Today all corporate networks are connected to the internet. The reasons are numerous, from the exchange of emails to the search for information, from the use of the cloud for data storage to the various services that we access with a browser. Furthermore, we increasingly need to access the corporate network remotely, whether from home or during a business trip. For this reason, it is essential that all these connections are made with the right level of security. Let’s look at the available means, how they work, and when to use them.
Authentication and authorisation
Let’s imagine we are suppliers of aerospace components and go to visit a NASA site. When we get there, before letting us in, they will surely ask us to identify ourselves with a document. They will want to know the reason for our visit and they will register us to track it. They will give us a badge to wear that identifies us, and someone will escort us exactly where we need to go. We would never be alone. If we were ill-intentioned people who wanted to steal information, we would not have an easy time of it. It would not be simple to leave the secure path we are on. And even if we did, the various areas would have access control systems, perhaps through badges, if not more sophisticated ones. All of this started with two basic steps. First of all, we were identified and authenticated, and consequently we were given permissions on where we could go and what we could see.
The same thing occurs in the digital world. If the users of our company are not required to authenticate before accessing data, any intruder who manages to enter the network could freely access the servers and PCs. They could do whatever they want with our data, in addition to possibly blocking operations. To go back to the previous comparison, the more checkpoints where “I need a badge to enter” I put in my network, the more difficult hackers will find it to get in. Consequently, they will have a hard time trying to damage or steal the data. An apparently trivial but very effective example is how you log in to the operating system of your PC. If I log in as an administrator, I am allowed to do whatever I want on my computer. You may think this is good, but we must take into account that if hackers manage to get into my PC, they can do whatever they want as well. And that is rather less good. If instead I log in with a profile that authorizes me to do only what I need daily, it becomes much more difficult for hackers to tamper with sensitive parts of the operating system or access data for which my user is not authorized. This does not mean I must be permanently limited: if I occasionally need to access sensitive functions or data, I do so with another user account that has these permissions, and only for as long as needed. This method is called the principle of least privilege. If you have internal IT experts, the best thing is to leave access to the sensitive areas of PCs and servers to them alone. This avoids inexperienced people inadvertently making the system vulnerable. This does not mean that the principle does not apply to an IT operator as well: they too must use administrator privileges only when they are needed.
How do we find out that something dangerous is going on before it’s too late? The first thing is certainly the use of an antivirus, which blocks risky actions in advance, like opening potentially dangerous files or accessing unsafe websites. However, malware is not always identified in advance, so it is good practice to have the antivirus periodically perform in-depth scans. Furthermore, it is worth having a system that records everything that happens on the network: who accesses what, and when. That way we can check whether something anomalous has happened and take action before it is too late. For example, those who have a Google account have probably experienced a login from a new device. Google immediately notifies us that there has been an access from an unknown PC or smartphone, on that day, at that time, from that place. In this way, if it was not you, you may still be in time to change the account password before the attacker manages to steal or damage data.
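As an added example (not code from the original article), here is the kind of check behind a “login from a new device” notification: a small script that reads access records and flags any login whose device or country has never been seen for that account before. The log format and the sample lines are constructed for this example.

```python
# Added example, not from the original article: flag account logins from a
# device or country not previously seen for that account. The log format and
# the sample entries below are constructed for illustration.
from collections import defaultdict

# Constructed sample of an access log: timestamp, user, device id, country.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z alice laptop-01 IT
2024-03-01T08:40:53Z bob desktop-07 IT
2024-03-02T09:15:30Z alice laptop-01 IT
2024-03-03T22:47:02Z alice phone-99 BR
2024-03-04T07:58:44Z bob desktop-07 IT
2024-03-04T13:10:19Z alice laptop-01 IT
"""

def parse_line(line):
    ts, user, device, country = line.split()
    return {"ts": ts, "user": user, "device": device, "country": country}

def find_new_device_logins(log_text):
    """Return (timestamp, user, reason) for every login whose device or
    country is new for that user. A user's first login seeds the baseline
    and is not reported."""
    seen_devices = defaultdict(set)
    seen_countries = defaultdict(set)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        e = parse_line(raw)
        user = e["user"]
        reasons = []
        if seen_devices[user] and e["device"] not in seen_devices[user]:
            reasons.append("new device " + e["device"])
        if seen_countries[user] and e["country"] not in seen_countries[user]:
            reasons.append("new country " + e["country"])
        if reasons:
            alerts.append((e["ts"], user, ", ".join(reasons)))
        # Update the baseline after the check so later logins from the same
        # device are treated as known.
        seen_devices[user].add(e["device"])
        seen_countries[user].add(e["country"])
    return alerts

if __name__ == "__main__":
    for ts, user, why in find_new_device_logins(SAMPLE_LOG):
        print(f"{ts} {user}: {why}")
```

The baseline here is built from the log itself, so the first login of each user is trusted by construction; a production system would seed it from enrolled devices and would also alert on the notification channel (email, push) rather than just print.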
Nowadays, transferring information over the internet has become an essential necessity. But this leads to another need: not having my data read by anyone who is not authorized. On the World Wide Web, as the name implies, there is the whole world. Anyone can potentially read what we transfer unless we make it unreadable. This is achievable by means of cryptography, that is, the translation of messages into an incomprehensible form, such as a code made of apparently random letters and numbers. To obtain this, an encryption key is used, which is a series of rules that determine into which code a sentence is transformed.
Symmetric key cryptography
The simplest encryption system is the so-called symmetric key system. This method uses a single key both to encrypt the message and to decrypt it when it is received. So this process requires that the person who writes the message and the person authorized to read it are both in possession of the key. The weak point of this method lies in the management of the key. If the key is intercepted by hackers when we send it to the other person, they can use it to decipher all the messages we exchange on the internet encrypted with that key.
Asymmetric key cryptography
In 1976 the two mathematicians Diffie and Hellman published a new cryptography system. This method involves the use of two keys, one public and one private. To explain how it works we use the classic analogy of padlocks. Suppose we want to exchange some boxes by mail with a friend of ours and we want to be sure that no one can open them. We could put a padlock on the box, send the key to our friend first, and then the box. But in this case, we would have the problem mentioned above. If someone intercepts the key, they could make a copy of it and then open the lock of the box in transit. To avoid this we can do something more clever. We ask our friend to send us an open padlock of which he alone has the key. We put this padlock on the box and send it to him. Since the key was never sent, nobody could have intercepted it in transit.
The padlock in our example corresponds to the public key, while the key that never left our friend’s house corresponds to the private key. Obviously, if we want to exchange messages in two directions, we would need four keys in total: two public (two padlocks) and two private (the two keys of the padlocks). In reality, even this system has a weak spot. Since I am sending an “open padlock”, anyone could examine it and try to reconstruct the key. To build the public key (the padlock) from the private key (its key) and avoid this problem, mathematical calculations that are difficult to reverse are used. For example, with a computer, finding the result of the multiplication 709 × 887 is immediate, but it is not so fast to find which two numbers were multiplied to obtain the result 628883. If we make this number large enough, let’s say at least 600 digits, the time needed to find the two values that multiplied together give that result is so long that in practice it is not feasible. The two numbers to be multiplied represent the private key of the padlock, while the result of the multiplication represents the open padlock that I send. This is just an example to explain the concept; there are various methods for obtaining a secure “padlock”.
Where cryptography is used
Maybe you have noticed that today almost all website addresses start with HTTPS. The additional S indicates that the exchange of information with that site is secure because it is encrypted using the public and private key system. If we go to a site that does not use encryption, the browser warns us with a “not secure” message. In reality, the systems used are often hybrids of asymmetric and symmetric keys, because using only the former, communication would become very slow.
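As an added example (not code from the original article), the following script ties together the three ideas above: the symmetric cipher where one key both encrypts and decrypts, the “padlock” built from the article’s own primes 709 and 887 (a textbook RSA key pair, with brute-force factoring to show why the modulus must be huge), and the hybrid scheme in which the slow asymmetric step protects only a short session key while a fast symmetric cipher protects the data. The stream cipher is a toy built from SHA-256 and the key size is tiny; both are assumptions for illustration and not how a real library does it.

```python
# Added example, not code from the original article: textbook RSA built from
# the article's own primes 709 and 887, a brute-force factoring check, and a
# toy stream cipher used as the symmetric layer of a hybrid scheme.
# The toy cipher, the tiny modulus and the missing padding are for
# illustration only; real systems use a vetted library and large keys.
import hashlib
import os
import secrets

# --- Asymmetric part: textbook RSA ---------------------------------------

def rsa_keygen(p, q, e=17):
    """The two primes are the secret; n = p*q is the 'open padlock' we publish.

    e must share no factor with (p-1)*(q-1); 17 works for 709 and 887."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # public key, private key

def rsa_encrypt(public_key, m):
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer smaller than the modulus")
    return pow(m, e, n)

def rsa_decrypt(private_key, c):
    n, d = private_key
    return pow(c, d, n)

def factor_by_trial_division(n):
    """Recover p and q from n by brute force: instant for 628883, hopeless
    for the hundreds-of-digits moduli used in practice."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    return None

# --- Symmetric part: toy stream cipher (SHA-256 keystream XOR data) -------

def keystream(key, nonce, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def sym_encrypt(key, nonce, data):
    """Same key and nonce encrypt and decrypt: XOR twice restores the data."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def sym_decrypt(key, nonce, data):
    return sym_encrypt(key, nonce, data)

# --- Hybrid: RSA protects the session key, the stream cipher the message --

def hybrid_encrypt(public_key, plaintext):
    n, _ = public_key
    session_key_int = secrets.randbelow(n - 1) + 1      # must fit under n
    session_key = session_key_int.to_bytes(4, "big")
    nonce = os.urandom(8)
    wrapped_key = rsa_encrypt(public_key, session_key_int)
    return wrapped_key, nonce, sym_encrypt(session_key, nonce, plaintext)

def hybrid_decrypt(private_key, bundle):
    wrapped_key, nonce, ciphertext = bundle
    session_key = rsa_decrypt(private_key, wrapped_key).to_bytes(4, "big")
    return sym_decrypt(session_key, nonce, ciphertext)

if __name__ == "__main__":
    public, private = rsa_keygen(709, 887)
    print("public modulus n =", public[0])             # 628883
    print("factored back:", factor_by_trial_division(public[0]))
    bundle = hybrid_encrypt(public, b"meet at the usual place")
    print("recovered:", hybrid_decrypt(private, bundle))
```

Running it shows the weak spot the article describes: with a 6-digit modulus, `factor_by_trial_division` recovers the private primes in a fraction of a second, which is exactly why real keys are hundreds of digits long. The hybrid round trip also shows why the split matters: only the short session key goes through the expensive modular exponentiation, and the message itself goes through the cheap XOR.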
There is still a problem to solve. When my bank’s website sends me its public key, that is, the padlock to close my box before I send it, how can I be sure that it really comes from my bank and not from a hacker pretending to be the bank? The answer lies in certificates. There are certification authorities that ascertain that a public key actually belongs to its owner, who has deposited it with this authority. In this way, if an attacker sends us their public key to try to steal information from us, the browser does not recognize the certificate as trustworthy and immediately warns the user of the risks.
In addition to websites, encryption is used to create secure channels between two physically distant private points. An example is when I want to connect to the corporate network from home. If I connect without taking any precautions, all the data exchanged would be accessible to anyone, given that it passes through the internet. To solve the problem I can use a VPN (virtual private network). It is a virtual channel that connects my PC to the company network, and the data passing through it is encrypted. In this way, I am confident that nobody can read what I am exchanging.
But even though the VPN channel is encrypted, someone could try to enter this virtual tunnel and get to the corporate network, the same way I entered it to exchange data. To avoid this, the authentication and authorization systems that we saw at the beginning are used. So, in addition to using encryption, there is an “entrance check” system as well.
If we do not need a flow of incoming data, but only want to send data outside our network (for example to a cloud server), instead of using a VPN we can decide to open the communication in only one direction: outbound. In any case, the data must travel encrypted, otherwise anyone could read it. With this system, a hacker would not be able to read the information sent and could not even access our network through this communication channel, because the entrance is closed. To do this, however, we must choose a protocol that does not require communication in both directions, otherwise it would not work. An example is MQTT, which publishes data to an intermediate server, from which the final server (where we want to send the data) requests it. This system is called publish-subscribe. The flow of information becomes bidirectional only from the intermediate server onwards, while for our network the door used for this communication always remains closed to inbound traffic.
Firewall
The name derives from the systems (e.g. fire doors) used to confine a fire to one area of a building and prevent it from spreading unchecked. In a computer network, we can imagine it as a door manned by someone who checks what enters and exits. It can be placed between the corporate network and the internet, between a PC and the corporate network, or at intermediate points within the network itself. The aim is to prevent unwanted access.
A firewall is a set of rules that determines what can pass through a specific point. For example, to connect a user from home to the company, we can set a firewall rule so that only certain PCs can access (each computer has a unique identifier). Anyone who tries to connect from another computer is blocked. Or we can accept connections only from certain IP addresses (the address that uniquely identifies any device connected to a network). The firewall can also be used in the opposite direction. Let’s assume that a program carrying a virus has ended up on my PC. This program attempts to connect to the internet to open a channel that will allow a hacker to enter. I can set the firewall so that only certain programs can communicate with the internet, and only in certain pre-established ways.
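As an added example (not code from the original article), here is a small first-match rule evaluator that models both uses described above and the outbound-only MQTT setup from the previous section: inbound connections are accepted only from an approved source, and only approved programs may open outbound connections, so a connection arriving on the MQTT port from outside is refused even though the MQTT client may publish outward. The rule fields, the IP addresses and the sample traffic are all constructed; nothing here touches a real network.

```python
# Added example, not from the original article: a first-match firewall rule
# evaluator run over constructed connection attempts. Addresses, programs
# and rules are made up for illustration; the default is to deny.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Conn:
    direction: str    # "in": initiated from outside; "out": initiated by our host
    remote_ip: str    # the other end of the connection
    dst_port: int     # port the connection is aimed at
    program: str      # local program that opened or would receive it

@dataclass
class Rule:
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None  # None matches either direction
    remote_ip: Optional[str] = None
    dst_port: Optional[int] = None
    program: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        return ((self.direction is None or self.direction == c.direction)
                and (self.remote_ip is None or self.remote_ip == c.remote_ip)
                and (self.dst_port is None or self.dst_port == c.dst_port)
                and (self.program is None or self.program == c.program))

# Constructed policy: first matching rule wins; anything unmatched is denied.
RULES = [
    # Inbound SSH only from one approved administrator address.
    Rule("allow", direction="in", remote_ip="203.0.113.10", dst_port=22, program="sshd"),
    # Outbound: the MQTT client may publish to the broker, the browser may use HTTPS.
    Rule("allow", direction="out", dst_port=8883, program="mqtt-client"),
    Rule("allow", direction="out", dst_port=443, program="browser"),
    # Everything else, in both directions, is blocked.
    Rule("deny"),
]

def decide(rules, conn: Conn) -> str:
    for r in rules:
        if r.matches(conn):
            return r.action
    return "deny"   # no rule matched: fail closed

# Constructed sample traffic to evaluate against the policy.
SAMPLE_TRAFFIC = [
    Conn("in", "203.0.113.10", 22, "sshd"),          # approved admin over SSH
    Conn("in", "198.51.100.7", 22, "sshd"),          # same service, unknown source
    Conn("out", "192.0.2.20", 8883, "mqtt-client"),  # publish to the broker
    Conn("in", "192.0.2.44", 8883, "mqtt-client"),   # someone knocking on the MQTT port
    Conn("out", "192.0.2.99", 443, "unknown.exe"),   # unapproved program calling out
]

def evaluate_all(rules, traffic):
    return [decide(rules, c) for c in traffic]

if __name__ == "__main__":
    for c, verdict in zip(SAMPLE_TRAFFIC, evaluate_all(RULES, SAMPLE_TRAFFIC)):
        print(f"{verdict:5} {c.direction:3} {c.remote_ip:15} :{c.dst_port} {c.program}")
```

The fifth case is the “reversed” use from the paragraph above: the unapproved program is blocked from reaching the internet even though port 443 itself is open for the browser, because the rule matches on the program as well as the port.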
Let’s summarise the 10 key points for cybersecurity
Having explained what the security tools are, we conclude by summarising the 10 main actions that need to be taken to make our network secure:
- Divide the network into areas and filter each entry through a firewall, and not only between the corporate network and the internet (which is the bare minimum).
- Manage areas, devices, and software with an appropriate authentication and authorization system.
- Always apply the principle of least privilege.
- Use a monitoring system to see what is happening on the network.
- Use strong passwords (the longer, the more secure) and not the same for different things.
- Constantly update operating systems and software.
- Have an active and updated antivirus on every computer and server.
- Use a VPN for private connections with the outside (unless encrypted connections that open only the outbound flow are used).
- Use only secure sites (the browser shows whether the connection is secure).
- Do not use non-original (unofficial) programs; they can hide malware.