Security Threats and Countermeasures

--Originally published at Computer and Information Security

Our society's dependence on computers and networks is increasingly surrounded by a variety of threats: computer viruses, leakage of personal information, unauthorized access from outside an organization, and more.


The proper way to reduce security threats is appropriate use; education in these topics is the principal countermeasure against security threats. The importance of reading the documentation is huge.

Another important aspect is social engineering: the act of manipulating people into performing actions or divulging confidential information. This method of deception is commonly used by individuals attempting to break into a computer system; email phishing is a common example of social engineering.

Public awareness campaigns can educate the public on the various threats of cyber-crime and the many methods used to combat it. There should be a governmental entity or program in charge of educating the public on the various threats of cyber-crime and the many methods to combat it.










source: https://www.ricoh.com/security/products/mfp/countermeasure/

Malware

--Originally published at Computer and Information Security

Malware, short for malicious software, is a term that refers to hostile or intrusive software, including worms, computer viruses, trojan horses, ransomware, spyware, adware, scareware and other malicious programs. Such software is maliciously intended and acts against the requirements of the computer user; it usually takes advantage of deficiencies in the code of a system.


These infectious programs started as pranks or tests; today malware is used by both hackers and governments. Today the main malicious purposes are stealing personal, financial or business information.


  • Ransomware: the infected computer cannot be used until a payment is made. For example, CryptoLocker encrypts files so that you are able to decrypt them only when you pay the ransom, a large sum of money.
  • Virus: a computer program, usually hidden within a seemingly innocuous program, that produces copies of itself and inserts them into other programs or files.
  • Trojan horses: a malicious computer program which misrepresents itself to appear useful and persuade a victim to install it. Generally spread by some form of social engineering, for example where a user is duped into executing an email attachment disguised to appear unsuspicious.

These are some of the principal kinds of malware found today on the internet. The consequences of becoming a victim of any of these can be extremely dangerous: as said before, from pranks by friends to ransomware infecting a hospital and threatening to lock all files until a payment is made. People need to be aware of this and educated to be able to prevent these attacks.




Cryptography

--Originally published at Computer and Information Security



Cryptography is a method of storing and transmitting data in a particular form so that only those for whom it is intended are able to read and process the information. It includes techniques such as microdots, merging words with images and many more ways of handling information. Modern cryptography concerns itself with the following four objectives:

  1. Confidentiality
  2. Integrity
  3. Non-repudiation
  4. Authentication

To use it correctly there are procedures and protocols that need to be met. They refer to mathematical procedures and many different computer programs, but you must not forget that it also needs to include the regulation of human behaviour in order to be completely random or free of patterns.


Authentication and Access Control

--Originally published at Computer and Information Security

Authentication these days is not only a matter of having a password. Today, in a distributed client-server system, a user might have several client programs running on her desktop which access server programs on remote computers across a network; in such an environment, the server must authenticate that the client runs on behalf of a legitimate user.

Modern computer systems provide services to multiple users and require the ability to accurately identify the user making a request. For services like banks or insurance, it is not enough to verify a given password, because on a network it is a packet that can be intercepted and subsequently used to impersonate a user. Nowadays, servers record the behaviour of users and can detect an abnormal pattern in the way a person interacts with the system, raising a flag that it may be an attacker.

Cryptography is now also an essential tool in network communication: a packet can be intercepted, but if you don't have the access key or the security key, you won't be able to read or interpret the packet.
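The replay risk described in this post, as an added example that is not part of the original post: a static password captured from the network works again when resent, while an HMAC challenge-response with single-use nonces rejects the captured packet. The class and function names and the sample secret are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


class PasswordServer:
    # Weak scheme: the secret itself crosses the network on every login.
    def __init__(self, password: bytes):
        self._password = password

    def login(self, sent: bytes) -> bool:
        return hmac.compare_digest(sent, self._password)


class ChallengeServer:
    # Challenge-response: the key never travels and each nonce is single-use.
    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._pending:   # unknown or already-used nonce
            return False
        self._pending.discard(nonce)     # burn it even if the MAC is wrong
        return hmac.compare_digest(response, client_response(self._key, nonce))


def client_response(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> dict:
    secret = b"constructed-sample-secret"  # constructed value, not a real credential
    weak, strong = PasswordServer(secret), ChallengeServer(secret)
    captured_password = secret             # what an eavesdropper saw on the wire
    nonce = strong.challenge()
    captured = (nonce, client_response(secret, nonce))  # also seen on the wire
    return {
        "password_replay": weak.login(captured_password),           # True
        "first_login": strong.login(*captured),                     # True
        "replay_same_nonce": strong.login(*captured),               # False
        "replay_fresh_nonce": strong.login(strong.challenge(), captured[1]),  # False
    }
```

Calling `demo()` returns the outcome of each attempt; only the static-password scheme accepts the resent packet.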


What is a security policy

--Originally published at Computer and Information Security

A security policy identifies the rules and procedures for all individuals accessing and using the assets and resources of an organization. It is a model of organizational culture in which rules and procedures govern the proper use of information and equipment, basically covering any interaction with any kind of potential hazard to the integrity of the information.

The objective of a security policy is the preservation of the confidentiality, integrity and availability of the systems and information used by its members. The three principles are:

  • confidentiality: protection against unauthorized entities
  • integrity: ensures the modification of assets is handled in a specified and authorized manner
  • availability: the state of the system having continuous access

The security policy is a document that specifies, in various sections, everything from government regulations to warnings about how to use the equipment you are given in your office.

We as a society need to figure out the best ways to have a document like this not only in our organizations but also in our daily lives. An example of not using technology properly can be found in most of the home routers in our country, or in personal computers and cellphones: people don't take proper care of all the technology that now surrounds us.

PGP Security!

--Originally published at Computer and Information Security

PGP (Pretty Good Privacy) is a cryptosystem that combines symmetric and asymmetric encryption techniques, developed by Phil Zimmermann, whose goal was to protect data distributed across the internet with a digital signature or key. PGP offers authentication of messages and verification of their integrity in case the message has been compromised, and lets you know whether the message has been read by the person who is supposed to read it.



This is the tutorial I followed; in this video you can check how to send an encrypted message and how to decrypt it. (http://notes.jerzygangi.com/the-best-pgp-tutorial-for-mac-os-x-ever/)






Encrypt your device

--Originally published at Computer and Information Security

The software I used to encrypt a USB was VeraCrypt (https://veracrypt.codeplex.com/). This software is a multi-platform fork of TrueCrypt and open-source.

In this blog we will follow the instructions in the VeraCrypt documentation.


  1. Download VeraCrypt
  2. Click on the 'Create New Volume'
  3. Select 'Create an encrypted file container' and then click 'Next'
  4. Select the 'Standard Installation' in the type of installations
  5. In the 'Volume Location' window, select where you want to put your encrypted folder and select 'Next'
  6. Select an encryption algorithm, in this case we will select AES and for 'Hash Algorithm' we selected SHA-512, then click 'Next'
  7. Choose the volume size, then 'Next'
  8. Write a password
  9. Select a file system, we selected FAT, for cluster 'Default' and unchecked the 'dynamic' option. Then click the 'Format' button
  10. Then, click 'Finish'
  11. Finally, click 'Mount' with the partition created selected and we are done.

This process can be useful when you need to have some information secured in a partition or on an external device.


1) https://www.youtube.com/watch?v=6QJQ2syf90w
2) https://www.fbi.gov/news/testimony/encryption-and-cyber-security-for-mobile-electronic-communication-devices


Certifications in Computing Security

--Originally published at Computer and Information Security



There are a lot of certifications in computer security; from servers to browsers, there are many areas in which you can become a certified programmer. Being a certified programmer in a specific area can make your resume look better and bring a bigger salary, just because you have a certification company backing that you know something.

This is a list of some of the certifications involving security that you can get:

  • CISCO CERTIFIED NETWORK PROFESSIONAL ROUTING AND SWITCHING (CCNP)
  • CISCO CERTIFIED NETWORK ASSOCIATE SECURITY CREDENTIAL (CCNA)
  • COMPTIA’S SECURITY+
  • CERTIFIED INFORMATION SYSTEMS SECURITY PROFESSIONAL (CISSP)
  • CERTIFIED INFORMATION SECURITY MANAGER (CISM)

The network area is one of the most important areas; the connections can be very vulnerable and not many people know about this risk.



Another big thing is security in the front end: you need to protect the data that is handled and the way a site or program manages its routes.





Ethical hacking

--Originally published at Computer and Information Security


The ACM in 1992 adopted the ACM Code of Ethics and Professional Conduct; it consists of 24 statements of personal responsibility. Some of them are: Contribute to society and human well-being, Avoid harm to others, Be honest and trustworthy, Respect the privacy of others, Honor confidentiality, etc.

Some of them involve more professional topics like: Strive to achieve highest quality, Acquire and maintain professional competence, Know and respect existing laws, Honor contracts, agreements and assigned responsibilities, etc.

For the full article you can check this website: https://www.acm.org/about-acm/acm-code-of-ethics-and-professional-conduct#sect1.

Here are some existing and really serious examples of some of the statutes written in the code of ethics that this author believes are important for the reader:

1) Don't spy on the work of others

2) Respect the plants

3) Don't harm other people

4) Don't enter the girls' bathroom

5) Be careful with the water, you can get hurt