Table of contents
- Introduction to project
- A.P1 Explain different IT security threats that can affect an organisation.
- A.P2 Explain the principles of information security when protecting the IT systems of organisations.
- A.P3 Explain why organisations must adhere to legal requirements when considering IT system security.
- B.P4 Explain the principles and uses of cryptography to secure and protect data.
- A.M1 Assess the impact that IT security threats can have on organisations' IT systems and business whilst taking account of the principles of information security and legal requirements.
- B.M2 Analyse how the principles and uses of cryptography impact on the security and protection of data.
- AB.D1 Evaluate the effectiveness of the techniques used to protect organizations from security threats whilst taking account of the principles of information security and legal requirements.
Introduction to project
In this assignment a group of people and I have come together and constructed an IT consultancy company that will provide IT security protection plans to a banking organisation called SSBC. The company name we have given is Towers. SSBC have come to the realisation that their IT system would be a target for cyber criminals and have contacted our company to investigate and report on the current security threats to their website and software. They have also asked us to investigate cryptography methods and how these could be used to keep their website and software secure.
To improve our efficiency we have split the job responsibilities between the five people in our group. I have been assigned the business analyst role, which analyses an organisation's domain and documents its business processes and systems, assessing the business model and its integration with technology.
James Davies is the project manager, who will plan discussions and events that will set a path of good reputation and development for the company. Daniel will be the head of cyber security, who will prevent attacks and make sure the company is secure and safe. Caitlin is the CEO of the company, who will make critical decisions to point the company in the correct direction. Tawsif is the assistant CEO, who will assist in sorting out meetings for the group to brainstorm ideas and help to make difficult decisions with Caitlin.
We have discussed that we needed to gather more information about SSBC, the different sectors within their company that could have vulnerabilities, and what they have done so far to prevent attackers getting hold of sensitive information.
One of the sectors is the employees; we have looked at what they have in place to prevent employees being a risk to their data. One of the measures they have is employing managers in each section of the business who carry out routine check-ups, either every week or every month, that track their records to see if their data is secure. Another prevention method is doing background checks on their employees, which will tell them whether an employee is a potential risk to the company or not.
Another sector that we looked at is internal operations and how they can affect the organisation. Internally they have a cyber-security team that will always try to find vulnerabilities within their system, and different types of training for every employee to provide the best level of protection and progression for each employee from trainee to expert.
The third sector that we looked at is external operations. One of their external operations or services in this example is the ATM machines they have scattered across the country. They have a team to create the best ATM machine with the least amount of exploits; in addition there are security cameras as a precaution in case a thief tries to steal from one.
A.P1- Explain different IT Security threats that can affect an organisation.
Firstly, looking at the internal threats that SSBC might be facing, the most obvious is malicious employees who are willing to leak sensitive data such as usernames and passwords or card details to the public. One way to combat this is to carry out background checks on employees to identify those who might potentially leak data. In addition, the company should perform behavioural checks frequently, which can identify an employee who is starting to develop a vendetta against the company and who might become a liability.
Another internal threat to the company is employees who have very little training. This is a threat because they might introduce more vulnerabilities into the system or website. They might also be tricked into believing a phishing email asking them to pay for a shipment out of the company's account, handing over private credentials in the process.
Another internal threat could be employees bringing their own devices onto the company site and connecting them to the network. This poses a threat because the device has not been tested to see whether it is vulnerable or already has a harmful application installed that could attack the network. One way around this problem is to issue company-only devices and restrict what an employee is able to download and view.
Now looking at the external threats, one is hacking, which has become a bigger problem for large corporations. For example, one aspect of this is SQL injection; if this problem is not fixed the attacker will be able to access the database, which contains usernames, passwords, card numbers, PINs and so on.
Another form of hacking that can affect SSBC is XSS, cross-site scripting. With this, attackers are able to enter JavaScript through a reflected form and bypass some of the site's policies. Therefore the company has to employ a cyber-security expert who can sanitise the inputs to their website so this vulnerability is no longer a possibility.
Another form of external threat could be governments and the legislation they pass. For example, if a new data protection law is passed this might affect the company, as they will have to make changes to accommodate it. Another piece of legislation that is always changing and might affect security is the minimum wage: with the minimum wage increasing again and again, a company might not be producing enough profit to pay the additional money needed to keep a cyber-security team.
This leads on to my next point, the competition that the business faces. If the competition offers better wages and training, they will be able to hire better skilled workers, luring them away from SSBC.
One physical security threat that any company faces is theft of their equipment or data; this could even involve one of the company's own employees stealing from them, or a robbery. Another form of this is a malicious attack on the equipment by someone who damages the computer systems beyond repair. Therefore on-site security should be a priority, with an alarm system around the premises.
Another physical security threat to data is natural disasters and hazards such as fires and floods. A countermeasure could be putting redundant drives into a secure box able to withstand harsh conditions.
Social engineering and software driven threats
Malware, short for malicious software, is a term for any sort of software designed with malicious intent.
The attacker's intent is often theft of your private information or the creation of a backdoor to your computer so someone can gain access to it without your permission. However, any software that does something it did not tell you it was going to do could be considered malware.
A virus is a type of malware that most commonly infects program files or personal files.
A worm is a type of malware that replicates itself across a network.
Trojan horses –
This is malware that looks like, and in some situations operates as, a legitimate program; however, it has the ability to take control of the computer system.
A rootkit is software that obtains administrative rights on a system for malicious purposes.
Ransomware is malware that encrypts all your personal files and locks you out of your own computer until you pay a fee to unlock it, with no guarantee that this will happen.
Wiretapping – wiretapping is a method of monitoring communications for live recording and monitoring. This can be done by placing a monitoring device between connections or, alternatively, through built-in mechanisms. Packet sniffers are programs that capture data being transmitted in and out of a network; for example, Wireshark and Burp Suite are some commonly used tools.
Port scanning – port scanning is where an attacker sends messages to potentially every port on a host to see which ports are open and closed, and therefore what might be vulnerable. For example, with Nmap the command “nmap -sV -vv 192.168.0.*” will scan every host in that range and probe the open ports for their service versions. Port scanning is not illegal, however it will raise caution with the network administrator.
A list of commonly scanned ports:
- TCP 20 and 21 (File Transfer Protocol, FTP)
- TCP 22 (Secure Shell, SSH)
- TCP 23 (Telnet)
- TCP 25 (Simple Mail Transfer Protocol, SMTP)
- TCP and UDP 53 (Domain Name System, DNS)
- UDP 69 (Trivial File Transfer Protocol, TFTP)
- TCP 79 (finger)
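As an added example that is not part of the original assignment, the following Python script shows how a network administrator might spot a port scan in firewall logs: a single source touching many distinct ports on one host within a short window. The log line format, the sample lines, the 60-second window and the five-port threshold are all assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not real traffic). Assumed line format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
# 10.0.0.5 probes seven ports on one host within three seconds (scan-like);
# 10.0.0.7 repeatedly uses a single service (normal behaviour).
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 -> 192.168.0.10:21 DROP
2024-01-01T10:00:00 10.0.0.5 -> 192.168.0.10:22 ACCEPT
2024-01-01T10:00:01 10.0.0.5 -> 192.168.0.10:23 DROP
2024-01-01T10:00:01 10.0.0.5 -> 192.168.0.10:25 DROP
2024-01-01T10:00:02 10.0.0.5 -> 192.168.0.10:53 DROP
2024-01-01T10:00:02 10.0.0.5 -> 192.168.0.10:79 DROP
2024-01-01T10:00:03 10.0.0.5 -> 192.168.0.10:80 ACCEPT
2024-01-01T10:00:00 10.0.0.7 -> 192.168.0.10:443 ACCEPT
2024-01-01T10:00:30 10.0.0.7 -> 192.168.0.10:443 ACCEPT
2024-01-01T10:01:00 10.0.0.7 -> 192.168.0.10:443 ACCEPT
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {(src_ip, dst_ip): sorted ports} for every source that touched at
    least `min_ports` distinct ports on one destination inside any interval of
    length `window`. Dropped attempts count too: a scan probes closed ports as
    well as open ones, which is exactly what makes it stand out in the log."""
    hits = defaultdict(list)  # (src, dst) -> [(timestamp, port), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, _action = parse_line(line)
        hits[(src, dst_ip)].append((ts, port))

    findings = {}
    for key, events in hits.items():
        events.sort()  # time order so a sliding window can be used
        flagged = set()
        start = 0
        for end in range(len(events)):
            # advance the window start until events[start..end] fit in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            ports_in_window = {p for _, p in events[start:end + 1]}
            if len(ports_in_window) >= min_ports:
                flagged |= ports_in_window
        if flagged:
            findings[key] = sorted(flagged)
    return findings


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```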
Idle scanning – idle scanning is a TCP port scanning method that consists of sending spoofed packets to the victim's network to see which ports are open and which services are available; for example, they might have a SQL database listening on an open port. This is done by impersonating another computer, what the industry calls a zombie host, which is not transmitting or receiving information of its own but is observed by the attacker. This can be done with Nmap using the “-sI” option.
Active threats :
Dos attack –
DoS stands for denial of service. This attack sends a server a bulk of requests over and over until the server cannot handle them, which can leave it vulnerable. There are three different types of denial of service attack, the first being a network-centric attack, which overwhelms the victim's server resources by consuming the bandwidth.
The second type of DoS attack is protocol attacks, which target the network layer or transport layer protocols; these take advantage of flaws in the protocol to overwhelm the victim.
The last is the application layer attack, which overloads the application service with a large volume of calls.
Spoofing is an attack where the attacker impersonates the victim, whether a device or a user on a network, then launches attacks through the network to steal data, spread malware and bypass any security policies the network has in place.
There are three types of spoofing attack, the first being IP address spoofing, which is considered the most common and frequently used method. In this attack the hacker sends IP packets from a false source address in order to disguise the real source. This method is mostly used in attacks such as distributed denial of service, to make the server think the requests are coming from legitimate IP addresses, or alternatively to bypass IP address based authentication.
Man in the middle –
A man in the middle attack is where the attacker secretly spies on, relays, and sometimes alters the communication between two parties. In this example data passes from the original source to the man in the middle, who has the ability to withhold the packets being sent and to alter the data returned to the original source. One prime example of this in the everyday world is the caution needed when using open Wi-Fi.
For example, an internet café will have this service running for customers to use; however, a hacker can also use this Wi-Fi, create an evil twin copy of it, and de-authenticate everyone from the network, forcing them to join the evil twin. The hacker then has the power to display fake web pages such as Facebook or PayPal on their devices, which look identical to the legitimate pages; when credentials are sent, the page refreshes to the original page and the victim has no idea.
Address resolution protocol poisoning –
Address resolution protocol poisoning, better known as ARP poisoning, is a form of attack where the attacker changes their MAC address to mimic their victim's; the aim is to cause any traffic meant for the victim's device to be sent to the attacker instead. This allows the attacker to intercept packets on a network, modify them, or stop all incoming and outgoing traffic. Overall this is a very effective version of a man in the middle attack.
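An added example, not from the original assignment, of how ARP poisoning can be detected on the defender's side: a monitor records the sender IP and MAC from each ARP reply it sees and raises an alert when an IP starts being claimed by a different MAC, or when one MAC answers for several IPs. The ARP reply list and the pinned gateway entry are constructed for this example.

```python
from collections import defaultdict

# Constructed observations of ARP replies on a LAN: (time, sender_ip, sender_mac).
# 192.168.0.1 is the gateway. From t=4 a second MAC (...:99) starts answering
# for the gateway's IP, and at t=7 the same MAC also answers for a host's IP,
# which is the pattern of an attacker placing itself between host and gateway.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.0.1", "AA:AA:AA:AA:AA:01"),
    (2, "192.168.0.20", "aa:aa:aa:aa:aa:20"),
    (3, "192.168.0.1", "aa:aa:aa:aa:aa:01"),
    (4, "192.168.0.1", "aa:aa:aa:aa:aa:99"),
    (5, "192.168.0.1", "aa:aa:aa:aa:aa:99"),
    (6, "192.168.0.20", "aa:aa:aa:aa:aa:20"),
    (7, "192.168.0.20", "aa:aa:aa:aa:aa:99"),
]

# Known-good (pinned) entries such as the gateway; assumed to be kept by the admin.
PINNED_ENTRIES = {"192.168.0.1": "aa:aa:aa:aa:aa:01"}


def find_arp_conflicts(replies, pinned=None):
    """Return one alert per reply whose MAC differs from the MAC previously
    learned (or pinned) for that IP. Learned entries are never overwritten,
    so a flood of forged replies keeps alerting instead of silently winning."""
    pinned = pinned or {}
    table = {ip: mac.lower() for ip, mac in pinned.items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()  # normalise case so AA:.. and aa:.. compare equal
        known = table.setdefault(ip, mac)  # first sighting of an IP is learned
        if known != mac:
            alerts.append({"time": ts, "ip": ip, "expected": known,
                           "claimed": mac, "pinned": ip in pinned})
    return alerts


def macs_claiming_multiple_ips(replies):
    """Second signal: a MAC that answers for more than one IP address."""
    ips_by_mac = defaultdict(set)
    for _, ip, mac in replies:
        ips_by_mac[mac.lower()].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in find_arp_conflicts(SAMPLE_ARP_REPLIES, PINNED_ENTRIES):
        print(f"t={alert['time']}: {alert['ip']} expected {alert['expected']}, "
              f"claimed by {alert['claimed']} (pinned={alert['pinned']})")
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES))
```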
Smurf attack –
A smurf attack is a form of distributed denial of service, also known as DDoS; however, this version accomplishes it by exploiting vulnerabilities in the Internet Protocol and the Internet Control Message Protocol. The hacker crafts a malicious packet carrying a spoofed IP address. Unlike a normal DDoS, this attack wants the packet to be broadcast: by including it in an ICMP ping message it sets off a loop between the network nodes, as the ICMP message asks each node to receive the malicious packet and send a reply back.
Buffer overflow –
A buffer overflow is what happens when a program or process tries to write more data to a fixed-length block of memory, also known as a buffer, than it was created to hold. Exploiting this vulnerability allows the hacker to control or crash the program, or to modify the program's or process's variables. Overall, buffer overflow ranks high in the Common Weakness Enumeration's top 25 most dangerous software errors.
Techniques to exploit buffer overflow vulnerabilities vary with the operating system and programming language. For example, C and C++ are very popular among programmers, but they are liable to buffer overflow attacks as they have no built-in protection against this attack. The goal is always to manipulate the computer's memory to destabilise or control the program's execution.
Heap overflow –
A heap overflow is a variant of a buffer overflow. This happens when a chunk of memory is allocated in the heap and data is written to it without any bounds checking. Exploiting this vulnerability corrupts the heap and causes the application to overwrite crucial internal structures.
Format string attack –
A format string attack is where data submitted as an input string is interpreted as a command by the application or website. This means the attacker could execute code and cause a fault, or exploit another vulnerability in the running application. By entering executable input it causes new behaviours that compromise the security and stability of the website or application.
Structured query language injection (SQL) –
A SQL injection attack is where the attacker executes malicious SQL statements through the address bar or a form, also known as a malicious payload. This gives control over the web server's database, so it is considered one of the most dangerous web application vulnerabilities: the hacker will be able to easily access private credentials such as usernames and passwords and then escalate their privileges to administrator. One of the main applications that assists with this process is sqlmap, which automatically finds such vulnerabilities where possible and dumps the database information if given the correct commands, for example:
sqlmap -u "https://target.com/index.php?name=abc" --risk=3 --level=5 --dump
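As an added example that is not part of the original assignment, the Python code below puts a vulnerable login query next to its parameterised fix using SQLite, so the defect that tools like sqlmap look for can be seen directly: the concatenated query lets a quote character in the input change the meaning of the statement, while the bound parameter keeps it as plain data. The table, user and input strings are constructed for the example.

```python
import sqlite3


def setup_db():
    """In-memory SQLite database with one constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: whatever the user typed is
    parsed as SQL, so a quote in the input rewrites the WHERE clause."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Same check with bound parameters: the driver passes the input as data,
    so the structure of the statement cannot change."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def compare():
    """Run both versions with the genuine password and with a quote-bearing
    input that turns the vulnerable WHERE clause into an always-true test."""
    conn = setup_db()
    tampered = "' OR '1'='1"  # constructed test input, not a real password
    return {
        "vulnerable_real_password": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_tampered_input": login_vulnerable(conn, "alice", tampered),
        "safe_real_password": login_safe(conn, "alice", "correct-horse"),
        "safe_tampered_input": login_safe(conn, "alice", tampered),
    }


if __name__ == "__main__":
    for case, logged_in in compare().items():
        print(f"{case}: {'login succeeded' if logged_in else 'login rejected'}")
```

The vulnerable version accepts the tampered input as a valid login; the parameterised version rejects it, which is the fix a sanitised web application relies on.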
Cyber attacks –
A cyber-attack is where an attacker deliberately targets an exploitable weakness in a computer system. Cyber attacks use various methods to alter, corrupt or steal information, which leads to information and identity theft and results in a cybercrime.
Cloud computing risks
Cloud computing fundamentally involves two parties. The first is the consumer, who decides how much data they need to store in the cloud, who needs access and rights to their data, and how much they will pay, depending on the provider's model, either pay per consumption or a different model such as a monthly fee. The other party is the provider, which runs an automated system with very low operating expense and fast delivery, making for a good end-user experience.
However, there are some risks with cloud computing. The first is the loss or theft of property when there is a breach: criminals will be able to access a mass of sensitive data. Another risk is loss of control over end-user actions; for example, when a company provides its employees with cloud computing it is at risk because data can easily be copied and uploaded by employees to their personal accounts, putting customer information at risk.
Thirdly there is availability, because none of the services provided has guaranteed 24/7 uptime. If a business relies on a cloud service it is putting itself at a massive risk. If the cloud service goes offline, some businesses today might cease to operate without their data, losing potential revenue and customers to the competition.
A.P2- Explain the principles of information security when protecting the IT systems of organisations.
What is personal data
Personal data is private information that we withhold from the public but may share with certain people or companies. For example, you share some of your banking details, such as your account number and national insurance number, so that you can get paid into your bank account.
What kind of personal data is available online
Banking – your banking details are the information most targeted by someone with malicious intent: your account number, card expiry date, PIN and national insurance number. All of this information is enough to impersonate an individual and wipe out their bank account.
Education – this data can lead to identity theft, as it reveals what you have done and all of your qualifications, names and addresses.
Travel – if stolen, this data can lead to big expenses; for example, a hacker who impersonates you could gain the information to board your flight, boat, train or bus, or cancel any travel plans.
Dating – this can be detrimental to an individual whose dating life is leaked to the public. An example of this was the Ashley Madison site, which was hacked and had sensitive data leaked, leading to divorces and break-ups.
Social media – this can also be very sensitive, as private messages between people being leaked, especially from celebrities and powerful leaders, will spark public controversy. Just recently a suspected cyber criminal claimed to have accessed six million Instagram accounts and said that “Facebook/Instagram has not yet fully understood the full scope of the exploit”.
What is information security
Information security is defined as the “state of being protected against the unauthorised use of information, especially electronic data, or the measures taken to achieve this”.
There are three sectors of information security, the first being confidentiality. This sector is about protecting secret information from disclosure to any unauthorised parties. One way that many large corporations achieve this is by encrypting the information, which makes sure that only people who are authorised to look at the data are able to read it.
Another way to ensure confidentiality is to enforce file permissions and access control lists to restrict access to sensitive information; for example, departments in a business can only view files and documents that are relevant to their job role.
The second sector of information security is availability, which means that authorised people are able to access their information when needed. One of the main ways to ensure data availability is to take backups. Regular backups taken while the server is offline can limit the damage caused by hard drive failures in future. For highly critical information services, reliability is a must, otherwise data might be lost forever.
However, one of the main factors that can cause downtime is a DDoS attack. DDoS stands for distributed denial of service; it slows down and crashes the server, denying users of the website access to their information. This attack can be very costly to a large corporation, therefore backup servers and other precautions must be put in place to make sure this does not happen.
The final sector of information security is integrity, meaning the overall consistency and accuracy of the data throughout the entire network. The data being stored must not be changed while being sent to the end user; therefore, there must be steps during this process and beforehand to make sure unauthorised personnel are unable to modify the data. One measure is to use file permissions within an organisation to prevent accidental damage to any file. A company must also protect its data from non-human errors that may occur, for example an EMP, a server crash or a power surge; therefore it is crucial to have backups or redundancies such as RAID 1 to restore the affected data to its original state.
Why we need information security
Every company needs an information security program or policy within its organisation. A security program provides a framework to keep the company at the highest possible security level when assessing the different types of risk it may face on a daily basis. Keeping the policy up to date helps a company mitigate the variety of security threats.
However, the most important factor to keep in mind is customer satisfaction and the reputation that a banking business such as SSBC must maintain to a high standard. Therefore it is important to keep their policies up to date and run risk assessments to improve their security and protect private credentials from unauthorised access.
A.P3- Explain why organisations must adhere to legal requirements when considering IT system security.
Computer misuse act 1998
- Unauthorised access to computer material
- One example of unauthorised access to computer material would be finding or guessing an individual's password with the intent of using it. The penalty for this offence is up to six months in jail or a large fine.
- Unauthorised access with intent to commit or facilitate a crime
- An example of breaking this law would be being caught accessing an account that does not belong to you with malicious intent.
- Unauthorised modification of computer material
- In this case the attacker has already gained access and is changing or modifying data. For example, this law covers deleting data or adding viruses to the computer with the intent of causing harm to the machine, which in turn slows down the efficiency of a business. The penalty for breaking this law can range from a fine to five years in prison depending on the situation.
- Making, supplying or obtaining anything which can be used in computer misuse offences
- This law states that making, supplying or distributing any virus, worm, Trojan, spyware etc., or obtaining any files that can cause damage to a computer system, will result in a five-year sentence and/or an unlimited fine.
A case under the Computer Misuse Act 1998:
‘Bumbling nerd’ who broke into Pentagon computers loses battle against extradition
This is a case of a British hacker being able to break into one of the world's most fortified computer systems. Labelled “the world's most dangerous hacker” by the American authorities, his name is Gary McKinnon. He was accused of hacking into highly sensitive US military computers between February 2001 and March 2002. The US Justice Department indicted him on eight counts of computer-related crimes and accused him of causing $566,000 (£370,000) of damage.
The American system wanted him to face trial in America; however, after a higher plea he faced proceedings in the UK. However, despite his gaining access to the Pentagon's computer system, the Crown Prosecution Service said Mr McKinnon would not face charges in the UK. Director of Public Prosecutions Keir Starmer QC said the chances of a successful conviction were “not high”.
▪ Data protection act 1998
The Data Protection Act controls how personal information about the public is used by organisations, companies and the government. Personal data is defined as names, addresses and bank details, and goes into more detail such as ethnic background, political opinions, religion, health care and criminal records.
A data controller is a person who determines the purpose of personal data and how it is going to be stored and processed. The data subject is the person who has given the individual or organisation the right to hold their personal data.
Eight main provisions of the data protection act:
- Personal data must be used lawfully
- This principle requires personnel to process your personal data fairly and lawfully. One of the conditions of this act is that you must have legitimate methods for collecting and using personal data. This means you must not buy private credentials and data from an organisation or individual from whom you have not gained the rights.
- Another way this principle protects data is that it demands that companies must not use your personal data in unjustified and adverse ways that will have negative effects on the individual; for example, a company must not sell personal data without the person's consent, otherwise the company could face up to a £20,000 fine for unlawfully trading personal information.
- The organisation that holds your personal information, such as a bank, is obliged to be transparent about how it intends to use the data and to give you appropriate privacy notices when collecting your personal data.
- This principle requires the company to handle personal information only in ways that would reasonably be expected, and to make sure that no personnel in the company do anything unlawful with the personal data, such as using it for personal gain.
- The second principle is that personal data must be obtained for limited purposes only. You, as the controller of the data, must only use the data in the ways agreed upon when the individual registered the information with you.
- You must comply with the act and its processing requirements; this includes the duty to give privacy notices to individuals before the company collects their personal information.
- In addition, the organisation must disclose to the individual the specified purposes of the personal data, and if it wishes to deviate from the original purpose it must discuss the new purpose with them in a way that is fair.
- The third principle of this act is that personal data must be adequate and not excessive: the organisation must only collect the information that it needs and no more. For example, a bank employee can only ask for certain digits of your credentials and cannot gather any further information, such as the individual's medical records, that could lead to identity theft.
- The fourth provision of this act is that personal data must be accurate: the holder must try to make sure that the private data it holds is correct. The organisation must take reasonable steps in its security policy to ensure the accuracy of the data. In addition, if the data subject challenges the accuracy and authenticity of the information, the company must show this information to them to make sure that what they have recorded is accurate.
- The fifth provision is that personal data must not be kept longer than necessary; this principle means that an organisation may not retain information about a customer two years past the point it is needed.
- The sixth provision of the Data Protection Act is the data subject's rights: each data subject about whom a company holds information is able to read the information held about them. Other rights that an organisation has to respect under the act:
- You have a right of access to a copy of the information held about you.
- You have a right to object to processing of your information that may cause damage or distress.
- You have a right to prevent your data being used for direct marketing.
- You have a right to have inaccurate data about you blocked or erased, and the right to sue or claim compensation for any damage or distress caused by a breach of this act.
- The seventh provision of this act is that personal data must be secure. Data belonging to individuals must only be viewed by them, and no one else should have unauthorised access. An organisation must design and organise a security policy to fit the personal data that it holds and what it will do in a security breach. If personal data is lost, modified or destroyed, the company must have practices in place to recover it and prevent any damage or distress to the individuals/data subjects.
- The final provision of the Data Protection Act is that all data must be kept inside Europe. One of the main reasons for this principle is that some countries outside Europe do not have effective data protection rules, which may put the data subject's private information at risk if handled outside Europe.
A case involving the Data protection act 1998:
In 2011 Sony was fined £250,000 after the Information Commissioner's Office found that Sony was guilty of allowing a serious breach of the 1998 Data Protection Act. This happened after it failed to use up-to-date security software on its PlayStation Network.
Personal data including emails, addresses, names, payment card details, account passwords and dates of birth was compromised. Sony executives vowed after the scandal to rebuild their services from the ground up to be more secure.
As an employer you have to deal with the responsibility of making sure that your employees' personal data is respected and properly processed and protected, for example their employment records and information about their health issues. Employees have all the same rights as any other individual; however, under most circumstances in a job role on a network there will be an agreement that the employer is able to monitor their emails.
▪ Copyright, designs, and patents act 1988
- The law states that creators of literary, sound recording, film, broadcast, musical, dramatic and artistic works, and of the typographical arrangement of a published edition, have full rights and control over the ways in which their material may be used, and others are unable to copy the work, issue copies of the work to the public for money, perform or broadcast the work to the public, or modify or adapt the work.
- Types of work protected
- Literary: this includes newsletters, commercial documents, manuals, computer programs, manuscripts, leaflets, song lyrics and articles etc.
- Dramatic: plays, dance, etc.
- Musical: recordings and scores.
- Artistic: photography, painting, sculpture, architecture, technical drawings/diagrams, maps and logos are all protected under this law.
- Typographical arrangement of published editions such as magazines and periodicals is protected.
- Sound recording: recordings of other copyright works, such as musical and literary works, are protected.
- Film: video footage, films, broadcasts and cable programmes fall under this category.
- However, after a certain period of time copyright in a piece of material ceases to exist. For example, literary, dramatic, musical and artistic works only last under the Copyright Act for 70 years, sound recordings last for 50 years, typographical arrangement of published editions lasts for 25 years, films last for 70 years, and Crown copyright, which covers material such as documents and reports produced by government bodies, lasts for 125 years. Parliamentary copyright covers material made by the House of Commons or the House of Lords and protects it for 50 years.
- Copyright case:
For this act we will be looking at one of the most famous copyright cases, between two of the leading companies in fashion: Gucci against Guess. In 2009 Gucci decided to sue Guess for infringing five of Gucci's trademarks and, in addition, for using a very similar logo.
Guess was caught out using some of Gucci's distinctive marks, such as green and red striped handbags with a repeating, inverted GG pattern on the product; in addition, Guess used some of the brown and beige colours that Gucci mostly used with its diamond-shaped patterns. In court Gucci initially asked for $221m; however, the judge told them that they were only entitled to $4.7m in damages.
▪ Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000
- These regulations allow a business to intercept communications on its own telecommunications system. For example, if an employee is committing email abuse or abuse over the telephone, the company will be able to detect and record this, allowing it to retain a good reputation. However, this also goes against the Regulation of Investigatory Powers Act 2000, so to make sure that the business does not breach the regulations, the business and the employee have to discuss this and the employee has to give consent.
▪ Fraud Act 2006
- This act has three main segments. The first is "fraud by false representation", meaning that the individual provides false or misleading information, or pretends to be someone else. The second segment is "fraud by failing to disclose information": if a person fails to disclose information that they have held back and kept secret from the company, they are breaching this section of the act under legal terms. The third segment is "fraud by abuse of position", where the holder of a data subject's data abuses their position for their own personal gain.
- Fraud Act case:
The case I will be looking at is that of Edwin and Lorraine McLaren, who were convicted of fraud and money laundering totalling an outstanding £1.6 million. The husband was considered to be the brains of the operation and was convicted of 29 different charges, with his wife convicted of only 2. Overall the case was said to have cost around £7.5 million, with £2.5 million paid in legal aid for their defence lawyers. The criminals were finally convicted after a very long court case that lasted a year and involved four high-profile bankers. However, the convictions were wrongfully overturned a couple of months later when the Appeal Court ruled that, due to the length of the trial and the complexity of the subject matter, the jury would not have been able to reach a fair verdict.
▪ Legal liability and contractual obligations act
- This is law aimed at two different parties, binding them in law with equal responsibility. An obligation underlies a contract, and legal liability can only be decided by the courts, even if a settlement between the two parties is made beforehand outside the court; however, when coming to a decision the two parties must first come to an agreement. One way that most companies help to prevent claims against them is through liability insurance, which covers liability arising from a wrongful act or an infringement of a right, but not liability arising from contractual obligations.
- Case of legal liability and contractual obligation:
The case we will be looking at is Eric Glennie v the University Court of Aberdeen. In this example there was a slip on a tennis court, so the pursuer brought an action for damages and injuries after Eric fell on the astroturf court owned by the university, the defender in this example. The university was accused of having moss covering parts of the tennis court, which caused the victim to slip; however, because there was little evidence that this was the cause of him slipping, the case against the University of Aberdeen failed.
B.P4 – Explain the principles and uses of cryptography to secure and protect data.
Cryptography, in networking and information security, is one of the main ways of keeping private data safe. Cryptography follows four main principles to keep your information safe. The first is confidentiality: the information cannot be understood by anyone who has unauthorised access. This works by using an algorithm, or cipher, in the encryption and decryption process; the encryption works with different types of keys. The strength of encrypted data depends on two main aspects: how complex the algorithm is and how secure the key is.
The second principle of cryptography is integrity: private data should not be modified while it is being held or while in transit. The third principle is non-repudiation: the creator or sender of the data cannot later deny their intentions in creating or transmitting the data. The fourth principle is authentication: the sender and receiver can confirm each other's authenticity and the origin and destination of the data.
What is cipher text?
Caesar's cipher is a text conversion used in simple cryptography; it substitutes one piece of information for another. This is most frequently done by offsetting the letters of the alphabet: sliding everything up by 3 gives D=A, E=B, F=C.
Principles and uses of encryption
Digital rights management (DRM)
- This principle entails any type of encryption that controls digital media. The purpose of DRM is to prevent unauthorised distribution of the media; for example, there is software on DVDs that limits the number of copies a user is allowed to make.
Password storing and salts
- This type of protection starts with the original copy of the user's password; the "salt", a randomly generated string of characters, is added to it, and the result goes through a hashing algorithm that hashes the password with the salt added on. Therefore if a hacker does breach the servers they will not be able to gain the original password, even if they manage to reverse the hash.
- Image 4:
Obfuscation and steganography
- Obfuscation and steganography are methods of protecting information by hiding it in plain sight, for example hiding a zip file behind a GIF, or hiding a long URL behind a short URL.
- For example, tools that hide URLs:
- Tools that hide data in images:
- Pict Encrypt
- ImageHide Encrypter
- To make sure customers feel safe when doing transactions with your business you have to provide security; otherwise it will drive customers away and you will lose them to the competition. Therefore, to protect the company's website you need SSL security to provide your customers with a safe, secure shopping environment.
- An SSL certificate assures customers that the company is legitimate. An SSL certificate can be purchased from a certificate authority, which will research your business, check your business's references and verify its identity.
- SSL also encrypts data going to and from the website; the security can be provided by the server host or by a different third party. The client's computer connects to the website and looks for the SSL certificate, and if it checks out it performs the first connection, called a handshake. After this procedure is done the host decides what encryption will be used to secure the data; this can be seen as a padlock in the address bar.
- Now when data leaves the client's computer it is encrypted, and it is decrypted when it arrives at the server.
- SSL: Secure Sockets Layer
- Two-step authentication is used when you enter your password while using a computer other than your main one, or a different IP address. The server then sends a code to your phone, making sure that you are the correct person signing into the account. This is based on something you know and something you personally own, to stop unauthorised access.
File/folder/disk encryption
- Disk encryption is when you encrypt the whole disk of your computer or device; alternatively you can create partitions and only encrypt a specific partition.
- File or folder encryption is when you apply encryption to specific files and folders, or encrypt an external removable drive such as a USB stick or SD card.
Encryption of communication data, e.g. police, mobile phones
- This principle covers communication between devices such as mobile phones; this is called communication data, and when you encrypt the communication it is simply called encryption of communication data, which is commonly used in the police service. Only officers with the key will be able to decrypt the data and understand what the other individuals are saying.
- Methods of encrypting communication data: symmetric, SSL, key encryption, public key encryption.
Legal and ethical issues
Those bound by the ISC code of ethics must abide by its canons; the Internet Activities Board (IAB) states which actions are a violation of the internet, such as
Computational hardness assumption
We let the difficulty of the task determine which encryption to use; the encryption technique is chosen according to the hardness of the problem that would have to be solved to decipher it. There are many theories about this, and many people speculate that a computer is not smart enough to decide; however, there has been no solution to this at the current point in time.
Cryptography methods/applications
Private (symmetric) encryption
- The sender of the data and the receiver both have the same key for encryption and decryption.
Public key (asymmetric) encryption
- The sender and recipient of the data have related keys. In asymmetric encryption anyone can get an individual's public key, which will normally be held on a server, and use it to encrypt the message or data they are planning to send to the recipient, who will be able to decrypt the data with their private key, and only they can.
- The shift cipher, also known as Caesar's cipher, is where each letter of the message being sent is replaced by the letter a fixed number of positions down the alphabet.
One-time pads
- This is a randomly generated string of different characters or numbers that has only one set value for each letter of the alphabet and each number.
- This will normally be changed for a different day of the week to keep the encrypted data secure and very difficult to crack.
- Block cipher: this is a symmetric operation that works on blocks of data; this type of encryption breaks messages into fixed block sizes. For example it takes the plaintext being sent and converts it into a block of ciphertext, usually the same length as the client-provided secret key.
Hash functions (e.g. MD4, MD5, SHA-2, SHA-3)

| Keys for comparison | MD4 | MD5 | SHA-2 | SHA-3 |
|---|---|---|---|---|
| Security | MD4 was first developed in 1990 and has influenced later designs; it is considered one of the least secure hash methods. | MD5 is a widely used hash that is an extension of MD4; it is a bit slower but more secure than MD4, though still not as secure as others. | SHA-2 stands for Secure Hash Algorithm 2. A key aspect of cryptographic hash functions is their collision resistance: nobody should be able to find two different input values that result in the same hash output. Much more secure than MD4 and MD5, but still not as secure as SHA-3. | SHA-3 is a newer version of SHA that is much more secure and less sensitive to extension attacks, meaning it is more robust, and the best method for hashing your data. |
| Message digest length | 128 bits | 128 bits | 224, 256, 384 or 512 bits | arbitrary |
| Attacks required to find out the original message | Hashcat; simple online websites such as https://md5hashing.net/hash/md4/ will recover the message easily | Brute forcing; Hashcat; simple online websites such as https://md5hashing.net/ will recover the message easily | findmyhash, Hashcat, brute force | findmyhash, Hashcat, brute force |
| Speed (average per 1m ms) | 627.4 | 604 | 737.8 | 1056.4 |
| Maximum message size | 2^64 − 1 | Unlimited | 2^128 − 1 | Unlimited |
| Operations | And, Xor, Rot, Add (mod 2^32), Or | And, Xor, Rot, Add (mod 2^32), Or | And, Xor, Rot, Add (mod 2^32), Or, Shr | And, Xor, Rot, Not |
Stream ciphers
A stream cipher is a type of encryption that encrypts your data one byte at a time. A stream cipher uses a pseudo-random keystream as the key for the bits: a number or sequence of numbers generated to combine with the plaintext. The generator being used should always be random and unpredictable, and the same key should never be reused.
A.M1 – Security breaches
In summary, the message the video is trying to get across is that customer satisfaction is one of the main factors to consider when looking at IT security threats and how they will affect your business. When private credentials get stolen, modified or destroyed you lose the trust of your customers and it hurts your company's reputation.
A security programme provides a framework to keep the company at the highest possible security level when assessing the different types of risk you may face on a daily basis. Keeping the policy up to date helps a company mitigate the variety of security threats.
However, the most important factors to keep in consideration are customer satisfaction and the reputation that a company such as SSBC, a banking business, must maintain to a high standard. Therefore it is important to keep policies up to date and run risk assessments to help improve security and keep private credentials away from unauthorised access.
There are three key principles within information security that must be maintained: confidentiality, integrity and availability. For example, a loss of availability of information would be caused by a DDoS attack. DDoS stands for distributed denial of service; it slows down and crashes the server, denying users of the website access to their information. This attack can be very costly to a large corporation, so backup servers and other precautions must be put in place to make sure this does not happen.
In addition, if a business does not handle data in a legal manner it can result in big consequences for the company. For example, in 2011 Sony was fined £250,000 after the Information Commissioner's Office found that Sony was guilty of allowing a serious breach of the Data Protection Act 1998. This happened after it failed to use up-to-date security software on its PlayStation Network.
Personal data including email addresses, postal addresses, names, payment card details, account passwords and dates of birth was compromised. After the scandal Sony executives vowed to rebuild their services from the ground up to be more secure.
Another legal requirement businesses have to meet is to protect sensitive information: for example, one of the provisions of the Data Protection Act 1998 states that personal data must be kept secure. Data belonging to individuals must only be viewed by them, with no one having unauthorised access. An organisation must design and organise a security policy to fit the personal data that it holds and set out what it will do in a security breach. If personal data is lost, modified or destroyed the company must have practices in place to recover and to prevent any damage or distress to the individuals/data subjects. A breach of this act is enforced by the Information Commissioner's Office, which reviews these cases and can give out a fine of up to £500,000 for any serious breach.
A.M2- Analyse how the principles and uses of cryptography impact on the security and protection of data
One principle and use of cryptography that protects private data is the most common cipher text, otherwise known as Caesar's cipher. This is a text conversion technique that replaces one piece of information with another. Another form of Caesar's cipher is the shift cipher, where each letter of the message or password being sent is replaced by the letter a fixed number of positions through the alphabet. This protects your passwords and messages, as it can be very difficult to decrypt and discover the original text, which makes it a good way to protect your data.
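The shift cipher described here and in the "What is cipher text?" section, as an added educational example that is not part of the assignment: it encrypts and decrypts with any shift, and then shows the caveat a practitioner would raise, namely that the cipher has only 26 possible keys, so every candidate plaintext can be listed and the right one picked out by letter frequency. The message and the frequency weights are constructed for the demonstration.

```python
"""Shift (Caesar) cipher: encrypt, decrypt, and exhaustive key search.

Added educational example, not code from the assignment. The point is
that a 26-key cipher offers no real protection for passwords or messages.
"""
import string

ALPHABET = string.ascii_uppercase
KEY_SPACE = len(ALPHABET)  # every possible key: 0..25


def shift_encrypt(plaintext: str, key: int) -> str:
    """Replace each letter by the letter `key` positions further down the
    alphabet (D=A, E=B, F=C for key 3). Case is kept; non-letters pass through."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % KEY_SPACE + base))
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is encryption with the negated shift."""
    return shift_encrypt(ciphertext, -key)


def exhaustive_search(ciphertext: str) -> dict:
    """Return every candidate plaintext, {key: decryption}: 26 entries,
    one of which is the original message."""
    return {k: shift_decrypt(ciphertext, k) for k in range(KEY_SPACE)}


def guess_key(ciphertext: str) -> int:
    """Pick the key whose decryption looks most like English using a rough
    letter-frequency score (constructed weights: E, T, A, O, ... commonest)."""
    common = "ETAOINSHRDLU"
    weights = {c: len(common) - i for i, c in enumerate(common)}
    best_key, best_score = 0, -1
    for key, candidate in exhaustive_search(ciphertext).items():
        score = sum(weights.get(c, 0) for c in candidate.upper())
        if score > best_score:
            best_key, best_score = key, score
    return best_key


if __name__ == "__main__":
    # Constructed sample message for the demonstration.
    message = "MEET ME AT THE BANK AT NOON"
    secret = shift_encrypt(message, 3)
    print("ciphertext:", secret)
    print("recovered key:", guess_key(secret))
    print("recovered text:", shift_decrypt(secret, guess_key(secret)))
```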
Another very simple method of protecting data between two users or a small group is the one-time pad. A one-time pad is a randomly generated string of letters and numbers, in combination with unique characters, that have a set value, for example "87880h = Hello". One-time pads are held only by the individuals using them, making them secure to use; however, if a hacker or criminal finds the text document with the translation of the code it would be easy for the cyber criminal to decipher.
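The one-time pad described here, and the stream cipher from the "Stream ciphers" section, share one rule: the pad or keystream must never be reused. The added example below (not code from the assignment) implements the XOR one-time pad, shows why a single pad is unbreakable (any plaintext of the right length is equally consistent with the ciphertext), and shows what reusing a pad leaks. The SHA-256 counter-mode keystream is a constructed toy standing in for a real stream cipher; the messages are constructed.

```python
"""One-time pad and stream-cipher keystreams: what key reuse leaks.

Added example, not code from the assignment. XOR of the plaintext with a
truly random pad of the same length is the one-time pad; a stream cipher
replaces the pad with a keystream derived from a short key and a nonce.
The toy keystream (SHA-256 in counter mode) is for illustration only.
"""
import hashlib
import os


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def generate_pad(length: int) -> bytes:
    """A pad must come from a cryptographic RNG and be as long as the message."""
    return os.urandom(length)


def otp_encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """Ciphertext = plaintext XOR pad. The pad must cover the whole message."""
    if len(pad) < len(plaintext):
        raise ValueError("pad shorter than message: never stretch or reuse a pad")
    return xor_bytes(plaintext, pad[: len(plaintext)])


otp_decrypt = otp_encrypt  # XOR is its own inverse


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream: SHA-256(key || nonce || counter) blocks.
    Shows the structure only; use a vetted cipher such as ChaCha20 in practice."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def stream_encrypt(plaintext: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stream cipher: XOR with a keystream instead of a true random pad.
    A fresh nonce per message is what keeps the keystream from repeating."""
    return xor_bytes(plaintext, toy_keystream(key, nonce, len(plaintext)))


def reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were encrypted under the same pad or keystream, XORing
    the ciphertexts cancels the key and yields plaintext1 XOR plaintext2:
    zero bytes wherever the two messages agree."""
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])


def pad_explaining(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """For a single OTP ciphertext every plaintext of that length is equally
    plausible: there is always a pad that decrypts it to `claimed_plaintext`.
    That is perfect secrecy, and it is why the pad itself must stay secret."""
    return xor_bytes(ciphertext, claimed_plaintext)
```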
A more secure method that companies use to help protect your private data is password storing with salts. This starts with the original copy of the user's password, then the salt adds a randomly generated string of characters to the starting password. This then goes through a hashing process that hashes your password in combination with the salt, making it a very secure procedure for keeping private data safe. Even if a cyber criminal is able to breach a server and gain access to the user password database, they would have to reverse the password hashes, for example SHA-1, SHA-2 or MD5; in addition, they would not be able to use that string as the password, as it still includes the salt.
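The salted scheme described here and in the "Password storing and salts" section, as an added example that is not the assignment's or any vendor's code. It contrasts an unsalted MD5 digest, which the lookup websites named in the hash-function table recover with a simple table read, with a per-user random salt and an iterated PBKDF2-HMAC-SHA256 digest, stored in one record and verified with a constant-time comparison. The common-password list and the record format are constructed for the example.

```python
"""Password storage: unsalted hash lookup versus salted, iterated hashing.

Added example, not code from the assignment. The lookup table is
constructed here to stand in for the online hash-lookup sites that
reverse unsalted MD4/MD5 digests of common passwords.
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster

COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]  # constructed


def md5_hex(password: str) -> str:
    """Unsalted MD5 of a password: the weak scheme that lookup sites defeat."""
    return hashlib.md5(password.encode()).hexdigest()


# Precomputed digests keyed by hash: reversing a hash is a dictionary read.
PRECOMPUTED_MD5 = {md5_hex(pw): pw for pw in COMMON_PASSWORDS}


def unsalted_lookup(digest_hex: str):
    """Return the password whose unsalted MD5 matches the digest, or None."""
    return PRECOMPUTED_MD5.get(digest_hex)


def hash_password(password: str, salt: bytes = None,
                  iterations: int = ITERATIONS) -> str:
    """Store a per-user random salt and a PBKDF2-HMAC-SHA256 digest in one
    record: algorithm$iterations$salt_hex$digest_hex. Two users with the
    same password get different records, so no precomputed table applies."""
    if salt is None:
        salt = os.urandom(16)  # fresh per password; never a fixed site-wide salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters, then compare
    in constant time so timing does not reveal how many bytes matched."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)
```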
SSL, standing for Secure Sockets Layer, has a massive impact on the security and protection of private data with cryptography; one SSL certificate provider, DigiCert, secures more than 8 billion web connections every day. An SSL certificate assures the customers that visit your web page that yours is a legitimate business. An SSL certificate makes sure your customers feel safe when doing online transactions with your company/business; otherwise, if you do not provide security for your customers, it will drive them away to the competition.
SSL works by encrypting data going to and from the website; the security can be provided by the server host or by a different third party. When the client's or customer's computer connects to the website it looks for an SSL certificate; if the website has the certificate the server accepts the connection, called a handshake. Now when data leaves the client's computer it is encrypted and then decrypted at the server, assuring the customer of a safe transaction, as a symbol will appear on the left side of the address bar, the most common symbol being the padlock.
Private or symmetric encryption is a method where the sender and the receiver of the data share the same key, which is used to encrypt and decrypt the data being sent. One advantage of this method is that this type of encryption is very secure; it is one of the world's most used and is the U.S. government's standard. However, the problem arises when you need to share the key. Keys are not simple strings of text but are produced by complex algorithms, and if someone gets your private key they can decrypt the messages sent between you and the other party.
Another method is public or asymmetric encryption, where the sender and receiver of the private information have related keys. With this method anyone is able to get your or another individual's public key, which is held on the host server. Data being sent to you is first encrypted with the public key, and then only you are able to decrypt it. Therefore, in our opinion, this is a more secure way to send your data than symmetric encryption: if a hacker is able to get your private key they will be able to decrypt the messages sent to you, but they will not be able to see what you are sending to the other individual.
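The public-key relationship described here and under "Public key (asymmetric) encryption", as an added example that is not code from the assignment: textbook RSA at toy key size, where anyone holding the public key (e, n) can encrypt but only the holder of the private exponent d can decrypt. The two primes are constructed and far too small for real use; real deployments use 2048-bit or larger keys, randomised padding such as OAEP, and a vetted library rather than this code.

```python
"""Public-key (asymmetric) encryption with textbook RSA, at toy key size.

Added example, not code from the assignment. It shows only the
public-encrypt / private-decrypt relationship; it is not a usable RSA
implementation (no padding, tiny primes).
"""
from math import gcd


def is_prime(n: int) -> bool:
    """Trial division; fine for the 32-bit toy primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def generate_keypair(p: int, q: int, e: int = 65537):
    """Return ((e, n), (d, n)) from two distinct primes p and q.
    The public key can be handed to anyone; d must stay with the recipient."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the public key can encrypt; the message integer
    must be smaller than the modulus n."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too large for this key size")
    return pow(m, e, n)


def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the holder of the private exponent d reverses the encryption."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


# Constructed toy primes (2^31 - 1 and 2^32 - 5): demonstration only.
TOY_P = 2147483647
TOY_Q = 4294967291

if __name__ == "__main__":
    public, private = generate_keypair(TOY_P, TOY_Q)
    c = encrypt(b"Hello", public)
    print("ciphertext integer:", c)
    print("decrypted:", decrypt(c, private))
```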
In this section I will be evaluating the effectiveness of the different techniques used to help protect companies from various security threats, while taking account of the principles of information security and legal requirements. The first technique I will be looking at is companies and organisations monitoring incoming and outgoing online traffic. The reason businesses need to take this step for their security is to make sure their staff are treating customers correctly and giving them the correct information. However, there are times when employees have a vendetta against the business and may leak data such as sales sheets and customer information to competitors, who will be able to use it against them. One of the problems with this is the legal issues that come with it.
One of the acts that stops this from being a problem in the workplace is the Telecommunications (Interception of Communications) Regulations 2000. These allow a company to intercept communications only on its own telecommunications system. They go against the Regulation of Investigatory Powers Act 2000. As a result the business must make sure it does not breach this regulation by having an agreed contract in which the employee agrees and gives consent for the business to monitor their actions.
Another technique used to help protect private data is SSL certificates; these are issued by and purchased from a trusted certificate authority. An SSL certificate certifies your company's website and assures potential customers who connect to your website that it is safe to make a transaction.
An SSL certificate works by encrypting data going to and from the business website. When the client's computer tries to connect to the web page it first looks for an SSL certificate; if the website has one, a secure connection is made between the client's computer and the host server. Now when the data leaves the client's computer it is encrypted and is only decrypted by the server when it arrives. The security can be handled either by the host server or by a different third party, which can be a cause for concern about breaking the Data Protection Act 1998.
The reason behind the issue is the final provision of the act, which states that all data must be kept inside Europe. Therefore, if the third-party company or host server is outside Europe, it breaches this provision and puts that data at risk, because some countries outside Europe do not have data protection rules and regulations that are as good and effective, which puts your clients' data at risk.
Anti-malware or antivirus protection has become a cliché, yet it is a necessity to install on all computers within a business; most antivirus software updates its databases regularly, within a couple of days or in some cases a couple of hours, to give the best protection it can. For example, recently there was an exploit against WPA2, short for Wi-Fi Protected Access 2, one of the most common methods of securing your network, used throughout domestic settings and by massive corporations all around the world. The method used to exploit the vulnerability is called KRACK, short for key reinstallation attack; if successful, an attacker in proximity to the victim is able to inject malware onto their device.
However, within 12 hours of the vulnerability becoming known Microsoft had already released a patch for Windows Defender to help protect the client from the attack, but not for routers. Therefore it should be mandatory for any company, especially a banking service such as SSBC, to install protection against malware.
Another technique used to help protect your private data and credentials is two-step authentication; a lot of companies, for example Google, are starting to use this as a means to identify you. It is used when you enter your password while using a computer other than your main one, or a different IP address. The server then sends a code to your phone, making sure that you are the correct person signing into the account. This is based on something you know and something you personally own, to stop unauthorised access. This is a very secure way of making sure that only clients with access can log in to your servers; however, it can be a vulnerability when a thief has access to one of the devices connected via this method, for example your phone, which will automatically log in to your email and enable them to gain access to that service.
In conclusion, there are many ways to keep your data safe that are very effective and kept up to date, such as anti-malware software that updates its databases every day to keep your data safe from malicious intent. However, businesses have to keep in mind the different acts and regulations concerning data and security; otherwise they may be fined, depending on the severity of the data breach.