Free Short Course: Cryptography - Module 1
Guy Coward: Hello everyone, thank you for joining us for the first webinar of cryptography a short course presented by it masters, on behalf of Charles Sturt University. Guy Coward: My name is Guy Coward and i'll be your MC for this webinar and for the duration of the course your mentor is the lovely and talented Matt Constable. Guy Coward: Wherever you're watching this we hope you're well. Guy Coward: Before we again some housekeeping all webinars for this course, will be held at 7:30pm Australian Eastern standard time with recording is made for those of you who cannot attend on a given occasion. Guy Coward: Despite the recordings if you can make it we hope you'll attend the live webinars and contribute to a collaborative learning environment with it a little bit of a bonus in attending the live show, I think. Guy Coward: We quite clearly use zoom for webinars and encourage questions in the chat throughout the course.
Guy Coward: We ask that you direct all questions relevant to course content to the Q and A section, so we can keep track of it, and the second or administration type questions dates times resource availability and the link to the support team chat. Guy Coward: Supporting being Hannah you can chat with panelists only or your fellow students as well, and you can make that choice by toggling through the drop down box as i've already said earlier, once you open the chat box. Guy Coward: And they're usually some really experienced attendees who are very good at sort of augmenting the discussion and maybe sometimes i'm going off on a tangent.
Guy Coward: Also, helping I guess those that are newer to the subjects would catch up, if you have what you feel is like maybe a really simple question that might sort of. Guy Coward: be beyond the scope of of the course maybe just check it in the chat and say hey what's this name, and then we can we can catch you up real quick there as a group together. Guy Coward: we'll have a q&a session at the end of the webinar and if a question you have is particularly relevant oh i'll just interject tonight's presentation. Guy Coward: Those of you who have never taken part in a short course with us, first of all welcome, and thank you for joining again. Guy Coward: It masters is a training organization that exists as a partner to CSU exclusive partner who we work with to create deliver a number of the Masters Courses. Guy Coward: We also market these courses on their behalf and hope for the best way to do that is give some away free, which is part of what tonight is about.
Guy Coward: If we do a good enough job Linda students will be encouraged to enroll in full masters or or graduate certificate if it suits them if it's the right time. Guy Coward: With That said, I really hope this short courses is useful and rewarding in its own right and we want you to learn some interesting information had a bit of fun hopefully make connections with Sony fellow students and they met. Guy Coward: Today, nearly 5000 people have enrolled in a short course so there's there's plenty of paper to talk with it's very exciting. Guy Coward: But it's always good to get a cybersecurity course kind of always gets a little bit numbers and I think it's also got a bit to do with matt.
Guy Coward: and his around tonight in usual moderation offer it masters looking after the chat painting painting the cat herding cats. Guy Coward: she's also responsible for the learned it masters.edu a new website for the new moodle page. Guy Coward: Of course, page I use those terms interchangeably throughout the course which is where you'll find the other materials needed links to readings discussion forums quizzes.
Guy Coward: The exam when it comes up and any sort of fun things that matt has to get you to play with outside he will give you instructions on that page as well. Guy Coward: If you have any questions tonight or later on, about the I guess the goings on, of course, the details of the course and we got some contact details there, and you can hit us up there. Guy Coward: Next week I had a brief chat about CSU just give you an idea of what studying with us is sort of about and how they short courses can help you in completing the postcard course if that's your bag. Guy Coward: So if you have any questions about that sort of stuff maybe just hold them over and we'll get to them next week now it's just time to welcome. Guy Coward: The wonderful matt Constable who's a stall lot of these short course program and always a joy to work with these got about 950 academic awards.
Guy Coward: Many, many industry certifications in the IT space is an iron man i'm pretty sure he cracked the enigma code and it's probably written about 15 books but yeah. Guy Coward: anything you can imagine, you probably done it Hello matt how are you what's your deal what's going on. Matt Constable: Thank you guys ever and welcome everyone Hello everyone hope everyone is safe and well and he once again guys, for your wonderful introduction and I didn't quite catch the enigma code and it was a little bit before my time i'm not quite that ancient. Guy Coward: or you're only two or three at the time was good prodigy. Matt Constable: wow that's so much be pretty old so.
Matt Constable: I definitely didn't do that but, as you saw I have worn a number of hats over many, many years and I like to think of myself as a jack of all trades, without necessarily being a master of any of them so. Matt Constable: And and and you know tonight is the start of what I hope is going to be a really interesting informative cryptographic short course for everyone. Matt Constable: This evening we're going to start off with a bit of a discussion on general cybersecurity and then we'll falter into the cryptography and as we go through the next four weeks.
Matt Constable: We will waive the two subjects together to hopefully give you a really good understanding of where cryptography fits within the cyber security landscape, as one of the many, many tools and mechanisms available to enhance the security around to our systems. Matt Constable: These this particular slide presentation this evening has been. Matt Constable: composed compose based on to the subjects that we run one is oddity I Father one cyber security fundamentals, which is a subject that i've been running for best part of probably 10 1213 years something like that.
Matt Constable: And that's one of the subjects and your team are stable and the other one is it see 593, which is a specific crypto course which is part is taught by CSU themselves, but all part of the same stable of subjects, if you like, so. Matt Constable: As I said, these we articulate with these two particular subjects, so in this first evening there's a bit of 5050 between those two subjects and then, subsequently we're really going to drill down more into the 593. Matt Constable: The network security and crypto and and I guess, really, the aim is to try and give you some basic introduction to crypto so we're not going to go. Matt Constable: into any really heavy duty buffs a hot that although part of that will start to show itself over the next couple of topics symmetric and I symmetric encryption, but we will look at the history of ciphers. Matt Constable: And some of the more common surface and introductory surface, to give you an idea of what crypto or cipher algorithms actually do, and the way in which they do it.
