Lesson video

In progress...


Hello and welcome to lesson four of our security unit.

I'm Ben now so far in this unit, we've learned about the methods used by cyber criminals to attack individuals and try and gain data or disrupt systems. So this lesson is all to do with fighting fire with fire.

So to find out all the different types of defence mechanisms that we can put in place to protect ourselves, and to also protect some networks okay? So all you need for this lesson is your computer, a web browser, it's also very helpful to have a pen and paper ready okay? So you can clear away any distractions that you might have and once you're ready, let's get started.

Okay so this lesson is really to do with designing our defence mechanisms using software, so these learning objectives you can see here, is learning about how we design software to prevent cyber attacks, and then use that software appropriately to help us do that, Okay? So specifically in this lesson, we're going to cover the following that you can see on the screen, so there are a number of different ways in which companies can design for security.

And the ones that we will be discussing in this lesson are SQL injection, which is actually a form of attack, but we'll look at that attack and look about what we can do to defend against it.

We're going to look at encryption, we're going to look at automatic software updates, code reviews, modular testing and the use of passwords.

So let's start off by actually looking at the first one that I mentioned, which is SQL injection okay? Now if you're not sure what SQL is, so SQL stands for Structured Query Language, and is a computer language that is used to communicate with databases.

Now there is a unit on Oak Academy called Databases and SQL where you can learn the specifics about what SQL is and different types of code techniques we can use but basically, SQL is code that allows us to extract data from a database, update database, manipulate the information sites such as delete the contents as well.

So SQL injection occurs when this malicious SQL statements, I'm going to insert into an entry field for execution.

Now, what I mean by that is for example, if you look at the image that you can see on the right hand side here, this would be a normal kind of web interface where you type in your username for example, or your username and password.

Now rather than putting in a normal username, and that's called an injection attack is where SQL code is put into this entry field instead of the username that prompts a database to perform an action that we as a database owners wouldn't want people to do, because they might be able to do some malicious attacks on it, okay? So what it says here, SQL injection exploits an error in an application software design and that's key, because we can defend against this if we design it correctly.

For example, when user input is not controlled by proper validation, when designing a database that has often access to a website, a programmer has to plan to defend against such an attack.

So what can we do with an SQL injection? Well, you might be able to use it to access sensitive data, for example, your usernames and passwords, some information about all your customers, it might be to steal or retrieve that personal data, maybe access financial data or maybe you could do things like update the data so maybe if you're able for example, to access an account detail, you might be able to add credit to an account, you might be able to then delete some of the data in the database, okay? And that case and point destroy the data, take control of the data.

So first to understand a little bit more about how SQL works.

I've got an activity for you to do, which is to go across through a website and it talks to you about how SQL works and then we're going to look at how we defend against it okay? So your understanding about how to defend against it, you really need to understand how the attack works in the first place okay? So go to task one of your worksheet and explore the concept of SQL injection further.

Now there is a hyperlink on your worksheet that will take you to the website where you can do this so please ask your parents or carer before completing this task, coz Oak National Academy are not responsible for any third party content okay? So then pause your video now go ahead and do that activity I want you finish up un pause the video and I'll be here when you get back.

Okay so how did you get on with that activity? So hopefully if you follow the steps on that website, you've now got a better understanding of what SQL injection can actually do okay? So what can we do to avoid SQL injection or something called input sanitization? Now just think for a second what does that word mean sanitization, what's it mean in everyday life? Well hopefully sanitization is kind of prompting some thoughts in your head about maybe making things clean okay? When we sanitise something we remove anything bad remove any germs something like that, and we'd keep things clean.

So input sanitization means keeping the input clean or validating it to make sure that nothing malicious is in there.

We get rid of all those germs, all those bugs, all those bad things and then what we do is make sure any input is okay to be put into the database.

So when designing a database, a programmer need to think about input sanitization.

They do this by including code that removes any SQL commands from input data preventing a hacker from gaining control of the database.

