Posts

Showing posts from 2018

Hybrid Cryptography

We just love to mix things up. Well, yeah, and why not? When we get the best of both worlds, we can mix anything up, even something as complex in itself as cryptography. In the last article, we learned about symmetric and asymmetric cryptography. It’s time to mix them both and explain the hybrid concept to you.
We need to go back and recapitulate some points before we can move forward and appreciate the hybrid concept. In symmetric cryptography, we understood that it is quite fast; however, the challenge was sharing the key among a large number of people. Everyone is required to keep the shared key secret, and if it is compromised, the distribution of the key needs to be repeated. What if we could find a way to quickly transfer this key among multiple people without the danger of compromising it? Asymmetric cryptography offers secure key distribution but uses a lot of resources when multiple people are involved. It’s also quite slow and mathematically intensive.
Hyb…

Symmetric and Asymmetric Cryptography

Having learned about cryptography in the previous article, it is now time to learn about the types of cryptography. You are right, nothing is complete till we understand its types and subtypes and so on. Remember your best friends, Alice and Bob!!! They are going to help us understand the types of cryptography.
Before we go into the details, we ought to recapitulate a few terms.
1. Plain text – Data in a readable or understandable format.
2. Ciphertext – Random and unreadable text.
3. Encryption – Process of converting plain text into ciphertext.
4. Key – Sequence of random bits.
5. Algorithm – Rules by which encryption and decryption will take place.
It is really important to clearly understand these terms; otherwise, the journey ahead will be difficult. So let us begin.
Cryptography algorithms are either symmetric algorithms, which use symmetric keys (also called secret keys), or asymmetric algorithms, which use asymmetric keys (also called public and private keys). I know, this can …

Understanding Cryptography

“ $%^*^* Nh%&gfg  K97@#”. Well, I’m 100% sure that you did not understand what I meant to say through these words. This is what cryptography is all about. Nah, don’t think that if you are unable to read what was written, it becomes an implementation of cryptography. Converting plain text (readable text) into something that cannot be read (deciphered), often called ciphertext, is what cryptography does.
Why would you want to convert something which is readable into gibberish? From time immemorial, human beings have kept secrets to protect themselves and their countries. For this very reason, information must be protected, and this assurance can be provided by encrypting the data, i.e. the process of converting plain text into ciphertext. Remember the three pillars of information security – CIA. Cryptography helps implement the confidentiality principle.
The formal definition is as follows:
Cryptography is a method of storing and transmitting data in a form that only…

Understanding NAT – Network Address Translation

If you would like to send a letter to me, what would be the most important thing you need in order to send it across? My address. If you have observed, we usually write the address in a certain format – building number, followed by area, city, state and then the PIN code. Why do we do that? To avoid confusion. In a similar fashion, computers need to use addresses when they talk to each other. The Internet uses the IP addressing scheme, through which each computer on the Internet is assigned an IP address that can be used for communication. Now think: how would you communicate if these addresses ran out? Read on to find out.
A long time ago, when the Internet came into existence, the concept of IP addresses came to life. This was called the IPv4 addressing scheme. In this scheme, addresses are written as, for example, 10.22.10.150. So every computer on the Internet got one such address. Over time, with the population explosion, the number of computers …

Asynchronous & Synchronous Communication

Try to read the sentence written after this statement - “youwillpasscisspexamifyoustudyhard”. Clearly, you need to focus on the letters, and your mind will try to discern the different words for you. Similarly, if I speak to you without pausing, it would again be difficult for you to discern and understand what I am communicating. So irrespective of the way we communicate – verbal or written – we need to follow certain grammatical rules so that the other party is able to clearly discern and understand what is being said. These grammatical rules for the written language include punctuation symbols such as commas, semicolons and spaces, while for verbal communication we use various aspects such as pausing, hand gestures and tone.
In a similar manner, technological communication protocols also have their own grammar and synchronization rules when it comes to the transmission of data. There are two kinds of transmission – Synchronous & Asynchronous. Both of them utilize aspects simila…

The TCP Handshake

We learned about the TCP protocol in the article “Understanding TCP and UDP.” A brief mention was made in that article of the 3-way handshake process. Before we delve into that further, we must recapitulate TCP (Transmission Control Protocol). TCP is a reliable and connection-oriented protocol, which means it ensures packets are delivered to the destination computer. If a packet is lost during transmission, TCP has the ability to identify this issue and resend the lost or corrupted packet.
Now, before any data is sent across, handshaking takes place between the two systems that want to communicate. Once the handshaking completes successfully, a virtual connection is set up between the two systems. It’s just like a high-profile deal that gets signed. Just as in a deal both parties discuss various parameters such as the financial settlement, payment of outstanding dues, shareholding etc., in a similar manner the two hosts (systems or computers) must agree on cert…