Matt Constable: And as we go on we'll build on the complexity So hopefully you'll get something really interesting out of it i'll try to keep the maps and because it can be quite complex and not everyone's cup of tea or first, this is probably not my cup of tea either. Matt Constable: But it's necessary to to have a complete understanding of what goes on in the crypto world. Guy Coward: up at the picture, by the way.
Guy Coward: just got a bit of feedback in the chat about a bit of crackling MIC and if there's anything, in particular, you can do about it, but maybe just do a little, something I don't know. Matt Constable: Maybe, maybe, maybe let's just see if this one. Guy Coward: it's not too bad, by the way, it's just just a little bit yeah as it says it's workable. Matt Constable: Okay, just made any difference. Guy Coward: Yes, it's more clear.
Guy Coward: For some some don't like it. Matt Constable: back to where I was. Matt Constable: Okay, so keep on the side anyway. Matt Constable: This is about me so, as I said, you know i've been around the track quite a lot now spend a lot of time at university doing lots of different things, not just an Iit field, so my interests I guess. Matt Constable: very broad and that's why I say on that man of many talents master of none in order of importance.
Matt Constable: loves in life at the moment i'm engaged in a rather significant research project around cricket. Matt Constable: So that keeps me busy when i'm not working for the wonderful people that it masters and this this picture i'm actually quite proud of that was really crossing the finish line and my first ironman triathlon a few years ago. Matt Constable: And one of the another passion of mine that I really enjoy i'm getting out and doing some people say i'm crazy, but it is certainly a lot of fun.
Matt Constable: The other thing that I said they want to make known is that I will not have all the answers potentially to the questions that you asked so. Matt Constable: What I can guarantee, there is if if there's something that stumps me, I will do give my best effort in providing you with an answer that's. Matt Constable: that's that's appropriate and sufficient, but certainly there'll be people out there, that will know equally as much about cybersecurity and crypto is what I do and I coming on for interest. Matt Constable: And so, please make sure that you can engage with each other by the discussion forums on moodle and share that wealth of expertise we've got 920 people here in this presentation now. Matt Constable: there's bound to be a lot of expertise out there, that you can learn from so it's not just about coming and listening to me talk on the top. Matt Constable: and asking me questions also but also about building those networking.
Matt Constable: Opportunities amongst the cohort that's that's in this class as well it's really, really important that you think about that because you'll get a lot more from that then then you'll probably otherwise sing think so server and look at that. Matt Constable: All right, so the outline for this evening we're going to have a quick look at the introduction to solve security context so for about. Matt Constable: The first 18 or slow so slides are going to look at some basic definitions we're going to look at a thing, called the CIO read and how and talk about how that's important in cybersecurity.
Matt Constable: we'll look at some attack vectors so different typical ways of attacking them a look at the principle of Defense in depth and a little bit around security permanence. Matt Constable: Then we'll look at the fundamentals and then one way to categorize primitive elements of cryptography Okay, and that will allow us to then build upon those primitives we move forward in subsequent weeks. Matt Constable: So let's get started, I guess, so cyber security fundamentals a definition information security is really simply a bunch of tools or mechanisms by which. Matt Constable: Our network information assets are kept secure Okay, with the primary goals of protecting the confidentiality of that information so that is keeping secrets secret.
Matt Constable: To maintain the integrity of that information so that is we don't want unauthorized changes to our information if it's an authorized change that's fallen. Matt Constable: But if it's all through us we don't want that we're and that ensures that the integrity of our information is buying time. Matt Constable: And the last one is assure availability, the caveat with that is to ensure availability to those who are authorized okay so that's what it's really about confidentiality integrity and availability provided to authorized people systems in deterrence.
Matt Constable: So Leading on from that confidentiality integrity and availability form what is called the CIA triad. Matt Constable: If you look at this graphic on the left here we've got our information security systems in the middle here and we've got a confidentiality integrity and availability that make up the three sides of the triangle. Matt Constable: These are the important things of service Curie that we need to uphold and maintain. Matt Constable: Now this some of you may notice that this is this is quite a simple model, and there are other models, one of which i'll look on briefly on the next slide. Matt Constable: There are other ways other models that you can think about security components, but we use this one in it, I 581.
Matt Constable: Because, as a fundamental service as a cyber security fundamentals course it's important to keep things really, really, simple and they can build on that later on, so we like to start with this nice simple model where we look at only three components. Matt Constable: Now, on the flip side of that if we have hackers or attackers are criminals or other nasties in this triangle over here. Matt Constable: There are three alternate sides of this triangle, which is which are disclosure alteration and denial now interestingly and. Matt Constable: From the text up here clearly say that confidentiality is the opposite of disclosure integrity is the opposite of alteration that is unauthorized alteration and availability is going to be the opposite of denial. Matt Constable: So these are all the CIA da da Triads now when you implement your security mechanisms, it is possible to have. Matt Constable: confidentiality and integrity, but be in a state of denial so you've got a denial of service attack, for example.
Matt Constable: So, while the confidentiality and integrity of your information is still my name, it may be that it is not available to authorized to use it. Matt Constable: So it is possible to have one or two or even three of these from the da da triad. Matt Constable: At the same time, when you may only have it, you can mix and match, they can be mixed and matched so you can also have a system that's available. Matt Constable: And it's confidential still but the something has changed integrity of your falls and so that's a state of alteration, and so they can mix and match quite easily. Matt Constable: And quite often does. Matt Constable: A mechanic cube is a more complex model so it's got i'm not going to go into this one any debts.
Matt Constable: merely because, as I said, it's good to keep models nurse and soul to start to build our understanding and forth and really in terms of cryptography. Matt Constable: And mind things that we want to worry about confidentiality and integrity, which we will look in more detail when we come to that part my slide deck. Matt Constable: But this is an example mccumber cube is an example of a more complex model, and there are there are many others as well that you may choose to use. Matt Constable: Depending on your particular particular context so co di Detroit is quite a simple model, which has been around quite some time, and some people in some contexts prefer to use something more complex, but for our purposes, it does the job perfectly.
