Saturday, December 22, 2018

Hybrid Cryptography

We just love to mix things up. Well, yeah and why not? When we get the best of both the worlds, we can mix anything up. Even when it is so complex in itself like cryptography. In the last article, we learned about symmetric and asymmetric cryptography. It’s time to mix them both and explain you the hybrid concept.

We need to go back and recapitulate some points before we can move forward and appreciate the hybrid concept. In the symmetric cryptography, we understood that it is quite fast, however, the challenge was sharing the key between a large number of people. Everyone is required to keep the shared key as secret, and, if this gets compromised, the distribution of the key needs to be repeated again.  What if we could find a way to quickly transfer this key amongst multiple people without the dangers of compromising it? Asymmetric key offers secure key distribution but uses a lot of resources when multiple people are involved. It’s also quite slow and mathematically intensive.

Hybrid cryptography’s recipe is very simple – Take the swiftness of symmetric key cryptography for encrypting bulk data and take the time-proven trustworthy aspect of asymmetric key cryptography for key distribution. 

How does this work then? Alice and Bob as usual wish to communicate with each other. This type, however, Alice wants to ensure that only Bob to be able to read the message and no one else. Alice encrypts her message with a secret key, so he gets an encrypted message. She has two things now – encrypted message + secret key. This secret key needs to be protected and distributed. For this distribution, Alice uses the asymmetric key cryptography. This method has two keys – public and private one. Alice will not know what is Bob’s private key, so she finds out his public key and uses that. The public key of Bob is used to encrypt the secret key so that it can be sent across. The following diagram will help you understand this in a better manner.

When the complete package is received by Bob, he uses his private key to decipher the secret key. Once he gets the secret key, he uses it to decipher the message. Here, Alice has used the asymmetric cryptography to transfer the secret key. The secret key or the symmetric key is then used to decipher the message as it is quite fast.

At this point, we need to clear some questions which may have cropped up in your mind. Why are we using 3 keys here – secret, public and private?  The secret key is the one which is used in symmetric cryptography while the public and private ones are a part of the asymmetric cryptography. The next question is – Why did Alice use Bob’s public key to encrypt the secret key? She could have used her own public key or Bob’s private key. Hold your horses, let’s analyze, both these scenarios. If she would have used her own private key, anyone with Alice’s public key would be able to get the secret key. The purpose of maintaining a secret key would have defeated. If you have been paying close attention till now, Alice can never get hold of Bob’s private as it is the private key and no one can know about it except Bob.

I know this sounds too confusing the first time, but read it, again and again, to get a hold over it. How can I let you go without answering some of the questions? Write down your answers in the comment section below:

1. If I encrypt the symmetric key with your public key, what would that help me achieve?

2. The sender’s private key is used to encrypt the symmetric key. How would that help the receiver?

3. Akshay uses his public key to encrypt a message. Is that possible?

4. Bauaa Singh uses his symmetric key to encrypt a message containing a symmetric key. Will, that work?

In the next article, we will learn about digital signatures as it is based on the concept of hybrid cryptography. 

Saturday, December 15, 2018

Symmetric and Asymmetric Cryptography


Having learned about cryptography in the previous article, it is now time to learn about the types of cryptography. You are right, nothing is complete till we understand its types and subtypes and so on. Remember, your best friends, Alice and Bob!!! They are going to help us understand the types of cryptography.

Before we go into the details, we ought to recapitulate a few terms. 

1. Plain text – Data in a readable or understandable format.
2. Ciphertext – Random and unreadable text 
3. Encryption – Process of converting plain text into cipher text.
4. Key – Sequence of random bits
5. Algorithm – Rules by which encryption and decryption will take place.

It is really important to clearly understand these terms, else, the journey ahead will be difficult. So lets us begin.

Cryptography algorithms are either symmetric algorithms, which use symmetric keys (also called secret keys), or asymmetric algorithms, which use asymmetric keys (also called public and private keys). I know, this can be confusing, if you read this the first time, however, you’ll be able to sail through if you pay close attention.

If you and I share the same password, we are using the symmetric algorithm and if we use a public and a private password, we are using the asymmetric algorithm. This is not technically correct, however, explains it in a manner that you can understand.

Symmetric Algorithm

Alice and Bob, as usual, want to communicate with each other. Alice has an old age secret recipe of pancakes which Bob has requested from Alice. Given the current scenario of data breaches happening everywhere, Alice is skeptical of sending it as such. She discusses with Bob and they both decide to use symmetric cryptography for this purpose. In a cryptosystem that uses symmetric cryptography, the sender and receiver use two instances of the same key for encryption and decryption. This means that if Alice uses the key “123@encrypt” for encrypting, Bob will also use the same key to decrypt it. Each pair of users who want to exchange data using symmetric key encryption must have two instances of the same key.

The diagram below also illustrates the same.



Clearly, in symmetric encryption, it is the secrecy of the key that plays the most important role. If 3 people wish to communicate with each other, all 3 must have the same key and most importantly, all 3 of them must keep it secret. Hence, keeping the key secret is a big task, if there are many people involved.

We had learned that cryptography helps us achieve confidentiality. Symmetric cryptography can help us achieve that, but, can it help us achieve integrity, non-repudiation or authentication? Think for a minute. What is integrity? No unauthorized modification. But if the secret key is no longer secret, you cannot be 100% sure that no modification has taken place. There is also no way to prove who sent the message if two or three people are using the same secret key.

