Do you need to be proficient at Math to get into the field of Network and(or!) Security?

This is an incredibly common question regarding entry into the field.

One of the reasons for this question is that people considering an education or career in the field are concerned that their level of math is not up to the demands of the role.

Others (like myself) may have a great interest in the field but believe they are lacking in mathematical ability.

Academic check-list

Something any student going through college should consider is that universities place great emphasis on your math grade at GCSE. In my experience this carried far greater weight than my level 3 diploma in IT.

However, the actual math you will interact with, especially in an academic setting, is likely to be relatively limited: most undergraduate courses do not go deep enough into the systems and protocols to touch on how they work, just that they do.

I believe one of the reasons academic institutions rely on a student's math grade so much is that it is a good indicator of a student's qualities and ability to succeed on the course. A person good at math is likely to enjoy, or at least be adept at, the problem solving and logical reasoning that are key components of networking and security. Given how little information the admissions officer has on you, this criterion carries even more weight.

The area matters 

The course or job you choose will differ in the amount of math though. For example, a networking course is likely to have less math than a computer science degree; the trade-off is that the computer science degree gives a richer wealth of knowledge across a wider range of topics and a deeper understanding of how they work at their base level, but less focused knowledge about networking.

But even then, the math should not scare anyone away from pursuing an interest in the field.

Don’t let fear stop you

I think one of the things we need to work on in the UK is overcoming this fear of math, which is rooted in the style of teaching still used in many schools.

For example, my parents are unable to read or write properly and never had any education past the age of fifteen. So any homework I was given was promptly discarded, and I'd go to school to be ritually humiliated in front of my peers for being so awful at math.

By the time I reached secondary school I believed that I simply wasn't any good at math, and so stopped attending altogether.

Of course the reality is that math, like all skills, is an incremental learning experience in which one builds up a repository of knowledge and context that can be built upon to improve your skill and work out even harder problems in the future.

So my advice would be to not let a fear of math scare you away from pursuing a job or degree in the field.

The math in undergraduate degrees and entry-level positions should not be feared. Any deficiency you do have can be overcome by committed study, and the resources online are plentiful.

There’s no reason you can’t start learning today, and turn one of your greatest fears into your biggest strengths.


Fundamental Math; Elliptic Curve

(Figure: ECClines-3.svg, lines through points of an elliptic curve)

Math is the underpinning of all technology. Whilst math itself is a human creation, its rules and systems are the foundations of security. It is sad, then, that by the time students reach college in the UK, many have a deep fear of mathematics.

Unlike natural language, math has few ambiguities, which is why it is a great foundation for technology.

Today we will be learning about the elliptic curve.

The math behind elliptic curves is complex and takes time to digest, so we will start from a high level and get more detailed as we progress.

An elliptic curve is the set of points (x, y) that satisfy a cubic equation in two variables, together with one extra point "at infinity" that serves as the identity element for the point addition described below.

The equation we most often see (the short Weierstrass form) is y² = x³ + ax + b, with the condition 4a³ + 27b² ≠ 0 so that the curve has no cusps or self-intersections.

Which gives the shape shown in the image below.

(Figure: the curve y² = x³ + ax + b plotted over the real numbers)

We can think of this diagram as the set of solutions drawn out to give a visual representation; zooming in would show the individual points of the equation.

Two properties of the curve matter here: it is symmetric about the x-axis (if (x, y) is on the curve, so is (x, -y)), and any non-vertical line intersects it in at most three points, with a third intersection guaranteed whenever the line already passes through two points of the curve (a tangent counts as a double intersection).

These two properties are what let us define an "addition" of points that turns the curve into a group, and that group structure is what elliptic curve cryptography is built on.

Elliptic curves are important because asymmetric schemes like RSA and ElGamal rely on exponentiation in integer rings, which is computationally demanding, and because the best known attacks on those schemes scale sub-exponentially, so their key sizes must keep growing to stay ahead of available computing power. An elliptic curve group of around 256 bits gives security comparable to a 3072-bit RSA modulus.

Elliptic curves can be defined over finite fields, not just the real numbers. For cryptography we are interested in curves modulo a prime p, that is, elliptic curves over prime fields, where the "curve" is a finite set of points and the same addition rule is computed with modular arithmetic.

(Figure: Curve22, see the slides linked below)

http://cs.ucsb.edu/~koc/cren/docs/w03/09-ecc.pdf

To add two points P = (x_P, y_P) and Q = (x_Q, y_Q) and obtain R = P + Q = (x_R, y_R) geometrically, draw the straight line through P and Q (if P = Q, draw the tangent at P), take the third point where that line meets the curve, and mirror it across the x-axis; the mirrored point is R.

Algebraically, with slope s = (y_Q - y_P) / (x_Q - x_P) for P ≠ Q and s = (3x_P² + a) / (2y_P) for P = Q, the result is x_R = s² - x_P - x_Q and y_R = s(x_P - x_R) - y_P. Over a prime field every division becomes multiplication by a modular inverse. Adding a point to itself k times, written kP, is called scalar multiplication and is the operation every elliptic curve protocol is built on.

Elliptic curves can be used for key exchange (ECDH) and signatures (ECDSA), and offer performance advantages over public key methods such as RSA at the same security level.

Elliptic curve cryptography rests on the elliptic curve discrete logarithm problem: given P and kP, recover k.

The discrete logarithm is
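The following is an added example, not code from the original post: it implements the chord-and-tangent addition above over a prime field, scalar multiplication by double-and-add, a toy ECDH exchange, and the brute-force discrete logarithm search an attacker would face. The curve y² = x³ + 2x + 2 over F_17 with generator G = (5, 1) is a textbook toy (assumption: chosen only so every value can be checked by hand; its group has 19 points, so 19G is the point at infinity).

```python
"""Added example (not from the original post): elliptic curve arithmetic over a
prime field, scalar multiplication, a toy ECDH key exchange and the discrete
logarithm problem that secures it.

The curve y^2 = x^3 + 2x + 2 over F_17 with generator G = (5, 1) is a small
textbook example chosen so everything can be checked by hand; its group has
19 points, so 19*G is the point at infinity. Real deployments use curves over
roughly 256-bit primes, where the brute-force search at the bottom is hopeless.
"""

# Curve parameters (assumption: toy values, not a production curve).
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None  # the point at infinity, the identity element of the group


def is_on_curve(pt):
    """True if pt satisfies y^2 = x^3 + A*x + B (mod P_MOD); INF is always on it."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def point_add(p, q):
    """Chord-and-tangent addition with divisions replaced by modular inverses."""
    if p is INF:
        return q
    if q is INF:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # q == -p: the line through them is vertical
    if p == q:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)  # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)  # chord slope
    s %= P_MOD
    x3 = (s * s - x1 - x2) % P_MOD
    y3 = (s * (x1 - x3) - y1) % P_MOD  # mirror the third intersection across the x-axis
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by double-and-add (O(log k) group operations)."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def all_points():
    """Every point of the curve, found by brute force (only feasible on toy sizes)."""
    pts = [INF]
    for x in range(P_MOD):
        for y in range(P_MOD):
            if is_on_curve((x, y)):
                pts.append((x, y))
    return pts


def ecdh(d_alice, d_bob):
    """Toy ECDH: each side publishes d*G and computes d*(other side's public point)."""
    pub_alice = scalar_mult(d_alice, G)
    pub_bob = scalar_mult(d_bob, G)
    shared_alice = scalar_mult(d_alice, pub_bob)
    shared_bob = scalar_mult(d_bob, pub_alice)
    return pub_alice, pub_bob, shared_alice, shared_bob


def brute_force_dlog(target, base=G, limit=1000):
    """Solve k*base == target by trying k = 0, 1, 2, ...: this is the ECDLP an
    attacker faces, and on a 256-bit curve the loop would never finish."""
    current = INF
    for k in range(limit):
        if current == target:
            return k
        current = point_add(current, base)
    return None


if __name__ == "__main__":
    print("points on curve:", len(all_points()))
    print("2G =", scalar_mult(2, G), " 3G =", scalar_mult(3, G), " 19G =", scalar_mult(19, G))
    pa, pb, sa, sb = ecdh(3, 7)
    print("ECDH shared secret:", sa, "agreed:", sa == sb)
    print("recovered Alice's private key:", brute_force_dlog(pa))
```

Running it shows 19 points, 2G = (6, 3), 3G = (10, 6), 19G at infinity, both ECDH parties arriving at (6, 3), and the brute-force search recovering Alice's private key 3 in a handful of additions. The whole security of the scheme lies in making that last step infeasible, which is exactly what a 256-bit prime field does.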


Security job progression

So one of the first questions you might ask when seriously considering a job in the security field is: what jobs can I do, and what progression is possible?

Vulnerability scanning – This is the easiest role by far, and essentially sees you running ready-made software against the company's network to assess vulnerabilities and make a note of any insecure or misconfigured services and open ports.

Whilst the software does require some training, anyone who wants to can reasonably expect to learn it in a matter of weeks, which is why the skill is in plentiful supply and the role commands a relatively low wage.

Pentesting – Penetration testing goes a step further: you are expected to carry out a controlled attack within the network's environment and assess how much information can be obtained and how much damage can be done through the exploits you find.

The nice thing about pentesting careers is that there is no substitute for hard work. You may be able to secure junior positions on the strength of running other people's exploits, but if you want to command a good wage or consider freelancing then the ability to understand and write your own exploits is invaluable.

And whilst those skills can take many years to learn, they cannot be bought by anyone unwilling to do the work. Committing to learning them will turn you into a marketable and valuable asset with a good degree of mobility within the global job market.

Risk analysis – You might think that, being last in the list, risk analysis would require the most commitment to learning, but this is not really the case. Risk analysis is a separate set of skills, and not everyone has the patience to do it well.

Someone hired as a risk analyst/assessor is expected to perform the role of the pentester but also to understand every facet of company and organisational policy, needs and requirements, and to patiently develop an exhaustive list of the findings from the various tests. They will also need to assess the risk of future attacks and implement or suggest security measures based on their probability and impact.

Whilst you could learn risk analysis from the internet, it really needs to be consolidated in an academic or working environment, as you will be working with very clinical frameworks that require patience, attention to detail and a thorough understanding of security threats and their respective countermeasures.

There are other jobs within the security field, such as application/mobile security and national security, but this is a general career path that shows what the jobs entail as well as the amount of work needed to succeed in them.

Ultimately the path is not an easy one, but you will be on the front line ensuring that companies and organisations are secure, constantly learning and growing into a true professional. With that knowledge you become one among few instead of common among many, and will earn a wage that reflects this.

So the next time you find yourself slacking off, remember that the future you want depends on the work you do today.


Bring Your Own Virus

Bring your own device has been widely talked about for several years now, and its inherent dangers should be widely known. Yet according to IT research and advisory company Gartner, 38 percent of employers expect to stop providing devices to employees by 2016 and 50 percent will require their employees to bring their own devices by 2017 [1].

There's no denying that BYOD has its advantages: according to a Cisco study conducted in 2013, the average BYOD user saves 37 minutes per week, with the US saving an estimated 81 minutes per week [2].

However, the flip side to time saved and employee happiness is that implementing a BYOD policy opens up a whole host of attack vectors that your company is unlikely to be ready for.

One of the most prominent issues is the nature of personal devices today and the multitude of applications installed on them. If a user brings a device into work with a rogue application on it, knowingly or mistakenly, it is entirely possible that the data it collects could be used in an attack against the company.

Equally, the threat posed when an employee loses their device can be a major problem; without the ability to monitor how employees use their devices, trade-ins, repairs and even casual use can all threaten the integrity of company data.

Privacy is also a concern. It is not considered ethical to enforce compliance by monitoring the use of personal devices, yet it is a given that at some point at least one employee will browse malicious sites or mistakenly download malware, and this can easily lead to holes in the company's security.

Whilst these pitfalls can be mitigated by implementing strict download policies, requiring passcodes on devices, and ensuring a threat and vulnerability scanner/firewall is always in use, it is imperative that companies recognise both the real cost-effectiveness of implementing BYOD and the many avenues of attack that will be opened if BYOD is implemented without foresight.

[1] Gartner, 'Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes', 1 May 2013. Available from: http://www.gartner.com/newsroom/id/2466615 [Accessed 24 November 2015]

[2] Jeff Loucks, 'The Financial Impact of BYOD', Cisco, 2013. Available from: https://www.cisco.com/web/about/ac79/docs/re/byod/BYOD-Economics_Econ_Analysis.pdf [Accessed 24 November 2015]

Hi, Can I have your password please?

Whilst many people might suspect, and consequently defend against, physical and system-based attacks, one facet of security that is often overlooked is social engineering.

Social engineering, as the name suggests, is a highly involved and developed field that applies human psychology to provoke results, such as eliciting information that can be used in an attack. Sometimes the entire attack can be carried out through social engineering.

Social engineering in part plays on people's propensity (especially in the UK!) to be helpful and go out of their way to ensure that the 'customer' has a good experience.

From an objective point of view, social engineering is a blend of science, creativity, art and psychology: a good social engineer doesn't need to force the victim to hand over information, he makes the victim *want* to give it away.

In a world where many systems are becoming ever more secure, the return on weeks or months spent plotting an attack against a system versus a single phone call or gaining physical access to the building is worth considering, especially since many employees get no specific training to deal with the threats posed by social engineering.

Social engineering is everywhere: salesmen want to elicit information to clinch a sale, the media wants to persuade you to think a certain way and politicians want you to believe in them.

One of the most common methods of attack is via phone. It has the benefit of being hard to trace back to the attacker (if intelligently performed) and can be carried out over any distance. Often the victims are help desk operators, because of the nature of their role: their malleable minds are trained to be of the utmost assistance and to please the caller in any way they can, so when I ring and ask them to reset a password, or pretend I'm a fellow employee, they act on instinct.

Personal attacks are popular too, especially those in which someone rings or texts pretending to be from your bank and asks you to read out your card details and PIN or password.

Whilst we as security practitioners might wonder how people ever fall for these ploys, it's important to remember that the general public simply don't have security and suspicion in mind all of the time, and tend to want to believe in the good of those they are interacting with.

Social engineering is a vast and creative class of exploit; the defences are fewer, but the right conscious choices can make all the difference.

Whilst training employees is a great idea, it's important to note that many attacks actually come from inside the company, from disgruntled employees for example.

In these cases the training will be known and can be exploited. The old 'something you are, something you know' principle is good here: if you can ensure that verification of identity is at least two-step, relying on something you are (or have) as well as a unique code or PIN, then you gain a deeper level of security.

As with any system you can never make it completely secure, but a comprehensive security policy and a commitment to personal and corporate education can make the difference. The fact is that social engineering can and does happen, and the better educated you are the better you can deal with it.

You can read more about how social engineering happens, with an in-depth look at the tactics, here. In addition, this paper from sans.org showcases some of the best ways to prevent social engineering here.


Sweet32 – A personal look.

So recently news broke about the attack dubbed 'Sweet32', which can potentially decrypt session cookies from an estimated 1% of the Internet's HTTPS traffic and potentially affects 600 of the most visited websites.

You can read more about it here.

Now of course even the news sources aren't getting too hyperbolic over this, because not only does it affect an estimated 1% of traffic (although that's not negligible), it's also not the easiest of attacks to carry out: it requires several conditional steps and has not been demonstrated outside the lab.

Conditional steps are never good for an exploit because they often mean a lot of variables. In this attack you have to sniff the traffic between the victim and the server, and also control JavaScript running in the victim's browser so that it keeps sending requests carrying the secret cookie over one long-lived connection, all encrypted under the same key. It's not unfeasible, but it's a fairly involved and targeted attack.

Which is fine if the attacker is sniping particular targets, but it's also quite resource heavy, needing 38 hours to collect 785 GB of data to get to the (sadly inedible) cookie.

Regardless of the efficacy of the attack in a live situation, the fact remains that this exploit is a great opportunity to learn more about vulnerabilities.

Now the main vulnerability here, or rather the source that enables this to work, is old 64-bit block ciphers (3DES and Blowfish are the ones Sweet32 targets). Ciphers with a larger block, like AES (128-bit), are not practically affected, because the number of blocks you must see before a collision becomes likely grows with the square root of the block space: around 2^32 blocks (a few tens of gigabytes) for a 64-bit block, but around 2^64 blocks (hundreds of exabytes) for a 128-bit block.

Collisions, which we talked about earlier in the post titled 'Security Fundamentals; Cryptography', are what leak plaintext here: in CBC mode, if two ciphertext blocks are equal then the XOR of the two corresponding plaintext blocks equals the XOR of the two preceding ciphertext blocks, and when the attacker controls the plaintext surrounding the secret, that XOR gives the secret away.

So if you are using protocols whose ciphers can be driven into collisions within realistic amounts of traffic, you have an insecure system. Even hash functions like SHA-1, which at the time of writing had no publicly demonstrated collision, shouldn't be used, because we know computational power will eventually break that barrier, probably sooner rather than later (a practical SHA-1 collision was in fact published in February 2017).
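The following is an added example, not code from the original post or from the Sweet32 authors, showing the collision leak concretely. It encrypts constructed random plaintext in CBC mode, watches for two equal ciphertext blocks, and checks that the XOR of the two preceding ciphertext blocks really equals the XOR of the corresponding plaintext blocks. The block cipher is a toy Feistel network standing in for 3DES/Blowfish (assumption: its only purpose is to let the block width shrink to 16 bits so the collision shows up in milliseconds instead of after tens of gigabytes); the key, IV and plaintext are constructed test data. The last function computes the birthday bound for real block sizes.

```python
"""Added example (not from the original post): why a 64-bit block cipher in CBC
mode leaks plaintext once enough data has been encrypted under one key, the
mechanism behind Sweet32.

In CBC, C_i = E(P_i XOR C_{i-1}). Because E is a permutation, two equal
ciphertext blocks C_i == C_j mean equal inputs, so
    P_i XOR P_j == C_{i-1} XOR C_{j-1},
and an observer learns the XOR of two plaintext blocks from ciphertext alone.
The birthday bound says such a collision is expected after roughly 2^(n/2)
blocks for an n-bit block cipher.

Assumptions: the block cipher is a toy Feistel network standing in for
3DES/Blowfish so the block width can be shrunk to 16 bits and the collision
appears in milliseconds; the plaintext and key are constructed test data.
"""
import hashlib
import math
import random


def feistel_encrypt(block, key, block_bits, rounds=6):
    """Toy Feistel permutation on a block_bits-wide integer.
    block_bits must be a multiple of 16 so each half is a whole number of bytes."""
    half = block_bits // 2
    mask = (1 << half) - 1
    left, right = block >> half, block & mask
    for r in range(rounds):
        # Round function: keyed hash of the right half, truncated to the half width.
        digest = hashlib.sha256(key + bytes([r]) + right.to_bytes(half // 8, "big")).digest()
        f = int.from_bytes(digest[: half // 8], "big")
        left, right = right, left ^ f
    return (left << half) | right


def cbc_encrypt(plaintext_blocks, key, iv, block_bits):
    """CBC mode: returns [C_0 = IV, C_1, ..., C_n] with C_i = E(P_i XOR C_{i-1})."""
    out = [iv]
    for p in plaintext_blocks:
        out.append(feistel_encrypt(p ^ out[-1], key, block_bits))
    return out


def find_cbc_collision(ciphertext):
    """First pair i < j (both >= 1) with C_i == C_j, plus the leaked value
    C_{i-1} XOR C_{j-1}, which equals P_i XOR P_j. None if no collision."""
    seen = {}
    for j in range(1, len(ciphertext)):
        c = ciphertext[j]
        if c in seen:
            i = seen[c]
            return i, j, ciphertext[i - 1] ^ ciphertext[j - 1]
        seen[c] = j
    return None


def sweet32_demo(block_bits=16, n_blocks=2000, seed=1):
    """Encrypt constructed random plaintext in CBC with a block_bits-wide toy
    cipher and verify that a ciphertext collision leaks P_i XOR P_j."""
    rng = random.Random(seed)
    key = b"constructed-toy-key"
    iv = rng.getrandbits(block_bits)
    plaintext = [rng.getrandbits(block_bits) for _ in range(n_blocks)]
    ciphertext = cbc_encrypt(plaintext, key, iv, block_bits)
    hit = find_cbc_collision(ciphertext)
    if hit is None:
        return {"collision": None}
    i, j, leaked = hit
    true_xor = plaintext[i - 1] ^ plaintext[j - 1]  # P_i is plaintext[i - 1]
    return {"collision": (i, j), "leaked_xor": leaked,
            "true_xor": true_xor, "leak_is_correct": leaked == true_xor}


def bytes_until_collision(block_bits, probability=0.5):
    """Ciphertext volume under one key at which a block collision has occurred
    with the given probability: solve 1 - exp(-n^2 / (2 * 2^bits)) = p for n."""
    n_blocks = math.sqrt(-2.0 * (2.0 ** block_bits) * math.log(1.0 - probability))
    return n_blocks * (block_bits // 8)


if __name__ == "__main__":
    print(sweet32_demo())
    for bits in (64, 128):
        gb = bytes_until_collision(bits) / 1e9
        print(f"{bits}-bit block: ~{gb:.3g} GB under one key for a 50% collision chance")
```

With a 16-bit toy block the collision appears within a couple of thousand blocks and the leaked XOR matches the plaintext XOR exactly. The same formula gives roughly 40 GB for a 64-bit block, which is why a long-lived 3DES connection is attackable, and roughly 3.5 × 10^20 bytes for AES's 128-bit block, which is why it is not.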

The real takeaway, however, is that you should never be surprised at how many companies, both large and small, will use insecure protocols. As with the recent push to roll out HTTPS, companies really struggle to balance people's conflicting needs with security, and often compromises are made.


Information security

Information security, as the name implies, is the practice of keeping information secure.

What many people fail to realise is that this goes beyond personal security measures and into the realm of corporate and state security policies.

As soon as you give any information away, as soon as you use a credit card in a shop or sign up to a website, you are placing your data in their hands. Your email and password are stored on their system and you are completely reliant on their security to keep it safe.

Now in utopia, where the trees are evergreen and your car never breaks down, these people would safely handle your data and do every single thing they can to follow data protection laws and keep you safe.

Unfortunately we know that's simply not the case. Over recent years we have heard countless stories of people's privacy and data being compromised, through both malice and plain foolishness.

The sad truth is that, as one recently apprehended Russian hacker would tell you, many companies still store sensitive data (like credit card details) in plain text files, completely open to anyone with the knowledge to grab them.

Security is hard, and that is why being a security expert commands such high demand and wages. Many simply don't want to, or are fearful of, implementing the security required to protect your data. Often it's a case of trying to meet everyone's needs, which leads to compromise.

Then of course there is the government aspect, which can't go unmentioned given what we know today. Governments are a bit like overprotective parents: their intent is somewhere in the right place, yet the methods and tactics they have used in the past to protect you have been completely irresponsible and a genuine invasion of privacy.

The problem we have, however, is that if we are to live in society and function in what constitutes a 'normal' life, then we are going to end up placing trust in all of these people. But you can choose what you share and, more importantly, limit the damage that would be done should those you trust fail to keep your information safe.

This is why using a separate, throwaway email address and password for superficial things (not business) is a great idea, as is having separate credit cards with differing limits, and I would go as far as to suggest using a VPN and a private browsing session, as you would be amazed how much telemetry and tracking goes on as you nonchalantly browse the web. There's far more you can do too. Being selective about who you give your information to is the most obvious of course: an ounce of prevention is worth a pound of cure.

The good news (if you can call it that) is that as a security practitioner you will always be needed. As we enter the precarious wasteland of IoT devices and their glaring security flaws, often present from manufacture, your skills will always be required. And on another level, whilst you won't be receiving any knighthoods from the Queen, your role in security really can prevent people's lives from being torn apart.

It's a brave new world, and the more information we have the better we will be able to deal with it, and even come to embrace it.