Tuesday, December 6, 2016

Information Security Learning Resources part 2

   Today we have part 2 of a 2-part guest post by security analyst Chris Goff.  Chris has collected a set
of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Security Concepts
There are three key concepts of information security which you may or may not be familiar with:
    -      Confidentiality
o   Confidentiality is the characteristic of information whereby only those with sufficient privileges and a demonstrated need may access certain information. When unauthorized individuals or systems can view information, confidentiality is breached.
    -      Integrity
o   Integrity is the quality or state of being whole, complete, and uncorrupted. The integrity of information is threatened when it is exposed to corruption, damaged, destruction, or other disruption of its authentic state. Corruption can occur while information is being entered, stored, or transmitted.
    -      Availability
o   Availability is the characteristic of information that enables user access to information in a usable format without interference or obstruction. A user in this definition may be either a person or another computer system. Availability does not imply that the information is accessible to any user; rather, it means availability to authorized users.

This is known as the “security triad”. It can be further expanded upon:
    -      Privacy
o   Information that is collected, used, and stored by an organization is intended only for the purposes stated by the data owner at the time it was collected. Privacy as a characteristic of information does not signify freedom from observation (the meaning usually associated with the word), but in this context, privacy means that information will be used only in ways known to the person providing it. Many organizations collect, swap, and sell personal information as a commodity. It is now possible to collect and combine information on individuals from separate sources, which has yielded detailed databases whose data might be used in ways not agreed to, or even communicated to, the original data owner. Many people have become aware of these practices and are looking to the government for protection of the privacy of their data.
    -      Identification
o   An information system possesses the characteristic of identification when it is able to recognize individual users. Identification is the first step in gaining access to secured material, and it services as the foundation for subsequent authentication and authorization. Identification and authentication are essential to establishing the level of access or authorization that an individual is granted. Identification is typically performed by means of a user name or other ID.
    -      Authentication
o   An information system possesses the identity that he or she claims. Examples include the use of cryptographic certificates to establish Secure Sockets Layer (SSL) connections or the use of cryptographic hardware devices--for example, hardware tokens provided by companies such as RSA's SecurID--to confirm a user's identity.
    -      Authorization
o   After the identity of a user is authenticated, a process called authorization assures that the user (whether a person or a computer) has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset. An example of authorization is the activation and use of access control lists and authorization groups in a networking environment. Another example is a database authorization scheme to verify that the user of an application is authorized for specific functions such as reading, writing, creating, and deleting.
    -      Accountability
o   Accountability of information exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process. For example, audit logs that track user activity on an information system provide accountability. (Management of Information Security by Michael E. Whitman and Herbert J. Mattord)

Tuesday, November 22, 2016

Information Security Learning Resources part 1

   Today we have a guest post by security analyst Chris Goff.  Chris has collected a set of info, links and lists that definitely qualify as extremely cool resources!  You can check out Chris' website
at http://chris-goff.com/ or follow him at https://www.linkedin.com/in/goffchris

   There's a lot of info packed in here, and it's pretty technical. But you don't have to memorize it all now and there won't be a test!  Just skim it, enjoy it and bookmark it!

Information Security Learning Resources
or information security for the self-learner
by Chris Goff

This is the result of many years of notes. This is by no means an exhaustive list, nor the definitive path to information security.

If you come across a dead link, use the Internet Way Back Machine (https://www.archive.org).

Bookmark these Google Search cheat sheets, they will come in handy:

Official Google Cheat Sheet - http://www.google.com/help/cheatsheet.html

Google Advanced Operators Cheat Sheet - http://www.googleguide.com/print/adv_op_ref.pdf

Learning How To Learn - http://l.goodbits.io/l/407nqn1n

Core competencies

Here are three core competencies within information technology that will provide a solid foundation on which to start a security career:
  • Systems Administration
  • Network Administration
  • Programming
It is also critical that you learn to deal with people and business. Take some public speaking classes (Toastmasters: https://www.toastmasters.org/), volunteer for presentations at local groups, and volunteer to deliver training for folks at your workplace. One of the greatest methods of learning is to teach.