So we're putting this kind of middleman in place where we take the input and rather than putting it straight into the database or injecting it straight into the database, we look at it, we sanitise it so put some validation in place to make sure there's no SQL in there and therefore we know that no SQL injection can take place on our database.

So let's now move on to encryption okay? Now encryption is a process of encoding data or a message so that it can not be understood by anyone other than its intended recipient okay? Now the data or message is encrypted using encryption algorithm, and the opposite of encryption is decryption.

So encrypting is making the attack unreadable so it jumbles it up into a vast array of different characters but then decrypting is making it readable again.

So taking that jumbled up message putting it back in its original form so we can read it okay? Now there's a famous one called the Caesar cypher, now Caesar cypher is as a substitution cypher in which each letter is substituted for another one, for example, we look at this wheel on the right hand side, this is a Caesar cypher wheel okay? Now what we've got here for example, if we have a Caesar cypher of three, it means that each character is moved down the alphabet by three.

So if we had a Caesar cypher of three A will become D 'cause we have A, and then we add three to it B, C, D so A becomes D, so if we have an encryption key of three, every time we write letter, rather letter A, it would encrypt it to being D and if we want to decrypt it, we would take three away from it okay? So in the example here, you can see that A to H okay? In the diagram as it got a key of seven okay? So A to H 'cause A, B, C, D E F G H okay? And that's seven so it be a key of seven.

Now see a Caesar cypher works by giving a number to key value as just explained each plain text letters are placed by a new letter.

The one found the original letters position in the alphabet plus or minus the value of the key okay? And then we can see A becomes D okay? Now it's called Caesar cypher because it was actually invented by Julius Caesar who actually used this to communicate with his armies.

So he created a message and he apparently commonly used an encryption key of three so every letter he wrote, it was encrypted by three and that was kind of common amongst all his, to send to all his commanders in his army.

That's why it's called a Caesar cypher okay? Now an encryption key is a piece of information, usually random characters used by the software algorithm to encrypt data or a message into a form that is unreadable and allow the data message to be made readable again So we're talking about encryption and decryption.

So the key there is something that's readable, that's going to put, it allows us to work out what that key is to be able to encrypt it in the first place and decrypt it back again afterwards.

Now a Caesar cypher encryption key is a very, very simple version so my encryption key in the previous example was three, so my encryption key is three note the key allows me to work out what my message should be encrypted into and then also helps me decrypt it as well.

It's very simple encryption key, 'cause you can imagine modern day encryption algorithms are far more complex than this, but this is just an example of the kind of thing that it does.

So here's an example of a website we can go to, which actually puts a Caesar cypher in place for it.

So I'm going to show you this website, so I'm going to head over to it now.

Okay so hopefully you can see that.

Now the default website comes up with all this like jumbled up text, so let's just see if I can put in "Hello everyone, how are you?" Okay and I'm just going to change my encryption key to three okay? So what that does is it's moving every letter in the alphabet by three, so that would encrypt to that message there okay? So just to prove that it works, I can change this around so I can copy this and I can highlight that there, paste in my new message okay? And then if I change it round the other way, so just move it around okay? Put down too, there we go.

So you can see, I put to minus three and therefore I've got my message, so "Hello everyone how are you?" because I'm moving backwards by three this time okay? So it proves that that actually works.

So heading back over to my slides, so What I'd like you to do now is have a go at doing this okay? So I would like you to there were two links on your worksheets, so you can either use the wheel that I showed you or you can use a website to decode the message below, so this is a message that I would like you to decrypt okay? Now as you can see here, imagine if you want to see this Caesar's generals in the army okay? If you were seeing this or anybody intercepted the message, they would have no idea what that means okay? But because we know the encryption key, then we'd be able to decrypt it but here's the thing you don't know the encryption key so what I'd like you to do is I'd like to head over to task on your worksheet, I'd like to get that message and see if you can work out what the encryption key is okay? So I'm not actually going to give you the key, you've got to work out what it is and therefore work out what the message is in itself okay? So you've got a bit of decrypting to do yourself.