Matt Constable: So what should security provide what should it actually gave us. Matt Constable: It should a good secure Defense in depth system should ensure that any authorized users are able to perform only the tasks that they need to perform in order to fulfill their role in the organization, whatever that is so, no more, no less. Matt Constable: Security should ensure that users obtain only the information they are authorized to help so again no more or less. Matt Constable: Security should also ensure that the users cannot cause damage to data applications or operating environment. Matt Constable: And that's a bit of which can be a bit of a tricky one, because if you've got full access rights to something, then there is the potential for you to break it. Matt Constable: So that's a bit more of a tricky one and can sometimes involve policies and procedures as well outside that technical scope of tools that we can implement.
Matt Constable: And lastly, it should ensure that data exchanges are conducted in a secure and safe manner, and this is, in particular where our cryptography comes into equation. Matt Constable: So this graphic here is quite a busy one and I guess All I want you to get out of it. Matt Constable: Is that there are lots of different ways in which your information security system or your information systems can be attacked or compromised or damaged. Matt Constable: or otherwise might not work well, so there's lots of words in here, some of them are bigger, some of them are small it doesn't necessarily indicate the more important than the others.
Matt Constable: It just it's just a graphic to show there's lots of things happening what's the things that can potentially happen, there are certain point in one's obviously viruses and Trojans. Matt Constable: Common we see lots of them all the time, and particularly in this period that we're going through where. Matt Constable: You know code is making or recording or has required a lot of people to work from home and the reliance on Internet connections and online systems has gone through the roof, then these sorts of things have started to creep into our daily lives more more than ever. Matt Constable: There are a number of one to this is terrorism is a very little word there terrorism, which is interesting to say there's also crime there's warfare and there's alteration.
Matt Constable: it's a hacker's, of course, as hacking the spam this as a criminal elements, so that there's lots of different ways in which our systems can be compromised damage and then, if we don't. Matt Constable: get access to them, so to fix confidentiality integrity and availability of assistance, something I want you to think about. Matt Constable: Is as we go through the slide decks and, indeed, as you go through, just as a learning. Matt Constable: Learning exercise as you go through any sort of security system or you're working on a new security tool, you might be coming up with a new design for a secure network. Matt Constable: Think about those elements of confidentiality integrity and availability and make sure that you're covering off each one of those elements in whatever it is you're doing. Matt Constable: Now the important part about, that is what you'll find over time, if you don't already know it is that not all tools and mechanisms for helping us enhanced security.
Matt Constable: they're going to cover all of those three bases so cryptography perfect example can help us confidentiality and integrity tick by ability not so much, so you can't say one size fits all in security it's definitely a many tools many tools approach. Matt Constable: So what causes those trips we just looked at Okay, so this is, and there are many ways to categorize threats many, many wines, you can categorize and by. Matt Constable: The way is it deployed potentially by the ways you protect against them by the demonstrate they they cause or by the particular systems, I attack lots and lots of different ways. Matt Constable: In cyber security fundamentals course we categorize them in this particular wise, so we rank them or write them as technology weaknesses. Matt Constable: weaknesses of configuration weaknesses in policy or simple human error, so if we break down each one of those to a small degree right now. Matt Constable: Some examples of a technology weakness, for example, looking at the tcp IP protocol stack now, it was initially designed as an open protocol.
Matt Constable: And way back when it was first written and developed, it was developed for survival not security, so it just had to work to connect hosts and networks together. Matt Constable: In that educational context, and then a little bit later on a military content but it wasn't about security because he was hardly anyone that was using it to connect it with the network was very small. Matt Constable: And so there was no real worry about security, because no one had access to, but, of course, as things exploded, the Internet arrived and it became this all encompassing thing which it is now.
Matt Constable: That interwoven in every single aspect of our lives, then obviously that provides us with a huge opportunity of gaining access to information or markets that we didn't have previously. Matt Constable: But it also provides significant opportunity for criminals, as well, and so security is an exceptionally important part of every IT system that that we implement, we need to think about it carefully. Matt Constable: Because the tcp IP protocol was open built for survival and there are thousands probably hundreds of thousands of applications and services that rely on that any weaknesses that are with that all protocol SEC now also can potentially. Matt Constable: impact the applications and services that run on top of it so that's a technology weakens.
Matt Constable: operating systems are another one, there are millions and millions of lines of code in contemporary operating systems that big bloated behemoth. Matt Constable: And, of course, trying to get these operating systems to market really quickly in development sometimes bugs introduced which then led to vulnerabilities then lead to exploits which then lead to breaches of our competence reality integrity or availability now it's a double edged sword. Matt Constable: operating system development or indeed any software development because there's a there's a very foreign law, and you have to tread. Matt Constable: in getting that product to market, so it can be used, but making sure that it's also sufficiently secure and anytime you make a change to things, there is a potential to introduce arms, which is about abilities exploits problems with the seo. Matt Constable: Network equipment also as well if you just think of switches and routers as pieces of team, then it could be, for example, that because of budget constraints or because of.
Matt Constable: A poor poorly designed network, it may be that you incremental purchase switches and routers that insufficient for what you really need in terms of capacity, so how much throughput the head or perhaps in the features that you require. Matt Constable: And this can be difficult to upgrade yes, you can upgrade the software potentially at a cost but is that really going to do the job, particularly if you're talking about you, you bought. Matt Constable: A router with hundred Meg interfaces when infection a 10 gig interfaces and very different platform that you have to apply to. Matt Constable: So there's some examples of technology weaknesses in terms of configuration weaknesses, these are all things that you've seen probably many times before, a lot of you, in your experiences so things like. Matt Constable: pauly secure unsecured accounts, particularly system to cancel run processes in the background that we often don't think about. Matt Constable: system accounts or indeed any accounts with reason I guess password So if you don't have a properly are correct, robust and implemented.