Monday, December 3, 2018

Understanding Cryptography



“ $%^*^* Nh%&gfg  K97@#”. Well, I’m 100% sure that you did not understand what I meant to say through these words. This is what cryptography is all about. Nah, don’t think that if you are unable to read what was written, it becomes an implementation of cryptography. When you convert plain text (readable text) into something that cannot be read (deciphered) often called ciphertext, it is known as cryptography.

Why would you want to convert something which is readable into gibberish? From time immemorial, human beings have kept secrets to protect themselves and their countries. For this very reason, information must be protected and this assurance can be further provided by encrypting the data, ie. the process of converting plain text into cipher text. Remember, the three pillars of information security – CIA. Cryptography helps implement the confidentiality principle.

The formal definition is as follows:

Cryptography is a method of storing and transmitting data in a form that only those it is intended for can read and process. It is considered a science of protecting information by encoding it into an unreadable format.

Now it’s time to learn new terms :

Encryption is a method of transforming readable data, called plaintext, into a form that appears to be random and unreadable, which is called ciphertext. Plaintext is in a form that can be understood either by a person (a document) or by a computer (executable code).

Once it is transformed into ciphertext, neither human nor machine can properly process it until it is decrypted. This enables the transmission of confidential information over insecure channels without unauthorized disclosure.

The algorithm is the set of rules also known as the cipher, dictates how enciphering (encryption) and deciphering (decryption) takes place. The secret ingredient that makes this algorithm so hard to break is the KEY.

If you are confused, don’t be. We need to understand all of this through an example.

In cryptography, you need to make friends with Alice & Bob. They are the 2 most famous people in the world of cryptography. Now Alice wants to send a message to Bob. The message is “I passed my CISSP exam and Mayur helped me a lot in it”. This is what is plain text as you were able to read it. Bob, however, doesn’t want the world to know this. So Bob converts this message to “@#$% B$CG &*()&%VBNJIJJM” which is unreadable. He converts it to a ciphertext which you and I can’t read. How does he do that? He uses an algorithm and encrypts it. In order to do so, he uses a KEY, similar to a password or passcode which can change it back. It’s like using a lock and only the correct KEY combination can open the lock.

In encryption, the key (crypto variable) is a value that comprises a large sequence of random bits. Is it just any random number of bits crammed together? Not really. An algorithm contains a keyspace, which is a range of values that can be used to construct a key. When the algorithm needs to generate a new key, it uses random values from this keyspace. The larger the keyspace, the more available values can be used to represent different keys—and the more random the keys are, the harder it is for intruders to figure them out. For example, if an algorithm allows a key length of 2 bits, the keyspace for that algorithm would be 4, which indicates the total number of different keys that would be possible.

All this makes up a cryptosystem which contains all the hardware and software that is required to implement this.

In a nutshell, cryptography helps you protect your information by utilizing rules which are driven by a key.


What are your thoughts on this?

Monday, November 19, 2018

Understanding NAT – Network Address Translation


If you would like to send a letter to me, what would be the most important aspect for you to send it across? My address. If you would have observed, we usually write the address in a certain format – building number, followed by area, city, state and then the pin code. Why do we do that? To avoid confusion. In a similar fashion, computers when they need to talk to each other, need to use the addresses. The Internet uses the IP addressing scheme, through which each computer on the Internet is assigned an IP address and that can be used for communication. Now think, how would you communicate if these addresses go missing? Read on to find out.

A long time ago, when the Internet came into existence, the concept of IP addresses came to life. This was called the IPv4 addressing scheme. This scheme involved the addresses being recorded as say, for example, 10.22.10.150. So every computer on the Internet got one such address. Over time, with the population explosion, the number of computers and devices connected to the Internet increased so much that the number of addresses went in short supply. To overcome this problem, IPV6 was introduced which could solve the problem as the number of addresses offered by this scheme was extremely large (2^128). However, this scheme also required changes to be done with the software and the hardware which we used. Intelligent minds came together to find a short-term fix until we could start using the IPV6. This solution was called NAT – Network Address Translation.

To understand NAT, let’s take an example. Imagine that you and I live in a society where there are a lot of apartments. Let’s call this place as “Security Society”. My flat number is 3331 and yours is 3335. In a similar fashion, there are hundreds of apartments in this society. When you send a letter outside, you write your complete address – Flat Number 3331, Block S, Security Society. However, the main security guard at your society’s entrance puts your letter in another envelope and changes the address to “Security Society” and hands it over to the postman for delivery. When the postmaster brings back the reply, the delivery address is just mentioned as Security Society and not the complete address. Hence, he hands it over to the security guard at the entrance and goes back. The guard understands that this letter belongs to you and hands it over to the correct address - Flat Number 3331, Block S, Security Society. 

Let’s apply the same analogy to the world of computers to understand NAT. When a message comes from an internal computer with the address of 10.20.30.215, for example, the message is stopped at the device running NAT software (security guard), which happens to have the IP address of 1.2.3.4 (address changed). NAT changes the header of the packet from the internal address, 10.20.30.215, to the IP address of the NAT device, 1.2.3.4. When a computer on the Internet replies to this message, it replies to the address 1.2.3.4 (Security Society). The NAT device (security guard) changes the header on this reply message to 10.20.30.215 (actual address – flat number) and puts it on the wire for the internal user to receive. Thus, NAT hides internal addresses by centralizing them on one device, and any frames that leave that network have only the source address of that device, not of the actual internal computer that sends the message.

NAT provides great security benefits in addition to solving the problem of the number of IPV4 address. When an attacker wants to target a system, he will not have the actual IP address and thus will continue to attack the natted IP address. Take a cue from the analogy shared above, the spam or marketing emails from companies will land up with the security guard who will just discard them and you will not be bothered.

