Journey with Isaac Shi

View Original

The Tower of London and Cybersecurity

Last year I visited GST’s Scotland office in Aberdeen, during the trip I made a stop in London to visit the Tower of London, the fortress built by William the Conqueror. As I marveled at the thousand-year-old castle’s sturdy walls and impressive moat, I couldn’t help but notice how similar the castle’s fortifications were to GST’s own robust cybersecurity effort. 

The Tower of London, the picture was taken by the author

The Tower of London is the nation’s most secure castle. It boasts not one, but two “curtains” of walls with a surrounding moat. To fend off attackers, each wall was filled with cannons and guards (known as the Beefeaters for their daily consumption of…you guessed it…beef). 

With these fortifications, the Tower of London served as England’s symbol of strength. In times of war and revolt, the tower provided a secure, central location for kings and queens to protect their most prized possessions, forge arms, and control the nation’s supply of money. Without the tower, England might not have survived its turbulent history to become a powerful nation.  

A strong software security approach is very similar to the Tower of London: multiple layers of protection keep software systems and networks safe from cyberattacks. As the world becomes more and more reliant on data, preserving the integrity and confidentiality of that data becomes increasingly more critical. 

In order to keep your system safe, you can’t rely on just one measure of protection. Much like how the Tower of London consisted of multiple layers of walls, a moat, watch towers, and beefeaters, online businesses should also use multiple layers of cybersecurity measures. 

One of the most common cyberattacks developers have to protect against are SQL injection attacks, which are malicious SQL statements that get executed by the system's database when inputted. This is like the enemy tricking the gatekeeper to gain free access to your castle. Developers can protect against these attacks by screening user inputs and rejecting suspicious inputs aka making sure your gatekeeper is smart and detail-oriented. 

Inside the Tower of London, the picture was taken by the author

A necessary security measure to take is role-based access control (RBAC). This is a method of restricting access in the network based on the role of the user. In other words, if you are a low-level official in the castle, you aren’t allowed access to the Queen’s chamber. This is a simple, yet incredibly effective way of keeping sensitive data safe from malicious users.  

Database encryption is the last line of defense, much like White Tower (the keep, a castle within the castle), which makes your data unreadable and useless without a decryption key. This is like locking up your treasure in a box that can’t be easily picked and only giving keys to people you trust. In this way, even if attackers breach the castle, they still cannot access the treasure. Hopefully, your database encryption is redundant and attackers never get pass the other application security measures, but you can never be too safe. 

These are just a few of the many ways you can protect against cyberattacks, but your system will most likely still have some vulnerabilities. This is why penetration tests, which simulate a cyberattack against your system, are helpful for exposing further vulnerabilities. It's like hiring good guys (white hat hackers) to break into your castle so you can make new fortifications. 

Unfortunately, many organizations still refuse to place enough focus on cybersecurity. Not taking cybersecurity seriously can incur economic costs in the form of lawsuits and system repairs, regulatory costs from HIPAA and GDPR violation fines, and reputation costs because you will make it onto the news…but not in a good way. According to a study conducted by IBM, the average data breach costs around $3.92 million. If that isn’t a good enough reason to start beefing up your security, I don’t know what is. 

Anne Boleyn was beheaded at this spot in the Tower of London.
I took this picture with deep sympathy for Anne Boleyn.

A high-profile and relevant example is the recent phenomenon of Zoombombing where individuals hijack Zoom sessions and disrupt them by screen sharing inappropriate or offensive content. Users are able to join these meetings with relative ease because passwords aren’t commonly used and the meeting IDs can be released publicly. However, Zoom has done a decently good job addressing these application security issues by promoting the use of passwords, hiding meeting IDs, and adding a report feature. 

One of the biggest data breaches the world has ever seen occurred in 2013 when 3 billion Yahoo accounts were compromised…that’s every single one of them. It all happened when just one Yahoo employee clicked on a link in a spear-phishing email. Talk about a bad day at work! To make things worse, Yahoo was using outdated and easy-to-crack data encryption, giving the hackers full access to Yahoo’s user database. It took Yahoo 3 years to publicly announce the breach, and they’re still paying the price of it to this day. What are the lessons learned? Regularly conduct penetration tests, use up-to-date encryption, and take immediate action. Complacency kills.   

Here at GST, we strongly believe that the actions we take to protect your data and system are just as important as developing the software functionality itself. Hackers are constantly finding new exploits and techniques, so we are constantly updating our security countermeasures to keep the data safe, so when your castle is attacked, your fortress be ready. We are here to help you the entrepreneurs and business owners to become your industry’s William the Conqueror. 


By Isaac Shi, Max Yuan
May 19, 2020