Showing posts from 2020

Zero Trust Model - The Present Necessity

When I was preparing for the CISSP 3 years back, a line from the AIO guide by Shon Harris really made an impact on me. It goes like this: “There are only two people in the world I trust - you and I, and I'm not so sure about you.” This statement summarises the entire zero trust model, I presume.
Given the current situation, a lot of organizations have enabled remote access for their employees. Enabling remote access has increased the attack surface available to attackers. In this blog post, we will learn about the zero trust architecture and why it is essential to enable zero trust for everyone, including the CEO of the organization.
What is Zero Trust?
In simple terms - no trust in anyone. Everyone has to prove themselves via identity verification, whether the person is operating from the office or from the comfort of his/her home. Zero Trust is not about making a system trusted, but instead about eliminating trust.
The term ‘zero trust’ was coined by an analyst at Forrester Research Inc. in 20…

Cloud Computing - The Logical Model

At a high level, both cloud and traditional computing adhere to a logical model that helps identify different layers based on functionality.
The four layers are:
• Infrastructure: The core components of a computing system: compute, network, and storage. The foundation that everything else is built on. The moving parts.
• Metastructure: The protocols and mechanisms that provide the interface between the infrastructure layer and the other layers. The glue that ties the technologies together and enables management and configuration.
• Infostructure: The data and information. Content in a database, file storage, etc.
• Applistructure: The applications deployed in the cloud and the underlying application services used to build them. For example, Platform as a Service features like message queues, artificial intelligence analysis, or notification services.
The security at different levels is mapped to the different layers. Application security is managed at the applistructure layer while data security is…

The Blog turns 3 !!!

Well, time flies, and that is absolutely correct. One more year has gone by and the blog has turned 3 now. This year has been full of ups and downs, even from the blog's perspective. I have been quite busy and hence the number of posts has been lower. New initiatives are also in progress. However, one aspect that has just kept going up is the love and respect from the readers.
This year saw mind maps, new courses on Simpliv, 50 posts and posters in the downloads section. The Udemy courses also saw a jump in the number of students. Around 500+ students from 37+ countries have enrolled in various courses. They too have showered their love and support by rating the courses with 4 or 5 stars. By all means, keep this coming, as such contributions help me subscribe to multiple channels so I can present the best content possible.
While the year 2020 has brought a lot of challenges, the biggest challenge is fighting the global pandemic - Covid19. Hope and faith are the biggest powers in such c…

Abstraction and Orchestration - In The Cloud

In the previous blog post, we dissected the definition of cloud computing as per NIST and ISO/IEC. I urge you to read it before proceeding further. In this blog post, we will learn about traditional virtualisation and how the cloud extends it via the abstraction and orchestration mechanisms.
Consider this scenario:
John is a security administrator and wants to implement a firewall (primary and secondary), a mail server and a server managing legacy applications. In the traditional IT workspace, John would require 2 separate physical boxes for implementing the firewall (one for primary and the other for secondary), a mail server box and probably as many boxes as there are applications. This would be highly cost-prohibitive.
The intelligent minds gather together and hail virtualisation as the solution to reduce cost. Virtualization is a technology that lets you create useful IT services using resources that are traditionally bound to hardware. …

Defining Cloud Computing

When you download an image, where does it get stored? You select a path on your system and store it in, say, a folder on the D: drive. But if you upload a video to YouTube, where does it get stored? If you own an Apple device and upload your documents to iCloud, where do they get stored? The answer to all these questions lies in just one word - the Cloud.
But what exactly is the cloud? In the most basic terms, a cloud is someone else's computer which has insanely large amounts of space in it. Companies like Google, Apple, Amazon, Microsoft and many more have built huge data centres around the world. These data centres are the places where terabytes of information are stored and processed every second. The cloud, hence, is just the servers working around the clock in these data centres.
But this is just a layman's understanding of the cloud. We must understand what makes a cloud a cloud. What if I have a small data centre with 10 Linux servers - can I call that a cloud service…

Let’s all float on the clouds .. digitally, of course!!!