There are 3 types of NAT implementation:

1. Static Mapping – Here the NAT software will have a bunch of public IP addresses and every private address will be mapped to a particular system always. So computer A always receives the public address x, computer B always receives the public address y, and so on. This is generally used for servers that need to keep the same public address at all times.

2. Dynamic Mapping – The NAT software will again have a bunch of public IP address, but this will get allocated dynamically to the private addresses. So if you send a request to communicate you will be given the public IP A which is first in the list, unlike static mapping where you were always mapped to public IP C.

3. Port Address Translation (PAT) – A pat on the back for you since you have made it to this point in the article. PAT is an extension of NAT and helps us to reduce the cost of buying multiple IP addresses. Here we will have only one IP address similar to one security guard at the main gate. Let’s take an example - The NAT device has an IP address of 10.40.81.5. When computer A needs to communicate with a system on the Internet, the NAT device documents this computer’s private address and source port number (10.10.44.3; port 43,887). The NAT device changes the IP address in the computer’s packet header to 10.40.81.5, with the source port 40,000. When computer B also needs to communicate with a system on the Internet, the NAT device documents the private address and source port number (10.10.44.15; port 23,398) and changes the header information to 10.40.81.5 with source port 40,001. So when a system responds to computer A, the packet first goes to the NAT device, which looks up the port number 40,000 and sees that it maps to computer A’s real information. So the NAT device changes the header information to address 10.10.44.3 and port 43,887 and sends it to computer A for processing. 

Although NAT is a short-term solution, it has been well received by the networking and the security community. Eventually, the world will move to IPV6 in entirety, but NAT and PAT offer cost-efficient and secure ways to handle the problem of depleting IP address today and even in future.

What are your thoughts on this? 

Saturday, October 27, 2018

Asynchronous & Synchronous Communication



Try to read the sentence written after this statement - “youwillpasscisspexamifyoustudyhard”. Clearly, you need to focus on the letters and your mind will try to discern the different words for you. Similarly, if I speak to you without pausing, it would again be difficult for you to discern and understand what I am communicating. So irrespective of the way we communicate – verbal or written, we need to follow certain grammatical rules so that the other party is able to clearly discern and understand what is being said. These grammatical rules for the written language include punctuation symbols such as comma, semicolon, spaces etc. while for verbal communication we use various aspects such as pausing, hand gestures, tones. 

In a similar manner, technological communication protocols also have their own grammar and synchronization rules when it comes to the transmission of data. We have two kinds of transmission ways – Synchronous & Asynchronous. Both of them utilize aspects similar to verbal and written communication. 

Asynchronous transmission utilizes bits for starting and pausing the transmission. If two systems are communicating over a network protocol that employs asynchronous timing, then “start” and “stop” bits are used. The sending system sends a “start” bit, then sends its character, and then sends a “stop” bit. This happens for the whole message. The receiving system knows when a character is starting and stopping; thus, it knows how to interpret each character of the message. It is similar to how we communicate in a written letter – I will insert spaces, commas, full stop, etc. to indicate “start”, “pause” or the “end” of the letter.

Just like when we speak verbally, we do not explicitly say “Pause” or “Stop” or “Start” to indicate the beginning or an end of a conversation, in a similar manner, synchronous transmission does not employ any explicit “start” or “stop” bits to indicate the beginning or the end of any transmission. If two systems are going to communicate using the synchronous transmission technology, they do not use start and stop bits, but the synchronization of the transfer of data takes place through a timing sequence, which is initiated by a clock pulse. So, synchronous communication protocols transfer data as a stream of bits instead of framing them in start and stop bits. The synchronization can happen between two systems using a clocking mechanism, or a signal can be encoded into the data stream to let the receiver synchronize with the sender of the message. This synchronization needs to take place before the first message is sent.

In simple terms, asynchronous transmission is like a communication that happens on the satellite phone where the sender and receiver both say “Over” to indicate that they have sent the message while the synchronous transmission is like a normal communication that is done where our pauses at specific intervals indicate the start and the end of transmission. 

Now, having understood this, a question would pop up in your mind. What is the use of this transmission techniques? In today’s digital age where everything is just data that needs to be sent across, there must be rules that govern this transmission. In addition to the rules, the two systems must agree on a way to receive and process data. Synchronous transmission is utilized where we have a predictable data stream (such as Netflix streaming) while Asynchronous transmission is utilized where an unpredictable amount of data can be sent across (Internet connections, torrent downloads).
Ultimately, it’s all about timing.

And speaking of timing, this is a special article for me, as this is the 75th one. :)

Monday, October 22, 2018

The TCP Handshake


We learned about the TCP protocol in the article “Understanding TCP and UDP.” A brief mention was made in that article on the 3-way handshake process. Before we delve into that further, we must recapitulate about the TCP (Transmission Control Protocol).  TCP is a reliable and connection-oriented protocol, which means it ensures packets are delivered to the destination computer. If a packet is lost during transmission, TCP has the ability to identify this issue and resend the lost or corrupted packet. 

Now, before any data is sent across, handshaking takes place between the two systems that want to communicate. Once the handshaking completes successfully, a virtual connection is set up between the two systems. It’s just like a high profile deal that gets signed. Just like in a deal, both the parties discuss on various parameters such as the financial settlement, payment of outstanding dues, shareholding etc., in a similar manner, the two hosts (systems or computers) must agree on certain parameters, data flow, windowing, error detection, etc. 

