Cyber Security TM256 Lecture Notes PDF
Arab Open University, Oman
Dr. Ahmed Mahfouz
Summary
These lecture notes cover cyber security, focusing on systems security, cryptography, and network communication concepts. The document details the fundamental principles of cyber security, including system components, security terminology, and various cryptographic techniques.
Full Transcript
Cyber Security TM256
Block 2: Systems security
By Dr. Ahmed Mahfouz, AOU, Oman

Part 1: An overview of systems security
1. What is a system?
2. Information systems
3. Attack vectors
4. What makes a system secure?
5. The ISO 27000 information security standards

Part 2 Principles of cryptography: fundamentals and symmetric systems
1. Evolution of cryptography
2. Fundamentals of cryptography
3. Modern symmetric systems and standards
4. Initialization Vector
5. Substitution–permutation network
6. Applications of symmetric systems
7. Limitations of symmetric systems
8. Steganography

Learning outcomes
- Demonstrate an understanding of the theory and practice of systems security that includes identifying associated threats, controls and policies.
- Recognize threats, vulnerabilities and attack methods, and propose appropriate mitigation and security controls towards the design and implementation of secure systems and infrastructure.
- Communicate and analyze problems effectively within a computing environment using appropriate personal and technical skills.
- Demonstrate the ability to undertake ongoing learning to keep up to date with cyber security developments within digital systems.

Working with NetLabs
NetLabs is an online laboratory environment that will help you develop practical skills relating to different aspects of systems security. At different points during your study of the module, you will be asked to complete activities in NetLabs. These activities are prefixed ‘NetLabs Activity’ to differentiate them from the activities embedded in the module materials.

Activity 2.2 NetLabs – Practical cyber security skills (CLMS)

Part 1: An overview of systems security

1 What is a system?
A system is a set of functional components, either people or digital technologies, working together to achieve a specific purpose.
The components of the system are connected in an organized way and can interact with each other by exchanging information.

The term socio-technical system refers to systems that have interactions between people and technologies in a given operating context, without direct interaction with the physical environment. The term cyber-physical-social system refers to systems that combine digital (cyber) technologies and people (social) with interactions with their physical operating environment (Wang et al., 2010).

In the context of cyber security, we deal with digital systems that combine digital technologies and people, who are connected through communication channels that enable them to exchange data and interact with each other. To secure such systems, we must understand the operation of the system and determine the security threats that are relevant to it, so that we can implement security controls that help protect against such threats.

Activity 2.3 Exploring examples of systems (CLMS)

2 Information systems
Laudon and Laudon (2013, p. 143) define an information system as consisting of interrelated components working together to collect, process, store and disseminate information to support decision-making, coordination, control, analysis and visualization in an organisation.

Valacich and Schneider (2013) define information systems as combinations of hardware, software and telecommunications networks that people build and use to collect, create and distribute useful data, typically in organizational settings.

This figure illustrates the six components of an information system, which, broadly speaking, is a combination of technologies, processes and people.

2.1 Interaction in information systems
An interface is a means through which two systems interact or a system interacts with the environment, as illustrated in the figure.
The interaction between a user and the web page uses a User Interface (UI). The database and the web server interact through a software interface, termed an ‘Application Programming Interface’ (API), as these software components all operate at the application layer of the system. The web server and the database interact with the hardware components of the computers that they are running on, as well as the network components that allow them to communicate with each other, through the host layer of the system.

2.2 Security terminology – putting things together
- Assets are tangible/intangible things of value: cash value, system function, and assets (i.e., data, software and hardware).
- Assets are targeted by threats: theft, stopping a system or a system function. The estimated threat level differs based on the context.
- Assets could be attacked by exploiting a vulnerability: if they are not protected (secured), they will succumb to it. An exploit is an unauthorized access to an asset that is part of the system.
- Assets could contain a vulnerability: attackers will ‘exploit’ the vulnerability, if there is one. In the context of software and applications, the vulnerabilities are often unnoticed programming or logic errors that are exploited by malicious attackers whose intent is to impede, distort or stop a function of the system.
- A security mechanism responds to an attack: the security mechanisms help the system to ensure that its security objectives are achieved by taking steps that will respond to an attack.

Figure 2.4 Terminology of systems security

- Availability: Multiple, redundant instances of key components of a system, such as web and database servers, or backups of data stored by the system, help ensure that the system is always fully functional and available to the user.
- Authentication: Multi-factor authentication can be used to ensure that only legitimate users can use the system.
- Authorization: Using access control techniques, like role-based access control, can ensure that only specific users can perform specific operations on the system. For example, only system administrators would be allowed to change the software installed on the web and database servers.
- Confidentiality: Techniques like cryptography and access control can be used to ensure that only authorized users have access to the data handled by the system.
- Integrity: Again, a combination of cryptography and access control can ensure that only authorized users can make changes to the data in the system.
- Accounting and non-repudiation: Mechanisms to ensure that all actions performed on the system are logged with the identity of the user performing them, together with the date and time, provide accounting and non-repudiation capabilities.

3 Attack vectors
An attack vector is the means an attacker typically deploys to launch an attack on a system. The objective is to gain access into the system and the data within the system. There are two primary objectives that, if compromised, can cause the highest impact – confidentiality and availability.

Information is either stored or communicated. When communicated, there are two parties involved (a source and a destination) and the communication happens via a communications medium (a note, a letter, a file on disk or in memory, an email, a file download, etc.). The objective is to preserve the confidentiality and therefore the integrity and availability of the information. At all times, availability implies the ‘availability of data in its original and intended form’.

The only way to get information is to access it. Accessing it when it is stored requires access to the system where it is held. Accessing it when it is being communicated (in transit) requires access to the communications medium, which could be a wired or wireless network.
Malicious actors who intend to get to the information compromise either the authentication mechanism or the access control mechanism to access the system, or overhear the information in transit across the network. Following this, malicious actors tend to make a copy of the information or change the information content to their advantage. It should be noted that, in some cases, just accessing part of a message isn’t helpful unless the attacker can also understand the context in which the information is being exchanged.

Attack vectors are generally classified by how the attacker targets the system to compromise it. An attack vector indicates how a threat actor gains unauthorized access to a victim system and compromises the security of data.

3.1 Interception
Interception is the act of preventing someone or something from reaching the intended destination in an uncompromised manner. In the context of real-world systems, interception happens when information is in transit across a wired or wireless network (packet-sniffing). Malicious actors attempt to retrieve information and piece it together to reconstruct the information transfer between the two parties. Confidentiality requires that only users who are authorized to access data can read it.

Figure 2.6 Interception attack vector

In most breaches of confidentiality, the intent of the attacker is to access the personal information (e.g., name, address, bank details, card number, PIN) of users who are registered to various online services.

3.2 Modification
An interception is often a precursor to modification. An attacker can intercept data, modify it and put it back (Figure 2.7). The recipient of that data will obviously miss the original message or see two different messages. Effectively, there is an integrity breach as a result of modifying the data. Typically, the attacker’s intent is to send a wrong message to the receiver as a means of breaching other security objectives.
Figure 2.7 Modification attack vector

In the context of a system, an integrity breach results in wrong data and that, in turn, can affect all other processes that use the data.

3.3 Interruption
In the context of information security, an interruption would occur if the communication between a sender and a receiver is deliberately stopped by an attacker, resulting in the two parties being unable to communicate (Figure 2.8). Interruptions are caused by attacks on the communications infrastructure (network) or on individual units of the system, such as servers or applications running on the servers. The availability of the system ensures the availability of the data stored on it. Similarly, the availability of communications services ensures that components of a system can have access to data that is stored remotely.

Figure 2.8 Interruption attack vector

3.4 Replay
An attacker first intercepts data and then communicates a copy of the same data, without any modification, to the sender or the recipient after a delay (Figure 2.9). The intent is to solicit a response from the receiver that may contain information of interest to the attacker, such as an encryption key. A man-in-the-middle (MITM) attack might use a replay attack vector, as well as a modification attack vector.

Figure 2.9 Replay attack vector

A replay attack vector compromises confidentiality, which in turn can lead to a breach of integrity, availability, authentication and non-repudiation.

3.5 Fabrication
Fabrication means fabricating a message or data. This attack vector is an extension of the replay attack vector. The attacker fabricates a message and sends it to the receiver. The fabricated message is often based on observing message exchanges over an extended period of time. In a sense, the attacker mimics a sender (Figure 2.10). Fabrication is used to solicit responses from the recipient and extract information that is of interest to the attacker.

Figure 2.10 Fabrication attack vector
It can be used to breach one of the five security objectives – confidentiality, integrity, availability, authentication and non-repudiation.

3.6 Breaching of security objectives
Activity 2.4 Exploring breaches of security objectives (CLMS)

3.7 Network communications

4 What makes a system secure?
Making a system secure means protecting the whole system, comprising applications, host devices and networking components, together with people and processes.

One of the key challenges in securing systems is that in most cases an attacker only needs to succeed once but the defenders of the system need to successfully prevent every attack. To do this, defenders can adopt strategies like having multiple defensive layers, one at each layer of the system. This approach is called defense in depth.

For example, technologies like firewalls and cryptographic protection of communications can protect the network layer of the system from the attack vectors we considered earlier. Cryptography can also be used at the application and host layers of the system to meet confidentiality and integrity objectives. Across all layers, techniques like logging, multi-factor authentication and access control mechanisms can be used to ensure authenticity, accounting and non-repudiation objectives are met.

Each component (hardware, operating system, applications) has to be secured in order to achieve complete system security. Systems security comprises the set of controls and protection measures taken to ensure that a system’s information infrastructure (networks, computers, servers, etc.) and resources (power supply, maintenance, etc.) are safe from interference, malicious intrusions or being shut down.

In practice, we must consider the complexity, performance and, ultimately, financial cost associated with implementing security controls on each component, and weigh this against the impact and likelihood of a successful attack on the system (i.e., the risk).
Consideration of these aspects as well as those applicable to a larger system forms the focus of a series of information systems security standards known as the ISO/IEC 27000 series of standards.

5 The ISO 27000 information security standards
The ISO 27000 series of international standards from the International Organisation for Standardization (ISO) provides guidelines for what are termed Information Security Management Systems (ISMSs). The series is formally called ISO/IEC 27000:2018. The year denotes the latest version of the standards.

The ISO 27000 series evolved from British Standard 7799, which was originally published in three parts, addressing three domains of security implementation:
1. Best Practices of Information Security
2. Information Security Management Systems – Specification and Guidance for Use
3. Risk Analysis and Management

Conforming to these standards demonstrates that an organisation meets a level of information security maturity.

5.1 What does the ISO 27000 series address
The standards provide recommendations to establish, implement, operate, monitor, maintain, review and improve an ISMS implementation by addressing the following functions:
- risk assessment
- security policy
- asset management
- security of human resources
- physical and environmental security
- access control
- information system acquisition, development and maintenance
- information security incident management and response management
- business continuity management
- compliance.

5.2 Information security standards across industry sectors
Figure 2.12 ISO standards for specific industry sectors

Network security and application security are also addressed separately, in ISO/IEC 27033 and 27034, respectively. ISO/IEC 27035 addresses what happens when a security incident occurs and how to respond, with guidelines on information security incident management and response management.
5.3 Benefits of ISO 27001 certification
Implementing ISO 27001 helps businesses to:
- improve risk management
- provide a normalized interoperability between organizations, or groups within organizations
- demonstrate good security practices resulting in a competitive advantage
- win business with companies in regulated sectors
- fulfil regulatory compliance (GDPR) and pre-requisites for large contracts
- establish market reputation for secure practices
- avoid financial losses and regulatory penalties arising from security breaches.

Summary
In the first part of Block 2, you have explored what is meant by an information system and looked at how the different security concepts you learned about in Block 1 can be applied to such systems. The Khan Kreatives example illustrated the different elements that make up an information system and how systems security concepts apply in practice. You were also introduced to the NetLabs environment, which you will continue to use during the module to practice and develop hands-on cyber security skills.

The material covered this week also highlighted how cryptography is an important foundation of many systems security solutions. The next three parts of this block will focus on the core principles of cryptography, its applications in different contexts and ways in which it can be attacked. Block 2 will end with an exploration of operating systems security, including how authentication, authorization and accounting capabilities are integrated into systems. In combination with the content on cryptography, this will give you a clear foundation on which to build your understanding of network, host and application security, which will be covered in Block 3.

The content of Block 2 is designed to provide you with well-rounded exposure to the foundational principles of systems security. You will gain an understanding of the elements of systems security and how they come together to make a system secure.
As you progress through the material, you will be required to access and digest different types of information relating to systems security. The activities will further engage you by illustrating the core knowledge areas with examples, programming exercises, short articles and industry opinions for your critical analysis and review. These should help prepare you for presenting your arguments in your assignments as part of this module.

Don’t forget to make use of your learning journal throughout this module. Recording your reflections, learning and discussions with peers on the forums should help you to develop your understanding of key concepts and skills, and help you prepare for your assessment.

Part 2 Principles of cryptography: fundamentals and symmetric systems

1 Evolution of cryptography
The origins of cryptography date back to the ancient Egyptians and Romans. Substitution ciphers, where each character in a message is substituted by another, were prevalent during the Roman era and evolved to include use of the Caesar cipher around 50 BC.

Edward Hebern invented an electromechanical machine in which the encryption ‘key’ was embedded in a rotating disc (1914). Arthur Scherbius, a German electrical engineer, invented the Enigma machine, which used multiple rotors (1918). Alan Turing was able to crack the Enigma (1940). Claude Shannon at AT&T provided the basis for modern cryptography with his work titled ‘The Mathematical theory of cryptography’ (1940).

Public key cryptography was developed in 1975, followed by a key exchange algorithm called Diffie-Hellman (DH) in 1976.
The Data Encryption Standard (DES) protocol was formally used in banking in the USA in 1977, which also saw the publication of the Rivest–Shamir–Adleman (RSA) algorithm. Code breaking and new, improved encryption standards continued apace and, in 2001, the DES was replaced by the AES. Meanwhile, the Secure Hash Algorithm (SHA-1) was declared deprecated in 2011.

The mathematical techniques of cryptography have also influenced cryptocurrencies such as ‘Bitcoin’. Quantum computing, while still in early stages of development, is seen as a major force of change in encryption techniques.

1.1 Uses and vulnerabilities
Cryptography is widely used in network communications including ordinary telephone, mobile and satellite communications and, of course, on the internet itself. Cryptography is used in social media, cloud services, email and online streaming of video and audio. It is also used to secure confidential data held in numerous government and private databases.

Cryptanalysis is used to detect vulnerabilities in established and proposed cryptographic techniques. Vulnerabilities can range from something simple, such as a password that can be easily guessed, to complex new mathematical techniques that make a previously safe method vulnerable.

Kerckhoff's principle is the concept that a cryptographic system should be designed to be secure, even if all its details, except for the key, are publicly known.

Reverse engineering is a process in which software is deconstructed to extract design information from it.

1.2 Principles of cryptography and the CIA triangle, non-repudiation and authentication
1. Non-repudiation
2. Confidentiality
3. Integrity
4. Availability
5. Authentication – digital signatures and public key infrastructures

1.2.1 Non-repudiation
Non-repudiation is a service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory).

Non-repudiation can be provided through the careful use of different encryption algorithms, together with digital signatures and certificates. Non-repudiation can be applied both to the sender of a message (so that they can’t deny that they sent it) and also to the receiver (so that they can’t deny that they have received it) – like signing for a parcel on delivery.

1.2.2 Confidentiality
If I want to send some printed legal documents that I don’t want anyone else to see to a friend overseas, I could do one of the following:
- I could lock them in a secure box using a padlock to which my friend and I each have a key (this is analogous to using a symmetric cryptographic algorithm). As long as the padlock is not broken, I can be reasonably confident that the documents will remain confidential. My confidence is in the robustness of the padlock and the fact that the keys are secure.
- I could use a padlock that my friend had previously sent me. In this case, they alone have the key to the padlock. This is like using asymmetric cryptography.

There are different encryption methods and different types of ‘key’ that are used to encrypt digital information.

1.2.3 Integrity
Integrity means guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.

In electronic transmission of data, it is important that the recipient knows that the message they have just received has not been tampered with. Cryptography can be used to ensure that a message’s integrity can be trusted. Methods include the use of a hash and the use of a digital signature.
1.2.4 Availability
Availability means ensuring timely and reliable access to and use of information. Availability of the document could be affected by inadequate or poor cryptographic methods. Losing a key also leads to a loss of availability.

1.2.5 Authentication – digital signatures and public key infrastructures
Authentication is the process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Asymmetric cryptography provides the additional property of allowing for authentication. This encryption method relies on a linked key pair – the private and the public key.

A digital signature is a way in which the sender of a message, Bob, for example, can self-authenticate the message. The receiver, Alice, can have confidence that the message has come from the sender and not from an imposter. One way of doing that is by sending a hash of the message, either by a separate channel from the message or else encrypted in some way. Bob could use his private key to sign the hash. Alice could then obtain Bob’s public key and use it to decrypt the hash. By comparing this with a freshly generated hash, Alice can be certain that the message came from Bob and has not been tampered with.

A digital signature, digital certificate and public key can be used to guarantee that Bob is the originator of a message or the author of a piece of information. However, Alice needs to trust that the digital signature or certificate is genuine or that the public key really does belong to Bob.

Example – Man-in-the-middle attack
Suppose that Alice wants to send a confidential document to Bob. She rings Bob and asks him to send her his public key. A few minutes later she receives an email from Bob that contains his public key. However, Alice is concerned that someone (let’s call her Eve) might be eavesdropping and might carry out a man-in-the-middle (MITM) attack to intercept Bob’s email (Figure 2.14).
If Eve is successful in this attempt, she may then swap Bob’s key with her own public key. If Alice sends the encrypted document to Bob, how can she be sure that Eve can’t intercept it and use her private key to decrypt the document? (Remember that Eve has fraudulently sent Alice her public key claiming to be Bob, so the message that Alice sends is encrypted with Eve’s public key but decrypted with Eve’s private key.) Alice needs someone who she believes in to verify that the key is indeed Bob’s key. There is, therefore, a problem of trust.

There are two main methods to provide public trust in key distribution:
1. The first is to have a well-known and trusted central agency that will vouch for the information.
2. The second method of establishing trust is through a concept known as a web of trust.

Activity 2.6 The web of trust (CLMS)

2 Fundamentals of cryptography
Plaintext is unencrypted information that can be read directly by humans or a machine.

Ciphertext is encrypted information.

A cipher or cryptographic algorithm is the mathematics responsible for turning plaintext into ciphertext and reverting ciphertext to plaintext.

Encryption is the process of converting plaintext to ciphertext.

Decryption is the process of reverting ciphertext to plaintext.

A cryptographic key is a value that is used to control the output from an encryption (or decryption) process for a given plaintext. A key is a string of bits and is of a specific size, depending on the cipher.

An encryption key is a type of cryptographic key and is a piece of information used in combination with an algorithm (a ‘cipher’) to transform plaintext into ciphertext. (A decryption key would be used to reverse the process.)

Symmetric cryptography is a cryptographic scheme in which both the encryption and decryption processes use the same cryptographic key.
Asymmetric cryptography is a cryptographic scheme in which the encryption and decryption processes use different cryptographic keys.

2.1 Encryption and decryption using ROT13
The ROT13 algorithm is a substitution cipher because it replaces every letter in a message with the letter that is 13 letters higher in the alphabet. If the count requires the letter to be ‘above’ the letter ‘z’, the algorithm starts at the beginning again with ‘a’. Figure 2.15 shows an algorithm for encrypting a plaintext input into ciphertext using ROT13 encryption.

ROT13 is a variation of the Caesar cipher (which traditionally used 3 as the key). It is used in some places in Microsoft Windows Registry keys.

Figure 2.16 The ROT system of encryption
Figure 2.15 Algorithm for ROT13 encryption

2.2 Base64 encoding
Base64 is a group of binary-to-text encoding techniques that represent binary data as sequences of four 6-bit groups (24 bits). It is widely used for encoding email attachments due to the way that Simple Mail Transport Protocol (SMTP) developed. Base64 is used as a step in some encryption schemes. It is also used as part of Hypertext Transfer Protocol (HTTP) authentication, to encode non-HTTP-compatible characters that may be in the user’s name or password.

For example, the word ‘Cat’ consists of three characters that in ASCII binary are 0100 0011, 0110 0001 and 0111 0100. The algorithm concatenates these and splits the result into groups of six bits as shown in this table:

2.3 Hashing
Figure 2.17 The hash algorithm

Hashing is the process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. (NIST)

The output of the hash function should depend uniquely on the data; any slight change in the data should produce a completely different hash. Furthermore, it should not be possible to reconstruct the data from the hash.
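Sections 2.1 and 2.2 above describe ROT13 and the Base64 bit regrouping of ‘Cat’. The following added example (not part of the lecture notes) carries both out by hand and shows that a Base64-encoded HTTP Basic credential can be read back without any key; the function names and the sample credential are constructed for illustration.

```python
# Added example (not from the lecture notes): ROT13 and Base64 worked by hand.
import base64
import string
from typing import List, Tuple

# Index 0-25 = A-Z, 26-51 = a-z, 52-61 = 0-9, 62 = '+', 63 = '/'
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def rot(text: str, shift: int = 13) -> str:
    """Caesar-style substitution: shift=13 is ROT13, shift=3 the traditional Caesar key."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            # Counting past 'z' wraps around to 'a', as the notes describe.
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)  # digits, spaces and punctuation are left unchanged
    return "".join(out)


def six_bit_groups(data: bytes) -> List[str]:
    """Concatenate the 8-bit bytes, then split the bit string into 6-bit groups."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 6)  # zero-fill the last group when input is not 3n bytes
    return [bits[i:i + 6] for i in range(0, len(bits), 6)]


def b64_encode(data: bytes) -> str:
    """Map each 6-bit group to a Base64 character and pad the output to 4n characters."""
    chars = "".join(B64_ALPHABET[int(group, 2)] for group in six_bit_groups(data))
    return chars + "=" * (-len(chars) % 4)


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Read user and password back out of an HTTP Basic credential; no key is needed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    print("ROT13:", rot("Cat"), "-> applied twice:", rot(rot("Cat")))
    for group in six_bit_groups(b"Cat"):
        print(group, int(group, 2), B64_ALPHABET[int(group, 2)])
    header = "Basic " + b64_encode(b"alice:s3cret")  # constructed sample credential
    print(header, "->", decode_basic_auth(header))
```

Both transformations are reversible by anyone: ROT13 has a fixed, public key and Base64 has no key at all, so neither provides confidentiality on its own.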
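The hashing properties in section 2.3 and the sign-and-compare exchange between Bob and Alice in section 1.2.5 can be tried together. This is an added example, not part of the lecture notes: it uses SHA-256 and textbook RSA without padding on small fixed primes, which is an assumption made so that it runs with the standard library only and is not suitable for real use; the messages and key pairs are constructed.

```python
# Added example (not from the lecture notes): hash properties and hash-then-sign.
# Textbook RSA, no padding, small fixed primes: for illustration only.
import hashlib

E = 65537  # public exponent


def digest(data: bytes) -> bytes:
    """Fixed-length (32-byte) SHA-256 hash of the data."""
    return hashlib.sha256(data).digest()


def bits_changed(a: bytes, b: bytes) -> int:
    """Count the bits that differ between the hashes of a and b."""
    return sum(bin(x ^ y).count("1") for x, y in zip(digest(a), digest(b)))


def find_truncated_collision(nbytes: int = 2):
    """Find two different inputs whose hashes agree on the first nbytes bytes.

    Shortening the hash to 16 bits makes the collision the notes mention
    easy to reach; the full 256-bit hashes of the two inputs still differ.
    """
    seen = {}
    counter = 0
    while True:
        msg = b"msg-%d" % counter
        tag = digest(msg)[:nbytes]
        if tag in seen:
            return seen[tag], msg
        seen[tag] = msg
        counter += 1


def make_keypair(p: int, q: int):
    """Return (public, private) = ((n, e), (n, d)) for two distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def sign(message: bytes, private_key) -> int:
    """Bob's side: hash the message, then transform the hash with the private key."""
    n, d = private_key
    return pow(int.from_bytes(digest(message), "big") % n, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Alice's side: recover the signed hash with the public key and compare it
    with a freshly generated hash of the message she received."""
    n, e = public_key
    recovered = pow(signature, e, n)
    fresh = int.from_bytes(digest(message), "big") % n
    return recovered == fresh


# Constructed toy keys built from known Mersenne primes.
BOB_PUBLIC, BOB_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
EVE_PUBLIC, EVE_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)

if __name__ == "__main__":
    print("bits changed by a one-bit edit:", bits_changed(b"Cat", b"Cau"))
    print("16-bit collision:", find_truncated_collision())
    sig = sign(b"pay Alice 10", BOB_PRIVATE)
    print("genuine:", verify(b"pay Alice 10", sig, BOB_PUBLIC))
    print("tampered:", verify(b"pay Alice 1000", sig, BOB_PUBLIC))
    # Verification only proves which key pair signed; if Alice holds Eve's key
    # believing it is Bob's, Eve's signature verifies. Hence the trust problem.
    print("Eve's key in place of Bob's:",
          verify(b"pay Eve 10", sign(b"pay Eve 10", EVE_PRIVATE), EVE_PUBLIC))
```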
Since a hash has a fixed length that is smaller than the original data, it is possible that two different sets of data produce an identical hash. This is known as a hash collision and can lead to problems.

Activity 2.9 NetLabs – Hashing things out (CLMS)

3 Modern symmetric systems and standards
Ciphers can be categorized into two types: ‘block’ and ‘stream’.
1. A block cipher divides the plaintext into fixed lengths of bits; examples are 3DES and AES.
2. A stream cipher encrypts one bit or one byte at a time. Stream ciphers are faster than block ciphers and, in general, more efficient for streaming video or audio; examples are Rivest Cipher 4 (RC4) and Software-optimized Encryption Algorithm (SEAL).

Digital Encryption Standard (DES): It uses a key of fifty-four bits to encode any number between 0 and 254.

3DES is an implementation of the DES algorithm that uses three passes of the DES algorithm instead of one as used in ordinary DES applications. It provides much stronger encryption than DES.

Advanced Encryption Standard (AES) is another block cipher and is one of the most secure symmetric systems. Like 3DES, the protocol is open; the protection of data is in both the mathematics and the preservation of the secret key, which can be 128, 192 or 256 bits.

Software-Optimized Encryption Algorithm (SEAL) is a stream cipher and can optionally be used in IPsec as part of, for example, a virtual private network system.

The Blowfish system was designed by Bruce Schneier in 1993 and uses a 64-bit block size with a variable-length key (up to 256 bits). Another system, Twofish, is derived from it. Twofish has a larger, 128-bit block size.

In the Rivest Cipher (RC) series, RC4 is a stream cipher with a variable-length key up to 2048 bits. It was used in WPA on Wi-Fi networks but is no longer considered secure. RC5 and RC6 are both block ciphers.
Salsa20 and ChaCha20 are stream cipher families that were developed by Daniel Bernstein in 2005 and 2008 respectively. ChaCha20, along with another encryption method created by Bernstein known as Poly1305, is used by Google in an application of Transport Layer Security (TLS) (i.e., used in websites whose address starts ‘https’).

4 Initialization Vector in Block Cipher
Figure 2.18 The block cipher

An initialization vector is a binary vector used as the input to initialize the algorithm for the encryption of a plaintext block sequence to increase security by introducing additional cryptographic variance and to synchronize cryptographic equipment. (NIST)

4.1 Random number generation
Computers can generate numbers that appear to be random quite easily. These numbers can be used in simulations and for some games and are known as pseudo-random numbers. They usually rely on a number, called the ‘seed’, to start them and then produce a string of numbers that eventually repeat. If the seed and the algorithm are known, the numbers can be predicted. Pseudo-random number algorithms can be seeded by some environmental input, such as the last digits of an internal clock or even a capture of some aspect of the user’s mouse movements.

A truly random number relies on an external random event. Hardware random number generators generate values using random natural phenomena such as electronic noise in circuits or the random radio noise generated in the Earth’s upper atmosphere.

5 Substitution–permutation network

6 Applications of symmetric systems
- chip and PIN bank cards
- transmission of data on the internet
- WPA2 (Wi-Fi)
- Internet Protocol Security (IPsec)
- Transport Layer Security (TLS).

6.1 Transmission of data
All other applications of symmetric encryption algorithms involve the transmission and receipt of data across a physical medium. Symmetric encryption is commonly employed to help keep messages private as they traverse the internet.
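Sections 4 and 4.1 above explain what an initialization vector adds to a block cipher and why values from a seeded generator can be predicted. The following added example (not part of the lecture notes) shows both in a toy CBC mode; the SHA-256-based Feistel cipher is a stand-in for a real block cipher such as AES, chosen as an assumption so the example needs only the standard library, and all keys, seeds and messages are constructed.

```python
# Added example (not from the lecture notes): fixed, seeded and fresh IVs in CBC mode.
# toy_block_encrypt is a Feistel construction over SHA-256 standing in for AES.
import hashlib
import random
import secrets

BLOCK = 16   # block size in bytes
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key: bytes, i: int, half: bytes) -> bytes:
    """Keyed round function: hash of key, round number and one half-block."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, xor(left, round_fn(key, i, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = xor(right, round_fn(key, i, left)), left
    return left + right


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Each plaintext block is XORed with the previous ciphertext block (the IV first)."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad  # PKCS#7-style padding
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += xor(toy_block_decrypt(key, block), prev)
        prev = block
    return out[:-out[-1]]  # strip the padding


def iv_from_seed(seed: int) -> bytes:
    """IV from a seeded pseudo-random generator: anyone who knows the seed gets the same IV."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(BLOCK))


def fresh_iv() -> bytes:
    """IV from the operating system's cryptographic random source."""
    return secrets.token_bytes(BLOCK)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    msg = b"transfer 100 to account 42"
    fixed = bytes(BLOCK)
    # Same key and IV: identical ciphertexts reveal that the message was repeated.
    print(cbc_encrypt(key, fixed, msg) == cbc_encrypt(key, fixed, msg))
    # Clock-style seed: the IV can be regenerated by anyone who guesses the seed.
    print(iv_from_seed(1700000000) == iv_from_seed(1700000000))
    # Fresh IVs: the same message encrypts differently every time.
    print(cbc_encrypt(key, fresh_iv(), msg) != cbc_encrypt(key, fresh_iv(), msg))
```

The IV travels with the ciphertext and does not need to be secret, but it must not repeat under the same key and should come from a cryptographic random source.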
Symmetric encryption and decryption can be carried out relatively quickly on common computer processors, without slowing them down or taking up much processing power. Designers need to consider security from the design stage, and there has been criticism that many Internet of Things (IoT) devices did not have security built in.

6.2 Bulk data encryption – an example of hardening

Security hardening refers to any method used to make it more difficult for an attacker to succeed in stealing confidential information. One method for encrypting data is Microsoft’s BitLocker. This can be used to protect the contents of a computer’s entire storage system, be it a hard drive or solid-state drive. BitLocker encrypts the complete volume or partition of a drive. Other full disk encryption systems include FileVault, which is included in Mac operating systems, and Linux Unified Key Setup (LUKS), a Linux specification. All these are based on AES.

The encryption and decryption must take place at speed, so that a user who has been authenticated as a valid user is able to access all the software and data needed without being aware of the cryptography running in the background.

6.3 Investigation of a modern encryption method

7 Limitations of symmetric systems

Symmetric systems rely on the ability of the sender and receiver to keep a key secret. As you have seen, the protocol used in the exchange of data can, and should, be public, so that its effectiveness can be analyzed independently. But any key used must be secret. This leads to three major limitations of symmetric keys:

- Limitation due to susceptibility to Brute-Force Attack (BFA)
- Limitation due to the key distribution problem
- Limitation due to the multiple key problem

8 Steganography

Steganography is the study of hiding information inside other information, which could be text documents, but in the digital age is typically image or audio files.
The information is often encrypted and can only be retrieved from the cover file with the use of a password. A typical steganography program, Steghide for example, works by compressing and encrypting the secret information and then manipulating pixels or audio samples in a way determined by a pseudo-random number that has been seeded by the pass phrase.

Steganography can be used to counter plagiarism and copyright theft. Recording studios and production companies embed information into their files to help track them or to record copyright tags (Null Byte, 2018).

Summary

This week we introduced a review of basic cryptographic topics, and we also looked at the principles of the CIA Triangle, non-repudiation and authentication in the context of cryptography. In the context of using cryptography for authentication, the use of web of trust was contrasted with the work of certificate authorities. You also looked at currently used symmetric cryptography systems including 3DES and AES. Initialization Vectors and substitution–permutation networks were considered along with the importance of random number generation. Finally, we looked at the limitations of symmetric systems before considering one final application – steganography.

The NetLabs activities provided an opportunity to gain some practical experience of the different concepts covered. If you haven’t had a chance to complete them, you should try to do so before moving on to Part 3, where you will continue to explore cryptography, this time looking at asymmetric cryptography techniques.
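
The embedding step described for Steghide in section 8, reduced to a simple least-significant-bit scheme as an added example (not Steghide's own algorithm or code, and not part of the original notes). The functions `embed` and `extract`, the cover bytes and the copyright tag are constructed for illustration, and the encryption step is left out because the Python standard library provides no cipher.

```python
import hashlib
import random
import zlib


def _order(passphrase: str, n: int) -> list:
    """Passphrase-seeded pseudo-random ordering of the n cover samples."""
    seed = int.from_bytes(hashlib.sha256(passphrase.encode()).digest(), "big")
    order = list(range(n))
    random.Random(seed).shuffle(order)
    return order


def _to_bits(data: bytes) -> list:
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]


def _from_bits(bits: list) -> bytes:
    groups = (bits[i:i + 8] for i in range(0, len(bits), 8))
    return bytes(int("".join(map(str, g)), 2) for g in groups)


def embed(cover: bytes, secret: bytes, passphrase: str) -> bytes:
    """Hide zlib-compressed `secret` in the least significant bits of `cover`.
    Encryption, which Steghide applies before embedding, is omitted here."""
    packed = zlib.compress(secret)
    bits = _to_bits(len(packed).to_bytes(4, "big") + packed)  # length header
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    stego = bytearray(cover)
    for pos, bit in zip(_order(passphrase, len(cover)), bits):
        stego[pos] = (stego[pos] & 0xFE) | bit
    return bytes(stego)


def extract(stego: bytes, passphrase: str) -> bytes:
    """Recover the payload; a wrong passphrase reads the wrong samples."""
    lsb = [stego[pos] & 1 for pos in _order(passphrase, len(stego))]
    length = int.from_bytes(_from_bits(lsb[:32]), "big")
    if 32 + length * 8 > len(lsb):
        raise ValueError("no payload found for this passphrase")
    return zlib.decompress(_from_bits(lsb[32:32 + length * 8]))


# Constructed cover: 4096 bytes standing in for 8-bit pixel or audio samples.
COVER = bytes((i * 37 + 11) % 256 for i in range(4096))
TAG = b"(c) Example Studio, track 0042"  # constructed copyright tag

if __name__ == "__main__":
    stego = embed(COVER, TAG, "correct horse")
    print(extract(stego, "correct horse"))
```

Each sample differs from the cover by at most one, so the change is not visible or audible, and the tag is only located by someone who knows the pass phrase that seeds the ordering.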