Depth or layers? – Security Blog #9

--Originally published at That Class Blog

Okay, so… Have you heard of the famous cake layers? If you haven’t, please, check out my last blog. Else, we can continue!

And just so you understand the reference: anchors go to the ocean floor… Deeply… To the depths…

“Rusty Anchor” by _lem (CC https://creativecommons.org/licenses/by-nc-nd/2.0/). Taken from https://www.flickr.com/photos/_lem/176805103/

So, why did I ask you to read about the security layers? Because security in depth is built on the layered approach. We already discussed how layers are supposed to work: if you manage to cover every hole in each layer with the preceding layers, there would be no way for an attack on your system to succeed. The problem is that achieving that level of perfection is impossible. Instead, security in depth assumes from the start that the layer method can, and eventually will, fail. Layered security only achieves either the exhaustion of the threat (a successful defense) or its slowing down, which buys time for other plans of action and countermeasures to be initiated.

Depth defense also assumes that the hack or breach isn’t necessarily of remote origin; this means considering the possibility of physical theft, threats, access by unauthorized persons, and some other unusual events (see van Eck phreaking below).

Usually, taking those possible events into account involves setting up:

  1. Monitors, alerts and emergency responses
  2. Authorized personnel activity logs
  3. Forensic analysis
  4. Reports on criminal activity
  5. Disaster recovery

Remember that the objective of depth defense is to gain time. The main objective of each newly set up component is to delay the threat, which might not be achieved if we used only technological solutions. The administrator should use the extra time gained to identify and try to overcome the hack.

And I guess that is it for now regarding security.
As a mini comment

😀
Continue reading "Depth or layers? – Security Blog #9"

Cake layers rule – Security Blog #8

--Originally published at That Class Blog

As the 8th blog regarding security, I will talk about the computer security layers. Some people state that there are 5; others say there are 8. What I mostly found during my investigation is that there are as many security layers as layers in a cake (including the top frosting): 7.

What you, dear reader, need to remember while reading this entry is that this set of rules can be implemented either by a network system administrator or by a regular single-computer user.

The logic behind the security layers is the following: a single defense will be ineffective or flawed if the defense mechanism leaves areas unprotected, with its protective layer (umbrella) empty. That is why the layers’ purpose is to cover those empty spots. Theoretically, the empty areas of each layer would be so different that an attack can’t penetrate through all the holes, and the service would remain available.

“20121201-_IGP1571” by Tim Ebbs (CC https://creativecommons.org/licenses/by-nc-nd/2.0/). Taken from https://www.flickr.com/photos/ebbsphotography/8234883949/

  1. Application Whitelisting: The objective is to install only a limited set of programs and applications on the administered computers. The fewer applications, the lower the possibility of a breach.
  2. System Restore Solution: This is one of the most talked-about security solutions in the classroom. Basically, it consists of creating a plan of action for when the hacking peril arises. This lets the user regain access to their files, even if the system is hacked and damaged files remain.
  3. Network authentication: A system of usernames and passwords must be put in place. This gives access only to authorized users; it means no login without a password prompt.
  4. Encryption: All of your files, disks and other removable devices should be encrypted. This will provide a Continue reading "Cake layers rule – Security Blog #8"

Secure Network, How? – Security Blog #7

--Originally published at That Class Blog

This entry is not addressed to regular computer users but, more specifically, to engineering students or people interested in network security, as the concepts are not that common. This entry’s topic is the security of the enterprise network.

Virtual Private Network

This first category isn’t that complex, as Virtual Private Networks (VPNs) are more and more widely used by general users, so I won’t talk a lot about it. VPNs are a method used by enterprises to connect to and access an internal network from the outside, over a more secure, encrypted network.

“network” by Rosmarie Voegtli (CC https://creativecommons.org/licenses/by/2.0/). Taken from https://www.flickr.com/photos/rvoegtli/15252943257

Intrusion Detection Systems

The main function of Intrusion Detection Systems (IDS) is to aid the administrator in detecting the type of attack being carried out against the system. Usually, the IDS also helps the administrator find and execute a solution to the problem, as well as a plan of action for future detections. These systems trace and record logs, signatures and triggered events. Usually, the IDS is attached to the firewall (which I discuss below) and the network router.

The most popular IDS tools I found are Snort and Cisco Network-Based IDS. Both successfully notify the user in real time of the signatures of attacks made against the network. The main advantages of Cisco IDS are the results obtained in the aftermath of the events (reassembly of IP and TCP sessions) and Cisco’s continuous support for the client. Meanwhile, Snort is open source, cheaper to implement (hardware-wise), flexible (it only requires Linux) and has multiple modes in which it can be deployed.

