Ask Dennis: Information Security 101
Want to ensure the security of your information at home? Vulnerabilities may exist in the devices you use, but you can do something about that.
This is the first in a series of regular articles that Gryphon will be sharing to help current and prospective customers better understand the what and why of information and home network security. We want to better protect the people who use these networks to work and learn from home safely.
· Training teaches how we do things, and the Gryphon technical team will continue to provide excellent support on how to effectively use our products and services.
· Education teaches why we do things. We will try to provide background information that answers many of the questions you may have about home network security and safety.
Information Security in the News
Stories about huge security breaches impacting hundreds of thousands of users of software from SolarWinds, Microsoft, Verkada, and others have filled the media in recent weeks. You might be asking yourself: Should I be concerned? Is there anything I can do to better protect myself?
Each of these security breaches were different but involved common weaknesses (vulnerabilities) that attackers found and exploited in each product. This article will attempt to explain two of those vulnerabilities: unpatched software and weak credentials.
These same vulnerabilities can exist in the devices, software, and networks which you own and manage. You can do something about that!
What is Information Security?
Information security focuses on protecting the confidentiality, integrity, and availability of digital information, as well as the devices, software, and networks used to access that information.
· Confidentiality means that information can only be seen by people who should see it.
· Integrity means that information can only be changed by people who should be able to change it.
· Availability means that the information can always be accessed when needed.
There are three areas where information security controls can be effectively applied: people, process and technology. These are areas that we plan to address in future articles so that you can better understand what we do, and what you can do to better protect your home network and the people who use it.
· Educating and training people to make better decisions that minimize security risks.
· Establishing and following processes to identify, understand and manage people and devices connected to home networks.
· Choosing, maintaining, and managing technology properly to reduce vulnerabilities.
What are Software Vulnerabilities?
Do you get frequent notices from hardware, software, and network companies about applying software patches? Do you ever wonder what that really means and why there are so many patches? Let us try to explain:
Every piece of software starts with a specification (intended functionality). After the program is created a team tests it to determine what the program does (actual functionality). This is called use case testing and identifies features that are missing or not operating properly (traditional faults). These are normally fixed before the software is released to the public.
But some software vulnerabilities are only discovered after their release, impacting the security of your information.
By Herbert H. Thompson and James A. Whittaker
Dr. Dobbs November 01, 2002
After the software is released to the public, attackers begin looking for things the software does that it should not do (unintended, undocumented, or unknown functionality). That is called abuse case testing and tries to discover vulnerabilities that an attacker could exploit.
Once a vulnerability has been identified and can be exploited, attackers begin to use it as a tool to break into systems and disclose confidential information, alter the integrity of the information, or cause an availability (denial of service) attack.
When software manufacturers are made aware of the vulnerability, they work on fixing it and issue a software patch to correct the problem. Sadly today there are still vulnerabilities that have existed for many years and remain unpatched on millions of devices.
Every one of the major breaches described at the beginning of this article involved exploiting software vulnerabilities. This is why applying patches promptly is critically important and something you can do to reduce your information security risk.
What are Strong vs. Weak Credentials, and how do they affect Information Security?
When you meet someone, how do you know who they are? In-person we can recognize the individual (see their face, hear their voice, shake their hand.). And you meet them in a context (a certain location, via other people, etc.) that further validates their identity. In addition, you may ask for a credential (like an official photo ID) that even further proves a person is who they say they are.
Until recently, and sadly even today, most Internet credentials are simply a user ID and password. If I learn your user ID and password and I can log in correctly, I become you. If I learn your credit card number and the card doesn’t require anything else to use, I can buy anything I want.
In general, your identity can be proven by:
· Something you are (photo, fingerprint, voiceprint, other biometric),
· Something you have (credit or debit card, official id, security token, etc.), or
· Something you know (user ID, password, passphrase, other secret).
Each of these is called a factor of authentication. If you use only one of them it is called single-factor authentication. If you use two or more of them it is called multi-factor authentication. Guess which type is stronger? This is why Gryphon always encourages users to set up multi-factor authentication on their accounts!
Believe it or not, in one of the attacks mentioned at the beginning of this article, users had not changed the default user ID and password supplied by the manufacturer. That is one of the easiest things for a hacker to exploit. Gryphon does not allow default credentials.
Whenever you install a new hardware device, network device, or software product, immediately change all default user IDs or passwords to something that only you know and that would be exceedingly difficult for an attacker to guess. The longer and more complicated it is, the more possibilities there are, and the less likely it is to be compromised.
By: Dennis Devlin
Consumer Security Advocate
Future Articles in this Series…
In future articles, we plan to cover a range of topics that try to explain the why of information security in plain English. The author has had a long career as a Chief Information Security Officer for major corporations and research universities and knows what is needed to protect large enterprise networks. He will work to distill that knowledge into practical things that you can do to protect your home network and the people who use it. Your comments, feedback, and suggested topics for future articles are welcomed and encouraged. Thank you for subscribing!