In the first half of 2019, there was a 54 percent increase in data breaches; big firms and small have contributed to those figures. This includes (breach size in brackets): Capital One (106 million), Suprema (27.8 million), and Facebook (419 million). We are now so accustomed to hearing about cybersecurity incidents that we are in danger of becoming desensitized. But every one of those exposed records represents an individual human being.
The modern business is up against a perfect storm of sophisticated cybercrime methods, stringent data protection legislation, and ensuring they retain customer trust. This is all within a climate of digital transformation, the technologies of which can give an organisation a competitive edge.
Any organisation would be forgiven for feeling like a rabbit in the headlights. But there is a way to have your digital cake and eat it. The discipline of ‘Secure by Design’ (SbD) is taking root in global organisations. By applying the principles of Secure by Design we give our businesses the ability to fight this perfect storm.
Here, we will take a deeper look into what Secure by Design means and share some tips on achieving it.
The Case for Secure by Design
Back in the day, when the internet was but a twinkle in the eye of a server, security was much easier. The corporate firewall and antivirus software we used, worked well. It kept the malicious elements out; to propagate a virus across a network you had to do it using a floppy disk. Then the internet happened. It was like a dream come true for cybercriminals because it opened everything up. Email became the tool of choice of the cybercriminal. In fact, email is still a starting point for 90% of data breaches.
Fast forward to 2020. We now have hyper-connectivity via the Internet of Things (IoT), mobile devices and apps, and edge computing. Cloud computing is ubiquitous across companies of all sizes and industries. The human-computer interface is more complex than it has ever been. The data matrix is so vast and has so many touchpoints, that it effectively offers a data feast to anyone wishing to dip in.
To fit security into this complex matrix we have to be smart in our choices, we have to place security central to the design process itself. Security must be a design remit.
The previous use of endpoint solutions such as antivirus software is no longer enough to stem the flow of data as it moves across myriad devices and connected infrastructures.
Security is a holistic process. To retain control over the path of data, security must become an intrinsic aspect of a service or platform, from the human-touchpoint to the infrastructure it sits within.
The only way to achieve this is to make sure that Secure by Design is placed as a central tenet whenever you design a product, take on a new system, or become part of a larger ecosystem.
By using a Secure by Design approach, you can get security correct, from the start. A security-led design process will evolve into a Secure by Design end result. This will ultimately mitigate security threats and save a lot of hassle, and money, later on.
5 Tips to be Secure by Design
How do you add Secure by Design into the remit of a product or service? Firstly, Secure by Design is a process, not a point solution. It covers every aspect of the creation of a solution. The 5 tips below, give you a feel for using a Secure by Design process:
1. Secure coding – The application of secure coding techniques is a fundamental part of making a system secure. Flaws in code lead to vulnerabilities which lead to cybersecurity incidents. Make sure the product you develop or the one you buy in is built using secure coding practices. Check out OWASP’s secure coding practices checklist.
2. Embed the right protection – Protective measures can be used across all layers of a system. There are a number of areas to consider, this gives you a flavour of some of them:
Two-factor authentication (2FA): The use of a second factor to control access to a resource can help to mitigate malicious attacks such as phishing and non-malicious threats such as password sharing.
Encryption: Data at rest and in transit should be protected using encryption. For example, database encryption and the use of secure transmission protocols, TLS/SSL.
Correct configuration: Data breaches are also caused by misconfiguration of cloud storage. Making sure that your cloud infrastructure is hardened against cyber-attacks is an essential security practise.
3. Keep it Simple Simon (KISS) – The first principle of security is KISS. Keep security as simple as possible; for example, only collect data you really need to collect, this reduces security overhead and help to meet the privacy principles of the General Data Protection Regulation (GDPR).
4. Use the right protocols and implement them correctly – The tech industry has developed some excellent open standards that offer robust security when implemented correctly. For example, the standard protocol OAuth 2.0, has been developed using threat models and with security as a core consideration. Similarly, the JSON Web Token (JWT) has been designed to use digital signatures to maintain integrity during sessions. JWT can also help with resistance to Cross-Site Request Forgery (CSRF) attacks if implemented correctly.
5. Use a security-enhanced interface – The human-computer touch-points can become a security gap if not properly designed. Good security starts with good usability, the balancing act needed for both is achievable with good design. It is often the simplest of UI ideas that can add the most security. For example, in the design of a credential recovery system, instead of revealing the existence of a live email account when account recovery is initiated, simply state that “If the account exists a reset link will be sent”. Similarly, don’t display your password policy on screen. If you let a cybercriminal know that your policy “must include a capital letter, a number, and a special character”, this will help them to create a more successful brute force attack. Instead, follow the advice from the United States National Institute for Standards and Technology (NIST) on the matter, this includes, do not use rules to force the creation of a password and do not have on-screen password hints.