Security Fundamentals

Security Measures to Minimise Vulnerabilities

Defending yourself ...

It may seem so far that everybody is out to get you, and while it may not be everybody, quite a few are. It's not personal, it's just business.

Hackers are constantly scanning the internet for vulnerable systems with the help of little programs designed to look for a few common vulnerabilities. If they find yours has one, then it's game on: the attack begins, with the bad news that it's extremely difficult to resist a really determined hacker.

With this in mind, it's time to take a look at the steps that can be taken to defend yourself in order to force the hacker to pass on by to look at the next vulnerable online computer.

1. Use strong, hard-to-guess passwords

Passwords are the first line of defence against hackers, so it makes sense to make them as hard as possible to guess, not by people, but by brute force programs which can make millions of 'guesses'.

All that is required to defend yourself against this type of attack is to follow a simple set of rules.

  • Don't use recognisable or dictionary words.
  • Don't use just numbers; these are possibly even easier to guess.
  • Use all the characters on the keyboard, including symbols (?!$%^ etc), in both upper-case (capitals) and lower-case combinations
  • Change the password regularly
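
The rules above can be turned into a small checker. This is an added example, not part of the original lesson; the word list is a tiny constructed sample and the guessing speed is an assumed figure. It also estimates how long a brute force program would need to try every combination, which only holds when the password contains no dictionary word.

```python
import math
import string

# Constructed mini word list; a real checker would load a large dictionary.
COMMON_WORDS = {"password", "dragon", "football", "monkey", "letmein", "qwerty"}

# Assumed attacker speed (guesses per second); not a figure from the lesson.
GUESSES_PER_SECOND = 1_000_000_000

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def check_password(password):
    """Return a list of the rules above that the password breaks."""
    problems = []
    lowered = password.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if password.isdigit():
        problems.append("numbers only")
    used = sum(any(ch in cls for ch in password) for cls in CHARACTER_CLASSES)
    if used < len(CHARACTER_CLASSES):
        problems.append("does not mix upper-case, lower-case, digits and symbols")
    return problems


def search_space_bits(password):
    """Size of the brute-force search space in bits for the character sets used."""
    pool = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(ch in cls for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def worst_case_seconds(password):
    """Time to try every combination at the assumed guessing speed."""
    return 2 ** search_space_bits(password) / GUESSES_PER_SECOND


if __name__ == "__main__":
    for candidate in ("12345678", "Password1!", "gT7$kq!Zw2#x"):  # constructed samples
        print(candidate, check_password(candidate),
              f"{worst_case_seconds(candidate):.3g} seconds")
```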

2. Avoid using the same password for multiple accounts.

Using the same password for multiple accounts is sometimes called the 'eggshell defence'. The password may be difficult to hack but once broken will allow the hacker access to all accounts without any further work. 'Happy Days' for the hacker.

3. Use two-factor authentication

Two-factor authentication adds an extra level of security by adding an extra step between entering a password and gaining full access to an account. This is based around 'two factors':

  1. Something only you know (the password)
  2. Something you have (your phone)

Logging in requires the first step, entering the password. After the password has been checked as valid, the site sends a code - the second factor - to your phone, which is then entered by you to gain full access to your account. The extra security comes from two things: the code is generated at the time of access and so can't be predicted, and you must have ownership of your phone.
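
A sketch of what the site does behind the scenes for the second step, as an added example that is not part of the original lesson. The class name, the two-minute lifetime and the three-attempt limit are assumptions chosen for illustration; sending the text message itself is left out.

```python
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3              # assumed limit on wrong guesses


class OneTimeCodes:
    """Server-side store of pending second-factor codes (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._pending = {}    # username -> [code, expiry time, attempts left]
        self._clock = clock

    def issue(self, username):
        """Create a fresh 6-digit code; the site would now send it to the phone."""
        # secrets uses the operating system's secure random source,
        # so the code cannot be predicted from earlier codes.
        code = f"{secrets.randbelow(10**6):06d}"
        expiry = self._clock() + CODE_LIFETIME_SECONDS
        self._pending[username] = [code, expiry, MAX_ATTEMPTS]
        return code

    def verify(self, username, submitted):
        """True only for the right code, before it expires, and only once."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code, expiry, attempts = entry
        if self._clock() > expiry:
            del self._pending[username]          # too late: code is thrown away
            return False
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[username]          # single use
            return True
        entry[2] = attempts - 1
        if entry[2] <= 0:
            del self._pending[username]          # too many wrong guesses
        return False
```

A six-digit code has only a million possibilities, which is why the expiry and the attempt limit matter as much as the randomness.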

4. Don't use free WiFi

Increasingly, free WiFi access to the internet is being offered in public places and transport services. A password isn't always required to connect to these wireless services. While very convenient for getting onto the internet, they provide an equally convenient way for hackers to gain access to everything on your connected device. So try to avoid!

5. Be careful what you click

Embedding malicious code into internet links, addresses and attachments is one of the most popular and successful methods that hackers use. Called 'Phishing', the method relies upon creating addresses or attachments that look real but, when clicked on, trigger the release of a 'virus' that immediately infects the user's computer.

Some viruses trigger an email to all the people in the user's address book and will infect all their computers and so on. So if you receive something unexpected through email or from someone not known, then it's best not to click on it, but delete it as soon as possible.

There are also tempting adverts and headlines that crop up on websites. Called 'Click-bait' they encourage visitors to click them, which can start a download or divert users to other phishing sites.

6. Use Encryption & HTTPS wherever possible

HTTPS - 'hyper-text transfer protocol secure' - is an extension of HTTP.

HTTP is used for Internet addresses. The S in HTTPS refers to an extra layer of security which encrypts data being passed between the internet site and the user's device. An additional benefit is that the information is authenticated and so HTTPS can tell whether or not a website is real, reducing the chance of a phishing attack.

7. Clear your browsing history: Clear your hardware

Internet browsers on connected devices (phone, tablet, laptop etc) maintain a record of all sites that have been visited and what's been done online. Browsers increasingly synchronise across devices, so that a website visited on one device will also appear in the history of all other devices. The history log can persist for weeks, so anyone who is successful in gaining access to any of your devices can get to see and steal a detailed record of a user's online activities.

Take care when disposing of or selling hardware. Make sure that hard drives are completely erased to destroy all traces of personal information to frustrate those looking to obtain information from recycled hardware.

8. Update Operating System & Software

Updating stops hackers from exploiting vulnerabilities in outdated programs. Creating good software is difficult; creating invulnerable software is impossible, especially when new programming languages, devices and methods emerge in the future. The best we can do is update software on a regular basis as these flaws are discovered and solutions are created for them.

9. Use Up-to-date Security Programmes & Firewall

Use these to help protect against malware. This includes all varieties of software, which hackers use to damage or compromise device security, for example: viruses, ransom-ware, spyware, adware, Trojans.

Any security software needs to be updated regularly to combat new versions of malware as they emerge.

10. Beware the cloud

Cloud storage can be very convenient. With suitable hardware, all data can be accessible by any device. Nice!

But data stored on the cloud doesn't belong to you and it isn't always encrypted at rest. So as a general rule, if the data is sensitive, don't store it in the cloud.

Tasks

All users are vulnerable to attack. There are things, though, that users can do to minimise the chance of a successful attack.

  1. Add a new page to your Security Fundamentals Section named Security Measures.
  2. Create a list of 10 simple steps that users can take to minimise the chances of a successful attack.
  1. Go to the following sites and identify in your notebook the protocol used and whether it uses encryption or not.
  2. Explain how you can tell the difference between secure and insecure websites.

Record in your notebook:-

  1. Describe the main functions of a firewall
  2. Watch the video and
    1. Name the two different types of firewall
    2. Explain the purpose of each type of firewall.
    3. What could happen if the firewall was switched off?
    4. The video briefly highlights Sony. Find out about the famous Sony Hack and in your Hacking Case Histories section add a page titled Sony.
      1. Under a sub heading Victim. Identify the principal target of the criminals.
      2. Under a sub heading Motivation, identify what you think was the prime motivation of the criminals i.e. financial gain, politics, revenge etc.
      3. Under a sub heading Cost/Loss, identify the value of the crime i.e. how much was stolen or how much it cost to put right.
      4. Under an appropriate sub heading, identify the year when the crime was committed.
      5. Under a sub heading Method, briefly describe what the criminals did.
      6. If the criminals used malware, how did that malware get into the system?
      7. Under a sub heading Reasons for success, explain why the criminals were successful in carrying out their crime.
      8. Under a sub heading Lessons Learned, explain how the crime could have been prevented in the first place.
Finding out more ...

Good starting points for finding out more about the Sony hack include the BBC Report. Wired magazine is another good source with Sony got hacked hard. For a detailed look at what went on, check out the start of the first part of Fortune's Hack of the Century.

You should be able to:-
  • Provide a list of simple practical actions which users can take to help protect themselves from hackers.
  • Provide advice regarding passwords and authentication, avoiding the pitfalls of the eggshell defence.
  • Avoid click-bait and explain the risks presented by tempting links.
  • Identify encrypted and secure websites.
  • Explain the importance of firewall software and explain in general terms how it works.
  • Explain the importance of keeping software and operating systems up to date.

If you don't feel confident in meeting any of these performance criteria, ask your teacher or re-read the information again.

Supporting courses by the SQA