Information Security IBK3IBV01 College 5 Paul J. Cornelisse
Vigenère square (cont’d)
To decrypt the ciphertext using the known keyword, reverse the steps above. First, write the keyword above the ciphertext. Then find the first letter of the keyword, in this instance “K”, in the top row and follow its column down until the associated ciphertext letter, “Y”, is encountered.
Follow that row to the left; the letter found in the outermost column is the plaintext letter, “O”. Continue this process until the message is decrypted.
The second major family of ciphers, alongside substitution, is transposition. These ciphers keep the same letters as the plaintext but reorder their positions until the message is scrambled. The Spartan scytale is an example of a simple form of transposition.
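Both procedures above, as an added example that is not part of the original slides: a Vigenère routine in which decryption is the same table walk as encryption with the shift reversed (the slide's “K” row and “Y” ciphertext letter give back “O”), and a scytale routine in which the letters never change, only their positions. The padding character “X” and the keyword/diameter values are assumptions made for the example.

```python
"""Vigenère square and scytale transposition (added example, not from the slides)."""
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, keyword: str, decrypt: bool = False) -> str:
    """Apply the Vigenère square: keyword letter selects the row, message letter the column.

    Encryption adds the keyword letter's index to the plaintext letter's index (mod 26);
    decryption subtracts it, which is the slide's 'follow the column down to the
    ciphertext letter, then read the row header' walk. Non-letters pass through
    unchanged and do not consume a keyword letter.
    """
    key = [ALPHABET.index(k) for k in keyword.upper() if k in ALPHABET]
    if not key:
        raise ValueError("keyword must contain at least one letter")
    out = []
    i = 0
    for ch in text.upper():
        if ch not in ALPHABET:
            out.append(ch)
            continue
        shift = key[i % len(key)]
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        i += 1
    return "".join(out)


def scytale(text: str, diameter: int, decrypt: bool = False) -> str:
    """Scytale transposition: the strip wraps around a rod with `diameter` faces.

    Encryption writes the message row by row into `diameter` columns and reads it
    off column by column; decryption reads the columns back into rows. The message
    is padded with 'X' (an assumption for this example) so the grid is rectangular.
    """
    if diameter < 1:
        raise ValueError("diameter must be positive")
    if decrypt:
        if len(text) % diameter:
            raise ValueError("ciphertext length must be a multiple of the diameter")
        rows = len(text) // diameter
        # Ciphertext holds column 0, then column 1, ... each `rows` characters long.
        cols = [text[j * rows:(j + 1) * rows] for j in range(diameter)]
        return "".join(cols[j][i] for i in range(rows) for j in range(diameter))
    padded = text + "X" * (-len(text) % diameter)
    grid = [padded[i:i + diameter] for i in range(0, len(padded), diameter)]
    return "".join(row[j] for j in range(diameter) for row in grid)


if __name__ == "__main__":
    print(vigenere("Y", "K", decrypt=True))          # the slide's example: O
    ct = vigenere("ATTACK AT DAWN", "LEMON")
    print(ct, "->", vigenere(ct, "LEMON", decrypt=True))
    wrapped = scytale("ATTACKATDAWN", 4)
    print(wrapped, "->", scytale(wrapped, 4, decrypt=True))
```

Note that the scytale output is an anagram of its input, which is exactly what makes transposition ciphers vulnerable to frequency analysis: letter counts survive the cipher untouched.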
Cryptographic Keys
More complex ciphers use secret keys that control long sequences of intricate substitutions and transpositions. Combining these simple operations under the control of a key is what makes modern communication security powerful.
Private or secret key encryption, often referred to as symmetric key encryption, is a class of algorithms that use a single key to both encrypt and decrypt messages. For maximum security, each pair of correspondents has a separate key; it is vital that both parties keep the key secret.
Cryptology
Somewhat more: http://www.youtube.com/watch?v=CR8ZFRVmQLg
DES is a nonlinear block cipher. The plaintext is broken into 64-bit blocks and encrypted using a 64-bit key of which 56 bits are used by the cipher and 8 are parity bits. Encryption divides each block into a left (L) and a right (R) half and applies a series of permutations and substitutions for 16 rounds. DES is insecure because its effective key length of 56 bits is short enough to be searched exhaustively.
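An added example (not from the slides, and not DES itself) of the L/R round structure described above: a toy Feistel network with a 64-bit block, a 56-bit key and 16 rounds. The round function and key schedule are hash-based stand-ins for DES's expansion, S-boxes and permutations (an assumption for the example); what carries over is that the same routine decrypts when the subkeys are fed in reverse order, and that the only thing standing between an attacker and the plaintext is the size of the key space, which the `brute_force` function searches on a deliberately shrunken key.

```python
"""Toy Feistel network (added example; the round function is not DES's)."""
import hashlib
from typing import List

BLOCK_BITS = 64
KEY_BITS = 56
ROUNDS = 16
HALF_MASK = (1 << 32) - 1


def round_function(right: int, subkey: int) -> int:
    """F(R, K). DES expands R, XORs the subkey, runs the S-boxes and permutes;
    this stand-in hashes R together with the subkey instead (assumption for the
    example). F need not be invertible: the Feistel structure is invertible anyway."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key: int, rounds: int = ROUNDS) -> List[int]:
    """Derive one 32-bit subkey per round from the 56-bit key. DES rotates and
    selects key bits; hashing the key with the round number is the stand-in here."""
    if not 0 <= key < (1 << KEY_BITS):
        raise ValueError("key must fit in 56 bits")
    key_bytes = key.to_bytes(7, "big")
    return [int.from_bytes(hashlib.sha256(key_bytes + bytes([r])).digest()[:4], "big")
            for r in range(rounds)]


def feistel(block: int, subkeys: List[int]) -> int:
    """Rounds: L[i+1] = R[i], R[i+1] = L[i] XOR F(R[i], K[i]).
    Feeding the subkeys in reverse order runs the cipher backwards, so the same
    routine decrypts; undoing the final swap is what makes that work."""
    if not 0 <= block < (1 << BLOCK_BITS):
        raise ValueError("block must fit in 64 bits")
    left, right = block >> 32, block & HALF_MASK
    for k in subkeys:
        left, right = right, left ^ round_function(right, k)
    return (right << 32) | left  # undo the last swap


def encrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: int) -> int:
    return feistel(block, key_schedule(key)[::-1])


def brute_force(plain: int, cipher: int, key_bits: int) -> int:
    """Exhaustive key search over 2**key_bits candidates, the attack a 56-bit
    key no longer resists. Returns the first key mapping plain to cipher, or -1.
    Keep key_bits small: the cost doubles with every key bit."""
    for candidate in range(1 << key_bits):
        if encrypt(plain, candidate) == cipher:
            return candidate
    return -1


if __name__ == "__main__":
    key = 0x0123456789ABCD          # 56-bit key (constructed value)
    plain = 0x0123456789ABCDEF      # one 64-bit block (constructed value)
    ct = encrypt(plain, key)
    print(f"ciphertext {ct:016x}, round trip ok: {decrypt(ct, key) == plain}")
    small_key = 0x2A5               # 12-bit key space: 4096 candidates
    print("recovered key:", hex(brute_force(plain, encrypt(plain, small_key), 12)))
```

The 12-bit search finishes instantly; each added key bit doubles the work, which is the whole argument for why 56 bits was adequate in 1977 and is not today, and why AES starts at 128.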
AES resulted from a worldwide competition that started in 1997 under the sponsorship of the National Institute of Standards and Technology (NIST). AES is an iterative block cipher based on substitutions and permutations. The fixed blocks are each 128 bits long, or 16 bytes. This is double the block length used by DES, increasing the number of possible blocks by a factor of 2^64. The algorithm uses key lengths of 128, 192, or 256 bits.
Public key encryption
The first public key encryption cryptosystem was proposed by Ralph Merkle in 1974 and introduced two years later, in 1976, by Professor Martin Hellman of Stanford University and Whitfield Diffie, then at Northern Telecom (Bosworth et al. 2009).
Public key encryption uses two separate keys, one to encrypt and one to decrypt; another name for it is asymmetric encryption. Each correspondent has a public key and a private key, and what is encrypted using one key can only be decrypted using the other key.
Public key encryption enables secure electronic business transactions, applied through keys and certificates. This cryptosystem supports confidentiality, access control, integrity, authentication, and nonrepudiation services.
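The two-key property described above, as an added example that is not part of the original slides: textbook RSA with one modular-exponentiation routine that is the same for both keys, used once in each direction. Encrypting with the public key and decrypting with the private key gives confidentiality; applying the private key first and checking with the public key gives authentication and nonrepudiation. The primes (two Mersenne primes chosen for convenience), the public exponent 65537 and the message are assumptions for the example; real keys are 2048 bits or more and always wrap the message in a padding scheme, which this toy omits. Requires Python 3.8+ for `pow(e, -1, phi)`.

```python
"""Textbook RSA (added example, insecure toy: tiny fixed primes, no padding, no hashing)."""
from math import gcd
from typing import Tuple

Key = Tuple[int, int]  # (modulus n, exponent)


def keygen(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public_key, private_key) = ((n, e), (n, d)) with e*d = 1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def transform(key: Key, value: int) -> int:
    """Raise value to the key's exponent mod n. One operation serves both keys:
    what one key does, only the other key undoes."""
    n, exp = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def to_int(msg: bytes) -> int:
    return int.from_bytes(msg, "big")


def to_bytes(value: int) -> bytes:
    # Leading zero bytes are not recoverable; a padding scheme fixes that in real RSA.
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


# Confidentiality: anyone holding the public key can encrypt; only the private key decrypts.
def encrypt(public: Key, msg: bytes) -> int:
    return transform(public, to_int(msg))


def decrypt(private: Key, ciphertext: int) -> bytes:
    return to_bytes(transform(private, ciphertext))


# Authentication / nonrepudiation: only the private key can sign; anyone verifies with the public key.
def sign(private: Key, msg: bytes) -> int:
    return transform(private, to_int(msg))


def verify(public: Key, msg: bytes, signature: int) -> bool:
    return transform(public, signature) == to_int(msg)


if __name__ == "__main__":
    public, private = keygen(2 ** 31 - 1, 2 ** 61 - 1)  # Mersenne primes, n is about 92 bits
    msg = b"AT DAWN"                                   # constructed message, must be < n
    ct = encrypt(public, msg)
    print("ciphertext:", ct)
    print("decrypted:", decrypt(private, ct))
    sig = sign(private, msg)
    print("signature valid:", verify(public, msg, sig))
    print("tampered message valid:", verify(public, b"AT NOON", sig))
```

Note that `transform(public, ct)` does not return the message: the public key cannot undo its own work, which is the asymmetry the slide describes.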
Public and secret keys
Risk Management
Just because there is a threat does not mean that the organization is at risk. Establishing whether it is, is what risk assessment is all about.
Facilitated Risk Analysis and Assessment Process (FRAAP), first used in 1995.
FRAAP:
- is driven by the business owners
- takes days instead of weeks or months
- is cost-effective
- uses in-house experts
The FRAAP was developed as an efficient and disciplined process for ensuring that threats to business operations are identified, examined and documented.
The process involves analyzing one system, application, platform, business process or segment of business operation at a time.
The team consists of internal subject matter experts. It includes:
- business managers and system users, who are familiar with the mission needs of the asset under review
- infrastructure staff, who have a detailed understanding of potential system vulnerabilities and related controls
A sample FRAAP procedure has been included in Appendix A of the book.
The team’s conclusions as to what threats exist, what their risk levels are, and what controls are needed are documented for the business owner’s use in developing the FRAAP action plan.
The team does not attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates unless the data for determining such factors is readily available.
Instead, the team relies on its general knowledge of threats and probabilities, obtained from national incident response centers, professional associations and literature, and its own experience.
Additional efforts to develop precisely quantified risks are not cost-effective.
Risk Management – risk considerations ;-)
- Estimates take an inordinate amount of time and effort to identify and verify or develop.
- The risk documentation becomes too voluminous to be of practical use.
- Specific loss estimates are generally not needed to determine whether a control is needed (e.g. for compliance or ‘survival’).
After identifying the threats and establishing the relative risk level for each threat, the team identifies controls that could be implemented to reduce the risk, focusing on the most cost-effective controls.
Once the FRAAP session is complete, the security professional can assist the business owners in determining which controls are cost-effective and meet their business needs.
Once each threat has been assigned a control measure or has been accepted as a risk of doing business, the senior business manager and the technical expert participating sign the completed document.
The document and all associated reports are owned by the business unit sponsor and are retained for a period determined by the records management procedures (usually seven years, but depending on applicable law).
Each risk assessment is divided into three distinct phases, each a separate type of session or meeting:
- the pre-FRAAP
- the FRAAP
- the post-FRAAP
1. The pre-FRAAP meeting normally takes about an hour and has the business owner, project lead, scribe and facilitator as participants.
Risk Management (Pre-FRAAP)
- Assess the current level of risk assessment understanding
- Determine what the managers and employees want to learn
- Examine the level of receptiveness to the security program
- Map out how to gain acceptance
- Identify possible allies
Risk Management (Deliverables Pre-FRAAP)
- Prescreening results
- Scope statement
- Visual diagram
- Established FRAAP team (15 to 30 members)
- Meeting mechanics
- Agreement on definitions
- Pre-FRAAP meeting summary
2. The FRAAP session takes approximately four hours and includes 15 to 30 people, although sessions with as many as 50 and as few as 4 people have occurred.
The business manager/owner presents the project scope statement. Technical support gives a five-minute overview of the process using an information flow model or diagram. The facilitator reviews the term definitions to be used for this FRAAP session.
The facilitator then reiterates the objectives and deliverables of this initial stage. At this point, stage two of the process should be briefly discussed.
The FRAAP session definitions should be included in the meeting notice. It is also necessary to notify the individuals who are needed for stage two that they will be staying for an additional hour.
Have all members introduce themselves and provide the following information for the scribe to capture:
- Team member name (first and last)
- Department
- Location
- Phone number
Risk Management (Activities during FRAAP session)
- Identify threats using a checklist
- Identify existing controls
- Establish risk levels
A total of four deliverables come out of the FRAAP sessions:
- Threats identified
- Risk level established
- Compensating controls selected
- Control “owner” identified
3. The post-FRAAP is where the results are analyzed and the Management Summary Report is completed. This can take up to five workdays.
Management Summary Report:
- Title page
- Table of contents
- Attendee list
- Scope statement summary
- Assessment methodology used
- Summary of assessment findings
- Where to obtain full documentation
- Conclusions
1. Restricted physical access areas should be considered throughout (GLBA *)
Action Plan: A physical security risk assessment will be conducted to determine whether there is a need to create restricted access areas and/or increase physical access controls.
*) Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, a law requiring the protection of certain customer financial information.
2. Power failure could cause corruption of information or prevent access to the system.
Action Plan: The network UPS may not be adequate for a power outage outside regular business hours. Install a backup domain controller at Ualena Street and connect it to the Ualena Street UPS.
Complete the Action Plan.