Gain insights into effective security techniques including patching, cryptography, and phishing prevention. Explore practices to make systems resistant and vulnerabilities more detectable, enhancing defense against attacks.

docker.tar.gz

network-commands

node

It seems like hardly a week goes by without a high-profile computer breach. Why do these happen? How can you prevent them? This course doesn’t have all the answers, but it does outline practices that make life harder for attackers and that will help tide you over until you get a full-time security team in place.

In this course, you will learn 5 simple, yet effective, techniques for preventing attackers from getting into your system. These techniques are related to: patching, software vulnerabilities, cryptography, windows security, and phishing. Within each chapter you will learn the best practices for preventing vulnerabilities and how to make them more detectable. 

This course is based on the Pragmatic Programmers’ book, Practical Security, and is aimed at developers, admins, team leads, architects, technology generalists, and all others who stand guard against the things that disrupt the network.

Practical Security: Simple Practices for Defending Your Systems

Credentials such as keys and passwords, by their nature, are extremely valuable to attackers and difficult to work with securely. Of course, we do our best to keep them safe, but what if we fail? Is there anything we can do to soften the blow?

Consider this serious-looking equation:


The rest of this course addresses the first term—lowering the likelihood of a successful attack. That’s good; that’s where we should focus most of our efforts. But we should prepare for the worst. Let’s assume that someday, despite our best efforts, we lose control of our credentials. Since we can’t 100% guarantee that we’ll never lose credentials, we should take steps ahead of time to lower the cost of the loss by lowering the value of the credentials as much as possible.

We minimize the value of credentials in three main ways:
1. We limit the time in which a given credential is valid.
2. We limit the power of a user password by splitting authority between a password and a second factor.
3. We limit the scope in which a given credential can be used.

# Limiting the time a credential is valid
The simplest way to decrease the value of a credential is to limit the time in which it is valid. No special security knowledge needed, just a bit of deployment savviness.

We get a double return on the effort invested into frequent rotation of credentials. Not only does this help lower the value of our credentials, but this is also a capability we need to have in our system anyway. If we ever detect a compromise, we’ll need to rotate all the affected credentials as part of the remediation. Better to have a frequently used, fully automated way to change them than to scramble and learn to do it in the aftermath of a breach. We also need to have the ability to rotate credentials when key members of our team leave the company. After someone leaves, we should rotate all the credentials they had access to.

Credentials used by programs to authenticate to other programs are great candidates for frequent rotation. Programs don’t have problems remembering new credentials. And since programs can’t use two-factor authorization (2FA) as an extra layer of protection around their credentials, it’s good to use frequent rotation as an extra layer of protection.

If credentials never change, then an attacker who steals a credential once has access forever. With frequent credential rotation, an attacker who steals a credential once would either have to make frequent attacks to steal the new credentials or use the initial access to establish persistent access. Both of these make the attack noisier, which hopefully will lead to detection. Additionally, in time, the initial vulnerability may be fixed. Then, once credentials rotate, the attacker is locked out again.

# Limiting the power of a credential with 2FA
Frequent rotation is great for credentials used by software but problematic for credentials used by people. People can’t remember very many strong passwords and can have trouble remembering new passwords all the time. So when it comes to decreasing the value of passwords used by people, our best bet is to limit their value by splitting authority between a password and a second factor such as a two-factor authentication (2FA) system like YubiKey or Google Authenticator. With 2FA in place, the value of a stolen password is much lower. Additionally, login attempts that don’t have a corresponding 2FA event make for a high-quality signal that an attack is underway. Monitor these if you can. We’ll cover 2FA in more detail in the lesson on [Authentication-Based Defense](https://www.educative.io/courses/practical-security-defending-your-systems/authentication-based-defense#2fa).

# Limiting the scope of a credential
Finally, we decrease the value of credentials by decreasing the scope on which they work. Instead of having one superpowerful system account with access to everything, try to have multiple, less-privileged accounts. That way, if one credential is compromised, it doesn’t give over access to everything.

We saw one application of this principle back in [Layering Additional Defenses as a Mitigation Against Future Mistakes](https://www.educative.io/courses/practical-security-defending-your-systems/additional-defenses-as-a-mitigation-against-future-mistakes). We saw that splitting database access across multiple accounts can limit the impact of SQL injection and make attack attempts noisier.

Credentials with limited permissions aren’t just for databases. This same principle can be applied to operating system permissions as well. A typical web application has a web server and a database. Prefer deployments where the database runs as a different user than the web server. Ideally, the database and the web server would be further separated onto different computers. And if there are scheduled tasks, say, in cron, each of them should run as a different user. That way if one of them is compromised, it won’t provide a way for an attacker to move throughout the environment.

Similarly, for user accounts, grant permissions to people on a need-to-use basis only.

 <font size="6">  &nbsp; &nbsp;  &nbsp; &nbsp;&nbsp;  &nbsp; &nbsp;   &nbsp;  &nbsp;   &nbsp;   &nbsp; &nbsp; &nbsp; &nbsp;       &nbsp;  &nbsp;  &nbsp; &nbsp;&nbsp;   &nbsp; &nbsp; &nbsp;   &nbsp; &nbsp; &nbsp;&nbsp;  **Q U I Z**  &nbsp;   </font> 

The Impact of credential loss can be minimized from the get-go. Let's explore how.

Introduction

Patching

Vulnerabilities

Cryptography

Windows

Phishing

Minimizing the Cost of Credential Loss