10 reasons not to do HTTPS interception

HTTPS is the bread and butter of online security: strong cryptography that works magically on all devices without complicating things for users. Thanks to innovative projects like Let’s Encrypt, adoption of HTTPS is rising steadily: in mid-2015 it was at 39%, now it is at 51% of HTTPS requests.

Recent research shows however …


CIA is overrated

CIA, the mnemonic for Confidentiality, Integrity and Availability, is often called the foundation, the heart, the ‘holy’ triad of information security. It is preached and practiced much like a religion. Sacred. Question its usefulness and you get angry looks. Some have said that one other item should be added to CIA: non-repudiation or accountability.

Attack trees

Here is a tool every security expert should use now and then, in my humble opinion: attack trees. Attack trees derive from a technique in industrial safety engineering called ‘fault trees’ and are related to dependency analysis using directed graphs. But they can be very useful when modeling threats in complex ICT systems – like an appstore/smartphone ecosystem. See for instance the attack tree in this paper on appstore security (see picture below).

Defining Network and Information Security (NIS)

Cyber security is arguably a buzzword. It is often used in a very broad sense, often in a non-specific way: “Cyber security must be improved!”. But in recent years network and information security has become part of legislation (both at EU and national level), and especially in these cases it becomes important to be more precise. So what are possible definitions of network and information security? In this post I will go over some possible definitions:

Communications security and computer security: Network and information security means ‘security’ of the networks (or network systems) and ‘security’ of the information systems. In other words, Network and Information Security (NIS) includes communications security and computer security.

Works as expected: The word “security” in normal language means “to be assured of something”, something good. So network and information (system) security is about making sure that network and information systems work as expected (in a good sense). This implies that security is closely related to usability (user interface design, accessibility), standardization and system development (requirements analysis, software development). Think: the hot water knob is always on the left.

Computer security basics

//disclaimer – I set out to write some simple, non-comprehensive, lightweight course material for network and information security – posts (like this one) are categorized under ‘security primer’. It is still work in progress, comments welcome.

A computer system can be simply described as a system taking instructions from a user, or a communication channel (which can be seen as a type of user). Alan Turing invented (the theory behind) computers before even conceiving a possible implementation of one.

Picture the start of the widespread use of mainframe computers and personal computers. No networks available at first, just big machines, and users typing code into them, or moving tapes around. The biggest problem in that time was to find a computer and get it to run your instructions, code, scripts, aka software application. On mainframes there was no easy way to debug, so many old programmers recall waiting for a week to run a piece of code, only to find out there was a typo which ruined their execution. Only a select few had the privilege to run code on these computers.

Communications security basics

//disclaimer – I set out to write some simple, non-comprehensive, lightweight course material for network and information security – posts (like this one) are categorized under ‘security primer’. It is still work in progress, comments welcome.

Communication systems are basically made of two parts: the channel and the messages. At the start and end of the channel users may be sending messages or listening for them. Simply put, a communication system is secure if it is available for users to send messages when they want, and in that case, when a user sends a message, the user on the receiving end of the channel receives the message (in a timely manner). Communications security dates back thousands of years. The most well-known part of communications security is cryptography, or the art of keeping messages secret. But obfuscation, the art of hiding messages, is also part of communications security.