Author Topic: CyberSecurity  (Read 982 times)

Offline pewpewnii

  • Thread Starter
  • Posts: 5
CyberSecurity
« on: Thu, 30 July 2020, 00:22:21 »
Hi, can anyone brief me on or share some IMPORTANT cybersecurity knowledge and skills? I am a Computer Science and Network Technology student. Recently, I have become quite interested in Cyber Security and I hope my career path will be more on that. Thanks!

Offline Findecanor

  • Posts: 4587
  • Location: Koriko
Re: CyberSecurity
« Reply #1 on: Thu, 30 July 2020, 01:31:44 »
Some basic principles about security that I see people overlook too often:
- The weakest link is often a human.
- If security is not user-friendly, it will be circumvented and hence not work in practice.
- Risk is measured on two axes: the probability that it will happen, and how much damage it can wreak. Both are equally important.
- Security is not a feature -- it is a continuous process. Flaws, weaknesses and new types of attacks are discovered all the time. What is not considered improbable or insignificant today may be combined with something else and become risky tomorrow.

(I'm typing this only because I am still angry about an argument about security I had with some professional idiot on another forum yesterday)
Man must shape his tools lest they shape him
-- Arthur Miller

Online jamster

  • Posts: 719
  • Location: Asia
Re: CyberSecurity
« Reply #2 on: Thu, 30 July 2020, 01:39:29 »
Hi, can anyone brief me on or share some IMPORTANT cybersecurity knowledge and skills? I am a Computer Science and Network Technology student. Recently, I have become quite interested in Cyber Security and I hope my career path will be more on that. Thanks!

From observing friends in the industry, the important stuff is what you teach yourself, not what university courses, or other people, tell you.

Offline yui

  • Posts: 305
  • Location: 127.0.0.1 (in azerty)
Re: CyberSecurity
« Reply #3 on: Thu, 30 July 2020, 01:49:57 »
Trying not to have an "Administrator" or "root" account open is a good one that I see forgotten too often, especially if the password is Admin123 or root (yeah, I did see it in a production environment more than once in my very limited career, and I am only an amateur at security stuff). And do not rely only on security through obscurity; it can be an extra layer, but not the only one.
And in security, like in development, never ever trust that the user will not try to break your stuff, or else they may without even trying.
vi vi vi - the roman number of the beast (Plan9 fortune)

Online -Jerry-

  • Posts: 257
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #4 on: Thu, 30 July 2020, 02:54:53 »
A good one to know is the Principle of Least Privilege.

This implies that the level of access any user has as a baseline for day-to-day work is the minimum required to do their job; internet access, internal file servers, company intranet, etc. Regardless of whether a user is a global administrator or a code monkey, the account they log in to any computer with should be one without the rights to do anything that could compromise a system, ideally.

Assume that Bob is a user administrator and needs to make a permissions change for Sally. Bob shouldn't be able to do that without elevating his permissions in some way, and ideally that elevation should be A) auditable and B) time-limited. In a perfect world, it should also be locked behind a multifactor authentication prompt at the very least. Bob would use his admin credentials (which are not the same as his user credentials) to log into a separate domain control VM or, more commonly these days, a cloud-based implementation. He'd then make the change and close that session. This means that if Bob gets phished, his account can't do anything that a standard user can. If he leaves his workstation logged in, he likewise can't be compromised more than a baseline data breach.

----------------------------------------------------------------

Sidenote:

You may get some benefit from knowing that as a student, you can get access to some fairly good training resources for free. One I rate pretty highly is called the Digital Cyber Academy, a free version of a platform called ImmersiveLabs which offers cyber security training. It has some fairly excellent live labs that let you practice skills using VMs and has all the labs mapped against the MITRE ATT&CK framework. I found it immensely useful when I was getting started and even more so now I've got a commercial account.
« Last Edit: Thu, 30 July 2020, 02:59:32 by -Jerry- »
Hub16 | HS60 + Tofu | Melody96

Offline yui

  • Posts: 305
  • Location: 127.0.0.1 (in azerty)
Re: CyberSecurity
« Reply #5 on: Thu, 30 July 2020, 03:18:58 »
Assume that Bob is a user administrator and needs to make a permissions change for Sally. Bob shouldn't be able to do that without elevating his permissions in some way, and ideally that elevation should be A) auditable and B) time-limited. In a perfect world, it should also be locked behind a multifactor authentication prompt at the very least. Bob would use his admin credentials (which are not the same as his user credentials) to log into a separate domain control VM or, more commonly these days, a cloud-based implementation. He'd then make the change and close that session. This means that if Bob gets phished, his account can't do anything that a standard user can. If he leaves his workstation logged in, he likewise can't be compromised more than a baseline data breach.
I knew that was best practice on Unix-based systems (sudo etc.), but I never thought it was possible on Windows.

Online -Jerry-

  • Posts: 257
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #6 on: Thu, 30 July 2020, 03:25:52 »
Assume that Bob is a user administrator and needs to make a permissions change for Sally. Bob shouldn't be able to do that without elevating his permissions in some way, and ideally that elevation should be A) auditable and B) time-limited. In a perfect world, it should also be locked behind a multifactor authentication prompt at the very least. Bob would use his admin credentials (which are not the same as his user credentials) to log into a separate domain control VM or, more commonly these days, a cloud-based implementation. He'd then make the change and close that session. This means that if Bob gets phished, his account can't do anything that a standard user can. If he leaves his workstation logged in, he likewise can't be compromised more than a baseline data breach.
I knew that was best practice on Unix-based systems (sudo etc.), but I never thought it was possible on Windows.

It certainly is. Windows actually implements this by default, that’s what those prompts that pop up when you try to install stuff are. They’re part of the User Account Control (UAC) system - they prevent a program running with administrative permissions even if you’re logged in as an administrator. Best practice is to use entirely separate accounts however.

At work, for example, I have the following; a user account, a network admin account, and a test account. I’d never log in to a machine that wasn’t my own with the user account, because that exposes access to my mailbox, personal file storage, etc. I’d also never log in using my administrative account, because I should never need to - any program needing to be installed or access needed can be achieved by elevating that action using admin credentials temporarily. No, if I’m logging into a machine other than my own I’m always using a test account that has default baseline credentials, so if a machine is infected with malware or corrupting data it has no effect on anything important.

Offline yui

  • Posts: 305
  • Location: 127.0.0.1 (in azerty)
Re: CyberSecurity
« Reply #7 on: Thu, 30 July 2020, 03:37:57 »
I did forget about UAC, and I was thinking more along the lines of network admin, like changing file permissions and stuff in the DC. I haven't done it in a while, but I do not remember UAC getting in the way of creating a user or those kinds of things.

Online -Jerry-

  • Posts: 257
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #8 on: Thu, 30 July 2020, 04:19:49 »
I did forget about UAC, and I was thinking more along the lines of network admin, like changing file permissions and stuff in the DC. I haven't done it in a while, but I do not remember UAC getting in the way of creating a user or those kinds of things.

It really depends on the permissions implementation and on whether you're using an on-prem or cloud implementation, but both should allow protection. If I log in to a domain management server, I'd expect to have to authenticate when I access it AND every time I open a tool like Computer Management or Users & Computers. Windows can't prompt you every time you take an action if you're doing it within a tool, by which I mean it can only prompt you when you open Users & Computers, not every time you go to modify a user. It also doesn't protect file permissions, because if you're logged in as a domain admin then you typically have rights to edit permissions on any file. A way to make this less potentially damaging is to segregate permissions in a domain based on departments (or faculties in my case), so instead of a domain admin account, you'd have an admin account that only has permissions to work within your remit.

It IS a bit of a mixed bag. It's a bit better with cloud-based solutions in some ways, because with Azure PIM for example, you can fine-tune permissions and put MFA prompts on actions, etc.
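
The elevation workflow described across these replies (a separate admin identity that is never the day-to-day login, an elevation that is MFA-gated, time-limited and auditable, and permissions segregated by department rather than a blanket domain admin) can be written down as a small model. This is an added example, not code from the thread or from any Windows, Azure PIM or ImmersiveLabs product; the account names, the faculty-scoped remits, the 15-minute TTL, the fake clock and the six-digit MFA check are all constructed for the demonstration.

```python
"""Model of just-in-time, auditable, time-limited privilege elevation.

Added illustration only: the account names, remits, TTL and MFA check below
are constructed and are not taken from any real directory or product.
"""
import time
from dataclasses import dataclass, field


@dataclass
class Grant:
    admin_identity: str     # e.g. "bob.admin", never the day-to-day "bob"
    scope: str              # the remit this elevation is limited to
    expires_at: float       # unix time after which the grant is dead


@dataclass
class Elevator:
    # day-to-day identity -> (separate admin identity, permitted scopes)
    admin_map: dict
    mfa_verifier: callable          # returns True only when the second factor checks out
    ttl_seconds: int = 900          # time limit on any elevation (15 minutes, constructed)
    audit_log: list = field(default_factory=list)
    clock: callable = time.time     # injectable so the demo can advance time

    def _audit(self, **event):
        """Every elevation attempt and every privileged action lands in the log."""
        event["ts"] = self.clock()
        self.audit_log.append(event)

    def elevate(self, user, scope, mfa_code):
        """Issue a scoped, expiring Grant or refuse; every outcome is logged."""
        entry = self.admin_map.get(user)
        if entry is None:
            self._audit(action="elevate", user=user, scope=scope, result="denied: no admin identity")
            return None
        admin_identity, scopes = entry
        if scope not in scopes:
            self._audit(action="elevate", user=user, scope=scope, result="denied: outside remit")
            return None
        if not self.mfa_verifier(user, mfa_code):
            self._audit(action="elevate", user=user, scope=scope, result="denied: mfa failed")
            return None
        grant = Grant(admin_identity, scope, self.clock() + self.ttl_seconds)
        self._audit(action="elevate", user=user, scope=scope, result="granted", admin=admin_identity)
        return grant

    def perform(self, grant, scope, action):
        """Run an administrative action only under a live grant for that exact scope."""
        if grant is None or self.clock() >= grant.expires_at:
            self._audit(action=action, scope=scope, result="denied: no live grant")
            return False
        if grant.scope != scope:
            self._audit(action=action, scope=scope, result="denied: wrong scope", admin=grant.admin_identity)
            return False
        self._audit(action=action, scope=scope, result="ok", admin=grant.admin_identity)
        return True


def demo():
    """Walk Bob through a permission change for Sally, then let the grant lapse."""
    now = [1_000_000.0]                                   # fake clock, constructed
    fake_mfa = lambda user, code: code == "123456"        # stand-in for a real second factor
    el = Elevator(
        admin_map={"bob": ("bob.admin", {"faculty-science/users"})},
        mfa_verifier=fake_mfa, ttl_seconds=900, clock=lambda: now[0])
    results = {}
    # Bob's everyday account alone can do nothing: no grant, no action
    results["no_grant"] = el.perform(None, "faculty-science/users", "set-perms sally")
    # wrong MFA code: denied
    results["bad_mfa"] = el.elevate("bob", "faculty-science/users", "000000") is None
    # outside his remit: denied even with a good MFA code
    results["outside_remit"] = el.elevate("bob", "faculty-arts/users", "123456") is None
    grant = el.elevate("bob", "faculty-science/users", "123456")
    results["in_remit"] = el.perform(grant, "faculty-science/users", "set-perms sally")
    results["wrong_scope"] = el.perform(grant, "faculty-arts/users", "set-perms someone")
    now[0] += 901                                         # time passes: the grant expires on its own
    results["expired"] = el.perform(grant, "faculty-science/users", "set-perms sally")
    results["audit_events"] = len(el.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that a phished or unattended day-to-day account holds no grant, a grant is useless outside its remit or after its TTL, and every refusal is as visible in the audit log as every success.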

Offline JayZz

  • Posts: 5
Re: CyberSecurity
« Reply #9 on: Thu, 30 July 2020, 05:31:59 »
It was useful to read. I totally agree that cybersecurity is a serious issue today. I try to do my best to protect my data from online snoopers. For my website I bought an SSL certificate on ssls.com to protect my users' data too. It seems that an SSL certificate is a must-have for any website.
« Last Edit: Fri, 31 July 2020, 03:44:08 by JayZz »

Offline Leslieann

  • * Elevated Elder
  • Posts: 3024
Re: CyberSecurity
« Reply #10 on: Thu, 30 July 2020, 07:04:24 »
You're going to see some amazingly stupid things.
The person you think is the most computer literate will be the one to do the dumbest thing and ruin your security (oops!).
That person who knows nothing about computers will break your security in the least likely, most hare-brained way possible.
There's no such thing as idiot proof.

Cyber security is more than just computer access and networks.
People are easy to compromise (the easiest!), but also take care of your surroundings. I had one customer spend $24k on a server rack which was installed in front of a large pane of glass, on the first floor, near their main entry, visible from the drive-through of a major drug store chain barely 100 feet away. Why hack the network when you could just smash the window and take the whole thing, then take your time hacking an admin password (which takes seconds if you have direct access)?

Trust nothing; if you can't verify it's clean, secure or stable, assume it isn't. I've thrown away drives and even complete systems because they couldn't be trusted. A system isn't cheap, but cleaning up a breach, data loss, or a failure is even more costly. I had a company refuse to replace a $400 computer, but when it failed they lost 2 days' worth of sales totaling $22k.

While not exactly cyber security, BACKUP, BACKUP, BACKUP. It used to be you did it mostly because of viruses and data loss; today you need them in case of ransomware, which has become a major factor. Once you get hit you may or may not even have the option to pay and recover the data (many are just an encryption with no key), so you had better have backups. Also, make sure they're good. I can't tell you how many offices I see have no backup and, in those that did, how often it's no good or only partial. Getting a company to do backups, much less proper ones (or anything preventative really), is probably the single most difficult job in I.T.

Also, keep your ear to the ground; rumors, unsubstantiated or not, are often based at least partially on facts. Rumors were swirling for a while before Meltdown and Spectre were confirmed, yet many blew it off saying it couldn't happen, it was only in a lab, it's not in the wild and is months or years away, it can't happen to me, it needs authentication (see Findecanor's and my first entry). Even something that starts as a silly and fake rumor may be enough for someone to go looking and actually find something, so take them seriously.
Filco MJ2 L.E. w/hand milled Vortex case, custom feet/paint/winkey blockoff plate, HID Liberator, stainless steel universal plate, 3d printed adapters, Type C, sound dampened,  Thick PBT caps (o-ringed), Cherry Jailhouse Blues w/lubed/clipped Cherry light springs | HMMK TKL | Magicforce 68 | YMDK75 | KBT Race S L.E. | Das Pro (Costar model) | GH60 | IBM Model M (x2)

Offline Findecanor

  • Posts: 4587
  • Location: Koriko
Re: CyberSecurity
« Reply #11 on: Thu, 30 July 2020, 08:11:32 »
While not exactly cyber security, BACKUP, BACKUP, BACKUP.
Indeed. This applies not only to the company's data but also to your own work. Do store it on a protected server, which does get regular backups. Not just the shared source code repository, but your own files too.

I've lost a day's worth of development work because the workplace was broken into and my work computer stolen ... and that has happened to me twice, ten years apart. (I should have learned the first time, but I hadn't.)

Online -Jerry-

  • Posts: 257
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #12 on: Thu, 30 July 2020, 08:24:06 »
Indeed. This applies not only to the company's data but also to your own work. Do store it on a protected server, which does get regular backups. Not just the shared source code repository, but your own files too.

Yup, this is why I make researchers buying external drives agree to the disclaimer that external drives are only for transient data and we won't give them any help whatsoever in data recovery should they decide to put all the data required for their thesis on there or something equally stupid. They baulk at paying per terabyte of data on our network, because it costs 1/4 as much to buy a hard drive; we have to remind them that what they're paying for isn't one HDD, but three SSDs, effectively: replication and snapshot backup.

Of course, at home I can do what I want, so for really important stuff I've got it backing up to OneDrive and replicating to a separate disk. Both of those disks are backed up off-site via BackBlaze.

Offline Leslieann

  • * Elevated Elder
  • Posts: 3024
Re: CyberSecurity
« Reply #13 on: Thu, 30 July 2020, 22:30:28 »
Wow, I did not expect that to hit home so well considering it wasn't directly security related, though it should be.

Currently I have everything stored on my personal file server at the house. Everything on it gets dumped to an external on a "when I feel like it" basis or if something important changed. I also have a Mega drive that backs up important stuff, and some of that, the really important stuff, gets uploaded to Google Drive (I map a folder in the Mega folder to Google), which has versioning (which Mega lacks) and better subfolder recovery. The server has both the Mega and Google apps on it, but I only use the Mega app to sync my laptop, and since Google is in the Mega drive it handles that as well.

So 2 copies of everything, 3 copies of important stuff (1 off site), and 4 copies of very important stuff with 2 copies offsite. Other than the external it's all on free accounts.
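
Two of Leslieann's backup points above, that you must make sure the backups are actually good and that you should know how many copies you hold and which of them are off-site, can be checked rather than assumed. The following is an added example and not a tool anyone in the thread uses: it hashes the source tree into a manifest, verifies each copy file by file against it, and counts only copies that pass in full. The "server", "external", "mega" and "offsite" directories and their contents are constructed in a temporary directory, and the labels and off-site flags are assumptions made for the demonstration.

```python
"""Verify that backup copies are good, not merely present.

Added illustration only: every directory, file and label below is constructed
for the demo and stands in for a real file server and its backup targets.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_copy(manifest, copy_root):
    """Return {relative_path: 'missing' | 'corrupt'} for every file that fails the check."""
    copy_root = Path(copy_root)
    problems = {}
    for rel, digest in manifest.items():
        target = copy_root / rel
        if not target.is_file():
            problems[rel] = "missing"
        elif hashlib.sha256(target.read_bytes()).hexdigest() != digest:
            problems[rel] = "corrupt"
    return problems


def backup_report(source_root, copies):
    """copies: list of (label, root, is_offsite). Count only copies that verify in full."""
    manifest = build_manifest(source_root)
    report = {"files": len(manifest), "copies": {}, "good_copies": 0, "offsite_good": 0}
    for label, root, is_offsite in copies:
        problems = verify_copy(manifest, root)
        report["copies"][label] = problems
        if not problems:
            report["good_copies"] += 1
            report["offsite_good"] += int(is_offsite)
    return report


def demo():
    """Constructed scenario: one clean local copy, one partial sync, one corrupt off-site copy."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "server"
        (src / "photos").mkdir(parents=True)
        (src / "photos" / "2019.jpg").write_bytes(b"constructed photo bytes")
        (src / "thesis.docx").write_bytes(b"constructed document bytes")

        def clone(name):
            """Copy the source tree into a sibling directory, preserving relative paths."""
            dst = tmp / name
            for rel in build_manifest(src):
                (dst / rel).parent.mkdir(parents=True, exist_ok=True)
                (dst / rel).write_bytes((src / rel).read_bytes())
            return dst

        external = clone("external")                      # good local copy
        partial = clone("mega")                           # sync that never finished
        (partial / "thesis.docx").unlink()
        offsite = clone("offsite")                        # bit rot or a bad transfer
        (offsite / "photos" / "2019.jpg").write_bytes(b"constructed photo byt3s")
        return backup_report(src, [("external", external, False),
                                    ("mega", partial, True),
                                    ("offsite drive", offsite, True)])


if __name__ == "__main__":
    print(demo())
```

On this constructed input the report shows three copies on paper but only one that verifies, and no usable off-site copy at all, which is exactly the "no good or only partial" situation the post warns about. Re-running the check against a manifest saved at backup time is what turns "I have backups" into "I have backups I can restore from".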

Offline pewpewnii

  • Thread Starter
  • Posts: 5
Re: CyberSecurity
« Reply #14 on: Sat, 01 August 2020, 09:42:38 »
Hooo, thanks for all the replies. I will look through all of the info! Much appreciated!!!!

Offline fohat.digs

  • * Elevated Elder
  • Posts: 5889
  • Location: 35°57'20"N, 83°52'50"W
  • weird funny old guy
Re: CyberSecurity
« Reply #15 on: Sat, 01 August 2020, 10:45:15 »
Everything on it gets dumped to an external on a "when I feel like it" basis or if something important changed.

I don't have vast quantities of stuff. A single TB holds my family photos and documents and my music collection. Then I have about 2TB of various historical and downloaded stuff that is "semi-important" but not absolutely critical.

In my mind, something on a hard drive that is unplugged and in its box is pretty safe. Before I pack it away I run a virus scan and chkdsk on it, so it should be clean. I have a couple of 1TB external SSD hard drives for the things that are truly precious, and one of them is usually rotated into my safe deposit box.
 
Were our leaders just stupid? Well, maybe. But there’s a deeper explanation of the profoundly self-destructive behavior of Trump and his allies: They were all members of America’s cult of selfishness. You see, the modern US right is committed to the proposition that greed is good, that we’re all better off when individuals engage in the untrammeled pursuit of self-interest. In their vision, unrestricted profit maximization by businesses and unregulated consumer choice is the recipe for a good society.
Support for this proposition is, if anything, more emotional than intellectual. I’ve long been struck by the intensity of right-wing anger against relatively trivial regulations, like bans on phosphates in detergent and efficiency standards for light bulbs. It’s the principle of the thing: Many on the right are enraged at any suggestion that their actions should take other people’s welfare into account. This rage is sometimes portrayed as love of freedom. But people who insist on the right to pollute are notably unbothered by, say, federal agents tear-gassing peaceful protesters. What they call “freedom” is actually absence of responsibility.
Rational policy in a pandemic, however, is all about taking responsibility. The main reason you shouldn’t go to a bar and should wear a mask isn’t self-protection, although that’s part of it; the point is that congregating in noisy, crowded spaces or exhaling droplets into shared air puts others at risk. And that’s the kind of thing America’s right just hates, hates to hear. Anger at any suggestion of social responsibility also helps explain the looming fiscal catastrophe.  – Paul Krugman 2020-07-28 NYT

Offline Leslieann

  • * Elevated Elder
  • Posts: 3024
Re: CyberSecurity
« Reply #16 on: Sat, 01 August 2020, 21:19:08 »
I don't have vast quantities of stuff. A single TB holds my family photos and documents and my music collection. Then I have about 2TB of various historical and downloaded stuff that is "semi-important" but not absolutely critical.

In my mind, something on a hard drive that is unplugged and in its box is pretty safe. Before I pack it away I run a virus scan and chkdsk on it, so it should be clean. I have a couple of 1TB external SSD hard drives for the things that are truly precious, and one of them is usually rotated into my safe deposit box.
Externals are good, but they're not off-site; if there's a fire or flood they're vulnerable, though granted, if that happens you have bigger problems.
You may want to adopt a hybrid like I use, just to salvage those things you really don't want to lose, just in case.

If you really want a cheap offsite for all those pics, create multiple Mega accounts (yourname1,2,3,4 etc...) then upload all you can to each. Since it doesn't change often it would just be a stable off-site archive. Then just use the last for anything new.

Offline fohat.digs

  • * Elevated Elder
  • Posts: 5889
  • Location: 35°57'20"N, 83°52'50"W
  • weird funny old guy
Re: CyberSecurity
« Reply #17 on: Sun, 02 August 2020, 08:07:07 »
I am leery of the cloud for various reasons, although I don't have anything illegal or so sensitive that I would be significantly damaged if it got loose.

Besides the one in the safe deposit box, I also leave a hard drive with a friend who lives far out in the country. In the case of an extended power outage (here or at the server farm), interruption of the internet anywhere along the line for whatever reasons, or something else, it comforts me to know that I could go entirely off-grid for an indeterminate amount of time and have full access to my files.

Online -Jerry-

  • Posts: 257
  • Location: Bath, UK
  • OR '1'='1'
    • Jerry Talks Tech
Re: CyberSecurity
« Reply #18 on: Sun, 02 August 2020, 14:30:35 »
I am leery of the cloud for various reasons, although I don't have anything illegal or so sensitive that I would be significantly damaged if it got loose.

Besides the one in the safe deposit box, I also leave a hard drive with a friend who lives far out in the country. In the case of an extended power outage (here or at the server farm), interruption of the internet anywhere along the line for whatever reasons, or something else, it comforts me to know that I could go entirely off-grid for an indeterminate amount of time and have full access to my files.

I mean, I can go entirely off the grid already; if we’re talking about a backup solution, the data is on my computer, so that’s not really an issue. I can’t speak to other providers, but my BackBlaze is encrypted with a private key that only I have, for example. My Microsoft storage is likewise encrypted at rest and in transit, and I could use my own encryption keys for that should I care to, but I really don’t: sufficiently complex passcodes + MFA are enough for me.

Offline Leslieann

  • * Elevated Elder
  • Posts: 3024
Re: CyberSecurity
« Reply #19 on: Sun, 02 August 2020, 21:42:21 »
Mega is also encrypted.