The core competencies are not a requirement, however be aware that InfoSec is expected to be a Subject Matter Expert (SME) on most topics. If you wish to be successful diversity of knowledge is key.
“There is no security without understanding.” – Michael Lucas, author Absolute OpenBSD

Tuesday, November 8, 2016

Patch, Vault 'n Fob

   Well, I was trying for something catchy like Stop, Drop and Roll.  That's a saying we learned in school, back in the day, for what you should do if your clothes catch on fire.

   Fortunately, it seems like everyone has heard that saying and it rolls off the tongue.

   Unfortunately, my three word phrase Patch, Vault and Fob, is not nearly as catchy.

   Fortunately, the odds of your clothes catching on fire is low.

   Unfortunately, the odds of your software, browsers or accounts being compromised is very high.

   A couple of weeks ago the internet was hit with the highly impact-full and publicized distributed denial of service (DDoS) attack on Dyn, a DNS provider.  I won't go into the details here but I think I will cover DDoS in a future post.  Anyway, shortly after that I was chatting with someone at a dinner who asked me about this attack, internet safety in general and what they could do.  To keep it simple and because, as a math person I like things in 3's!, I provided these 3 simple (well, maybe straight-forward is more accurate) things that absolutely everyone should do at home...

Tuesday, October 25, 2016

Lock Before You Leap

   Most organizations have some kind of requirement to protect data.  Sometimes it's regulatory, for example organizations in healthcare or financial or retail need to protect personal data on individuals.  But for sales, manufacturing or other industries like medical devices, their "secret sauce" could be intellectual property like formulas or proprietary processes, or customer lists.

   Whether it's critical data on people, processes or things, what most organizations have in common is that, if they cannot protect this information, the results could be fines or inability to do business and that can directly translate to harm to people and organizations.

   There are so many ways to protect information (or to fail at protecting information), some more complicated than others.

   One very simple way that information can be breached, disclosed or otherwise lost is through unattended, unlocked devices.  For example, someone leaves a laptop logged in, screen unlocked and walks away - someone else can take that laptop and would have access to any data it has.  This is also true for desktop workstations.  In this case the computer won't likely be taken, but if the workstation is unattended and unlocked, anyone else can access the data on that machine leading to potential breaches and regulatory problems.

Tuesday, October 18, 2016

Internet Safety for Parents

   I've written about Internet safety for families, kids, teens and I've even spoken on safety for pre-schoolers.  But it's important to think about online safety for parents as well.

   That's true both for parents of young children was well seniors with grown children.  The safety challenges for seniors are similar but there are some differences.  They may not be as familiar with technology and, according to the FBI:

  • they are often financially secure and/or have good credit
  • they may be more trusting and they don't think they'd be a target
   This article by the AARP lists some common scams against seniors including some we've discussed like fake Microsoft support calls or IRS-related tax fraud.

   What got me thinking about this topic was a great article entitled "10 Ways to Help Our Parents With Online Security".  The article touches on a number of themes we've discussed in the past.  I'll list the 10 items with links back to some past editions of this blog - typically they:
  1. don't think they have anything worth stealing
  2. have bad password habits - just like most people
  3. are confused by 2-factor authentication - something we all should use
  4. leave mobile devices unattended and without security measures
  5. don't recognize phishing emails
  6. don't understand social media and how it can be used in scams
  7. share too much information
  8. can be manipulated by online media
  9. place too much trust in an anti-virus product
  10. don't understand how sophisticated scams and attacks can be
   In what ways can you help your parents stay safe online?

Tuesday, October 11, 2016

What You Can''t See Can Hurt You(r Data)

   "It is all around us, even now in this very room. You can see it when you look out your window or when you turn on your television. You can feel it when you go to work, when you go to church, when you pay your taxes.."

   It's "all around you. Here, between you, me, the tree, the rock, everywhere."

   No, not the Matrix and not the Force, but a more insidious power... WiFi!

