
May 19, 2025 32 mins

Cybersecurity professionals need a solid understanding of secure communication protocols, not just for exam success but for real-world implementation. This episode unpacks the essential protocols covered in CISSP Domain 4.1.3, providing clear explanations of how each works and when to use them.

We begin with a timely discussion of the recent UnitedHealthcare hack, examining how ransomware crippled Change Healthcare systems nationwide. This case study highlights the critical importance of understanding security protocols and being able to articulate potential business impacts to leadership. Sean shares practical approaches for estimating downtime costs to help justify security investments.

The heart of this episode explores crucial security protocols including IPsec tunnels, Kerberos authentication, Secure Shell (SSH), and the Signal protocol. Each section covers how these technologies function, their ideal use cases, and their respective strengths and limitations. The discussion extends to transport layer security (TLS), layer 2 tunneling protocol (L2TP), and lesser-known protocols like secure real-time transport protocol (SRTP) and Zimmermann real-time transport protocol (ZRTP).

Sean breaks down complex technical concepts into accessible explanations, perfect for both CISSP candidates and practicing security professionals. Understanding these protocols isn't just about passing an exam—it's about making informed decisions when implementing security architecture in your organization. Whether you're preparing for certification or looking to strengthen your organization's security posture, this episode provides valuable insights into the fundamental building blocks of secure communications.

Check out cisspcybertraining.com for free resources including practice questions, training videos, and blog posts to support your cybersecurity learning journey.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training and tools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber and I'm your host for this
action-packed, informative podcast.
Join me each week as I provide the information you need to pass
the CISSP exam and grow your cybersecurity knowledge.

(00:20):
All right, let's get started.
Let's go.

Speaker 2 (00:22):
Good morning, it's Sean Gerber with the CISSP Cyber Training
Podcast.
And how are you all doing this beautiful day today?
As you can see in my background if you're watching the video, I
have changed locations.
I am currently in my new office, as I have just changed my jobs
from being a CISO of a large multinational to now being a

(00:45):
consultant.
So a new twist in my life and a new change is.
It's awesome, very different than what I did before and I
will say it's also a little bit just unnerving in some respects.
But it's good.
It's what needed to occur and where I'm at in this phase of my
career, so pretty excited about that.
This was obviously a choice on my own, just to get out there on

(01:08):
my own and start my own business, and it's been very
interesting to this point.
So interesting in a good way and interesting in a little bit
terrifying way, but it's all good nonetheless.
So today we're going to be talking about domain 4.1.3.
We're going to be getting various secure communication
protocols as it relates to the CISSP.
So if you're following along in the book, you'll be able to

(01:29):
find that. I can't remember what chapter it's in, but again, it's
domain 4.1.3.
But before we get started, there is just going to talk real
quickly about the article that made news.
We talked about this in our podcast a couple of weeks ago,
as it relates to the UnitedHealthcare hack that
occurred, one of the things that just came up.

(01:51):
They are finally making some sort of restitution, or able to
make some movement, as it relates to the UnitedHealthcare
challenge that they had with the ALPHV, or ALPHV BlackCat,
hacking group that gained access through ransomware attack on
the US healthcare system.
They're able, they said they've restored nearly all of Change
Healthcare's systems for processing prescriptions, that
is to say, after a $22 million ransom that was paid from what

(02:13):
we understand.
Obviously, they haven't disclosed that specifically yet,
but all the tea leaves and people talking have basically
said that the ransom was paid towards the folks that were
hacking into the Change Healthcare system.
The interesting part, though, is that they've been able to get
electronic payments back and operational, and this involves
billing between the payments and between the care providers and

(02:35):
the insurers as well, so they've been moving forward, which is
great, but it's been an interesting part where I think
it's been scary for the US government to realize how
intertwined this one health care system is tied with the US
government, very similar to what happened with the Colonial
Pipeline.
I think that was also a reverberation throughout the

(02:56):
environment that the critical systems, such as the health care
and so forth, are very vulnerable to cyber attacks.
So, again, it's important to you as a security professional to
stay on top of these things.
One, just so that you are aware that they're happening, right.
And also, as a security professional, it's your
responsibility to talk to your leadership and let them know how

