Information Security Management Blog Retrospective

This marks the last security-related blog post written for a course grade. The purpose is to summarize my prior posts and analyze the topics I chose, the sources I used, and my thoughts on the usefulness of security blogging. It will wrap up with a small section regarding the lessons I have learned since I wrote my first security post.

I have written about a broad range of topics over the past 11 weeks. Many categories were touched: offense, defense, hardware, software, ethics, politics, planning, and management. Many of the more technical ones were inspired by security convention talks and out-of-class reading. The more managerial ones were mostly inspired by the class reading material and professor requests.

Cyber Security and Geopolitics
This topic was suggested by the professor and written in light of current events regarding Chinese military spying. It looks at cyber crime from a non-governmental (but still international) side, as well.
N-Factor Authentication
Inspired by class reading and a security convention talk, this post speaks about authenticating with multiple factors and stresses the importance of transmitting those factors out-of-band.
Legality and Morality of Reverse Engineering
From the book Reversing: The Secrets of Reverse Engineering, this entry approaches reverse engineering with law and ethics in mind.
Assets, Vulnerabilities, Threats, Exploits, Risk, and Management
This post dives into asset valuation and risk management. It was suggested by the professor and written in light of the course reading.
PII and UIDs
This post was inspired by the professor and current events regarding social security numbers being compromised in college databases. It talks about handling personally identifiable information and unique identifiers.
Contingency Planning Explained: Risk, Incident Response, Disaster Recovery, and Business Continuity Plans
Inspired by the professor and course reading, this post outlines high-level response, recovery, and continuity planning and the differences between them.
Random Numbers
This post, stemming from a security convention talk, delves into the importance of random numbers and offers some ideas on random number generation.
RFID: The Hacker’s Dream Key
Likewise inspired by a security convention talk, this post examines RFID technology and its various weaknesses.
X10 Hacking
This post, from a security convention talk, details some ways to hack devices that communicate over power lines.
Inventory Management
This post, inspired by course reading, talks about maintaining an inventory of network devices.
Hacking Back
Inspired by a security convention talk, this post outlines some ways to mess with bots and crawlers.

Blogging has proven more useful as a learning tool than I had originally anticipated. I’ve learned a lot while writing about these topics. Apart from the specifics detailed in each post, the collection of research and scrutiny has helped me understand the core concepts of security and the hacker mentality better. So long as the topics require out-of-class reading, the blogging requirement does a good job of instigating research and furthering knowledge.

For example, I have learned that nothing is ever secure – period. With enough time and energy, any system designed by humans can be beaten by humans. Humans are the weakest link all of the time; if we aren’t the ones building in software bugs, we are the ones using garbage passwords and clicking things that flash. Information gathering is pivotal to compromising a system successfully; a lot of time goes into attack preparation. Segregate responsibilities and protect in layers; don’t let one compromised component affect the operations of others. Finally, planning is everything, so spend the bulk of your time doing that.