
Allow Yourself to fail and learn… and hack

Month: October 2016

Hide yo kids hide yo wifi

What if I told you that the most common way you access the web is also really insecure? Actually, almost everything web related is prone to insecurity (not because it is badly designed, but because there will always be people who try whatever they can to gain access where they shouldn’t); wireless technology in particular is a great target for hackers.


Let’s talk about wireless security:

This is the prevention of unauthorized access to, or damage of, computers that use wireless networks. Anyone within range of an unencrypted open wireless network can gain unauthorized access to private resources and use that information to perform illegal acts.

Some standards that protect a wireless network by encrypting its traffic are WEP, WPA and WPA2. WEP is an early technology, and nowadays hackers can break a WEP key in a matter of minutes. WPA and WPA2 are the recommended standards, because their more elaborate protection offers more safety than the others.

Some advice:

  • For God’s sake, always configure your wireless network with a password.
  • Choose a hard-to-guess key, to keep curious intruders from breaking in.
  • If you are using a router without WPA2 support, seriously consider an upgrade (that technology has been outdated since 2003).
  • The longer your key, the better.
  • In a business, set up a proper separate wireless network for customers (it’s fine to be generous with people, but don’t let them onto the same wireless network the organization communicates over).
  • Change your password regularly; there is no perfect key.
  • The information shared over your wireless network is important and personal; don’t underestimate the risk of browsing on an open network.
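To see why the advice about key length matters, here is an added example (not code from the original post) that derives a WPA2-Personal key the way the standard does: the Pairwise Master Key is PBKDF2-HMAC-SHA1 over the passphrase, salted with the network name, at 4096 iterations (IEEE 802.11i). Whoever knows the passphrase can compute the same key, so its length and unguessability are the only protection; the SSID is just a salt. The strength cut-offs in `rate_passphrase` are an assumption chosen for illustration, not part of any standard.

```python
"""Why the WPA2 passphrase is the whole secret: deriving the PMK.

Added example, not code from the original post. Only the standard library is used.
"""
import hashlib
import math
import string


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK, enforcing the 8-63 printable-ASCII rule of the standard."""
    if not 8 <= len(passphrase) <= 63 or any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA2 passphrase must be 8 to 63 printable ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, exactly as 802.11i specifies
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32)


def passphrase_entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy, assuming each character is drawn uniformly from the
    union of the character classes actually present (a common rough estimate)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
               string.punctuation + " ")
    pool = sum(len(cls) for cls in classes if any(c in cls for c in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def rate_passphrase(passphrase: str) -> str:
    """Classify a passphrase. The cut-offs are assumed values for this example;
    they reflect that guesses against a captured handshake are checked offline,
    so a short passphrase gives an attacker very little work."""
    bits = passphrase_entropy_bits(passphrase)
    if bits < 40:
        return "weak"
    if bits < 70:
        return "ok"
    return "strong"


if __name__ == "__main__":
    # Test vector from the IEEE 802.11i annex: passphrase "password", SSID "IEEE"
    print(wpa2_pmk("password", "IEEE").hex())
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(f"{candidate!r}: {passphrase_entropy_bits(candidate):.1f} bits -> "
              f"{rate_passphrase(candidate)}")
```

Note that the derivation is deliberately slow (4096 HMAC rounds) but not slow enough to save a short passphrase; the entropy estimate shows why a long passphrase made of several words beats a short one with a few symbols.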


Extra: A short introductory video about the importance of wireless security.

You don’t mess with my key


Cryptography is not a new technique at all; encrypting messages has been a thing for many, many years, born of the human need to share messages privately and to protect important, delicate information that could be misused in the wrong hands. Nowadays the story and the context are different. There are still cases in which information has to be protected because of what it contains, but now that millions of people share information on the web, the need to protect it is more a matter of privacy and of protecting personal information. It went from being a technique used by a few to a tool provided to the masses.

To understand encryption there are three main things we need to distinguish.

Encrypting:

This is the encryption step, where the message we need to share is protected by a lock, a lock that only the sender and the receiver know how to open.

Decrypting:

Then, when the receiver gets the message, he has to open the lock to understand it, using the method the sender and receiver share.

Cipher:

Instead of physical locks, this is what we use nowadays to lock our messages.

Some common cryptography methods:

Symmetric Key cryptography:

Also known as shared-key cryptography, it involves two parties using the same key to encrypt and decrypt the information.

Public key cryptography:

Makes use of two different keys: a public key for encryption, so that anyone can encrypt a message and send it, and a private key, which allows only one person to open the messages encrypted with the public key.


In the end, everything is prone to being hacked and obtained, so the best we can do is make it as hard as possible for hackers to obtain our information.

Extra: I found an excellent course on Khan Academy where you can learn a lot about cryptography on your own.

https://www.khanacademy.org/computing/computer-science/cryptography/crypt/v/intro-to-cryptography

Constitution of security

Have you ever wondered what we should expect, as users or as members of a company, from the technology we use or the information we acquire and manipulate? There’s a document for that, and it’s called a security policy.

When we talk about security policies, we are talking about the document companies use to declare on paper how they protect their technology and information. Like technology itself, this document is constantly receiving updates, adding to or changing what it states.

A policy should define the following:

  • Scope: who the policy applies to.
  • Who performs the actions defined by the policy.
  • When the defined actions are to be done.
  • Where, or on what equipment, the policy applies.
  • The organizational level the policy applies to, such as a division or the entire enterprise.
  • Who enforces the policy.
  • What the consequences of failing to follow the policy are.
  • Policies may reference the procedures that are used, but they do not define those procedures. E.g. the policy may specify that passwords must be changed every 60 days, but not provide a procedure telling how to change them.


So, in simple words, it is sort of an agreement that we, as users, agree to acknowledge, and that, as members of a company, guides us in applying security solutions to the problems that may arise. Sort of a constitution, but with step-by-step guidance for each problem that could happen.

Extra: the voice acting here is horrible, but it’s a clear example of a security policy in companies, in this case a secure password policy.

Useful reference:

http://www.comptechdoc.org/independent/security/policies/

Show me your credentials

Nowadays the Internet is so important that many companies depend on it. The need to protect all the services we can find online has never been as crucial as it is today. Employers looking for well-prepared IT security people can rely on the certifications candidates hold.

Having credentials is no guarantee of getting the job; however, it is a way to measure your knowledge and your commitment to quality and to keeping that knowledge up to date.


There are tons of companies and different certifications on offer; today we will focus only on four that I consider useful and important:

CISSP:

Developed by the NSA (yeah, the one controversial for spying on all US Americans) and the ISSEP (Information Systems Security Engineering Professional). This certification is one of the most sought after by employers. It focuses on methodologies and best practices on both large and small scales.

It requires an annual fee of $85 to keep the credential valid, and recertification once every 3 years. Obtaining this credential is not easy work, which is why it is so valued.

CompTIA:

There are 3 different certifications offered by CompTIA, but the one we care about, the security one, is called Security+. To obtain it you should have at least 2 years of experience and consider acquiring the Network+ certification first. It is a tough certification to get, but a very complete and important one to have.

CEH:

Remember the post about the different types of hackers? Well, white hat hackers are the ones who should get this one. It costs around $500 to obtain and requires 2 years of work experience.

CISM:

And last but not least we have CISM (Certified Information Security Manager); this is almost a must-have among IT experts. It is a lot more demanding than the others, requiring almost 5 years of experience and costing about $700 to obtain.

And that was it; in case you are interested in becoming a security expert, now you know about some credentials that might be good for you.

Extra: here’s a cool video I found that might complement the information in this post. It’s a video of experts talking about the evolution of security on the web and the need for certifications.

References:

http://www.tomsitpro.com/articles/information-security-certifications,2-205-2.html

Let me in

Authentication is a big issue when talking about security. If there is an access control, it means there is information we are protecting, and we have a huge responsibility to make sure this door to the information stays closed to people not allowed to open it, not even to peek through it and see what’s on the other side.

To make sure we provide maximum security there are tons of methods to verify who is asking for access. Some are based purely on software, validating sometimes on the server side and sometimes on both sides, and some also require extra hardware. To give some examples, I’m going to show you the most common ones out there.

There is the common authentication in which the user provides a username and password, followed by the server verifying that the input exists and is correct. There are fancier methods, such as double authentication carried out by the client and the server together.

Two-step authentication

SMS: a code is sent to the user’s cellphone to confirm their identity.

Email: same as the previous one, but the code is sent by electronic mail.

App notification: uses a connection to an app to send the code and grant access.

Hardware authentication

This two-step authentication is one of the most popular out there. Most banks use this method to grant access to their online services. It is achieved thanks to those tiny devices with a screen that refreshes a code every 15 seconds.
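The two steps described above, the password check and the refreshing code, as an added example that is not code from the original post. The first step verifies the password against a salted PBKDF2 hash, so the server never stores the password itself. The second step implements TOTP from RFC 6238, the scheme behind authenticator apps and code-generating tokens: the code is an HMAC of the current time step, so the app or token and the server agree without ever sending the secret. The post’s 15-second refresh corresponds to the step parameter, whose RFC default is 30 seconds. The user record, the secret and the iteration count are constructed demo values.

```python
"""Two-step login: a password check followed by a time-based one-time code.

Added example, not code from the original post. Standard library only.
"""
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional, Tuple

PBKDF2_ROUNDS = 100_000   # demo value; raise it to what your hardware tolerates
TOTP_STEP = 30            # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt defeats precomputed tables."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)       # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock skew."""
    counter = at_time // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + k).encode(), code.encode())
               for k in range(-window, window + 1))


# Constructed demo user store: only the salt and hash of the password, plus the TOTP seed
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"alice": {"salt": _salt, "hash": _digest, "totp_secret": secrets.token_bytes(20)}}
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


def login(username: str, password: str, code: str, now: Optional[int] = None) -> bool:
    """Both factors must pass. An unknown user still costs one hash computation so the
    response time does not reveal which usernames exist."""
    user = USERS.get(username)
    if user is None:
        verify_password(password, _DUMMY_SALT, _DUMMY_HASH)
        return False
    if not verify_password(password, user["salt"], user["hash"]):
        return False
    at_time = int(now if now is not None else time.time())
    return verify_totp(user["totp_secret"], code, at_time)


if __name__ == "__main__":
    current = totp(USERS["alice"]["totp_secret"], int(time.time()))
    print("login with both factors:", login("alice", "correct horse battery staple", current))
    print("login with bad password:", login("alice", "hunter2", current))
```

The skew window is the important design choice: a window of one step accepts the previous and next codes as well, which tolerates a slightly wrong clock but triples the number of codes a guesser could match, so keep it small and rate-limit attempts.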

Biometric access control?

Yeah, nowadays that is a thing: unlocking devices and logging in to services with your retina or your fingerprint is no longer just a sci-fi movie thing; many smartphones and computers use this as their main authentication method. It has proved not only more secure but also more natural as a user experience and easier to use. The moment fingerprint scanners arrived on our smartphones, security on mobile devices evolved.


Extra: watch how Uber is implementing Microsoft’s Cognitive Services to authenticate drivers. A natural and simple authentication step.

References:

5 Different Two-Step Authentication Methods to Secure Your Online Accounts
