So we're gonna begin with the topic of cryptographic tools, and we really have to start with a basic understanding of cryptography. So what I'd like to do is go over some basic and essential elements, just to make sure that we're all starting off from the same point.

So with cryptography, we're gonna talk about, of course, how cryptography is used to protect confidentiality, integrity and authenticity. And as a matter of fact, when I talk about cryptography, I take that a step further. I actually usually talk about privacy, also known as confidentiality. We certainly talk about integrity. But I also like to add to that, and I think it's an important idea, non-repudiation.

Okay, so in talking about each of these, privacy, integrity, authenticity and non-repudiation: when we talk about privacy and confidentiality, our main goal is to make sure we prevent unauthorized disclosure of information. We want to keep secrets secret. So jot that down: prevent unauthorized disclosure. It's a good definition for confidentiality.
Now, when we talk about confidentiality, what are the threats? Because we always look at this in terms of threats and vulnerabilities, and then down the line we'd want to talk about mitigating strategies. So with privacy and confidentiality, there are really three main threats that we have to consider.

We have to consider social engineering, and right now that's the greatest threat to confidentiality anywhere. Social engineering is all about impersonation. One of the things that you'll see is that we, as technical people, tend to think in terms of technical solutions and technical ideas and technical attacks. But the idea behind social engineering is: why am I going to spend two hours trying to brute force the password when I can walk up to somebody's desk, introduce myself as Kelly from the help desk, and say, "Hey, we're pushing out some new patches on systems. If you don't mind, let me have access to your system for a couple of minutes. Go grab a cup of coffee. By the time you get back, I'll be done."

And I'll tell you, I do some social engineering pen tests on the side, and that's successful somewhere around 75% of the time. Social engineering is all about acting authoritatively. It's all about being convincing, and what you'll find is most people want to be helpful. So if you come in with "Hey, we've got to take care of this," a little sense of urgency, "We've got to do this right away. It can't wait till lunchtime. I'm sorry to bother you, but give me 10 minutes on your system." And that's just one of many different social engineering attempts. We've all seen the phishing emails, the Nigerian prince wanting us to cash checks. I was looking at one yesterday that was supposedly from the government: I was guaranteed a rebate for my taxes, a tax refund, and all I had to do was send this small amount to cover the processing fee to this address. You know, with social engineering, we could go on and on and on.

One of the things that I find when I do consulting with organizations is that many companies have a very robust technical pen testing program, but they're not pen testing social engineering. So if you think about a social engineering attack, what might a pen test for social engineering look like? Well, it might be me calling different extensions, trying to solicit information. And I'll guarantee you, if I call enough people, I'm going to get the information that I want. But it could be other things, like I said: somebody from the help desk, or purporting to be from the help desk. Let me see if I can get you to leave your computer without logging off. Can I get one of your employees to open up an unsigned email, or an attachment within an email that's not digitally signed? And the answer is, of course, yes to that most times.
And if you've followed any of the security breaches that have been in the news, there was a security company you may be familiar with, I'm not going to name any names, but they had a huge compromise, and this is a vendor of one-time password products. You've probably seen the little key fobs with the password that changes every 60 seconds, and that's a token device, so that you can authenticate with it along with the password. So this organization had a huge compromise that essentially allowed attackers to predict, or to determine predictably, what those passwords would be. So it's a big, big compromise, and the way that attack became successful: a targeted email sent to three people within the entire organization. This is a company that has thousands of employees. That email was simply sent to three people, and that's called spear phishing. And that would be testable, that term: a targeted phishing attempt. It was also called whaling, because what happened was the email was targeted to senior management.

And I know that seems interesting, because you would kind of think that at a security organization, surely senior management is on board and is knowledgeable, and surely senior management wouldn't make the silly mistakes that we wouldn't even expect their end users to make. And sometimes, unfortunately, that's not the case. Sometimes the folks at the very top of the food chain, so to speak, within a company have the greatest and highest level of permissions. And when it comes down to it, if I sign the check, I'm gonna dictate what permissions I have on the network. So sometimes you have these folks that are very high up in an organization that demand full access, even though that might not be a requirement for their job, and they may not have the skill set for it.

So at any rate, this spear phishing, whaling attack was sent to three people, and it contained an unsigned document. And what's interesting about that is the technology worked. The company's spam filter, or mail filter, took that email and moved it over to the junk mail folder. So one of the things we'll talk about in this class is that technical solutions are not enough, because in that company the technology did exactly what it was supposed to. One of the senior managers went to their junk mail folder, saw that email, said, "Oh, that looks interesting," pulled it back, opened up the attachment, the backdoor software was installed, and that gave the attacker a foothold on the network.
One of the things again we'll talk about is that you can put all the technical controls in place that you want. There's not a single control you can put in place that somebody can't bypass. And that's just a fact. It doesn't matter. You know, we'll talk about physical security very briefly; we'll talk about an eight-foot fence to deter determined intruders. And then I always like to say, "But what height fence will prevent?" And the answer to that question is, there's no height fence that will prevent an intruder. You've got a 15-foot fence? I've got a 16-foot ladder. Or, if it's a high enough value target, we've seen with high-value assets, we've seen attackers tunnel in, we've seen attackers coming from the sky. Now, again, this is not your normal type of attack, but if the value of the asset is great enough, that's exactly what's gonna happen.

So technical controls are not enough, physical controls are not enough, and administrative controls, which would be policies and procedures, those aren't enough either. So the idea is layering: layered defense, defense in depth. We want physical controls, we want door locks, absolutely. We want technical controls, we want mail filters and encryption and all those good things. We also want administrative controls, where we train our people, where we emphasize the principle of least privilege, need to know, and those ideas. And ideally, when we have that layering of defense, we don't necessarily talk in terms of preventing determined intruders, but we can certainly delay them long enough so that, ideally, they would be detected.

So, you know, going back to confidentiality: social engineering. Technical controls do very little against social engineering.
So what would be the solution? Separation of duties, so very important, and along with separation of duties, the idea of need to know. So, confidentiality: you know, you'll find if you do any sort of social engineering pen testing, if you experiment around with that, you'll find that many people will give you information that's critical. But the idea about separation of duties is, I can't get somebody to give me the password to the server, because that's not their job, and they don't know that information. So by using separation of duties, we make sure that people have very distinct, very well-defined roles, and only the knowledge to complete those roles. So that helps me enforce confidentiality.

We train our people. As a matter of fact, with social engineering, the first time someone fails a social engineering pen test, they ought to immediately be retrained. That doesn't mean they have to go through a 40-hour social engineering class, but it does mean that there is an immediate address of a failure on their part: they're retrained. And then the second, third time, you know, we really have to start looking at administrative action, whether it's writing up employees, putting them on an improvement plan, whatever that might be.

So, social engineering, because it is a social issue, it's not really gonna have a technical control. It's gonna have more of an administrative control. And that right now is our greatest threat to confidentiality.
Second threat to confidentiality: media reuse, whether it's reusing the same hard drive to store sensitive information, whether it's using a thumb drive. And I know a lot of organizations sort of ban thumb drives; they're not very welcome in most corporate environments. But there are still other types of removable media that we allow. You know, we allow DVD-Rs and rewritable DVDs. We allow other storage devices that might be plug-and-play. So whatever our media is, and I know we're not really in the days where we're talking about using floppies any longer, but you know, any type of removable media: when we reuse that media, we run the risk of leaving remnants behind.

For example, when I first got into IT, and this was about 20 years ago, I started out as a hardware technician, and one of the things that I would do to get better at working with hardware is I'd go around from yard sale to yard sale, or ham radio shows, and I would pick up computers, get them really cheap, and this was about at the time of 386 computers, 486 computers. So I'd take those home, I'd take them apart, I'd put them back together, usually with mostly the same number of pieces that I started with. And one of the things that shocked me time after time after time, and I'll ask you this, I just came up with an idea: if I bought maybe somewhere around 10 to 15 computers over the course of two to three years, how many computers do you really think were cleansed of remnants of data, as in how many of those computers that I purchased had been wiped clean? And you probably know the answer to that, and that's exactly zero. And that's very, very common. You know, if you purchase a computer, if you go online and somebody's got a computer for sale on Craigslist, this, that or the other, chances are very good that they may have deleted some sensitive files, but they rarely, rarely sanitized the disk.

Media reuse: people don't think about it, but when you take media, regardless of what it is, and you use it for a different purpose, you must wipe that drive.
Now, when I talk about wiping the drive, there are different software applications that will do this for you. Sometimes you'll hear people refer to it as sanitizing or zeroizing. So basically what's happening is you get this little program that's just gonna overwrite the disk over and over and over and over. And that's a testable idea, because a lot of times people feel like, "Oh, I've deleted the files," and you guys know, being technical people, when you delete a file, you're not deleting the file. What you're deleting is the pointer to the file. That file still exists on your hard drive, and it is as easy to find as anything. Deleting a file will never be a correct answer on this test; you'll always have to go a step further. Formatting a drive will never be a solution on this exam. Formatting is such an easy-to-reverse process that even if you format a hard drive, within five minutes I can restore it to its original state and pull most of the data. Really, the way that you ensure all of that is gone is to destroy the drive.
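To make the overwrite-before-delete idea concrete, here is an added example in Python. It is not the lecturer's code and not any particular wiping product: it overwrites every byte of a file with a zero pass, a ones pass and a random pass (fsyncing each one), then scans the raw bytes for a constructed sample secret before and after. The file path, the pass patterns and the sample secret are all assumptions made for the example. It also assumes a filesystem that rewrites the same physical blocks in place; on an SSD with wear levelling, on a copy-on-write filesystem, or where snapshots or backups exist, the old blocks can survive an in-place overwrite, which is exactly why the lecture prefers degaussing or physical destruction when remnants matter most.

```python
import os
import secrets
import tempfile

# Added example: overwrite-in-place "zeroization" before deleting a file.
# Not the lecturer's code and not any particular wiping product.
# Assumption: the filesystem rewrites the same physical blocks in place
# (e.g. plain ext4/NTFS on a spinning disk). SSD wear levelling,
# copy-on-write filesystems and snapshots can keep the old blocks alive.

PASS_PATTERNS = [b"\x00", b"\xff"]  # pass 1 zeros, pass 2 ones, later passes random


def overwrite_file(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file `passes` times; return total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:  # r+b keeps the file's existing size
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                if p < len(PASS_PATTERNS):
                    block = PASS_PATTERNS[p] * n
                else:
                    block = secrets.token_bytes(n)  # unpredictable final pass
                f.write(block)
                written += n
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push each pass to the device, not just the page cache
    return written


def sanitize_and_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then unlink; unlinking alone only removes the directory entry."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def contains_remnant(path: str, needle: bytes) -> bool:
    """Scan the file's raw bytes for a known secret (a crude carving-style check)."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo() -> dict:
    """Write a file holding a constructed secret, wipe it, and report what a scan finds."""
    secret = b"ACCOUNT-NUMBER-0000-1111"  # constructed sample value, not real data
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(b"header " + secret + b" trailer")  # 39 bytes in total
    found_before = contains_remnant(path, secret)
    written = overwrite_file(path, passes=3)
    found_after = contains_remnant(path, secret)  # scan the overwritten bytes
    os.remove(path)
    return {
        "found_before": found_before,
        "found_after": found_after,
        "bytes_written": written,
        "file_exists": os.path.exists(path),
    }


if __name__ == "__main__":
    # prints {'found_before': True, 'found_after': False, 'bytes_written': 117, 'file_exists': False}
    print(demo())
```

The fsync after each pass matters: without it the patterns may sit in the page cache and be coalesced, so only the last pass ever reaches the platter. The scan is the defender's check that the lecture is talking about; it is the same kind of raw-byte search a recovery tool would run against a drive that was merely "deleted" or quick-formatted.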
That's always the best solution. If you have confidential information, don't reuse the drive. And really, if we are talking about hard drives today, there's no excuse not to do that. Hard drives are so cheap today compared to what they were 10 years ago or 20 years ago. You know, you used to have to pay $500 for a 10 meg hard drive. Now you get a two gigabyte hard drive for 60 bucks, so there's no reason not to physically destroy a hard drive if it has sensitive information. Watch for the questions on the exam, because they will specify whether or not you want to reuse the drive.

So if you're gonna reuse the drive, obviously physical destruction is not gonna work. If it's magnetic media, degaussing is another very successful method. But let me stress to you, degaussing is only a process for magnetic media. What you're doing is you're exposing that magnetic drive to a very strong magnet. You're wiping out the cylinders, the heads and sectors that are created as part of a low-level format. So, yeah, that's a decent step towards getting rid of the data. The best solution, though, is gonna be physical destruction.

So if you're gonna want to reuse the hard drive: zeroization or degaussing. If your top priority is getting rid of remnants, then that's gonna be physical destruction. And I will mention, I've heard students say things like, "Yeah, we put a nail through our hard drive." That's not sufficient. I mean, that might render the hard drive inoperable, you know, for somebody that's just a common user. But when we talk about destruction, I mean shredding, I mean incineration. That's really the only way you're gonna get that assurance.

Okay, so media reuse: a huge threat to confidentiality. Destroy your media if the data is that sensitive