Designing an algorithm

Designing an algorithm

In this blog post I want you to show how I design my algorithms. It’s a simply and structured approach to write short, fast and easy to read code (although you can not always fulfill all of the three requirement).

Example

Count the islands in 2 dimensional map. The values of the fields on the map can be 0 = water or 1 = land. An island is land surrounded by water fields.

* This example is from a Google Job Interview posted on Glassdoor.com.

 

My approach for designing this algorithm

1) Visualize the problem

At first I visualize some examples of the problem in a spreadsheet. You will see that some questions arise…

algorithm_visualization

 

2) Ask questions to stakeholders and specify the problem

Next I ask questions (to stakeholders) to find out more about the problem. Examples:

  • “Are there any constraints to the size or shape of the 2d map?”,
  • “Do I also need to detect islands with more than 1 fields?”,
  • “Do I need to detect islands within islands?”,
  • “Are islands which are directly at the border of the map really islands or peninsulas?”

I write down the answers, so the the requirements specification is available for later purposes (e.g. when new requirements should be added, the code should be refactored, a bug is reported, the algorithm should be integrated into an other project, …).

For this example the following spec is valid:

  • Count the islands in 2d-map. There are 2 field values: 0 = water, 1 = land
    • The map can be of any size m times n
    • Islands can have multiple fields
    • Islands can have islands within them
    • Constraint: fields which border to the edge of the map are peninsulas

 

3) Write unit tests

Now I do not start coding right away. Following a Test Driven Development (TDD) it’s time to write unit tests based on the examples I’ve figured out in 1). My tests also focus on special cases.

Here you can see the unit tests for this example based on the (excel file):

def test():
 field1 = [[1, 0, 0, 0, 0, 0, 0, 0, 0, 0],
           [1, 1, 0, 1, 0, 1, 1, 0, 1, 0],
           [1, 0, 0, 0, 0, 1, 0, 0, 1, 0],
           [0, 0, 1, 0, 0, 0, 0, 0, 1, 0],
           [0, 0, 1, 0, 0, 0, 0, 0, 0, 0]]
 field2 = [[1, 0, 0, 0, 0, 0],
           [1, 1, 0, 1, 0, 1],
           [1, 0, 0, 0, 0, 1],
           [0, 0, 1, 0, 0, 0],
           [0, 0, 1, 0, 0, 0]]
 field3 =  [[0, 0, 0, 0, 0],
           [1, 1, 0, 1, 0],
           [1, 0, 0, 1, 0],
           [0, 0, 0, 1, 0],
           [0, 0, 0, 0, 0]]
 field4 = [[1],[1],[1],[1],[1],[1]]
 field5 = [[1,1,1,1,1,1,1,1]]
 field6 = [[0],[0],[0],[0],[0],[0]]
 field7 = [[0,0,0,0,0,0,0,0]]
 field8 = [[0],[0],[0],[1],[0],[0]]
 field9 = [[0,0,0,0,1,0,0,0]]
 field10 =[[0, 0, 0, 0, 0],
           [1, 1, 1, 1, 1],
           [0, 0, 0, 0, 0]]
 field11 = [[0, 0, 0, 0],
            [0, 1, 1, 0],
            [0, 1, 1, 0],
            [0, 0, 1, 0],
            [0, 0, 0, 0]]
 field12 = [[0]*250]*500 + [[0]*5 + [1]*240 + [0]*5] + [[0]*250]*500
 field13 = [[0, 0, 0, 0, 0],
            [0, 1, 1, 1, 0],
            [0, 1, 0, 1, 0],
            [0, 1, 1, 1, 0],
            [0, 0, 0, 0, 0],
            [0, 0, 0, 0, 0]]
 island_on_island = [[0, 0, 0, 0, 0, 0, 0],
                     [0, 1, 1, 1, 1, 1, 0],
                     [0, 1, 0, 0, 0, 1, 0],
                     [0, 1, 0, 1, 0, 1, 0],
                     [0, 1, 0, 0, 0, 1, 0],
                     [0, 1, 1, 1, 1, 1, 0],
                     [0, 0, 0, 0, 0, 0, 0]]
 assert(count_islands(field1) == 3)
 assert(count_islands(field2) == 1)
 assert(count_islands(field3) == 1)
 assert(count_islands(field4) == 0)
 assert(count_islands(field5) == 0)
 assert(count_islands(field6) == 0)
 assert(count_islands(field7) == 0)
 assert(count_islands(field8) == 0)
 assert(count_islands(field9) == 0)
 assert(count_islands(field10) == 0)
 assert(count_islands(field11) == 1)
 assert(count_islands(field12) == 1)
 assert(count_islands(field13) == 1)
 assert(count_islands(island_on_island) == 2)

 return "*** all tests pass! ***"

print(test())

