Author Archive Jayanthi

ByJayanthi

Patience is a virtue!

Reading Time: 1 minute

Today’s proverb is a very simple one that most of us will surely like but difficult to follow in reality…’Patience is a virtue’!!

He was very hardworking. He would get up at the same time every morning(weekday, weekend – it didn’t matter) He could sit with his daughter and teach her softly and gently. If she couldn’t understand something – he could spend more time with her till she understood the whole thing. He will diligently teach his half-interested son how to ride a bike(no scoldings there) Both his kids could not understand that there could be a “strict” father in life… they thought all fathers were like “their” father..calm and composed!! πŸ™‚

Have you tried driving in India and particularly Bangalore? Well, he could do that too and without losing his temper!! There are always cars, bikes, autos, buses flying from haphazard directions on Bangalore roads – but he could somehow manage to drive through it all unfazed(let us not worry about the time it takes to commute, though!! πŸ™‚ :)) 

He could be as cool as a cucumber and he might give a tough competition to Dhoni under most circumstances…… πŸ™‚  well, if you are wondering who is this person who is blessed with a such a patient personality – try guessing, it is not so hard!! πŸ™‚

‘Patience is indeed a virtue’…written for alphabet ‘V’ for the #BlogchatterA2Z challenge. The previous post can be found here.

ByJayanthi

Use it or lose it!

Reading Time: 2 minutes

After a series of technical posts, here is a proverb that I had heard of before, but understood its significance only a few years back.

What happens when you don’t walk for a prolonged period of time? What happens when you stop moving your finger for a prolonged period of time? What happens when you stop learning something new over a period of time? What happens when you stop teaching for prolonged period of time? The answer to all these questions is just a simple one – ‘You just lose the skill to do it”!! Whether body or mind, once you stop doing something(for whatever reason) – it is very hard to re-train the body and mind to try doing it again!

Both the body and mind becomes rusty once we stop doing it. So, unless you are advised by doctors not to do something – it is good to keep going on!

Sheetal had undergone a nasty foot surgery that did not allow her to walk for almost a month. At the end of the month, when she tried to walk, she could not walk normally for obvious reasons. But even beyond a 3-4 months, when the doctors had given her the “medically fit” certificate, she was in no mood to walk a lot as the “not moving” rust had settled on her! When she finally mustered the courage to walk, she could not do the normal walks and was mentally exhausted. Finally, her father pointed out that since she had not used her walking ability, she was finding it hard to get back to complete normalcy! She had to use every ounce of her physical and mental strength along with a deep religious penance to get her walking back!

Don’t let this happen to you…continue doing what you are doing, if you love it!

Cheers!

This post is for alphabet ‘U’ of the #Blogchatter challenge. The previous post can be found here.

 

ByJayanthi

Two factor authentication

Reading Time: 2 minutes

Recall the ‘Authentication‘ post for alphabet ‘A’? Now we deal with two-factor authentication which is an extension to that post.  Authentication in the information security realm is the process of identifying yourself to the system. The most popular way of authentication is the classic ‘username-password’ combination. This is one aspect of Information security that touches us all the time.  From email logins, social media logins, we may have to enter and re-enter our passwords everyday.  We thereby implement the concept of authentication all the time in our lives! Now let us see what is  ‘two factor authentication’ and see what role it plays…

Two-factor authentication:

Do you think the common username and password is totally safe? Is your account totally hack-proof with just a password? Nope – think again… the common username-password combination might be easily cracked by a determined hacker.

Two factor authentication is an additional layer of security for your account. In addition to the username and password combination, one way of establishing two factor authentication is to enter a code that is sent to the user’s phone via a SMS or a voice call. Some other ways of performing two factor authentication are tokens, RFID cards and smartphone apps.

