Section 2.1 Why do we need cryptography?

This chapter is meant to serve as a brief and gentle introduction to the cryptographic concepts often encountered in the field of security. It is by no means exhaustive, but it should provide a basis for understanding why protocols are designed the way they are. Cryptography is the practice of transforming data so that only parties holding the right key can read or verify it. It allows us to put data into a protected form so that unauthorized users cannot view or tamper with it.
Cryptography is used to set up secure channels of communication, but it can also provide non-repudiation of actions, leaving digital footprints that show a particular party performed a particular action. Because of this, cryptography underpins authentication, authorization, and accounting (AAA): it lets a system verify who it is talking to, make access decisions based on that verified identity, and keep records that can later be tied to the party responsible.
By using a confidential encrypted channel we can be sure that anyone who intercepts our communications cannot "listen in." Combined with authentication of the other endpoint, this is what defeats man-in-the-middle (MITM) attacks: encryption alone hides the traffic, but it is authentication that stops an attacker from quietly inserting themselves as the other party. Cryptography can also provide integrity, proving that the data has not been altered since it was produced. With a digital signature, the sender can show that a message really came from them and was not modified in transit. Signatures also give non-repudiation, since only the holder of the private key could have produced a valid signature on a particular message. Lastly, cryptography allows us to authenticate users without storing their passwords in plaintext, by keeping only a salted, slow hash of each password. This is critical in an age where data breaches are increasingly common.

Example 2.1.1. Case Study: Equifax.

In September of 2017, Equifax announced a data breach that exposed the personal information of 147 million people (see www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement). The original attack made use of a known vulnerability in an outdated version of Apache Struts (struts.apache.org/), which was being used as part of Equifax's system for handling credit disputes from customers. Once the attackers had gained access to internal Equifax servers, they began gathering as much information as they could from internal databases.
What is particularly egregious about this data breach is that passwords in many databases were stored in plaintext. This meant the attackers could immediately try those username and password pairs on other services, since many people reuse passwords. While users should use different passwords for different services, it is far more disturbing that a company as large as Equifax did not have policies in place to use cryptography, in this case salted password hashing, to limit the damage from such an enormous breach.
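The following is an added example, not part of the original text or of any Equifax system, illustrating the point made above and in the introduction about authenticating users without storing plaintext passwords. It contrasts a constructed plaintext credential table with one holding salted PBKDF2-HMAC-SHA256 records built with Python's standard library, and shows what an attacker holding the leaked table is reduced to: one slow hash computation per guess per user rather than reading the password straight out of the dump. The usernames, passwords and record format are invented for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data for illustration only: this is what a credential
# table that stores plaintext passwords looks like, the failure mode in the
# case study. Nothing here comes from a real system.
PLAINTEXT_STORE = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}

ALGO = "pbkdf2_sha256"           # hypothetical record tag, chosen for this example
DEFAULT_ITERATIONS = 600_000     # OWASP's current guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    The salt is random per user, so two users with the same password get
    different records and a precomputed table cannot be reused across them.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the slow hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_hashed_store(plaintext_store: dict) -> dict:
    """Migrate a plaintext table to hashed records; the plaintext is then discarded."""
    return {user: hash_password(pw) for user, pw in plaintext_store.items()}


def offline_guess(record: str, wordlist) -> Optional[str]:
    """What an attacker holding the leaked table must do: one slow hash per guess.

    A weak password still falls to a short wordlist, but a strong one does not,
    and nothing in the record reveals the password directly.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    hashed = build_hashed_store(PLAINTEXT_STORE)
    for user, record in hashed.items():
        print(user, record[:48] + "...")
    print(verify_password("hunter2", hashed["bob"]))                       # True
    print(verify_password("hunter3", hashed["bob"]))                       # False
    wordlist = ["password", "123456", "hunter2"]
    print(offline_guess(hashed["bob"], wordlist))                           # hunter2
    print(offline_guess(hashed["alice"], wordlist))                         # None
```

Two details matter in practice. The per-user random salt means that identical passwords do not produce identical records, so an attacker cannot hash a wordlist once and match it against every user at the same time, and `hmac.compare_digest` avoids leaking how many bytes of the digest matched through timing. Hashing does not rescue a weak password like "hunter2" from an offline guessing attack, but it does turn a leaked table from a ready-made list of credentials into a computation the attacker has to pay for one guess at a time.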