Uncategorized

Hash functions are a class of mathematical algorithms that take any digital data as input and generate an encoded value as output.  These methods have many uses in computer science with some critically important security applications. Hash functions are used to help authenticate the source and integrity of files and to generate digital signatures.If you are preparing for the CISSP, Security+, CySA+, or another security certification exam, you will need to have an understanding of how hash functions can help protect systems, basic hashing terminology and the common algorithms that may be encountered.  While it will not be necessary to know the inner workings of hash functions, you will need a high level understanding of the properties of hash functions and why some hash functions are more appropriate than others for security applications. The Message and Message Digest The input to the hash function is commonly called the message.  The message can be any digital data including text, images, audio, and even very large program files.The output of the hash function is often called the message digest but be aware that there are many other names for the message digest, sometimes based on the way the hash function is being used.  Common alternate terms include hash, hash value, hash total, CRC, fingerprint, checksum, and digital ID. How Hash Functions Are Used Perhaps the easiest way to begin understanding how hash functions work is to consider a few hashing examples.  Below, we apply a standard security hashing algorithm called SHA-256 to three sentences: 1) Humpty Dumpty sat on a wall: 1b9ed7aa6346ee2c6e0faf0f75997b9308916160239b1844e7a77bee183f355d 2) Mary had a little lamb: efe473564cb63a7bf025dd691ef0ae0ac906c03ab408375b9094e326c2ad9a76 3) Mary had a little lomb: 94c6af4c0b5d493181a0a762b9023b90b295fbad1e28a6f1616a4af59209ba7c  At a glance we can identify two characteristics of a security grade hash function.  First, regardless of the length of the input, the output of the hash function is a fixed length.  Second, a minor change in the input will produce a significant change in the output. Examples 2 and 3 differ by a single character (lamb vs lomb), but the outputs are completely different.Hash functions provide a quick, easy and reliable method to verify the integrity of a message.  Suppose, for example, that an important software patch was available for system administrators to download from a website and run on their servers.  If the software publisher also provided a message digest, the administrators could run the patch through the hash function after downloading to ensure that the patch had not been infected with malware or been otherwise corrupted. The Characteristics of Cryptographic Hash Functions While there are many hashing algorithms, not all of them are well suited for security purposes.  The subset of hash functions that are suitable for security use are called cryptographic hash functions.  The ideal cryptographic hash function meets the following basic requirements:It accepts a message of any length It produces a fixed-length message digest It is easy (and therefore fast) to compute the message digest for any given message The hash is irreversible - it is not possible to generate a message from its message digest A small change in a message should generate large changes in the message value The hash is collision free, meaning it is not feasible that two different messages would result in the same hash valueCommon Hashing Algorithms Over the years, numerous hashing algorithms have been introduced and recommended for security purposes.  Some algorithms have gone out-of-favor after weaknesses have been identified. The exam will expect you to be familiar with current algorithms, along with some of the older ones.  It is recommended that you review the following descriptions and pay particular attention to the length of the message digest for each algorithm.Secure Hash Algorithm (SHA-1)  Designed by the U.S. Government (National Security Agency).  Produces a 160-bit message digest. Went out of favor because of possible collisions.Secure Hash Algorithm (SHA-2, SHA-3) SHA-2 replaced SHA-1 and includes a set of variants - SHA-224, SHA-256, SHA-384, and SHA-512.  The number in the variant indicates the length of the digest. SHA-224 has a 224-bit message digest, and so on.  SHA-3 was introduced in 2015 as a “drop in replacement” for SHA-2. It includes the same variants.Message Digest 5 (MD5) MD5 and its predecessors MD2 and MD4 produce 128-bit digests. These algorithms are no longer recommended due to detected vulnerabilities.Message Digest 6 (MD6) Developed in 2008 to replace MD5 and earlier MD types.  Produces variable length message digests up to 512-bits.Hash of Variable Length (HAVAL) A similar algorithm to MD5 that produces variable length digests of 128, 160, 192, 224 or 256-bits.  HAVAL is vulnerable to collisions.Hash Message Authentication Code (HMAC) Combines a shared key with hashing for an additional layer of security.  Produces a variable length message digest.Understanding hash functions is an important component of your preparation for a variety of security certification programs.  If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam...

Job rotation and mandatory vacation policies are two security best practices that help to prevent employee fraud and abuse.  Both of these practices discourage fraud and other abuses because employees know another person will be soon be assuming their duties and the new person would be likely to discover any patterns of bad behavior.Although job rotation and mandatory vacations are often thought of as human resources policies, they must also be considered in their IT security context where they play a significant role in access control.  If you are studying for a security certification exam you will need to understand how the policies are defined and their importance in the security framework. Job Rotation A policy that compels employees to rotate into different jobs, or at least rotate some of their duties, has many benefits for the employee and the organization.  Employees are less likely to become stale or “burned out” in their positions and will become enriched by learning new skills. Also, by cross-training the staff, no business critical skills are limited to a single person and the organization is better able to cope with injury, illness and employee turnover.Routine job rotation is a powerful fraud deterrent and helps prevent other misdeeds such as sabotage and information misuse as well.  It is much harder for a fraudster to cover their tracks if another employee will be stepping into their shoes. The same logic makes job rotation useful in detecting fraud once it has occurred, and even finding innocent mistakes as the next employee transitions into the role with a fresh set of eyes.Of course, no solution is perfect and job rotation can also expose a company to risk.  As an employee learns additional roles in the organization and the procedures associated with those roles, that employee is more likely to discover vulnerabilities to be exploited.Job rotation policies place a responsibility on IT security staff to ensure that the principle of least privilege is maintained.  As employees transition through multiple roles and are assigned new duties, they are likely to be granted additional system privileges.  Left unchecked, they will almost certainly accumulate more privileges than they need to perform their current duties. This accumulation of excess privileges is called privilege creep.  To counter privilege creep it is important to periodically review the privileges and other access rights of rotating employees and remove rights that are no longer needed to do their jobs. Mandatory Vacations Mandatory vacation policies have a fraud deterrent purpose similar to job rotation.  Many companies will have a policy of requiring employees in sensitive positions to take mandatory vacations of five or ten consecutive business days.  These policies are particularly common in the finance industry where complex embezzlement and fraud schemes might require the bad actor to take steps daily to cover up the crimes.As with job rotation, the knowledge that another person will be performing their duties and examining their work is often enough to deter the fraudster.  If they are undeterred, the mandatory vacation policy makes it more likely they will be caught. It is not uncommon for security conscious organizations to also schedule audits to coincide with mandatory vacations to increase the likelihood of discovering fraud and other crimes.Understanding job rotation and mandatory vacation policies is an important component of your preparation for a variety of security certification programs.  If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....

Preparing for your next security certification exam?  After trying your hand at this practice test question, join the FREE CertMike Study Group for the CISSP, Security+, CySA+, or SSCP certification to receive new questions each week.  You'll also receive free access to my customized study strategies.   Which one of the following characters is most important to restrict when performing input validation to protect against XSS attacks?   A. ' B. ! C. < D. $   Correct Answer: C   Cross-site scripting relies upon embedding HTML tags in stored or reflected input. The < and > characters are used to denote HTML tags and should be carefully managed when seen in user input.  Learn more about cross-site scripting attacks.   Would you like to receive free practice test questions on a weekly basis? Sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....