Wiser decisions with Risk IT

--Originally published at Allow Yourself to fail and learn… and hack

Diego's Password

In business today, risk plays a critical role. Almost every business decision requires executives and managers to balance risk and reward. Effectively managing business risks is essential to an enterprise’s success.

IT Risk Management Frameworks: a large concept, right? Let’s break it down in order to understand it. Risk: “a situation involving exposure to danger.” Pretty simple. Management: “the process of dealing with or controlling things or people,” in this case risks. Framework: “an essential supporting structure of an object.” We think it’s getting a bit clearer. Concluding: there are information technology risks, or dangerous situations, in which people, in this case managers, need to take decisions based on their analysis. Here’s where “framework” comes in: a program that evaluates these risks and helps with the process of taking a decision in the area of technology. Hope you liked this blog post!


Ok… there’s more than that. We are going to…

View original post (382 more words)


Mythology risks

--Originally published at Allow Yourself to fail and learn… and hack

Diego's Password


Risk assessment mythologies, haha funny right… Methodologies. What could it mean…

The evaluation or estimation of the nature, quality or ability of someone or something.

So it is the actual quantification of a risk, whether quantitative or qualitative. How could we even count or grade a risk? Well, that’s when the mythologies come in. Normally two factors are taken into consideration: the consequences and the probability. The consequences are all the potential loss, counted either in money or by a given parameter, and the probability is the actual percentage, the likelihood of it happening or occurring.


He’s probably right, but first we need to learn how to analyze a risk and take a wise decision. There’s a really interesting article written by the GIAC. I’ve written about them before; I’ll link the post here. This post will be based on that article.

There are three mythologies… haha enough. Three methodologies used…

View original post (224 more words)


We are as strong as our weakest link

--Originally published at Allow Yourself to fail and learn… and hack

The Hitchhiker's Guide to information security... according to me!

Achilles, the mythical Greek hero, son of a king and a nymph, invulnerable in every part of his body except the heel… Seriously, the lamest part of the body. But the Greeks have something very important to teach us, and it’s that there’s always a weak spot in something. Even though it may seem unbreakable, unstoppable or impenetrable, we’re just not looking carefully enough. And it’s when we find that weakness that we have control. As it is, we are as strong as our weakest link. So we need to be harder, better, faster, stronger when it comes to information security, and what better place to start than the network of our organization.

DEFINITION I CHOOSE YOU! Network security refers to any activity that will protect the integrity, availability and consistency (CIA coff coff) of the physical and logical assets from any threats or prevent the breach from…

View original post (456 more words)


Cisco’s recommendations

--Originally published at Allow Yourself to fail and learn… and hack

Collaboration post made with Diego


Same as in the previous post (link to previous post). Network security refers to all the measures and efforts made to protect a network and its data. The components we care about are the same components from computer security (usability, reliability, integrity).

Having a secure network not only assures healthy and constant connectivity on the network, but more importantly it helps to protect personal information from a hacker attack.


To provide protection to a network we need to combine multiple layers into a solution, each layer containing its own policies and controls. Some popular types of network security are the following:

  • Access control
  • Antivirus and antimalware software
  • Behavioral analytics – it analyzes activities that deviate from the norm
  • Email security – this is the channel where many infections occur. An email security application blocks incoming attacks
  • Firewalls – set a barrier between your network and outside networks
  • Network segmentation – it is wise to classify and restrict a network to limit the privileges and content each segment has.
  • Web security
  • Wireless security

For more security recommendations visit the following link:

http://www.cisco.com/c/en/us/products/security/what-is-network-security.html


Safe browsing 101

--Originally published at Allow Yourself to fail and learn… and hack

Collaboration made with edy

Throughout the semester we have discussed the risks we can find on the web, the certifications and methodologies developers can use to provide a more secure ecosystem for their users, and the different types of hackers out there. There are still so many things to learn and practice related to security on the web.

Since many of the blog posts we have participated in were focused on, or at least required some knowledge of, computer security, we want to make this post a friendlier one, a post we can share with anyone, and hopefully steer people away from bad practices online.

Let’s start with the basics:

  • Be aware that anything shared online is liable to be shared with anyone. So keep personal and important information from leaking simply by not sharing it (no passwords, no personal documents, no card numbers should ever be shared unless really necessary).
  • Be careful and extremely suspicious about sites asking for personal information; there are many people illegally acquiring personal information by disguising themselves as other service companies and asking users to submit their personal data. A real example that happened to us: I received an email invoice for a transaction of 100 dollars made on PayPal; attached was a link in case I wanted to cancel the transaction. I have a PayPal account, but I had never used it this year. Checking on the official site I realized there wasn’t such a payment. Curious about the received mail, I accessed the link and there was a supposed PayPal login. By providing an email that I’ve never used on PayPal and a random password, the system granted me access and asked me to submit all my personal information. The site looks exactly like a PayPal site, but it
    Continue reading "Safe browsing 101"
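The PayPal story above is a textbook phishing pattern: a familiar brand name placed in front of a domain the brand does not own. The following Go program is an added example (not part of the original post) that applies the one check a reader can always do before clicking: parse each link and see whether its real host sits under the expected domain. The email body and the `.example` domains are constructed for the demonstration; `paypal.com` is used as the expected domain only because that is the service the story mentions, and the function names are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// sampleEmail is a constructed message modelled on the story above. The hosts
// under ".example" are placeholders standing in for whatever a phishing page
// would really be hosted on.
const sampleEmail = `Your PayPal payment of $100.00 to Example Store was completed.
If you did not authorise this, cancel it here: http://paypal.com.secure-billing.example/cancel?id=123
Or sign in to review: http://www.paypal.com@login-verify.example/signin
Legitimate account page: https://www.paypal.com/myaccount/activity`

// urlPattern pulls http(s) links out of a plain-text body.
var urlPattern = regexp.MustCompile(`https?://[^\s<>"']+`)

// LinkVerdict records why a link was (or was not) flagged.
type LinkVerdict struct {
	URL        string
	Host       string
	Suspicious bool
	Reason     string
}

// belongsToDomain is true only when host is the expected domain itself or a
// subdomain of it. "paypal.com.secure-billing.example" fails because the brand
// is just a leading label, not the registrable domain at the end of the host.
func belongsToDomain(host, domain string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	domain = strings.ToLower(domain)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// checkLinks extracts every link in body and flags the ones that do not lead
// to expectedDomain over HTTPS. url.Parse is what defeats the "user@host" trick:
// anything before "@" is userinfo, and Hostname() returns the real host.
func checkLinks(body, expectedDomain string) []LinkVerdict {
	var verdicts []LinkVerdict
	for _, raw := range urlPattern.FindAllString(body, -1) {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" {
			verdicts = append(verdicts, LinkVerdict{URL: raw, Suspicious: true, Reason: "unparseable URL"})
			continue
		}
		v := LinkVerdict{URL: raw, Host: u.Hostname()}
		switch {
		case !belongsToDomain(v.Host, expectedDomain):
			v.Suspicious = true
			v.Reason = "host " + v.Host + " is not under " + expectedDomain
		case u.Scheme != "https":
			v.Suspicious = true
			v.Reason = "sign-in link without HTTPS"
		}
		verdicts = append(verdicts, v)
	}
	return verdicts
}

func main() {
	for _, v := range checkLinks(sampleEmail, "paypal.com") {
		status := "ok"
		if v.Suspicious {
			status = "SUSPICIOUS: " + v.Reason
		}
		fmt.Printf("%-60s %s\n", v.URL, status)
	}
}
```

Run it with `go run`; the first two links are reported as suspicious and the third as fine. The reason for using `url.Parse` instead of searching for the brand name as a substring is the second link: everything before the `@` is userinfo, so the visible `www.paypal.com` is not the host at all, and a substring check would have passed it.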

OS protected

--Originally published at Allow Yourself to fail and learn… and hack

Collaboration post made with Diego

So far we have only talked about security on the web and internet-related security issues, but there are also other fields in which security should be applied. The operating system is an important example.

Operating system security refers to the measures and all the effort made by the developers to protect an OS. Do you recall the 3 big components of computer security? Integrity, Availability, and Confidentiality. Well, those three are the main components of operating system security as well.

The purpose of OS security is to protect the OS from malware, threats, and forbidden access. When someone unauthorized accesses a computer, it usually causes severe damage to the system and the data stored in it.


The most recommended methods to maintain security on your OS are the following:


  • Performing regular OS patch updates
  • Installing updated antivirus engines and software
  • Scrutinizing all incoming and outgoing network traffic through a firewall
  • Creating secure accounts with required privileges only (i.e., user management)



There are also well-known classifications to determine the effectiveness of a system or a security solution.


  • Type A – Highest level
  • Type B
  • Type C
  • Type D – Lowest level (MS-DOS falls in this category)


Security applies to many fields, and there are good and easy measures to prevent attacks from happening: keep updated and protected.


Hide yo kids hide yo wifi

--Originally published at Allow Yourself to fail and learn… and hack

What if I told you that the most common method you use to access the web is also really insecure? Well, actually almost everything web-related is prone to insecurities (not because it’s badly designed, but because there are people who will always try whatever they can to obtain access where they shouldn’t); however, wireless technology is a great target for hackers.


Let’s talk about wireless security:

This is the prevention of unauthorized access or damage to computers using wireless networks. Anyone in range of an unencrypted open wireless network can gain unauthorized access to private resources and use the information to perform illegal acts.

Some tools to provide protection by ciphering a wireless network are WEP, WPA, and WPA2. WEP is an early technology; therefore nowadays hackers can break a WEP key in a matter of minutes. The more recommended standards for security are WPA and WPA2, due to their more complex protection, which guarantees more safety than the others.

Some advice:

For god’s sake, always configure your wireless network with a password.

Make a hard-to-guess key, to keep curious intruders from breaking in.

If you’re using a router without WPA2 support, seriously consider an upgrade (this technology is outdated since 2003).

The longer your key, the better.

In a business, consider a proper setup to provide a wireless network for customers (it’s ok to be generous with people, but don’t let them access the same wireless network where the organization communicates).

Change your password regularly; there’s no perfect key.

The information shared through your wireless network is important and personal; you shouldn’t underestimate the risk of browsing on an open network.


Extra: A short introductory video about the importance of wireless security.


You don’t mess with my key

--Originally published at Allow Yourself to fail and learn… and hack


Cryptography is not a new technique at all; encrypting messages has been a thing for many, many years, because of the human need to share messages privately, protecting important and delicate information that could be misused in the wrong hands. Nowadays the story and the context are different. There still exist cases in which information has to be protected because of its importance, but now there are millions of people sharing information on the web, and the need for protecting this information is more of a concern due to privacy and the protection of personal information. It went from being a technique used by a few to a tool provided to the masses.


To understand encryption there are 3 main things we need to distinguish.


Encrypting:

There’s the Encryption part, where the message we need to share has to be protected by a lock, a lock that only sender and receiver know how to open.

Decrypting:

Then, when the receiver gets the message, he has to open the lock to understand the message; to open it he uses the method sender and receiver share.

Cipher:

Instead of using physical locks, this is the thing that nowadays we use to lock our messages.


Some common Cryptography methods:


Symmetric Key cryptography:

AKA shared key cryptography, it involves 2 people using the same key to encrypt and decrypt the information.


Public key cryptography:

Makes use of 2 different keys: a public key for encryption, so that anyone can encrypt a message and send it, and a private key, which enables only one person to open the messages encrypted with the public key.
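To make the two methods concrete, here is an added Go example (written for this post, not code from the original) using only the standard library: AES-GCM stands in for the shared-key scheme, where sender and receiver must hold the same key, and RSA-OAEP for the public-key scheme, where the public key encrypts and only the matching private key decrypts. The message text is a constructed sample and the function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// NewSharedKey draws a fresh 256-bit key. In the symmetric scheme both sender
// and receiver must hold this same value, so it has to reach them over some
// channel an eavesdropper cannot read; that distribution problem is exactly
// what public-key cryptography removes.
func NewSharedKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// SymmetricEncrypt seals plaintext with AES-256-GCM. The random nonce is
// prepended so the receiver can recover it; GCM also adds an authentication
// tag, so a modified ciphertext is rejected instead of decrypting to garbage.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt reverses SymmetricEncrypt with the same shared key.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// PublicEncrypt needs only the receiver's public key, so anyone can lock a
// message for them. RSA-OAEP is limited to short messages, which is why real
// systems use it to wrap a symmetric key and encrypt the bulk data with that.
func PublicEncrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// PrivateDecrypt opens it; only the holder of the matching private key can.
func PrivateDecrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

func main() {
	msg := []byte("meet at noon") // constructed sample message

	key, _ := NewSharedKey()
	sealed, _ := SymmetricEncrypt(key, msg)
	back, _ := SymmetricDecrypt(key, sealed)
	fmt.Printf("symmetric:  %q -> %d bytes -> %q\n", msg, len(sealed), back)

	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, _ := PublicEncrypt(&priv.PublicKey, msg)
	back, _ = PrivateDecrypt(priv, ct)
	fmt.Printf("public key: %q -> %d bytes -> %q\n", msg, len(ct), back)
}
```

Note what each scheme buys: with the shared key, GCM's authentication tag means a tampered ciphertext or the wrong key fails to open rather than silently producing garbage; with the key pair, the party doing the encrypting never needs to hold anything secret, so the public key can be handed to everyone.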


At the end, everything is prone to be hacked and obtained; therefore the best we can do is to

Continue reading "You don’t mess with my key"

Constitution of security

--Originally published at Allow Yourself to fail and learn… and hack

Have you ever wondered what we should expect as users, or as members of a company, from the technology we use or the information we acquire and manipulate? There’s a document for that, and it’s called a security policy.

When we talk about security policies, we are talking about the document that companies use to declare on paper how they protect their technology and information. Like technology, this document is always receiving updates, adding to or changing what it states.

Policies should define as follows:

  • Scope – Who the policy applies to.
  • Who does the actions defined by the policy.
  • Defines when defined actions are to be done.
  • Defines where or on what equipment the policy applies to.
  • Defines the organizational level that the policy applies to such as a division or the entire enterprise.
  • Who enforces the policy.
  • What are the consequences of failure to follow the policy.
  • Policies may reference procedures that are used but do not define the procedures. E.g. the policy may specify that passwords must be changed every 60 days but not provide a procedure telling how to change them.


So, in simple words, it is sort of an agreement that as users we agree to acknowledge, and as members of a company it guides us in applying security solutions to problems that may arise. Sort of a constitution, but with step-by-step guidance on each problem that could happen.

Extra: the voice acting here is horrible, but it’s a clear example of a security policy at companies, in this case a secure password policy.

Useful reference:

http://www.comptechdoc.org/independent/security/policies/


Show me your credentials

--Originally published at Allow Yourself to fail and learn… and hack

Nowadays the Internet is so important that many companies depend on it. The need to protect all the services we can find online has never been as crucial as it is today. Employers seeking the best-prepared IT security people can rely on the certifications the candidates may have.

Having credentials is no guarantee of obtaining the job; however, it’s a way to measure your knowledge and your commitment to quality and to keeping your knowledge up to date.


There are tons of companies and different certifications offered; today we will focus only on 4 I consider useful and important:

CISSP:

Developed by the NSA (yeah, the one controversial for spying on all US Americans) and the ISSEP (Information Systems Security Engineering Professional). This certification is one of the most sought after by employers. It focuses on methodologies and best practices on both big and small scales.

It requires an annual fee of $85 to keep the credentials valid, and a recertification once every 3 years. Obtaining this credential is not easy work; that’s why it is so valued.

CompTIA:

There are 3 different certifications that can be obtained from CompTIA, but the one we care about, the one about security, is called Security+. To obtain it you should consider having at least 2 years of experience and acquiring a Network+ certification. It is a tough certification to get, but a very complete and important one to have.

CEH:

Remember the post about the different types of hackers? Well, white hat hackers are the ones who should get this. It costs around $500 to obtain and requires 2 years of work experience.

CISM:

And last but not least we have CISM (Certified Information Security Manager); this is almost a must-have among IT experts. It is a lot more demanding than the others, requiring almost 5 years of experience and costing about $700

Continue reading "Show me your credentials"