ISACA CISA Topic: Lesson 6 Part 3
December 16, 2022

7. Asymmetric Encryption

We know about symmetric key encryption, where you use the same passphrase, the same password, and the same key to both encrypt and decrypt. Let’s talk about asymmetry. The whole problem of the symmetric key and the risk of compromising the key was intriguing problem. And there was a mathematician at MIT named WhitDIFY, and he pondered the problem, and he travelled out west and stopped along the way, and he asked different mathematicians their opinion on this. He ended up at the Stanford Research Institute and was hired by a guy named Hellman to solve the problem. and he almost gave up. But he finally came up with an idea: two keys, two numbers, mathematically related. And by the way, if you go on Wikipedia, they have a very lovely way of describing this. Even if you’re not a mathematician, you sort of get what they’re talking about.

The idea is to encrypt with one and decrypt with the other. It doesn’t matter which one. But when you encrypt with one, you must decrypt with the other. We will freely give away one of them. We’ll call it the public key. We are not going to give each other away. We’ll call it the private key. If I want you to send me something that only I can read, I’m going to give you my public key freely. You will use the public key to do the encryption. You’ll send it back to me. I’m the only possessor of the private key to decrypt it. Now, the nice thing about it is that you and I don’t have to meet ahead of time. We do need to use a known algorithm. However, current thinking suggests that It’s okay for everyone to know the algorithm that actually improves security because you’ve got thousands of people trying to break this algorithm. So it only makes it better because all the weaknesses get published, known, and fixed. Okay, so I’m going to give you my public key. You’re going to encrypt with my public key. You’re going to send it back to me. I’m the only possessor of the private key.

You can actually look at public keys right now in any browser. If we were to actually open Windows, Internet Explorer, or any other browser here, we could see it. You might notice that I’ve switched to Windows 8 here with a slightly different wallpaper. I’m going to open Internet Explorer and go into the Internet options over here on the right hand side into the Internet options settings. and I’m going to go take a look. You can do this yourself. And it’s not just IE. You can do this with any browser, but especially with IE. I’m going to the content tab, and I’m now going to the certificates button. As you can see, a certificate is simply a public key on a document. The document has not only the key in it, but it also says, “When does the thing expire?” What is it good for? What can you use it for? Who issued it? It’s signed by other entities. We’ll talk about all that in just a moment. Let me go to certificates, click that, and I’m going to go to the Trusted Root Certification Authorities. In a moment, we’ll go over what CAS are. And here are all of the certificate servers in the world that hand out certificates—there’s GoDaddy and there’s Verisign. We’ll even find GoDaddy and have a little fun with it. We’ll pick GoDaddy right here. We’ll open it up. If you go to the details tab of a certificate and you scroll down just a little bit and find the public key, click it. This, folks, is a key.

This is the public key for GoDaddy’s trusted root certificate. It is 2048 bits long, and it uses RSA as its algorithm. And here it is, folks. Right here is an associated private key. but you never see that. That is something that is stored in an unpaged part of kernel memory in the operating system. And when it’s on disk and stored on disk, it’s encrypted. So we never visually see the private key, but there is an associated private key. So there we have it. There is the public key of a two-key asymmetric system. And when you have this asymmetric system, we call it public key infrastructure. PKI. So, for example, if you’re shopping online, and I’m going to just give you the short version of this, if you put stuff in your shopping cart and you click Proceed to checkout in the background, what’s happening is that website is slipping. In the background, you generate their public key, and then you generate a private key from that public key using a combination of something you create in your browser. I mean, you, as a user, don’t know this. Your browser will create a temporary session key, which is actually an asymmetric key to quickly encrypt everything. Put in your credit card number and all of your contact information, and whatever you put in when you hit the checkout button is sent back to the website from which you purchased.