Firewalls

Firewalls, also called Intrusion Detection Devices, are software or applications that work directly at the network layer. As most of us already know, firewalls protect the Continue reading "Secure Network, How? – Security Blog #7"

OMG I did it!

--Originally published at That Class Blog

Okay, so I’ve been so proud these last 2 weeks because I finally got a -more than- decent score in the LastPass Security Challenge. The first time I took the quiz I had more than 40 sites (there were more of them, but I already had the duplicate/same-domain configuration working), and I obtained a well-deserved 12%, in the lowest 7%, but at least my Master Password was excellent (at least something wasn’t horribly wrong).

“pw_xato-net_02-06” by Mark Burnett (CC https://creativecommons.org/licenses/by/2.0/). Taken from https://www.flickr.com/photos/mark_burnett/26965409864

Now, I can truly be proud to say that after some heavy work I got, after inserting 5 new sites, a 96%. This puts my account in the top 1% of LastPass users. YAY!

So, it was really a heavy task to change the passwords of almost 50 sites. It was really horrible and exhausting (maybe because I tried to make all of the necessary changes in one sitting). But I can share some of the things I’ve learned with the rest of the world:

  • LastPass offers a method that automatically changes your password on supported sites (usually it only works with the big ones). I found that method extremely ineffective. It takes what feels like years for the program to find the adequate buttons and text fields and then generate the password. I don’t know why this happened. Maybe because I have some pages in Spanish and Esperanto, and the program failed to find the buttons (if the method is made using the value of the button and not the ID, or something like that).
    I mean, my problem was with the time it took to accomplish those tasks, not that it didn’t work. I don’t have any problem leaving LastPass to change your password in the background while Continue reading "OMG I did it!"

Let’s talk about 2 factor authentication – Security Blog #5

--Originally published at That Class Blog

After the last security class, when we all did the LastPass Challenge (where I did so… so badly), I started to change and generate a lot of passwords (like 40 as of now) and activated 2-factor authentication on most of the sites where I could. I don’t know why I did this only now, and not when we talked about this topic in class.

“Fingerprint authentication 06” by Hideya Hamano (CC BY-NC-ND). From https://www.flickr.com/photos/mawari/16021496959

I knew what 2-factor authentication did, but I didn’t know how. So after some reading (links below) I finally got my head around all the concepts.

  1. 2 Factor Authentication (2FA) is just one layer of Multi-Factor Authentication (MFA)
  2. 2FA works even if the device isn’t connected to the internet, though not for SMS 2FA.
  3. It’s very secure, but like everything, it has some weak components.
  4. This makes 2FA a failed attempt to create a silver bullet for security.

Let’s start with the concept of 2FA just being a layer. What layer? Of how many? Why do we have that layer only? I want more of those!

Okay, so the point of verification is to tell the service that you are who you say you are. That is why we have passwords. Passwords are things we know, and knowledge factors are the first and most basic layer of credentials in MFA.

The second layer of credentials is the possession factors: the things the user has, like a phone, an ID or tokens. This is the layer 2FA is based upon.

The last big layer is the third one, called inherence factors. These factors are the things that the user is. Usually we are talking about biometrics here, but there are ways to measure behaviors and patterns of a Continue reading "Let’s talk about 2 factor authentication – Security Blog #5"

I want to become a pro – Security blog #4

--Originally published at That Class Blog

So you are a pro, you say…

You think you are good, you say…

But do you have a computer security certification?

No?, you say…

“Professional” by Dan Taylor (CC BY-NC-ND). From https://www.flickr.com/photos/dantaylorphotography/11960608165

As more data breaches happen each year, with larger and more sophisticated attacks, cybersecurity skills are in very high demand. But the fact that there are a lot of jobs available doesn’t mean that the position will be given to anyone who tries and applies (mainly to make sure that the person knows their stuff, but also because there are so many areas of specialization in security). The company will ask you to have one or more certifications.

Let’s talk about some of them. In fact, just 8 of the more than 70 certifications that Wikipedia mentions (only 10 of those have an individual entry).

ISSEP/CISSP

The Information Systems Security Engineering Professional certification was developed by the NSA. It covers security methodologies and practices for all information systems, as well as the proper and secure handling of data. This is the must-have certification if you want a career in IT security.
It’s issued by (ISC)².

LPT

The EC-Council Licensed Penetration Tester certification demonstrates the person’s ability to audit network security, perform penetration tests and develop proper corrective actions for the problems and weaknesses found in the test.
It’s issued by the EC-Council.

GPEN

The GIAC Certified Penetration Tester certification is similar to the LPT (above), but it also demonstrates the person’s knowledge of legal issues regarding penetration testing, as well as specific penetration tests and practices.
It’s issued by GIAC.

