We provide expert witness testimony on information security issues.
As the world’s computer systems become more interconnected, and governments and businesses rely more on those systems, information security has become a core design goal for software engineers, a source of constant unease for managers and executives, and a matter of national security for policy makers.
What We Do
At Quandary Peak, we help clients by:
- Analyzing potential security breaches to determine whether unauthorized access occurred.
- Offering expert opinions on whether a security-related patent is being infringed.
- Determining from system logs and metadata whether documents or other data were improperly downloaded or modified.
- Validating whether the security mechanisms employed were sufficient and consistent with organizational policies and applicable government regulations.
- Assessing whether users’ private data is being collected, monitored, and used consistently with the applicable privacy policies, regulations, and standards.
What We Know
- Symmetric and asymmetric cryptographic systems and protocols
- Secure software license activation
- Secure hashing functions
- Authentication mechanisms
- Digital Rights Management (DRM)
- Firewalls and intrusion detection/prevention systems
- Digital signatures
- SSL, TLS, IPsec, SFTP, and SSH
- WEP and WPA
- Electronic payment systems
- Elliptic curve technologies
- Identity based encryption and attribute based encryption
- Secure booting and TPM
Our knowledge spans all areas of information security.
Data in its raw form is seldom useful – when combined with the relevant context, it provides information that can be exceedingly valuable, both for the business and its adversaries. Securing this information is crucial and in some cases critical for the survival of the organization itself.
Confidentiality, Integrity, and Availability
The triad of confidentiality, integrity, and availability (CIA) forms the crux of information security.
Confidentiality: Only those holding access rights to information should be able to access it. In computer systems this takes the form of access control lists, OS-level file permissions, and similar mechanisms.
Integrity: Ensures that data is accurate and consistent and has not been tampered with over its entire lifecycle – unauthorized modifications cannot be made to the data without detection.
Availability: The information is available when needed. That is, everything involved in protecting the information, i.e., computing systems, security controls, and communications channels, must be functioning correctly.
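The integrity property above is usually enforced in practice with a keyed message authentication code. The following is an added illustration, not code from Quandary Peak or from this page: it attaches an HMAC-SHA256 tag to a constructed sample record, shows that any change to the record is detected when the tag is checked, and contrasts this with an unkeyed hash, which an attacker who can alter the data can simply recompute. The record contents and the demo key are constructed values for the example only.

```python
import hashlib
import hmac

# Constructed sample record and demo key; in a real system the key would
# come from a key store and never be hard-coded.
RECORD = b"invoice=1042;amount=250.00;payee=ACME"
DEMO_KEY = b"constructed-demo-key-32-bytes-long!!"


def make_tag(key: bytes, data: bytes) -> str:
    """Keyed integrity tag: HMAC-SHA256 over the data, hex encoded."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time.

    compare_digest avoids leaking where the comparison first differs,
    and returns False (rather than raising) when lengths differ.
    """
    return hmac.compare_digest(make_tag(key, data), tag)


def unkeyed_digest(data: bytes) -> str:
    """Plain SHA-256, shown only to demonstrate why it is not enough."""
    return hashlib.sha256(data).hexdigest()


def tamper_demo() -> dict:
    """Modify the record and report whether each scheme notices."""
    tampered = RECORD.replace(b"amount=250.00", b"amount=9250.00")

    # Keyed scheme: the verifier holds the original tag and the key.
    original_tag = make_tag(DEMO_KEY, RECORD)
    keyed_detects = not verify(DEMO_KEY, tampered, original_tag)

    # Unkeyed scheme: the digest travels with the data, so whoever edits
    # the data can also replace the digest, and the check still passes.
    stored_digest = unkeyed_digest(tampered)  # attacker recomputed it
    unkeyed_detects = unkeyed_digest(tampered) != stored_digest

    return {
        "original_verifies": verify(DEMO_KEY, RECORD, original_tag),
        "tampered_keyed_detected": keyed_detects,
        "tampered_unkeyed_detected": unkeyed_detects,
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

The design point is that a detection guarantee needs a secret the adversary does not hold: the hash alone fixes the data at a moment in time, but only the key ties the tag to a party authorised to produce it.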
History of Information Security
Information security has its genesis in the early days of cryptography – the Caesar Cipher, as it is now known, was employed by Julius Caesar to communicate securely with his generals. It was a rather trivial substitution cipher, which could be broken easily, and it now makes for interesting puzzles in newspaper columns across the world.
The presence of an encrypted message tells an observer that a message exists and is encrypted because it is considered valuable, and all one has to do is decrypt it. The art of steganography goes to the length of completely concealing the existence of an encrypted message, even in plain sight. In ancient Greece, hidden messages were tattooed on the shaved head of a slave and the hair allowed to grow back. If the messenger were captured, there would be no visible evidence of any encrypted message. Modern steganography can make one question whether computer images are really what they seem or whether they carry a hidden message.
Medieval times saw a flurry of activity in cryptanalysis, with pioneering work done by Al-Kindi, an Arab mathematician, around 800 A.D. Up until the 1800s, various forms of ciphers for encrypting information were created and eventually broken, sometimes centuries later.
During the Second World War there was intense activity in the field of cryptography – the story of Germany’s complex encryption machine, Enigma, and its later successful decryption by the famous Alan Turing and a lesser-known Polish mathematician, Marian Rejewski, is an often-heard wartime story.
Rapid advancements in the telecommunications industry, especially in computer networks, saw exponential growth in the need for secure communication and protection of information. The prevalence of the personal computer and the dominance of the Internet, and consequently the World Wide Web, along with growing concerns about international terrorism, fueled the need for better methods of protecting computers and the information they store, process, and transmit. This gave rise to the domain of computer security, tasked with formally analyzing and creating ways of protecting information so that even if it fell into the hands of an adversary, and even if they knew the encryption algorithm, the information would still be protected.
Information Security in the 21st Century
As of 2015, we have seen great advances in the field of information security, with practical applications all around us. The RSA public-key cryptographic algorithms have made secure communication over the web possible, so that we may shop with our credit cards at online stores without worrying about someone eavesdropping on our connection and stealing the credentials. The Advanced Encryption Standard (AES) is one of the strongest cryptographic specifications; it is infeasible to break given current computing power and a limited human life-span.
Trusted computing has become a buzzword in recent years. It mandates that a computer will consistently behave in expected ways and that those behaviors will be enforced by computer hardware and software. This is achieved by loading the hardware with unique encryption keys that are randomly generated at manufacturing time, cannot be changed afterwards, and are inaccessible to the rest of the system. The U.S. Army requires that every new PC it purchases must come with a Trusted Platform Module (TPM).
Information security is a field with a rather bright future for a long time to come. Understanding what security is and what it entails will help organizations in the long run to protect their sensitive and valuable information.
Computers and systems by themselves are not responsible for securing information. Stringent processes must be put into place to ensure that information is protected and disseminated the way it is intended. Ensuring information security is non-trivial and is a job best left to experts – it must be built into any system right from the start and cannot (or rather should not) be “added to” the system later, since such an addition would not be adequate.