4) Write pseudo-code

So far I didn’t care about the design of the algorithm. That changes in this step. Because trying to figure out a solution by writing pseudo-code it easier than directly implementing the algorithm, I write down my thoughts on paper (or in a virtual document).

It is a good idea to bear the efficiency of the algorithm in mind. You can write down the estimated runtime of every line with the Big-O-Notation.

 

5) Start coding

Once I’ve figured out a good solution, I start coding. Because I’ve already written my unit tests in step 3 it’s very easy for me to verify if my implemented algorithm works properly.

I’ve come to the following first draft of the solution for the problem (python):

class FieldIsWaterException(Exception): pass

def count_islands(_map):
 islands = 0
 width = len(_map[0])
 height = len(_map)
 
 r = 1
 while r < height:
   f = 1
     while f < width:
       if _map[r][f] != 2 and _map[r][f] != 0:
         if check_island(_map, r, f, width, height) == True:
           islands += 1
       f += 1
   r += 1
 
 return islands

# should only be called on a field which isn't water
def check_island(_map, r, f, width, height, prev=None):
 
 # if this field is water then something went wrong
 if(_map[r][f] == 0): FieldIsWaterException("Error: called on water")
 
 _map[r][f] = 2 
 
 # check lower
 if prev != "LO":
   if r+1 < height:
     if(_map[r+1][f] == 1): 
       if check_island(_map, r+1, f, width, height, "UP") == False:
         return False
 else:
   return False     # edge of world
 
 # check left
 if prev != "LE": 
   if (f-1) >= 0:
     if(_map[r][f-1] == 1): 
       if check_island(_map, r, f-1, width, height, "RI") == False:
         return False
 else:
   return False     # edge of world
 
 # check right
 if prev != "RI":
   if (f+1) < width:
     if(_map[r][f+1] == 1): 
       if check_island(_map, r, f+1, width, height, "LE") == False:
         return False
 else:
   return False     # edge of world
 
 # check upper
 if prev != "UP":
   if (r-1) >= 0:
     if(_map[r-1][f] == 1): 
       if check_island(_map, r-1, f, width, height, "LO") == False:
         return False
 else:
   return False     # edge of world
 
 return True

6) Test efficiency and refactoring

Once I am finished with the first draft and the tests pass, I start refactoring my solution. I want my code to be fast and easy to understand.

In python you can easily profile your code by using the cProfile class:

def test2():
 island_on_island = [[0, 0, 0, 0, 0, 0, 0],
                     [0, 1, 1, 1, 1, 1, 0],
                     [0, 1, 0, 0, 0, 1, 0],
                     [0, 1, 0, 1, 0, 1, 0],
                     [0, 1, 0, 0, 0, 1, 0],
                     [0, 1, 1, 1, 1, 1, 0],
                     [0, 0, 0, 0, 0, 0, 0]] 
 assert(count_islands(island_on_island) == 2)
 
import cProfile
cProfile.run("test2()")

In the test2() function I created a map with an island on an island. The map consists of 7 columns and 7 rows. O(n*m) would be if the check_island() function would be called around 49 times. Executing cProfile.run() on the test2() function gives the following result:

algorithm_profiling

We can see that check_island is only called 17 times. This is because the algorithms does not check “water-fields” and no “land-field” is checked twice.

In first draft above from point 5 I violated the “Don’t repeat yourself” principle by writing down the same checks for the left, upper, lower and right field in the check_island() function. Therefore I refactor the code a little bit. Because I’ve written my unit tests I can be confident that I do not destroy the algorithm by refactoring it.

