Computer security basics for dummies

The Internet is many-sided and unsafe: the more opportunities it gives us, the more dangers and risks it conceals. Theft over the Internet has long been a reality.

Money is stolen from cards and from electronic wallets. If it has not happened to you yet, you are either an expert at protecting your information, or lucky, or you simply have not been using the web for long enough.


The first group can look after themselves, but the second and third will benefit from this summary of useful tips. Metal doors do not save you on the Internet; here your safety depends on other factors and, above all, on how you act in particular situations.

You need not only an antivirus with a database that is updated daily, but also protection against spyware. Many people think that installing a single antivirus protects their information, and that assumption eventually turns out to be a costly mistake.

Do not click on every link you see, especially links sent to you by mail or via ICQ, and even when they come from a sender you trust: the sender's own account may have been compromised. Browsing is the most common way to pick up a virus, and a virus is an attacker's way to your valuable information. Do not download strange, unknown programs, let alone install them.

If something strange happens after you do click an unfamiliar link, disconnect from the Internet. Security software may raise a warning at this point, or the computer may stop responding. Call the specialist responsible for data security, who will work out what the problem is.

If you have an electronic wallet or any other program you use for online payments installed, securing your computer matters even more. If you are not confident doing it yourself, bring in a specialist who will install and configure the necessary programs and their settings. After all, we increasingly pay for services and make purchases without leaving our chair.

When registering somewhere, never let the site or the browser save your password, and use a different password for every site you register on. Passwords should be long and should include digits. Change passwords regularly, at least once a month, and immediately if you suspect one has leaked. Note that taking a single dictionary word and varying the case of its letters does not make a strong password: cracking tools try case variants of dictionary words as a matter of course.

Be careful about where you enter your login and password. Scammers often set up duplicate sites that look exactly like the original; the only difference may be the domain name, which is hard to notice at a quick glance, especially for a beginner. The duplicates exist to harvest logins and passwords: as soon as you enter your details, the scammers capture them automatically and can use them for their own purposes on the real site.
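The difference that is "hard to notice at a quick glance" can be checked mechanically. The following is an added example, not code from the article: it takes a link and the domain you know to be real (the made-up "bank.example" here) and reports whether the link is genuine, hides the real name inside an attacker's domain, uses look-alike characters or a one-letter typo, or is simply unrelated. The sample links are constructed for the demonstration, and the small confusables map is illustrative rather than the full Unicode table.

```python
"""Telling a duplicate site apart by its domain.

Added example, not from the article. The real site is assumed to live at the
made-up domain "bank.example"; the link URLs below are constructed for the demo.
"""
from urllib.parse import urlsplit

# A few characters that pass for Latin letters at a glance (Cyrillic а/е/о/р/с/х,
# digit look-alikes). Illustrative only, not the full Unicode confusables table.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "1": "l", "0": "o"}


def host_of(url):
    """Host part of a URL, with punycode (xn--) labels turned back into Unicode."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters


def skeleton(name):
    """Replace look-alike characters so 'bаnk' (Cyrillic а) collapses to 'bank'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, real_domain):
    """'genuine', 'subdomain-trick', 'lookalike' or 'unrelated' for a link.

    Only the registrable domain counts; anything to its left is chosen freely by
    whoever owns that domain. Assumes single-label public suffixes (no co.uk).
    """
    host = host_of(url)
    real = real_domain.lower()
    if host == real or host.endswith("." + real):
        return "genuine"
    labels, real_labels = host.split("."), real.split(".")
    # The real name used as a subdomain of an attacker's domain,
    # e.g. bank.example.secure-login.net
    if any(labels[i:i + len(real_labels)] == real_labels for i in range(len(labels))):
        return "subdomain-trick"
    registrable = ".".join(labels[-2:])
    if skeleton(registrable) == skeleton(real) or edit_distance(registrable, real) == 1:
        return "lookalike"
    return "unrelated"


# Constructed sample links. PUNY is the wire form of "bаnk" with a Cyrillic а,
# which a browser shows either decoded or as xn--... depending on its policy.
PUNY = "bаnk".encode("idna").decode("ascii")
SAMPLE_LINKS = [
    "https://login.bank.example/",
    "https://bank.example.secure-login.net/",
    f"https://{PUNY}.example/",
    "https://bamk.example/",
    "https://weather.example/",
]


def check_all(links=SAMPLE_LINKS, real_domain="bank.example"):
    """Verdict for every sample link against the domain you know to be real."""
    return {url: classify(url, real_domain) for url in links}


if __name__ == "__main__":
    for url, verdict in check_all().items():
        print(f"{verdict:16} {url}")
```

The only thing that matters is the registrable domain, the part just before the public suffix; everything to its left, and the whole path, is under the control of whoever owns that domain. Browsers apply the same idea when they refuse to display mixed-script names and show the xn-- form instead.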

These simple truths will surely help someone protect themselves online, except perhaps experienced users and computer security experts, who already know all of this very well.



Information security for dummies

Even ten years ago, many companies that lost access to their databases simply closed down, according to a report from the University of Minnesota, which conducted research in this area. Today there are of course many ways to restore information and keep working; a leak of confidential information, however, can still cause serious losses, and that applies not only to companies but to ordinary Internet users as well.

The development of information technology has taken society to a new level, where many things can be done with a personal computer and the Internet: shopping, booking hotels, simply communicating, not to mention the new opportunities in professional life. But the simplicity, convenience and speed of handling information carry a danger: the same information becomes available to third parties.

The term cybercrime has come into use only recently. Previously the word was found only among science fiction writers, but now it is part of everyday reality. It refers to hackers, or cybercriminals, who steal data to get at bank cards and accounts on various services, breaking into personal computers with viruses and Trojans.

How do you protect yourself from criminals? The simplest answer is to install an antivirus program, but unfortunately even that cannot always protect you from a break-in. Another option is to study the huge body of literature on information security that exists today. But the standards and programs presented there are, for the most part, accessible and understandable only to specialists in the field, while the threat of losing money from a bank card hangs over almost every Internet user.

However, things are not as bad as they look at first glance. With common sense and a few simple rules for working on the Internet you can significantly raise the level of protection of your data from outside threats. It is like basic care for the safety of your property, that is, protecting your apartment. You can simply fit a door and a cheap lock, or you can listen to the advice of people who work in security. They will certainly recommend reliable locks with non-standard keys and windows that are hard to open from outside; video surveillance and an alarm system; and a contract with a company that responds quickly to unauthorised entry. And there is one more rule, perhaps just as important, which you will certainly be reminded of because we so often forget it: do not open the door to strangers, and above all do not tell anyone where your valuables are.

All these measures, of course, require investment, and they must be applied together. Do not assume that good locks alone will keep thieves out of your home: any mechanism will be opened sooner or later. And if there is no alarm that sends a signal to a monitoring station, video surveillance on its own will do little more than record the theft.


From theory to practice

Any security system consists of many lines of defence that must be kept working continuously. You cannot relax the moment the technical measures are installed: the rules of safe behaviour on the network and of operating the equipment have to be followed all the time. Otherwise the security system decays, leaving only a harmful illusion of security.

How do you take care of information security in practice? Let's look at the basic rules.


Zero rule:
Don't trust anyone.

As Andrew Grove, chairman of Intel's board of directors, said, "Only the paranoid survive." Before entering any confidential information, be absolutely sure that the party you are entrusting it to actually has a legitimate need for that data. For example, a bank's website may ask for your passport details to open an account, which is a standard procedure, but an online store has no use whatsoever for that information. You would not show your passport to the seller you buy potatoes from at the market! That is the first point. Second: never, to anyone, under any circumstances, send your password. All security systems are built on the premise that only one person knows the password. If you are asked to send your password by email or to read it out over the phone under any pretext, however plausible it sounds, know that it is a scam.


First rule:
Set up your computer so that you always have to provide a username and password before starting work.

The most important program on any computer is the operating system, and what it stores should be known only to you, so set a password that has to be entered when the computer is switched on. The procedure is simple and the benefit is large: each time you type that combination of characters you confirm your right to use everything stored on the computer, and you rule out the situation where an unauthorised person walks up and has free access to your desktop and all your files. "Lock up" the information so that the machine does not resemble an apartment without doors and with a sign saying "Come in if you like." Keep in mind that a login password stops casual access only; it does not protect the data on the disk from someone who takes the machine away, which is what the seventh rule is for.


Second rule:
Never work under an account with administrator rights.

For a computer, users come in two kinds: administrators and regular users. Administrators can configure every service on the computer, install and remove programs, and change how the system works. Regular users cannot change or install anything, but they can freely run programs, use the Internet, and do their work. Now imagine a user who visits an attacker's website while logged in as an administrator. Malicious code can wipe the data or encrypt it so that the criminals can then extort money for recovering it, and neither the operating system nor the antivirus will save the user, because everything the "administrator" does is law for the computer, and it will assume those are your commands.

Some people find it inconvenient to work under a regular account because new programs have to be installed from time to time. But, if you think about it, you do not install software every day, and the advantage is obvious: visiting the attackers' site with the rights of a regular user puts a barrier in front of the malicious program that is much harder for it to overcome. It can no longer hide itself quickly and stays exposed to the antivirus. So it makes sense to give up administrator rights as a precaution; when you do need them, switch to the administrator account just for that task and switch back afterwards.


Third rule:
Your passwords should be long, complex, and preferably varied. All passwords must be changed regularly.

Passwords are a huge headache for every information security specialist, because users do not like long passwords: they forget them, or they are simply too lazy to type them. And that is when passwords exist at all. Everything here is as with an apartment: the easiest way in is to find a key that fits the lock. The same method works with computers, and the easiest way to get at data is to guess the password. In the first decades of computing a password length of 8 characters was enough, but as hardware improved, simply enumerating all combinations became a practical way to find such codes. This is what password strength means: a measure of how long it would take an attacker to find the password by brute force. Eight digits, for example, give only 10^8 combinations and are exhausted in a fraction of a second at a billion guesses per second; eight lowercase letters (26^8, about 2 x 10^11 combinations) last a few minutes. So with passwords of up to 8 characters you risk handing access to an attacker within a short time. If a short password mixes digits with letters in both cases (62^8, about 2 x 10^14 combinations), the brute-force search takes a couple of days, which is better but still not enough. You reach satisfactory strength by making the password longer and by mixing in not only letters and digits but also symbols ('$', '%', '&', '#').

But how do you create a long, complex password without forgetting it at once? Very simply: use a passphrase, for example "$Green_Cactus01". Such a password is not in any dictionary (although the separate words "green" and "cactus" are), so a plain dictionary attack will not find it. It is more than 12 characters long, and the space of strings of that length over that character set exceeds 10^20 combinations. Even at one billion guesses per second that is more than 10^11 seconds, that is, over a thousand years, for an attacker who tries every combination blindly. Be aware, though, that cracking tools do not search blindly: a pattern such as symbol + Word_Word + two digits can be attacked as a combination of two dictionary words with a few case variants, a short digit suffix and a leading symbol, which is a far smaller space. Length and genuine unpredictability, not decoration, are what make a passphrase strong.
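The arithmetic above worked through in code, as an added example that is not from the article. The rate of one billion guesses per second is the article's assumption; the wordlist size and pattern counts used for the pattern-aware estimate are assumptions of this example and are labelled as such in the code.

```python
"""Brute-force estimates for the passwords discussed in the third rule.

Added example, not from the article. The rate of 1e9 guesses/second follows
the article; a real attacker's rate depends on the hash algorithm and hardware.
"""
import string

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY
GUESSES_PER_SECOND = 1e9


def charset_size(password):
    """Size of the character classes a blind exhaustive search must cover.

    A class (digits, lowercase, uppercase, punctuation) is counted in full as
    soon as one character from it appears in the password.
    """
    classes = (string.digits, string.ascii_lowercase,
               string.ascii_uppercase, string.punctuation)
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def blind_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst case for an attacker who tries every string of that length."""
    return charset_size(password) ** len(password) / rate


def structured_seconds(words=100_000, word_count=2, case_variants=4,
                       digit_suffixes=100, leading_symbols=32,
                       rate=GUESSES_PER_SECOND):
    """Attacker who knows the pattern symbol + Word_Word + two digits.

    All counts are assumptions for the illustration: a 100k-word list, two
    words, four capitalisation variants per pair, a 00-99 suffix, 32 symbols.
    """
    guesses = leading_symbols * words ** word_count * case_variants * digit_suffixes
    return guesses / rate


def describe(seconds):
    """Human-readable duration for the printed table."""
    if seconds < 60:
        return f"{seconds:.3g} s"
    if seconds < SECONDS_PER_DAY:
        return f"{seconds / 3600:.3g} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / SECONDS_PER_DAY:.3g} days"
    return f"{seconds / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    for pw in ("12345678", "abcdefgh", "aB3dE6gH", "$Green_Cactus01"):
        print(f"{pw:16} charset {charset_size(pw):3}  blind search {describe(blind_seconds(pw))}")
    print(f"{'$Green_Cactus01':16} pattern-aware search {describe(structured_seconds())}")
```

The blind figure for "$Green_Cactus01" comes out far above the article's thousand years, because the article's 10^20 is a lower bound; the pattern-aware figure, on the assumed list and pattern sizes, is on the order of a day or two, which is the caveat that matters when choosing a passphrase.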


Fourth rule:
Use a modern, paid antivirus with automatic updates enabled, at least twice a day.

An antivirus on its own is useless without the ability to update its databases; it is like a sleeping guard dog, present but pointless. So make sure your antivirus databases are updated regularly. Remember, too, that an antivirus mostly recognises what is already known: it is one layer of defence, not a replacement for the other rules.


Fifth rule:
Turn on automatic software updates.

Always update your software, especially the operating system and the browser. Microsoft, for example, turns on automatic updates by default in its systems; other products have to be configured. Why? Modern programs are very complex and contain a great many errors, some of which affect the security of your data. With each update the vendors close the holes through which attackers could get inside your system, so a machine that is not updated stays open to attacks that are already public knowledge.


Sixth rule:
Do not store passwords on your computer or remember passwords in your Internet browser.

Once an intruder has access to any part of your computer and finds the password file, he does not even need to crack the security system. Why would a thief break down the door when the keys are under the doormat? So keep your passwords in encrypted form only, for instance on a flash drive that stays in your pocket. What matters is that the store is encrypted with a key the intruder does not have; a password manager locked with a strong master password meets that requirement too.


Seventh rule:
Use encryption systems for critical data.

Always be prepared for the possibility that an attacker gains physical access to your computer (the banal theft of a laptop, say). To stop him using the information stored on it, first set a login password (see the first rule), and second, use a data encryption system. A login password alone does not protect the disk: the drive can be removed and read on another machine, or the system booted from external media. With the disk encrypted, the attacker would have to tinker with your machine for many, many years. Note that encryption protects the data only while the machine is switched off or the encrypted volume is locked, so lock or power off a laptop you carry around.

Eighth rule:
Never send confidential information over the Internet or by email in the clear.

Unless the connection is encrypted, everything you send over the Internet travels in cleartext, and anyone who can see the traffic, for instance by colluding with a telecom operator's technical staff, can read your messages without difficulty. So protect yourself: use secure connections (https) and make sure the browser accepts the site's certificate without warnings, or use data encryption and electronic digital signature systems for the data itself. Keep in mind that https protects the data in transit only; it does not tell you whether the site at the other end is the one you think it is, which is what the zero rule and the warning about duplicate sites are about.

Ninth rule:
Install only programs whose purpose and origin you know for certain.

Everyone knows the story of the fall of Troy. The most insidious invention of that war was the Trojan Horse, and although it is several thousand years old, the method has not lost its relevance. Protection against it has long been available: do not install unfamiliar programs, whether on your own initiative or at the suggestion of third parties. The main risk areas are sites that inspire distrust, where there is no certainty that the resource is legitimate; scammers on ICQ; and spammers. Each of them tries to slip you a "unique" viewer, desktop wallpaper or other application, and with it code that turns your computer into an obedient zombie.

Tenth rule:
Follow any specific security instructions you are given, and always use common sense.


Translation: Olga Alifanova

How it all began

Not so long ago, security testing (and its equally scary sibling, penetration testing) was a huge, scary beast that was tamed only by those who understood it, and they were paid very, very well for it. Then life changed and I suddenly found myself stumbling on things that would have cost my employer dearly had I not caught them.

Suddenly I was learning about the basics of security testing, knowledge I never thought I'd need, and it was exhausting, amazing and terrifying in about equal parts.


As I began to learn more about security testing, I found that it is not as intimidating and endless as I had thought. I began to understand what people were talking about when they mentioned privilege escalation, compromised servers, or...

There will be a lot to learn. But it is not that hard to get started, and with some reading and thinking you might catch a vulnerability (a piece of code that someone with Bad Intentions could use to make the software behave in a way it shouldn't) before the software has matured enough to reach the hands of expensive security professionals (which means it is cheaper to fix: a nice bonus, right?) and long before it leaks out into the Wild Wild West... ahem, World Wide Web.

Do I really need to know this?

Many would say that all testers need to know about web security testing. Knowing more about it is a good idea for anyone who spends time online, but I think there are situations in which you won't benefit from learning about it.

You may not need to know about web security testing if...

  • You are part of a large team that includes security experts. This is their area of expertise, and if they do their job well they work with you and your developers to make sure everything in their area is at the right level of security; they also help you test your software for security issues.
  • You test software that is shipped to users and then never talks back: it does not access your servers and does not deal with confidential information. An offline Sudoku app is a good example, and if the company does not care whether high scores are earned fairly and/or is satisfied with how its servers are protected, an online casual game could be one too.
  • It is a simple display website and you do not manage the hosting.
  • You don't work on the web at all.

You need to know about web security testing if...

  • Your company's software stores any kind of personally identifiable information (this is defined by law, but in general it is anything that can be used to find you or your family).

Examples: addresses, email addresses (usually in combination with other information), government-issued identification numbers (social security number, driver's licence number, passport number).

  • Your company's software uses or stores any kind of payment information. If you store credit card information, most countries have very strict rules about storing and accessing such data, and very high penalties for failing to protect it. If you store bank account information the standards are not as strict, but you still need to keep your eyes open.
  • Your company must follow laws or procedures about data security. Some examples I know of:

Healthcare companies in the US must follow a number of federal laws.

Any publicly traded company in the United States must follow federal laws on financial controls and reporting, and any company that accepts credit card payments must follow the card industry's data security standards. A company that does not comply with the latter can lose the ability to accept credit card payments and is subject to fines and other penalties.

  • Your company has privacy requirements for the data it stores.

If you think you need to learn more about web security testing, you probably do.

Where to start

Getting started with web security testing is quite easy: there are great resources and tools out there, and it will cost you only your time. You can do a lot using just a browser!

Carefully! Danger ahead!

Before you do anything destructive, make sure you are absolutely certain you have permission to do it. Yes, even on a test server: other people may be using it for other purposes, your company may be monitoring the network for suspicious behaviour, and in general a whole set of factors play a role here that you may have no idea about. Always, always make sure you have permission to play hacker.

Free tools

All the tools I use are built for Windows, because I work in a Windows environment. Some of them are cross-platform, some are not. All of them are fairly easy to use for a newcomer testing the security waters in search of bugs.

  • Browser developer tools. Unless your company has blocked them, most modern browsers let you examine the page source, step through the JavaScript, and view the network traffic between the browser and the server. You can also edit and run arbitrary JavaScript, try changing the code, and replay network requests.
  • Postman. Although it is a Chrome extension, Postman also runs as a standalone application. You can use it to send different requests and examine the responses (here's the kicker: almost everything in security testing can be done in a ton of different ways. Experiment to find your favourites).
  • Fiddler. Telerik Fiddler is currently my favourite tool for exploring and manipulating web requests. It is cross-browser, works on several operating systems, and is easy to get started with for security testing.
  • IronWASP. One of the few free security scanners built for Windows. It is quite easy to work with and usually produces good results.
  • And one more thing... There are a lot of tools available. I have only just started learning about security, and only just started sniffing around.

I'm going to focus on Fiddler from here on because I think it is the simplest of the free tools, and the quickest to take you from poking around the interface to actually useful results.

Using Fiddler

When I came across the huge, and potentially very expensive, vulnerability I described above, I was just playing with Fiddler. It is a good thing I found it right then: had it shipped, there could have been big trouble.

Settings

I installed Fiddler with the default settings. On Windows you also get a plugin for Internet Explorer that lets you run it directly through IE (and setting it up to monitor only IE traffic is much easier than for other browsers). Depending on what you do, some of the plugins can be very useful; here are my favourites:

  • SyntaxView/Highlight. Provides syntax highlighting for writing custom scripts and for viewing HTML, JavaScript, CSS and XML. Makes fiddling with web code much less painful by highlighting all tags and keywords. I'm a big fan of things that make it easier to focus on what matters, and this is one of them.
  • PDF viewing. Very important if your application builds PDF files on the fly: you can click on the tab and see the PDF rendered. For example, if you are testing a PDF bank statement to make sure it is impossible to open another user's statement, this tool is your friend.
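The check in the last bullet (can one logged-in user open another user's statement?) reduced to code, as an added example that is not part of the original post or of Fiddler. It replays the same request with a different statement ID, which is exactly what you would do by hand in Fiddler's composer. The tiny statement service, its users, session cookies and statement IDs are all constructed for the demonstration, using only Python's standard library so it runs offline; the vulnerable handler checks that the caller is logged in but never that the statement belongs to them, and the hardened handler looks the statement up only within the caller's own records.

```python
"""Replaying a request with another user's statement ID.

Added example, not from the original post. Spins up a tiny bank-statement
service with Python's standard library so the probe runs offline; all users,
cookies and statement IDs below are made up for the demonstration.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample data: session cookie -> user, statement id -> (owner, body)
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
STATEMENTS = {
    1001: ("alice", "Alice: balance 120.00"),
    1002: ("bob", "Bob: balance 9,450.00"),
}


def lookup_session(handler):
    """Return the user for the 'session' cookie, or None if not logged in."""
    for part in handler.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


class VulnerableHandler(BaseHTTPRequestHandler):
    """Checks that the caller is logged in, but never that the statement is theirs."""

    def do_GET(self):
        user = lookup_session(self)
        if user is None:
            return self.reply(401, "login required")
        sid = self.path.rsplit("/", 1)[-1]
        if not sid.isdigit() or int(sid) not in STATEMENTS:
            return self.reply(404, "no such statement")
        return self.reply(200, STATEMENTS[int(sid)][1])  # any user, any statement

    def reply(self, code, text):
        body = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(VulnerableHandler):
    """Same service, but the statement is looked up within the caller's own records."""

    def do_GET(self):
        user = lookup_session(self)
        if user is None:
            return self.reply(401, "login required")
        sid = self.path.rsplit("/", 1)[-1]
        record = STATEMENTS.get(int(sid)) if sid.isdigit() else None
        # 404 rather than 403: do not confirm that the ID exists for someone else
        if record is None or record[0] != user:
            return self.reply(404, "no such statement")
        return self.reply(200, record[1])


def probe(port, cookie, ids):
    """Replay GET /statements/<id> as the given session; return {id: status}."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    results = {}
    for sid in ids:
        req = urllib.request.Request(
            f"http://127.0.0.1:{port}/statements/{sid}",
            headers={"Cookie": f"session={cookie}"},
        )
        try:
            with opener.open(req) as resp:
                results[sid] = resp.status
        except urllib.error.HTTPError as err:
            results[sid] = err.code
    return results


def run_against(handler_cls):
    """Start the service on a free port, probe it as Alice, shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(server.server_address[1], "sess-alice", [1001, 1002, 1003])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("vulnerable:", run_against(VulnerableHandler))  # 1002 -> 200: Alice reads Bob's statement
    print("hardened:  ", run_against(HardenedHandler))    # 1002 -> 404
```

Against a real application you would capture one legitimate request in Fiddler, then change only the ID and resend it under the same session; a 200 on an ID you do not own is the finding, and a 403 that differs from the 404 for a nonexistent ID is a smaller one, since it confirms which IDs exist.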