Three golden rules

During this course we have learned a lot about security, our task during this semester is to create a solution to help children in elementary school to learn mathematics, and of course we have to take care of its own security.

There’s a lot of rules that can help us in order to secure a system. I found one, that made me laugh a lot, this post says that the three golden rules for not having security issues were: do not own a computer, do not turn it on and do not use it. Of course that’s not useful for us.

So, we need to set other rules, and these are the ones I found:

  1. Review repeated times the code and test the security often. This means prioritizing and knowing the strengths and weaknesses.
  2. Continuous development. World changes everyday and security must, as well.
  3. Managers must take responsibilities. I think security is a task that developers and managers should be responsible of, but yeah, all the responsibility will lie in the manager, so, the manager should be more worried about it.

Security measures should be taken for our project, because it will work with people’s information. The rules listed above must be applied on it. Testing it many times, to assure that the methods are correctly implemented, offering maintenance services for sure and assuming the responsibility as long as it is used correctly.

Anuncios

Systems Security

Operating systems have security as well. An operating system serves to set security, since it is a platforms that interacts with a lot of users and information. This is how easily you can implement security to your Operating System.

First, passwords. For passwords we can use three things to create them: what we know, what we have and what we are.

  • What we know are things or words that we keep in our heads.
  • What we have could be material things we own, some examples are credentials or tags, which we have already used to have access to some places.
  • What we are are our own characteristics, eyes or fingerprints. These passwords are the best, because you cannot be copied or cloned, but of course, are more expensive.

NTFS (New Technology File System) is a new form of saving, browsing and securing files. This systems allow that premissions and privileges can be granted. Individual persmissions include full control, change, read and execute and list folder, among others.

Also, you can create an active directory to store, classify and retrieve information. It is a directory for objects,  essentially a database that resembles the form of a pyramid. It also, implements athentication, trust relationships (when servers are added), and groups similar entities together in its structure.

My advice is to look further in the web how to provide security to your operating system,  this post is just a little example of what you can do. As always, prevent and be prepared for the danger you could face, operating systems are not the exception.

Web Security

Security is way to prevent harm and includes systems and non-physical factors. To develop a good security environment, you have to consider to basic things:

  • Awareness: Identify dangers and set your mind to wait for them to happen.
  • Protection: Using the existing security services in an intelligent way.

Web services can be complex, so web security matters. Why? Because is common that hackers look for complexity and try to steal information.

Hackers can be defined as “someone who tinkers with computers and come up with innovative ideas”. Unfortunately, the term has been mislead because of our context; nowadays, a hacker is known as someone who can find vulnerable point in a platform, gain control and steal information. There’s several kinds of hackers, sadly, most of them don’t use their knowledge for positive causes.

Web design principles:

  • Least privilege is about giving the user just the minimum privilege over the web service, so they can stick to their field and nothing else.
  • Simplicity means to simplify the programs, the less things we have, the easier to protect it.
  • Never trust users is just a recommendation about being careful with the users, most of them don’t know anything about the dangers, and can cause to the system by accident.
  • Expect the unexpected is assuming that things will happen, even it sounds impossible, is better to be prepared than have no clue at all.
  • Defense in depth refers to have various layers of defense, in order to reduce the strength of the attack if it happens.
  • Security through obscurity is leasing the amount of information you share about your web, because the less it is known, the less chances to be attacked.
  • Blacklisting and whitelisting are opposite concepts. A blacklist is a list of banned things and a whitelist is a list of allowed things, every programmer decides which one is better to use.
  • Map exposure points is having a clear idea of what the user can do in the web and which information can see.

There’s a lot of things that can help us, a lot of people have experienced it and there’s a lot of information to create a good security basis available as common knowledge. So, don’t worry and believe me, it’s better to prevent.

Cryptography

Cryptography is not just secret messages, mainly because those messages are not secret. An encrypted message can be read for anyone, or at least try, because its just a senseless disaster. And that’s not bad, it is planned to be a disaster. To read an encrypted message you need a key, making it a man-made art. The origins of an encrypted messages are really old (recall the Enigma code!).

