Data Security - PDF
Document Details
Uploaded by RighteousSweetPea
Tags
Summary
This document provides an overview and information on data security. It discusses the differences between data security and compliance, and various types of data security strategies. The document also examines business challenges related to data security and compliance and describes security tools and protocols.
Full Transcript
1 DATA SECURITY 2 CONTENTS Why is data security important? Difference between data security and compliance Types of Data Security Data Security strategies Data Security Trends How data Security and other facets...
1 DATA SECURITY 2 CONTENTS Why is data security important? Difference between data security and compliance Types of Data Security Data Security strategies Data Security Trends How data Security and other facets interact 3 WHY IS DATA SECURITY IMPORTANT? Data security is the practice of protecting digital information from unauthorized access, corruption or theft throughout its entire lifecycle. It’s a concept that encompasses every aspect of information security from the physical security of hardware and storage devices to administrative and access controls, as well as the logical security of software applications. It also includes organizational policies and procedures. DATA SECURITY AND COMPLIANCE 4 What’s the difference? Data security is the application of deterrents or security controls to protect data. The level of deterrents or security is commensurate to how the individual or entity uniquely “values” the data. Compliance is applying a baseline of security controls (people, process, technology) defined by a standard. The baseline is applied to a specific type of data….typically regulated; such as health information, financial, personally identifiable information DATA SECURITY AND COMPLIANCE 5 Does Compliance equal highest level of security? No, it ensures a repeatable, stable baseline of security that can be measured to meet a specific regulatory requirement Does highest level of security mean you are “secure”? Maybe, depends on where you place your security. Can you cover 100%...probably not. Data Security and Compliance are key pieces to GW’s information risk management…ensuring compliance and placing highest security controls on assets that matter the most COMPLIANCE LANDSCAPE 6 http://www.higheredcompliance.org/matrix/ BUSINESS CHALLENGES 7 Digital transformation is profoundly altering every aspect of how today’s businesses operate and compete. The sheer volume of data that enterprises create, manipulate and store continues to grow, driving a greater need for data governance. In addition, computing environments are more complex than they once were, routinely spanning the public cloud, the enterprise data center and numerous edge devices ranging from Internet of Things (IoT) sensors to robots and remote servers. This complexity creates an expanded attack surface that’s more challenging to monitor and secure. FRAMEWORKS AND STRATEGIES…MORE 8 THAN TECHNOLOGY NIST 800-53 ISO27001 National Cybersecurity Framework BUSINESS CHALLENGES 9 The need for data compliance is magnified by maximum fines in the millions of dollars. Every enterprise has a strong financial incentive to ensure it maintains compliance. BUSINESS CHALLENGES 10 Security and compliance are often characterized as two sides of the same coin—you can’t have one without the other. As cloud-resident data increases, it raises the ante for the organization to secure ever- growing data and meet compliance requirements BUSINESS CHALLENGES 11 BUSINESS CHALLENGES 12 Effective compliance program BUSINESS CHALLENGES 13 Usage of enterprise data security technologies ADVANCED DATA SECURITY… 14 Part of a defense in depth strategy to apply higher levels of security to high value information/assets Penetration tests/Red team analysis Application code reviews System hardening Logging Intrusion detection Staff with advanced training/credentials (forensics, malware analysis) EXAMPLES OF DATA SECURITY ≠ 15 COMPLIANCE 40 million credit cards stolen, Target was PCI (Payment Card Industry) compliant, attacked through HVAC vendor TYPE OF DATA SECURITY 16 ENCRYPTION – using DATA MASKING – an algorithm to organizations can allow transform normal text teams to develop characters into application using real unreadable format. data DATA RESILIENCY – determined by how well DATA ERASURE – uses an organizations endures or recovers from any type software to of failures – from completely overwrite hardware to power data in any storage shortages and other device. events that affects data availability. DATA SECURITY CAPABILTIES AND SOLUTIONS 17 Data discovery and classification tools – Data and files activity sensitive information monitoring – analyze can reside in structures data usage patterns, and unstructured enabling security teams repositories including to see who is access data, databases, data spot anomalies and warehouse, big data identify risks. platforms and cloud environment Vulnerability assessment and risk Automated analysis tools – these compliance reporting solutions ease the – comprehensive data process of detecting protection solutions. and mitigating vulnerabilities DATA SECURITY STRATEGIES 18 Access Physical security management and of servers and controls – the Application security and user devices – a principle of “least- patching – all software should be updated to cloud provider privilege access” the latest version will assume should be followed responsibility throughout your entire IT environment. Employee Education – Network and endpoints Backups – maintain training employees in security monitoring and usable, thoroughly the importance of good controls – implementing tested backup copies of security practices and a comprehensive suite all critical data is a core password hygine - of threat management, component of any “human firewall” detection, and response robust data security tools and platforms… strategies. 19 COMMON DENOMINATORS What are the common denominators? Knowing what data you have Knowing the value of the data Knowing the risks to your data Understanding likelihood and impact of these risks Accepting a level of risk 20 COMMON RISK FACTORS Awareness of information in your care Access to information…need to know principle Dissemination of information…technology makes it easy Lack of knowledge or training of staff…knowing your role, how to identify and what to do in situations Increased visibility of data loss…fines, reputational hit, accreditation risks, grants 21 BEST PRACTICES YOU CAN TAKE Referencing back to the Common Denominators slide Knowing what data you have Knowing the value of the data Knowing the risks to your data Understanding the risk tolerance Ensure you and your team are leveraging available resources (tools, training, seminars) Never hesitate to ask for assistance…better to be safe 22 DATA SECURITY TRENDS AI – this allows for rapid decision- making in times of critical need. Quantum – a revolutionary technology, Multicloud security – the definition of data security has expanded as cloud capabilities grow, HOW DATA SECURITY AND OTHER 23 SECURITY FACETS INTERACT Achieving enterprise-grade data security - the key to applying an effective data security strategy is Data security and BYOD - the use of adopting a risk-based approach to personal computers, tablets, and protecting data across the entire mobile devices in enterprise enterprise computing environments is on the rise despite security leaders’ well- founded concerns about the risks that this practice can pose Data security and the cloud - securing cloud-based infrastructures requires a different approach than the traditional model of situating defenses at the network’s perimeter. SECURITY COMPLIANCE MANAGER A Tool for Managing Security Configurations and Compliance WHAT IS SECURITY COMPLIANCE MANAGER? Security Compliance Manager (SCM) is a tool developed by Microsoft to help organizations manage security configurations and ensure compliance. It includes pre-configured baselines for Windows OS and other Microsoft products, allowing administrators to assess, customize, and deploy security configurations. KEY FEATURES OF SECURITY COMPLIANCE MANAGER 1. Pre-configured Baseline Templates 2. Customization of Baselines 3. Compliance Assessments 4. Security Configuration Deployment 5. Reporting and Documentation PRE-CONFIGURED BASELINE TEMPLATES - Includes templates for Windows OS, Office, and more. - Baselines adhere to industry standards and best practices. - Administrators can use these templates as a starting point for security configurations. CUSTOMIZATION OF BASELINES - Users can modify baselines to meet specific requirements. - Export options include GPO backups, DCM packs, and SCCM formats. - Customized baselines can be deployed across the organization. COMPLIANCE ASSESSMENTS - SCM allows comparisons between existing configurations and predefined baselines. - Helps identify non-compliance and security gaps. - Facilitates continuous monitoring and improvement. SECURITY CONFIGURATION DEPLOYMENT - Supports exporting baselines to Group