Choosing Tokenization or Encryption - CRYPTOGRAPHY - AIPSI
ISSA Journal – May 2019, Volume 17, Issue 5
Issue theme: Cryptography
Cover: Trends in Security Executive Leadership and the Rise of the vCISO; The Mathematics behind RSA Encryption; Industrial Cybersecurity Enhancements; NIST Cryptographic Algorithm and Module Validation Programs: Validating New Encryption Schemes; The Python Programming Language; Choosing Tokenization or Encryption
Table of Contents
DEVELOPING AND CONNECTING CYBERSECURITY LEADERS GLOBALLY

Feature

14 Choosing Tokenization or Encryption
By Jeff Stapleton – ISSA member, St. Louis Chapter
This article discusses the similarities and differences between two popular cryptographic techniques: tokenization and encryption. When making the decision between protection methods, there are several things to consider, including how the data is used and the key management life cycle.

21 Trends in Security Executive Leadership and the Rise of the vCISO
By Donna Gallaher – ISSA member, Metro Atlanta Chapter
This article discusses the author’s personal experience and observations with starting her own business as a virtual CISO.

26 The Mathematics behind RSA Encryption
By William C. Barge – ISSA member, Northeast Indiana Chapter
The author describes the mathematics behind the RSA cryptosystem and a coding technique that can be used to decrease the chance of the calculation resulting in an abnormal end.

31 Industrial Cybersecurity Enhancements
By Cevn Vibert – ISSA member, UK Chapter
This article highlights alerts and advice for end users of automation and control systems (ICS/OT/IACS/SCADA) and selected advisory notes for practitioners of industrial cyber-physical security.

37 NIST Cryptographic Algorithm and Module Validation Programs: Validating New Encryption Schemes
By Eric Lankford – ISSA member, Fort Worth Chapter
The author provides a simplified overview of how cryptographic algorithms and modules are validated according to the Cryptographic Algorithm Validation Program and Cryptographic Module Validation Program.

41 The Python Programming Language
By Constantinos Doskas – ISSA Senior Member, Northern Virginia Chapter
This article continues the discussion about the basic building blocks of the Python programming language. It is the second article in the Python training series. The main topic of this article is file input/output procedures and date processing.
Also in this Issue
3 From the President
5 Sabett’s Brief – Cryptography As a Weapon
6 Women in Cybersecurity – A Historical 180 for Women in Technology
7 Crypto Corner – Another Quantum Breakthrough
8 Open Forum – Security Engineering and Integration Principles and Myths
9 Cryptic Curmudgeon – Quantum and Crypto
10 Security in the News
11 Association News
36 Career Center

©2019 Information Systems Security Association, Inc. (ISSA). The ISSA Journal (1949-0550) is published monthly by Information Systems Security Association, 1964 Gallows Road, Suite 310, Vienna, VA 22182, +1 (703) 382-8205 (local/international).
2 – ISSA Journal | May 2019
From the President
Hello, ISSA Members and Friends
Candy Alexander, International President

I can hardly believe it has only been six months since I began in my role as president of our association! Like most of life’s journeys, some days it seems like it has been a long six months, and other days it seems like only yesterday. Either way, we are making some great progress – together!

A lot of work has been going on behind the scenes. Thinking of it reminds me of the duck analogy: when you see a duck swimming across a pond, it appears to take little to no effort to glide across the water. What is not visible, however, is the effort that the little legs and feet are paddling swiftly, with precision and strength under the water to move the duck forward. The same can be said with any organization – on the surface it appears as though things are slow and with no or little effort, while behind the scenes actions are being performed with precision and strength.

To that point, the International Board and I have worked through putting business processes in place, such as the strategic goals that focus on our valued membership (growing and keeping members). Marc Thompson has been working hard with headquarters’ staff on back-office improvements with the Your Membership (YM) software used to manage our membership database, and a cleanup of our QuickBooks use. All of this work is necessary in preparing the association to grow and provide you and our chapters with world-class service that should be expected from an international professional association.

I am also very happy to say, for the first time in my years on the Board of Directors, we are currently developing a program management function with the assistance of Brian Shultz and Deb Peinert. This effort will help the Board and me to monitor and evaluate the performance of existing programs offered by the ISSA, as well as making knowledgeable decisions on proposed programs. All of this is part of the effort for ISSA International to utilize sound business practices to ensure efficiencies and quality services.

You should have received the “Call for Nominations” for this year’s elections for the ISSA International Board of Directors. The election is one of the most important processes of our association that all members should participate in. Whether you are considering a run for an open seat on the International Board or you cast your vote, it is important for all members to participate! If you are choosing to become a candidate, know that it is an excellent opportunity to demonstrate your leadership and business skills in a global organization! It is an experience of a lifetime and can be very rewarding! If you are not looking to become a candidate, understand that your role in voting is just as important. Take a moment and learn what each candidate offers and is looking to accomplish before you cast your vote—your decisions pave the future for our association.

For those of you who are waiting for this year’s ESG/ISSA research on the “Life and Times of the Cybersecurity Professional,” we will be releasing the full report in May. Not to give away too much, but things haven’t improved in many areas for us, including CISO burnout. But you probably already knew that. What you may not know is that we have included some research around “privacy and security” and how it is affecting us as professionals. Be sure to be on watch for the release of the report, which will be available from the ISSA International’s NEW website (another back-office improvement item).

I will close by saying my virtual door is always open. Please feel free to reach out by sending me an email at Candy.Alexander@ISSA.org.

Candy Alexander, CISSP CISM
ISSA International President
Now Indexed with EBSCO
Editor: Thom Barrie, editor@issa.org
Advertising: vendor@issa.org

International Board Officers
President: Candy Alexander, Distinguished Fellow
Vice President: Roy Wilkinson, Distinguished Fellow
Secretary/Director of Operations: Anne M. Rogers, CISSP, Fellow
Treasurer/Chief Financial Officer: Pamela Fusco, Distinguished Fellow

Board of Directors
Mary Ann Davidson, Distinguished Fellow
Ken Dunham, CISSP, CISM, Distinguished Fellow
Alex Grohmann, CISSP, CISA, CISM, CIPT, Fellow
Shawn Murray, C|CISO, CISSP, CRISC, FITSP-A, C|EI, Senior Member
Deborah Peinert
Wayne Proctor, CISSP, CISM, CISA, CRISC, Distinguished Fellow
David Vaughn, C|CISO, CISSP, LPT, GSNA, Senior Member
Stefano Zanero, PhD, Fellow

Editorial Advisory Board
James Adamson
Jack Freund, Senior Member
Michael Grimaila, Fellow
Yvette Johnson
John Jordan, Senior Member
Steve Kirby – Chairman
Mollie Krehnke, Fellow
Joe Malec, Fellow
Abhinav Singh
Kris Tanaka
Joel Weise, Distinguished Fellow
Branden Williams, Distinguished Fellow
Rajat Varuni

Information Systems Security Association, 1964 Gallows Road, Suite 310, Vienna, VA 22182, +1 (703) 382-8205 (local/international)

The Information Systems Security Association, Inc. (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications and peer interaction opportunities that enhance the knowledge, skill and professional growth of its members. With active participation from individuals and chapters all over the world, the ISSA is the largest international, not-for-profit association specifically for security professionals. Members include practitioners at all levels of the security field in a broad range of industries, such as communications, education, healthcare, manufacturing, financial, and government.

The ISSA international board consists of some of the most influential people in the security industry. With an international communications network developed throughout the industry, the ISSA is focused on maintaining its position as the preeminent trusted global information security community. The primary goal of the ISSA is to promote management practices that will ensure the confidentiality, integrity and availability of information resources. The ISSA facilitates interaction and education to create a more successful environment for global information systems security and for the professionals involved.

Services Directory
Website: webmaster@issa.org
Chapter Relations: chapter@issa.org
Member Relations: memberservices@issa.org
Executive Director: execdir@issa.org
Advertising and Sponsorships: vendor@issa.org

The information and articles in this magazine have not been subjected to any formal testing by Information Systems Security Association, Inc. The implementation, use and/or selection of software, hardware, or procedures presented within this publication and the results obtained from such selection or implementation, is the responsibility of the reader. Articles and information will be presented as technically correct as possible, to the best knowledge of the author and editors. If the reader intends to make use of any of the information presented in this publication, please verify and test any and all procedures selected. Technical inaccuracies may arise from printing errors, new developments in the industry, and/or changes/enhancements to hardware or software components. The opinions expressed by the authors who contribute to the ISSA Journal are their own and do not necessarily reflect the official policy of ISSA. Articles may be submitted by members of ISSA. The articles should be within the scope of information systems security, and should be a subject of interest to the members and based on the author’s experience. Please call or write for more information. Upon publication, all letters, stories, and articles become the property of ISSA and may be distributed to, and used by, all of its members. ISSA is a not-for-profit, independent corporation and is not owned in whole or in part by any manufacturer of software or hardware. All corporate information security professionals are welcome to join ISSA. For information on joining ISSA and for membership rates, see www.issa.org. All product names and visual representations published in this magazine are the trademarks/registered trademarks of their respective manufacturers.
Sabett’s Brief
Cryptography As a Weapon
By Randy V. Sabett – ISSA Distinguished Fellow, Northern Virginia Chapter

If you’ve been in the infosec field for any appreciable amount of time and had to deal with the export of cryptography, you undoubtedly ran into the notion that cryptography was once classified as a weapon (i.e., munition) because the government had concerns about the power of strong cryptography and what could happen if it fell into the wrong hands. Although not truly a weapon that could directly cause physical harm, the government put cryptography on the Commerce Control List (CCL) under the Export Administration Regulations (EAR), which covers so-called “dual use” technology and munitions. Thus, “crypto is a weapon” was (and perhaps still is, in some circles) a common phrase. For a really fun read about the history of this topic, I would highly suggest a book called Crypto: How the Code Rebels Beat the Government – Saving Privacy in the Digital Age by Steven Levy.

Another, more insidious type of weaponization of cryptography continues to play itself today and is the subject of this month’s column. Although the security industry has dealt for years with ransomware and has educated countless numbers of people on how to avoid it, we still have numerous entities from the very small to the immensely large getting hit by ransomware that maliciously encrypts their data. In a 2015 column I wrote that “[t]he Cyber Threat Alliance (CTA) conducted a study that found the Cryptowall ransomware package had netted approximately $325M for its creator. With ransoms generally between $500 and $1000 and potential damage hard to calculate, the study found the main vector of entry was via phishing.” A variety of 2019 statistics exist related to ransomware attacks in 2018, with the FBI Internet Crime Report perhaps being the most unbiased (since it comprises any company that filed a report of ransomware to www.ic3.gov and just the amount paid for the ransom). With $3.621M paid by a total of 1493 victims, it means that for this sample set, an average payment of $2,526 was made by victims. That’s more than double what it was four years ago. Shouldn’t the number be getting smaller? But if we want a real eye-opener, we can look at costs beyond just the ransom. About one year ago, the city of Atlanta fell prey to ransomware and wound up expending $2.6M for a ransomware incident that had a demand of approximately $50k. This demonstrates the far-reaching effects of these attacks and the amount of time (and money) that it can take to remediate such an attack.

With business email compromise (BEC) being one of the top attack vectors encountered by the FBI, it means that people still feel compelled to click that link or file that arrives in an email from someone you don’t recognize or something that you weren’t expecting. With the frequency and severity of ransomware both increasing, people need to be careful in their browsing and clicking habits. Even if you get an email purportedly from someone you know but weren’t expecting a message with an attachment, be wary. Trust but verify. Question anything that doesn’t look right. Better to annoy your IT department than get hit by a ransomware attack.

But if you do get hit, those backups that you have religiously been making and storing will get you out of trouble right? Not necessarily. We’ve seen a couple of instances recently where the most recent backups were also affected by the ransomware (because they contained the ransomware executables). Even worse, we’ve seen situations where the backups cannot be relied upon to restore the affected entity to a reasonably up-to-date status. In some cases, the backups were incomplete. In others, the backups had somehow gotten corrupted and were unusable. Again, a situation where “trust but verify” would make sense. When was the last time you verified that your backups could restore you to a working state? I’d ask you all to raise your hands, but I don’t want anyone to incriminate themselves…you know who you are.

On that somber note, have a good month and make sure you check your backups!

About the Author
Randy V. Sabett, JD, CISSP, is an attorney with Cooley LLP (www.cooley.com/rsabett), a member of the advisory boards of the Georgetown Cybersecurity Law Institute and the RSA Selection Committee, and is the former Senior VP of ISSA NOVA. He has completed FBI Citizen Academy training in 2017, was a member of the Commission on Cybersecurity for the 44th Presidency, was named ISSA Professional of the Year for 2013 and an ISSA Distinguished Fellow in 2018, and can be reached at rsabett@cooley.com.
Women in Cybersecurity
Women in Cybersecurity explores gender disparity in the cybersecurity field. Its aim is to provide inspiration and awareness through research, history, and trends and to develop strategies for bringing and keeping women in the cyber workforce.

A Historical 180 for Women in Technology
By Curtis Campbell – ISSA Senior Member, Chattanooga Chapter

In the 1940s in Britain and the US, computer work was considered women’s work. In fact, most computer-related jobs were performed by females, and they were good at it. By the 1960s, men had replaced thousands of women pioneers in the field. Today, the industry is searching for answers on how to recruit women to the field and get them to stay. This shift is part of a bigger story in early technological and workforce development in Britain and the US regarding women’s rights and roles at work. Understanding how and why this quick change happened helps rewrite the future of women in technology.

Women were the first computers, when a computer was a person. Women’s roles in early computing systems in the 20th century portray them as formative to technology. Performing manual calculations, women formed the first information networks. The term “girl” became interchangeable with “computer.” Thus, the computer of today is named for the people it replaced [3].

In those days, the job of computing was thought to be a de-skilled job, best suited to women. Yet, early computing was anything but. Prior to WWII, most British women who did computer work used desktop calculating machines, working as clerks or scientific assistants on military applications. During this time, women were seen as office machine operators and being trained to run machines.

During WWII, single, childless, and widowed women between the ages of twenty and thirty were recruited to work for the war effort. Women’s labor formed the hub of the British wartime information machine, with over 1.1 million women workers representing munitions factories and armed forces [2]. Along with these feminized labor pools came the stereotyping of female operators by age and career span. When wage stereotyping occurred next, the result was limited career paths and push back from the women.

By the end of WWII in the US, nearly 250,000 women worked as telephone operators, a job mostly performed today by computers, ironically with recorded female voices. It was after WWII that the definition of “computer” shifted forever and became a machine [2].

What happened next was troubling but fortunately short-lived. After WWII, women’s employment numbers in Britain were still growing, but with the war over, the Marriage Bar, a Civil Service regulation forcing women to resign their jobs once married, was reinstated. This purposefully ensured women were not given career opportunities to continue working after they married. Opposed by the US, USSR, Sweden, Denmark, and Finland, Britain saw the light and ended the Civil Service marriage bar in 1946 [3].

During the 1960s, computers became the new train set for young British men. Computer jobs, once feminized, suddenly became men’s jobs as early training preparation for government or industry leadership. Thinking computers would help men to grow up more powerful than women, this gender change was part of a government initiative to revolutionize, modernize, and computerize Britain [2].

While Britain was revamping the workforce, a team of US women was gaining notoriety as computer programmers on the Mark 1 and the ENIAC computer projects, for the US viewed this as a whole new kind of work for women. As programming became renamed “software engineering” [2], an estimated 30 to 50 percent of programmers were female [1]. The only downside was that women were paid at the low end of the workforce scale.

By the mid ’60s, programming jobs transitioned from scientific applications to commercial applications for customers [2]. IBM became a major employer of women in support roles, not sales roles, giving the impression that women lacked management skills. Although women were encouraged to work in software engineering, there was a bias; they were still being paid less than men. And the inflexibility of computer companies to help women with child-care obligations compounded the problem, driving women away.

Continued on page 20
Crypto Corner
Another Quantum Breakthrough
By Luther Martin – ISSA member, Silicon Valley Chapter

One of the more interesting bits of news in the field of quantum computing was the recent announcement of a record 18-qubit entanglement. This was demonstrated by a team of researchers led by Xi-Lin Wang of the University of Science and Technology of China and has been described as a “significant breakthrough [that] puts us one big step closer to realizing large-scale quantum computing.”

Here’s why this breakthrough is interesting, and what it means for the future of quantum computing and enterprise IT technologies such as encryption. But first, some background that’s needed to understand exactly what this breakthrough means.

Classical bits have one of two discrete values: a logical zero, or a logical one. Quantum bits, or qubits, behave very differently. Until you measure them to see which state they are in, they represent only the probabilities that you will find a logical zero or a logical one when you do this. You can assemble several qubits into a quantum computer to perform calculations that are difficult or impossible on classical computers.

Quantum supremacy, or being able to do calculations that are impractical or impossible on classical computers, is often measured in terms of how many qubits a particular quantum computer has, but the number of qubits by itself isn’t enough to tell us how close the computer is to being able to crack encryption. In particular, the calculations needed to crack encryption require lots of entangled qubits: hundreds or thousands of them. Entanglement is a quantum phenomenon that is much like the classical concept of correlation, or being statistically related. It’s what happens when two or more states are so correlated that they act like a single state instead of as separate states. This is hard to achieve, but it’s essential to have on a large scale for the operation of the quantum algorithms that can be used to crack encryption.

To get entanglement, you generally need particles to overlap in either space or time. Superconductors and superconducting qubits work because of the properties of lots of coupled electrons that overlap in space. The approach used to set the record of 18 entangled qubits used photons that got their entanglement by overlapping in time. This can happen when you split a photon into two new photons, each of which has half the energy of the original photon, through a process called “parametric down conversion.” By being created at the same moment in time, the daughter photons are entangled, and by cleverly manipulating photons such as these, the researchers were able to get 18 qubits that were entangled.

In light of this new record for the number of entangled qubits, what can we say about the potential vulnerability of enterprise encryption to attacks that quantum computers would allow? In particular, does this record suggest that we need to accelerate our plans to have a post-quantum encryption strategy in place and to worry about well-funded attackers defeating encryption anytime soon?

There is lots of hype surrounding the potential for quantum computers to eliminate the security that common encryption algorithms provide. Some estimates suggest that quantum computers capable of cracking today’s encryption will be available in just a few years. But a closer look at the facts suggests that this is probably not the case. The previous record of 14 entangled qubits was set in 2010. It took eight more years before the record advanced to 18 entangled qubits. Progress in this area is difficult and slow, and the quantum computers that you hear about that comprise 50 to 70 qubits have many fewer qubits entangled—definitely fewer than the new record of 18.

To crack a 2,048-bit RSA key, such as the ones that today’s standards require, a quantum computer will need at least a register of 2,048 entangled qubits. That’s far from what’s available today. And it seems very unlikely that the current rate of progress in creating more entanglement will make it possible in the next several years.

Because of this, estimates that we have just a few years until today’s encryption will be vulnerable to attacks by quantum computers seem premature. The level of precision with which researchers can precisely control quantum states is impressive, but it still doesn’t seem to be enough to let them build a quantum computer big enough to crack today’s encryption. Lots of basic research is still needed to get to that point.

For now, it seems hard to justify worrying about your encryption becoming vulnerable to adversaries with quantum computers. It seems very likely that NIST’s effort to standardize encryption algorithms that are quantum-safe will be completed and widely deployed well before quantum computers are a serious threat to security.

About the Author
Luther Martin is a Distinguished Technologist at Micro Focus. You can reach him at luther.martin@microfocus.com.
Open Forum
The Open Forum is a vehicle for individuals to provide opinions or commentaries on infosec ideas, technologies, strategies, legislation, standards, and other topics of interest to the ISSA community. The views expressed in this column are the author’s and do not reflect the position of the ISSA, the ISSA Journal, or the Editorial Advisory Board.

Security Engineering and Integration Principles and Myths
By Mark Kadrich – ISSA member, Silicon Valley Chapter

It is an ages-old problem. We’re asked to drain the proverbial swamp and instead we find ourselves fighting the alligators that swim in it. After getting bit a few times we become all too willing to disregard any pretense of engineering best practices in order to get the quick win. We look at the most recent threat, look up vendors, identify the best one for the budget, slap in a solution, and call it a win. But did you really win?

Ask yourself this: Do you have a set of comprehensive requirements that outline how your security solution is supposed to behave? Can you evaluate how well it’s working? Do you understand how it fails? Can you even tell if it has failed?

Most organizations don’t have a policy regarding how they do network engineering except to say that only IT is authorized to modify the network. Design, implementation, test, and validation are all too often left to a vendor or a contractor that uses some proprietary methodology to verify their own work. They call themselves “one stop shops” and they “offload your stress,” thereby allowing you to do day-to-day work. And that’s one of the myths: vendors produce great solutions without oversight.

In my travels I’ve learned that failure can usually be traced back to either failures in process or failures of basic engineering. Let’s look at the process failure first. There are two reasons that processes fail. First and foremost, processes fail because they are either obsolete or poorly designed. A great example of this is disaster recovery. When was the last time you tested your backups to see if they were whole and usable? Why would you do this? Well, to make sure that the process you’re using works and gets you up and running with minimal loss. In every instance where I was called in after a disaster and I ran the disaster recovery plan, something went wrong, thus preventing the systems from coming back online properly. Investigation discovered that the DRP was never tested, so the process flaws were never discovered. The moral of the story is, if you don’t test it on a regular basis, you don’t know if it’s going to work when you need it.

The second reason that I see these huge failures is because of the shoddy way the original engineering was done. No requirements, no documentation, no implementation plan, no testing plan, no follow-up. For many security people the acute requirement is to STOP THE PAIN. Unfortunately, that’s no longer good enough. We can mask the pain, but that doesn’t make the problem disappear. Please understand that I do know that the “unknown” flaws in software can create significant excitement when exploits are unleashed, but my contention is that if properly engineered, a network should be resilient enough to prevent significant or widespread damage, loss, or downtime.

Breaking the engineering process down to some basic elements:
• Project plan – You need one of these because it keeps things on track and on budget. It defines when things are supposed to happen, who’s responsible for them happening, and what the critical elements to success are.
• Operating principles – These would be the basic policies or high-level behaviors. For example, all designs must comply with policy, no changes to designs without a review, all design changes must have associated test plan updates, only secure coding techniques, no beta or alpha products.
• Functional requirements – What do you want the solution to do? How fast should it detect threats? How fast should you handle them? (Instantly isn’t an option in this universe.) This should be a comprehensive list of behaviors that you want to see in your security solution. For example, the infection or compromise of a general system shouldn’t enable the compromise of a critical system. Yes, cost is a requirement and getting budget would be in the project plan.
• Requirements analysis – How are the requirements ordered and are there conflicting requirements that would interfere or prevent the system from functioning properly? The result would be a list in decreasing priority of the requirements.
• Engineering implementation plan – This document captures the details of implementation. This is usually where the IT department says “trust us.” Resist the urge to do so. Engineering implementation must be based upon tangibles and not personalities. This plan will outline where and in what order things must happen. It will also be fed back into the project plan for tracking.
• Test and acceptance plan – Also grist for the project plan when completed. Using the functional requirements and operating principles, you create a plan that determines if the solution
Continued on page 9
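Both Sabett’s Brief and the Open Forum column above ask the same question: when did you last prove that a backup actually restores? The script below is an editor’s added example, not code from either column or from ISSA. It assumes backups are tar.gz archives and that a SHA-256 manifest (relative path to digest) was recorded at backup time and kept somewhere the backup job itself cannot overwrite. It test-restores the archive into a scratch directory and reports the three failure modes Sabett describes: files missing (incomplete backup), files whose hash no longer matches (corrupted or encrypted), and files that were never in the manifest, with a heuristic flag for executables, which is the case of backups that carried the ransomware along with the data. The suspicious-extension list and the sample files are constructed for the example.

```python
"""Test-restore a backup archive and check it against a hash manifest (added example)."""
from __future__ import annotations

import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path

# Heuristic for this example: file types a data-only backup should not contain.
SUSPICIOUS_SUFFIXES = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def safe_restore(archive: Path, dest: Path) -> list[str]:
    """Extract regular files from a tar.gz into dest, refusing path traversal.

    Returns the restored paths relative to dest, POSIX style. Symlinks, devices
    and directories are skipped: a restore test should only write plain data.
    """
    restored = []
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            rel = Path(member.name)
            if rel.is_absolute() or ".." in rel.parts:
                raise ValueError(f"refusing unsafe path in archive: {member.name}")
            if not member.isfile():
                continue
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            with target.open("wb") as out:
                out.write(tar.extractfile(member).read())
            os.chmod(target, member.mode & 0o777)
            restored.append(rel.as_posix())
    return restored


def verify_restore(archive: Path, manifest: dict[str, str]) -> dict:
    """Restore into a scratch directory and compare with the manifest.

    Report keys: ok, missing, corrupted, unexpected, suspicious.
    """
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        restored = set(safe_restore(archive, dest))
        expected = set(manifest)
        missing = sorted(expected - restored)
        corrupted = sorted(
            p for p in expected & restored if sha256_file(dest / p) != manifest[p]
        )
        unexpected = sorted(restored - expected)
        # Executable content in a data backup is a red flag (backups that
        # contained the ransomware itself).
        suspicious = sorted(
            p for p in restored
            if Path(p).suffix.lower() in SUSPICIOUS_SUFFIXES
            or (dest / p).stat().st_mode & 0o111
        )
    return {
        "ok": not (missing or corrupted or unexpected or suspicious),
        "missing": missing,
        "corrupted": corrupted,
        "unexpected": unexpected,
        "suspicious": suspicious,
    }


def build_backup(archive: Path, files: dict[str, bytes],
                 modes: dict[str, int] | None = None) -> dict[str, str]:
    """Write constructed files into a tar.gz and return their SHA-256 manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = (modes or {}).get(name, 0o644)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = hashlib.sha256(data).hexdigest()
    return manifest


def run_demo() -> tuple[dict, dict]:
    """Constructed scenario: a clean backup, then a damaged one checked against the same manifest."""
    good_files = {
        "db/customers.csv": b"id,name\n1,alice\n2,bob\n",
        "docs/policy.txt": b"All designs must comply with policy.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        manifest = build_backup(tmp / "good.tgz", good_files)
        good_report = verify_restore(tmp / "good.tgz", manifest)
        # Damaged copy: customers.csv overwritten, policy.txt gone, an .exe dropped in.
        bad_files = {
            "db/customers.csv": b"id,name\n1,alice\n2,bob\n\x00ENCRYPTED",
            "tools/update.exe": b"MZ\x90\x00not really a PE",
        }
        build_backup(tmp / "bad.tgz", bad_files, modes={"tools/update.exe": 0o755})
        bad_report = verify_restore(tmp / "bad.tgz", manifest)
    return good_report, bad_report


if __name__ == "__main__":
    for label, report in zip(("good", "bad"), run_demo()):
        print(label, report)
```

Run this on a schedule against the most recent archive, not just once: the point of both columns is that an untested restore is not a backup. Keep the manifest out of reach of the backup job (or sign it) so that an attacker who can encrypt the archive cannot also rewrite the expected hashes.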
Cryptic Curmudgeon
Quantum and Crypto
By Robert Slade

Recently I saw yet another posting stating that “quantum computing advances and quantum computers being freely available will make our current cryptographic systems redundant.” [Sigh.]

I’ve been studying the security implications of quantum computing for more than a dozen years now. We are not quite at the quantum cryptopocalypse yet.

First, it’s only asymmetric cryptography that is under any immediate and direct threat. People who think that quantum computing will automatically produce a universal decryptor have spent too much time watching “Sneakers.” In fact, the Shor algorithm only works against RSA (due to the reliance on factorization), so Diffie-Hellman and Elliptic Curve Cryptography (ECC) are still reasonably safe. In fact, even if all those are attackable (which is probably likely in the long term), we can still go back to symmetric and Kerberos. (I really like Kerberos. It’s elegant, mature, and pretty workable.)

Second, it’s taking a while to get full-scale quantum computers online. The largest quantum processor is only around 200 qubits, and it’s not a full quantum computer so it doesn’t run the Shor algorithm. The largest full-scale quantum computer is currently only about 50 qubits. We are going to need a full-scale machine of around 2,000 qubits to seriously attack current asymmetric systems. I’d estimate that it’s at least five years away. And, even then, you could make asymmetric keys bigger—meaning you’d need larger quantum computers.

Third, please don’t confuse the existing “quantum cryptography” with using quantum computers to crack crypto. Quantum cryptography isn’t crypto at all: it’s just key exchange. Quantum key exchange and the BB84 algorithm is a lovely, elegant idea that not only makes for theoretically perfect confidentiality and protection but for the first time allows you to automatically detect eavesdroppers! Of course, that’s in theory. In reality, as with all crypto, the devil is in the implementation details. And the implementation details are eminently attackable. (In theory, there is no difference between theory and practice, but in practice, there is.)

New cryptographic algorithms are being researched and developed all the time, and a particular field of interest right now is quantum-proof crypto. A lot of really clever people are looking into the problem. Of course, the history of cryptography is the story of really clever people making really stupid mistakes, but overall, when they get together and test each other’s ideas, some pretty good results come out. Maybe not a magic bullet that will fix all problems forever, but when has that ever happened in security?

Is the NSA doing something about this? Yes. (No, they don’t tell me what they are doing, but someone else will probably come up with it first, anyway.)

Quantum computing will have much more serious effects on a number of areas of security besides cryptography, and crypto is not the most important ... (And I really wish that people would pay attention to some of the more important benefits and/or dangers of quantum computing in regard to security.)

About the Author
Rob Slade is both an artificial intelligence program gone horribly wrong, and hooked up to various email addresses, and not. At the same time. The only way to tell is to obtain more information than anyone would want to know about him, available at http://twitter.com/rslade. It is next to impossible to get him to take profile or “bio” writing seriously, but you can try at rmslade@shaw.ca.

Security Engineering and Integration Principles and Myths
Continued from page 8

is complete and functional. Portions of this plan will be used for ongoing testing.

Establishing a process and adhering to basic engineering principles can help you by uncovering minor mistakes that can become major issues in crisis. Having a documented plan that has endured the trauma of scrutiny can save you the trauma of a surprise failure or worse, catastrophic and cascading failure of your network and your career.

About the Author
Mark Kadrich is a well-known speaker and evangelist on network security matters at technical conferences and security events. He is presently a free-range CISO helping customers create and manage security IT environments. He has been the president of the Silicon Valley Chapter and is presently a director-at-large. He may be reached at mark@kadinfosec.com.
Security in the News
News That You Can Use…
Compiled by Kris Tanaka – ISSA member, Portland Chapter

A New Cryptocurrency Mining Malware Uses Leaked NSA Exploits to Spread across Enterprise Networks
https://techcrunch.com/2019/04/25/cryptojacking-nsa-malware/
Enterprises beware—there's a new malware strain in town that is after your computing power. The malicious software, named Beapy, is spread via email. By using DoublePulsar and EternalBlue, the same NSA-developed exploits that helped spread WannaCry, hackers can gain access for Beapy to infect computers with cryptocurrency mining malware. This is just one more reminder to think before you click, and to keep the SMB patches that neutralize those exploits deployed.

Sony's Blockchain-Based DRM System Will Likely Be a Part of the PlayStation 5
https://beincrypto.com/sonys-blockchain-based-drm-system-will-likely-be-a-part-of-the-playstation-5/
Last month, Sony patented a Digital Rights Management (DRM) system that runs on blockchain. Although the company has not officially rolled out DRM, it is contemplating applications in a wide range of fields. One possibility could be the upcoming PlayStation 5 platform where the system would allow users to trade digital rights to games on the Sony PlayStation Network.

Europe Agrees New Cloud-Based Digital Signature Standard
https://www.cbronline.com/news/digital-signature-standard
Free at last—at least in the EU. Inspired by a push from European regulators to create a "Digital Single Market," the Cloud Signature Consortium has developed a new cloud-based signature standard. The guideline allows digital signature providers to use cloud-based certificates from any EU-certified "Trust Service Provider." The result? Businesses will no longer be tethered to specific hardware or proprietary technologies.

Some Enterprise VPN Apps Store Authentication/Session Cookies Insecurely
https://www.zdnet.com/article/some-enterprise-vpn-apps-store-authentication-session-cookies-insecurely/
Warning! Carnegie Mellon University's CERT Coordination Center (CERT/CC) and the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) report that at least four virtual private network (VPN) applications store authentication and/or session cookies unencrypted in process memory or in log files saved on disk. This means that an attacker who can read that memory or those files can copy the cookies to another system and resume the victim's VPN session without needing to authenticate.

Singtel and NUS Claim Quantum Breakthrough
https://www.computerweekly.com/news/252461710/Singtel-and-NUS-claim-quantum-breakthrough
Beam me up, Scotty. Researchers from Singtel and the National University of Singapore (NUS) are another step closer to advancing quantum key distribution (QKD), a protocol that transmits light particles, or photons, over a network, so that two communicating parties can agree on and generate an encryption key to establish a secure communication channel. Does this mean we'll have Star Trek-type transporters soon? Not really. But because QKD's security rests on the physics of the channel rather than on a computational hardness assumption, it is not weakened by faster computers, quantum ones included (the devices that implement it still have to be engineered and tested carefully), and increased security in government, banking, and military applications is now in the works.

Report: Health-Related Data Least Likely to Be Encrypted
https://healthitsecurity.com/news/report-health-related-data-least-likely-to-be-encrypted
According to a recent report from the Ponemon Institute, health-related information and non-financial data are the least likely types of data to be encrypted. Furthermore, keys for external cloud or hosted services were ranked as the most difficult to manage. It's hard to believe but despite these encryption challenges, 60 percent of respondents said their organization still transferred sensitive or confidential data to the cloud, regardless of whether the information was encrypted or made unreadable. Surprised? Absolutely. Remember, just because it is in the cloud, doesn't mean it is secure.

Peter Shor Wins 2018 Micius Quantum Prize
http://news.mit.edu/2019/mit-professor-peter-shor-wins-micius-quantum-prize-0426
And the winner is…Peter Shor! The MIT professor will receive $150,000 for his groundbreaking work in the field of quantum computation, including his factoring algorithm. Shor's algorithm was designed to use a quantum computer to quickly break through the RSA (Rivest-Shamir-Adleman) encryption algorithm, which is based on the difficulty of prime factorization—a major concern for the security of classical computing systems.

How WhatsApp, FaceTime and Other Encryption Apps Shaped the Outcome of the Mueller Report
https://www.washingtonpost.com/technology/2019/04/19/how-whatsapp-facetime-other-encryption-apps-shaped-outcome-mueller-report/?utm_term=.e3d88780732c
End-to-end encryption has gone mainstream. And while the free technology offers protection to those with legitimate fears of overreaching surveillance, it also gives protection to cybercriminals and creates challenges for law enforcement investigations. Is it possible to have a healthy balance between privacy and the pursuit for justice? Do intelligence services have the right to hack into devices if they are not able to gain information through "proper channels?" Security in the News would like to hear what you think about the encryption debate. Share your thoughts with Editor Thom Barrie.
Association News

Infosec Organization Donates $20,000 for Scholarship Funds

The North Texas Chapter of the Information Systems Security Association (NTXISSA) recently donated $20,000 to the Collin College Foundation for student scholarships. NTXISSA has held cybersecurity conferences at the college for several years, and the partnership between the college and the information security organization continues to flourish.

According to Chris Armstrong, president of NTXISSA, the chapter understands the value of investing in community. "Our chapter members are constantly seeking talented local staff at all levels and the consistent connection with Collin allows unique career opportunities for students and a route to qualified talent for our hiring needs," said Armstrong.

According to Lisa Vasquez, Collin College vice president of advancement, this generous gift will go a long way to support Collin College students. "Many people believe that Collin County is so affluent that there is no need for scholarships, but that is not the case," Vasquez said. "More than 28,000 local students didn't have enough money for college and applied for financial aid and scholarships through Collin College. We can't thank NTXISSA enough."

NTXISSA conference benefits

Armstrong adds that he has spoken with several NTXISSA members who attribute an accelerated career trajectory to the annual conference they hold at Collin College. This year the chapter plans to extend an internship opportunity to a Collin College student to help make the North Texas ISSA Cyber Security Conference 7 (#NTXISSACSC7) another success.

Reprinted with permission, Collin College News, Feb. 4, 2019

[Photo] The North Texas Chapter at their recent chapter meeting celebrating their $20,000 donation to the Collin College Foundation for student scholarships with faculty and students of Collin College.

International Board Election: Call for Nominations

Service on the ISSA International Board of Directors can give you an opportunity to guide the future direction of the association. Seats up for election this year are as follows:

• Vice President* – 3-year term
• Secretary/Chief Operations Officer* – special 2-year term
• Treasurer/Chief Financial Officer* – 3-year term
• Directors* – four open seats: three seats for 3-year terms and one seat having a special 2-year term. Of the top four vote getters for Director, the candidate having the least votes among them will have the 2-year term.

* Effective with this year's elections (per the by-laws), all candidates for the role of Director must be an experienced chapter leader, ISSA Fellow, or have comparable experience. All candidates for the role of Officer (President, Vice President, Secretary, or Treasurer) must have previously served a full term as an Officer or Director on the ISSA International Board of Directors.

Nomination

All nominations must be received by 11:59 p.m. US Eastern time, May 21, 2019. All candidates and campaign activities must follow the election guidelines. Information on the responsibilities of the International Board of Directors can also be found in Article VI of the ISSA By-Laws. Visit the election webpage for further information.
PAID ADVERTORIAL

The Future Is Passwordless
Why the Digital Age Is Killing the Password
By Stephen Cox, Chief Security Architect, SecureAuth

The password has become a daily part of modern life. Employees start their day by typing passwords into their laptops; consumers depend on passwords to conduct online banking transactions and Amazon shopping sprees. Passwords control our home security systems and social media accounts.

The password may seem to us like a byproduct of the digital age, but our ancestors used passwords too. Watch old gangster movies and you'll see passwords used to admit or deny entrance to criminal lairs. Just gaining entrance to an alcohol-serving speakeasy during the American prohibition required a password. Even today, some secret societies and underground nightclubs require special phrases to prove membership.

So, yes, passwords have always been a useful tool—but they've also always been easy to compromise. Those speakeasy patrons sometimes gave up passwords; secret agents could often guess them. Other times police simply ignored the doorman and used brute force to get inside. Those same patterns plague today's digital passwords, which is why security experts are dismissing them as an antiquated concept.

The password as security vulnerability

While many organizations rely on passwords to protect financial and medical data, intellectual property, and other valuable assets, passwords are prone to a number of security flaws. Consider these issues:

• Many passwords are too simple and easily guessed. Many customers and employees use the same passwords for a variety of systems and applications. "123456" and "password" are the most popular; pet names and children's birthdays that can be easily gleaned from social media are also common.
• Instead of layering passwords with other security controls, many teams protect their assets with only a password. This is true of organizations with large workforces or consumer bases.
• Criminals can force their way past basic password controls, or in some cases just walk in. Stolen credentials can unlock the keys to the organizational kingdom, giving criminals free rein inside a network.
• Many users share or distribute passwords, nullifying any access control value. It's impossible for security teams to know who's really accessing resources.

Many organizations want to protect their workforce and customers from these risks, particularly phishing scams and the inevitability of stolen credentials. Two-factor authentication has offered some help, but many criminals have learned to bypass those controls as well. It's become clear that passwords are no longer sophisticated enough to protect teams in an era of sophisticated criminals—which is where passwordless authentication comes in.

Passwordless benefits

It's ironic that while many people think of passwords as a digital creation, it's actually the digital age that's retiring them. More and more organizations are adopting a passwordless approach to security.

It's an approach that might seem intimidating or counter-intuitive to customers who like the feeling of safety a complex password gives them. But passwordless authentication offers a superior user experience and stronger security in several ways:

• With passwords eradicated, phishing scams and stolen credentials become less of a threat.
• Consumers and workforces don't need to create and memorize a collection of complicated passwords, call the help desk when they forget them, or wait while they're locked out of accounts.
• Companies can save on help desk costs by reducing support tickets and calls to reset passwords.
• Workforce users won't be sharing passwords with other employees or writing them on sticky notes attached to their monitor.
• Security controls can verify user identity based on more accurate indicators, rather than a password that unlocks access for anyone who knows it.

Contextual authentication

The centerpiece of passwordless security is adaptive authentication. By offering contextual evaluation and deep risk analysis, adaptive authentication technology offers a seamless user experience while bolstering security.

Adaptive risk checks and machine learning work even when standards like FIDO2 and Web Authentication (WebAuthn) are implemented. Consumers and workforces can easily access their required accounts and resources unless the system detects the need for a second method of authentication. At that point, the user is asked to present identity confirmation to counter the risk—allowing them access if they do so successfully, or stopping the criminals in their tracks.

The key is basing adaptive authentication on your risk policies, so that validation requirements match the requisite level of security.

Using adaptive authentication to go passwordless

Adaptive authentication technologies are sophisticated and nuanced, but they must be implemented correctly to accurately distinguish between the legitimate users and the malicious actors. The following best practices can help.

Consider both convenience and security

Your workforce users might have one set of authentication requirements at the corporate headquarters and another when they're logging in from a conference. Convenience is a large factor in passwordless authentication, but credentials and two-factor authentication may still play a role when needed.

Streamline password management

Since some users may still need passwords, you can help boost employee productivity and satisfy customers with options for self-service password resets. You can free up your help desk staff to focus on other issues and help users unlock accounts faster, getting your workforce back to work faster while helping customers complete transactions. Another boon: single sign-on, which can help mitigate password fatigue.

Tailor the authentication process to different user types with flexible workflows

Banking customers checking their account balances won't need the same level of security as a bank's financial officer tasked with transferring large sums of money. Consider the different levels of risk when creating customized authentication workflows.

Implement device recognition

One of the easiest ways to strengthen security while also offering a great user experience is device recognition. This pre-authentication risk analysis can distinguish between devices that match a previously validated footprint and devices that seem illegitimate. Unique characteristics like browser fonts, time zones, IP addresses, or browser plug-ins can identify a device that has been previously associated with a successfully authenticated user. An illegitimate user logging in from an unrecognized device can be stopped.

Assign entitlement risk scores

Your workforce will contain a variety of users with different levels of entitlement to resources. Senior leaders or employees in sensitive payroll or accounting roles may have a higher risk score since they regularly access funds and important data; a production assistant would likely have a lower risk score. This can determine the workflows needed to authenticate access, and alert your team if a low-risk user is somehow accessing a sensitive or high-value resource.

Use risk analysis to evaluate users with data that's hard to imitate

Contextual factors such as geo-location, geo-velocity, and IP reputation data can help identify illegitimate users. For instance, an account user who's in Vancouver in the morning and then somehow in London in early afternoon indicates an anomaly and a need for additional authentication.

The digital age has surpassed older technologies like passwords. While they may still play a limited role in the future, superior security controls and analytics offer a smoother user experience and stronger protection against criminals using stolen credentials. With breaches on the rise, teams are looking to the passwordless approach as a critical tool to defeating attackers and protecting their customers and workforces.
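The three practices above (device recognition, entitlement risk scores, and geo-velocity) combined into one step-up decision, as an added example that is not SecureAuth's product code or code from the advertorial. The speed limit, score weights, role table and the Vancouver/London login events are constructed policy values and sample data for the demonstration.

```python
"""Adaptive authentication check: device recognition, entitlement risk, and an
impossible-travel (geo-velocity) test feeding one allow / step-up decision.

Added illustration, not vendor code. All policy numbers below are assumptions.
"""
import hashlib
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumption: nothing a user travels on beats an airliner
STEP_UP_THRESHOLD = 50       # assumption: scores at or above this require a second factor
ENTITLEMENT_RISK = {"production_assistant": 5, "payroll": 30, "cfo": 40}  # constructed table
DEFAULT_ENTITLEMENT_RISK = 20


@dataclass
class LoginEvent:
    user: str
    ts: float       # seconds since the epoch (UTC) so local time zones cannot skew the maths
    lat: float
    lon: float
    device: dict    # browser fonts, time zone, plug-ins, IP: the traits the text lists


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def required_speed_kmh(prev: LoginEvent, cur: LoginEvent) -> float:
    """Speed the user would have needed to reach the new login location in time."""
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:
        return math.inf
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / hours


def device_fingerprint(device: dict) -> str:
    """Stable hash of the device traits; sorted keys so attribute order does not matter."""
    canonical = "|".join(f"{k}={device[k]}" for k in sorted(device))
    return hashlib.sha256(canonical.encode()).hexdigest()


def risk_score(prev, cur, known_fingerprints, role, high_value_resource=False):
    """Combine the signals into a score plus the reasons that contributed."""
    base = ENTITLEMENT_RISK.get(role, DEFAULT_ENTITLEMENT_RISK)
    score, reasons = base, []
    if device_fingerprint(cur.device) not in known_fingerprints:
        score += 30
        reasons.append("unrecognised device")
    if prev is not None and required_speed_kmh(prev, cur) > MAX_PLAUSIBLE_KMH:
        score += 50
        reasons.append("impossible travel")
    if high_value_resource and base < DEFAULT_ENTITLEMENT_RISK:
        score += 40   # low-entitlement user on a sensitive resource: alert the team
        reasons.append("low-entitlement user on high-value resource")
    return score, reasons


def decide(prev, cur, known_fingerprints, role, high_value_resource=False):
    """Return ('allow' | 'step_up', score, reasons) for the current login."""
    score, reasons = risk_score(prev, cur, known_fingerprints, role, high_value_resource)
    return ("step_up" if score >= STEP_UP_THRESHOLD else "allow"), score, reasons


# Constructed sample: the Vancouver-morning / London-afternoon case from the text.
LAPTOP = {"fonts": "Arial,Calibri", "tz": "America/Vancouver", "plugins": "pdf", "ip": "203.0.113.7"}
KNOWN = {device_fingerprint(LAPTOP)}
VANCOUVER_0900 = LoginEvent("alice", 0.0, 49.28, -123.12, LAPTOP)
LONDON_1300 = LoginEvent("alice", 4 * 3600.0, 51.51, -0.13, LAPTOP)
VANCOUVER_1700 = LoginEvent("alice", 8 * 3600.0, 49.28, -123.12, LAPTOP)

if __name__ == "__main__":
    print(decide(VANCOUVER_0900, LONDON_1300, KNOWN, "payroll"))              # impossible travel
    print(decide(VANCOUVER_0900, VANCOUVER_1700, KNOWN, "production_assistant"))
    print(decide(None, LONDON_1300, set(), "cfo"))                            # new device, high role
```

Vancouver to London is roughly 7,600 km, so the second login implies about 1,900 km/h and trips the step-up. The same unknown device that forces a CFO to a second factor only raises a production assistant's score to 35, which is the per-role tailoring the text describes; tune the weights to your own policy.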
Choosing Tokenization or Encryption
By Jeff Stapleton – ISSA member, St. Louis Chapter

This article discusses the similarities and differences between two popular cryptographic techniques: tokenization and encryption. When making the decision between protection methods, there are several things to consider, including how the data is used and the key management life cycle.

A common question is how to choose between encryption and tokenization. Unfortunately, such a simple question is rather difficult to answer. An information security professional might respond with "it depends," which is actually quite reasonable but sadly unhelpful. Both techniques are within the cryptography domain and share similarities and have differences. This article compares both techniques in an effort to help answer the conundrum: when to use encryption and when to use tokenization. Both protect data via confidentiality, but neither, on its own, provides integrity or authenticity [10]; an authenticated encryption mode or a separate MAC has to be added if tampering must be detected.

Encryption

First things first: to compare tokenization with encryption, definitions for each need to be established. Everyone knows what encryption is, or at least most have a concept of the technology, but ironically there are various similar but slightly different definitions.

1. Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.1
2. Encipherment: rendering of text unintelligible by means of an encoding mechanism [1].
3. Encryption is the (reversible) transformation of data by a cryptographic algorithm to produce ciphertext (i.e., to hide the information content of the data) [5].
4. Cipher: series of transformations that converts plaintext to ciphertext using the cipher key [4].

Regardless of which encryption definition seems more familiar or makes the reader the most comfortable, a basic description of encryption is the use of cryptographic keys to transform data (cleartext) from a readable to an unreadable (ciphertext) form. However, this is only half an explanation. Decryption is the inverse of encryption: the use of cryptographic keys to transform ciphertext back to its original cleartext. Figure 1 provides a graphical view of symmetric encryption and figure 3 shows a similar depiction of asymmetric encryption. Symmetric encryption uses the same (secret) key for the encrypt and decrypt functions, whereas asymmetric encryption uses two different keys, the public key for encrypt and the private key for decrypt.

Figure 1 shows Alice using the symmetric encryption function with two inputs, the cleartext and the secret key, and one output, the ciphertext. Similarly, Bob uses the symmetric decrypt function with two inputs, the ciphertext and the secret key, and one output, the cleartext. When it is just Alice and Bob, they need to establish a shared key; but when multiple parties are involved, there are key management considerations.

Figure 1 – Symmetric encryption

COMMON SHARED KEY          UNIQUE KEY PER PAIR
Alice  Key B  Bob          Alice  Key A  Bob
Chuck  Key B  Bob          Chuck  Key C  Bob
Dave   Key B  Bob          Dave   Key D  Bob

Figure 2 – Symmetric Key Management

Figure 2 shows symmetric key management when multiple parties are involved. The left side shows when Bob shares a common "Key B" with Alice, Chuck, and Dave. However, cleartext encrypted by Alice might be decrypted by Chuck or Dave, so there is a distinct lack of confidentiality or privacy. The right side shows when Bob establishes a unique key per pair. Alice and Bob use "Key A," Chuck and Bob use "Key C," and Dave and Bob use "Key D." Consequently, cleartext encrypted by Alice, Chuck, or Dave can be decrypted by Bob but not by the other parties. Nevertheless, Bob must manage a symmetric key for each party, which is not particularly scalable. Asymmetric cryptography can reduce the number of keys that need to be managed.

Figure 3 illustrates Alice using the asymmetric encryption function with two inputs, the cleartext and Bob's public key, and one output, the ciphertext. Conversely, Bob uses the asymmetric decrypt function with two inputs, the ciphertext and his associated private key, and one output, the cleartext. The public key is mathematically derived from the private key (for RSA, both keys are computed from the same secret primes; for Diffie-Hellman and elliptic-curve systems the public key is computed directly from the private value), but the private key cannot be derived2 from the public key, so Alice cannot access Bob's private key. Public keys3 might be used as either a data encryption key (DEK) for data encryption or a key encryption key (KEK) for key management. Alice needs to validate that the public key be-

Figure 3 – Asymmetric encryption

1 "Encryption," Wikipedia – https://en.wikipedia.org/wiki/Encryption.
2 This article does not address quantum computer risks (QCR) or post-quantum cryptography (PQC).
3 Note that only reversible asymmetric algorithms (e.g., RSA) can be used for encryption.
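Figures 1 through 3 in runnable form, as an added example that is not part of Stapleton's article: it shows which parties can recover Alice's cleartext under the common-key and key-per-pair models of figure 2, how the key count grows with the number of parties, and the one-way relationship between Bob's public and private key in figure 3. The symmetric cipher is a toy keystream built from HMAC-SHA256 in counter mode so the script needs only the standard library, the party names and key labels follow the figure, and the RSA numbers are tiny textbook values; all of these are constructed for the demonstration.

```python
"""Who can read what under each key-management model, and how many keys Bob holds.

Added illustration; not code from the article. The stream cipher below is a toy
(HMAC-SHA256 in counter mode) so the example runs offline on the standard library;
real deployments use an authenticated cipher such as AES-GCM. The RSA parameters
are deliberately tiny so the arithmetic is visible.
"""
import hashlib
import hmac
import secrets

PARTIES = ("Alice", "Bob", "Chuck", "Dave")
NONCE_LEN = 16


# --- toy symmetric cipher (figure 1) -------------------------------------------
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Expand key+nonce into a pseudo-random stream, one HMAC block per counter value."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def sym_encrypt(key: bytes, cleartext: bytes) -> bytes:
    """Cleartext + secret key -> ciphertext, with a fresh nonce prepended."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(cleartext, _keystream(key, nonce, len(cleartext))))
    return nonce + body


def sym_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Ciphertext + secret key -> cleartext. A wrong key yields garbage rather than
    an error: plain encryption gives confidentiality but no integrity check."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


# --- figure 2: which symmetric keys each party holds ---------------------------------
def holdings_common_key() -> dict:
    """Left side of figure 2: everyone who talks to Bob shares one 'Key B'."""
    key_b = secrets.token_bytes(32)
    return {name: {"Key B": key_b} for name in PARTIES}


def holdings_key_per_pair() -> dict:
    """Right side of figure 2: Key A, Key C, Key D; Bob must keep all three."""
    pair_keys = {name: secrets.token_bytes(32) for name in PARTIES if name != "Bob"}
    holdings = {name: {f"Key {name[0]}": k} for name, k in pair_keys.items()}
    holdings["Bob"] = {f"Key {name[0]}": k for name, k in pair_keys.items()}
    return holdings


def who_can_read(holdings: dict, sender: str, cleartext: bytes) -> set:
    """Encrypt with the sender's key and report every party whose keys recover the
    cleartext (the demo knows the cleartext; a real system would need a MAC to tell)."""
    key = next(iter(holdings[sender].values()))
    ciphertext = sym_encrypt(key, cleartext)
    return {
        party for party, keys in holdings.items()
        if any(sym_decrypt(k, ciphertext) == cleartext for k in keys.values())
    }


def pairwise_key_count(n_parties: int) -> int:
    """Unique key per pair for a full mesh: n(n-1)/2 keys, n-1 held by each party.
    With asymmetric cryptography each party holds one keypair instead."""
    return n_parties * (n_parties - 1) // 2


# --- figure 3: textbook RSA with toy primes ------------------------------------------
def rsa_toy_keypair():
    """Return (public, private) as (n, e), (n, d). Both keys come from the secret
    primes p and q; knowing (n, e) alone does not give d."""
    p, q, e = 61, 53, 17                      # constructed toy parameters
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                       # private exponent, e^-1 mod phi
    return (n, e), (n, d)


def rsa_encrypt(public_key, m: int) -> int:
    n, e = public_key
    return pow(m, e, n)


def rsa_decrypt(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    msg = b"account 4111 1111 1111 1111"      # constructed sample cleartext
    print("common Key B, readers:", sorted(who_can_read(holdings_common_key(), "Alice", msg)))
    print("key per pair, readers:", sorted(who_can_read(holdings_key_per_pair(), "Alice", msg)))
    for n in (4, 10, 100):
        print(f"{n:>3} parties: {pairwise_key_count(n):>5} pairwise symmetric keys vs {n} keypairs")
    pub, priv = rsa_toy_keypair()
    c = rsa_encrypt(pub, 65)
    print("toy RSA: 65 ->", c, "->", rsa_decrypt(priv, c))
```

With the shared Key B every party recovers Alice's message; with a key per pair only Alice and Bob do, and Chuck's and Dave's attempts return silent garbage, which is exactly the missing-integrity point made above. The key count is what pushes the article toward asymmetric cryptography: 100 parties need 4,950 pairwise keys but only 100 keypairs.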