Taylor Trench says
Do you foresee a different security measure overtaking cryptography? Or do you think cryptography will simply evolve further? Do you believe we will reach a point in which we cannot advance our internet security measures?
Nicholas Fabrizio says
I do think for the foreseeable future that cryptography will just evolve and with our computing power getting better every year the standard encryption key length will just get longer. However, I’ve read some articles in the past discussing how Blockchain could be used in the future to help secure messages, prevent denial of service attacks, and much more.
Nicholas Fabrizio says
What are the benefits of having a security control baseline?
To-Yin Cheng says
It can provide safe guidance for the company to evaluate the risk. It ensures the confidentiality, integrity, and availability (CIA) of critical system resources. It helps the system categorize the import of risk as high, moderate, and low, which can help the company to prioritize the relevant control and decision making.
Christa Giordano says
Hi Nicholas,
The security control baseline provides the starting point of the minimum control coverage for a system based on the identified security category and impact level (low, moderate, and high) for that system. The security control baseline can also be tailored based on the organization’s need and consider factors such as risk assessment results, identification of common controls, scoping considerations, and compensating controls selected. Once the security control baselines are in place, additional controls can be added as needed or existing controls can be enhanced or strengthened.
Charlie Corrao says
The textbook mentioned that the key issue with cryptography is human error. What are some things that employees can do to combat this? Or is human error in cryptography inevitable?
To-Yin Cheng says
I believe the most effective way to avoid human error is to set up an automated solution to prevent security attacks. It can have better control of how security policies are implemented for all encrypted communications and comprehensively monitor the system.
Jonathan Mettus says
Reducing human error comes down to training and being aware of human tendencies. The examples the book mentioned in cryptography came down to people using the same greetings over and over. As far as I know, this would have been a known issue at the time and best practices were not followed. But also one of the biggest issues would be divulging the key to someone else, like if the user has it written down in plaintext somewhere. You can try to reduce human error, but it is inevitable to a certain extent. At the end of the day, humans are the ones using the systems or the ones that programmed and designed them.
Quynh Nguyen says
To combat human error, companies have to start at the source by hiring the right candidates that are detail-oriented and qualified. Next, training has to be improved to reduce human error. Finally, cryptography should be automated: a code should be created that follows a formula to automatically encrypt the message. For example, when we enter our passwords for log-in, most websites encrypt them automatically.
Quynh Nguyen says
Why is an RC4 key length of 40 bits commonly used and is it a strong key to use?
Megan Hall says
The RC4 key length was commonly used because of export restrictions. The United States and other countries did not allow greater than 40 bits to be used so they could allow the governments to crack the keys if needed. That being said, it is not a strong key to use, and given the right software tools, could be cracked in minutes.
Lakshmi Surujnauth says
Why might a CA revoke a digital certificate?
Xiduo Liu says
Compromised private key.
To-Yin Cheng says
If a CA finds out the certificate is forged or if the private key is revealed, the certificate will be revoked and added to the Certificate Revocation List (CRL). Changing the owner of the certificate or updating the certificate might also let the CA revoke the certificate and reissue a new one.
Quynh Nguyen says
A CA might revoke a digital certificate if it is found to be compromised by someone claiming to be the sender, or if the private key has been exposed. Once a digital certificate has been exposed it is safe to use for encryption.
Mitchell Dulaney says
Can an organization have “too much” encryption? Is there any situation where implementing additional encryption methods might do more harm than good?
Xiduo Liu says
Speed or latency is what came to me first. Additional encryption, or even longer keys, will result in an exponentially longer time to decrypt. Organizations that employ hardware and software to conduct DPI (Deep Packet Inspection) will need to take this into account. Packets will require decryption, and re-encryption post the inspection. Therefore, longer keys might increase the latency, and some organizations have a low tolerance for latency.
Christa Giordano says
The use of external service providers for information systems services is becoming a necessity for many organizations. What are the security concerns related to using an external service provider and how can these be mitigated? What has been your experience with external service providers at your organization?
Megan Hall says
My greatest concern related to using an external service provider is that the organization using the service provider has no direct control over security, but they are still responsible for the risks that are incurred by the activities outsourced. Not only that, but so many third parties use their own third parties, so it becomes even more challenging to not only control but monitor security risks. The other concern I would have would be in the case of a security incident, what would happen if the responsibilities related to research, investigation, notification were not clear? It would be really easy for the different parties to blame each other and for the right actions to not be taken because the parties are not clear who is supposed to do what. The contract is going to be the best way to manage the risk, and making sure there are provisions for data protection, for incident response, and for audit (if applicable) is necessary. This means IT and information security need to be involved up front before an engagement is entered into with an outsourced provider. In my experience, my organization uses a lot of external service providers (as is common in banking) and we do a lot of monitoring and oversight of our critical information systems service providers, assess specific risks, and have controls around the greatest risks that we’ve identified. We also get SOC reports and penetration tests sent to us each year and review them in detail to determine if there are any concerns that we should be aware of.
Jonathan Mettus says
Should the government be able to force companies, such as Google or Apple, to build backdoors into the encryption of their devices, software, applications, etc. for law enforcement to access user data with a court order?
Xiduo Liu says
No. When you build it, it will be leaked. Just like the alleged CIA hacking arsenal exposed, known as the “Vault7 dump”, released by WikiLeaks. It’s not the tools or the policies that had imperfections; the human is still the weakest link in security. Someone will leak and expose the “backdoors”, because there’s always money to be made. Therefore it is in an organization’s best interest to not have any “backdoors”.
Nicholas Fabrizio says
Xiduo,
I agree with you and if those tools got leaked it would cost companies like Google and Apple a lot of money to create a patch, a new backdoor for government agencies to use, and they will also get a bad reputation which may impact selling devices to future customers.
Xiduo Liu says
With computing power continuing to increase and the breakthrough in quantum computing, current encryption will eventually be broken. What are other possible ways to conduct authentication and authorization?
Wei Liu says
Hi Xiduo, Good point. Today, key lengths of about 100 bits are considered strong, but businesses need a longer key in the future to remain secure in the face of ever-increasing computer speed. Based on Moore’s Law (overall processing power for computers will double every two years), the processing speed of microprocessors will be 15 times faster in 30 years.
Christa Giordano says
Hi Xiduo,
Other ways to conduct authentication and authorization include biometric screening, voice recognition, and facial recognition. Biometric screening includes fingerprint scans and iris scans. Voice recognition takes note of the tone, inflection and other characteristics of an individual’s voice. Facial recognition involves a scan of the face, and identifying facial characteristics are used for identification purposes. Facial recognition can be very sensitive. We piloted facial recognition in my organization and the software initially was very sensitive; for example, it did not recognize an employee when he shaved his beard, but the setting can be adjusted. While these methods are not perfect, they do serve as an alternative means for authentication but would be best served if combined in a dual or triple authentication approach. If the current encryption is broken, then the fallback could be biometric, facial, voice, combined with secure token or RFID badge technology, to name a few.
To-Yin Cheng says
Since VPN is so secure, why isn’t everybody using it? What is the disadvantage of VPN?
Michael Doherty says
I think this is a good question. Many organizations are using VPN to connect to their network. Does this bring added security concerns if the home user’s network is corrupted?
Christa Giordano says
Hi To-Yin,
As with anything, the organization must perform the cost-benefit analysis as well as risk determination. One reason that might deter an organization from using VPN is that there can be performance and availability issues. The network can slow down, the connection can be spotty, or disconnect completely, especially in the current environment when so many people are working from home and stressing the network.
Elias Harake says
Great question, To-Yin. I was actually wondering that same thing. I think that many people are not aware of what VPN is. Another reason is that most VPN providers are not free and require the user to pay a subscription or one-time fee in order to use their VPN for an extended time. The disadvantage of VPN is that it can slow down your internet connection. In addition, VPNs can potentially block a user’s access to websites such as Netflix and Pandora. I also read that some free VPN providers may sell your internet history to third parties, so be careful which VPN provider you do decide to use.
Quynh Nguyen says
VPNs can still be susceptible to man-in-the-middle attacks, and are at risk because employees connect via their home networks, which may not have the appropriate security software to protect the connection. VPN connections can be weak depending on what network strength each employee has at home. There is also the disadvantage of employees being able to work anywhere, meaning public Wi-Fi at libraries, coffee shops, restaurants, etc. that may be vulnerable to hackers.
Michael Doherty says
What is a plan that you would implement in case one of the phases of the SDLC is skipped during the security and privacy assessments?
Wei Liu says
Hi Michael, This is a good question. SDLC could help us find specific needs for different users, but there are some advantages of developing programs with SDLC skipped. One of the advantages is that program development will be much faster when programmers create the workflow instead of going through a lot of user inputs and requirements.
Megan Hall says
NIST SP 800-53 discusses two approaches for identifying when additional security controls may be needed: the requirements definition approach and the gap analysis approach. Are there any scenarios you can think of where you might want to use one approach over the other?
Christopher Clayton says
Can cryptography be combined with another type of secured technique?
Wei Liu says
Symmetric or asymmetric encryption? Why?
Charlie Corrao says
I think this varies depending on the situation. If you rely on the transaction remaining secure, asymmetric encryption is the correct answer. The drawback to asymmetric is the increased costs and complexity, but in a majority of situations, the cost of implementing asymmetric encryption will be less than the cost of the data being passed over being compromised.
Panayiotis Laskaridis says
Is there any sensitive data that shouldn’t be encrypted for any sort of reason? Financial reasons aside, could there be any information out there that is safer without it?
Charlie Corrao says
I’m not sure if I can think of any data that should not be encrypted, but data needs to be encrypted well if you are going to the trouble of encrypting it. For example, if a company uses the same key for all of their databases, they are setting themselves up for failure. If that key is exposed, then the entire system is at risk. Like I said, I cannot think of an example of data that should never be encrypted, but one of the disadvantages of encryption is the processing speed. It slows the processing way down, which also takes up bandwidth on the network. Overall, I would lean towards encryption being considered for all data.
Elias Harake says
The security trend seems to be longer and more complex keys for better encryption. How will longer keys impact computer processors or servers with keys longer than 2048 bits?
Nicholas Fabrizio says
The longer and more complex a key length is, the more difficult it is for computers to crack the key, which makes it more secure. However, the downside to this is that the computer that needs to decrypt the key will require more resources. If an excessive amount of CPU resources are being used to decrypt the key, then this can make the machine run more slowly, which can impact productivity.
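For the question above about keys longer than 2048 bits, here is an added example (not part of the original thread) that measures how the CPU cost of the core RSA private-key operation, a modular exponentiation, changes as the key size doubles. It assumes random odd numbers as stand-ins for real RSA moduli and private exponents, since the cost of this operation depends on operand size rather than on the specific values; the function names are hypothetical.

```python
import secrets
import time


def random_operand(bits: int) -> int:
    """Random odd integer with exactly `bits` bits (top bit forced to 1).

    Assumption: a stand-in for an RSA modulus or private exponent of that
    size. It is NOT a valid RSA key and must not be used as one.
    """
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def time_private_op(bits: int, repeats: int = 3) -> float:
    """Best-of-`repeats` wall time in seconds for base**exponent mod modulus
    with a `bits`-bit modulus and a `bits`-bit exponent.

    Real RSA libraries use the CRT shortcut and are faster in absolute
    terms; the growth with key size follows the same pattern.
    """
    modulus = random_operand(bits)
    exponent = random_operand(bits)
    base = secrets.randbelow(modulus - 2) + 2
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pow(base, exponent, modulus)
        best = min(best, time.perf_counter() - start)
    return best


def scaling_table(sizes=(1024, 2048, 4096), repeats: int = 3):
    """List of (key size in bits, seconds per operation)."""
    return [(bits, time_private_op(bits, repeats)) for bits in sizes]


def slowdown_factors(table):
    """For each size after the first: (bits, time relative to previous size)."""
    return [(b2, t2 / t1) for (_, t1), (b2, t2) in zip(table, table[1:])]


if __name__ == "__main__":
    table = scaling_table()
    for bits, seconds in table:
        print(f"{bits:5d}-bit operand: {seconds * 1000:8.2f} ms per operation")
    for bits, factor in slowdown_factors(table):
        print(f"doubling to {bits} bits costs about {factor:.1f}x more CPU time")
```

A server that performs many TLS handshakes or signatures per second multiplies this per-operation cost by its request rate, which is where larger keys show up as CPU load.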