They’re the only ones who possess the private key needed to actually decrypt it. So even if somebody intercepts it along the way, they don’t have the private key, so they can’t get your credit card information. Now it is true that, given enough time and computing power, any encryption can be broken eventually. It may take 100 years, but any can be done. Des40, the data encryption standard, was broken in less than a month. The problem with encryption is that nothing is ever truly secure. If you want a completely secure system, don’t have a system.But what you have to do is make a judgement about what is a reasonable level of security. And as an IS auditor, we’re looking at, okay, are they intending to encrypt stuff to transmit, send things encrypted, encrypt email attachments, encrypt this, encrypt that? And are they actually doing it, and are they doing it using a 128-bit key, which is how long the key is? This key right here is 2048 bits long, or is it a 40-bit key? Or what is their intent, and are they actually following through on it? So this is the idea of asymmetric encryption. The last thing that we have is something called hashing. Hashing is not encrypting a file per se; instead, we’re going to run it through an encryption algorithm and come up with a fixed-length output. And if that file gets changed even the slightest bit when we run it through the same hashing algorithm, the output will be very different. So I have a command prompt open, and I’m going to show you an example of hashing just so you can see it.

This helps demystify the whole encryption hashing process. I have downloaded a free tool called MD Five Sum. You can get it yourself on the Internet. There are many other tools. And we see that MD 500 is right here. And I’m going to do an MD five sum on this thing. And it has a description of how to use it. We’re going to use it to create a hashing algorithm output. So again, I’m going to create a new text file, and we’re going to change it very slightly and see how very different the output is. So right now, going out to my C drive, I’m just going to create a very simple file. And let’s start with a really simple text. And let’s open the text file. This is the original with a period. See that? Let’s save it. Okay, now I’m going to open up my command prompt, and I’m going to run this hashing algorithm. We’re going to see the output here. So I’m going to type MD Five Sums, which is before text, and then press Enter. Okay? As you can see, this is the MD five-sum of the preceding text. See that right there? Look at that. Eight. six one Now we’re going to change one tiny, little, tiny thing on that text file. Let’s go there. Let’s open it up. I’m going to change the period to a comma backspace.

Changing it from a period to a comma I’m going to save it and then run this thing again. And let’s just see. Look at the difference. Eight, one, C, six, E, and now it’s three, C, zero, E—very, very different. Now, how does this mean anything to you? The is the auditor. Very frequently, you will run into a situation where you have to prove that a file has changed or not changed. I mean, I’ve heard of companies claiming that their product is the original and has not been tampered with. And right in front of a judge? No, it has been changed. I can show you the documented MD Fivehash from before, and I’m running it now, and you can see it’s extremely different. Somewhere along the way, this has been changed. It is not the same. And so we can use it to absolutely prove that files have been tampered with or not, that they have integrity or not. There are many applications that use some kind of hashing algorithm to prove that this has not been changed along the way, either during data transmission or in some kind of file. There are Windows or Linux programmes where we can run MD5, or another hashing algorithm, or another algorithm against important files to ensure that they have not been changed. The next thing we’re going to talk about is the significance of using this in terms of encryption when we send files and something called digital signatures.

8. Digital Certificate

We now understand that with asymmetric encryption, it takes two keys: one to encrypt and one to decrypt. And with hashing, we’re less concerned with encryption and more concerned with running something for an algorithm. So we see a fixed-length result. You change one little thing, and the result is very different. So we can see whether or not the thing is changing, changed. Both of these techniques, however, are based on cryptography. And we talked about the idea of a certificate, and we know that a certificate is a key in a file, in a document. And the certificate will also include, like I said before, how long this thing is good for and who issued it. What’s it used for? Is it used for email? Is it used for authentication? What’s it used for? Is it used for just regular data encryption? So we have these certificates that we give away.

Now, on all of the major operating systems, you can create certificates from them. They either have a service or they will generate their own. And so there are tools and services that you can use to make your own certificates. The only thing about it is that they’re only known to you. So they’re not really for e-commerce. We’ll talk more about certification authorities in just a minute. So with the certificate, I can have it assigned to a user account or to my computer. And the user account is for when I want to do things, like when I want to authenticate. I can use the certificate to help prove my identity, or if I want to encrypt something, the device, the computer, can have a certificate when it needs to make a connection to a server and have an encrypted network session. And so you can have both users and computers have certificates, and all operating systems have the ability to do that. Now let’s talk about where the certificates actually came from.