Matt Constable: Paul our password policy, then you can get yourself into a fair bit of trouble miss configuration. Matt Constable: of any top it says Internet services here, but it can be any type of service any type of service at all could be your DNS DNS SAP your active directory your web services mile ftp you think you name it if you've missed configured it or haven't secured properly open to attack. Matt Constable: default settings a common one, particularly in small organizations that are not in larger organizations, because they generally tend to have more staff more knowledgeable staff. Matt Constable: A bigger picture approach to the design and implementation of security, but certainly in smaller organizations or, as I said, don't have a great it support base default settings devices can be just placed into a network and default settings and that can cause real issues potentially. Matt Constable: Miss configured network equipment can also result from the same things that have just been talking about with unsecured apartments. Matt Constable: Now Trojan horse programs and viruses and just a couple of examples of things that can lead into your network should you have configuration weaknesses as well and there's no debt, they can get into your network and other ones as well.
Matt Constable: But certainly configuration weaknesses can let them in as well, and now in that regard we're talking. Matt Constable: An example, might be miss configuration of some firewall rules or something or some miss configuration of intrusion detection systems that allows at the slip through the net. Matt Constable: Or to be delivered to say the email inbox have a user who then click something and deploys this thing everywhere, because the security systems haven't been adequately configure. Matt Constable: Policy weaknesses again pretty straightforward so really the big features we're talking about here is just not having written a security policy so whether that's acceptable use policy, whether it's a password policy. Matt Constable: As it says a non existent disaster recovery plans and not having a policy, about what you're going to do in the event of a disaster and how you're going to keep your network and systems up and operational I can that's a really big one staff politics or into departmental politics can.
Matt Constable: manifest itself as policy weaknesses as well with people arguing over who does what it can be Gray zones, there can be areas of responsibility that I left out, because now, I want some or there's arguments about it to politics can do that. Matt Constable: High turnover and staff can also lead to issues with particularly policy deployment or policy enforcement. Matt Constable: As you turn over staff, you need to retrain them to make it as new staff come in, they need to be trained and understand how things operate that can be a bit of a long finger process and so that can lead to issues with that as well. Matt Constable: Not by applying concise access, controls, so not implementing policy is also a.
Matt Constable: Potential policy weakness, because in in on top of saying this is our access control policy they they needs to be a defined methodology for implementing it and understanding how to test it to ensure that it actually works. Matt Constable: So that can also be an example of a policy witness and things like so this one here is really software and hardware installation charges to deposit policy policy so that's really talking about a change management policy and how that fits together within your organization. Matt Constable: And last but certainly not least, is human error and we can't avoid this, and we cannot ignore it, because it will happen always happen. Matt Constable: People make mistakes simple as that and systems make mistakes, because of the input from us as humans configuring them designing them putting them into price Okay, so a lot of this boils down to human error. Matt Constable: Of course, we can have accidents, of course, we can add ignorance okay and that's, not to say, people are stupid that's just to say they're aware, or they don't know about a certain process for policy or implementation or something going on, but I probably should. Matt Constable: Work leg can be an issue as well if you're either work which, in the IT industry let's face it, who isn't most of the time, and that really impact your effectiveness and therefore can impact on security, if you are in a role that is really heavily skewed.
Matt Constable: course we're always going to have the dishonest cohort so people who don't do the right thing. Matt Constable: you're not going to get away from that a social engineering is a big one, and we talked quite a lot about that in rti father was quite an interesting I think it's a really interesting topic and a really useful one because I haven't got the stats here with me, but in 581 we talk about. Matt Constable: How often attacks or breaches of confidentiality integrity and availability actually caused by internal actors so say not people out on the Internet, which is what everyone thinks about the linemen thinks about. Matt Constable: But there's lots of things that happened inside your network. Matt Constable: Because the the level of trust and the level of access of the people inside your network is typically much higher than those that exist out, so I didn't work and so that opportunity for things to go wrong is a more hardened. Matt Constable: And then disgruntled employees, probably feels a little bit into that dishonestly record as well, so employees get upset with with something a the perceived or real and then my type some sort of nefarious action on your organization.
Matt Constable: Now the switching depth is a really important component of this of software security and really. Matt Constable: Although it would not normally reference Wikipedia it's certainly good for not so good for academic writing, but really good for general knowledge. Matt Constable: Defense in depth as the phone numbers appear so you said it's an information assurance concept in which multiple layers of security controls. Matt Constable: applies throughout information to the system, the purpose of protecting the information that's held within that information technology system so talks about multiple lions. Matt Constable: Multiple layers a harder to defeat Okay, so the more levels of security, you have to get through, in order to get to the internal information, the more difficult it is, we know that most attackers let's say a very, very. Matt Constable: let's say, and I just want to take your network and do it, then all service, for example, will try to take the path of least resistance okay so.
Matt Constable: If they want to get into your information and and gets I tried sacred intellectual property, and they need to do it in such a way that's not going to trip any alarm bells so you don't know they're there. Matt Constable: And the more layers you put in place and more likely it is or the heart of the challenges for them to get deep into your network to get that. Matt Constable: Intellectual property, the greater the chance that you will notice something before they get it that's, not to say you will defeat every hacker and you certainly why but. Matt Constable: The more lies you've got a better protected, you are, as it says there is no such thing as perfect security only really good chicken. Matt Constable: In a successful Defense in depth application, we have to understand what the vulnerabilities are inherent in our systems, so we have to know what the problems are before we can fix them. Matt Constable: On top of that, we also have to understand how those vulnerabilities can be attacked or will be potentially attacked.
Matt Constable: With those two pieces of information, we can then move forward and come up with some ideas of how we're actually going to protect against that, but we must know those two things first. Matt Constable: And this graphic here, I think, highlights quite a few things in and i'm sorry if it's a little bit, but I don't know it's just my eyes over there is a bit blurry. Matt Constable: But we know that this is a perfect example of a setup which has lots of different lines so on the inside, here we have a mission critical assets and then around it, we have all these different lines okay we've put out prevention.
