DIEGO ARREGUING GOMEZ'S CYBER BLOG

Hi, I'm Diego!

I am Diego Arreguin Gomez, a Mexican born in Zapopan, Jalisco, who is currently developing as a Cybersecurity Professional at Tecnologico de Monterrey in the Cybersecurity BootCamp. I work at Greentube as an IT and Facility Support Specialist. I provide first- and second-level support for both the Greentube Mexico and Greentube USA subsidiaries, and I am responsible for troubleshooting, access management, security recommendations, infrastructure optimization and innovation, leading both subsidiaries' IT-related projects.

Blog Posts

Humans: The biggest asset for cyber-attacks

Phishing, vishing, smishing, human-error

Every time we imagine someone directing a cyber-attack, we picture the famous Matrix screens, with green code and numbers being typed at such a fast pace that we think of hackers as some of the greatest erudites of our cyber-society. But have we ever stopped to think that we are part of a cyber-security threat almost daily? Have we ever stopped to think that the weakest point of a cyber-security infrastructure is humans? In my opinion, there are two ways in which a human represents the weakest point.

1. HUMAN ERROR: This part is crucial when it comes from the cyber-security team. Just imagine that someone, while creating a firewall, reviewing a code infrastructure, applying an SSL certificate to a web page, or creating numerous VMs or servers as part of the organization's infrastructure, makes a typo or a mis-click in one of Azure's, AWS's or Google's cloud services; or someone makes a variable public in source code; or someone forgets to review one of SQL's basic security standards; or someone, just by mistake, exposes an entire server, an entire database, or even an entire source code to a possible attacker. Now, organizations' IT infrastructures with ISO security standards are the main firewalls to try to avoid human error. But we have still heard of big attacks on the databases of Uber, Facebook, Instagram and banks, compromising millions of users' private information.

2. SOCIAL ENGINEERING: The previous point was related to a technical breach: pen-testing an organization's infrastructure or trying to find the possible human error in a server, firewall, code, etc. But the next one sometimes doesn't even require a technical background for the attacker to be able to breach an organization. It just requires social skills. Have you ever received a call from a faraway cousin who needs money? An email saying you have won an iPhone totally free? A text message saying that you made a deposit to a bank account without your knowledge? If you haven't, I'm sure you have heard of someone who has, and even a story of someone who fell for a social engineering trick.

These 'tricks' are not only aimed at individuals. They are also targeted at organizations, and even some big company names have lost money to a social engineering attack. Sometimes organizations don't take the time to train their people for this kind of attack, or employees forget to double-check all possible sources of communication to be sure that they are not leaking information or transactions into the wrong hands, or they click on links without being totally sure the source is legitimate and reliable. And with the current involvement of AI recreating voices or even faces in video/voice calls, this kind of attack is expected to increase and represent a bigger threat to cyber-security in the future.

Does this mean that we shouldn't have humans in companies? Absolutely not. That is not the purpose of this blog entry. The purpose is to make the reader aware that an attacker will not always even need a computer to create a security breach. Never trust any source of digital communication by default, and always try to be aware of the possible ways an attacker may reach you. Even look for phishing self-training on YouTube, and if you are part of an organization, always promote security training to keep all employees aware of their digital life for both personal and business matters. But, as in all areas of cyber-security, we can protect our infrastructure and train the company's assets to mitigate incidents, but humans will always represent an asset for a cyber attacker.

Should organizations use Open Source Software?

Open Source, Cyber-security, Pros-Cons, Controlled Environment

Whenever you have code engineers, digital art designers, or even a finance employee who likes to test and use new software from the infinite options someone can find on the internet, sooner or later you're going to face the question: can we use this open-source software? Now, if you're new to the IT world, perhaps your direct response to this question would be an immediate NO. But, answering the question: YES, an organization can use open-source software.

Now, does that mean that we should use all the open-source software available on the internet? NO. Why? Because open-source software represents a possible breach that you don't even know has happened. When we don't know all the entries to a piece of open-source software, a possible attacker could type in malicious code that could compromise our organization.

But wouldn't that contradict my answer to the question? No, it is not a contradiction. We can relate this question to the famous information website Wikipedia. Wikipedia could represent open-source software if you don't understand the terminology. Anyone can enter something into Wikipedia. Does that mean that all information in Wikipedia is reliable? No, not all information in Wikipedia is reliable. Does that mean that you can't find good information in Wikipedia? No, you can still find good information and reliable facts in Wikipedia. But then, what makes the difference? The source of the information.

Whenever you ask your security team whether you can use a piece of open-source software, the security team will conduct an investigation of the software that needs to answer some direct questions: Who is the entity responsible for the software? What information does the software save? Do they have standardized ISO security certifications? Are they a reliable entity on security topics? Do they conduct audits of their source code and security infrastructure? Who conducts these audits? Can an attacker just type malicious code and have it accepted?

Returning to the Wikipedia example: if Wikipedia had a filter on the information typed into its site, trying to upload only reliable and factual information without removing the option to update something on the site, it would be more reliable, and professors and organizations would feel more confident using Wikipedia as a source to be quoted. It is the same with open-source code. The question doesn't rest only on whether it is open; it rests on how they manage their security certifications and standards to protect their clients. For example, Google is open-source software... and that doesn't mean organizations are not allowed to use it.