SANS MGT512 Day 2

As I mentioned in the last post, Day 2 gets pretty technical. However, for this class, the importance is to understand the concepts so that, as a manager, you can make educated decisions around technical concepts. You don’t have to know the math for Elliptic Curve Cryptography, nor do you have to memorize the seven layers of the OSI stack. You should be able to understand when someone says, ” This is a layer 7 firewall.” though.

Day 2 is titled Protecting Data and Networks so, unsurprisingly, that’s the focus of the day. This day, similar to day 1, lays a foundation for security that covers the concepts and tools that we need to secure our data as well as the network infrastructure. The network portion also gives us the basic knowledge we need as managers to be able to understand why we would want to encrypt something at layer 3 vs. layer 7.

The day is pretty much split in half, with the focus of the first half being on encryption and privacy, and the second half being on networking. Encryption looks at:

  • Encryption Concepts (things like symmetric vs. asymmetric encryption)
  • Encryption algorithms; enough to have an understanding of how they work, but without having to do really hard math.
  • Encryption applications; things like VPNs and Email encryption
  • There’s also a short unit on privacy where we discuss the overlap of privacy and security and what some of the key privacy concepts are (PII, Consent, and some legal precedents)

The network section is a bit of a deeper dive as it’s good for managers of technical staff to have a slightly deeper knowledge base. With this knowledge you will have to ask fewer questions and you’ll be better prepared to discuss products with vendors and concepts with non-IT management. The sections are broken up in layers (TCP/IP stack layers, not OSI stack layers) and are as follows:

  • Layers 1 and 2 overview and attacks
  • Layer 3; more discussion on VPNs and encryption at this layer, as well as an introduction to IP version 6.
  • Layer 4 with discussion of both TCP and UDP.
  • Application layer discussing proxies, firewalls, and other technologies that apply to network layer security

Day 2 is a heavy day and your head will be very full by the end of it. However, I’m pretty confident that you’ll find it is either an excellent refresher for those who once knew this stuff really well, or a solid, practical, introduction for those who may have come from non-technical areas of the business. In either case, it does a great job of preparing you for the topics around system security that come on day 3.

End-to-End WhatsApp: An Opinionated Series on Why Signal Protocol is Well-Designed

Here’s a good look at what the Signal protocol is all about.

“WhatsApp recently announced that client communications are now end-to-end encrypted using Open Whisper System’s “Signal Protocol” (previously Axolotl). This has received quite a bit of press lately due to WhatsApp’s massive user base, along with the controversial going dark debates. Less importantly, the crypto-nerd in me loves Signal. Because of all of this, I thought I would write a blog series on some of Signal’s design decisions that I feel are well-designed.”

Source: End-to-End WhatsApp: An Opinionated Series on Why Signal Protocol is Well-Designed

It’s About Privacy Not Morality

ashley_madison

When it was announced, back in July, that the Ashley Madison site was hacked, like many, I thought about the fact that a bunch of people would be getting their just desserts. However, when the data was leaked (and continues to be leaked) a couple of days ago I started to think more about privacy than karma. All the jokes about those affected by the Ashley Madison breach are distracting us from the fact that people’s lives are being negatively affected by a criminal act over which they had no control. People who had an expectation of privacy, Ashley Madison bragged about it a lot, lost that because someone else decided that a cheating spouse deserves less privacy than someone else. Today it’s a site that caters to people who have different morals from many of us (or none at all depending on your point of view), tomorrow it could be the site you’re using to find a new job while still working the one you have.

Data breaches are happening so often these days that people are trying to group them into which ones are more serious than others. Is stealing nude photos from a celebrity’s phone worse than stealing credit cards from an adult website? If you shop at Target are you more deserving of having your credit card information stolen than if you shop at Neiman Marcus? Most people would scoff at those comparisons and say; “They’re all bad.”. So why do we think that people who signed up for Ashley Madison, whether they used it or not, are more deserving of losing their privacy than those who’ve signed up for Match.com?

We’re losing our privacy, or ability to have any, at an alarming rate these days. Tying privacy to morality, socio-economic level, social status, or anything else means that someone will always consider us undeserving of it. Everyone needs privacy and no one but the person requesting that privacy should get to decide whether they “deserve” it or not.