Classic Security Architecture Models

--Originally published at Mental Droppings of a Tired Student

A security model is a specification of a security policy: it describes the entities governed by the policy and states the rules that constitute the policy.

There are various types of security models:

  • Models can capture policies for confidentiality or for integrity.
  • Some models apply to environments with static policies, others consider dynamic changes of access rights.
  • Security models can be informal, semi-formal, or formal.

Model vs Policy

A security model maps the abstract goals of the policy to information system terms by specifying explicit data structures and techniques that are necessary to enforce the security policy. A security model is usually represented in mathematics and analytical ideas, which are then mapped to system specifications, and then developed by programmers through programming code.

For example, if a security policy states that subjects need to be authorized to access objects, the security model would provide the mathematical relationships and formulas explaining how x can access y only through the outlined specific methods.

A security policy outlines goals without regard to how they will be accomplished. A model is a framework that gives the policy form and solves security access problems for particular situations.

Read more about security policies in my next post.

Here are three classic security architecture models:

Lattice Models

  • A lattice is a mathematical construct that is built upon the notion of a group.
  • A lattice is a mathematical construction with:
    • a set of elements
    • a partial ordering relation
    • the property that any two elements must have a unique least upper bound and greatest lower bound

A security lattice model combines multilevel and multilateral security. Lattice elements are security labels that consist of a security level and a set of categories.

State Machine Models

In a state machine model, the state of a machine is captured in order to verify the security

Continue reading "Classic Security Architecture Models"
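The security labels described under "Lattice Models" above, as an added example that is not part of the original post: labels made of a level and a set of categories, the partial order between them, and a brute-force check that every pair has a least upper bound and a greatest lower bound. The level names and the FINANCE and HR categories are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

# Assumed, constructed level names, ordered from lowest to highest.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    """A lattice element: one security level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()

    def rank(self):
        return LEVELS.index(self.level)

    def dominates(self, other):
        # Partial order: at least as high a level AND a superset of categories.
        return self.rank() >= other.rank() and self.categories >= other.categories


def lub(a, b):
    """Least upper bound: the higher level and the union of categories."""
    return Label(LEVELS[max(a.rank(), b.rank())], a.categories | b.categories)


def glb(a, b):
    """Greatest lower bound: the lower level and the shared categories."""
    return Label(LEVELS[min(a.rank(), b.rank())], a.categories & b.categories)


def comparable(a, b):
    return a.dominates(b) or b.dominates(a)


def all_labels(categories):
    """Every label that can be built from LEVELS and the given categories."""
    cats = sorted(categories)
    subsets = [frozenset(c) for n in range(len(cats) + 1)
               for c in combinations(cats, n)]
    return [Label(level, s) for level in LEVELS for s in subsets]


def verify_lattice(universe):
    """Brute-force the lattice property: for every pair, lub() is an upper
    bound that every other upper bound dominates, and dually for glb()."""
    for a in universe:
        for b in universe:
            uppers = [u for u in universe if u.dominates(a) and u.dominates(b)]
            lowers = [l for l in universe if a.dominates(l) and b.dominates(l)]
            join, meet = lub(a, b), glb(a, b)
            if join not in uppers or not all(u.dominates(join) for u in uppers):
                return False
            if meet not in lowers or not all(meet.dominates(l) for l in lowers):
                return False
    return True


if __name__ == "__main__":
    a = Label("SECRET", frozenset({"FINANCE"}))
    b = Label("CONFIDENTIAL", frozenset({"HR"}))
    print(comparable(a, b), lub(a, b), glb(a, b))
    print(verify_lattice(all_labels({"FINANCE", "HR"})))
```

The two sample labels are not comparable, which is why the order is only partial, yet they still have exactly one least upper bound and one greatest lower bound.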

Risk Assessment Methodologies (Mastery 7)

--Originally published at Mental Droppings of a Tired Student

In all types of engineering, sophisticated risk assessments are often used within companies when it concerns threats to life, environment or machine functioning. The nuclear, aerospace, oil, rail and military industries have a long history of dealing with risk assessment. Medical, hospital, social service and food industries control risks and perform risk assessments on a continual basis. Methods for assessment of risk may differ between industries and whether it pertains to general financial decisions or environmental, ecological, or public health risk assessment.

Risk assessment is the determination of a quantitative or qualitative estimate of risk related to a well-defined situation and a recognized threat. Quantitative risk assessment requires calculations of two components of risk:

  • The magnitude of the potential loss (L)
  • The probability (p) that the loss will occur.

An acceptable risk is a risk that is understood and tolerated usually because the cost or difficulty of implementing an effective countermeasure for the associated vulnerability exceeds the expectation of loss.

Part of the difficulty in risk management is that both quantities with which risk assessment is concerned (potential loss and probability of occurrence) can be very difficult to measure. The chance of error in measuring these two concepts is high.

The following methodologies are commonly used by security practitioners and consultants for risk assessment:

  • Asset Audit
  • Pipeline Model
  • Attack Tree

Asset Audit

The asset audit approach is an easy-to-use and straightforward method for assessing risks by giving the reviewer and owners a direct approach of looking at all the information assets and their risk exposure. The people involved in the asset audit process also obtain a better understanding of how information flows in and out of, as well as is stored on, the system. With this knowledge and insight of the system and the information flow, the reviewer can have

Continue reading "Risk Assessment Methodologies (Mastery 7)"

Network Security

--Originally published at TC2027 – Will It Blog?

A network is formed when two or more machines are connected together and share resources. The internet is nothing more than a network of networks. Right now I’m going to focus on wired network security. The wire used to connect two computers using the Ethernet protocol is called UTP (Unshielded Twisted Pair). These are commonly connected to switches, which are connected to routers; this is the basic scheme of a network.

Also neat network wiring looks really awesome, just like the armor of an Eva Unit.

Back to the topic: a common vulnerability is unauthorized access, a term which explains itself. If an attacker gains access, they can exploit several vulnerabilities. The following is a list of vulnerabilities found in several of the parts that make up a network. I will assume that you already know what the layers of the OSI model are and what sort of protocols are used at each level (I will leave a diagram just in case).

[Diagram: OSI model and the protocols at each layer]

Vulnerabilities inside TCP/IP Protocol

This is the protocol suite (group of protocols) on which the internet is built. One of the protocols that runs in this model is TCP, which has a vulnerability in the three-way handshake done when establishing a new connection: an attacker can open half-open sessions through tons of SYN messages, which would eventually flood the server and make it crash. IP spoofing attacks (like the ping of death), used in DoS attacks, can also be done through the network.

Vulnerabilities in the DNS

The Domain Name Server, the one in charge of resolving host names into IP addresses, also has vulnerabilities that could be exploited. This program can be attacked to modify its records and redirect traffic to an incorrect or malicious IP address; this goes by the name

Continue reading "Network Security"
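The half-open handshake state described under "Vulnerabilities inside TCP/IP Protocol" above, seen from the defender's side, as an added example that is not part of the original post: a replay of client-to-server packets that tracks handshakes still waiting for their final ACK and raises an alert when too many pile up on one port. The packet records, threshold and timeout are constructed for illustration.

```python
# Constructed sample of client->server TCP packets seen at a server:
# (time_ms, src_ip, src_port, dst_port, flags). Addresses are documentation ranges.
LEGIT = [
    (0, "198.51.100.7", 40000, 443, "SYN"),
    (50, "198.51.100.7", 40000, 443, "ACK"),   # handshake completed
]
# 30 SYNs in 300 ms from rotating (possibly spoofed) sources, never followed by an ACK.
FLOOD = [(1000 + i * 10, f"203.0.113.{i % 5 + 1}", 50000 + i, 443, "SYN")
         for i in range(30)]


def half_open_alerts(packets, threshold=20, timeout_ms=5000):
    """Replay packets and return (time_ms, dst_port, pending) each time the
    number of half-open handshakes on a port rises above the threshold."""
    pending = {}      # (src_ip, src_port, dst_port) -> time the SYN arrived
    alerting = set()  # ports currently above the threshold
    alerts = []
    for ts, src, sport, dport, flags in sorted(packets):
        # Forget handshakes the server would already have timed out.
        for key in [k for k, t0 in pending.items() if ts - t0 > timeout_ms]:
            del pending[key]
        key = (src, sport, dport)
        if flags == "SYN":
            pending[key] = ts            # server is now waiting for the final ACK
        elif flags in ("ACK", "RST"):
            pending.pop(key, None)       # handshake completed or aborted
        # Count per destination port, not per source: sources can be spoofed.
        count = sum(1 for k in pending if k[2] == dport)
        if count > threshold and dport not in alerting:
            alerting.add(dport)
            alerts.append((ts, dport, count))
        elif count <= threshold:
            alerting.discard(dport)
    return alerts


if __name__ == "__main__":
    print(half_open_alerts(LEGIT))           # normal traffic
    print(half_open_alerts(LEGIT + FLOOD))   # flood on port 443
```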

Total domination of the World! … Or at least of your OS?

--Originally published at TC2027 – Will It Blog?

First of all, I would like to say this was a post in collaboration with two other people: Cesar Cornejo and Audray (Ariadna).

Just about everybody knows by now that systems need security in order to protect data from access by unauthorized users or malicious programs. Operating systems are no exception to this rule.

Another characteristic of operating systems, aside from performing hardware abstractions and sharing/coordinating data among processes, is that they also need to ensure security on each one of their resources, such as CPU, disk memory, RAM, programs and the information or data that programs use.

UNIX/Linux

How do they achieve this? For example, in UNIX systems, at the lowest level we have three protection domains available: owner, group and global. For each domain, three operations are allowed over a certain resource: reading (r), writing (w) and executing (x). So only the superuser (or the sudo user) can change resource settings in order to manage the permissions over those resources, the type of session that is allowed to use them and what they are allowed to do with them.

Mac OS

On the other hand, Apple’s Mac OS X implements extra security layers like:

  • Application Firewall which lets you control the connections made to your computer by others.
  • Gatekeeper which can block, once configured, any install aside from the apps made by Apple.
  • XProtect which compares any downloaded file with a blacklist made by Apple of known malware.

These extra security measures can make a big difference to the average user of any computer, and having them running by default is a big plus for not having to worry about technical issues.

We can make an extra comment about a common myth: that neither Macs nor Unix systems can get viruses. It’s a lie, both of them can

Continue reading "Total domination of the World! … Or at least of your OS?"

Policies in Wonderland

--Originally published at (Not so) Random talk

Let’s play, let’s play, with allegories and fantasies.

Let’s play, let’s learn, about security policies.

The company becomes a kingdom,

The CEO becomes the queen.

Gif from: http://makeagif.com/3i8T6n

But being who I am,

But being who you are

It can’t be any kingdom

And now you are in Wonderland.

“Off with the head!”

“Off with the head!”

Yells the Red Queen

For now you are under her rules.

You fell into the Rabbit Hole

You fell into Wonderland

And having been unannounced

The Queen seems to think the policies you’ve broken.

“The policies have not been broken”

“The policies have not been written”

“The policies are not even known”, is what you say

So you saved your neck for now.

Think the policies,

Write the policies,

And if the Queen is happy,

Your head shall go home on your shoulders.

Days and days you think,

Days and days you write,

For the policies that won’t be over specific,

And that will pass the test of time.

Security advice must be given,

Security protocols must be covered,

You think of common practices,

But without copying them for this are just for Wonderland.

Three common policies are known to you,

Three common policies are written.

Information, Privacy and Acceptable Use policies

For Wonderland are clearly written now.

The White Rabbit has taken them,

The White Rabbit will read them to the kingdom,

His trumpet will sound, and so he will say

“Hear all, hear all, the new policies are here”.

The Information policy designates

Who is responsible for information security matters,

The Information policy describes,

The role each member of the kingdom will play in information security.

The Queen is the authority in the creation of security standards,

The Queen is the authority for incident response,

But not it won’t

Continue reading "Policies in Wonderland"

PHP: Security Perspective

--Originally published at TC2027 – Will It Blog?

Through this semester one of my goals was to learn PHP and hopefully understand how the backend of an application worked. It also turned out to be convenient because I had a course on Web development and I thought I would be using it on my project for that class.

But in the end I heard from colleagues and forums how it was a pretty unruly/insecure language, and through the course we once used this framework called CakePHP. That was my first approach ever to MVC architecture. I didn’t like it, it was confusing, and it was after watching 2 tutorials that I started understanding what was going on. There are also other PHP frameworks like Laravel that offer a more elegant way of writing code, but I think the thing is that one must understand or have an idea of the language the framework is using.

So I started reading this guide to raw PHP, and what surprised me the most was this part, mentioned when covering sessions in PHP.

Session fixation describes an attack vector in which a malicious third-party sets (i.e. fixes) the session identifier (SID) of a user, and is thus able to access that user’s session.

And they proceed to mention other things, like not storing sensitive information in a cookie, MD5 hashing (to “increase” security on data exchange) and other stuff, but I was still worried about the security involved when using this language. What I want to cover are the vulnerabilities that the language has and what I think is the reason that it is so rejected by many developers.

First of all, PHP is a back-end (server-side oriented) language, created back in 1994, and its meaning was PERLsonal home page as I will call it

Continue reading "PHP: Security Perspective"

Nothing is true. Everything is permitted.

--Originally published at Miss F.

Throughout my soon-ending school experience, I always thought that getting good grades was the only way to learn. I hadn’t had trouble with that until 2012, the year I became a University student. My grades dropped, I started failing subjects, my scholarship was reduced and, consequently, I had a personal crisis. It seemed obvious to me that I was becoming a failure and my life would suck forever because I just couldn’t get my average to what I wanted. My brain was going into shock and I couldn’t soak in any knowledge. I can summarize said experience with this song:

Many students believe that their grades define who they are and who they will become. If you have good grades you’ll be successful and get a good job, if they aren’t you suck. Thus, “I Must Impress My Professor” becomes a hymn.

It wasn’t until less than a year ago that I started seeing things differently. I started loving my degree and my subjects, I began feeling happy about myself and what I had accomplished. Who cares about grades when I have so much more to offer? I clearly remember a few months ago when I called my mum and told her “I think I’m finally getting the hang of school”. She laughed and said “Well, better late than never!”. It literally took me 19 years to understand what school was all about, or at least what it should be about.

A huge part of this change of mind I had, I owe to Ken Bauer and every other teacher that focused on helping students learn instead of showing off and acting as a deity. It’s because of you that I understood that everyone has their own learning process and it’s OK to take longer to understand something and it’s OK not

Continue reading "Nothing is true. Everything is permitted."

Papelito habla!

--Originally published at The shield of the world

So there are a lot of options to actually certify yourself as a computer security professional. Why is it important to have a certificate? To actually prove that you have a good amount of knowledge and that you are worth hiring. It is like the certificates in web pages: proof that you can actually trust something.

So there are a lot of certificates; some of the most popular are:

  1. CompTIA Security+
  2. CEH: Certified Ethical Hacker
  3. GSEC: SANS GIAC Security Essentials
  4. CISSP: Certified Information Systems Security Professional
  5. CISM: Certified Information Security Manager

In this list provided by InfoSec, there are entry-level credentials, like Security+ and GIAC Security Essentials, as well as more advanced certs, such as the CEH, CISSP and CISM.

So, as advice from these guys, getting a certification is a good bet if you actually want to advance your career in the IT field and if you are interested in specializing in security.

It is important to know that there are a number of tracks a professional can take to demonstrate qualifications. Four sources categorizing these, and many other credentials, licenses and certifications, are:

  1. Schools and universities;
  2. “Vendor” sponsored credentials (Microsoft, Cisco)
  3. Association and organization sponsored credentials
  4. Governmental body sponsored licenses, certifications and credentials

It is important to know that the quality and acceptance of IT credentials vary worldwide, as you may imagine: from a Master's degree, to a Microsoft certification, to a list of lesser-known credentials.

So, getting a certificate is a good option, and probably the best is to go for a well-known entry-level course or certification, to have the quality and acceptance in every country. Probably some of them are really useful in your country because they are known, but this may not happen in other countries.

Continue reading "Papelito habla!"

Is not about you…is about me

--Originally published at The shield of the world

So when we talk about computer security there is a topic that some of us really think about: how to ensure ethical and legal responsibilities. Why this? Because when someone has knowledge about this topic, it is easy to go from white to black hat in a matter of seconds.

There are some other professionals whose job duties affect others’ lives, and they receive formal training to address ethical issues and how to deal with them. In the case of IT security personnel, they have access to confidential data and knowledge about individuals’ and companies’ networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations.

This is related to what happened to Tec de Monterrey: when the institution was growing and becoming important in the country as a quality education institution, its mission was to deliver god-tier prepared technicians to the professional world. And they did, but they all lacked ethical values, and that was some of the criticism the institution received as feedback from the enterprises that hired the graduates from Tec.

Nowadays the institution has more courses related to ethical challenges and how to deal with them, debating the best solution with a global perspective of the affected ones. As a technical career, we, with the help of the professors, are developing ethical guidelines. It is something everybody should relate to.

So the main responsibility is to respect the privacy of the information an IT or

Continue reading "Is not about you…is about me"

Administrating Security (Risk Assessment Methodologies)

--Originally published at TC2027 – Will It Blog?

It is a fact that system administrators may find themselves also doing some security tasks within their organizations or projects, having to take care of security for both users (technical aspects) and upper management (explaining costs).

What is risk analysis?

This procedure is used to estimate potential losses that may result from system vulnerabilities and to quantify the damage from those. So the primary goal of risk analysis is the selection of cost-effective safeguards to reduce risk to an acceptable level.

In simpler words, it is a way to figure out how important your system is and how far you are willing to go to protect it.

First we want to detect the most valuable asset (information and puppies) aside from the tangible assets (equipment). Also consider the importance and vulnerability of that information. Costs: the cost of losing or compromising the information and the cost of protecting the information (maintenance).

Contingency plan

Plan for disaster; it may spell the difference between a problem and a catastrophe. Backups are the key to disaster planning. It is as simple as carrying out activities such as backing up data for storage at remote secure facilities and arranging other equipment facilities.

Threat Modeling

Getting into more technical stuff, one of the first steps in any kind of security development life cycle model is threat modeling. It is a procedure that optimizes any kind of app or network instance by identifying objectives and vulnerabilities, and then countermeasures to prevent or mitigate their effects.

The image below (courtesy of Microsoft) shows the steps of a generic threat modeling process:

http://kenscourses.com/tc2027fall2016/wp-content/uploads/2016/11/8c43d285179ecd434575d5911015ad24.jpg

Once done, the next thing you want to do is to find security issues by performing several code reviews or penetration tests, otherwise the problems will not be discovered until production time and that just compromises the

Continue reading "Administrating Security (Risk Assessment Methodologies)"