The month of April has arrived and #BlogchatterA2Z has begun!! I will be participating again this year and hope to write and write about my favorite topic – Information security and will squeeze some famous proverbs too! Shower my blog with love as I sail through April!! Let’s begin….
‘We all have a life outside Facebook, WhatsApp, and Twitter – but we have forgotten the password for it!’ 🙂 goes a popular security quote, and it shows how much our lives now depend on passwords and authentication.
We live in a world where we are authenticating ourselves all the time! You enter a ‘username’ and ‘password’ and boom! you are inside a particular website. So, what is authentication exactly? ‘Authentication’ is proving to a system that you are who you claim to be, so that it can grant you the appropriate resources. The most popular way to authenticate yourself is the classic ‘username and password’ combination. As an example, to access any social media site you enter your ‘username’ and ‘password’. The site looks up the username in its user database and compares the submitted password with the stored one (a well-built system stores only a salted hash of the password and compares hashes, never the plain text); once they match, the user is allowed to access the resources. This is a simplified picture of authentication.
Three factors that influence ‘authentication’:
There are three factors that ‘authentication’ is based on – something you know (a password or PIN), something you have (a smartphone with an authenticator app, a hardware token or a smart card) and something you are (biometrics).
Strong, or multi-factor, authentication combines two different factors. Note that the classic username and password combination on its own is single-factor: both are things you know, and the laptop or phone you type them on does not count as a possession factor unless the system actually verifies that device, for example through a one-time code from an authenticator app or a hardware key.
Since the classic username and password combination is fraught with difficulties (passwords get guessed, reused, phished and leaked), a user can also be authenticated using ‘biometrics’. ‘Biometrics’ uses the physical features of a person (fingerprint, face, iris or retina) to perform authentication.
But it must be noted that ‘biometrics’ are best not used alone to validate a user – a fingerprint or face can be copied and, unlike a password, can never be changed once compromised – so they should be coupled with another factor of authentication.
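To make the two factors concrete, here is an added example (not code from the original post) of a login check that combines ‘something you know’ with ‘something you have’: the password is verified against a salted PBKDF2 hash, and a six-digit code is verified against an RFC 6238 TOTP secret shared with the user’s authenticator app. The in-memory user store, the user names and the secret value are constructed for illustration; the secret is the RFC 6238 test-vector key so the generated codes can be checked against the published vectors.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed in-memory "database" for the example: username -> credential record.
USERS = {}

PBKDF2_ITERATIONS = 600_000  # slow hash so a stolen database is expensive to crack


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 of the password; the raw password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(db, username, password, totp_secret):
    """Enrol a user: fresh random salt, password hash, and the TOTP secret that also
    lives in the user's authenticator app (the 'something you have')."""
    salt = os.urandom(16)
    db[username] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "totp_secret": totp_secret,
    }


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1, 30-second steps), as used by common authenticator apps."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(db, username, password, code, now=None):
    """Two-factor check: something you know (password) and something you have (TOTP device)."""
    now = int(time.time()) if now is None else now
    record = db.get(username)
    # Do the same amount of hashing whether or not the username exists, so the
    # response time does not reveal which usernames are valid.
    salt = record["salt"] if record else bytes(16)
    expected = record["hash"] if record else hash_password("", salt)
    password_ok = hmac.compare_digest(hash_password(password, salt), expected)
    if record is None or not code.isdigit():
        return False
    # Accept the current 30-second window and one on either side to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(totp(record["totp_secret"], now + 30 * drift), code)
        for drift in (-1, 0, 1)
    )
    return password_ok and code_ok


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test-vector key, constructed for the demo
    register(USERS, "alice", "correct horse battery staple", secret)
    current_code = totp(secret, int(time.time()))
    print(authenticate(USERS, "alice", "correct horse battery staple", current_code))
```

The password check alone would pass for anyone who phished or leaked the password; the TOTP check fails for them because the secret never leaves the server and the user’s device.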
We saw the concept of ‘authentication’ in this post…stay tuned for alphabet ‘B’ tomorrow…
Network and system security means protecting your systems from different kinds of attacks by unauthorized users. With the growth of the Internet and the World Wide Web, it is a field that is gaining a lot of importance. In this post, we will discuss various threats to network security and how to protect our systems from them.
A worm is a self-replicating program that spreads copies of itself to other systems over the network without any action from the user; quite apart from what the copies do, the replication itself can consume disk space, memory and bandwidth until the system or network grinds to a halt.
Trojan horses are harmless-looking applications, such as a text editor or a game, which actually perform malicious functions without your knowledge (for example, deleting or modifying files, or opening a backdoor for the attacker).
Spyware is software which may get installed on your PC without your consent, tracks your activity and reports this information to people who are willing to pay for it. Spyware mostly finds its way onto a PC by being bundled with another download, or from a malicious or compromised web page you visit.
Adware is software that causes your computer to display unwanted pop-up ads. It reduces the performance of your computer and is similar to spyware, with the difference that it may be installed with your consent, buried in the terms of a bundled installer. So it is important to read the terms and conditions (and untick the ‘extras’) before you install any software on your PC.
Spam is unsolicited e-mail sent in bulk, whether by a known or unknown sender. Spam wastes bandwidth, storage and time, and is a common carrier for phishing links and malware attachments.
Social engineering attacks rely on tricking users (for example, a phone call or e-mail pretending to be from the help desk and asking for a password) rather than on sophisticated technology.
In a denial-of-service attack, legitimate users are prevented from using the resources, information or capabilities of the system. This attack generally does not allow the attacker to access or modify data. For example, an attacker may flood the targeted system with a barrage of requests until it can no longer serve real ones.
Cookies are small pieces of information sent by a web server to a web browser, which the browser sends back on later requests, so that the server can recognize the user across pages and visits. They let sites keep you logged in and customize pages for returning visitors. As they are merely text, they cannot run code on your system. However, anything a site chooses to store in a cookie, including personal details or a session token that stands in for your logged-in account, will be sent by your browser on every request to that site. If someone steals your cookies (by sniffing an unencrypted connection, through a cross-site scripting flaw in the site, or with malware on your PC), they can impersonate you on that site without ever knowing your password. This is how cookies become a security concern; sites should keep personal data on the server side and mark cookies Secure and HttpOnly, and users can clear cookies or block third-party ones in the browser.
Having discussed various threats to network and system security, the question arises as to how we deal with them. There are different methods for different kinds of attacks, some of which are listed below:
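As an added example (not code from the original post) of the cookie advice above, here is how a server can issue a session cookie that carries only an opaque, HMAC-signed identifier, with the personal data kept in a server-side store, and reject any cookie that has been altered. The session store, the signing key and the user record are constructed for the example; a real deployment would keep the key outside the source and the sessions in a shared store.

```python
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie

# Constructed for the example: a per-process signing key and a server-side session store.
SERVER_KEY = os.urandom(32)
SESSIONS = {}  # opaque session id -> user data (never sent to the browser)


def sign(value):
    """HMAC tag over the session id so a forged or edited cookie is detected."""
    return hmac.new(SERVER_KEY, value.encode("ascii"), hashlib.sha256).hexdigest()


def create_session_cookie(user_data):
    """Store the user's data server-side and return a hardened Set-Cookie value."""
    session_id = secrets.token_urlsafe(32)  # unguessable; personal data stays in SESSIONS
    SESSIONS[session_id] = user_data
    cookie = SimpleCookie()
    cookie["session"] = f"{session_id}.{sign(session_id)}"
    morsel = cookie["session"]
    morsel["httponly"] = True    # script on the page cannot read it (limits XSS theft)
    morsel["secure"] = True      # only ever sent over HTTPS (limits sniffing)
    morsel["samesite"] = "Lax"   # not sent on cross-site POSTs (limits CSRF)
    morsel["path"] = "/"
    morsel["max-age"] = 3600     # short lifetime bounds the damage of a stolen cookie
    return morsel.OutputString()


def load_session(cookie_header):
    """Parse an incoming Cookie header; return the user data, or None if the cookie
    is missing, malformed, tampered with or unknown."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "session" not in cookie:
        return None
    session_id, _, tag = cookie["session"].value.rpartition(".")
    if not session_id or not tag.isalnum():
        return None
    if not hmac.compare_digest(sign(session_id), tag):
        return None
    return SESSIONS.get(session_id)


if __name__ == "__main__":
    header_value = create_session_cookie({"user": "alice", "email": "alice@example.com"})
    print("Set-Cookie:", header_value)
    sent_back = header_value.split(";")[0]  # what the browser returns on the next request
    print("Loaded:", load_session(sent_back))
```

The browser now holds nothing but a random token: an attacker who reads the cookie learns no personal details, and one who edits it is rejected before any store lookup.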
Solutions to Viruses, Adware, Spyware
Solutions to Spam
1. Protect your system by asking the user for a valid user ID (identification) and a valid password (authentication), and then checking what that user is permitted to do (authorization). Keep passwords strong so that they cannot be easily guessed.
2. Install a firewall on your system. A firewall is a system (hardware or software) that filters traffic entering or leaving a private network according to a set of rules, blocking what is not explicitly allowed.
We saw a few ways in which a system may be compromised, actively or passively, and ways to counter them. Join me as I uncover more topics in yet another post on Information security!
Do blogging/writing and blockchain have anything in common? Yes – with ‘Steemit’. What is ‘Steemit’? It is a blockchain-based blogging platform. Imagine writing a blog post and it being stored on a blockchain, namely the ‘Steem’ blockchain… so, next, what is a ‘blockchain’? To refresh, a ‘blockchain’ is a distributed ledger of information with no central authority (it is decentralized). The most popular application of blockchain is, of course, ‘Bitcoin’.
We have all heard about ‘blockchain’ being used in the mortgage industry and the car auction industry – but for blogging and writing content? Yes, it is true – bloggers can write content which will be posted on the ‘Steem’ blockchain and they ‘may’ even get paid for it. The ‘Steem’ blockchain is used for other decentralized applications as well, like DTube (a decentralized video platform) and eSteem (a Steem-based mobile app).
‘Steemit’ is a ‘Dapp’ or ‘decentralized application’ which was started in 2016. One can upvote, downvote and comment on others’ posts (similar to other communities, but with a difference: you get paid for it and it is on a blockchain).
Depending on the number of upvotes you get, you are paid in the form of digital tokens called ‘STEEM’. Every day, new STEEM tokens are created on the ‘Steem’ blockchain and distributed as rewards to different users.
Other points about ‘Steemit’:
Can ‘Steem’ be converted?
Yes, ‘Steem’ tokens can be converted to Bitcoin or other cryptocurrencies on an exchange, and from there to your country’s currency and withdrawn to your bank account.
We saw the concept of ‘writing and blockchain’ merging in this post by means of the ‘Steemit’ blockchain…join me as I uncover most interesting topics…
Disclaimer: This article is to be used for informational purposes only. With cryptocurrencies being banned in many countries including India – it is up to the user to research and make decisions on the same.
Yes, my self hosted blog turns 2!! 🙂 How has the journey been? (And, if you are wondering what is meant by “self-hosted”, just scroll down…)
Have there been only ups or only downs? Read more to know what I learnt or not…. 🙂 It has been exciting and interesting journey and I wouldn’t trade it for anything in this world! It is almost like starting your business but at maybe 1% of the effort or size.
Graduating from writing technical blogs and creating e-learning videos for different organizations to doing it for my own website has been fun! During my technical writing stint for different organizations, I wrote blogs or created the e-learning videos and each organization took care of the part that I was least interested in (digital marketing – ‘ugh!’).
Creating my self-hosted blog:
What is meant by a “self-hosted” blog? In simple terms, I have a blog with its own domain name, without the “wordpress.com” or “blogspot.com” tag (so now it is “blogtech.online”), which I have to pay for and can monetize as well. Even though I already had another free blog, ‘jayanthiweb.wordpress.com’, my self-hosted ‘blogtech.online’ was my own space on the Internet.
Before, the blog went “live” I had a million questions. How would it work? What should I do first? What should I do next? Who was the best hosting provider? There were another gazillion questions in my head….and if you know me, you know I could ask a lot of questions to get my project started! 🙂 Special thanks to two people who helped me find all the answers and made my blog go “live”! 🙂
After all my questions were answered, I became the proud owner of a blog with a nice name that I thought reflected my blog’s writings at that time. I knew I would write about ‘Information security’. But I knew Information security alone could not sustain my blog – which is why I made it a ‘Technical blog sprinkled with personal thoughts” 🙂 I also had other interests like programming in Java,C and I knew my interests would meander even more with concepts like ‘Blockchain’ rocking the technical space…so the name ‘blogtech.online‘ stuck and it is 2 years since the day! 🙂
I knew that all blogs need varied content from different styles of writing. I did get a few writers to write for me and, once in a while, my husband and my son stepped in to fill the writing shoes! 🙂
Me and ‘digital marketing’ – a rough journey! 🙂
After starting my self-hosted blog, I realized I needed to do everything now. Free blogs are relatively easy – we just write and publish it to the community and you have tons of traffic. But my self-hosted blog was different… I was swimming on my own now.
I have had to go and do a “not-so-deep dive” into digital marketing. I have learnt a bit of ‘digital marketing’ from my technical blog’s perspective. What was a “theme”? What were the “plugins”? What were “organic traffic” and “bounce rate”? And analyzing Google Analytics was fun too!! 🙂 I learnt a little bit of the “digital marketing ocean” all by experience… they say “experience is the best teacher” – it is the “very” best teacher, I would say!
I cannot say I am a digital marketing nerd or anything remotely close to that, but it is good to learn it if you are anywhere in the Internet and want to be seen and heard! 🙂
For a self-hosted blog to survive, it is definitely necessary to be part of blogging communities. Thanks to blogging communities like Indiblogger, Blogchatter and BlogAdda, I have made great online friends whom I have learnt a lot from. Thanks also to Twitter and all my Twitter friends, without whom my blog would not be growing steadily today!
So, what is the final report card?
I cannot say I have hit off the charts in Google search results, but my Alexa rank has finally dropped below the million mark! That itself seems quite an achievement… Interestingly, my Blockchain posts garnered more interest and attention than I thought! 🙂 (which is always good)
In the 2 years, I have blogged about Steganography, access control, physical security, the CIA triad, top-down approach to security, NIST publications, ransomware, single sign-on, deep web, dark web, zero-day vulnerability and more on the technical side…
To conclude, here are some of my best technical posts:
My personal posts bordered a lot on my India-US-India journey and I published an e-book on that too! In addition, parenting is a funny affair when we have grown kids and all those jokes go right into the blog! 🙂 Here are my best posts in that category:
When I began writing 6 1/2 years ago, I did not know I would have so much to say! 🙂 But I did and I still do… Thanks for reading and continuing to support my blog!
Keep reading, keep commenting and warm wishes for an awesome 2019!
‘Physical security’ is an often overlooked aspect of security. It is often ‘taken for granted’ and many organizations do not take it seriously. Danny Thakkar from Bayometric.com defines physical security as “… a set of security measures taken to ensure that only authorized personnel have access to equipment, resources and other assets in a facility, these measures are laid out for” (Thakkar)
“Physical security” is ensuring that data centers, servers, printers, workstations and all other devices are protected from both man-made and natural threats. How do we achieve this? By erecting defenses in the path of thieves, intruders and anybody else who wants to get in. These physical defenses are “physical security”. While absolute security can never be achieved, we can plug the holes in our defenses and keep critical resources safe from external and internal threats. In this article, we will look at the broad steps needed to seal these vulnerabilities and ensure ‘physical security’.
How do we establish physical security?
Physical security is established by enforcing appropriate access control (who may enter which area), surveillance (CCTV, guards, entry logs) and regular testing of those controls. Physical security should have multiple layers (perimeter, building, room, rack) so that a single bypassed control does not compromise critical resources. How do we implement physical security? A few points are listed below:
These are some steps to thwart direct physical attacks.
So, the next time you see CCTV cameras, security badges and fingerprint authentication – remember it is one of the simplest Information security concepts doing its hard work…. 🙂
We saw the concept of ‘physical security’ in this post. Join me as I uncover more Information security concepts in future posts….
Thakkar, D. (n.d.). Best Practices in Physical Security Management: Safeguard your Organization against Threats. Retrieved from Bayometric.com: https://www.bayometric.com/best-practices-physical-security-management/
As our dependence on electronic devices increases, from ordering food to paying bills, hailing cabs and using online maps to travel to different destinations, unseen eyes are also following us everywhere, tracking our every move.
We all know of GPS tracking when hailing a cab, but did you know that you are being tracked at all times? By having your smartphone with you at all times, with ‘Location’ turned ‘on’, every move is recorded by the service provider, and is available to anyone who gains access to that account. Some might not worry about this constant tracking, but I do think it is necessary to know all the possibilities before forming our own conclusions about them.
It is quite possible that you use ‘Google Maps’ to take you to different places and that you are signed in on multiple devices with the same ‘gmail’ account. While this looks perfectly harmless and seems to simplify life in every way in this electronic era, it also means a very detailed record of your movements is being kept.
How you are being tracked:
As an example, sign in to your Google account and click on ‘Maps’ in the right-hand corner. Once inside Google Maps, click on the menu and pick ‘Your timeline’. Now you can see all the places you have visited in the last couple of years! You can also see the time of the visit, its duration, and the latitude and longitude of each place you visited. In addition, all these details are retained for a long time.
You might have visited 100 places over a period of 5 years and chances are all of them are listed right there on the screen! You may have forgotten where you went in October of 2017, but your device and ‘Location History’ do not forget!
So, what can be done?
If you would like to delete all of your location data and prevent your location from being saved in the future, follow the steps below:
Once this is completed, your Location History will be visible neither to you nor to anybody else (at least for some time!). Note that pausing Location History does not by itself stop every Google service from recording where you are: other account activity settings can still store location alongside searches and app use, so review those as well. In today’s age, with so much information and power in our hands, it is up to us to do the homework and control the data that is exposed to the outside world by disabling the various settings.
Here’s to a “track free” world… 🙂
It is a reality that the cyber security landscape is rapidly changing every day. New threats emerge constantly and what was true 5 years ago might not be true today. In this reality, it is important to re-skill ourselves constantly.
Living in a hyper-connected world, we are constantly signing into systems to access different types of information. Unauthorized individuals should never be able to access our resources. How can this be done? By the very basic and fundamental concept in Information security – ‘access control’.
What is Access control and what are the different types?
Access control ensures that only authorized individuals can access the appropriate resources. Physical access control ensures that physical resources like specific rooms and buildings are accessed only by the appropriate people. Logical access control ensures that resources like networks and files are accessed only by the appropriate people.
We observe the principles of ‘access control’ all around us without noticing. When we share a post on a social media platform, we set its visibility to ‘public’, ‘private’ or ‘Friends’ as the case may be. This makes sure that the post is visible only to the intended people and not to everyone.
The simple example of checking e-mail can also be mentioned here. The correct combination of username and password authenticates the user, who is then allowed to access his resources (the mailbox, in this case).
The different stages of access control are:
‘Identification’ is the user presenting a claimed identity: a username, unique ID number or account number. ‘Authentication’ is proving that claim, by providing the password or personal identification number that goes with it. The correct combination of username and password confirms that the user is in fact “who he claims to be”. Once the user has been authenticated, the user next has to be authorized to access the resource: the ‘access control matrix’ (or the object’s access control list) is checked to make sure that this user is permitted to perform the requested operation on the requested resource. This is “authorization”. Finally, the user is “accountable” for all the actions taken. To ensure accountability, the user’s login and subsequent actions are logged.
Now that we have seen what is meant by ‘access control’, let us look at the different access control models. There are three main types of access control model: discretionary access control, mandatory access control and role-based access control. Every organization has different business objectives, and the type of access control to be implemented depends on those objectives as well as the culture of the organization.
Discretionary access control:
Before we discuss the different access controls, we see what is meant by a “subject” and an “object”. The “subject” is the one making the request for the resource and the “object” is the resource itself. In the discretionary access control (DAC) model, whoever creates the information is its “owner”, and the owner decides, at their own discretion, who can access which data. Recall that this is authorization. It is normally implemented with “access control lists” or ACLs, attached to each object and maintained by the object’s owner (or an administrator), and enforced by the operating system. The majority of general-purpose operating systems, such as Windows, Linux and macOS, are DAC-based by default.
Mandatory Access Control:
‘Mandatory access control’ (MAC) is much more structured and rigid than DAC. In this type of access control, neither the owner nor the user decides: the system enforces a fixed policy. Users hold a security clearance (for example confidential, secret or top secret) and data is classified with the same levels. The clearance and the classification are stored as ‘security labels’. When a user requests a resource, the decision depends on the clearance of the individual, the classification of the data and the security policy of the system (in the classic model, a subject may not read data classified above its clearance). The policy is set by the security officer and implemented by the operating system. This type of access control is used where security is of utmost importance. Normal DAC systems are not suitable when data must be partitioned by clearance, because an owner could simply grant access to anyone; we need MAC-capable operating systems (SELinux on Linux is a widely deployed example) to enforce the rules.
Role based Access Control:
Role-based access control (RBAC) is also known as ‘non-discretionary access control’. In RBAC, access to a particular resource is governed by the “role” an employee is mapped to, and permissions are attached to roles rather than to individual users. This type of access control is harder to set up initially, as the organizational policies have to be translated into roles and permissions. For example, an employee in “HR” does not need access to resources in “payroll”, so the HR role simply does not carry payroll permissions. Once the roles exist, however, RBAC is easy to maintain when employee turnover is high. When “Sam” from “Finance” leaves the organization and “Wendy” joins, Sam is removed from the Finance role and Wendy is mapped to it, and she takes on the same access as the previous employee. No per-user configuration is needed.
Access control is the basis of many topics, and the RBAC model forms the basis of many identity management solutions.
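To make the three models side by side concrete, here is an added example (not code from the original post, and not any particular operating system’s implementation) of a minimal authorization check for each: a DAC object whose owner maintains its ACL, a MAC decision comparing clearance and classification labels under the classic “no read up, no write down” policy, and an RBAC mapping where the Sam/Wendy hand-over from the text is a single change of role membership. The objects, levels, roles, users and permissions are constructed for the example.

```python
from dataclasses import dataclass, field


# --- Discretionary access control: the owner of an object maintains its ACL ---

@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions

    def grant(self, by, subject, perm):
        """Only the owner may change the ACL; that discretion is what makes it DAC."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of this object")
        self.acl.setdefault(subject, set()).add(perm)

    def allowed(self, subject, perm):
        return subject == self.owner or perm in self.acl.get(subject, set())


# --- Mandatory access control: labels compared under a fixed system policy ---

# Constructed label ordering for the example.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allowed(clearance, classification, perm):
    """Bell-LaPadula style multilevel policy: no read up, no write down.
    Neither the subject nor the object's owner can override this decision."""
    subject_level = LEVELS[clearance]
    object_level = LEVELS[classification]
    if perm == "read":
        return subject_level >= object_level
    if perm == "write":
        return subject_level <= object_level
    return False


# --- Role-based access control: permissions attach to roles, users to roles ---

# Constructed roles for the example; note HR carries no payroll permission.
ROLE_PERMS = {
    "finance": {("ledger", "read"), ("ledger", "write")},
    "hr": {("personnel", "read"), ("personnel", "write")},
    "payroll": {("ledger", "read"), ("personnel", "read"), ("payslips", "write")},
}

USER_ROLES = {"sam": {"finance"}}


def rbac_allowed(user, resource, perm):
    return any((resource, perm) in ROLE_PERMS[role] for role in USER_ROLES.get(user, set()))


def offboard(user):
    """Leaving employee: drop all role memberships; no per-permission clean-up needed."""
    USER_ROLES.pop(user, None)


def onboard(user, *roles):
    """New employee: map to roles; the permissions come with them."""
    USER_ROLES[user] = set(roles)


if __name__ == "__main__":
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    print("DAC  bob read:", report.allowed("bob", "read"), "bob write:", report.allowed("bob", "write"))
    print("MAC  secret reads confidential:", mac_allowed("secret", "confidential", "read"))
    print("MAC  confidential reads secret:", mac_allowed("confidential", "secret", "read"))
    offboard("sam")
    onboard("wendy", "finance")
    print("RBAC wendy ledger write:", rbac_allowed("wendy", "ledger", "write"))
```

The contrast worth noticing is who gets to say yes: the owner in DAC, the system policy in MAC, and the role definition in RBAC, which is why the hand-over in the last model needs no edits to any resource.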
We saw a very small portion of a fundamental concept in Information security. Join me as I uncover more!
Harris, S. CISSP All-in-One Exam Guide. McGraw-Hill Education.
In the wake of the Facebook data breach that reportedly compromised around 50 million accounts last week, it is imperative to look at yet another aspect of ‘Information security’ – ‘Single sign-on’.
What is ‘Single sign on’?
Remember, the time when you discovered a new website or app ? You had to register to get into the site. You were presented with these options:
‘Continue with Google’
‘Continue with Facebook’
in addition to a lengthy sign-up process. In a hurry to see what the new craze was, you just signed in with your ‘Facebook’ or Google account instead of going through the whole sign-up rigmarole. This is ‘Single sign-on’ (social login is one common form of it): by signing in once with Facebook or Google, you can access many other apps and sites, each of which trusts that provider to vouch for who you are.
What is the downside of ‘Single sign on’?
It seems such an easy thing to do – sign in with one account and access so many other sites with ease. So, what exactly is the problem? If you have signed into multiple apps using Facebook or Google, then when the main ‘sign-on’ provider gets hacked, an attacker holding your stolen session or access token at the provider can use it to log in as you to every app that trusts that provider, and so the data in those apps is exposed too.
So, in essence, a single compromised account exposes the data in all the other apps linked to it.
How do we ensure the safety of our data in the wake of the breach?
Since there is nothing that is simple and easy in this world, single sign-on comes with its own troubles. In the case of the Facebook data breach, you would have received appropriate messages and notifications if your account was indeed affected. In addition, it is good to always:
These security tips will hold good for some time before the next breach occurs!
No sooner had I written about maintaining a ‘minimum online presence’ in my Hacking post than I had several comments relating to it (either ‘it is not possible’ or ‘how do we do that?’). While it is next to impossible to grow a business or forge business relationships without a good social media presence, it is also imperative to reveal only what is needed. In this post I will discuss what I meant by ‘minimum online presence’:
Going into the online world is just like going to work – if we would not reveal everything about ourselves to everyone at our workplace, we should not reveal everything about ourselves in the online world either! It is best for your business to thrive, but not at the cost of your kids’ or your own safety, or your financial information.
For any other information that has to be shared, visit the person, call them or send a private message. It builds good business/personal relationships too! 🙂
This is my eighth post for #MyFriendAlexa by @Blogchatter
The Information security world is a deep one and sometimes it is quite shocking to know the things that can be done. Did you know that ‘Black Widow’ is not just the name of a spider… but is an actual piece of software used for ‘reconnaissance’ too? (Of course, InfoSec professionals will know :))
‘Reconnaissance’ is the process of gathering freely available information about a target (here, a website) before an attack or an assessment. Vocabulary.com defines “reconnoitering” as “checking something out, but in a sneaky way!”
Once this information is obtained, a site owner can seal off the extra, unwanted information that is unintentionally leaking out (for example, passwords or employee details left in page comments, directory listings or exposed files that the reconnaissance tools turn up). One of the ways a site can be ripped is by employing website downloaders like ‘Black Widow’, Website Downloader and HTTrack.
Most of these tools let you download an entire website along with its directory structure, external links, broken links and any e-mail addresses found in the pages. The picture below shows a screenshot of the ‘Black Widow’ software…
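To show what these tools actually pull out of a page, here is an added example (not code from the original post, and not the Black Widow or HTTrack code) of the core of a site ripper’s harvesting step: it parses HTML, separates internal from external links, resolves relative paths, and collects e-mail addresses from `mailto:` links, visible text and HTML comments, which is where forgotten notes and test credentials tend to leak. The page URL and the HTML below are constructed for the example; running it against a site you do not own or have permission to assess is the inappropriate use the post warns about.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class LinkCollector(HTMLParser):
    """Harvest links, resource URLs, e-mail addresses and comment text from one page."""

    def __init__(self, base_url):
        super().__init__()
        self.base = base_url
        self.links = set()
        self.emails = set()
        self.text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            ref = attrs.get("href")
        elif tag in ("img", "script", "iframe"):
            ref = attrs.get("src")
        else:
            ref = None
        if not ref:
            return
        if ref.lower().startswith("mailto:"):
            self.emails.add(ref[len("mailto:"):].split("?")[0])
        else:
            self.links.add(urljoin(self.base, ref))  # resolve relative paths

    def handle_comment(self, data):
        self.text.append(data)  # comments are invisible in the browser but not to a ripper

    def handle_data(self, data):
        self.text.append(data)


def recon_page(base_url, html):
    """Return internal links, external links and e-mail addresses found on the page."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    host = urlparse(base_url).netloc
    internal = {u for u in collector.links if urlparse(u).netloc == host}
    external = collector.links - internal
    emails = collector.emails | set(EMAIL_RE.findall(" ".join(collector.text)))
    return {"internal": sorted(internal), "external": sorted(external), "emails": sorted(emails)}


# Constructed sample page for the example (no real site).
SAMPLE_HTML = """
<html><body>
<!-- TODO before launch: remove test login admin@example.com / Summer2018 -->
<a href="/careers">Careers</a>
<a href="team.html">Our team</a>
<a href="https://partner.example.net/about">Partner</a>
<a href="mailto:press@example.com?subject=hi">Press</a>
<p>Support: support@example.com</p>
<script src="https://cdn.other.net/app.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for kind, items in recon_page("https://www.example.com/about/", SAMPLE_HTML).items():
        print(kind, items)
```

The point for a defender is the comment line: a crawler reads the raw HTML, not the rendered page, so anything left in the source is part of the site’s footprint.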
The details provided above are for informational purposes only! Please do not use it in any inappropriate way!
This is my fifth post for #MyFriendAlexa by @Blogchatter!
Liked this post? Please comment and share! 🙂