Example of two-factor authentication:

Facebook two factor authentication:

  1. You will enter your username
  2. You will enter your password
  3. You will also additionally be asked to enter a code sent to the phone(assuming you have chosen text messages as your two factor authentication)
  4. Once you enter the correct password and code, you will be logged in successfully

 Example of Google two factor authentication or Google two step authentication can be found here

Now if the hacker intends to hack you account, he has to pass through two layers of security. He has to crack the username/password combination first  and then figure the code that is sent to the phone. Two factor authentication might not be the magic bullet to prevent attacks on any account,but since it involves more work, it might stop the hacker from getting into your account. This is the concept of ‘two factor authentication’. 

Another trivia related to passwords: Did you know the most common passwords all across the world was “123456”, “123456789”, “qwerty”, “password” and “1111111”? If you have any of these passwords for any of your accounts please do change them as you run a high risk of getting hacked! πŸ™‚

This post is for alphabet ‘T’ for #BlogchatterA2Z. The previous post can be found here.

 

 

ByJayanthi

SOC

Reading Time: 2 minutes

‘SOC’ is the acronym for ‘Security Operations Center’. The 2018 Verizon DBIR (Data breach investigations report) states that there were 53,308 security incidents and there were 2,216 data breaches in the year 2018. It also states that the 68% of the breaches took months or longer to discover! Isn’t it amazing – there is a  breach in your organization and you don’t have any idea about it till your customers let you know about it or a third party lets you know about it! That is probably the sad truth in the industry!!

SOC:

Keeping that in mind, the SOC is a team that has been informed whose sole purpose is to monitor and analyze the security of an organization. As with other things in security, a SOC team must be formed only after the formal assent from senior management. For any security program to be successful, the senior management in an organization must always be in tune with the goals of the Information security team.

Since security is mostly a reactive approach for most organizations, the SOC team is trained to detect security incidents within an organization and pass the control onto the ‘incident response team’ if an incident occurs. 

The SOC team consists of security engineers, SOC managers and security analysts along with other security professionals. The SOC team will hopefully reduce the time needed to respond to a cyber attack – since a team is always there to detect attacks as early as possible.

The SOC team must be up 24 hrs a day, 7 days a week, 365 days a year! There might never be a dull moment in the SOC team. The day may start out calm and before long alarm bells might be ringing detecting a security incident.  The SOC infrastructure involves the defensive security mechanisms of firewalls, IDS/IPS, breach detection solutions and more. 

Responsibilities of a SOC:

A professional in the SOC team is expected to be able to perform these tasks:

  • network analysis
  • IDS monitoring and analysis
  • malware analysis and forensics
  • The SOC team should also be in tune with the emerging trends and threats in the cyber security landscape. 

What are the skills to be a member of the SOC team?

You may need to have:

  • a Computer Science degree
  • 1-3 years of work experience related to SQL, TCP/IP, IDS/IPS, C, C++, Java, PHP, OS(like Linux, Unix, Windows)
  • Certifications such as GIAC, CISSP, CEH

These are some skills that are suggested to become a member of the SOC. There are other ways if you have the passion for joining a very happening team in the InfoSec domain!!

This post is for alphabet ‘S’ for #Blogchatter challenge. The previous post can be found here.

ByJayanthi

Red Team – Blue Team

Reading Time: 2 minutes

“Red team – Blue team” is a popular parlance in the Information security domain. It actually imitates military tactics, ” red teams” and “blue teams” who work in offensive and defensive positions. Protecting the infrastructure of an organization and ensuring the complete security of an organization is the ultimate goal of every security program.

Every organization wants their precious data to be safe, for their data not to fall into wrong hands, not to have any of their client’s passwords stolen, not to have any of their private conversations being snooped on and more…How do we achieve this in the Information security domain? By forming two teams – the ‘Red Team’ and the ‘Blue Team’.