Encryption is the safest way to keep information and assure a safe data transfer. Servers have five basic services to guarantee security (listed below), these are implemented through security services, so encryption is a matter of confidentiality.

  • Confidentiality (protecting data)
  • Integrity (unchanged data)
  • Accountability (protection in communication)
  • Authentication (confirm identity)
  • Availability (services accessible).

Trusted third parties, public key infrastructure and the story of Bob and Alice are basic concepts of cryptography:

  • A trusted third party helps to trust connections between Internet environments.
  • Keys:
    • Symmetric, that uses a single key
    • Asymmetric, that uses a pair of keys.
  • Bob and Alice deals with certificates. Bob and Alice can trust each other because of the trusted third party which authenticates through the certificates.

Cryptography is a wise option to protect data and avoid data transfer.

Security architecture and policies

If you’re developing a software to provide a service, you must consider a security architecture. Which is a platform where every single thing is where it has to be, easy to maintain and recover. Security must be included within the architecture of the system.

The construction of a system can be in different ways, and there’s a lot of factors that affect the how well the system is built. For example, a big amount of preassure, allowing inexperienced programmers to do changes or wait just for the time to pass without changing anything. At last, you will not be able to test the system, making it fragile. Fortunately, we can reengineer everything.

You need to understand the technology for this. But don’t worry, if you don’t, you just need to take some time to do research or go out and ask someone that knows about it. No matter how long it takes to you to understand it, security is always a way to save time and money. Considering a good security architecture ensures to run nice, and that further security applications will be easy to implement.

Risk management, and assessment

Information security is more complex that it appears, it deals with conventions further than just the implementation or blocked stuff.

Risk management, is like being alcoholic. The first step to get over it and tackle it is to accept that risks exists and are closer than what you believe. Even though you might think that you’re not the billionaire that hackers are looking for, outside there’s lot of people looking for vulnerable points in your systems to steal your information.

A good way to prevent it is the risk management. These are the six steps:

1. Categorize. You need to categorize dangers. If we group dangers according to its characteristics, we can attack more dangers in an easier way.

2. Select. You have to select the technology or correct measure that you will applied to each danger.

3. Implement. This step is easy, you need to implement the measures you selected previously.

4. Assess. You need to evaluate the things you are going to use, and decide if it’s better to use a better one or keep using the currently. 

5. Authorize. This works by accepting the solution, and have a clear method of what to do in case it is needed.

6. Continuous monitoring. Keep looking for anomalies, you need to know what are you looking for and where. So, if you find something already know what to do, because you have followed the framework and have a plan to solve it.

Following the steps, we can prevent that a risk will not affect as hard as it can. Honestly, most of the risks, will hit in a relatively hard way, but not as much as if there’s no defense set.

Code of Ethics

giphy-downsized

Gif by Giphy

Reading the documents for this subject I liked the term all of they were using, code of ethics, sounds great for a document as for the title – also we will discuss about the ethics in programming (code👀) – that’s why my chose for this post title.

A code of ethics is a document with some rules that an specific person has to follow or it is supposed to follow, just like the rules that are stablished by any institution like the university, etc. Well, this document in particular has some variations, but a few authors agree that it should exist just one global code of ethics for everyone. I think the same, I mean, I can consider myself an ethical person if I follow my code but a different person thinks that’s bullshit if they have a better or more complete code of ethics which to follow.

Seguir leyendo “Code of Ethics”

Basics of computing security

tenor

Gif from tenor

       Let’s be clear. I am not an expert in computing security. Actually, I have never studied about this before… BUT, is the subject I have been waiting since I began my studies as Software Engineer. And now, in my 7th semester, I am writing about it for my computer and information security class with Ken, a flipped-learning teacher, but more important I am writing about it to learn with you, whoever you are.

       For this first entry I am talking about, according to Ken, three key concepts in the computing security which together create the CIA in computer security: availability, confidentiality and integrity.

Seguir leyendo “Basics of computing security”