Communicating freely

Security is a process

Monday, June 26th, 2006

Security is a process.  That means it’s not a tool, it’s not something that comes out of a box, and it’s not easy to get right.  Security depends on a chain of different things moving in tandem to counter dangers and weaknesses.  Security does not exist; it’s a way of anticipating or reacting to problems and ensuring that certain goals are met.

Digital security is about countering digital threats.  In my case that usually means considering the threat to communications, more specifically the information contained inside emails.

The security threat with emails sounds something like this: people want to send private messages through a public network where random computers can intercept the messages.  We have to work out how to ensure the messages remain private even if they are intercepted.

The easiest way to do this is to encrypt the messages.  This means that even if someone intercepts the message they won’t be able to read a thing.  The only person who can decrypt the private message is the person who should be reading it.  Perfect.  The overarching security threat is solved by an overarching solution.

The problem returns when we look at the details.

How will we encrypt the private message?  If we use really strong encryption (symmetric encryption) we have to tell the recipient the password.  Transmitting a password is a terrible security risk.  If we use hybrid encryption (PGP) we lose a certain amount of cryptographic robustness.
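The hybrid approach the paragraph refers to, the one PGP takes, can be shown in a few lines. This is an added example in Go, not code from the original post and not PGP's own implementation: a fresh random session key does the symmetric work, and only that key is wrapped with the recipient's RSA public key (RSA-OAEP plus AES-256-GCM; the names Envelope, Seal, Open, NewRecipientKey and must are my own). It shows why no password has to be handed to the recipient, and where the trade-off the paragraph mentions lives: the message's secrecy now also rests on the public-key algorithm.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is what crosses the public network: no password, only a wrapped key.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

// must turns "cannot happen" sender-side errors (CSPRNG failure, bad key) into a panic.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// NewRecipientKey makes the recipient's long-term RSA-2048 key pair (assumed key size).
func NewRecipientKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// Seal is the sender's side: a fresh random session key does the bulk (symmetric)
// work, and only that key is wrapped so that just the matching private key can
// recover it. No shared password ever has to travel with the message.
func Seal(pub *rsa.PublicKey, plaintext []byte) *Envelope {
	key := make([]byte, 32) // AES-256 session key, used for this message only
	must(rand.Read(key))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil))
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plaintext, nil)}
}

// Open is the recipient's side: unwrap the session key, then decrypt and
// authenticate. A wrong private key or any tampering surfaces as an error.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key)))) // 32-byte key: cannot fail
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Note that the envelope still reveals who it is for and when it was sent; the later part of the post is about exactly that remaining exposure.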

It becomes evident that security processes inevitably end up being about trading off different percentages of security and practicality.  We need to balance our requirements (sending a private message privately) with the reality of the situation (the only way to send a completely private message is not to send it at all).

A good security process is a careful analysis of the security threat and the security requirements.  It is a balance between theory and practicality that will ensure the main goals of the enterprise are (more or less) met.  Sometimes the security process will fail.  That’s just a mathematical certainty.  There is no such thing as perfect security.

If you think about it there isn’t even such a thing as really good security.  What’s a secure workstation?  One you don’t use.  What’s a secure communication network?  See above.  If you actually deploy something you set in motion variables that ensure that at some point or other the security process will fail.  Somewhere along the way there will be an error and one link in the chain will give.

It is very fortunate that most of the time security is not really quite as important as people may think.  Most private emails are private from a select few individuals like your boss or your wife.  The level of security required to keep them out of your affairs (literally or otherwise) is far less than that required to prevent the NSA checking to see what socks you are wearing.

Even critical security is often time-sensitive.  This means that if a security process offers a good chance of maintaining itself for XYZ time-scale it will often accomplish the required goal.

To put it more bluntly: security processes often translate into either confusing people who have no chance of breaking through them or buying time before professionals break through.  If you’re dealing with professional security life becomes all about buying time.  It’s just insane to think any security process will make a wall that people can’t dig holes in.

Encrypted email is used to send private messages.  It’s pretty tough to crack a PGP encrypted email by brute force.  It takes a lot of computing resources to do that sort of thing.  Of course, the NSA, GCHQ and Chinese intelligence have a lot of computing resources.  If you’re hiding from these guys you’re going to need a lot more than encryption.

Holistic is the word we’re looking for.  A real security process is going to be holistic.  If we’re talking email that means looking way beyond encryption.  Of course we’ll include encryption, but we’ll also be including things like geographical movements (where are the messages coming from?) and time-based analysis (when are these messages being sent and in what order?).  We’ll combine thousands of factors to try to work out how to make a process that will buy enough time to accomplish a goal.

From another perspective, you might bump into a security process and try to work out how to break it before the people using it accomplish their aim.

Maybe the most important thing about any security process is the people using it.  Social engineering has got to be the primary way security processes are cracked.  You meet a guy, get him drunk and get the information you need.  That leads you to another bit of information and so on.  This is how intelligence agencies get a lot of breakthroughs.

For a moment there I drifted into the big picture.  You’re not so interested in how the NSA will discover what XYZ said on the ABC trade mission.  But let’s apply the holistic thought to normal everyday encryption.  Holistic processes still apply if you want to go about things properly.

If you want to send a private message to someone (and that message is to be truly private), simply downloading something like Enigmail OpenPGP will not work.  You need to think about locations, and you need to think about what will happen to the private keys on both ends of the communication chain.  You need to think about stored emails and the possibility that someone will find them in six months.

You need to think about the fact that even if the emails are encrypted they still exist.  Someone browsing the computer can see that you sent an email to a certain address or name.

There are holes everywhere and we’re just talking about sending a private message to one person in a normal environment.

If you want security then think process.  Look at yourself, look at your objectives, and make a call.  Balance your end-goal against the idea of true security (not doing anything at all), and find a way forward. Remember to plan for the inevitable failure of the security process as well.  Perhaps not today, perhaps not tomorrow, but inevitably it will fail.  If you need something that will work in the long-term you’ll have to keep changing and evolving the security process, replacing each potential access point as probability throws it out of favour.

What’s the most likely way a two-way private message conversation will be compromised?  Any guesses?

One of the parties will tell a friend.

That’s what I mean about security being a process.  And people are the least reliable part of the process.  We have to take this into account when we try to secure a communication channel.