Categories: Information Security and Privacy Basics | System Access & Passwords | Malicious Software (Malware) | Cryptography | Cryptographic Techniques
100
What is Privacy?
There are numerous competing definitions. Some, such as Louis Brandeis, refer to it as “the right to be left alone”. Others refer to it as a right comparable to the right to freedom, democracy and equality - Daniel Therrien called it a “foundational value in Canadian society, a fundamental right”. One useful definition of it is “informational self-determination”, where individuals are empowered to control information about themselves. This can entail that individuals control who sees their information, who uses it, what they use their information for, and who they can share it with.
100
What is a Password?

The measure of how effective a password is against brute-force/guessing attacks is referred to as password strength. Although there is no strict, agreed-upon definition of password strength, NIST provides multiple password guidelines that are commonly followed. These guidelines are: no complexity rules, a minimum length of at least 8 characters, support for passwords of at least 64 characters, allow any character, blacklist frequently used passwords, no password hints allowed, do not force users to periodically change passwords, allow passwords to be copy-pasted into password fields, use multi-factor authentication, and allow at least ten attempts before system lockout.
A memorizable secret that is shared between the system and user.
100
What is a Trojan Horse?
This type of malware is known to be hidden within a seemingly innocuous or desirable program. For example, you might find this type of malware attached in an email and it tries its best to appear to be from a legitimate source to gain your trust. The malware may also be hidden in, for example, a flashlight application for a user’s smartphone.
100
What is Cryptography?
Loosely means secret writing. It is the study and practice of techniques used for secure communication in the presence of third-party adversaries. The term comes from Ancient Greek words meaning “hidden, secret” and “to write”. While it is used in information security, it is not the end-all be-all solution that solves all problems.
100
What is Asymmetric-Key Encryption?
There are two keys used: a public key (can be used by anyone for encryption) and a private key (used for decryption). Not both keys need to be kept secret; only the private key should be hidden from adversaries. The public key is published and does not require a key exchange protocol, although it does require a trusted public directory.
200
What is the CIA Triad?

The CIA triad represents what information security means for a computer system. Confidentiality means that data is seen only by authorized entities. Integrity signifies that the data/system is changed only as specified by the system and is guarded against improper information modification or destruction. Lastly, Availability means that the data/system is available when needed and can be accessed as desired - ensures timely and reliable access to the data/system alongside being able to use it.
Includes the three concepts of confidentiality, integrity and availability. A computing system is said to be secure if all three of these objectives are met.
200
What is Identification?

Identification asks what your “name” is - who you are. There are various ways to identify different entities. A person can be identified by their name, government-issued IDs, cryptographic keys, address, etc. A computer can be identified by its serial number, physical appearance and location, network address, MAC address and cryptographic keys. Objects can be identified via barcodes, URLs and cryptographic keys as well. Identification is a security problem because entities can lie about their identity and can impersonate others. It is important for a system to guard against identity theft.
Act of indicating an entity’s identity.
200
Who is John von Neumann?
An early computer scientist who had the idea of a computer virus, which extends back to 1949. He also wrote the “Theory and Organization of Complicated Automata”. Employees at Bell Labs gave life to his idea in the 1950s with a game called “Core Wars”.
200
What is Information Theory?
Invented by Claude Shannon, it is the scientific study of how digital information is quantified, stored and communicated. It is the mathematical representation of the parameters and conditions that affect how information is processed and transmitted.
200
What is Symmetric-Key Encryption?
The key for encryption and decryption is the same. The secret key must be shared in a secure manner, which requires a secure key exchange protocol or a key agreement (key establishment) protocol.
300
What is NIST?

The National Institute of Standards and Technology (NIST) published The NIST Computer Security Handbook to provide readers with a solid knowledge foundation required to secure computing resources.
A regulatory agency, part of the United States Department of Commerce, that operates under the mission of promoting industrial competitiveness and innovation. Among its achievements, the agency also published a Computer Security Handbook.
300
What is Authentication?