CSFA

The Cybersecurity Forensic Analyst certification provides the necessary knowledge to perform a deep analysis of computer systems and properly interpret investigation results in a short time Continue reading "I want to become a pro – Security blog #4"

Let’s be ethical – Security Blog #3

--Originally published at That Class Blog

This is the first time I hear about ethical hacking. Really, it is.

I mean, I knew that there are people who do that. But I never thought that they were called that.

So let’s start learning ethically!

Ethical hacking describes the act of hacking by an entity to help identify potential threats. The hacker tries to get around the security and searches for weak points that a malicious hacker could exploit to cause an information breach. This information is later provided to the companies or individuals so they can fix the problems and minimize future hazards.

Ethical hackers and penetration testers have some perks. They might not reach the levels of adrenaline and badassery of a regular -non-ethical- hacker, but they really do earn a nice economic remuneration and the nice assurance that they won’t end up in prison.

And how can you become an ethical hacker?

First, you might consider a career/major in IT. You might even study alongside the military (if your country has a program): they could even pay for your studies and offer you a job in security.

You need to get some basic certifications (CCNA) and some more specialized ones (Security+, CISSP or TICSA). While doing your certifications, you should also work in tech support and move up to administrative roles, until you reach an information security position. At this point, you can apply for the Certified Ethical Hacker (CEH) title from the International Council of Electronic Commerce Consultants.

To hack, network engineering skills are -of course- necessary, but UNIX/Linux, C, LISP, Perl, Java and SQL are also things you need to master. Oh, and let’s not forget about soft skills (as in any other IT job) and street smarts (people skills and a talent for manipulation).

And can you just start hacking after that?

Nope.

Continue reading "Let’s be ethical – Security Blog #3"

The CIA Triad – Security Blog #2

--Originally published at That Class Blog

No, I’m not going to talk about the Central Intelligence Agency (responsible for providing national security intelligence to the US). This particular triad -which some people call AIC to avoid confusion with the regular CIA- stands for Confidentiality, Integrity and Availability.

“CIA Bitchessss” by Erik bij de Vaate (CC BY-NC-ND). From https://www.flickr.com/photos/mediadeo/5762931134

In general, confidentiality is the property in charge of limiting access to information, integrity is the assurance of accurate and trustworthy information, and availability is the guarantee that authorized people can access the information. These concepts form a model to help people think security-wise.

Confidentiality

The purpose of this is to ensure that every piece of information reaches only the appropriate people and that no sensitive information is breached.

To make sure this is done, it is necessary to enforce levels of authorization and authentication for information access, as well as to create categories and collections of information and establish discretion functions.

Some methods used to ensure confidentiality are data encryption, two-factor authentication, biometric verification and security tokens. In extreme cases, air gapping or making hard copies of the information is used.

Integrity

The purpose of this component is to protect data from unauthorized modifications, or to make sure that an option to undo changes is always available. Integrity also involves making sure that data is always consistent, accurate and trustworthy.

Some methods used to ensure integrity are typical system file permissions, user access control and version control. Data might include checksums. Backups and redundancy are important to recover from breaches of integrity.

Availability

This is very straightforward. This property assures the availability of the data. All kinds of protection systems must be up to provide the information when requested. Power outages and hardware upgrades and failures must be taken into account when designing for availability. Continue reading "The CIA Triad – Security Blog #2"

Why should we study Computer Security? – Security Blog #1

--Originally published at That Class Blog

Yeah! Why should we? Isn’t an antivirus and a firewall enough for everyone? Why should I bother studying this if nothing is happening and no one even cares?

Well, in fact, a lot is happening regarding security and there are a lot of people and companies that really do care.

“Computer Security – Padlock” by Blue Coat Photos (CC BY-SA). From https://www.flickr.com/photos/111692634@N04/15327725543

As Gib Sorebo (Chief of Cybersecurity at Leidos) states:

The reason we continually fail to adequately secure our networks is not a failure to understand technology, but a failure to understand people and how they behave.

Cybersecurity is not (only) about quality control, writing good code or designing high-performance networks. In the end, what you can learn is to anticipate and manage risks: to anticipate human errors alongside computer vulnerabilities, and to deal with uncertainty and incomplete information.

So if managing risks is something you are interested in, cybersecurity is definitely something you should consider, because few areas offer this knowledge as much as computer security does.

But the problem is the small number of people majoring or doing graduate studies on this topic (well, this can also be good news). This is causing a big demand for engineers who know their security stuff, and usually the companies that know what they really need are paying a lot to the people who can do what they want.

And what I’ve learned about topics that no one studies but are highly paid is that the people in them are usually highly skilled and have a natural capacity to deal with risks. People are interesting and like challenges. You can’t get bored doing cybersecurity work in a company… or anywhere… because these careers are usually in demand everywhere, anytime.

An extra is being proud of being a computer Continue reading "Why should we study Computer Security? – Security Blog #1"