Showing posts with label Cloud Computing Security Varun IS Risk assessment. Show all posts

Wednesday, December 15, 2010

Cryptography Basics

You may sometimes wonder how you could transfer your data/information to someone without revealing it to others. Well, the answer is cryptography. (Note: this post covers the basics and is meant for beginners.)

What is Cryptography?

It is a practice by which you can hide information: you write it in a form that only the intended recipient can understand. Isn’t that great!! But there is nothing new in this. It has been used since ancient times, and its schemes have been broken many times.

How does it work in modern time?

The information you want to transfer is known as plaintext, and the process of converting it into a hidden form (ciphertext) is known as encryption. The process of converting it back is known as decryption. Plaintext is encrypted, and ciphertext decrypted, using a key.

Types of cryptography

Broadly there are two types of cryptography:

Symmetric Key Cryptography: Also known as private key cryptography. Under this, both sender and receiver use the same key to encrypt and decrypt. It can be categorized further into block ciphers and stream ciphers. Some examples are Data Encryption Standard (DES), Advanced Encryption Standard (AES), RC4, RC2, etc. The major shortfall of this type is that if the key is compromised, the message is no longer hidden.

Asymmetric Key Cryptography: Also known as public key cryptography. Under this there are two keys: one key is used to encrypt and the other to decrypt the message. It covers the major shortfall of private key cryptography, since the sender only needs the recipient’s public key to encrypt, and only the holder of the matching private key can decrypt the message.

Which is the unbreakable encryption?

You must be curious to know this. Well, it is the “One Time Pad”. Every bit or character of the plaintext is encrypted by modular addition with a bit or character from a secret random key of the same length as the plaintext, resulting in the ciphertext.
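The one-time pad described above, written out in Python as an added example (this is not code from the original post). Each byte is combined with the matching key byte by addition modulo 256, and decryption subtracts it again. The demo message, the function names and the constructed pad are assumptions for illustration. The last function shows the caveat hidden in the word “unbreakable”: the pad must be truly random, exactly as long as the message, and used only once, because the difference of two ciphertexts made with the same pad no longer depends on the key at all.

```python
import secrets


def generate_pad(length: int) -> bytes:
    """A fresh, truly random pad exactly as long as the message (never reuse it)."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Modular addition: each plaintext byte plus the matching key byte, mod 256."""
    if len(key) != len(plaintext):
        raise ValueError("the pad must be exactly as long as the plaintext")
    return bytes((p + k) % 256 for p, k in zip(plaintext, key))


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Inverse operation: subtract the matching key byte, mod 256."""
    if len(key) != len(ciphertext):
        raise ValueError("the pad must be exactly as long as the ciphertext")
    return bytes((c - k) % 256 for c, k in zip(ciphertext, key))


def ciphertext_difference(c1: bytes, c2: bytes) -> bytes:
    """What an observer can compute from two messages encrypted under the SAME pad.

    (c1 - c2) mod 256 == (p1 + k) - (p2 + k) == (p1 - p2) mod 256: the key cancels,
    so the relationship between the two plaintexts leaks. That is why the pad is
    'one-time'; with a fresh pad per message nothing about the plaintext is exposed.
    """
    return bytes((a - b) % 256 for a, b in zip(c1, c2))


if __name__ == "__main__":
    # Constructed demo message; in practice the pad is exchanged out of band.
    message = b"MEET AT NOON"
    pad = generate_pad(len(message))
    ct = otp_encrypt(message, pad)
    assert otp_decrypt(ct, pad) == message
    print("ciphertext:", ct.hex())

    # Reusing the same pad for a second message leaks where the plaintexts differ.
    second = b"MEET AT NINE"
    ct2 = otp_encrypt(second, pad)
    diff = ciphertext_difference(ct, ct2)
    print("positions where the two messages differ:",
          [i for i, d in enumerate(diff) if d])
```

Run the file directly to see a round trip and the key-reuse leak; the zero bytes in the difference mark exactly the positions where the two messages agree, which an eavesdropper learns without ever seeing the pad.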

There are many other concepts and advanced/wider topics in cryptography. Please re-visit to learn more about the advanced topics.

Thursday, December 9, 2010

Access Control Basics

To start with, first of all:

What is Access Control?

It is a system/service which provides the ability to control access to areas and resources in a computer-based information system or a physical facility.

What is AAA?

AAA refers to Authentication, Authorization & Accountability.

Authentication: refers to the process of proving that you are who you claim to be, based on the factors below:

a. Something you know, like a passcode, password, etc.
b. Something you have, like a smart card, etc.
c. Something you are, like a biometric (fingerprint, retina scan, etc.)
d. Where you are, like in the office, outside the office, etc.

Authorization: refers to the process which decides what a person can do, or which actions they may perform on objects. For example, based on your authorization level you may be able to read a document but not write to it.

Accountability: refers to the process which associates a subject with its actions, e.g. audit trails, logs, etc.

What are the models of Access Control?

The most common models are Discretionary Access Control and Non-Discretionary Access Control. Under Non-Discretionary Access Control we have Mandatory Access Control (MAC) and Role Based Access Control (RBAC).

Discretionary Access Control (DAC): The owner of the object decides who is allowed access and with what privileges.

Mandatory Access Control (MAC): The system decides who is allowed access and with what privileges, based on labels assigned to each object and subject. If both labels (subject and object) are the same, then access is granted.

Role Based Access Control (RBAC): The system decides who is allowed access and with what privileges based on the role of the individual.
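The three models above side by side, as an added Python example that is not part of the original post. Each decision function also appends to an audit list, which is the accountability element from the AAA section: every access decision is tied back to the subject that triggered it. The object, subject and role names are constructed for the demo, and the MAC rule follows the post’s simplified statement (same label on subject and object grants access) rather than any particular real-world labelling policy.

```python
from dataclasses import dataclass, field

# Accountability: every decision is recorded with the subject that caused it.
AUDIT_LOG: list = []


def record(model: str, subject: str, target: str, action: str, allowed: bool) -> None:
    AUDIT_LOG.append((model, subject, target, action, allowed))


# --- DAC: the object's owner maintains its access control list ---
@dataclass
class DacObject:
    name: str
    owner: str
    acl: dict = field(default_factory=dict)  # subject -> set of permissions

    def grant(self, actor: str, subject: str, perms: set) -> bool:
        """Only the owner may change the ACL (discretionary = owner's discretion)."""
        if actor != self.owner:
            record("dac-grant", actor, self.name, f"grant {subject}", False)
            return False
        self.acl.setdefault(subject, set()).update(perms)
        record("dac-grant", actor, self.name, f"grant {subject}", True)
        return True


def dac_check(obj: DacObject, subject: str, perm: str) -> bool:
    """The owner always has access; everyone else needs an ACL entry."""
    allowed = subject == obj.owner or perm in obj.acl.get(subject, set())
    record("dac", subject, obj.name, perm, allowed)
    return allowed


# --- MAC: the system compares labels; the post's rule is "same label -> access" ---
def mac_check(subject: str, subject_label: str, obj: str, object_label: str) -> bool:
    allowed = subject_label == object_label
    record("mac", subject, obj, f"label {subject_label} vs {object_label}", allowed)
    return allowed


# --- RBAC: permissions are attached to roles, users are assigned roles ---
ROLE_PERMISSIONS = {              # constructed demo roles
    "auditor": {"read"},
    "editor": {"read", "write"},
}
USER_ROLES = {"alice": {"editor"}, "bob": {"auditor"}}   # constructed demo users


def rbac_check(user: str, perm: str, obj: str = "report") -> bool:
    """Allowed if any of the user's roles carries the permission."""
    allowed = any(perm in ROLE_PERMISSIONS.get(role, set())
                  for role in USER_ROLES.get(user, set()))
    record("rbac", user, obj, perm, allowed)
    return allowed


if __name__ == "__main__":
    plan = DacObject(name="plan.doc", owner="alice")
    plan.grant("alice", "bob", {"read"})
    print("DAC  bob read  :", dac_check(plan, "bob", "read"))
    print("DAC  bob write :", dac_check(plan, "bob", "write"))
    print("MAC  SECRET/SECRET:", mac_check("carol", "SECRET", "memo", "SECRET"))
    print("RBAC bob write :", rbac_check("bob", "write"))
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The difference between the models is visible in who can change the outcome: in DAC the owner edits the ACL, in MAC and RBAC only the system (through labels or role assignments) can, which is why the post groups the latter two under Non-Discretionary Access Control.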

Monday, August 30, 2010

Few Ways Hackers Break Security & Recommendations

Exploiting Defaults
When you install software or an application, it comes with default settings like the default installation path, passwords, folder names, etc.

Many compliance standards suggest that you avoid this situation. Use the customized options as much as possible. Try to avoid installing operating systems into the default drives and folders, and don't install applications and other software into their default locations.

Man-in-the-Middle Attacks
The man-in-the-middle attack intercepts a communication between two systems. For example, in an HTTP transaction the target is the TCP connection between client and server. Using different techniques, the attacker splits the original TCP connection into two new connections, one between the client and the attacker and the other between the attacker and the server. Once the TCP connection is intercepted, the attacker acts as a proxy, able to read, insert and modify the data in the intercepted communication.

Protection techniques: avoid clicking on links found in e-mails, and always verify that links from Web sites stay within trusted domains and still maintain SSL encryption. Deploy IDS (Intrusion Detection System) systems to monitor network traffic as well as DNS and local systems.

Stealing Passwords
Multi-factor authentication is the best possible and recommended way to protect against this. However, many places still depend only on passwords. With the increasing capacity of computers, passwords can be cracked easily using dictionary attacks, brute force attacks and hybrid attacks (to name a few examples). Other factors involve human capacity: as humans we can only remember passwords of a certain length, and as a result people may write their passwords down in different places. There are further factors, like insecure protocols that transfer passwords in clear text, keystroke loggers, shoulder surfing/video surveillance, the same password used at different places, etc., which create this risk. Password theft, password cracking and even password guessing are still serious threats to IT.

The best protection against these threats is to deploy multifactor authentication systems and to train personnel regarding safe password behavior.


Trojan Horses
A Trojan horse is defined as a "malicious, security-breaking program that is disguised as something benign". For example, you download what appears to be a movie or music file, but when you click on it, you unleash a dangerous program that erases your disk, sends your credit card numbers and passwords to a stranger, or lets that stranger hijack your computer to commit illegal denial of service attacks. A Trojan horse could be delivered via e-mail as an attachment, it could be presented on a Web site as a download, or it could be placed on removable media (memory card, CD/DVD, USB stick, floppy, etc.).

In any case, the protection is automated malicious code detection tools, such as modern anti-virus systems and other specific forms of malware scanners, together with user training.

Extensive Learning
External hackers learn how to overcome your security barriers by researching your organization. This process can be called reconnaissance, discovery, or footprinting. Ultimately, it is intensive, focused research into all information available about your organization from public and not-so-public resources.
If you've done any research or reading into warfare tactics, you are aware that the most important weapon you can have at your disposal is information. Hackers know this and spend considerable time and effort acquiring a complete weapon store. What is often disconcerting is how much your organization freely contributes to the hacker's weapon stockpile. Most organizations are hemorrhaging data; companies freely give away too much information that can be used against them in various types of logical and physical attacks. Here are just a few common examples of what a hacker can learn about your organization in very little time:
• The names of your top executives and any flashy employees you have by perusing your archive of press releases.
• The company address, phone number, and fax number from domain name registration.
• The service provider for Internet access through DNS lookup and traceroute.
• Employee home addresses, phone numbers, employment history, family members, previous addresses, criminal record, driving history, and more by looking up their names in various free and paid background research sites.
• The operating systems, major programs, programming languages, specialized platforms, network device vendors, and more from job site postings.
• Physical weaknesses, vantage points, lines of sight, entry ways, covert access paths, and more from satellite images of your company and employee addresses.
• Usernames, e-mail addresses, phone numbers, directory structure, filenames, OS type, Web server platform, scripting languages, Web application environments, and more from Web site scanners.
• Confidential documents accidentally posted to a Web site from archive.org and Google hacking.
• Flaws in your products, problems with staff, internal issues, company politics, and more from blogs, product reviews, company critiques, and competitive intelligence services.
A hacker will spend most of their time in information-gathering activities. The more the attacker learns about you, the easier the subsequent attack becomes.
As for defense, you are ultimately at a loss—mainly because it is already too late. Once information is out on the Internet, it is always out there. You can obviously clean up and sterilize any information resource currently under your direct control. You can even contact third-party information repositories to request that they change your information. Some online data systems, such as domain registrars, offer privacy and security services (for a fee, of course). You can also control or limit the output of information in the future by being more discreet in your announcements, product details, press releases, etc.
However, it is the information that you can't change or remove from the Internet that will continue to erode your security.
The only way to manage uncontrollable information is to make changes to your environment so that it is no longer correct or relevant.

Social Engineering

Firewalls, IDS’s, IPS’s, and anti-malware scanners have made intrusions and hacking a difficult task.
However, the bad news is that many hackers have expanded their idea of what hacking means to include social engineering: hackers are going after the weakest link in any organization's security—the people.
People are always the biggest problem with security because they are the only element within the secured environment that has the ability to choose to violate the rules. People can be coerced, tricked, duped, or forced into violating some aspect of the security system in order to grant a hacker access. The age-old problem of people exploiting other people by taking advantage of human nature has returned as a means to bypass modern security technology.
Protection against social engineering is primarily education. Training personnel about what to look for, and to report all abnormal or awkward interactions, can be an effective countermeasure. But this is only true if everyone in the organization realizes that they are a social engineering target. In fact, the more a person believes that their position in the company is so minor that they would not be a worthwhile target, the more they are actually the preferred target of the hacker.


Keeping an eye on new Vulnerabilities

Hackers always keep an eye on the development of new vulnerabilities using web search, blogs, etc. The more the hacker can discover about possible attack points, the more likely it is that they can find a weakness you have not patched, protected against, or even become aware of. To combat vulnerability research on the part of the hacker, you have to be just as attentive as the hacker.
You have to monitor developments on new vulnerabilities by checking blogs, discussion forums, etc., and you need to watch the third-party security oversight discussion groups and web sites to learn about issues that vendors are failing to make public or that don't yet have easy solutions. These include places like securityfocus.com, US-CERT, CVE, etc.

Insider

All too often when hacking is discussed, it is assumed that the hacker is some unknown outsider. However, studies have shown that a majority of security violations actually are caused by internal employees. So, one of the most effective ways for a hacker to breach security is to be an employee. This can be read in two different ways. First, the hacker can get a job at the target company and then exploit that access once they gain the trust of the organization. Second, an existing employee can become displeased and choose to cause harm to the company as a form of revenge or retribution.

In either case, when someone on the inside decides to attack the company network, many of the security defenses erected against outside hacking and intrusion are often ineffective. Instead, internal defenses specific to managing internal threats need to be deployed. This could include keystroke monitoring, tighter enforcement of the principle of least privilege, preventing users from installing software, not allowing any external removable media source, disabling all USB ports, extensive auditing, host-based IDS/IPS, and Internet filtering and monitoring.

Information Security Policy

Every organization should have an IS policy in place which deals with Risk Management, Crisis Management, Incident Management, etc. These kinds of policies ensure that you have the right things in the right place.

Having a policy alone won’t help you; you should ensure that your organization adheres to those policies. The organisation should have a proper team and department for information security. After all, information is the most vital piece of an organization's success.

Wednesday, August 25, 2010

Cloud Computing Risk Assessment

Some time back I came across this paper from ENISA and found it really informative. While cloud computing is still an emerging market, I feel it is worth reviewing this risk assessment, and it should be reviewed if you are a Cloud Provider, Cloud Customer, vendor, or have an interest in exploring cloud computing security. Below you will find the top risks assessed; you may visit the ENISA site for details.


TOP SECURITY RISKS

LOSS OF GOVERNANCE: in using cloud infrastructures, the client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security. At the same time, SLAs may not offer a commitment to provide such services on the part of the cloud provider, thus leaving a gap in security defences.

LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled.

ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However it should be considered that attacks on resource isolation mechanisms (e.g., against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.

COMPLIANCE RISKS: investment in achieving certification (e.g., industry standard or regulatory requirements) may be put at risk by migration to the cloud:

• if the CP cannot provide evidence of their own compliance with the relevant requirements

• if the CP does not permit audit by the cloud customer (CC).

In certain cases, it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved (e.g., PCI DSS (4)).

MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.


DATA PROTECTION: cloud computing poses several data protection risks for cloud customers and providers. In some cases, it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. This problem is exacerbated in cases of multiple transfers of data, e.g., between federated clouds. On the other hand, some cloud providers do provide information on their data handling practices. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place, e.g., SAS70 certification.

INSECURE OR INCOMPLETE DATA DELETION: when a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data. Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective), either because extra copies of data are stored but are not available, or because the disk to be destroyed also stores data from other clients. In the case of multiple tenancy and the reuse of hardware resources, this represents a higher risk to the customer than with dedicated hardware.

MALICIOUS INSIDER: while usually less likely, the damage which may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles which are extremely high-risk. Examples include CP system administrators and managed security service providers.
Source: http://www.enisa.europa.eu/