Red Team:

The ‘Red Team’ is:

  • The offensive team or the attacking team
  • It consists of team members who perform duties similar to pen-testers who will attack and test an organization’s defenses
  • It may consist of team members from outside the organization 
  • The Red team will have skills pertaining to performing the attacks like phishing, social engineering, masquerading like employees and more
  • The ‘Red Team’ will attack an organization’s defenses and find loop holes in the system that might be potentially attacked by hackers

Blue Team:

The Blue Team is:

  • The defensive team
  • Will erect all defenses by ensuring that necessary software (such as firewalls, anti-virus definitions) have been installed and all patches are downloaded as and when they are released
  • They will also ensure that all loopholes in the security program are sealed
  • The ‘Blue team’ will have to keep up with all the new security threats and bugs in the Information security landscape and mitigate them accordingly
  • The ‘Blue team’ will have to re-group and re-strategize once the threat of attacks looms

Who is more important? (Red Team or Blue Team?)

Both the teams are equally important as both of them work for the betterment of an organization. While one team erects defenses and makes sure everything is secure, the other team attacks it and shows the vulnerability of defenses. The best way to work  of course, is for the “Red team” to think like the “Blue team” and attack the defenses and for the “Blue team” to think like the “Red team” and create good defenses!

This way, the organization can try to be as secure as possible!

There is also a ‘purple’ team but that will be for another post… πŸ™‚

This post is for alphabet ‘R’ for the #Blogchatter challenge. The previous post can be found here.

 

 

 

 

 

ByJayanthi

Winners are not people who never fail, but people who never quit…

Reading Time: 2 minutes

Next in my series of loved proverbs and quotes is this saying “Winners are not people who never fail, but people who never quit”. There must not be one successful person in the world who has not failed at anything. It is also said that “Failure is the stepping stone to success”. If you have not failed in anything in life, success will definitely take longer to reach you. Luckily for me, I have failed a few times here and there and I don’t quit that easily either – hope lady success finds me soon! πŸ™‚

Here are a few people who had to take a few misses initially but made sure they didn’t quit to reach their successful state today:

  1. Bill Gates the creator of Microsoft stumbled with his first start-up and dropped out of Harvard to start his most successful company. 
  2. J.K. Rowling, author of the Harry Potter series of books, faced rejection of her manuscript 12 times before finally being accepted. 
  3. Steven Spielberg, director of extremely popular movies such as ‘Saving Private Ryan’, ‘Jurassic Park’, ‘BFG’, ‘ET’, ‘Schindlers list’, ‘Jaws’ was rejected twice by the ‘University of Southern California’s School of Cinematic Arts.’!!
  4. Albert Einstein’ – the brainy man born in 1879 was considered as a major failure by his father. He did not talk till he was 4 years old. He also joined college but almost dropped out. This is the person, who taught us the theory of relativity and more ground breaking work in Physics.

All the personalities listed suffered initial setbacks in their current glorious career. But it was their inherent trait to never quit that got them to the level they are today!

‘Winners are not people who never fail, but people who never quit’…

Cheers! πŸ™‚

 

This post is for alphabet ‘Q’ for the #BlogchatterA2Z challenge. The previous post can be found here.

 

ByJayanthi

Is “Privacy” a myth?

Reading Time: 2 minutes

“Privacy”, what? might be a common reaction for some of us. For me, of late, I have been getting more and more passionate about privacy issues. What is “privacy” anyways? Is it a total myth in this digital age? Most of my digital life is spent in wondering who has stolen my private information, or who “else” has seen my online pictures and who “else” is listening to me…if you are like me – you are a true “privacy” warrior like me! πŸ™‚

Almost all of our information is stored online in some server in a strange country(or in your very own background!! :)) Safeguarding this personal information and ensuring that this information is not “sold” to other third parties is one way of ensuring “privacy”. Anything that is yours and yours alone and which is spied upon or stolen cunningly is loss of privacy. 

The places you visited, your birthdays, the pictures you take, the milestones achieved(and shared), the places that you have been to, the credit card numbers that are stored for ease of transactions –  we give all this information voluntarily and unknowingly to some online giant. This information – if it stays with the same organization – it is “private”. But more often than not, “your” information gets sold and you have no clue about it.

