TC2027 Security course

--Originally published at TC2027 – Computer and Information Security

This is the first time that I have taken classes with Ken and I have to say that it is a different experience. I have to say that this is the first time I have tried blogging and, honestly, it's not my deal. I'm not as good as many other bloggers out there, but the fact that I dig into the topics and subjects by myself makes it a very rich experience. I think that this way might not be for everyone, because many people are used to expecting the teacher to hand them the knowledge, but if you dig and investigate on your own you will find a lot of information out there on the internet.

The course TC2027 was focused on system security and I have to say I learned a lot, not only digging into the mastery topics but also in class. One of the things I liked most about the course was the applied experiences that Ken or the students shared; from those I got to learn a lot of new apps and techniques to strengthen my personal security in computing. I learned about VPNs, about encryption, about SQL injection, about malware, about personal security, about scams and phishing, and one of the most valuable things I learned is that there are a lot of interesting blogs that I now follow to keep myself updated about security and other things.

One of the things I would recommend for the course is to take your time, because each topic can get much more extensive than you think and one post might not cover all of it.


Security Countermeasures

--Originally published at TC2027 – Computer and Information Security

First, to put you in context: a threat to a system is a potential adverse event, malicious if intended, that can compromise the assets of an organization or person or the integrity of a system. (Do not confuse this with a thread, the parallel execution path inside a process; the words sound alike but have nothing to do with each other.) A countermeasure, then, is an action, process, device or system that can prevent a threat, or mitigate its effects, on a computer, server or network: it eliminates or blocks the threat, limits the harm it can do, or detects and reports it so that corrective action can be taken.


Some of the common countermeasures are:


  • Personal firewalls: software applications that protect a single Internet-connected computer from intruders, typically by dropping unsolicited inbound connections while allowing the ones the user initiated.
  • Application firewalls: in contrast to personal firewalls, these limit what individual applications are allowed to do on the operating system, for example which programs may open network connections or reach system resources.
  • Anti-virus: which I covered in an earlier post.

 

There are also hardware countermeasures. The most common is the home router, whose network address translation (NAT) keeps the private IP address of an individual computer from being visible to the public Internet. Other hardware countermeasures include biometric authentication, alarms and intrusion detection systems.

You can check more information in:

http://searchsoftwarequality.techtarget.com/definition/countermeasure

https://msdn.microsoft.com/en-us/library/ff648641.aspx


Malware

--Originally published at TC2027 – Computer and Information Security

Malicious software, or malware for short, is a term used to refer to a variety of forms of hostile or intrusive software. This software is intended specifically to damage a system or to gain access to your information. It can take a variety of forms such as executables, scripts, active content, etc.

There are a variety of types such as:

  1. Virus: attaches itself to clean files and infects other clean files; it can spread uncontrollably, damaging the system and deleting or corrupting files. Viruses are often found in executable files.
  2. Trojans: malware that pretends to be, or hides inside, legitimate software so that it can act discreetly on your system. Trojans tend to open a backdoor for others to access your system or to let other malware in.
  3. Spyware: malware intended to spy on you. It normally hides in the background and reads and collects your information (keystrokes, credentials, browsing habits).
  4. Worms: malware that infects an entire network of devices through their network interfaces, without needing any user action. It uses each new host (machine) to infect others across the network.
  5. Ransomware: one of the worst kinds of malware; it makes you pay for your own information. It encrypts your files (or locks the system) and demands money for the key that unlocks them.

These are the most common kinds of malware, but there is a really wide variety of it, which is why it is really important to know them and to know how to protect your system.

How do you protect from this malware?

First, common sense: avoid suspicious links, attachments or "prizes" from web pages or email, as these could carry malware. Also, anti-malware software can be installed to block known threats and to run scans of your system, and keeping the operating system and applications patched closes the vulnerabilities that worms rely on to spread. There are anti-virus products such as AVG, Avast and Kaspersky that can help protect you from malware attacks, but none of them catches everything, so backups kept offline remain your best protection against ransomware.
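To make the "run scans" part concrete, here is a minimal signature scanner of the kind anti-malware products use, written as an added example (it is not code from this post or from any of the products named above). It combines known-bad file hashes with byte-pattern rules. The only "malicious" sample is the harmless EICAR anti-virus test string, whose SHA-256 is the one listed; the encoded-PowerShell sample, the rule names and the benign script are constructed for illustration.

```python
import hashlib
import re
from typing import List

# Added example, not code from the original post: a minimal signature scanner
# combining known-bad hashes with byte-pattern rules.

# Hash signatures: SHA-256 of files already known to be malicious (in practice
# these come from a vendor feed). The hash below is that of the EICAR test file.
KNOWN_BAD_SHA256 = {
    "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f": "EICAR-Test-File",
}

# Pattern signatures: byte patterns that survive small changes to the file.
# A hash signature breaks as soon as one byte changes; a pattern does not.
PATTERN_RULES = [
    ("EICAR-Test-File", re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")),
    # Heuristic (constructed rule): a PowerShell launch carrying a long
    # base64 payload via -e / -ec / -enc / -EncodedCommand.
    ("Heuristic.EncodedPowerShell",
     re.compile(rb"powershell(?:\.exe)?[^\n]{0,200}?\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}",
                re.IGNORECASE)),
]


def scan_bytes(data: bytes) -> List[str]:
    """Return the names of every signature that matches the given file content."""
    hits: List[str] = []
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        hits.append(KNOWN_BAD_SHA256[digest])
    for name, pattern in PATTERN_RULES:
        if pattern.search(data) and name not in hits:
            hits.append(name)
    return hits


# Constructed samples (EICAR is the standard, harmless AV test string).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
BENIGN = b"#!/bin/sh\necho 'hello world'\n"
ENCODED_PS = (b"cmd /c powershell.exe -NoProfile -WindowStyle Hidden -enc "
              + b"SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA" * 2)

if __name__ == "__main__":
    for label, sample in (("eicar", EICAR), ("benign", BENIGN), ("encoded_ps", ENCODED_PS)):
        print(label, scan_bytes(sample))
```

The EICAR sample is caught twice over (by hash and by pattern) and reported once; the PowerShell sample has no known hash and is caught only by the heuristic pattern, which is exactly why products layer both kinds of signature.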


Cryptography

--Originally published at TC2027 – Computer and Information Security

First of all, cryptography is the practice and study of techniques for secure communication in the presence of third parties (adversaries). So from the definition we are talking about security: cryptography is about constructing and analyzing protocols that prevent those third parties from reading the content. It is all about protecting the content so that only certain users or machines can understand it; even when someone has access to the message, they will not understand it.

The most common technique in computer cryptography is scrambling plaintext into ciphertext with a process called encryption; when the receiver gets the message it can decrypt it, using the right key, to recover the plaintext.

Cryptography is concerned with 4 basic objectives:

  1. Confidentiality: the information can only be understood by the people it is meant for (like we discussed in my earlier post about authorization and access control).
  2. Integrity: the receiver can detect whether the message was altered in transit. Encryption alone does not give you this: a modified ciphertext usually still decrypts, just to a different plaintext. Integrity comes from a message authentication code (MAC) or an authenticated encryption mode that rejects any tampered message.
  3. Non-repudiation: the creator or sender of a message cannot later deny having produced it; this is provided by digital signatures, which only the holder of the private key can create.
  4. Authentication: both sides (sender and receiver) can confirm each other's identity and the origin of the message (see my earlier post about authentication).

There are many ways to encrypt a message; the mathematical procedures that make this possible, together with their keys, are called cryptosystems.
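The following added example (mine, not code from this post or from Keybase) shows the first two objectives and the gap between them. It builds an encrypt-then-MAC scheme from the Python standard library only: confidentiality comes from XOR with a keystream, integrity and sender authentication from an HMAC tag over the ciphertext. The keystream generator (HMAC-SHA256 run in counter mode) and the fixed nonce and tag sizes are my choices for illustration, not a recommendation; real code should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Added example, not code from the original post: encrypt-then-MAC with the
# standard library. Illustrative construction only; use a vetted AEAD in practice.

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key (domain separation)."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, concatenated."""
    blocks = []
    counter = 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. The nonce must never repeat under one key."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    assert len(nonce) == NONCE_LEN
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, message: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the tag does not verify (tampering or wrong key)."""
    if len(message) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master_key)
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def decrypt_ignoring_tag(master_key: bytes, message: bytes) -> bytes:
    """What a receiver that only decrypts (no MAC check) would see. Demonstration only."""
    enc_key, _ = derive_keys(master_key)
    nonce, ciphertext = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def flip_bit(message: bytes, ciphertext_index: int, mask: int = 0x01) -> bytes:
    """An attacker's in-transit modification: flip one bit of one ciphertext byte."""
    buf = bytearray(message)
    buf[NONCE_LEN + ciphertext_index] ^= mask
    return bytes(buf)


if __name__ == "__main__":
    key = os.urandom(32)
    msg = encrypt(key, b"transfer 100 to alice")
    print(decrypt(key, msg))                  # b'transfer 100 to alice'
    forged = flip_bit(msg, 9)                 # the '1' of "100" becomes '0'
    print(decrypt_ignoring_tag(key, forged))  # b'transfer 000 to alice': silent corruption
    print(decrypt(key, forged))               # None: the MAC catches it
```

The forged message decrypts perfectly well if you skip the tag check, which is the point: confidentiality does not imply integrity, and the tag is what turns "garbled" into "rejected".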

For example, Keybase is an encryption-related app for mobile and desktop for keeping information secure. Here is the web link https://keybase.io/ and an explanatory video you can check out: https://www.youtube.com/watch?v=MXh4SUFeRQQ

Also, for more information you can check this video about encryption: https://www.youtube.com/watch?v=-yFZGF8FHSg


Authentication and Access Control

--Originally published at TC2027 – Computer and Information Security

Many of you should be familiar with the terms authentication and access control. These terms are really important for keeping private the things that must stay private, so in this post I will talk about both terms and explain them further.


Authorization vs Authentication.

These terms are closely related: authentication verifies your identity, and that enables authorization. You can think of authorization policies in terms of roles; a role is used to limit the actions of a user, so it defines what an identity is allowed or not allowed to do. Imagine any customer at Amazon can create an account with an identity (their email) and use this identity to log in and access Amazon's services, but Amazon's authorization policies ensure that this user has access only to the services Amazon wants for that user.

Your identity can be included in a group (role) of identities that share common authorization policies. Authorization policies are commonplace on web sites such as Facebook, Amazon and Instagram, each of which has its own policies and authenticates enormous numbers of users.

Access Controls

Authorization policies define what an identity or group of identities may access. Access controls, also called privileges or permissions, are the mechanisms that ensure the authorization policies are actually applied. A good example is Facebook, where you can set which users can see your wall or access your personal information.

Correct configuration of access privileges is an important part of protecting your information. Imagine a bank giving an ordinary customer the privilege to read the database records of other customers, or even worse, to update their own balance.
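Here is the whole chain in code, as an added example that is not part of the original post: authentication (proving who you are, here against a salted PBKDF2 password hash) followed by role-based authorization (deciding what that identity may do), with the bank-style check that a customer can act only on their own resources. The users, roles, permission names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

# Added example, not code from the original post: authenticate, then authorize.

PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Store salt || PBKDF2-HMAC-SHA256(password); never the password itself."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Authorization policy: each role is a set of permissions (constructed shop-like example).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "customer": {"order:create", "order:read_own"},
    "support":  {"order:read_any", "order:refund"},
    "admin":    {"order:read_any", "order:refund", "user:delete"},
}

# Identity store: email -> password hash and assigned roles (constructed data).
USERS: Dict[str, Dict] = {
    "alice@example.com": {"pw": hash_password("correct horse battery"), "roles": {"customer"}},
    "bob@example.com":   {"pw": hash_password("hunter2hunter2"), "roles": {"customer", "support"}},
}
_DUMMY_HASH = hash_password("not-a-real-password")


def authenticate(email: str, password: str) -> Optional[str]:
    """Return the verified identity, or None. Unknown users still pay for one hash
    check, so response time does not reveal which emails exist."""
    user = USERS.get(email)
    if user is None:
        verify_password(password, _DUMMY_HASH)
        return None
    if not verify_password(password, user["pw"]):
        return None
    return email


def authorize(identity: Optional[str], permission: str, owner: Optional[str] = None) -> bool:
    """Access control, default deny: the identity may act only if one of its roles grants
    the permission. An '*_own' permission additionally requires that the identity owns
    the resource (the bank example: read your own record, not everybody's)."""
    if identity is None or identity not in USERS:
        return False
    roles = USERS[identity]["roles"]
    granted = any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)
    if granted and permission.endswith("_own"):
        return owner == identity
    return granted


def can(email: str, password: str, permission: str, owner: Optional[str] = None) -> bool:
    """Authentication first, then authorization."""
    return authorize(authenticate(email, password), permission, owner)
```

Note the order: the authorization question is never even asked for an identity that failed authentication, and every unknown permission, unknown role or missing identity falls through to "no".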

For more information you can watch this video, which is really complete and useful:

https://www.youtube.com/watch?v=6aXMuJPkuiU

References

https://www.icann.org/news/blog/what-is-authorization-and-access-control

https://www.doc.ic.ac.uk/~nd/surprise_95/journal/vol2/vk3/article2.html

 


Classic Security Architecture Models

--Originally published at TC2027 – Computer and Information Security

In my latest post I talked about what security policies are and what a security policy contains, but how do we apply a security policy? With a security model.

A security model is used to determine how a security policy will be implemented: which users can access the system, and in which roles. The model describes the entities governed by the policy and states the rules that constitute the policy.

There are many types of security models according to their scope, for example:

  • Models that capture policies for confidentiality, such as Bell-LaPadula
  • Models that capture policies for integrity, such as Biba and Clark-Wilson
  • Models applied to environments with static policies, such as Bell-LaPadula
  • Models applied to dynamic changes of access rights, such as the Chinese Wall model

And many others, but I'll talk about some of them.

 

How can we tell a model from a policy? Easy: a model maps the goals of a policy onto the data structures and techniques that are necessary to enforce the security policy.

 

State Machine Models

In this model the state of the machine is captured in order to verify the security of a system. Each state records which subjects hold which access permissions to which objects. If every way a subject can reach an object is consistent with the policy, and every transition leads from a secure state to another secure state, then the system is secure.

For the implementation the developer must define what the state variables are and where they live, then define what a secure state is and check that every state transition preserves it.

 

Bell-LaPadula Confidentiality Model

This model was the first to define a multilevel security policy for the states. It is a static model that enforces confidentiality. It deals with subjects that hold clearances (top secret, secret, confidential) and objects that carry classifications at the same levels, and it ensures that information never flows from a higher level to a lower one: a subject may not read an object classified above its clearance (no read up, the simple security property) and may not write to an object classified below its current level (no write down, the *-property).

Rules
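The two rules as a small state machine, written as an added example that is not part of the original post. It tracks each subject's clearance, its current working level and the objects it has open for reading, and shows why lowering a subject's level is only safe once it has stopped reading anything above the new level. The level names, subjects and file names are constructed for illustration.

```python
from typing import Dict, List, Set, Tuple

# Added example, not code from the original post: Bell-LaPadula as a state machine.

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a: str, b: str) -> bool:
    """Level a dominates level b when it is at least as high (the lattice order)."""
    return LEVELS[a] >= LEVELS[b]


class BLPSystem:
    """Protection state: each subject's clearance (maximum level), its current
    working level, and the objects it currently has open for reading."""

    def __init__(self, clearances: Dict[str, str], classifications: Dict[str, str]):
        self.clearance = dict(clearances)
        self.current = dict(clearances)        # a subject starts at its maximum level
        self.classification = dict(classifications)
        self.open_reads: Dict[str, Set[str]] = {s: set() for s in clearances}

    def read(self, subject: str, obj: str) -> bool:
        """Simple security property (no read up): the subject's current level must
        dominate the object's classification."""
        if not dominates(self.current[subject], self.classification[obj]):
            return False
        self.open_reads[subject].add(obj)
        return True

    def write(self, subject: str, obj: str) -> bool:
        """*-property (no write down): the object's classification must dominate the
        subject's current level. Writing *up* is allowed (a blind write)."""
        return dominates(self.classification[obj], self.current[subject])

    def close(self, subject: str, obj: str) -> None:
        self.open_reads[subject].discard(obj)

    def set_current_level(self, subject: str, level: str) -> bool:
        """A subject may lower its working level (in order to write to lower objects)
        only within its clearance and only if it is not still reading anything above
        the new level; otherwise it could copy what it has read into a lower object."""
        if not dominates(self.clearance[subject], level):
            return False
        for obj in self.open_reads[subject]:
            if not dominates(level, self.classification[obj]):
                return False
        self.current[subject] = level
        return True


def demo() -> List[Tuple[str, bool]]:
    """Walk a director and a clerk through the rules and record each decision."""
    s = BLPSystem(
        clearances={"director": "top_secret", "analyst": "secret", "clerk": "confidential"},
        classifications={"budget.pdf": "top_secret", "ops_plan.doc": "secret",
                         "payroll.xlsx": "confidential"},
    )
    trace = []
    trace.append(("director reads budget.pdf", s.read("director", "budget.pdf")))                       # True
    trace.append(("director writes payroll.xlsx", s.write("director", "payroll.xlsx")))                 # False: write down
    trace.append(("director lowers to confidential", s.set_current_level("director", "confidential")))  # False: budget open
    s.close("director", "budget.pdf")
    trace.append(("director lowers after closing", s.set_current_level("director", "confidential")))    # True
    trace.append(("director writes payroll.xlsx now", s.write("director", "payroll.xlsx")))             # True
    trace.append(("director reads budget.pdf now", s.read("director", "budget.pdf")))                   # False: above level
    trace.append(("clerk reads ops_plan.doc", s.read("clerk", "ops_plan.doc")))                         # False: read up
    trace.append(("clerk writes ops_plan.doc", s.write("clerk", "ops_plan.doc")))                       # True: blind write up
    return trace


if __name__ == "__main__":
    for step, allowed in demo():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {step}")
```

The "blind write up" is a real consequence of the model that surprises people: a clerk can append to a secret document they are not allowed to read, because the model protects confidentiality only, which is exactly the gap Biba and Clark-Wilson address for integrity.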

Security Policies

--Originally published at TC2027 – Computer and Information Security

Today I'll talk about security policies. This will be a short post, because it is one definition I need before I can talk about security architecture models, which are quite fun.

So, a security policy is the definition of what is secure for a system; it clearly and concisely describes what the protection mechanisms are meant to achieve. For organizations this is important because the policy addresses constraints on functions and on the flow of information among them.

Normally a policy must contain the following:

  1. Scope— should address all information, systems, facilities, programs, data, networks and all users of technology in the organization, without exception
  2. Information classification— should provide content-specific definitions rather than generic “confidential” or “restricted”
  3. Management goals— goals for secure handling of information in each classification category (e.g., legal, regulatory, and contractual obligations for security) may be combined and phrased as generic objectives such as “customer privacy entails no authorized cleartext access to customer data for anyone but customer representatives and only for purposes of communicating with customer,” “information integrity entails no write access outside accountable job functions,” and “prevent loss of assets”
  4. Context— Placement of the policy in the context of other management directives and supplementary documents (e.g., is agreed by all at executive level, all other information handling documents must be consistent with it)
  5. Supporting documents— include references to supporting documents (e.g., roles and responsibilities, process, technology standards, procedures, guidelines)
  6. Specific instructions— include instruction on well-established organization-wide security mandates (e.g., all access to any computer system requires identity verification and authentication, no sharing of individual authentication mechanisms)
  7. Responsibilities— outline specific designation of well-established responsibilities (e.g., the technology department is the sole provider of telecommunications lines)
  8. Consequences— include consequences for non-compliance (e.g., up

Ethical Hacking

--Originally published at TC2027 – Computer and Information Security

So, this time I want to talk about a topic that may be familiar to a lot of people: ethical hacking. But do you really know what ethical hacking is, or what an ethical hacker does?

Starting with the basics, the definition according to McMaster is 'the controversial act of locating weaknesses and vulnerabilities of computer and information systems by duplicating the intent and actions of malicious hackers'. So basically, it is using your skills to find vulnerabilities or security issues before an attacker does. Let me continue with the term hacker: it is any person who knows how to code and does it enthusiastically. According to this definition almost any programmer can be a hacker, but there are also hacker classifications: black hat, red hat and others. For this post I'm going to talk about white hat hackers (ethical hackers).

Here is a cool picture about hacker history: https://eduarea.wordpress.com/2013/06/09/que-es-el-ethical-hacking/

Ethical hackers are the ones who apply their knowledge and hacking skills for defensive purposes on behalf of the owners of an information system. This is cool because, even though they have the knowledge and skills to do harm, they use them to protect the system and to find its vulnerabilities before a hacker with other intentions does. There is some controversy about this, because how do people know whether this knowledge and these skills are being used the right way?

Surprise: there are many white hat hacker certifications available online, so you can show that you apply this knowledge legitimately. Keep in mind, though, that a certificate by itself is not what keeps you on the right side of the law; that takes explicit, written authorization from the owner of the system, with an agreed scope, before any testing starts.

Continue your journey with Security Certifications

--Originally published at TC2027 – Computer and Information Security

Recently I talked about the importance of studying a career in computer security in my post "Why should we study computing security". So today I want to talk about how to continue your path as a computer security engineer. At some point in your professional life in computer security there will be competition, in which you could be favoured if you hold some certifications.


There are almost a hundred certifications in this area; they come in all shapes and subjects, from ethical hacking and web penetration testing to forensics. Normally they are administered by individual organizations such as CompTIA, GIAC, (ISC)2, etc. Typically, these organizations divide their certifications into 3 levels (entry-level, intermediate and expert), so there is a LOT to be certified in. For now, I'll just talk about the most popular certifications in the industry.

For starters (entry level) there are some convenient certifications such as:

  • CompTIA Security+
    • This is a well-known, vendor-neutral security certification from CompTIA; people certified in Security+ are recognized for possessing solid skills across multiple security-related disciplines.
  • GSEC – GIAC Security Essentials Certification
    • Also an entry-level certificate, available to everyone interested in IT security. There is no prerequisite, which makes it a great start!
  • SSCP: Systems Security Certified Practitioner
    • Another entry-level certification, offered by (ISC)2. It covers the basics of cryptography, access control, malicious code and activity, networks and communications, and security operations and administration.

For a more intermediate or expert level, these are some other certifications:

The C.I.A goals

--Originally published at TC2027 – Computer and Information Security

Today I’ll be talking about the CIA.


This is not about the Central Intelligence Agency, as is commonly known. These are the main goals of every security program, and I'll talk about each one of them. Every program or computing system must fulfil these 3 basic goals to be called secure (well, kind of, because there is no 100% risk-free program).

Confidentiality

Confidentiality aims to keep sensitive information from reaching the wrong people. I think nobody would like their private photos or messages to be seen by others. Access to your information must be restricted to those authorized to view it. A common example is Facebook, where you can authorize who may see your posts and from whom they will be hidden.


The most common way to ensure confidentiality is data encryption, which keeps your information readable only to whoever holds the key. Also, it has become the norm to use two-factor authentication for your confidential information: you authenticate with your password and with something you have, such as your phone. Nowadays there are also biometric verification and security tokens to help ensure confidentiality.

Integrity

This goal aims to maintain the consistency, accuracy and trustworthiness of the data. Your data must not be modified in transit and must not be altered by unauthorized people. A common example is file permissions: you can restrict who may write to a file so that nobody else can change its content, and you can keep a cryptographic hash or signature of it to detect whether it has been changed.


Or, for example, with APIs you must ensure that the information is delivered unaltered to the user who asked for it; the transit of this data must be protected (with TLS, for instance) so that no intermediary can read or modify it in the middle of the transaction.

Also talking about relational databases, in case of a server crash you must
