Information Security A Beginners Guide To Terminology

[baqai]

Hello everyone, I am a I.T consultant having worked for over 14 years in different aspect of Information Technology, Have had a chance to work in the fascinating field of information security and noticing the lack of knowledge on the subject decided to do a small writeup on different terms and meanings so that a layman can understand them and can help secure their digital life.

Keep this in mind that following is NOT text book definitions, these are terms explanations deliberately made easy to make you understand the concepts, so kindly don't come up with "OOOOOO BUT GOOGLE SAYS THIS"

What is security? well any Info Sec person will tell you that Security is APAIN, Well yes it IS A PAIN but this also happens to be the abbreviation for 5 pillars of security, we will discuss them in some details

• A = Authentication
• P = Privacy
• A = Authorization
• I = Integrity
• N = Non Repudiation

Authentication

Authentication means to establish your credentials and to prove who you are, this can be done in form of B-Form, NIC Card, License or other valid identity issued by Issuing Authority (in this case Govt)


Privacy

It means that conversation or exchange of ideas or words between two entities or people should remain private and third person is not able to understand, the most common thing we observe around in our surrounding is people trying to eavesdrop in your conversation for gossip, in cyber world this can be achieved via different methods like key loggers, man in the middle attack etc


Authorization

Authorization is often mixed with Authentication and creates confusion, they are both way different terms, while Authentication is establishing your credentials Authorization is based upon that authentication, that means that if a person XYZ is GM in a company upon authentication and establishing his/her credentials he is given certain authority which can be in form of access levels, access to certain part of building, access to some sensitive files etc. So first a user establishes their credentials using authentication and based upon that they are authorized access.


Integrity

Integrity means that a message should remain the same from one person to another and contents of the message are not distorted in any way, it may sound impossible but a simple experiment of Chinese Whispers will reveal how easy it is for a message to get distorted, how does it translates in cyber world? Well the most common attack is man in the middle attack, in this a black-hat would target a non-secure communication channel, reads packets in real time and change their content, so Mr ABC sending an email to Mr XYZ telling him to release payment of Rs 1000/- can be interception and a simple “0” can be added to make the same payment of Rs 10000/- it may sound science fiction but around 10 years back in a major bank’s conference room with their president and all top brass sitting a demo was given using their own email systems and contents were changed in real time, if that was done 10 years back you can very well imagine how much we must have progressed by now.


Non Repudiation

It means something can be proven in the court of law, in Pakistan it’s a niche subject and as per ET2002 digitally signed emails and contents have the same validity as a physically signed document.

Now lets come to Authentication, there are different kind of authentication, most common are single, two and three factor authentication which you already used in your daily life without even realizing.

Single Factor Authentication

Something you have e.g. NIC card is the most simple way of authenticating yourself.


Two Factor Authentication

Adding another layer to security, it means something you have and something you know e.g. ATM Machine, you have a ATM card and you know the pin code


Three Factor Authentication

Something you have, something you know and something you ARE, bio metrics being the third added layer of authentication

I will keep on adding to the subject once i have time, others please feel free to contribute.

@Dubious @MUSTAKSHAF @ps3linux @NA71 @R Wing @Sully3 @zulu

 

[NA71]

Hello everyone, I am a I.T consultant having worked for over 14 years in different aspect of Information Technology, Have had a chance to work in the fascinating field of information security and noticing the lack of knowledge on the subject decided to do a small writeup on different terms and meanings so that a layman can understand them and can help secure their digital life.

