Forging the future

--Originally published at The Hitchhiker's Guide to information security… according to me!

Securing a system is like going to a buffet. You have a plate in mind, and you start looking for the food that most resembles your idea of the perfect dish. After searching for a while you start picking up the best food you found, and by the end your masterpiece is complete. The information security world is the same: there are many constraints, behaviors, procedures, steps to be taken, controls and security mechanisms, risk management frameworks, etc. that you can choose from, and picking the ones that best fit your system requirements is like grabbing all your favorite food and putting it on the same plate… just awesome, and that awesomeness is called a security policy.


A security policy is a document that explicitly states the steps a company takes to keep its physical and information assets secure. This goes from how to educate employees so that they correctly comply with the rules being set, to explanations, through detailed procedures, of how to carry out the security measures established. Think of it like a constitution: we all agree to follow a set of rules in order to coexist peacefully and build the better future we all agree to work for.

Then again, we stumble on the question "Ok, I know the theory, but how is it applied?", and thank God there are people out there who make our mortal lives easier, building frameworks for us so we don't fall into the darkness while we travel through this unknown land.

A security policy framework consists of the following four types of documents.

Living to the limit (Part 2 of 2)


Hello and welcome back to the season finale of the Living to the Limit series. I'm your host Edy and I say "Let's Rock!" (Explosion sound!)

In the previous chapter we discussed what risk assessment is and the process of obtaining a prioritized list of risks so that you can take informed decisions on what to do next. Today we're going to talk about that next part: risk management.

Risk management is the process of analyzing potential responses for each risk and implementing strategies to control those risks. It's more like an action plan in case something bad happens, and there are five different management strategies.

Avoidance: it's very literal. It means getting away from the risk itself, by not doing the thing that exposes you to it. For example, walking the long way home to avoid being hit by bullies, or moving your data center away from the sea to avoid hurricanes.

Transference: shift the cost of the risk to someone else, typically by buying insurance or by contracting a provider who takes on the liability for it. Careful here: paying a company to train your personnel against social engineering does not transfer anything, the risk is still yours; that is mitigation.

Mitigation: now this is cool. This is the approach of dealing with the specific problem face to face, reducing how likely it is or how much damage it does. If a flood is a risk, building infrastructure that keeps water from entering the building is a good example of mitigation.

Acceptance: the Buddhist approach. You work out that controlling a specific risk would cost more than the loss it could cause (or you simply don't have the money), so you consciously accept that things are the way they are, write that decision down, let it be, and pray for the risk to never manifest.

Deterrence: it refers to taking away an attacker's determination to hurt you. It doesn't work with natural disasters, but you can deter a burglar by installing security cameras or buying a guard dog; you're


Living to the Limit (Part 1 of 2)


Sometimes you just have to take that risk: bet all your money on that awesome hand, ask the person you have a crush on out, eat that piece of pizza with a questionable expiration date. But before taking a decision that may change the course of history, one must ask, what are the risks? And that, my friend, is called risk assessment.


Assessing risks

Risk assessment is the process of identifying the risks you may encounter and ranking them by how likely they are to happen and how much damage they would do. But why do we need to identify the risks? Why don't we just build a freaking wall around everything, put some security guards in and buy the newest protection service on the market? Well my friend, as you may already know, money doesn't grow on trees, and it's the duty of the security professional to assess the risks you can encounter in order to spend the tight budget they're given wisely. So how do we do that? Follow me folks!

First, you need to identify the risks you can face. You face a risk when a threat can exploit a vulnerability. Vulnerabilities are weaknesses in your security controls, and threats are factors, from outside or inside your organization, that may compromise your security. For example, you have a dog that pees on your pillow: that is a threat. But you close your door every time your dog is in the house, so you face no risk; there is a threat, but you're not vulnerable to it. The day you leave the door open you become vulnerable, and now you face a risk. You might as well start looking at your dog with different eyes…
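To see the two halves of the series in one place (threat plus vulnerability equals risk, ranked by expected loss; then one of avoid, transfer, mitigate, deter or accept chosen per risk), here is an added worked example in Python. It is not code from the original posts: the assets, threats, probabilities, money figures and treatment options are all invented for the demo, and scoring a risk as "annual probability times loss per event" is a common simplification rather than a specific framework. It goes one step beyond the text by letting "accept" compete on cost with the other strategies, which is how an over-priced control gets rejected in practice.

```python
"""Toy risk register: assess threats against vulnerabilities, then treat each risk.

Added example for the blog post, not the author's code. All figures are invented.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: Optional[str]  # None: the threat exists but has nothing to exploit
    annual_probability: float     # assumed chance the threat strikes in a year
    loss_per_event: float         # assumed cost of one occurrence

    @property
    def expected_loss(self) -> float:
        """Annual loss expectancy: what this risk costs per year on average."""
        return self.annual_probability * self.loss_per_event


def assess(candidates):
    """Risk assessment: a threat you are not vulnerable to is not a risk.
    Returns the real risks, most expensive first."""
    real = [r for r in candidates if r.vulnerability is not None]
    return sorted(real, key=lambda r: r.expected_loss, reverse=True)


@dataclass
class Treatment:
    strategy: str                # "avoid", "transfer", "mitigate" or "deter"
    control: str
    annual_cost: float           # what the control costs every year
    residual_probability: float  # chance of the event with the control in place
    residual_loss: float         # what we still lose per event with the control in place


def choose(risk, options):
    """Risk management: pick the option with the lowest yearly cost, counting the
    control itself plus the expected loss that remains. Acceptance (do nothing,
    pay the full expected loss) always competes, so an over-priced control loses."""
    best = ("accept", "do nothing", risk.expected_loss)
    for t in options:
        total = t.annual_cost + t.residual_probability * t.residual_loss
        if total < best[2]:
            best = (t.strategy, t.control, total)
    return best


# Constructed register (invented numbers). The first pillow entry has no
# vulnerability: the door is closed, so the threat is not a risk.
CANDIDATES = [
    Risk("pillow", "dog pees on it", None, 1.0, 20),
    Risk("pillow", "dog pees on it", "bedroom door left open", 0.5, 20),
    Risk("data centre", "hurricane", "building 200 m from the sea", 0.1, 2_000_000),
    Risk("customer records", "phishing", "staff can't tell sensitive from public data", 0.6, 150_000),
    Risk("office", "burglary", "no alarm or cameras", 0.2, 30_000),
]

OPTIONS = {
    "hurricane": [
        Treatment("avoid", "move the data centre inland", 300_000, 0.0, 0),
        Treatment("transfer", "hurricane insurance", 25_000, 0.1, 200_000),  # insurer pays the rest
        Treatment("mitigate", "flood barriers and raised floor", 60_000, 0.1, 400_000),
    ],
    "phishing": [
        Treatment("mitigate", "data classification and awareness training", 20_000, 0.2, 150_000),
    ],
    "burglary": [
        Treatment("deter", "cameras and a guard dog", 8_000, 0.05, 30_000),  # costs more than the risk
    ],
    "dog pees on it": [
        Treatment("avoid", "keep the bedroom door closed", 0, 0.0, 0),
    ],
}


def plan(candidates=CANDIDATES, options=OPTIONS):
    """Full cycle: assess, then pick one treatment per risk.
    Returns (asset, strategy, control, yearly cost after treatment) rows, worst risk first."""
    return [(r.asset, *choose(r, options.get(r.threat, []))) for r in assess(candidates)]


if __name__ == "__main__":
    for row in plan():
        print(row)
</br>```

Running it ranks the hurricane first and the pillow last, insures the data centre instead of moving it, trains the staff, and accepts the burglary risk because the cameras and dog would cost more per year than the expected loss.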

So, for a real-life example, you assess the risks within your organization, and it may turn out that your personnel don't distinguish between sensitive and non-sensitive


Security is my business, and business is good


There are too many bad guys out there waiting for their chance to strike, laughing at the law with their rotten teeth, committing unpunished crimes, running this city with fear. Someone needs to stop this madness; we need heroes who can face their nightmares, embrace the sins of the city and look death right in the eyes in order to cleanse the streets of insanity. But who could ever believe that our heroes are here for good… if they don't have the appropriate CERTIFICATION?

If you want to pursue a career in IT and information security, sometimes a school diploma is not enough. You need to fill your uniform with shiny badges, because that's what recruiters are looking for. But which badge looks best on your chest? Well, it all depends on the path you're taking, and lucky for you I'll list 5 options.

Top 5 security certifications, by level.

This is the first top something on my blog. I’m so excited. Here it comes!

Beginners

Enthusiastic people who are still hoping to change the world and think everything is possible.

CompTIA Security+: the start of the line. Security+ is a certification that recognizes your technical skills in managing security systems, organizational security, network security, cryptography, security risks, security infrastructure and more. CompTIA recommends around two years of IT experience with a security focus before taking the exam, but it isn't a prerequisite.

https://certification.comptia.org/certifications/security

Intermediate

This is for people who have been to war; they know their stuff and know the world is rotten.

Certified Ethical Hacker (CEH): what's better than hacking into a computer? Having a paper that says you're allowed to do it. If you read my post "Mr. Niceguy", and of course you did, you already know what a white hat hacker is.


Access DENIED


Have you ever had a fight with your little brother/sister (if you don't have one, use your imagination) and he/she, in revenge, hides your cellphone or your car keys, denying you access to them? Well, if you aren't a website or network administrator that's the closest you're going to get to a denial of service attack, and let me be the one to tell you that your little brother/sister is going places.

A denial of service attack, or in more casual situations DoS, is an attempt to prevent legitimate users from accessing information or a service provided by an organization. By targeting a network or a computer, an attacker can prevent you from accessing webpages, email accounts, bank accounts, etc.
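What does that look like from the administrator's side? Below is an added example in Python, not code from the original post, of the most basic check for a flood-style DoS: it parses web server access-log lines in the common log format and flags any source that sends more than a handful of requests inside a ten-second window, and separately reports the peak request rate across all sources, which is the number that gives away a distributed flood that stays under the per-source limit. The log lines are constructed for the demo (documentation addresses from RFC 5737), and the thresholds are assumptions you would tune to the server's normal traffic.

```python
"""Flood detection over web server access-log lines (added example, not the post's code).

The sample log and the thresholds are constructed/assumed for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client - - [timestamp] "request line" status bytes
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal visitor (203.0.113.7), one source hammering "/"
# eight times in four seconds (198.51.100.9), a login from 192.0.2.44, and a
# malformed line the parser must skip.
LOG = """\
203.0.113.7 - - [10/Oct/2016:13:55:01 +0000] "GET /index.html HTTP/1.1" 200 2326
198.51.100.9 - - [10/Oct/2016:13:55:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2016:13:55:02 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2016:13:55:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2016:13:55:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2016:13:55:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2016:13:55:04 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/Oct/2016:13:55:05 +0000] "GET / HTTP/1.1" 503 0
198.51.100.9 - - [10/Oct/2016:13:55:05 +0000] "GET / HTTP/1.1" 503 0
203.0.113.7 - - [10/Oct/2016:13:55:20 +0000] "GET /about.html HTTP/1.1" 200 1040
192.0.2.44 - - [10/Oct/2016:13:55:21 +0000] "GET /login HTTP/1.1" 200 800
this line is not in the expected format
192.0.2.44 - - [10/Oct/2016:13:55:33 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2016:13:55:59 +0000] "GET /contact.html HTTP/1.1" 200 900
"""


def parse(line):
    """Return (ip, timestamp, request, status), or None for a line that doesn't parse."""
    m = LINE.match(line)
    if not m:
        return None
    ip, ts, request, status, _size = m.groups()
    return ip, datetime.strptime(ts, TS_FORMAT), request, int(status)


def flood_sources(lines, window_seconds=10, max_requests=5):
    """Sliding-window request count per source IP (lines must be in time order).
    Returns {ip: peak count} for every source that exceeded max_requests in a window."""
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ip, when, _, _ = parsed
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_seconds:  # drop timestamps that aged out
            q.popleft()
        if len(q) > max_requests:
            offenders[ip] = max(offenders.get(ip, 0), len(q))
    return offenders


def peak_rate(lines, window_seconds=10):
    """Highest number of requests from all sources combined inside any window.
    A distributed flood stays under the per-source limit but shows up here."""
    q = deque()
    peak = 0
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        q.append(parsed[1])
        while (parsed[1] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak = max(peak, len(q))
    return peak


if __name__ == "__main__":
    lines = LOG.splitlines()
    print("per-source offenders:", flood_sources(lines))
    print("peak requests in 10 s:", peak_rate(lines))
```

On the sample, 198.51.100.9 is reported with eight requests in one window and the overall peak is nine (its eight plus the normal visitor's one). A real deployment would read the log as it grows and feed the offending addresses to a firewall or rate limiter, but the counting logic is the same.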


"But why?" you ask. These attacks are mostly used for revenge, fun or political activism; the attacker doesn't gain much more than the sweet feeling of power and of annoying someone, but the targeted organization or individual can lose valuable time and money. These attacks can also be used to blackmail a company, if you play your cards right.

One recent example of a DoS attack is that of a 15-year-old boy in Australia who launched attacks against his school, a bank and the police. The attacks made their websites unavailable to users, and in the bank's case its online services were down for more than three hours, costing it millions of dollars in advertising and bank transactions. The teenager did it for fun and didn't go to jail, by the way… Australians.

Types of DoS attacks

OK, so now we know they are dangerous, but what do they look like? You know… for science. I present to you the:

Buffer overflow: sends a service more data than the memory buffer it was written to hold, so the service crashes or hangs instead of answering.


Adding the right amount of security


I will start by asking the real questions here. What does security even mean?

A definition right out of the dictionary will tell us that it is the precaution taken to guard against danger, crime, attack, sabotage, espionage, etc., but if it were that easy we would all be burying our hard drives in a freaking hole in a location unknown even to us. IS THIS EVEN PRACTICAL?! What if I want to see my data right now? Do I need to dig a hole each time? What if I want to share it? Is no one allowed to see it because that isn't safe?

Security isn't always about extreme prevention, but about knowing the right amount of protection. "But Edy, how do we know which amount of protection is the right amount?" Well kids, you've come to the right blog.

CIA Triad


No, it does not refer to that agency that makes everyone paranoid. It refers to a model that helps us decide our security goals and the approach we could take to achieve them. CIA stands for confidentiality, integrity and availability, and we will now proceed to cover them in detail… Wait for it… NOW!

Confidentiality

People, you may think this is pretty obvious, but in fact it gets confused a lot with integrity, so pay attention. Confidentiality means your data can only be seen by the people you want to see it. It says nothing about whether the data can be modified (that's integrity) or whether it can be shared and reached when needed (that's availability). This is extremely important for sensitive information like the addresses and family members of all the employees in a company. Now let's watch the concept in practice.
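The cleanest way to see that confidentiality and integrity are separate properties is with code, so here is an added example in Python (not from the original post). It encrypts a payment message with a one-time pad, which is chosen only because it is the simplest cipher that hides the plaintext completely; an attacker who cannot read a single byte can still flip exactly the bits that turn "0100" into "9999", because knowing the message layout is enough. Adding an HMAC-SHA256 tag (encrypt-then-MAC, with the standard library's hmac module) is what buys integrity: the same tampering is detected before anything is decrypted. The message, key lengths and the fixed field offset are assumptions made for the demo.

```python
"""Confidentiality is not integrity (added example, not the post's code).

One-time pad for confidentiality, HMAC-SHA256 for integrity; message and layout
are constructed for the demo.
"""
import hashlib
import hmac
import os


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key, plaintext):
    """One-time pad: with a random key as long as the message (and never reused),
    the ciphertext reveals nothing about the plaintext."""
    assert len(key) >= len(plaintext)
    return xor_bytes(key, plaintext)


decrypt = encrypt  # XOR is its own inverse


def tamper(ciphertext, offset, old, new):
    """What an attacker can do without the key: if they know `old` sits at `offset`
    (a fixed message layout), XORing in old^new rewrites it to `new` in the plaintext."""
    patch = xor_bytes(old, new)
    edited = bytearray(ciphertext)
    for i, p in enumerate(patch):
        edited[offset + i] ^= p
    return bytes(edited)


def seal(mac_key, ciphertext):
    """Encrypt-then-MAC: append a 32-byte HMAC tag over the ciphertext."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(mac_key, sealed):
    """Verify the tag (constant-time compare) before handing the ciphertext on."""
    ciphertext, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified")
    return ciphertext


def demo():
    """Tamper with the same message twice: once plain-encrypted, once sealed with a MAC.
    Returns (decrypted tampered message, verdict for the sealed copy, untouched sealed message)."""
    message = b"PAY 0100 TO ALICE"  # constructed; the amount starts at byte 4
    key = os.urandom(len(message))   # one-time pad key
    mac_key = os.urandom(32)

    ct = encrypt(key, message)
    # Confidential, but malleable: the amount becomes 9999 without the attacker reading it.
    without_mac = decrypt(key, tamper(ct, 4, b"0100", b"9999"))

    sealed = seal(mac_key, ct)
    try:
        open_sealed(mac_key, tamper(sealed, 4, b"0100", b"9999"))
        with_mac = "accepted"
    except ValueError:
        with_mac = "rejected"
    untouched = decrypt(key, open_sealed(mac_key, sealed))
    return without_mac, with_mac, untouched


if __name__ == "__main__":
    print(demo())
```

The first result is b"PAY 9999 TO ALICE": the secret was never exposed, yet the data was changed, which is exactly the confidentiality-without-integrity situation the paragraph warns about. The second is "rejected", because the tag no longer matches, and the untouched sealed message still decrypts to the original.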

Example: Your girlfriend/boyfriend doesn’t know the password of your phone, but your best friend does. Even though your


The root of all evil


Malware, the ones who should not be named, the adversaries, the lords of darkness, the communism to my capitalism, the things that should not be, the roots of all evil… Today, in another post of my nonsense, we will be taking a trip to the scary part of information security. Please come along while I show you the truth about these creepy creatures.


As definitions are always handy: malware is short for malicious software (I can see your face filling with amusement), and it refers to any kind of software that could harm you or your computer by stealing or hijacking your data, spying on your activities or interfering with what the computer is doing.

They come in many colors and presentations and their names and stats are the following:

Virus

As with their real-life namesakes, a virus is a program that copies itself and spreads to other computers when a user executes an infected file.

  • Attack points: they can execute malicious code that gives the attacker access to your files and computer functions, enabling them to steal information, corrupt your data or harm your computer.
  • Habitat: they can reside in e-mail attachments, infected files from other computers or inside another piece of software.

Worm

It's a program that replicates itself and spreads to other computers. But wait, what's the difference between a worm and a virus? Well, a virus needs to be attached to another program and be executed in order to replicate, while a worm replicates itself over the network without any user interaction.

  • Attack points: they are often "payload free", meaning they don't harm your computer or steal your data, but they can overload your network by consuming bandwidth while they spread, which may slow everything down, your browser included. Nevertheless, there are still cases in

Mr. Niceguy


Hackers, those evil dudes who steal all the money from your bank account while sitting at a Starbucks table sipping a frappuccino. Also the inspiration for so many movies, videogames and TV shows, like Watchdogs and Mr. Robot. But do we actually know what the heck hacking means? No, it's not violently typing 1's and 0's into the command terminal of a computer. It goes deeper… way deeper.


Let's start with some background. Ethics, the core of our beautiful society, are a system of moral principles that dictate how decisions are taken and, in general, how to live life; they include our rights and responsibilities and what is right and wrong, and, surprisingly, they exist in the computer world too. Can you believe it?!

There are four areas of computer ethics:

  1. Computer crime:
  2. Responsibility for computer failure:
  3. Protection of computer property:
  4. Privacy:

Now straight to the point. Hacking is any activity that results in unauthorised entry into a system or network; a hacker is a person who penetrates systems and exploits vulnerabilities in order to gain unauthorised access to data and resources. So yes, they might steal your data, but the frappuccino is optional.

But the real question here is, are all hackers that bad? Quick answer: no. But let me go deeper. Many hackers break into a system without causing damage or stealing data; they do it because it is a challenge. Others, however, want to commit fraud, steal or harm people, and a good share of those are insiders, employees who already have easier access to the system. The term "hacker" is usually associated with something bad, illegal or vandalic; however, not everyone out there is a bad person. There are three different hacker types, which vary in


Paranoid Android


Computer and information security: a phrase you may only hear in university courses or on the cover of some IT magazine you're looking at while waiting for your turn to pay at the supermarket. You hear it and may think they're talking about some new "antivirus", or a new way of preventing the Chinese and Russians from spying on conversations with their computers, but most importantly, that you don't give a damn, because YOU have a password with more than 8 characters, a digit and a symbol; you don't click on pop-ups, and you ignore the "Viagra" mails in your inbox. You live a humble life away from all danger, so why should you be worried? Well, after reading this post, you might wanna add another symbol to that password.

When you hear the word security you immediately think of locks, closed doors, guys with guns at the entrance of a building and 24/7 surveillance cameras; and, to a certain point, you're correct. But why do you need a tall, expressionless big guy standing next to a door? Let me answer that for you: because you want to protect something. You want the thing behind that door to stay there, safe from all harm, secure; and that also applies to all your electronic devices and data.

Let's put some context into it and list the important things you might wanna keep from others: browser history, conversations, photos, schedules, bank account details, medical records, names of friends and family, etc. Why? What could anyone do with that information? Steal physical and intellectual property, blackmail you, impersonate you (which may result in you being accused of a crime you didn't commit), harm your friends and family, or worse things I can't even start to imagine. Can they do that? Yes they can!


What am I?


Oh hello there,

My name is Edy (yes, it’s written that way) and I’m a music, book and movie lover who gets bored easily, and is constantly searching for new and interesting things in this endless journey we call life.

I'm currently studying for a bachelor's in Computer Science and this semester I'm taking an amazing course on Information and Security. This blog will consist of my insights and shower thoughts about some facts and different perspectives on the subject, so bear with me while I spout some interesting nonsense through my writing.

The rules are simple:

I write, you comment, we reach a mutual understanding, learn from each other and repeat.

Easy.

Looking forward to it.