CISSP Fix

Understanding Cryptography..

by cisspfix on Mar.12, 2010, under Security

Cryptography is a technique of encrypting and decrypting messages. When the text is encrypted, it is unreadable by humans. When the text is decrypted, it is readable by humans. The terms used in cryptography are as follows:

  • Plain text: This text can be read by a user.
  • Cipher text: This text can be converted to a non-readable format.
  • Encryption: It is the process of creating a cipher text from a plain text.
  • Decryption: It is the process of converting a cipher text to a plain text.
  • Cipher: It is an algorithm that is used to encrypt and decrypt text.
  • Key: Keys are the elements that are used in the technology of encrypting and decrypting text.

For more information read Cryptographic attack


Cryptographic Attack..out open

by cisspfix on Mar.11, 2010, under Study notes

Cryptographic attacks are methods of evading the security of a cryptographic system by finding weaknesses in such areas as the code, cipher, cryptographic protocol or key management scheme in the cryptographic algorithm. The following are the cryptographic attacks usually performed by an attacker:

  • Known plaintext attack: In a known plaintext attack, an attacker should have both the plaintext and…copy of it with the encrypted data. This is used to find patterns in the cryptographic output that might uncover a vulnerability or reveal a cryptographic key.
  • Chosen ciphertext attack: In this type of attack, an attacker can choose the ciphertext to be decrypted and can then analyze the plaintext output of the event. The early versions of RSA used in SSL were actually vulnerable to this attack.


New requirements for CISSP….

by cisspfix on Mar.10, 2010, under CISSP

The new requirements include the following components:

* The minimum professional experience requirement for CISSP certification will be 5 years of work experience in two or more of the 10 domains of the CISSP CBK, or four years of work experience with an applicable college degree or a credential from the (ISC)2-approved list. The current requirements for the CISSP call for four years of work experience in one or more of the 10 domains of the CISSP CBK, or three years of experience with an applicable college degree or a credential from the (ISC)2-approved list.


Skills Required for CISSP Test

by cisspfix on Mar.09, 2010, under CISSP

(ISC)2 Common Body of Knowledge (CBK) has specified objectives for the CISSP test. These objectives are grouped under ten CBK domains. Following are some important areas in which an individual should possess good knowledge before taking the CISSP test:

  1. Implementing Internet security and handling types of attacks.
  2. Configuring IPSec to secure communication between networks and hosts. Configuring IPSec authentication and troubleshooting IPSec.
  3. Implementing security for wireless networks. Configuring public and private wireless LANs.
  4. Deploying and managing SSL certificates. Configuring SSL to secure communication channels.
  5. Configuring and troubleshooting authentication for Web users.

Penetration Testing – Whole new trend.

by cisspfix on Mar.08, 2010, under Security

It was not too long ago that security professionals needed to redefine the security checking methods used in the corporate world. It's very difficult to compete with the whole black hat army with bare hands. Under "survival of the fittest", security in the new world evolves into penetration testing.

The first question that flashes in our mind is: what on earth is this penetration testing?

It is basically a process of attacking a system. Let's take an example:


CEH gains new chance against CISSP

by cisspfix on Mar.05, 2010, under Security

EC-Council CEH
The U.S. Department of Defense (DoD) announces the official approval of the EC-Council Certified Ethical Hacker (CEH) certification program as a new baseline skills requirement for U.S. cyber defenders. Specifically, the new Certified Ethical Hacker program is required for the DoD's computer network defenders (CNDs), a specialized personnel classification within the DoD's information assurance workforce.

The Certified Ethical Hacker requirement falls under the auspices of DoD Directive 8570 Information Assurance Workforce Improvement Program. The current version (incorporating Change 2) was signed by Assistant Secretary of Defense, John G. Grimes and was officially instated on February 25, 2010. Directive 8570 provides clear guidance to information assurance training, certification and workforce management across all components of the DoD.


CISSP – DoD excellence

by cisspfix on Mar.04, 2010, under CISSP

CISSP is added to the Department of Defense Directive 8750.

In August of 2004, the U.S. Department of Defense recognized Directive 8570.1, which requires every full- and part-time military service member, defense contractor, civilian and foreign employee with privileged access to a DoD system, regardless of job series or work-related area of expertise, to get a viable certification record that has been recognized by the American National Standards Institute (ANSI) by January 1, 2010 in order to maintain his or her job.


IEEE 802.1X authentication

by cisspfix on Feb.21, 2010, under Uncategorized

The IEEE 802.1X standard defines a method of authenticating and authorizing users to connect to an IEEE 802 LAN. It blocks users from accessing the network when authentication fails. IEEE 802.1X supports the Extensible Authentication Protocol-Transport Level Security (EAP-TLS) and Protected EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MS-CHAP v2) protocols. In the IEEE 802.1X authentication system, an access point receives a connection request from a wireless client and forwards the request to the RADIUS server. The RADIUS server then uses the Active Directory database to determine whether the client should be granted access to the network.


Firewall design implementation (Access Router)– Part 1

by cisspfix on Feb.16, 2010, under Security

The access router is the common name of the exterior router present in the screened host firewall architecture. It is attached to the perimeter network and the Internet. The access router is used to protect both the perimeter network and the internal network from the Internet. It allows anything that is outbound from the perimeter network. Access routers seldom do packet filtering. The rules for packet filtering, which are used to protect internal machines, are always the same on both the interior router and the exterior router.


What is the land attack?

by cisspfix on Feb.13, 2010, under Uncategorized

In the land attack, the attacker sends a spoofed TCP SYN packet in which the IP address of the target is filled in both the source and destination fields. On receiving the spoofed packet, the target system becomes confused and goes into a frozen state. Nowadays, antivirus can easily detect such attacks.