The following diagram will help us understand the agreement that takes place between the two hosts.



The host (lovely lady here) that initiates communication sends a synchronous (SYN) packet to the receiver. This means that “Would you be interested in establishing a data connection with me?”
The receiver acknowledges this request by sending a SYN/ACK packet which translates to “Yes, I am interested in taking this conversation further. I have acknowledged your request and sending you the details of how to communicate with me.”

The lady accepts this “SYN+ACK” packet and sends an “ACK” packet which translates to “Ok… I understand the terms and conditions. Let’s begin the conversation.”

After this, the host and the other system starts transmission of data between each other. If all were so good in this world, we would not have to deal with the following problems which arise when the lovely lady turns out not to be so lovely.

The lady here has a change of heart and decides to play a trick on the receiver. What she does is, she withholds the last step of the handshake – “ACK”. Since the 3 way-handshake is not complete, the other system keeps on waiting for that. In the meantime, this lady starts another connection with the server and again withholds the last “ACK” packet. If she does it multiple times, it results in what is called as a “SYN Flood” attack. This is actually flooding the victim system with SYN packets, eventually, the victim system allocates all of its available TCP connection resources and can no longer process new requests.

This is an example of DoS attack – Denial of Service. The victim system will not be able to provide any services to any client as all its resources are locked with one system. 

There is another attack – DDoS attack. This is a distributed denial of service attack. Here the attack is from multiple different systems which leave the handshake open and the result is again the denial of service. To put it in the same example, let’s consider that this lovely lady brings together a lot of her friends and ask them to start the handshake process with the victim and leave it in the middle. This would result in a DDoS attack.

There is one more attack mechanism we need to learn about before we say goodbye to each other.


One of the values that are agreed upon during a TCP handshake between two systems is the sequence numbers that will be inserted into the packet headers. Once the sequence number is agreed upon, if a receiving system receives a packet from the sending system that does not have this predetermined value, it will disregard the packet. This means that an attacker cannot just spoof the address of a sending system to fool a receiving system; the attacker has to spoof the sender’s address and use the correct sequence number values.

If an attacker can correctly predict the TCP sequence numbers that two systems will use, then she can create packets containing those numbers and fool the receiving system into thinking that the packets are coming from the authorized sending system. She can then take over the TCP connection between the two systems, which is referred to as “TCP session hijacking”.

Understanding TCP & UDP


Have you ever wondered what happens behind the scenes when you click a video on your favorite website? Or when you are trying to log onto a secure website? There are multiple protocols that run behind the scenes to help you out and allow you to watch that favorite video of yours or buy that dress which you longed for.

Two such important protocols are TCP ( Transmission Control Protocol) and UDP (User Datagram Protocol). These are one of the two most common protocols used during networking and setting up a secure infrastructure. Multiple services run on the top of this protocol or in simple terms utilize their services. Before we go further and understand the technicalities involved, we must try to learn what happens in simple terms.

Everything we work upon is actually one and zeros only in the computer universe. The data that is sent across from one computer to another is a bunch of ones and zeros flowing from here to there. For the sake of simplicity, we will call this bunch as a packet. Say, when you click on YouTube to watch a video, you actually send a command asking YouTube to send some packets from its computer (or server) to your smartphone. Similarly, when you are logging on to Flipkart and checking out from the cart, you are actually sending packets from your computer to Flipkart’s computer. Easy Peasy, Right? So where do TCP and UDP come into this video watching and flipkarting?

TCP is a connection-oriented protocol while UDP is a connectionless protocol. What does this mean? Connection-oriented means that this protocol will ensure that packets (remember, a bunch of 1s and 0s) will be delivered to the destination computer with a 100% guarantee. Connection less protocol means that it will try its level best to deliver the packets, but may not be 100% sure that the packets actually got delivered. The analogy is similar to a registered post and a normal postal letter. In a registered post (TCP), the letter will be delivered to you in hand, while the normal postal letter (UDP) is thrown at your doorstep. You are lucky if you get it.

If you are paying close attention, I have taken two examples above to drive the point of TCP and UDP. Both the examples (video watching and flipkarting) are one of the applications of UDP and TCP respectively. Let’s understand how. When you watch a video, a lot of data is sent across to your computer. Even if one of the packets out of these thousands of packets gets lost in the transmission, you may not even notice as the overall effect on your video may be extremely minimal. This is where UDP is used. Since UDP is a connectionless, best effort protocol, it is used while playing video where even if you lose a few packets, you will not suffer. Since it is a connectionless protocol, it is easy to implement and requires fewer resources and is faster than TCP. On the other hand, when you are doing a payment on an e-commerce website, no packet loss is acceptable as it may affect the transaction. Hence TCP, a connection-oriented protocol needs to be used. TCP will do a 3-way handshake to establish this connection. In order to set up this connection and deliver your packets with 100% guarantee, TCP requires more resources, however, it makes it more reliable. (We will understand about the 3-way handshake and related attacks in the next article.)

If you are a developer, you must decide which protocol to use while delivering a service. TCP and UDP can be used in conjunction with other services too. Say, you develop an email application – SMTP service. If you wish to ensure that the mail gets delivered with 100% guarantee, you may implement SMTP with TCP.

Let’s extend this discussion to understanding the differences between these protocols. If reliability is a requirement, we will go for TCP, else UDP. Since TCP requires a lot of resources to get implemented, it would be prudent to send small amounts of data which require reliability. If a high volume transaction like a video streaming (Netflix) needs to be done, UDP would be a better choice.

What are your thoughts on this?

