Posts

Mind Map - Access Control

The foundation of information security is controlling how resources are accessed so that they are protected from unauthorized modification or disclosure. The controls that enforce access control can be technical, physical, or administrative in nature, and they need to be built into policy documentation, software and technology, network design, and physical security components. This mind map covers all the major aspects of the access control domain. A caveat: the mind map is a revision aid for concepts you have already studied and is not a replacement for the book/resources you need in order to understand them in detail. There are two parts to this mind map. You can download the high-quality PDF from the Downloads section.

Block Ciphers - Mode of Operation (Part 2)

In the previous blog post, we learnt about the Electronic Code Book (ECB), Cipher Block Chaining (CBC) and Cipher Feedback (CFB) modes of operation. ECB is only suitable for very small amounts of data (a single block, such as a key), CBC is the mode for encrypting large messages, and CFB sits somewhere in between, turning the block cipher into a stream cipher for data that arrives a few bytes at a time. In this blog post, we will learn about the remaining modes of operation. So strap in and let’s get going. Output Feedback (OFB) To appreciate and better understand the OFB mode’s operation, we need to look again at what the Cipher Feedback mode (CFB) offers. To reiterate, let’s look at the diagram of the CFB mode. Here, the ciphertext of the previous block is fed back into the cipher to produce the keystream for the next block. If a bit in one ciphertext block is corrupted in transit, the same bit of that plaintext block flips and the whole of the next plaintext block is garbled, so the corruption is carried into the following block. Now let’s look at how the Output Feedback mode works. It looks extremely similar to the CFB mode; the only difference is that the values used to encr

Mind Map - Security Basics

While everyone has their own way of learning, certain learning tools such as mind maps do help you recall concepts better in stressful situations. To help you out, I have prepared a set of mind maps (available for download in the Downloads Section). While this is surely an excellent learning tool, please note that it is not a replacement for the book you may refer to in order to understand the concepts. These mind maps cover various domains for the SSCP / CISSP / CompTIA Security+ exams. All these concepts are extremely important from an exam point of view. How to use this mind map? The yellow circle represents the concept and the white box next to it gives a short explanation of it. Move from LEFT to RIGHT to study it. Let me know your thoughts in the comments section below...

Block Ciphers - Mode of Operation (Part 1)

Block ciphers have several modes of operation, and each mode works in a specific way. Each mode has its own use and performs well under specific circumstances; often there is a trade-off between security and convenience in the choice of mode. For the CISSP exam, we need to learn about the following five modes of operation: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback (CFB), Output Feedback (OFB) and Counter Mode (CTR). In part 1 of this blog post, we will learn about the ECB, CBC and CFB modes. The next part will cover the OFB and CTR modes. Electronic Code Book Mode It’s important to understand what a KEY is before looking at any of the modes. A key is not a password that protects your information. In the codebook analogy, a key is basically the set of instructions for using a codebook that dictates how a block of text will be encrypted and decrypted. It’s not the codebook itself, just the instructions on how to use that codebo
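
The two Block Ciphers excerpts above describe ECB, CBC, CFB, OFB and CTR, and the way CFB carries a ciphertext error into the next block while OFB does not. The following is an added example, not code from the original posts: all five modes implemented over a stand-in block cipher (a 4-round Feistel network with HMAC-SHA256 as its round function, used only so that it runs with the Python standard library; it is not AES and must not be used for real encryption). The key, IV and plaintext are constructed demo values. It shows that ECB leaks repeated plaintext blocks and measures how a single flipped ciphertext bit propagates into the recovered plaintext under each mode.

```python
# Added example: block-cipher modes over a stand-in Feistel cipher (stdlib only).
# The cipher is NOT AES and is for illustration only; the mode logic is standard.
import hashlib
import hmac

BLOCK = 16  # 128-bit block, as in AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:  # Feistel round function (keyed PRF)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):  # undo the rounds in reverse order
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

# ECB: each block encrypted on its own, so equal plaintext blocks give equal ciphertext blocks.
def ecb_encrypt(key, _iv, pt):
    return b"".join(block_encrypt(key, b) for b in blocks(pt))
def ecb_decrypt(key, _iv, ct):
    return b"".join(block_decrypt(key, b) for b in blocks(ct))

# CBC: each plaintext block is XORed with the previous ciphertext block, then encrypted.
def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

# CFB: the previous CIPHERTEXT block is encrypted to make the keystream for the next block.
def cfb_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in blocks(pt):
        prev = _xor(b, block_encrypt(key, prev)[:len(b)])
        out.append(prev)
    return b"".join(out)
def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in blocks(ct):
        out.append(_xor(c, block_encrypt(key, prev)[:len(c)]))
        prev = c
    return b"".join(out)

# OFB: the previous keystream OUTPUT is fed back; ciphertext never re-enters the cipher.
def ofb_crypt(key, iv, data):
    out, o = [], iv
    for b in blocks(data):
        o = block_encrypt(key, o)
        out.append(_xor(b, o[:len(b)]))
    return b"".join(out)

# CTR: keystream block n = E(nonce || n); no feedback at all, so blocks can be processed in parallel.
def ctr_crypt(key, nonce, data):
    out = []
    for n, b in enumerate(blocks(data)):
        out.append(_xor(b, block_encrypt(key, nonce[:8] + n.to_bytes(8, "big"))[:len(b)]))
    return b"".join(out)

MODES = {"ECB": (ecb_encrypt, ecb_decrypt), "CBC": (cbc_encrypt, cbc_decrypt),
         "CFB": (cfb_encrypt, cfb_decrypt), "OFB": (ofb_crypt, ofb_crypt),
         "CTR": (ctr_crypt, ctr_crypt)}  # OFB/CTR: decryption is the same operation as encryption

def distinct_blocks(ct: bytes) -> int:
    return len(set(blocks(ct)))

def error_propagation(mode: str, key: bytes, iv: bytes, pt: bytes) -> list:
    """Flip one bit of the first ciphertext block, decrypt, and return the number
    of bits that differ from the original plaintext in each recovered block."""
    enc, dec = MODES[mode]
    ct = bytearray(enc(key, iv, pt))
    ct[0] ^= 0x01
    rec = dec(key, iv, bytes(ct))
    return [bin(int.from_bytes(_xor(a, b), "big")).count("1") for a, b in zip(blocks(pt), blocks(rec))]

# Constructed demo values (not real key material): four identical 16-byte plaintext blocks.
DEMO_KEY, DEMO_IV, DEMO_PT = b"k" * 16, b"i" * 16, b"ATTACK AT DAWN!!" * 4

if __name__ == "__main__":
    for m in MODES:
        print(m, "distinct ct blocks:", distinct_blocks(MODES[m][0](DEMO_KEY, DEMO_IV, DEMO_PT)),
              "| bit errors per block after one flipped ct bit:", error_propagation(m, DEMO_KEY, DEMO_IV, DEMO_PT))
```

Running it prints, for each mode, how many distinct ciphertext blocks the four identical plaintext blocks produce (1 for ECB, 4 for the others) and the bit errors per recovered block after one ciphertext bit is flipped: CBC garbles block 0 and flips exactly one bit of block 1, CFB flips one bit of block 0 and garbles block 1, while OFB and CTR flip only the single bit that was corrupted. That is why OFB and CTR do not spread transmission errors, and also why, in all of these modes, an attacker can flip chosen plaintext bits unless a MAC is added to detect tampering.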

Understanding the Birthday Paradox - Cryptography

We learnt about the one-way hash function in the previous blog post. We understood that a strong hashing algorithm makes it infeasible to find two different messages that produce the same hash value. If the algorithm does produce the same value for two distinct messages, this is called a collision. An attacker can attempt to force a collision, and this is referred to as a birthday attack. The attack is based on the birthday paradox from elementary probability, and you need to play the probability game to appreciate the paradox. Let’s assume that you go to a party and the host asks whether anyone shares the same birthday as him. Before you run to get a calculator and start making mathematical assumptions, you need to ask the following two questions: How many people must be in the same room for the chance to be greater than even that another person has the same birthday as you? It’s 253. How many people must be in the same
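
The following is an added example, not part of the original post: it computes the two birthday counts from first principles, applies the same bound to an n-bit hash, and then carries out an actual birthday attack against a SHA-256 digest deliberately truncated to 24 bits (the inputs are just an 8-byte counter; the function and variable names are this example's own).

```python
# Added example: birthday-paradox counts and a birthday attack on a truncated hash.
import hashlib
import itertools
import math

def people_for_match_with_you(p: float = 0.5, days: int = 365) -> int:
    """Smallest number of OTHER people such that P(someone shares your birthday) > p."""
    n, q = 0, 1.0  # q = probability that none of the n people share your birthday
    while 1 - q <= p:
        n += 1
        q *= (days - 1) / days
    return n

def people_for_any_shared(p: float = 0.5, days: int = 365) -> int:
    """Smallest group size such that P(some pair in the group shares a birthday) > p."""
    n, q = 1, 1.0  # q = probability that all n people have distinct birthdays
    while 1 - q <= p:
        q *= (days - n) / days
        n += 1
    return n

def hashes_for_half_chance(bits: int) -> int:
    """Random inputs needed for a 50% chance of a collision in an ideal n-bit hash:
    sqrt(2 ln 2 * 2^n), roughly 1.18 * 2^(n/2). This is why a 128-bit digest
    offers only about 64 bits of collision resistance."""
    return math.ceil(math.sqrt(2 * math.log(2) * 2 ** bits))

def truncated_tag(msg: bytes, bits: int, algo: str = "sha256") -> bytes:
    """The first `bits` (a multiple of 8) bits of the digest."""
    return hashlib.new(algo, msg).digest()[: bits // 8]

def find_collision(bits: int, algo: str = "sha256"):
    """Birthday attack: hash counter values until two share a truncated tag.
    Returns (msg1, msg2, attempts) with msg1 != msg2."""
    seen = {}
    for i in itertools.count():
        msg = i.to_bytes(8, "big")  # constructed inputs: the counter itself
        tag = truncated_tag(msg, bits, algo)
        if tag in seen:
            return seen[tag], msg, i + 1
        seen[tag] = msg

if __name__ == "__main__":
    print("others needed for a match with you:", people_for_match_with_you())
    print("people needed for any shared birthday:", people_for_any_shared())
    print("SHA-256 truncated to 24 bits: 50% collision chance after",
          hashes_for_half_chance(24), "hashes")
    m1, m2, tries = find_collision(24)
    print("collision found after", tries, "hashes:", m1.hex(), m2.hex())
    print("full 256-bit SHA-256 would need about %.2e hashes" % hashes_for_half_chance(256))
```

The 24-bit search finishes after a few thousand hashes, close to the 4,823 predicted by the bound, which is the whole point of the paradox: a collision in an n-bit hash costs about 2^(n/2) work, not 2^n, so the digest must be twice as long as the security level you want.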

Cryptographic Hash Function Explained: A Beginner’s Guide

Your fingerprints identify you uniquely. They are made up of ridges that run in a pattern unique to every individual on the planet, and even a slight difference in the pattern means you are looking at a different person. Hash values can be thought of as fingerprints for files, and it’s time to understand them in detail. Hash values are generated by a mathematical function called a one-way hash function. A one-way hash function takes a variable-length string (a message) and produces a fixed-length value called a hash value. Furthermore, a one-way hash function is designed so that it is hard to reverse the process, that is, to find a string that hashes to a given value (hence the name one-way). A good hash function also makes it hard to find two strings that produce the same hash value. Modern hash algorithms produce hash values of 128 bits and higher (MD5 gives 128 bits but is no longer considered secure against collisions; SHA-256, the usual choice today, gives 256 bits). For example - If I want to send across a message to my fri
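
The three properties described above, checked with Python's hashlib, as an added example that is not code from the original post: fixed-length output regardless of input size, the avalanche effect (a one-bit change to the message flips about half the digest bits, which is what makes the "fingerprint" useful for detecting tampering), and an integrity check that compares digests in constant time. The sample message and function names are this example's own.

```python
# Added example: properties of a one-way hash function, using Python's hashlib.
import hashlib
import hmac

def digest_bits(algo: str) -> int:
    """Output length in bits; it does not depend on the input at all."""
    return hashlib.new(algo).digest_size * 8

def fixed_length(algo: str, messages) -> bool:
    """True if every message, whatever its size, yields a digest of digest_bits(algo)."""
    return all(len(hashlib.new(algo, m).digest()) * 8 == digest_bits(algo) for m in messages)

def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """The hex digest that would be sent alongside (or published for) the data."""
    return hashlib.new(algo, data).hexdigest()

def avalanche_fraction(msg: bytes, algo: str = "sha256") -> float:
    """Flip one bit of msg and return the fraction of digest bits that change."""
    flipped = bytearray(msg)
    flipped[0] ^= 0x01
    a = int.from_bytes(hashlib.new(algo, msg).digest(), "big")
    b = int.from_bytes(hashlib.new(algo, bytes(flipped)).digest(), "big")
    return bin(a ^ b).count("1") / digest_bits(algo)

def verify_integrity(data: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """Recompute the digest and compare with hmac.compare_digest, which takes the
    same time whether the first byte or the last byte differs, so an attacker
    cannot learn how much of a forged value was right from the timing."""
    return hmac.compare_digest(fingerprint(data, algo), expected_hex)

if __name__ == "__main__":
    msg = b"Meet me at the usual place at 9."  # constructed sample message
    print("sha256 bits:", digest_bits("sha256"), "| sha512 bits:", digest_bits("sha512"))
    print("same length for 0 B, 1 B and 1 MiB inputs:",
          fixed_length("sha256", [b"", b"a", b"x" * 2 ** 20]))
    print("fraction of digest bits changed by a 1-bit edit: %.3f" % avalanche_fraction(msg))
    fp = fingerprint(msg)
    print("original verifies:", verify_integrity(msg, fp))
    print("tampered copy verifies:", verify_integrity(msg.replace(b"9", b"8"), fp))
```

Note that a bare hash only detects accidental corruption: anyone who can alter the message can recompute its hash, so for protection against a deliberate attacker the fingerprint must be sent over a separate trusted channel or replaced by a keyed construction such as an HMAC.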

New Year Greetings

Dear Reader, Wishing you a very happy and prosperous new year. While a beginning always calls for new resolutions, I firmly believe that any day is a good day for making a resolution or setting a new goal for yourself if you truly mean it. Well, many of us, however, take up lofty goals and end up disappointed in the end. "I will score a GPA of 9+ this year" or "I will become the best blogger in 1 year" etc. - the list is endless if you think about it. While making goals is a good thing, the problem with such statements is that they are output-oriented. You focus so much on the end result that after some time you start feeling pressurised and you leave it altogether. It's time to change this approach. Hence, you can decide to be just consistent and input-oriented. Instead of just making a new year resolution - "I will clear the CISSP exam in March 2020" - change it to "I will study for 2 hours every day for the CISSP exam." You will f

Don’t be Held for Ransom! Tips for Preventing Ransomware

“****, my system has been attacked by ransomware…” has been one of the most commonly heard statements this year alone. The last 12-18 months have seen ransomware evolve from a relatively small hacker operation into a global IT epidemic and one of the most dangerous security threats facing enterprise organizations today. There is one good thing about ransomware too: it doesn’t discriminate! It will attack your systems irrespective of whether your organization is a leader or a follower, or whether you work for the greater good or not. Before we move further, a brief note on ransomware. Ransomware is a type of crypto-malware used for cyber extortion. It holds a victim’s computer or files hostage by encrypting them and demands payment in exchange for decrypting the files and restoring access to the device. Ransomware is usually spread through phishing emails carrying a malicious attachment, an infected program, or a link to a compromised website. Ransomware attacks

6 Best Practices for Email Security

While many new modes of communication have mushroomed in the past few years, good old-fashioned email remains the top means of communication for businesses. It also remains the top target for social engineers, who keep coming up with creative new ways to use it to spread malware, get into networks, or grab a bunch of high-profile passwords. The numbers prove it: users sent 30 trillion emails in 2018 and around 92% of malware was delivered through email. If the problem is so severe, why can’t we do something about it? Well, technology can help only to a certain extent. Beyond that we need to apply the common sense that people seem to abandon the moment they step into the virtual world. When I was a kid, I remember my mother told me not to open the door to strangers when I was alone. This good old-fashioned advice is relevant in the virtual world too; we just don’t seem to follow it. Here are 6 best practices/pieces of advice which can help your bu

[CyberSecurity Awareness Series] The VEC Scam

Bob heaved a sigh of relief after he saw the mail. The payment had been processed and he had immediately received the payment confirmation from the vendor. It was the end of the month and he wanted no non-compliance on his company’s part in paying its dues. In fact, Bob had looped the finance department into the emails to ensure that payment was processed immediately after validation of the invoice. The next day, he receives a call from one of his vendors, IAMVendor, to settle the dues for this month. Bob tells them that the payment has already been made and that, in fact, IAMVendor itself had sent him the payment confirmation message. To avoid any confusion, Bob decides to send them the payment confirmation as well as the invoice they had sent. The next day, Bob receives emails from other vendors too, asking when their payments will be processed. Bob calls up his finance department and asks them to check with their bank as to why has the