TL;DR: InfoSec hasn't changed in 3,000 years.
Battle Scene
Imagine an ancient battlefield. One side's general stands on a hill and observes the flow of battle below. He decides he needs one of his chariot commanders to flank around to the west to pin the enemy against a cavalry group coming in from the south.
He takes out his scytale (basically an ancient secret encoder/decoder ring) and encodes a message to the commander on a piece of papyrus. He then rolls it up and seals it with his personal seal and a mixture of wax and bitumen and hands it to a trusted messenger.
The messenger runs down the hill, finds the chariot commander and hands him the scroll. The commander checks the seal to authenticate the message and verify it has not been intercepted and then uses his scytale to decrypt it, which also serves as a secondary means of authentication. He then sets fire to the papyrus, and finally, before executing his orders, stabs the messenger, tearing down the session.
And 3,000 years later, that’s still what we care about.
What we saw in the battlefield example was confidentiality and integrity — the two fundamental principles of security that we still care about today. The cipher (or code) helps ensure confidentiality, and the wax seal provides integrity.
My point about security is that it's actually very simple in theory. People forget that. The fundamentals of integrity and confidentiality are very straightforward. Viewed through that lens, > 99.999% of infosec is an execution and OpSec problem. We've known the basics for millennia, and we tend to overcomplicate it.
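As an added illustration of those two properties (this code is not from the original post), here is a scytale-style transposition cipher standing in for the general's encoder ring, and an HMAC tag standing in for the wax seal. The rod diameter, the shared key and the "_" padding character are constructed assumptions; the receiver checks the seal before attempting to decode, exactly as the chariot commander did.

```python
import hashlib
import hmac

PAD = "_"  # assumed padding character; plaintext must not end with it


def scytale_encrypt(plaintext: str, diameter: int) -> str:
    """Confidentiality: wrap the strip around a rod of `diameter` columns,
    write across the rod row by row, then read the strip off column by column."""
    msg = plaintext + PAD * ((-len(plaintext)) % diameter)
    rows = len(msg) // diameter
    return "".join(msg[r * diameter + c] for c in range(diameter) for r in range(rows))


def scytale_decrypt(ciphertext: str, diameter: int) -> str:
    """Rewrap the strip on a rod of the same diameter and read across it."""
    rows = len(ciphertext) // diameter
    plain = "".join(ciphertext[c * rows + r] for r in range(rows) for c in range(diameter))
    return plain.rstrip(PAD)


def seal(key: bytes, ciphertext: str) -> str:
    """Integrity: the 'wax seal' is an HMAC-SHA256 tag over the ciphertext."""
    return hmac.new(key, ciphertext.encode(), hashlib.sha256).hexdigest()


def send_order(key: bytes, order: str, diameter: int) -> tuple[str, str]:
    """The general's side: encode the order, then seal the scroll."""
    ciphertext = scytale_encrypt(order, diameter)
    return ciphertext, seal(key, ciphertext)


def receive_order(key: bytes, ciphertext: str, tag: str, diameter: int) -> str:
    """The commander's side: check the seal first; only then decode.
    A broken seal (any change to the scroll) is rejected outright."""
    if not hmac.compare_digest(seal(key, ciphertext), tag):
        raise ValueError("seal broken: message was altered or not from the general")
    return scytale_decrypt(ciphertext, diameter)


if __name__ == "__main__":
    key = b"shared-rod-and-seal-key"  # constructed shared secret
    ct, tag = send_order(key, "FLANK WEST AT DAWN", 4)
    print(ct, tag[:16], receive_order(key, ct, tag, 4))
    tampered = ("X" if ct[0] != "X" else "Y") + ct[1:]
    try:
        receive_order(key, tampered, tag, 4)
    except ValueError as exc:
        print("rejected:", exc)
```

Note that the transposition alone gives no integrity: the tampered scroll still decodes to plausible-looking text, which is why the seal is checked before the cipher is ever applied.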
Modern Examples
Let’s look at two more modern examples: one from the 1980s, which brings us up to the time period of the hit TV show Stranger Things, and the other from the present day.
Stranger Things Era
Back in the 1980s, a kid (Alice) is sick with mononucleosis (mono), so she can’t head to her neighbor Bobby’s house to play chess. Instead, she gets a ball of string from the kitchen junk drawer, ties one end around her bedpost and throws the rest through her neighbor’s screenless (and open) window. Based on past behavior, this is a clear invitation for communication. Each kid already has a tin can with a hole in the bottom so they can create their own telephone.
The first kid threads her end of the string through the hole and ties a knot. The other kid does the same, and then they each reset their chess boards. Using their tin can phone system, they’ll share moves. Each kid moves the pieces on their own board, but only Alice keeps a written log of what gets said. And, because her mom has told her she’s supposed to be resting in bed, she’s going to use a special coder ring, not unlike the one used in Alexander’s time, to make sure her mom can’t read her notes.
The Present Day
If that same kid wanted to play chess now, she’d probably grab her smartphone and engage with a friend on the other side of the world via an app — and she could encrypt the conversation herself, using the app, or just rely on the phone’s passcode that she’s changed since the LAST time her mother tried to get into her phone.
But either scenario is just like Alexander’s time.
Confidentiality and integrity still matter.
In the Stranger Things Era, the chess moves travel from tin can to tin can along a string. If the girl’s mother, Eve, were to tie another string to the middle, maybe she could intercept the conversation, but she’d still have to crack the code.
In the present day, chess moves travel from phone to phone through an app that uses an internet connection. The moves can be discovered if they are not encrypted, or the entire phone could be breached if Alice’s mother discovers the right passcode (say, if Alice had used something easily known, like her own birthday).
What Alice and Bobby care about is keeping the game secret from Eve — they want confidentiality and they want integrity, just like Alexander. We’ll come back to both examples throughout the series.
The Pizza Approach to InfoSec Decisions — Next Post
Now that we’ve secured the information, we can get into who needs to use it, who has a right to use it, and why. For that, we’ll take a look at “Please Do Not Throw Sausage Pizza Away” and why this is the phrase that tells you all you need to make effective InfoSec decisions, but that’s for the next post.
About Auth0
Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.
About the author
Joan Pepin
Chief Security Officer (CSO)
Previously, Joan served as Business Information Security Officer (BISO) at Nike, Inc., as CISO and VP of Security at Sumo Logic, and held different positions in the Guardent/Verisign/Secureworks organization. Joan holds a patent for developing the methodology to assess whether a communication contains an attack.
She is also a well-recognized thought leader and has spoken at major events, such as RSA, WhiteHat Security Summit, and Forrester Security Summit, and is frequently called upon for her expertise and commentary on Cloud Security and Compliance in large-scale and DevOps/CI environments.