The CIA triad is a very fundamental and important security model in Information Security. There are three key (triad) principles that every organization should subscribe to. If any of these key areas of security can be breached, there is a serious flaw in the policies and practices of the organization.Confidentiality ensures that private information is accessed by only those that have the appropriate authorization to do so. Encrypting data is an example of this principle of ensuring confidentiality. We saw an application of confidentiality in my post on the ‘Java Hashing Class’. When we entrust our private data to an organization it is absolutely essential that this information is kept just that - private. A company can easily go out of business if a breach in users’ private data is leaked.Integrity is about data consistency. Organizations need to be certain that their data is not being modified in any way by unauthorized or even authorized people or processes. If a bank employee decided to access your savings account and pull one zero off your balance, you wouldn’t be too happy. Data must also be consistent while in storage and also in transit.Availability is the concept that a resource is available to you when you want to access it. My online banking site needs to be accessible when I want to use it, even if that means accessing it at 2:00 am on a Sunday. Most websites that serve a business or public need must adhere to this principle of the triad or else they would simply go out of business. Ebay, for example, would be seriously hurt if their site was inaccessible for even a short time. A DOS (Denial of Service ) attack is when a website is flooded with too many requests in a very short period of time that the site crashes from the load. The attacker is not trying to gain access, their goal is to make the site unavailable to it’s users.All of these security principles are important to every organization. However, each organization needs to understand their business and may stress more importance on one of the principles over another.

In the security field, random numbers are critical for generating encryption keys, such as when you connect to your bank site over an SSL(secure) connection. It is a widely accepted fact that computers by themselves cannot generate truly random numbers. This is due to the fact that “chance” is not part of the computer’s characteristics. It is very difficult to program a computer to do something by chance.

Wikipedia defines a algorithm:

“In mathematics, computing, linguistics, and related disciplines, an algorithm is a finite list of well-defined instructions for accomplishing some task that, given an initial state, will terminate in a defined end-state.”

Programs are written using algorithms or instructions that the computer follows exactly and are entirely predictable. This is where pseudo random numbers comes into play. Pseudo-Random Number Generators or (PRNG’s) are algorithms that use mathematical formulas to produce a series of numbers that appear to be random. PRNGs are also deterministic; meaning, if the original starting point is known then the sequence of numbers can be generated again a later point. That starting point is also known as a ’seed’. A seed is a number needed to initialize the PRNG. If the seed is known, then the random numbers or keys can be determined and that is precisely why a good random seed is critical. In some cases the random seed is deliberately shared between two systems. The seed then becomes the secret key and each system should be able to generate a matching sequence of random numbers, which would be used to sync up remote systems.

The other method used to generate random numbers is True Random Number Generators or TRNG. In this method randomness is introduced from physical phenomena independent of the computer. An example of a really good physical phenomenon that is used is radioactive material. The rate at which radioactive material decays is truly unpredictable. Another physical phenomenon is atmospheric noise, also a true unpredictable source.

Both the TRNG method and the PRNG have their own unique set of characteristics. For example, a PRNG is extremely efficient in that a series of random numbers can be generated in a very short time period. The TRGN method, on the other hand, is not efficient. TRGN are non-deterministic and PRGN are deterministic. It is important, therefore, to understand the application uses of random numbers and to pick the appropriate generator or method for that application.

Here are some good sources for futher reading.
random.org
wikipedia on PRNG
newsforge

Egress filtering is an important concept in security. While we understand that a firewall is a hardware/software solution that prevents the bad guys from getting into your network by closing ports and allowing only ones that are are absolutely necessary. Egress filtering allows only certain traffic out of your network while the rest is blocked from leaving. This is critical in case something malicious slipped through your network and now wants to ‘phone home’ with information about your shopping habits. Or perhaps your computer has been compromised and is infected with a virus or worm and, as a result, you have a bot on your computer. This bot will attempt to establish communication with whoever is controlling it by connecting to the outside world. A firewall with egress filtering will halt thease nefarious activities.

The million dollar question is “Do I need a software firewall on my home PC to prevent outbound traffic? “. I would say that for Ingress filtering, the answer is absolutely yes. If you are running Microsoft XP Service Pack 2 you already are running a firewall or if you are behind a router you are protected from the outside. For myself, I find software firewalls to be taxing on my system. Also, many people install a firewall like ZoneAlarm or Norton Internet Security and then ,when prompted if the program should be allowed to connect to the internet, they answer yes to everything, which is essentially useless. In short, if you’re careful with your system and are not in the habit of installing software you find on the internet blindly, or clicking on links in an email, I would say you should be fine. The other alternative is to get a less susceptible OS, OS X on a MAC. I did!

Here is a a good article on the subject.