FRSecure CISSP Mentor Program Welcome Message

Only 46 more days. It’s almost time to start the FRSecure CISSP Mentor Program!

As of yesterday (2/23/21), we have more than 3,500 registered students for the 2021 class. That’s awesome! (and a little nuts) For context, we started the program in 2010 with six students. At the time, FRSecure was a teeny startup (3 employees), but our size didn’t matter. We started with a simple goal:

Provide quality information security training for free.

No strings. No ulterior motive. No marketing gimmicks. Nothing but helping people on their journey.

Why this goal?

We love people. By proxy, we love people in our industry, and by (another) proxy, we love the people served by our industry. Our mission (“to fix the broken industry”) is born from and rooted in love, and we will always do right by our mission. Makes sense, yeah? We’re all #MissionBeforeMoney around here!

Fast forward, this will be our 12th consecutive year. We’ve been a positive influence (to one degree or another) in the lives of more than 6,000 people through the CISSP Mentor Program in the past two years alone (3,500+ students this year so far, 2,400+ students last year). Everyone is welcome here, regardless of background, experience or education. If you don’t want to take the CISSP exam, or don’t feel ready, join us anyway. You’ll learn more about information security, and maybe you’ll pick up some life skills along the way!

Welcome Message

Posted in the 2021 CISSP Mentor Program Study Group on 2/19/21:

Hello 2021 FRSecure CISSP Mentor Program Class,

I’m Evan Francen, the founder and CEO of FRSecure (and SecurityStudio) and one of the instructors here. We’ll get to know each other once class gets going, but I wanted to introduce myself now and welcome you.

Welcome to the 2021 FRSecure CISSP Mentor Program!

I’m excited that you’re here and honored to be part of your journey.

A little history…

In 2008, we started FRSecure with this mission:

To fix the broken information security industry.

Our mission came from a deep passion to do things right and serve others. You see, information security isn’t about information or security as much as it is about people. People cause the havoc (intentionally or accidentally) and people suffer the consequences. If nobody suffered, nobody would care.

The information security industry is still young. There’s no shortage of work to do, and the sooner we get to work on the right things, the better off everyone will be. Two things are at (or near) the core of our information security industry problems:

  • People take advantage of other people. If there was a single motivator for me, this would be it.
    • Attackers – people who don’t hide their intent to do others harm. Most people think we’re only concerned about the attackers, but there’s much more.
    • Frenemies – people in our industry who sell products and services that are not in the best interests of the buyer and/or do not do what they claim.
    • “Experts” – yes, in quotes. There are people in our industry who are in it for the wrong reasons. They are motivated by selfishness and not to serve others. This wouldn’t seem so bad, but most of these people are charged with securing information that does not belong to them. Inflated egos intimidate and discourage others, ignorance leads to poor decisions, comfort leads to inactivity, etc., etc.
  • Information security fundamentals are not universally understood or applied. This is true in the public sector and private industry. It’s also true at home. If we (as an industry) mastered the application of fundamental information security concepts, we’d reduce the number of breaches by as much as ~80-90% (my conservative estimate) and significantly reduce the impact to society.

Fixing these problems is certainly easier said than done, but the pursuit continues…

So, where does the FRSecure CISSP Mentor Program fit in this equation, and what does it mean for you?

Simple. Our industry needs more good information security people. We need you!

The FRSecure CISSP Mentor Program was born out of our mission. In our first year (2010), there were six students. All six students went on to pass their exams and became CISSPs. Today, they are all working in our industry and making a positive difference in the lives of others. Last year was the 11th consecutive year for the program, and we had more than 2,400 registrations. It’s been an incredible experience for us, and for me personally. We do this because we love people, and we do it for no other reason. No strings, just #MissionBeforeMoney!

The 2021 CISSP Mentor Program

We’re sticking with the formula that works. Due to COVID still being COVID, we will once again teach all classes remotely. We’ve already surpassed last year’s record number of student registrations, and we’re on track for more than 5,000! This will be the best class yet, and I’m VERY excited to get to know some of you along the way! You’ll see me and some of the other FRSecure folks drop in here (the study group) from time to time. We’re here to help you as much as we are able (given day job and family stuff).

Once again, welcome! Thank you for letting us be part of your success. I know I speak for the other instructors (Brad Nigh and Ryan Cloutier) and the entire FRSecure team when I say that.

Let’s do this!

If you’ve thought about signing up, but haven’t yet, go do it. If you know somebody who could use some of this, tell them about it. See, more simple!

UNSECURITY Episode 120 Show Notes

Hey there. It’s time for another episode of the UNSECURITY Podcast, and we’ve got a special guest joining us this week!

Too many things going on to mention right now. Cool things going on at FRSecure and SecurityStudio, but I haven’t really had the time to process it all yet. In my last meeting of the day (2/22), a friend asked me how my day went. I couldn’t answer. Things went from this to that so fast, I never took a second to think about how my day was. Weird. Have you ever had this happen to you?

Well, let’s get to what we came here for…

The notes for episode 120 of the UNSECURITY Podcast.


SHOW NOTES – Episode 120 – Tuesday February 23rd, 2021

Opening

[Brad] Good morning and welcome to another episode of the UNSECURITY Podcast! This is episode 120, and the date is February 23rd, 2021. I’m your host Brad Nigh. Joining me is my good friend and co-host Evan Francen. Hey Evan. How you doing?

Quick Catching Up

  • Welcome our special guest, Tony Alsleben.
    • Tony is the CISO for CentraCare.
    • CentraCare is a large integrated health system here in Minnesota.
    • Six hospitals, seven senior care facilities, 18 clinics, four pharmacies, and lots of specialty care services.
  • Cold snap has broken here in MN. Yay!
  • What’s new at FRSecure and SecurityStudio?

The Meat

News

Wrapping Up – Shout Outs

  • Thanks again for joining us Tony!
  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @BradNigh and Evan’s @evanfrancen. Other Twitter handles where you can find some of the stuff we do, UNSECURITY is @unsecurityP, SecurityStudio is @studiosecurity, and FRSecure is @FRSecure. That’s it. Talk to you all again next week!

…and we’re done.

UNSECURITY Episode 119 Show Notes

OK, we’re back to writing UNSECURITY Podcast show notes. We took eight weeks off from writing show notes because it was a little tedious and we weren’t sure if anyone cared that much anyway. Turns out people care about the show notes, read them, and they want them back!

To make things less tedious and more valuable, we’ll only tell you the topics we plan to talk about. We won’t do the verbatim stuff anymore. If you like the new show notes, let us know (unsecurity@protonmail.com). If you’d like something different, let us know that too!

On to the notes for episode 119 of the UNSECURITY Podcast…


SHOW NOTES – Episode 119 – Wednesday February 17th, 2021

Opening

[Evan] Good morning and welcome to another episode of the UNSECURITY Podcast! This is episode 119, and the date is February 17th, 2021. I’m your host Evan Francen, and joining me is the right side of my brain, Brad Nigh. Good morning Brad.

Quick Catching Up

  • It’s flippin’ cold in MN (and other parts of the country)
  • We need another vacation.

The Meat

News

Wrapping Up – Shout Outs

  • Who’s getting shout outs this week?
  • Closing – Thank you to all our listeners! Send things to us by email at unsecurity@protonmail.com. If you’re the social type, socialize with us on Twitter, I’m @evanfrancen and Brad’s @BradNigh. Be sure to follow the places we work and do cool things, SecurityStudio (@studiosecurity) and FRSecure (@FRSecure). That’s it. Talk to you all again next week!

…and we’re done.

L is for Layers

Learning the ABCs is important to understanding the English language, and the ABCs of Information Security are important for understanding the basic concepts in information (and people) protection. These ABCs are written as education for people who don’t speak information security natively and serve as good reminders for those of us already fluent in this confusing language.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

So, now the beloved letter “L”.

Lethargic Larry’s lackadaisical use of network layers, and his leisurely approach to security let lazy criminals move laterally throughout the lattice, leaving his league of lawyers lamenting the long laborious litigation laid before them from the lye leaked into the lotic.

For the purposes of the Information Security ABCs, “L” is for “Layers”.

To best apply the word “layer” with our definition of “information security”, let’s quickly review both definitions. The word “layer” has several definitions in the English language, and here are two:

  • a thickness of some material laid on or spread over a surface: a layer of soot on the windowsill; two layers of paint.
  • something lying over or under something else; a level or tier: There can be multiple layers of metaphor in a single poem.

You remember our definition of “information security” right? Maybe. Well, in case you forgot, it’s managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

So, what is an “information security layer” or “security layer” for short?

What is a Security Layer?

In the context of information security, we use the term layers to describe the controls, most often preventative controls. A single layer is less strong (or effective) than multiple layers. For multiple layers, we just stack one layer on top of another (logically) to make our security (and protection) stronger. Here’s an analogy:

  • Bullet-resistant glass is constructed using multiple layers of laminated glass. The more layers there are, the more protection we get from the glass. Note, the glass is bullet “resistant” and not bullet “proof”. A projectile that is powerful enough will get through. The point is, the layers make the protection stronger.

  • Attacker-resistant networks are constructed following the same concept, but using multiple layers of network protection (segmentation and isolation, maybe provided by firewalls) instead of multiple layers of laminated glass. The more layers there are, the more protection we get from the network. Like bullet-resistant glass, attacker-resistant networks are never attacker “proof”.

Multiple layers make protections stronger; they complement and compensate for each other. Here are a couple more examples:

  • The most common control for authentication is a username and password, a single layer (often referred to as a “factor”). If we add another layer to the authentication, maybe a hardware token (like YubiKey or RSA SecurID), a biometric (like Face ID), or a software token (like Google Authenticator or SMS text), we’ve significantly strengthened the control. We call this multi-factor authentication (MFA), but it’s also multiple layers.
  • A building is protected by exterior controls (walls, windows, doors, etc.). A single layer of protection might be provided by the walls and a single entry door. Once an attacker breaches the door (or wall or window) and gains entry to the building interior, there would be nothing left to stop them from taking anything they wanted or assaulting anyone inside. A simple multi-layer approach might employ additional locked doors between the single exterior entry point and office spaces, between office spaces and mail rooms, between office spaces and data closets, etc., etc.

Layers are important for safety

As one who lives in a cold weather climate, I can assure you that layers are an essential part of staying safe in cold weather. As with all things, having the appropriate number of layers is critical: too many layers and you overheat and struggle to move; not enough layers and you will freeze.

When it comes to using layers in security, the same principle applies: too many layers prevent effective use, and not enough layers lead to unnecessary risk and danger.

Layers are part of defense in depth

We like to use the analogy that security is like an onion. We say this because an onion has many layers, and each layer is needed to make a whole onion. Security is no different: you may need many layers to make the whole security program effective.

Layers are the cornerstone of defense in depth. Defense in depth is a security concept that states security should be implemented in overlapping layers that provide the three elements needed to secure assets (prevention, detection, and response), while seeking to offset the weakness of one security layer by strengthening it with two or more additional layers. This is the #1 reason for using multi-factor authentication (MFA) to strengthen the security of your username and password.
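The software-token layer named above (the Google Authenticator style of code) is the second factor most people meet in practice. As an added example that is not part of the original post, here is a Go standard-library implementation of that check: RFC 6238 time-based one-time codes, verified with clock-drift tolerance and with replay protection so a code that has already been accepted cannot be used a second time. The enrollment secret is constructed for the demonstration (it is the RFC test-vector secret), not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// Digits and StepSeconds are the defaults used by common authenticator apps
// (RFC 6238): six-digit codes that change every 30 seconds.
const (
	Digits      = 6
	StepSeconds = 30
)

// HOTP computes an RFC 4226 code: HMAC-SHA1 over the big-endian counter,
// dynamic truncation to 31 bits, then the last Digits decimal digits.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	truncated := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", truncated%1000000) // Digits == 6
}

// TOTP is HOTP with the counter derived from Unix time (RFC 6238).
func TOTP(secret []byte, at time.Time) string {
	return HOTP(secret, uint64(at.Unix())/StepSeconds)
}

// SecondFactor is the server-side state for one user's software token. The
// shared secret is the value enrolled into the app; lastStep blocks replay.
type SecondFactor struct {
	Secret   []byte
	lastStep uint64 // highest time step already consumed
	consumed bool   // whether any step has been consumed yet
}

// Verify accepts a submitted code if it matches the current time step or one
// within +/-skew steps (tolerating clock drift), compared in constant time.
// A step at or below one already used is refused, so an accepted code cannot
// be replayed for the rest of its validity window.
func (f *SecondFactor) Verify(code string, now time.Time, skew int) bool {
	current := now.Unix() / StepSeconds
	for d := -skew; d <= skew; d++ {
		step := current + int64(d)
		if step < 0 {
			continue
		}
		if f.consumed && uint64(step) <= f.lastStep {
			continue // this step (or an older one) was already used
		}
		expected := HOTP(f.Secret, uint64(step))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			f.lastStep = uint64(step)
			f.consumed = true
			return true
		}
	}
	return false
}

func main() {
	// Constructed enrollment secret (the RFC 6238 test-vector secret).
	token := &SecondFactor{Secret: []byte("12345678901234567890")}
	now := time.Unix(59, 0)
	code := TOTP(token.Secret, now)
	fmt.Println("code:", code,
		"first use:", token.Verify(code, now, 1),
		"replay:", token.Verify(code, now, 1))
}
```

The password layer is checked separately by the application; this block only shows why the added factor holds up on its own, including when the first factor has been compromised.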

Let’s take a deeper look at the various security layers we encounter most often.

Physical

The physical layer consists of the things you can touch: fences, locked doors, surveillance cameras, mantraps (a room where one door locks behind you before the door in front of you can be opened), security guards, etc. This is the first layer of any security program; all the other layers are ineffective if the systems can be physically accessed by bad actors. Having an appropriate level of physical controls in place is critical to ensuring the rest of the security layers are effective. After all,

“It doesn’t matter if your server runs the greatest security software of all time when someone steals the server.”  

Access Control

The access control layer comes in two forms, physical access and logical access. Both serve the same purpose: to limit access to sensitive systems and data to authorized personnel (approved users only). The most common physical access controls are door locks, and the most common logical access controls are passwords (used in combination with a username).

Access control gives us the ability to restrict and monitor who is accessing what, and physical and logical access controls can have many sublayers. For example a locked door could have additional layers (controls) of security such as a surveillance camera or security guard. Logical examples include multi-factor authentication (MFA) covered earlier, or performing logical access audits on a periodic basis.

Application

The application security layer is all about providing protection to applications and the data applications use. Security controls on the application layer require additional consideration, as poorly configured security controls can degrade the performance, stability, and overall usability of an application. Inadequate or missing security controls at the application layer present significant risks, such as data loss, data integrity issues, backdoors/malware, additional unauthorized network access and service interruption.

Ransomware, Distributed Denial of Service (DDoS) attacks, SQL injection, and cross-site scripting are some of the attacks targeted at the application layer.

Taking a multi-layered approach to application security is a best practice. Using a Web Application Firewall (WAF) for web-facing applications, secure web gateway services for Internet access, logging and monitoring of application activities, and training aimed at improving user behaviors are great starting points to consider for a multi-layered approach to application security.

Network

The network layer is responsible for connecting systems together. Systems within an organization are likely to need communication capabilities with each other to operate, and connectivity to the Internet may also be required. This is the layer where a standard firewall lives. You know, that thing we traditionally think of when we talk about cybersecurity (BTW, cybersecurity is not information security. They’re like cousins)?

Think of the network layer as your first chance and last chance; it is your first chance to detect suspicious traffic/behaviors, and it’s your last chance to stop data from leaving your network. The network layer has two directions that must be considered in your protection approach, inbound (sometimes called “ingress”) and outbound (sometimes called “egress”). Controlling and monitoring data and traffic in both directions is critical, although this is contrary to current practice in many organizations.

The Crunchy Shell and Gooey Center

Most networks are secured (poorly) with a “crunchy shell” and “gooey center”. Traditionally, we’ve focused so much on establishing a strong perimeter (“crunchy shell”) that we neglect to account for what happens when an attacker gets through the perimeter. There are few restrictions in place, and we’re left with our “gooey center”. In most networks, once an attacker gets through the perimeter (trivial in many cases), they have free rein to move laterally throughout the network until they find valuable data. Once the attacker finds valuable data, they are rarely restricted in exfiltrating the data because of ineffective egress traffic restrictions.

The two most common mistakes in network security layering include:

  • Too much focus on the perimeter.
  • Too much focus on restricting traffic inbound and no (or very little) focus on traffic outbound.

An important note about the “perimeter”, especially with the explosion of remote work due to COVID-19, is there is no perimeter. At the very least, there are many perimeters. All the more reason for a layered approach.

Some of the tools used to secure the network layer are firewalls, security information and event management (SIEM) tools, network intrusion prevention systems (NIPS), network intrusion detection systems (NIDS), logging and packet capture devices, network-based data loss prevention (DLP), email filtering, and web filtering.

The better the network layer is secured and monitored, the higher your chances of seeing something in time to stop the “something” from being very bad. Some of the controls we use to secure the network layer are physical and some are logical. The best approaches are usually a blend of both. When it comes to securing the network layer, less is more and more is less.

Whoa, did I just blow your mind?! How can it be both more and less you might ask.

The answer is painfully simple: the more restrictive you are with what you allow on the network without knowledge of what it does or why, the fewer issues you will have to chase down later. Knowing what something is, why it’s on the network, why it’s important to the business, and how it works/behaves during normal operation is invaluable when it comes to securing the network layer. The better you understand what’s on the network and how it operates, the better your firewall rules, IPS, IDS, WAF, log data, SIEM, and other security controls can be configured. This always results in fewer things to chase and less time elapsed between detection and response.

Remember when it comes to network access Less is More! (concept of least privilege)

While the network layer has traditionally gotten the most attention from security professionals over the years, and is where the concept of perimeter defense is rooted, it is only one of the many layers you need to design and manage an effective information security program.

Host / Platform

The host layer is where virtualization happens and where operating systems live, virtual or not. This is also the layer where computers, servers, Internet of Things (IoT) devices, and all other devices (with a unique IP address) reside. When we discuss this layer in the cloud (IaaS or otherwise), we refer to it as the platform layer, and there are some distinct differences in how to secure it. Securing this layer comes with the challenge that most devices need to interact with many applications and services hosted locally and remotely. When we consider all the various other layers and systems at play, we must consider virtualization, application stacks, code libraries, 3rd party services, integrations and data movements, security patches, upgrades, cloud services, and on and on.

Adding to the challenge, we must do this while balancing the needs of the business and risk.

The WORST ENEMY of security is complexity; therefore, we must combat complexity at all times. This is a huge challenge when dealing with the (sometimes unreasonable) demands of the business. Using a simplified approach whenever possible, and leveraging a layered approach to information security, will make your life easier and your protections more effective. Believe it or not, the fundamentals are still the most effective security controls out there.

Honorable mentions for “L”

  • Lag
  • LAMP
  • LAN
  • Laptop
  • Laser Printer
  • Latency
  • Lazy Loading
  • LCD
  • LDAP
  • Lead
  • Leaderboard
  • Leading
  • Leaf
  • LED
  • Let
  • Left-Click
  • Leopard
  • LFN
  • LIFO
  • Lightning
  • Link
  • LinkedIn
  • Linux
  • Lion
  • LISTSERV
  • Live Streaming
  • Load Balancing
  • Localhost
  • Log File
  • Log On
  • Logic Error
  • Logic Gate
  • Login
  • Long
  • Loop
  • Lossless
  • Lossy
  • Low-Level Language
  • LPI
  • LTE
  • Lua
  • LUN

So, there it is folks. The letter “L” is for “Layers”.

The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics). APPLY THE BASICS!

On to “M”!

The Burn(out)

If you work in this field (information security) long enough, burn out is something you’re sure to encounter. You will fight against burn out yourself, meet somebody who is on the verge of burn out, or sadly, meet someone who has already burned out.

We work our asses off. The hours are long. The stress is real. Isolation comes with the territory.

If you are on the verge of burning out, please seek help (from me, a colleague, a friend, a counselor, etc.). We need you. We need you to fight beside us. We need your ideas. We need your perspectives. We need your wisdom. We need your support. We need your passion. We need your skill. We have serious information security problems in society. In fact, we’ve created more problems than we’ve solved.

WE NEED YOU FOR THE CREATION AND IMPLEMENTATION OF SOLUTIONS TO SOCIETY’S INFORMATION SECURITY PROBLEMS.

The letter below is hypothetical. It’s not written to anyone in particular or with anyone in mind (except the information security professional). It’s a raw dump of frustrations I’ve heard over the years from my brothers and sisters in arms.


Dear <INSERT NAME OR TITLE>,

I’m tired.

You may not care, but you should. I’m holding shit together while you focus on life. Some of my frustration stems from your view that information security (or “cybersecurity”) isn’t part of life. The truth is, information security IS part of life. It’s a damn life skill!

Before you ask why I’m tired, I’ll tell you. I’m tired because:

  • I work 80+ hours a week to protect you and all that you are responsible for.
  • I’m fighting a fight I cannot win, especially without your help.
  • I’m asking you to help, but you aren’t listening.
  • We’re under relentless attack, but you don’t see it, so you don’t care.
  • You think “it won’t happen to me” and I’m afraid it already has.
  • I’m losing support from my family because they’re sacrificing their time with me while I protect you (and worse, they don’t understand why I’m doing it).
  • You won’t step up and take responsibility for what’s yours.
  • I need you to help me solve problems, but I can’t get you to participate.
  • You think this is my responsibility, but it’s not, it’s yours.
  • I tell you things with honesty and transparency, but I don’t think you trust me.
  • We’re understaffed and underfunded, but you keep telling me to do more with less.
  • I need you to champion this cause, but you do nothing more than tolerate it.
  • I want to teach you about information security, but you are too smart or too busy for education.
  • You don’t see the value in me because I’m nothing more than a cost center to you.
  • You will blame me when things go wrong, but you don’t notice when things seem OK.
  • Your demands for more technology and gadgetry makes protecting you harder than it already was.
  • I sit behind a screen all day and my physical health is declining.
  • I deal with the dark shit of this world, mostly alone, and my mental health is at risk too.

Despite all this, believe it or not, I LOVE what I do. I love what I do because I love doing good, fighting against evil, and protecting people like you. It scares me to think of doing anything else for a living. You pay me well, so I’m not complaining about money.

You know this isn’t about money, right?!

My work and passion runs deeper than money. Money provides the means to my cause, but it’s not the cause. I do what I do because I want to make a positive difference in your life and I want you to be healthy. I do this because I care about you, obviously more than I care about myself sometimes. I’m here to serve. I am here to help. I answer the phone when you call. I’m here to respond when things go wrong, even if it means I take the blame.

This is my duty and my promise to you.

Sometimes I ask myself if it’s worth it. Is the frustration worth the reward? Is this all worth it, knowing that I’m destined to fail?

You might be inclined to ask “what do you mean, destined to fail?!”

I’m destined to fail because you ask me (directly or indirectly) to do the impossible, you won’t enable me to succeed even if it were possible, and you have expectations of me that can’t be met.

You ask me to keep you “out of the news,” but I can’t promise you that. No matter what I do, I can’t protect you from all the bad things that can/will happen. I’ve always told you the goal is risk management, and not risk elimination. Risk elimination just isn’t possible.

I don’t want you to take pity on me, and I don’t want any outward acknowledgement. I want you to own what’s yours! I want you to get in this game and play ball. You can delegate all sorts of things to me and others, but you will never be able to absolve yourself of your ultimate responsibility. The wolves in our industry will fool you into thinking they can solve all your problems without your attention or worry, just your money. They can’t. It’s a lie. They prey on your ignorance to mislead you and steal your money, not unlike the attackers we’re trying to fight against in the first place!

All of us need you to step up. We need you to own what’s yours. We need you to lead. Ultimately, the security and safety of all things and people under your control is your responsibility. It’s time to step up before I give up. I’m your best hope, but we’re hopeless without each other.

-Information Security Professional (on the verge of burnout)

K is for Key

In kindergarten (or thereabouts) we learned the ABCs of the English language (assuming we’re from the U.S.). Learning the ABCs provided the foundation necessary to form words. Before long, words became sentences, sentences became paragraphs, and paragraphs became chapters, reports and books.

The ABCs of Information Security are important in much the same way the ABCs for English are. We start with learning and mastering basic concepts. Basic concepts begin to combine with other basic concepts to form the foundation of an information security program. In time, advanced techniques are applied on top of the solid foundation, and a world class information security program is born.

The Information Security ABCs are written as education for people who don’t speak information securitynese yet, and they’re good reminders for people who already speak information securitynese fluently.

TRUTH: If more people and organizations applied the basics, we’d eliminate a vast majority of breaches (and other bad things).

Here’s our progress thus far:

And here we are, ready for “K”. “K” doesn’t get much respect in the English language, appearing with a frequency of only 1.1% (compared to “E” and its 11.16%). All letters deserve respect, and “K” can brag that it isn’t as lonely as poor “Q” (.196%).

Some alliteration…

Our kindhearted kin are kayoed, watching their kingdom go kaput while losing the kitty to knave knuckleheads, all because they didn’t know key concepts, built knotty networks, and failed to kindle interest from kleptocratic leaders.

For the purposes of the Information Security ABCs, “K” is for “Key”.

The word “key” has many applications in information security. It’s one of a few words that fit across the spectrum of what information security is:

Information security is managing risk to unauthorized disclosure, modification, and destruction of information using administrative, physical, and technical means (or controls).

There are physical keys, logical (or technical) keys, and all the “other” keys.

Physical Keys

Physical keys are used to open physical locks. Physical locks are used to secure physical things. Physical “things” might be a locker, a door, a window, a safe, or any number of other “things”. Don’t confuse physical key locks with other physical locks. Combination locks and keypad locks aren’t physical key locks, but they have keys too. The key in these locks is the combination.

Confused? Don’t be. Here are the most common types of physical key locks.

Types of Keyed Locks

IMPORTANT: Every physical key lock is susceptible to compromise (picking, bumping, impressioning, etc.), but some are much harder than others to bypass.

  • Pin cylinder (or pin tumbler) locks – a lock with pins that must be aligned with a shear line to turn the cylinder (open the lock). The key is specifically shaped to lift the pins to align with the shear line. The number of pins in these locks varies, but the most common are 5- and 6-pin locks.

  • Lever (or lever tumbler) locks – the key lifts each of the levers to the exact height required to move the locking bolt. The most common lever lock is one with three levers, but you’ll need a five-lever lock (or more) to get home insurance in many cases.

  • Wafer (or wafer tumbler) locks – like the pin tumbler lock but uses flat wafers instead of pins.

  • Warded locks – obstructions are used within the lock to prevent anything but the correct key to turn. One of the oldest lock designs, and only used in low security applications today.

  • Disc detainer (or disc tumbler) locks – uses slotted rotating rings where the slots must be aligned to unlock. Harder to pick and sometimes sold as “high security” locks.

Keys open locks. Simple, right?

Again, don’t forget that ALL physical locks are susceptible to picking or bypass. Here’s a look at a couple of pick sets.

Logical Keys

Logical keys are very commonly used to protect assets too. The three most widely used references to logical keys in information security are:

  • Secret Key – this often refers to a type of cryptography (“secret-key” encryption, or algorithm) and the key itself. Secret-key encryption is also referred to as symmetric encryption (not to confuse anyone). In this type of encryption, the same key (secret key) is used to encrypt and decrypt data. The key can take the form of a simple password, a passphrase, or any other combination of bits/bytes. Popular symmetric-key algorithms include AES (Rijndael), Twofish, DES, 3DES, RC4, and others.
  • Public Key – this term refers to a type of encryption and the key itself too. Public-key cryptography is also referred to as asymmetric cryptography because one key is used to encrypt the data and a separate (but related) key is used to decrypt the data. If the public key is used to encrypt, only the private key can decrypt, and vice versa. The public key is often freely distributed while the private key is kept, you guessed it, private. Common asymmetric-key algorithms include RSA, Diffie-Hellman (key exchange), Elliptic Curve Cryptography, and others.
  • Private Key – private keys are paired with public keys in asymmetric encryption algorithms. These are sometimes referred to as secret keys, but not the same secret keys as those used in symmetric encryption (because we like to reuse words and confuse people I guess).

It’s common to use asymmetric encryption to establish communications and exchange secret keys, then use symmetric encryption to exchange data. This is because symmetric encryption is stronger (per bit of key length) and faster.
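The hybrid pattern just described, as an added example that is not part of the original post: Go standard-library code in which a fresh AES-256 secret key is generated per message and wrapped with the recipient’s RSA public key (RSA-OAEP, the asymmetric step), while the bulk data is encrypted with AES-GCM (the fast symmetric step). The recipient’s private key unwraps the secret key and AES-GCM rejects any modified ciphertext instead of returning garbage. The message text is constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is what travels over the wire: the symmetric key wrapped with the
// recipient's public key, plus the AES-GCM nonce and ciphertext.
type Envelope struct {
	WrappedKey []byte // AES-256 secret key encrypted with RSA-OAEP
	Nonce      []byte // 12-byte AES-GCM nonce, unique per message
	Ciphertext []byte // AES-GCM output (carries the authentication tag)
}

// NewRecipient generates the asymmetric key pair once; the public half is
// the part that can be freely distributed.
func NewRecipient() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the sender's side: asymmetric crypto to exchange a secret key,
// symmetric crypto to protect the data.
func Seal(recipient *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32) // fresh AES-256 secret key for this message only
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
	}, nil
}

// Open is the recipient's side: only the private key can unwrap the secret
// key, and AES-GCM authenticates the data before releasing any plaintext.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("could not unwrap secret key (wrong private key or damaged envelope)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	plaintext, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: ciphertext was modified")
	}
	return plaintext, nil
}

func main() {
	priv, err := NewRecipient()
	if err != nil {
		panic(err)
	}
	// Constructed sample message.
	env, err := Seal(&priv.PublicKey, []byte("layers: asymmetric to wrap the key, symmetric for the data"))
	if err != nil {
		panic(err)
	}
	out, err := Open(priv, env)
	fmt.Printf("%s (err=%v)\n", out, err)
}
```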

Other Uses of “Key”

The word key and security (and information security) are like second cousins. They’re different but related to each other. The image of a key (or padlock with keyhole) is often used symbolically to reference information security, like the graphic below.

Then there are information security “key” concepts, like:

  • Information security is risk management.
  • Information security protects the confidentiality, integrity, and availability of information.
  • Information security is a business issue, not an IT issue.
  • You can’t prevent all bad things from happening (eliminate risk), so you must have something in place to detect the bad things and something in place to respond appropriately too.
  • And many, many more…

More use of the word “key”:

  • Key Chain
  • Key Distribution Center (KDC)
  • Key Escrow
  • Key Fob
  • Key Generator (Keygen)
  • Key Length
  • Key Performance Indicators (KPI)
  • Key Risk Indicators (KRI)
  • Key Value Store
  • Key-Value Pair (KVP)
  • Keyboard
  • Keyboard Buffer
  • Keyboard Macro
  • Keyboard Shortcut
  • Keycap
  • Keygen
  • Keylogger
  • Keypad
  • Keystroke
  • Keystroke Logger
  • Keyword
  • Keyword Stuffing

So, there you go. The letter “K” is for “Key”. The key to good information security is understanding information security for what it is (see the definition earlier in this post) and to master the basics. Mastery isn’t just knowing what the basics are (lots of “experts” know the basics), but to master them in application too (few “experts” are good at applying the basics).

On to “L”!