So if you have fun with that please and then if you can have a go at that, answer the questions on your worksheets and then once you've done that un pause the video and we'll continue with the lesson.

Okay so how did you get on with that? Now it's not a very complex encryption using Caesar cypher.

So one of the problems is that while a human might take an hour to crack a code, computers can do it even more quickly than we could, so how long did it take you to work out what the encryption key is? So can you imagine how quickly a computer will be able to do it? So what we can do instead is use something called a multi-digit encryption which is a bit more challenging as the encryption key changes with each digit of the message, so for example the encryption key, we've been looking at is three and that's a common one to use but imagine if the first letter was three but the next one was four and then the third letter was three and the next letter was four okay? And so that would be quite a bit more challenging or it may well be there's a random number every time or something like that okay? So using that principle what do you think a two digit key with a shift of one or two would de encrypt "Hello as" okay? So remember Shift means the first letter is one, the second letter is two, the third letter is one to four of lessons two okay? And so on like that.

So see if you can just pause the video for a moment and work out what "Hello" would be.

Okay did you get it? Okay well if you did get it, it should have been IGMNP sorry okay? So you can see that H was shifted by one so that becomes I, E shifts by two and that becomes G, L shifted by one that becomes M, second L shifted by two becomes N and the O is shifted by one.

So you can see that one, two, one, two pattern that's occurring there okay? Now there are obviously more advanced encryption methods out there in the world, real world okay? So we've got something called advanced encryption standards or AES.

This is an encryption method that keeps applications such as for example WinZip and WhatsApp, they keep those secure, so they are the ones used by them.

So AES is a variant of a cypher developed by two Belgium cryptographers, which is a fixed block size, 128 bits and a key size of 128, 192 or 256 so a lot more complicated than a Caesar cypher.

We also have asymmetric encryption.

Now asymmetric encryption means using an algorithm with two keys, a public key and the private key.

Now anyone with a public key can encrypt a message however the public key cannot decrypt the message, only the second private key can do that.

So if anybody's willing to set that one key, they will be able to decrypt the message but because this is using two types of encryption then you need both keys to be able to unlock the door as such to be able to get that message back in its original form okay? So if that's called asymmetric with two or do you think the name for encryption that only uses one key is? Well is symmetric encryption, you've probably got that okay? So symmetric encryption like the Caesar cypher because there's only one key, is just one key to hide and read the message okay? So it assumes that both parties already share that secret key.

Now the problem with that if the key becomes public, all messages have unlocked whereas asymmetric encryption requires that public key and the private key and the public is known to everyone and the private key is only known to the sender and the receiver of the message.

So this provides an extra layer of secrecy and security.

So public key encryption so you can tell if a website is using this public key encryption as they'll have the lock symbol on https in the address box.

So if you have you ever using something where you know you're submitting data to some server somewhere, for example again your bank details, you would want to make sure that under setting, you can see that padlock because you're making sure that the data is not centred, it's pure form so if anybody was to just randomly find those pockets of data, they might be able to do some damage with it whereas this got that public, you know that data at least as being encrypted so you and your bank both know that encryption key okay? So encryption, the advantages and disadvantages one advantage is that messages are more secure, I mean that's a clear advantage, isn't it? That we're sending data there, if it was to be intercepted then no one will be able to, well not easily be able to work out what the message would say okay? But the disadvantage of doing this is that it takes longer for messages to be sent to receive or they need to be scrambled and then unscrambled okay? And also additional certificates is often required as it contains part of the special code or key.

So it's just a bit more kind of complexity into the sending of the messages, there aren't huge disadvantages as of course we wouldn't do them, I mean it doesn't take long for a computer to work out this kind of thing, it's in fact, it's very quick for them but they are nonetheless extra kind of loads on the sending of data rather than just sending in its purest form.

