Thursday, April 8, 2010

Risk Management

The principles of keeping a system secure are as old as information itself. For as long as information has been around, ways of preventing it from reaching unwanted hands have been highly reinforced. As technology advances, systems become more vulnerable to different methods of attack, also known as vectors. By the time a system administrator tries to find out what went wrong with the system, it is sometimes too late. For this reason, one must be aware of the latest technology in one's field. Ways of keeping systems secure change every day, but the principles never change. Some principles are straightforward to understand and to apply because they do not require much technical background.

One of the most important concepts of data security is availability. How can something be secured if it has been deleted due to a weather incident, human negligence or a malicious act? The first step is to back up data regularly. Data backup is perhaps the oldest way of preserving data. There are different categories of backups: full, differential, incremental and delta. They differ in how much data is preserved and when. The second step in preventing data disasters is to have the proper equipment. Having a UPS (uninterruptible power supply), proper work practices, such as not bringing food to the workstations, and policies helps an organization prevent data disasters.
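To make the difference between the backup categories concrete, here is an added example (not part of the original post) that works out which files a full, differential or incremental backup copies and which backups a restore needs. The names `Backup`, `files_to_copy` and `restore_chain` and the sample data are made up for illustration; delta backups, which store only the changed parts of a file, are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Backup:
    kind: str  # "full", "differential" or "incremental"
    day: int   # day the backup ran (constructed day numbers, not real dates)

def files_to_copy(kind, mtimes, history):
    """Names a backup of `kind` copies. mtimes: {name: day last modified}."""
    fulls = [b.day for b in history if b.kind == "full"]
    if kind == "full" or not fulls:
        return sorted(mtimes)            # no usable baseline: copy everything
    if kind == "differential":
        baseline = max(fulls)            # changes since the last FULL backup
    elif kind == "incremental":
        baseline = max(b.day for b in history)  # since the last backup of ANY kind
    else:
        raise ValueError(f"unknown backup kind: {kind}")
    return sorted(name for name, day in mtimes.items() if day > baseline)

def restore_chain(history):
    """Backups needed to rebuild the latest state, oldest first.

    `history` is ordered oldest first and must contain at least one full backup.
    """
    start = max(i for i, b in enumerate(history) if b.kind == "full")
    tail = history[start + 1:]
    diff_at = [i for i, b in enumerate(tail) if b.kind == "differential"]
    chain = [history[start]]
    if diff_at:
        # The newest differential supersedes everything between it and the full.
        chain.append(tail[diff_at[-1]])
        tail = tail[diff_at[-1] + 1:]
    return chain + [b for b in tail if b.kind == "incremental"]

# Constructed sample: three files, one full backup and one incremental so far.
MTIMES = {"payroll.db": 1, "customers.csv": 3, "notes.txt": 5}
HISTORY = [Backup("full", 2), Backup("incremental", 4)]

if __name__ == "__main__":
    for kind in ("full", "differential", "incremental"):
        print(kind, files_to_copy(kind, MTIMES, HISTORY))
    week = [Backup("full", 0), Backup("incremental", 1),
            Backup("differential", 2), Backup("incremental", 3)]
    print([f"{b.kind}@{b.day}" for b in restore_chain(week)])
```

The trade-off shows up in the restore chain: incrementals are the smallest to take, but every one since the last full or differential is needed to restore.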

The disaster recovery process includes many methods that help an organization preserve its data and avoid endangering it through negligence. Other than making proper backups and using proper equipment and procedures, there are other ways that blend into the same process. Anticipating risks, planning a strategy, and having a post-disaster plan help the organization act accordingly when a disaster occurs. There are two kinds of risk management: quantitative and qualitative. Quantitative risk management determines the impact of threats by providing clients with advice, knowledge, and tools necessary to adopt innovations. Qualitative risk management is the separation or categorization of risks. They are categorized in three ways: low, medium and high, following a scale from one (the least severe) to ten (the most severe). Some of these scales rely on models. Threats can be divided into categories as well. They can be natural, physical, network, human and eavesdropping threats. One must understand that these threats are equally important. There are no less or more important threats; they are all the same because they all risk critical destruction of data. Even though a company might disagree with this concept, I understand why. A company with a limited budget cannot spend time fixing every hole that might be possible in a system. It can only fix the holes it sees as the most imminent.

Lastly, who is made aware of the security holes varies from company to company, but I personally think it must be done accordingly and very cautiously. Critical information in the wrong hands can lead to more hands on that vulnerability and might lead to total disaster. Only certain personnel must be told about the security vulnerabilities and/or breaches and given a solution. If no one is able to determine what went wrong, they will be less likely to know what to do to fix it. Some white-hat hacker organizations try to break into corporate systems and offer to help fix them. In a movie I watched yesterday called “En Busca de Los Hackers” (Seeking for Hackers) – Spanish version, a group of Spanish white-hat hackers said that offering to help companies with no hard evidence that somebody has broken into their system does not work. Every company has turned them down. The only method, for them, is the illegal approach. They break into the system first, put the flaws on a disc explaining how they found them, and present it to companies for hire. 1 out of 9 companies hired them. No wonder there are vulnerable systems all around the world. If people, including corporations, have that fear of hackers, what can they do to make their systems better? Of course, there are bad people out there, but not everybody who calls themselves a hacker is really what they are.

In this cyber world full of vulnerabilities, it is hard to know who is on which side of the road. The only solution for a company is to back up its data daily; that way, if it ever loses something, it loses only the revenue of a day's worth of work, thus controlling how much money it might lose. It is not a matter of if, it is a matter of when. Every system in this world has been compromised at least once in history, which means no system is a silver bullet for an organization. There are security bases and procedures, of course, and they try to minimize the risks as much as possible to save company time and critical data. Only remember one thing: anybody with proper knowledge, a computer connected to the Internet and time can break into ANY system. One of the reasons is that companies do not encrypt data that goes through the networked medium. Companies seek flexibility and convenience, and these have a price. The price might be more than what they were looking to achieve, and the price is their lost privacy.

Sources:

http://www.it-observer.com/best-practices-securing-your-enterprise.html

http://en.wikipedia.org/wiki/Risk_management

“En Busca de los Hackers” – Seeking for Hackers (Spanish movie)

Thursday, April 1, 2010

The Fragile Web

Staying secure on the Internet is virtually impossible. Even though total security is completely impossible, there are ways to minimize the risks. Prevention is half of the equation; the other half must be secure practices. The more exposure we get as computer users, the more security-driven most of us become. If you are not worried about privacy because you use Linux or a Mac, you still should be. Non-encrypted communication, social engineering and online scams don’t discriminate between operating systems, making you just as vulnerable as Windows users.

It is harder to stay secure in the 21st-century digital era because there are more flexibility options and more temptations on the Internet. A non-encrypted connection might expose your data to the wrong eyes, risking your privacy, even though you might think you are safe enough with an up-to-date antivirus installed on your computer that scans it every day. Also, having an IDS on your home computer might not help a lot, as well as a corporate firewall. I think leveling the risks with cost is the best way to implement security. Why waste a lot of money on professional-grade tools if the threats are not as significant in a home environment as in a corporate one that holds top-secret information?

Leveling risks with cost determines whether you really should spend money and time on implementing such a system. A personal firewall might only help if the user is security-conscious and is willing to spend time and effort checking every process and communication going through the computer every time a pop-up window appears. It is worthless to have top-of-the-line technology if the user is not going to spend time checking, and in this case, a user has to spend time and effort setting up firewall rules in order to minimize risks and false positives on a system.

Also, it is worth mentioning that a personal firewall and up-to-date anti-virus and anti-spyware are not all that is needed. It is also recommended that those who do transactions online and send important e-mails use an encrypted connection. The use of VPNs is widely known among companies, but what about home users? Is the risk not the same, or at least similar, for a corporation and for a home user managing his online banking? It only takes someone making a targeted attack on you to have your identity stolen. The best way to prevent this is “abstinence”. Try not to do financial stuff online. That way, corporations will likely change their online policies and try to improve the system so more people can use it. It all comes down to money. This method will negotiate with corporations, thus making them change their strategy. For example, Verizon (Slashdot website) will charge an extra $25 to make online payments more secure. I agree with their strategy of using a one-time password over the phone for purchase confirmation, but I don’t agree with paying more to get a security improvement they should have made in the first place. Security must be provided with the service at the same rate.

Even though paying with phone password confirmation might seem a more secure way to do online payments, there are risks with phones as well. The only risk I can think of with phones is that users can store personal information about contacts. If the phone is lost or stolen, important sensitive information can be gathered. For example, BlackBerries can not only be traced with a built-in GPS system, but the Facebook application also does not time out after X minutes or even days of inactivity. That means the user might have the Facebook application logged in for weeks or even months, and if the phone is lost or stolen, a bunch of other (internal) information can be taken from and about your contacts. When technology advances and goes mobile, that is when the consumer must be more aware of risks, because now information is not only wired, communicated as encrypted and non-encrypted information. Now information is also being transmitted over the air (highly non-encrypted), and it can be eavesdropped on by any person. That is where man-in-the-middle attacks come into play.

Not only phones but also other over-the-air communication media are vulnerable and susceptible to attack. Even though many people might think man-in-the-middle attacks take a tremendous amount of effort, there is still an easy way to pull one off. That way is ARP poisoning using an open source tool called Cain & Abel (irongeek website). With this method, it is very easy for a knowledgeable (hacker?) person to get his hands dirty with your personal information in places such as cyber-cafes, airports, McDonald’s and some convenience stores.
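From the defender's side, ARP poisoning leaves a visible trace on the victim machine: the gateway's IP address suddenly maps to another host's MAC address. The following added example (not part of the original post) checks a neighbor table in the format printed by `ip neigh` on Linux for that pattern; the function names, the sample table and the baseline MAC are constructed for illustration.

```python
import re

# One `ip neigh` line: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+dev\s+\S+\s+"
    r"lladdr\s+(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")

def parse_neigh(text):
    """Return {ip: mac}; entries without a MAC (FAILED, INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table

def arp_findings(table, gateway_ip, known_gateway_mac=None):
    """Flag the two signs of a poisoned gateway entry as (reason, mac, ips)."""
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return findings
    # Sign 1: another host on the LAN answers with the same MAC as the gateway.
    sharers = sorted(ip for ip, mac in table.items()
                     if mac == gw_mac and ip != gateway_ip)
    if sharers:
        findings.append(("gateway-mac-shared", gw_mac, sharers))
    # Sign 2: the gateway MAC differs from one recorded on a trusted day.
    if known_gateway_mac and gw_mac != known_gateway_mac.lower():
        findings.append(("gateway-mac-changed", gw_mac, [gateway_ip]))
    return findings

# Constructed sample: the gateway (.1) and host .23 claim the same MAC.
SAMPLE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.23 dev wlan0 lladdr 00:11:22:33:44:55 STALE
192.168.1.40 dev wlan0 lladdr 66:77:88:99:AA:BB REACHABLE
192.168.1.77 dev wlan0  FAILED
"""
BASELINE_GW_MAC = "de:ad:be:ef:00:01"  # constructed "known good" value

if __name__ == "__main__":
    for finding in arp_findings(parse_neigh(SAMPLE), "192.168.1.1", BASELINE_GW_MAC):
        print(finding)
```

A router that legitimately answers for several addresses produces the same pattern, so a finding is a reason to compare against the router's real MAC and to keep sensitive traffic on an encrypted connection in the meantime.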

Having the most flexibility possible and the most security possible is impossible. You cannot have both. While some people prefer convenience and flexibility over security, a wiser choice might be to try to achieve both at a certain level to minimize the risks of being hacked. In this high-tech world, doing our everyday chores while going mobile might seem dangerous. This is the time to think wisely about our decisions. Come on! We can do better, America!!


Sources
Verizon Strategy: http://games.slashdot.org/story/10/03/22/2141205/Verizon-Set-To-Launch-Mobile-Payment-Service?art_pos=1

Cain & Abel: http://www.irongeek.com/i.php?page=videos/using-cain-to-do-a-man-in-the-middle-attack-by-arp-poisoning

Wednesday, March 31, 2010

Struggle VS Google and China

Culture is what divides each nation. Culture can make technology change the way it is wanted. Without culture, a society can be lost in richness and bind into another. Culture is what we have inside and cannot describe, because it is part of our personality and of the rules we obey in our daily lives. When culture is violated, we feel like we are being harassed and our dignity is being taken away. When business agreements influence the culture and principles of a nation, that is where the problem arises.

Google is well known as the giant of online search. Anybody can access their own country's version of Google from their own machine. For example, if you are in Ukraine, the site Google.com will redirect to the Ukrainian version of Google. Google had an agreement with China. The agreement was that Google would provide fast searches inside the Big Firewall of China but censor them so the Chinese nation wouldn’t be able to start a political revolution aided by the Internet. We all know China is a communist country, and communist governments limit the availability of information they consider “not suitable” for their nation to have access to.

When Google took away censorship, China's government and some Chinese people felt their culture and life were violated. I am unaware of the fact that Google took away censorship, but I know that was not a smart move. I truly believe that if you really want business from a foreign country, you have to know their laws and not try to break them. For example, at a party a DJ has to play the music people want to hear, not what he wants to hear. Even though the DJ might not like the music, he still has to play it. He will get paid for it, but if he disobeys and does whatever he wants, the clientele will be severely pissed at him. That is what happened with the Chinese government and the communists. Many activists hacked into Google’s headquarters e-mail accounts and systems to reveal themselves for such a bad act. Google kept on reacting badly to the response of the Chinese nation, so havoc fell from the sky. The Chinese government says Google violated their agreement, so Google did something it thought would solve the problems, even though it did not.

Google moved (redirected) the Chinese version of Google to the Hong Kong version, and that is a problem, the same problem they had before. Chinese users will try to visit Google and still get an uncensored version of Google from Hong Kong. The Big Firewall of China is broken. It is broken for two reasons. Users can access any sites they want by going around the Big Firewall in two ways: Google.hk and proxy servers. Maybe Google might help China by removing the redirection, but I don’t think they will because they want money. As for proxy servers, there might be underground sites made by the Chinese underground mafia which could provide users with proxy servers that let them connect to any site they want.

Whichever way they choose, the Big Firewall will always be broken, letting unsolicited information leak through it. Nothing is perfect, least of all technology. We all know that the Internet is one of the most vulnerable systems in the world because it is very complex, and it will take an unlimited amount of time to patch every hole in it. We have special gateways, proxy servers, VPNs, Tor software, anonymizer sites and protocols that can be used to bypass any sort of security that might get in our way.

Sources

http://www.upi.com/Daily-Briefing/2010/03/23/Google-vs-China/UPI-93351269347903/
http://techcrunch.com/2010/01/12/google-china-attacks/
http://www.torproject.org/