Informally, during authentication you must prove that you are who you claim to be. There are four basic approaches to authenticating system users: something the user knows, such as a password or PIN; something the user has, such as an ATM card, security badge, browser cookie, etc.; something the user is, confirmed via biometrics such as face, voice pattern, gait and fingerprint; and something about the user’s context, such as their location, time and recent actions. Multiple authentication factors increase the assurance level, or confidence, the system has about someone’s claimed identity.
Verification of the identity that an agent claims to have.
300
What are common ways individuals contract computer viruses?
A computer virus is a computer program that can replicate itself: it modifies other programs or files to insert a copy of itself, which is in turn capable of further replication. Downloading software from untrustworthy sources and/or clicking on links in phishing e-mails are common ways of contracting them.
300
What are some limitations of cryptography?
Cryptography does not solve problems with bad implementations, social engineering, denial of service (DOS and DDOS attacks) and malicious code.
300
What is the One-Time Pad?
Created by AT&T Bell Labs engineer Gilbert Vernam in 1919; the patent for the machine that encrypts using XOR and a secret key is US Patent 1,310,719. It consists of the scheme (Gen(1^n), Enc(k ; m), Dec(k ; c)). Gen(1^n) outputs a truly random n-bit string as the key, and Enc(k ; m) encrypts m with pad k, where the pad and message are exactly the same length. The message is encrypted by taking the bitwise XOR of m and k. Dec(k ; c) decrypts c with pad k by taking the bitwise XOR of c and k to recover the original message. It is a perfect encryption scheme, assuming that the pad is truly random, is never reused and is not leaked. Its perfect secrecy also assumes that the ciphertext is not changed by a third-party adversary.
400
What is PIPEDA?

The Personal Information Protection and Electronic Documents Act (PIPEDA) outlines ten principles for the private sector: identify the purpose of data collection, obtain consent, limit collection, limit use, disclosure and retention, use appropriate safeguards, give individuals access, be accurate, be open, be accountable and provide recourse.
The privacy law for Canada’s private sector that was enacted April 13, 2000.
400
What is Authorization?

Informally, authorization indicates what exactly you can do in a system once you have proven your identity. Authorization encapsulates two main components: Policy (definition of what the user can do) and Access Control Mechanism (enforcement of policy). Policies can be coarse or detailed, and access control mechanisms require that the correct mechanism is being used to enforce the definitions in policy.
Specification of access rights and privileges to resources that an authenticated identity has.
400
What is a Worm?
This type of virus is a program that spreads with little-to-no user involvement and typically starts by exploiting a security flaw on a remote machine. It does not need to inject itself into other computer programs. It typically progresses by first exploiting a security flaw on a remote machine (its new host); its payload is then code that causes it to seek out new hosts before repeating the first step.
400
What are the three algorithms in an encryption scheme?

In order to be useful, the scheme (Gen, Enc, Dec) must provide correct decryptions, such that if Alice locks a message in the box, the intended recipient should be able to recover the message when unlocking the box the message is in.
- Gen, which generates the two keys for the two individuals
- Enc, which uses one of the two keys to lock the message
- Dec, which uses the other associated key to unlock the message
400
What is Minimum Security?
A secure encryption system should resist a brute force attack given the computing power of adversaries. In short, an attacker should not be able to force their way into a system by trying all possible keys. The system should aim to have a large enough key space that the attacker would not be able to exhaustively try every single key in a reasonable amount of time, even with unlimited computing resources.
500
What is the Principle of Easiest Penetration?

Informally, the Principle of Easiest Penetration means that you should expect that the intruder can use any of the available means to penetrate your system. This further indicates that the system is most vulnerable at its weakest link, and that intruders will pursue the weakest link rather than the most convenient-to-fortify or most obvious link.
The expectation that an intruder can use any available means of penetration.
500
What are common attacks against passwords?

These four are common attacks used for directly finding user passwords. Key-logging, or keystroke loggers, are monitoring software designed to record the keystrokes of a user. Attackers can wait for the user to sign in to the system and then review their keystrokes to find their password. Phishing refers to attackers attempting to steal user data by disguising malicious programs or content as trustworthy. This typically includes attaching malicious software to e-mails. Social engineering refers to tricking users into believing that the attacker is a legitimate and trustworthy entity. Shoulder surfing refers to physically looking over a user’s shoulder and watching them sign in to a system or view user information.
Key-logging, phishing, social engineering and shoulder surfing.
500
What is a Logic Bomb?
This type of attack is a dormant payload within a program that triggers if some condition is met. It may be hidden, and can be triggered in various ways, such as an insider acting on it or a future event occurring. Examples of how insiders can trigger it include modifying a specific file or entering a certain sequence of numbers. Examples of future events include a specific date or time occurring or a user visiting a certain website.
500
How can cryptography be used in real life?
Cryptography is used when paying with cards, in cryptocurrency, electronic money, banking transaction cards, password systems, e-commerce, computer networks, etc.
500
What is the Data Encryption Standard (DES)?
Emerging from the NIST competition that had started in 1972, it uses a Feistel Network with the approach of generating complexity through repetition of simple operations (called rounds). The same algorithm is used for both encryption and decryption by using the subkeys in reverse order. Its security depends on the Feistel function f. It faced criticism from the start because its design process was not open, its design decisions were unjustified and the key was shorter than the requirement. It was later replaced by a different standard.
Getting to Know Privacy and Information Security