Saturday, August 26, 2017

Security!!! (Weeks 10-12)

Good lord, I noticed just now that this blog post didn't successfully get submitted last night. Okay, okay, I know that it sounds like a very lame excuse for a late submission but it's totally true! Canning the excuses and moving on, let's go to what I learned the past two weeks...
Physical security. Yep. That's one out of the two things that we focused on. Physical security is exactly what it sounds like: security through physical means, as opposed to using "abstract" defenses like firewalls and such. Physical security entails a LOT of work. Using different types of extinguishers is obvious. Knowing that the number of entrances should be limited is totally logical. Physical security almost sounds easy. Suddenly, the little, yet significantly many things called Minute Details swarm at you and bite your butt. Different door types? Bollards? Natural pathways to direct you to common - or in some cases, private - areas? Did you even know that they have different kinds of sprinklers (see wet and dry pipes)? Apparently, security goes beyond crime prevention and extends to damage control. I actually asked my father (who I call Tay) for tips. He said that it is indeed a very serious affair. Fire exit corridors have to be made out of non-flammable material, including the paint. Everything has to be earthquake-proof. He even mentioned this one time when they got tasked to create a paint factory; electrical conduits have to be triple-gasket-sealed 'cause the high-voltage wires could ignite the chemical-riddled air at some areas. Everything's really serious here. And we aren't even dealing with software here.
The second lesson was all about security through network structure. Now, this was something that really interested me. For example, did you know that a network generally has three zones in an enterprise environment? We have the untrusted zone (basically the internet, world wide web for us normies). We have the demilitarized zone or DMZ, which contains the servers. It separates the servers from the rest of the LAN segments. DMZ was derived from the Korean Military Zone (that's a fun fact). There are various ways to create DMZs, the most secure being to contain it within two firewalls (outgoing and incoming). We also have intrusion detection systems like Snort and many other threat-deterring snares.
That's about it for this week. Again, I'm sorry for the post being late. As a side note, I feel very motivated to pass our final exam. No, it's not about the meal from Shakey's promised to us. I really, really, want to pass the test, for a reason that I have yet to ascertain. Rest assured, I will learn a lot from my study reviews, regardless of whether I pass the test.
This is my second-to-the-last blog post, dear reader(s). Thanks for riding along this brain train. Have a nice- (life, day, afterlife, existence, etc).

Saturday, August 12, 2017

Crpyotgraphy n Stuff (Weeks 9-10)

What's up, what's up?! It's another one of my learning logs and I am sorry that it is late once again. Anyways, I'm supposed to talk about the past two weeks again, aren't I? Hmmm let's see. The thing is, we've only had one actual day where we discussed something about the lecture, and the rest is all about the debates and the presentation of the machine projects.
I suppose I should talk about cryptography first. Cryptography, in its most elementary definition, is the altering of something in such a way that only a certain destination can decipher it, which means that the encrypting process was already agreed upon beforehand. One of the earliest forms of cryptography is the Caesar cipher, where each letter is altered to another letter, either forwards or backwards, according to a certain count. However, this is still rather weak, as one of the criteria for a strong encryption algorithm is that it should eliminate all patterns. Anyone who knows how to do a Caesar cipher can easily crack a message of that nature even if they do not know the letter skip. They merely have to adopt a trial-and-error method.
Encryption algorithms must always be tried and tested. And what better way to do that than to release it to people who would willingly try and crack it for free? This is Kerckhoffs's Principle, where it is stated that algorithms must be publicly known to ensure their strength. Also, there will never be an unbreakable algorithm, as Moore's law states that technology is advancing at a very fast pace measured through the number of transistors per square inch of every integrated circuit. Moore saw that this number is actually doubling at a time period of one year, though it has currently slowed down with the change being exhibited only once every 18 months.
There's actually a lot more to the lecture but it gets to the actual algorithms themselves. Asymmetric, symmetric, and a lot of other things. However, I don't really want this blog post to be another version of the lecture. So if you're more interested in cryptography, read up! It's actually quite interesting.

Saturday, July 29, 2017

The Not-too-dry-ware (Weeks 7-8)

Time for weeks 7-8! I know that this learning log's two days late (durrr) but that doesn't mean I won't put my heart into it. Let's see. Admittedly, I'm still looking into the Moodle files to see what exactly we discussed these past two weeks (yes, my memory is that bad).
Hmmm here's an article that wasn't covered in the lectures. Security Bulletin, The Human Vulnerability: Exploits and Countermeasures. Who wrote it? It's none other than this blog's sole readership, Mr. Justin Pineda himself (gasp).
I confirm that yes, I did read the whole thing. And I have to agree with a lot of points. Humans are the weakest link. Humans do pose the biggest security threats. Emotions are the most exploitable factor of the human; funnily enough, emotions do make the man. Trust is exploited. Recreational desire is exploited. Alarm is exploited. The degree of how much a person can read another person's future actions through their emotional habits is really rather remarkable. So much more amazing is the fact that alarm, which is supposed to raise a person's immediate awareness, is actually a danger as a long-term effect.
As a finishing note, I have to say that I was amazed by the things that social engineering can do. I have never really heard of a case where a high-ranking person is tricked into revealing sensitive information by a single phone call. Is wittybunny.com a security risk too? (not that I use it).
Well, I have to go. While looking through the file in Moodle, I saw that the debate for tomorrow's supposed to be formalized :O. And in an Asian Parliamentary form no less. I gotta go prep up my teammates. So ciao! See you in two weeks, where hopefully I'd have thought up a blog name by then.

