There is much emphasis being given to information security in today’s digitally connected ecosystem, and it truly is the need of the hour – below you can find answers to some of the most pertinent topics in information security.
Slava Ivanov, Distinguished Software Engineer at Echoworx with his years of progressive experience in delivering security solutions to solve business challenges, coupled with his strong knowledge of software development cycles is committed in developing a 2018 Thesaurus for information security.
DECEMBER |
Q: CONFUSED WITH THE INTERNET, DEEP WEB OR DARK WEB?
A: The Internet consists of tonline resources available through search engines, like websites we use to shop, bank or socialize. The Deep Web is the part of Internet that is not indexed by major search engines. To visit such places, you would need to go directly to the resource. It isn’t necessary malicious, but just too large to be indexed. The Dark Web is the part of Deep Web not just unindexed, but also requiring special access. The Dark Web is often based on additional sub-networks, like Tor or Freenet and often associated with criminal activities.
Q: WHAT IS ‘POSTERIOR AUTHENTICATION?’
A: When we speak about biometric security, usually we are referring to face recognition or fingerprints – but this authentication method is all about your posterior. Japanese researchers have developed a seat with 360 sensors, which apparently measure your seat groove, aka ‘buttprints,’ or rear-pressure. The researchers claim 98% accuracy in correctly identifying a sitting person. Not bad eh? This method of authentication could have applications in effective anti-theft systems for our cars or yet another method to log in into your device when you sit behind your desk.
Q: WHAT IS A KEYLOGGER?
A: Keyloggers are also known as keystroke loggers. There are many types of keyloggers based on a variety of keylogging methods including two well-known: software- and hardware-based keyloggers. The hardware keyloggers are usually fitted between a keyboard and a device. As they run entirely on hardware, security software wouldn’t be able to detect it. Software keyloggers can be built into rootkits or other less detectable forms. While the programs themselves are legal, many of them used for the purpose of stealing confidential information. Detecting any type of keyloggers is a difficult task since they’re designed to stay hidden.
NOVEMBER |
Q: WHAT IS SOCIAL ENGINEERING?
A: Social engineering is the art of manipulating people so they give up confidential information. Even highly secure systems that cannot be penetrated by digital, or cryptographic means, can be compromised by simply calling an employee of the target organization on the phone and impersonating a co-worker or IT personnel. Some well-known social engineering techniques include phishing, clickjacking, vishing, and baiting. There is no simple solution to prevent a social engineering attack, but the best defense is user education and security awareness.
Q: VULNERABILITY VS. EXPLOIT: WHAT’S THE DIFFERENCE?
A: A security vulnerability is an unintended flaw in software or a system which leaves it open for potential exploitation, such as unauthorized access or malicious behavior, like viruses, worms and other malware. Exploit is another term for a security vulnerability, however it’s an actual active problem, as opposed to a potential problem. For example, a broken lock on your cottage door would be a vulnerability, which must be addressed sooner than later. But a broken door lock in a major city would be an example of an exploit – there might be people in the area, actively exploiting for this known vulnerability.
Q:WHAT IS A PENTEST?
A: Pentest is the short form of penetration test. This is a security exercise where a trusted cyber-security expert attempts to find the vulnerabilities of a system before malicious attackers can exploit them. To produce a pentest report, the system is targeted by simulated attacks: brute-force, SQL injections, etc. The findings are then shared with the target company’s security team for the implementation of subsequent security fixes and patches. In order to keep the system secure, the pentest should be performed on a regular basis, especially when new technology is added.
Q: WHAT DOES CIA HAVE TO DO WITH CYBERSECURITY?
A: In Information Security, the CIA Triad stands for Confidentiality, Integrity and Availability – not to be confused with the US Central Intelligence Agency. Confidentiality – keeping sensitive data secure; Encryption is a reliable solution to ensure confidentiality. Integrity – keeping data intact; Cryptographic hashes and digital signing are used to verify information hasn’t been altered. Availability – keeping data accessible; Strategic planning and resource allocation ensures services and applications are available 24/7, including backup plans, data recovery and services scalability.
OCTOBER |
Q: WHAT IS BOTNET?