   Public WiFi is everywhere.  Many stores, malls, airports, cities and even parks offer it.  Sometimes it's free and sometimes not.

   It's US Cyber Security Awareness Month so it's a good time to think about the risks of using public WiFi and how to protect yourself.

   There are definitely risks in using public WiFi including:
  • pushing software - WiFi can be configured to send software to your device when you connect.  That might be OK at home or important in the office, but it can be misused by an attacker out in public.  Don't install software offered to you on a public WiFi.
  • redirecting your browsing - a WiFi connection can control how you get to websites.  If an attacker controls the WiFi, they can cause you to go to copycat websites with malicious software or to phishing sites.
  • evil twin attack - you know when you're at the coffee shop and you can connect with a WiFi connection that has the same name as that coffee shop?  How do you know it's really the coffee shop's connection?  You don't.  Anyone can buy a wireless router at the store for $25, put it anywhere, and name it anything they want.  Using a deceptive name for a WiFi connection to lure people is called the evil twin attack.
  • are you encrypted? - VPNs, Virtual Private Networks or secure connections, are a great way to protect your data when connecting over unknown networks... like the Internet!  However, you first have to connect to the Internet before establishing the VPN.
Here are some tips to reduce your risks of using WiFi outside your home or office:
  • use your smartphone hotspot - if this is a feature of your mobile phone and plan, you can use your phone as a WiFi hotspot and connect to it.  You then can feel confident that your connection is going through your cellular carrier.  Warning... this will use your mobile data and may cost you extra depending upon your plan and data limits.
  • only use wifi with a password or passphrase - even if everyone knows the password.  Using WPA or WPA2 with a password/passphrase means that every connection between a PC and the wireless network is encrypted.
  • turn off file sharing - in Windows you can designate a network as public, work or home, or you can directly turn off file sharing.  Here's an article with the instructions.
  • if possible don't use open wifi in very open areas - the more open an area you're in, the harder it is to figure out if you're connected to a legit WiFi.  And...
  • be aware of your surroundings - it's not strictly a WiFi issue, but when you're on public WiFi you're in... Public!  Protect your screen.  Protect your passwords.
   Even if you do all this, a skilled attacker can still cause you problems on a public WiFi network.  So, if you have to use public WiFi, try to:

  • limit personal info - even if it looks like a website is https, do your personal business from a secure connection at home
  • same for banking, shopping - definitely save your financial transactions for known secure connections
  • use care with confidential work data - you should use care when dealing with critical work data, particularly if you work with other peoples' personal data!
   Here are a few articles with more info.

   As a side note, there are also questions about potential health risks of all the wireless signals in our environment.  It's hard to separate fact from speculation and wireless may or may not be a health issue.

   In the future we'll see even more wireless than we do now.  And we'll also see better wireless network security.  Many new cars come with WiFi hotspots and more cities and municipalities are offering wireless. 

   What are your tips for public WiFi safety?  Have you ever come across an "evil twin" WiFi network?

Tuesday, October 4, 2016

Can't Live with 'em, Can't Live without 'em

   They're dead.  They're here to stay.

   They're safe.  They're breached.

   They're encrypted.  They're visible.

   They're complex.  They're too simple.

   Once again, the topic we love to hate... Passwords!  And, you know what else???  It's also that greatest of holiday celebrations... US Cyber Security Month!

   In honor of US Cyber Security Month and the recently announced breach of 500 million Yahoo! account passwords and other info  (while announced in 2016, the breach actually took place in 2014, and is not the same as the password breach they had in 2012! - yes, I know... it's hard to keep up!), I'm re-running a post I wrote in... wait for it... 2012!  Not only is everything I wrote in that post 100% relevant today, but I even commented on that 2012 Yahoo! breach.  The more things change, the more they stay the same.  Happy Cyber Security Month!
   Passwords are a mess!  A "good" password has these features:
  • hard to create
  • hard to remember
  • hard to enter
  • probably has to be changed as soon as you memorize it
  • plus other inconsistent, random rules depending upon the site