TL;DR: InfoSec hasn't changed in 3,000 years.
Imagine an ancient battlefield. One side's general, call him Alexander, stands on a hill and observes the flow of battle below. He decides he needs one of his chariot commanders to flank around to the west to pin the enemy against a cavalry group coming in from the south.
He takes out his scytale (basically an ancient secret encoder/decoder ring: a rod around which a strip is wound, so that a message written across the wound strip only reads correctly on a rod of the same size) and encodes a message to the commander on a strip of papyrus. He then rolls it up, seals it with his personal seal in a mixture of wax and bitumen, and hands it to a trusted messenger.
The messenger runs down the hill, finds the chariot commander and hands him the scroll. The commander checks the seal to authenticate the sender and to verify that the scroll has not been opened or altered on the way, then uses his own scytale to decrypt it; a message that decodes cleanly on a matching rod is a second signal that it came from someone holding the same rod. He then sets fire to the papyrus and finally, before executing his orders, stabs the messenger, tearing down the session.
And 3,000 years later, that’s still what we care about.
What we saw in the battlefield example was confidentiality and integrity, the two fundamental principles of security that we still care about today. The cipher (or code) provides confidentiality: anyone who grabs the scroll without the rod gets nothing useful out of it. The wax seal provides integrity (and, because only the general holds that seal, authenticity of origin): the commander can tell whether the scroll was opened or altered before it reached him.
My point about security is that it's actually very simple in theory. People forget that. The fundamentals of confidentiality and integrity are very straightforward. Viewed through that lens, > 99.999% of infosec is an execution and OpSec problem. We've known the basics for millennia, and we tend to overcomplicate them.
Let's look at two more modern examples: one from the 1980s, which brings us up to the era of the hit TV show Stranger Things, and one from the present day.
Stranger Things Era
Back in the 1980s, a kid (Alice) is sick with mononucleosis (mono), so she can't head over to her neighbor Bobby's house to play chess. Instead, she gets a ball of string from the kitchen junk drawer, ties one end around her bedpost and throws the rest through her neighbor's open (and screenless) window. Based on past behavior, this is a clear invitation to talk. Each kid already has a tin can with a hole in the bottom, so they can make their own telephone.
Alice threads her end of the string through the hole and ties a knot. Bobby does the same, and then they each reset their chess boards. Over the tin-can phone they'll call out moves, spoken in a code both kids know. Each kid moves the pieces on their own board, but only Alice keeps a written log of what gets said. And, because her mom has told her she's supposed to be resting in bed, she uses a special decoder ring, not unlike the scytale of Alexander's time, to keep that log in the same code so her mom can't read her notes.
The Present Day
If that same kid wanted to play chess now, she'd probably grab her smartphone and play a friend on the other side of the world through an app. She could rely on the app's encryption to protect the moves in transit, or just on the phone's passcode to keep the game off-limits on the device itself, a passcode she has changed since the LAST time her mother tried to get into her phone.
But either scenario is just like Alexander’s time.
Confidentiality and integrity still matter.
In the Stranger Things Era, the chess moves travel from tin can to tin can along a string. If Alice's mother, Eve, were to tie another string onto the middle, she might be able to listen in on the conversation, but the moves are called out in code, so she'd still have to crack it.
In the present day, the chess moves travel from phone to phone through an app over an internet connection. The moves can be read in transit if the app doesn't encrypt them, and the entire phone can be opened up if Alice's mother guesses the passcode (say, if Alice had used something easy to guess, like her own birthday).
What Alice and Bobby care about is keeping the game secret from Eve and making sure each move arrives as it was sent: they want confidentiality and they want integrity, just like Alexander. We'll come back to both examples throughout the series.
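Putting the two properties side by side in code, as an added example that is not part of the original post: the general's scytale is modelled as a keyed transposition cipher (confidentiality) and his wax seal as an HMAC-SHA256 tag over the ciphertext (integrity and origin). The same code plays Eve's part from the tin-can scenario: tapping the string yields only the enciphered moves, and altering them in transit (here, turning SOUTH into NORTH) is caught by the seal but not by the cipher. The order text, the rod size, the seal key and the names are all constructed for the example; the transposition is a toy and offers no real confidentiality against a determined attacker.

```python
"""
Added example, not from the original post: the battlefield exchange in code.

The scytale is modelled as a columnar transposition keyed by the rod size
(the number of rows the strip wraps into). The wax seal is modelled as an
HMAC-SHA256 tag over the ciphertext under a key only the general and the
commander hold. The order text, rod size and keys below are constructed for
the example; the transposition is a toy, not a real cipher.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

MESSAGE = "FLANK WEST PIN ON CAVALRY FROM SOUTH"  # constructed order
ROD = 5                                            # rod size: the cipher key
SEAL_KEY = secrets.token_bytes(32)                 # shared seal key (constructed)


def scytale_encrypt(plaintext: str, rows: int) -> str:
    """Write the message across `rows` wraps of the strip, then read the
    strip off the rod column by column. Pads with spaces to fill the grid."""
    padded = plaintext + " " * (-len(plaintext) % rows)
    cols = len(padded) // rows
    return "".join(padded[r * cols + c] for c in range(cols) for r in range(rows))


def scytale_decrypt(ciphertext: str, rows: int) -> str:
    """Rewind the strip on a rod of the same size and read across the rows.
    Trailing pad spaces are stripped, so a message must not end in spaces."""
    cols = len(ciphertext) // rows
    return "".join(ciphertext[c * rows + r] for r in range(rows) for c in range(cols)).rstrip()


def seal(key: bytes, ciphertext: str) -> str:
    """The wax seal: a MAC over the rolled-up scroll, bound to the sender's key."""
    return hmac.new(key, ciphertext.encode(), hashlib.sha256).hexdigest()


def send(message: str, rows: int, key: bytes) -> tuple[str, str]:
    """General's side: encode, then seal (encrypt-then-MAC)."""
    ciphertext = scytale_encrypt(message, rows)
    return ciphertext, seal(key, ciphertext)


def receive(ciphertext: str, tag: str, rows: int, key: bytes) -> str | None:
    """Commander's side: check the seal first; only then decode. A scroll with
    a broken or foreign seal is rejected without being read (returns None)."""
    if not hmac.compare_digest(seal(key, ciphertext), tag):
        return None
    return scytale_decrypt(ciphertext, rows)


def tamper(ciphertext: str, edits: dict[int, str]) -> str:
    """Eve on the road: overwrite individual characters of the strip in transit."""
    chars = list(ciphertext)
    for index, ch in edits.items():
        chars[index] = ch
    return "".join(chars)


if __name__ == "__main__":
    ciphertext, tag = send(MESSAGE, ROD, SEAL_KEY)
    print("on the wire:", repr(ciphertext))               # what Eve sees tapping the string
    print("wrong rod:  ", repr(scytale_decrypt(ciphertext, 4)))
    print("commander:  ", receive(ciphertext, tag, ROD, SEAL_KEY))

    # Eve changes two characters of the strip so that SOUTH decodes as NORTH.
    forged = tamper(ciphertext, {38: "N", 9: "R"})
    print("cipher only:", scytale_decrypt(forged, ROD))       # decodes without complaint
    print("with seal:  ", receive(forged, tag, ROD, SEAL_KEY))  # None: seal broken, rejected
```

The transposition alone would have handed the commander the forged order without a hint that anything was wrong: confidentiality says nothing about integrity. That is why the commander checks the seal before he reads anything, and why modern protocols pair a cipher with a MAC (or use an authenticated-encryption mode) rather than trusting the cipher to do both jobs.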
The Pizza Approach to InfoSec Decisions — Next Post
Now that we've secured the information, we can get into who needs to use it, who has a right to use it, and why. For that, we'll take a look at "Please Do Not Throw Sausage Pizza Away" and why this phrase tells you all you need to make effective InfoSec decisions. But that's for the next post.
Auth0 is the first identity management platform for application builders, and the only identity solution needed for custom-built applications. With a mission to secure the world’s identities so innovators can innovate, Auth0 provides the simplicity, extensibility, and expertise to scale and protect identities in any application, for any audience. Auth0 secures more than 100 million logins each day, giving enterprises the confidence to deliver trusted and elegant digital experiences to their customers around the world.