Cybersec Reviewer

CYSEC 4 (CompTIA) REVIEWER

Chapter 1
Supporting IT Governance and Risk Management
- Identify the importance of IT Governance and Risk Management
- Assess Risk
- Mitigate Risk
- Integrate Documentation into Risk Management

IT Governance
A concept in which stakeholders ensure that IT resources align to objectives and add value.

- Also seeks to mitigate risks associated with IT resources.
- Concerned with what the organization can achieve with IT.
- IT resources must align with business needs.
- Enables IT management to determine how to achieve goals.

Impact of Good Governance


Process that enables an organization to make the best possible decision with respect to governance.

- Increases likelihood of creating business value from IT resources.
- Security is no exception.
- Security resources create value by protecting assets crucial to business operations.
- Resources must be cost-effective and meet high- and low-level requirements.
- Good governance contributes to success and survivability of the organization.
- Resources failing to uphold good governance may bring harm to the organization.

IT Governance and Risk Management


- A CASP+ may not be directly in charge of guaranteeing good governance.
- Risk management is a crucial element of good governance.
- IT governance and risk management lay the groundwork for all you do.
o Everything from designing a secure network architecture to configuring access control.
- Stakeholders expect enterprise to adhere to a risk management framework.
- You may be called on to communicate how IT manages risks.

New and Changing Business Strategies


- New technology means new forms of business.
- Compare pre-Internet era to the current one.
- New opportunities for partnerships, outsourcing, relying on cloud providers, mergers, and demergers.
- All these business models have an impact on ERM (Enterprise Risk Management).

Partnership Strategies
- Partner agreements define roles, responsibilities, and actions each partner takes.
- Risk management involved in evaluating these agreements.
o Without risk management, each partner is exposing its business to loss and other risks.
- Security team must be involved in partnership agreements.
- Agreement should define:
o How partners secure their data
o What data each partner can access
o How information should flow from partner to partner
- Each partner should consider what controls it needs to implement to mitigate risk.

Outsourcing Strategies
- Organization can shift business processes to an external service provider.
o Can save the organization time, effort, and money.
- Service provider is liable for some security risks.
- You should still evaluate and audit provider.
o Failure can lead to penalties if sensitive data or compliance requirements are involved.
- You must understand the scope of audit documents.
- Don’t assume security reports from providers are comprehensive.
o Ex. Technical penetration test may not reveal social engineering vulnerabilities.

Cloud Strategies
- Organizations offload infrastructure and other assets to an Internet-based resource.
- Like outsourcing, you typically rely on a third party.
- Cloud also offers improved automation whereas traditional outsourcing may not.
- Cloud may also provide new software, platforms, and other technology.
o You must incorporate this technology in the ERM process.
o Raises unique security concerns.
▪ Ex. Flow of sensitive data over a virtualized networking platform
- Auditing requirements may differ from traditional outsourcing providers.
- Automated cloud resources may become more opaque to the enterprise.

Merger and Acquisition Strategies


- Two organizations decide it is more profitable to operate as one.
- Excellent opportunity to conduct risk management activities.
- Combined entity must consider ERM influencers like:
o Corporate culture
o Brands
o Business units
o Market opportunities
o Other issues
- Mergers can be challenging if security controls differ between the organizations:
o Different technologies to integrate.
o Different controls to align.
o Different reporting structures to streamline.
o Other issues.

Demerger and Divestiture Strategies


- Organization may split and restructure for a variety of reasons.
- Requires the careful application of ERM.
- Split entities may take business components with them or continue to share them.
- Risk assessment accounts for all assets in light of this restructuring.
- Both entities may retain access but have diverging security policies.
- Data ownership may also be an issue.
o Owner is responsible for data’s security.
o Each split entity must agree to ownership terms.
o Ownership change may prompt a reclassification of data to align with policy.

Integration of Diverse Industries


Integration Element - Security Concern

Rules and policies
- Customization of rules/policies depends on industry.
- A business you integrate with may fail to uphold your requirements.
- Assess where rules and policies differ.

Legal requirements and regulations
- Laws and regulations may differ between industries.
- You could be held liable if a business you integrate with is negligent.
- Export controls may limit the transfer of technology outside the country.

Geography
- Industries may prefer certain geographic locations over others.
- Assess risks associated with physical/natural environment.

Foreign laws and customs
- Operating in a foreign country puts the enterprise under a different jurisdiction.
- Possible contradiction between foreign attitudes and your security requirements.

Third-party Providers
- You can’t control all elements of a third-party’s security.
- How do you assess its risk, then?
- Ensure third-party provides security training and awareness programs.
o Share best practices for end security.
o Human element is the biggest risk.
- Consider provisioning security controls for the third-party.
o You can help them uncover and mitigate risks.

De-perimeterization
Perimeter-Changing Concept - Risk Consideration

Mobility
- Remote employees may tunnel into your network or use mobile devices.
- Expands network’s boundaries; more difficult for you to control.

Cloud
- You may have less control over cloud environments than local ones.
- Provider’s security guarantees may be insufficient.
- Security controls may not integrate properly with your environments.

BYOD
- Work done in the office may not stay there.
- May put sensitive data at risk of being lost or stolen.
- Users may not secure their devices.

Outsourcing
- May shift your security to an environment you have little control over.
- Third party may have its own security policies, or none at all.
- Outsourcing key elements of the organization may bring significant risk.

User Behaviors
- New products, technologies, threats, and user behaviors are constantly changing.
- Users are the largest risk.
- End users are frequent targets of social engineering.
o Not as tech savvy or knowledgeable as IT/cybersecurity personnel.
- Analyze the ways the organization does business with users.
o Find weaknesses attackers exploit.
- Ex. SMTP spoofing to send fraudulent help desk requests over email.

New Products and Technologies


- New products
o These introduce new vulnerabilities and threats.
o Consult with HR and legal during ERM.
o Evaluate products’ vulnerabilities and assess risk.
- New technologies
o Evaluate vulnerabilities and threats.
o Different technology has different risks.
o Include HR and legal in ERM process.

New Threats
- Attackers are constantly inventing new attacks.
- New threats introduce new risks.
- Threats can be malicious or unintentional.
o Unintentional ex: New office in a coastal city that is subject to hurricanes.
o Malicious ex: New weakness found in existing network protocols.

Internal and External Influences


- Internal compliance
- External compliance
- Internal client requirements
- External client requirements
- Audit findings
- Top-level management
- Competitors

Policy Lifecycle
- Reasons for policies are numerous:
o Compliance reasons.
o Growth of business.
o Meeting contractual obligations.
o Response to a breach.
- Begin crafting policy:
o Download a free template.
o Customize the template to fit your organization.
o Consult with security experts.
o Compare and contrast with other organizations.
- Policy should be easy to understand.
- Policy should be treated as a legal document.
- Involve business leaders in policy development.
- Policy is a living document that must adapt to:
o New business methods.
o New technologies.
o Changing environments.
o Emerging risks.

Process and Procedure Lifecycle
- Process and procedures documents support policies.
- How-to style documents used by employees to implement policies.
- Must be tailored to the audience that uses them.
o Data handling procedures used by system admins have technical steps.
o Data handling procedures used by marketing employees are more generalized.
- Style varies between organizations and industries.
- Begin crafting processes and procedures:
o Use document templates provided by security organizations.
o Consult with security experts.
o Compare and contrast to other organizations.
- Living documents that must adapt to changes.

Legal Compliance and Advocacy


- HR can guide policy in accordance with labor/privacy laws.
- Legal can ensure policy does not violate laws or other regulations.
- Regulatory agencies can provide support for regulatory requirements.
- Management’s input and approval ensures policy upholds business requirements.
- Employees can identify low-level business processes that prompt a policy change.
- Industry organizations can provide example policies or best practices.

General Privacy Principles


- Non-public data on individuals must be protected from exposure or tampering.
- Failure to protect privacy can lead to brand damage.
- Different places have different privacy requirements.
- Support user expectations of privacy when writing policies.
- PII (Personally identifiable information) can include details like phone numbers, addresses, birth dates, etc.
o Treated differently based on context (e.g., full name on LinkedIn vs. a dating site).
- Communicate to customers how you use their PII.
- Offer guidelines to help customers protect their PII.

Business Documents That Support Security Initiatives


- Master Service Agreement (MSA)
- Statement of Applicability (SOA)
- Business Impact Analysis (BIA)
- Interoperability agreement (IA)
- Interconnection Security Agreement (ISA)
- Memorandum of Understanding (MOU)
- Service-level agreement (SLA)
- Non-disclosure agreement (NDA)
- Business partnership agreement (BPA)

Guidelines for Integrating Documentation into Risk Management


- Download free policy templates.
- Consider hiring a consultant.
- Use direct, concise language.
- Include business leaders in policy development.
- Support policies with clearly defined process and procedures.
- Make processes and procedures easy to follow.
- Consider policies, processes, and procedures to be living documents.
- Incorporate best practices into policies based on your specific requirements.
- Involve HR, legal, management, and other entities in the policy development process.
- Ensure that policies have provisions for legal and regulatory compliance.
- Identify any sensitive PII that your organization handles.
- Be up front with your clients as to how their PII will be used.
- Advise your clients on best practices to maintain privacy.
- Draft a BCP (Business Continuity Plan) to maintain day-to-day operations in the event of an incident.
- Define in the BCP what components are at risk and how they should be preserved.
- Review your BCP and test it on a regular basis.
- Identify business documents and agreements applicable to your enterprise needs.
- Use a partner agreement requiring strong security and legal and financial liability.

Chapter 2
Leveraging Collaboration to Support Security
- Facilitate Collaboration across Business Units
- Secure Communications and Collaboration Solutions

Governance, Risk Management, and Compliance Committee


A system for addressing these three information security needs in an enterprise.

- GRC solutions collect info on how these topics are integrated into business functions.
- Can detect deviations from policy, risk management, and legal compliance.
- Used by risk-averse organizations like financial institutions.
- Enterprise may form a GRC committee.
- Requires comprehensive knowledge of security architecture.
- Need to be able to communicate the "big picture."
- Don't think of security components in a vacuum.
- How do components work together to achieve security goals?
- Committee members appointed by board of directors.
o High-level managers from IT, cybersecurity, finance, etc.
o You may not be on the committee, but you'll be affected by it.

Communication with Stakeholders from Other Disciplines


Sales staff
- Generates revenue and has access to a lot of data.
- Explain how their next sale may be at risk.

Programmer
- Creates and maintains enterprise applications.
- Ensure security is included early in development process.

Database administrator
- Manages database integrity and security.
- Research the latest trends in database security and vulnerabilities.

Network administrator
- Manages and protects the network from attacks.
- Research the current trends in network security and vulnerabilities.

Management
- Responsible for business strategy.
- Explain security in the context of profitability and appearance.

Financial
- Manages and monitors all financial transactions.
- Explain the cost of not being secure.

Human resources
- Tasked with hiring/background checks and user training.
- Include in policy development process.

Emergency response team
- Executes disaster response processes.
- Include in development of BCP.

Facilities manager
- Ensures work environment is safe and supports operations.
- Explain loss of productivity if facilities are impacted.

Physical security manager
- Maintains and protects devices and other physical components.
- Explain how a physical breach can lead to a breach of information.

Legal counsel
- Offers guidance on law as it pertains to business operations.
- Explain current business needs and ongoing strategy.

Collaboration within Teams


- Effectively implementing security requires collaboration.
- Find out what will support or inhibit this collaboration.
- Employees may be unaccustomed to a team environment.
o Could impact productivity and lead to security weaknesses.
- Promote teamwork to ensure a smooth process.
o Take advantage of team members' strengths.
o Include all team members in decision making.
o Communicate goals and progress.
o Create a shared vision to build trust.

Security Processes and Controls


- Processes and controls depend on security needs.
- You still need to communicate the importance of these processes/controls.
- You also need to provide objective guidance.
o Subjective conclusions are unconvincing and unhelpful.
o Back up claims with evidence and industry-accepted analysis.
- Example: ISO/IEC 27001:2005 requires that management:
o Examine relevant security risks, threats, and vulnerabilities.
o Design and implement controls and risk treatments.
o Adopt ongoing and overarching risk management process.

Security Control Groups and Categories


- It helps to communicate controls by breaking them down into groupings.
- One grouping focuses on what the control is:
o Procedural
▪ A security policy.
o Technical
▪ A security event monitor.
o Physical
▪ A physical door.
- Second grouping focuses on what the control does:
o Detective
▪ Identifies a threat.
o Preventative
▪ Prevents an attack from occurring.
o Corrective
▪ Remediates a vulnerability.

Guidelines for Facilitating Collaboration Across Business Units


- Learn about the day-to-day work of the many disciplines in the enterprise.
- Convey the importance of security for each discipline.
- Target each discipline as its own audience.
- Involve relevant disciplines in policy and procedure development.
- Take advantage of team members' strengths.
- Include relevant team members in decision making.
- Communicate goals and progress to all team members.
- Create and communicate a shared vision.
- Provide objective guidance for security controls.
- Adopt a widely recognized standard for security controls like ISO/IEC 27001:2005.
- Communicate security controls in terms of categories and groups.
- Ensure GRC committee understands the "big picture" of security operations.

UC
(Unified Collaboration)

The integration of a large number of communication platforms that traverse different networking technologies.

- Also called unified communications.
- UC is shifting from older technologies to Internet-based technologies.
- Requires additional security to uphold CIA of communications.
- Security that worked on private networks may not necessarily work across the Internet.

Tool - Security Considerations


Web conferencing
- Draft acceptable use policy.
- Use SSL/TLS where available.
- Configure app's features appropriately.

Video conferencing
- Similar concerns to web conferencing.
- May want to avoid revealing faces or locations.

Instant messaging
- Implement transport encryption where available.
- Draft AUP for regulating presence information.

Email
- Use transport encryption protocols like PGP and S/MIME.
- Harden internal email servers.
- Implement anti-malware on end-user workstations.

Telephony
- Similar concerns to web conferencing.

Collaboration Sites
- Internet-exposed sites should use SSL/TLS.
- Configure the site's access control hierarchy.

Remote Access
A solution that enables users to access resources and services located outside of the user's network or physical
location.

- Desktop sharing:
o Remote log-in enables users to connect to their desktop while physically away.
o Real-time collaboration enables users to share their desktops to others.
o Requires strong authentication and transport encryption.
- Remote assistance:
o Enables a specialist to temporarily control a user's computer to provide help.
o Also requires strong authentication and encryption.
o Assistance should be by invitation only to prevent social engineering.

Guidelines for Securing Communications and Collaboration Solutions


- Research UC tools to see which fit best in your enterprise.
- Use transport encryption in conferencing/telephony software.
- Ensure strong authentication for meetings and remote sessions.
- Select apps and tools that are highly configurable.
- Use encryption protocols like PGP and S/MIME for email.
- Encourage end users to invite remote assistance and reject unsolicited assistance.
- Restrict employees from divulging sensitive presence information.

Chapter 3
Using Research and Analysis to Secure the Enterprise
- Determine Industry Trends and Their Effects on the Enterprise
- Analyze Scenarios to Secure the Enterprise

Ongoing Research
- Security is a task that never finishes.
- Threats will evolve.
- You must stay up-to-date through ongoing research.
- Best practices for research:
o Seek out reputable sources of information like NIST and ISACA.
o Subscribe to security mailing lists like Bugtraq.
o Follow social media groups dedicated to information security.
o Consult vulnerability databases like the CVE.
o Follow security vendor announcements.
o Exercise discretion with unverified sources.
o Corroborate with multiple sources.

Situational Awareness
An understanding or perception of your environment from a business or technological aspect.

- You need a thorough understanding of your enterprise environment.
- With awareness, you can more easily combat future threats and vulnerabilities.
- Important skill to develop through:
o Data collection logs.
o Use of latest technologies.
o Continuous research into new threats/vulnerabilities.
- Example: You discover a new vulnerability in an OS you use.
o You find an exploit on the Internet.
o You can assess its impact on the enterprise.
o Exploit could lead to privilege escalation on servers.
o You move to secure your systems against this specific threat.

Threat Intelligence
The investigation and collection of emerging threats and emerging threat sources.

- An exercise in situational awareness.
- Security organizations are at the forefront of threat research.
- Identifies both attacks and attackers.
- Also identifies current threats.
o Vulnerability may not be patched yet or cannot be.
o Threat may not have a known matching vulnerability.
- Can also inform mitigation efforts against zero-day vulnerabilities.
o There may be stopgap measures.
o Can prevent damage before full fix is available.

Threat Modeling
The threat intelligence process of identifying and assessing possible attack vectors that target systems.

- Identify attacker objectives.
- Identify vectors and requirements.
- Identify mitigation techniques.

Technology Evolution
The ongoing process by which older technology is replaced by newer technology to meet changing business needs.

- Staying up-to-date on new technologies is critical.
- Examples of emerging security technologies:
o Machine learning threat management tools.
o Cloud access security brokers (CASB).
o Blockchain tools.
o User behavior analytics (UBA).
o Containerization security tools.
o Homomorphic encryption.
- New Internet-based technologies often go through RFC process.
o Supports peer review of new technologies.
- Organizations commonly adhere to ISO standards.
o New technology goes through standardization process.

Social Media as a Business Tool


- Business must adapt to a highly connected society.
- Use of social media can greatly impact the business.
- Two major platforms are Facebook and Twitter.
o Facebook can help keep a business in front of customers.
o Twitter can help a business interact with individual customers.
- Social media strategies can provide significant benefits.
- Consider the security implications of social media.
o Research security and privacy features of each platform.
o May lead to oversharing of sensitive data.
o Platforms evolve and may add or remove security features at will.
o Monitor platforms closely and emphasize best practices for end users.

AI
Artificial intelligence: A scientific discipline that encompasses human-like intelligence exhibited by non-living machines.

Machine learning: An approach to AI using algorithms to parse input data and make predictions about an environment based on this data.

Deep learning: Machine learning which constructs knowledge as a hierarchy of layers, comparing complex concepts to simpler ones.
- Standard machine learning requires human definition of factors.
o System does its own classification of these factors when analyzing input.
o Gradually improves its classification and predictive abilities.
- Deep learning defines factors itself.
o Makes independent predictions.
o Security system can discover unprecedented threats/vulnerabilities.

Machine learning

Network traffic input -> Human determines malicious factors -> System classifies factors -> Decision made (MALICIOUS or BENIGN)

Deep Learning

Network traffic input -> System determines and classifies factors -> Decision made (MALICIOUS or BENIGN)

Global Information Assurance Industry and Community


Component - Description

CERT
- A team of security professionals that provide incident response services to the private and public sectors.

Conventions/Conferences
- "Hacker" conferences: DEFCON, HOPE, DerbyCon, ShmooCon
- Business conferences: BlackHat, Source Conferences, GFIRST, SecureWorld Expo

Threat actors
- Hacker sites, social media, and conventions can give you an opportunity to learn more about what they know and plan to do.

Threat Intelligence
- McAfee Global Threat Intelligence
- SecureWorks Counter Threat Unit
- Recorded Future Cyber Threat Intelligence
- Accenture iDefense

Security Requirements for Contracts


1. Request for information (RFI):
- Presents the organization's need to contractors.
- Asks for qualifications and experience.
- CASP+ should stay involved if security clearance is a requirement.

2. Request for proposal (RFP):
- Asks candidates how they can fulfill needs stated in RFI.
- CASP+ should be involved in this phase.
- Will contractor's services and equipment create new vulnerabilities?

3. Request for quote (RFQ):
- Sent to remaining candidates to discuss pricing.
- CASP+'s role may be less important in this phase.
- CASP+ may still be involved in testing of solution.

4. Agreements:
- SLAs, OLAs, etc., come into play.
- CASP+ should ensure correct agreement is chosen.
- CASP+ should also ensure agreements account for unique security needs.

Guidelines for Determining Industry Trends and Their Effects on the Enterprise
- Consider security to always be ongoing.
- Conduct frequent research into threats and vulnerabilities.
- Seek out reputable sources of information.
- Subscribe to social channels that focus on security.
- Stay current on newly found vulnerabilities.
- Exercise discretion with unverified sources.
- Stay aware of your enterprise environment.
- Take advantage of threat modeling.
- Research security implications of AI.
- Consult RFC proposals and ISO standards for technologies.
- Draft policies on proper use of business tools.
- Caution employees against oversharing sensitive info on social media.
- Consult services like CERT and threat intelligence.
- Attend security conferences and conventions.
- Follow attacker spaces to keep up-to-date on their activities.
- Research potential business partners to include security requirements in contracts.

Baselines and Benchmarks


Security baseline: A group of security configurations that apply to a particular system in the enterprise.
- Baselines measure what should be using metrics.
o Metrics should accurately measure relevant info about a system.
- Baseline used as a reference point in future analysis.
- You'll want to create baselines for many different systems.

Security benchmark: The current state of a system after it has been run through a test.

- Example: Traffic is monitored for 24 hours.
o Statistics gathered contribute to network benchmark.
- Compare benchmarks to baselines.
o Can reveal if security requirements are being met.

KPIs
A quantifiable metric used to determine if a system or other asset is meeting the enterprise's strategic and operational
goals.

- Measures what is considered vital to the company's success.
- Aggregated data often presented as a dashboard.
- Executives use dashboard to spot positive or negative trends.
- KPIs can report multiple statistics like time of day, day of week, etc.
o Requires that you actually have this data.
- KPI software can drill down into more and more detail.

Common Security KPIs


- Number of vulnerabilities that have been discovered and remediated.
- Number of failed login attempts.
- Number of systems not in compliance.
- Number of security incidents in the last month.
- Average response time for a security incident.
- Average time required to resolve a help desk call.
- Number of unresolved technical issues in a project or system.
- Number of employees who have completed security training.
- Percentage of test coverage on in-house applications.

Prototyping and Testing


- Model solution scenarios to test hardware, software, processes, etc.
- Software testing can be done in a sandbox.
- Request demonstration conducted by vendor.
- All key requirements must be evaluated.
- New solution needs a breaking-in period.
- Monitor new solution carefully during operations.
- Examine the problem the solution is supposed to solve.
- Increase stress testing as necessary.

CBA
(cost-benefit analysis)

The process of determining whether the cost of a solution outweighs its benefit to the organization.

- If it does, the solution may not be viable.
o May be removed or deprecated.
- You will need to seek out solutions that:
o Uphold security.
o Are reasonably priced.

ROI and TCO


Return on investment: A determination of how much money or benefit will be gained in relation to the amount of
money that is being spent.

- (Gain from investment / Money spent on investment) * 100
- Example:
o IPS costs $1,000.
o Halts an intrusion that would have cost $5,000.
o ROI is 500%.

Total cost of ownership: The total cost of acquiring, implementing, and maintaining a solution.

- IPS example:
o Added costs for tech support, license renewal, etc.
- Enables more objective assessment of ROI.

Solution Attributes
Attribute - Description

Performance
- How much work a solution can accomplish in a given time.
- Umbrella term that encompasses other attributes.

Availability
- Whether or not a solution is usable at a given time.
- If solutions go down, business needs cannot be met.

Capability
- What a solution can do within its intended purpose.
- If solutions are missing features, business needs cannot be met.

Latency
- The reaction time of a solution.
- Delays in processing can lead to weakened security.

Scalability
- The ability of a solution to expand given changing conditions.
- Solutions that aren't scalable may become ineffectual in the future.

Usability
- How easy or difficult a solution is to learn and use.
- If it's too difficult to use a solution, productivity may drop.

Maintainability
- How much upkeep or maintenance a solution requires.
- If a solution is hard to maintain, it may be more hassle than it's worth.

Recoverability
- The ability of a solution to return to a prior state after an adverse event.
- If a solution can't recover, an incident may render it useless.

Trend Data
- Stay informed about the general direction of information security.
- Looking at data as a whole can expose trends.
- Trends can indicate future issues and help you prepare to mitigate them.
- Absorb new information from various sources.
- Exercise critical thinking.
- Don't be tripped up by distractions or misleading information.

Review Existing Security


- Current solutions should be providing the most benefit possible.
- Consistent reviews ensure ROI increases.
o Pleases business stakeholders.
o Increases overall security.
- Conduct internal reviews of security every year at minimum.
- Check reviews against policies to see if standards are being met.
- May need to involve external resources to verify security.

Gap Analysis
The process of identifying the differences between an existing state and a desired state, as well as identifying how to
close the gap.

1. Identify existing controls
2. Identify existing results
3. Identify desired results
4. Identify gap
5. Identify solutions
6. Identify solution requirements

AAR
(after-action report)
An analysis of events that can provide insight into the directions to take in the future.

- After an incident, document what the incident means for your security.
- Identify security elements that need improving.
- Learning from successes and mistakes fine-tunes your judgment.
- Questions to answer in an AAR:
o What actions did you take?
o Is this the optimal solution?
o Are there better solutions?
o Did the teams react quickly and efficiently?
o How would you respond differently?
o Does security policy need to change?

Reverse Engineering
The process of analyzing a system’s structure to reveal how it functions at the base level.

- You can identify how a legacy system works.
- You can identify vulnerabilities.
- Some solutions are easier to deconstruct than others.
o Java files can be easy to decompile into source code.
o Obfuscated code is difficult for humans to analyze.
o Hardware can be difficult to reverse engineer.

Guidelines for Analyzing Scenarios to Secure the Enterprise


- Create a security baseline for each system.
- Use KPIs and other metrics to measure systems for a baseline.
- Conduct routine benchmarks and compare them to baselines.
- Prototype and test multiple solutions.
- Request a live environment test from a vendor.
- Determine the ROI and TCO of a solution.
- Analyze security solution attributes.
- Collate information from various sources to identify trends.
- Exercise critical thinking when dealing with unverified information.
- Review the effectiveness of existing controls.
- Use judgment to solve problems without a clear solution.
- Perform gap analyses.
- Write an after-action report.
- Think of questions to ask in an AAR.
- Reverse engineer systems when possible.

Chapter 4
Integrating Advanced Authentication and Authorization Techniques
- Implement Authentication and Authorization Techniques
- Implement Advanced Identity and Access Management

Authentication
The method of validating a particular entity or individual's identity.

- Mechanisms determine if an entity has the right credentials for access.


- Advanced authentication covers complex processes.
- Must apply processes to interconnected networks, hardware, apps, and services.
- Organizations open up new locations, support remote users, and combine networks.
- Example: Customer info needs to be protected.
o More access points may increase likelihood of a breach.
o Cost of poor authentication could be devastating.
o Important to take advantage of advanced authentication frameworks.

Identity Proofing
The process of verifying that a user's identity characteristics are accurate and unique before their identity is
established in a system.

- Authentication comes after, when the identity is already in place.


- Proofing creates a trusted foundation for later authentication.
- In-person proofing:
o Employed in high-risk scenarios.
o More secure; requires co-location of user and proofing agent.
o Can be time consuming, costly, and requires training.
o Example: Bringing driver's license when applying for a loan at a bank office.
- Remote proofing:
o User presents identity info over the Internet.
o Alleviates hassle of in-person proofing.
o More susceptible to fraud; can be done from anywhere.
o Example: Submitting social security number when signing up for online tax filing service.

Certificate-Based Authentication
An authentication framework in which certificate authorities and digital certificates provide a number of security
guarantees.

- Servers and clients can verify each other's authenticity through certificates.
- Certificates prove subject's identity.
- Certificates can authenticate various actions and requests.
- Client and server can be assured of who they are communicating with.
- Revoking certificates can lock out accounts if there's an issue.
- Certificates can bypass the need for passwords.

Context-Aware Authentication
The process of authenticating a user based on various characteristics about the user's or system's environment.

- System can more confidently verify identities.


- Passwords can be stolen; context is hard to spoof.
o Especially if multiple factors are used.
o Especially if factors are hidden.
- General factors:
o User's identity characteristics.
o Resource being requested.
o Characteristics of resource being requested.
o Location of user and/or resources.
o Time the resource is being requested.
- Example: front door requires more than a key.
o Is the door being accessed at the normal time?
o Is the person's physical appearance recognized?

Push-Based Authentication
An authentication method in which a system sends a user a push notification on a mobile device for the user to either
approve or deny.

User tries to access resource -> User receives push notification -> User is authenticated

- Authenticates user out-of-band (separate channel).


o Minimizes risk of main channel compromise.
- Bypasses SMS vulnerabilities (interception, redirection).
o Sends message over encrypted channel to custom app.

802.1X
A standard used to provide a port-based authentication mechanism over a LAN or wireless LAN.

- Encapsulates frames in EAP.


- Provides support for RADIUS authentication.
- Supports password-based as well as certificate-based credentials.
- Three roles:

Supplicant - Authenticator - Authentication Server

1 – Request initialized

2 – Identity provided
3 – Access challenge issued

4 – Credentials provided

5 – Access granted

Authorization
The process of determining what rights and privileges a particular entity has.

- Occurs after the entity has been authenticated.


- Not all users need access to the same resources.
- Example: Delegating permissions for a network share folder.
o Folder holds manufacturing information.
o Manufacturing personnel are granted access.
o Product development personnel are denied access.
- There are more advanced authorization schemes.

OAuth

An open authorization framework that enables users to access secure APIs without sharing their password.

- Uses a token.
o Short string combined with a secret string.
- User names and passwords can bring about an increased attack surface.
o Requires storage of credentials.
o Credentials may be passed over the network.
o OAuth mitigates this risk.
- Used by sites like Facebook, Twitter, etc.
- Helps limit enterprise apps' exposure of user credentials.

OAuth Process

XACML
An XML-based standard for access control and authorization.

- Highly flexible.
- Enables centralized or distributed management.
- Three-level hierarchy:
o Rules
o Policies
o PolicySets
- Rules have three components:
o Subject
o Resource
o Action
- Alleviates need for apps to have their own access control methods.
- Can integrate new policy requirements as they change.

SPML
(Service Provisioning Markup Language)

An XML-based authorization framework for automating and managing the provisioning of resources across
networks and organizations.

- Enables assets assigned to entities to be tracked and managed.


- Automatically changes provisioning parameters when updates are needed.
- Used with SAML and XACML for secure access to resources.
- Can save manual processing time and avoid human-related errors.
- Uses a Requesting Authority.
o Client that creates provisioning requests.
- Sends request to Provisioning Service Point (PSP).
o Processes request and creates/modifies user accounts.

Trust Model
A model that defines the relationship between authentication services so that they may accept each other's assertions
of users' identities and permissions.

- Determine how organizations authorize users' access to various resources.


- Two major types: hierarchical and peer.
- Hierarchical:
o Has one authority that verifies all resources under it.
o Quick and effective.
o If authority is compromised, entire hierarchy is compromised.
o Example: Certificate-based authentication/PKI.
- Peer:
o Relies on transitive relationship: A trusts B, B trusts C, therefore A trusts C.
o Can avoid a single point of failure.
o Are complex and harder to manage.
o Example: Active Directory trust between forests and domains.

Trust Models Figures


Authentication Protocols
- PAP:
o Sends user IDs/passwords as plaintext.
o Used to connect to non-Windows servers that don't support strong encr
o Insecure and obsolete.
- CHAP:
o No passwords sent over the network.
o Uses MD5 hashing and challenge-response.
o More secure than PAP, but still insecure and obsolete.
- EAP:
o Allows entities to choose authentication method.
o Supports future authentication methods.
o Used in wired/wireless networking and 802.1X authentication.
- PEAP:
o Open standard.
o Encapsulates EAP in a TLS tunnel.
o Protects against man-in-the-middle attacks.
- LEAP:
o Cisco's proprietary EAP implementation.
o Mutual authentication between client and RADIUS server.
o WEP key generation is a vulnerability.
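
The CHAP entry above (no password on the network, MD5, challenge-response) as an added example that is not part of the original reviewer. It follows the RFC 1994 response calculation; the class name, user name and secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side (hypothetical class): issues challenges and checks responses."""

    def __init__(self, shared_secrets: dict):
        # Both ends must hold the secret itself, not a one-way hash of it.
        self.shared_secrets = shared_secrets
        self.pending = {}          # identifier -> (user, challenge)
        self.next_id = 0

    def issue_challenge(self, user: str):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256     # identifier is one octet
        challenge = os.urandom(16)                  # fresh, unpredictable value
        self.pending[identifier] = (user, challenge)
        return identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        # pop() makes every challenge single-use, so a replayed response fails.
        user, challenge = self.pending.pop(identifier, (None, None))
        secret = self.shared_secrets.get(user)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange() -> dict:
    """Constructed sample exchange; returns what each check observed."""
    secret = b"constructed-shared-secret"
    server = Authenticator({"alice": secret})
    wire = []                                       # everything sent on the network

    ident, challenge = server.issue_challenge("alice")
    wire.append(challenge)
    response = chap_response(ident, secret, challenge)
    wire.append(response)
    accepted = server.verify(ident, response)

    # The same response presented a second time is rejected.
    replay_accepted = server.verify(ident, response)

    # A peer that does not know the secret cannot answer a new challenge.
    ident2, challenge2 = server.issue_challenge("alice")
    wrong = chap_response(ident2, b"wrong-secret", challenge2)
    wrong_accepted = server.verify(ident2, wrong)

    return {
        "accepted": accepted,
        "replay_accepted": replay_accepted,
        "wrong_secret_accepted": wrong_accepted,
        "secret_on_wire": any(secret in message for message in wire),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Only the challenge and the 16-byte MD5 digest cross the network, but the server has to keep the secret in recoverable form and the digest is plain MD5, which is consistent with the list above still rating CHAP as obsolete.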

LDAP
(Lightweight Directory Access Protocol)

A directory service protocol that runs over TCP/IP networks.

- Client authenticates to service.


- Service's schema defines:
o Tasks client can perform.
o Directory query format.
o Directory server response.
- LDAP is extensible.
- Secure LDAP incorporates SSL/TLS.
o Forces client and server to establish secure connection.
o Closes connection if interrupted or dropped.
o Requires certificate infrastructure.

AD
(Active Directory)

Microsoft's LDAP-compatible directory implementation.

- Structures organizational objects into a hierarchy.


- An object is a user, computer, or group.
- Objects are grouped into domains.
- Admins can centrally manage and control access to objects.
- Users can find resources anywhere on the network.
- Schema controls how accounts are created.

Guidelines for Implementing Authentication and Authorization


- Research the pros and cons of authentication and authorization schemes.
- Implement strong identity proofing to ensure users are who they say they are.
- Implement certificate-based authentication in web servers.
- Implement context-aware authentication to strengthen verification decisions.
- Implement push-based authentication for an out-of-band authentication factor.
- Incorporate 802.1X in network access control mechanisms.
- Use OAuth to secure client credentials that your app uses.
- Implement XACML to streamline access control policy integration.
- Implement SPML to securely automate resource provisioning.
- Configure RADIUS to use a secure protocol like PEAP.
- Encrypt LDAP communications with SSL/TLS.
- Take advantage of access control features provided by Active Directory.

Attestation
The technique of verifying that only the individuals who need certain access privileges have those privileges.

- Upholds principle of least privilege.


- Agent attests to the accuracy of access information.
o Held accountable for security audits.
- User-focused:
o Agent monitors privileges specific users have.
o Useful for changes in employment.
o Example: Verify added/removed privileges for promoted/demoted employee.
- Resource-focused:
o Agent looks over system to see the access permissions that users have on the system.
o Useful for mission-critical resources.
o Example: Customer records database has a list of users with the proper permissions.

Identity Propagation
The technique of replicating an authenticated identity through various processes in a system.

- System with multiple, discrete layers can accept the same identity.
- Often employed in mixed environments with systems from different vendors.
o Systems may differ in design or architecture.
- System must have fine-grained authorization rules.
o App developer needs their identity propagated through all processes.
o Database admin only needs propagation through front-end and records database.

Dynamic Role Membership


- Entities may be assigned roles that determine level of access to resources.
- In RBAC, entities may be assigned one or more roles.
o Describe job function(s) they are responsible for fulfilling.
o Resources required to fulfill job function(s) are available to relevant roles.
- Users may have alternating job functions.
- RBAC should be able to swap roles when necessary.
o Can be automated for greater efficiency.
- Example: Partner cloud environment.
o Admins need to be able to access partner's cloud when necessary.
o Admins assume a partner access role.
o Make role dynamic to ensure principle of least privilege.
o Conditions that change role membership may vary.
 Example: User logs in, assumes role, logs out, role is removed.

SSO
A technique that enables a user to authenticate once and receive access to several independent software systems.

- User doesn't need to sign in again when accessing specific systems.


- Example: Active Directory users aren't prompted to re-authenticate.
o Applications retrieve Kerberos service tickets automatically.
- Benefits:
o Compromised credentials can be recovered with a single action.
o Central server can delegate credentials and approve actions.
o Reduces time spent logging in.
o User only needs to remember one set of credentials.
- Drawbacks:
o Compromise of one set of credentials can provide unauthorized access to many systems.
o If authentication servers are down, all systems may be inaccessible.
o Secure SSO requires multiple authentication factors.

Identity Federation
The practice of linking a single identity across multiple disparate identity management systems.

- Provides centralized management structure for identities.


- Streamlines user experience into a single account.
- Windows 10
- OneDrive
- Can create a single point of compromise.
- Example: Enterprise closely integrates its domains with other companies.
o No need for each domain to manage identities separately.
o Can reduce risk and lower cost.

Identity Federation Methods
- SAML:
o XML-based framework for exchanging security-related information.
o Communicated in assertions over HTTPS.
o Conveys identity of subjects and authorization decisions.
o Clients request assertions from SAML authorities.
- OpenID:
o An authentication method for participating sites.
o User registers with OpenID system and signs in to sites with a single account.
o Site verifies identity with OpenID.
o Used by companies like Google and Amazon.
- Shibboleth:
o Based on SAML and often used by universities or public service organizations.
o User attempts to retrieve resources from Shibboleth-enabled site.
o Site sends SAML authentication info over URL queries.
o User goes through an identity provider to authenticate using this SAML info.
- WAYF:
o SSO implementation that asks users what institution they are from.
o User connects to a web resource, which refers to an identity management system.
o User must permit WAYF system to provide identity info to service provider.
o Service provider decides whether to allow user access.

Guidelines for Implementing Advanced Identity and Access Management


- Implement user-focused attestation when personnel routinely switch job functions.
- Implement resource-focused attestation to verify sensitive resource privileges.
- Implement identity propagation in systems of different design that work together.
- Ensure you have fine-grained control over identity propagation.
- Implement dynamic role membership to uphold least privilege.
- Implement secure SSO to make signing in easier for users.
- Implement identity federation to streamline identity management.
- Implement identity federation to reduce cost and risk.
- Use a SAML-based federation framework to securely manage identities.

Chapter 5
Implementing Cryptographic Techniques
- Select Cryptographic Techniques
- Implement Cryptography

Data in Transit Encryption


The process of securing the delivery of data that is transferred between parties.

- Also called transport encryption


- Can support confidentiality, integrity, authenticity, non-repudiation of transmissions
- Secure protocols must defend against passive and active attacks
- Passive attacks monitor communications to glean information
o Example: Eavesdropping on a VoIP call
- Active attacks can intercept and modify transmission contents
o Example: Man-in-the-middle can tamper with both sides of a transmission
o Rogue web/proxy servers can trick users into trusting them

Data in Transit Encryption Protocols


- Some data, by nature, must be encrypted
o Applies to both internal- and external-facing data
- Protocols:
o SSL/TLS for web-based encryption with PKI (SSL – Secure Socket Layer, TLS – Transport Layer Security, PKI - Public Key Infrastructure)
o SSH for remote session encryption (SSH – Secure Socket Shell)
o IPSec for cross-network encryption (Internet Protocol Security)
o WPA/2 for wireless network encryption (Wi-Fi Protected Access 2)

Data at Rest Encryption


The process of securing information that is stored on a medium and is not currently being modified or transferred to
another medium.

- Full disk encryption:


o Encrypts entire storage device
o Useful for protecting mobile devices that may be lost or stolen
o Example product: BitLocker
o Block-level encryption works on blocks of data in fixed sizes
- File encryption:
o Encrypts individual files and folders
o VeraCrypt creates containers to be used as files
o EFS encrypts files and folders in Windows NTFS (EFS – Encrypting File System, NTFS – New Technology File System)
- Database encryption:
o Encrypts a database in whole or in part
o Can incorporate data at rest and in transit encryption
o Individual records can be encrypted

Data in Use Encryption
The process of securing data as it is being processed by the system’s CPU or stored temporarily in volatile memory

- Encrypting data that’s being used requires more novel techniques


- Processor may need to read data and keep it private at the same time
- Wiping key material from RAM may be insufficient
o Attacker may capture memory before it’s wiped
- Data in use encryption is an emerging field
- Secure encrypted enclaves:
o Software code and data are segmented into memory ranges
o Only code in the same range can read the data
- Homomorphic encryption:
o Processor operates on ciphertext input
o Decrypted result is the same as if the processed input were plaintext
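
The homomorphic property in the last two bullets, as an added example that is not part of the original reviewer. It uses the Paillier scheme, which the page does not name, with toy-sized constructed primes; real deployments use primes of 1,024 bits or more.

```python
import math
import secrets


def keygen(p: int, q: int):
    """Return (public n, private (lam, mu)) for two distinct primes p and q."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    mu = pow(lam, -1, n)          # modular inverse; valid with generator g = n + 1
    return n, (lam, mu)


def encrypt(n: int, m: int) -> int:
    """Encrypt 0 <= m < n under public key n (randomised: same m, different c)."""
    if not 0 <= m < n:
        raise ValueError("message out of range")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1       # random r in 1..n-1
        if math.gcd(r, n) == 1:
            break
    # (n + 1)^m mod n^2 equals 1 + m*n, so no exponentiation is needed for g^m.
    return (1 + m * n) % n2 * pow(r, n, n2) % n2


def decrypt(n: int, private_key, c: int) -> int:
    lam, mu = private_key
    x = pow(c, lam, n * n)
    return (x - 1) // n * mu % n


def add_encrypted(n: int, ciphertexts) -> int:
    """Untrusted processor: multiply ciphertexts to add the hidden plaintexts."""
    total = 1
    for c in ciphertexts:
        total = total * c % (n * n)
    return total


def scale_encrypted(n: int, c: int, k: int) -> int:
    """Untrusted processor: raise a ciphertext to k to multiply the plaintext by k."""
    return pow(c, k, n * n)


if __name__ == "__main__":
    n, priv = keygen(1789, 1867)               # constructed toy primes
    values = [1200, 850, 42]                   # constructed sample inputs
    encrypted = [encrypt(n, v) for v in values]
    # The party doing the sum never sees the values or the private key.
    print(decrypt(n, priv, add_encrypted(n, encrypted)))   # 2092
```

Paillier is additively homomorphic only: it supports sums and multiplication by a known constant, not arbitrary computation on ciphertext.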

Hashing
A process that transforms plaintext input into an indecipherable fixed-length output and ensures this process cannot
be feasibly reversed

- Resulting output is called a hash, hash value, or message digest


- Input can vary in length; hash output is fixed-length
- Small changes in input produce significant changes in output
- Used in password authentication, digital signatures, and file integrity verification

Hash Function Resistance


Message Authentication Codes

Digital Signatures
A message digest that has been encrypted again with a user’s private key

- Enabled by asymmetric algorithm


- Encrypted hash is attached to message as a digital signature
- Digital signatures uphold:
o Authenticity
o Integrity
o Non-repudiation
- Example: Financial institution must validate changes to customer accounts
o Request arbiter must verify that contents have not been tampered with
o Arbiter must guarantee that sender cannot deny sending the request

Code Signing
The method of using a digital signature to ensure the source and integrity of programming code
- Apps on the Internet are untrusted
- Verify author’s identity before installing apps
- Developer signs the code with their private key
- Recipient uses sender’s public key to verify signature
- Does not prevent attackers from distributing malware
o Attacker can get their malicious code signed
- Users should install software from only trusted publishers

Blockchain
A concept in which an expanding list of transactional records is secured using cryptography

- Each record (block) is hashed


- Hash of previous block is added to hash calculation for next block in the chain
- Blocks are securely linked; they can validate the integrity of each prior block
- Block contains timestamps and actual transaction data
- Blockchain is recorded as a digital ledger
- Decentralized in a P2P network
o Mitigates risks of single point of failure/compromise
- Everyone can openly view transactions
- Blockchains can fork into different paths
- Consensus dictates the trusted path
- Example applications:
o Financial transactions
o Online voting systems
o Identity management systems
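
How the hash of the previous block links the chain, as an added example that is not part of the original reviewer. It models only the hash linking and integrity check described above (no mining, consensus or P2P network); field names, timestamps and transactions are constructed.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64   # placeholder "previous hash" for the first block


def block_hash(index, timestamp, transactions, prev_hash) -> str:
    """SHA-256 over a canonical encoding that includes the previous block's hash."""
    payload = json.dumps(
        {"index": index, "timestamp": timestamp,
         "transactions": transactions, "prev_hash": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hashlib.sha256(payload).hexdigest()


def append_block(chain: list, timestamp: str, transactions: list) -> dict:
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "timestamp": timestamp,
             "transactions": transactions, "prev_hash": prev_hash}
    block["hash"] = block_hash(block["index"], timestamp, transactions, prev_hash)
    chain.append(block)
    return block


def first_invalid_block(chain: list):
    """Return the index of the first block that fails validation, or None."""
    prev_hash = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i or block["prev_hash"] != prev_hash:
            return i                      # link to the prior block is broken
        recomputed = block_hash(block["index"], block["timestamp"],
                                block["transactions"], block["prev_hash"])
        if block["hash"] != recomputed:
            return i                      # contents no longer match stored hash
        prev_hash = block["hash"]
    return None


def build_sample_chain() -> list:
    """Constructed ledger with four blocks."""
    chain = []
    append_block(chain, "2024-01-01T00:00:00Z", [])
    append_block(chain, "2024-01-01T00:10:00Z", [{"from": "A", "to": "B", "amount": 5}])
    append_block(chain, "2024-01-01T00:20:00Z", [{"from": "B", "to": "C", "amount": 2}])
    append_block(chain, "2024-01-01T00:30:00Z", [{"from": "C", "to": "A", "amount": 1}])
    return chain


def tamper_checks() -> dict:
    chain = build_sample_chain()

    # Case 1: a record is edited, stored hash left alone.
    edited = copy.deepcopy(chain)
    edited[1]["transactions"][0]["amount"] = 500

    # Case 2: the edited block's own hash is recomputed to hide the change;
    # the next block still carries the old hash, so the break moves forward.
    rehashed = copy.deepcopy(edited)
    b = rehashed[1]
    b["hash"] = block_hash(b["index"], b["timestamp"], b["transactions"], b["prev_hash"])

    return {"untouched": first_invalid_block(chain),
            "edited": first_invalid_block(edited),
            "rehashed": first_invalid_block(rehashed)}


if __name__ == "__main__":
    print(tamper_checks())
```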

Cryptocurrency and Bitcoin


An alternative digital currency that is secured through the use of cryptography, typically by using a blockchain
Bitcoin mining: the process of performing calculations to “discover” new blocks to add to the blockchain

- Mining is like solving a complex math puzzle


- Miners compile transactions into a discovered block and broadcast it to the network
- Other nodes validate the blocks and transactions
- New block is added to the main chain if consensus is reached
- Miners are rewarded with bitcoin for their efforts
- Parties remain pseudonymous; transactions are open to the world
o Anyone can validate the integrity of the transactions
- Bitcoin is often associated with illicit activity
o However, it is increasingly accepted by legitimate vendors

PKI Concepts (Public Key Infrastructure)


PKI concepts and their descriptions:
- Digital certificate:
o Associates credentials with a public key
o Incorporates digital signatures
- Wildcard:
o Special character that replaces characters in a string
o Used to secure all of a website’s subdomains
- Certificate pinning:
o Trusts certificates more directly than a CA hierarchy
o No need to go up the hierarchy to the root CA
- CRL (Certificate Revocation List):
o List of revoked certificates
o Server publishes CRL at regular intervals
- OCSP (Online Certificate Status Protocol):
o Alternative to CRL
o Client requests certificate status; receives a response from server
- OCSP stapling:
o Shifts burden of contacting CA to web server
o Web server queries OCSP server; sends certificate status to client
- PKI token:
o Hardware device that stores digital certificates and private keys
o Can be USB key fob or smart card
- Key escrow:
o Alternative to key backups
o Enables trusted third party to access under certain conditions
- Issuance to entities:
o Automatic vs. manual certificate requests
o Using wildcard certificates vs. separate certificates
o Certificate lifespan
o Private CA vs. public CA (or both)
- Issuance to entity subgroups:
o Users: Short expiration; avoid wildcards
o Systems: Long expiration; easier to centrally manage
o Applications: Moderate expiration; managed centrally

PFS (Perfect Forward Secrecy)


A characteristic of session encryption that ensures if a key used during a certain session is compromised, it should
not affect data previously encrypted by that key
- Without PFS, long-term keys are at risk of exposing all data if compromised
o Data previously captured by attackers can be decrypted
o Example: Decryption of past HTTPS traffic through compromised web server
o Example: Decryption of past emails through compromise of user’s device
- In PFS, ephemeral keys are not used twice to generate other keys
o Attacker will only be able to decrypt one piece of information
- Standard in SSH and OTR (OTR - Off-the-record)
- Optional in IPSec and TLS
o Many TLS-enabled sites fail to incorporate PFS
- Minor overhead of PFS does not justify leaving it out

Key Stretching
The technique of strengthening weak cryptographic keys against brute force attacks

- Original key is run through a stretching algorithm


- Increases the time it takes to perform a cryptographic operation
- Can be useful deterrent against brute force cracking
- Adds performance overhead
- Techniques:
o Repeatedly looping hash functions
o Repeatedly looping block ciphers
o Configuring cipher’s key schedule to increase key setup time
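
The "repeatedly looping hash functions" technique, as an added example that is not part of the original reviewer. It writes out PBKDF2 with HMAC-SHA-256 (RFC 8018), an algorithm the page does not name, so the loop is visible; the storage format and the default iteration count are assumptions chosen for illustration, not recommendations.

```python
import hashlib
import hmac
import os


def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """PBKDF2 with HMAC-SHA-256, written out to show the stretching loop."""
    hlen = hashlib.sha256().digest_size
    derived = b""
    block_index = 1
    while len(derived) < dklen:
        # U1 = HMAC(password, salt || 4-byte big-endian block index)
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"),
                     hashlib.sha256).digest()
        t = int.from_bytes(u, "big")
        # U2..Uc: each round feeds the previous output back into the hash.
        # A guesser pays this cost for every candidate password.
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(hlen, "big")
        block_index += 1
    return derived[:dklen]


def hash_password(password: str, iterations: int = 20_000) -> str:
    """Return 'iterations$salt$key' (hypothetical storage format)."""
    salt = os.urandom(16)            # per-password salt defeats precomputed tables
    key = pbkdf2_sha256(password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, key_hex = stored.split("$")
    key = pbkdf2_sha256(password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(key, bytes.fromhex(key_hex))   # constant-time compare


if __name__ == "__main__":
    record = hash_password("constructed sample passphrase")
    print(record)
    print(verify_password("constructed sample passphrase", record))
    # The hand-written loop agrees with the standard library implementation.
    print(pbkdf2_sha256(b"pw", b"salt", 1000)
          == hashlib.pbkdf2_hmac("sha256", b"pw", b"salt", 1000, 32))
```

In production code call `hashlib.pbkdf2_hmac` directly; the hand-written version exists only to show where the added time comes from.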

PRNG (Pseudorandom Number Generation)


The process by which an algorithm produces numbers that approximate randomness without being truly random

- PRNGs are based on an initial seed state


o A number that defines the first stage in generation
- Seed state is run through a formula to output a PRN
- Crypto key generation often uses PRNs
- Specialized hardware can generate true randomness from physical phenomena
- True randomness is not always practical
- PRNG will always produce the same number sequence with the same seed state
- Seed state must therefore be truly random
o If not, attackers could use the seed to generate compromised keys

Steganography
A security technique that hides a secret message by enclosing it in an ordinary message

- Hides content and its existence


- Information is embedded in text, images, or other media
- Commonly used in digital watermarking

Stream Vs. Block Ciphers
- Stream cipher:
o Encrypts data one bit at a time
o Relatively fast and requires little overhead
o Ciphertext is same size as plaintext
o Produces fewer errors, and errors affect only one bit
o Doesn’t provide integrity assurances
- Block cipher:
o Encrypts data in blocks, usually 128-bit
o Strong and more secure than stream
o Worse performance than stream
o Mode of operation defines how plaintext is transformed into repeated blocks
o Some ciphers provide integrity assurances

ECC (Elliptic Curve Cryptography)


A public key encryption technique that leverages the algebraic structures of elliptic curves over finite fields

- Supports similar levels of security to non-ECC
- Uses smaller key sizes than non-ECC
o Reduces overhead of storage and transmission of keys
- Multiple types of elliptic curves
- Curves have different mathematical properties
o Example: Curves over prime field vs. binary field
- Curve over prime fields expressed as:
o Length of a prime number (p) in the field
- NIST recommends P-256, P-384, and P-521
o Differ based on the length of p in the field
o Typically, higher number is more secure but slower
- NIST curves’ security has been called into question due to possible NSA (National Security Agency) backdoor

Guidelines for Selecting Cryptographic Techniques


- Select protocols that incorporate transport encryption.
- Select protocols that incorporate data at rest encryption.
- Consider implementing data in use encryption techniques.
- Ensure solutions use strong hash functions that are resistant to attacks.
- Use MACs to verify message integrity and authenticity.
- Digitally sign any apps you develop.
- Implement solutions with key stretching algorithms.
- Ensure TLS-enabled sites enforce PFS.
- Consider how blockchain technology can apply to your data integrity needs.
- Ensure you are selecting the appropriate PKI components for your business needs.

Cryptographic Implementations
- Proper implementations:
o Choose a strong industry-standard scheme like AES or RSA
o Use algorithms with strong key lengths, like 128-bit (symmetric) and 2,048-bit (asymmetric)
o Store keys in management systems
o Regulate access to management systems
o Employ PFS in asymmetric encryption
o Ensure encryption covers all areas of enterprise
o Weigh benefits with cost of encryption
- Improper implementations:
o Choose an obsolete scheme like DES
o Use algorithms with weak key lengths, like 56-bit (symmetric) and 1,024-bit (asymmetric)
o Store data in insecure and easily accessible locations
o Fail to account for increased cost and overhead
o Employ encryption in only some areas of the enterprise

Cryptographic Design Considerations


Design principles and their considerations:
- Strength:
o The longer the key, the harder it is to break the encryption
o Some algorithms have multiple length options
- Performance:
o Longer keys typically require more overhead
o Asymmetric encryption is typically slower than symmetric
- Feasibility to implement:
o Older systems may not support the latest encryption standards
o Certain implementations can be costly, like an internal PKI
- Interoperability:
o Devices from different vendors may not support the same protocols you do
o Test devices to discover interoperability issues with encryption

DRM (Digital Rights Management)


Technology that attempts to control how digital content can and cannot be used after it is published

- Used to protect copyrighted work from being copied and distributed


- Can use encryption to make media inaccessible if a user does not have the key
- Often used by companies that publish intellectual property
- Can limit customers’ ability to share content with others
- Example: Music from online store is only playable on certain hardware or software
o Prevents user from copying song
o May have an expiration date
- Can still be bypassed through software or hardware

Watermarking
A DRM mechanism that uses steganographic techniques to embed data within media to enforce copyright
protection

- Platforms can validate a file’s authenticity through its watermark


- Hidden data may include source and identity info
o Ex: Copyright owner, media distributor
- Doesn’t prevent users from copying data
- Can alert distributors to unauthorized use
o Ex: Watermarked audio file can be traced back to its source
- Some tools can remove watermarks

SSL/TLS
- Network security protocols that employ digital certificates and public key encryption
- Guarantee:
o Authenticity (certificate authorities)
o Integrity (MACs)
o Confidentiality (shared key)
- De facto protocol for protecting HTTP web traffic
- CA is a weak point
o If it is compromised, the trust relationship is compromised
- Internet-facing web servers must rely on public CAs
- Intranet-facing web servers can rely on private CAs
- Client may ignore warnings about illegitimate certificates
o Can lead to man-in-the-middle attacks

SSH
- Protocol used for secure remote access and transfer of data
- Consists of a client and server
- Implements terminal emulation software for remote login sessions
- Entire session is encrypted; prevents eavesdropping
- Supports PFS by default
- Used on Unix/Linux, requires third party software on Windows
- Often used to execute commands on a remote device like a file server or router

PGP and GPG (Pretty Good Privacy and GNU (recursive acronym for “GNU's Not Unix”) Privacy Guard)

Publicly available email security and authentication utilities that use a variation of public key cryptography to
encrypt emails

- The sender encrypts the mail contents with a key and then encrypts this key
- Encrypted key is sent with email
- Receiver decrypts key, then uses this key to decrypt contents
- PGP also uses PKI to digitally sign emails for authentication
- Requires end-user plugins
o May make integration and management difficult
- GPG is the open-source alternative
o Compliant with PGP services
o Meets latest IETF (Internet Engineering Task Force) standards

S/MIME (Secure Multipurpose Internet Mail Extension)


An email-based encryption standard that adds digital signatures and public key cryptography to traditional MIME
communications

- MIME defines advanced characteristics of email messages


o Ex: Send text not using ASCII, send non-text file attachments
- S/MIME provides assurance of:
o Confidentiality
o Integrity
o Authenticity
o Non-repudiation
- Built into most modern email clients
- Sender and receiver rely on same CA
- Supports centralized management
o No specific plugins necessary

Mobile Device Encryption


- Modern mobile devices support hardware encryption
o Data on lost/stolen device is inaccessible to anyone without the key
o Entire file system and all data is secure
- Software encryption available from some apps
o Data available to app is encrypted as a second layer of defense
o Older devices may not support hardware encryption
- Company-owned devices controlled by MDM (Mobile Device Management)
o Device encryption is commonly enforced through MDM

Additional Cryptographic Implementations


Secure cryptoprocessor: A SoC that carries out cryptographic operations, often for a larger physical system

- Resistant to tampering
- Used in TPM (Trusted Platform Module)

Cryptographic module: Any software or hardware solution that implements one or more cryptographic concepts

- Can implement different encryption algorithms
- Facilitates implementation of algorithms encrypting data

CSP (Cryptographic Service Provider): A Windows software library that implements Microsoft’s CryptoAPI

- Developers design apps to call a CSP to perform crypto services


- CSP specifies algorithms, key length, digital signature format, etc.

Guidelines for Implementing Cryptography


- Follow overall proper implementation guidelines.
- Choose an implementation that upholds design principles.
- Implement DRM to protect intellectual property.
- Use watermarking to embed identity information in a file.
- Keep in mind that DRM/watermarking can be bypassed.
- Use SSL/TLS for secure web communications.
- Use SSH to execute commands on a remote host.
- Implement PGP/GPG to encrypt email, but be aware of extra software needed.
- Use S/MIME to encrypt email with the use of a CA.
- Consider using software encryption with hardware encryption of mobile devices.

t0 b3 c0ntinU3….
