PGP and Philip Zimmermann


Therefore, using PGP is good for preserving democracy.
-Philip Zimmermann

PGP is a Program

Pretty Good Privacy (PGP) is a program written by Philip Zimmermann in 1991, when cryptographic algorithms or software were highly regulated and subject to export control. The symmetric-key cipher used in PGP v1.0 is called “BassOmatic.”

The International Data Encryption Algorithm (IDEA) was a symmetric-key block cipher. It was then incorporated in the early version of PGP v2.0 but found to be insecure. IDEA is optional in the OpenPGP standard.

PGP for Preserving Democracy

  • The 1994 Communications Assistance for Law Enforcement Act (CALEA) mandated that phone companies install remote wiretapping ports into their central office digital switches, creating a new technology infrastructure for “point-and-click” wiretapping, so that federal agents no longer have to go out and attach alligator clips to phone lines.
  • In April 1993, the Clinton administration unveiled a bold new encryption policy initiative, which had been under development at the National Security Agency (NSA) since the start of the Bush administration. The centerpiece of this initiative was a government-built encryption device, called the Clipper chip, containing a new classified NSA encryption algorithm. The government tried to encourage private industry to design it into all their secure communication products, such as secure phones, secure faxes, and so on.
  • Throughout the 1990s, I figured that if we want to resist this unsettling trend in the government to outlaw cryptography, one measure we can apply is to use cryptography as much as we can now while it’s still legal. When use of strong cryptography becomes popular, it’s harder for the government to criminalize it. Therefore, using PGP is good for preserving democracy. If privacy is outlawed, only outlaws will have privacy.

Source: Why I Wrote PGP

OpenPGP Message Format (RFC 4880)

In July 1997, PGP Inc. proposed to the IETF that there be a standard called OpenPGP. They gave the IETF permission to use the name OpenPGP to describe this new standard as well as any program that supported the standard. The IETF accepted the proposal and started the OpenPGP Working Group.

OpenPGP provides data integrity services for messages and data files by using these core technologies:

  • Digital signatures
  • Encryption
  • Compression
  • Radix-64 conversion


CISSP PRACTICE QUESTIONS – 20200606

Effective CISSP Questions

You are writing code to develop a server that receives logs from a massive number of IoT devices for training the machine learning model. If every client establishes a connection to the server, it will hinder the scalability of the system. However, the amount of data is critical to the reliability of the model. Which of the following is the best solution?
A. Enable HTTP Keep-Alive to prevent data loss
B. Ensure accountability to trace back to the subject
C. Have the server listen on a UDP port
D. Implement a SIEM server to train the model


What is SDLC?


SDLC may stand for either the System Development Life Cycle or the Software Development Life Cycle. The author typically refers to them as the System SDLC or Software SDLC for simplicity.

  • A system is a collection of related elements or components that work together to achieve a common purpose.
  • A life cycle is a collection of predefined stages and processes.

Information System

  • Information is useful data, or data with meaning, relevance, and purpose.
  • An information system typically comprises components such as 1) data, 2) computer systems, 3) operating systems, 4) software, 5) networks, 6) data centers, 7) people, 8) business processes, and so forth.
  • An information system and its components are either bought or made. Security engineering addresses security concerns across the system development life cycle (SDLC).
  • This post introduces the Peacock Model as a metaphor for the information system.

The Peacock

Software

  • Software is a collection of computer instructions and data organized in a logical way to solve problems.
  • It exists as either text-based script or binary machine code; binaries are produced by compiling text-based source code into an executable.
  • A program is the generic term for a script or executable persisted in storage. When a program is loaded into memory and executed by the processor, it becomes a process.
  • Software used to solve business problems is typically called applications.

Systems Engineering

Systems Engineering is a discipline of applying knowledge to create or acquire a system that is composed of interrelated elements collaborating for a common purpose throughout the system development life cycle (SDLC), or system life cycle (SLC).

  • NIST SP 800-64 R2 proposes the NIST SDLC in terms of information systems. It is superseded by NIST SP 800-160 V1, which aligns with the more generic SDLC defined by ISO 15288. However, the author believes the legacy NIST SDLC still plays an important role in the CISSP exam. NIST SP 800-160 V1 is crucial to ISSEP.
  • ISO 15288 is a standard of Systems and software engineering — System life cycle processes. It applies to both systems and software engineering.

ISO 15288 - System Life Cycle Processes

Security Engineering

Security Engineering is a specialty discipline of systems engineering. It addresses the protection needs or security requirements throughout the system life cycle.

SDLC and RMF

Software Development

  • In the traditional waterfall model, the Software SDLC was as long as the project itself, taking months or years. However, it is much shorter nowadays: the life cycle can be as short as an Agile iteration or Scrum sprint of weeks.
  • The life cycles are iterated, that is, conducted repeatedly. In Agile, an iteration or sprint typically completes a life cycle that delivers the committed scope of software (or values/increment).
  • The life cycle in software development varies. There are many well-known methodologies and approaches available. However, the ISC2 official courseware, study guide, and even the CBK each propose their own software SDLC. We can simply choose one of them to develop software. ISO 15288 is also applicable to software development if you want.
  • However, when it comes to information systems, the NIST SDLC (system SDLC) can be treated as the standard for CISSP aspirants.


CISSP PRACTICE QUESTIONS – 20200603


Alice frequently sends emails to Bob, which are split and encapsulated as IP packets transmitted through a series of intermediate nodes. However, the transmission path may vary because of the availability, quality, and bandwidth of circuits. Which of the following least affects the email transmission path?
A. DNS MX Records
B. Digital signature
C. Routing tables
D. Awareness training


CISSP PRACTICE QUESTIONS – 20200602


You are implementing the network for a small company where a bridge connects two network segments as a broadcast domain. The bridge maintains a MAC table or cache to make forwarding decisions. If TCP/IP is implemented to support network communication, which of the following is not true?
A. Hosts across the bridge must have the same subnet mask.
B. The network is vulnerable to sniffing attacks when the bridge reboots.
C. A router is required if two or more logical IP subnets are implemented.
D. Eavesdropping traffic across the bridge can result from cache overflow.


Security through Obscurity


Security through Obscurity

  • The idea of “you ain’t gonna know me” may not be reliable.
  • According to the Google dictionary, obscurity is “the state of being unknown, inconspicuous, or unimportant.”
  • Security through obscurity, or security by obscurity, means protecting assets by relying on keeping the assets or safeguards invisible, unknown, unnoticed, less attractive, secret, or seemingly lacking importance or value.
  • Security by design and open security are the opposite concepts of security through obscurity.

Open Design

  • Kerckhoffs’s principle states “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
  • Shannon’s maxim articulates Kerckhoffs’s principle by assuming “the enemy knows the system” and “one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.”

Defense-in-depth

We all agree it is not sufficient to enforce security solely through obscurity. Security experts advise that obscurity should never be the ONLY security mechanism. In some cases, security through obscurity can be implemented as part of the defense-in-depth or layered defense strategy.

In recent years, security through obscurity has gained support as a methodology in cybersecurity through Moving Target Defense and cyber deception.

  • NIST’s cyber resiliency framework, 800-160 Volume 2, recommends the usage of security through obscurity as a complementary part of a resilient and secure computing environment.
  • The research firm Forrester recommends the usage of environment concealment to protect messages against Advanced Persistent Threats.

Source: Wikipedia


The Onion Model

The Onion Model above depicts the layered defense or defense-in-depth strategy. It implements a variety of categories of safeguards or security controls in serial and integrates people, process, and technology (PPT) or personnel, operations, and technology (POT) capabilities across the organization to enforce security.