Saturday, October 20, 2018

[CyberSecurity Awareness Series] When George Got Whaled



The button clicked. An exact amount of 9,99,000 $ was transferred immediately to an offshore untraceable account. This triggered an alert on the bank’s server. The response team quickly swung into action. Suddenly multiple alerts came rushing in like a raging torrent. Multiple transactions of 9,99,000 $ started popping up on the screen. The response team immediately knew it was under attack and triggered the alarm bell, but by then it was rather too late.  

3 Hours Earlier

It was a quiet afternoon and George was enjoying his cup of coffee. Looking outside his glass window, the view from the 22nd floor was amazing. The bank was doing well and the record quarterly profit cemented his position and power as the top man for the bank. George’s phone chimed. He quickly looked at it and smiled. The smile was palpable. The picture message sent made George bring back the memories of last night.

His smile continued and he logged on to his laptop. Due to the regulatory compliance and a freezing period, all major transactions were on hold. Since the declaration period was over yesterday, George was waiting for the go-ahead from the regulatory committee to lift the ban on high-value transactions. Before we go further, it would be nice to introduce the man here. George, a 37-year-old man with great looks and an MBA from the Ivy League was one of the youngest CEOs of the Elegant Bank Corp. Married to a beautiful wife, George was living a dream. Well, and sometimes, dreams do crash.
The mail came and as per process, George had to log in to the bank’s main server and confirm the process of allowing high-value transaction from the evening. He logged on to the bank’s server remotely using his credentials. He received an alert on his phone that the bank’s server is being accessed now. He had to enter a code on his RSA token and voila, it was done. 

The Investigation

George received a call from the response team alerting him that multiple transactions were happening and it could be an attack. George panicked and for a moment he felt as if a white flash of light crossed his eyes. He gathered himself and tried logging in the bank’s server, but to his shock, he was logged out. He tried logging in again and the message said “Wrong Password”. He called up the response team only to find another shocking news. According to the response team, George had changed his password 2 hours earlier and had updated the access control list too. Only George and Mr. Rishabh, one of the boards of directors could access the bank’s server remotely. 
George immediately called in an emergency meeting of the board of directors. He instructed the response team to take any measures to disable the bank’s servers. He also called in the law enforcement and explained to them about the situation.

Swipe Me In

The law enforcement took complete control of all the devices of the bank and started the forensic investigation. Meanwhile, the media had a field day as the news broke out in the morning that the Elegant bank had been hacked to the tune of 4.5 billion $. Funds transferred to the offshore accounts were untraceable and recovering the money was next to impossible. But what lead to this attack? Who could have cracked the high-level security deployed by the bank? The cyber security team of the bank was carrying out their own internal investigation too. 

George was feeling miserable. He felt as if he had been torn apart. He took his mobile phone and logged onto the app “SwipeIt”. The user “FlowerAngel” was not accessible. That was strange for George. He checked it again, but the app said that the profile was no longer accessible.  George was focused on understanding the problem when the desk phone rang. 

The law enforcement agencies had come to meet George. They asked George to hand over his phone and also showed him the search warrant for his office and his home. The next day a story got published in the national daily which shocked quite a many.

The Night Before

The law enforcement agencies were quick to join the dots from the logs and George’s confession was the final confirmation. George had a terrible habit of meeting strangers through the SwipeIt app and spending the nights with them. You could find people nearby who wanted to enjoy and a person had to just swipe in to confirm that.

The night before, George met “Flower Angel”, a young 19-year-old girl. They instantly hit it off and ended up in the hotel nearby. While George was completely drunk, the girl had to just plug in the flash drive into his laptop. The Trojan installed itself on the laptop and the next day when George logged on to the bank’s server, the Trojan replicated his exact moves and gave complete control to the hacker. While there were other security aspects deployed by the bank to mitigate such threats , the technology alone cannot solve the problem when the password is known and complete admin privilges are available with a person of such a high stature.

This is an example of The Whaling attack. Top people are always on the radar of people having malicious intent. They need to be careful. As a cybersecurity professional, we also need to keep in mind such cases when developing a cybersecurity protection mechanism for the top management personnel. 

What are your thoughts on this?

Saturday, October 6, 2018

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel


Imagine a system that processes information. This information is classified in nature. When we say, its classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential or military/government specific such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want that proper controls to be implemented and the system to be secure that processes such information. Imagine a scenario where such a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels?

Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But answers to all your questions would follow, so keep on reading further. We need to learn and understand a few terms before we are ready to hear the answer to the question and what follows after that.

When you access a system, you are the “subject” and the system which you trying to access is the “object”. This works in this fashion – one who accesses is the subject and the one which is being accessed is the object.  Subjects can have varied levels of control over the system. Say, you are trying to access “Amazon.com”. When you access it, you see a front end interface, new offers etc. If I ask to curate an offer for me, you would not be able to do it, as you do not have access to that particular file/folder/database/application/system. So it should be clear that all systems have some kinds of access controls implemented so that you can access the information that you “need to know”.

There is one more concept that needs to be understood and then we would combine all of them to give you one tasty treat. There are multiple access control models. One of them is the Mandatory Access Control Model. Let’s understand it through an example. Jack Ryan works for the Indian Intelligence agency. To complete his mission, should he choose to accept it, he must have access to files which are classified as “Secret”. Moreover, his next mission is in Afghanistan. Mandatory Access control model helps implement that Jack Ryan can access only “Secret” files and that too only of Afghanistan. How? In MAC, users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data are stored in the security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system.

