Thursday, April 8, 2010

Risk Management

The principles of keeping a system secure are as old as information itself. For as long as information has existed, ways of keeping it out of unwanted hands have been reinforced. Advances in technology expose systems to more methods of attack, also known as vectors. By the time a system administrator tries to find out what went wrong, it is sometimes too late. For that reason, one must stay aware of the latest technology in one's field. The ways of keeping a system secure change every day, but the principles never change. Some principles are straightforward to understand and apply because they require little technical background.

One of the most important concepts of data security is availability. How can something be secure if it has been deleted by a weather incident, human negligence or a malicious act? The first step is to back up data regularly. Data backup is perhaps the oldest way of preserving data. There are different categories of backups: full, differential, incremental and delta. They differ in how much data is preserved and when. The second step in preventing data disasters is to have the proper equipment. Having a UPS (uninterruptible power supply), proper job practices such as not bringing food to the workstations, and policies help an organization prevent data disasters.
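To make the difference between the backup categories concrete, here is an added example (not from the original post) that simulates full, differential and incremental backups over four constructed daily snapshots and shows how much each strategy copies and how many sets a restore must read. Delta (block-level) backups and file deletions are not modelled.

```python
"""Added example: full vs differential vs incremental backups over a sample file set."""

# Constructed sample data: the directory contents at the end of each day,
# modelled as {path: content}. No file is deleted in this sample.
SNAPSHOTS = [
    {"a.txt": "v1", "b.txt": "v1", "c.txt": "v1"},                 # Monday
    {"a.txt": "v2", "b.txt": "v1", "c.txt": "v1"},                 # Tuesday: a changed
    {"a.txt": "v2", "b.txt": "v2", "c.txt": "v1", "d.txt": "v1"},  # Wednesday: b changed, d added
    {"a.txt": "v3", "b.txt": "v2", "c.txt": "v1", "d.txt": "v1"},  # Thursday: a changed
]


def changed_since(current, baseline):
    """Files that are new or whose content differs from the baseline."""
    return {p: c for p, c in current.items() if baseline.get(p) != c}


def plan(snapshots, strategy):
    """Return one backup set per day as (kind, files_copied)."""
    sets = [("full", dict(snapshots[0]))]  # day 0 is always a full backup
    for day in range(1, len(snapshots)):
        state = snapshots[day]
        if strategy == "full":
            sets.append(("full", dict(state)))
        elif strategy == "differential":      # everything changed since the last full
            sets.append(("differential", changed_since(state, snapshots[0])))
        elif strategy == "incremental":       # only what changed since yesterday
            sets.append(("incremental", changed_since(state, snapshots[day - 1])))
        else:
            raise ValueError(strategy)
    return sets


def restore(sets, day):
    """Rebuild the given day's files; returns (files, number_of_sets_read)."""
    kind, files = sets[day]
    if kind == "full":
        return dict(files), 1
    if kind == "differential":                # full + one differential set
        return {**sets[0][1], **files}, 2
    merged = dict(sets[0][1])                 # full + every incremental up to day
    for _, delta in sets[1:day + 1]:
        merged.update(delta)
    return merged, day + 1


def files_copied(sets):
    """Total number of files written across all backup sets (storage cost)."""
    return sum(len(files) for _, files in sets)
```

Incremental backups copy the least but need the longest restore chain; a full backup every day copies the most and restores from a single set.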

The disaster recovery process has many methods that help an organization preserve its data rather than endanger it through negligence. Besides making proper backups and using proper equipment and procedures, there are other measures that blend into the same process. Anticipating risks, planning a strategy and having a post-disaster plan help the organization respond appropriately when an incident occurs. There are two kinds of risk management: quantitative and qualitative. Quantitative risk management determines the impact of threats by providing clients with the advice, knowledge and tools necessary to adopt innovations. Qualitative risk management is the separation or categorization of risks. They are categorized in three ways, low, medium and high, following a scale from one (least severe) to ten (most severe). Some of these scales rely on models. Threats can be divided into categories as well: natural, physical, network, human and eavesdropping threats. One must understand that these threats are equally important. There are no more or less important threats; they are all the same because they all threaten critical destruction of data. Even though a company might disagree with this concept, I understand why. A company with a limited budget cannot spend time fixing every hole that might exist in a system. It can only fix the holes it sees as most imminent.

Lastly, who is made aware of the security holes varies from company to company, but I personally think it must be done appropriately and very cautiously. Critical information in the wrong hands can lead to more hands on that vulnerability and might lead to total disaster. Only certain personnel must be told about the security vulnerabilities and/or breaches and given a solution. If no one is able or capable of determining what went wrong, they are less likely to know how to fix it. Some white-hat hacker organizations try to break into corporate systems and then offer to help fix them. In a movie I watched yesterday called “En Busca de Los Hackers” (Seeking for Hackers), Spanish version, a group of Spanish white-hat hackers said that offering to help companies with no hard evidence that somebody has broken into their system does not work. Every company has turned them down. The only method, for them, is the illegal approach. They break into the system first, put the flaws on a disc explaining how they found them, and present it to the companies for hire. 1 out of 9 companies hired them. No wonder there are vulnerable systems all around the world. If people, including corporations, have that fear of hackers, what can they do to make their systems better? Of course, there are bad people out there, but not everybody who calls themselves a hacker is really what they claim to be.

In this cyber world full of vulnerabilities it is hard to know who is on which side of the road. The only solution for a company is to back up its data daily; that way, if it ever loses something, it only loses the revenue of one day's worth of work, thus controlling how much money it might lose. It is not a matter of if, it is a matter of when. Every system in this world has been compromised at least once in its history, which means no system is a silver bullet for an organization. There are security basics and procedures, of course, and they try to minimize the risks as much as possible to save the company time and critical data. Only remember one thing: anybody with the proper knowledge, a computer connected to the Internet and time can break into ANY system. One of the reasons is that companies do not encrypt data that travels over the network. Companies seek flexibility and convenience, and these have a price. The price might be more than what they were looking to achieve, and that price is their lost privacy.

Sources:

http://www.it-observer.com/best-practices-securing-your-enterprise.html

http://en.wikipedia.org/wiki/Risk_management

“En Busca de los Hackers” – Seeking for Hackers (Spanish movie)

Thursday, April 1, 2010

The Fragile Web

Staying secure over the Internet is virtually impossible. Even though total security is impossible, there are ways to minimize the risks. Prevention is half of the equation; the other half must be secure practices. The more exposure we get as computer users, the more security-driven most of us become. If you are not worried about privacy because you use Linux or a Mac, you still should be. Unencrypted communication, social engineering and online scams do not discriminate between operating systems, which makes you just as vulnerable as Windows users.

It is harder to stay secure in the 21st-century digital era because there are more flexibility options and more temptations over the Internet. Having an unencrypted connection might expose your data to the wrong eyes and risk your privacy, even though you might think you are safe enough because you have an up-to-date antivirus installed on your computer and scan it every day. Also, having an IDS on your home computer might not help much, and neither will a corporate firewall. I think leveling the risks with cost is the best way to implement security. Why waste a lot of money on professional-grade protection if the threats in a home environment are not as serious as in a corporation that holds top-secret information?

Leveling risks against cost determines whether you really should spend money and time implementing such a system. Having a personal firewall might only help if the user is security conscious and is willing to spend time and effort checking every process and communication going through the computer each time a pop-up window appears. It is worthless to have top-notch technology if the user is not going to spend time checking it, and in this case a user has to spend time and effort setting up firewall rules in order to minimize risks and false positives on the system.

Also, it is worth mentioning that a personal firewall and up-to-date anti-virus and anti-spyware are not the only things needed. It is also recommended that those who do transactions online and send important e-mails use an encrypted connection. The use of VPNs is widely known among companies, but what about home users? Is the risk not the same, or at least similar, for a corporation and for a home user who is managing his online banking? It only takes someone making a targeted attack on you to have your identity stolen. The best way to prevent this is “abstinence”: try not to do financial business online. That way, corporations will likely change their online policies and try to improve the system so more people can use it. It all comes down to money. This method will negotiate with corporations, thus making them change their strategy. For example, Verizon (Slashdot website) will charge an extra $25 to make online payments more secure. I agree with their strategy of confirming purchases over the phone using a one-time password, but I don’t agree with paying more for a security improvement they should have made in the first place. Security must be provided with the service at the same rate.

Even though paying with phone password confirmation might seem a more secure way to do online payments, there are risks in phones as well. The only risk I can think of with phones is that users can store personal information about contacts. If the phone is lost or stolen, important sensitive information can be gathered. For example, BlackBerries can not only be traced with a built-in GPS system, but the Facebook application also does not time out after X minutes or even days of inactivity. That means the user might have the Facebook application logged in for weeks or even months, and if the phone is lost or stolen, a bunch of other (internal) information can be taken from and about your contacts. When technology increases and goes mobile, that is when the consumer must be more aware of risks, because now information is not only wired, communicated as encrypted and unencrypted traffic. Now information is also being transmitted over the air (largely unencrypted) and it can be eavesdropped on by anyone. That is where man-in-the-middle attacks come into play.

Not only phones, but also other over-the-air communication media are vulnerable and susceptible to attack. Even though many people might think man-in-the-middle attacks take a tremendous amount of effort, there is still an easy way to pull one off: ARP poisoning using an open source tool called Cain & Abel (irongeek website). With this method, it is very easy for a knowledgeable person (hacker?) to get his hands dirty with your personal information in places such as cyber-cafes, airports, McDonald’s and some convenience stores.
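From the defender's side, ARP poisoning leaves a visible trace: the MAC address answering for an IP suddenly changes, and one MAC starts answering for several IPs (typically the gateway plus the victims). The following added example (not from the original post or from Cain & Abel) runs that check over a constructed log of observed ARP replies; the log format used here is a placeholder, not the output of any particular tool.

```python
"""Added example: passive ARP-cache monitoring to flag possible ARP poisoning."""
import re

# Constructed sample observations, one ARP reply per line: "<time> <ip> is-at <mac>".
# The first three lines are the normal state; the last two show one host
# (…:30) suddenly answering for the gateway (.1) and for another client (.20).
ARP_LOG = """\
10:00:01 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:03 192.168.1.30 is-at aa:bb:cc:00:00:30
10:05:10 192.168.1.1 is-at aa:bb:cc:00:00:30
10:05:11 192.168.1.20 is-at aa:bb:cc:00:00:30
"""

LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})$")


def parse(log):
    """Yield (timestamp, ip, mac) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def detect(log):
    """Return alert strings; an empty list means no suspicious ARP activity."""
    ip_to_mac = {}    # first MAC learned for each IP, used as the trusted baseline
    mac_to_ips = {}   # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in parse(log):
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            # A baseline change is the classic poisoning sign. Caveat: a replaced
            # NIC or a DHCP lease moving between hosts looks the same, so treat
            # this as a lead to confirm (e.g. against the DHCP server), not proof.
            alerts.append(f"{ts} {ip} changed from {known} to {mac}")
        mac_to_ips.setdefault(mac, set()).add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:  # one MAC answering for several IPs: typical of a poisoner
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts
```

Static ARP entries for the gateway, or switch-side features such as dynamic ARP inspection, prevent the condition this script only detects after the fact.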

Having the best flexibility possible and the most security possible at the same time is impossible; you cannot have both. While some people prefer convenience and flexibility over security, a wiser choice might be to achieve both at a certain level to minimize the risk of being hacked. In this high-tech world, doing our everyday chores while going mobile might seem dangerous. This is the time to think wisely about our decisions. Come on! We can do better, America!!


Sources:
Verizon Strategy: http://games.slashdot.org/story/10/03/22/2141205/Verizon-Set-To-Launch-Mobile-Payment-Service?art_pos=1

Cain & Abel: http://www.irongeek.com/i.php?page=videos/using-cain-to-do-a-man-in-the-middle-attack-by-arp-poisoning