Security Fundamentals: Creating Secure Environments

By Edward J. Hawkins, II
Contributor, InCyberDefense

This is the first of three articles on security fundamentals.

Traditionally, for an environment to be considered secure three primary goals must be met. These goals are commonly referred to as the CIA triad:

• Confidentiality
• Integrity
• Availability

Confidentiality Definition Varies by Its Environment

Confidentiality has different meanings, depending on the environment in which the term is used. For example, when confidentiality is used within the government or the military, it takes on a meaning associated with a sensitivity level which, if violated, could result in the damage or harm to government personnel and equipment. For example, this type of confidentiality might be likened to lawyer-client privilege, whereby the lawyer agrees not to share information about a client with a third party.

Defining the Difference between Privacy and Confidentiality

Privacy is a close relative to confidentiality. But these two words are not interchangeable. The difference is in how information is controlled.

Privacy relates to personal autonomy and control of information about oneself, while confidentiality means the assurance of data secrecy. This understanding of confidentiality can also be defined as the assurance that information will not be disclosed to inappropriate entities or processes. And while confidentiality is a security goal, it is important to understand that reaching that goal is predicated on the environment in which it is used.

Achieving Confidentiality through Cryptography

To achieve security through confidentiality, it is standard practice to use some form of cryptography. Modern uses of cryptography include securing wireless communications between cellular subscribers and their provider network, home wireless networking, internal and external storage media, and network connectivity.

However, location determines how multiple algorithms are used in today’s cryptography-rich environment. Some algorithms can be applied in layers to create an even more secure environment.

Some of the more commonly used cryptographic algorithms today are:

• Advanced Encryption Standard (AES)
• Message Digest version 5 (MD-5)
• Secure Hash Algorithm (SHA) family
• Elliptic Curve Cryptography (ECC)

Many of these algorithms are regularly employed in various places without the average person’s knowledge. For example, cellular network providers utilize the AES algorithm to protect their customers’ communications. Homeowners have the option to employ this same algorithm on their wireless in-home networks.

Hashing algorithms protect data from being manipulated when the sender transmits it to the receiver by providing a mathematical computation of the data. This computation is the hash value.

Keeping Web Browsers Safe

The most common use of cryptography today is in web browsers. The creators of web-browsing software have implemented three primary means to secure connections between users and providers of web-based services. The cryptographic services used in this case are Secure Socket Layer (SSL), Transport Layer Security (TLS) and the Internet Protocol Security (IPSec) suite.

SSL has largely been replaced by TLS version 1.2 and should be viewed as the preferred method for secure communications. IPSec, on the other hand, gives users the ability to create virtual private network (VPN) connections through a web browser for secure communications.

When these methods are implemented properly, a green padlock will appear in the uniform resource locator (URL). However, when there is a configuration issue with the website’s security, the web browser will attempt to inform the user of the problem. That will allow the user to make an informed decision whether to proceed with conducting a transaction on that insecure website.

Although the decision of whether or not to use an insecure website is up to the user, it should be noted that a website administrator might implement more stringent security measures. That might cause the web browser to behave in a way to make the website appear to be unsecure. Ideally, the user should proceed with caution once he or she determines if the website is secure.

Best Practices for Ensuring the Confidentiality of Secure Environments

Here are some basic recommendations for ensuring confidentiality:

1) Understand what information needs to be protected and from whom.

2) Know what cryptographic algorithm is being used.

3) When possible, implement whole disk cryptography on your systems.

4) Look for the green padlock when using a web browser.

5) Look for cryptographic algorithms that have a high number of bits (e.g. AES-256, SHA-512). The higher the number of bits, the harder it is to break.

6) When securing your home wireless networks, use Wi-Fi Protection Alliance version 2 (WPA2) with AES and a long passphrase for the key.