And I was joking about GoDaddy, but GoDaddy actually is an issuer of certificates. So it starts with a service run by an organization—Verisign thought GoDaddy, Microsoft—there’s a whole bunch of them. And they have a server that has a special kind of service on it. And that special service is called a certification authority or a certificate server. And the whole purpose of this server is to issue these certificates. And what you can do is go to GoDaddy and purchase a certificate. You can go to Verisign and purchase a certificate. Some of them are \$10, and some of them are \$600. It depends on what the usage is for. And basically, they’ll check you out and get information from you. And if you want to use it for e-commerce, they’ll scrutinise you a little more closely than if you just want it for personal use. The whole idea is that they are a known entity; they are a known certificate authority.

They have issued the certificate, and we all know it comes from them because we looked in our browser and saw all of those Trusted Root Certification Authority certificates. So, for example, if we look in a browser right now, we can see that Windows 8 right now, which ships with Internet Explorer 10, comes with the certificates of the top trusted routes. So let’s go take a look here in Internet Options. Let’s take one more look here. We go to content, we go to certificates, and we go to Trusted Root Certification Authorities. These are all the known organisations with certificate authorities. They’re actually servers that issue these certificates. As a result, it ships and comes with the operating system. So we already now know thecertificate of GoDaddy or the certificatesof thought, verisign, Microsoft, et cetera. Now, here’s where it becomes significant. They issue us a certificate because we’re going to have an e-commerce website or we’re going to use encrypted email or something like that. They issue it to us. Between you and me, I never have to give you my public key until the last minute. But if I receive a certificate from a known entity, a trusted route, you have their public key, and you will use their key to verify the certificate that I have.

Remember how we were talking about the public key and the private key? We’re talking about how if I want to have you give me something that only I can look at, I need to give you my public key. You encrypt it with the public key and give it back to me. I possess the private key, and I can look at it. That’s the whole basic concept behind e-commerce and shopping online, that in the background. I slip you my public key; you encrypt it and send it back to me. I look at it with my private key. This is a distinction you’ll need to understand for the exam. Now, what if I need to prove that something came from me? I can go the exact opposite way. I can give you and everyone else in the world my public key. I’m the only one who possesses the private key. I can attach to this whatever it is a little something created by my private key—basically a little sort of encryption.

Now, you don’t have to decrypt it, but I created this little digital signature attached. I’m the only possessor of the private key who can actually do this. It’s attached to the email attachment file, the network packet, or whatever, the IP packet, and you have my public key. When you receive this thing that I have signed with my private key, you can use my public key to verify the signature. So be clear in your mind if you have Sue and Sally, and Sue needs to send something to Sally that only Sally can read. Sally has got to send Sue her public key. Sue encrypts it, and she sends it. Sally uses the private key to look at it. If Sue needs to know that something came from Sally, Sally will use the public key, or excuse me, her private key, to digitally sign that thing. Send it. Sue uses Sally’s public key to verify the signature. So this is how the concepts of encryption and digital signatures work. The reason why, if I have a website and you’re purchasing from me, you trust my certificate is because it has been digitally signed by one of those trusted roots, one of these certificate authorities. And you’ve got the public key to prove that signature is valid.

