and they have a fatal flaw—people’s biometrics can change. (For example, you could lose your fingertips or eyes in an accident.)
Other solutions include smart cards, but people also don’t want to buy the equipment necessary to use these.
A recent attempt to beef up password security is Google’s attempt at two-factor authentication—you enter your password and then you enter a code from your cell phone. Most people don’t need to buy a special device to make this work, but it does seem to be an extra pain. We’ll have to wait to see whether it becomes common.
Many people are not aware of the security threats they face on their computers everyday. Even your Facebook account protection is important but often neglected. These simple risks are taken for granted and can turn an ordinary computer user into a cyber security teriorist. Why? Because people are not aware of how they are sharing and using information.
But even if you still use plain passwords, you can help protect your online information by using a more secure password and a different password for each site.
In theory, hackers can’t decrypt your password, so if you enter your password on only secure sites, you should (in theory) be safe using the same password on every site. That’d be great—you could chose a nice, long password and memorize it just once.
But it isn’t the case because once hackers get a hold of a password database they can guess your password, encrypt it, and compare it to your encrypted password. With the right hardware, hackers can make millions of guesses a second, so it takes them only minutes to hack a password with fewer than eight lowercase characters or numbers.
If you use a stronger, longer password, the work hackers have to do goes up significantly and they’ll often give up before breaking into your password. But they still might get it. That’s why you have to use a different password on every site to get the most out of information security.