Matt Constable: policy management, monitoring response operations we've got at data security or application security in some endpoint security and network security and then find the perimeter security now some of these tools on this diagram will exist at multiple levels and that's Okay, they will. Matt Constable: But you can set if we go from the outside, in a more way, as we have the longer it's going to take us as a hacker to get into that mission critical asset and that information that we want. Matt Constable: It also recognizes quite nicely that there are also inside threats, so people on the inside, that exist inside his perimeter which, incidentally, is a very fluid concept. Matt Constable: And this diagram recognizes that so that's one less potentially two layers. Matt Constable: And layers these internal threat actually have to penetrate before they get to the information they want or, alternatively, the information that's going to be damaged in some way so that our confidentiality integrity and availability are threatened.
Matt Constable: Of course now, with the advent of public and private cloud technologies, there are. Matt Constable: Even though that's a separate abstracted layer there's a bigger opportunity for attack is that consumer gain access to the private or public cloud to then infiltrate on the inside of our network. Matt Constable: Because often more more often than not, are certainly Republic cloud, but more of another product that as well we don't necessarily we don't manage those particular environments, and so we don't see. Matt Constable: necessarily what's outside those environments trying to come, in particular, with a product about if. Matt Constable: Someone comes in and gets inside the private cloud, and you don't manage it someone else's responsible that the provider. Matt Constable: Am I getting saw that private cloud it can it can be a really quick way on into the inside, your network, so I think this is a relatively good diagram that takes into account a number of different lives and lots of different aspects of what Defense in depth relationship look like.
Matt Constable: Alright, so that's it for cyber security fundamentals to report, is there any. Matt Constable: particular questions or. Guy Coward: here's a few goodies Martin get through. Guy Coward: Radio will take from the top Tonio Tony Tony is asking I know Russian answering this question, but what can be languages, the cryptography course using if I was to enroll in your subject. Matt Constable: The crypto course doesn't actually use any language specifically so it's more around the service online tools and packages which you can use in it is a five by three, which is the network security and crypto subject but there's no there's not a lot of. Matt Constable: Programming in terms of actual coding itself so it's more looking at the ciphers in the mathematics behind the cryptography algorithms.
Matt Constable: But in general in some of the other subjects where there is a little bit of coding it's mainly using Python so if you're familiar with Python then or, if you want to get to me with Python that would be the one I would point you to. Guy Coward: You thanks Tony i've just sent you a link to the subject on sees us handbook online, so you can have a look at the subject itself as well. Guy Coward: raise wondering about whether information security should also cover information at rest, not just network information assets. Matt Constable: yeah, of course, absolutely should cover all aspects of your information, so these that graphic is just showing. Matt Constable: Network information network information assets, but equally applies to the concept of Defense in depth and a lot of those mechanisms on That applies equally to information at rest absolutely.
Guy Coward: Thank you right there's quite a few good questions i'll just go through about five or so. Guy Coward: And then it'll keep going and he's wondering what would you call a compromised firewall man in the middle attack or packet sniffing or something else apologies if this answer is no apologies necessary and. Matt Constable: So that is insane I have a good question um compromised firewalls can involve all sorts of all sorts of things that could be something like men in the middle of tech, maybe, although a lot of formal systems are pretty good at detecting those sorts of things.
Matt Constable: Generally, an attack in the water cases attacks on phone calls themselves is more around trying to take the firewall out. Matt Constable: So denial of service or trying to gain administrative access to the firewall itself and a lot of phone calls are really good and indeed it's one of the things we talked about in Father one substituting for the middle. Matt Constable: Is the abilities that calls need to have to be able to take the log a text to themselves so there's.
Matt Constable: Look, in terms of problem was in the firewall itself, it would more I would think in my experience anyway i'd say the ball around and all a service and trying to get administrative access. Matt Constable: In terms of going through the firewall definitely so there's lots of different tunneling type of touches you can use to bypass the firewall and get through. Matt Constable: Even a really good strict set of rules now, you can certainly use in in encryption and cryptography technologies in order to boss or your local or go through a firewall without being being noticed. Matt Constable: And that would generally be, as I said in my experience that's what I found is that people will try to go through the firewall and try to bypass a little bass music using either some sort of tunneling top protocol or trying to you know, for example, use. Matt Constable: ssh, for example, over a different protocols are trying to pretend it say web traffic or ftp traffic or something like that.
Matt Constable: But certainly you know even something like a firewall that has been physically damaged or blowing a power supply that's that's a compromise fall as well, so there's lots of different aspects of that. Matt Constable: In terms of the actual firewall itself, but in general attack vectors will tend to try and bypass or fall rather than directly attacking itself. Guy Coward: we've got a nice funny in the chatroom Richard Harris, what would you call it compromised firewall answer mcafee.
Guy Coward: And and just me on that apology don't don't we no apologies from anyone please for sounding name if you have a question and i'm going to hell no you think it might sound check it in. Guy Coward: A firm asks can technological weaknesses be found in both it and ott systems it's info technology and operational technology systems and can they be different, can the same rules tools techniques and hardware, be used to ensure the security systems. Matt Constable: Also, yes, on both. Matt Constable: Cases yeah so.
Matt Constable: Absolutely technology weaknesses can be found in any system any type of system. Matt Constable: So that that's exactly the same, and you can fundamentally use the same theories ideas tools techniques and mechanisms to be able to protect both systems So yes, yes, about is a simple answer. Guy Coward: You Thank you and I think that also and answers Andrews question, who is wondering about if all the weaknesses, a fixer improved in the system does that mean assistance bulletproof force we're still vulnerable.
Matt Constable: Yes, no such thing as bulletproof no because I guess the answer to that is well, you may have one particular system that is exceptionally difficult to compromise. Matt Constable: there's you know really do you have any useful information system or network system that has you know one component or one tool. Matt Constable: And while you might have really good so you might have a firewall that's rock solid and never gets defeated.
