Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll
Preview
Start a free Courses trial
to watch this video
How do you identify places you might be attacked? Do you have a plan for dealing with an attack and the fallout from such?
Attack vectors
If you want another look at our list of questions, here it is:
- Why would someone want to gain access to your application or data?
- What are the most likely ways someone would gain that access?
- What data would be the most valuable to an attacker?
- Assuming your application is compromised, how would that impact your users? How would it impact your business?
- What processes would you follow to fully recover from an attack?
- How could someone use your application for other illicit uses?
Links
Here is a StackOverflow discussion about why you shouldn't create your own security schemes and cryptography.
If you'd like a bit more info about how cryptography moved from governments to people, this BBC article is a great place to start, as is this article from Wikipedia.
Lastly, the EFF has a great guide to security. While this is mostly aimed at things to do for your own personal online safety, it's full of great ideas and advice. I highly recommend you check it out.
Security use to be so easy, right?
0:00
You had valuables,
you needed to protect them.
0:02
So you'd give a big burley guy a sword,
or put your gold and
0:04
gems in a chest, bury the chest, and
tattoo a map to it on some random pirate.
0:07
I suppose that might still work, but
it's hard to keep sand out of a USB key.
0:11
For this course, we won't be
worrying about physical security,
0:15
we'll assume that an infrastructure person
or team has already taken care of that.
0:17
We're much more concerned with
securing access to our information.
0:21
Traditionally, to protect data from
being read by non-approved eyes,
0:25
you would encrypt it.
0:28
If you were Julius Caesar for
example, you'd take every letter and
0:28
shift to the letter three
spaces further in the alphabet.
0:32
This is known as
the Caesar Cipher by the way,
0:34
and a pretty easy bit of
encryption to start playing with.
0:36
But anything that a human can encode
of a pen and paper can be decoded too.
0:39
While it wasn't the first encryption
machine, Germany's Enigma and
0:43
other encryption machines made solid
steps forward in creating encryptions and
0:46
codes that were effectively
unbreakable by humans.
0:49
You may have even seen a recent film about
British attempts to build a computer to
0:53
break Enigma, led by Alan Turing.
0:56
Unfortunately Turing's bomb
didn't breakthrough Enigma, but
0:58
it definitely influenced how
we think about cryptography.
1:00
In the 1970s, serious cryptography and
encryption finally broke into the public.
1:03
Before then it had been almost entirely
the domain of various governments.
1:07
This had two major effects.
1:10
The average person now had access to
fairly unbreakable encryption and
1:12
encryption could be studied and improved.
1:16
But wait,
I thought we were talking about risk.
1:18
We are.
1:21
By putting an encryption into the public
sphere and putting millions of eyes on
1:21
encryption methods,
attacks against encryption are weakened.
1:24
Because hopefully, someone else has
already seen and fixed the vulnerability.
1:27
So here's my first piece of absolute law.
1:30
Don't create and
use your own private encryption.
1:32
It may be fun to come up with
ways to encrypt things, but
1:35
that should only be for your own learning.
1:37
This isn't just me saying this.
1:39
This is standard advice from security
experts from around the world.
1:40
Don't create your own encryption schemes.
1:43
See the teachers notes for
a healthy discussion about the risks.
1:45
Okay, so you're gonna use publicly
available methods to encrypt things.
1:49
We'll talk more about
encryption in just a bit.
1:52
First though, here are some questions
to ask yourself to help find places you
1:54
might be vulnerable.
1:57
Try to answer as honestly as possible.
1:59
For this too we have to assume that
no application is 100% secure.
2:00
All right, here we go.
2:04
Quiz time.
2:05
Why would someone want to gain
access to your application or data?
2:06
What are the most likely ways
someone would gain that access?
2:10
What data would be the most
valuable to an attacker?
2:13
Assuming your application is compromised,
how would that impact your users?
2:16
How would it impact your business?
2:19
What processes would you follow
to fully recover from an attack?
2:20
How could someone use your application for
other illicit uses.
2:24
As an example for that last one, is a
somewhat common practice, to use services
2:28
that require a credit card for access
as a test bed for stolen credit cards.
2:31
Thieves enter the card's details,
and see if the charges, or
2:35
at least the authorization go through.
2:37
If so, the card's probably ready for use.
2:39
If you had any I don't knows or
uncomfortable reflections in
2:42
those questions, this is a good
time to start working on a plan for
2:44
mitigating attacks and
recovering from the same.
2:47
It sounds horrible and defeatist,
but the attacks are likely to come.
2:50
Luckily though you're thinking about
this already, so you're one step ahead.
2:54
Use the plan you come up with and
2:57
the answers to your questions to figure
out where to focus your security efforts
2:58
and protect your highest value and
highest risk items first.
3:01
All right, that was a bit heavy?
3:05
Let's talk about two common ways
of obscuring and protecting data.
3:06
Hashing and encryption.
3:09
You need to sign up for Treehouse in order to download course files.
Sign up