Paul Herring

Senior Manager of Cloud Services who has worked in Telecoms, network support and PKI support for 26 years. Paul has a PhD in Educational Technologies and an MSc in Cyber Security.

Location: Oxfordshire, United Kingdom

Activity

  • I enjoyed the course and look forward to the next one.

  • I do not think that it is possible to develop secure systems just based upon compliance with development and security standards. Zero day issues are becoming more common which has meant that software patching has become the necessary evil of every IT Support person's job. Also, Hakeem makes a very valuable point when stating that code is very large and can be...

  • GDPR is EU-based data protection legislation that strives to protect the rights of individuals' PII and to ensure that PII is handled in a responsible way, is not held for any longer than it is needed to fulfil the reason for collecting it, is not used for other reasons that have not been authorised by the individual associated with the PII and provides laws...

  • The challenge is to be able to enforce the act against a person or persons who for example hack into a company’s customer files and steal Personally Identifiable Information (PII) if they reside in a country that is outside of the EU and does not comply with Data Protection International Laws. In these circumstances it is very difficult to bring a perpetrator...

  • IFS takes best practice described in ISO 27000 and other frameworks and guides companies and individual Security Officers through the process of becoming and retaining compliance with best practices.

  • Compliance with Standards ensures that your systems design will follow best practice security design, will have more chance of being interoperable with other products (if that is needed). As Fidele quite rightly states there will be times when some systems will need to conform more rigorously to Standards than just at a basic level if it is to be accepted and...

  • Experience shows us that there is no software vendor on the market that is capable of providing completely secure software. Acceptance of this assumption means that we must also accept that all vendors will produce software security patches to protect against known vulnerabilities. Which begs the question, what about the vulnerabilities that are still to be...

  • It is important to use an iterating method like agile when security is added because it is important that security is re-evaluated at each stage and changes made to the developing code to ensure that the overall security of the application isn't compromised as new functionality is added. It is also important that iterative testing is undertaken at each stage...

  • I learned about SDLC and how Security can be added to the cycle to ensure that the end result will be more secure and will address the CIA of customer PII.

  • I would use the agile model because it allows small changes and modifications to be done over the development cycle and can adapt functionality based on customer feedback. However, it is worth noting that in this case it is more likely that carers rather than end customers (who may also have some form of dementia) will provide feedback on the success, or...

  • A reoccurring issue that finally resulted in vendors choosing stronger cryptographic algorithms was the cracking of RC4 which led to users' and vendors' adoption of WPA2. One of the biggest breaches reported that was associated with a WEP hack was in 2006 when credit card processing terminals in a US department store chain called TJ Maxx were hacked and millions...

  • It is important to consider CIA in the development process because otherwise the software you develop is likely to be vulnerable to attacks with a consequence that user PII will be stolen. This will mean that your company could infringe GDPR/DPA regulations and be subject to a very large fine. Also, a breach will also damage your company's reputation and could...

  • Security should always be considered during any software development, from the initial requirement, design, implementation and testing stages. However, software development is dependent on other parts of the solution (applications are dependent on secure OS design and both can be dependent on the firmware that is used) any part can mean that security can...

  • @FideleAKOBE great to speak to you again. Yes, it will be good to work together again. How many courses have you got to go until the dissertation?

  • Computer systems and networks have been developed from stand-alone systems built to complete a single task, quickly (such as Colossus development to crack German codes). These early systems relied on physical security (locked rooms, security guards and restricted physical access) to protect them as these systems weren't connected to external networks. Later...

  • Dennis and Robbie make very good points. History shows us that it is very difficult to make systems secure and often requires frequent security patching as and when vulnerabilities are discovered. Policies, standards and legislation work well as guidance toward secure software but factors such as software peer review, rigorous testing, standardised and best...

  • Paul Herring made a comment

    Hello everyone,
    My name is Paul Herring and I have worked in various IT roles for more years than I am prepared to admit ;-). Currently I am an Operations Manager with a Computer Security company.

    I am currently studying towards the MSc in Cyber Security and this will be my final course before going onto the dissertation. Although this is a prerequisite of...

  • Hi Krisl, sorry I have only just seen your message. How many were you able to decrypt?

  • A very interesting introduction into Network Security. I look forward to learning more in the coming courses.

  • I still feel that cyber attacks are inevitable. To quote John Chambers (CEO of Cisco): “There are only two types of companies: those that know they’ve been compromised, and those that don’t know.” Bejtlich (2018)

    References
    Bejtlich (2018) 'The Origin of the Quote "There Are Two Types of Companies"', [online] Available from:...

  • The red team provides a way of confirming a network's ability to protect against attack and ensures that the blue team can take steps to improve security and remove vulnerabilities based upon the red team's findings.

  • Paul Herring made a comment

    I agree with Sabiha, the battle between the blue team (defensive) and red team (hackers) is ongoing with each side trying to get the upper hand. However, we should also consider state agencies that use red team techniques to gain advantage over other countries' state projects etc. (for example Stuxnet). In these situations organisations with the role of...