The EU GDPR(General Data Protection Regulation) that came into effect last year was the strongest data privacy regulation in 20 years. It broadly seeks to protect user data and make all organizations create transparent data policies. Selling user data is not the only invasion of privacy – there are other ways that privacy of users can be lost too.

Alexa:

Digital assistants or personal assistants(like Siri, Cortana, Amazon Echo) may be more ubiquitous in the West than in India. Personal assistants are supposed to make our life simpler – they can call anybody, order pizza, turn on the lights and more. But according to a report published a week back, did you know that “Alexa” was listening to your conversations all along? If you forgot to “turn off” your Alexa, it could eavesdrop on all your personal conversations. According to this report, voice snippets are  analyzed by Amazon employees for better customer experience.  

So, if you feel your privacy has been lost with the Amazon Echo devices, it would be good to go to ‘Settings’ in the ‘Alexa’ app – and disable “the use of voice recordings for the development of new features’. Similarly, it would be good to review all ‘privacy” features in all digital devices and set it to stringent levels. 

With all the privacy hacks on various digital platforms – I hardly feel like sharing anything online except for meeting everybody in person! πŸ™‚

This post is for alphabet ‘P’ of the #Blogchatter challenge. The previous post can be found here.

 

ByJayanthi

OWASP Top 10 vulnerabilities

Reading Time: 3 minutes

OWASP( ‘Open web application security project’) is a community and it is a non-profit organization that is primarily oriented towards securing software. Any type of software that we use today, is always prone to vulnerabilities and bugs. These bugs give hackers a chance to proliferate inside the software and steal our precious information. Can we say any of the data that is stored on countless servers and databases is safe? Never…there is always a way to steal your credit card number sitting in a strange server on a strange land. One way of doing it is by exploiting the vulnerabilities or weaknesses in the software that we use everyday…

OWASP lists the top 10 vulnerabilities in application software along with their risks and countermeasures. This helps organizations to ramp up their software by knowing the common vulnerabilities that are being used. This list is updated every 3-4 years and the last list was updated in 2018.

 

 

It is quite that amazing that when I started coding years ago – we were only worried about getting the code to run the way we wanted it to. But now, times have changed and we have to make sure that the code is hack proof in every possible way.. anyways, here are the OWASP top vulnerabilities released in 2018:

  1. Injection

        ‘Injection’ may mean different things to people from different walks of life but in our context – ‘injection’ is inputting wrong user  data thereby triggering unintended commands. Some examples of injections can be SQL queries, PHP queries, LDAP queries and more.  ‘Injection’ attacks check if an application is vulnerable or not.

    2. Broken authentication

      We have already discussed authentication in an earlier post.  In a typical authentication scenario, we enter the ‘username’ and ‘password’ and if we enter them correctly, we are authenticated. What happens if somebody steals your session maybe in a shopping conversation with a big online retailer? Maybe you were just authenticated and you finished shopping online. What if somebody steals your financial information with the information you entered last?  This is ‘broken authentication’.

   3. Sensitive data exposure

    Now that online banking and online transactions have all become common place – all usernames and passwords can be sniffed if good encryption is not in place. Just imagine a scenario, wherein your online banking password is sniffed by miscreants! Imagine the damage they can do!! 

  This can be avoided by using the latest encryption algorithms and making sure that none of the information is stored in the cache.

4. XML external entities

  This is known as XXE attacks and these are possible due to the uploading of malicious XML files by the user. Once a malicious file is uploaded to the server, it can be used to steal data and do other malicious things.

5. Broken access control

   I have already written about ‘access control‘ in another post.  ‘Access control’ authorizes users to access the appropriate resources. What if ‘John’ gains ‘admin’ privileges and is able to access your account? Is that right? This is ‘broken access control’. John is not authorized to access your account and he should not be able to access by changing a small piece of code.

This can be prevented by using ‘authorization tokens’.

6. Security  misconfigurations

Security misconfigurations can result from using default ‘security’ settings. 

