Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Re[2]: MS in information security

from [Craig Wright] Network Security [Permanent Link]
Subject: RE: Re[2]: MS in information security
Date: Tue, 28 Feb 2006 10:25:43 +1100 

Hi Vladimir,
I am sorry, but I do not find your first sentance clear and I am not sure what 
you stating.
 
In answer to cryptography being everything:
 
Kerckhoff's Principle, "The security of a cryptosystem must not depend on the 
secrecy of the system used. Rather, the security of a cryptosystem may depend 
only on the secrecy of the keys used." (Jea Guillaume Hubert Victor Francois 
Alexandre Auguste Kerckhoffs von Nieuwenhof (1835 to 1903) in La cryptographie 
militaire).
 
A systems security is only ever as safe as the security of the keys. This leads 
us to a number of issues:
1   Personal - people can compromise any crypto system either intentionally or 
not. Trust in the tools alone is a good way to be compromised.
2   No algorithim is perfect, they all have a defined life and expected time to 
compromise. This time function is also time dependant as crack times decrease 
as a function of time to an inverse exponential degree.
 
Next there is the fact that it is possible to make a "secure system" without 
crypto. By securing a private fibre link between two offices using all methods 
of ensuring that the line is not tapped etc it is possible to make a fairly 
secure point to point link. The alternative is to encrypt the nodes over a less 
secure and less costly media. The level of security using any crypto is going 
to be less in this manner as the security again goes to the security of the 
keys which are easier to attack becasue of people than a burried fibre line 
(excluding attack by back-hoe).
 
Crypto is a compromise due to cost. All be if often a good one, it is still a 
security comprmise.
 
Think of the BEST crypto system, the time to crack creates a cost to crack. 
When this becomes prohibitive there are other means to compromise the system 
(ie Security is a RISK function). It is no good to place more expenditure to 
the protection than the value of the information (cases of life threatening 
attacks are excluded from this arguement and would be dealt with separately). 
This is not economic.
 
So if you have information worth $1,000,000 and THE BEST crypto system costing 
all of that - there is still a way to compromise it. Find an engineer who will 
accept $250,000 to give you the keys (and it is not likely to cost this much).
 
Thus the best crypto system is compromised without effort. As stated, crypto is 
but one tool in a toolbox
 
Regards,
Craig

        -----Original Message----- 
        From: Vladimir B. Kropotov [mailto:slyman2000@Mail.ru] 
        Sent: Mon 27/02/2006 10:39 PM 
        To: Craig Wright 
        Cc: security-basics@securityfocus.com 
        Subject: Re[2]: MS in information security
        
        
        Hi Craig.
        
        
        CW> Although the maths is useful to have and I will never tell
        CW> anyone not to study, it is in this case not a part of the answer.
        CW> Security is not just about crypto.
        
        Unfortunately in year 2000 I was amazing, that crypto is the Only way
        to real security, but now I agree with this opinion.
        Only cryptography suppose absolutelly open information about all, but
        encryption keys. You can get all - hardware. storage devices, traffic,
        files, etc. But you will take NOTHING.
        Another security measures is like an additional wall, you can jump
        over the wall, you can brake it, and get control on protected system.
        Security without cryptography is a kind of superficial glance to
        security, only Cryptography is real base for Real security.
        
        Regards
        Vladimir
        


Liability limited by a scheme approved under Professional Standards Legislation 
in respect of matters arising within those States and Territories of Australia 
where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If 
you are not the intended recipient, you must not use or disclose the 
information. If you have received this email in error, please inform us 
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the 
email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may 
not rely on this message as advice unless it has been electronically signed by 
a Partner of BDO or it is subsequently confirmed by letter or fax signed by a 
Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments 
due to viruses, interference, interception, corruption or unauthorised access.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: RE: Sun cans Trusted Solaris, was Why Easy To Use Software Is Putting You At Risk, jchambers
Next by Date:  RE: AD Aware Firewall/Proxy device, Steven Jones
Previous by Thread:  Re: Re: RE: MS in information security, deepakjmanohar
Next by Thread:  Re: Snort as Firewall (WinXP), ilaiy
Indexes:  [Date] [Thread] [Top] [All Lists]