In most systems based upon the MAC model, a user cannot install software, change file permissions, add new users, etc. The system can be used by the user for very focused and specific purposes, and that is it. These systems are usually very specialized and are in place to protected highly classified data.


So how does this all relate to the questions we asked in the beginning. The US government has designated four approved security modes for systems that process classified information. Since these systems process classified information, the mandatory access control model will be the only that would be implemented. Before we understand the four different security modes, it would be better to understand what does “Security Mode” mean.

Security modes refer to information systems security modes of operations used in mandatory access control (MAC) systems. Often, these systems contain information at various levels of security classification. The mode of operation is determined by:
  • The type of users who will be directly or indirectly accessing the system.
  • The type of data, including classification levels, compartments, and categories, that are processed on the system.
  • The type of levels of users, their need to know, and formal access approvals that the users will have.

Saturday, September 15, 2018

SSCP 2018 Exam Changes



With effect from 1st November 2018, (ISC)2 would be doing a domain refresh in the course content of SSCP certification. This is in line with a refresh cycle of 3 years for every certification which (ISC)2 offers.

In this post, we look at changes which will take place in this refresh. We will look at it from a perspective of what will remain the same for an exam giver and what would change.

Question 1. Have the domains changed completely?

No, the weight of the domains has changed. There are minor changes. So if “Security Operations & Administration” had a weight of 17% in the earlier exam (2015), it has been reduced to 15% in the new exam outline.

Question 2. Would the changes affect my already bought course material?

No, the course content broadly remains the same. The course content does not change. Your old books or exam material will remain fully valid. 

Question 3. Is there a change in the exam format too just like CISSP?

Absolutely No. The format remains the same. You will have 125 questions to answer in 3 hours where 100 questions will be graded. 25 questions are research questions, however, from an examination point of view, you’ll not be able to differentiate amongst them. There is no negative marking, hence you must attempt all the questions. You need to secure 700 out of 1000 points to clear the exam.

Question 4. Where can I identify the changes that have been brought in topic wise with respect to various domains?

Here are the exam outlines for your reference: 



Domain Wise Changes are also mentioned here for your assistance:

Domain 1 Access Controls
New Additions:
Federated Access, IAM systems, Subject-based & Object-Based Access Controls.

Domain 2 Security Operations and Administration
New Additions:
Software inventory and licensing, Data Storage, Periodic audit review.

Domain 3 Risk Identification, Monitoring, and Analysis
New Additions:
Risk management frameworks (e.g., ISO, NIST), Remediation validation, Audit finding remediation, Legal and regulatory concerns (e.g., jurisdiction, limitations, privacy).

Domain 4 Incident Response and Recovery
New Additions:
Support incident lifecycle (Preparation, Detection, analysis, and escalation, Containment, Eradication, Recovery, Lessons learned/implementation of new countermeasure)

Domain 5 Cryptography
New Additions:
Web of Trust (WOT) (e.g., PGP, GPG) 
Note – In this domain, some restructuring has taken place. Although the new exam outline shows some topics, they were also present in the older CBK too.

Domain 6 Network and Communications Security
New Additions:
Transmission media types (e.g., fiber, wired, wireless), Network relationships (e.g., peer to peer, client-server), Wireless security devices (e.g., WIPS, WIDS), Bluetooth, 

Domain 7  Systems and Application Security
Removed: Secure Big Data Systems (Application vulnerabilities, Architecture or design vulnerabilities)

Question 5. Has the cost of the exam changed?

No, the cost of the exam remains the same. You need to pay 250USD or equivalent and book the exam through the Pearson Vue Centre only.

Question 6. When will these changes go into effect?

All changes will reflect from 1st November 2018. 

Question  7. Do these updates affect the experience requirement for the SSCP?

No. The changes do not affect the experience requirement. For the SSCP, a candidate is required to have a minimum of one year of cumulative work experience in one or more of the seven domains of the SSCP CBK.

Question 8. Where can I practice exam based questions for the new changes?

I have created two courses for the same. The links to these courses are given below. Please be rest assured that these practice questions have been made considering the new changes that have been brought in. SSCP Mock Exam 2 is also coming in November.



Question 9. Is there a training available with respect to the new course changes?

For official training, you can check the (ISC)2 website. 
I would be uploading the complete training course on Teachable which will reflect all the changes. This training will contain all the new topics and the updated course content. A new tab called the “SSCP Training Course” will be available in November on the website.

Overall, the changes brought in by (ISC)2 do not reflect any major changes as such. Certain topics which have been added reflect the importance which (ISC)2 wants to showcase in certain areas. From a domain perspective too, the weight of “Cryptography” has increased, which makes more sense.

In case you have any more questions regarding the SSCP 2018, feel free to drop in as comments in the comment section below. I will be happy to answer them for you.

Happy Learning.

Tuesday, September 4, 2018

Single Sign On & Kerberos


Imagine Susie wants to log on to a company database, her own system, a web server, her webmail and other multitudes of applications. Since she needs to access so many resources, it is extremely important to have a set of credentials for accessing each of this resource. This means Susie must remember an approximate dozen passwords in order to access these resources. Susie finds a solution to this problem. She writes down every single username and password to access them.

Clearly, Susie is not alone in doing so. You may also be doing the same. Clearly, from an information security point of view, this is not a great solution. It may sound that different ids and passwords would provide more security, it ultimately ends up in more work for the administrator since there are more requests of password reset or greater chances of a breach if that notebook gets in the wrong hands.

So what needs to be done? Well, as usual, the intelligent minds gathered together and found a solution to this problem. They called it the Single Sign-On. You can call this a double-edged sword too. Why? We’ll learn about it a minute. 

