Security Saturday!
Next week I am supposed to present my master thesis in the field of cryptographic engineering. I have now been working in the field of security management and ISO2700X processes, but I started this job while preparing for my master thesis. I took all the right electives, and then some interesting other electives as well. Together they make me more geared towards formal proofs of low-level programs, and the correct handling of lambda calculus and adjacent languages (such as Coq and Haskell).
The master thesis, however, is in the parallel programming of a specific algorithm in order to speed it up. It was a lot of fun, but writing a paper, and subsequently a presentation, is annoying. I did the work, the algorithm is fast and stable, let me graduate. Although I do not technically even need the graduation, since I already have a degree in software engineering anyway...
This is the strange thing about learning about security: people rarely end up where they think they will. I thought I would go from software engineering to hacking; however, I found out before even starting my master program that ethical hacking is one of the most boring jobs ever. So many documents... No, I would rather specialize as a cryptographic engineer then, but even that will not be where I end up, since my current employer does not want to lose me. By the time I graduate, my title will be fancy, but the cryptographic engineering I did to get the title will be mostly irrelevant, much like the formal methods I took as electives.
But I would never have figured out that this was a possible path if I had never taken the step. And now that I am aware of all specializations in the field of security, I can be aware of most angles of threats that will beset a company. It made me realize, first and foremost, that most of us are not secure because we did our best. We are secure because we are not interesting. If a normal phishing mail does not get you, then nothing will, since no-one will waste time on hand-crafting an attack using the latest APTs and zero-days (which cost considerable money and time to set up) if successfully breaching your perimeter only yields a few hundred dollars.
In fact, even the best secured company I know of was safe because of that reason. This was, of course, the Amsterdam location of Deloitte, where I interned with the Cyber Security team. I know not if they have changed their name since, but when I was there they went by Deloitte Cyber Risk Services, if I recall correctly. They were very secure, but when someone finally took some effort, they did get breached. Not because Deloitte is bad, but because when someone is more interested in breaching you than you are in protecting yourself, then they will find a way in. It is at that point simply another free market at work, and the one with the most resources will come out on top.
Now, the wrong takeaway would be that you need no protection. You do. Your social numbers, bank numbers and some other numbers are still juicy. A complete identity with all of your cards and stuff should go for around 500.- (though my information is outdated, and Russia-focused) at once, so spending around 500.- per year on your digital security, or spending less but putting some time into selecting providers (phone, internet) that help protect you, is really not a waste of money, but a proper investment in not having to pick up the pieces afterwards.
And perhaps the most useful thing to do is putting a plan in place for when things go wrong. Search on the web (using DuckDuckGo, not Google) and ask some savvy acquaintance to think up a plan with you. What do you do when your perimeter is breached and some of your numbers do leak? Having a plan beforehand will definitely lessen the impact later. Off the top of my head, I'm thinking: spread your money between cash and more than one bank. Invest some money so that you have some shares you can sell when your bank account gets emptied. Even if you get the money back, you need to bridge the gap.
I am sure there are more things you can do, which I have not looked into. The point of today simply was to write a Security Saturday that did not require a lot of research for me (because I already know), since I need my time to write that stupid presentation so that I finally get my degree, which is relatively useless now anyway, but who cares, at least the title sounds relatively fancy!
Stay safe out there!
There is so much more to this one chapter, but it is so good already!
I had to cut it short because guests arrived, but this should get you started on your own study :)
@calvinrempel Thank you once again for the Theology Tuesday you did, I refer back to it in this one :)
@JamesDerian Congratulations on your marriage :)
Next time there might (almost certainly) not be a Theology Tuesday, so the official next one will be February 22nd! I have a marriage to attend. As the groom. Our home is still half a project.
Fun times!
This is the third corner to have persistent discussions and talks in. I love tech, but especially once it transcends hardware a little. I have two degrees: a bachelor's in Software Engineering and a master's in Information Security Technology. My graduation thesis focused on assembly-level optimizations (that is, one level above the hardware level) and my free subjects were in formal verification. This is why I love programming in the security corner, or maybe it is the other way around.
I started going down the Security path because I early on saw that the world around us would become a dangerous cesspool of badly-implemented and hostile tech. Now I am one of the people that understands the field around that mess :)
So in here you can discuss secure phones, weird programming languages, sad truths about internet-connected fridges. Also about malware, adblockers, and so on and so forth!
A lot of tech talk I do over at the @Lunduke community, where a lot of nerds hang out and it is ...
Much like the reading corner, let's have a music corner! A few rules for this one, since some music can be provocative. I don't mind much, but let's keep YouTube links with risqué thumbnails out of here.
Other music I might also mind. "Do you find that offensive?" someone might ask. Yes, there is some music I choose not to listen to on principle, and I walk a thin line there sometimes. But do not worry, I have a wide taste otherwise, so feel free to share almost anything :)
Either way, here is the music corner!
Many times when we talk about security, we mean to say "digital security". In essence we mean to say that the hardware and software that we use stays safe no matter what we do. And even though the ISO27001 standard (and by extension, for example, the NEN7510 standard) makes it abundantly clear that security is a people-domain problem, we usually take that as a process-like truth. Meaning, we think that being secure is a matter of regulating people.
The truth is very different. For example, while writing this I am pretty shot. I slept five hours and I am under the influence of a bunch of painkillers and some alcohol. Before you ask what I was thinking, let me mention that I have a genetic defect in my spine that I am dealing with right now by taking measured doses of all three (and yes, to get the Bible into this conversation, there is even a biblical ground for the inebriation with alcohol, see Proverbs and the letters to Timothy, although I did not use red wine. But hey, I am still on top of ...