Basic_Security_Guide_Introduction.mw

{{Header}}
{{#seo:
|description=Computer Security Guide Introduction for {{project_name_long}}, Linux, and {{project_name_long}} Hardening. This page is an introduction into computer security and why you should care about computer security.
|image=Padlock-597495-640.jpg
}}
{{title|title=
Essential Security Guide Introduction
}}
[[File:Padlock-597495-640.jpg|thumb]]
{{intro|
This page is an introduction into computer security and motivation to care about computer security.
}}
{{security_intro}}
= Essentials =

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = ''"Security is a process, not a product."'' -- Bruce Schneier, encryption and security expert. <ref name=schneier_security>https://www.schneier.com/essays/archives/2000/04/the_process_of_secur.html</ref>}}

It is important to understand that {{project_name_short}} and all general software cannot guarantee absolute security; 'perfect security' is a mirage. The reason is flaws in hardware and software are ever-present, as continual upgrades and patches inevitably introduce further coding <ref>Security bugs generally fall into two categories: those which pose a passive threat due to eventual erroneous behavior, and the introduction of accidental vulnerabilities that are exploitable with malicious inputs.</ref> or design errors which attackers of varying skill can profit from. As a consequence, the best approach is to try and mitigate risk exposure and provide defense in depth. <ref name=schneier_security /> <ref>Schneier also notes several other security principles: limit privilege, secure the weakest link, use choke points, fail securely, leverage unpredictability, enlist the users, embrace simplicity, detect attackers, respond to attackers, be vigilant, and watch the watchers.</ref>

With this understanding, a material improvement in security requires 'raising the bar' against potential attackers and eavesdroppers: <ref>https://github.com/maqp/tfc/wiki/Threat-model</ref>

<blockquote>Security is a process, not a product. It is also about economics. Briefly explained, each attacker has a set of capabilities, privileges, and a certain amount of budget, time and motivation. Given enough of these resources, security of any process will fail; the goal when securing a system is to add layers of security that make attacks too expensive. Nation-state actors have massive budgets, and no single system can be made secure enough against targeted attacks. However, if widely deployed, systems that cannot be compromised with automated attacks, increase the attacker's cost linearly and thus force the attacker to pick targets. Such systems are the only way to make mass surveillance infeasibly expensive.</blockquote>

In the case of {{project_name_short}}, relative security can be improved by [[System_Hardening_Checklist|hardening the platform]] as much as possible. If you are unfamiliar with {{project_name_short}} / Linux or have limited knowledge of computer security topics, then it is recommended to first read these resources:

* [[Documentation#computer-security-education|The Computer Security Education section]]
* [[Post Install Advice|Post-installation Security Advice]]
* [[Warning|Warnings]]

If you have more time available, then it is recommended to read the [[Documentation]] widely.

= Motivation =

If motivation is needed to secure your computer, refer to these articles:

* [https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ The Scrap Value of a Hacked PC, Revisited (blog post).]
* [https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/ The Value of a Hacked Email Account (blog post).]
* [[Social Engineering]]: [https://youtu.be/fHhNWAKw0bY?t=51 hacking at defcon]
* [[Two-factor authentication 2FA]]: [https://citizenlab.ca/2015/08/iran_two_factor_phishing/ Two-Factor Authentication Phishing From Iran]
If the reader is time-poor, then just review the [https://krebsonsecurity.com/wp-content/uploads/2012/10/HackedPC2012.png Hacked PC] or [https://krebsonsecurity.com/wp-content/uploads/2013/06/HE-1-600x333.jpg Hacked Email] figures, or briefly scan the summary tables below.

== Hacked PC ==

US journalist and investigative reporter Brian Krebs notes there are a large number of malicious uses for hacked PCs, including ransomware, bot activity, stolen account credentials, webmail spam and much more.

'''Table:''' ''Value of a Hacked PC'' <ref>https://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/ Figure 1.</ref>

{| class="wikitable"
|-
! scope="col"| '''Category'''
! scope="col"| '''Attacker Activity'''
|-
! scope="row"| Account Credentials
| eBay/Paypal fake auctions
Online gaming, website FTP, Skype/VOIP credentials <br />
Client-side encryption certificates
|-
! scope="row"| Bot Activity
| Zombies: spam, DDoS extortion, click fraud and CAPTCHA-solving
|-
! scope="row"| Email Attacks
| Webmail spam
Stranded abroad advance scams <br />
Harvesting email contacts and associated accounts <br />
Access to corporate email
|-
! scope="row"| Financial Credentials
| Bank account and credit card data
Stock trading account <br />
Mutual fund / 401k account
|-
! scope="row" | Hostage Attacks
| Fake anti-virus
Ransomware and email account ransom<br />
Webcam image extortion
|-
! scope="row"| Reputation Hijacking
| Facebook, Twitter, LinkedIn, Google
|-
! scope="row"| Virtual Goods
| Online gaming characters, goods/currency
OS and PC game license keys
|-
! scope="row"| Web Server
| Phishing, malware download site <br />
Warez/privacy, child pornography server <br />
Spam site
|}

== Hacked Email Account ==

Krebs also notes the significant value of a hacked email account. Just one breach of an online email service permits the theft of valuable personal data, account/contact harvesting, re-sale of retail accounts, spam and much more. An email account is a particularly weak link, since once under the attacker's control they can reset the password, along with the passwords of many linked services and accounts.

'''Table:''' ''Value of a Hacked Email Account'' <ref>https://krebsonsecurity.com/2013/06/the-value-of-a-hacked-email-account/ Figure 1.</ref>

{| class="wikitable"
|-
! scope="col"| '''Category'''
! scope="col"| '''Attacker Activity'''
|-
! scope="row" | Employment
| Forwarded work documents and work email
Fedex, UPS, Pitney Bowes account <br />
Salesforce, ADP accounts
|-
! scope="row"| Financial
| Bank accounts
Email account ransom <br />
Change of billing <br />
Cyberheist lure
|-
! scope="row"| Harvesting
| Email, chat contacts
File hosting accounts <br />
Google Docs, MS Drive, Dropbox, Box.com <br />
Software license keys
|-
! scope="row"| Privacy
| Your messages, calendar, photos, Google/Skype chats
Call records (+ mobile account) <br />
Your location (+ mobile/itunes)
|-
! scope="row"| Retail Resale
| Facebook, Twitter, Tumbler, Macys, Amazon, Walmart
i-Tunes, Skype, Bestbuy, Spotify, Hulu+, Netflix <br />
Origin, Steam, Crossfire
|-
! scope="row"| Spam
| Commercial email
Phishing, malware <br />
Stranded abroad, email signature and Facebook/Twitter scams <br />
|}

= Advanced Security Guide =

After reading this chapter, it is recommended to refer to the Advanced Security Guide section for even more security advice.

= Stay Tuned =

It is recommended to read the [[Stay Tuned|latest {{project_name_short}} news]] to stay in touch with ongoing developments, such as notifications about important security vulnerabilities, improved {{project_name_short}} releases, other software updates and additional advice.

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]