Understanding TCP & UDP

Have you ever wondered what happens behind the scenes when you click a video on your favorite website? Or when you are trying to log onto a secure website? There are multiple protocols that run behind the scenes to help you out and allow you to watch that favorite video of yours or buy that dress which you longed for.
Two such important protocols are TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). These are two of the most common protocols used in networking and in setting up a secure infrastructure. Multiple services run on top of these protocols, or in simple terms, utilize their services. Before we go further and understand the technicalities involved, we must try to learn what happens in simple terms.
Everything we work upon is actually only ones and zeros in the computer universe. The data that is sent across from one computer to another is a bunch of ones and zeros flowing from here to there. For the sake of simplicity, we will call this bunch a pa…

[CyberSecurity Awareness Series] When George Got Whaled

The button clicked. An exact amount of 9,99,000 $ was transferred immediately to an offshore untraceable account. This triggered an alert on the bank’s server. The response team quickly swung into action. Suddenly multiple alerts came rushing in like a raging torrent. Multiple transactions of 9,99,000 $ started popping up on the screen. The response team immediately knew it was under attack and triggered the alarm bell, but by then it was rather too late.
3 Hours Earlier
It was a quiet afternoon and George was enjoying his cup of coffee. Looking outside his glass window, the view from the 22nd floor was amazing. The bank was doing well, and the record quarterly profit cemented his position and power as the top man at the bank. George’s phone chimed. He quickly looked at it and smiled. The smile was palpable. The picture message brought back memories of last night.
His smile continued and he logged on to his laptop. Due to the regulatory compliance and a freezing p…

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

Imagine a system that processes information. This information is classified in nature. When we say it’s classified, it means that the information has been labeled according to the data classification scheme finalized by the organization. This scheme can be company specific, such as public, internal and confidential, or military/government specific, such as Confidential, Top Secret, Secret, Public. As a general user or a security professional, you would want proper controls to be implemented and the system that processes such information to be secure. Imagine a scenario where a malicious user tries to access this information. What clearance must this person have? Will he/she have access to all classified levels?
Hey!!, stop imagining. Let’s discuss something else now. Hold on, I know, I had asked you to imagine the scenario above. But the answers to all your questions will follow, so keep on reading. We need to learn and understand a few terms before we are ready to hear …

SSCP 2018 Exam Changes

With effect from 1st November 2018, (ISC)2 will be doing a domain refresh of the course content of the SSCP certification. This is in line with the 3-year refresh cycle for every certification which (ISC)2 offers.
In this post, we look at the changes which will take place in this refresh. We will look at it from the perspective of what will remain the same for an exam candidate and what will change.
Question 1. Have the domains changed completely?
No, only the weight of the domains has changed, and the changes are minor. For example, “Security Operations & Administration” had a weight of 17% in the earlier exam (2015); it has been reduced to 15% in the new exam outline.
Question 2. Would the changes affect my already bought course material?
No, the course content broadly remains the same. Your old books or exam material will remain fully valid.
Question 3. Is there a change in the exam format too just like CISSP?
Absolutely No. The format remains the same. You will have…

Single Sign On & Kerberos

Imagine Susie wants to log on to a company database, her own system, a web server, her webmail and a multitude of other applications. Since she needs to access so many resources, it is extremely important to have a set of credentials for accessing each of these resources. This means Susie must remember approximately a dozen passwords in order to access these resources. Susie finds a solution to this problem. She writes down every single username and password needed to access them.
Clearly, Susie is not alone in doing so. You may also be doing the same. Clearly, from an information security point of view, this is not a great solution. While it may sound as though different IDs and passwords would provide more security, it ultimately results in more work for the administrator, since there are more password reset requests, and a greater chance of a breach if that notebook gets into the wrong hands.
So what needs to be done? Well, as usual, the intelligent minds gathered together and found a solution to this pro…

Copyright, Trademark, Patent, or License? Understanding the Differences

Copyrights, trademarks, patents, and licenses are each a different form of intellectual property (IP) rights protection recognized by U.S. law. The distinctions among them can be subtle, and often the same product or service may involve more than one of these IP rights. How can you tell them apart when deciding how to protect your company’s assets? Here’s how.
Copyrights
Copyright protects the rights of “authors” in their original creative works. Copyrightable works include artistic creations, like novels, paintings, films, and songs, but also business-related works like software code, website designs, architectural drawings, marketing reports, and product manuals. The author of a copyrighted work has the exclusive right to:
- Reproduce (print or copy), publish, perform, display, film and/or record the creative content.
- Create derivative works from the original work (for example, updates, revisions, summaries, translations, and adaptations).
Copyright protection arises automatically at the ti…

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

Identity and Access Management is an extremely vital part of information security. An access control model is a framework which helps to manage identity and access management in the organization. There are 5 main types of access control models: discretionary, rule-based, role-based, attribute-based and mandatory access control. Every model uses different methods to control how subjects access objects. While one may focus on rules, another focuses on the roles of the subject. As security professionals, we must know all about these different access control models. While one company may choose to implement one of these models depending on its culture, there is no rule book which says that you cannot implement multiple models in your organization.
These models are built into the core or the kernel of the different operating systems and possibly their supporting applications. Every operating system has a security kernel that enforces a reference monitor concept, which differs…