Single Sign-On allows a user to enter credentials one time and be able to access all resources in primary and secondary network domains. This reduces the amount of time users spend authenticating to resources and enables the administrator to streamline user accounts and better control access rights. It improves security by reducing the probability that users will write down passwords and also reduces the administrator’s time spent on adding and removing user accounts and modifying access permissions. If an administrator needs to disable or suspend a specific account, he can do it uniformly instead of having to alter configurations on each and every platform.

This sounds really great as it solves all of our problems. Just one username and password and the world is yours, (Now that’s a lot), the resources are yours. 

Wish, life could be so simple. Single Sign-On (SSO) operates on an assumption that all platforms support the credentials in the same manner and will talk to each other, which is extremely rare, given the multitude of platforms and technologies which companies employ. Remember, the double edge sword mentioned earlier. It is simply that if you leak that one super powerful username and password to Thanos, you will see your resources vanishing like the Avengers.

So simply speaking, SSO technology allows you to access multiple resources through a single username and password. You enter the credentials and voila, you have everything you are authorized to access. It does help Susie as she doesn’t need to remember multiple passwords. She can keep one complex passphrase which is easy to remember, yet is extremely complex. 

One of the most commonly used SSO technology is Kerberos. 

If you have seen Harry Potter, you may remember the three-headed dog that was guarding the philosopher’s stone. The photo below may refresh your memory. Confused, as to why a three-headed dog related to SSO here? Kerberos is the name of a three-headed dog that guards the entrance to the underworld in Greek mythology. This is a great name for a security technology that provides authentication functionality, with the purpose of protecting a company’s assets.



So let’s understand everything about Kerberos but in a very simple manner. 

Kerberos is an example of a single sign-on system for distributed environments and is a de facto standard for heterogeneous networks.  Kerberos is like a family in which there are multiple family members and each has a role to play. Let’s hear the names of all these members with their introduction.

Key Distribution Centre – He is just like the father who is having all the money. The Key Distribution Center (KDC) is the most important component within a Kerberos environment. The KDC holds all users’ and services’ secret keys. It provides an authentication service, as well as key distribution functionality. The clients and services trust the integrity of the KDC, and this trust is the foundation of Kerberos security.

The father has a helping hand known as the TGS – ticket-granting service (the mother) which generates the ticket.

Principal – They are the users or the applications which ask for services from the KDC. You can think of them as the kids in the family. They have new requests every day for the father. (KDC). Let’s say, Cathy is one of the kids and requests for a chocolate from the father. So here, Cathy is the principal and the father will act like the KDC.

Hopefully, you understood the analogy. 

Now let’s take up a real situation to help out things into perspective.  This is how the Kerberos process would take place.

1. Cathy comes to Evil Corp to complete her assignment. She logs into her system by providing her credentials.

2. Her request goes to the Kerberos software in her system.

3. This software sends her request to the KDC (remember, KDC is the one which has all the secret keys).

4. KDC sends back Cathy a ticket (not to Europe for holiday !!), which is encrypted with her password.

5. If Cathy entered the right password, then the ticket would be decrypted. Understand it in this manner, if Cathy entered the right password in the beginning, her ticket which is received from the KDC would be valid, if not, then it would be an invalid ticket.

6. Now Evil Corp is in the business of selling user’s information on the black market. 

7. Cathy wants to access this database where all such illegal information is stored. 

8. In order to access this information, Cathy sends a request to access to this database server.

9. Cathy’s system sends a request to this database server, her system sends the TGT to the ticket-granting service (TGS), which runs on the KDC, and a request to access the database server.

10. Why is everyone sending each other tickets? I know. This is because of the trust factor. KDC is one whom everyone trusts. So everyone sends his/her requests to the KDC so that KDC can confirm to everyone whether this is an authorized entity requesting access or not.

11. The TGS creates and sends a second ticket to Cathy, which she will use to authenticate to the database server.

12. What does the second ticket contain? This second ticket contains two instances of the same session key, one encrypted with Cathy’s secret key and the other encrypted with the database server’s secret key.

13. Cathy’s system sends this second ticket to the database server for authentication. 

14. When the database server receives this second ticket, it verifies this by decrypting it. 

15. If it successfully decrypts it, this means it is a valid request. Post this validation, Cathy will get this access to the database server.

This is an extremely simplistic overview of what is going on in any Kerberos exchange, but it gives you an idea of the dance taking place behind the scenes whenever you interact with any network service in an environment that uses Kerberos.

What are your thoughts on this? Share your thoughts in the comments section below.

Monday, August 20, 2018

Copyright, Trademark, Patent, or License? Understanding the Differences


Copyrights, trademarks, patents, and licenses are each a different form of intellectual property (IP) rights protection recognized by U.S. law. The distinctions among them can be subtle and often the same product or service may involve more than one of these IP rights. How can you tell them apart when deciding how to protect your company’s assets? Here’s how.

Copyrights

Copyright protects the rights of “authors” in their original creative works. Copyrightable works include artistic creations, like novels, paintings, films, and songs, but also business-related works like software code, website designs, architectural drawings, marketing reports, and product manuals.
The author of a copyrighted work has the exclusive right to:
  • Reproduce (print or copy), publish, perform, display, film and/or record the creative content.
  • Create derivative works from the original work (for example, updates, revisions, summaries, translations, and adaptations).