(03:18):
this could happen.
I've seen various different organizations that utilize these
types of events in how they are, how they would respond to such
an incident and what would be the potential downside of this
occurring.
So, as an example, if you had, let's just say you had a
facility, a manufacturing facility, a hospital, whatever
that might be that would to go down and, as you see in this

(03:41):
case here, just figure it was down for a month.
So you take out the, the whole ability for paying the ransom.
Let's just set that aside.
But if you were to go and say, okay, if my system was down for
a month, what would that potentially cost me in revenue,
employee opportunity cost for employees, what would that cost
from a standpoint of just ensuring that I have all my

(04:02):
licenses correct.
There's a whole litany of areas that could really dramatically
affect what this would cost.
One thing to not get too hung up on, though, is getting into
making it so precise.
Precision is the enemy of being complete, and so sometimes you
want to be directly correct, but you don't necessarily need to

(04:22):
be precise to the point where you're talking about maybe a
million dollars here or a million dollars there.
Now, I understand it's a lot of money, but in a grand scheme of
things, you could real quickly, if you're just talking, let's
say, I'm just guessing, let's say a pharmacist and you'll say one
pharmacy goes down and let's say that pharmacy generates X in

(04:42):
revenue every month.
Well, and your costs are Y every month.
Well, if you just go that your expenses are this and your
revenue is this, and you can then extrapolate that that you
would lose, let's say, I don't know, $100,000 in revenue in one
month.
Obviously you'd want more than that, but let's just say it's
$100,000 in one month.

(05:02):
If that's the case, then you extrapolate that out to be maybe
10, 15, 20 different pharmacies that you may have.
So now you're saying a million dollars that would cost you to
be down for a month, and that doesn't include what it would
cost for the ransom and so forth.
So those are ways you can kind of peel back that onion and
quickly come together with some costs to the senior leaders.

(05:24):
That won't be precise, but it will be directionally correct,
and then you can highlight to them is it worth spending the
time to ensure that you have backup and recovery systems in
place, or is it not?
It may not, maybe it won't be, maybe you're fine with letting
it get totally just blown away and start all over, but those
are things that you're going to have to work through with your
senior leaders as you're trying to come up with a plan around

(05:46):
this.
So therefore, it is really important as a security
professional that you understand these attacks, you understand
how they did it and then also what systems were affected,
because then you, as the professional, can come forward
with what you feel you could do to best protect your
organization, because that's what they're paying you to do.
That's the expectation.
Okay, so let's go ahead and get started in today's training.

(06:08):
Okay, so again, like we talked about, this is 4.1.3, and then
we're talking various secure communication protocols.
So when we're talking about protocols, there's various
protocols that are there.
You've got IPsec, you've got Kerberos, you've got SSH, you've
got Signal protocol and so forth, and we're going to kind
of go over each of those a little bit in depth and just

(06:30):
kind of talk to you about why are they important, what are the
pros and cons for each of these protocols, so that you can
understand that when they're asking you this question on the
CISSP, because they're going to ask you what is an IPsec tunnel
and you may not know what that is because maybe you just didn't
deal with it in your current career.
So therefore you're like, I have no idea. The ultimate goal is to
give you just a brief understanding of what these

(06:51):
protocols do and why they'd beimportant for the CISSP.
Ipsec uses authenticationthrough what they call a key
exchange or an internet keyexchange, ike.
This protocol is used toestablish the authenticated
communication between the twoparties by exchanging keys that
the two pairs or the two peersare connected to.
Now there's different types ofIP sec tunnels that you may have

(07:15):
.
You have a site-to-site VPN,which actually gives between two
Offices.
You may have one location here,another location here, and it
will connect the two have onelocation here, another location
here and it will connect the twospecifically utilizing what
they call an IPSec tunnel, andthis will form a single secure
wide area network between thetwo.
You also have what can occurthrough IPSec is a VPN, which
you've seen, you've probablydealt with.

(07:36):
Depending on where you're at in your remote activities is a
good example is an employee working from home can use an
IPsec VPN to connect into their, the company's internal
resources.
Again, same kind of point.
It allows a connection between two parties and allows that
activity to be encrypted.
Therefore, if it's encrypted, you can't see into it and you

(07:56):
would have to decrypt it or have to get yourself wedged in the
middle somehow as part of the key structure to be able to
ensure that you could actually see the data that's being sent.
Now, so let's get into some of the pros that are behind this.
Again, one of the aspects around an IPsec tunnel, an IPsec
protocol, is the fact that it is supported by many vendors and

(08:17):
many devices, which makes it really interoperable when you're
dealing with various platforms, and that's awesome, especially
if you're trying to connect with something secure.
It works.
I've done it a couple of times, a few times myself, but the
main thing, as an architect, I talk about how we would connect
those tunnels together to ensure that you'd have one connection
between them and you would protect the data between those

(08:39):
two nodes.
It does operate at the network layer, which means it can secure
basically any type of traffic, regardless of the application or
the transport protocol that's being used.
So it's at the network layer.
It's used by many vendors.
Okay, now some of the cons that come with this.
It can be complex and difficult to configure.
It's not a real simple solution where it's just you hit an easy

(08:59):
button and you're in businessand you're in business.
Especially if you're dealingwith multiple gateways, dynamic
IP addresses, firewalls and soforth, it gets very point to
point and it can be a bitchallenging.
So, that being said, it's oneof those where it has its uses.
But from a networkingstandpoint and configuring it
with inside your network, it maynot be the best choice because

(09:20):
it can be hard to configure.
It does require PKI, which is your public key infrastructure,
to manage the certs for the authentication, right.
And so now when you're dealing with PKI, you have this search.
You have to have a central location that will manage those
certs, just because you can't individually do it, especially
if you start getting in a large web, it will have to have some

(09:42):
sort of mechanism that will manage the keys, the
certificates that are inside your network and then that will
actively transmit them as needed, also a way to rotate them as
needed.
So it's an important piece where you will need some level
of PKI which includes pre-shared keys and it also has the
ability to have the ability to exchange keys as necessary.

(10:05):
So the next secure protocol is what we call Kerberos.
Now, with Kerberos, there are three main components of it.
You have an authentication service, a ticketing granting
service, and then you have a server service server, which,
okay.
So as we walk through this, we'll just kind of go over each
component as it relates.
So the authentication service validates the user's credentials

(10:26):
and issues a ticket granting ticket.
Okay, if the credentials are valid.
Now this ticketing granting service uses that ticketing
granting ticket, TGT, to issue service tickets that allow
access to the networks themselves.
And then the server service or service server, accepts the
service tickets and the users and provides the access required,

(10:48):
specifically set up.
Now what are some of the examples that you can deal with?
Well, you have just a couple of key ones.
You've got Active Directory authentication and you have
single sign-on, so Active Directory authentication.
This is where you use, obviously, in the Windows Active
Directory environment, and it's used to authenticate users.
So when a user logs into a computer, onto a system, Active

(11:09):
Directory will then authenticate to you and grant you access to
the resources based on what Active Directory is saying and
what's connected into Active Directory and what you're
allowed to have access to.
So many people will think of Active Directory as a networking
type product, and it is, but it's also a security product.
So again, that's how Kerberos works through the authentication

(11:31):
through Active Directory.
Also, with single sign-on, Kerberos will allow users to log
in and access multiple services without reentering credentials.
As an example, rather than have Sean that has a password monkey,
and then monkey1, monkey2, monkey3, you can use this single
sign-on capability where it is already federated against Sean.

(11:52):
And when Sean logs
in, it queries your Active Directory environment and
therefore it knows that Sean has access to this, but Sean only
has to remember one password.
So it does allow you to have access to email, file shares and
all that stuff with just having one specific password and
therefore you don't have to have multiple passwords based on the

(12:14):
apps or the applications you're trying to connect to.
So, again, Kerberos works really good with Active
Directory and single sign-on.
It has three main services: authentication service, ticket
granting service and service server.
Those are the three aspects to Kerberos.
Okay, so let's go over the pros and cons of Kerberos.
So it does offer strong authentication, such as your

(12:35):
public key crypto, password-based authentication or
potentially one-time passwords, otherwise known as OTP.
It can create tunnels, obviously between different
hosts, allowing for port forwarding, X11 forwarding or
VPN connections.
So it does give you that capability similar to what the
IPsec tunnels will give you.
Cons are is that it does have some availability or does have

(12:58):
the ability to have some man-in-the-middle attacks,
especially if the server's public key is not verified.
So, obviously, if your public key is out there and unverified,
you potentially could get a man-in-the-middle attack and
then it can consume bandwidth and CPU resources more than what
potentially, other protocols can do.
Okay, so the next one is SSH, that's your secure shell.
Now, secure shell has been used for many, many years for
(13:21):
accessing as a secure protocol for environments trying to gain
access to something, and one of the pieces that has been an
important part of SSH is that its encryption algorithms.
Now the original SSH that was an OpenSSH has been deprecated
from a standpoint of the algorithm being used is still a

(13:41):
SHA-1 type algorithm and therefore it shouldn't be used
because it can be manipulated.
It isn't a strong, secure algorithm, but OpenSSH is still
available and used widely among many, many people.
So what does SSH do?
Is it provides a secure, remote login for a remote machine and
potentially the ability to execute commands.

(14:03):
Now I would do an SSH shell to multiple systems.
I would execute those commands on that system and it was a
great secure way of doing it in the fact that you couldn't see
what I was actually running.
Now the encryption piece of this, this encrypts the session
to protect the data from being read by other individuals, which
we mentioned.
And the part that comes into is when I was working as a red

(14:25):
teamer.
We would do this so that we would have access and we didn't
want any sort of decryption type tools to be able to sniff what
we were doing.
I shouldn't say decryption, I should say any sort of
Wireshark thing that was sitting on the network sniffing the traffic.
We didn't want them to see what commands we were executing, so,
therefore, we would connect with a secure shell into that
environment.
Now, the downside of doing that, obviously, is it does

(14:47):
highlight that you're doing something that you don't want
people to see.
So if a person's interested in seeing what you're doing and now
you kind of blinded them, it does tend to potentially
highlight the fact of what you're trying to accomplish may
not be something you want to look at. Now it does.
Authentication uses public key crypto, which to authenticate
the remote computer and allow it to authenticate to the user
(15:10):
itself.
Now, what are some examples around Secure Shell?
You have remote server management, and then you have
secure file transfer.
Those are some key examples of how secure shell has been used.
So, as an example, right, obviously, administrators will
use SSH to securely log into and manage servers and update the
server configurations, restart servers and so forth, and our

(15:32):
services.
The key around that, though, is just the fact that it's a great
secure communication method to remote into a system and allows
you to have access to what you need to do over the internet and
protect it.
Secure file transfer obviously allows you to, using SCP or SFTP,
which is your secure file transfer protocol and it allows
you to transfer files over the network that are encrypted and

(15:54):
protected, obviously, so you can't from the beginning of
where you beginning.
At this point to the endpoint, they are encrypted, allowing it
to basically be protected during that entire process.
So, remote server management, secure file transfers.
Now, what are some of the pros and the cons of dealing with SSH?

(16:17):
SSH provides a strong encryption and authentication,
ensuring the security of the data being transferred over the
network, but it also supports various cryptographic algorithms,
obviously allowing for users to have the optimum level of
performance.
It works great, but it has had some issues in the past,
especially with the brute force attacks, with using the uh
algorithms such as SHA-1, where they're able to guess private

(16:39):
passwords, or using passwordsand the private key, if we're
using their various commoncombination sprays that they
have.
It also could be subject to manin the middle.
Where they can, hackers canintercept and modify the
communication between the userand the server, as, especially
if they're trying to verify theidentity using, obviously, the
certificates and thefingerprints that are associated
with it.
So there's pros and the conswith it Again.

(17:01):
Also, another con is if you are using an older version of SSH,
you could be setting yourself up for potentially having issues
just because of that older algorithm that's being used.
Now that other one is a Signal protocol.
This one came around because of WhatsApp in their secure
messaging protocol.
Basically what it comes, there's a end-to-end encryption

(17:21):
which only obviously secures communication between the users
that you can read each of the messages.
So the communication between point A to point B with the
WhatsApp application is secure.
It protects past communications being compromised if the keys
are stolen in the future.
So that's obviously the forward security secrecy aspect of it.
It has that ability and it uses AES-256 and SHA-256 to secure

(17:45):
the communication path.
So, again, the Signal protocol is used in apps such as WhatsApp
and the Signal for end-to-end encryption.
I noticed that I know some folks that have used Signal from
end-to-end and basically you have the app on your phone, they
have the app on their phone, you can secure communicate back
and forth with them and nobody can intercept that conversation.

(18:05):
It works really well.
The only problem is if they're not in your network, obviously,
then the Signal app doesn't really work, but it does really
have a good way to allow people to have access to secure,
encrypted communication streams.
It does provide some, we're getting the pros and the cons of
it.
It does provide forward security, meaning the key is
compromised in the future.

(18:26):
It doesn't affect your security or past future messages.
That's one of the things they're seeing more and more of,
is this forward security, or secrecy, just because the
fact that we know so much data
is being stolen and therefore all that people need at this
point is getting the keys and they can have access to it.
It does provide end-to-end encryption, meaning that only

(18:46):
the sender and the receiver can decrypt the messages.
You know it's that signal point A to point B, but because of
that your network can be limited.
This is limited to only the people that have the compatible
devices and the apps loaded on their systems.
It also may be subject to legal or political pressure,
depending on which governments may allow it or not allow it,
especially if you're dealing with governments maybe in Asia

(19:09):
or say, China or Russia.
They may not want that.
They may want you to be able to see those communication streams.
So therefore, if they won't allow that app within their
country, so something to consider as you're looking to
deploy that within your organization.
Okay, next one is secure remote procedure call, or RPC.
So there is an authentication and encryption methodology for

(19:32):
this as well.
So it verifies the identity of communicating programs to
prevent any sort of unauthorized access, and it does protect the
data being transferred, obviously through a level of
encryption.
Now, how does RPC work?
It's used with distributed apps where procedure calls may occur
within a specific remote server.
So a client application might use a secure RPC to connect to a

(19:56):
database and query the remote server and retrieve the results
in a secure form or fashion.
So it's just a remote aspect of this, and it does allow the
client application to use this secure RPC to connect and
execute on this remote server and therefore the query itself,
the request, will be encrypted as well.
Now, what are some of the pros that go along with this?

(20:17):
It provides confidentiality, integrity, obviously for these,
preventing unauthorized access.
It supports various encryption algorithms, which is a positive,
right, depending upon what you're going to be using.
It allows for flexibility and inoperability.
But yeah, it's flexible, let's just go with that.
It's very flexible, flexible and it does allow that to occur,
and within your organization it can be deployed relatively

(20:39):
easily and it makes it a simple process.
Now, some of the cons that go along with this is obviously, it
does need additional overhead for encryption and decryption,
which may affect the performance and latency of the
communication.
It does rely on key distribution systems such as
Kerberos and or public key crypto to allow this to happen, which
does include increased complexity and some level of

(21:01):
security risk.
So it's one of those that I've seen it used within
organizations not on a high end, not a lot, but it is used
depending upon your database.
Administrators use RPC quite a bit.
It's more of a niche type of use.
It's not something that's a broad brush kind of computer
secure protocol that's being used.

(21:22):
Next one is a TLS, Transport Layer Security.
Now in TLS is one of, that's the primary one that's
used.
It came up, it moved away from SSL to TLS and I think I can't
remember what version we're on right now, but uh, it's, I think,
1.4 maybe.
Uh, the other versions have been deprecated just due to the
fact of, obviously, time and uh, the as new TLS versions come
(21:45):
out, they will increase, obviously, the version of
that as it goes on.
So it encrypts data that's sent over the internet, such as web
browsing, email messaging, and obviously it's the main purpose
is so that you can't intercept the communications.
It has user certificates to authenticate to the
communicating parties and that way that sure the files, or any
of the files, haven't been altered during the transmission.

(22:07):
So what I talked about.
What are some of the main use cases around it?
Web browsing is most commonly used and it's a secure form of
HTTP.
It allows for secure HTTP connections to occur.
So obviously, when you get the HTTPS, that's TLS that's working
to encrypt that data.
Email encryption: TLS is used to secure email communications.
I've seen it in some cases.

(22:29):
I haven't seen a lot of it, but it can do that between your
email clients and the email server.
It protects the contents, obviously, of the emails that
are going through.
Now what are some of the pros and cons that go with TLS?
It does provide for strong encryption of the data in
transit and it does prevent unauthorized access or
modification by individuals.
The cons are is it adds a lot of computational overhead again

(22:53):
for the encrypting and decrypting of the data, and
you're going to see this pretty much with any encryption you're
going to deal with is it works really well if you've got a
pretty solid system in place, but if you don't, it will cause
you some churn and it will cause you some issues.
So it requires the certificates to be issued and managed by
trusted authorities, which can incur, obviously, costs and risk

(23:13):
if they are compromised.
So the ultimate goal is again is you want to utilize TLS as
much as you possibly can with your environment.
It is relatively turnkey, it works really really well and
it's one of the standard protocols that are being used
for secure encryption.
Okay, another protocol that you'll see in VPNs is what they
call L2TP, Layer 2 Tunneling Protocol.

(23:34):
This one has been around for a while and it works really well
for private VPNs.
It enables tunneling of data packets between networks and it
operates on the data link layer to facilitate creation of
tunnels over public networks and it helps maintain privacy.
The L2TP does not provide encryption itself.
It's often paired with IPsec to ensure that the communications

(23:55):
is occurring.
So you again, it has the ability to do this, but it does
work in conjunction in concert with IPsec.
So one of the examples out there I was able to dig up off
the internet was one called NordVPN.
NordVPN does use a IPsec combination of L2TP and IPsec to
establish this communication.

(24:18):
The main thing that it's worked with is that if you utilize,
because it's got a geo-restricted capability, it
does allow you to use this within different countries as
well.
So, okay, so let's go into the pros and cons of L2TP.
L2TP is compatible with various platforms and devices, such as
Windows, Linux, Mac, Android and so forth, so it's been around,

(24:38):
it's available to them and it does work well.
It can provide strong encryption and authentication
when they're combined with other protocols such as IPsec.
So it does.
It's a very good product.
When it works in conjunction with that, it can be slower than
other VPN protocols due to the double encapsulation that's
occurring with it between IPsec and the L2TP itself, and it can

(25:01):
be blocked or throttled by firewalls if they detect that it
has a signature.
So what I mean by that is just that, depending on the protocol
that's being used, if the firewall doesn't want L2TP to be
used, they could block it at the specific firewall, which
would then throttle or limit your capability with utilizing
that specific protocol.

(25:21):
So you're going to have to look at what works best for your
organization.
Also, get with your network folks, because one of the pieces
that will come into is they're going to have to help you enable
some of this.
So, if you have network individuals within your
organization, maybe find out what are the things they utilize
right now as a key encryption protocol or secure communication
protocol, and then get with them to see which one it is and

(25:45):
then, if you feel that the deployment of it is sufficient
for your needs, you may want to recommend something different to
them, and if that's the case, then maybe they'll be interested
in opening up and make some changes.
Now, one that I hadn't been aware of and I didn't see it in
the CISSP book was SRTP transport protocol.
So it's a secure, real-time transport protocol and, because

(26:06):
I was looking up there, what are some other ones out there
besides the standards?
You know, your L2TP, your VPN connections, so on and so forth,
how, what, which ones are out there that you're, that might be
beginning becoming to be used?
SRTP one.
This one came up and it was interesting just in the fact
that I didn't really know much about it.
It provides encryption, message authentication and integrity

(26:30):
for real-time communications such as VoIP, so therefore it's
over VoIP.
SRTP is a good option for that.
So what it does is it uses AES and is a default cipher for the
encryption of the data flow.
That goes between two points, and it allows message
authentication for the messages and then replay protection
against any replay attacks, ensuring that they cannot be

(26:50):
intercepted and then replayed back at you.
Now, one example of this is ZRTP, which I hadn't heard of before
either, and we'll kind of quickly go into that one as well,
but it's a protocol that negotiates encryption keys for
SRTP using Diffie-Hellman key exchange.
Now, ZRTP does not rely on a third party or a certificate

(27:12):
authority, but uses short authentication strings.
So typically you'd have a CA that you would utilize for you
as your trusted party for your certificate.
It uses what they call a short authentication string to confirm
the identity of the parties.
Now, this authentication string can be verified by voice or by

(27:33):
other means, such as a QR code.
So it's that.
Can you verify the QR code?
You click on it.
Yes, this is me.
That's one of.
The ZRTP allows that encryption to occur, and this can occur
over voice or video calls on IP networks.
I hadn't really even thought of what that was, so that's
something that was interesting.
And new, SRTP prevents, obviously, eavesdropping and

(27:55):
from audio and video streams, so that's positive, right.
So you have encryption feed.
One of the big issues that ran into VoIP is the fact that there
was no good way to encrypt.
This.
SRTP does obviously have the good protection from voice and
video and it's using encryption authentication algorithms to do
so.
Now, what are some of the negatives?
Well, it does add latency to the communication and it may not

(28:17):
be compatible with some legacy devices or protocols, and it
does increase the cost and complexity of these systems,
adding delays and bandwidth consumption.
So on old systems, it may not work very well.
Something to think about if you're looking to use SRTP.
Lastly, we're going to real quickly talk about ZRTP, which
is the Zimmerman Real-Time Transport Protocol.

(28:38):
This obviously works in conjunction with the SRTP and
ZRTP works together.
As we mentioned, it works on the public key infrastructure
and it is tied into VoIP-type communications.
The ultimate goal again is it deals with the SAS match.
All right, ZRTP.

(28:59):
So, as we mentioned, ZRTP works in conjunction with SRTP, but it
also works with Signal, which is what the WhatsApp
communication protocol is.
It's a key protocol that negotiates for encryption
between two endpoints, obviously in a VoIP call, and it uses the
Diffie-Hellman key exchange and, independent of the signaling
protocol that's specifically used, so it's paired up with the

(29:20):
signal protocol.
It does not rely on PKI.
Instead, it generates the ephemeral keys which are used to
protect against man-in-the-middle attacks.
So well, let's use the example of Signal.
Now, Signal, obviously, is a secure messaging app and it utilizes
this for voice and video calls.
It can verify the identity of the contacts by comparing the

(29:41):
short authentication strings displayed on their devices
during the call.
So, are you who you say you are?
If they match, this means the keys have been exchanged
securely between the two and there's no man in the middle.
Signal will allow the view and verify the public key
fingerprints of their contacts, which then are derived from the
ZRTP's master key.
It does provide end-to-end encryption, right?

(30:03):
So from a pro standpoint, it gives you great protection
against that type of communication and it does not
require any prior setup.
It automatically negotiates the keys for you, so it makes it
simple, and hence that's why one of the things that they wanted
to have happen with WhatsApp is it wants to be simple and to the
point.
It requires support from both ends of, though, of the VoIP

(30:23):
application.
So, again, like Signal, you got to have connection on both ends
for this to occur, which may not be totally compatible with
all types of other protocols that are out there, and you may
have to introduce some latency in this due to the additional
cryptographic operations that are in place.
So, again, something to kind of consider as you're looking at
the various protocols.
Again, that is ZRTP and SRTP.

(30:46):
So, Zimmerman Real-Time Transport Protocol and Secure
Real-Time Transport Protocol.
Okay, that is all I've got for today.
I hope you all enjoy this.
Head on over to cisspcybertraining.com.
I've got some great CISSP training out there.
A lot of free content, more and more free content that's coming
and available to you.
You can go check out my web blog, and all of these videos

(31:08):
are out there available to you.
You can also go to YouTube and see them as well, along with
some of the show notes will be available as well.
If you need your CISSP training, I am here to help you with
that.
I definitely can help you get what you need to pass the CISSP
exam.
Guaranteed, no question about it.
You can pass the CISSP.
You go through my program, you will pass the test.

(31:29):
It's just you have to put in the work to do it, and CISSP
Cyber Training is here for you to help you with that.
Go check it out.
Again, if you have some free CISSP questions, you can get those as
well at CISSP Cyber Training, or go to free questions,
freecisspquestions.com and get access to those questions as
well.
Have a wonderful, wonderful day and we will catch you on the

(31:51):
flip side, see ya.