So this is how we have this whole PKI system working. The Public Key Infrastructure Certificate Authority hands out keys. We give out the public keys, and I either sign something with a private key, send it out, and you verify it with the public key, or you take my public key, encrypt it, and send it to me, and I decrypt it with the private key. That’s the whole concept of public key infrastructure concept.So here are the components. The CA is the certificate authority, or certification authority. This is the thing—the server, the service, actually—that runs on a server that issues certificates and digitally signs them. The certificates are keys, basically for a file or a document. When I, as an entity, as a company, want to get a certificate from a CA, if I’m doing e-commerce, I will apply to a registration authority. And like in the case of Verisign or GoDaddy, the two services are run by the same company. The registration authority takes all my contact information and checks me out. Okay? The CA says they’re legitimate; it’s fine; please go ahead and issue a certificate. The CA gives me the certificate, and now I can use it on my website. I can import it into my website, and it runs automatically on my server or my computer. I will have a certificate repository database, and I can view my certificates using a certificate management system. And we can actually do that.

Even here, using Windows, we can actually see this. I’m going to actually open up the built-in Windows certificate management system. I simply launched an MMC console. I’m going to snap in the certificate services right here. So here are the certificates. I’m going to add it right here; just for myself is fine. And we’re going to actually take a look right here. I can see over here the certificates that I, as a user, have right now. I can look in the personal store and go take a peek. I have none at the moment. If I thought a certificate was necessary, I could right-click, finish all tasks, and request one. I could also go to GoDaddy’s site or Verisign’s site, fill out some forms, pay a fee, and request a certificate. That way, when you do it here in Windows, you’re basically using Active Directory and Certificate Services to distribute certificates within your corporate domain.

So we have the certificate management system. Right here, we have a certificate repository database. And if I look here, I can see that there are trusted root certificates already here. And I can open them up and go to GoDaddy right here. This is the very same one we were looking at before. You can see that the certificate says it was issued to, issued by, and is valid from this point to that point. We can see the details. We can also see that the signature itself is using SHA-1 RSA, that it’s a particular version of the certificate, and that it’s valid from and to. It’s used as a certification authority certificate. Here’s the public key: As a result, we can see a variety of information about it. So this is the whole idea behind PKI, and the beauty of it is that you get a certificate authority, which, by the way, you can install within your own company for free. And then we can import these into emails and create VPN connections or encrypt files, or we can put them on smart cards for authentication. We can use them for all kinds of purposes. So the process is that I need to get the key pair.

A CA has to give it to me. So the CA is going to issue me the certificate. They’re going to digitally sign my keys so that everybody knows that it’s legit. And it will also certify me as the identity, the person, the user, whatever, certify me. And then, if necessary, revoke my certificate. My certificate has an expiration date. And if the application, like the browser, is paying attention, it can look at the expiration date and say, “Oh, this is expired; I no longer trust you.” Forget it. Unfortunately, if we choose to revoke certificates, such as when someone leaves a company, we revoke the certificate because they no longer need it or they were engaging in fraudulent behavior. It’s actually up to the end consumer to verify that the certificate was revoked. There are servers on the internet where browsers can check the revocation list, also known as the certificate revocation list, or CRL, to see if the certificate has been revoked. Unfortunately, that takes time, and a lot of people have that turned off on their browsers. Or how many times have you seen this? You click something, and up pops a message saying the certificate is not trusted. Do you want to proceed?

People just say yeah, and they go ahead anyway. So, if you’re going to use certificates, you must first ensure that they are valid and that they haven’t been revoked or expired. So we know that we understand the concept of encryption with the certificate. We can also use the certificate to create digital signatures. We’ve actually seen how hashing works. And we can use this for email attachments, Internet browsing, and using SSL, the successor to SSL, TLS, Transport Layer Security. We can use it for VPNs when we’re connecting across the Internet from home to our workplace using IPsec or some other kind of VPN. We can use it for wireless if we want, using encryption for Web and WPA 2, which are the two most common forms of encryption for wireless. So we can use encryption for that. We don’t have to use certificates for any of these, including HTTP, which uses SSL and now TLS. So the concept of encryption is something that we can use in almost any situation. And the most secure way of maintaining those keys is through the use of certificates.