A: The word “Botnet” is a combination of the words robot and network. The botnet is known as a group of Internet-connected devices – IoT and mobile devices, computers, networks – affected by malware. Each compromised device is called “bot” and can be controlled remotely by a botnet’s originator, known as a “bot master.” Botnets are increasingly rented out by cyber criminals as commodities and commonly used in DDoS attacks. Botnets are able to take advantage of collective computer power, send large volumes of spam, steal credentials en masse or spy on people and organizations.
Q: IS CRYPTOJACKING A NEW THREAT IN THE WILD?
A: Cryptojacking is the unauthorized use of a victim’s computer to mine cryptocurrency. According to a recent Symantec security report, cryptojacking just came out of nowhere and exploded like nothing before. Hackers see it as a cheap and easy way to make more money with less risk. Unlike other types of malware, cryptojacking does not damage a victim’s data or computer. But, since they do steal CPU processing resources, the victim will be paying with a reduced device lifecycle, more power usage and overall performance issues.
Q: WHAT IS SPYWARE?
A: Spyware is a type of malicious software installed onto your computer, often without your knowledge. It is designed to monitor your computing activities and collect and report the data back to companies for marketing purposes. The data collection usually includes your personal information such as your name, address, browsing habits, preferences, interests or downloads. Besides being an invasion of privacy, this software can cause serious performance issues.
Q: WHAT IS THE BIRTHDAY ATTACK?
A: The Birthday Attack is a type of brute-force attack based on the birthday paradox, which states that out of 253 people in a room, there’s a 50% chance someone has your birth date; however, only 23 people need to be in the room to get a 50% chance of any two sharing the same birthday. This is because the matches are based on pairs. This statistical phenomenon also applies to finding collisions in hashing algorithms because it’s much harder to find something that collides with a given hash than to find any two inputs that have the same hash value.
Q: WHAT IS SAME ORIGIN POLICY?
A: In computing, Same-Origin Policy is the browser-based defense mechanism that ensures certain conditions must be met before content (usually JavaScript) will be run when served from a given web application. Under the policy, the browser permits one web page script to access data in another web page only when they have the same origin; where the origin is a combination of web resource protocol, domain and port.
SEPTEMBER |
Q: ARE OPEN SOURCE PROJECTS MORE SECURE THAN PROPRIETARY ONES?
A: A common misconception is that open source projects are more secure, either because anyone can inspect the source code, or because so many eyes are watching it. And, vice versa, a commercial product of a well-known company is more secure because everyone trusts it. The security of the project comes from a combination of many factors, including how many developers are working on it, what are their backgrounds, quality control of the project, etc. There are many examples of horribly insecure applications that come from both camps.
Q: WHAT IS CROSS-SITE REQUEST FORGERY?
A: Cross-Site Request Forgery (CSRF) is the type of attack on web site where an intruder camouflages as a legitimate and trusted user. For example, a webpage image tag may be compromised and point to a URL associated with some action; when the user loads this page, the browser executes this action and the user might not be aware that such attack has occurred. The attack can be used to modify firewall settings, post unauthorized data on a forum or conduct fraudulent financial transactions.
Q: WHY DOES MY PKI IDENTITY INCLUDE TWO KEYS?
A: A public and private key pair is a pair of asymmetric keys that perform the encrypt/decrypt functions of a secure data transmission. Public key is public and available to everyone. On the other hand, the Private Key must remain confidential to its respective owner. When encrypting data, the public key of the recipient is used – and only this recipient will be able to decrypt it. When signing, the private key is used to confirm identity of sender.
Q: IS IT “DOS” OR “DDOS” ATTACK?
A: A denial-of-service (DoS) attack is a type of cyber attack designed to make a computer or network unavailable to its intended users by disrupting the services of a host. This is typically done by flooding the host with an overwhelming number of packets to oversaturate server capacity, resulting in denial-of-service or memory buffer overflow which can cause the host to consume disk space, memory, or CPU time. A distributed denial-of-service (DDoS) attack is analogous to DoS, but traffic would come from different sources, which makes it impossible to prevent by just blocking a single source of attack.
AUGUST |
Q: I USE GOOGLE CHROME, DO YOU?