...
# should only be called on a field which isn't water
def check_island(_map, r, f, width, height, prev=None):
 
 # if this field is water then something went wrong
 if(_map[r][f] == 0): FieldIsWaterException("Error: called on water")
 
 # if a land field has been checked once, no further need to check it
 _map[r][f] = 2 
 
 _checks = [["LO", r+1, f, "UP"], # check lower field
            ["LE", r, f-1, "RI"], # check left field
            ["RI", r, f+1, "LE"], # check right field
            ["UP", r-1, f, "LO"]] # check upper field
 
 for [_prev, _r, _f, _next] in _checks:
   if prev != _prev:                                         # if not previous field
     if _r < height and _r >= 0 and _f < width and _f >= 0:  # if in range
       if(_map[_r][_f] == 1):                                # if land
         if check_island(_map, _r, _f, width, height, _next) == False:
           return False
     else:
       return False         # edge of world 
 
 return True

Summary

This is it. This algorithms took me about 2 hours incl. specification, tests and refactoring. And believe me: Writing down your requirements and unit tests is definitely worth it in future. Regression tests prevent you from including bugs during implementation of further features and allows you to refactor your code. Specification allows you to write proper tests and to understand your code in future (comments in code also help, but the do not show you the goal of the code). Only if you have the requirements, you can check in future if new requirements conflict with old ones.

At the end I want to summarize the 6 steps shown in this blog post:

  1. Visualize the problem
  2. Ask questions to stakeholders and specify the problem
  3. Write unit tests
  4. Write pseudo-code
  5. Start coding
  6. Test efficiency and refactoring

If you are working in a team with other developers and testers you can split the work (e.g steps 1 – 3 is doing an other person than steps 4 – 6) and you can also add a 7th step called “review” where a senior is reviewing the code of the other team members. In this way the code get’s better and the others can learn from the senior developer.

 

Corporate vs. Product Security in Startups

Corporate vs. Product Security in Startups

When corporations search for an information security specialist most of the time their goal is to find someone who can keep their organization secure. He need to be able to protect the company’s secrets and resources. If this person takes over the Chief Information Security Officer (CISO) role then his main task is to write, maintain and control the Information security concept and the security guidelines of the whole company or a division within a larger corporation. If the person is recruited as cybersecurity specialist within the (local) IT department, then he or she might be actually implementing the security concept, is writing working instructions with checklists and writes inventory registers, configuration documents and security reports.

What both have in common is the focus on the company’s secrets and resources. This can include access restrictions and authorization mechanisms for the building and the IT, backups of company data and so on. In the Lean Startup Security Guide the role for these tasks is called Corporate Security Responsible.

On operational level some organizations split the security tasks in physical (facility) security and network (IT) security groups, but their goals are still the same: Securing the corporate’s secrets and resources. [1]

But for many companies there is also a need for an additional security team, the product security team. Those companies produce a product or operate a service and have a need to make their product or service secure. Most of the employees who focus on product security are simply part of the engineering teams. In some cases they have even different job titles and descriptions like “security engineer” or “security tester” and are involved each step during the software development life cycle (analysis & specification, design, implementation, testing, integration and maintenance). In many other cases this security engineering tasks are a little bit overlooked and are only thought about when the first issues from the production environment are reported. In the Lean Startup Security Guide the role for these tasks is called Product Security Responsible.

 

Relation to Startups

Because Software and Internet startups directly deliver software or they offer software as a service to their customers, they need to deal with corporate security and product security.

Ideally the product security team is separated from the corporate security team, since they operate in different environments and on different tasks. Therefore they also need different kinds of skills. While for product security it is necessary to have software development skills, for corporate security it is important to have knowledge on networks, off the shelf appliances and their configuration ( [1], chapter 2.2). Separation can also be important, because of the prioritization of tasks. What is more important: updating a flaw in the server configuration or updating a flaw in a company’s product? ( [1], chapter 2.1)

This separation in product and corporate security teams can also be the implemented in small software companies. Example: One of the software developers is responsible for product security and the system administrator (if there is one) is responsible for corporate security tasks. Both are steered and have to report to the CTO.

For startups which offer Internet services (e.g.: web shops, social media platforms, apps with constant server communication or software as a service products) it is a little bit more difficult to differentiate, since

  • the company’s secrets, like the customers and all the information about them and the source code of the software are part of the product and stored on servers which can be directly accessed through the Internet.
  • many startups use cloud services (Infrastructure or platform as a Service product from Amazon, Google, Microsoft, etc.) and they do not even have their own infrastructure.
  • the backend software which is written in Java, PHP, Ruby, Python, JavaScript, etc., might have interfaces to other off the shelf server software like the database, ERP or SAP systems, server monitoring software and other tools.
  • often either the system administrator or a developer is also responsible for DevOps (= a clipped compound of development and operations) tasks and software deployment is automated in many cases. So it might be the case that a developer (and not an administrator) is installing and configuring server software, like the web server software or tools to index and query databases.