This can be avoided by configuring all the servers appropriately and preventing wordy error messages.

7. Cross site scripting

Cross site scripting occurs when attackers can insert a piece of code on a web page. This can then be used to steal user data and bring down websites.

8.  Insecure deserialization

Serialization and Deserialization are two processes which happen when dealing with data. This is a type of vulnerability wherein the ‘deserialization’ happens with untrusted sources. 

9. Using Components with known vulnerabilities

It is always possible that web application developers are working with components that have some vulnerabilities in them. The vulnerabilities might have just have been discovered. Once that happens, it is good for application developers to delete such components or install patches immediately.

10. Insufficient logging and monitoring

Many security breaches are detected long after an incident. By this time, hackers can penetrate the system and cause even more damage. In order to minimize extra damage, all activities must be logged and monitored. 

The original set of OWASP top 10 vulnerabilities can be found here

This post is for alphabet ‘O’ of the #Blogchatter challenge. The previous post can be found here.

ByJayanthi

Never judge a book by its cover!

Reading Time: 2 minutes

In my favorite proverb series – this is yet another one ‘Never judge a book by its cover’!! – which means not to judge a person too quickly and by looking at only their outward appearance and demeanor. 

Almost all the proverbs seem to be leading us for a perfect life(good healthy eating habits, forgetting the past, moving on etc etc) which is next to impossible for all us… πŸ™‚ but we can still try to follow it to some extent at least…

Judging someone is something we are all guilty of…but sometimes, we judge somebody without knowing them totally and by external appearances alone.  We judge a person in a hurry just by looking at them or by speaking just a few words with them too. We label them quickly too (talkative, quiet, silent, pessimistic, optimist, studious, nerd, geek, no sense of humor etc etc) I have been guilty of judging somebody too quickly just by their appearance and finally realized how wrong I was too!(face palm!!)

All of us undergo many,many experiences in life and each of the experiences either mellows us down, makes us stronger or weaker. Even though there is a Tamil proverb “agathin azhagu mugathil theriyum”(The beauty of your mind is visible on your face) – more often than not, you cannot understand everything that a person has undergone just by looking at their face. Most of us maintain a happy and smiling face which holds many secrets! 

So, good to not judge a book by its cover but give all relationships some time to develop and grow!

This post is for alphabet ‘N’ of the #Blogchatter challenge. The previous post can be found here.

ByJayanthi

Identity management

Reading Time: 2 minutes

‘Identity management’ in some ways is an extension of the concepts of  access control and authentication. The current business environment is complex and getting more complex with time. There are numerous departments(like CRM, ERP and HR) and networks. There are hundreds of business users(like employees, customers and partners) constantly logging into systems and accessing different resources. Employees might also move onto different departments and they might also quit and move onto different organizations. How do we handle the huge responsibility of checking the credentials of the users, authentication them and authorization them? This is done by process of ‘identity management’.

‘Identity management’ involves the process of first identifying the user, authenticating the user and authorizing them to access appropriate resources in an automated way. ‘Identity management’ solutions have to handle the huge task of assigning access to  different users across multiple systems. They also have to make sure that the access is neither too restricted nor too broad.  ‘Identity management’ solutions also involves revoking the credentials of former employees so that cannot access the old resources again.

 

Advantages of IDM solutions:

In the earlier days, IDM solutions were manual, but with today’s complex business scenario, automated solutions are the need of the hour. IDM solutions offer these advantages:

  1. They increase the productivity in an organization(administrators do not have to spend time configuring the different settings for different users)
  2. Security in the organization is enhanced since users are given appropriate access and single-sign on is implemented

IDM solutions:

A number of organizations offer IDM solutions and here are a few of them:

  1. Computer Associates Identity and access management
  2. IBM Identity and access management
  3. Oracle Identity management

Seamless digital transitions in today’s business scenario is possible because of sophisticated identity management’ solutions. 

This post is for alphabet ‘M’ of the #Blogchatter challenge. The previous post can be found here.