Operating System Security

--Originally published at Computer and Information Security

Among the main operating systems, MacOS is one of the most important. Yesterday a vulnerability was discovered that allowed a guest user to obtain administrator privileges with a simple change of the user name and pressing Enter several times.
You can see the original discovery here.

The most interesting part is that 19 hours later Apple already had an update to the operating system available in its download center that fixed the problem.

No system is perfect, but the speed of reaction and the creators' commitment to keeping it secure, reliable and functional is what makes its users stay.

Cryptography

--Originally published at Computer and Information Security

Cryptography has been around for as long as we have. We should remember that breaking a cryptographic system was the purpose of the first computers, and also that cryptography and security are always related, in IT or elsewhere. For example:
Every poker player should learn a bit about cryptography. Because, in a way, playing poker is actually a form of cryptography. Let me explain.
Cryptography is the science of encoding information. Typically encryption is used to encode communications between two parties so that a third party is unable to understand it. For millennia, people have been trying to encrypt their communications—and the field of cryptography has become increasingly important over the years.
All of the innovation in cryptography is designed to address one problem. There is an inherent tradeoff between ease-of-use of a cryptographic method and its security.
Interestingly, if you are interested only in security—making sure that no one can possibly break your code—and not at all in ease-of-use, then the solution to perfect encryption is trivially simple. You can use a method called a one time pad.
Let’s say we have a message written in English that is 140 characters long. We want to encode this message so that only its intended recipient can read it. Before we send the message, we generate a list of 140 random numbers from 0 to 26. Maybe we have a computer generate this list. We write the random numbers down on a piece of paper and hand it to our intended recipient.
Then we compose the message. And for every character in our message, we add the corresponding number to it—adding meaning that we go that many letters forward in the alphabet to get the new letter. So if our letter is E, and the random number is 3, then in our
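The one-time pad described above, as an added example (not code from the quoted article): each letter is moved forward by its own random number from the pad, the recipient moves it back, and the last function shows why the scheme is unbreakable: any other plaintext of the same length is equally consistent with the ciphertext. Pad values are drawn from 0..25 here, since a shift of 26 lands on the same letter.

```python
import secrets

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def make_pad(length):
    """One independent random shift per letter from the OS CSPRNG.
    A pad is used for exactly one message and then destroyed."""
    return [secrets.randbelow(26) for _ in range(length)]


def _shift(text, pad, sign):
    text = text.upper()
    if len(pad) < len(text):
        raise ValueError("pad shorter than message: never stretch or reuse a pad")
    out = []
    for letter, k in zip(text, pad):
        if letter not in ALPHABET:
            raise ValueError("only A-Z can be encoded, got %r" % letter)
        out.append(ALPHABET[(ALPHABET.index(letter) + sign * k) % 26])
    return "".join(out)


def encrypt(plaintext, pad):
    """Go 'that many letters forward' for each letter, wrapping Z back to A."""
    return _shift(plaintext, pad, +1)


def decrypt(ciphertext, pad):
    """The recipient, holding the same sheet of numbers, goes backward."""
    return _shift(ciphertext, pad, -1)


def pad_explaining(ciphertext, candidate_plaintext):
    """For ANY candidate plaintext of the same length there is a pad that
    produces this exact ciphertext, so the ciphertext alone gives an
    eavesdropper no reason to prefer one reading over another."""
    return [(ALPHABET.index(c) - ALPHABET.index(p)) % 26
            for c, p in zip(ciphertext.upper(), candidate_plaintext.upper())]


if __name__ == "__main__":
    message = "ATTACKATDAWN"  # constructed sample message
    pad = make_pad(len(message))
    ct = encrypt(message, pad)
    assert decrypt(ct, pad) == message
    other = "RETREATNOWOK"  # a different message the same ciphertext could hide
    assert encrypt(other, pad_explaining(ct, other)) == ct
    print(message, "->", ct)
```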

Unintentional Security Issues

--Originally published at Computer and Information Security

It is easy: users and admins are humans, and humans make mistakes.

There have been many times when, because of a mistake made by a human, the system failed, and that is a real issue when, for example, that human works at AWS and unintentionally breaks the internet for half of the USA.

It's human to make errors, but thankfully these errors can be 100% prevented. A mixture of strategies may help to prevent human errors from turning into security incidents.



When looking at attacks today, most people think external attacks are the biggest problem for organizations and where they need to focus most of their energy. However, it is important to distinguish between the source of an attack and the cause of damage. While the source of most attacks is absolutely external, the cause of damage is often the accidental insider. Adversaries recognize that it is too hard to directly break into servers and compromise an organization externally. It is much easier to target an insider, trick that person into opening an attachment or clicking on a link through social engineering, and then leverage his system as a point of compromise. In many cases, the activity that is used to compromise an insider typically revolves around executable attachments, macros in office documents and HTML embedded content. What can an organization do to properly protect itself against insider threats? Most organizations believe greater security awareness is the answer to minimizing accidental insider attacks; this means ensuring employees better understand the dangers and exposures. While I am a big fan of awareness, organizations have to remember that no solution will solve every problem. Awareness is good for basic attacks where there is something visibly wrong with the email or information received by the user. However, with advanced adversaries and more sophisticated phishing attacks, the
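Since awareness alone does not stop the attachment types the quoted passage names, a mail gateway can triage them before a user ever sees them. The following is an added example, not code from the quoted article: it labels an attachment by its final extension and, for Office files, looks inside the zip container for a VBA project, so a macro document renamed to a harmless-looking extension is still caught. The extension lists and the sample documents are constructed for the example.

```python
import io
import zipfile

# Constructed policy lists: executables and script hosts, browser-run HTML,
# and the Office formats that can carry macros.
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi"}
HTML_EXT = {"html", "htm", "hta"}
OFFICE_EXT = {"docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm"}


def has_vba_macro(data):
    """OOXML Office files are zip archives; a VBA project is stored as
    vbaProject.bin inside them regardless of the extension the sender chose."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename, data):
    """Return 'executable', 'html', 'macro-document', 'document' or 'other'.
    Only the LAST extension counts, so 'invoice.pdf.exe' is an executable."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in EXECUTABLE_EXT:
        return "executable"
    if ext in HTML_EXT:
        return "html"
    if ext in OFFICE_EXT:
        return "macro-document" if has_vba_macro(data) else "document"
    return "other"


def build_docx(with_macro):
    """Constructed sample: a minimal Office-style zip, optionally with a VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("report.docx", build_docx(False)),
                       ("report.docx", build_docx(True)),
                       ("invoice.pdf.exe", b"MZ"), ("photo.jpg", b"")]:
        print(name, "->", classify_attachment(name, blob))
```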

Ethical issues security professionals

--Originally published at Computer and Information Security

Physicians, attorneys and other professionals whose job duties affect others' lives usually receive, as part of their formal training, courses that address ethical issues common to their professions.
IT security personnel often have access to confidential data and knowledge about individuals' and companies' networks and systems that give them a great deal of power. That power can be abused, either deliberately or inadvertently. But there are no standardized training requirements for hanging out your shingle as an IT security consultant or in-house security specialist. Associations and organizations for IT pros are beginning to address the ethical side of the job, but again, there is no requirement for IT security personnel to belong to those organizations.
Why are ethical guidelines needed?
The education and training of IT professionals, including security specialists, usually focuses on technical knowledge and skills. You learn how to perform tasks, but with little consideration of how those abilities can be misused. In fact, many IT professionals approach their work with a hacker's perspective: whatever you can do, you're entitled to do. (Note: In this article, we're using the word hacker in the current common meaning, pertaining to "black hat" hackers who use their skills to break into systems and access data and programs without the permission of the owners. We're well aware that the term originally referred to anyone with advanced programming skills, and that there are "white hat hackers" who use their skills to help companies and individuals protect against the black hats.)

In fact, many IT pros don't even realize that their jobs involve ethical issues. Yet we make decisions on a daily basis that raise ethical questions.
What are the ethical issues?
Many of the ethical issues that face IT professionals involve privacy. For example:

IT Risk Management

--Originally published at TC2027 – Titel der Website

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

The business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise or organization

IT risk management can be considered a component of a wider enterprise risk management system.[1]

The establishment, maintenance and continuous update of an Information security management system (ISMS) provide a strong indication that a company is using a systematic approach for the identification, assessment and management of information security risks.[2]

Different methodologies have been proposed to manage IT risks, each of them divided into processes and steps.[3]

According to the Risk IT framework,[1] this encompasses not only the negative impact of operations and service delivery which can bring destruction or reduction of the value of the organization, but also the benefit enabling risk associated to missing opportunities to use technology to enable or enhance business or the IT project management for aspects like overspending or late delivery with adverse business impact.

Because risk is strictly tied to uncertainty, decision theory should be applied to manage risk as a science, i.e. rationally making choices under uncertainty.

Generally speaking, risk is the product of likelihood times impact (Risk = Likelihood * Impact).[4]

The measure of an IT risk can be determined as a product of threat, vulnerability and asset values:[5]

$Risk = Threat \times Vulnerability \times Asset$

A more current Risk management framework for IT Risk would be the TIK framework:

$Risk = \frac{Vulnerability \times Threat}{CounterMeasure} \times AssetValueAtRisk$ [6]

https://en.wikipedia.org/wiki/IT_risk_management

 

This is my last blog post for this course, so I just decided to make it super easy for myself.

The information from Wikipedia gives a super good overview of the topic.

 

Greetings from a German


Certifications in Computing Security

--Originally published at TC2027 – Titel der Website

Certification is a procedure by which compliance with specified requirements is demonstrated.
Certification is a sub-process of conformity assessment. Certifications are issued for a limited period by independent certification bodies, for example DQS, TÜV or DEKRA in Germany, and the underlying standards are controlled either independently or by the proprietor of the scheme.

 

Areas in which certifications are requested:

  • Products and services and their respective manufacturing processes including trade
  • Relations
  • People
  • Systems
  • Companies

 

A few types of certification:

  • Proof of educational standards or specially developed specialist standards for personal certifications. The standard for certification bodies that certify persons is regulated in EN ISO / IEC 17024 ("Conformity assessment – General requirements for bodies that certify persons"), which is also available as a DIN standard.
  • Proof of educational standards in the recognition of training institutes, such as those carried out by professional associations (non-university education is sometimes referred to as "certified" training institutes and partly "accredited" training institutes, which are also authorized to carry out personal certifications or parts thereof).
  • Internationally recognized proof of personal competence, e.g. as PMP (Project Management Professional) by the PMI (Project Management Institute), or the IPMA certificates Level D-A for project managers.
  • Certification of a management system (for example, according to ISO 9001, ISO 14001). According to the International Organization for Standardization (ISO), more than 1 million certificates based on the ISO 9001 standard and about 223 149 certificates based on ISO 14001 were issued internationally in more than 150 countries by the end of 2009. [1]
  • Certification of products or services. Certification bodies operating certification systems for products or services are regulated in EN ISO / IEC 17065 (formerly EN 45011 or ISO / IEC Guide 65).

 

Found this information in Wikipedia.


Why should we study computing security?

--Originally published at TC2027 – Titel der Website

There are many reasons why we should study computing security!

IT is becoming more important very fast, and it also keeps getting bigger and bigger. Programming is the future for a lot of companies. The data of ordinary people is a new currency. So computing security is not just important for the important things. It is also important for the little pieces of information we have on the internet. Malware and hackers are the keywords for why everybody should know more about security in computing.

Nowadays everybody is a potential victim of those two keywords. And to make sure that you scale down the risk of being a victim, it is more than necessary to know more about security on the internet.

Until now, I have learned so much from Ken. I am not one of those IT experts. But even the super simple things I learned give me a better feeling when I am surfing the internet.


Operating System Security (OS Security)

--Originally published at TC2027 – Titel der Website

What is Operating System Security?

OS security is defined as the process of ensuring OS integrity, confidentiality and availability. It uses special provisions to protect the system against threats such as viruses, worms and other malware.

OS security encompasses all preventive-control techniques, which safeguard any computer assets capable of being stolen, edited or deleted if OS security is compromised.

Techopedia explains Operating System Security (OS Security)

OS security encompasses many different techniques and methods which ensure safety from threats and attacks. OS security allows different applications and programs to perform required tasks and stop unauthorized interference.

OS security may be approached in many ways, including adherence to the following:

  • Performing regular OS patch updates
  • Installing updated antivirus engines and software
  • Scrutinizing all incoming and outgoing network traffic through a firewall
  • Creating secure accounts with required privileges only (i.e., user management)
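The last item in the list above, "required privileges only", is the one an administrator can check mechanically. The following is an added example, not from Techopedia: it audits constructed Unix-style passwd, shadow and group files for a second UID-0 account, an account that can log in with an empty password, and admin-group members, the combination that turns a guest account into an administrator. The sample files and the admin group names are assumptions made for the example.

```python
# Constructed sample account files (a real audit reads /etc/passwd,
# /etc/shadow and /etc/group). "toor" and "guest" carry the problems.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
toor:x:0:0:duplicate root:/root:/bin/bash
"""
SHADOW = """\
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructed$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
toor:$6$constructed$hash:19000:0:99999:7:::
"""
GROUP = """\
root:x:0:
sudo:x:27:alice,guest
users:x:100:alice,guest
"""


def audit_accounts(passwd, shadow, group, admin_groups=("sudo", "wheel", "admin")):
    """Return (account, finding) pairs for accounts holding more privilege
    than the 'required privileges only' rule allows."""
    findings = []
    shell_of = {}
    for line in passwd.splitlines():
        name, _, uid, _, _, _, shell = line.split(":")
        shell_of[name] = shell
        if uid == "0" and name != "root":
            findings.append((name, "extra UID-0 (root-equivalent) account"))
    no_password = set()
    for line in shadow.splitlines():
        name, hashed = line.split(":")[:2]
        # empty field = login without any password; '*' or '!' = locked
        if hashed == "" and not shell_of.get(name, "").endswith("nologin"):
            no_password.add(name)
            findings.append((name, "empty password with a login shell"))
    for line in group.splitlines():
        gname, _, _, members = line.split(":")
        if gname not in admin_groups:
            continue
        for member in filter(None, members.split(",")):
            findings.append((member, "member of admin group %s" % gname))
            if member in no_password:
                findings.append((member, "admin rights reachable without a password"))
    return findings
```

Run the function over the real files with root privileges (shadow is not world-readable) and treat every finding except expected admin-group members as something to fix.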

 


Security on the Web

--Originally published at TC2027 – Titel der Website

I found a German article on the internet about web security. The article was posted on the website http://www.computerbetrug.de.

 

Here are the most important topics of this article.

Nowadays web security is more important than ever. Every internet user can become a victim of internet criminals in a very short time.

These dangers are waiting for victims:

Trojans, spyware, scareware, phishing – these are real threats to your money, your data and your integrity. When you’re on the Internet, you do not have to know every technical term. But you have to know what dangers lurk where and how to protect yourself from them. We have summarized the currently biggest dangers for you here.

A recommendation is also to protect your reputation on the internet. This is about blogs, forums and Wikipedia. Nowadays anyone can publish virtually anything on the internet, so it is always important to think twice about what you post. Otherwise you can become a victim of cyber-mobbing.

Anyone surfing the internet in Germany or running their own website has to follow hundreds of laws and regulations, and must expect warnings, fines or even criminal consequences for a false step or a wrong decision.

You do not have to be an IT professional to be reasonably safe from the data thieves, scammers and rip-off artists moving through the internet. It is important that you protect yourself against the greatest risks and take precautions where necessary.