In the previous Module, we talked about roles and responsibilities, clarification, the states of data, configuration management, right? We hope it went well for you, so we can go to the next chapter: Module 03. Let’s continue with our CISSP online course! Let’s see what we can expect from Module 03. CISSP online training continues in a way that will guide you through Security Engineering. We will take a look at principles of secure design and security models, security computer architecture, security models and evaluation criteria and much more. So let’s continue with CISSP training online!
We are now talking about system architecture, that is, the design and requirements of system architecture. How should security be built into an information system by design? The whole point is for it to be carefully balanced. Taking care of your security is supporting your business! What are the elements of the system architecture, or, if you prefer, the Trusted Computing Base (TCB)? TCB actually stands for the total of your hardware, software, and firmware. It enforces the security policy of your system.
Computer Architecture CPU
You don’t need to be an expert in this field, but it is important to learn some basics for a better understanding of the CPU. We will focus on processes and memory. As you may already know, there is primary memory, secondary memory, volatile and nonvolatile storage, and cache storage. For better understanding, let us take a look at the four cycles of the CPU: Fetch, Decode, Execute and Store. Fetching is, simply said, when the control unit gets the instruction from system memory. The instruction is identified by a unique address, and the control unit uses that memory address to get the program instruction. The data pointer then keeps track of where the data area is stored in the computer. Decode redirects the needed data from system memory onto the ALU. Execution means that the ALU performs an operation on the data. Then we come to storing, where the ALU stores the result of the operation in memory.
There are many execution types such as multitasking, multiprogramming, multithreading, multiprocessing and more.
When you think about memory, you probably know that there are RAM and ROM. With random access memory, you can access any piece of information you want, which is very useful for you. System memory is RAM. It’s dynamic and frequently changing. It has to be refreshed. There is also a type of RAM called cache, which you can relate to the CPU we mentioned before. It works by speeding things up. What about ROM? It’s a memory which can be read-only one time. You cannot modify it or write to it. But by using EPROM you can actually rewrite the information.
Security Models and Access
The main point of security models is to dictate how a system will enforce security policy. There are Clark-Wilson, Biba, and Bell-LaPadula. Bell-LaPadula is the best known and has three rules. The first is that the subject cannot read data from a higher security level than the subject’s own security level. The second is that the subject cannot write data to a security level that is lower than its own. And the third is that the subject can only perform read or write functions at the subject’s own security level.
There are also DAC, MAC and Role Based. DAC is used for ease of use and sharing capabilities. MAC systems are used for very secure environments. Role Based is, simply said, the system which cannot be used without the admin’s involvement.
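The three Bell-LaPadula rules above written as a small reference-monitor check. This is an added example, not part of the course material; the level names, operation names and function names are assumptions chosen for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    """Constructed classification levels, ordered low to high."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_check(subject, obj, op):
    """Decide one access request; returns (allowed, rule applied).

    op is a hypothetical operation name: "read", "write" (append without
    reading) or "read_write" (read and modify the same object).
    """
    if op == "read":
        # Rule 1: the subject cannot read from a higher level (no read up).
        return subject >= obj, "simple security: no read up"
    if op == "write":
        # Rule 2: the subject cannot write to a lower level (no write down).
        return subject <= obj, "star property: no write down"
    if op == "read_write":
        # Rule 3: combined read and write only at the subject's own level.
        return subject == obj, "strong star: same level only"
    return False, "unknown operation: deny by default"


def audit(requests):
    """Evaluate a batch of (subject, object, op) requests."""
    decisions = []
    for subject, obj, op in requests:
        allowed, rule = blp_check(subject, obj, op)
        decisions.append((subject.name, op, obj.name, allowed, rule))
    return decisions


if __name__ == "__main__":
    sample = [  # constructed requests from a SECRET-cleared subject
        (Level.SECRET, Level.TOP_SECRET, "read"),
        (Level.SECRET, Level.CONFIDENTIAL, "read"),
        (Level.SECRET, Level.CONFIDENTIAL, "write"),
        (Level.SECRET, Level.TOP_SECRET, "write"),
        (Level.SECRET, Level.SECRET, "read_write"),
    ]
    for row in audit(sample):
        print(row)
```

Note that writing up is allowed while reading up is not: the model protects confidentiality only, so information may flow toward higher levels but never toward lower ones.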
Here we have distributed computing. It can be explained as client-server and P2P. Then we come to SOA. It’s an architecture and a vision of how heterogeneous applications should be developed and integrated into the enterprise. It’s abstract, composable, reusable, autonomous and much more.
Cryptography: history, symmetric and asymmetric cryptography, hybrid cryptography…
You really need to know at least the basics of cryptography. You need to learn that cryptography can do much more for you than just privacy. It’s important to know that symmetric, asymmetric and hybrid cryptography work together to provide the security services that we all need. You get your integrity through hashing, digital signatures, and MACs.
What is hybrid cryptography? It is the combination of public and private key cryptography, where the exchange of the encrypted session key is done using public key cryptography. The encrypted session is then pursued with private or symmetric key cryptography. So, what is the reason? The reason is that the private key cryptography is generally much quicker than public key cryptography.
Symmetric vs Asymmetric Cryptography
Let’s take a look at the differences between symmetric and asymmetric cryptography.
Symmetric: one key is shared between two or more entities. It is out of band and has a less complex algorithm. It’s also faster.
Asymmetric: each user has a “key pair” (one public and one private). It’s used to encrypt symmetric session keys. It’s slower but more complex.
Now we are going to talk about PKI (Public Key Infrastructures). When someone sends you a key you wanted, and once you have received it, can you really be sure it’s the key you asked for? No, you can’t. You need to prove your identity, or that of whoever sends you the key. The only way to be sure that you’re receiving the right public key from the person or company you want is to check the certificates. And remember, always encrypt your data when using an open SSL/TLS.
RSA, Diffie-Hellman and ECC
Now, we are talking about the major asymmetric encryption algorithms used for encrypting or digitally signing data. The Diffie-Hellman key agreement algorithm is not for encryption or decryption, but enables two parties who are involved in communication to generate a shared secret key for exchanging information confidentially.
ECC, or Elliptic Curve Cryptography, provides functions similar to RSA. It’s being implemented in smaller devices (like mobile devices). ECC requires less computing power when compared to RSA. Its systems are based on the idea of using points on a curve to define the public or private key pair.
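The key agreement described above, carried through for both parties. This is an added example, not part of the course material; the function names are hypothetical, and the 127-bit prime and generator are demonstration parameters assumed here for readability, far smaller than any group used in practice.

```python
import hashlib
import secrets

# Demonstration parameters (assumption, not from the page): a 127-bit prime.
# Real deployments use a standardized group of 2048 bits or more, or ECDH.
P = 2**127 - 1
G = 3


def keypair():
    """Return (private, public) where public = G^private mod P."""
    private = secrets.randbelow(P - 3) + 2      # uniform in [2, P-2]
    return private, pow(G, private, P)


def validate_public(value):
    """Reject peer values that would force a trivial shared secret."""
    if not 2 <= value <= P - 2:                 # excludes 0, 1 and P-1
        raise ValueError("peer public value out of range")
    return value


def session_key(private, peer_public):
    """Compute the shared secret and hash it down to a 256-bit key."""
    shared = pow(validate_public(peer_public), private, P)
    size = (P.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(size, "big")).digest()


def agree():
    """Run both sides; only the two public values cross the wire."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    wire = {"p": P, "g": G, "A": a_pub, "B": b_pub}   # all an observer sees
    return session_key(a_priv, b_pub), session_key(b_priv, a_pub), wire


if __name__ == "__main__":
    key_a, key_b, wire = agree()
    print("keys match:", key_a == key_b)
    print("sent over the network:", sorted(wire))
```

Nothing in the exchange tells either side who sent the public value, which is why the agreement is paired with certificates or signatures in practice.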
How can we explain hashing? Well, easily said, it’s the transformation of a string of characters into a usually shorter fixed-length value (or key) that represents the original string. It is used to retrieve and index items in a database. It’s faster to find the item using the shorter hashed key than to find it using the original one. It can be seen in many encryption algorithms.
Digital Signatures, MACs and Hashes
It is true that digital signatures, MACs, and hashes can do similar jobs. But there are some differences between them. All of them allow someone to send a message and to send a check value along with that message. Also, they allow someone receiving a message to verify that the message corresponds to the check value. They all provide protection during the message exchange, but they cannot protect from an active attacker.
Hashing is an unkeyed operation, and anyone can compute the hash of a message. MACs and digital signatures ensure that someone without a key can’t modify a message without being detected. With MACs, the sender and the receiver have the same key, which is not the case with digital signatures. In digital signatures, the sender has a signing key, and the receiver has the verification key, which allows the receiver to validate messages.
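The difference between the unkeyed hash and the keyed MAC, from the receiver's point of view. This is an added example, not part of the course material; the messages, the key and the function names are constructed for illustration, and digital signatures are left out because they need a library outside the Python standard library.

```python
import hashlib
import hmac


def hash_tag(message):
    """Unkeyed check value: anyone can compute it."""
    return hashlib.sha256(message).hexdigest()


def mac_tag(key, message):
    """Keyed check value: needs the key shared by sender and receiver."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def receiver_accepts_hash(message, tag):
    """Receiver recomputes the hash and compares it with the one received."""
    return hmac.compare_digest(hash_tag(message), tag)


def receiver_accepts_mac(key, message, tag):
    """Receiver recomputes the MAC with the shared key and compares."""
    return hmac.compare_digest(mac_tag(key, message), tag)


def compare(key, original, modified):
    """Show what the receiver decides when the message changes in transit.

    The party changing the message has no key: it can recompute the hash,
    but for the MAC it can only reuse the old tag or guess a key.
    """
    old_mac = mac_tag(key, original)
    guessed_mac = mac_tag(b"not-the-shared-key", modified)
    return {
        "hash_accepts_original": receiver_accepts_hash(original, hash_tag(original)),
        "mac_accepts_original": receiver_accepts_mac(key, original, old_mac),
        # Recomputed hash matches the modified message: change goes unnoticed.
        "hash_accepts_modified": receiver_accepts_hash(modified, hash_tag(modified)),
        # Neither the reused tag nor a tag under a guessed key verifies.
        "mac_accepts_reused_tag": receiver_accepts_mac(key, modified, old_mac),
        "mac_accepts_guessed_key": receiver_accepts_mac(key, modified, guessed_mac),
    }


if __name__ == "__main__":
    shared_key = b"constructed-shared-key"          # constructed sample key
    result = compare(shared_key, b"pay 100 to alice", b"pay 900 to alice")
    for name, accepted in result.items():
        print(f"{name}: {accepted}")
```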
PKI Public Key Infrastructures
What does PKI do? Public Key Infrastructures support the distribution and identification of public encryption keys, to enable users or computers both to securely exchange data over networks and to verify the identity of the other party. Without PKI, sensitive data can still be encrypted. But there wouldn’t be any assurance of the identity of the other party, known as authentication.
PKI includes these elements:
-CA or certificate authority; a trusted party that acts as the root of trust, providing services that authenticate the identity of individuals or other entities.
-Subordinate CA; a registration authority certified by a root CA to issue certificates for specific uses permitted by the root.
-certificate database; it stores certificate requests, and issues and also revokes certificates.
-certificate store; resides on a local computer as a place to store issued certificates and private keys.
What is IPsec? It’s an encapsulation framework with tunnel vs. transport mode, which dictates what portion of the IP packet is to be encapsulated. Let us take a look at the IPsec sub-protocols. There is the Authentication Header, which provides integrity and authenticity through the use of an ICV. Then there is ESP, which provides the same through a MAC. IKE is just the management of secure connections.
Attacks on Cryptography
When we come to attacks on cryptography, it’s a good thing to keep in mind that everything you encrypted can be decrypted, right? There are different kinds of attacks: Known Plaintext, Ciphertext Only, Chosen Plaintext and Chosen Ciphertext. Also, there is the well-known Meet in the Middle (targeted towards algorithms where there are multiple keys).
All in all, it is a great thing to know all about the security services in cryptography: Privacy, Authenticity, Integrity, and Non-Repudiation. It’s recommended to get to know how to use them.
Now, it’s time for you to take your exam! The Security Engineering Skill Certification Test. The skill level is beginner, it has 40 questions and lasts for an hour.
Hope we interested you and motivated you further to become a CISSP! Talk to you in Module 04, be sure you learned all in this one.