A: There are plenty of browsers available these days to choose from: Chrome, with its built-in Google search engine; Edge, with its ability to make notes right on the page; Firefox, with its option to continue reading the pages where you left on another device; Safari, which is perfectly tailored for mobile devices. No matter what your criteria for choosing the Internet browser, the most important thing is to keep it up-to-date with all security patches and updates. Enjoy your safe browsing.
Q: WHAT IS A DIGITAL CERTIFICATE?
A: In cryptography, a Digital Certificate is an electronic form of identification, much like your passport or driver’s license. It provides information about your identity and is issued by a certification authority (CA) for a specific period of time. The CA guarantees the validity of the information included within the certificate. The most common format for digital certificates is defined by X.509 standard. There are a variety of areas where certificates are used: SSL/TLS, S/MIME, code signing, etc.
Q: WHAT DO COMPUTER COOKIES TASTE LIKE?
A: A cookie is a small file from a website which is stored on your computer by a web browser. The yummy part of the cookie is that it can store, for example, login info, zip code, etc. so you don’t need to type it in over and over again. The bitter part of it is that it can keep track of your habits and be used by advertising networks. The yucky taste comes when a cookie carrying sensitive information is intercepted by a hacker. Clean up cookies regularly, keep your antivirus software up-to-date, and visit the websites you trust – enjoy the great taste of cookies!
Q: WHAT DOES SSO STAND FOR?
A: SSO stands for Single Sign-On. With single sign-on, the user can authenticate once and then use multiple systems or applications without having to log in again. Without SSO of any kind, users may have to remember a different username and password (different credentials) for each system used. This leads the user to use short, simple or similar passwords for every resource. To reduce password fatigue, time to re-enter identity info, “forgot password” requests, etc., many organizations are implementing Single Sign-On.
Q: WHAT IS S/MIME?
A: S/MIME (Secure Multipurpose Internet Mail Extensions) is the standard to secure MIME messages which brings SMTP communication to the next level by allowing widely accepted e-mail protocol to be used without compromising security. It uses PKI (Public key Infrastructure) to encrypt and/or sign the data. S/MIME provides cryptographic service benefits into e-mail: confidentiality and data integrity with message encryption; authentication and non-repudiation with digital signing.
JULY |
Q: WHAT IS MIME?
A: MIME (Multipurpose Internet Mail Extensions) is the Internet standard that defines how a message has to be formatted for transfer between different e-mail systems. MIME is a very flexible format and allows the inclusion of virtually any type of data such as text, images, audio, applications, etc. With appropriate encoding MIME is able to handle messages written in international languages as well. MIME is designed for SMTP communications, but many definitions of the standard are widely used in WWW communication protocols.
Q: WHAT IS TABNABBING?
A: Tabnabbing, also known as Tabjacking, is a phishing attack that makes use of the inattention of a user to opened multiple browser tabs to steal the user’s sensitive information. For example, you have opened the page affected by the exploit along with other tabs in the browser. If the script of the malicious tab detects inactivity, the web page will be reloaded and display, for example, a fake Gmail login page instead. Due to lack of attention to the opened tabs, user may enter the requested credentials and they will be stolen by the criminals.
Q: HOW CAN A VPN ENHANCE MY PRIVACY AND SECURITY?
A: A VPN (Virtual Private Network) extends a private network (ex.: company network) across a public network, (ex.: Internet) and enables users to access private network resources as if they were directly connected to this private network. A VPN uses encryption technology to encrypt network traffic, so if an attacker sniffs on the packets, he only gets encrypted data. It detects modification of transmitted data and provides its integrity. A VPN uses authentication to prevent unauthorized access to the resources.
Q: IS “PHARMING” YET ANOTHER WORD WITH A MISTAKE?
A: Pharming is an advanced type of cybercrime, similar to phishing, which combines the meanings of the words “phishing” and “farming”. The usual purpose of pharming is to obtain usernames and passwords from online retailers or banks, without needing to phish you with malicious e-mails or links. You go to a well-known web resource, as always, but end up at the hacker’s system – made to look like a legitimate website. One of the techniques used in a pharming attack is the corruption of the DNS services on the computer system by malicious code known as DNS cache poisoning.