If you ask any of the companies where they store users' data, most of them answer - it's all in the cloud. It may be your digital identities, your eating habits or the grocery items you order; all of it is (not so safely, I doubt the security too) stored in THE CLOUD.
But what exactly is the cloud that everyone seems to be on top of these days? In the simplest terms, cloud computing means storing and accessing data and programs over the Internet instead of your computer's hard drive. The cloud is just a metaphor for the Internet.
If everyone's data (even if you did not sign up for it, believe me, your data is surely there) is stored in the cloud, shouldn't we understand it in detail, especially the security aspect of it? Well, my aim is exactly that - to help you get to the bottom, I mean to the top, of this Mr Cloud.
I will cover all the 14 domains of the CCSK and overlapping domains of the CCSP going forward. This will entail the cl…

The Future is Inevitable - Post Covid-19 World

While the future is unknown to everyone, there are a few key aspects that will become inevitable in the post-COVID world. The world is changing and governments around the world are making decisions on the fly. While we do not know when the onslaught of the coronavirus will end, there are some aspects which will be lessons for individuals, corporations and governments around the world.
Digital is the Future
No matter which industry you belong to, digital will be an inherent part of your business going forward. From accepting digital payments to enabling digital infrastructure so that employees can work remotely, digital will be the key feature in the business plans of organizations. The post-COVID world will not allow you to survive if digital does not occupy any role in your business plans. The offerings from provider companies will also increase, and this will be a win-win situation for all.
Broadband Access for All
If digital is the future, then the oxygen for…

Understanding the Trusted Platform Module

“Trust” was the starting point of our discussion on PKI. The public key infrastructure is based on the premise of enabling trust between unknown parties to ensure the secure transmission of information. Another element that ensures trust is the Trusted Platform Module.

The previous discussion ended on questions about key management and key security. Keys are one of the most critical components of the PKI, and hence keeping them secure and maintaining their history is of paramount importance. What would you do if you had to keep a piece of information (in this case - keys) secure? Keep it under lock and key (pun intended).

Whenever we face such difficult questions, intelligent minds have always come to our rescue. Trusted Platform Module (TPM) was conceived by a computer industry consortium called Trusted Computing Group (TCG), and was standardized by International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889. A…

The Workings of PKI

In the previous blog post, we learnt about the various pieces of the puzzle called the public key infrastructure. It's time to learn how these pieces work once fitted together.

The PKI is made up of the following different components.
• Certification authority
• Registration authority
• Certificate repository
• Certificate revocation system
• Key backup and recovery system
• Automatic key update
• Key Management

To help understand the workings of a PKI, let's take a day-to-day example and learn the workings of the PKI through it. Let's say that Oslo wants to get himself a passport. He needs this to prove to everyone that he is Oslo when he visits another country. The passport issued by the Government will be his way to establish trust with another country's systems and people. They may not know him, but they will trust the passport that he is carrying. Now Oslo wants to apply for the passport. So he goes to the registration authority, or the passport office, and submit…

What is Public Key Infrastructure (PKI)?

Quite often in the world of cryptography you will hear the term PKI, or Public Key Infrastructure. While people often use this term loosely without understanding (or even appreciating) the whole gamut this term entails, it is extremely important for a security professional to understand what PKI represents.

Have you ever visited a store like Best Buy or Big Bazaar? They provide you with almost everything you can imagine. Public Key Infrastructure, henceforth referred to as PKI in this blog post, is likewise a set of programs, procedures, algorithms, communication protocols and security policies that work together to enable secure transmission of information. PKI is an ISO authentication framework that uses public-key cryptography and the X.509 standard. PKI is not just an encryption standard or a technology; it is a complex assortment of various aspects that work together.

We have learnt about confidentiality, integrity, privacy and non-repudiation, and PKI offers all of that. It …

Mind Map - Access Control

The foundation of information security is controlling how resources are accessed so they can be protected from unauthorized modification or disclosure. The controls that enforce access control can be technical, physical, or administrative in nature. These control types need to be integrated into policy-based documentation, software and technology, network design, and physical security components.

This mind map covers all the major aspects of the access control domain. A caveat: this mind map is just a helping tool for revision of the concepts and is not a replacement for the book/resources you need to study to get a detailed understanding of all the concepts.

There are 2 parts to this mind map. You can download the high-quality pdf from the downloads section.

Block Ciphers - Mode of Operation (Part 2)

In the previous blog post, we learnt about the Electronic Code Book (ECB), Cipher Block Chaining (CBC) and Cipher Feedback (CFB) modes of operation. While ECB mode is meant for very small blocks, CBC mode works best with large blocks, and CFB stands somewhere in the middle, handling mainly streams of data.

In this blog post, we will learn about the remaining modes of operation. So strap in and let’s get going.

