100 Days to Cyber Security Literacy (Day 2): The hackers are coming! They want our passwords!
Alright, folks! Excuse the little break. I am moving soon and have had a ton of stuff to do.
On Day 1, we established the geopolitical reality that cyber warfare is now a thing. Attacks on infrastructure will likely be a part of a cyber warfare strategy. From that emerged my personal mission for this 100-day experiment: to understand better what skills and knowledge are needed to protect critical infrastructure. Finally, I listed the online materials I would use to provide direction to our exploration.
Today, we are going to talk about Cyber Security from the ethical hacker’s point of view, and thus, build some more vocabulary. While we want our adventure in Cyber Security to be fun, we need to build the formalism that the established professionals, who are currently safeguarding our countries’ infrastructure, are using. We will conclude with a brief practical exercise in password security.
We have to emerge from the womb before we can crawl!
Think Like an Ethical Hacker
What is your mental image of a hacker? Do you think of a guy wearing a hoodie in a basement where every flat surface is covered with Mountain Dew cans, empty ramen noodle cups and pizza boxes? Is he feverishly tapping out esoteric commands on his keyboard to download NASA’s photos of aliens?
As I have been going through the modules of this online course, I was impressed by the formalism. This series of online courses is approved by FEMA. This means they are geared directly towards infrastructure protection.
Everything is broken into categories and models. It is the exact opposite of our sensationalized images of the attacker as embodying some sort of chaos. There are even categories for that! Our hacker, we are told, is one of 3 types:
- Amateurs: These are low-skilled operators that can only use pre-made tools. The internet calls them “script kiddies.”
- Hackers: These folks have developed their knowledge a step further. They can develop or modify tools. They can think about creating attacks beyond the scope of the amateur’s pre-made tools.
- Career Criminals: These are the “graduates” of our mysterious and poorly defined hacker school. They seriously know how to do stuff. However, it is unknown if they wear hoodies or not though it is likely they wear something extra during the winter.
Why do we want these cold, lifeless definitions? If you are a security professional you definitely need to be thinking about which of these skill levels is coming after you.
Last week we spoke of 3 principles of information security: confidentiality, integrity, and availability. We now have a way to categorize possible threats.
Information Security Principle | Threat | Example | Common Control |
---|---|---|---|
Confidentiality | Disclosure | Edward Snowden!!! | Encryption |
Integrity | Alteration | Changing files that could be necessary to operations! | Access Controls (Permissions to read and/or write to a file) |
Availability | Denial | Denial of Service (DoS) attacks flooding a target with fake requests! | Firewalls & Proxy Servers |
We need these categories because even a modest information system can be complex. Our foe may have developed a specialty and can look for systems that are vulnerable to his skills. Our foe may have the time and skill to study our information system, intercept communications coming from and to it, and then, choose the attack most suited to our weak points. We need a thought process so that we can systematically address the potential threats.
AND!!! We need to prioritize those threats. This need brings us to a first approximation of a risk assessment model:
- What must be protected?
- Who might attack us and why?
- Which assets need additional protection?
Notice that these questions allow us to prioritize our assets and the types of attacks that present the most risk.
But we should start practicing what we preach!!!
Attackers want passwords. Even in a normal account with limited access to an information system, intelligence can be gathered about the system.
First Things First: Password Security!
How easy is it for an attacker to “crack” your password? I looked for a few articles on this, and I will list them below. Other than some kind of “social engineering” to get someone to reveal a password, the main avenues of acquiring a password are keyboard loggers and password cracking software.
These are all complex and nuanced topics. There are probably entire books about either one. Briefly, a keyboard logger is software that records everything you type. It might be used by a company to monitor its employees, or an attacker could install it to surveil you (and maybe get that juicy, sweet password). A password cracker enters passwords over and over until it gets the right one. Crackers can be “smart” by, for example, trying dictionary words instead of random strings and permuting the letters of those words with numbers and symbols. This works because so many people alter words with numbers and symbols in order to make their passwords memorable.
Password crackers are increasingly smart. There are more complicated schemes: if the attacker can obtain a system’s passwords in “hash” form, a one-way fingerprint of each password (often loosely described as encrypted, though it is not meant to be reversible), the cracking goes even more quickly, because guesses can be checked offline at machine speed instead of against a login prompt (see article below).
We can make things more difficult by having a strong password of more than 16 characters that is a mix of lower-case letters, upper-case letters, numbers, and symbols. The most often cited method for creating a strong but memorable password is to generate a string of letters, numbers, and symbols and then make a sentence out of it as a mnemonic. You can read about it here and here.
In the final estimation, the strongest password policy is to have a randomly generated string for each site you use. Unless you have a nearly autistic flair for memorizing strings of random characters, you will need a password vault to do this.
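To make the comparison in these paragraphs concrete, here is a small added Python example (mine, not from any of the linked articles) that estimates how long exhausting each kind of password would take; the wordlist size, rule count and guess rates are assumed order-of-magnitude values, not measurements.

```python
import math

# Character-class sizes for estimating the search space of a random password.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Assumed attacker parameters for illustration (order-of-magnitude, not measured):
DICTIONARY_WORDS = 50_000   # words in a cracking wordlist
MANGLING_RULES = 10_000     # variants per word: append digits, swap letters for symbols, etc.
GUESS_RATES = {
    "online login form (rate limited)": 1e1,
    "offline, slow password hash": 1e4,
    "offline, fast unsalted hash on a GPU": 1e10,
}

def random_password_keyspace(length, classes=("lower", "upper", "digit", "symbol")):
    """Candidates for a password of `length` chars chosen uniformly from the given classes."""
    alphabet = sum(CHARSET_SIZES[c] for c in classes)
    return alphabet ** length

def mangled_word_keyspace(words=DICTIONARY_WORDS, rules=MANGLING_RULES):
    """Candidates a dictionary attack tries: every word combined with every mangling rule."""
    return words * rules

def bits_of_entropy(keyspace):
    """Search-space size expressed in bits."""
    return math.log2(keyspace)

def years_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate; on average an attacker needs half of this."""
    return keyspace / guesses_per_second / (365 * 24 * 3600)

def compare_policies(rate_label="offline, fast unsalted hash on a GPU"):
    """Years to exhaust each policy's keyspace at one assumed guess rate."""
    rate = GUESS_RATES[rate_label]
    policies = {
        "dictionary word + mangling": mangled_word_keyspace(),
        "8 random lower-case letters": random_password_keyspace(8, ("lower",)),
        "16 random mixed characters": random_password_keyspace(16),
    }
    return {name: years_to_exhaust(space, rate) for name, space in policies.items()}

if __name__ == "__main__":
    for rate_label in GUESS_RATES:
        print(f"\n{rate_label} ({GUESS_RATES[rate_label]:.0e} guesses/s):")
        for name, years in compare_policies(rate_label).items():
            print(f"  {name:30s} {years:12.3g} years")
```

The point the numbers make is the one the post argues: the mangled-word scheme is exhausted in a fraction of a second against a fast hash, while 16 random mixed characters stay out of reach even at the fastest assumed rate.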
Here are the articles I read for this post:
- How long would it take to crack your password?
- Estimating Password-Cracking Times
- Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
So… Tomorrow we will continue to build our Cyber Security lexicon, talk about password vaults, and hopefully, finally, treat in a preliminary way how we will get Linux running on our machines.
Hope to see you at Day 3!!!