Friday, July 14, 2017

Weeks 5-6: Cyber Crime's Slimy Side

The one thing that imprinted itself into my mind the most is the lesson about laws and rights concerning what constitutes an illegal computer-related activity. The knowledge of all these laws was put to the test when we were subjected to this wacky yet typically complicated use case about Pam, which happens to be my nickname, which means that I had to endure the constant ribbing of my teammates whilst solving this particular problem. But I digress. Pam is apparently a journalist who wrote and published an article incriminating this political figure. Gasp. A guilty political figure, who would have thought that politicians could do that? Apparently, the leads from the article all turned out to be true. Now, here's the twister, the information was swiped by a hacker from the politician's email, and was handed over to Pam. Now who was at fault? If we were to gather all the acquitting information, the only one we could think of was that if the politician didn't have something to hide in the first place, then maybe he wouldn't have gotten into trouble. Evidence against her, on the other hand, is quite large, but is made difficult due to the fact that although she did knowingly accept "dirty" information. The best laws that we think that she violated were some sections underneath the Fourth Amendment concerning illegal access of information, the one about violating the right of releasing information which may cause embarrassment to a person, as well as about three more which I won't mention anymore since they are almost on par with the kind of violation in the earlier two that I had mentioned.
That exercise was really tiring by the way. Not to mention bamboozling.

Friday, June 30, 2017

Weeks 3-4: I may not have the experience of security, but I do have the security of experience

Admittedly, I still had to read up again about last week's topics from the INFOSEC Moodle page. Okay, so my memory is bad. On the plus side though, of the 26 pages that chapter two has, I'm already at page 12. Heh heh. I'm gonna stop right here though since I still have this learning log to write. Without any more stalling, let's see what I learned these past two weeks...
I find it really amazing that the world of security really gets complicated, especially in the corporate world. I remember that discussion about the structure of privileges in a given system (a simple information filing system for example). These were the Biba and Clark and the other models. Honestly, I haven't even thought of that type of controlling a person's privileges. It seems that security is a lot more nuanced than I thought it would be. Honestly, whenever I see the word "security", I (almost) always make it relative to my course - which is of course all about computers. Who would've thought that security would go beyond a simple "firewall"? I guess I have a lot to learn. For instance, password policies are something that I thought that people don't really use anymore with the mindset that everything has been entrusted to super high-tech computer related stuff. After what I've read in this chapter though, I can clearly see that the security is layered.
Going to the research paper, I have to say that it's progressing rather well. I've had about 16 research papers now as reference. True, almost all of these papers were locked behind paywalls, but who could really resist the power of SciHub? With a bit of luck, I'm sure that roughly 2/3 of the paper should be done by the end of this coming week.
Phew, it's already 11PM. I guess it's time to wrap up this post. Until next time dear reader!!! Let's pray for a more engaging literary result next time yes?

Wednesday, June 14, 2017

Weeks 1-2: Maybe we can Just Kill Management?

Pretty curious title eh? Well, it probably won't be so strange if: a) You are a person working in a company as an IT employee, or b) you're a student (or at the least, was a student) in a class like Information Systems and Security. I mean, how hard do real-life financial management company sectors have to be argued with before they give in and invest in security measures before the unthinkable happens? Really, escapism coupled with greed can really turn heads faster and in more degrees than Emily Rose's.
I'm getting ahead of myself aren't I? Since I haven't had the time (nor the motivation) to create an introductory post, let me fill you in on what INFOSEC is really about.
Per syllabus, this is what INFOSEC is: This course primarily discusses the various domains of security such as physical security, operational security, network security, host security, application security etc. I just have to tell you, I had to type all that, since the PDF in Moodle doesn't support copy-pasting for some reason. Putting it from my perspective though, INFOSEC is more of exploring concepts of various types of security, answering more of why's rather than the more practical how's. Kinda like data structures as compared to CSPROJ, or something like that.
Getting down to these weeks' highlights, we had an activity in which we were to solve a case study about a grocery store facing about P60,000 in lost merchandise. It didn't help that the store employs an honesty system. It was also explicitly stated that management can no longer allocate budget. Now, we were told not to overthink, but telling me not to overthink is like telling someone not to think of a red elephant eating a watermelon while riding a unicycle. Cutting to the chase, we made a solution changing only policies and not involving any more costs, though judging from the prof's reaction, it wasn't really satisfactory. Looks like from now on, I'll have to think more of a person really defending a cause that's good for the company. It's already 11:04, so, ciao!