Copyright protection arises automatically at the time the work is fixed in tangible form, either directly or through use of a machine, like a computer or a movie projector. Copyrights have a term equal to the life of the author plus 70 years. If a company is the owner of the copyright, it has a term equal to 95 years after the date the work is first made public.


Copyrighted works can be registered with the U.S. Copyright Office. Registration is optional but highly recommended. Registration provides legal benefits to the author, including the ability to enforce the copyright against infringers in court. Copyrighted works (registered and unregistered) can display the © symbol to provide notice that the author considers the work to be protected by copyright.

Trademarks

trademark is a symbol, word, slogan, design, color, or logo that identifies the source of a product or service, and distinguishes it from those made or provided by others. Trademarks can represent:
  • The product or service itself (ex. iPhone)
  • A feature or element of the product or service (ex. FaceTime)
  • The manufacturer or provider of the product or service (ex. Apple).
A “service mark” is a trademark that identifies a service instead of a tangible product.
The owner of a trademark has the right to prevent infringers from unfairly competing with the owner by using marks that are “confusingly similar.” In the United States, trademark rights can arise in two ways:
  • Automatically by use of the trademark in the marketplace in connection with a product or service (“common law” or unregistered trademarks).
  • By registration of the trademark with the U.S. Patent and Trademark Office (PTO) (“registered” trademarks).

Although not required by law, registering a trademark with the PTO confers many benefits on the trademark owner. For example, a U.S. trademark registration gives the owner nationwide rights to use the mark in connection with the goods and services included in the registration. Common law trademarks only create rights in the specific geographic territories where the owner is actually using it.

Common law trademarks can be used with the ℠ or ™ symbols. Registered trademarks can be used with the ® symbol. Both types of trademarks are valid so long as your business continues to use them. However, registered trademarks must be renewed periodically with the PTO.

Patents

Patents protect the rights of inventors. A patent is a 20-year exclusive property right granted by the PTO for an invention. 
A patent entitles you to exclude others from making, using or selling your invention. Once your patent is issued, you have an obligation to enforce it against unauthorized third parties violating your rights. If you don’t, a court can declare your patent “abandoned” and unenforceable.
Most patents are utility patents that protect “any new and useful process, machine, article of manufacture, or composition of matter, or any new and useful improvement thereof.” To obtain a utility patent, you will need to prove to the PTO, through claims in your patent application, that your invention is useful, novel and non-obvious. Other types of patents often sought by businesses include:
  • Design patents, which concern “new, original, and ornamental design embodied in or applied to an article of manufacture” not affecting the article’s function;
  • Business method patents, which protect new methods of doing business, such as those used in banking, tax compliance and e-commerce, for example; and
  • Plant patents, which protect invented or discovered asexually reproduced plants that are new and distinct.
Licenses

Licenses are contracts that transfer IP rights from the owner of the rights (the Licensor) to a third party who wants to use them (the Licensee). They can be exclusive (rights are granted to only one Licensee) or non-exclusive (rights are granted to multiple Licensees). A Licensee typically pays the Licensor a royalty in exchange for the right to use the IP rights. Royalties are usually based on a percentage of the revenue the Licensee generates from the sale of products using the licensed IP rights.
Licenses can be valuable assets for your business. For the Licensor, licenses can generate a significant revenue stream from royalty payments. For the Licensee, licenses can enable it to sell superior products in the marketplace.

Sunday, August 5, 2018

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC



Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage the identity and the access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control model. Every model uses different methods to control how subjects access objects. While one may focus on rules, the other focus on roles of the subject. As a security professional, we must know all about these different access control models. While one company may choose to implement one of these models depending on their culture, there is no rule book which says that you cannot implement multiple models in your organization.

These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, which differs depending on the type of access control model embedded into the system. For every access attempt, before a subject can communicate with an object, the security kernel reviews the rules of the access control model to determine whether the request is allowed.

So let’s understand what do these models have to say about themselves:

1. Discretionary Access Control Model

If you have used any platform such as Windows, Mac or Linux, you can easily understand and appreciate this model. If you create a folder in any of these, you can easily add/delete/modify the permissions which you want to give to different subjects. Sounds confusing? Well, it isn’t. Let’s take an example to understand this.

                             



I have created a folder named “SSCP Video Course”. Now since I’m the owner, it is my discretion to assign various permissions for users. I can go to the”Security” Tab and “Edit” permissions and define what users need to be given “Full control” or which users can only be given “Read” Access.
A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner.

There is another term which is used quite often with reference to the models. It is the Access Control List. An ACL for a file would list all the users and/or groups that are authorized access to the file and the specific access granted to each.

While all seems good in the world of DAC, there are some issues with this model. While this model offers the best flexibility amongst any of the model, it is also its weakest point. For example, if a user opens an attachment that is infected with a virus, the code can install itself in the background without the user being aware of this activity. This code basically inherits all the rights and permissions that the user has and can carry out all the activities a user can perform on the system. It can send copies of itself out to all the contacts listed in the user’s e-mail client, install a back door, attack other systems, delete files on the hard drive, and more. The user is actually giving rights to the virus to carry out its dirty deeds, because the user has very powerful discretionary rights and is considered the owner of many objects on the system. And the fact that many users are assigned local administrator or root accounts means that once malware is installed, it can do anything on a system.

2. Mandatory Access Control (MAC) Model

Do not confuse this with Apple MAC, this model is not even remotely related to it. This model is the complete opposite of the DAC model.  In a mandatory access control (MAC) model, users do not have the discretion of determining who can access objects as in a DAC model. An operating system that is based on a MAC model greatly reduces the number of rights, permissions, and functionality a user has for security purposes.