
Showing posts from May 19, 2013

1.6.9 TKIP

Temporal Key Integrity Protocol (TKIP) is a security protocol defined by the IEEE 802.11 wireless networking specification. TKIP was designed to replace WEP without requiring the replacement of legacy hardware; customers could take advantage of it by updating firmware instead of replacing equipment. [1]

TKIP is a "wrapper" that goes around the existing WEP encryption. It uses the same encryption engine and RC4 algorithm defined for WEP; however, the key used for encryption in TKIP is 128 bits long, which solves the first problem of WEP: a too-short key length. [2] TKIP is the encryption method used in Wi-Fi Protected Access (WPA).

References:
http://en.wikipedia.org/wiki/Temporal_Key_Integrity_Protocol
http://www.networkworld.com/reviews/2004/1004wirelesstkip.html
CompTIA SY0-301

1.6.6 LEAP

LEAP (Lightweight Extensible Authentication Protocol) is a proprietary EAP protocol, also known as Lightweight EAP. It was created by Cisco Systems for its line of wireless LAN access points as a way to address the security weaknesses in WEP. The security of LEAP relies on the strength of the organization's password policy. With LEAP, the organization should use complex passwords that make it computationally infeasible to attempt an offline dictionary or brute-force attack. [1]

References:
http://www.techrepublic.com/article/ultimate-wireless-security-guide-an-introduction-to-leap-authentication/6148551
CompTIA SY0-301

1.6.3 WEP

Wired Equivalent Privacy (WEP) is the original security standard used in wireless networks to encrypt wireless network traffic. [1] It adds security to 802.11 Wi-Fi networks at the data link layer (OSI model Layer 2) using a combination of hexadecimal digits. Hexadecimal digits comprise ten numerals (0-9) and six letters (A-F). WEP uses a combination of these hexadecimal digits to create WEP keys. For example:

8734CDEA08432FACDE65748ACC

There are three key sizes in use with WEP: 10, 26 and 58 digit key lengths.

A 10 digit hexadecimal key size results in a 40- or 64-bit WEP key. Note: each hexadecimal character represents four bits, resulting in a 40-bit key. 40-bit keys can be concatenated with a 24-bit initialization vector (IV) to generate a 64-bit WEP key.

A 26 digit hexadecimal key size results in a 104- or 128-bit WEP key. Note: as each hexadecimal character represents four bits, this yields a 104-bit key. If this is concatenated with a 24-bit initiali

1.6.2 WPA2

Wi-Fi Protected Access II (WPA2) is a security protocol developed to protect wireless network communications. WPA2 is also known as the IEEE 802.11i standard. It was certified by the Wi-Fi Alliance in 2004:

Table 1: Wi-Fi Security Timeline [1]

Date            Milestone
September 1997  IEEE 802.11 standard ratified, including WEP
April 2000      Wi-Fi CERTIFIED program launched, with support for WEP
May 2001        IEEE 802.11i task group created
April 2003      WPA introduced with:
                • IEEE 802.1X authentication
                • Temporal Key Integrity Protocol (TKIP) encryption
                • Support for EAP-Transport Layer Security (EAP-TLS)
September 2003  WPA mandatory for all Wi-Fi CERTIFIED equipment
June 2004       IEEE 802.11i amendment ratified
September 2004  WPA2 introduced with:
                • IEEE 802.1X authentication
                • AES encryption
                • Support for EAP-TLS

A

2.1.6 Risk-avoidance, transference, acceptance, mitigation, deterrence

Risk Avoidance
Risk avoidance involves identifying a risk and making the decision to no longer engage in the actions associated with that risk. Risk avoidance should be based on an informed decision that the best course of action is to deviate from what would or could lead to being exposed to the risk. One of the problems with risk avoidance is that it may require you to also avoid activities that may otherwise be beneficial. Risk avoidance is the most effective countermeasure to risk; however, it is often not possible due to organizational requirements and business drivers.

Risk Transference
With risk transference, you share some of the burden of the risk with another entity, such as an insurance company. You do not completely offload the risk; you mitigate it through partnerships. An example policy might pay out if you could prove that all necessary measures to reduce the risk were taken and you still

2.1.5 Qualitative vs. Quantitative Risks

Risk is the potential that a specific action (or lack of action) will lead to a loss, where "loss" is an undesirable outcome. In information security, risk is defined as "the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization". [1] In the book Security Risk Management Body of Knowledge, Julian Talbot posits that "A security risk is any event that could result in the compromise of organizational assets, the unauthorized use, loss, damage, disclosure or modification of organizational assets for the profit, personal interest or political interests of individuals, groups or other entities constitutes a compromise of the asset, and includes the risk of harm to people."

Risk = Threat × Vulnerability

Risk management is the process of identifying and reducing risk to a level that is comfortable and then implementing controls to maintain that level

2.1.4 Risk Calculation in Projects

Few systems are free of risks. The job of the risk/security professional is to identify the risk, estimate the potential cost and recommend appropriate action. Risk management is a field that has seen major growth and development in the past few years; this growth has risen to meet the growth of risk in the field. The expectation for any project is that it be successful, which means it meets deadlines, stays on budget and fulfills the statement of work. In IT, for example, you should continually try to uncover the risks in your systems: are your employees streaming Netflix videos on company time? Are they visiting suspected compromised sites? These actions are each potentially very harmful to the organization. How does the cost of preventing or avoiding the risk compare to the cost of allowing or ignoring it? There are a range of methods for calculating risk and minimizing the danger it poses to the success of your project.

2.1.3 Importance of Policies in Reducing Risk

Policies are used by organizations to define and govern behavior. Information is the core resource of IT organizations; as a result, several types of policies are created to preserve and protect it in a consistent and reliable manner. Policies are created to fulfill legal, regulatory and security requirements. Let's focus on the security-related policies.

Privacy Policy
In a (business) transaction there is an exchange of resources. In a business-to-consumer transaction, the consumer usually exchanges money for a product or service. Often, to facilitate the transaction, personally identifiable information (PII) is generated. The value of this information is becoming more apparent. The Privacy Act of 1974 [1] established guidelines and restrictions on how the US federal government can collect, use and share PII. Other federal laws establish rules for corporations and other organizations to manage their users' private information in specific circum

2.1.2 False Positives

"A legitimate file inadvertently detected as 'infected', 'malicious' or 'suspicious' (also known as a False Positive or a False Alarm)." (F-Secure)

From mathematics to medicine, from internet security to robotics, the term "false positive" is used as jargon for a paradoxical condition where a value is said to be TRUE although it is FALSE in reality. A false positive is also known as a false alarm or false detection. The security definition of a false positive goes like this: "The erroneous identification of a threat or dangerous condition that turns out to be harmless. E.g., false positives often occur in intrusion detection systems." (PC Mag encyclopedia)

A false negative occurs when a security system fails to recognize an actual risk. Any time a virus gets through an anti-virus scan, it is termed a false negative. Possible reasons for a false negative include a check not yet being written (maybe the vulnerability is new), us

2.1.1 Control Type

The very essence of computer security is the assessment and management of security risks in an organization. Evaluating and taking the necessary actions to tackle these risks is defined as control. A security risk could be anything from malicious code to social engineering. Risk management includes risk acceptance, avoidance, mitigation, deterrence, and transference. Control type is a risk mitigation strategy employed at various levels for effective risk management. Control types are mitigation strategies followed in order to control the impact of risks by defending vulnerabilities and preventing exploits, thereby reducing the likely impact of a security risk. This is brought about by a strategy called multi-layered defense, or "defense in depth". Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. (Rouse) This strategy was first developed by the milita