Tuesday, 14 March 2023

Stepping up to your personal security role


Close your eyes and try to conjure an image or scenario in your mind around the phrase "cybersecurity incident". When you do so, what picture starts to form in your mind? Depending on your background and level of expertise, the image generated by your frontal cortex could very well be completely different from what's imagined by someone else. Yet security is a responsibility that we all share, even though opinions may differ from one person to the next.

An individual with no formal experience in the technology industry might imagine a cyber security incident as a very smart individual with very impressive computer skills gaining access to a company's servers by moving between 3D buildings with light-pulses flashing around, accompanied in the background by a techno soundtrack that would've been quite catchy in the 90s. If the image in your mind resembles that, I'll blame Hollywood, because cyberattacks are not like that at all. Don't get me wrong, the 1995 film "Hackers" (which stars Jonny Lee Miller and a much younger Angelina Jolie) is a cult classic, and a lot of fun. But in the real world, most hacks are not that sophisticated, and they're not even fun.

For readers with experience in IT, what I'm about to say won't be surprising at all. But if you haven't worked in the IT field, then my observations will be downright shocking. Sometimes, what seems like a sophisticated hack (as the media might portray it) was just a simple phone call. That's it. No fancy visuals designed on SGI workstations.

Yet we do have our fair share of bad actors - though in the industry, we refer to these individuals as "threat actors," and they're way worse than the bad acting we might see in Hollywood hacker movies (no offense Angelina, you were new at the time).

In the real world, when a threat actor gains access to an unauthorized system, it might have played out as a simple phone call to someone within a company. Perhaps that person claimed to be someone in the company's IT department, asking employees for their password. All it would take is for one person to reveal their password and the company is all over the news (for the wrong reasons).

But to be fair, technology is a huge topic. It consists of many different disciplines and mastering this field can take decades. Thankfully, good security hygiene doesn't require you to become a tech guru. And it doesn't matter what your current job role happens to be: Security is important. And you should absolutely be paying attention to it.

In many organizations, there's unfortunately a divide between IT staff and other employees. This divide doesn't have to exist, but it’s found in many organizations depending on their cultures. And it's this divide that can hurt the most. But in order to keep ourselves secure, we really do need to all be on the same page; part of the same team.

For non-technologists, navigating the world of computing can be frustrating. Users are asked to change their passwords regularly, are urged not to repeat the same password on each service, and have to use multi-factor authentication to further protect accounts. For IT professionals, these things are the norm. For everyone else, such policies are a nuisance. Why can't the IT team just make all of the organization's servers 100% invincible? Why constantly inconvenience users?

Often, your typical employee wants to get their job done - and they're not so enthusiastic about opening Google Authenticator for the fifth time in a single working day. The thing is - security is not simple, even if some of the recommended practices often are.

When it comes to those of us working in the field, inconveniencing users is the last thing we want to do. But to many, that's how it may seem. In reality, those of us working on our company's servers want the same things everyone else does - we want to have as stress-free a job as we possibly can. Like others, we want to get our job done and maybe (just maybe) get out of work on time to catch that new superhero movie everyone is talking about.

But here's the thing - security is important to everyone. Or at least it should be. Taking security seriously might be the only reason your company still exists. Does that sound overly dramatic? Well, it kind of is - but it's still correct. All it takes is a single cyber security incident to harm the reputation of your entire organization. And if that happens, profits plummet, and I'm sure you know the rest.

In 2020, Twitter became the victim of a cyber attack. According to the Verge, Twitter revealed that "a few employees were targeted in a phone spear phishing attack." This means that the cyber attack wasn't the result of some 19-year-old computer mastermind cracking codes; the threat actors only needed to pick up the phone.

Yes, they made a series of phone calls. And unlike how security incidents are portrayed in the movies, it's not exciting or entertaining at all. Considering how many attacks begin from a simple phone call or email message, a threat actor doesn't have to be a computer expert to gain access to protected systems. They'll simply pick up the phone and ask for someone's password. And after that, chaos unfolds.

The Twitter example that I mentioned earlier is one of many. While yes, there are threat actors with incredible computer skills taking advantage of unpatched vulnerabilities, many security incidents begin with simple tricks played on well-meaning staff, a hack known as social engineering.

Due to this, security is everyone's responsibility, regardless of their role within a company. The security of an organization is only as strong as the weakest link. All it takes is for one person to click on a malicious link or believe a very convincing (yet completely bogus) phone call is real.

Okay, so what's the solution?

The answer is education. Education empowers everyone, and without end-users being properly trained, the likelihood that someone may fall for a social engineering attack is higher than you might think. And it's only going to get worse from here.

As complicated as the IT industry can sometimes be, if we educate our users we will be better protected. Security training within an organization should be taken very seriously. Teach your team members how to handle the various types of security threats they might face.

For those readers who do work in the IT field, pay special attention to the message. Don't just teach your colleagues what to do in the face of an uncertain situation: Let them know why it's important. Rather than communicating the password policy alone, let everyone know why it exists in the first place. During security trainings, give people actual real-world examples to help illustrate how real cyber security incidents are, and how they actually happen. If you perform an internet search for something like "cyber security breach," the search will return all the results you may need; news articles centered on actual companies that became victims.

Perhaps others within your company may be more eager to follow the password policy if you give them an example of what can happen when there isn't one. In addition, throw in an example of what an organization may have gone through when someone clicked on a link within an email message they thought for sure was actually real.

In short, don't just communicate your company's policies; let everyone know why they exist. And perhaps more importantly, let them know what can happen when they don't.

In order to protect our livelihood, we need to be on the same team. Security hygiene is a responsibility we all share.

Read the previous post of this series: Why Seek an LPI Security Essentials Certification?

Source: lpi.org

Saturday, 11 March 2023

Open source myth: That it has a higher total cost of ownership (TCO)


This myth has been long-standing. Proprietary vendors would acknowledge that there were license fees associated with their software, but would point to the costs of migrating, re-training users, and higher wages and scarcity of comparable software support due to fewer "open source people" who can run free and open source software (FOSS).

However, there are weaknesses with those statements—indeed, with any TCO study that doesn't take into account the particular site considering a purchase, and especially with any TCO conducted by a vendor to promote its own products.

Numerous studies conducted by people more familiar with (and sympathetic to) free and open source software suggest that its TCO is excellent. Such studies include one by Foss Technologies, Kenya and one by LWN.

A close look at Microsoft-funded studies reveals that they did not expose the true costs of the proprietary licenses. Many of these license costs were hidden in the purchase of new hardware, pre-installed operating systems, and even applications. If the hardware was purchased without the normally "bundled" software, the cost of the hardware would drop, allowing a more level playing field.

Microsoft has removed these studies from its web site. But one 2008 Microsoft study, which disappeared from its web site but was preserved by another organization, admitted that GNU/Linux has just as good a TCO as Windows—at least under certain circumstances.

The cost of ownership studies typically looked ahead for the next five years. During this time, personnel training for the proprietary operating system was typically ignored, since "everyone knew how to use that operating system." In contrast, of course, employees had to be trained to use the open source operating system because "no one knows how to use it."

However, the five-year studies missed a few things that happened in the sixth and following years. Sites had to install updates to the proprietary system, and sometimes do additional training. Likewise, sites might have to pay license update fees for the existing software.

Open source software, on the other hand, typically has a "flow" of updates that take people from one version to the other without needing massive retraining or license upgrade fees.

Over the years, many more people have been exposed to open source software and trained to be system and networking administrators, making these needed support people much more available, and giving a greater salary range for different jobs.

A number of years ago, proprietary software companies would generate TCO estimates, but over time, as the five-year TCO of the two styles of software became closer and closer, the companies stopped releasing their numbers.

However, TCO is not the only issue. Return on investment (ROI) is another consideration. If you have a certain amount of money to invest in a solution, perhaps that is the greatest issue.

People tend to think of open source versus proprietary software just for the desktop, not considering the costs of proprietary software for servers. Servers do not tend to have the server software bundled in. Licenses for server software are typically very expensive. Likewise for licenses for closed source software such as databases, geographical information software (GIS), statistical and data reduction tools, project management tools, etc. The cost of the licenses needed just to build your infrastructure can be daunting, particularly for a start-up.

In addition, look at the terms and conditions of your existing proprietary software license. You may find hidden costs in there.

As an example, a well-known proprietary database company used to insist that the only way to share a customer’s data with another customer (even a customer properly licensed for the same software) was to unload the data from the database and reload it into the other customer’s database. For large amounts of data (think petabytes) this would take days, as opposed to imaging the disks holding the data and giving the images to the new customer.

Development, training, and support for a new project (as opposed to converting an already existing project to FOSS) are typically the same whether you are using FOSS or proprietary software, but you don't have to pay up-front license fees for the software if you use FOSS. So consider using FOSS for new projects.

Likewise, if your existing project is not working properly, or is coming up for an expensive license renewal, consider re-implementing it with FOSS.

Another issue that isn't considered often enough is equipment reuse or redeployment. One of the early uses of Linux was to redeploy older equipment that was "retired" from the desktop or mainstream server to be used as routers, firewalls, switches, etc. This gave value to hardware that otherwise would be sent to the dump. These cost savings also fit into total cost of ownership.


Source: lpi.org

Thursday, 9 March 2023

LPI Security Essentials Certification?


In today's digital age, security is of utmost importance, and individuals who possess the right security skills are in high demand. One of the most respected security certifications in the industry is the LPI Security Essentials Certification.

Introduction:

Security is essential in today's digital world, where cyber threats are a constant concern. Organizations are looking for skilled professionals who can secure their networks, systems, and data against cyber threats. One way to demonstrate these skills is by obtaining security certifications, and the LPI Security Essentials Certification is one of the most recognized certifications in the industry.

This certification validates the candidate's understanding of basic security concepts, including risk management, cryptography, network security, access controls, and more. This article will provide an overview of the LPI Security Essentials Certification, including its benefits, exam details, and study resources.

LPI Security Essentials Certification


The LPI Security Essentials Certification is a globally recognized certification that validates an individual's understanding of basic security concepts. This certification is an excellent choice for individuals who are looking to start their career in cybersecurity or are interested in expanding their knowledge of security concepts.

Benefits of LPI Security Essentials Certification


There are many benefits to obtaining the LPI Security Essentials Certification. Some of these benefits include:

1. Recognition: The LPI Security Essentials Certification is globally recognized and respected, making it an excellent addition to your resume.

2. Career advancement: This certification can help you advance your career in the cybersecurity field by demonstrating your knowledge of basic security concepts.

3. Enhanced skills: Preparing for this certification will enhance your understanding of security concepts and make you a more valuable asset to your organization.

Exam details


The LPI Security Essentials Certification exam is a multiple-choice exam that covers topics such as risk management, cryptography, network security, access controls, and more. The exam consists of 60 questions, and candidates have 90 minutes to complete it. The passing score for this exam is 500 out of 800.

To register for the exam, candidates must create an account on the LPI website and purchase an exam voucher. The exam voucher is valid for one year from the date of purchase, and candidates can schedule the exam at a Pearson VUE testing center.

Study resources


Preparing for the LPI Security Essentials Certification exam requires a significant amount of effort and dedication. However, there are many study resources available that can help you prepare for the exam. Some of these resources include:

1. LPI study guide: The LPI study guide provides an in-depth overview of the exam objectives and includes practice questions and exercises.

2. Online courses: There are many online courses available that cover the topics included in the exam. These courses can provide an interactive learning experience and may include hands-on labs.

3. Practice exams: Taking practice exams can help you assess your knowledge and identify areas where you need to improve.

Conclusion


In conclusion, the LPI Security Essentials Certification is an excellent choice for individuals who are looking to start their career in cybersecurity or expand their knowledge of security concepts. This certification is globally recognized and respected, and obtaining it can enhance your career and make you a more valuable asset to your organization. If you are interested in obtaining this certification, be sure to take advantage of the study resources available and prepare thoroughly for the exam.

Tuesday, 7 March 2023

Why Seek an LPI Security Essentials Certification?


IT security is more important than ever. We are all, as individuals and as organizations, exposed to IT security threats. Therefore, every computer user needs information about protecting computers and data.

This goal prompted LPI to create the Security Essentials certificate to explain IT security. Having this certification is critical for anyone who wants to develop their general IT competence in order to protect their computer, smartphone, data, and digital identity, as well as for companies and organizations that want to secure their operations.

Security Essentials is designed for students who want to learn the basics of IT security, get started in this field, and get a certificate that will help them find a job. It is also made for teachers, schools, and universities who want to teach these basics. Companies can also encourage their staff to get the certificate, to improve their overall IT security.

The current version of the certificate is 1.0 (identification code 020-100), an exam of 40 questions to be answered in 60 minutes. The objectives lay out what you need to know to obtain certification. Topics include security concepts, encryption, device and memory security, network and service security, identity, and privacy. As a prerequisite, you must pass the Linux Essentials 020 exam.

Individuals and institutions can approach Linux Security Essentials as follows:

◉ Students and other individuals: Please view the objectives to see what you need to know to obtain the certification. Test-takers can also form groups to share resources, explain study methods, and experiment. Also use available tools, such as practical tasks, quizzes, exercises and simulators, to better understand the topics discussed.

◉ Teachers and school administrators: Compare the certification objectives with your school or university course listings to check for coverage and gaps. 

◉ IT security teaching institutions: Become an LPI partner to give students access to educational and examination materials. Partnering with LPI can also help you gain new customers.

The Security Essentials certificate is the perfect tool for those who want to learn or teach the basics of IT security. Because of the wide recognition of IT security’s importance, this certificate can be helpful when looking for a job in the IT industry or when strengthening IT standards in organizations.


Source: lpi.org

Saturday, 4 March 2023

Community Event Creates a Vision for Empowerment


Jumping Bean, a computer consulting firm located in a suburb of Johannesburg, South Africa, received an unusual phone call in late 2022. Parents of students at a local high school, consisting predominantly of previously disadvantaged students, asked the organization to run an educational day.

Jumping Bean took up this unusual opportunity and decided to focus on open source software as an enabler for under-represented demographics entering the computer field. Staff offered short lectures on open source, highlighting the value of certifications granted by Linux Professional Institute (LPI), with which Jumping Bean is a partner. The staff also ran some games and handed out Linux Career Guides.

Mark Clarke, whose job title at Jumping Bean is Technology Sensei, said that the event drew 50 students headed toward graduation (“matric”) and their parents, along with a few teachers who could find time to get away from their seasonal work on final exams.

The Importance of Offering a Career Path


Clarke laid out difficult conditions for education in South Africa. Funding is uncertain, and the general quality of secondary education is declining. Universities are out of reach for many qualified students, and youth unemployment has been rising at an alarming rate. As an example of the infrastructure problems South Africans face, Clarke warned me that his electrical power might be turned off soon.

Jumping Bean offers courses on a wide range of computing topics, aimed at college students pursuing professional careers as well as professionals in computing or other fields who want to improve their skills. Courses are offered both at their Ferndale site and online.

Jumping Bean values its partnership with LPI because their certifications have international recognition. At the high school student event, staff explained the reasons for getting certified. They explained what careers are like in web programming and computer security, both of which now have certs from LPI.

The staff also opened students up to a broader understanding of computing infrastructure and open source: for instance, that Linux runs most of the computers in cloud services such as AWS. The staff also discussed the online games loved by students, describing the networks and data centers that supported these games and the role of open source software.

Opportunities for Reaching Out to Youth


It appears, from Clarke's description, that the career day they ran had an even deeper influence on the presenters than on the students. Jumping Bean, which has focused on professional development, is interested in reaching out to beginners with less background and fewer resources. They'd like to do something to address youth unemployment.

Discussions at Jumping Bean have started with plans for more such events. They may create a code camp, both in-person and online. Other ideas include study programs with online meetings. Their marketing department plans to contact the high school to discuss follow-up activities.

Eventually, Jumping Bean would like to offer programs to the kinds of high school students who attended the December event. But because few students can afford this kind of professional training, such a program would depend either on government funding—which is unlikely to be forthcoming—or private grants.

The success of this recent student event, and its impact on the hosts, show the great social value, and eventually the business value, of holding community events and looking beyond the horizon of one's current business model. Congratulations to Jumping Bean for rising to meet the request of local citizens.

Source: lpi.org

Thursday, 2 March 2023

Open source myth: That intruders can more easily find flaws


People who think that open source suffers from poor quality often air this myth as well. It seems superficially to make sense, because malicious attackers can read open code and find bugs they can exploit. These bugs are often called "zero-day vulnerabilities" because they exist in software when it is first released, and the intruder might find the flaw before legitimate developers and security researchers.

But consider this: Why are modern security tools (such as the encryption methods used to send data securely over the Web) open source?


In fact, security researchers prefer tools that are open source. This allows a wide range of experts to review the code. Proprietary tools generally are insufficiently reviewed by security experts, and therefore have flaws.

Yes, open source tools still have security flaws. But the rate is about the same as in proprietary software. Malicious attackers can use disassemblers and other tools to slice through the obscurity of proprietary code and discover its flaws.

There is a practice in the computer field called "security through obscurity." This practice is based on the hope that nobody will break into your system because they won't find it or won't know where its weaknesses lie.

For instance, because many tools such as Google Docs assign URLs or file names containing long strings of random characters, many people think they don't have to protect the documents any further. Security through obscurity is the principle behind hiding source code.

Security through obscurity is sometimes useful in conjunction with other, more robust practices such as encryption. But the principle is generally disparaged by security experts because sophisticated attackers can find ways around obscurity. In this age of fast, massive calculations that can analyze terabytes of data quickly, it becomes less and less feasible to hide what you're doing just by keeping it secret.
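
The random-URL case above can be modeled in a few lines. This is an added example, not code from the original post or from any real service: the DocStore class, the /d/ URL layout, the user names and the log lines are all constructed for illustration. It shows that a long random link resists guessing but stops protecting the document once the link is copied somewhere others can read, while a document with an access list stays closed even when its link is known.

```python
import re
import secrets


class DocStore:
    """Hypothetical in-memory document service (constructed for this example)."""

    def __init__(self):
        self._docs = {}  # token -> (body, allowed users, or None for link-only)

    def create(self, body, allowed_users=None):
        """Store a document under a random token.

        allowed_users=None models "anyone with the link" sharing.
        """
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable
        acl = set(allowed_users) if allowed_users is not None else None
        self._docs[token] = (body, acl)
        return token

    def fetch(self, token, user=None):
        """Return the body, or None when access is refused."""
        entry = self._docs.get(token)
        if entry is None:
            return None
        body, acl = entry
        if acl is None:
            return body  # obscurity only: knowing the URL is the whole check
        if user in acl:
            return body  # access control: the caller's identity is checked
        return None


# Assumed URL layout /d/<token>; matches tokens made by token_urlsafe().
URL_TOKEN = re.compile(r"/d/([A-Za-z0-9_-]{20,})")


def tokens_in_log(lines):
    """Collect document tokens that were written into log lines."""
    return [m.group(1) for line in lines for m in URL_TOKEN.finditer(line)]


def demo():
    store = DocStore()
    link_only = store.create("Q3 salary plan")
    restricted = store.create("Q3 salary plan", allowed_users={"alice"})

    # Constructed proxy log: both URLs were recorded when they were opened.
    log = [
        f'10.0.0.7 - - "GET /d/{link_only} HTTP/1.1" 200',
        f'10.0.0.7 - - "GET /d/{restricted} HTTP/1.1" 200',
    ]
    leaked = tokens_in_log(log)

    # "mallory" can read the log but is on no access list.
    seen = {t: store.fetch(t, user="mallory") for t in leaked}
    return seen[link_only], seen[restricted], store.fetch(restricted, user="alice")


if __name__ == "__main__":
    print(demo())
```

The link-only document is returned to whoever holds the URL; the restricted one is returned only to a user on its list, which is the "more robust practice" the obscure URL needs to be paired with.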



Source: lpi.org