Rob and Family


For Fourth of July we met Rob’s sister and mother. Yesterday we had a quick happy hour and then dinner to wish his sister, Debs, safe travels back to South Africa.

Posted in life | Comments Off on Rob and Family

Fourth of July 2013

We celebrated the fourth of July at our house with a bunch of friends. Click on a picture and use your right and left arrow keys to go through them all. We didn’t take many pictures though.


Posted in life | Comments Off on Fourth of July 2013

10. Exam Essentials for PKI and Cryptographic Applications

Asymmetric key cryptography is another way of saying public key encryption.

Understand the key types used in asymmetric cryptography: public keys are freely shared whereas private keys are kept secret. To encrypt a message, use the recipient’s public key. To decrypt a message, use your own private key.
To sign a message, use your own private key. To validate a signature, use the sender’s public key.

Be familiar with the three major public key cryptosystems: RSA (which depends upon the difficulty of factoring the product of prime numbers), El Gamal (an extension of the Diffie-Hellman key exchange algorithm that depends upon modular arithmetic), and the Elliptic Curve Algorithm (which depends on the elliptic curve discrete logarithm problem and provides more security than the other algorithms when all are used with keys of the same length).

A good hash function has the following fundamentals:
Allows input of any length
Provides a fixed-length output
Is relatively easy to compute for any input
Provides one-way functionality
Is collision free

Major hashing algorithms:
SHA
SHA-1 (160-bit message digest)
SHA-2 (variable lengths up to 512 bits)

Digital signatures are generated by first using a hashing function to generate a message digest, then encrypting the digest with your private key. To verify the digital signature on a message, decrypt the signature with the sender’s public key and compare the message digest to the one you generate yourself; if they match, it’s authentic.

Know the components of the Digital Signature Standard (DSS).
DSS uses the SHA-1 message digest function along with one of three encryption algorithms: DSA, RSA or ECDSA
(Digital Signature Algorithm; Rivest, Shamir, Adleman; Elliptic Curve DSA).

Understand the PKI.
In the PKI, certificate authorities (CAs) generate digital certificates containing the public keys of system users. Users then distribute these certificates to people with whom they want to communicate. Certificate recipients verify a certificate using the CA’s public key.

Common applications of cryptography to secure email: the S/MIME protocol; another popular security tool is Phil Zimmermann’s PGP.

Common applications of cryptography to secure web activity: the de facto standard for secure web traffic is HTTP over TLS, or the older SSL.

Common applications of cryptography to secure networking: the IPSec protocol standard provides a common framework for encrypting network traffic and is built into a number of common operating systems. In IPSec transport mode, packet contents are encrypted for peer-to-peer communication; in tunnel mode, the entire packet, including header information, is encrypted for gateway-to-gateway communications.

IPSec is a security architecture framework that supports secure communication over IP. IPSec establishes a secure channel in either transport mode or tunnel mode, for direct communication between computers or to set up a VPN between networks. IPSec uses two protocols: AH (Authentication Header) and ESP (Encapsulating Security Payload).

Common cryptographic attacks:
Brute-force: also called exhaustive key search, a cryptanalytic attack that can, in theory, be used against any encrypted data. Such an attack might be utilized when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier. It consists of systematically checking all possible keys until the correct key is found. In the worst case, this would involve traversing the entire search space.

Known plain-text: the attacker has samples of both the plaintext (called a crib), and its encrypted version (ciphertext). These can be used to reveal further secret information such as secret keys and code books. The term “crib” originated at Bletchley Park, the British World War II decryption operation.[1][2]

Chosen ciphertext: the cryptanalyst gathers information, at least in part, by choosing a ciphertext and obtaining its decryption under an unknown key. In the attack, an adversary has a chance to enter one or more known ciphertexts into the system and obtain the resulting plaintexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption.

Chosen plain-text: the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. The goal of the attack is to gain some further information which reduces the security of the encryption scheme. In the worst case, a chosen-plaintext attack could reveal the scheme’s secret key.

Meet-in-the-middle: a generic attack applicable to several cryptographic systems; the internal structure of a specific system is therefore irrelevant to this attack. It is possible, though, to combine it with other kinds of attack, as has been done.
Naturally it requires the ability to encrypt and decrypt, and the possession of pairs of plaintexts and corresponding ciphertexts.
When trying to improve the security of a block cipher, a tempting idea is to simply use several independent keys to encrypt the data several times using a sequence of functions (encryptions). Then one might think that this doubles or even n-tuples the security of the multiple-encryption scheme, depending on the number of encryptions the data must go through.
The Meet-in-the-Middle attack attempts to find a value using both of the range (ciphertext) and domain (plaintext) of the composition of several functions (or block ciphers) such that the forward mapping through the first functions is the same as the backward mapping (inverse image) through the last functions, quite literally meeting in the middle of the composed function.

Man-in-the-middle: a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances.

Birthday: Exploits the mathematics behind the birthday problem in probability theory. This attack can be used to abuse communication between two or more parties. The attack depends on the higher likelihood of collisions found between random attack attempts and a fixed degree of permutations (pigeonholes), as described in the birthday problem/paradox.

Replay: network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution (such as stream cipher attack).

Posted in CISSP-Study | Comments Off on 10. Exam Essentials for PKI and Cryptographic Applications

9. Exam Essentials for Cryptography and Symmetric Key Algorithms

Understand the role that confidentiality, integrity, and nonrepudiation play in cryptosystems.

Know how cryptosystems can be used to achieve authentication goals by providing assurances as to the identity of the user. One possible scheme that uses authentication is the challenge-response protocol, in which the remote user is asked to encrypt a message using a key known only to the two communicating parties, using either symmetric or asymmetric cryptosystems.

The basic terminology of cryptography.
Plaintext
Ciphertext
etc

Understand the difference between a code and a cipher and explain the basic types of ciphers. Codes are cryptographic systems of symbols that operate on words or phrases and are sometimes secret but don’t always provide confidentiality. Ciphers, however, are always meant to hide the true meaning of a message. Know how the following types of ciphers work:
transposition ciphers, substitution ciphers (including one-time pads), stream ciphers and block ciphers.

Know the requirements for successful use of a one-time pad.
The key must be randomly generated, must be at least as long as the message to be encrypted, must be protected against physical disclosure, and must be used only once and then discarded.

The concept of zero knowledge proof.

Understand split knowledge: It ensures that no single person has sufficient privileges to compromise the security of the environment.

Understand work function (or work factor). It’s a way to measure the strength of a cryptography system by measuring the effort, in terms of cost and/or time, to decrypt messages. Usually the time and effort required to perform a complete brute-force attack against an encryption system is what a work function rating represents.

The importance of key security: cryptographic keys provide the necessary elements of secrecy to a cryptosystem. Modern cryptosystems utilize keys that are at least 128 bits long to provide adequate security. It’s generally agreed that the 56-bit key of DES is no longer long enough to provide security.

Know the difference between symmetric and asymmetric cryptosystems.
Symmetric key cryptosystems are fast, rely on a shared secret key but lack support for scalability, easy key distribution, and nonrepudiation. Asymmetric cryptosystems use public-private key pairs for communication between parties but operate much more slowly than symmetric algorithms.

Be able to explain basic operational modes of DES and 3DES.
ECB: Electronic Code Book
CBC: Cipher Block Chaining
CFB: Cipher Feedback Mode
OFB: Output Feedback Mode (least secure)

3DES uses three iterations of DES with two or three different keys to increase the effective key strength to 112 or 168 bits, respectively.

AES is the Advanced Encryption Standard and is the US government standard for the secure exchange of sensitive but unclassified data. AES uses key lengths of 128, 192, and 256 bits and a fixed block size of 128 bits to achieve a much higher level of security than that provided by the older DES algorithm.

Posted in CISSP-Study | Comments Off on 9. Exam Essentials for Cryptography and Symmetric Key Algorithms

Supermoon

Jaime took these awesome pictures of the supermoon.

Here is a cool article on “the supermoon”.

Posted in life | Comments Off on Supermoon

8. Exam Essentials for Malicious Code and Application Attacks

Understand the propagation techniques used by viruses: file infection, service injection, boot sector infection, and macro infection.

Most antivirus programs use signature-based detection algorithms to look for telltale patterns of known viruses. It’s essential to update virus definition files in order to maintain protection against newly authored viruses as they emerge.

Passwords are the most common access control mechanism in use today and it is essential that you understand how to protect against attackers who seek to undermine their security. Understand password crackers, dictionary attacks and social engineering and how they are used to defeat password security.

Application attacks are one of the greatest threats to modern computing. Attackers exploit buffer overflows, trap doors, time of check to time of use vulnerabilities and rootkits to gain illegitimate access to a system.

As applications move to the web, developers and security professionals must understand the new types of attacks that exist in this environment and how to protect against them. The most common are XSS and SQL injection attacks.

Before launching an attack, attackers use IP sweeps to search out active hosts on a network, then port scans, then vulnerability probes, and finally attack the weaknesses found. Understand these techniques to limit the amount of information an attacker can get.

Posted in CISSP-Study | Comments Off on 8. Exam Essentials for Malicious Code and Application Attacks

Father’s Day 2013


We watched Man of Steel today.


For Father’s Day, my wife got me some awesome motorcycle mesh overpants. Perfect for my drive back and forth from work.

As another gift, look what my son and I did!
16 years later

Posted in life | Comments Off on Father’s Day 2013

7. Exam Essentials for Software Development Security

Describe the functioning of viruses, worms, trojan horses and logic bombs.
Viruses: the oldest form of malicious code objects.
Trojan horses: a cover application carrying a secret, usually malicious, payload.
Logic bombs: dormant malicious code that waits for an event to trigger it.
Worms: viruses designed to spread themselves.

Understand the impact each type of threat may have on a system and the methods they use to propagate. Know the basic functioning of agents (aka bots) and the impact they may have on computer/network security.

Understand the functionality behind Java applets and ActiveX controls and be able to determine the appropriate security controls for a given computing environment.

Applets are code objects sent from a server to a client to perform some action (opposite of an agent/bot), like an online mortgage calculator. ActiveX is the Microsoft version of Java Applets.

Explain RDBMSs. Functions of tables/relations, rows/records/tuples, columns/degrees/fields/attributes. Know how relationships are defined between tables and roles of various types of keys. Describe database security threats posed by aggregation and inference.

Row=Cardinality
Column=Degree

Know storage: the differences between primary memory and virtual memory, secondary storage and virtual storage, random access storage, sequential access storage, and volatile storage and nonvolatile storage.

Understand how expert systems and neural networks function.
An expert system has a knowledge base with if/then rules and an inference engine to draw conclusions from it (like twenty questions).

Neural networks simulate the functioning of a human mind to a limited extent by arranging a series of layered calculations to solve problems. Neural networks require extensive training on a particular problem before they are able to offer solutions.

The different models of systems development:
The waterfall model describes a sequential development process that results in the development of a finished product.

The spiral model uses several iterations of the waterfall model to produce a number of fully specified and tested prototypes.

Agile development models place an emphasis on the needs of the customer and quickly developing new functionality that meets those needs in an iterative fashion.

Software maturity models help software organizations improve the maturity and quality of their software processes by implementing an evolutionary path from ad hoc, to mature software processes.

SW CMM: Software Capability Maturity Model
1: Initial
2: Repeatable
3: Defined
4: Managed
5: Optimizing

IDEAL
I: Initiating
D: Diagnosing
E: Establishing
A: Acting
L: Learning

To memorize, remember this: “I, I Dr. Ed, AM LO”
then write it out in two columns:

Initial        Initiating
Diagnosing     Repeatable
Establishing   Defined
Acting         Managed
Learning       Optimizing

Know the 3 basic components of change control:
1: Request Control
2: Change Control
3: Release Control

The 4 rings of the ring protection scheme:
0: the operating system itself resides here; processes running at this level are often said to be running in supervisory mode or privileged mode. Level 0 processes have full control of all system resources, so it’s essential to ensure that they are fully verified and validated.
The kernel implements the reference monitor, an operating system component that validates all user requests for access to resources against an access control scheme.
1 & 2: device drivers and other operating system services. Most operating systems do not employ these rings.
3: user applications and processes reside here, usually called user mode or protected mode.

The security kernel is the core set of operating system services that handles user requests for access to system resources. The reference monitor is the portion of the security kernel that validates user requests against the system’s access control mechanisms.

Software testing should be designed as part of the development process. Testing should be used as a management tool to improve the design, development, and production process.

The 4 security modes approved by the DoD:
Compartmented security mode: all system users must have an appropriate clearance to access all information processed by the system but do not necessarily have a need to know for all information in the system.
Dedicated security mode: systems are authorized to process only a specific classification level at a time, and all users must have clearance and a need to know for that information.
Multilevel security mode: systems are authorized to process information at more than one level of security even when all system users do not have appropriate clearances.
System-high security mode: systems are authorized to process only information that all system users are cleared to read and have a valid need to know. These systems are not trusted to maintain separation between security levels, and all information processed by them must be handled as if it were classified at the same level as the most highly classified information processed.

Posted in CISSP-Study | Comments Off on 7. Exam Essentials for Software Development Security

6. Exam Essentials for Risk and Personnel Management

3rd party governance is the system of oversight that may be mandated by law, regulation, industry standards, or licensing requirements.

Risk management is the process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing a cost-effective solution for mitigating or reducing risk. Risk management lays the foundation for reducing risk overall.

Risk analysis is the process by which upper management is provided with the details needed to make decisions about which risks are to be mitigated, which should be transferred, and which should be accepted. To do so, the following must be analyzed:
assets, asset valuation, threats, vulnerabilities, exposure, risk, realized risk, safeguards, countermeasures, attacks, and breaches.

Threats come from numerous sources, including IT, humans and nature. Threat assessment should be performed as a team effort to provide the widest range of perspectives.

Quantitative risk analysis focuses on hard values and percentages. A complete quantitative analysis is not possible because of the intangible aspects of risk. The process involves asset valuation and threat identification and then determining a threat’s potential frequency and the resulting damage; the result is a cost/benefit analysis of safeguards.

Exposure Factor (EF) is an element of quantitative risk analysis that represents the percentage of loss that an organization would experience if a specific asset were violated by a realized risk.

Single Loss Expectancy (SLE) is an element of quantitative risk analysis that represents the cost associated with a single realized risk against a specific asset. SLE = AV * EF

Annualized Rate of Occurrence (ARO) is an element of quantitative risk analysis that represents the expected frequency with which a specific threat or risk will occur within a single year.

Annualized Loss Expectancy (ALE) is an element of quantitative risk analysis that represents the possible yearly cost of all instances of a specific realized threat against a specific asset. ALE = SLE * ARO

Use the ALE formula before and after a safeguard is implemented: (ALE before - ALE after) - cost of safeguard = value of safeguard to the company.
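The EF, SLE, ARO and ALE chain above, carried through to the safeguard cost/benefit result, as an added Python example that is not part of the original study notes. The function names and the file-server scenario are constructed for this example.

```python
# Quantitative risk analysis helpers using the formulas from the notes:
# SLE = AV * EF, ALE = SLE * ARO, and
# safeguard value = (ALE before - ALE after) - annual cost of safeguard.
# Function names and the sample scenario are constructed for this example.

def single_loss_expectancy(asset_value, exposure_factor):
    """SLE: cost of one realized risk against the asset (EF is a fraction, 0.0 to 1.0)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be a fraction between 0 and 1")
    return asset_value * exposure_factor

def annualized_loss_expectancy(sle, aro):
    """ALE: expected yearly cost; ARO is the number of occurrences per year."""
    return sle * aro

def safeguard_value(ale_before, ale_after, annual_safeguard_cost):
    """Positive means the safeguard saves more per year than it costs."""
    return (ale_before - ale_after) - annual_safeguard_cost

def evaluate_safeguard(asset_value, ef_before, aro_before,
                       ef_after, aro_after, annual_safeguard_cost):
    """Carry the whole chain through and return every intermediate value."""
    sle_before = single_loss_expectancy(asset_value, ef_before)
    sle_after = single_loss_expectancy(asset_value, ef_after)
    ale_before = annualized_loss_expectancy(sle_before, aro_before)
    ale_after = annualized_loss_expectancy(sle_after, aro_after)
    return {
        "SLE_before": sle_before,
        "ALE_before": ale_before,
        "SLE_after": sle_after,
        "ALE_after": ale_after,
        "safeguard_value": safeguard_value(ale_before, ale_after,
                                           annual_safeguard_cost),
    }

if __name__ == "__main__":
    # Constructed scenario: a $100,000 file server loses 25% of its value per
    # ransomware incident, two incidents a year. An offline-backup safeguard
    # costing $10,000/year leaves EF unchanged but cuts the rate to one
    # incident every two years (ARO 0.5).
    result = evaluate_safeguard(100_000, 0.25, 2, 0.25, 0.5, 10_000)
    for name, value in result.items():
        print(f"{name:>16}: ${value:,.2f}")
```

A negative safeguard value means the countermeasure costs more than the loss it prevents, which is the case where accepting the risk is the rational choice.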

Qualitative risk analysis is based on scenarios rather than calculations. Exact dollar amounts are not assigned to possible losses; instead, threats are ranked on a scale to evaluate their risks, costs, and effects.

The Delphi technique is simply an anonymous feedback-and-response process used to arrive at a consensus to properly evaluate risks and implement solutions.

Reducing risk, or risk mitigation, is implementing safeguards and countermeasures. Assigning or transferring a risk places the cost of loss a risk represents onto another entity or organization. Accepting risk means that management has evaluated the cost/benefit analysis of possible safeguards and has determined that the cost of the countermeasure greatly outweighs the possible cost of loss due to a risk.

Total risk is the amount of risk an organization would face if no safeguards were implemented. To calculate total risk, use this formula: threats * vulnerabilities * asset value = total risk. Residual risk is the risk that management has chosen to accept rather than mitigate. The difference between total risk and residual risk is the controls gap. To calculate residual risk: total risk - controls gap = residual risk.

To properly plan for security, you must have standards in place for job descriptions, job classification, work tasks, job responsibilities, preventing collusion, candidate screening, background checks, security clearances, employment agreements, and nondisclosure agreements. By developing these mechanisms, you ensure that new hires are aware of the required security standards.

Separation of duties is the security concept of dividing critical, significant, and sensitive work tasks among several individuals, ensuring no one person can compromise system security.

Least privilege: users are granted the minimum amount of access necessary to do their tasks/jobs. Limiting user access limits the vulnerability of sensitive information.

Job rotation provides knowledge redundancy and reduces the risk of fraud, data modification, theft, sabotage and misuse of information.

Mandatory vacations are used to audit and verify the work tasks and privileges of employees to detect abuse, fraud or negligence.

Vendor, consultant, and contractor controls are used to define the levels of performance, expectation, compensation, and consequences for entities, persons, or organizations that are external to the primary organization. These are usually called SLAs.

Termination policy defines the procedures for terminating employees. Right? It should include items such as always having a witness, disabling the employee’s network access, and performing an exit interview. A termination policy should also include escorting the terminated employee off the premises and requiring the return of security tokens and badges and company property.

Before training and education can take place, awareness of security as a recognized entity must be created, then can come training, teaching employees to perform their work tasks and to comply with the security policy. All new employees require some level of training so they will be able to comply with all standards, guidelines, and procedures mandated by the security policy.

In order to manage the security function, an organization must implement proper and sufficient security governance. The act of performing a risk assessment to drive the security policy is the clearest and most direct example of management of the security function. This also relates to budget, metrics, resources, information security strategies, and assessing the completeness and effectiveness of the security program.

Posted in CISSP-Study | Comments Off on 6. Exam Essentials for Risk and Personnel Management

We Bought a Boat!!!


Yes, it’s true. It was a deal we couldn’t pass up and it didn’t break the bank. We did talk about how we should probably buy a truck first, but we honestly couldn’t pass this up. We hope to take it with us on our houseboat trip. Hopefully even sooner than that!


I’m riding on a dolphin, doing flips and shit
This dolphin’s splashing, getting everybody all wet
But this ain’t Seaworld, this is real as it gets
I’m on a boat, motherfucker, don’t you ever forget

Posted in life | Comments Off on We Bought a Boat!!!