 

Therefore the borders blur a little bit. A hacker can get access to sensitive company data through misconfiguration or exploits in off the shelf server software, but he or she can also get access through misconfiguration or exploits in the backend software which is developed by the company. For such companies it is advisable to build a joint corporate and product security team, since many of the tasks and skills overlap.

Nevertheless, especially in those cases it’s important to have clear responsibilities, rules and guidelines. If a developer is configuring off the shelf server software, then he or she also needs to have expertise in doing so, or the whole task needs to be reviewed by someone who has the knowledge.

Because this is a very important organizational topic, there is an own safeguard on “Corporate vs. product security” in the Lean Startup Security Guide.

 

[1] P. Watson, “Corporate vs. Product Security,” May 2013. [Online]. Available: https://www.sans.org/reading-room/whitepapers/bestprac/corporate-vs-product-security-34237. [Accessed 19 06 2016]

 

Online survey on IT Security in Austrian Software Startups

Online survey on IT Security in Austrian Software Startups

In this blog post I am publishing the survey results of an online survey I’ve conducted for writing my master thesis. Because my thesis targeted “Information Security in Software Startups” the survey is all about “How Austrian Internet and software startups deal with information security”. The results of the survey showed me where I need to have a special focus during specification of the Lean Startup Security Guide.

 

Figuring out the number of candidates needed

With an estimated population size of 325 Software and Internet startups in Austria (according to http://www.austrianstartups.com/map/), a confidence level of 90% and a margin of error of 10%, the calculated minimum sample size needs to be 56 samples. This means that 56 people, who work in different startups, need to take part in the survey. In other words: 17.23% of all Internet startups in Austria needed to take the survey.

 

The survey results

Altogether 60 of about 325 (18.5%) Austrian software and Internet startups participated in the online survey.

Getting to know the audience

The first questions had the goal of getting to know the survey audience. The following questions were asked:

1) What roles do you take in your startup? (multiple answers possible)
q1

  • More than 90% of all participants are in a managing role as CEO or CTO (only very few interviewees stated to be CEO and CTO in one person).
  • Only 16% of the interviewees own the IT security or privacy responsible role. All participants which stated to be IT security or privacy responsible also owned the CTO role.

2) In what kind of startup do you work at? (single choice)

This question ensured that only Internet and software startups were considered in the result interpretation.

q2

  • Fintech are Software Startups in the financial sector.
  • The 7% other consist of startups in the Biotech and Electronics sector. They have conducted the survey because they either have an online shop or also produce software products (but not as their main product).

3) Where is your startup located? (country; single choice)

This question was asked to ensure that only Austrian Startups are participating the survey.

4) Number of employees in your startup? (single choice)

q3

The answers to this and the next question shows a problem I faced. It was particularly hard to find very early stage startups with just a few employees. This might be due to the fact that very early stage startups do not invest much time in being visible to investors and the public yet.

Nearly 63% of all interviewed startups had more than 4 employees. Nearly 28% even had more than 9 employees.

5) How old is your company in years? (single choice)

q4

Like already described in the previous question most interviewed startups are already out of the early stage phase in terms of employees. This can also be seen in the answers to this question, since only around 37% are 2 years or less of age.

6) Cloud Services

More than 83% of the interviewed startups use Software as a Service (SaaS) and 51% use Infrastructure as a Service (IaaS) for their business. Only 11% stated that they do not use cloud services at all.

7) Processing of personal data – 49% stated to process personal data only within the European Economic Area and 44% even do this only on their own servers. More than 28% stated that they either don’t know where their data is processed or that they process data outside of the European Economic Area.

 

Questions about information security

Question 1: Are startups willingly taking risks in terms of cybersecurity by lacking information security processes and mechanisms?

This question is tricky to answer, because it is hard to distinguish between lack of knowledge and willingly taking risk. In many cases even the interviewees in a personal interview couldn’t answer this question, because many times they were somewhere in between those two situations.

