We’ve got a guest speaker this week: Shoaib Yousuf, an IT security professional. His speech is insightful. Some of the more relevant (at least to INFS1602) points include:
- 70% of attacks are from within your organisation, not from outsiders.
- Hackers no longer hack for fun/vandalism, but rather, for profit/politics.
- Modern threats arise from integration (Facebook, email, phones link together – great for identity fraud), social engineering (“free USBs”, poor password policies, one dumb user compromises an entire network), de-perimeterisation (physical boundaries are irrelevant).
- The internet was never designed to be secured – “we will never be able to secure Port 80”, he asserts.
- “Any organisation that has valuable data has probably already been compromised”. There is an increased interest in the concept of resilience – rather than trying (and failing) to prevent attacks, how can we minimise their damage?
Tony has a different set of key points. Since he is academic staff, I think these are worth focusing on:
- Types of attacks. SQL injection is a big one, but you should also be aware of the classics and their terminologies. Malware (malicious software) encompasses viruses (spread when triggered), worms (self-replicating), Trojans (disguised as a gift), spyware (including keyloggers). We’ve also got some activities like spoofing/phishing and its bigger brother pharming (enter the right address and you still get misdirected, thanks to a hacked DNS), DoS and DDoS, and botnets. The advent of Wi-Fi has also created troubles like sniffers (monitor traffic) and ‘evil twins’ (set up your own Wi-Fi hotspot, call it ‘Free Public Wi-Fi’, steal data).
- Security policies. Most organisations have an Acceptable Use Policy (AUP) and Identity Management. In the event of an emergency, the shorter-term Disaster Recovery Plan (DRP) describes how to get your systems back online, while the longer-term Business Continuity Plan (BCP) describes how to restore business operations independent of the compromised systems.
- Security technologies. Secure Sockets Layer (SSL) forms the basis of HTTPS, which provides you with an extra layer of security when you access Netbank, Facebook, Gmail, etc. The key protecting an SSL session is 128-bit or 256-bit (see picture below).
- Public key and private key. One key is used for encrypting and the other for decrypting. Which one is which? That depends on whether you’re trying to prevent eavesdropping (public encrypts, private decrypts) or to prove your identity, like a signature (private encrypts, public decrypts). Digital Certificates (see picture below) are issued by Certificate Authorities: a certificate ties a public key to the identity of whoever holds the matching private key, and the CA signs it with its own private key so that anyone with the CA’s public key can check it.
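To make the “which key goes in which direction” point concrete, here is a toy RSA example I’ve added (it is not from the lecture or the textbook). The primes, the message and the function names are all my own constructed choices; the numbers are far too small to be secure and real RSA also adds padding and signs a hash of the message rather than the message itself. What it does show is that the same maths runs in both directions: the public key encrypts and the private key decrypts for confidentiality, while the private key signs and the public key verifies for identity.

```python
"""Toy RSA: public/private keys used in both directions.

Added illustration, not the lecture's or textbook's code. The primes are
constructed and textbook-sized, so this is NOT secure and omits the
padding real RSA needs; it only shows which key is used for what.
"""
from math import gcd


def make_keypair(p: int, q: int, e: int = 65537):
    """Build a toy RSA key pair from two primes (constructed inputs).

    Returns (public_key, private_key), each as (exponent, modulus).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (e, n), (d, n)


def rsa_apply(key, m: int) -> int:
    """The single RSA operation, m^exp mod n, used in every direction."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)


# Direction 1: stop eavesdropping. Anyone may encrypt with the public key;
# only the holder of the private key can decrypt.
def encrypt_for(public_key, message: int) -> int:
    return rsa_apply(public_key, message)


def decrypt_with(private_key, ciphertext: int) -> int:
    return rsa_apply(private_key, ciphertext)


# Direction 2: prove identity. Only the private-key holder can produce the
# signature; anyone with the public key can check it.
def sign_with(private_key, digest: int) -> int:
    return rsa_apply(private_key, digest)


def verify_with(public_key, digest: int, signature: int) -> bool:
    return rsa_apply(public_key, signature) == digest


def demo() -> dict:
    """Run both directions on constructed values and report what happened."""
    p, q = 10007, 10009           # constructed primes, tiny on purpose
    pub, priv = make_keypair(p, q)
    m = 12345678                  # constructed "message" (< n)

    ciphertext = encrypt_for(pub, m)
    signature = sign_with(priv, m)

    return {
        "round_trip": decrypt_with(priv, ciphertext) == m,   # True
        "valid_sig": verify_with(pub, m, signature),         # True
        "tampered_sig": verify_with(pub, m + 1, signature),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `tampered_sig` entry is the part worth noticing: changing even one unit of the signed value makes verification fail, which is exactly why a signature proves both who sent something and that it was not altered in transit.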
I’ve tried to put as much relevant content from the textbook as possible in my overview of Tony’s Tutorial, but there are a few extra points. The textbook defines security as “the policies, procedures, and technical measures used to prevent unauthorised access, alteration, theft, or physical damage to information systems”. Another mouthful of textbook! I’ll simplify that to, “the measures taken to prevent unauthorised use of information systems”. Replace ‘use’ with ‘read/write’ if you feel like being fancy. The textbook also classifies system availability and uptime as security issues – fair enough.