Security 101

Security in IT is a gigantic huge topic that is impossible to fully cover. In addition, it constantly evolves and almost every single day appears a new vulnerability, malware or God damn knows what technique in order to compromise a system.

The duty to protect and be aware of all of these vulnerabilities and update the apps/sites/services/systems in order to reduce the risk of new issues becomes an overwhelming task. So the aim of this series of articles is not to try to explore the entire landscape but to set and briefly describe some related main topics instead.

I will focus on the development side of the spectrum. I’ll try to explore both roles: as an attacker, and what measures could avoid the attack or at least reduce the window of exposure. This is always an unfair battle. The attackers just have to achieve their goal once. The line of defense, instead, it simply can’t fail just once. One leak, exploit, hack and the entire system can easily be compromised.

But, what do we mean when we say compromised? Well, the actual dimension of the damage is not always obvious or quantifiable. The main targets are common data, infrastructure, and ultimately money, not necessarily in this order.

Data became the “new oil” they claim. Any piece of information provides a potential intelligence to be used or trade at some point. Either if it is personal-sensitive data like emails, addresses or credit card numbers, or regular “boring” ones like activity logs or search queries. All of them have some value and try to imagine put it all together.

If data actually has this value, a real monetary value, the next question is where do we store it in order to keep it safe? If we do the analogy with current money, there are at least a couple of strategies:
- Put all your money under your bed
- Put it in a bank

All thieves know that there is a lot of money in banks. Banks know that as well. So they manage to try to keep it safe. It is basically all that they do. The trade-off is that at some point other people know about your money. This is a matter of trust, that’s all. I think is a pretty accurate analogy to what happens with data. You can try to store it yourself or put it in some cloud providers. The trade-offs are the same as the analogy.

Compromise a system and access to its infrastructure provides resources to be used in different ways. Either to send spam, denial-of-service (DDoS) attack or simply use it as a proxy to compromise other services in order to make more difficult to track.

And at last, but not least, money is a more conventional target. Obtaining passwords, credit card credentials, bank accounts, etc. is a straight forward way to access directly to the target. It could be some more sophisticated and tricky ways to achieve the goal tho. Hack systems and use them to cryptocurrency mining to put just one example.

We definitely must take care of how do we use technology, be responsible and mature. Systems are becoming more and more complex which demand proficiency from the engineers and from the users as well. All we are part of this.


Mar 18 2020