Category Archive: Information Security

By Jayanthi

Kerberos Authentication protocol


We have already discussed Cryptography and the Caesar cipher. In this post we will explore Cryptography further by discussing one of its applications, the ‘Kerberos authentication protocol’. In today’s insecure online and distributed environment we need a stronger authentication mechanism than the classic username/password combination.

Introduction:

‘Kerberos’ was developed at MIT as part of a project named ‘Athena’. Kerberos is the three-headed dog of Greek mythology that guarded the underworld. Its electronic namesake, the Kerberos authentication protocol, guards users’ online data and keeps attackers at bay. The Internet, being a place that does not by itself uphold the three tenets of Information Security – Confidentiality, Integrity and Availability – needed stronger cryptographic mechanisms to ensure users’ online privacy. The Kerberos network authentication protocol was created to uphold the three tenets by making use of symmetric key cryptography. Recall: in symmetric key cryptography, the same key that is used to encrypt data is used to decrypt it as well.

The Kerberos authentication protocol is used to prove your identity in a client/server interaction by making use of “tickets”. Kerberos version 4 was created by Steve Miller and Clifford Neuman. Version 5, whose latest release is 1.16.3, was created by John Kohl and Clifford Neuman. Kerberos is freely downloadable from the MIT website under its copyright permissions. It is also available as a commercial product from many vendors. Kerberos is based on the Needham-Schroeder protocol.

Necessity of Kerberos:

Kerberos was created to overcome the following threats in an open distributed network environment:

  1. A user may masquerade as another user and access the privileges and rights on the new user’s workstation
  2. A user can change, modify and alter the network address of other workstations
  3. A user can also “snoop” and overhear conversations and gain an entry into servers(Stallings)

Description:

Here is an extremely high-level description of how the Kerberos authentication protocol works. The important terms to be aware of before we start:

KDC – Key distribution center

TGS – Ticket Granting Service

  1. A user logs onto a client machine, enters his credentials and requests a service. Only the username is transmitted to the KDC server; the password is transformed into the key of a symmetric cipher and kept on the user’s machine. After matching the username against the KDC database, the KDC server creates the TGT (Ticket Granting Ticket), which is encrypted with the user’s key.
  2. The client receives the encrypted TGT. Recall that Kerberos makes use of symmetric key cryptography: the encrypted TGT is decrypted with the user’s key, which is stored on the user’s machine.
  3. The TGT stored on the machine enables a session with the server for a specified amount of time.
  4. In order to communicate with the server and request more services, the client presents the TGT to the KDC server and asks for a ticket for a specific service.
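As an added illustration (not code from the original post or from MIT Kerberos), here is a toy Python model of the four steps above. It follows the real exchange a little more closely than the summary: the session key in the AS reply is sealed under the user’s key, while the TGT itself is sealed under the TGS (krbtgt) key so that only the KDC can open it. The cipher, the KDC class, the string_to_key helper and the principal and service names are all constructed stand-ins.

```python
import hashlib
import hmac
import json
import os
import time

NONCE_LEN, TAG_LEN = 16, 32

def string_to_key(principal: str, password: str) -> bytes:
    """Client-side password-to-key step (stand-in for Kerberos string-to-key).
    The salt is derived from the principal name so the KDC can compute the same key."""
    salt = hashlib.sha256(principal.encode()).digest()[:16]
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC symmetric cipher; a real KDC uses an AES encryption type."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag, then decrypt. A wrong key (i.e. a wrong password) fails here."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("ticket does not open under this key")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) in one constructed object."""

    def __init__(self):
        self.user_keys = {}                              # principal -> user key, never the password
        self.service_keys = {"krbtgt": os.urandom(32)}   # krbtgt is the TGS's own key

    def register_user(self, principal, password):
        self.user_keys[principal] = string_to_key(principal, password)

    def register_service(self, service):
        self.service_keys[service] = os.urandom(32)

    def as_exchange(self, principal):
        """Step 1: the AS-REQ carries only the username. The reply is a TGT sealed for
        the TGS plus a session key sealed under the user's key (steps 2 and 3)."""
        if principal not in self.user_keys:
            raise KeyError("unknown principal")
        session_key = os.urandom(32)
        tgt = seal(self.service_keys["krbtgt"], json.dumps({
            "cname": principal, "key": session_key.hex(), "endtime": time.time() + 8 * 3600}).encode())
        enc_part = seal(self.user_keys[principal], json.dumps({"key": session_key.hex()}).encode())
        return tgt, enc_part

    def tgs_exchange(self, tgt, service):
        """Step 4: the client presents its TGT and names a service; the TGS opens the TGT
        with the krbtgt key and issues a service ticket sealed under that service's key."""
        claims = json.loads(unseal(self.service_keys["krbtgt"], tgt))
        if claims["endtime"] < time.time():
            raise PermissionError("TGT expired")
        if service not in self.service_keys:
            raise KeyError("unknown service")
        service_session_key = os.urandom(32)
        ticket = seal(self.service_keys[service], json.dumps({
            "cname": claims["cname"], "key": service_session_key.hex()}).encode())
        enc_part = seal(bytes.fromhex(claims["key"]), json.dumps({"key": service_session_key.hex()}).encode())
        return ticket, enc_part

def client_login(kdc, principal, password):
    """Client side of the AS exchange: the password is used locally and never transmitted."""
    user_key = string_to_key(principal, password)
    tgt, enc_part = kdc.as_exchange(principal)
    session_key = bytes.fromhex(json.loads(unseal(user_key, enc_part))["key"])
    return tgt, session_key

def client_get_service_ticket(kdc, tgt, session_key, service):
    """Client side of the TGS exchange: only the TGT and the session key are needed."""
    ticket, enc_part = kdc.tgs_exchange(tgt, service)
    return ticket, bytes.fromhex(json.loads(unseal(session_key, enc_part))["key"])

def demo():
    """Constructed principal and service; returns what the file server learns from the ticket."""
    kdc = KDC()
    kdc.register_user("alice", "correct horse battery staple")
    kdc.register_service("fileserver")
    tgt, session_key = client_login(kdc, "alice", "correct horse battery staple")
    ticket, svc_key = client_get_service_ticket(kdc, tgt, session_key, "fileserver")
    claims = json.loads(unseal(kdc.service_keys["fileserver"], ticket))  # the service opens it with its own key
    return claims["cname"], bytes.fromhex(claims["key"]) == svc_key
```

Note that the only thing the KDC ever stores for a user is the derived key, and the only thing it receives from the client is the username; a wrong password simply fails to open the AS reply on the client side.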

Conclusion:

This is just a simplified version of the Kerberos authentication protocol. It can be inferred from the above description of the Kerberos authentication protocol that the entire functioning is based on “tickets” and encryption and decryption using symmetric key cryptography. No passwords were sent in the entire client/server interaction. It is hoped that stronger authentication standards will be adopted by the industry.

Bibliography:

Kerberos. (n.d.). Retrieved May 7, 2014, from Wikipedia.org: http://en.wikipedia.org/wiki/Kerberos_(protocol)#Further_reading

Stallings, W. Cryptography and Network Security.

What is Kerberos and how does Kerberos work. Retrieved from slashroot.in: https://www.slashroot.in/what-is-kerberos-and-how-does-kerberos-work

By Bala Manikandan

Network and System Security


Network and System Security means protecting your system from different kinds of attacks by unauthorized users. With the development of the Internet and the World Wide Web, it is a field that is gaining a lot of importance. In this post, we will discuss various threats to network security and how to protect our system from such threats.

1. Worms

A worm is a program which simply creates copies of itself until the entire disk space in your system is filled up.

2. Trojan Horses

These are harmless-looking applications, such as text editors, which actually perform malicious functions without your knowledge (for example, deleting or modifying other existing files).

3. Spyware

This is a kind of software which may get installed on your PC without your consent, tracks your activity and reports this information to people who are willing to pay for it. Spyware mostly finds its way to a PC by getting downloaded along with another file, or from the Internet when you visit a webpage.

4. Adware

Adware is software that causes your computer to display unwanted pop-up ads. It reduces the performance of your computer, and is similar to spyware, with the difference that it may be installed with your consent. So it is important to go over the terms and conditions before you install any software on your PC.

5. Spamming

This is a term used to describe the sending of e-mail in bulk by a known or unknown person. Spamming can also reduce system performance, and can even be used to spread computer viruses.

6. Phishing and Pharming

These methods of attack rely on tricking users rather than using sophisticated technology.

  1. Phishing: In this attack, an unidentified person uses an authentic-looking e-mail or website to extract sensitive personal information from another user. For example, you may receive an e-mail which seems to be from your bank, asking you to fill up your personal details by clicking on a link. But the link may take you to a fake website where all your details are obtained and later used for malicious purposes.
  2. Pharming: This attack involves redirecting a website’s traffic to another authentic-looking, but bogus, website. The attacker convinces you that the site is real and then obtains all the information you provide to it.

7. Snooping and Eavesdropping

  1. Snooping: It refers to the unauthorized access of someone else’s information. It may or may not involve using sophisticated snooping software. Examples are monitoring of keystrokes pressed, secretly observing someone else’s computer activity and directly capturing his/her login ID and password.
  2. Eavesdropping: Eavesdropping involves intercepting someone else’s data as it passes from one place to another. For example, intercepting someone else’s credit card number as it passes from the user’s system to the web server that requested it.

8. Denial of Service (DoS) Attacks

In this kind of attack, the legitimate users are not allowed to use the resources, information or capabilities of the system. This attack, however, generally does not allow the attacker to access or modify data. For example, an attacker may flood the targeted system with a barrage of requests.

9. Cookies

These are messages (pieces of information) sent by a web server to a web browser so that the web server can track users’ activity on a webpage. They can help webpages load faster, and can customize the page for users who have already visited it. As they are merely text files, they cannot act maliciously on systems. However, any information you provide freely to a website (including sensitive personal information) will most likely be stored in a cookie, unless you disable the cookie feature in your browser. If someone found out the encryption key to your cookies, he/she could get your personal details. Cookies are a threat to security in this way.

Preventive Measures

Having discussed various threats to network and system security, the question arises as to how we deal with these threats. There are different methods to deal with different kinds of attacks, some of which are listed below:

General solutions:

  • Be careful when downloading files on the Internet.
  • Use a different way of writing e-mail addresses on the web. (For example, instead of “abc@xyz.com” you could write “abc AT xyz DOT com” or “abc    AT    xyz    DOT    com” with extra spaces.)
  • Instead of clicking links in e-mails, type the URL of the concerned website in your web browser (the link may direct you to a bogus website).
  • Disconnect from the Internet when away from home. Staying on the Internet increases the risk of certain infections and intrusions.

Solutions to Viruses, Adware, Spyware

  1. Use antivirus and anti-spyware software.
  2. Keep your system up-to-date.

Solutions to Spam

  1. Use anti-spam software.
  2. Keep your e-mail address private.

Solutions to Phishing and Pharming

  1. Avoid opening e-mails from unknown sources.
  2. Check the security guidelines of websites you often visit (so you can distinguish between legitimate and fake e-mails).

Solutions to Snooping, Eavesdropping and DoS attacks

  1. Protect your system by asking the user for a valid user-ID (authorization) and a valid password (authentication). Keep the passwords strong so that they cannot be easily guessed.
  2. Install a firewall on your system. A firewall is a system (hardware or software) designed to prevent unauthorized access to or from a private network.

Solution to threats caused by Cookies:

  1. Turn off the cookie feature in your web browser when it is not needed, to ensure the safety of your personal information.

We saw a few ways in which a system may be compromised actively or passively and the way to counter them. Join me as I uncover more topics on yet another post on Information security!

By Jayanthi

What is Cryptojacking?


It just feels like we hear something new about cryptocurrencies every day, but let us delve into the concept of ‘Cryptojacking’ in this post. Having blogged about cryptocurrencies and blockchain before, here are a few facts about them:

  1. ‘Bitcoin’ and ‘Blockchain’ are two entirely different concepts
  2. ‘Bitcoin’ is a cryptocurrency while ‘blockchain’ is the underlying technology powering cryptocurrencies like Bitcoin 
  3. Blockchain is a distributed, immutable and shared ledger
  4. Transactions on a blockchain cannot be edited
  5. ‘Bitcoin’ is one of the more popular cryptocurrencies based on the ‘Blockchain’ concept.

Bitcoin’s energy consumption:

Since bitcoin is based on the blockchain concept, where there is no central authority directing the stakeholders (or miners, in Blockchain/Bitcoin lingo), the only way a new block (FYI – a ‘block’ is where transactions are recorded) can be created and agreed upon is by means of mathematics. This is called ‘mining’, which uses a huge amount of energy. Bitcoin mining can be done with simple software and specialized hardware.

Bitcoin’s current electricity consumption is 46.74 TWh (terawatt hours)! (Source: https://digiconomist.net/bitcoin-energy-consumption) To put this into perspective, according to one study in April 2018, Bitcoin’s energy consumption was equal to the energy consumption of an entire country like Switzerland! (Source: https://www.forbes.com/sites/shermanlee/2018/04/19/bitcoins-energy-consumption-can-power-an-entire-country-but-eos-is-trying-to-fix-that/#116123d81bc8)

Since bitcoin mining is so energy intensive, it is no surprise that cyber criminals look for alternative ways to mine cryptocurrencies.

Cryptojacking:

This alternative and malicious way to mine cryptocurrencies is known as ‘Cryptojacking’. ‘Cryptojacking’ covertly makes use of an innocent person’s computer, tablet, phone or any other connected device to mine cryptocurrencies. The innocent individual is lured by means of suspicious email links or online ads, which then run the mining code in the background and drain the device’s energy for the wrong purposes.

The unsuspecting user continues to use his computer or connected device without knowing that it is being used for malicious purposes.

What do criminals gain from this?

They get bitcoins or any other cryptocurrency with minimal effort and electricity usage on their side. They can then use these cryptocurrencies to buy things that they wish.

How do we detect that cryptomining code is running on our computer?

The only way we can detect that cryptomining code is running on our computer is when the computer becomes slow or heats up.

How do we prevent cryptojacking?

We can prevent ‘cryptojacking’ by installing ad-blocking and anti-cryptomining extensions. Users should also turn off JavaScript in the browser and be wary of phishing emails. It is also necessary to keep up with the latest in the security realm and install all patches as and when they are released.

Future of cryptojacking:

The current damage caused by ‘Cryptojacking’ may only be a slowing down of the device, but this malicious attack may evolve further with time and pose a risk to personal and financial information. According to this report from eset.com, cryptojacking may not be slowing down in 2019. So, it is necessary to take note of this attack, be knowledgeable about it and guard against it.

By Jayanthi

What is ‘Steemit’?


Do blogging/writing and blockchain have anything in common? Yes – with ‘Steemit’. What is ‘Steemit’? It is a blockchain-based blogging platform. Imagine writing a blog post and it being stored on a Blockchain, namely the ‘Steem’ blockchain… so, next, what is a ‘Blockchain’? To refresh, a ‘Blockchain’ is a distributed ledger of information with no central authority (decentralized). The most popular application of Blockchain is, of course, ‘Bitcoin’.

We have all heard about ‘Blockchain’ being used in the mortgage industry and the car auction industry – but for blogging and writing content? Yes, it is true – bloggers can write content which will be posted on the ‘Steem’ blockchain, and you ‘may’ even get paid for it. The ‘Steem’ blockchain is used for other decentralized applications as well, like DTube (a decentralized video platform) and eSteem (a Steem-based mobile app).

‘Steemit’:

‘Steemit’ is a ‘Dapp’ or ‘Decentralized application’ which was started in 2016. One can upvote, downvote and comment on others’ posts (similar to other communities, but with a difference: you get paid for it and it is on a blockchain).

Depending on the number of upvotes you get, you get paid in the form of digital tokens called ‘STEEM’. Every day, STEEM tokens are mined on the ‘Steem’ blockchain and these can be used as rewards for different users.

Other points about ‘Steemit’:

  1. Users can earn money by creating content; if it receives generous upvotes, one can earn enough ‘STEEM’ tokens
  2. Users can also receive a reward in another way: if they upvote another post and that post becomes popular later, they get rewarded with STEEM tokens too
  3. Unlike regular blogging sites, if a user loses his/her password/owner key, it cannot be reset! Hence, it is recommended that users store an offline copy of it. There are a number of keys too – such as owner, active, posting and memo. Since each account contains funds, it is critical for owners to safeguard their keys appropriately.
  4. Another interesting point about ‘Steemit’ is that since the content is stored on the ‘Steem’ blockchain, it cannot be deleted (though a blank page can be shown for the time the post is active). Since one important property of a blockchain is immutability (changes made to a block cannot be altered), all edits and comments are stored on the ‘Steem’ blockchain permanently.

Can ‘Steem’ be converted?

Yes, ‘Steem’ digital tokens can be converted to Bitcoin or to a country’s native currency or your local bank account. You can also convert it into other cryptocurrencies.

We saw the concept of ‘writing and blockchain’ merging in this post by means of the ‘Steemit’ blockchain… join me as I uncover more interesting topics…

Disclaimer: This article is to be used for informational purposes only. With cryptocurrencies being banned in many countries including India – it is up to the user to research and make decisions on the same.

By Jayanthi

2 years on a self-hosted blog…how is it?


Yes, my self hosted blog turns 2!! 🙂 How has the journey been? (And, if you are wondering what is meant by “self-hosted”, just scroll down…)

Have there been only ups or only downs? Read more to know what I learnt or not…. 🙂 It has been an exciting and interesting journey and I wouldn’t trade it for anything in this world! It is almost like starting your own business, but at maybe 1% of the effort or size.

Graduating from writing technical blogs and creating e-learning videos for different organizations to doing it for my own website has been fun! During my technical writing stint for different organizations, I wrote blogs or created the e-learning videos and each organization took care of the part that I was least interested in (digital marketing – ‘ugh!’).

Creating my self-hosted blog:

What is meant by a “self-hosted” blog? In simple terms, I have a blog with a domain name without being tagged by “wordpress.com” or “blogspot.com” (so, now it is “blogtech.online”), and I have to pay for it and can monetize it as well. Even though I already had another free blog, ‘jayanthiweb.wordpress.com’, my self-hosted ‘blogtech.online’ was my own space on the Internet.

Before the blog went “live” I had a million questions. How would it work? What should I do first? What should I do next? Who was the best hosting provider? There were another gazillion questions in my head… and if you know me, you know I could ask a lot of questions to get my project started! 🙂 Special thanks to the two people who helped me find all the answers and made my blog go “live”! 🙂

After all my questions were answered, I became the proud owner of a blog with a nice name that I thought reflected my blog’s writings at that time. I knew I would write about ‘Information security’. But I knew Information security alone could not sustain my blog – which is why I made it a ‘Technical blog sprinkled with personal thoughts’ 🙂 I also had other interests like programming in Java and C, and I knew my interests would meander even more with concepts like ‘Blockchain’ rocking the technical space… so the name ‘blogtech.online’ stuck and it is 2 years since that day! 🙂

I knew that all blogs need varied content from different styles of writing. I did get a few writers to write for me and, once in a while, my husband and my son stepped in to fill the writing shoes! 🙂

Me and ‘digital marketing’ – a rough journey! 🙂

After starting my self-hosted blog, I realized I needed to do everything myself now. Free blogs are relatively easy – you just write and publish to the community and you have tons of traffic. But my self-hosted blog was different… I was swimming on my own now.

I have had to go ahead and do a “not-so-deep dive” into digital marketing. I have learnt a bit of ‘digital marketing’ from my technical blog’s perspective. What was a “theme”? What were the “plugins”? What were “organic traffic” and “bounce rate”? And analyzing Google Analytics was fun too!! 🙂 I learnt a little bit of the “digital marketing ocean” all by experience… they say “experience is the best teacher” – it is the “very” best teacher, I would say!

I cannot say I am a digital marketing nerd or anything remotely close to that, but it is good to learn it if you are anywhere in the Internet and want to be seen and heard! 🙂

Blogging communities:

For a self-hosted blog to survive, it is definitely necessary to be part of blogging communities. Thanks to blogging communities like Indiblogger, Blogchatter and BlogAdda, I have made great online friends from whom I have learnt a lot. Thanks also to Twitter and all my Twitter friends, without whom my blog would not be rising steadily today!

So, what is the final report card?

I cannot say I have hit off the charts in Google search results, but my Alexa rank has finally dropped below the million mark! That itself seems quite an achievement. Interestingly, my Blockchain posts garnered more interest and attention than I thought! 🙂 (which is always good)

In the 2 years, I have blogged about Steganography, access control, physical security, the CIA triad, top-down approach to security, NIST publications, ransomware, single sign-on, deep web, dark web, zero-day vulnerability and more on the technical side… 

To conclude, here are some of my best technical posts:

  1. Physical security
  2. Conflict resolution at the workplace (By: Mani Prithiviraj)
  3. Which is more secure SSL, TLS or HTTPS?
  4. What is “Dark Web?”
  5. What is ‘Ransomware?’

My personal posts bordered a lot on my India-US-India journey and I published an e-book on that too! In addition, parenting is a funny affair when we have grown kids and all those jokes go right into the blog! 🙂 Here are my best posts in that category:

  1. Myths about the US!
  2. What is your social media personality?
  3. Are you a ‘helicopter’ parent?
  4. Why do we Tamilians not have a last name?
  5. Toughest job in the world
  6. How did I become a writer?

When I began writing 6 1/2 years ago, I did not know I would have so much to say! 🙂 But I did and I still do… Thanks for reading and continuing to support my blog! 

Keep reading, keep commenting and warm wishes for an awesome 2019!

By Jayanthi

Physical security


‘Physical security’ is an often overlooked aspect of security. It is often ‘taken for granted’ and most organizations do not take it seriously. Danny Thakkar from Bayometric.com defines physical security as “… a set of security measures taken to ensure that only authorized personnel have access to equipment, resources and other assets in a facility, these measures are laid out for” (Thakkar)

“Physical security” means ensuring that the data centers, servers, printers, workstations and all other devices are secured from both man-made and natural disasters. How do we achieve this? By erecting defenses in the path of thieves, hackers and anybody else who wants to get in. These physical defenses are “physical security”. While absolute security can never be achieved, we can plug the holes in our defenses and hope to keep the critical resources safe from external and internal factors. In this article, we will look at the broad steps that are needed to seal the vulnerabilities and ensure ‘physical security’.

How do we establish physical security?

Physical security can be established by enforcing appropriate access control, surveillance and testing. Physical security should have multiple layers to make sure that critical resources are never compromised. How do we implement physical security? A few points are listed below:

  1. The simplest and most effective way of implementing physical security is to secure the place by means of old-fashioned locks. In addition, the appropriate zones can be sealed by means of biometric systems.
  2. At the outermost layer, the organization should be fenced properly and all entry points should have good locking systems and appropriate entry authentication mechanisms
  3. The entire facility should also be well lit
  4. The organization should be well guarded by adequate security personnel at all entry points
  5. ‘Surveillance’ can be implemented by installing CCTV cameras at various points in the organization
  6. All employees should have appropriate security badges and these must be authenticated at the entry door by swiping. Ex-employees should be removed from the company’s database to make sure that they no longer have the authorization to enter the company.

These are some steps to thwart direct physical attacks. 

So, the next time you see CCTV cameras, security badges and fingerprint authentication – remember it is one of the simplest Information security concepts doing its hard work…. 🙂

We saw the concept of ‘physical security’ in this post. Join me as I uncover more Information security concepts in future posts….

Bibliography

Thakkar, D. (n.d.). Best Practices in Physical Security Management: Safeguard your Organization against Threats. Retrieved from Bayometric.com: https://www.bayometric.com/best-practices-physical-security-management/

By Jayanthi

Tracking


As our dependence on electronic devices increases, from ordering food to paying bills, hailing cab services and using online maps to travel to different destinations, unseen eyes are also following us everywhere, tracking our every move.

We all know of GPS tracking when hailing a cab, but did you know that you are being tracked at all times? By having your smartphone with you at all times, with ‘Location’ turned ‘on’, your every move is being tracked. Some might not worry about this constant tracking by strangers, but I do think that it is necessary to know all the possibilities that are present before forming our own conclusions about them.

It is quite possible that you use ‘Google maps’ to take you to different places and that you are signed in on multiple devices using the same ‘gmail’ account. While it looks perfectly harmless and seems that your life is being simplified in every way in this electronic era – the reverse is unfortunately true.

How you are being tracked:

As an example, sign into your Google account and click on ‘Maps’ in the right-hand corner. Once inside Google Maps, click on the menu and pick ‘Your timeline’. Now you can see all the places you have visited in the last couple of years! You can also see the time of the visit, the duration of the visit, and the latitude and longitude of the places that you visited! In addition, all these details remain visible for a prolonged period of time!

You might have visited 100 places over a period of 5 years and chances are all of them might be listed right there on the screen! You may have forgotten where you went in October of 2017, but your device and ‘Location history’ does not forget!

So, what can be done?

If you would like to delete all of your location data and prevent your location from being saved in the future, follow the steps below:

  1. After clicking on ‘Timeline’, click ‘Manage Location History’ and disable ‘Location History’ under ‘Activity controls’. This makes sure that future Location tracking is disabled.
  2. In order to delete previous ‘Locations’, go to ‘Timeline’ and, under the settings tab, click on ‘Delete all Location history’

(Screenshot: Disabling Location history)

Once this is completed, your Location history will be visible neither to you nor to anybody else (at least for some time!). In today’s age, with so much information and power in our hands, it is up to us to do our homework and control the data that is exposed to the outside world by disabling the various settings.

By Jayanthi

Access control


It is a reality that the cyber security landscape is changing rapidly every day. New threats emerge constantly and what was true 5 years ago might not be true today. In this reality, it is important to re-skill ourselves constantly.

Living in a hyper-connected world, we are constantly signing into systems to access different types of information. Unauthorized individuals should never be able to access our resources. How can this be done? By the very basic and fundamental concept in Information security – ‘access control’.

What is Access control and what are the different types?

Access control ensures that only authorized individuals can access appropriate resources. Physical access control ensures that physical resources like specific rooms and buildings are accessed only by appropriate people. Logical access control ensures that resources like networks and files are accessed only by appropriate people.

We observe the principles of ‘access control’ all around us without realizing it. When we share a post on a social media platform, we set the permission to ‘public’, ‘private’ or ‘Friends’ as the case may be. This makes sure that the post is visible only to the necessary people and not to all.

The simple example of checking email can also be mentioned here. The correct combination of username and password authenticates the user to access his resources (email, in this case).

The different stages of access control are:

  1. Identification
  2. Authentication
  3. Authorization
  4. Accountability

‘Identification’ is done by providing the user with a unique ID number, username or account number. ‘Authentication’ is done by providing the password or personal identification number. The correct combination of username and password reiterates the fact that the user is in fact “who he claims to be”. Once the user has been authenticated, the user next has to be authorized to access the resource. The ‘access control matrix’ is checked to make sure that the user is the “person” authorized to access the requested resource. This is “authorization”. Finally, the user is “accountable” for all the actions taken. To ensure accountability, the user’s login information and subsequent actions are recorded.

Now that we have seen what is meant by ‘access control’, let us look at the different access control models. There are three main types of access control models: discretionary access control, mandatory access control and role-based access control. Every organization has different business objectives. The type of access control to be implemented depends entirely on those objectives as well as on the culture of the organization.

Discretionary access control:

Before we discuss the different access control models, let us see what is meant by a “subject” and an “object”. The “subject” is the one making the request for the resource and the “object” is the resource itself. In the discretionary access control (DAC) model, whoever creates the information is its “owner”. The “owner” decides who can access which data. Recall that this is authorization. This is normally implemented by “access control lists” or ACLs. ACLs are specified by the system administrator and enforced by the operating system. The majority of operating systems, such as Windows, Linux and Macintosh systems, are DAC based.

Mandatory Access Control:

Mandatory access control (MAC) is much more structured and organized than DAC. In this type of access control, the operating system has the final say on who can access which resource. Users have security clearances (secret, top secret, confidential) and data is classified in a similar way. The clearance and classification are stored as ‘security labels’. When a user requests a resource, the decision depends on the clearance of the individual, the classification of the data and the security policy of the system. This is enforced by the security officer and implemented by the operating system. This type of access control is used where security is of utmost importance. Normal DAC systems will not be suitable when the need is to classify data requiring special security clearance. We need MAC systems with special operating systems to enforce the rules.

Role based Access Control:

Role-based access control or RBAC is also known as ‘non-discretionary access control’. In role-based access control, access to a particular resource is governed by the “role” an employee is mapped to. This type of access control is tougher to configure, as the organizational policies have to be translated into roles. For example, an employee in “HR” does not need access to resources in “payroll”. RBAC is easy to configure when employee turnover is high. When “Sam” from “Finance” leaves the organization and “Wendy” joins, “Wendy” is simply mapped to “Finance” and takes on the same roles and responsibilities as the previous employee. There is no additional configuration needed here.
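To make the four stages and the three models concrete, here is an added Python example (not from the original post or from any real operating system) that models a small reference monitor: identification and authentication against a salted password hash, a DAC access control matrix that only the owner can extend, an RBAC role mapping that survives the Sam/Wendy handover, a simplified MAC check (the subject’s clearance must dominate the object’s classification), and an audit log for accountability. The class, the level ordering, and the users, passwords and objects are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed ordering of clearance / classification levels for the MAC check.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class AccessControlSystem:
    """Toy reference monitor combining the four stages with DAC, RBAC and MAC."""

    def __init__(self):
        self.credentials = {}   # username -> (salt, password hash): identification + authentication
        self.clearance = {}     # username -> clearance level (MAC security label of the subject)
        self.roles = {}         # username -> set of roles (RBAC)
        self.matrix = {}        # object -> {subject or role -> set of permissions} (DAC matrix)
        self.labels = {}        # object -> classification (MAC security label of the object)
        self.audit_log = []     # accountability: every login and access decision

    # --- identification and authentication -----------------------------------
    def add_user(self, username, password, clearance, roles=()):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.credentials[username] = (salt, digest)   # the password itself is never stored
        self.clearance[username] = clearance
        self.roles[username] = set(roles)

    def authenticate(self, username, password):
        """Identification is the username; authentication is proving the password."""
        record = self.credentials.get(username)
        if record is None:
            ok = False                                  # unknown identity
        else:
            salt, digest = record
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
            ok = hmac.compare_digest(candidate, digest)
        self.audit_log.append(("login", username, ok))
        return ok

    # --- DAC: the owner of an object decides who may access it --------------
    def create_object(self, name, owner, classification):
        self.labels[name] = classification
        self.matrix[name] = {owner: {"read", "write", "grant"}}

    def grant(self, granter, obj, grantee, permissions):
        """Only a subject holding 'grant' (the owner) may extend the ACL.
        The grantee may be a username or a role name."""
        if "grant" not in self.matrix.get(obj, {}).get(granter, set()):
            self.audit_log.append(("grant", granter, obj, grantee, False))
            raise PermissionError(f"{granter} is not an owner of {obj}")
        self.matrix[obj].setdefault(grantee, set()).update(permissions)
        self.audit_log.append(("grant", granter, obj, grantee, True))

    # --- RBAC: people move in and out of roles, the ACL entries stay put -----
    def assign_role(self, username, role):
        self.roles.setdefault(username, set()).add(role)

    def remove_user(self, username):
        """Offboarding: the role keeps its ACL entries, the person loses everything."""
        for table in (self.credentials, self.clearance, self.roles):
            table.pop(username, None)

    # --- authorization: DAC/RBAC matrix lookup plus MAC label comparison -----
    def authorize(self, username, obj, permission):
        if username not in self.credentials or obj not in self.matrix:
            self.audit_log.append(("access", username, obj, permission, False))
            return False
        principals = {username} | self.roles.get(username, set())
        entries = self.matrix[obj]
        dac_ok = any(permission in entries.get(p, set()) for p in principals)
        # MAC (simplified): the subject's clearance must be at least the object's classification.
        mac_ok = LEVELS[self.clearance[username]] >= LEVELS[self.labels[obj]]
        allowed = dac_ok and mac_ok
        self.audit_log.append(("access", username, obj, permission, allowed))
        return allowed


def demo():
    """Walk through the post's scenarios with constructed users and objects."""
    acs = AccessControlSystem()
    acs.add_user("sam", "s3cret-sam", "confidential", roles={"finance"})
    acs.add_user("owen", "owner-pw", "secret")
    acs.create_object("ledger.xlsx", owner="owen", classification="confidential")
    acs.grant("owen", "ledger.xlsx", "finance", {"read"})          # DAC grant to a role
    results = {
        "sam_login": acs.authenticate("sam", "s3cret-sam"),
        "sam_reads_ledger": acs.authorize("sam", "ledger.xlsx", "read"),
        "sam_writes_ledger": acs.authorize("sam", "ledger.xlsx", "write"),
    }
    # Sam leaves, Wendy joins Finance: no ACL change needed, the role carries the access.
    acs.remove_user("sam")
    acs.add_user("wendy", "wendy-pw", "confidential", roles={"finance"})
    results["sam_after_leaving"] = acs.authorize("sam", "ledger.xlsx", "read")
    results["wendy_reads_ledger"] = acs.authorize("wendy", "ledger.xlsx", "read")
    # MAC: reclassify the ledger upward; Wendy's clearance no longer dominates it.
    acs.labels["ledger.xlsx"] = "secret"
    results["wendy_reads_secret"] = acs.authorize("wendy", "ledger.xlsx", "read")
    results["audit_entries"] = len(acs.audit_log)
    return results
```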

Access control underlies many other topics in Information security, and the RBAC model forms the basis of many identity management solutions.

We saw a very small portion of a fundamental concept in Information security. Join me as I uncover more!

By Jayanthi

Single sign on

Reading Time: 2 minutes

In the wake of the Facebook data breach last week, which reportedly compromised 50 million accounts and the personal data they hold, it is imperative to look at yet another aspect of ‘Information security’: ‘Single sign on’.

What is ‘Single sign on’?

Remember the time you discovered a new website or app? You had to register to get into the site, and alongside a lengthy sign-up form you were presented with these options:

                ‘Continue with Google’

                 ‘Continue with Facebook’

In a hurry to find out what the new craze was, you just signed in with your Facebook or Google account instead of going through the whole sign-up rigmarole. This is ‘Single sign on’ (more precisely, federated login): Facebook or Google acts as the identity provider, and by signing in there once you can access many other apps and sites that trust it to vouch for you.


What is the downside of ‘Single sign on’?

It seems such an easy thing to do: sign in with one account and access many other sites with ease. So what exactly is the problem? Every app that offers ‘Continue with Facebook’ trusts Facebook's word that you are who you say you are. If you have signed into multiple apps this way and the main ‘sign on’ site gets hacked, whoever controls your account there (or the login tokens it issued) can sign into every one of those apps as you, so it is quite possible that their data is breached too.

In essence, a single compromised sign-on account exposes the data of every app linked to it to the hackers!
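The following is an added example written for this page (not code from the original post, nor from Facebook or Google) that models the trust relationship just described. One identity provider signs a token after the user logs in, and each app that trusts the provider accepts the token instead of checking a password of its own. Real providers use OpenID Connect with asymmetric RS256 signatures; this stand-alone version signs with HMAC and a shared key so that it runs with the Python standard library alone. The issuer URL, the app names, the user names and the key are made-up sample values.

```python
"""Added example (not from the original post): a toy model of the trust
behind 'Continue with Google/Facebook'. One identity provider (IdP) signs a
token once the user logs in; every app that trusts the IdP accepts that token
in place of its own password check. Real providers use OpenID Connect with
asymmetric (RS256) signatures; this stand-alone version signs with HMAC and a
shared key so it runs with the standard library only. The issuer URL, app
names, user names and key are made-up sample values."""
import base64, hashlib, hmac, json, time

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class IdentityProvider:
    """The 'main sign on site'. It holds the user's password and the signing key."""
    def __init__(self, issuer, key):
        self.issuer, self.key = issuer, key

    def issue_token(self, user, audience, ttl=300, now=None):
        now = int(time.time()) if now is None else now
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        claims = {"iss": self.issuer, "sub": user, "aud": audience, "exp": now + ttl}
        payload = _b64(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(sig)}"

class RelyingParty:
    """An app that delegates login to the IdP. It never sees the password; it
    checks only that the token was signed by the IdP it trusts, was issued
    for *this* app, and has not expired."""
    def __init__(self, name, trusted_issuer, idp_key):
        self.name, self.trusted_issuer, self.idp_key = name, trusted_issuer, idp_key

    def verify(self, token, now=None):
        """Return the user name the token vouches for, or None if it is rejected."""
        now = int(time.time()) if now is None else now
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self.idp_key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None                        # not signed by the IdP, or tampered with
        claims = json.loads(_unb64(payload))
        if claims.get("iss") != self.trusted_issuer:
            return None
        if claims.get("aud") != self.name:
            return None                        # issued for a different app
        if claims.get("exp", 0) <= now:
            return None                        # expired
        return claims["sub"]

def demo():
    now = 1_700_000_000                        # fixed clock so the run is repeatable
    idp = IdentityProvider("https://idp.example", b"constructed-demo-key")
    photo_app = RelyingParty("photo-app", "https://idp.example", idp.key)
    shop_app = RelyingParty("shop-app", "https://idp.example", idp.key)
    r = {}
    tok = idp.issue_token("alice", "photo-app", now=now)
    r["photo_accepts"] = photo_app.verify(tok, now=now)                # "alice"
    r["shop_rejects_wrong_aud"] = shop_app.verify(tok, now=now)        # None
    # Whoever controls alice's IdP account can obtain a token for any linked app:
    stolen = idp.issue_token("alice", "shop-app", now=now)
    r["shop_accepts_stolen"] = shop_app.verify(stolen, now=now)        # "alice"
    r["photo_rejects_expired"] = photo_app.verify(tok, now=now + 301)  # None
    # Rewriting the claims without the key breaks the signature:
    h, _, s = tok.split(".")
    forged_claims = {"iss": "https://idp.example", "sub": "admin", "aud": "photo-app", "exp": now + 300}
    forged = f"{h}.{_b64(json.dumps(forged_claims).encode())}.{s}"
    r["photo_rejects_forged"] = photo_app.verify(forged, now=now)      # None
    # If the IdP invalidates everything it issued before a breach (modelled here
    # by rotating the signing key), every old token is refused at once:
    photo_app.idp_key = b"new-key-after-breach"
    r["photo_rejects_after_rotation"] = photo_app.verify(tok, now=now)  # None
    return r

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The demo shows both sides of the trade-off: an app cannot tell a legitimate token from one minted by whoever has taken over the user's provider account, which is the risk the post describes, while the audience check, the short expiry and the provider's ability to invalidate outstanding tokens are what limit the blast radius once a breach is known.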

How do we ensure the safety of our data in the wake of the breach?

Since nothing in this world is simple and easy, single sign on comes with its own troubles. In the case of the Facebook data breach, you should have received a notification from Facebook if your account was among those affected. Whether or not you did, it is good practice to:

  1. Check ‘Settings’ in Facebook for the devices and locations you are logged in from. Log out of all of them and log in again with a new password; this also ends any session an attacker may be holding.
  2. Log in to each site/app with a separate login and password henceforth, and give your memory a good workout! 🙂 (Seriously though, a password manager is worth considering, since it is difficult to remember multiple logins and passwords.)
  3. Turn on two factor authentication, above all on the Facebook or Google account that the other apps trust, so that a stolen password alone is not enough to get in.

These security tips will hold good for some time before the next breach occurs!

By Jayanthi

‘Minimum online presence’

Reading Time: 2 minutes

No sooner had I written about maintaining a ‘minimum online presence’ in my Hacking post than I received several comments on it (either ‘it is not possible’ or ‘how do we do that?’). While it is next to impossible to grow a business or forge business relationships without a good social media presence, it is also imperative to reveal only what is needed. In this post I will explain what I meant by ‘minimum online presence’:

  • It is unnecessary to reveal location information all the time. It is exciting to tell our social media world the smallest details of our current location and life, but that is useful information for a hacker or anybody with malicious intent. Revealing it occasionally is fine, but we do not have to feed the social media giants with our data all the time! Give ‘Location’ access only to the apps that really need it, such as food delivery apps and Uber/Ola booking services.
  • Posting children's pictures is also unnecessary. Children's pictures can be stolen and used for malicious purposes; you don't want strangers leering at your child's picture, do you? Posting once in a while will not do any major harm, but it should be the exception.
  • Never divulge bank account numbers, passwords, phone numbers, credit card numbers or other personal numbers in public conversations, and share them privately only over an encrypted channel. Why? Because once that information reaches a hacker, your bank balance can be emptied!
  • Change your profile picture on the different social media platforms occasionally rather than frequently.
  • Never go overboard with excessive personal information (whether pictures, conversations or any other data). Balance is always the key!

Going into the online world is just like going to work: we do not reveal everything about ourselves to everyone at our workplace, so we should not reveal everything about ourselves in the online world either. It is good for your business to thrive, but not at the cost of your kids' or your own safety or your financial information.

Any other information that has to be shared, share in person, over a call or by private message. It builds good business and personal relationships too! 🙂

This is my eighth post for #MyFriendAlexa by @Blogchatter