Security use to be so easy, right?

You had valuables, you needed to protect them.

So you'd give a big burley guy a sword, or put your gold and

gems in a chest, bury the chest, and tattoo a map to it on some random pirate.

I suppose that might still work, but it's hard to keep sand out of a USB key.

For this course, we won't be worrying about physical security,

we'll assume that an infrastructure person or team has already taken care of that.

We're much more concerned with securing access to our information.

Traditionally, to protect data from being read by non-approved eyes,

you would encrypt it.

If you were Julius Caesar for example, you'd take every letter and

shift to the letter three spaces further in the alphabet.

This is known as the Caesar Cipher by the way,

and a pretty easy bit of encryption to start playing with.

But anything that a human can encode of a pen and paper can be decoded too.

While it wasn't the first encryption machine, Germany's Enigma and

other encryption machines made solid steps forward in creating encryptions and

codes that were effectively unbreakable by humans.

You may have even seen a recent film about British attempts to build a computer to

break Enigma, led by Alan Turing.

Unfortunately Turing's bomb didn't breakthrough Enigma, but

it definitely influenced how we think about cryptography.

In the 1970s, serious cryptography and encryption finally broke into the public.

Before then it had been almost entirely the domain of various governments.

This had two major effects.

The average person now had access to fairly unbreakable encryption and

encryption could be studied and improved.

But wait, I thought we were talking about risk.

We are.

By putting an encryption into the public sphere and putting millions of eyes on

encryption methods, attacks against encryption are weakened.

Because hopefully, someone else has already seen and fixed the vulnerability.

So here's my first piece of absolute law.

Don't create and use your own private encryption.

It may be fun to come up with ways to encrypt things, but

that should only be for your own learning.

This isn't just me saying this.

This is standard advice from security experts from around the world.

Don't create your own encryption schemes.

See the teachers notes for a healthy discussion about the risks.

Okay, so you're gonna use publicly available methods to encrypt things.

We'll talk more about encryption in just a bit.

First though, here are some questions to ask yourself to help find places you

might be vulnerable.

Try to answer as honestly as possible.

For this too we have to assume that no application is 100% secure.

All right, here we go.

Quiz time.

Why would someone want to gain access to your application or data?

What are the most likely ways someone would gain that access?

What data would be the most valuable to an attacker?

Assuming your application is compromised, how would that impact your users?

How would it impact your business?

What processes would you follow to fully recover from an attack?

How could someone use your application for other illicit uses.

As an example for that last one, is a somewhat common practice, to use services

that require a credit card for access as a test bed for stolen credit cards.

Thieves enter the card's details, and see if the charges, or

at least the authorization go through.

If so, the card's probably ready for use.

If you had any I don't knows or uncomfortable reflections in

those questions, this is a good time to start working on a plan for

mitigating attacks and recovering from the same.

It sounds horrible and defeatist, but the attacks are likely to come.

Luckily though you're thinking about this already, so you're one step ahead.

Use the plan you come up with and

the answers to your questions to figure out where to focus your security efforts

and protect your highest value and highest risk items first.

All right, that was a bit heavy?

Let's talk about two common ways of obscuring and protecting data.

Hashing and encryption.