How do you explain the concepts of information security to your children? Chances are, you simply don't. Some parents give up on making information security relatable and just forbid kids from doing certain things online, or from using the Internet at all. But prohibition without explanation is counterproductive: it is more likely to send children after the forbidden fruit.
Asked why they don't talk to their children about cyberthreats and how information security works, parents, who may not have the firmest grasp of the concepts themselves, tend to get frustrated and give up, and not necessarily in that order. But it has all been explained already. You might not realize it, but numerous cybersecurity textbooks for little ones were in fact written hundreds of years ago. You know them as fairy tales. All you need to do is refocus them a little.
Little Red Riding Hood
Take, for example, Little Red Riding Hood. It's a well-known European folk tale that has been retold many times by such eminent cybersecurity experts as the Brothers Grimm, Charles Perrault, and many others. The various versions differ slightly, but the basic plot is the same. Let's take a step-by-step look at what happens.
- Mom sends her daughter to Grandma with a basket of treats.
- Little Red Riding Hood meets the wolf, who asks: "Where are you going?"
- Little Red Riding Hood replies: "I'm going to see Grandma and bring her a basket of treats."
The cybersecurity lesson starts right here. You can explain the handshake, the procedure by which two parties establish communication and identify each other, and look together at the threats that come with it.
Little Red Riding Hood is programmed to knock on Grandma's door, wait for the "Who's there?" query, and answer with the passphrase about Mom sending treats, so that Grandma can authenticate her and grant access to the house. But she gives the passphrase away in response to a random question, without ever having received the proper "Who's there?" challenge. That is the opening the attacker exploits: a credential that is handed out on request, to anyone, is a credential that can be reused.
- Depending on the version of the fairy tale (or firmware, if you like), the wolf either sends Little Red on a detour or suggests that she pick some flowers for Grandma.
Either way, it's a type of Denial-of-Service (DoS) attack. If the wolf tried to log in to Grandma's house after Little Red Riding Hood's arrival, he would be unlikely to be let in: the one expected visitor is already inside. So it's important for him to put Little Red out of commission for a while, so that she cannot complete her task on schedule.
- The wolf thus reaches Grandma's house first and duly logs in, responding correctly to the "Who's there?" query. Grandma grants him access to the house.
This is a near-textbook Man-in-the-Middle (MitM) attack carried out by the replay method (although in our case, Wolf-in-the-Middle would be more accurate). The wolf inserts himself into the communication between the two parties, learns the handshake procedure and the passphrase from the client, and reproduces both to gain illegitimate access to the server. Note the detail that makes the replay work: the passphrase is static. Strictly speaking, the wolf never intercepts a live session; he elicits the credential out of band with an innocent-sounding question and presents it later, and a server that accepts the same fixed answer every time cannot tell the difference.
- The wolf gobbles up Grandma, puts on her nightgown and nightcap, and lies in her bed under a blanket.
In modern terms, he is setting up a phishing site. Everything looks authentic from the doorway: Grandma's bed is there, and someone resembling Grandma is lying in it.
- Having approached the house and received the "Who's there?" query, Little Red Riding Hood gives the passphrase about the treats she has brought.
This is a continuation of the MitM attack, only now the wolf, having learned the second half of the exchange, mimics the normal behavior of the server (Grandma). Little Red, spotting nothing suspicious, logs in. She has no way to check who is behind the door, because the protocol only ever asked her to prove herself to Grandma, never Grandma to prove herself to her.
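The two attacks above, reduced to code, as an added example that is not part of the original article: a door with a fixed passphrase accepts the wolf's replayed credential and cannot be told apart from a wolf in a nightgown, while a door that issues a fresh random nonce and answers a challenge of its own defeats both. The class names (StaticDoor, NonceDoor, LittleRed, Wolf), the shared secret and the tag strings are constructed for this example, not taken from the article.

```python
import hashlib
import hmac
import secrets

# Constructed secret shared by Mom/Little Red and Grandma; hypothetical value.
SHARED_SECRET = b"mom-sent-a-basket-of-treats"


def mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over the concatenation of parts; the 'proof' in the nonce scheme."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class StaticDoor:
    """Grandma's door as told in the tale: 'Who's there?' plus one fixed passphrase."""

    def __init__(self, passphrase: bytes):
        self._passphrase = passphrase

    def challenge(self) -> bytes:
        return b"Who's there?"

    def admit(self, response: bytes) -> bool:
        return hmac.compare_digest(response, self._passphrase)


class NonceDoor:
    """Door that issues a fresh random challenge and can prove its own identity back."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def admit(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        expected = mac(self._key, b"visitor", self._pending)
        self._pending = None  # each nonce is good for exactly one attempt
        return hmac.compare_digest(response, expected)

    def prove(self, visitor_nonce: bytes) -> bytes:
        """Answer the visitor's own challenge, so she can tell Grandma from a wolf."""
        return mac(self._key, b"door", visitor_nonce)


class LittleRed:
    """Visitor who, as in the tale, answers *any* question with her credential."""

    def __init__(self, secret: bytes, scheme: str):
        self._secret = secret
        self._scheme = scheme  # "static" or "nonce"

    def respond(self, question: bytes) -> bytes:
        if self._scheme == "static":
            return self._secret  # the passphrase itself leaks on every answer
        return mac(self._secret, b"visitor", question)  # bound to this question only

    def check_door(self, door) -> bool:
        if self._scheme == "static":
            return True  # nothing to verify: anyone in a nightgown passes
        nonce = secrets.token_bytes(16)
        return hmac.compare_digest(door.prove(nonce), mac(self._secret, b"door", nonce))


class Wolf:
    """Elicits a credential out of band, replays it at the door, then plays Grandma."""

    def __init__(self):
        self.captured = b""

    def elicit(self, victim: LittleRed) -> None:
        self.captured = victim.respond(b"Where are you going?")  # not the real challenge

    def replay(self, door) -> bool:
        door.challenge()
        return door.admit(self.captured)

    def prove(self, visitor_nonce: bytes) -> bytes:
        return self.captured  # best he has: without the key he cannot compute a fresh proof


def tale_as_told() -> dict:
    """Static passphrase: the replay and the impersonation both succeed."""
    red, grandma, wolf = LittleRed(SHARED_SECRET, "static"), StaticDoor(SHARED_SECRET), Wolf()
    wolf.elicit(red)
    return {"wolf_gets_in": wolf.replay(grandma), "red_trusts_wolf": red.check_door(wolf)}


def tale_with_challenge_response() -> dict:
    """Fresh nonce plus mutual proof: the replay fails and the wolf cannot pose as Grandma."""
    red, grandma, wolf = LittleRed(SHARED_SECRET, "nonce"), NonceDoor(SHARED_SECRET), Wolf()
    wolf.elicit(red)
    return {
        "wolf_gets_in": wolf.replay(grandma),
        "red_trusts_wolf": red.check_door(wolf),
        "red_trusts_grandma": red.check_door(grandma),
    }
```

Run `tale_as_told()` and `tale_with_challenge_response()` side by side: in the first, the wolf gets in and Little Red walks into his bedroom; in the second, the captured answer is useless at a door that asks a fresh question, and the wolf in the nightgown cannot answer her question back. One caveat: a fresh nonce stops replay of an old answer, not a live relay in which the wolf first fetches Grandma's current nonce and then puts exactly that question to Little Red. The defence against that is the other half of the lesson, namely that Little Red runs `check_door` before she answers anyone.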