Security and STATS (not security stats)

--Originally published at Alfonso reviews…

I know this is not the way to start a blog post, but this post is going to be a long one, and yes, you’ll get a potato.

You may or may not know what I mean when saying STATS. For those wondering, STATS is a project I’ve been working on for the last 15 weeks, and it involves a web app, elementary school kids, and math.

Basically, at the start of this semester, when creating my schedule, all my subjects were gone, and I got this notification saying, “do you wish to register the STATS package?”, and I thought to myself, “do I get to choose?” Long story short, the answer was NO, and I ended up in an interesting way of learning and developing as an ISC. No homework, no exams, just us developers and the project at hand. That was the promise; some teachers respected it, some others didn’t, but that’s another story.

My team, which I think is the best team I’ve ever worked with (if you guys are reading this, thanks for this semester), and I decided to make it happen, and we created a web app featuring the adventure of a spaceship on its journey to the Red Planet, math here and there, and funny stuff.

The app’s intended audience/users are kids in elementary school, with their respective teachers as administrators of the system: the kids would play the game, and we would be collecting data, analyzing it, and sending it to the teachers to help them with their work…

Data… Security… I wonder if those two should be related in any way, oh, yeah, they should be like father and son, like wolves and the moon, and like that bubblegum in your shoe.

With that being said, let’s start our ride on how security


One rule to rule them a… wait… there are three?? (Short talk about Morris’s golden rules and the STATS project)

--Originally published at Alfonso reviews…

I know it’s early in the morning, but I felt like writing a little bit. I had this topic as an assignment in university, and I thought about adding some salt and pepper to it; Bob and Alice always like their food with salt and pepper *wink*.

Obviously I’m not as safe as one could be with Morris’s rules, but I think that by following those three little fellas my life would be slow and boring.

Rule 1: Do not own a computer. Even if I didn’t use my laptop to write, phones nowadays are little computers that send and receive stuff every second, so… I’m screwed.

Rule 2: Do not power it on. Like, for real, people out there, if you broke the first law and you have spent some money on a laptop or phone, and you care about your security, don’t turn it on. It won’t explode (I hope), but who knows who may be looking through your webcam or listening through your mic. Yes, I’m frightened while looking at that thing on top of my computer, hoping it won’t look back at me.

Rule 3: Uhm, yeah… if you got this far, I guess you broke the third rule with me, as it is not to use your computer. Your eyes are not tricking you. Your computer is your door to many places in the outer world, but it’s also a window of opportunity for people lurking for information.

But don’t worry that much; many of us have broken these rules, and we may or may not become a target. But know what you are getting into by using a computer, and if you can, lock the window.

I had so much fun writing this, and I hope you had some while reading it, now


Business + Code of Ethics = Organizational Progress (a guide about what a code of ethics is, and what it should include)

--Originally published at Alfonso reviews…

What is a code of ethics? This is probably the reason why you are here.

A code of ethics is a document where an organization states its mission and values, so that other people can see the position the organization will take when problems arise, and how the organization is going to approach those problems.

This document also includes ethical principles that follow from the organization’s values. It looks somewhat like a rulebook stating what to do and what not to do while in the organization.

The main reasons why it’s good to have a code of ethics are to guide people in organizational decisions, to make the goals of the organization clear, and to let people know what the organization’s next moves will be.

Usually, a code of ethics is written to protect the reputation of the organization. If, by any chance, a member of the organization fails to follow the code of ethics, the organization can say that his/her behavior isn’t aligned with the organizational goals and code of ethics, and decide what action to take about the person implicated.

The NIST way (a brief description of the NIST Risk Management Framework)

--Originally published at Alfonso reviews…

The NIST Risk Management Framework is a guide for determining how much security you need, depending on the risks you can or cannot take, and for applying the necessary measures to ensure your system is as safe as you need it to be. The guideline it provides consists of six steps that can be repeated over and over again until you are satisfied.

  1. The first step’s goal is to determine what kind of information system you are trying to keep safe. Maybe you are trying to protect a database with the names and addresses of thousands of people, as well as their telephone numbers and credit card information. In this case, you’ll need to focus on getting strong security measures into your system. It probably won’t be cheap, but it’s a must when working with sensitive data. On the other hand, if your system is concerned with… let’s say dog photos, you may not be that worried about information leaking from your databases.
  2. The second step depends on the first one: depending on how much secrecy the information needs, you’ll be choosing some security controls, and those controls will be managing the risks involved in operating the business.
  3. After you have chosen which security controls you are going to use, you need to implement them, but beware: too much security limits functionality. Unless you really need an excessive amount of secrecy, you should be looking for a balance between security and usability.
  4. The fourth step is concerned with the third step working as it should. Here you should check whether the security controls you just implemented are working effectively; if you need to apply some changes, this is the time to do it. And remember, in security you always need to look at the weakest link, so put the system

CIA (the triad, not the Central Intelligence Agency)

--Originally published at Alfonso reviews…

Modern organizations have large amounts of information, information that must be kept safe. This is where the CIA triad comes into play. But what does CIA stand for? CIA means Confidentiality, Integrity and Availability, and these three concepts are the guidelines for having good information security policies.

I think that if you came to this article you want to know more about the CIA triad, so I’ll proceed to talk a little bit about each part of it.

Confidentiality limits access to information so that only the people who should see some content can actually see it, and no one else. It relies on the creation and administration of strong passwords and on training users in security issues and the risks they are getting into; in some cases it goes down to encryption of material, and in extreme cases to isolation of the information from the environment, like having a computer disconnected from the network, or keeping the information in physical form.

Integrity focuses on ensuring that the information is trustworthy and accurate, and works on this aspect by managing file permissions and access controls, and by using version control and redundant backups to restore affected data. Integrity is also concerned with keeping the data identical between when it is sent and when it is received.

Availability guarantees access to data by authorized people. Its main focus is to ensure that the hardware and software are working properly; if something goes wrong, it needs to be fixed so the data is available again. In other words, it needs to keep data safe from physical or digital harm, and in some cases the data ends up in a waterproof and fireproof safe, and behind a firewall and proxy servers.
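To make the Integrity point concrete (data staying identical between sending and receiving), here is an added Python example that is not from the original post or the STATS project: the sender attaches an HMAC-SHA256 tag to a score record, and the receiver recomputes and compares it, so any change in transit is detected. The key, the record fields and the function names are constructed for this illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would load the key from a secret store,
# never hard-code it.
SHARED_KEY = b"stats-demo-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Encode the record deterministically so sender and receiver tag the same bytes,
    regardless of the order in which the keys were inserted."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag(record: dict, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute an HMAC-SHA256 tag over the canonical encoding."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify(record: dict, received_tag: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the tag and compare in constant time.
    A mismatch means the record (or the tag) was altered, or the key differs."""
    return hmac.compare_digest(tag(record, key), received_tag)


def demo() -> tuple:
    """Constructed sample: a game score record as the app might send to a teacher's
    dashboard. Returns (intact_ok, tampered_ok, wrong_key_ok)."""
    sent = {"student_id": 17, "level": 3, "score": 42}
    t = tag(sent)

    intact_ok = verify(sent, t)                       # unchanged record: accepted
    tampered_ok = verify(dict(sent, score=100), t)    # score modified in transit: rejected
    wrong_key_ok = verify(sent, t, key=b"other-key")  # receiver with a different key: rejected
    return intact_ok, tampered_ok, wrong_key_ok


if __name__ == "__main__":
    print(demo())
```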

This triad faces some serious stuff, but most of the problems come when it faces big