Keep this in mind that following is NOT text book definitions, these are terms explanations deliberately made easy to make you understand the concepts, so kindly don't come up with "OOOOOO BUT GOOGLE SAYS THIS"

What is security? well any Info Sec person will tell you that Security is APAIN, Well yes it IS A PAIN but this also happens to be the abbreviation for 5 pillars of security, we will discuss them in some details

• A = Authentication
• P = Privacy
• A = Authorization
• I = Integrity
• N = Non Repudiation

Authentication

Authentication means to establish your credentials and to prove who you are, this can be done in form of B-Form, NIC Card, License or other valid identity issued by Issuing Authority (in this case Govt)


Privacy

It means that conversation or exchange of ideas or words between two entities or people should remain private and third person is not able to understand, the most common thing we observe around in our surrounding is people trying to eavesdrop in your conversation for gossip, in cyber world this can be achieved via different methods like key loggers, man in the middle attack etc


Authorization

Authorization is often mixed with Authentication and creates confusion, they are both way different terms, while Authentication is establishing your credentials Authorization is based upon that authentication, that means that if a person XYZ is GM in a company upon authentication and establishing his/her credentials he is given certain authority which can be in form of access levels, access to certain part of building, access to some sensitive files etc. So first a user establishes their credentials using authentication and based upon that they are authorized access.


Integrity

Integrity means that a message should remain the same from one person to another and contents of the message are not distorted in any way, it may sound impossible but a simple experiment of Chinese Whispers will reveal how easy it is for a message to get distorted, how does it translates in cyber world? Well the most common attack is man in the middle attack, in this a black-hat would target a non-secure communication channel, reads packets in real time and change their content, so Mr ABC sending an email to Mr XYZ telling him to release payment of Rs 1000/- can be interception and a simple “0” can be added to make the same payment of Rs 10000/- it may sound science fiction but around 10 years back in a major bank’s conference room with their president and all top brass sitting a demo was given using their own email systems and contents were changed in real time, if that was done 10 years back you can very well imagine how much we must have progressed by now.


Non Repudiation

It means something can be proven in the court of law, in Pakistan it’s a niche subject and as per ET2002 digitally signed emails and contents have the same validity as a physically signed document.

Now lets come to Authentication, there are different kind of authentication, most common are single, two and three factor authentication which you already used in your daily life without even realizing.

Single Factor Authentication

Something you have e.g. NIC card is the most simple way of authenticating yourself.


Two Factor Authentication

Adding another layer to security, it means something you have and something you know e.g. ATM Machine, you have a ATM card and you know the pin code


Three Factor Authentication

Something you have, something you know and something you ARE, bio metrics being the third added layer of authentication

I will keep on adding to the subject once i have time, others please feel free to contribute.

@Dubious @MUSTAKSHAF @ps3linux @NA71 @R Wing @Sully3 @zulu

shabaash bro....I have loads of video lectures on this domain ....I have done cyber security audit of my work place (important) ....with emphasis on Industrial control system. so ref. material may be shared.

I would share via google drive...is it ok?

 

[baqai]

Go ahead, its about creating awareness, yeah i was part of the team which helped get our organization ISO27001 was quiet a learning experience with some REALLY hilarious incidents as well

 

[ps3linux]

Way to go

 

[war&peace]

Go ahead, its about creating awareness, yeah i was part of the team which helped get our organization ISO27001 was quiet a learning experience with some REALLY hilarious incidents as well

Would you like to share those ..not the sensitive or secret part but the funny parts.

 

[ps3linux]

Three Factor Authentication

Something you have, something you know and something you ARE, bio metrics being the third added layer of authentication

I will keep on adding to the subject once i have time, others please feel free to contribute.

Two more Authentication methods are now in use
1) Retinal Scan (high security/ capacity) organizations have started implementing it as an additional layer of authentication
2) DNA authentication, it seems futuristic but I know some proto types are already being tested rigorously
Sorry missed another important one
3)Multimodal Voice and Behavioral authentication

 

[NA71]

Two more Authentication methods are now in use
1) Retinal Scan (high security/ capacity) organizations have started implementing it as an additional layer of authentication
2) DNA authentication, it seems futuristic but I know some proto types are already being tested rigorously
Sorry missed another important one
3)Multimodal Voice and Behavioral authentication

Being electrical/Automation engineer I am more into cyber security domain ....I can share videos of Cyber warfare...How APT works...the Cyber Kill chain ... DDoS, PenTesting, NIST framework so onnnnnnnnn

 

[baqai]

Would you like to share those ..not the sensitive or secret part but the funny parts.