9. Different Kinds of Attacks

All right, we’ve talked about encryption. Let’s talk about different kinds of hacker attacks. The difference between viruses and worms I’ll talk a little bit about things like logic bombs, spyware, adware, trapdoors, asynchronous attacks, and things like rounding down and salami attacks. starting first of all with the concept of Trojans. Viruses, worms, spyware, and logic bombs You don’t need to know these in great detail, but you do need to know in general what they are starting out with. The idea of a Trojan And this goes back to the whole idea of the Trojan horse in the Iliad. So the idea with a Trojan is that I am going to slip inside of something else, a malicious bit of software that will grant me access to your computer. That something else It could be an email attachment; it could be a video; it could be some music; it could be a picture; it could be whatever.

I recall a virus—actually a Trojan—that was circulating a few years ago, and it was hidden inside of a video that was widely circulated. And the thing that I noticed was that the extension for the video was not what I expected. Like a video, I expect it to be in MOV, M4V, or WMV format. I expect a video file extension. This contained an exe, which stood for executable. How many people would notice that? So this video is getting passed around; people double-click it, and yes, they’re watching the video. But in the background, this Trojan is silently installing itself, taking over, and providing a backdoor into that computer. Actually, what it was doing was telling the computer in the background to make a connection to a malicious site so that stuff could be stolen off the computer.

So the idea of a Trojan horse is commonly embedded inside something that people pass around, hidden behind something that seems legitimate, and it’ll be something popular and fun, like a game or whatever. If you go to online sharing sites and you’re sharing software or whatever, you have to be concerned that someone may have been Trojanized. These applications, these games, these videos, and whatever else And the Trojans were making a connection to something else in the background. So that is one thing we have to be concerned about, the idea of Trojan. What’s the difference between a virus and a worm? Well, they’re both a form of malware, but viruses generally have to stay embedded inside a document of some kind. And when you double-click something, you run a program, you do something, you do macros on an office document, and the virus runs. A worm can detach itself; it doesn’t have to stay embedded; it is self-propagating. And so we pick up the worms by sharing something, like sending emails. The worm is attached, and then it self-propagates.

And in the background, it can then maybe use your contacts to send out messages to other people. So you might have gotten plenty of emails from someone who says, “Hey, look at this picture.” It never came from them. Instead, the image depicts a worm propagating. And the worm just simply looked for your contacts and sent out this generic message: “Hey, look at this picture,” and there may be a picture or not. I’ve also noticed it in Skype and other places where you might have contact lists. So there are viruses and worms. A worm is a self-propagating virus. And, you know, interestingly enough, viruses originally came about because people were experimenting with computer programmes that could learn and adapt. It was a very, very early experiment with artificial intelligence. Can this thing or this programme learn? And what were the lessons learned from that that were then applied to more malicious purposes? There are new viruses every single day. There are many new viruses every day, and they are all man-made.

So you have to realise that there are people out there who don’t have anything better to do. And I’m very sorry to say that there are countries that are actually proud of the fact that some college student created a notorious virus. I mean, I have actually seen ministers—not religious ministers, but like cabinet-level government ministers—in other countries say, “See, we’re every bit as good as the US.” Or whatever, because we were able to produce this virus that disrupted the world for a couple of days. So they are all man-made. If you feel like you’re running in place, security is really just like protecting the border. But security is such a huge field now. And as an IS auditor, we’re really concerned with: are they keeping up with their antiviruses? Generally, you get your antivirus signature updates and download updates for your antivirus a couple of times a day.

So we have to see if they’re doing that now. Spyware is anything like that, and it’s like a virus. They’re all in the same family in that they run in the background and collect usernames, passwords, or sensitive information before sending it off. So this is spyware. Adware is more of a nuisance. You have a browser, and all these things pop up, and you don’t care about seeing that stuff. I have to warn you right now that if you go online to play free games, even on what seems like a legitimate site, it may be legitimate, but the links that are connected to it could very easily get you malware, adware, and all kinds of undesirable stuff, a logic bomb.This is basically a virus that has a date on which it will go off, and it will sit dormant until that date or some event triggers it months or a year later.