So let's now look at software whilst in development.

What kind of things can we do to software whilst we're in the development stage of making our software? Or one of the really important things we can do is called a code review okay? Now when designing and testing a new programme is advisable for companies to review and test their code so that it can discover those vulnerabilities in their programme before cyber criminals do basically Now we looked at that WannaCry virus in the previous lessons, the ransomware attack that we looked at, that was a vulnerability in windows, the operating system.

So if testing takes place, maybe thorough testing and I'm not suggesting Microsoft don't do through testing but the more there's vulnerabilities, you can pick up whilst you're developing the code, they stop those cyber criminals from find them as well so thorough kind of code review, making sure that lots of people are looking at the code to see if they can spot it and make sure that no error is in it, the bigger the chance there is of cybersecurity not finding it any vulnerabilities.

Okay so modular testing, now modular testing is kind of subsets of code review I suppose.

So modular testing checks individual subprograms, subroutines classes or procedures in a programme.

So thinking about any programme lessons that you might've done, modular testing means every time you do a subroutine, a function or module in your programme, at that point you're testing it for the vulnerabilities.

So the point of doing modular testing is not to demonstrate that the module works but it's specifically looking for the errors in it.

So it's not testing it with just normal data that you'd expect to be entered, it's testing it with all sorts of different conditions, specifically trying to break it, specifically trying to work out what the errors would be.

So spotting errors could reveal vulnerabilities, again could be exploited by cyber criminals.

So now we've looked at software by design let's now look at some case studies.

So the worksheet that I'm going to ask you to go to now is six briefcase studies in which companies have each use sorry start again.

The worksheet has six brief case studies in which companies each use one means of securing their software okay? So identify the name of each technique from the following list and then explain how it protects the software okay? So your six case studies basically.

They have used one of these forms of protection, one or more of these forms of protection bloke so encryption, automatic software updates, input sanitation, code reviews, modular testing or the use of passwords okay? Now we haven't specifically covered the use of passwords in this lesson but we did look at it when we looked at grease force.

So think about those security methods that we might put in place with passwords so we might have make sure that any time somebody enters a password, it needs to be a certain length, maybe a combination of numbers, symbols and characters okay? So yeah, so I'd like to pause the video now, I would like to head over with task three, look at those case studies and see if you can identify what form of defence they could use okay? So un pause the video once you've done that.

Okay so how did you get on with that? Let's now go through the answer.

So hopefully you can match whether or not you got the same answers as I got okay? So these are what I got, so case study one was encryption, case study two was modular testing, case study three was code review, case study four was the use of passwords, case study five was automatic software updates and case study six was input sanitation.

So how do you get on with that? Now don't be afraid if you to change your answers, if you've got anything wrong then don't worry about it, that's absolutely fine.

I think what's important for you, is you make sure that you do have the correct answer.

So we're going to look back at this document to help you revise for any future tests that you might have then make sure that you have the correct answers okay? So don't be afraid to pause the video if you need to, just to go and correct what you've done but we will move on.

So that's it for this lesson and I hope you've enjoyed learning about the starting to learn sorry about the defence mechanisms that we can put in place.

So we've done a lot of work talking about the attack methods, so we started to look at the things that we can do to protect ourselves on networks against any cyber attacks okay? So we'll continue along that lines next lesson where we'll look at more kind of defence mechanisms that we can put in place so I hope you're looking forward to that and I would really love to see the work that you've done from this lesson.

So if you'd like to share how you got on with this lesson, that'd be absolutely fantastic.

If you'd like to do that, please ask your parents or carer to share your work on Instagram, Facebook or Twitter, tagging @OakNational and using the #LearnwithOak.

And why not take the quiz at the end of this lesson too, to see how you got on and see if there's anything else that you need to go back and revise okay? So that's all for me, I'm looking forward to seeing you next time.