In kindergarten (or thereabouts) we learned the ABCs of the English language (assuming we’re from the U.S.). Learning the ABCs provided the foundation necessary to form words. Before long, words became sentences, sentences became paragraphs, and paragraphs became chapters, reports and books.
The ABCs of Information Security are important in much the same way the ABCs for English are. We start with learning and mastering basic concepts. Basic concepts begin to combine with other basic concepts to form the foundation of an information security program. In time, advanced techniques are applied on top of the solid foundation, and a world class information security program is born.
The Information Security ABCs are written as education for people who don’t speak information securitynese yet, and they’re good reminders for people who already speak information securitynese fluently.
TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).
Here’s our progress thus far:
- “A” is for accountability
- “B” is for business
- “C” is for cybersecurity
- “D” is for data
- “E” is for everyone
- “F” is for fundamentals
- “G” is for governance
- “H” is for holistic
- “I” is for if
- “J” is for jaded
And here we are, ready for “K”. “K” doesn’t get much respect in the English language, appearing with a frequency of only 1.1% (compared to “E” and its 11.16%). All letters deserve respect, and “K” can brag that it isn’t as lonely as poor “Q” (.196%).
Our kindhearted kin are kayoed, watching their kingdom go kaput while losing the kitty to knave knuckleheads, all because they didn’t know key concepts, built knotty networks, and failed to kindle interest from kleptocratic leaders.
For the purposes of the Information Security ABCs, “K” is for “Key”.
The word “key” has many applications in information security. It’s one of a few words that fit across the spectrum of what information security is:
Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).
There are physical keys, logical (or technical) keys, and all the “other” keys.
Physical keys are used to open physical locks. Physical locks are used to secure physical things. Physical “things” might be a locker, a door, a window, a safe, or any number of other “things”. Don’t confuse physical key locks with other physical locks. Combination locks and keypad locks aren’t physical key locks, but they have keys too. The key in these locks is the combination.
Confused? Don’t be. Here are the most common types of physical key locks.
Types of Keyed Locks
IMPORTANT: Every physical key lock is susceptible to compromise (picking, bumping, impressioning, etc.), but some are much harder than others to bypass.
- Pin cylinder (or pin tumbler) locks – a lock with pins that must be aligned with a shear line to turn the cylinder (open the lock). The key is specifically shaped to lift the pins to align with the shear line. The number of pins in these locks varies, but the most common are 5- and 6-pin locks.
- Lever (or lever tumbler) locks – the key lifts each of the levers to the exact height required to move the locking bolt. The most common lever lock is one with three levers, but you’ll need a five-lever lock (or more) to get home insurance in many cases.
- Wafer (or wafer tumbler) locks – like the pin tumbler lock but uses flat wafers instead of pins.
- Warded locks – obstructions are used within the lock to prevent anything but the correct key from turning. One of the oldest lock designs, and only used in low-security applications today.
- Disc detainer (or disc tumbler) locks – use slotted rotating rings where the slots must be aligned to unlock. Harder to pick and sometimes sold as “high security” locks.
Keys open locks. Simple, right?
Again, don’t forget that ALL physical locks are susceptible to picking or bypass. Here’s a look at a couple of pick sets.
Logical keys are very commonly used to protect assets too. The three most widely used references to logical keys in information security are:
- Secret Key – this often refers to a type of cryptography (“secret-key” encryption, or algorithm) and the key itself. Secret-key encryption is also referred to as symmetric encryption (not to confuse anyone). In this type of encryption, the same key (secret key) is used to encrypt and decrypt data. The key can take the form of a simple password, a passphrase, or any other combination of bits/bytes. Popular symmetric-key algorithms include AES (Rijndael), Twofish, DES, 3DES, RC4, and others.
- Public Key – this term refers to a type of encryption and the key itself too. Public-key cryptography is also referred to as asymmetric cryptography because one key is used to encrypt the data and a separate (but related) key is used to decrypt the data. If the public key is used to encrypt, only the private key can decrypt, and vice versa. The public key is often freely distributed while the private key is kept, you guessed it, private. Common asymmetric-key algorithms include RSA, Diffie-Hellman (key exchange), Elliptic Curve Cryptography, and others.
- Private Key – private keys are paired with public keys in asymmetric encryption algorithms. These are sometimes referred to as secret keys, but not the same secret keys as those used in symmetric encryption (because we like to reuse words and confuse people I guess).
It’s common to use asymmetric encryption to establish communications and exchange secret keys, then use symmetric encryption to exchange data. This is because symmetric encryption is stronger (per bit of key length) and faster.
Other Uses of “Key”
The words “key” and “security” (and “information security”) are like second cousins. They’re different but related to each other. The image of a key (or padlock with keyhole) is often used symbolically to reference information security, like the graphic below.
Then there are information security “key” concepts, like:
- Information security is risk management.
- Information security protects the confidentiality, integrity, and availability of information.
- Information security is a business issue, not an IT issue.
- You can’t prevent all bad things from happening (eliminate risk), so you must have something in place to detect the bad things and something in place to respond appropriately too.
- And many, many more…
More use of the word “key”:
- Key Chain
- Key Distribution Center (KDC)
- Key Escrow
- Key Fob
- Key Generator (Keygen)
- Key Length
- Key Performance Indicators (KPI)
- Key Risk Indicators (KRI)
- Key Value Store
- Key-Value Pair (KVP)
- Keyboard Buffer
- Keyboard Macro
- Keyboard Shortcut
- Keystroke Logger
- Keyword Stuffing
So, there you go. The letter “K” is for “Key”. The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics).
On to “L”!