
Cybersecurity Basics #1 - The Goal

The basics starts with understanding the goal of security. It sounds simple but the goal is to make sure whatever you build works as you intend...and only as you intend!


Watch this episode on YouTube.

Reasonably Accurate Transcript

Third time's a charm, having some trouble streaming this out live. So I'm just gonna record it straight up and then push it out on the channels afterwards. Um, we're talking about cybersecurity basics. This is the first in an ongoing series for a little while.

So as always, I'm looking for your feedback, I'm looking for your input. Hit me up online, um, at marknca, for those of you on the vlog in the comments down below, or as always by email at me@markn.ca. I want to start by laying out why we're doing any of this.

What's the goal of cybersecurity? Well, for me, the goal is pretty straightforward. It's to make sure that whatever you've built does what you intended it to do, and only that. That's it. It's a pretty straightforward and simple definition. Most people can understand that whatever you've built should do what you want it to.

But only that. Now you're probably thinking, but is it the goal of security, cybersecurity specifically, to stop hackers and bad guys? Absolutely. But that's covered in that definition, and that definition also covers a lot more. So let me give you an example. If we had built the streaming site, so whatever venue you're watching or listening to this broadcast through, um, you want to make sure that hackers can't take it down. You want to make sure that it's always available to your users; that's critical.

Um, but also there's a case here where people are broadcasting on your platform and you want to give them the ability to set things to be public or locked down to specific accounts. And if that doesn't work properly, now you have a potential breach in that.

I'm broadcasting privately to you, but it's actually going out publicly to the world. That's a security issue as well. And if you only think of security in the context of stopping bad guys, you're going to miss that other very real and frankly more common case.

So it's really important to think of that goal all the time. The goal of cybersecurity is to make sure that whatever you've built works as intended and only as intended. Now, the second thing I wanted to cover in this first video (second thing in the first video, that makes sense), um, was the different types of security, because you're going to hear security referred to as cybersecurity, security, information security.

Um, sometimes you have operational security, and then of course there's physical security. Now, there's some reasoning behind all of these different definitions. But the, you know, it's important to know what they are, but they're not absolutely critical. So physical security is pretty straightforward; most people got an introduction to that when they were kids.

You locked up your bike at school so that nobody else could take it, right? We practice physical security all the time. We lock our cars, we lock our houses. It's a pretty simple concept to understand. There's a lot of nuance in its practice, but it's pretty straightforward, physical security.

Um, operational security is the practice of the processes around your everyday workflow. So an example of operational security is, let's say we're having a conversation at the coffee shop. Um, right, we're out on the patio at the coffee house, we're having a nice, um, uh, drink and we're having a conversation.

Um, now, operational security will define what level of depth of information you and I can share. So if we're talking about work and we're out in public and talking about a really sensitive project that's not public yet, that's probably a breach of operational security.

So the operational security process would say, hey, don't share sensitive information out in public. Even if you're authorized to hear what I'm telling you, the people at the tables around us are not, right? So, operational security is that process, it's that, um, practice of security, um, regardless of the system or the environment.

So if you're a big fan of spy movies, it's basically what's called tradecraft. Um, so operational security is the process. Um, very much people-based, um, though there are obviously some automated systems in play. And the other area here is cybersecurity, which originally referred to the defense of digital systems.

So can you lock down servers, make sure that nobody gets to them? Can you secure your laptops, your mobiles, your tablets, things like that? It's expanded now; we use cybersecurity in a much broader definition. And then there's information security. Information security is really, really interesting because it's more about the information, not the systems that are on top of it, or, sorry, the systems that process it or store it. Now, that's obviously critical as well, but it crosses all three areas: sort of digital security.

So, cybersecurity; it crosses operational security as well as physical security, because you're talking about the information itself. And then of course there's just security, which covers everything. So you're going to hear those terms often, and they're important, but they're not absolutely critical because you're goal-focused and you remember that the goal of all types of security is to make sure that whatever you've built works as you intend and only as intended.

And I think understanding that goal moving forward helps provide context, and context is absolutely critical. And I'll give you a quick example to wrap up this first video. When it comes to physical security, very few people question the value of seatbelts.

Most people accept them, whether you like wearing them or not. Most people accept the fact that a seatbelt will protect you in a collision. There is very little debate at this point around that. That's good; people understand why a security control, the seatbelt, is in place.

When it comes to the digital world, we lose sight of that a lot. We don't provide people with adequate context to understand why things like digital safety belt equivalents are in place. My un-favorite example is the password. So we know that passwords have been horribly managed and worked and presented and dealt with in general for the last however long we've been using passwords.

We know that, based on math, logic, and probability and human nature, that pass phrases are a much better thing. So a pass phrase is literally a sentence or phrase that is unique to you. It's better because it's longer, and the longer something is, the harder it is for a human to guess, but also the harder it is for a computer to guess.

So we know that pass phrases are far superior to that ridiculous eight-character, needs-a-letter, needs-a-number, blah, blah, blah. Pass phrases generate better outcomes. And the official password guidance from NIST, which is a big standards body.

It's the National Institute for Standards and Technology in the US; they officially updated their guidance last year. So we know, and it's finally gotten through the old guard's head, that pass phrases are better, but we rarely communicate this out well to users, and people just grumble along with their passwords, which has led to password one, or I have to change it, password two, password three.

And that for me is a great example of where the security community failed, because we don't make it easy to understand the context. Whereas if you understood the context around password choices, and we'll cover that in another video because I can go on forever about that one, there are really important reasons behind that.

But if you as a user don't know those reasons, you're going to push back against that security control because it's in your way. So as little a burden as a seatbelt is, just to, you know, take it and click it in, you know the benefit.

So even for that half-second action, you understand the benefit you're getting back for it. We don't make that equivalent in cybersecurity. And so that's part of the goal of this basics series. However, this is like every morning with Mark: this set of topics is going to be driven by you.

I need to know what you guys want to hear. What words did you hear and not understand, or what concept can't you put in context? Um, do you have a great way of explaining some of these things? Let me know, hit me up online at marknca, for those of you watching the vlogs in the comments down below, and as always by email at me@markn.ca. I'd love to hear your examples, your challenges.

I'm always here to help. I hope you're set up for a wonderful day. Um, I will talk to you online and I will see you on the show tomorrow, hopefully streaming for shot instead of third time.
