The basics of infosec

Posted by kdow on Aug 18, 2016 10:48:30 AM

Hackers! They’re everywhere these days. Snowden is in hiding, there are conferences where hackers figure out exploits in day-to-day items (like cars) and it feels like banking & other ideally super-secure systems are exposed.

I thought I would write a little bit about how people should think about infosec (information security). Am I qualified to do such a thing? Not particularly. I did a bit of this in college, and as a teen on IRC I spent a bunch of time doing nefarious things with local radio station websites & such. And since then I’ve tried to keep up with news & information around the industry.

The basics

The most basic part of all this is simple: what data is available over a networked connection? You’re likely accessing music on Spotify, movies on Netflix, hosting documents on Dropbox & accessing vital information via email. But consider what’s underneath that data. I have a scan of my passport on Dropbox for those times when you need a copy to apply for something online. My credit card details are on many different services, too.

It’s worth doing some sort of asset audit to see what data you have hosted where. Not to give yourself a dose of the fear, but to be aware of just how much data you have hosted online, and who can access the variants of this data.

There’s a simple acronym to keep in mind when thinking about infosec: CIA. CIA stands for confidentiality, integrity & availability. These three properties underlie almost every principle in infosec. Information must be confidential, which means it’s restricted only to the intended recipients/senders. Integrity refers to the data’s consistency, or trustworthiness: it hasn’t been altered by anyone who shouldn’t have touched it. And the data must be available with the appropriate access levels (read, write, execute) to the appropriate actors.

Infections

Okay, so we know the basics of what data we store online as well as what the key basics are for information when it is online (CIA). But what causes problems? We’ve all heard about virus attacks & infections, but it’s worth knowing what different types of attacks could be attempted.

There are four basic types of attack: worms, trojans, spyware & straight-up viruses. A worm spreads itself over a network & tries to hijack resources to do something nasty, like delete files or compromise security systems. A trojan is named after the wooden horse that was used to smuggle soldiers into Troy, and the software equivalent works in much the same way (smuggling bad processes in inside a legitimate-looking program). Spyware typically sits on your computer, collecting data like passwords, without you knowing it. Viruses are notorious for attaching themselves to data already on your hard drive and copying themselves from there, doing malicious things like corrupting data or even deleting it.

Most infections go undetected by the average user. The transport these infections use to reach your computer is email, files, IMs or pretty much anything that can legitimately “install” on your computer.

Anti-virus software typically has a large database of signatures (file sizes, names and patterns) that it matches against files to spot irregularities on your hard disk. Once it spots one, it’ll quarantine the file and scan it (because it might be legitimate). If it’s a bad file, it can report back to a remote server so other users don’t get infected, and remove the virus from your machine.

A non-viral infection that’s very common these days is a phishing attack. This happens daily to people at this point! Imagine the scene: a typical internet denizen has a Facebook account. This is common and should be part of your data audit (from the beginning of this post). Knowing most users in a certain demographic are going to be Facebook users, an attacker generates a bunch of email addresses in a domain range (@gmail.com, @company-name.com, etc.) and sends them what appears to be a notification from Facebook. There’s a chance someone will click the link. Behind that link is what appears to be a Facebook login. Instead, all it’s doing is logging the credentials of unsuspecting users to a third-party database and using that information for malicious reasons. The reason wouldn’t be to post bad things on your FB timeline; instead, a smart phishing attack would assume those same credentials work on, say, PayPal. Now, without a lot of effort, a criminal has the ability to make payments on your behalf without you knowing.

The way to protect yourself against phishing is to be vigilant. Anti-virus software and most good email clients/servers will do a lot of work for you, but if you receive a social network notification in your work inbox, chances are it’s phishing. It’s also really unusual for IT to email asking you to log in to some system. No one’s going to scold you for being vigilant & asking the sender if a particular message is actually legitimate. Another simple way is to simply look at the address bar of a login page. A phishing attack can easily spoof the look & feel of a login page, but it can’t put facebook.com/login in the address bar as the real host.
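The address-bar check described above, written out as an added example (not code from the original post). It assumes the only legitimate hosts for the login page are facebook.com and www.facebook.com, and it looks at the parsed hostname rather than at whether the link merely contains the brand name, because that is where lookalike links differ from the real thing.

```python
from urllib.parse import urlsplit

# Hostnames we treat as the genuine login page (assumption for this example).
LEGIT_HOSTS = {"facebook.com", "www.facebook.com"}


def is_legit_login_url(url: str, legit_hosts=LEGIT_HOSTS) -> bool:
    """Return True only if the link really points at one of the expected hosts.

    A brand name can appear anywhere in a link (subdomain, path, userinfo),
    so the decision is made on the hostname the browser will actually contact.
    """
    parts = urlsplit(url.strip())
    if parts.scheme != "https":  # the real login page is served over TLS
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host in legit_hosts


# Constructed sample links of the kind a user might see in a phishing email.
SAMPLES = {
    "https://www.facebook.com/login": True,
    "http://www.facebook.com/login": False,                 # no TLS
    "https://facebook.com.example-phish.test/login": False,  # brand used as a subdomain
    "https://www.facebook.com@198.51.100.7/login": False,    # real host is after the '@'
    "https://faceb00k.com/login": False,                    # lookalike spelling
    "https://example-phish.test/facebook.com/login": False,  # brand only in the path
}


def check_all(samples=SAMPLES) -> dict:
    """Evaluate every sample link; the values show which ones a user should trust."""
    return {url: is_legit_login_url(url) for url in samples}
```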

Passwords

A common misconception of the modern world is that passwords are secure. That’s a bold statement to make, I know. But most passwords aren’t brute-force attacked. It’s far more likely that your password will be acquired through phishing or a database breach than a piece of software making random guesses.

That said, to ensure you are protected as much as possible with the systems you use, creating a more complex password is ideal. A lot of modern browsers will create random strings for you (Safari does this quite well) & store them in their own password stores, which are themselves encrypted. Some services even use biometrics to more robustly secure a service, device or the data within (an iPhone is a good example of this, using your thumb print to access the phone).

Most services worth their salt will use encryption & hashing so that the password itself is never stored on the server. But using two-factor authentication, biometrics and complex passwords are all going to secure your data far more than simply relying on the server side alone. If a service offers a deeper level of protection: use it.
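What “hashing the password on the server” looks like in practice, as an added example (not code from the original post). It uses PBKDF2-HMAC-SHA256 with a random per-user salt and contrasts it with a plain unsalted digest; the iteration count and the user names are assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; chosen for the example, tune for your server


def store_password(password: str) -> dict:
    """Return the record the server keeps: a random salt and the derived key.

    The password itself is never written down. If this record leaks in a
    breach, every guess still costs the attacker ITERATIONS hash operations.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "key": key.hex(), "iterations": ITERATIONS}


def verify_password(record: dict, attempt: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                              bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(key, bytes.fromhex(record["key"]))


def unsalted_sha256(password: str) -> str:
    """The weak scheme, for contrast: the same password gives the same digest for everyone."""
    return hashlib.sha256(password.encode()).hexdigest()


def demo() -> dict:
    # Two constructed users who happen to choose the same password.
    pw = "correct horse battery staple"
    alice = store_password(pw)
    bob = store_password(pw)
    return {
        "salted_records_differ": alice["key"] != bob["key"],   # salt hides the reuse
        "unsalted_digests_match": unsalted_sha256(pw) == unsalted_sha256(pw),
        "alice_ok": verify_password(alice, pw),
        "alice_wrong": verify_password(alice, "Correct horse battery staple"),
    }
```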

Encryption & cryptography

This is the meat-and-two-veg of infosec. We know what the basics of infosec are, what it’s about and why it’s important. But we’ve yet to traverse the murky waters of actual cryptography.

I imagine most people have come across crypto as a phrase at one point or another. A lot of people who’ve read anything about Bitcoin, for example, would have read that it’s a type of cryptocurrency. Crypto, in these instances, simply means secure. Cryptography, then, is the art & science of keeping things secure. And remember, the basis of all of this is to keep things confidential, consistent and available to the actors that need to see it. A secure piece of data can only be secure to a certain degree. You, the owner of said data, need to access it. Which is why there are often holes to exploit!

The basics of this are that data is transported over a network after some sort of scrambling that only the sender & receiver can undo. I’m sure everyone learned about Caesar Ciphers in school, and promptly used them to write secret notes to friends. Imagine this, but far more complex. The scrambling is undone when the sender & receiver of the data share a key that turns the garbled message back into something useful. This operates much the same way as two school kids agreeing that the note they’re passing is written using a Caesar Cipher with a particular shift.
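The Caesar Cipher from the paragraph above, as an added example that is not part of the original post. It shows the shared key (the shift) doing the scrambling and unscrambling, and then lists every possible plaintext to make the “far more complex” point concrete: with only 26 keys, a reader without the key can simply try them all, which is exactly what a modern cipher’s enormous key space prevents. The message is constructed.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar(text: str, key: int) -> str:
    """Shift every letter by `key` places; punctuation and spaces pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ALPHABET if ch.islower() else ALPHABET.upper()
            out.append(base[(base.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def decrypt(ciphertext: str, key: int) -> str:
    """The receiver applies the same shared key in reverse."""
    return caesar(ciphertext, -key)


def key_space() -> int:
    """Number of distinct keys: one per possible shift (shift 0 leaves text unchanged)."""
    return len(ALPHABET)


def all_candidates(ciphertext: str) -> dict:
    """Every plaintext a reader WITHOUT the key could recover by trying each shift.

    That this is a short list is the whole weakness; AES-128 has 2**128 keys,
    so the same approach is hopeless there.
    """
    return {k: decrypt(ciphertext, k) for k in range(key_space())}


# Constructed note between the two school kids, shared key = 3.
NOTE, KEY = "Meet me at noon", 3
SECRET = caesar(NOTE, KEY)          # -> "Phhw ph dw qrrq"
```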

Online, you know you’re on a secure site because the browser will show a number of indicators. Normally a padlock icon will show, with some green text indicating the site is secure. Or simply the URL contains the prefix https.

And that’s the guts of it. There’s obviously far more you could find out about the industry. One simple resource would be to watch the videos from the recent Blackhat conference. Or read blogs like Hackday. Of course, if you want more help, advice or just want to say hello, find me on Twitter. I also lurk around IRC (Freenode, Snoonet & a few others) so ask for who I am here :)