We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Ben Rothke

The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography (2009) by Simon Singh

Executive Summary

It’s not clear who first uttered the quip: “Of course I can keep a secret. It’s the people I tell it to that can’t.” But what’s clear is that there are plenty of times when it’s a matter of life and death to ensure that secrets remain undisclosed.

In The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography, author Simon Singh reveals the often hush-hush world of the science of secrecy.

How powerful are these cryptography tools? Until only about a decade ago, the U.S. Department of Commerce categorized strong cryptographic tools the same way it did F-15s and M-16s (more about that in Chapter 7).

Singh is a particle physicist who understands the science well and, more importantly in the case of this book, knows how to explain those details quite well.

Sit back and be enthralled by the fascinating world of cloak-and-dagger spies, and how without strong cryptography, we wouldn’t have online banking, Amazon Prime, and other things that make life meaningful.

Review

For anyone who ever had to study for the CISSP certification examination, the cryptography domain was almost always the hardest and most intimidating of the ten exam domains. While the ISC2 recently retired the cryptography domain and put it under Security Engineering, any topic with obscure terms such as hash function, public key cryptosystem, side-channel attacks and the like will certainly be intimidating.

While not a comprehensive overview of cryptography, The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography is a masterful history of encryption by Simon Singh, with a focus on the 16th century to the end of the 20th century. As a history book, it strikes a good balance between writing about the history and providing a good technical and mathematical overview of the topic of cryptography.

With a Ph.D. in physics, Singh follows in the footsteps of fellow physicist, Richard Feynman, who was a great explainer. Feynman noted that if a specific topic couldn’t be explained in a freshman lecture, it was not yet fully understood. In the book, Singh spends about 400 pages on this freshman lecture. It’s worth noting that a number of freshman university courses use this book as a reference; it’s that good.

I first became acquainted with Singh when he gave a most entertaining keynote at an information security conference about a decade ago, where he dispelled the claim that Stairway to Heaven contained subliminal satanic messages.

Classic cryptography goes back thousands of years. While the book provides details into cryptography from the times of the Bible, Caesar and more, its focus is predominantly on the modern era, starting with the cryptography used by Mary, Queen of Scots in the mid-1500s, up to the topic of quantum cryptography.

The book covers a wide range of topics, from both a historical and technology perspective. Singh takes a broad approach to the topic and doesn’t focus entirely on ciphers and algorithms; rather, he brings in historical stories like the Rosetta Stone, the Man in the Iron Mask, the Manhattan Project, the Navajo Code Talkers and much more.

While encryption and cryptography have their roots in the world of mathematics and number theory, the book often places a focus on the human elements. While many cryptosystems work perfectly in the pristine environs of a lab, they will fail miserably when incorrectly implemented. Singh gives numerous examples, from Mary, Queen of Scots to the German Enigma cipher machine, where the human element leads to extreme failures.

A number of the eight chapters start with a story, which Singh then uses as a lead to provide the underlying details of a specific aspect of security and cryptography.

For the story of Mary, Queen of Scots in Chapter 1, the message is that the underlying cipher needs to be reasonably impenetrable. In Chapter 4 on cracking the Enigma machine, the message is that even the strongest of cryptography devices finds its kryptonite if its users don’t follow the directions.

Chapter 5 on Language Barrier is perhaps the most fascinating chapter in the book. Singh details the story of how the U.S. used Navajo Indians and their obscure language as a means of ensuring the Japanese would have a much harder time deciphering the messages. By the time the war ended, the Japanese were never able to read a single message when Navajo was used.

The chapter also details the story of the Rosetta stone. While not a cryptographic issue in the common sense, hieroglyphics had been indecipherable for thousands of years. Singh writes how common wisdom at the time was that the Ancient Egyptian language of hieroglyphs should be treated as symbols and not letters. Singh highlights the story of how Jean-François Champollion was able to decipher the stones by using new research that the hieroglyphs were indeed letters, not symbols.

Anyone involved with cryptography knows terms such as Diffie–Hellman and RSA on a first-name basis. Those cryptosystems are the very backbone of today’s Internet security infrastructure. Singh does a good job of explaining how they work and what makes them secure. For RSA, it’s built on a very simple premise, that factoring the product of two huge prime numbers is difficult.  While most people may be oblivious to it, much of the underlying security for online banking and the Internet is built on top of RSA.

The book closes with the next generation of secrecy, which is quantum cryptography.  As a particle physicist, quantum mechanics is Singh’s bread and butter. When Singh wrote the book, quantum cryptography was not a practical technology, and that is still the case.

As a side note, if and when quantum cryptography becomes practical, it would be so powerful as to be able to break every RSA key in existence.

Conclusion

The Code Book was first published in 1999, around the time Windows 2000 came out. While the latter became obsolete in 2005, The Code Book is still quite germane given the value of the information in the book, which is still relevant and of interest.

For those looking for an encyclopedic reference, David Kahn’s The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet is the definitive tome on the topic.

For those looking for a more informal and selected overview of some of the core topics from the last 600 years of cryptography, this book is readable and interesting, and a perfect read for those looking for an introduction to the topic.

Those looking for a captivating and very readable book on the history of modern cryptography will find The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography a valuable read, and one that is certainly worthy of being in the Cybersecurity Canon.

[Palo Alto Networks Blog]

Getting the Most Out of IPv6

What is NPTv6?

IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). NPTv6 for IPv6 addresses is similar to NAT for IPv4 addresses. However, NPTv6 does not translate an entire IPv6 address; it translates only the prefix portion of the address. The host portion of the address is untranslated and therefore remains the same on either side of the firewall.

Why Would I Translate IPv6 Prefixes When IPv6 Addresses Are So Abundant?

With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally-routable IPv4 addresses. But in the case of IPv6, the reason to translate prefixes is not due to a dearth of addresses. You might want to use NPTv6 to translate IPv6 prefixes for the following reasons:

  • You can prevent the asymmetrical routing problems that result from Provider Independent addresses being advertised from multiple data centers. Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.
  • Private and public addresses are independent; you can change one without affecting the other. That is, you need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
  • You have the ability to translate Unique Local Addresses to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
  • Your IPv6 prefixes are less exposed than if you didn’t translate network prefixes. However, NPTv6 does not provide security; you must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.
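
The prefix-only translation described under "What is NPTv6?", applied to the Unique Local Address case from the list above, as an added example (not Palo Alto Networks code and not a description of how PAN-OS implements it). It follows the checksum-neutral mapping of RFC 6296 for /48 prefixes, and the prefixes and host address are the documentation values from that RFC's worked example.

```python
import ipaddress

def fold16(total):
    """Add carries back in: 16-bit ones' complement addition."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words16(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    value = int(addr)
    return [(value >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def nptv6_translate(address, from_prefix, to_prefix):
    """Rewrite the /48 prefix of `address`; bits 64-127 are left untouched."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    addr = ipaddress.IPv6Address(address)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    if addr not in src:
        raise ValueError(f"{addr} is not inside {src}")
    words = words16(addr)
    if words[3] == 0xFFFF:
        # 0xFFFF and 0x0000 are both zero in ones' complement arithmetic,
        # so RFC 6296 does not allow subnet 0xFFFF to be used.
        raise ValueError("subnet 0xFFFF cannot be translated")
    old_sum = fold16(sum(words16(src.network_address)[:3]))
    new_sum = fold16(sum(words16(dst.network_address)[:3]))
    # Whatever the prefix swap changes in the address checksum is
    # cancelled out in the 16-bit subnet word (bits 48-63).
    adjust = fold16(old_sum + (~new_sum & 0xFFFF))
    subnet = fold16(words[3] + adjust)
    if subnet == 0xFFFF:
        subnet = 0x0000
    out = words16(dst.network_address)[:3] + [subnet] + words[4:]
    value = 0
    for word in out:
        value = (value << 16) | word
    return ipaddress.IPv6Address(value)

def address_checksum(address):
    """Ones' complement sum of all eight words, as TCP/UDP checksums see it."""
    return fold16(sum(words16(ipaddress.IPv6Address(address))))

if __name__ == "__main__":
    INSIDE, OUTSIDE = "fd01:203:405::/48", "2001:db8:1::/48"
    host = "fd01:203:405:1::1234"
    mapped = nptv6_translate(host, INSIDE, OUTSIDE)
    print(host, "->", mapped)                                      # outbound
    print(mapped, "->", nptv6_translate(mapped, OUTSIDE, INSIDE))  # inbound
```

Because the mapping is stateless and reversible, every inside host has a fixed, computable outside address, which is why the translation hides nothing on its own and the security policy in each direction still decides what is reachable.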

See more information on NPTv6 in the PAN-OS 7.0 Administrator’s Guide.

[Palo Alto Networks Blog]

The New PA-7080: Delivering Breach Prevention at Scale

Today we announced the release of our highest-end firewall, the PA-7080. It is pretty common in our industry for vendors to come out with a new bigger chassis with more speeds and feeds. So why is the PA-7080 big news and why is it important?

There is a yawning gap between what large enterprises, cloud providers and telecom service providers need in order to meet their security challenges and the capability of the technologies they have in place today. The basic limitations of those technologies create that gap.

Traditional firewall vendors have focused their efforts on building faster and bigger chassis firewalls but have missed the bigger picture. Their concept of security and scale is confined to how many packets per second their device can process in the course of making traffic decisions based on port, protocol and IP address. While these devices can certainly pass traffic, they are not adding value. They fail to identify and control applications, fail to detect threats and fail to provide an automated closed loop response that actually prevents successful attacks. In effect, they are passively passing traffic, making security decisions at a layer in the protocol stack that is irrelevant to the modern threats on large-scale networks.

Attempts to address this problem by adding “firewall helpers” in the network or adding full traffic security into old chassis firewalls have not worked.  The performance impacts and operational hurdles are too great and ultimately do not add much security value. As a result, our largest and most critically important networks have the least effective security. This is why the PA-7080 is so important.

The PA-7080 architecture provides a prevention capability that scales not just in speeds and feeds, but in the ability to control applications, to identify threats and to deliver real-time automated response. Combining power, intelligence and simplicity, it gives large enterprises and service providers a security capability that is relevant to the threats they face, without compromising the performance integrity of their networks, data centers and cloud infrastructure.

Our engineers made a lot of thoughtful and clever design decisions to make the PA-7080 ideally suited for operation in service provider and large enterprise environments.

For more

[Palo Alto Networks Blog]

Partners: Follow Us on Twitter to Stay Informed

For Palo Alto Networks, August is the beginning of a new year. And with a new year comes the opportunity to try new things.

As we look to expand the scale of our go-to-market capabilities, channel partner awareness and adoption of programs, training and tools becomes vital to our future success. To help you, our partners, stay better informed we have created a new dedicated Palo Alto Networks partner Twitter handle @NextWavePartner.

By following us on Twitter @NextWavePartner, you will have access via your smartphone, tablet, computer and even via SMS text message, to relevant and timely information that will help maximize your partnership with Palo Alto Networks.

This is just one of many new things we are going to do this year to drive better partner awareness. Don’t miss out. Kick off the New Year with Palo Alto Networks by trying something new: start following us today.


[Palo Alto Networks Blog]

The University of the Cumberlands Knows No Boundaries

For Donnie Grimes, (ISC)² Global Academic Program (GAP) instructor and vice president of information systems and creator of the Master’s program in cybersecurity for the University of the Cumberlands, based in Williamsburg, Kentucky, breaches know no boundaries – and neither should cybersecurity education.

A GAP member since 2014, the University has historically served people from the Appalachia area; and until 2014, had no cybersecurity offering. Over the past 10-15 years, however, its sphere of influence has increased, with thriving graduate programs and students representing 58 different countries and most U.S. states. With a 40-year stint as a two-year school, Cumberlands is now a four-year college with 5,500 students. Cumberlands is one of the largest online schools in Kentucky, with an online population of approximately 4,000.

In 2012, Cumberlands tasked Grimes with developing the graduate cybersecurity curriculum for the University. As part of this process, he researched hundreds of different programs but couldn’t find many in cybersecurity, let alone those that adequately prepared students to enter the field. He found many schools that offered Master’s programs, but he believed they were really just glorified computer science programs. They included classes on data structures and programming, and just tacked one or two classes on at the end of the program and called them a “Master’s” in cybersecurity.

His vision for the Cumberlands was to create a Master’s program that was more in line with certification programs, such as the CISSP®, that exposes students to real-world concepts and prepares them for the pursuit of continual learning, which is essential for success in the field. Grimes designed the curriculum around the CISSP CBK®, with each course based upon a different CISSP CBK domain. He believes this approach provides a great foundation for students and ensures well-rounded graduates.

He worked to get the University and the information security program accredited through the Commission on Colleges of the Southern Association of Colleges and Schools (SACS). While there have been no graduates yet, there are 120 students enrolled in the program, including CIOs from a wide variety of industries. Their feedback has been very positive, and Grimes sees this compliment from professionals working in the field as the best they could receive.

Grimes implemented a process to review modifications to the CBK domains so they can keep up with industry fluctuations. Says Grimes, “We are not afraid of change. Our goal is to keep the program flexible enough to accommodate the realities of a dynamic industry.”

In discussing why the Cumberlands became a GAP school, Grimes comments that it was a “…value-add for our program and a natural fit because our curriculum was already aligned with the CISSP. We were already encouraging our graduates to sit for the CISSP exam because it validates their core knowledge. Becoming a GAP school streamlines the process and helps us keep our curriculum aligned with real-world concepts they can apply not only to their education process, but that will contribute to their success in the field.”

So what’s next for this rapidly growing school? Grimes would like to create courses that train future cybersecurity leaders and to see the University reach students in more parts of the world. The University also plans to launch a PhD program in information security this year. The University is currently working with the NSA and DHS to become a National Center of Academic Excellence. He reflected, “Our extensive online program means that students’ educational opportunities are not limited by their physical location. Breaches know no boundaries, and as an educational institution, we shouldn’t either. Regional colleges have an important role in stemming the cybersecurity skills shortage, and we should take advantage of virtual learning systems to improve the cybersecurity situation globally.”

For more information on the GAP, please visit https://www.isc2.org/global-academic-program/default.aspx.

(ISC)² Management

[(ISC)² Blog]