JUNE |
Q: HOW TO BE SAFE WHEN MAKING ONLINE PAYMENTS?
A: There are a few things to consider when you shop online: 1. Make sure the retail website is using an SSL connection and that the business is trustworthy. 2. Always favour credit card transactions over debit. 3. Do not make payments when connected to a public Wi-Fi network. 4. Consider to opt out of storing your credit card information on a retailer’s website – even if you use it often. 5. Never enter your PIN code or banking password when completing a transaction. The last word: Check your credit card statement regularly, sign up for transaction notifications, if possible, and stay safe.
Q: HOW TO BE SAFE ON STARBUCKS WI-FI?
A: To stay safe while using a public Wi-Fi network, use only a secure connection (SSL) to websites you trust. Avoid using personal usernames and passwords, even just to check your email, as hackers can monitor unprotected Wi-Fi networks and your information can be stolen. Turn off File Sharing and AirDrop options, and check that your laptop’s firewall is enabled. For even better protection, secure and encrypt your connection by using a Virtual Private Network (VPN) – a safe digital tunnel to your device.
Q: WHAT IS IOT ANYWAY?
A: The Internet of Things (IoT) is an ecosystem of connected devices able to communicate with us, and with one another, over the Internet. A smart thermostat, controllable from our phones and tablets, for example, is a well-known IoT-connected device. Everything these days is “smart,” from simple sensors and actuators to refrigerators and cars. The future of the IoT is very exciting and stands to revolutionize the way we live, making entire cities and countries function in a smarter and more efficient way. It truly is a Golden Age for IoT devices.
Q: HOW WELL IS BLOWFISH SWIMMING IN CRYPTOGRAPHY?
A: Blowfish is a symmetric encryption algorithm designed by Bruce Schneier in 1993 as the replacement for older DES and IDEA algorithms. It has a 64-bit block size and uses a variable-length key, from 32 bits to 448 bits, which is suitable for both domestic and export uses. Blowfish attempts to make a brute-force attack difficult by making the initial key setup a fairly slow operation. This algorithm is unpatented, unlicensed and is available free to everyone. Blowfish shouldn’t be used for large files due to small block size (64-bit as opposed to AES’s 128-bit block size).
MAY |
Q: ARE BLUEJACKING, BLUESNARFING AND BLUEBUGGING NEW SHADES OF BLUE?
A: Bluejacking, the earliest Bluetooth attack, is the sending of unsolicited messages to Bluetooth-enabled devices. Bluejacking is quite harmless and is usually limited to sending text messages, images or sounds to a targeted device. Bluesnarfing is more damaging and targets a user’s privacy – with an attacker connecting to an early-Bluetooth device, without the owner’s knowledge, and downloading their phonebook, calendar and more. Bluebugging goes further – with complete virtual takeover of the device. Once connected, an attacker can access your contacts, make calls, listen to calls, read your messages and emails and even track your location, without your knowledge.
Q: SAML OR OAUTH?
A: SAML (Security Assertion Markup Language) is usually used when solution requires centralized identity management; involves SSO with at least one enterprise participant; provides access to an application. OAuth (Open Authorization) is usually used when a solution provides access to resources, such as accounts, files, etc.; or involves mobile devices. Both technologies can be used at the same time. For example: SAML for authentication; once SAML token is processed, use it as the OAuth bearer token to access protected resources over HTTP.
Q: WHAT ARE THE TYPES OF BIOMETRICS?
A: There are two main types of biometrics: Physiological biometrics is something related to what we are, including specific measurements, dimensions, and characteristics of our body. Your face, eyes, vein pattern or a fingerprint are an example of physiological biometric data. Behavioral biometrics is what we do and is related to our personal habits and unique movements. Your voice, gestures, walking style, and the handwritten signature is the simplest example of this type.
Q: IS IT POSSIBLE TO STOP IDENTITY THEFT?
A: It’s almost impossible to completely prevent identity theft, however it is possible to reduce the risk by following some simple tips: 1. Be aware of your privacy settings on social media. 2. Use strong and different passwords when creating online accounts. 3. Do not check out suspicious emails which may be phishing for data. 4. Do not provide any information to websites which not using an SSL connection. 5. Protect your PC by using a firewall, antivirus and spyware protection software, and by keeping it up to date.
APRIL |
Q: WHY USE SAML?
A: The Security Assertion Markup Language (SAML) is an open standard that represents an XML-based framework for sharing security information about identity, authentication, and authorization across different systems. SAML eliminates the need for multiple applications and services passwords by enabling a token-based authentication exchange. It solves the key challenge by enabling single sign-on (SSO) functionality. SAML saves administrative time and increases security with centralized control over authentication and access.
Q: WHAT IS PCI COMPLIANCE?
A: PCI stands for the Payment Card Industry, and is often followed by the letters DSS, which stand for Data Security Standard. PCI compliant businesses must consistently adhere to the rules defined by the PCI Security Standards Council. Some of which are: Maintain an information security policy; Monitor and maintain a secure network; Implement strong access controls; Protect sensitive information. Customers, of such businesses, should feel safe and confident that their data will be protected.
Q: WHAT IS IDENTITY THEFT?
A: Identity theft is unwanted or unauthorized access to your personal information. Once someone gets hold of your personal details, they are able to commit all sorts of crimes using them, including telecommunications fraud, money laundering, cybercrimes, and more. Criminals use seemingly harmless pieces of information, like your date of birth, to gain access to other information about you, including your address, email, place of birth, insurance numbers, and passwords. Take care to protect your data by being aware of your privacy when sharing sensitive data.
Q: WHAT IS ADVANCED ENCRYPTION STANDARD (AES)?
A: The Advanced Encryption Standard (AES) is a symmetric-key block cipher algorithm. AES is a subset of the Rijndael cipher developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen. AES is capable of handling 128-bit blocks, using keys sized at 128, 192, and 256 bits. Key size is unlimited, whereas the maximum block size is 256 bits. AES is more secure and enables faster encryption than its predecessors DES and 3DES. Overall AES has proven to be a reliable cipher over time.
MARCH |
Q: BLUETOOTH: CONVENIENCE WITH A PRICE?
A: We are using Bluetooth technology every day to connect our headphones, fitness trackers, car’s hands-free system, etc. It’s important to know about security issues associated with technology. Bluetooth sends data wirelessly where it can be intercepted by the wrong people. To protect your information, consider to set your devices to “undiscoverable” when not in use. Never accept pairing requests from unknown parties. Download and install regular security updates for your devices.
Q: IS THERE A MISTAKE IN THE WORD “PHISHING”?
A: Phishing scams mimic reputable entitles like banks, online resources, legitimate and authorized organizations in an attempt to obtain sensitive information such as usernames, passwords, credit card details, etc. It’s called Phishing due to long-time hacker tradition to use “PH” instead of “F”. Be careful not to fall for the tricks set up by those Phishermen and prevent yourself from getting caught in the Phish net.
Q: WHAT IS DIFFIE-HELLMAN KEY EXCHANGE?
A: Diffie-Hellman (DH) is a key exchange protocol originally conceptualized by Ralph Merkle. It’s named after Whitfield Diffie and Martin Hellman – two cryptographers. DH allows to securely exchange cryptographic keys over a public channel without having anything shared beforehand. An established shared secret key can then be used to encrypt subsequent communications. DH exchange itself doesn’t provide authentication of the parties and could be vulnerable to man-in-the-middle attack. Variants of DH with authentication should be considered.
Q: WHAT IS SSL HANDSHAKE?
A: SSL/TLS connection between a client and a server starts with a “handshake.” This includes a few steps – starting with validating the identity of the other party and concluding with the generation of a common Session key. First the server sends a Public key to the client to be used for encryption; The client generates a Symmetric key, encrypts it and sends it back; Then the server decrypts this Session key using its Private key. Now the server and the client are ready to use this Symmetric key to encrypt and decrypt transfer of data.
FEBRUARY |
Q: IS FACE RECOGNITION TECHNOLOGY FOR AUTHENTICATION ONLY?
A: Face recognition technology is already helping in many areas of our lives such as, airport security screening, friendly unsupervised video surveillance, investigation of crime scenes, etc. Lets explore how the technology can be used to personalize marketing approaches? It can, for example, replace a store loyalty card. When you walk into the store, the staff would know what you bought the last time, provide you with personal offers, and redeem your points. The store itself may tailor your offerings by analyzing facial data, such as gender, age, and ethnicity. The possibilities are endless.
Q: DOES TLS USE SYMMETRIC OR ASYMMETRIC ENCRYPTION?
A: Both. TLS uses asymmetric encryption algorithm only to establish a secure client-server session. For asymmetric encryption, the sender needs a Public key to encrypt data and the receiver needs a Private key to decrypt it. The bulk payload encryption requires speed, so a symmetric encryption algorithm is used to exchange information over an established secured session. For symmetric encryption both sender and receiver share a single Symmetric key to encrypt and decrypt data.
Q: “OK, GOOGLE” SHOULD I BE CONCERNED ABOUT MY PRIVACY?
A: Voice enabled assistants, like Google Home, Amazon Echo, etc., can answer your question, provide a weather report, turn up the thermostat, control the lights, or even order a pizza. This convenience comes with a price. Assistant is always listening. Consider using the “mic mute” button to turn it off when not needed. Anyone can control your device. Consider not connecting some IoT appliances like smart door locks; disable payment options not being used. Enjoy your digital home assistant, but don’t make it the host.
Q: WHAT IS OBFUSCATION?
A: The purpose of obfuscation is to prevent someone from understanding the meaning of something. In software development, it’s often used on the computer code to make tampering, reverse engineering, or theft of a product’s functionality more difficult. It’s important to understand that obfuscation is not like encryption, but rather like encoding. It can be reversed by using the same technique or simply as a manual process that just takes time.
Q: WHAT ARE THE FACTORS OF AUTHENTICATION?
A: There are three main categories of Authentication:
- Knowledge is something you know, for example simple user name and password;
- Possession is something you have, it may be your access card or keyfob;
- Inherence is something you are, your biometric characteristic, like fingerprint.
Sometimes, your location is considered a 4thfactor.Multifactor Authentication significantly increases security but will obviously impact user experience.
JANUARY |
Q: WHAT IS DATA ENCODING?
A: In computer technology, encoding transforms original data into another format so it can be transferred and consumed by different systems. For example, use binary-to-text Base64 encoding for binary files to send it over email. Encoding uses publicly available algorithms and can be easily reversed (decoded). The main purpose of encoding is not to keep information secret, but to ensure it’s safely and properly consumed.
Q: IS BIOMETRICS THE ULTIMATE AUTHENTICATION SOLUTION?
A: Biometrics is the technical term for metrics related to human characteristics, like your fingerprint, voice, eye iris, etc. Many consumer products have adopted biometrics for authentication as a matter of user convenience, while enterprise grade products are opting-out to ensure maximum information security. The main authenticationfactor is knowledge, such as a password or PIN. Biometric data was never designed to be the secret. Can you imagine yourself wearing gloves all the time?
Q: IS FACE ID MORE SECURE THAN TOUCH ID?
A: Apple claims there is a 1 in a million chance someone can unlock your device using Face ID compared to 1 in 50000 chances of someone having the same fingerprint as you. Does this mean the security of Face ID is 20 times higher? The important thing to remember is that Face ID and Touch ID are more about convenience and design than security. Your password (PIN) will always remain the biggest point of weakness on your device. So, it’s best to make it a strong one.
Q: WHAT THE “HEX”?
A: Hexadecimal numbers (hex or base-16) are widely used in computing and math as representation of binary values. Each hexadecimal digit represents four bits or half a byte. 16 unique symbols 0-9 and A-F used to represent a value.
This purple color has HTML hex number #7334A4
#73(hex) is (7×16) + (3×1) = 115 (decimal) of red
#34(hex) is (3×16) + (4×1) = 52 (decimal) of green
#A4(hex) is (10×16) + (4×1) = 164 (decimal) of blue
In RGB space our color will be rgb (115, 52, 164)
This is a very condensed version of the many security terms and acronyms in use today, but we hope it helps. Don’t stop now. Learn how you can use encryption to build trusted communications with white papers, reports, webinars, and videos.
ENCRYPTION RESOURCES
