Nism Unit 8
Seminar
During the seminar, we had an interesting discussion on the security of various content management systems. Ian Wolloff vouched for WordPress and mentioned that he is using it to serve 10,000+ daily interactions. There was also mention of something called a “headless CMS”, which is something I’m not familiar with and will research further when I have time.
I also raised a point for discussion regarding the ethics of data collection; my exact question was something along the lines of: “Even if data is anonymized, is it still ethical to keep it? You might still have private content in something like messages sent and received.” Taylor Edgell responded by saying that it would depend on the business and their intended use: for example, if an accident or incident happened, and the business said that they would process a person’s data to better protect the company, the data could still be used.
Unit Reading
This unit’s reading focused on different standards, and also had some content dedicated to Kali Linux. I found the chapter on securing your Kali instance extremely fascinating, and although it’s not something that I need to take into account for the assignment, I found it a useful addition to my pool of knowledge, especially for real-world applications. Different Linux installations need different measures taken to secure them: a containerized application on a private network, running on a barebones Linux image, may need no additional precautions, while a publicly accessible web server (such as a WordPress server) might need a lot more. In my career, I have had to reconfigure the SSH settings on a publicly accessible Linux virtual machine to prevent automated login attempts from scripts. In the case of information security management, penetration testers find themselves in different scenarios, so some will not need to secure their Kali Linux systems while others will.
I discovered a tool called Lynis (Cisofy, n.d.), which can be used to audit how securely a Linux system is configured. I think automated tooling is going to play a much larger role in security: the number of possible configurations of an application grows exponentially over time, and it’s impossible to track vulnerabilities in complex and varied systems by hand.
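To make the two points above concrete (hardening sshd against automated login attempts, and auditing a configuration automatically in the spirit of Lynis), here is an added example of my own. It is not code from the unit reading, from Lynis, or from OpenSSH: a small POSIX shell audit that reads an sshd_config and reports the directives that most commonly let password-guessing bots through. Both configuration files it checks are constructed samples embedded in the script, and the compiled-in OpenSSH defaults it assumes when a directive is absent (PasswordAuthentication yes, PermitRootLogin prohibit-password, MaxAuthTries 6, and so on) are stated in the code.

```shell
#!/bin/sh
# Added example: a minimal sshd_config audit (not Lynis, not OpenSSH code).
# Models three sshd parsing rules that matter for an audit:
#   1. the FIRST occurrence of a directive wins, later copies are ignored;
#   2. keywords are case-insensitive;
#   3. everything after a "Match" line is conditional, so the global value
#      is whatever appears before it.
# Only the "Keyword value" form is handled, not "Keyword=value".

# sshd_effective_value FILE DIRECTIVE [ALIAS]
# Print the value sshd would use globally for DIRECTIVE (or its ALIAS, e.g.
# the old and new names of the keyboard-interactive option); empty if unset.
sshd_effective_value() {
    awk -v key="$2" -v alt="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match"       { exit }          # conditional block starts
        tolower($1) == tolower(key) || (alt != "" && tolower($1) == tolower(alt)) {
            print $2; exit                             # first occurrence wins
        }
    ' "$1"
}

# sshd_check FILE DIRECTIVE EXPECTED DEFAULT [ALIAS]
# Print a WEAK line when the effective value is not EXPECTED. DEFAULT is the
# assumed compiled-in OpenSSH default, used when the directive is absent.
sshd_check() {
    got=$(sshd_effective_value "$1" "$2" "$5")
    got=$(printf '%s' "${got:-$4}" | tr '[:upper:]' '[:lower:]')
    if [ "$got" != "$3" ]; then
        echo "WEAK: $2 is '$got' (expected '$3')"
    fi
}

# audit_sshd_config FILE: one WEAK line per finding, nothing when clean.
audit_sshd_config() {
    sshd_check "$1" PasswordAuthentication no  yes
    sshd_check "$1" PermitRootLogin        no  prohibit-password
    sshd_check "$1" PubkeyAuthentication   yes yes
    # With PAM, keyboard-interactive still lets a bot try passwords even when
    # PasswordAuthentication is off; the option was renamed in OpenSSH 8.7.
    sshd_check "$1" ChallengeResponseAuthentication no yes KbdInteractiveAuthentication
    # MaxAuthTries is numeric: more than 3 gives a bot extra guesses per connection.
    tries=$(sshd_effective_value "$1" MaxAuthTries)
    if [ "${tries:-6}" -gt 3 ]; then
        echo "WEAK: MaxAuthTries is '${tries:-6}' (expected 3 or fewer)"
    fi
}

# count_weak_settings FILE: number of WEAK lines, as a plain integer.
count_weak_settings() {
    audit_sshd_config "$1" | awk '/^WEAK/ { n++ } END { print n + 0 }'
}

# Constructed sample 1: a cloud image with password logins left enabled. The
# second PasswordAuthentication line looks like a fix but sshd ignores it.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# constructed sample, not a real server
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
MaxAuthTries 10
EOF

# Constructed sample 2: hardened globally; the Match block re-enables
# passwords for one user only and must not count against the global audit.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
MaxAuthTries 3
Match User deploy
    PasswordAuthentication yes
EOF

# Stand-alone demonstration: list the weak settings in the first sample.
audit_sshd_config "$WEAK_CONF"
echo "weak settings in sample: $(count_weak_settings "$WEAK_CONF")"
```

On a real host the two functions are pointed at /etc/ssh/sshd_config (and, if the distribution uses it, the files under sshd_config.d), and the result is only as good as the assumed defaults, which is why a maintained tool such as Lynis is preferable to a hand-rolled script in practice. The hardened sample also shows the usual order of operations when locking down a public VM: deploy a key, set PubkeyAuthentication yes, and only then switch PasswordAuthentication off, so that you do not lock yourself out.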
As a result, I learned how to implement security at an operating system level. This is something that I will apply in my work because I use operating systems at different levels: I sometimes need to connect to production containers on Kubernetes, and for my daily work I use macOS (which is UNIX-based). Different precautions should be taken to secure each, and going forward I aim to start looking at how I should better secure my various systems. My personal laptop is a good place to start: because of the programming tools installed, I have many services running and permissive network settings, which can be cleaned up for safety.
Document Links
Meeting Minutes
Initial Post
Seminar 4 Slideshow
References
Cisofy. (n.d.) Lynis, an introduction. Available from: https://cisofy.com/lynis/ [Accessed 24 January 2021].