Because of this difficulty I used the following approach for the online survey:

Ask the startups…

  1. if security is important for their startup
  2. why security is not important for them
  3. if they are afraid of being hacked
  4. if they performed a risk assessment
  5. if they have an information security responsible
  6. what kind of measure they have implemented

While the first 3 questions target the personal feeling of the survey participant, the other 3 target the actual situation within their company. I combined and interpreted the answers of those 6 questions to give an answer to this first question.

The answers

  • 33% stated that information security is very important for their company
  • 58% stated that information security is important for their company
  • 9% stated that information security is not really important for their company
    • Of these 9%…
      • 29% never thought about it
      • 71% don’t have enough resources for it
  • 19% stated that they are definitely afraid of being hacked, while the other 81% think that it might be possible. None of them think that they aren’t a potential target or that they have spent too much money on IT security to be hacked.
  • 12% stated that they have performed an information security risk assessment
  • 19% stated that they have the role “IT security responsible”
  • The answers to question 6) will be answered separately below

Conclusion for Questions 1

Although more than 91% of the participants stated that IT security is an important topic for their company, only very few companies (19%) have an employee who is responsible for IT security. Furthermore only around 30% of the young companies seem to implement something like a well-though cyber security concept. Together with the fact that 100% of all participants thought that they could be hacked, this indicates that most of the young companies are aware of the security risks and also know that they are not perfectly prepared for an attack. Although most of them did not perform a risk analysis and therefore do not know all of the potential threats which they are facing, it seems like they are willingly accepting the remaining information security risks. But without a risk assessment, employee training on security and an information security responsible, this topic can certainly not be described as “managed”. In my opinion the risks are (partially) known but simply neglected in many cases.

Question 2: Do accelerators, investors and venture capitals care if their startups have an eye on Information security?

This question has been targeted with the survey question: “Who cares about information security in your startup?” The results:

  • 49% of the CEOs
  • 74% of the CTOs
  • 59% of the Developers
  • 5% of the Investors
  • 5% of the Accelerators and Incubators

This shows that nearly none of the accelerators or investors actively trigger their startups to invest resources into information security.

Question 3: How many startups did already experience security breaches?

From all questioned startups around 14% stated that they had been victims to successful hacker attacks (5% of them even more than once).

q5

While this certainly seems like a small number in percentage, in absolute terms more than 45 companies in Austria have already been victims. And most of them have not even been existing for more than 4 years (74%). Furthermore some of the startups might not even know that they have been victims to successful hacker attacks (dark figure).

Question 4: Would your startup implement a very lean Security process and lean Security measures if it would only cost between 2 and 4 working days (depending on company size)?

q6

The previous questions already showed that there is much space for improvement. The answers to this question confirm this, because more than 76% of all participants are willing to implement a “Lean Startup Security Guide” or are willing to discuss such a guide with their colleagues. This also highlights the relevance of the Lean Startup Security Guide.

Question 5: What kind of risk evaluation techniques, information security measures and processes do Austrian startups implement to deal with cyber security threats?

  • 88% of the participants perform regular data backups
  • 54% encrypt personal or sensitive data
  • 40% perform code reviews with focus on information security
  • 35% execute penetration tests
  • 30% have security trainings for employees and founders
  • 33% centrally manage their employees’ devices (laptops, phones, tablets)
  • 30% have security policies
  • 19% have an IT security responsible
  • 12% have performed an information security risk assessment
  • 2% implement information security standards

The results show that only the first two safeguards are implemented by more than 50% of the software and Internet startups. The fact that 40% perform code reviews with focus on IT security, but only 30% train their employees on information security topics, indicates that there is a higher focus on product security than on corporate security.

Additional results

  • 83% of the survey participants did not know the “Österreichisches Informationssicherheitshandbuch” or the “IT Sicherheitshandbuch for KMU”
  • 30% have a privacy responsible in their company
  • 35% have at least someone in their company who knows something about the EU privacy laws
  • 9% of the startups handle privacy by consulting their lawyer

 

My conclusion

The survey showed that many startups lack on their information security handling. Many of them do this on purpose. In parallel they are willing to implement lean security safeguards if the effort only takes between 2 and 4 working days. This is why I created the Lean Startup Security Guide to improve the information security level of Internet and software startups.

Sicherheitsanalyse zu Clickadpays – Ein Paradies für Hacker?

