Security

initiation

This article is not specifically about security in NeuroomNet but, since NeuroomNet is a web-based tool, about the security of web-based tools in general. So, what to consider in order to safely operate a system like NeuroomNet. We will be happy to help you with any questions you may have, but below you can get some ideas of what to consider.

Part 2(NeuroomNet Security Part 2 ) is even more general about the aspects of web security.

And in part 3 (Why encrypt data? [Link]), we’ll look at the philosophy behind it in general.

Security is a double-edged sword: If the security is too high, the authorized user is so massively hindered in his or her tasks that acceptance suffers significantly. However, if it is too low, it can lead to very serious consequences.
In this respect, the Internet is both a curse and a blessing at the same time.
Knowledge dissemination is a great strength, but with it, knowledge of how to breach a system’s security is also rapidly disseminated. Just as the connection to the Internet itself creates the possibility of being able to easily attack a system. On the other hand, certain subsystems can be automatically kept up to date via the Internet and protected from harmful influences.
So if you want to be on the safe side, you have to keep up with the times and adapt your system to the constantly increasing requirements. There are areas with a bit of a breather, because the concept already brings a lot of security with it. Other areas, adapt automatically (if there is access to the Internet) and finally there are areas where you have to regularly look if everything works as intended or react appropriately.

encrypt

A very successful and long-lived method is to encrypt the communication between two parties. This means that an attacker can neither draw conclusions nor obtain the actual data. If you want to read along here, you have to put in an enormous amount of effort and it is much easier, for example, to start at the end points of the communication, i.e. before it is encrypted/decrypted. Because modern encryption still cannot be cracked in a short period of time. In this way, data can also be transmitted without a guilty conscience via connections that run over the Internet, WLAN, mobile radio or other publicly visible networks. And thanks to sophisticated mechanisms for establishing the encryption, in the best case scenario the user doesn’t even notice and is not bothered by the daily routine. Except when a time limit for renewing a secured connection has expired. Because one aspect of secure communication is to renew the underlying keys so that the lengthy attacks remain unsuccessful.

firewall

Another aspect of a long-lasting security concept is the protection of the end points by firewalls. A firewall is a security system that protects a computer network and individual computers from unwanted network access. In short, a modern system must be able to handle encrypted communication and protected networks. If the front door and windows in your house were the firewall, then the vault where you keep your most valuable things would be the encryption.

infrastructure

A prerequisite for encryption is the ability to securely send the keys to legitimate participants and to update them regularly. This is done with the help of so-called certificates. With a signature, a certificate can make it credible by whom, for whom and by when it was issued. A distinction is made as to whether a certificate must be publicly accessible or whether it is used within a closed system. The underlying technology, and thus the security, is identical for both variants.

Public application (CA-signed certificates)

Specialized companies are used for public applications with a publicly accessible certificate. These issue certificates only through verified and fee-based applications. Such a certificate can then be used for a certain period of time to secure one’s own systems and does not require any special preparation on the computers that already know the issuer.
The term of such a certificate is currently limited to 2 years and is even to be shortened to 13 months.

Internal application (self-signed certificates)

A self-issued certificate can be used for internal applications. When issuing these certificates, it is then possible to exceed certain limits in order to reduce the administrative burden in its frequency. For such internal applications, however, an administration of these certificates must first be established, and the issuer must be made known to the participants. This allows users (or computers) to check whether a certificate is (still) valid or to be provided with a new certificate. Often, both certification systems (internal and external) are used in order to keep the effort for the users as low as possible or even because it is technically necessary.

costs and benefits

In principle, everything could go through public certification authorities, but it would incur more costs. You could also do everything with internal certification authorities, but this would cause more effort when distributing the certificates in public space. Apart from that, installing the internal certificates would be an additional effort for the users. Acceptance would drop to zero very quickly.

Conclusion

So that everything works as smoothly as possible, a so-called PKI (private key infrastructure) must be established. This helps with administration, control and can automate individual aspects. There are differences due to the manufacturers used in each case. Appropriately trained personnel are also required to set everything up and, as described above, to renew it every few years or months. The regular installation of renewed certificates must be ensured, as these cannot replace themselves.

The more complex a system becomes, the more likely it is necessary to set up your own certification authority and PKI. The days of “just plugging everything into the network switch” are over, because otherwise anyone can connect, read everything along with the login data and even manipulate them during use (see also man-in-the-middle attack) .