security

initiation

This article is not specifically about security in NeuroomNet but, since NeuroomNet is a web-based tool, about the security of web-based tools in general. So what you should consider to operate a system like NeuroomNet safely. We will be happy to help you with any questions you may have, but below you can get suggestions on what to consider.

 

In Part 2 ( NeuroomNet Security Part 2 ) it then deals with aspects of web security in general.

And in part 3 (Why encrypt data?[Link] ) it’s all about the philosophy behind it in general.

 

Security is a double-edged sword: If security is too high, the authorized user is so severely hampered in his tasks that acceptance clearly suffers. However, if it is too low, it can lead to very serious consequences. In this respect, the Internet is both a curse and a blessing at the same time. Knowledge dissemination is a great strength, but with it, knowledge of how to breach a system’s security is also rapidly disseminated. Just as the connection to the Internet itself creates the possibility of being able to easily attack a system. On the other hand, certain subsystems can be automatically kept up to date via the Internet and protected from harmful influences. So if you want to be on the safe side, you have to keep up with the times and adapt your system to the constantly increasing requirements. There are areas with a bit of a breather, because the concept already brings a lot of security with it. Other areas adapt automatically (if there is access to the Internet) and finally there are areas where you have to check regularly whether everything is working as intended or reacting appropriately.

encrypt

A very successful and long-lived method is to encrypt the communication between two parties. An attacker can neither draw conclusions nor get hold of the actual data. If you want to read along here, you have to put in an enormous amount of effort and it is much easier, for example, to start at the end points of the communication, i.e. before it is encrypted/decrypted. Because modern encryption still cannot be cracked in a short period of time. In this way, data can also be transmitted without a guilty conscience via connections that run over the Internet, WLAN, mobile radio or other publicly visible networks. And thanks to sophisticated mechanisms for establishing the encryption, the user does not even notice it in the best case and does not interfere with the daily routine. Except when a time limit for renewing a secured connection has expired. Because one aspect of secure communication is to renew the underlying keys so that the lengthy attacks remain unsuccessful.

firewall

Another aspect of a long-lasting security concept is the protection of the end points by firewalls. A firewall is a security system that protects a computer network and individual computers from unwanted network access. In short, a modern system must be able to handle encrypted communication and protected networks. If the front door and windows in your house were the firewall, then the vault where you keep your most valuable things would be the encryption.

infrastructure

A prerequisite for encryption is the possibility of sending the keys securely to the legitimate participants and updating them regularly. This is done with the help of so-called certificates. With a signature, a certificate can make it credible by whom, for whom and by when it was issued. A distinction is made as to whether a certificate must be publicly accessible or whether it is used within a closed system. The underlying technology, and thus the security, is identical for both variants.

Public application (CA-signed certificates)

Specialized companies are used for public applications with a publicly accessible certificate. These issue certificates only through verified and fee-based applications. Such a certificate can then be used for a certain period of time to secure your own systems and does not require any special preparation on the computers that already know the issuer. The term of such a certificate is currently limited to 2 years and is even to be shortened to 13 months.

Internal application (self-signed certificates)

A self-issued certificate can be used for internal applications. When issuing these certificates, you can then exceed certain limits in order to reduce the frequency of the administrative effort. With such internal applications, however, management of these certificates must first be established and the issuer must be made known to the participants. This enables the users (or computers) to check whether a certificate is (still) valid or to be provided with a new certificate. Both certification systems (internal and external) are often used so that the effort for the user remains as low as possible or because it is technically necessary.

costs and benefits

In principle, everything could go through public certification authorities, but it would incur more costs. You could also do everything with internal certification authorities, but this would cause more effort when distributing the certificates in public space. Apart from that, installing the internal certificates would be an additional effort for the user. Acceptance would drop to zero very quickly.

Conclusion

So that everything works as smoothly as possible, a so-called PKI (private key infrastructure) must be established. This helps with administration, control and can automate individual aspects. There are differences due to the manufacturers used. Appropriately trained personnel are also required to set everything up and, as described above, to renew it every few years or months. The regular installation of renewed certificates must be ensured, as these cannot replace themselves.

The more complex a system becomes, the more likely it is necessary to set up your own certification authority and PKI. The days of “just plugging everything into the network switch” are over, because otherwise anyone can connect, read everything along with the login data and even manipulate them during use (see also man-in-the-middle attack) .