Sicherheitsanalyse zu Clickadpays – Ein Paradies für Hacker?

Wie man sich vor Hackern und Malware schützt.

Click ad pays erfreuen sich zunehmender Beliebtheit. Sie versprechen meist Unternehmern kostengünstige Werbung und Privatpersonen passives Einkommen von zuhause aus. Das Prinzip ist einfach und immer recht ähnlich: Die Benutzer, egal ob Privatperson oder Unternehmer, müssen sich täglich Werbungen ansehen und bekommen im Gegenzug eine kleine Aufwandsentschädigung, Werbepakete, Gewinnausschüttungen oder Ähnliches.

In einigen Fällen sieht man auf einer Übersichtsseite viele kleine Banner und Werbetexte. Diese Banner verlinken wiederum auf die Webseiten der Werbenden (bzw. auf eine andere Seite in der dann die Webseite des Werbenden per iFrame eingebunden ist). Hat man die Webseite des Werbenden dann eine bestimmte Zeit lang angesehen, so darf man sie verlassen und auf die nächste Werbung klicken. Je nach Plattform variiert die Anzahl der zu besuchenden Werbungen und die Art und Höhe der Belohnung dafür. Die meisten Benutzer sehen vor allem die Möglichkeit Geld mit den Netzwerken zu verdienen, die Gefahren werden dabei leider häufig außer Acht gelassen.

Tipp: Du kannst die Erläuterungen gerne überspringen und zum Abschnitt “Wie schütze ich mich” gehen um zu sehen wie du dich schützen kannst!

 

Die Gefahr dabei

Der Benutzer wird, auf eine ihm unbekannte Seite, weitergeleitet. Diese kann vom Inhalt her dem Werbebanner entsprechen, muss es aber nicht. Ebenso kann sie zwar legitime Inhalte enthalten, im Hintergrund aber versuchen den Besucher der Webseite mit Malware zu infizieren. Das Ganze könnte folgen ablaufen:

  1. Der Benutzer eines Click ad pays klickt auf einen Banner so wie jeden Tag um sich 10 Webseiten anzusehen und dafür durchs Werbenetzwerk belohnt zu werden
  2. Nachdem der Benutzer weitergeleitet wird, werden diesem legitime Inhalte angezeigt. Zum Beispiel: Werbung für Produkte, Informationen zu passiven Einkommensmöglichkeiten, Rezepte, usw.
  3. Unbemerkt im Hintergrund wird jedoch im Browser des Benutzer eine bösartige Software ausgeführt. Diese hat der Betreiber der Webseite platziert um die Besucher zu infizieren und Vollzugriff auf deren Computer und ihre Daten zu bekommen. Die Schadsoftware scannt den Browser des Benutzer im ersten Schritt nach Schwachstellen ab, wie zum Beispiel ein veraltetes Flash – Plugin. Wird eine Schwachstelle gefunden, so wird diese im nächsten Schritt ausgenutzt um ohne Kenntnis des Benutzer eine Schadsoftware auf dem PC zu installieren. Mit Hilfe dieser Software kann der Angreifer dann weitere Programme, wie zum Beispiel einen Keylogger oder eine Ransomware nachinstallieren. Was dann folgt sind meistens Datendiebstahl, Erpressung oder ähnliches.

Wie ist das Ganze möglich?

Möglich werden solche Angriffe durch einen Code der im Browser des Benutzers ausgeführt wird. Dieser Code ist in der “Programmiersprache des Webs”, also in JavaScript geschrieben. An sich ist JavaScript nichts schlechtes und ermöglicht erst die Vielzahl an modernen Webseiten und Webanwendungen. So können mit Hilfe von JavaScript zum Beispiel Daten im Hintergrund von einem Server nachgeladen werden ohne die Webseite neu laden zu müssen. Ein Beispiel dafür sind die Statusmeldungen von Facebook, die immer automatisch nachgeladen werden sobald der Benutzer zum Ende der Seite scrollt.

Prinzipiell wird der JavaScript-Code in einer sogenannten Sandbox ausgeführt. Diese soll verhindern, dass der Code einer Webseite unbefugte Dinge macht und Schaden anrichten kann. Häufig kommt es aber (so wie überall) zu Fehlern im Browser oder in Plugins (zb. Flash, PDF-Viewer, …), die es möglich machen aus dieser Sandbox auszubrechen. Und genau, solche Möglichkeiten nutzt bösartige Software um dich zu infizieren.