Matt Constable: In your environment because we've got to contextualize it to the individual environment we're talking about, because each industry at enterprise it environment will have. Matt Constable: A different weaknesses vulnerabilities and therefore different techniques sports against it but yeah even if you have one technology which is rock solid chances are you can have another one which will have weaknesses somewhere that will make that rock solid device less secure. Guy Coward: And last one for now Craig in your opinion is better to have more complicated passwords passwords or to have the user change their passwords on a 90 day or for any sort of basis. Matt Constable: In my opinion, are both but the answer to that is it depends, it depends on what your users can handle and controller so, for example, i've worked in some places where we would have 20 character password that had to have all you know basically. Matt Constable: alphanumeric and then other special characters in them as well, and the head that you know, we had to rotate them every 90 days, and then there was no you couldn't go back and use the same one for 12 password changes and all those sorts of things. Matt Constable: Yet of work in other organizations, where, if you had more than eight passwords that on ahead alpha characters.
Matt Constable: US would be you know really annoyed and an upset about it, so I guess it comes down to two things one is, what can you use this tool right, and to what operationally does your organization require so how secure, do you really need to be. Matt Constable: Obviously, the more complex passwords are, the more often, you get them to change and the less often you allow them to reuse passwords and more secure you're going to be. Matt Constable: But it's it's really a question for. Matt Constable: Your environment and what it can tolerate. Guy Coward: Excellent let's keep going.
Guy Coward: And that's everyone for sending those questions and yeah. Matt Constable: All excellent questions alright, so now let's get to the party, the crypto fundamentals. Matt Constable: So cryptography is the science or study of the techniques of secret writing especially code and software systems methods and a lot.
Matt Constable: So what it's really about is scrambling plain text to turn it into ciphertext so making our information secret keeping it confidential from those who shouldn't be looking at it. Matt Constable: There are other cryptographic techniques which we are in, week four primarily so we're looking at hashing and with Paul, and I also provide us with integrity of data, but the real key with crypto is secrecy, a confidentiality. Matt Constable: crypto really is essential in contemporary communication, but often not use so much outside of military education now talking about tertiary and higher education in some aspects, particularly around research or other big businesses now. Matt Constable: Sure, when we use a web browsers he go to our Internet banking parent that's encrypted Okay, the height CDP this now. Matt Constable: Total button a destination bar shows us that that's encrypted, so there is, and there are a number of applications and sites websites and.
Matt Constable: web enabled services that we use every day that do have http s to the encrypted fast when you talk about how we communicate by business typically we do it by email. Matt Constable: Inside of email, there are, there is the ability, and so the email protocols that people use so whether time apple pop or whatever, there is a capacity to implement encryption but it's not used as often as what it probably should be. Matt Constable: So we need to start thinking about crypto and how we make it intrinsic to systems because, in order to be at its best encryption should be part of our communication systems known an add on, so it should be an intrinsic part of it that was written right from day one, better for Canada.
Matt Constable: Now of course crypto is generally thought of as being a good thing, so you know things like security nuclear launch codes for protecting our financial medical or other personal details. Matt Constable: Well, as I said before, because of the ubiquity of the Internet and things like the Internet of Things, and the Internet of everything which is definitely if it's not here already it's it's coming. Matt Constable: It opens up so many other side as individuals that opens up so many more opportunities for information for marketing business for collaboration okay that we didn't have 20 3035 years ago. Matt Constable: Now, or not as much, and certainly before the advent of the Internet, we it was really good to do that it was a slow process. Matt Constable: But, of course, because everyone's now connected the criminal element and as Assad is also connected and they can use it, they can use encryption for keeping their secret secret as well, which, from a law enforcement perspective or a good versus evil talk battle then that's obviously bad. Matt Constable: So, as I said, the crypto goals number one is confidentiality, and that is protecting information from casual prying eyes or deliberate attempts to scale we'll talk about a thing called comfort computation and feasibility shortly, and that is really sort of this argument about confidentiality.
Matt Constable: We need to remember that the information we're protecting with our cricket our encryption doesn't always have to be over real, significant value to anyone other than us, so it may be that it's just really important allows. Matt Constable: It may not be important to the world at large, but if it's important to us and it becomes compromised or someone else steals it uses it either against us, or for their own benefit and that's a problem. Matt Constable: And of course confidentiality is the common blame and definition of what security is really about So if you spoke to the average Joe on the street and. Matt Constable: And said okay what's encryption useful for this is explain a little bit of warning corruption is it scrambling things up, what do you think it's useful I would probably so while it's for keeping secrets it's for keeping things confidential. Matt Constable: And of course crypto and encryption softens directly address that by taking a plain text. Matt Constable: and turning into something that's scrambled and can't be unscrambled by anyone other than the intended recipient okay that's that's in theory, now we know in practice and it's not necessarily the case, but again that's where this.
Matt Constable: concept of computational and feasibility comes into into it my talk about that shortly. Matt Constable: Another thing that could do can provide is integrity, so there are some components of crypto that will perform varick verification and validation of data post transit and we'll look at some of those in subsequent weeks. Matt Constable: Fundamentally. Matt Constable: integrity is a bed digitally signing data so that any changes to a signature in transit will.
Matt Constable: identify the fact that the underlying data has had its integrity compromised once been in transit, and that could be for any reason it's not necessarily that there's been. Matt Constable: A man in the middle attack, for example, it might just be that the transmission is filed for some reason or something's become corrupted or a lot, so it doesn't necessarily tell us we're being attacked, but it tells us that something's not quite right, with the data and we need to investigate. Matt Constable: Now the interesting thing about integrity attacks these that they can actually be really, really dangerous and they can be sometimes really built to confirm, because I deliberate integrity attack. Matt Constable: Typically, designed to result in. Matt Constable: an unexpected but seemingly legitimate result so so, for example, a really simple example is we talk about.
