Skip to main content

How Secure is Secure Enough?

Over the past few weeks I have spent many hours thinking about my personal information security requirements and discussing pros and cons with others. My goal with this article is to clarify few concepts that have surfaced in these discussions. I want to help you find your way in the jungle of information security.

Information classification

PublicRestrictedConfidentialTop Secret

One size does not fit all. If you were to handle all your information as top secret, that would have a serious impact on your productivity and your wallet. This is the reason most companies develop information classification standards.

Information classification standards help sort information into categories based on sensitivity. They define how information should be handled in each category. The goal is to find fit-for-purpose approaches.

Typical categories include public, restricted, confidential, and top secret.

Public information may be shared freely. This includes information on public websites and in printed literature such as brochures and user guides. In a personal knowledge management scenario, this would include your blog, your book - in case you are an author -, statements you made on social media, any public speeches, etc.

Restricted information can be shared freely with a broader group of people you trust. This of pictures on Google Photos for a sports club that is accessible to all members. Internal company news, policies, and procedures accessible on the intranet would also typically fall into this category.

Confidential information is shared with others on a strict need-to-know basis. Think of a confidential product launch or a merger, acquisition, or divestment deal. The company may even require those involved to sign a non-disclosure agreement before they share any information about the project with them. In a private setting, your interactions with your tax or legal advisor, or your physician, would probably fall into this category.

Top Secret is information that if leaked would have unacceptable consequences. Quarterly financial results of large corporations typically fall into this category. It is not uncommon to host such information on a separate protected infrastructure, ring-fenced from the rest of the corporate network. As individuals, this would probably include your pin/password/code for your online banking environment. Sometimes, this could even include parts of your personal journal as well.

Thinking in these four categories and defining your own security standards for each is a good way to understand your needs and constraints.

What is e2ee?

No EncryptionService ProviderEncryption in TransitService ProviderEnd-to-end EncryptionService Provider

End-to-end encryption ensures that only the intended recipient can access your message. To understand e2ee, consider the following alternatives:

No encryption

This means your message travels in clear text from your device to the recipient’s device. This is, for example, the case with SMS and with websites that are accessed via http (and not the secure alternative https). SMS is relatively safe because an attacker needs expensive technology to intercept SMS messages. Http is simply not secure, period.

Encryption in transit

The communication between your device and the server is encrypted, however, once it arrives, the server decrypts your message for further processing.

This is how websites using https typically work. Your provider can offer additional server-side services that require the processing of your message. These services could include group chat, or automatic transcription of a voice conversation, etc. Once the server has finished processing your incoming message, it forwards it (or its enhanced version - e.g. your voice/video message with auto-generated subtitles) to the recipient in an encrypted form.

Encryption in transit protects your message during the most dangerous part of the journey because attackers could easily intercept your message while it is in transit. Encryption in transit however leaves your message vulnerable on the server.

End-to-end encryption

In this scenario, your message remains encrypted during the entire journey from your device to the recipient. Encryption technologies ensure that only you and your counterpart can read the message, not even the service provider in the middle.

E2ee does not provide full security. Consider the simple scenario that you lose your phone, and you haven’t set a pin or password. Even though your messages were encrypted e2ee, the attacker could access all your secure messages by gaining access to your device.

Now consider that in practice you don’t need to lose your device, attackers using malware can gain access to your device while it is sitting safely in your hands. This is one reason why you should never install “free” pirated applications. There is no such thing as “free”, only you might pay with your privacy instead of your cash.

Finally, even if you have done everything to protect your device, your message may still leak if your recipient does not follow similar safe practices.

Trust-No-One

Trust no one Internet security - Wikipedia

In brief, according to the TNO design philosophy, keys for encryption should always be, and stay, in the hands of the user that applies them. This includes avoiding all trusted external parties, like for example the certificate authority in case of secure end-to-end SSL connections. However, most communication means rely on a trust relationship between at least two parties.

Security through obscurity?

Back in the 1990s it was common practice to install homemade anti-theft solutions into cars. Some people simply used a broken fuse; they replaced a good one with the broken one when they parked their car in an unsafe location. Others disconnected replaced or switched-up cables on the engine’s distributor. Some installed a magnetic Reed switch somewhere on the dashboard that you first had to activate with a small magnet before turning the ignition on. The assumption is that a thief will not have enough time to figure out why the engine is not starting.

