Password
There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username, or when you log in to a device or system.
You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.
Patching
Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.
Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability poses. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.
When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.
Payload
Viruses often contain malware, some of which includes special code designed to compromise a device. This code is typically called the payload. Different viruses carry different payloads, and some carry multiple payloads.
An analogy which might help: with bomber aircraft, the bombs they carry are referred to as the payload.
Penetration Testing
A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers, i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities were exploited.
Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.
This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.
There are also physical penetration tests, where people are hired to try to gain physical access to a business’s premises. This is called a red team test.
Phishing
Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account, or some equally ridiculous plea for help.
These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.
Principle of Least Privilege
A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.
For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, and someone working in HR probably doesn’t need access to the files for a specific project. Access would normally be restricted to help protect data.
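To show what least privilege looks like in code, here is an added example (not from the original post) of a default-deny, role-based access check using the accounts/HR/project split described above. The policy table, role names, resource names and the sample access log are all constructed for illustration; the second function reports grants a user holds but never used, which is the review a defender runs to trim privileges back down.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Set, Tuple


class Action(Enum):
    READ = "read"
    WRITE = "write"


# Hypothetical policy table (constructed for this example): role -> resource -> permitted actions.
# Anything absent from the table is denied; there is deliberately no "allow everything" fallback.
POLICY: Dict[str, Dict[str, Set[Action]]] = {
    "accounts": {"invoices": {Action.READ, Action.WRITE}, "ledger": {Action.READ}},
    "hr": {"personnel_records": {Action.READ, Action.WRITE}},
    "project_alpha": {"project_alpha_files": {Action.READ, Action.WRITE}},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: FrozenSet[str]


def is_allowed(user: User, resource: str, action: Action) -> bool:
    """Default-deny check: allow only if one of the user's roles explicitly grants the action."""
    return any(action in POLICY.get(role, {}).get(resource, set()) for role in user.roles)


def granted(user: User) -> Set[Tuple[str, Action]]:
    """Every (resource, action) pair the user's roles collectively grant."""
    return {(res, act) for role in user.roles for res, acts in POLICY.get(role, {}).items() for act in acts}


def unused_grants(user: User, observed: Set[Tuple[str, Action]]) -> Set[Tuple[str, Action]]:
    """Grants the user holds but never exercised in the observed access log: candidates for removal."""
    return granted(user) - observed


if __name__ == "__main__":
    alice = User("alice", frozenset({"accounts"}))
    # Constructed sample of what alice actually touched over a review period.
    alice_log = {("invoices", Action.READ)}
    print(is_allowed(alice, "invoices", Action.READ))           # True
    print(is_allowed(alice, "personnel_records", Action.READ))  # False: accounts staff do not need HR data
    print(unused_grants(alice, alice_log))                      # invoices/write and ledger/read were never used
```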