An audit team comes to visit your office to make sure proper information security practices are in place (which obviously is topi drama) and the audit team randomly asks people different questions to evaluate the procedures, we had a 7 tier data center and the area i used to sit in was in tier 2 where access was based upon biometrics

so this colleague while flirting with this new receptionist had forgot his card there and along with other colleagues came in tier 2, the audit team found the card and when the guys turn came he started babbling about state of the art security and what not and in the end audit team presented his ID and said "ayenda badge kai sath khatoon ku bhi andur lay ana ziada asaani hu gi" LOL

and there were other things like USB not allowed to use and finding stacks of them around and what not

 

[NA71]

An audit team comes to visit your office to make sure proper information security practices are in place (which obviously is topi drama) and the audit team randomly asks people different questions to evaluate the procedures, we had a 7 tier data center and the area i used to sit in was in tier 2 where access was based upon biometrics

so this colleague while flirting with this new receptionist had forgot his card there and along with other colleagues came in tier 2, the audit team found the card and when the guys turn came he started babbling about state of the art security and what not and in the end audit team presented his ID and said "ayenda badge kai sath khatoon ku bhi andur lay ana ziada asaani hu gi" LOL

and there were other things like USB not allowed to use and finding stacks of them around and what not

This is usual practice ...the first victim is Internet access ...USB flash drive....actually we do not know beyond that.

This is usual practice ...the first victim is Internet access ...USB flash drive....actually we do not know beyond that.

In cyber security terminology it is called "AIR GAP"....Iranians were maintaining that AIR GAP at highest degree ...but still hit by first cyber attack

 

[baqai]

yeah there are several procedures involving physical security, data security, infrastructure, hazards, data redundancy etc etc etc but that would exceed the scope of this topic

if anyone have questions please do feel free to ask and discuss

 

[war&peace]

An audit team comes to visit your office to make sure proper information security practices are in place (which obviously is topi drama) and the audit team randomly asks people different questions to evaluate the procedures, we had a 7 tier data center and the area i used to sit in was in tier 2 where access was based upon biometrics

so this colleague while flirting with this new receptionist had forgot his card there and along with other colleagues came in tier 2, the audit team found the card and when the guys turn came he started babbling about state of the art security and what not and in the end audit team presented his ID and said "ayenda badge kai sath khatoon ku bhi andur lay ana ziada asaani hu gi" LOL

and there were other things like USB not allowed to use and finding stacks of them around and what not

LoLzz, it reminds me of this

 

[ps3linux]

yeah there are several procedures involving physical security, data security, infrastructure, hazards, data redundancy etc etc etc but that would exceed the scope of this topic

if anyone have questions please do feel free to ask and discuss

IT Audit is more like IT idiots, competition is who is more incompetent.

 

[baqai]

Just to give you guys an idea

our main server need to have 8 people in order for any work to be done

3 people's bio-metric authentication to enter the server room
3 people had different keys to the rack(s)
1 person had bio-metric based authentication to the system
1 person had smart card based access to database

system was off the grid (no physical network or wireless network access), USB's were disabled, entry was done only after total frisk and storing on pocket contents in a locker outside.

 

[ps3linux]

Just to give you guys an idea

our main server need to have 8 people in order for any work to be done

3 people's bio-metric authentication to enter the server room
3 people had different keys to the rack(s)
1 person had bio-metric based authentication to the system
1 person had smart card based access to database

system was off the grid (no physical network or wireless network access), USB's were disabled, entry was done only after total frisk and storing on pocket contents in a locker outside.

I think thats a pretty strong authentication.

Just thinking aloud, how about another layer facial recognition (with software and NV cameras) any unauthorized person in the server an alarm via SMS to all concerned, yes PIR sensors to be active during off hours, any one enters the server PIR activates and through something like SIM900 to send SMS alerts to all concerned.

Built a home security system like this once for my own house.

 

[baqai]

yes that's pretty strong authentication but keep that in mind that the server was IA (Issuing Authority) for Verisign class 1,2,3 digital certificates, the place had NV cameras as well as multitude of sensors as well, i cannot disclose the whole security measures and i am sure besides the obvious ones there were/are others which were above my pay grade