Author Topic: CyberSecurity  (Read 16196 times)


Offline pewpewnii

  • Thread Starter
  • Posts: 24
CyberSecurity
« on: Thu, 30 July 2020, 00:22:21 »
Hi, can anyone brief me on or share some IMPORTANT cybersecurity knowledge and skills? I am a Computer Science and Network Technology student. Recently, I have become quite interested in Cyber Security and I hope my career path will be more on it. Thanks!

Offline Findecanor

  • Posts: 5036
  • Location: Koriko
Re: CyberSecurity
« Reply #1 on: Thu, 30 July 2020, 01:31:44 »
Some basic principles about security that I see people overlook too often:
- The weakest link is often a human.
- If security is not user-friendly, it will be circumvented and hence not work in practice.
- Risk is measured on two axes: The probability that it will happen, and how much damage that it can wreak. Both are just as important.
- Security is not a feature -- it is a continuous process. Flaws, weaknesses and new types of attacks are discovered all the time. What is not considered improbable or insignificant today may be combined with something else and become risky tomorrow.

(I'm typing this only because I am still angry about an argument about security I had with some professional idiot on another forum yesterday)

Offline jamster

  • Posts: 1091
  • Location: Asia
Re: CyberSecurity
« Reply #2 on: Thu, 30 July 2020, 01:39:29 »
Hi, can anyone brief me on or share some IMPORTANT cybersecurity knowledge and skills? I am a Computer Science and Network Technology student. Recently, I have become quite interested in Cyber Security and I hope my career path will be more on it. Thanks!

From observing friends in the industry, the important stuff is what you teach yourself, not what university courses, or other people, tell you.

Offline yui

  • Posts: 1082
  • Location: 127.0.0.1 (in azerty)
Re: CyberSecurity
« Reply #3 on: Thu, 30 July 2020, 01:49:57 »
Trying to not have an "Administrator" or "root" account open is a good one that I see too often forgotten, especially if the password is Admin123 or root (yeah, I did see it in a production environment more than once in my very limited career, and I am only an amateur at security stuff), and do not rely only on security through obscurity; it can be an extra layer but not the only one.
And in security like in development, never ever trust that the user will not try to break your stuff, else they may without even trying.
vi vi vi - the roman number of the beast (Plan9 fortune)

Offline -Jerry-

  • Posts: 336
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #4 on: Thu, 30 July 2020, 02:54:53 »
A good one to know is the Principle of Least Privilege.

This implies that the level of access any user has as a baseline for day-to-day work is the minimum required to do their job; internet access, internal file servers, company intranet, etc. Regardless of whether a user is a global administrator or a code monkey, the account they log in to any computer with should be one without the rights to do anything that could compromise a system, ideally.

Assume that Bob is a user administrator and needs to make a permissions change for Sally. Bob shouldn't be able to do that without elevating his permissions in some way and ideally that elevation should be A) Auditable and B) Time-Limited. In a perfect world, it should also be locked behind a multifactor authentication prompt at the very least too. Bob would use his admin credentials (which are not the same as his user credentials) to log into a separate domain control VM or, more commonly these days, cloud based implementation. He'd then make the change and close that session. This means that if Bob gets phished, his account can't do anything that a standard user can. If he leaves his workstation logged in, he likewise can't be compromised more than a baseline data breach.

----------------------------------------------------------------

Sidenote:

You may get some benefit from knowing that as a student, you can get access to some fairly good training resources for free. One I rate pretty highly is called the Digital Cyber Academy, a free version of a platform called ImmersiveLabs which offers cyber security training. It has some fairly excellent live labs that let you practice skills using VMs and has all the labs mapped against the MITRE ATT&CK framework. I found it immensely useful when I was getting started and even more so now I've got a commercial account.
« Last Edit: Thu, 30 July 2020, 02:59:32 by -Jerry- »
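The elevation flow described in the reply above (separate admin credentials, MFA before elevation, a time limit and an audit trail), as an added Python sketch that is not part of the original post. The account names, role map and `ElevationBroker` class are hypothetical; the code models the policy only and calls no Windows or Azure API.

```python
import time

# Hypothetical accounts and roles for this sketch (not from a real directory).
BASELINE = {"bob": {"read_mail", "open_intranet"}, "bob-adm": set()}
ELIGIBLE = {"bob-adm": {"user_admin"}}  # which account may request which role
ROLE_ACTIONS = {"user_admin": {"change_permissions", "reset_password"}}


class FakeClock:
    """Controllable clock so expiry can be shown without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class ElevationBroker:
    """Grants time-limited roles after MFA and records every decision."""

    def __init__(self, clock=time.time, max_ttl=900):
        self.clock = clock
        self.max_ttl = max_ttl   # hard cap on any elevation, in seconds
        self.grants = {}         # account -> (role, expires_at)
        self.audit = []          # (timestamp, account, event, detail)

    def _log(self, account, event, detail):
        self.audit.append((self.clock(), account, event, detail))

    def elevate(self, account, role, mfa_passed, ttl=600):
        if role not in ELIGIBLE.get(account, set()):
            self._log(account, "elevate-refused", f"{role}: not eligible")
            return False
        if not mfa_passed:
            self._log(account, "elevate-refused", f"{role}: MFA not satisfied")
            return False
        expires_at = self.clock() + min(ttl, self.max_ttl)
        self.grants[account] = (role, expires_at)
        self._log(account, "elevate-granted", f"{role} until {expires_at:.0f}")
        return True

    def authorize(self, account, action):
        if action in BASELINE.get(account, set()):
            self._log(account, "allow", action)
            return True
        grant = self.grants.get(account)
        if grant is not None:
            role, expires_at = grant
            if self.clock() >= expires_at:
                # Time limit reached: drop the grant instead of trusting it.
                del self.grants[account]
                self._log(account, "grant-expired", role)
            elif action in ROLE_ACTIONS[role]:
                self._log(account, "allow", f"{action} via {role}")
                return True
        self._log(account, "deny", action)
        return False


def run_demo():
    clock = FakeClock(1000.0)
    broker = ElevationBroker(clock=clock)
    results = [
        # Daily account (the one that gets phished) cannot change permissions.
        broker.authorize("bob", "change_permissions"),
        # Admin credentials alone are not enough without MFA.
        broker.elevate("bob-adm", "user_admin", mfa_passed=False),
        broker.elevate("bob-adm", "user_admin", mfa_passed=True, ttl=600),
        broker.authorize("bob-adm", "change_permissions"),
    ]
    clock.now += 601  # session left open past the time limit
    results.append(broker.authorize("bob-adm", "change_permissions"))
    return results, broker.audit


if __name__ == "__main__":
    outcome, trail = run_demo()
    print(outcome)
    for entry in trail:
        print(entry)
```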
"Romeo"     "Split75"   "Melody96"     "KBD8X MKII"     "Womier K87"

Offline yui

  • Posts: 1082
  • Location: 127.0.0.1 (in azerty)
Re: CyberSecurity
« Reply #5 on: Thu, 30 July 2020, 03:18:58 »
Assume that Bob is a user administrator and needs to make a permissions change for Sally. Bob shouldn't be able to do that without elevating his permissions in some way and ideally that elevation should be A) Auditable and B) Time-Limited. In a perfect world, it should also be locked behind a multifactor authentication prompt at the very least too. Bob would use his admin credentials (which are not the same as his user credentials) to log into a separate domain control VM or, more commonly these days, cloud based implementation. He'd then make the change and close that session. This means that if Bob gets phished, his account can't do anything that a standard user can. If he leaves his workstation logged in, he likewise can't be compromised more than a baseline data breach.
I knew that was best practice on Unix-based systems (sudo etc.), but I never thought it was possible on Windows.

Offline -Jerry-

  • Posts: 336
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #6 on: Thu, 30 July 2020, 03:25:52 »
Assume that Bob is a user administrator and needs to make a permissions change for Sally. Bob shouldn't be able to do that without elevating his permissions in some way and ideally that elevation should be A) Auditable and B) Time-Limited. In a perfect world, it should also be locked behind a multifactor authentication prompt at the very least too. Bob would use his admin credentials (which are not the same as his user credentials) to log into a separate domain control VM or, more commonly these days, cloud based implementation. He'd then make the change and close that session. This means that if Bob gets phished, his account can't do anything that a standard user can. If he leaves his workstation logged in, he likewise can't be compromised more than a baseline data breach.
I knew that was best practice on Unix-based systems (sudo etc.), but I never thought it was possible on Windows.

It certainly is. Windows actually implements this by default, that’s what those prompts that pop up when you try to install stuff are. They’re part of the User Account Control (UAC) system - they prevent a program running with administrative permissions even if you’re logged in as an administrator. Best practice is to use entirely separate accounts however.

At work, for example, I have the following; a user account, a network admin account, and a test account. I’d never log in to a machine that wasn’t my own with the user account, because that exposes access to my mailbox, personal file storage, etc. I’d also never log in using my administrative account, because I should never need to - any program needing to be installed or access needed can be achieved by elevating that action using admin credentials temporarily. No, if I’m logging into a machine other than my own I’m always using a test account that has default baseline credentials, so if a machine is infected with malware or corrupting data it has no effect on anything important.

Offline yui

  • Posts: 1082
  • Location: 127.0.0.1 (in azerty)
Re: CyberSecurity
« Reply #7 on: Thu, 30 July 2020, 03:37:57 »
I did forget about UAC, and I was thinking more along the lines of network admin, like changing file permissions and stuff in the DC. I haven't done it in a while, but I do not remember UAC getting in the way of creating a user or those kinds of things.

Offline -Jerry-

  • Posts: 336
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #8 on: Thu, 30 July 2020, 04:19:49 »
I did forget about UAC, and I was thinking more along the lines of network admin, like changing file permissions and stuff in the DC. I haven't done it in a while, but I do not remember UAC getting in the way of creating a user or those kinds of things.

It really depends on the permissions implementation and depends on whether you're using an onprem or cloud implementation, but both should allow protection however. If I log in to a domain management server, I'd expect to have to authenticate: when I access it AND every time I open a tool like Computer Management or Users & Computers. Windows can't prompt you every time you take an action if you're doing it within a tool, by which I mean it can only prompt you when you open Users & Computers, not every time you go to modify a user. It also doesn't protect file permissions, because if you're logged in as a domain admin then you have rights to edit permissions on any file typically. A way to make this less potentially damaging is to segregate permissions in a domain based on departments (or faculties in my case), so instead of a domain admin account, you'd have an admin account that only has permissions to work within your remit.

It IS a bit of a mixed bag. It's a bit better with cloud based solutions in some ways, because with Azure PIM for example, you can fine tune permissions and put MFA prompts on actions, etc.

Offline Leslieann

  • * Elevated Elder
  • Posts: 4518
Re: CyberSecurity
« Reply #9 on: Thu, 30 July 2020, 07:04:24 »
You're going to see some amazingly stupid things.
The person you think is the most computer literate will be the one to do the dumbest thing and ruin your security (oops!).
That person who knows nothing about computers will break your security in the least likely, most harebrained way possible.
There's no such thing as idiot proof.

Cyber security is more than just computer access and networks.
People are easy to compromise (the easiest!) but take care of your surroundings. I had one customer spend $24k on a server rack which was installed in front of a large pane of glass, on the first floor, near their main entry, visible from the drive through of a major drug store chain barely 100 feet away. Why hack the network when you could just smash the window and take the whole thing then take your time hacking an admin password (which takes seconds if you have direct access).

Trust nothing. If you can't verify it's clean, secure or stable, assume it isn't. I've thrown away drives and even complete systems because they couldn't be trusted. A system isn't cheap, but cleaning up a breach, data loss, or a failure is even more costly. I had a company refuse to replace a $400 computer, but when it failed they lost 2 days' worth of sales totaling $22k.

While not exactly cyber security, BACKUP, BACKUP, BACKUP. It used to be you did it mostly because of viruses and data loss, today you need them in case of ransomware which has become a major factor. Once you get hit you may or may not even have the option to pay and recover the data (many are just an encryption with no key), so you better have backups. Also, make sure they're good. I can't tell you how many offices I see have no backup and in those that did, how often it's no good or only partial. Getting a company to do backups, much less proper ones (or anything preventative really) is probably the single most difficult job in I.T.



Also, keep your ear to the ground; rumors, unsubstantiated or not, are often based at least partially on facts. There were rumors swirling for a while before Meltdown and Spectre were confirmed, yet many blew it off saying it couldn't happen, it was only in a lab, it's not in the wild and is months or years away, it can't happen to me, it needs authentication (see Findecanor's and my first entry). Even something that starts as a silly and fake rumor may be enough for someone to go looking and actually find something, so take them seriously.
Novelkeys NK65AE w/62g Zilents/39g springs
More
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
More
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
More
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
More
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
More
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
More
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
More
Ergo Clears, custom WASD caps
| Das Pro
More
Costar model with browns
| GH60
More
Cherry Blacks, custom 3d printed case
| Logitech Illumininated | IBM Model M (x2)
Definitive Omron Guide. | 3d printed Keyboard FAQ/Discussion
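One way to check that a backup is "good" rather than partial, as the reply above urges; this is an added example, not part of the original post. It records SHA-256 hashes at backup time and later checks the backup copy against that stored manifest, so the check still works when the original data is gone; the file names and contents are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's relative path to its SHA-256, taken at backup time."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root, manifest):
    """Compare a backup tree with the manifest; report ok/missing/corrupt."""
    backup_root = Path(backup_root)
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        candidate = backup_root / rel
        if not candidate.is_file():
            report["missing"].append(rel)      # never copied: partial backup
        elif sha256_file(candidate) != expected:
            report["corrupt"].append(rel)      # truncated or altered copy
        else:
            report["ok"].append(rel)
    return report


def demo():
    # Constructed sample data: three small files standing in for office data.
    files = {
        "sales/2020-07.csv": b"date,total\n2020-07-29,11000\n2020-07-30,11000\n",
        "docs/contract.txt": b"signed contract text\n",
        "photos/rack.jpg": b"\xff\xd8constructed-bytes\xff\xd9",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "source"), Path(tmp, "backup")
        for rel, data in files.items():
            for base in (source, backup):
                (base / rel).parent.mkdir(parents=True, exist_ok=True)
                (base / rel).write_bytes(data)
        manifest = build_manifest(source)
        # Simulate a bad backup: one file truncated, one file never copied.
        (backup / "sales/2020-07.csv").write_bytes(files["sales/2020-07.csv"][:20])
        (backup / "photos/rack.jpg").unlink()
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    for status, paths in demo().items():
        print(status, paths)
```

Keep the manifest somewhere other than the backup media itself, so a damaged or encrypted backup cannot take its own checklist with it.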

Offline Findecanor

  • Posts: 5036
  • Location: Koriko
Re: CyberSecurity
« Reply #10 on: Thu, 30 July 2020, 08:11:32 »
While not exactly cyber security, BACKUP, BACKUP, BACKUP.
Indeed. This applies not only to the company's data but also to your own work. Do store it on a protected server, which does get regular backups. Not just the shared source code repository -  but your own files too.

I've lost a day's worth of development work because the workplace was broken into and my work computer stolen ... and that has happened to me twice, ten years apart. (I should have learned the first time but I hadn't)

Offline -Jerry-

  • Posts: 336
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #11 on: Thu, 30 July 2020, 08:24:06 »
Indeed. This applies not only to the company's data but also to your own work. Do store it on a protected server, which does get regular backups. Not just the shared source code repository -  but your own files too.

Yup, this is why I make researchers buying external drives agree to the disclaimer that external drives are only for transient data and we won't give them any help whatsoever in data recovery should they decide to put all the data required for their thesis on there or something equally stupid. They baulk at paying per terabyte of data on our network, because it costs 1/4 as much to buy a hard drive, we have to remind them that what they're paying for isn't one HDD, but three SSDs, effectively - replication and snapshot backup.

Of course, at home I can do what I want, so for really important stuff I've got it backing up to OneDrive and replicating to a separate disk. Both of those disks are backed up off-site via BackBlaze.

Offline Leslieann

  • * Elevated Elder
  • Posts: 4518
Re: CyberSecurity
« Reply #12 on: Thu, 30 July 2020, 22:30:28 »
Wow, I did not expect that to hit home so well considering it wasn't directly security related, though it should be.

Currently I have everything stored on my personal file server at the house. Everything on it gets dumped to an external on a "when I feel like it" basis or if something important changed. I also have a Mega Drive that backs up important stuff and some of that, the real important stuff gets uploaded to Google Drive (I map a folder in the Mega folder to Google) which has versioning (which Mega lacks) and better sub folder recovery. The server has both Mega and Google apps on it, but I only use the Mega app to sync my laptop and since Google is in the Mega drive it handles that as well.

So 2 copies of everything, 3 copies of important stuff (1 off site), and 4 copies of very important stuff with 2 copies offsite. Other than the external it's all on free accounts.

Offline pewpewnii

  • Thread Starter
  • Posts: 24
Re: CyberSecurity
« Reply #13 on: Sat, 01 August 2020, 09:42:38 »
Hooo, thanks for all the replies. I will look through all of the info! Much appreciated!!!!

Offline fohat.digs

  • * Elevated Elder
  • Posts: 6463
  • Location: 35°55'N, 83°53'W
  • weird funny old guy
Re: CyberSecurity
« Reply #14 on: Sat, 01 August 2020, 10:45:15 »

Everything on it gets dumped to an external on a "when I feel like it" basis or if something important changed.


I don't have vast quantities of stuff. A single TB holds my family photos and documents and my music collection. Then I have about 2TB of various historical and downloaded stuff that is "semi-important" but not absolutely critical.

In my mind, something on a hard drive that is unplugged and in its box is pretty safe. Before I pack it away I run a virus scan and chkdsk on it, so it should be clean. I have a couple of 1TB external SSD hard drives for the things that are truly precious, and one of them is usually rotated into my safe deposit box.
 
Cognitive distortions are patterns of thought, typically automatic and unconscious, that cause an inaccurate, negative view of situations, people, and/or events. These include things like jumping to conclusions; black-and-white thinking; negative mental filtering; overgeneralizing; mindreading (incorrectly believing we know what others are thinking, what their motives are); and emotional reasoning (believing that if we are feeling something, or if what we are thinking is associated with a strong emotion, it must be true).
- Scott Jansenn 2024-04-07

Offline Leslieann

  • * Elevated Elder
  • Posts: 4518
Re: CyberSecurity
« Reply #15 on: Sat, 01 August 2020, 21:19:08 »
I don't have vast quantities of stuff. A single TB holds my family photos and documents and my music collection. Then I have about 2TB of various historical and downloaded stuff that is "semi-important" but not absolutely critical.

In my mind, something on a hard drive that is unplugged and in its box is pretty safe. Before I pack it away I run a virus scan and chkdsk on it, so it should be clean. I have a couple of 1TB external SSD hard drives for the things that are truly precious, and one of them is usually rotated into my safe deposit box.
Externals are good, but it's not off-site, if there's a fire or flood it's vulnerable, granted if that happens you have bigger problems.
You may want to adapt a hybrid like I use just to salvage those things you really don't want to lose, just in case.

If you really want a cheap offsite for all those pics, create multiple Mega accounts (yourname1,2,3,4 etc...) then upload all you can to each. Since it doesn't change often it would just be a stable off-site archive. Then just use the last for anything new.

Offline fohat.digs

  • * Elevated Elder
  • Posts: 6463
  • Location: 35°55'N, 83°53'W
  • weird funny old guy
Re: CyberSecurity
« Reply #16 on: Sun, 02 August 2020, 08:07:07 »
I am leery of the cloud for various reasons, although I don't have anything illegal or so sensitive that I would be significantly damaged if it got loose.

Besides the one in the safe deposit box, I also leave a hard drive with a friend who lives far out in the country. In the case of an extended power outage (here or at the server farm), interruption of the internet anywhere along the line for whatever reasons, or something else, it comforts me to know that I could go entirely off-grid for an indeterminate amount of time and have full access to my files.

Offline -Jerry-

  • Posts: 336
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #17 on: Sun, 02 August 2020, 14:30:35 »
I am leery of the cloud for various reasons, although I don't have anything illegal or so sensitive that I would be significantly damaged if it got loose.

Besides the one in the safe deposit box, I also leave a hard drive with a friend who lives far out in the country. In the case of an extended power outage (here or at the server farm), interruption of the internet anywhere along the line for whatever reasons, or something else, it comforts me to know that I could go entirely off-grid for an indeterminate amount of time and have full access to my files.

I mean, I can go entirely off the grid already - if we’re talking about a backup solution the data is on my computer, that’s not really an issue. I can’t speak to other providers, but my BackBlaze is encrypted with a private key that only I have, for example. My Microsoft storage is likewise encrypted at rest and in transit and I could use my own encryption keys for that should I care to, but I really don’t - sufficiently complex passcodes + MFA are enough for me.

Offline Leslieann

  • * Elevated Elder
  • Posts: 4518
Re: CyberSecurity
« Reply #18 on: Sun, 02 August 2020, 21:42:21 »
Mega is also encrypted.

Offline janerampl

  • Posts: 1
Re: CyberSecurity
« Reply #19 on: Fri, 16 July 2021, 05:02:42 »
How many of you really care about your cybersecurity? I'm not just talking about an antivirus on your computer, but about something more serious than this

Offline SBJ

  • Posts: 1191
  • Location: Denmark / The city.
  • Tactile pls
Re: CyberSecurity
« Reply #20 on: Fri, 16 July 2021, 07:08:41 »
How many of you really care about your cybersecurity? I'm not just talking about an antivirus on your computer, but about something more serious than this
Why do I have a feeling a sales pitch of some sort is coming?  :p

Offline dgneo

  • Supervillain
  • * Curator
  • Posts: 2182
Re: CyberSecurity
« Reply #21 on: Fri, 16 July 2021, 07:36:21 »
How many of you really care about your cybersecurity? I'm not just talking about an antivirus on your computer, but about something more serious than this

it’s my career

Offline fohat.digs

  • * Elevated Elder
  • Posts: 6463
  • Location: 35°55'N, 83°53'W
  • weird funny old guy
Re: CyberSecurity
« Reply #22 on: Fri, 16 July 2021, 08:16:54 »

How many of you really care about your cybersecurity?


It is one of the greatest threats to the modern world as we know it. And if that weren't enough, another massive solar flare like the one 150 years ago would do untold damage that we are unprepared for.

This book is a few years old now, but I strongly recommend it:

https://www.goodreads.com/book/show/36560496-the-perfect-weapon

Offline Leslieann

  • * Elevated Elder
  • Posts: 4518
Re: CyberSecurity
« Reply #23 on: Sat, 17 July 2021, 04:39:58 »
It's part of my job, so... A lot?

More than I want, less than I need.
It would scare people to know what's really out there and just how little companies do to protect users. People talk about how the "security theater" at airports is just a show but the sad truth is that it's far more secure than many networks I've worked on and these networks have pretty much your whole life on them. No worries though, they also rarely have backups so there's a good chance your data will be lost before it got stolen.

Think I'm joking? Why do you think so many companies are falling prey and paying the fees for the targeted encryption scams, it's because they A. had insurance to cover it, and B. it's probably the only backup that exists.

Offline Findecanor

  • Posts: 5036
  • Location: Koriko
Re: CyberSecurity
« Reply #24 on: Sat, 17 July 2021, 05:40:17 »
One of the things that worries me about the world today is that systems are getting too integrated, and thus too dependent on each other.
To have good security, you need to keep things separated from each other: that goes both for the big picture and all the way down to the hardware level. Things need to have some modicum of autonomy so that they don't get dragged with when another component goes down.

Last week, a large grocery store franchise had to close 90% of its stores for almost a week because their outsourced cashier system had been hacked and held for ransom. That shouldn't have been possible had the system - on the franchise's side - been structured right instead of a single point of failure.

Cell phones have gone from being phones to being convenient multi-purpose devices, to being personal wallets/keys/passes/etc that are necessary for everything. And with systems not catering for people without a personal smartphone, you are all too vulnerable if one of these theft-prone devices gets lost/broken/stolen or just out of charge. And then there are the great many hacking-attacks on smartphones.

We haven't been subjected to any major solar flare during this digital age, but it will happen sooner or later that a solar flare will hit a largely populated continent and knock out a great many electronics devices at once. And we'd better not be too dependent on them, or we'll fail when they do.
« Last Edit: Sat, 17 July 2021, 08:04:12 by Findecanor »

Offline Leslieann

  • * Elevated Elder
  • Posts: 4518
Re: CyberSecurity
« Reply #25 on: Sat, 17 July 2021, 08:00:11 »
Last week, a large grocery store franchise had to close 90% of its stores for almost a week because their outsourced cashier system had been hacked and held for ransom. That shouldn't have been possible had the system - on the franchise's side - been structured right.

Some of this also goes back to drive speeds.
Restoring from backups is a gigantic mess on a big raid and full of risks. Seagate and WD could make 5PB drives it wouldn't change that they are becoming just too slow for modern computing and specifically raid rebuilds. It currently takes up to 3 days to rebuild a modern array with the biggest, fastest drives you can get, longer if you have to go to tape and rebuild from backups which is often the case for ransomware.

It's cheaper and faster to pay the ransom for some of these companies, again, that's if they even had backups to begin with.
Novelkeys NK65AE w/62g Zilents/39g springs
62g Zilents/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 magnetic cable, pic
| Filco MJ2 L.E. Vortex Case, Jailhouse Blues, heavily customized
Vortex case squared up/blasted finish removed/custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, Netdot Gen10 magnetic cable, foam sound dampened, HK Gaming Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs, 40g actuation
| GMMK TKL
w/ Kailh Purple Pros/lubed/Novelkeys 39g springs, HK Gaming Thick PBT caps, Netdot Gen10 Magnetic cable
| PF65 3d printed 65% w/LCD and hot swap
Box Jades, Interchangeable trim, mini lcd, QMK, underglow, HK Gaming Thick PBT caps, O-rings, Netdot Gen10 magnetic cable, in progress link
| Magicforce 68
MF68 pcb, Outemu Blues, in progress
| YMDK75 Jail Housed Gateron Blues
J-spacers, YMDK Thick PBT, O-rings, SIP sockets
| KBT Race S L.E.
Ergo Clears, custom WASD caps
| Das Pro
Costar model with browns
| GH60
Cherry Blacks, custom 3d printed case
| Logitech Illuminated | IBM Model M (x2)
Definitive Omron Guide. | 3d printed Keyboard FAQ/Discussion

Offline -Jerry-

  • Posts: 336
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #26 on: Tue, 20 July 2021, 06:04:50 »
Longer if you have to go to tape and rebuild from backups which is often the case for ransomware.

Exactly this; a threat actor, before they make any overt actions towards live servers, will often do as much as possible to prevent backups being restored, from simple stuff like changing DNS registrations for the backup servers, to messing up your hypervisors, etc. It's one of the things that make least-privileged-access so important, along with having separation between your main directory and the system that controls access to whatever backup systems you have; stop them pivoting.
"Romeo"     "Split75"   "Melody96"     "KBD8X MKII"     "Womier K87"

Offline TacticalCoder

  • Posts: 526
Re: CyberSecurity
« Reply #27 on: Mon, 16 August 2021, 11:48:23 »
How many of you really care about your cybersecurity? I'm not just talking about an antivirus on your computer, but about something more serious than this


It's not my career but I do care about it a huge lot.  I'm configuring my Linux firewalls by hand, I use physical U2F tokens everywhere it's supported. When they're not supported I use 2FA.  I've got per-user firewall rules, and one user on my system which cannot access the net. I've got another user, on the same system, whose entire user account lives in RAM.  I reboot, everything is blank state for that user account.  Stuff like that.

Others may see things differently but for my own security, I don't give a crap about giving up convenience: I'll give as much convenience as needed to get a more secure setup.  For certain things I've got a fully airgapped computer on which I sign messages (that is: no WiFi capability, ethernet port not in use, read-only OS/SSD etc.).  Nobody besides someone physically infiltrating my house (which has an alarm too ofc) is hacking that.


And then, well, I tend to love cryptography and I did this little funny thing not totally unrelated to "cybersecurity" two years ago: I solved a 20-year-old cryptographic challenge from the MIT and got an award for being the first to solve it ; )


I posted about it here in the past:

https://geekhack.org/index.php?topic=100927.0
HHKB Pro JP (daily driver) -- HHKB Pro 2 -- Industrial IBM Model M 1395240-- NIB Cherry MX 5000 - IBM Model M 1391412 (Swiss QWERTZ) -- IBM Model M 1391403 (German QWERTZ) * 2 -- IBM Model M Ambra -- Black IBM Model M M13 -- IBM Model M 1391401 -- IBM Model M 139? ? ? *2 -- Dell AT102W -- Ergo (split) SmartBoard (white ALPS apparently)

Offline Leslieann

  • * Elevated Elder
  • Posts: 4518
Re: CyberSecurity
« Reply #28 on: Mon, 16 August 2021, 23:19:25 »
It's not my career but I do care about it a huge lot.  I'm configuring my Linux firewalls by hand, I use physical U2F tokens everywhere it's supported. When they're not supported I use 2FA.  I've got per-user firewall rules, and one user on my system which cannot access the net. I've got another user, on the same system, whose entire user account lives in RAM.  I reboot, everything is blank state for that user account.  Stuff like that.

Others may see things differently but for my own security, I don't give a crap about giving up convenience: I'll give as much convenience as needed to get a more secure setup.  For certain things I've got a fully airgapped computer on which I sign messages (that is: no WiFi capability, ethernet port not in use, read-only OS/SSD etc.).  Nobody besides someone physically infiltrating my house (which has an alarm too ofc) is hacking that.
Overkill much?

For a home user, Linux is rather impenetrable.
Most hacks on it require access or have an external net connection due to it being aimed at servers, your router/modem already has a firewall that will stop most attacks before they get there. Windows is at risk because it's meant as a desktop so the attacks are aimed at a desktop environment, to which a firewall offers less protection.

One other thing to note.
Rules and QOS settings can absolutely destroy router performance, it takes very few rules to completely bog down even a mid-range router (ask how I know). They just aren't designed for it.

Considering your ISP and the gov know where you go regardless and you aren't a gov. official/drug dealer/spy/John McAfee (most likely)/or similar, I'm not really sure what or who you think you're protecting yourself from. Most people or even businesses are really not worth that sort of effort.

Offline yui

  • Posts: 1082
  • Location: 127.0.0.1 (in azerty)
Re: CyberSecurity
« Reply #29 on: Tue, 17 August 2021, 02:09:59 »
It's not my career but I do care about it a huge lot.  I'm configuring my Linux firewalls by hand, I use physical U2F tokens everywhere it's supported. When they're not supported I use 2FA.  I've got per-user firewall rules, and one user on my system which cannot access the net. I've got another user, on the same system, whose entire user account lives in RAM.  I reboot, everything is blank state for that user account.  Stuff like that.

Others may see things differently but for my own security, I don't give a crap about giving up convenience: I'll give as much convenience as needed to get a more secure setup.  For certain things I've got a fully airgapped computer on which I sign messages (that is: no WiFi capability, ethernet port not in use, read-only OS/SSD etc.).  Nobody besides someone physically infiltrating my house (which has an alarm too ofc) is hacking that.
Overkill much?

For a home user, Linux is rather impenetrable.
Most hacks on it require access or have an external net connection due to it being aimed at servers, your router/modem already has a firewall that will stop most attacks before they get there. Windows is at risk because it's meant as a desktop so the attacks are aimed at a desktop environment, to which a firewall offers less protection.

One other thing to note.
Rules and QOS settings can absolutely destroy router performance, it takes very few rules to completely bog down even a mid-range router (ask how I know). They just aren't designed for it.

Considering your ISP and the gov know where you go regardless and you aren't a gov. official/drug dealer/spy/John McAfee (most likely)/or similar, I'm not really sure what or who you think you're protecting yourself from. Most people or even businesses are really not worth that sort of effort.
sometimes overkill is part of the fun, i do the same with my networking (kinda off-topic here, built on 4 switches and OS2 fiber links), and if you plan on making it your job or if it is your job, having the ability to build such an overkill setup can help train you for proper enterprise stuff. i do dabble in security too, 2FA, hardware security, and VM are my main interest right now, and i do plan on having 3 vlan (LAN, Wi-Fi, and DMZ) and web server in the future (reason for my interest in higher security), i also tried to configure iptables by hand but failed miserably and ended up with no network access at all. something i also keep a keen eye on is hardware RNG for my (future) server
vi vi vi - the roman number of the beast (Plan9 fortune)
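
The per-user firewall rule described in reply #27 and the "no network access at all" result described in reply #29 can both be seen in one small ruleset. This is an added example, not code posted by anyone in the thread; the account name `nonet`, the file name `rules.v4` and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. "nonet" is a hypothetical account name.

# emit_ruleset USER: print an IPv4 filter table in iptables-restore format.
emit_ruleset() {
    nonet_user=$1
    cat <<EOF
*filter
# Default-deny inbound and forwarded traffic; outbound stays open.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# A DROP policy without these two rules cuts the host off completely:
# loopback traffic, and replies to connections this host opened itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Per-user rule. The owner match is valid only in OUTPUT and POSTROUTING.
# Assumption: the account may still use loopback for local services.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner ${nonet_user} -j REJECT
COMMIT
EOF
}

# lockout_check: read a ruleset on stdin; succeed unless INPUT has a DROP
# policy but lacks the loopback or ESTABLISHED accept rule.
lockout_check() {
    rs=$(cat)
    printf '%s\n' "$rs" | grep -q '^:INPUT DROP' || return 0
    printf '%s\n' "$rs" | grep -Eq '^-A INPUT -i lo .*-j ACCEPT' || return 1
    printf '%s\n' "$rs" | grep -Eq \
        '^-A INPUT .*--ctstate [A-Z,]*ESTABLISHED.*-j ACCEPT' || return 1
}

# Stand-alone run: print the ruleset only if it passes the check. Load it as
# root with:  iptables-restore --test < rules.v4  (parse only, no commit),
# then        iptables-apply -t 30 rules.v4       (rolls back if unconfirmed).
rules=$(emit_ruleset "${NONET_USER:-nonet}")
if printf '%s\n' "$rules" | lockout_check; then
    printf '%s\n' "$rules"
fi
```

These rules cover IPv4 only; an account blocked this way can still reach IPv6 destinations unless an equivalent ruleset is loaded with ip6tables.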