P is for …

Password

There has been much written about passwords, but for this entry I thought it worth defining what a password actually is. It’s a code, phrase or sequence of letters and numbers which is used to validate that you are who you say you are. It’s often used in conjunction with a username or when you login to a device or system.

You’re advised to keep your password secret, known only to you, because this helps with non-repudiation.

Patching

Pretty much all software has vulnerabilities in it. The more complex the software, the more likely it is to have vulnerabilities. Patches are pieces of code written by software developers to fix those vulnerabilities once the manufacturers become aware of them.

Patching is the process of applying these bespoke pieces of code. Typically patches are given a severity based on the risk the vulnerability contains. Urgent patches should be applied as soon as possible, whereas low risk patches don’t need to be applied so quickly.

When applying patches in a work environment, it is advisable to test the patch on several machines first, before applying it to every device, just in case there are any issues or conflicts which the patch causes with existing software.

Payload

Viruses often contain malware, some of which contains special code to try to compromise a device. This is typically called a payload. Different viruses carry different payloads, and some carry multiple different payloads.

An analogy which might explain this is where you have bomber aircraft, the bombs they carry are referred to as the payload.

Penetration test

A common way of testing web sites and web applications is to run a penetration test. This is where ethical hackers i.e. people with prior permission from an organisation, run tests to see if they can find vulnerabilities, and find out what would happen if those vulnerabilities are exploited.

Typically, the testers will provide a report documenting their findings, and the organisation being tested will then fix any issues found by the testers.

This should be run on a regular basis, because new vulnerabilities, including zero day threats, are constantly being discovered.

There are also physical penetration tests, where people are hired to try to access a business. This is called a red team test.

Phishing

Phishing is a form of attack where the bad guys send email to a list of email addresses (which they’ve often bought on the dark web). The email typically either has an infected attachment or a link to an infected website, or it contains a message asking you to help someone release money from their bank account or some equally ridiculous plea for help.

These messages are indiscriminate and are not targeted at specific individuals. Those which are specifically targeted are known as spear phishing or whaling.

Principle of Least Privilege

A key feature of cyber security is making sure that users only have access to the programs or data they need access to for their job. This is known as the principle of least privilege.

For example, there’s generally no reason why someone working in the accounts department needs access to personnel records, or someone working in HR probably doesn’t need access to files for a specific project. Access would normally be restricted to help protect data.

Certified Ethical Hacker

In spring 2013 I attended a Certified Ethical Hacker (CEH) training course with Firebrand in Wyboston, England. It was a week long bootcamp, with classes starting on the Sunday evening, 12 hour days in the classroom and a 3 hour exam on the Friday morning.

The classes were made up of a mixture of theory and practical work. All attendees had a number of virtual environments to work in, and we were able to use a number of the tools we’d talked about in a safe environment. After class we had two to three hours reading every night, to read the courseware, so we spent roughly 15 hours a day on the topic.

As you can imagine, this kind of intense training crams a lot in and leaves you pretty drained at the end, but it was worth it. The course “only” gives the background, and it is then down to the individual to keep their education up by reading more on the topic, by trying the tools out and by carrying out this kind of work.

While I don’t currently do any kind of hacking as part of my job, the course gave a very good understanding of the techniques and methods used, and the risks and potential impact that each kind of attack could bring to an organisation. From that perspective, it meant I was well prepared for writing policies and standards to help counteract the threats from this angle.

Recertification takes place every three years, and in that time you have to be able to demonstrate completion of at least 120 hours of Continuing Professional Education (CPE) in related topics. I have recently completed my first recertification and am therefore entitled to use the CEH designation, approved by the EC-Council, until 2019.

Certified Information Systems Security Professional

In November 2015 I attended a week long bootcamp at Firebrand Training in Wyboston, England. From the Sunday to the Saturday thirty or more students sat in the classroom and tried to take in all of the course materials, ready for an exam on the Sunday.

The exam itself is computer based, 250 multiple choice questions, and you’re given six hours to complete it. You are permitted to take breaks, and the training centre laid on food and drink so you could freshen up a bit before getting back to the exam.

I have to say that if I hadn’t had years of experience to call on, and if I hadn’t done the Certified Ethical Hacker (CEH) qualification a few years before I would probably have struggled with some sections. As it was, I passed and then had to apply for my certification proper. ¬†That involved completing a questionnaire and finding an existing Certified Information Systems Security Professional (CISSP) to vouch for me, then waiting for several weeks before being given the good news.

As with the CISM and CEH designations, recertification requires at least 120 hours of Continuing Professional Education (CPE) in related topics over three years. As I have only recently gained the accreditation, I don’t have to recertification until 2019.

In my opinion, the CISSP from (ISC)2 was the hardest certification for me to pass, though the course for CEH was much more intense.