Im Normalfall kommt der 0815-Internetbenutzer eher selten auf Seiten, die versuchen ihm mit bösartiger Software zu infizieren. Das kommt daher, dass der Benutzer nur Seiten ansurft welche er kennt und denen er vertraut. Durch das Klicken auf Werbung in Werbeplattformen kommst du aber auf viele verschiedene Seiten ohne vorher zu wissen wer oder was dahinter steckt. Und genau da liegt auch die Gefahr.

Wie schütze ich mich?

Zum Glück gibt es einfache Möglichkeiten um sich zu schützen:

Zuerst die Basics, die du ohnehin immer beachten solltest:

  • Verwende einen aktuellen Browser, der automatisch Sicherheitsupdates durchführt. Mozilla Firefox und Google Chrome sind Beispiele für solche Browser.
  • Verwende einen Virenschutz der automatisch Sicherheitsupdates durchführt, wie zum Beispiel Avira, Kasperky oder Avast.
  • Halte dein Betriebssystem up to date. Automatische Betriebssystem-Updates sind Pflicht!
  • Aktiviere die Firewall deines Virenschutzes oder die deines Betriebssystems.
  • Deaktiviere und deinstalliere den Flash Player und Java, sofern du diese Programme installiert hast. Beide Programme haben sich in der Vergangenheit als sehr unsicher und anfällig für Viren herausgestellt. Inzwischen haben die Browser schon standardmäßig einen Videoplayer eingebaut – das heißt du benötigst den Flashplayer nicht mehr.

Nun zu den speziellen Tipps für die Verwendung von Click ad pays:

  1. Verwende einen Browser den du ansonsten nicht verwendest. Das heißt, wenn du normal mit dem Google Chrome im Internet surfst, dann verwende Mozilla Firefox.
  2. Installiere ein Browser Plugin, welches dir erlaubt JavaScript auf Webseiten gezielt zu deaktivieren. Beispiele: NoScript für Firefox oder ScriptSafe für Chrome.
  3. Deaktiviere JavaScript mit diesen Plugins standardmäßig und aktiviere es nur für die Werbenetzwerk Seite.

Sobald du nun Werbung auf der Click ad pay -Seite ansiehst, so siehst du nur den bloßen formatierten Inhalt (HTML + CSS) der Seite. Skripte können nicht ausgeführt werden. Dadurch kannst du dir sicher die Werbeseiten ansehen.

Wenn du diese Sicherheitsmechanismen verwendest, dann bist du einigermaßen gewappnet und kannst per Klick auf den Button unterhalb kostenlos anmelden.

 

Erweiterter Schutz fürs surfen im Internet

Es gibt eine weitere Methode, die einen hohen Sicherheitsgrad verspricht. Diese ist nicht nur Werbeplattform-Benutzer ein äußerst wirksamer Schutz, sondern für jeden der sich häufig auf unsicheren & unbekannten Webseiten aufhält. Das wäre unter anderem Webseiten auf denen man sich urheberrechtlich geschützte Inhalte ansehen und downloaden kann (Serien und Filme Streaming, Plattformen auf denen gecrackte Programme heruntergeladen werden können) oder aber auch Pornoseiten.

Wer sich hier schützen möchte geht wie folgt vor:

  1. Installieren einer Software mit der man virtuelle Maschinen betreiben kann. Beispiele dafür sind VMware Player und Virtual Box.
  2. Erstellen oder herunterladen einer virtuellen Maschine. (Eine virtuelle Maschine ist ein virtueller Computer, der auf deinem Betriebssystem simuliert wird. Mehr dazu im Link.). Gratis VMs zum Herunterladen findest du zum Beispiel hier oder hier.
  3. Wenn du ab jetzt auf unsicheren Webseiten  unterwegs bist, dann verwendust du dazu nur mehr deine neue virtuelle Maschine. Solltest du dich nämlich wirklich mit einer Malware oder Virus infizieren, so ist davon nur die virtuelle Maschine betroffen – nicht dein tatsächliches Betriebssystem. Das heißt, dass alle deine Daten auf dem PC sicher sind. Der Hacker kommt nur an die in der virtuelle Maschine. Zu beachten: In der virtuellen Maschine darfst du dann natürlich nicht auf Seiten wie Facebook gehen oder gar Online Banking machen. Damit würdest du nämlich wieder Benutzernamen und Passwörter in die VM bringen. Ist diese infiziert, so hätte wiederum der Angreifer deine Daten.