Output Feedback (OFB)

To appreciate and better understand the OFB mode's operation, we need to revisit what was offered by the Cipher Feedback mode (CFB). To reiterate, let's look at the diagram of the CFB mode.

Here, the ciphertext from the previous block is used to encrypt the next block of plaintext. If a bit in the first ciphertext gets corrupted, that corruption can be carried forward. Now let's look at how the Output Feedback mode works. It looks extremely similar to the CFB mode; the only difference is that the values used to encrypt the next blo…

Mind Map - Security Basics

While every individual has his/her own way of learning various concepts, certain learning tools such as mind maps do help the individual remember the concepts better in stressful situations. To help you out, I have prepared a set of mind maps (available for download in the Downloads Section). While this is surely an excellent learning tool, please note that it is not a replacement for the book you may refer to in order to understand the various concepts.

These mind maps cover various domains for the SSCP / CISSP / CompTIA Security+ exams. All these concepts are extremely important from an exam point of view.

How to use this mind map?

The Yellow Circle represents the concept while the White Box next to it represents a short explanation for it. Move from LEFT to RIGHT to study this.

Let me know your thoughts on this in the comments section below...

Block Ciphers - Mode of Operation (Part 1)

Block ciphers have several modes of operation, and each mode works in a specific way. Each mode of operation has its own utility and performs well under specific circumstances. Sometimes you may find that there is a trade-off between security and convenience when one of the modes is implemented.

For the CISSP exam, we need to learn about the following 5 modes of operation.

Electronic Code Book (ECB)
Cipher Block Chaining (CBC)
Cipher Feedback (CFB)
Output Feedback (OFB)
Counter Mode (CTR)

In part 1 of this blog post, we will learn about ECB, CBC and CFB mode. The next part will cover the OFB and CTR modes.

Electronic Code Book Mode

It's important to understand the meaning of KEY before any of the modes is understood. A KEY is not a password that protects your information. A key is basically instructions for the use of a codebook that dictates how a block of text will be encrypted and decrypted. It's not the codebook itself, just the instructions on how to use that codebook.

Coming back t…

Understanding the Birthday Paradox - Cryptography

We learnt about the one-way hash function in the previous blog post. We understood that a strong hashing algorithm does not produce the same hash value for two different messages. If the algorithm does produce the same value for two distinctly different messages, this is called a collision. An attacker can attempt to force a collision, which is referred to as a birthday attack. This attack is based on the mathematical birthday paradox that exists in standard statistics.

One needs to play the game of probability to appreciate this paradox. Well, let's assume that you go to a party and the host asks if anyone shares the same birthday as him. Before you start running to get yourself a calculator and making mathematical assumptions, you need to ask the following two questions:

How many people must be in the same room for the chance to be greater than even that another person has the same birthday as you? It's 253.

How many people must be in the same room for th…

Cryptographic Hash Function Explained: A Beginner’s Guide

Your fingerprints help identify you uniquely. Your fingerprints are made of multiple lines that run in a pattern that is unique for every individual on this planet. A slight change in the fingerprint would indicate an altogether different person. Well, hash values can be thought of as fingerprints for files, and it's time for us to understand them in detail.

Hash values are generated by a mathematical function called the one-way hash function. A one-way hash is a function that takes a variable-length string (a message) and produces a fixed-length value called a hash value. Furthermore, a one-way hash function is designed in such a way that it is hard to reverse the process, that is, to find a string that hashes to a given value (hence the name one-way). A good hash function also makes it hard to find two strings that would produce the same hash value. All modern hash algorithms produce hash values of 128 bits and higher.

For example - If I want to send across a message to my friend an…

New Year Greetings

Dear Reader,
Wishing you a very happy and prosperous new year. While the beginning of a year always calls for new resolutions, I firmly believe that any day is a good day for making a resolution or setting a new goal for yourself if you truly mean it. Many of us, however, take up lofty goals and end up disappointed in the end.

"I will score a GPA of 9+ this year" or "I will become the best blogger in 1 year" etc. - the list is endless if you think about it. While setting goals is a good thing, the problem with such statements is that they are output-oriented. You focus so much on the end result that after some time you start feeling pressurised and you leave it altogether.

It's time to change this approach. Instead, you can decide to be simply consistent and input-oriented. Rather than making a new year resolution like "I will clear the CISSP exam in March 2020", change it to "I will study for 2 hours every day for the CISSP exam." You will find tha…