Skip to content

Instantly share code, notes, and snippets.

@fabianbaechli

fabianbaechli/solutions_of_m183_tasks.md

Last active November 20, 2017 21:45
Show Gist options
  • Save fabianbaechli/bf4596e5408946f236f0bc6bf0fd48c7 to your computer and use it in GitHub Desktop.
Save fabianbaechli/bf4596e5408946f236f0bc6bf0fd48c7 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
solutions_of_m183_tasks.md

Task 5.1.4

  • Availability:
    • If the attack does not exceed a certain amount:
      • Firewall
      • Specialized hardware, which sits in front of the normal servers and routers. Detects and filters the malicious traffic.
        • Costly purchases, which sit around and don't do much for most of the time
        • They need a certain amount of expertise to be handled and maintained -> another cost factor
        • They cannot handle large-scale attacks
    • For larger scale attacks:
      • ISP: The ISP of an enterprise has more bandwidth than the enterprise. Some enterprises use their ISP to protect themselves from DDoS attacks.
        • Today, it is considered best practice, to have two ore more providers. An ISP only protects their own network lines -> Double the cost, if you have two ISPs
        • Since it's not really their main field, they aren't really ahead of the curve, when it comes to new sorts of DDoS tactics.
      • Cloud mitigation providers:
        • Generally speaking, they are experts at handling DDoS attacks. They are constantly researching the latest trends
        • They have huge amounts of bandwidth
        • Most cost effective
  • Integrity:
    • Checksums
      • Message authentication codes (HMAC) -> They guarantee, that the message wasn't altered
        • Both parties have a key k of which only they know.
        • To every message they send, a hash in this form is appended: <messages><hash(k + <message>)>
  • Confidentiality:
    • In web apps, cookies can be used, to store data on the client-side.
      • Cookie theft: The act of mimicking another persons cookie, to access their session
  • Authenticity:
    • Public keys are connected to personal informations about a person like their name + email. You can upload your public key to a keyserver. The key server then can be accessed from other sources to check if your public key matches to you. An example where this is implemented: git commit signing
  • Liability:

    • Blockchain: Blockchain is a continuously growing list of records, called blocks, which are linked and secured using cryptography. Each block typically contains a hash pointer as a link to a previous block, a timestamp and transaction data. By design, blockchains are resistant to modification of the data. A blockchain can serve as an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. A blockchain facilitates secure online transactions. The blockchain is a decentralized and distributed digital ledger that is used to record transactions across many computers so that the record cannot be altered without the alteration of all subsequent blocks and the collusion of the network. This allows the participants to verify transactions inexpensively.

    • Electronic signatures: An electronic signature refers to data in electronic form, which is logically associated with other data in electronic form and which is used by the signatory to sign. This type of signature provides the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation it was created under. An electronic signature is intended to provide a secure and accurate identification method for the signatory to provide a seamless transaction. A common denominator in most countries is the level of an advanced electronic signature requiring that:

      • The signatory can be uniquely identified and linked to the signature
      • The signatory must have sole control of the private key that was used to create the electronic signature
      • The signature must be capable of identifying if its accompanying data has been tampered with after the message was signed
      • In the event that the accompanying data has been changed, the signature must be invalidated
  • Privacy:

    • Situation Nowadays, almost every website collects user data and creates specific profiles based on this information. This allows the company behind the website to show the user customized ads, which increases the success rate for the advertiser drastically. That in turn allows the website to get higher ad revenue. The problem is, that the internet companies know almost everything about us, and they can and DO use this fact to their own advantage. Some companies even sell their user profiles and get a lot of money for it.

    • What to do If you host a website and collect user data, the user needs to give you his permission for you to do so. This can for example happen via the acceptation of your general terms and conditions. When you are collecting user data, you have to make sure it is stored securely and encrypted. If you sell data, as a reliable company it is very important to anonymise these information’s before you give them to third parties.

Task 5.1.5

Providing security for:

  • Networking:

    • Making sure, that the switches are configured as they should be:
      • For example: Guest users should not be able to see into the VLAN of the company. They should get an IP in another subnet.
    • Securing the WLAN with a strong password and making the server not accessible from it.
    • Having a firewall between the LAN and the WAN

  • Host:

    • Anti virus
    • Controlling and monitoring access to local files
    • Not having unnecessary services and therefore open ports on the server
    • Updating the installed packages regularly so that found bugs in installed libraries can be patched
    • Physically securing the server in a server room which is not accessible without a key
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment