Computing security and how it applies to STATs

Through the course of Web Security TC2017 we reviewed many topics related to security, applied not only to the web but to any system.

In this blog I would like to explain how these topics were useful when planning and developing our Semestre i project and, of course, how we applied them to it.

Learning applied to the project

CIA (Confidentiality, Integrity and Availability)

  • Confidentiality: We took privacy very seriously, which is why we protected every password and login credential of our teachers, directors and students.
    • Bcrypt: We applied this hashing function to hash the passwords stored in the database. It is a standard, open-source library that is easy to use and a powerful tool to keep real credentials safe.
    • JSON Web Tokens: Instead of server-side sessions, we use JWTs signed with the HS256 algorithm to identify authenticated users.
    • Protected views: Every view that requires authentication is protected, and nobody can access it without a valid token.
  • Integrity: We set up a RESTful API with JWT validation so that the data cannot be reached by calling the API directly (POST, DELETE, GET and PUT) without a valid token.
    • To keep the information safe and protected we took the following measures:
      • SSL/TLS: When taking the project to production, we will use OpenSSL to encrypt the communication between client and server.
      • SSH with a private key: Only administrators holding the .key file will be able to reach the server over SSH. This prevents the brute-force attempts against port 22 that are so common.
      • User permissions: Every user can only reach the API levels that belong to them. For example, a teacher can't manipulate a student's data unless that student is in a group assigned to the teacher.
      • Software updates: The project runs Node.js and all required libraries on their latest stable versions, so that a known vulnerability in one of them does not lead to a compromise of the data.
  • Availability: This principle will apply when the software is released on a production server.
    • Scalable hosting: We will use the AWS EC2 service to set up the server. With Amazon we can increase the server's power and storage without migrating anything, and we pay on demand.
    • Firewall setup: We won't allow remote access to the database; the only ports open to the public will be 80 and 443, and any other port will be restricted by IP.
    • Weekly backups: We could use an EBS volume in AWS to create snapshots of the server so that the information is preserved.

Personal learning

Since this class, I started using 1Password as my password manager. I was a bit scared about taking this step and trusting a company to manage my passwords, but as Ken said once: “You will always need to trust someone”.

I also learned about keybase.io, which is an amazing web and mobile app for sending end-to-end encrypted files and messages for free. And, by the way, it is open source.

Finally, I found all the video blogs about security really interesting. They are amazing sources for staying up to date on the topic, straight from security experts.


Applying Risk Management as a Computer Engineer

As a Computer Engineer, every time we develop software, the first thing we need to do is analyze and document what we call the plan B: what we do in case of an unfavorable outcome that compromises our software in any way (remember the CIA principles?).

First of all, we need to categorize our system based on the level of availability, integrity and confidentiality it must have. We won't give the same priority to a public web server and to a server used specifically to store classified information. The web server might have a backup server to re-route all the traffic, but what about the compromised server holding classified information? Once that information is compromised there is no turning back, which is why it must be our priority.

In order to plan a proper Risk Management alternative, we need to follow a process:

  1. Categorize: Take into consideration the business needs and the architecture of the system.
  2. Select: Choose the security controls that will manage the risk.
  3. Implement: Put the chosen security controls into practice.
  4. Assess: Test the security controls, monitoring and measuring them to make sure the program is working effectively.
  5. Authorize: Base the decision on the risk the system could pose to the organization and to individuals.
  6. Monitor: Check that the security controls keep working as intended and, if not, repeat the cycle.


The price of free – Accepting the Terms and Conditions

Have you ever wondered what “I accept the Terms and Conditions” really means when you register on the Internet? How many times have you read a website's privacy policy?

I know, you've probably never read them. Unfortunately, it is very normal for most people to tick the acceptance of the Terms and Conditions every time they register on a site, simply because they are forced to in order to get access. In this article, I would like to tell you why you should be more cautious the next time you accept them.

First of all, what are the Terms and Conditions?

The Terms and Conditions is the document that stipulates the rules governing a certain service or website. Within these terms we find the so-called Privacy Policy, which explains how your information will be handled and for what purposes. So far everything may sound reasonable, but if we look closer, in the blink of an eye we have given the website consent to handle our information in whatever way is most convenient for them.

What rights do we commonly give when we accept the Terms and Conditions?

A company committed to its users' information will manage it and use it for purposes that do not put it at risk. Normally, a paid Internet service is less likely to use your information for bad purposes, because it may not need to profit from it to keep the service alive.

However, on the other side, many free Internet services, like your mail service, search engines and social networks, have a hidden cost even if you do not believe it. Your information could be analyzed in order to show you ads based on your interests, to be more convincing when approaching you to sell you something and, why not, to spy on you in a certain way.

I am not claiming that every free Internet service performs these bad practices with your information, but I can guarantee that the vast majority of them do. The next time you provide sensitive information online, make sure to research the company that will be handling it and, why not, take a deeper look at its privacy policy.

The importance of CIA: confidentiality, integrity and availability

In network security there are three fundamental concepts: availability, confidentiality and integrity. If any one of the three is missing, the other two cannot be achieved either.

Taken from https://www.checkmarx.com/2016/06/24/20160624the-importance-of-database-security-and-integrity/

Availability

We need to make sure that all our systems and networks stay up and running properly 24/7. This term covers everything related to capacity, performance, and software or hardware failure.

We must be prepared to prevent data loss with regular backups stored in more than one place. We need trained people capable of restoring the information quickly and securely. Our infrastructure must be redundant, so that a hardware, software or power supply failure does not interrupt the service.

Availability also involves the correct firewall and infrastructure setup in our network to withstand network stress attacks, which are a very common threat now. DDoS attacks are probably the best example of stress attacks on the Internet, and they can easily affect our network if we don't have the right setup to mitigate them. Many data centers already offer their clients in-house protection, but the best way to protect ourselves without depending on any third party is to have our own firewall with the correct rules, closing any incoming traffic that is not necessary, and of course hiding our server's public IP behind CloudFlare.

Integrity

All the information shared and sent between our systems and networks must not be modified or taken without our permission.

Hackers are a threat, and the best way to prevent them is to be prepared. We need to control access to our information with securely hashed passwords, access logs enabled so that unusual traffic can be analyzed, system firewalls, and access restricted by granting users and database accounts the least privileges they need.

Confidentiality

Confidentiality means protecting information so that no unauthorized individual or system can access or disclose it.

Nowadays, online confidentiality is more compromised than ever. Security experts are in huge demand in companies simply because the Internet is growing exponentially and, with it, the online threats.

We see hackers threatening big companies with the release of private information such as movies and executive documents, we see websites like WikiLeaks publishing confidential information about governments anonymously, and I could go on with many more examples of how confidentiality becomes a nightmare if we don't take it seriously.

As Software Engineers, we have the obligation to implement safety measures starting at the network level, then at the system level and finally in the application or service itself. One way to do this is data encryption, which is a must today: we need to hide sensitive information in a way that intruders can't decode.

Conclusion

We need to make sure availability, confidentiality and integrity work together to keep our network, systems, and applications secure.