Book Image

Modern Cryptography for Cybersecurity Professionals

By : Lisa Bock
Book Image

Modern Cryptography for Cybersecurity Professionals

By: Lisa Bock

Overview of this book

In today's world, it is important to have confidence in your data storage and transmission strategy. Cryptography can provide you with this confidentiality, integrity, authentication, and non-repudiation. But are you aware of just what exactly is involved in using cryptographic techniques? Modern Cryptography for Cybersecurity Professionals helps you to gain a better understanding of the cryptographic elements necessary to secure your data. The book begins by helping you to understand why we need to secure data and how encryption can provide protection, whether it be in motion or at rest. You'll then delve into symmetric and asymmetric encryption and discover how a hash is used. As you advance, you'll see how the public key infrastructure (PKI) and certificates build trust between parties, so that we can confidently encrypt and exchange data. Finally, you'll explore the practical applications of cryptographic techniques, including passwords, email, and blockchain technology, along with securely transmitting data using a virtual private network (VPN). By the end of this cryptography book, you'll have gained a solid understanding of cryptographic techniques and terms, learned how symmetric and asymmetric encryption and hashed are used, and recognized the importance of key management and the PKI.
Table of Contents (16 chapters)
1
Section 1: Securing Our Data
5
Section 2: Understanding Cryptographic Techniques
9
Section 3: Applying Cryptography in Today's World

Outlining the current threat landscape

Over the past three decades, there has been substantial growth in the amount of digital data, both at rest and in transit. The digital wave has become an ocean of all types of data, such as email, movies, images, and tweets. With this growth comes the threat of attacks on our data, which we face on a daily basis.

In this section, we'll take a look at how our world has transformed with the adoption of digital technology, along with an overview of the current threat landscape.

Let's start with a look at the growth in digital information over the years.

Digitally transforming our world

In 1946, the world got a glimpse of the future. That was the year that the Moore School of Electrical Engineering of the University of Pennsylvania introduced the Electronic Numerical Integrator and Computer (ENIAC) system. The ENIAC was enormous, as it filled a room and was capable of performing calculations faster than any other computer at the time.

When computers first appeared, the cost to own and operate a system was extremely high. Ordinary citizens knew very little about computers. Due to their prohibitively large costs, computer systems were owned mainly by governments, industry, and universities. In 1980, the cost of a gigabyte (GB) hard drive was approximately $1.2 million. By 1990, the price was down to $8,000, and costs continued to decrease. As shown in the following graphic, from 1995 to 2000, the price of drives per GB went down substantially:

Figure 1.1 – The cost of hard drives per gigabyte

Figure 1.1 – The cost of hard drives per gigabyte

By 2010, the cost of drives per GB was approximately $0.10. Along with the cost of hard drives, the price of computers in general went down as well. With more affordable pricing, more and more businesses and consumers were embracing technology, as we'll see next.

Rapidly advancing technology

The industry continued to develop desktops, laptops, games, mobile devices, and IoT devices that began to collect and exchange more and more data. Concurrently, businesses, universities, governments, and consumers began to invest heavily in information technology, spending billions on hardware and software designed to improve the quality of life.

Today, a large percentage of the world is using digital technology and the internet, for a wide variety of purposes. Applications include e-commerce, social media, mobile banking, and email, all generating data.

Data includes anything you can see or hear and can be digitized in a multitude of different types and formats, including the following:

  • Voice over Internet Protocol (VoIP), also known as IP telephony, is a group of technologies primarily used to transmit phone calls over the internet
  • Documents such as spreadsheets, word processor documents, presentation files, and Portable Document Format (PDF) files
  • Images that include Joint Photographic Group (JPG), Tagged Image File Format (TIPP), and Bitmap Image File (BMP)
  • Video that includes a wide range of formats, such as Moving Picture Experts Group (MPEG) and Advanced Video Coding (AVC), originating from a variety of sources

Some may argue that not all data needs to be protected. However, much of the data that is in storage on a server or in motion while traveling across the network should be encrypted, mainly because this flood of data represents an opportunity for cybercriminals to obtain and exploit the data.

Every minute of every day, companies face a variety of threats to the security of their data. Let's explore this concept next.

Threatening the security of our data

Early systems, such as the ENIAC, were standalone systems and not networked. The biggest threat to these systems was a physical attack, such as someone destroying the components. As time passed, and businesses began to adopt computer technology, there still remained little threat to the security of data.

From the 1960s through to the 1990s, scientists developed protocols for the Advanced Research Projects Agency Network (ARPANET), which was the precursor to what we know now as the internet. Some significant events during this time period include the following:

  • 1972 – Ray Tomlinson creates electronic mail (email).
  • 1973 – Scientists began to use the term internet.
  • 1974 – The first Internet Service Provider (ISP) begins offering its service.
  • 1982 – Formalization of Transmission Control Protocol (TCP) and Internet Protocol (IP), or TCP/IP, the standard protocol suite for the internet.
  • 1983 – Scientists created top-level domains for the Domain Name System (DNS), such as .edu, .com, and .gov.

While there were a few reports of viruses making their way through computer systems, most anyone who worked with or knew about the internet never thought anything malicious could happen. That was until 1988, when Robert Morris, a Cornell University student, wrote and released a worm.

Important note

A worm is a self-propagating virus that can spread on its own.

The worm, later dubbed the Morris worm, created a crippling effect on the fledgling internet. As a result, Robert Morris was tried and convicted under the 1986 Computer Fraud and Abuse Act. Soon afterward, the idea of cybersecurity began to take hold. And more specifically, it became more apparent that our data could be at risk.

Over the next three decades, many more threats emerged, such as social engineering, malware, and denial of service attacks:

  • Social engineering: This is a combination of methods designed to fraudulently obtain information about an organization or computer system. Effective social engineering techniques rely on the malicious actor's ability to con someone into providing information, by using social skills and powers of influence.
  • Malware: This is malicious software that includes viruses, rootkits, spyware, and trojans. Most malware is designed to infiltrate a computer system or network to gain unauthorized access to critical information. Other forms of malware, such as ransomware, are designed to lock a system and its resources until someone pays a ransom.
  • Denial of Service (DoS): These attacks will send numerous requests to a system in an effort to interrupt or suspend services to legitimate users. In most cases, the malicious actor(s) will use a Distributed Denial of Service (DDoS) attack, which is more effective as it uses armies or botnets to launch an attack.

As outlined, there are many different types of data, such as images, documents, and video. Data can be a part of an organization, such as a business or government entity, or belong to an individual. Let's compare the two next.

Categorizing data

Data can represent either an individual's information or details that relate to a business or organization.

An individual's private data is generally referred to as Personally Identifiable Information (PII), which is information that can be used to identify someone. PII can include bank account records, social security numbers, or credit card information.

Proprietary business data includes information that if exposed can result in harm to the organization. Protected business data includes financial data, earnings reports, employee records, and trade secrets.

On any network, there are several goals or services we strive to provide, such as confidentiality, integrity, and availability. Let's explore this concept in the next section.