 

Das wars mit der Click ad pay Sicherheitsanalyse.

Noch Fragen? Die Beantworte ich gerne. Hinterlasse einfach ein Kommentar

 

Efficiently writing a master thesis

Efficiently writing a master thesis

This blog post shows a methodical approach for writing a master thesis and how the Lean Startup Security Website has been created. I have used the following approach to plan and schedule all tasks which were necessary for writing my master thesis.

Overview

The activity diagram on this page shows all the different activities I had to do for writing my master thesis and their relation and dependencies to each other. I have categorized all the different activities into three “Activity stages”:

  • Getting Information,
  • Implementation and
  • Writing & Documenting

to highlight the type of a certain activity. Furthermore I’ve colored the activities with different background colors to emphasize the 6 major tasks. Those main tasks are explained in more detail in the following paragraphs.

 

Steps for writing a master thesis

Strategy & Literature research

Strategy

At first I created a mind-map (knowledge map) as you can see in the first figure. In this mind map I wrote down all the different stakeholders and topics which are related to “IT Security in Startups”. Based on this extensive mind-map I defined the procedure which resulted in the activity diagram shown on this page.

Writing a master thesis - mind map
Mind map

The abstract, research question, demarcation and objectives are also based on the initial mind map.

Literature research

The next obvious step had been an exhaustive research on all topics which I identified on the initial mind map. All of them can be assigned to the main topics Startups, IT Security and Privacy. A majority of used references are papers, white papers, industry standards, laws and IT Security and Startup books and blogs.

Writing a master thesis
Activity diagram

Master thesis (document)

The master thesis arose in parallel to the information procurement and implementation and had been adapted and redesigned if any of the two other activity stages brought new understandings. For structuring the chapters of this thesis I compared the structure of various other master theses with each other to find an easy to read construction and to ensure that a golden thread is running through my paper.

 

Questionnaire and Interviews

I have interviewed stakeholders from the Startup scene (CEOs, CTOs and employees) and conducted an online survey to get answers to the 2 research questions.

Because IT Security is a delicate subject to many companies I have ensured absolute non-disclosure to each interviewed person. Otherwise I would have doubt the uprightness especially of CEOs and CTOs. Therefore there will be no publication of company or person names or of single questionaries’. Instead I will publish aggregated and anonymized information.

 

Lean Security Methods

I have defined lean security methods in parallel to the questionnaire and surveys and the methods are also part of the master thesis. The different methods, practices and recommendations are mainly based on:

  • My experience as Startup CTO and IT Security master student
  • Common industry standards like ISO/IEC 27001, ISO/IEC 20000, ISO/IEC 22301, “BSI Grundschutz” and the BSI 100-x standards
  • EU privacy regulations and Austrian privacy law (DSG2000)
  • The “IT Sicherheitshandbuch” and “IT Risikoanalyse” documents from the Austrian Federal Economic Chamber (WKO)
  • Papers from the SANS Institute concerning Security

My goal has been to find light-weight mechanisms and methods which can be easily implemented by companies before, during and after foundation. So the methods can be used from 1-person company’s until a company size of around 20 people.

 

Practical Implementation

To verify the practicability and duration of the “Lean Security Methods” I’ve implemented all the measures into the Startup I work at: Rentog (https://rentog.com).

I’ve used all the findings, issues and obscurities which occured during implementation to update and enhance the Lean Security Methods. Additionally I created several templates during the implementation. These templates are available in the “Template” section.

 

Publication

All the defined lean security methods and recommendations and the corresponding templates are published on http://leanstartupsecurity.com. With the publication of the methods the objective “…improve the overall security level of Startups in the IT and Internet field…” is targeted. It is also possible for visitors to post comments so that I can learn from the users and that I can further improve the methods.

 

Summary

Writing a master thesis is not an easy tasks and takes some time. Especially research can be exhausting and sometimes you don’t even notice that you are heading in the wrong direction. For those reasons it is very helpful to have a clear plan and strategy on how to write your master thesis. I have used a simple mind-map and an activity diagram to visualize and organize everything. These techniques will allow you to stay focused during your research and will help you to better plan your tasks.