Wednesday, 27 July 2016

God Mode Driver


Responsibility grows hand in hand with trust. In technical operations, the metrics of responsibility are access rights. The metrics of trust will be the same universally; information security does have a greater emphasis on information confidentiality, integrity and availability. When trust reaches an apex, technical operators are given the responsibility of superuser. It is an account that is not limited to trivial tasks of system maintenance. It is a responsibility of omnipotent access. This is the superuser mode aka God mode. 
 
Experience in changing car oil, jump starting a vehicle and changing a flat tire would be top priorities for first time drivers. Before the privilege of adventurous road trips, drivers should know these basic principles. Privilege is granted in proportion to the responsibility handled. Otherwise, the consequences are detrimental.

Technical operators abide by this principle as well. They remain Tier One until they show effort towards responsibility. In time, privilege can be granted. Their marks will be in trustworthiness and competence. As adventurous road trips mark the apex of a faithful driver, so does the superuser privilege for a faithful technical operator.


The apex is not the end of the adventure. There is a place for maintenance. Oil needs to be changed or a car breaks. The superuser needs to continue growing in their responsibilities and trust, or rights may be revoked. Achievements are good only for as long as they last. Trust and responsibility are ever-growing characteristics in daily life but also in data confidentiality, integrity and availability.

Monday, 18 July 2016

Not so trivial encryption

At the bright age of fourteen I was luentfay taay igPay atinLay (fluent at Pig Latin). It was a lot of fun, and trivial at that, practicing it with classmates. Sometimes it was probably better that we spoke in Pig Latin so that the teacher couldn't understand it. Unless, of course, the teacher knew how to speak it as well.

I'm not really sure how Pig Latin originated, but it's a basic idea. The enciphering mechanism is to take the first letter of each word (P from Pig), place it as the last letter of the word (igP), then add ay to finish the word (igPay). Once you understand the cipher you can encipher or decipher, encode or decode, turning intelligible words into unintelligible words for those that don't have the cipher. This is the basic idea of encryption.

Encryption is a way to translate electronic information into unintelligible data, except for those who have the cipher (key in encryption jargon). With this key you can keep the information locked from those who shouldn't have access to it, and conversely unlocked to those who need access to it.


There weren't a lot of sensitive things I needed to encrypt as a child. But as a professional, any kind of company data could become damaging in the wrong hands. Thus keeping it safe by encryption is significantly important. Quality grade school teachers are no longer preoccupied with your business. Professionally, there are bigger things at stake and access to information becomes less trivial.

Thursday, 16 June 2016

Multi-Factor Authentication via Smart Cards

Multi-factor authentication (MFA) provides different facets for data confidentiality through authentication. These facets have three categories where the basic idea is to make sure that the person requesting access is who they say they are. This is done by having an implementation of more than one of the categories:


  1. Something you know - This is seen in regular small office/home office setups through the use of a username and password.
  2. Something you have - Like a smart card, which is a common enterprise niche.
  3. Something you are - Biometric signatures provide a unique value from a person, e.g. a fingerprint.


Large scale enterprises and government clients are more aware of access risks. This causes distress to system administrators who consider security a top priority. So, developing strategies for authentication is necessary for data to remain appropriately confidential. Adding smart cards to an organization already using passwords provides multi-factor authentication that drastically mitigates access risk. Therefore it is important for system administrators to have a high level idea of how they are administered. Let's start with definitions.

What is a smart card?

As mentioned, smart cards fit the 'something you have' category of multi-factor authentication. A smart card is a physical card with a chip that provides a certificate to a machine. The certificate provides proof that the owner of this certificate is to be granted access.

How do you administer a smart card?

It's simple enough really. Usually the smart card has a certificate with an associated PIN. The certificate is then uploaded to an authentication server via Active Directory or manual export. So, whenever the smart card is on a client machine and requests access to the authentication server, the server makes sure the certificate is a match and allows access.

So, a brief summary in bullet points:
1. The smart card certificate is uploaded to the authentication server.
2. It is configured into a user and their appropriate access levels.
3. The smart card now represents the user.
4. On authentication at the client level with the smart card, the certificate is referenced in the authentication server, and the authentication server provides the appropriate access as per the user.
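
The four steps above, sketched in Go as an added example (not code from the original post): the server enrolls a certificate fingerprint for a user, then at logon checks that the presented certificate matches an enrolled one and that the card can sign the server's challenge with the matching private key. NewCard, Server, the user name and the nonce are constructed for illustration; the challenge signature is an assumption about how the match is proven, and PIN entry is only noted in a comment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewCard (constructed stand-in) returns the card's private key and its DER certificate.
func NewCard(cn string) (ed25519.PrivateKey, []byte) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	if err != nil {
		panic(err)
	}
	return key, der
}

// Server covers steps 1-3: enrolled certificate fingerprint -> user.
type Server map[[32]byte]string

func (s Server) Enroll(der []byte, user string) { s[sha256.Sum256(der)] = user }

// Authenticate is step 4: the presented certificate must match an enrolled one,
// and the signature over the server's nonce must verify under its public key.
func (s Server) Authenticate(der, nonce, sig []byte) (string, bool) {
	user, enrolled := s[sha256.Sum256(der)]
	cert, err := x509.ParseCertificate(der)
	if !enrolled || err != nil {
		return "", false
	}
	if pub, ok := cert.PublicKey.(ed25519.PublicKey); ok && ed25519.Verify(pub, nonce, sig) {
		return user, true
	}
	return "", false
}

func main() {
	key, cert := NewCard("alice") // constructed user
	srv, nonce := Server{}, []byte("constructed-nonce") // a real server sends a fresh random nonce
	srv.Enroll(cert, "alice")
	fmt.Println(srv.Authenticate(cert, nonce, ed25519.Sign(key, nonce))) // card signs after PIN entry
}
```

A certificate copied off the wire is not enough on its own here: without the card's private key the challenge signature fails and step 4 denies access.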

It's a simple setup really. To make systems more protected, 'something you are' could be implemented. But two categories of the three found for multi-factor authentication can allow a system administrator to sleep at night.

Wednesday, 15 June 2016

Building Entrance Sploit


The strongest cup of coffee I've ever had was at a giant tech enterprise. You would know it if I mentioned the company. Hint, their products are responsible for over 50% of the world's Internet traffic. I think the coffee was so strong because of the early shift teams, with days starting at 6:30 in the morning. Typical for a NOC crew. Being groggy is normal before that first cup. It's easy to forget important things at home, like your access badge. The early crew will relate to this. Thus the building entrance can be socially exploitable.

Day one working at this enterprise, I'm told to get a few teammates' phone numbers in case I forget my access badge. So, specific cases do exist where it is appropriate to allow others into the building. For instance, a team member waits outside at 6:30 am knowing that someone they recognize will let them into the building. But... What happens when people in that shift start getting used to this? What if someone this early stands outside and gives a reasonable excuse, like they know someone you know in the building? What if they were malicious?

An encryption consultant thinks about how to protect data and protects multiple avenues to ensure its confidentiality and integrity. It's their job to keep things secure; this spreads to other aspects of their lives. On the other hand, others do not think about security as much because it is not part of their day to day work schedule. For instance, a customer service specialist focuses on how to best come to an agreeable compromise. They don't need to give much thought to security.


The most common vulnerability is the human factor. Machines are easier to secure provided limited constraints. They are not susceptible to social engineering. This is why employees of large organizations must be aware of these issues as top security concerns. They are the gatekeepers and do hold some form of responsibility. Periodic training is recommended to remind employees of this. After all, it's easy to forget without coffee.