
Computer Security
It’s not what most people think it is...


This article was published in the booklet of the event:
      PalmSource Mobile Summit & DevCon 2005 (May 24th to May 26th 2005)

Throughout my career, I have noticed that most people do not understand security. Some think that it is too complicated to understand and they give up trying to understand it.

1) Common security pitfalls

1.1) A VPN connection is not as secure as most people think it is

Most people think that a VPN connection will give them all the security they will need. Well, a VPN connection secures the communication link that goes from one computer to a receiving gateway, passing through an insecure transport like the Internet.

Most people have the tendency to forget that once the data is received by the VPN gateway, the data circulating behind the VPN gateway in the private network becomes unencrypted.

In the case of remote access software, this is not acceptable: while you remotely type usernames or passwords, the data will be encrypted when going through the Internet, but it will be UNENCRYPTED inside the private LAN. Therefore, everything you type, including passwords, would circulate unencrypted inside the local network.


1.2) Most encryption ciphers offer a poor protection against repeating data patterns

Let’s encrypt, for example, an empty MS Word document. Unfortunately, most encryption ciphers, used without additional security, will encrypt identical patterns inside the data the same way over and over again, leaving a detectable pattern in the encrypted data. If the hacker knows part of the data you are encrypting, then he/she might figure out where else you are using this same data just by looking at the encrypted data patterns. It partially gives away your encryption system.

[Figure: an extract of an empty MS Word file]

[Figure: the same empty file encrypted using standard AES (without additional security)]

1.3) The door might be secure, but a window might be left wide-open

The number one cause of security infiltration is a system that has neglected or underestimated one way to get in, even though its main entrance is very secure. One ironic example is an extremely secure system, impossible to break into from the Internet, whose system administrator is a new hire just out of jail. Do not laugh: statistics say that a lot of security personnel from various agencies do come from jail. There are other more common examples, like choosing the name of your daughter as your password or leaving your password printed somewhere.

2) A brief summary of computer security

2.1) Your data is more spread out than you might think at first

Step 1 to understand security is to understand how the data on a computer system can be accessed. This starts by enumerating its various data items:

  1. The locations of its different computers (servers and client computers)
  2. The whereabouts of its exported data
    (backups, flash memory, CDs, DVDs, floppy, printed information, etc.)

After this, you need to evaluate the risk of an intruder accessing those various data items.

Step 2, for each data item you want to protect, you need to secure its access.
The best way is to close all doors; but this is not always acceptable.

A security system always has ways to physically access its data items. This might be as simple as looking over your shoulder for a print-out of your annual salary or as malicious as stealing your hard drive. But since physical access is better understood by people, we will omit covering those topics, even though it is a major cause of security leaks.

2.2) Security over the Internet

The Internet is INSECURE; there is no "but", there is no "if": the Internet is INSECURE. Once data gets out of your computer onto the Internet, it is undetermined how many computers will see part or all of your data. The visibility of your data is NOT limited to your ISP. By definition, the Internet may expose your data to an undetermined number of Internet gateways.

Practically speaking, you should assume that data traveling over the Internet may be exposed to the world and therefore cannot be private. But this does not mean there is no place for security. Indeed, there are two kinds of security measures for computer data:

  1. Preventing physical access to the data
  2. Encrypting the data

For public transports like the Internet, 2) "Encrypting the data" must be used when security is needed.

2.3) Encryption is NOT EQUAL to Security

A lot of people confuse Security with Encryption. It is not the same: encryption can be used to provide security by making the data unreadable. But security can be achieved without encryption if the data is always in a secure environment. Security may include encryption but you always need more than encryption to have a secure system.

2.4) If your data does not need security, stop thinking about it

Security is costly: it slows things down, makes them hard to manipulate, causes additional precautions and equipment expenditures. Wisely choosing the data you need to protect will save you time, money and headaches.

For example: do you put a cover on your car when you leave it in a parking lot?
Well, do you want to prevent people from looking at your car or inside it?
Maybe your last bank statement is visible from a window? Do you need security?

Computer data security is the same: you have to decide what data to protect.

2.5) Not everything can be protected

Most authentication systems do not hide the fact that authentications are going on at different points in time. The authentication data itself is protected, but not the fact that an authentication is taking place.

Another example is after a transaction is authenticated: most systems do not bother to hide the fact that data packets are being exchanged, though that is valuable information by itself! For example, if the protocol of a CIA communication link is such that a large transmission is done when an attack on the U.S. is detected, then almost any hacker can learn when there is an attack just by looking at the traffic!!! Do not worry, there are ways around this, and I presume that if the CIA uses a protocol to transmit sensitive data, it uses one of the methods to hide the real data traffic if it ever occurs. One way is to add irrelevant data to the protocol.

So, you should not worry that some information is not protected. What is important is that THE IMPORTANT data IS protected.

2.6) A real life example

The number one security question from Win-Hand customers is:
      "How can I trust the security of the Win-Hand Connection Server"?

Well, for the part that is important (the customer’s private data): it is irrelevant if the Connection Server is secure or not because the rest of the Internet is INSECURE. Their private data will go through an insecure world before reaching the remote computer or the PDA, whether it is going through the Win-Hand Connection Server or not. What IS IMPORTANT is that the customer’s private data IS protected.

In the case of Win-Hand, it uses End-to-End security. This means the data is encrypted by one end of the communication link and decrypted by the other end and never decrypted in-between. Both ends use private encryption keys that are only shared between each end.

The Connection Server, after it authenticates the user, can see that there are data packets going back and forth between the PDA and the customer’s remote computer, but they are encrypted using end-to-end security. The Connection Server (as well as any other gateway on the Internet) sees the encrypted data packets, but without the encryption keys, there is nothing to do with the data.
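The difference between the VPN gateway of section 1.1 and the end-to-end design described here, and the point of section 2.5 that an intermediary still learns that packets flow and how large they are, can be made concrete. The following is an added example and not Win-Hand's code or the article's: a toy SHA-256 keystream cipher stands in for the real encryption, and the `Tap`, `via_vpn_gateway` and `end_to_end` names are mine. It sends the same login message along both kinds of path and records what each vantage point on the path captures.

```python
import hashlib

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256(key || nonce || counter) keystream. Stand-in only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off : off + 32], ks))
    return bytes(out)


def seal(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    # Nonce travels in the clear in front of the ciphertext; it must never repeat under one key.
    return nonce + keystream_xor(key, nonce, plaintext)


def unseal(key: bytes, packet: bytes) -> bytes:
    return keystream_xor(key, packet[:NONCE_LEN], packet[NONCE_LEN:])


class Tap:
    """What one vantage point on the path (gateway, relay, LAN switch, Internet router) records."""

    def __init__(self, name: str):
        self.name = name
        self.captured: list[bytes] = []

    def see(self, data: bytes) -> None:
        self.captured.append(data)

    def can_read(self, secret: bytes) -> bool:
        # Content leak: does the secret appear verbatim in anything this point saw?
        return any(secret in pkt for pkt in self.captured)

    def sizes(self) -> list[int]:
        # Metadata always available to an observer: number of packets and their lengths.
        return [len(pkt) for pkt in self.captured]


def via_vpn_gateway(message: bytes, tunnel_key: bytes, nonce: bytes,
                    gateway: Tap, lan: Tap) -> bytes:
    """Hop-by-hop (VPN): the tunnel ends at the gateway, which decrypts and forwards on the LAN."""
    tunnel_packet = seal(tunnel_key, message, nonce)
    gateway.see(tunnel_packet)              # the gateway receives the encrypted tunnel packet ...
    lan_packet = unseal(tunnel_key, tunnel_packet)
    gateway.see(lan_packet)                 # ... and, by design, holds the plaintext it produced
    lan.see(lan_packet)                     # the private LAN then carries it unencrypted
    return lan_packet                       # what the remote computer finally receives


def end_to_end(message: bytes, e2e_key: bytes, nonce: bytes, relay: Tap) -> bytes:
    """End-to-end: only the two endpoints hold e2e_key; the relay forwards opaque bytes unchanged."""
    packet = seal(e2e_key, message, nonce)
    relay.see(packet)                       # the relay sees ciphertext, packet count and sizes only
    return unseal(e2e_key, packet)          # decrypted by the far endpoint, nowhere in between


if __name__ == "__main__":
    # Constructed sample: a login typed on the PDA, containing a password we must protect.
    msg = b"login alice password: hunter2"
    gw, lan, relay = Tap("vpn-gateway"), Tap("private-lan"), Tap("connection-server")
    via_vpn_gateway(msg, b"T" * 32, b"\x01" * NONCE_LEN, gw, lan)
    end_to_end(msg, b"E" * 32, b"\x02" * NONCE_LEN, relay)
    for tap in (gw, lan, relay):
        print(f"{tap.name:18} can read password: {tap.can_read(b'hunter2')!s:5} sizes: {tap.sizes()}")
```

The VPN gateway and the LAN behind it both capture the password in the clear, exactly the situation section 1.1 warns about, while the relay never sees it. The relay still records that one packet of a given size passed, which is the metadata section 2.5 says most systems leave visible; hiding it would need the cover traffic or padding mentioned there. The toy cipher gives confidentiality only, and a real deployment additionally needs authentication of the packets.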

2.7) How strong is encryption?

That is a good question. According to the publications, 128-bit SSL is breakable by a powerful computer in a short time frame. The debates about this subject are beyond the scope of this article. 128-bit AES has been approved to replace older and weaker encryption standards. AES crack time was estimated to be 149 trillion years. So nothing is 100% secure, including your house, but most things are secure enough.

3) It is not the technology that makes Security so complex

Security is complex for the same reason the security of your own house is complex: there are many ways to compromise it. Recycling of sensitive papers? Deadly fumes caused by insulation in the walls? The water supply? A very safe lock on the front door with a single-pane window in the back door? Looking through the window? THIS is what is complicated about security!!!

So for Computer Security, I guess the following expression fits very well:
      "The devil is in the details"...

__________________________
Michel Turcotte,    2005 May 5th

Copyright © 2001-2008, MT Impossible Corp. All rights reserved.