Matt Constable: Financial Transaction Okay, and it may be that someone the financial transaction is pleased to pose it $1,000 into Fred to count. Matt Constable: Someone will intercept that transmission and also you know, please deposit $1,000 into pills account okay that might go to the Bank and the Bank. Matt Constable: Was you know, thinking of this probably should get a friend, but it's building okay all looks okay well we'll send it through so that's one example, or it could be that the value is changed, so instead of saying $1,000 in matson 1100 dollars as a really simple example so it's not. Matt Constable: it's not a totally stupid request it still looks like it could be it's plausible but it sort of the unexpected and so because of that particularly. Matt Constable: If in the example of financial tracks phone into transactions, if there are altered by a little bit, for example, small amount.
Matt Constable: Or, for example, the the Cabinet being sent to is only one digit different and they can be really I might go on for agents and pick a lot man and i'll give you an example of that would be. Matt Constable: You know, financial transactions, I can think of a couple of examples for many years ago where tell us who are employed, and this is, these are two different places, but i'll use the term tellers plural so. Matt Constable: Tell us would. Matt Constable: Take interest transactions and we're an interest transaction was so that interest with such that it would only deposit a cent. Matt Constable: or two cents so typically in in one case it was less than three cents and the other kinds of Western five cents, if it was less than that, instead of. Matt Constable: putting it into the candidate any interest they siphoned it off and now we're putting it into their own account.
Matt Constable: This is only 123 cents, at a time, and so it was something again it was an unexpected result but it wasn't because it was so small, it just wasn't picked up. Matt Constable: And these towers were doing this for years and years and years and ended up softening off literally millions of dollars from clients. Matt Constable: Because no one noticed that three cents interest was missed or if I didn't miss it that our bank error, we don't care, because only three cents, but you went up all those ones to three cents of all the many thousands of clients at the bank head over time. Matt Constable: And being there it goes now that's obviously something example where encryption would necessarily help with that because that's an insider attack, but it's an example of how a text on the integrity of the data that can be miniscule and still result in really big outcomes. Matt Constable: Mobility Okay, so we mentioned this, because although it is a component and a major component of the so I tribal it's unfortunately not something that cryptic and help with. Matt Constable: And it's important to understand this, because then we we understanding that crypto and encryption systems are not the be all and end all but they are part of a good Defense in depth strategy.
Matt Constable: authentication, so this is confirming that the person that. Matt Constable: You think sent you a transaction or information really deep and this is obviously really clearly important for commercial transactions, the flip side of that is non repudiation as well with the card, and I, I sent you something. Matt Constable: and Matt Constable: And that is something Both of these are things that crypto systems or systems enabled with encryption technology and we'll get into this a little bit more in week three can help with both of those authentication and non repudiation.
Matt Constable: supports to help your understanding of crypto you can't prove something secure secure Okay, so you can run an algorithm a million times and never break it you still can't say definitively that it's 100% cure. Matt Constable: Because it only takes one time where it files to be insecure. Matt Constable: And there is a difference between encryption algorithms and the way whichever implemented and we'll see that as we go along. Matt Constable: proprietary algorithms are not trustworthy so just because someone comes up with a whiz bang algorithm and says hey This is great or right it.
Matt Constable: doesn't mean it's trustworthy it needs to be tested, it needs to be used for a wall laid out in the wall before you really know whether it's trustworthy. Matt Constable: Most important thing about any crypto system is the secrecy of the key. Matt Constable: doesn't matter how good an algorithm you use. Matt Constable: If you don't keep the key secret it's not going to work.
Matt Constable: As I said before, crypto should be intrinsic the system so ingrained within the system to be a best value. Matt Constable: Remember that no matter how good your crypto is it can be cut given to fish home and resources and again comes down to this principle computation visibility, which I promise we'll get to in a minute. Matt Constable: And lastly, secure today does not mean secure forever.
Matt Constable: The pages of history are littered with encryption techniques or ciphers that are now long now no longer useful because we can easily break them and we're actually going to look at some really good examples of that next week, starting from next one. Matt Constable: it's a crypto primitives where we were a little bit behind tone, but i'm using the excuse of God talking POPs off for a few minutes. Matt Constable: To crypto primitives. Matt Constable: This is, this is one way of categorizing the basics of crypto okay and we're doing it this way because I it articulates with a subject for that one song security fundamentals, but, even more importantly, is it perfectly articulate with the topics of the next three or four weeks.
Matt Constable: So we've got generation array of numbers, we got symmetric encryption asymmetric encryption and we've got hashing digital has. Matt Constable: Now, each of these can be used on their own for different purposes, but in a crypto system they're generally used together each providing a little piece of the puzzle. Matt Constable: So random numbers and literally random strings of bits so ones and zeros Okay, now it is true that truly random numbers are not really possible using algorithms alive, because algorithms are written by people they're predictable, just like we are. Matt Constable: They not truly 100% random by the maybe some.
Matt Constable: Recent research with Mike about that, but in general the random number generators we're talking about in the systems are not really random. Matt Constable: But they don't need to be they only need to be pseudo random because they only need to be unpredictable not totally random and again this ties into this computation and feasibility concept which I keep teasing you read. Matt Constable: number two is symmetric encryption, also known as single encryption conventional encryption traditional compute encryption whatever you want to talk about. Matt Constable: It is it use a single K. Matt Constable: generally shared my cost estimate, because if you don't share it with anyone, and you can encrypt of doing it, but that single K.
Matt Constable: is used to both encrypt and decrypt so if we quickly look at this example graphic here we have a sender he's got some plain text, I want to send to the recipient they pass it through an encryption cipher or algorithm if you will. Matt Constable: They use they they also put a shared secret K through that same software, the plain text and it POPs it a cipher text a lot, I am intelligible piece of text that doesn't just strings of digits it doesn't make any sense whatsoever. Matt Constable: That then gets sent across the wine business who might send it by email, we might transmitted by ftp we might send it across a local area network or wider in it, where. Matt Constable: We could send it across a wireless connection doesn't matter can send it by sneaking it using a carrying a USB key, for example.
