Denial of Service Attacks (Mastery 16)

--Originally published at Mental Droppings of a Tired Student

Since last week Denial of Service attacks were suddenly “a thing” in most media outlets, I thought it was good timing to drop this mastery post related to the topic.

Unless you are living under a rock you have heard about the attacks beginning in the morning of last Friday (October 21, 2016) and stretching into the afternoon. The attack involved multiple DoS attacks targeting systems operated by DNS provider Dyn. This massive DoS attack shut down major websites across the internet; Dyn was hit by at least three apparently targeted strikes. The affected websites included Twitter, Reddit, GitHub, Amazon, Netflix, Spotify, Runescape… (who even plays that anymore?), amongst others. Dyn confirmed it was under attack the morning of said events.


This was their statement:

“Starting at 11:10 UTC on October 21st, Friday, 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.”

We discussed this attack briefly during our Networking class; the professor pointed out how DNS is an obvious target for attack. He also made the point that this kind of thing happens when security is put on the back burner, explaining that engineers generally care about functionality and tend to worry about security later or view security as an added plus. However, security, as we’ve learned the hard way, should be just as crucial as functionality.

Dyn claimed the problems were mainly affecting customers on the United States East Coast. I was going to say, I didn’t even feel the attack or witness it firsthand at all. I mainly used Cisco Spark, YouTube and Facebook, which were not under attack.

[Image: map illustrating the outage]
Continue reading "Denial of Service Attacks (Mastery 16)"

You Shall Not Password (Mastery 10, Pt. 1)

--Originally published at Mental Droppings of a Tired Student

First of all, I would dare say 99% of people’s passwords suck. Even Mark Zuckerberg’s password was terrible, and he is supposed to know a thing or two about computers. Zuckerberg’s Twitter and Pinterest accounts were hacked, with a group called OurMine Team claiming responsibility. They hacked into the LinkedIn database and found Zuckerberg with the password ‘dadada’. Hmm, really? Not even a number, a lowercase/uppercase combo? Yes, the 32-year-old Facebook founder, worth $51.2 billion, had a couple of social media accounts compromised by reusing “dadada”.


But I shouldn’t be too hasty to judge; I have a couple of accounts with crap passwords too. Usually these are accounts I don’t care about; they all have the same password, something I can remember quickly. However, upon researching further about passwords I found out my “good” passwords aren’t as fly as I thought they were.

My method is, I have a password exclusive to my bank information. Then I have a different one for paypal. Then I have similar ones for my social media accounts I often use. And finally, I have the same crap password for accounts I will only use once, or I don’t care if it gets hacked. But to be honest my important ones aren’t as strong as they should be, so I’m currently working on making them better.

The use of passwords as a method of authentication is annoying to say the least, because if you have a password that is easy to remember it’s probably a bad one. Furthermore, people generally assume that because a password is difficult for a human to remember, it is therefore a secure password; but it turns out these end up being combinations that are easy for a computer to guess with a relatively simple algorithm. So how can we poor humans win

Continue reading "You Shall Not Password (Mastery 10, Pt. 1)"

IT Risk Management Frameworks

--Originally published at Mental Droppings of a Tired Student

Before we get into this topic, we must ask ourselves, what is risk management? According to the Certified Information Systems Auditor Review Manual 2006 produced by ISACA, an international professional association focused on IT governance, risk management is:

“The process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.”

So the use of a framework formalizes risk assessment methodologies; in other words, frameworks try to take the guesswork out of evaluating IT risks. Evidently, assessing and managing risk is a high priority for many organizations, and guessing your way around these assessments would be extremely unwise. Given the ever-changing state of information security vulnerabilities, evaluating IT risks is a huge challenge.


Several formal IT risk-assessment frameworks have emerged over the years to help guide security and risk executives through the process.

Here are some IT risk management frameworks:

  • Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE)
  • Factor Analysis of Information Risk (FAIR)
  • The National Institute of Standards and Technology’s (NIST) Risk Management Framework (RMF)
  • Threat Agent Risk Assessment (TARA)

OCTAVE

OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation), developed at the CERT Coordination Center at Carnegie Mellon University, is a suite of tools, techniques and methods for risk-based infosec strategic assessment and planning.

OCTAVE defines assets as including people, hardware, software, information and systems. The OCTAVE methods have several key characteristics. One is that they’re self-directed: small teams of personnel across business units and IT work together to address the security needs of the organization. Another is that they’re designed to be flexible. Each method can be customized to address an organization’s particular risk environment, security needs and level

Continue reading "IT Risk Management Frameworks"

Aut Caesar Aut Nihil: Encryption (Mastery 11 pt.2)

--Originally published at Mental Droppings of a Tired Student

Last week (I know I’m pretty behind in writing this post), we had a couple of encryption activities in class. We were asked to code, in the language of our choice, a program to encrypt a text file using the Caesar Cipher as well as the Vigenère Cipher (user input of the text file and key).

Despite dehydration and tiredness, I was able to produce some code in C for the Caesar Cipher.

[Image: caesar]

This was just a quick program that encrypts your message. After that I cleaned it up and made several functions, including the decryption function.

[Image: caesar1]

This little web widget was useful to check if my code was encrypting and decrypting correctly.

For Vigenère Cipher I consulted this video to figure out how this encryption works:

I somehow decided to switch to Java; it seemed easier for me at the time. I made this during class… It’s a function to get the number of shifts you’ll be cycling through. After that I went to get something to eat because I was starving, and by the time I got back class had ended so I didn’t get to finish.

[Image: vignere1]

According to the video, for the word “math” you would have 12 shifts for “m”, 0 shifts for “a”, 19 for “t” and 7 for “h”. My code yields:

[Image: yield-vignere]

So I was on the right track, but it’s pretty safe to say this isn’t the most efficient code. So that weekend I changed it completely, and decided to stick to C to make everything uniform and simpler.

[Image: vignere]

This webpage helped me check my code.

I uploaded my code to GitHub, take a look at my repository here.

I also happen to be behind on other activities regarding the encryption topic. It’s that time in the semester when you can’t seem to get your sh** together, so bear with

Continue reading "Aut Caesar Aut Nihil: Encryption (Mastery 11 pt.2)"

Security Certifications (Mastery 4)

--Originally published at Mental Droppings of a Tired Student

In computer security there are a number of measures a professional can take to demonstrate his or her qualifications. Of course a university degree is a primary form of qualification; there are also credentials sponsored by companies such as Cisco or Microsoft. Additionally, certifications or qualifications given by an organization or the government can be valid forms of demonstrating your security prowess.

Quality and acceptance of these qualifications vary worldwide for IT security credentials, and there are many to choose from. Acquiring a master’s degree in the field from a prestigious university can be a form of certification, but there is a long list of credentials offered by different institutions and organizations that might interest someone looking to develop a more specific skill set. You can also gain award certificates for winning government, university or industry sponsored competitions, including team competitions and contests, such as the Intel Cup and the Freescale Cup, amongst others.

Here is a list of certifications to consider, if you want to be the very best, like no one ever was.

CISSP

The Certified Information Systems Security Professional (CISSP) is a hardcore, technically oriented, advanced-level certification and relates to some of the more complex topics like cryptography, network security, authentication and authorization. I think it’s safe to say it’s meant for IT pros who are very serious about careers in information security, since an annual fee of $85 is required to maintain the CISSP credential. Recertification is required every three years. To recertify, candidates must earn 40 Continuing Professional Education (CPE) credits each year for a total of 120 CPEs within the three-year cycle.

This credential continues to be highly sought-after by IT professionals and well recognized by IT organizations; it has a 40% market demand as of 2016. It is a regular fixture on most-wanted or must-have security

Continue reading "Security Certifications (Mastery 4)"

Ponies, Hats and lots of DOS attacks (Mastery 5)

--Originally published at Mental Droppings of a Tired Student

Hacking has been a popular topic for a long time, especially since the 90s and Hollywood’s fantasy of grungy, goth-looking teenagers doubling as computer geniuses having the world literally at their fingertips. In their portrayal of hacking, a hacker is kind of like a magician able to control every technology imaginable through a computer, though realistically that is not how things work at all. You gotta admit, controlling every TV in the globe through a computer? Far-fetched to say the least, not to mention extremely laughable. Or perhaps the computer geeks should be flattered that the normies think so highly of their skills? Who knows…


So there are two contrasting kinds of hacking: righteous, ethical, white hat goody-two-shoes hacking and black hat, bad apple of the bunch, scum of the earth hacking. Of course there are those who fancy themselves “grey hat hackers”, but I think such a distinction is unnecessary.


White hat hackers are those who are ethical and do things like diagnosing security flaws in order to prompt corporations to fix them. Black hat hackers commit cyber crimes for financial gain or simply because they want to watch the world burn… you know, for the lulz.

Let’s traverse this topic in an orderly fashion: from dark to light. You know, just so no one gets offended, because apparently there are more than two shades of hacker hats. Let’s use a scale to categorise each of these hackers. God, I love quantifying things! It gives me solace in a world full of chaos. I’m using D&D alignments as a base because I have no shame.

  1. Neutral Good: Finds security flaws, is completely altruistic in their hacking, finds a major flaw that affects many systems or donates their earnings.
  2. Chaotic Good: Finds security flaws and notified the company, got a reward for

Continue reading "Ponies, Hats and lots of DOS attacks (Mastery 5)"

To Do List:

--Originally published at Mental Droppings of a Tired Student

As a certified control freak I live my life by to-do lists. Don’t judge me.

  • Watch week 5 video
  • Make Google Calendar with schedule plan for the semester
  • Take a look at Keybase
  • Go through all my accounts and make sure everything is secure :3
  • Write at least 5 more mastery posts (I want those points yo)
  • Look at the rubric and calculate how many points I have… decide what to correct in order to get a decent grade
  • Read Other people’s posts and comment on the ones I like
  • Study for the test
  • Try to make a video..? Idk, I’m pretty camera shy
  • Look at Ken’s links and recommendations on twitter

So far I think that’s all.


With great power comes great responsibility (mastery 3)

--Originally published at Mental Droppings of a Tired Student

Let me start this post by repeating the one quote many professors have referenced when teaching my peers and myself:

[Image: “With great power comes great responsibility”]

Indeed, the kind of knowledge acquired by professionals within fields like science and technology, particularly the vast arsenal of skills and practical knowledge acquired in an engineering degree, can often be used for the greater good of mankind and bring about great advances that make everyone’s life easier… but it could presumably and easily be used for evil.


In countless organizations IT personnel are entrusted with the ability to access sensitive and personal data. How they handle this responsibility has much to do with their ethical standards, which is why organizations carefully select people with high standards to protect data. Or do they? I think most of us just don’t want to lose our jobs, or we’re too busy to care.

I can comment on the topic from personal experience, since I was lucky enough to land an internship at HP (right before it mutated into HPE and HP Inc.), particularly in an IT team that dealt with fairly sensitive data. Everyone in our team had immense power; I mean we had access to virtually any internal information, no matter how confidential. Since our team was L3 (Layer 3), we were in charge of handling high-priority issues that had already been looked at by 3 previous teams who had been unable to solve them. Needless to say we had access to people’s mailboxes, SharePoint websites, Yammer accounts, anything that needed fixing really.


Not to brag, but I ramped up unusually quickly within that team. Not because I’m smart or anything like that, but because I’m really nosy and found a sick sense of satisfaction in being able to fix things other people didn’t understand (my poor users).

Continue reading "With great power comes great responsibility (mastery 3)"

Triforce of Security (Mastery 2)

--Originally published at Mental Droppings of a Tired Student


Information Security has three main goals: Integrity, Availability and Confidentiality, a triforce of security, if you will.


Let’s talk about each of these for a bit:

Integrity

Data integrity refers to the accuracy and consistency of data over its life-cycle. Integrity is a key component of the security trinity since corrupted data is of little use to enterprises. Moreover, the loss of sensitive data could be lethal for a company, hence why data integrity is such a big deal. Corporations go to great lengths in order to safeguard their data and information. Additionally, enterprise security solutions are a real asset companies often focus on.


Let’s see how exactly data can be compromised… what is data’s worst nightmare? Each time data is replicated or transferred, it should remain unaltered between stages. Error checking methods and validation procedures are typically relied on to ensure that data which is transferred or reproduced has not suffered alterations.


Some error checking procedures are absolutely mind blowing: ECC, checksums, parity bits, it’s all very arcane and mathematical. The type of thing that somehow works but leaves you wondering how someone would even think of such a strange yet effective solution. I’m convinced whoever came up with this probably made a deal with the devil to acquire that level of genius. I’m talking about you, Hamming.
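To make the Hamming idea concrete, here is an added C example (my own code, not from the original post) of the classic Hamming(7,4) code: three parity bits cover overlapping groups of the four data bits, so a single flipped bit in transit produces a syndrome that is exactly the 1-based position of the damaged bit, which the decoder then repairs.

```c
#include <stdio.h>

/* Encode 4 data bits (bit0..bit3 of d) into a 7-bit Hamming(7,4) codeword.
   1-based positions: 1,2,4 are parity bits; 3,5,6,7 carry data bits d1..d4.
   Bit index in the returned word is position - 1. */
unsigned hamming74_encode(unsigned d) {
    unsigned d1 = d & 1, d2 = (d >> 1) & 1, d3 = (d >> 2) & 1, d4 = (d >> 3) & 1;
    unsigned p1 = d1 ^ d2 ^ d4;   /* covers positions 1,3,5,7 */
    unsigned p2 = d1 ^ d3 ^ d4;   /* covers positions 2,3,6,7 */
    unsigned p4 = d2 ^ d3 ^ d4;   /* covers positions 4,5,6,7 */
    return p1 | (p2 << 1) | (d1 << 2) | (p4 << 3) | (d2 << 4) | (d3 << 5) | (d4 << 6);
}

/* Syndrome: 0 when all parity checks pass, otherwise the 1-based position of
   the single flipped bit (each check that fails contributes its weight 1,2,4). */
unsigned hamming74_syndrome(unsigned c) {
    unsigned b[8] = {0};
    for (int i = 1; i <= 7; i++) b[i] = (c >> (i - 1)) & 1;
    unsigned s1 = b[1] ^ b[3] ^ b[5] ^ b[7];
    unsigned s2 = b[2] ^ b[3] ^ b[6] ^ b[7];
    unsigned s4 = b[4] ^ b[5] ^ b[6] ^ b[7];
    return s1 | (s2 << 1) | (s4 << 2);
}

/* Correct at most one flipped bit and return the 4 data bits. Two flipped bits
   are beyond this code: they look like a different single-bit error and are
   "corrected" into the wrong data word (that is why SECDED adds an extra parity bit). */
unsigned hamming74_decode(unsigned c) {
    unsigned pos = hamming74_syndrome(c);
    if (pos) c ^= 1u << (pos - 1);          /* flip the bit the syndrome points at */
    return ((c >> 2) & 1) | (((c >> 4) & 1) << 1) | (((c >> 5) & 1) << 2) | (((c >> 6) & 1) << 3);
}

int main(void) {
    unsigned data = 0xB;                         /* constructed sample: 1011 */
    unsigned code = hamming74_encode(data);      /* 0x55 */
    unsigned damaged = code ^ (1u << 4);         /* flip position 5 in transit */
    printf("codeword 0x%02X, damaged 0x%02X, syndrome %u, recovered 0x%X\n",
           code, damaged, hamming74_syndrome(damaged), hamming74_decode(damaged));
    return 0;
}
```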

[Image: Hamming]
I mean look at him, it’s obvious he has a dark secret. Even that black cat looks terrified.

Anyway! Data integrity can be compromised in many ways, making data integrity practices an important component of effective enterprise security protocols. That’s right, you can be the MVP at your job just for being more mindful of security risks. Not a lot of engineers seem to consider this; they tend to worry about functionality.

Continue reading "Triforce of Security (Mastery 2)"