  • Cyber attacks are a real threat that everyone should consider and put protective measures in place on their computers and networks. Cyber security is also not a one solution fits all, there is a requirement to use different techniques to mitigate the risk of successful network penetration by attackers.

  • Paul Herring made a comment

    By running nmap with -A and -T4, additional information is provided about the possible version of the OS on the target machine (note HTTP scan suggests CentOS is being used, although this might be a false positive result):
    Server with firewall down
    root@cueh:~# nmap -A -T4 192.168.5.100
    [...].
    Not shown: 996 closed ports
    PORT STATE SERVICE...

  • Paul Herring made a comment

    Server with no firewall running:
    root@cueh:~# nmap 192.168.5.100
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-24 06:47 EDT
    Nmap scan report for 192.168.5.100
    Host is up (0.0071s latency).
    Not shown: 996 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    3306/tcp open mysql
    MAC Address:...

  • Paul Herring made a comment

    The basic nmap scan gave the following results:
    root@cueh:~# nmap 192.168.5.100
    Starting Nmap 7.70 ( https://nmap.org ) at 2020-05-24 06:23 EDT
    Nmap scan report for 192.168.5.100
    Host is up (0.018s latency).
    Not shown: 996 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    80/tcp open http
    111/tcp open rpcbind
    3306/tcp open mysql
    MAC...

  • I work for a highly regulated company. Policies and procedures must follow real-world use cases and not be driven purely by the whim of the security team. It is important to follow best practices relating to security but it must be reflective of the business and support the business to work in safe ways that balance a need for CIA data security and the need to...

  • Badly configured switch fabric can result in network loops and network segment downtime. However, implementation of spanning tree and other techniques can mitigate the risk of this issue. Malware can also cause havoc on networks when they propagate through connected network hosts and cause huge increases in network traffic (possibly as a DDoS attack) or take...

  • I have really enjoyed this short course. It has been informative and challenging. I particularly enjoyed the practical tasks and would like to see more examples of these in the coming weeks.

  • I still think that encrypted data is difficult to keep secret. As technology advances there will be greater threats to our 'secure' data and algorithms and processes will need to change to meet this threat. It is also important to take into account the human factor as it is easy for people to make mistakes or to become sloppy in the encoding process (as has...

  • To ensure crypto integrity it was important that OTP was used once and then destroyed, the sender and receiver were aware of which OTP was in use and both parties had a copy of OTP. This made distribution and concealment of OTP of prime importance. Also, use by only two operators, or scaling up of OTP meant that a stringent and secure handling, storage and...

  • HMAC is used in VPN connections, TLS protected services like online banking and online shopping and password and data encryption.

  • the quick brown fox jumps over the lazy dog

  • Paul Herring made a comment

    The best way to defend against these types of attack is to use random (non-dictionary) passwords that are in excess of 14 characters long (Kevin Mitnick actually suggests 25 or more characters long) that are a mix of numbers, upper and lower characters and special characters and to not end with a special character or symbol and do not start with a number or...

  • I was able to recover passwords for all but six of the hashes given using https://hashtoolkit.com/

  • The use of knowledge-based authentication is simply to increase the likelihood that the person logging in is who they say they are. This is not to say that a skilled social engineer could not get this information using a spear phishing attack. To protect against this sort of activity it is wise to use random words that have no connection with the question...

  • Paul Herring made a comment

    By its very nature technology provides predictable outputs. Algorithms such as Random Number and Pseudo random number generators can be used to provide randomness with a key but it is possible (as the BBC article has shown) for outside agencies to manipulate the method to ensure a deterministic result. Also, organisations like NSA have adapted and installed...

  • It is inevitable that data encrypted with algorithms considered to be secure now will be broken in the future. The increase in key length and use of elliptic curve encryption methods will secure data now by ensuring that the cost, time and effort to break encrypted messages is too costly. For now cryptologists and researchers are working on ways in which...

  • I agree with Nicholas, cyber attacks are inevitable and there is probably a lot of truth in the view that companies fall into those who have been hacked and those who don't yet know they have been hacked. Given this view everyone needs to acquire skills to identify and deal with potential attacks as quickly and effectively as they can.

  • Paul Herring made a comment

    Hi everyone, my name is Paul Herring. I work for an IT security company that provides PKI managed services. I am particularly interested in this course because I am becoming more involved in network security in my job.

  • Algorithms get ever more complex and crypto keys increase in size, however, the tools to break encryption are also becoming more advanced with state and academic researchers and cryptanalysts finding ways to cause (possibly theoretical) collisions in algorithm outputs and the threat posed by quantum computing in the future it is possible that all algorithms...

  • Encryption of messages has evolved over many hundreds of years from simple substitution codes to more complex methods that have included technology. Encryption methods have become more complex, but there is an increased need to continue developing better ways to encrypt communication as technology and knowledge of encryption by cryptologists becomes ever more...

  • Without cryptography people would not be able to take part in online shopping, banking, communicating with friends using social media and working from home (especially during the Covid-19 crisis).

