CISSP (Certified Information Systems Security Professional)

Content: ThorTeaches.com vs. Udemy
34 hours of CISSP videos
3,250 Easy/Mid CISSP questions (exam emulation tests) – ⚠️ Udemy: only 2,500
3,250 Easy/Mid CISSP questions (per-domain tests) – ⚠️ Udemy: only 1,000
625 Hard CISSP questions
240 Domain practice questions (30 after each domain)
198 topic questions after each major topic
290-page CISSP Study Guides
114-page Quick Sheets
2,500 CISSP Flashcards
A 2,500-word CISSP Glossary
ThorBot: your 24/7 AI study assistant that clarifies concepts, tailors your learning, and enhances your CISSP preparation.
Bundle with everything – ❌ Udemy: 24 courses
CISSP Mnemonics
Offline video viewing
Subtitles in English, Spanish (Latin America), French, Arabic, Chinese, and Hindi
A CISSP study plan
Updated for the 2024 curriculum.
(Optional +$70) 700 Boson practice questions.
Access duration: Lifetime or 12 months (ThorTeaches.com), Lifetime (Udemy)

CISM (Certified Information Security Manager)

Content: ThorTeaches.com vs. Udemy
32+ hours of CISM videos
150 CISM questions
200-page CISM Study Guides
2,500 CISM Flashcards
A 2,500-word CISM Glossary
ThorBot: your 24/7 AI study assistant that clarifies concepts, tailors your learning, and enhances your CISM preparation.
Bundle with everything – ❌ Udemy: 5 courses
CISM Mnemonics
Offline video viewing
Subtitles in English, Spanish (Latin America), French, Arabic, Chinese, and Hindi
A CISM study plan
Updated for the 2022, 2023, and 2024 curricula.
Access duration: Lifetime or 12 months (ThorTeaches.com), Lifetime (Udemy)

CC (Certified in Cybersecurity)

Content: ThorTeaches.com vs. Udemy
17+ hours of CC (Certified in Cybersecurity) videos
1,700 CC exam emulation questions – ⚠️ Udemy: only 1,200
60+ topic questions after each major topic
120-page CC Study Guides
2,500 CC Flashcards
A 2,500-word CC Glossary
ThorBot: your 24/7 AI study assistant that clarifies concepts, tailors your learning, and enhances your CC preparation.
Bundle with everything – ❌ Udemy: 3 courses
CC Mnemonics
Offline video viewing
Subtitles in English, Spanish (Latin America), French, Arabic, Chinese, and Hindi
A CC study plan
Updated for the 2022, 2023, and 2024 curricula.
Access duration: Lifetime or 12 months (ThorTeaches.com), Lifetime (Udemy)

CISSP D3 Preview | Physical Security – Part 3

Locks! Exciting right?

They are often a part of our first line of physical security and they are an integral part of our layered defense.
In this video, I cover the exciting and wondrous world of locks at the level you need for the CISSP exam.

Remember, the CISSP exam is a management-level exam; you need the right point of view to pass it.

https://youtu.be/ltYPtvOnx1M

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we’re going to continue with physical security and we’re going to start out with looking at locks.
I know, right?
How exciting, locks!
And now that I got that out of my system, let’s actually look at locks.
Locks are only a preventative measure.
They don’t deter.
They don’t detect.
They don’t do anything else.
If the door is locked, you can’t get in.
You are prevented access.
And to gain access, you’re required to have the physical key that can unlock the door.
But keys can be shared, keys can be copied, locks can be picked and locks can be bumped.
But first off, let’s look at how a lock actually works.
So keys like the ones over here on the right have a bitting code.
And it is called that because that is how far the metal is bitten down on that specific section of the key.
And as you can tell, "how far the metal is bitten down" is a little bit of a weird term, but since it is the right term for it, we're going to use it.
So the image over here on the right, the first one is of a lock that is locked.
You can then see the second picture.
Someone inserted the wrong key.
And to unlock the door, we need the tumblers to line up the way they do on the third picture.
On the second picture, you can see the division between the red and the purple part of the pin is not aligned, on the third picture they are.
When they align, we can turn the cylinder and unlock the lock.
Didn’t I tell you this was going to be exciting?
And this type of lock, Yale locks, is in general not very secure, but they're very cheap to implement.
So people can steal the key, they can make copies of it, but they can also pick the lock or even bump the lock.
Any lock with cylinders and keys like we use over here on the right, can be picked and they can be bumped.
Now, how long that takes really depends on two things.
The skills of the person doing it and the quality of the lock.
With a lock pick set, we’re basically trying to lift those little tumblers until they align in the right position that the key would have had them in.
And we can open the lock.
I actually bought a set of lock picks maybe two years ago just to see how easy it was.
And once you get some practice, it is actually not that difficult.
That said, lock bumping is often faster.
For lock bumping, the attacker has a key that matches the door, and then all the bittings are shaved down all the way.
You can see a picture of one over here at the bottom on the right, and it is called lock bumping because you insert the key into the lock and then you hit or bump the key with a hammer or screwdriver or something like that.
That then makes the pins jump up and you quickly turn the key, opening the door.
This also takes some skill and some practice.
But if you do it right, you can open a door in just a few seconds.
And then obviously you also understand this is illegal.
And if you ever try it, it should be only for academic purposes, something you learn so you can understand the attackers better.
Now, let’s look at Master Keys and Core Keys.
A master key is a given key that can open any door in a certain area or a certain security zone.
Think of this as admin privileges for doors.
Since these keys can open so many more doors, we obviously need to keep these keys more secure.
We need to make sure both who has them at all times and where they are.
If I say, Hey, can I borrow your key really quickly, I just need to go do something, then the default answer should probably be no, because I can borrow your key, make a copy of it real quick like and then return it to you.
You are just as compromised as if I had stolen the key, whereas if the key had been stolen or vanished, well then maybe we changed the locks.
If I just borrow it and make a copy, we would have no clue.
Again, just like with the admin privileges, we don’t let someone else borrow our account to login just to check on something real quick.
Big no-no.
Then we have core locks.
You can see an image of one over here on the right, and they are called core locks or interchangeable core locks because they are easy to replace.
They’re pretty easy to recognize because they have that figure-eight shape and important here, they are made for convenience.
They are regular locks with the tumblers we’ve looked at already.
But with a master key, you can remove them and add a new lock in a few seconds.
If you are compromised, then, instead of changing the entire lock, you just change the core.
Much easier, right?
But as in most cases, much easier also comes with some security concerns.
So to remove that core, we have a specialized control key.
We insert that control key and we can extract the entire core.
Now, if an attacker gets hold of that, they can do exactly the same.
So here, just like with the master key, we need to keep that core key very, very secure.
We might even here want to implement dual controls.
So the only time someone can get the core key is when two authorized people sign it out.
Now, let’s finish out the exciting world of locks with combination locks.
Combination locks are not very frequently used, but they can be appropriate in some areas where we need low security and it is not feasible for every employee to have a key for their access.
Keyword here, right?
Low security and it is low security for a few reasons.
They have a finite set of combinations that can work and they’re not very difficult to break.
Combination locks can either be the dial type.
If you think like the round dial on a safe, they can be push button or they can be a keypad and they are very susceptible to brute force and shoulder surfing.
On top of that, we’re pretty bad about configuring them with weak security.
In many places it is just the street number.
That way the employee doesn't have to remember the three- or four-digit code it has.
They go to the location and know the street number.
Now they open the lock, but that is so common knowledge that the attacker does the same.
So not very secure at all.
On top of that, the more we use a combination lock, over time, the keys wear down and it is easier to open.
You now know some of the keys that are being used.
For instance, if you have a phone-number PIN and we can tell from the keypad which four keys are used, there are no longer 10,000 combinations.
They’re now 256.
If only three keys are used, we’re now down to 81 options.
So combination locks should really only be used in areas that do not need a lot of security and places where we don’t keep anything important, but preferably they should be avoided.
And if we have to, well, then make sure that it’s not the street number that is the combination and we need to make sure that we replace them every so often.
And with that, we are done with the wonderful world of locks.
And I will see you in the next lecture for more physical security.

CISSP D1 Preview | Risk Management Assessment – Part 1

We need to make sure that we have the proper protection profile for our assets, both tangible and intangible. How do we do that?

The answer is simple yet complex; we do proper risk assessments.
In this video, I cover how we use risk assessments at the level you need for the CISSP exam.

Remember, the CISSP exam is a management-level exam; you need the right point of view to pass it.

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we’re going to look at our risk assessment.
We have now a very clear picture of all the assets that we have, we have identified the risks and now we do our qualitative and quantitative risk analysis.
We do our risk register.
And then we probably also do an uncertainty analysis, because even with the quantitative risk analysis, everything that we do here is really just our best guesses. We guess that if this happens, then this is how bad it's going to be.
Even if we are great at what we do, we do not have a magic crystal ball where we can see all the right numbers, but our hard work and our due diligence and due care should give them a reasonably accurate picture of how bad the risks are and how much mitigation would cost. After we have done all that, we hand it off to senior management.
Now, what they do with that information is entirely up to them.
They can choose to act on our recommendations.
They can also choose not to.
So for any risk in our enterprise, we would choose a different risk strategy.
That could be mitigation: we'll put something in place that's going to minimize that risk to an acceptable level.
As always, everything here is done on a cost-benefit analysis, because this is something that senior management understands very well.
If we put in this countermeasure, that’s going to cost us $250,000, but it’s going to save us $1M every year, well, then that is pretty simple math.
And when I say we want to get the risk down to an acceptable level, that is where our risk appetite comes in.
With that mitigation, it is often not just one countermeasure.
There might be multiple things we need to do to get that risk down to an acceptable level.
After you put in a countermeasure, whatever risk is left over is the residual risk.
If that risk is still above our risk appetite, well, then we would do something else to either mitigate, transfer, accept, or avoid that risk, which then brings us to risk transference.
That is us transferring the risk to someone else.
Most often that would be through buying insurance, but it could also be by sharing the risk.
The insurance makes sense.
We pay them a certain amount of money and if something bad happens, they give us money back.
This sharing of risk could be us doing a project with someone else.
If we want to launch a new product and that comes with an inherent risk, then if we go in and we’re 50/50 partners with someone else, well then we only have half the risk.
Obviously, we also only have half the reward.
In most cases, like I said, risk transference is buying insurance.
As the next option, we have risk acceptance, we accept the risk is there.
We know it.
We have done a due diligence.
We have done our due care.
We know that this risk is going to cost us $250,000 a year, but the countermeasure to mitigate the risk is going to cost us one million.
In this case, we'll probably just live with it.
That would be risk acceptance or we could choose risk avoidance.
Here again, we have done our due diligence, we have done our due care, we have determined that it is not financially viable to mitigate the risk, to transfer it or to accept it.
Whatever it is we are doing, we’re just going to stop.
If we determine that our employees use laptops that cost us $1M in losses every year from lost laptops and lost data, but we don't really need laptops because everybody is at their desk, well, then we can stop issuing laptops.
In most companies that would probably not work, but you get the idea, right?
We stop whatever is causing the risk.
And then finally, we have risk rejection.
This is never OK, ever.
This is us knowing that the risk is there, but we’re kind of just ignoring it. Never OK.
Our risk response should always be based on analysis and it should be one of the four other categories.
And now that is abundantly clear, let’s talk a little more about the assessment.
Normally when we start a risk assessment, we would go in and assess the current countermeasures, what is in place now, because very, very rarely do we start from a blank slate. We'll go in and we identify how good the current countermeasures are.
Are they good enough or do we need to improve them?
Maybe we need to implement entirely new countermeasures.
So let’s look at the actual risk analysis.
We briefly touched on these before, qualitative risk analysis is us sitting down and guessing how likely is this to happen and how bad is it when it does?
How exposed are we?
It is vague. It is guessing.
It is pretty quick to do.
And what we use this for is mostly to identify the areas where we want to do quantitative risk analysis.
Remember, qualitative risk analysis is the quality of something, that’s pretty good, that’s nice.
It’s not a specific number.
It’s more your opinion, which then takes us to the quantitative risk analysis that is fact-based.
Before we look at some examples, let's look at some other key terms that you need to know both for the certification and for your job.
Remember, Risk = Threat x Vulnerability, and a threat is a potentially harmful incident.
It is really anything that can cause damage to our organization, to our data, whereas the vulnerability is a weakness in our systems that can allow the threat to come to fruition.
A tsunami can be a threat.
But if our data center is in the mountains, well, then there’s no vulnerability and there is no risk for you.
It might be snow, or volcanic activity, or a pandemic, or whatever can harm your business in your area.
Sometimes for the calculation we had earlier with risk, we might also add impact.
In that case, it would be Risk = Threat x Vulnerability x Impact.
And the reason we would add that vector to our equation is there are also other factors we need to consider.
Let's say we have two data centers right next to each other.
They are completely identical in hardware and software.
Everything is the same.
The threats and the vulnerabilities would also be the same then.
But one data center is manned and the other is unmanned.
Well, then the impact in this case to the data center would be much, much higher.
So adding that impact gives us a clearer picture and the fuller risk analysis.
Let’s finish these definitions and then in the next lecture we will look at some examples.
Total risk is the potential risk x vulnerability x the asset value.
And then finally, residual risk.
That is the total risk minus our countermeasures.
Now, just because we have mitigated something, that doesn’t mean we’re done.
If the residual risk is still too high, we keep going.
And with that, we’re done with this lecture.
I will see you in the next one for the examples.
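As an added example, not code from the lecture or from ThorTeaches, here is a small quantitative risk register in JavaScript that works through the response decision described above: total risk from Threat x Vulnerability x Impact applied to the asset value, residual risk after countermeasures, and a mitigate/transfer/accept/avoid choice driven by cost-benefit and risk appetite, with rejection deliberately not an option. The risk appetite, dollar figures, and countermeasure effects are all assumed for illustration.

```javascript
// Constructed quantitative risk register (all numbers are assumed, not from the lecture).
const RISK_APPETITE = 100000; // largest annual expected loss we are willing to carry (USD)

// Annualised risk in dollars: Threat x Vulnerability x Impact, applied to the asset value.
//   threat        - probability that the threat materialises in a given year
//   vulnerability - probability that it succeeds against us when it does
//   impact        - fraction of the asset value lost per successful incident
function totalRisk(risk) {
  return risk.threat * risk.vulnerability * risk.impact * risk.assetValue;
}

// A countermeasure shrinks one factor; the risk that is left afterwards is the residual risk.
function applyCountermeasure(risk, cm) {
  return { ...risk, [cm.reduces]: risk[cm.reduces] * (1 - cm.reduction) };
}

// Decide the response. Rejection is deliberately not a possible outcome: the
// analysis must end in mitigate, transfer, accept or avoid.
function chooseResponse(risk, options, appetite = RISK_APPETITE) {
  const before = totalRisk(risk);
  if (before <= appetite) {
    return { strategy: 'accept', reason: 'already within risk appetite', residual: before };
  }

  // Mitigate: stack countermeasures, cheapest first, until the residual risk is
  // inside the appetite, then judge the whole package on a cost-benefit basis.
  let current = risk;
  let spent = 0;
  const applied = [];
  const byCost = [...(options.countermeasures || [])].sort((a, b) => a.annualCost - b.annualCost);
  for (const cm of byCost) {
    if (totalRisk(current) <= appetite) break;
    current = applyCountermeasure(current, cm);
    spent += cm.annualCost;
    applied.push(cm.name);
  }
  const residual = totalRisk(current);
  if (residual <= appetite && spent < before - residual) {
    return { strategy: 'mitigate', applied, annualCost: spent, residual };
  }

  // Transfer: insurance (or a partner taking a share) carries most of the loss for a premium.
  if (options.insurance) {
    const { premium, coverage } = options.insurance;
    const afterTransfer = before * (1 - coverage);
    if (afterTransfer <= appetite && premium < before - afterTransfer) {
      return { strategy: 'transfer', annualCost: premium, residual: afterTransfer };
    }
  }

  // Avoid: stop the activity altogether when it earns us less than it exposes us to.
  if (risk.annualBenefit !== undefined && risk.annualBenefit < before) {
    return { strategy: 'avoid', residual: 0 };
  }

  // Accept: a documented decision, with the residual we knowingly carry stated up front.
  return { strategy: 'accept', reason: 'no cost-effective treatment found', residual: before };
}

// Worked cases mirroring the lecture's figures (constructed inputs).
function lectureExamples() {
  // A $250k-per-year control that removes most of a $1M-per-year exposure: mitigate.
  const mitigate = chooseResponse(
    { threat: 1.0, vulnerability: 0.5, impact: 1.0, assetValue: 2000000 },
    { countermeasures: [{ name: 'MFA + monitoring', annualCost: 250000, reduces: 'vulnerability', reduction: 0.95 }] });
  // A $250k-per-year risk whose only control costs $1M per year: accept.
  const accept = chooseResponse(
    { threat: 0.5, vulnerability: 0.5, impact: 1.0, assetValue: 1000000 },
    { countermeasures: [{ name: 'Full rebuild', annualCost: 1000000, reduces: 'vulnerability', reduction: 0.9 }] });
  // Laptops nobody needs that lose $1M per year: avoid (stop issuing them).
  const avoid = chooseResponse(
    { threat: 1.0, vulnerability: 1.0, impact: 0.1, assetValue: 10000000, annualBenefit: 50000 },
    { countermeasures: [] });
  // No affordable control, but insurance covers 90% of the loss for a $60k premium: transfer.
  const transfer = chooseResponse(
    { threat: 0.5, vulnerability: 1.0, impact: 1.0, assetValue: 1000000 },
    { countermeasures: [], insurance: { premium: 60000, coverage: 0.9 } });
  return { mitigate, accept, avoid, transfer };
}
```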

CISSP D3 Preview | Digital signatures

Digital signatures can help us with the authenticity, integrity, confidentiality, and non-repudiation of digital messages or documents.

In this video, I cover digital signatures, what they are, how they work, and where we use them, all at the level you need for the CISSP exam.
Learn how Digital Signatures provide integrity and non-repudiation and everything that comes with it.
Plus, exam tips to help you pass your CISSP certification!

Remember, the CISSP exam is a management-level exam; you need the right point of view to pass it.

https://youtu.be/p91oGWwUea4

You can get all my courses, free study materials, my free CISSP course and much more on https://thorteaches.com/

Transcript:

In this lecture, we are going to talk about digital signatures and PKI (Public Key Infrastructure). In PKI, we can use both symmetric and asymmetric encryption as well as hashing, and we use that to provide and manage digital certificates. Just like we do with asymmetric encryption, we keep our private key secret.
But for PKI, we also store a copy of the key pair somewhere secure.
And that is a key repository, because what if I just kept my private key on my computer and the computer was stolen?
Even if we have full disk encryption, they can't get to the key, that is nice, but my key is still gone.
Which means that any of the messages that were sent using my public key, I can no longer open because my private key is gone.
So to make sure we can still access the data that we need, regardless if the key is destroyed or lost, we have a key repository.
I have worked in a couple of places where for one reason or another, I needed a new desktop.
After I got the desktop, I would contact the department that handled our digital signatures.
We had the right policies in place on how and when you can retrieve them.
I think in our organization at the time, the request had to come from someone that was a senior director or higher and someone that was in your reporting structure.
They say, yes, Thor is getting a new PC and he needs his private key.
Then we would have two security administrators access the key repository and find my key.
And we had two because it is a dual control.
That means that no single security administrator can access the key repository and retrieve keys that they should not.
Having that dual control significantly reduces the chance of someone doing something malicious.
And I say reduce because it does not remove.
It is just much less likely that two security administrators are both in agreement on doing something wrong. It’s the same dual control you see in movies, when on the spaceship, they have to turn the key at the same time to stop the self-destruct or to start it.
To make sure that Bob, who just lost all his space money in a poker game, doesn't get angry and destroy the space station, we have that dual control.
Even if you use digital signatures just for private use, make sure you have a copy of your secret key stored somewhere secure.
And that last part is important, secure.
The attackers will always look for the weak implementation.
So you need to make sure it is not there.
A Key Escrow is similar to our own key repository.
It is a backup of our key pairs that is kept somewhere, but it is kept by a third party, and most often it is kept at the request of law enforcement.
Let’s say for whatever reason, our organization is under investigation by some branch of law enforcement.
They can then demand we put our keys in key escrow.
So in six months we can’t say, oh no, we can’t open all those emails because we lost the private key.
And I’m sure that key escrow is a real thing because many companies did that.
They chose to lose the private key so they would not incriminate themselves with the proof of their wrongdoings in the emails or on the servers.
Now, let’s take a look at how a digital signature works and the actual flow of the data.
Over here on the right, you can kind of see a flow.
I am sending an email to Bob and remember, digital signatures give us integrity and non-repudiation.
We can add confidentiality to that.
But the way it is most commonly used, it is only integrity and non-repudiation.
I send my email to Bob, that is the data packets you see here.
Then I have a hashing algorithm that provides a hash of the data.
I then encrypt that with my private key and that gives us the digital signature along with the data.
I send that over the Internet, Bob receives it, he then uses my public key to decrypt it, then he uses the same hashing algorithm and those two hashes from the algorithm and the one I sent, they have to match.
If they do, we have message integrity.
And since Bob decrypted this with my public key, then that proves that message came from me.
That provides us non-repudiation.
We have talked about we can technically add confidentiality to this as well, although it is not very common.
The way we would do this is after I have encrypted the message with my private key, I would then encrypt it again using Bob’s public key.
Since he should be the only person that has his private key, he is the only one that can decrypt my email.
So as you can see on the flow here, we use hashing for integrity.
Then we use the private and public key for non-repudiation and in some cases confidentiality.
Then we send it over the Internet.
Here we mainly use symmetric encryption.
And then Bob again uses the hashing and the asymmetric.
And I have had students that ask me, “Thor do I really need to understand this flow?”
And my default answer is, every time, “If I teach it to you, then yes, it is possible to see it on the exam.”
Now, that doesn’t mean you will see it on the exam.
I have no clue.
The question databank for the actual exam is huge.
You may or may not see something on the flow of digital signatures, but why take that chance?
This flow, I think is pretty simple and I have said it before.
The exam is not going to give you definition questions.
You may get something where they might describe the flow of a digital signature and knowing that you can then pick the right answer.
Or they might say we want integrity, non-repudiation and confidentiality.
And then the four answer options will give you a flow saying encrypt with Thor’s private key, then encrypt with Bob’s public key.
Then they might say private key, public key, then hash it, then send it.
And if you don't completely understand the flow, then how can you answer what we should do to get integrity, non-repudiation and confidentiality?
Or they might just want integrity and non-repudiation.
Well then it is a regular digital signature.
Most of the questions on your exam, you’re going to have to use logic, figure out what are they really asking, and with that knowledge, find the most right answer or the least wrong.
Now, let’s finish this lecture by looking at digital certificates.
Digital certificates are public keys signed with a digital signature.
They can either be client based or server based.
If they are server based, that can be SSL or TLS.
It is assigned to a specific server and stored on the server.
If it is client based, well, then it is your digital signature.
It is assigned to you and stored on your PC.
Since we already covered your digital signature, let's look at the server-based ones. For SSL and certificates, we will most likely use a public CA (Certification Authority).
And that could be someone like GoDaddy or VeriSign. Regardless of whether it is a public one or something we have internally in our company, the CA's job is to issue and revoke certificates.
Then we have an ORA (Organizational Registration Authority), and that is something we have within our organization.
It authenticates a user or a system and then it issues a certificate.
On top of issuing the certificates, it also looks at which ones have expired or have been compromised.
And for that it uses a certification revocation list.
Let's say one of our server certificates has been compromised.
Well, then the ORA revokes that certificate.
Or if an employee leaves our organization, we keep the certificate to make sure that we can decrypt messages.
But we retire it from active use.
I have had some students that suggested that we should delete the certificate when they leave the organization.
And no, first off, we need to be able to read their emails.
And what if in six months we get a court order saying we suspect the employee that left you has been part of insider trading, you have ten days to provide us with all the emails from this time period.
So, yeah, we keep the certificates after they leave.
Up till some years ago for SSL and TLS certificates, we did the same thing.
Now we have moved to an online certificate status protocol, which is a client-server hybrid, and that is OCSP (Online Certificate Status Protocol).
Before, we would check every single certificate to see if it was expired; with the new version we just check whether this specific certificate is expired.
And that, of course, is much, much faster.
And the certification and revocation is an ongoing process.
The list is never static, which is also why it makes so much more sense to use that server client hybrid instead of having to go back every time and check.
And while we’re on this topic, let’s take a real quick look at the Clipper chip.
The Clipper chip was a chipset that was developed and promoted by the US NSA.
And what they said was the intention behind it was an encryption device to secure data and voice messages, but somehow they were also smart enough to leave built-in back doors so they can listen in on all our conversations.
So the intent was that this little chip would be embedded in every device to secure us.
And while it might have secured some things, obviously the main purpose was for them to listen in.
So luckily when they published this, there was a huge public outcry.
It was seen as a huge invasion of privacy, which we now know it was, and that made them pull the plug on it, which was very, very lucky, because after the fact, we discovered a bunch of security holes in the Clipper chip that would have made many more people able to listen in and see everything that you did, not just the NSA.
Many of the security flaws that the Clipper chip had came from the Skipjack cipher, a cipher that was never secure.
And with that, we are done with this lecture.
I will see you in the next one.

Updates we are working on  💻 🗓️ 

  • A course on using generative AI for Project Management.

Updates we have completed 🍾 🎯 

Video and test courses updates:

Practice question updates:

CC (Certified in Cybersecurity): Get them here

Added 1,700 new questions. 

CISSP: Get them here
Added 3,250 new Easy/Mid CISSP questions – both as exam emulation and per-domain tests.
Added 125 new Hard CISSP questions.
Added 198 new CISSP topic quizzes to our CISSP videos after each major topic.

Other:
150+ student names added to our practice questions, we want you to be part of our questions. 

Glossary updates:

Our FREE 2,500-word IT and Cybersecurity Glossary – CISSP, CISM, CC, CCSP:
https://thorteaches.com/glossary/

ThorBots (Chatbots) updates:

ThorBot:

Your 24/7 AI study assistant: it clarifies concepts, tailors your learning, and enhances your CISSP, CISM, and CC preparation. The ThorBots are included in our CISSP, CISM, and CC courses here on ThorTeaches.com.

Indexes for accessibility updates:

Added page indexes to all our Study Guides and Quick Sheets for better accessibility and navigation.

The NEW Thor's CISSP Quick Sheets:

Introducing the NEW “Thor’s CISSP Quick Sheets”.

Streamline your review sessions, maximize your retention! We know you're busy, and that's why we've distilled our comprehensive CISSP Study Guides down to the essentials.
ThorTeaches.com proudly presents our new CISSP Quick Sheets – the ultimate condensed study notes tailored for your review sessions.
We have already added the CISSP Quick Sheets to our courses on Udemy and ThorTeaches.com, there is no additional charge or price increase, just another awesome study resource to help you succeed.
You can download them from the resources section in the first or second lecture of the course.

Our Flashcards on ThorTeaches.com are LIVE!

After many many months of working, our 2,500 CISSP, CISM, and CC Flashcards are finally here for you to use.

They are separated into primary domains for each certification as the perfect study aide for self-testing, review sessions, and reinforcing the material covered in our courses.

Where can I get the Flashcards?
They are ONLY available for our students with our CISSP, CISM, and CC courses on ThorTeaches.com; they are not available for Udemy students (sorry, but it is a Udemy platform limitation).

Do they cost extra or will you raise your prices?
No, they are part of our full bundles. They were added to all our ThorTeaches.com CISSP, CISM, and CC students' courses (right after the domain videos and the Glossary).

Can I use them on mobile devices too?
Yes, they are also accessible on your phone or tablet.

Can I download the flashcards?
No, they are only available on ThorTeaches.com in the courses.

Yes, there will be detailed explanations of why the correct answer is correct and why the incorrect answers are incorrect.

Easy (E) level sample question:
Louise is the IT security manager for a large financial institution. She has recently implemented a new access control system that utilizes multi-factor authentication for all employees to access sensitive data. One of her employees, Hanna, has reported that she is unable to access certain data that she should have access to. After investigating the issue, Louise discovered that Hanna's access privileges were inadvertently revoked by another employee. What is the most appropriate action to take in this situation?

  1. Reassign Hanna's access privileges to the appropriate level.
  2. Have Hanna go through the multi-factor authentication process again to verify her identity.
  3. Have Hanna go through the entire onboarding process again, including security training and background checks.
  4. Terminate Hanna's employment for security breaches.

The correct answer:
Reassign Hanna's access privileges to the appropriate level: This is the most reasonable and efficient solution. The issue at hand is that Hanna's access privileges were mistakenly revoked. The most direct way to resolve the problem is to reassign these privileges at the level that is appropriate for her role. This should allow Hanna to access the data she needs for her work. We might also want to investigate how it happened to see if we want to implement further checks to avoid this in the future.

The incorrect answers:
Have Hanna go through the multi-factor authentication process again to verify her identity: The issue isn't with Hanna's identity verification but rather with her access privileges. Re-doing the multi-factor authentication won't restore access to the resources she needs.
Have Hanna go through the entire onboarding process again, including security training and background checks: This approach is unnecessary and time-consuming. The issue doesn't stem from Hanna's actions or a lack of training; it's a mistake in the access control settings. Also, making an employee repeat the onboarding process because of a simple administrative error could lead to frustration and lower morale.
Terminate Hanna's employment for security breaches: This is inappropriate because Hanna didn't commit any security breaches. In fact, she reported the problem. Her access was revoked due to an internal administrative error, not because of her own actions. Taking such a drastic step as termination would not only be unjust, but it could also create a hostile environment where employees may be afraid to report problems in the future.

All of them will be on ThorTeaches.com; most will be on Udemy.

CC on Udemy has 1,200 CC questions; ThorTeaches.com has all 1,700 questions.

The CISSP courses on Udemy have 2,500 Easy/Mid questions as exam emulation and 1,000 as per-domain questions.
ThorTeaches.com has 3,250 Easy/Mid questions as exam emulation and 3,250 as per-domain questions.
Both have 625 HARD CISSP questions.

For UB (Udemy Business) students, you should have access to the new Udemy tests as soon as they are added to UB.

All the E/M tests are being retired and replaced with newer and better tests. All of this is done in place, so your courses get updated for free. Hard questions are being added too.
On Udemy, we are updating questions in the current tests. We are also making new courses on Udemy for all the other questions.
On ThorTeaches.com, we are adding all the new questions to the bundles there; if you are a current subscriber, you get them all for free.
We plan to raise our prices to match all the new content, but we will announce a 1-week period where you can buy the bundle at the old price but still get all the new questions for free.

They will be better formulated with much better explanations. The test interface stays the same on Udemy and ThorTeaches.com.

Yes, all questions are based on the current CC (2023), CISSP (2021), and CCSP (2022) exams, and they will be updated when the exams change again.

The CISSP exam updates April 15th, 2024; CCSP in 2025, CC in 2026, and CISM in 2027. Questions will be updated at those times.

It's the same place you do now; we are just updating the back-end practice tests.

A ton of student requests, “Why don’t you have more questions?”, “Can you make more questions, please?”, “I really want just to use your questions,” and many more.
You ask, I listen 😊

Yes, just like you can now, you can take and retake the tests as many times as you want.
 
We asked our students on our Discord server and in our Facebook group if they wanted their names included in our practice tests. Here are the 150+ names that were included:

Aamir, Abhishek, Abiola, Abwino, Adeel, Adu, Ala, Alamgeer, Alfred, Alpesh, Alvin, Amolak, André, Andreas, Ashish, Ashlyn, Brent, Chinthake, Chirayu, Claire, Daniel, Debashish, Dhievy, Donita, Edward, Emmanuelle, Erin, Esther, Evan, Fahim, Garry, Gireesha, Guru, Gurudev, Habib, Hannah, Hind, Hrishikesh, Ishara, Ismail, Ivan, Ivy, Jacob, Jai, Javed, Jay, Jeyapaul, Joe, Joy, Joye, KaTina, Kazim, Khoa, Kobamelo, Kojo, Krzysztof, Kundai, Kushal, Leny, Livaniel, Liz, Malini, Marc, Marius, Maston, Melissa, Mervin, Michael, Moshood, Moxi, Nader, Neeraj, Newton, Olatunde, Omar, Philip, Pierre, Prasanth, Raghavendran, Rami, Ravi, Ritesh, Riz, Robert, Rogelio, Rohit, Ron, Ryan, Saad, Saeed, Sajeevkumar, Sameer, Sartsatat, Serena, Seth, Stuart, Syed, Tai, Taye, Terence, Tewfik, Thilina, Travis, Tristan, Tunde, Vihanga, Vikas, Vinit, Yokesh, Zaw, Scott, Jason, Prashant, Marteen, Fadi, Luc, Shon, Ku'uipo, Chris, Kaimana, Sara, Yasmine, Maria, Melissa, Fatma, Fatima, Nora, Mariam, Emma, Olivia, Isabella, Victoria, Ana Maria, Carmen, Helena, Manuela, Guadalupe, Malu, Esther, Kyra, Sofía, Luna, Zahra, Himari, Latifa, Shu-fen, Amelia, Freja, Agnes, Lív, Ronja, Louise, Hanna, Kamilė, Zuzanna, Anastasia, Astrid, Amelia, Leilani, Kalea, Makana, Kamalani, Francesca, Juanita, Prabh, Ana, Henry, Mikey, Syed, Ushakiran, Sanjay, Paskorn, Suobo, Darwin, Adeel, Jose

Our FREE 2,500 word IT and Cybersecurity Glossary – CISSP, CISM, CC, CCSP:  https://thorteaches.com/glossary/

Our Flashcards on ThorTeaches.com are LIVE!

After many months of work, our 2,500 CISSP, CISM, and CC Flashcards are finally here for you to use.

They are separated into the primary domains for each certification, making them the perfect study aid for self-testing, review sessions, and reinforcing the material covered in our courses.

Where can I get the Flashcards?
They are ONLY available to our students with our CISSP, CISM, and CC courses on ThorTeaches.com. They are not available to Udemy students (sorry, but it is a Udemy platform limitation).

Do they cost extra or will you raise your prices?
No, they are part of our full bundles. They were added to all our ThorTeaches.com CISSP, CISM, and CC students' courses (right after the domain videos and the Glossary).

Can I use them on mobile devices too?
Yes, they are also accessible on your phone or tablet.

Can I download the flashcards?
No, they are only available on ThorTeaches.com in the courses.

ThorBot:

Your 24/7 AI study assistant: clarify concepts, tailor your learning, and enhance your CISSP, CISM, and CC preparation.
The ThorBots are included in our CISSP, CISM, and CC courses here on ThorTeaches.com.
Updated again in Feb 2024 with a better back-end (ChatGPT 4-Turbo 128) and better command training.

Added page indexes to all our Study Guides and Quick Sheets for better accessibility and navigation.

Introducing the NEW “Thor’s CISSP Quick Sheets”.

Streamline your review sessions, maximize your retention! We know you're busy, and that's why we've distilled our comprehensive CISSP Study Guides down to the essentials.
ThorTeaches.com proudly presents our new CISSP Quick Sheets – the ultimate condensed study notes tailored for your review sessions.
We have already added the CISSP Quick Sheets to our courses on Udemy and ThorTeaches.com. There is no additional charge or price increase, just another awesome study resource to help you succeed.
You can download them from the resources section in the first or second lecture of the course.

What are the main practical changes in the CISSP 2024 exam update?

My video on the changes: 
https://www.youtube.com/watch?v=nFd0TQ5oBT8

The CISSP 2024 exam update includes a 1% weight shift from Domain 8 to Domain 1, fewer exam questions (100 to 150 instead of 125 to 175), and a shorter exam duration (3 hours instead of 4). Additionally, there is updated curriculum content across various domains, including new and expanded topics.

What are the actual curriculum changes?

Most of the changes add emphasis on topics that are more relevant and in focus now, like cloud computing, AI, and privacy.

Domain 1: Added external dependencies in business impact analysis.
Domain 2: No changes we know of.
Domain 3: Added Secure Access Service Edge (SASE), Quantum key distribution, and managing the information system lifecycle.
Domain 4: Added transport architecture, performance metrics, traffic flows, physical segmentations, edge networks, virtual private clouds, and network monitoring and management.
Domain 5: Added services in the control of physical and logical access to assets, policy decision and enforcement points, and service account management.
Domain 6: Emphasis on location context (on-premise, cloud, hybrid) for audit strategies.
Domain 7: Added communication during the testing of Disaster Recovery Plans (DRP).
Domain 8: Added Scaled Agile Framework and software composition analysis.

When will your new content be out for the CISSP changes?

Content for the 2024 curriculum changes is now live.

Is anything of the current curriculum getting removed?

We do not think so; as far as we know, no curriculum is being removed.

Will there be any new domains introduced in the updated CISSP exam?

No, the eight domains will remain the same; only the content within some domains will be updated or expanded.

How will the question format be affected by the update?

The question format will remain a Computer Adaptive Testing (CAT) format, but with a different number of questions and reduced exam duration.

If I’m already studying, should I attempt the exam before or after the update?

It is generally recommended to take the exam before the update, given that the current materials are available, and you might be more familiar with them. However, if that’s not possible, the changes are considered minor and should not significantly impact your preparation.

Will I need to repurchase your study courses for the updated exam if I already have them?

No, if you have purchased courses from ThorTeaches.com or Udemy, you will receive updates for free. Only the versions on these platforms will be updated.

Can I take the CISSP exam remotely after the update?

No, all exams must be taken in person at an authorized Pearson VUE testing center.

What happens if I have already purchased study materials for the current exam but plan to take it after the update?

You should be fine; the changes are very minor. It is advisable to review the new topics from other sources as well, since the update introduces new content.

When will the new study materials for the 2024 exam changes be available?

For ThorTeaches.com and Udemy courses, updates will be made available before the exam changes. The official study guides, AIO, and practice questions from ISC2 typically become available 3 to 6 months after the exam updates.

Is there going to be a price change for the CISSP exam after the update?

There are no planned changes to the exam pricing.

How can I best prepare for the CISSP exam with the upcoming changes?

It is recommended to continue studying the current materials and familiarize yourself with the new topics. Taking advantage of the free course on how to study for the exam at free.thorteaches.com can provide valuable insights into effective preparation strategies.

Will the format of questions change in the updated CISSP exam?

The format will remain Computer Adaptive Testing (CAT), but there will be a total of 100 to 150 questions instead of the previous range of 125 to 175.

I am scheduled to take the CISSP exam right before the update; will my exam still be valid?

Yes. Your exam, and (assuming you pass and get endorsed) your CISSP certification, will be just as valid regardless of whether you take the exam before or after the update.

How much time will I have per question in the updated exam?

If you receive the maximum of 150 questions in your exam, you will have approximately 72 seconds per question within the 3-hour time limit.

What is the passing score for the updated CISSP exam?

The passing score for the CISSP exam remains the same, which is a scaled score of 700 out of 1000 points.

Will there be any changes to the CISSP experience requirements after the update?

There have been no announcements regarding changes to the CISSP experience requirements, which currently entail a minimum of five years of professional security work experience.

Do the CISSP exam updates include changes to the continuing professional education (CPE) requirements?

There are no changes to the CPE requirements for maintaining your CISSP certification.

Will beta questions be included in the updated CISSP exam?

Yes, there will be 25 beta questions randomly dispersed within the first 100 questions of the exam.

Are the beta questions counted towards the final score?

No, beta questions are not counted toward your final score. They are used by ISC2 to validate the questions for future exams.

Will the beta questions be distinguishable from the scored questions?

No, you will not be able to distinguish beta questions from scored questions during the exam.

Can we expect new types of interactive questions in the updated CISSP exam?

There is no specific mention of new question types; the update focuses on content rather than question format.

How will the changes affect the weight of each domain in the CISSP exam?

All domains except for Domain 1 and Domain 8 will maintain their current weights. Domain 1 will increase by 1%, compensated for by a 1% decrease in Domain 8.

Will the difficulty level of the CISSP exam change after the update?

The difficulty is calibrated through the CAT format to reflect a consistent standard of knowledge, so it should remain comparable.

How frequently are the CISSP exam questions updated?

While there is a major curriculum update every three years, the actual exam questions can be updated more frequently to reflect current industry standards and practices.

Will the update affect the application process for the CISSP exam?

The application process for the CISSP exam is not expected to change with the update.

Are there any changes to the CISSP endorsement process after passing the exam?

No changes to the endorsement process have been announced.

Why is Lifetime Access more expensive than the standard 12-month access?
The premium price of Lifetime Access accounts for the ongoing costs to maintain, host, and update the course materials on our platform indefinitely, rather than just for 12 months.

Do I get access to all your courses on ThorTeaches.com when I buy lifetime access?
No, the lifetime access is purchased on a course level. If you want lifetime access to more courses, you need to purchase the courses you want.

Can I upgrade to Lifetime Access on courses I have not purchased?
You can only upgrade courses you own to lifetime access, or you can buy them initially with Lifetime Access.

Will I receive updates to the course with Lifetime Access?
Yes, all in-place updates to the course content are included with Lifetime Access. You’ll automatically receive the most current material without additional charges.

What does Lifetime mean on ThorTeaches.com?
In the context of this policy, “Lifetime” refers to the operational lifetime of the course on our platform, not the lifetime of the individual purchaser. Should ThorTeaches LLC undergo a business transition, such as cessation, sale, or restructuring, you will be provided a download link for the full course and all materials that you are enrolled in, preserving your educational investment. There are no near or long term plans for this, but proper contingencies should be clear.

Are there any maintenance or hidden fees associated with Lifetime Access?
No, there are no maintenance or hidden fees. The one-time premium payment covers all costs associated with the lifetime access to the course materials.

Can I switch from a 12-month access plan to Lifetime Access after my initial purchase?
Yes, you can upgrade to Lifetime Access at any time during your 12-month access period or after it expires. There is no deadline; even if your initial access has expired, you can still get Lifetime Access for 45% of the current course list price. It is more cost-effective to select Lifetime Access at the time of your initial purchase.

Is Lifetime Access transferable to another student or individual?
No, Lifetime Access is non-transferable and is linked exclusively to the account of the original purchaser to ensure the integrity and security of account access.

Does Lifetime Access apply to all courses offered on ThorTeaches.com?
Yes, it is available for all our courses.

Will I still be able to access the course after I finish it?
Absolutely. Once you've finished the course, you will retain access to it for as long as your account remains in good standing. That means you can revisit and review the course content whenever you need a refresher or want to retake the entire course.

How often is the course content updated?
We update courses to align with the current exam version; all updates are done in place. With Lifetime Access, you're guaranteed to receive all these updates.

Can I get Lifetime Access for the Boson questions?
No. Lifetime Access is only for our own courses. We resell the Boson vouchers, so they are 12-month access only.

Can I get CPEs/CEUs for finishing your courses?

Yes, when you finish our course you get a Certificate of completion worth 1 CPE per hour of video watched.
You can use them for CPEs with ISACA, CompTIA, ISC2, and many other certification providers.

  • The CISSP course is 32 hours long, worth 32 CPEs.
  • The CISM course is 32 hours long, worth 32 CPEs.
  • The CC (Certified in Cybersecurity) course is 17 hours long, worth 17 CPEs.

What are the ThorTeaches Chatbots?
Our AI Chatbots are digital study assistants that support interactive learning, offer on-demand assistance, and provide smart study strategies for the CISSP, CISM, and Certified in Cybersecurity (CC) certifications.

How do I access the chatbots?
The chatbots are available exclusively for ThorTeaches.com students. Just log in to your account, and you'll find them ready to assist you.

Can anyone use the chatbots?
While full access is reserved for our students, we offer a free version with limited features on our website for everyone to try.

What kind of materials are the chatbots trained on?
The chatbots are trained using our video courses, study guides, mnemonics, NIST documents, Wikipedia articles, the ISC2 and ISACA websites, our own "How to Study" materials, and various study guides like The CISSP Process Guide, The Sunflower Notes, and The Memory Palace.

Can the chatbots help me understand complex topics?
Yes, you can ask them to explain complicated subjects in simpler terms to enhance your understanding.

Are the chatbots available 24/7?
Absolutely! Our chatbots are ready to provide assistance around the clock, any day of the week.

Will the chatbots provide personalized study tips?
They sure can. The chatbots will offer tailored advice based on our proven study methods and resources.

Can I rely on the chatbots for accurate information?
While the chatbots are trained to provide accurate information, please be aware that they may occasionally make errors. Always cross-reference with authoritative sources when in doubt.

Do the chatbots offer support for exam logistics and scheduling?
Yes, they can provide information on exam rules, registration, and scheduling processes.

What is the cost of using the chatbots?
The chatbots are included as part of the educational resources provided to students of ThorTeaches.com. The slimmed-down version on our website is free.

How do the chatbots handle copyrighted content?
Our chatbots are trained on non-copyrighted material, copyrighted material used with attribution, or proprietary ThorTeaches materials.

Can the chatbots help with mnemonic devices?
Yes, they can teach you mnemonics to improve your memory of important concepts.

Is there a limit to the number of questions I can ask the chatbots?
No, you can ask unlimited questions and engage with the chatbots as much as you need.

Are the chatbots updated regularly?
Yes, we ensure our chatbots are updated in line with the latest information and best practices.

Do the chatbots cover all domains of the certification exams?
Yes, they provide assistance across all domains covered in the CISSP, CISM, and CC exams.

Will the chatbots replace my need for traditional study methods?
No, they act as a complement to traditional methods by providing interactive and dynamic learning assistance.

Can the chatbots help me prioritize my study topics?
Yes, ask the chatbot for advice on which topics to focus on based on your knowledge gaps and exam weightings.

Get our courses: