William Slater's CYBR 515 Blog

CYBR 515 - Security Architecture and Design

Friday, September 23, 2011

Post 016 - CYBR 515





About the CISSP Certification...

These are two articles about one of the most prestigious and most sought-after IT professional certifications in the world - the CISSP:

1. (ISC)2 at a crossroads: CISSP value vs. security industry growth



1. The first article deals with the age-old issue of quality vs. quantity. The (ISC)2 folks are pushing for more people to get the CISSP certification, saying that the Information Security field will need 2 million more professionals in the next 24 months - that is the Quantity side of the argument. Critics of this approach say that (ISC)2 is too focused on numbers and that they haven't done enough for existing CISSPs. And apparently there are only about 76,000 Information Security professionals who have a current CISSP certification - that is the Quality side of the argument.

2. This link contains MANY valuable resources for those of you who think that you might like to explore the idea of getting a CISSP.

Personal comment:
I earned my CISSP certification in July 2004 and I have continuously and faithfully kept it current by going to school, and training courses, and keeping up with the (ISC)2 requirements for the Continuing Professional Education units. None of this is easy or cheap, but if you consider the weight and prestige the CISSP carries in the Information Technology industry, you will quickly understand why I worked so hard to get it and why I work even harder to keep it current.

Finally, it certainly doesn't hurt your Google rankings. Don't believe me? Search on these three strings:

PMP CISSP CHICAGO

I just have one thought-provoking question: When you have a CISSP certification, why are people so insanely jealous about it? Who knows? Maybe it's brain envy?!?

;-)

Best regards,

William Favre Slater, III
MBA, M.S., PMP, CISSP, SSCP, CISA, ISO 27002, ISO 20000, ITIL v3, Cloud Computing Foundation
Project Manager / Program Manager
slater@billslater.com
williamslater@gmail.com
http://billslater.com/career
Chicago, IL 60622
United States of America


Monday, September 19, 2011

Post 015 - CYBR 515






Hades and Cerberos in the Underworld (right)
(from Gamespot.com)

CERBEROS is another name for KERBEROS







Week 4 Assignments
Theme for the Week - Key Distribution and User Authentication
Learning Objectives:
Construct a model of a Kerberos realm that depicts all main principals.
Discuss how a certificate can be used for authentication.
Explain how a secure private key exchange can be conducted using public key cryptography algorithms.
Describe how authentication can be accomplished using asymmetric encryption/decryption.
Readings:

Chapter 4 in your textbook.
Designing an Authentication System: a Dialogue in Four Scenes (MIT)

This week:
Our last two lessons have been mainly theory. We examined symmetric and asymmetric encryption and theorized how they could be used to provide authentication and encryption for a secure network infrastructure. This week, we examine specific implementations of those concepts. Kerberos is used to provide third party authentication and is the principal authentication mechanism for Microsoft Active Directory domains. Certificates are widely used as a means to authenticate users and distribute secret keys. Federated Identity Management allows us to authenticate across multiple systems using a single sign-on. At the heart of each of these services is a combination of symmetric and asymmetric encryption algorithms, and we'll study each of these implementations in considerable depth in this week's lesson. Your author uses a variety of models to explain the main concepts of this lesson. Remember to slow down and study the terms and symbology for each. The models are pictures, and each is worth a thousand words. Time spent studying them is time well spent. If you have any problems or questions trying to figure something out, please post them to the discussion forum. Also, textbooks are not without errors. The author has an errata page on his Web site. Please refer to it or ask questions if you think you have found something that is in error.
I'll briefly touch on one very important concept here, because I want to be sure that you know it well as you approach your studies. Keys for asymmetric encryption are special. Unlike symmetric keys where you can choose your key at random, asymmetric keys must be created using a key generator that produces a mated pair. If I use one key to encrypt, the only key that can unencrypt is the other key in the pair.

Let me say that again: One key encrypts and ONLY THE OTHER KEY IN THE PAIR DECRYPTS.
There is no other key in the known universe, including the one used for encryption, that can unencrypt. This is an extremely powerful concept. Think about it; if you encrypt something using your private key and I can unencrypt it using your public key, then I have a reasonable assurance that it came from you. If I receive something that was encrypted by any other key, your public key won't unencrypt it, and I'll know it didn't come from you.
We are now ready to begin work on our assignments. There are about eight hours of work this week, so I suggest that you get started early. It would also be wise to get on the discussion forum as soon as possible. That way, you will have a better chance at capturing the question you want to answer. Now let's get started.

Assignment 4_1 (On-line Quiz)
Take this ten question true/false and multiple choice chapter quiz over the reading assignment. Quizzes are a "participation grade," which means that you can retake them as many times as necessary. However, please be aware that low scores are a sign that you need to go back to the reading assignment, slow down, and read more carefully.

You need to take the quiz by the end of the week to earn credit.
Assignment 4_2 (Post to this week's discussion forum)
Post a substantive answer to one of the following questions below. Please select a question that has not been previously answered by one of your classmates, until all questions have been answered at least once. Once that has been done, you may select any question that has only been answered once. Once you have submitted your initial post, read each initial post and respond to at least three. Remember to cite your sources.
1. Your text says that certificates are unforgeable. Why can't they be forged? Please note that you could also argue that they can be forged and explain how to do it.
2. What is a Kerberos realm and how does it provide third party authentication?
3. How does single sign-on authenticate across different systems?
4. If a certificate is used to distribute a public key, how can you be sure that it is a valid key?
5. How can I set up my own Certificate Authority (CA) server on the Internet and issue certificates for fun and profit? You might want to use the Internet to answer this question.
6. What is in a certificate and, if it is issued to me, why don't I have to protect it?
7. How do I know when something needs to be encrypted using my public key, or when I need to use my private key to encrypt it?
8. I am in the process of logging on to a Microsoft Active Directory domain. What process does my computer go through to get a Kerberos session ticket? You might want to use Microsoft Technet to answer this question.
9. How do the concepts we have studied for the past three weeks relate to designing a secure network architecture? "I don't know," will not get you full credit for this question.
10. What is the biggest threat to current encryption technologies and how would you counter it?
Our trivia question for the week: What cipher was discussed at length in Edgar Allan Poe's short story, The Gold-Bug, how does it work, and what message was it used to encrypt?
General Posting Guidelines (for participation): Postings are counted as participation for the week. Make sure all postings for this week's assignments are posted to this week's discussion forum. You must post at least two substantive messages to get minimum credit for participation (a 'C' grade). Two messages on different days gets a 'B' for participation - more postings (including answering other questions) get more credit. To qualify for an 'A' grade, you must post at least three critical thinking messages on three different days. Postings on the last day of the lesson will not count for credit since other students will not have sufficient time to respond or participate in your discussion. Post early and often. Don't wait until the last minute!

Assignment 4_3 (Attach to this assignment)
Complete your reading assignment first. Based on what you read in your text and the MIT Kerberos document, "Designing an Authentication System: a Dialogue in Four Scenes," explain how Kerberos works in your own words. You may access this document from the link in your reading assignment above. You may also use appropriate sources from the Internet. If you wish, you can provide a practical example of how Kerberos is being used. Remember to cite your sources using APA style with in-text citations and a reference list. This paper should be 1-2 pages in length. Feel free to use figures to help make your point. Save your work to a Word document as CYBR515 Assignment 4_3 and attach it to this assignment.


Assignment 4.4 Milestone 1 (Attach to this assignment)
Our first deliverables are due this week. They consist of a Visio diagram that depicts your interpretation of the current network and a written summary of network vulnerabilities that you uncover. Please include CYBR515 Assignment 4_3 and your name in the file name for your diagram and summary and attach them to this assignment. Remember, you only have one opportunity to attach documents, so please attach both documents at the same time.





Post 014 - CYBR 515













Anonymous (upper)

LulzSec (lower)


High Profile Hacker Groups in Recent News Releases: Anonymous and LulzSec

I agree that Anonymous and LulzSec bear watching; my view of them and their skills is that they are a bunch of attention-starved, narrowly focused miscreants with above average IQs.

Look at these names from the bust by the FBI in the San Francisco area in July 2011:

Their names are: Christopher Wayne Cooper, 23, aka "Anthrophobic;" Joshua John Covelli, 26, aka "Absolem" and "Toxic;" Keith Wilson Downey, 26; Mercedes Renee Haefer, 20, aka "No" and "MMMM;" Donald Husband, 29, aka "Ananon;" Vincent Charles Kershaw, 27, aka "Trivette," "Triv" and "Reaper;" Ethan Miles, 33; James C. Murphy, 36; Drew Alan Phillips, 26, aka "Drew010;" Jeffrey Puglisi, 28, aka "Jeffer," "Jefferp" and "Ji;" Daniel Sullivan, 22; Tracy Ann Valenzuela, 42; and Christopher Quang Vo, 22.

I also believe that they suffer from lack of discipline, lack of adult leadership, and lack of imagination and that they couldn’t make a real living in Information Technology if their lives depended on it.

References:

Softpedia. (2011). 'Leaked' FBI document calls Anonymous a national security threat: Retrieved from the web at http://news.softpedia.com/newsPDF/FBI-Cracks-Down-on-Anonymous-and-LulzSec-Members-in-US-212451.pdf on September 17, 2011.

ITWorld. (2011). Psych profiles show LulzSec, Anons older, more politically focused than they let on, FBI concludes. Retrieved from the web at http://www.itworld.com/security/202439/leaked-fbi-document-calls-anonymous-national-security-threat?source=ITWNLE_nlt_top10_2011-09-16 on September 17, 2011.

Post 013 - CYBR 515



To give you some idea about my interest in Information Security, these are all the domain names that I currently own:


Post 012 - CYBR 515














People's Liberation Army cyber warriors (right picture)

U.S. Military Cyber Warriors at U.S. Cyber Command (left picture)

Computer-based attacks emerge as threat of future, general says


The new Bellevue University M.S. in Cybersecurity program that I started in on August 29, 2011 is already kicking my rear end with the amount of academic work required (see assignment lists in previous posts in this blog). Nevertheless, when I read articles like this, I know I will remain in the program, because the U.S. is going to need dudes like me to train its future cyberwarriors.


Post 011 - CYBR 515











PKI Architecture Picture


Week Three Assignments
Theme for the Week - Asymmetric Encryption
Learning Objectives:
Explain the use of public and private keys in Public-Key Cryptography.
Demonstrate a simple one-way hashing function.
Differentiate between RSA, Diffie-Hellman, DSS, and Elliptic curve algorithms for public key cryptosystems.
Describe the process used by the Diffie-Hellman algorithm to exchange secret keys.
Readings:
Chapter 3 in your textbook.
ASCII Table
"A Method for Obtaining Digital Signatures and Public-Key Cryptosystems", R.L. Rivest, A. Shamir, and L. Adleman
"Multi-user cryptographic techniques" Diffie and Hellman
This week:
Our lesson this week covers asymmetric encryption, which uses different keys to encrypt and decrypt. It solves a fundamental problem with symmetric encryption caused by the need to securely distribute the same key to both sender and receiver. With asymmetric encryption, one key may be freely distributed to everyone, and the other is kept secret. For example, if I want to send you an encrypted message, I would ask for your public key and you could freely send it to me as clear text. I would use your key to encrypt the message and you use your private key to unencrypt it.
Asymmetric encryption is less efficient than symmetric encryption because the algorithms are more computationally intensive. Because of this, it is not often used to encrypt data for transmission across a network. However, it can be used very effectively for secure exchange of symmetric keys and for authentication.

Regarding authentication, you should keep in mind that authenticity is very important when it comes to data. In an exchange of data, a recipient must have a reasonable expectation that both the data and originator are genuine. If the architecture is not designed to provide that assurance, then hackers will capitalize on its weaknesses, damage will occur, users will develop other means of obtaining reliable data, and the system will fall into disuse. Therefore, it is a very important element of a secure network architecture.
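The two uses of a key pair described in this week's notes (encrypting to the owner's public key) and in the Week 4 notes above (proving origin with the owner's private key), as an added example that is not part of the course material or the textbook. It uses textbook RSA without padding and fixed, constructed primes; the function names and all values are assumptions made for illustration, and the scheme is not usable as a real cryptosystem.

```python
import hashlib
from math import gcd

E = 65537  # widely used public exponent

# Constructed demo primes (Mersenne primes). Real keys use large random primes.
OWNER_PRIMES = (2**61 - 1, 2**89 - 1)
OTHER_PRIMES = (2**31 - 1, 2**107 - 1)


def make_keypair(p, q, e=E):
    """Derive a mated (public, private) pair from two primes.

    The private exponent d is computed from e and the secret factors of n,
    which is why an asymmetric key cannot simply be chosen at random.
    """
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+): e*d = 1 mod phi
    return (n, e), (n, d)


def apply_key(key, value):
    """The single RSA operation: value ** exponent mod n."""
    n, exponent = key
    if not 0 <= value < n:
        raise ValueError("value out of range for this modulus")
    return pow(value, exponent, n)


def wrap(public_key, secret):
    """Encrypt a short secret (for example a symmetric key) to the owner."""
    return apply_key(public_key, int.from_bytes(secret, "big"))


def unwrap(key, ciphertext, length):
    """Apply `key` to the ciphertext and return `length` bytes.

    Only the mate of the encrypting key returns the original secret. Any
    other key gives unrelated bytes, or None if the result does not fit.
    """
    try:
        return apply_key(key, ciphertext).to_bytes(length, "big")
    except (ValueError, OverflowError):
        return None


def _digest(message, n):
    # Toy reduction of SHA-256 into the modulus; real schemes use padding.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """'Encrypt with the private key': transform the message digest."""
    return apply_key(private_key, _digest(message, private_key[0]))


def verify(public_key, message, signature):
    """Undo the signature with the public key and compare digests."""
    n, _ = public_key
    if not 0 <= signature < n:  # out-of-range signatures are rejected
        return False
    return apply_key(public_key, signature) == _digest(message, n)


def demo():
    owner_pub, owner_priv = make_keypair(*OWNER_PRIMES)
    _, other_priv = make_keypair(*OTHER_PRIMES)

    # Constructed 16-byte symmetric key and constructed sample message.
    session_key = bytes.fromhex("00112233445566778899aabbccddeeff")
    message = b"CYBR 515: constructed sample message"
    wrapped = wrap(owner_pub, session_key)
    owner_sig = sign(owner_priv, message)

    return {
        # Confidentiality: only the private key undoes the public key.
        "private_key_recovers": unwrap(owner_priv, wrapped, 16) == session_key,
        "encrypting_key_recovers": unwrap(owner_pub, wrapped, 16) == session_key,
        # Authentication: only the owner's private key satisfies the public key.
        "owner_signature_ok": verify(owner_pub, message, owner_sig),
        "other_signature_ok": verify(owner_pub, message, sign(other_priv, message)),
        "tampered_message_ok": verify(owner_pub, message + b"!", owner_sig),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
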
You are now ready to proceed with the assignments below. Please read the directions carefully and submit the assignments as directed.

Assignment 3_1 (On-line Quiz)
Take this ten question true/false and multiple choice chapter quiz over the reading assignment. Quizzes are a "participation grade," which means that you can retake them as many times as necessary. However, please be aware that low scores are a sign that you need to go back to the reading assignment, slow down, and read more carefully.

You need to take the quiz by the end of the week to earn credit.
Assignment 3_2 (Post to this week's discussion forum)
This week's discussion forum is similar to the one we had last week. Your assignment is to post a substantive answer to one of the following questions that is at least 3 paragraphs in length with proper attention given to spelling and grammar. Again, we ask you to select a question that has not been previously answered by one of your classmates, until all questions have been answered at least once. Once that has been done, you may select any question that has only been answered once. Once you have submitted your initial post, read each initial post and respond to at least three. Remember to cite your sources.
1. If a digital signature is merely composed of a string of ones and zeros, why can't I successfully alter it?
2. How can the Diffie-Hellman key exchange process transfer keys or other secrets without compromising them? If possible, provide a figure that shows an example.
3. When you receive something that was encrypted using your public key, how can you tell who sent it?
4. What is it about asymmetric encryption algorithms that makes them significantly more computationally intense than symmetric encryption algorithms?
5. Why can't I decrypt a password that has been encrypted using a hashing function? Include an explanation of how hashing works.
6. What is the difference between RSA, Diffie-Hellman, DSS, and Elliptic curve algorithms for public key cryptosystems?
7. Why doesn't encryption provide a secure form of authentication? As part of your post, explain what this question means.
8. Why does our author write stuff like MDm = H(SAB||M)2? Why not leave the formulas out and just explain these concepts using the English language?
9. Your book states that encryption protects against passive attack and message authentication protects against active attack. What does that mean and how does it work?
10. If I have an asymmetric key pair, how do I determine which key is used for encryption and which one is used for decryption? In your post also answer how I determine which one is public and which one is private.
Our trivia question for the week: What computer was used to break the German Enigma Cipher during World War II, and where was it located?
General Posting Guidelines (for participation): Postings are counted as participation for the week. Make sure all postings for this week's assignments are posted to this week's discussion forum. You must post at least two substantive messages to get minimum credit for participation (a 'C' grade). Two messages on different days gets a 'B' for participation - more postings (including answering other questions) get more credit. To qualify for an 'A' grade, you must post at least three critical thinking messages on three different days. Postings on the last day of the lesson will not count for credit since other students will not have sufficient time to respond or participate in your discussion. Post early and often. Don't wait until the last minute!

Assignment 3_3 (Attach to this assignment)
This assignment provides you with the opportunity to work with hashing functions. Study the simple hash function on pp 68 and 69 of your text. Once you are comfortable with the way that it works, complete the attached worksheet and save it to a Microsoft Word document as CYBR515 Assignment 3_3 and attach it to this assignment.


Assignment 3_4 (Semester Project, First Deliverable - Due Week 4)
We begin our semester project this week. Our goal is to create a plan for a secure network that incorporates authentication, authorization, and auditing, encryption, protection against malware and spam, defense in depth, and monitoring. Your first assignment is to read the scenario located in the Course Documents area of this course and produce the first set of deliverables. You have two weeks to complete this assignment, and your first deliverables are due at the end of Week 4. Those deliverables consist of a Visio diagram that depicts your interpretation of the current network and a written summary of network vulnerabilities that you uncover. As in other diagrams that you will make for this course, your network diagram doesn't have to depict every object. Instead, you can summarize objects.

Sunday, September 11, 2011

Post 010 - CYBR 515



Breech Baby Picture (right)




Data Breach or Data Breech?

The words Breach and Breech are often confused and misused.

BREACH
When you are talking about the loss of data inside of a protected computer network, that is a BREACH. And you can read the latest about Data Breaches at Data Breach Watch. This website is the best and most current on the web with news about data breaches.

BREECH
When you are talking about the unfortunate, and sometimes deadly situation of a baby being born with the feet coming out of the birth canal first, that is a BREECH BABY.

See below about the usage and definition of the word, "breech."

Main Entry: breech

Pronunciation: brech

Function: noun

Etymology: Middle English, breeches, from Old English brec, plural of brec leg covering; akin to Old High German bruoh breeches, Latin braca pants

Date: before 12th century

1 plural \bri-chez also bre-\ a : short pants covering the hips and thighs and fitting snugly at the lower edges at or just below the knee b : PANTS

2 a : the hind end of the body : BUTTOCKS b : BREECH PRESENTATION; also : a fetus that is presented breech first

3 : the part of a firearm at the rear of the barrel

-From Merriam-Webster

Saturday, September 10, 2011

Post 009 - CYBR 515

The U.S. and Offensive Cyberwar capabilities

To go on the offensive is called in legal terms, "going outside of Title 10", referring to the U.S. Code. So if a school is going to teach offensive cyberwarfare techniques, they should also teach about the legal implications of going outside of Title 10, because even the best cyber vigilantes can easily run afoul of U.S. Federal Laws such as Title 10 unless they have legally been given an authorization such as a secret executive order to operate outside the bounds of Title 10 of the U.S. Code.

Here are some interesting references about the U.S. and Offensive Cyberwar capabilities.

References:

Emptywheel. (2011). Hiding our Cyberwar from Congress. An electronic analysis of Michael Vickers's testimony before a congressional subcommittee. Retrieved from the web at http://emptywheel.firedoglake.com/2011/01/14/hiding-our-cyberwar-from-congress/ on September 10, 2011.

Emptywheel. (2011). Congress to DOD: You Must Start Briefing Us on (Some) Cyberwar Now. An electronic analysis of Robert Chesney's notes that the HASC Mark on the Defense Authorization bill includes a section on cyberwar. Retrieved from the web at http://emptywheel.firedoglake.com/2011/05/10/congress-to-dod-you-must-start-briefing-us-on-cyberwar-now/ on September 10, 2011.

Wilson, C. (2007). Information Operations, Electronic Warfare, and Cyberwar: Capabilities and Related Policy Issues. A report prepared for Congress. Retrieved from the web at http://www.fas.org/sgp/crs/natsec/RL31787.pdf on September 10, 2011.

Friday, September 9, 2011

Post 008 - CYBR 515

Here are some more good and free resources on Information Security topics:

Cybersecurity Plan for the State of Michigan

http://www.michigan.gov/documents/itstrategicplan/I_Cyber_Security_Web_234559_7.pdf

Security in a Windows Infrastructure

http://www.microsoft.com/brasil/security/content/resources/resources/SOG_download.pdf

Security and Privacy Made Simpler

http://www.bbb.org/us/storage/16/documents/SecurityPrivacyMadeSimpler.pdf

Telecommunication Security

http://www.iso.org/iso/telecommunication_security_h_bertine_gsc.pdf

Security Policy

http://security.arizona.edu/files/ISS701.pdf

Lifecycle of Document Security

http://www.adobe.com/security/pdfs/acrobat_livecycle_security_wp.pdf

Post 007 - CYBR 515

Here are some good, free resources on Information Security topics:

Engineering Security

http://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf

COINTELPRO and the Subversion of Anonymous

http://www.sott.net/articles/show/234259-The-New-COINTELPRO-Cyberwarfare-hacktivists-and-the-Subversion-of-Anonymous

Reengineering Security

http://classic.marshall.usc.edu/assets/036/8598.pdf

Computer Security Accidents that Might Have Led to Nuclear War

http://nuclearfiles.org/menu/key-issues/nuclear-weapons/issues/accidents/20-mishaps-maybe-caused-nuclear-war.htm

IT Security and Audit Policies

http://it.delhigovt.nic.in/doit/IT_Security_Audit_Policy.pdf

Social Networking Treatise

http://www.law.cornell.edu/socsec/spring01/readings/martin.pdf

Introduction to Network Analysis

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/SecurityTactics/1597490733.pdf

PERL Scripting and Live Response

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/SecurityTactics/159749173X.pdf

Dumpster Diving

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/SecurityTactics/1597492159.pdf

Targeting Intellectual Property

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/SecurityTactics/1597492558.pdf

Open Source Security

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/OpenSourceSecurity/1597490741.pdf

Advanced Operators - Security Tactics

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/SecurityTactics/1597491764.pdf

Introducing NMAP

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/OpenSourceSecurity/1597492418.pdf

Vulnerability Assessment

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/OpenSourceSecurity/1931836086.pdf

Trademarks and Domain Names

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/ITManagement/9781597492560.pdf

Controls and Safeguards

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/ITManagement/9781597492393.pdf

Business Continuity/Disaster Recovery Plan Development

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/ITManagement/1597491721.pdf

Having Fun with Sysinternals

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/ITManagement/1597490792.pdf

Creating an Attack Lab

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/ITManagement/1597490113.pdf

Behind Cybercrime

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/Cybercrime/1597490482.pdf

Incident Response - Live Forensics and Investigations

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/Cybercrime/1597491330.pdf

Initial Triage and Live Response: Data Analysis

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/Cybercrime/9781597492690.pdf

PDA, Blackberry, and iPod Forensics

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/Certification/9781597491976.pdf

Handheld Forensics

http://www.elsevierdirect.com/downloads/SyngressFreeE-booklets/ITManagement/1597491381.pdf

Post 006 - CYBR 515

Weather Forecast: Partly Cloudy with a Chance of Certifications

I think that we will look back at 2011 as the point when Cloud Computing got real and finally took off. And with all the government focus to control IT budgets and move IT operations and applications into secure Cloud Data Centers.

Be sure and read the IEEE Computer Magazine from August 2011. They are already publishing scholarly articles about the best uses for Cloud applications on Mobile Devices and using mathematical principles to model how to determine the best configuration for your Cloud Planning. Translation: This represents a big departure from the previous crop of Cloud Articles that just addressed security in the Cloud. In other words, people assume "it's real; it's here; so now what's the best way to use it?"

The Windows Live Public Skydrive link below has some important resources to get ramped up on knowledge about Cloud Computing: https://skydrive.live.com/redir.aspx?cid=bf9ea3001ee4c8dc&resid=BF9EA3001EE4C8DC!160

I am also in a Cloud Computing Pathway certification program that is online, self-paced and self-study. I passed my Cloud Computing Foundation certification exam on June 28, 2011. Just four more courses and exams and I will earn the Cloud Computing Expert Certification. More about the program at this link: http://store.theartofservice.com/all-products/cloud-computing-pathway-comple-elearning-bundle.html

By the way, I have known all this Cloud Stuff was coming for the last 6 years, when Bill Gates and Ray Ozzie wrote their famous "Cloud Memos" as publicly released documents, to the employees at Microsoft in October 2005. You will find those memos on that skydrive link, which is of course, in the Microsoft Cloud: https://skydrive.live.com/redir.aspx?cid=bf9ea3001ee4c8dc&resid=BF9EA3001EE4C8DC!160

Also, many of you will remember that in 2008 I was the first Data Center Manager for Microsoft's Flagship Cloud Data Center - the Chicago Data Center, located in a suburb of Chicago. So I have been kind of a "Cloud Computing Advocate" for quite a while now.

This is an article I wrote about Cloud Computing at the end of 2008. Welcome to the Cloud (Again)!

This is my Cloud page.

See you in the Cloud, my friends!

Best regards,

Bill

Wednesday, September 7, 2011

Post 005 - CYBR 515


Week 2 Assignments

Theme for the Week - Symmetric Encryption

Learning Objectives:
Demonstrate a simple symmetric encryption and decryption technique.
Explain the role played by random and pseudorandom numbers in cryptography.
Differentiate between block ciphers and stream ciphers.
Describe the five ingredients of a symmetric encryption scheme.
Readings:
Chapter 2 in your textbook.
Special Forces Field Manual FM-31-4 (Pearson Companion Site under Documents.)
This document is located in the Documents folder as SpecialForcesCode.pdf. Please note that you will have to register to gain access to this site.

This week:
When protecting information from compromise by intruders to our network, there is no stronger tool available to us than Cryptography. Data that is properly encrypted is unintelligible to unauthorized recipients. They might be able to intercept it, but they are prevented from making any use of it. Understanding how encryption works and how to apply it helps us to be better planners. This week, we begin our discussion by looking at Symmetric Encryption, which involves the process of encrypting and decrypting data using the same key. We'll examine the principles that make this possible, and study some basic algorithms that are in common use today. We'll also explore the role played by random and pseudorandom numbers in improving the strength of our encryption.

In this week's reading, our author has included a link to an example of a real-world symmetric cipher from an old U.S. Special Forces manual that is in the public domain. You can get to this document on the author's companion web site as SpecialForcesCode.pdf. You will use this manual for decrypting a message in one of your assignments.
You are now ready to proceed with the assignments below. Please read the directions carefully and submit the assignments as directed.
Assignment 2_1 (On-Line Quiz)
Take this ten question true/false and multiple choice chapter quiz over the reading assignment. Quizzes are a "participation grade," which means that you can retake them as many times as necessary. However, please be aware that low scores are a sign that you need to go back to the reading assignment, slow down, and read more carefully.

You need to take the quiz by the end of the week to earn credit.


Assignment 2_2 (Attach to this week's discussion forum)
Answer one of the following questions and post a substantive answer to this week's discussion forum. Your answer should be at least 3 paragraphs in length with proper attention given to spelling and grammar. Please select a question that has not been previously answered by one of your classmates, until all questions have been answered at least once. Once that has been done, select a question that has been answered by only one of your classmates. Once you have submitted your initial post, read each of your classmates' initial posts and respond to at least three of them. In your response, provide your comments and any additional information you might have. Remember to cite your sources. Please note that this assignment also contains a trivia question that you can post against for credit. Posts to the trivia question will count the same as a response, not as the initial post.

1. How would you go about deciphering a message that was encrypted using symmetric encryption if it is the case that you have the encryption algorithm but not the sender's key?

2. If you wanted to use symmetric encryption to send a secret message, how could you get the key to the recipient? Describe at least two different methods of transmitting the secret key.

3. How does the exclusive OR function work? Provide an example.

4. What is the difference between a random number and a pseudo-random number and how is each used for encryption/decryption?

5. If you really wanted to generate truly random numbers, how could you do it? Include in your answer why random number generators are important for encryption.

6. What is the difference between a block cipher and a stream cipher? Provide an example of each.

7. What are the ingredients of symmetric encryption and how does it work?

8. Why isn't it a good idea to send the same message twice, once when it was encrypted and once in plain text?

9. What does C = E(K3,D(K2,E(K1,P))) mean (from your text)? Describe the symbols and their use.

10. If long keys are more secure than short ones, why not just use a really long key, say 65,536 bytes? In your answer, include an explanation of the purpose of key length. Is there a "perfect" size for keys?

Our trivia question for the week: What is the orange book and why is it called the orange book?

General Posting Guidelines (for participation): Postings are counted as participation for the week. Make sure all postings for this week's assignments are posted to this week's discussion forum. You must post at least two substantive messages to get minimum credit for participation (a 'C' grade). Two messages on different days get a 'B' for participation - more postings (including answering other questions) get more credit. To qualify for an 'A' grade, you must post at least three critical thinking messages on three different days. Postings on the last day of the lesson will not count for credit since other students will not have sufficient time to respond or participate in your discussion. Post early and often. Don't wait until the last minute!
Assignment 2_3 (Attach to this assignment)
Chapter two in your text contains several models that are presented in the form of figures. Choose one of the models and explain what it represents in sufficient detail that someone who has never read the book or studied network security would understand it. Your answer should be at least 1000 words in length. Any sources must be in APA or MLA format. Save your explanation to a Word document as CYBR515 Assignment 2_3 and attach it to this assignment.


Assignment 2_4 (Attach to this assignment)
The Special Forces Field Manual explains an encryption process that uses a double transposition cipher (see your reading list for a link to this document on the author's companion website). Using the information provided in the manual, the code words listed in the order they were used to encrypt the message, and the ciphertext below, decrypt the message. Save your work to an Excel spreadsheet as CYBR515 Assignment 2_4 and attach it to this assignment. Include your unencrypted, plain text message in the file. If you need help figuring out how to work the cipher in reverse, you may use the Internet and other appropriate sources to find the solution. You may also post questions to the discussion forum. However, do not share the unencrypted message with any other students.
Code words: (1) redmustang (2) nightmoves

YETAR TRIXL XWITL RSXHE
NAGPV OHSIC UOPEB ESYCO