  • Breaking of German and Japanese codes was very important to the shortening of WW2. Examples include passing battalion and regiment strengths and structure of the German army prior to the Battle of Kursk to the Russians which resulted in the German army defeat. Other examples include the Allies' ability to interpret if deception plans prior to and during D Day...

  • YCAJSDGRDALVHSCUCWCPB (clue for the key something used in cryptography) ;-)

  • Al-Kindi is credited with developing frequency analysis, which allows the cryptographer to analyse a coded message and using the knowledge of the most often used letters to decrypt substitution encrypted messages. Letter frequencies can be made more difficult to find if a one-time pad is used and the key is changed regularly. Another method would be to use a...

  • I agree with Simon, codes within codes would make decryption more difficult. However, it would also probably make the message difficult to decrypt by the legitimate recipient of the message as well. Especially if the sender inadvertently made a mistake when encoding the message.

  • The methods tend to rely on substitution of characters or symbols. If the cryptanalyst is aware of frequency analysis then it is possible that any of the early codes could be broken.

  • The use of cryptography and the development of cryptoanalysis has been an ongoing process and has certainly become more complex since the early codes like Caesar Cypher, the more complex, but still weak nuanced (the use of specific numbers or symbols to represent frequently used words or phrases) and stenography (messages were sent and received in beer barrels...

  • All codes can be broken given enough time and resources. The aim behind cryptography is more to make something so difficult to break that the attacker won't expend the effort required to break it, or the time to break it is suitably long enough that the information in the message is no longer useful to the attacker (for example messages associated with battle...

  • Paul Herring made a comment

    Hello everyone. My name is Paul Herring and I am an IT Operations Manager supporting network and PKI services for customers. Although I have supported PKI systems for many years I do not have a crypto background and would like to learn more about how cryptography has developed from early cyphers to today's cryptographic techniques.

  • This was an excellent introduction to automotive security. I look forward to learning more in the mini courses to come in this subject area.

  • The course has enabled me to understand the pros and cons to the development of smart cars and our gradual move to vehicle autonomy. Security of modern cars was the driving force for me to take this course and I have found it to be very enlightening and rather disturbing. Churchill was once quoted as saying "those who do not learn from history are doomed to repeat...

  • I agree with Mohammed and Shola, hackers could target a specific car manufacturer to remove a particular car model from the market. Also it is possible that hackers living in a nation may target a car manufacturer based in a nation who is enforcing economic sanctions, etc. in retaliation.

  • The motivation of car manufacturers to produce smarter cars is purely affected by the increased desire of customers to have more autonomous vehicles. Unfortunately, this has come at the price of less than adequate security of the CAN and general vehicle design. It is often felt that security stifles innovation and functionality, however, this is misguided as...

  • A great introduction into IoT. I look forward to learning more.

  • A very interesting week that helped to highlight the legal, ethical and social aspects of IoT use. I agree with Ben who highlights privacy concerns; I think that this is a key potential issue with IoT.

  • The question really is how ethical is it to collect this data and this really depends on the real reason for collecting it and the protections against misuse is deployed by the company. When looked at from a humanitarian perspective it seems a very good thing to do as it has the potential to increase crop yields whilst reducing CO2 and other pollutants caused...

  • The right to tinker offers up a number of issues for me. Firstly, tinkering by the enthusiast may enable better performance or new functionality in their product. However, when that tinkering has an influence on safety or security features then there is the possibility of putting people in harm's way, opening up the chance of identity theft and/or fraud,...

  • Tinkering will happen, but it is important to protect company IP whilst at the same time ensuring consumers' security and privacy is upheld by governance and law.

  • Paul Herring made a comment

    One example is when Three 'bricked' Samsung Note 7 smart phones deliberately to stop owners from continuing to use their phones after batteries in some phones overheated and caused fires or the battery to explode.

  • Concerns have been raised about data collection by Samsung smart televisions and by the always listening nature of Amazon Echo. Both of these examples may constitute the spy in the living room risk that could allow law enforcement and criminals to have easy access to personal information, etc.

  • The issue surrounding Internet sites not being compliant with GDPR is worrying. People are presented with requests to agree with cookies as a matter of course now and it seems that the data collected by these companies is not being protected or used appropriately.

  • Paul Herring made a comment

    I want to learn about the legal and ethical implications of IoT when compared to the convenience they can bring to end users.

  • The most interesting aspect is that IoT can in some cases appear to be invisible to the consumer, but is able to provide very useful functionality to the user. I have immensely enjoyed this week and look forward to learning more.

  • Initially I thought it was a gimmick, but the description in this course suggests that the use and need for IoT run more deeply than merely being used as a way of getting a device to play music using a voice command, or putting the heating on from a smart phone.

  • Amazon Alexa speakers have a physical and a digital presence. They are able to play music requested from a digital data store and they are also able to act as a control mechanism for other smart devices in the home when these devices are available.

  • IoT are devices that use communication methods to cooperate, alert or do other functions and can be interacted with using the Internet.

  • Intelligent systems in modern cars, smart heating systems in houses, smart meters, smart TVs, Alexa devices, smart phones, home security systems and autonomous lawn mowers to name a few.