And in fact, it’s actually a very common thing to infect a whole bunch of machines—thousands of machines—and you can actually pay people to do this. They’ve got armies of machines; they’ve taken over the internet, and you pay for the service, and they’ll use all those machines that are just doing normal stuff, but they’ve already been infected, and they can control them remotely, and then they can send your logic bomb, whatever. And the logic bomb goes off at a certain date or at a certain trigger and does something. So it’s very common to have a logic bomb go off to attack a website or destroy something. And, obviously, you have to be cautious with disgruntled employees; they may have planted logic bombs, they’re long gone, and then something goes off, and it’s extremely difficult to trace that. Now you can actually look at these viruses and these common threats, worms, and whatever.

There are a number of websites that will actually take you to these different things, where you can actually see them. And we can actually go take a look at some of these. We’re just going to one website here, where they are posting security threats here.And there are several websites that will do or offer this. We can see an overview of threats at this time and on this date. We can see where the highest threats are at this time. We can go to the threats tab and take a look at that, and we can see the severity of threats at the moment. We can see the severity of different ones. We can look at what the most common risks are right now, as well as the highest risks, and then provide them with information about them. There are online dictionaries, online encyclopedias, and online reporting centres where you can go and take a look at what’s trending right now.

We can look at common vulnerabilities. What are some of the biggest vulnerabilities right now? And I’d like to introduce you to a CVE, or common vulnerability and exposure. CVE is a way of designating the particular exploit, the virus, the exploit, the Trojan, or whatever it is. And the way the CVE numbers go, it’s basically a date: the year followed by whatever number comes after that. So this particular exploit right here, with a severity of four out of five, has a CVE of 2013, number 1293 in 2013. The date right now, as of recording this video, is April 23. As a result, 1293 CVEs had been discovered by April 23. Actually, as of April 9, 2013, 1293 new things had been identified and marked in 2013. In fact, both hackers and security professionals will use CVE numbers so that they know exactly what they’re talking about. So you can take a look at all of these different things, and you can see that right now, according to this vendor, they determine that the threat level right now, or the “threat constellation,” as they’re calling it, is at level two elevated. It’s worth your while to go and periodically take a look at some of these sites to see what is trending. Sans.org does it as well. You can also see the different antivirus vendors and just see what’s trending, because as time goes by, what’s trending will change. So this is the idea of looking at different viruses and risks that are going on at the moment. Let’s talk about a DoS attack, a denial of service attack.

Denial of service is when you have hundreds or thousands of computers that have been compromised and all, at the same time, overwhelm another server with too much traffic or too many requests, and then the server is overwhelmed and it can’t function properly. This is denial of service, distributed denial of service, where I’m not doing it with just one machine, I’m doing it with hundreds of thousands. And there are many, many denial-of-service tools that require no brains or effort to run whatsoever. You can do your own Google search to find ng it with hunThis is the idea of me being able to log in in a way other than the traditional way of using a username and password. Developers who write software often write trapdoors for themselves so that they can just quickly get in and do something. Sometimes they forget to remove those trapdoors.

So trap doors are just back doors into a piece of software where you don’t have to go through a normal authentication and authorization process. An asynchronous attack means that it doesn’t have to be live; it can happen at different times. Then there’s the rounding down and salami attacks. Well, perhaps you’ve seen movies where this guy is an accountant and he’s seeing all of these paychecks go by and there are just fractions of pennies that people are supposed to be paid or fractions of pennies for these invoices. And how do you pay a fraction of a penny? So he rounds it down to the penny, but there’s a fraction left over. And if you have thousands of them, it adds up to money. And so this is how you can scam money without being noticed. Or a salami technique is where you’re very finely slicing a tiny bit off, just skimming a tiny bit off the top, and taking that. So, wrapping up salami techniques, they tend to be financial attacks where we’re skimming money in some way; the next thing we’ll look at are logical access controls that we can use to try to prevent unauthorised access.