“What's in a name? That which we call a rose by any other name would smell as sweet.”
While The Bard certainly was correct about this as it relates to roses, information security is confusing enough without agreeing upon a lingua franca to make our discussions on this topic a little easier.
So, here (in no particular order) are some of the terms and phrases that will be used in this blog on security in embedded devices and systems:
Security: “Ability of a system to protect information, system resources, and intended functionality with respect to confidentiality, integrity, and availability.”
Information Security (AKA “InfoSec”): The discipline whose goal is to protect the business model of a given business. Includes negative events happening to consumers, but only as it impacts the business model.
Vulnerability: “A weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product” (think: “a hole in a fence”).
Exploit: “An attack on a product that takes advantage of a vulnerability” (think: “Crawling through the hole in the fence”).
Threat: “Intent to exploit a vulnerability” (think: “Hey neighbor, I am going to crawl through that hole in your fence!”)
Mitigation: A change that reduces the severity, seriousness or impact of a vulnerability (continuing the fence metaphor: this could be a new fence, patching the hole in the fence, or a Rottweiler on the other side of the fence).
Dogs: As in the last definition, expect to see a lot of dog references in this blog. No particular link to InfoSec except that I love them, they are the best ‘people’!
Attack Surface: “The total vulnerability exposure of a device or system.”
Confidentiality: “Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.”
Integrity: “Guarding against improper information modification or destruction. Includes ensuring information nonrepudiation and authenticity.”
Availability: “Ensuring timely and reliable access to and use of information.”
CIA: The triad of Confidentiality, Integrity, and Availability when addressed as a group.
FOTA, “Firmware Over The Air”: The process of updating software in fielded devices.
MITM, “Man In The Middle”: Anything listening to communications between two other entities. Sometimes referred to as an “Eve.”
Encryption: “The process of encoding a message or information in such a way that only authorized ‘entities’ can read it.” (Put another way, it changes the nature of the problem from “plain text” to “key management”).
Key Exchange/Management: “The management of cryptographic keys in a cryptosystem. Includes dealing with the generation, exchange, storage, use, revocation and replacement of keys.” (This is one of the hardest things in InfoSec to securely accomplish).
Cryptographic Hash: “A cryptographically significant signature for a given data set” such as a SHA256 hash or a CMAC. (think: Cyclical redundancy check for security. Note: a CRC is NOT a crypt hash!)
Likelihood: “The state or fact of a given event being likely or probable.”
Attacker Skill Level: e.g., None; Script Kiddie; Good; Advanced; Nation State; etc.
Attacker Motivation: e.g., Money; Challenge; Fame; Activism; Revenge; Murder; Fun; Competitor; etc.
Risk: Per ISO 14971, risk is defined as “the combination of the probability of occurrence of harm and the severity of that harm” as it relates to safety and efficacy. ‘Risk’ is not about your potential loss of intellectual property!
Key Derivation Function (AKA “KDF”): “Functions that can be called to create a secure cryptographic key from a dataset.” (Sounds a lot like a hash, doesn’t it?)
Authentication: “The process of verifying the identity of a user, device, or process.” (Another one of the hardest things in InfoSec to securely accomplish!)
Nonrepudiation: “The ability to provide proof of the integrity and origin of a dataset.”
Least Privilege: “Each part of a system (including users) should only have access to the minimum amount of data and functionality needed to perform the intended functionality for that part, user, or entity.”
Kerckhoffs’ Principal (AKA “no security through obscurity”): Reliance on the secrecy of the design and/or implementation as a method of providing security for a system. This doesn’t work.
Privacy: “The right of users to have control over how your personal information is collected and used.” (See also: HIPAA; HHS; FTC)
Physical Security: “Security mitigations that are designed to deny unauthorized access to facilities, equipment, devices and resources, and to protect property from damage or exposure of shared secrets, security mitigations, and firmware.”
Side Channel Attack: “An attack based on information gained from a physical implementation of a cryptosystem.” (Such as power consumption, timing, clock glitching, etc.)
Weaponize: The process of an attack converting a device from its intended functionality into a new purpose to attack some other device or system.
Data in Motion: “Refers to data being communicated over a medium, such as TCP/IP; USB; SPI; etc.”
Data at Rest: “Refers to data being stored onto a medium, such as a hard drive, SSD, flash memory, EEROM, etc.”
Penetration Testing (AKA “Pen Testing”; see also “hackers for hire”): Contracting a 3rd party to attack your product and release the results only to you. Allows you to find vulnerabilities in your embedded system before you ship the product (get ready for some tough decisions!)