Matt Constable: The point is, once it gets to the recipient the recipient is not going to be able to read the software takes unless it cryptic sutter they pass it through the same algorithm. Matt Constable: Using the same key and they decrypted to yield the initial client texts that the sanderson and setting this section here during transmission, the information is 100% protected within. Matt Constable: limits. Matt Constable: At this end it's plain text that the recipient can actually say so that, in a nutshell, is symmetric encryption we're going to expand on that in much greater detail next week, so this is really just a little timestamp so far as to say it uses a single over them single K. Matt Constable: Now, here it is.
Matt Constable: symmetric encryption uses the notion because it's that simple okay it uses the notion of being computationally secure and what that means is. Matt Constable: that the time it would take for an attacker to brute force or compute all the possible key combinations is so large and they would need so many resources that they're not going to be able to do that, within the time frame that the encrypted information is useful to them. Matt Constable: Okay, so what that means, it takes them longer to break it and, by the time they get the information that they've got is now no longer useful to them it's worthless. Matt Constable: So that is it's just not worth the effort so so long as your encryption system is computationally secure then you've got the best level of protection that you can really hope for, particularly with symmetric encryption. Matt Constable: Now, the ability to use ciphers or encryption algorithms is a little bit hamstrung by the fact that because we only have a single key.
Matt Constable: And that K is not really protected, and it needs to remain secret in order for encryption to be new Marina and we have to share that key somehow between our communicating parties. Matt Constable: question that raises is how do we keep this secure header particularly an online environment, how do we transmit it, so it is secure and doesn't get compromised, because as soon as someone there's a key. Matt Constable: Even if I don't know the algorithm they not that many algorithms to go through and there'll be able to decrypt out information. Matt Constable: This is something that will learn a lot more on in in the coming weeks, but it's a question just keep it in the back your mind, because the answer will reveal itself for the next couple of weeks. Matt Constable: I symmetric encryption is permitted number three, this is also called public key encryption and in this system we actually had two keys, we have a private key and public key that are generated as I pay. Matt Constable: Now the public key we publish on the Internet and we'll talk about how that's protected in such complex as well, but we we publish the public key on the public Internet so anyone can download that and then using that they can encrypt information to send to you.
Matt Constable: Now, the only way, you can decrypt that information is using a private key that was generated as part of the private, public a pen. Matt Constable: So, assuming you keep the private key to yourself and it's secrecy is maintained and you're the only person that can decrypt that information that has sent you that has been encrypted with the public key that you put out on the Internet. Matt Constable: Okay, now, when you send information out you would encrypt it with your private key. Matt Constable: Okay, which only you have you send it to someone and, if I can decrypt it with a public key they know they have two things one is it, they know. Matt Constable: that one is that they've got a secret communication with company name in time, but the other thing is they know that it's come from you. Matt Constable: And that's making the assumption that that private key is secure and you've created it okay so there's a couple of questions, a, how can we know for certain that someone a public key that we're using has actually been created by the person that's named in the public key.
Matt Constable: And how do we know that the private key has been compromised Okay, there are two important questions again, you need to think about questions will reveal the answers will reveal themselves over the next couple of months. Matt Constable: Now, the thing about a symmetric encryption, is it is slow metric encryption it's a two key process more complex albums yeah sure it's a little slower but it's definitely more secure. Matt Constable: The other thing that layout is it protects against breaches, while sharing piece, because we can check in we give someone a public key and we keep the private key separate and secret okay so we're not actually sharing anything.
Matt Constable: Again there's a question there, how can we confirm the identity of publications so think about that and we'll talk about that for. Matt Constable: The last one is there hashing functions Okay, so how would you talk about in week four, and these are quite nifty little things because they're a mathematical algorithm. Matt Constable: That takes a file or message, or whatever it is, we want to send and it doesn't matter how big it is, it can be infinitesimally small or can be messy doesn't matter how big it is.
Matt Constable: you send that file through this hassle of these wonderful mathematical algorithm and it comes up with. Matt Constable: A smaller fixed size message quarter digester has it's just literally a string of hexadecimal characters and how big that myth is is determined by the algorithm you're actually using so if you're using so, for example, a 56 bit hash function, then it will produce a 56 bit value. Matt Constable: Now the great thing about that that value is that it is completely tied to the actual fall and content that you have hash with you know. Matt Constable: The other thing is a one way, so encryption two ways right, we can encrypt and then the other end, we have to decrypt Okay, so we can see what's going on how does that work at why because the. Matt Constable: The fundamental role is to prove integrity, so this is where integrity comes in confidentiality encryption integrity through a hashing functions that we need to be one way. Matt Constable: And you will see this on vendor so example if you go to download something from Microsoft or Cisco or any other vendor they will often not always but often provide you with a hash value.
Matt Constable: And what you do is you download the image that you want the gamma the headspace you run the image through the same hashing algorithm and then you compare the output that you've got. Matt Constable: To the hash algorithm you downloaded off their website or gotham website and if the hospital use match this what. Matt Constable: You fall you fall is integrity has been nine times in the downline so you've got exactly what they put up see if I had no problems in transmission.
Matt Constable: everything's great, so in that context they using it to confirm or you're using it to confirm that what you think you downloaded you actually have and you've got the right file okay. Matt Constable: In in in I crypto system it's used to ensure or to prove that the integrity of the communication has been maintained as it's been transparent. Matt Constable: So computational and feasibility to do this again. Matt Constable: So the properties of the hash is that it's computationally infeasible defined two messages to has to the same digest so, in other words, if a hacker was to. Matt Constable: find a hash value. Matt Constable: It would take it would be impossible well not not impossible, but it