Security 101: March – Questions & Answers

The magazine PC.COM (Malaysia) publishes every month the questions sent in by its readers together with the answers. The editor of the magazine was kind enough to allow us to publish the questions and the answers I provided.

This means that every month we will have a special article with questions and answers.


What’s the difference between a threat, a vulnerability and a risk?


A threat is an indication of possible danger or harm. In IT security, a threat is a possible negative effect on applications and their users, caused by internal or external factors. The best-known threats are buffer overflows, cross-site scripting, SQL injection, elevation of privilege, disclosure of confidential data, data tampering, session hijacking, session replay, man in the middle and others.

A vulnerability is a weakness that makes a threat possible. The threats mentioned above are possible because of vulnerabilities in software. Some examples are:
- lack of input validation (which can cause SQL injection)
- lack of, or improper, authentication, authorization and session management (which can cause disclosure of confidential data, data tampering, session hijacking, session replay, man in the middle)
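The first bullet, a vulnerability (lack of input validation) making a threat (SQL injection) possible, is easiest to see side by side with its mitigation. The following is an added example written for this column, not code from the original article: it builds a constructed in-memory SQLite table, looks a user up once by concatenating the input into the SQL text and once with a bound parameter, and adds an allow-list check as defence in depth. The table contents, the `lookup_*` function names and the username pattern are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the article):
# an in-memory database with two users.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerability: the untrusted value is pasted into the SQL text, so a
    # quote character in it changes the structure of the query. This is
    # what turns the SQL injection threat into an actual incident.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, username):
    # Mitigation: the value travels as a bound parameter. The database
    # never parses it as SQL, so it can only ever match a username.
    sql = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(sql, (username,)))


# Assumed username policy: lower-case letters, digits and underscore, 1..32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_validated(conn, username):
    # Defence in depth: allow-list validation rejects anything that is not a
    # plausible username before the database is even consulted, so the
    # missing-input-validation weakness is closed as well.
    if USERNAME_RE.fullmatch(username) is None:
        raise ValueError("invalid username")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed input containing a quote character
    print("concatenated SQL  ->", lookup_vulnerable(db, hostile))    # every user
    print("bound parameter   ->", lookup_parameterized(db, hostile))  # no match
    print("validated         ->", lookup_validated(db, "alice"))      # ['alice']
```

The parameterized query is the fix that removes the vulnerability; the allow-list is cheap extra protection that also rejects malformed input before it reaches any component, which matters when not every code path can be audited.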

A risk is the likelihood that a chosen action or inaction will lead to some kind of loss. Usually, potential losses are called risks. In IT security, a risk also has an associated value which might be lost if threats and known or potential vulnerabilities are not mitigated and addressed.

The risk (potential loss) can be calculated as the likelihood of a security incident occurring times the impact that the incident would have on the organization.

What are the steps I can take to protect myself during mobile banking on iOS or Android devices?

The biggest dangers associated with mobile banking are phishing attacks, man-in-the-middle attacks and malicious apps that steal your credentials.
The best way to protect yourself is to have a security solution installed on the device that protects your data against these threats.
If that is not possible, Internet access should be filtered directly on the router or on the gateway.
Usually, the apps required to access a mobile banking system are created by the financial institution itself or by well-known companies with an impeccable reputation.
If the creator of the app is unknown or not trusted, do not enter any credentials for the mobile banking system into it.
Access to any banking system must always be made over a secured connection (HTTPS or another proprietary secured protocol). Also, if Internet access is via WiFi, the wireless network should be encrypted using WPA2. This also seriously reduces the risk of session hijacking or man-in-the-middle attacks.

Sorin Mustaca

Data Security Expert