Security through obscurity is an approach to minimize the risk of getting targeted by an attack.

Examples of security through obscurity include solutions in which an administrator changes default/popular/common settings, such as changing default port configurations for SSH, the default folders for applications, etc. Some people may hide passwords in binary files.

Security through obscurity can be good if combined with other security mechanisms and defensive rules. But if security through obscurity is your sole source of protection, you may be building your house on sand. Also, consider the case of hiding the key to your home under the front doormat. What if your obscurity isn’t so effective after all? If applied carelessly, you may make things easier for an attacker to uncover secrets.

How do I know who to trust?

TRUST

As a customer, it is extremely difficult to assess the security of the services we use. Every company will stress the security of their services, even if their practices and architecture do not support this claim.

You can look for telltale signs:

  • Is the service using https? Is the certificate valid according to your browser?

  • What does Google bring up when you research the service? e.g. try a query like “how secure is onedrive?” or “icloud security breach”. Look for publications from independent parties and not the service provider.

  • Check the password policy for the service. Anything less than 8 characters lower + uppercase and numbers is unacceptable. Do they offer two-factor authentication? Have they sent you a registration confirmation email with your password in clear text? - a bad sign!

  • Is there a documented process for reporting security incidents?

  • Don’t let empty words fool you, that “your privacy is our number one concern...”. Are you able to find any evidence of external security certification and compliance to standards? Keywords to look for include mention of SOC2 ReportISO/IEC 27001 compliance, participation in Cyber Essentials SchemeCIF Certified logo, etc.

  • Are the services hosted at one of the reputable global service providers, like Amazon, Google or Microsoft, or at a no-name local shop? Not that small companies cannot be excellent, however large service providers have much more to lose with a security scandal.

Conclusion

Once someone steals your information or you leak it by mistake, you can’t take it back. You may find legal remediation, but the effects can be long and devastating. Take for example Jennifer Lawrence who, when reflecting on her nude photos being leaked in 2014, commented “I feel like I got gang banged by the f*cking planet” and “I would much prefer my whole house to have been invaded. That’s what’s so scary about electronic (things). I have such fear with my phone and my computer and electronics.” [*]

My advice is, take information security seriously, your life can turn upside down in an instant if you are not careful. It may be difficult to do due diligence, especially if you are not familiar with the technology. However, it is still much easier to conduct due diligence than to perform damage control.

Check out my related posts

Like this post?
Show your support.

Comments

Popular posts from this blog

Deep Dive Into Roam's Data Structure - Why Roam is Much More Than a Note Taking App

Which are the longest paragraphs in your graph? Which pages did you edit or create last week? How many paragraphs of text do you have in your database in total? Which pages do you have under a given namesapece (e.g. meetings/)?

Showcasing Excalidraw

Conor ( @Conaw ) pointed me to Excalidraw last week, and I was blown away by the tool and especially about the opportunities it opens up for  Roam Research ! It is a full-featured, embeddable sketching component ready for web integration. This post will showcase key Excalidraw features and discusses some of the issues I still need to solve to complete its integration into Roam. I spent most of my free time during the week integrating Excalidraw into Roam. This article will introduce Excalidraw by showcasing its features.

My GTD - How I Organize Meetings and TODOs in Roam

How efficient is your workflow for keeping on top of all your meeting notes, action items, contacts, projects and more?  If you were to bump into someone unexpectedly would you be able to remind yourself of all the relevant topics you wanted to discuss with the person?  Can you remember all the things you wanted to get done when running your errands?  Can you keep track of your discussions with all the people you talk to regularly? In this post I will walk you through my meetings-actions-people workflow in Roam. If you are new to Roam and Roam42... Just in case you are not familiar with Roam , it is an ultra flexible note taking tool. It's like the Excel for text. If you want to find out more, there is tremendous amount of quality content available on YouTube, just search from "Roam Research". Equally, you can head over to RoamBrain.com for all the best links and more. My workf

Roam-Excalidraw Plugin MVP Release

  I am releasing the MVP version of the Roam-Excalidraw Plugin. Over the past two weeks, I have been super focused on getting to this point. As a consequence, this post is going to be shorter and more utilitarian than usual. I had to make a choice whether to release the plugin this weekend or to write a detailed blog post. I opted for the first.

contact: info@zsolt.blog