Policy or SCCM. - Simplifies deployment and management of security settings. - Ensures consistency across all systems and devices. REPORTING AND DOCUMENTATION - SCM provides detailed reports and documentation on each setting. - Useful for auditors and compliance officers. - Enables organizations to maintain transparency in security configurations. USE CASES FOR SECURITY COMPLIANCE MANAGER 1. Ensuring Compliance with Regulations 2. Security Hardening of Systems 3. Configuration Management for Large-Scale Environments 4. Security Auditing and Assessment DISCONTINUATION AND MODERN ALTERNATIVES - Microsoft has discontinued SCM; it is no longer supported. - Recommended alternative: Microsoft Security Compliance Toolkit. - The toolkit includes updated security baselines for modern security and compliance needs. SECURITY POLICY Guidelines for Information Security and Risk Management INTRODUCTION TO SECURITY POLICY A Security Policy is a formal document that outlines an organization’s rules and procedures for protecting its data and information systems. It ensures the confidentiality, integrity, and availability of data, providing guidelines for secure operations and compliance with regulations. PURPOSE AND SCOPE - **Purpose**: To define guidelines for safeguarding organizational assets and data. - **Scope**: Covers employees, contractors, systems, and data within the organization. KEY COMPONENTS OF A SECURITY POLICY 1. Information Classification 2. Access Control 3. User Responsibilities 4. Data Protection 5. Incident Response and Reporting 6. Physical and Environmental Security 7. Network and System Security 8. Third-Party and Vendor Management 9. Training and Awareness 10. Compliance and Legal Requirements INFORMATION CLASSIFICATION - Categorizes data based on sensitivity and criticality. - Defines levels of access and handling requirements (e.g., Confidential, Internal, Public). - Guides how data should be stored, transmitted, and disposed of. ACCESS CONTROL - Establishes procedures for granting and revoking access. - Includes guidelines for authentication and authorization. - Enforces least privilege principle and regular review of permissions. INCIDENT RESPONSE AND REPORTING - Defines what constitutes a security incident and how to report it. - Outlines the organization’s incident response plan. - Steps include containment, mitigation, communication, and post-incident review. DATA PROTECTION - Details encryption standards, data storage, and data transmission requirements. - Includes backup, retention, and secure disposal practices. - Ensures compliance with data protection regulations. COMPLIANCE AND LEGAL REQUIREMENTS - Specifies adherence to regulations (e.g., GDPR, HIPAA, PCI-DSS). - Includes procedures for audits and compliance reviews. - Ensures policies are up-to-date with changing laws and standards. POLICY REVIEW AND UPDATES - Sets a schedule for periodic review and updating of the policy. - Assigns responsibility for maintaining the policy. - Adapts to new security threats and changes in the organization’s environment. WINDOWS SECURITY SETTINGS Overview and Configuration of Key Security Settings in Windows OS INTRODUCTION TO WINDOWS SECURITY SETTINGS Windows Security Settings are configurations and policies that control user access, system security, and data protection. These settings help prevent unauthorized access, data breaches, and malware attacks by enforcing security policies and restrictions. KEY WINDOWS SECURITY SETTINGS 1. Account and User Rights Management 2. Local Security Policy 3. Windows Firewall and Network Protection 4. User Account Control (UAC) 5. BitLocker Drive Encryption 6. Windows Defender Antivirus 7. Group Policy Management 8. Credential Guard 9. Device Guard and Application Control 10. Security Baselines ACCOUNT AND USER RIGHTS MANAGEMENT - Account Policies: Password policy, account lockout policy, and Kerberos settings. - User Rights Assignment: Assigns privileges like "Log on locally" and "Shut down the system". - Secures user accounts to prevent unauthorized access. LOCAL SECURITY POLICY - Security Options: Controls system settings like UAC behavior and network security. - Audit Policy: Configures which events are logged in the Event Viewer. - Allows granular control of security settings on individual systems. WINDOWS FIREWALL AND NETWORK PROTECTION - Manages inbound and outbound traffic to and from the computer. - Allows creating firewall rules and configuring IPsec policies. - Essential for protecting against network-based attacks. USER ACCOUNT CONTROL (UAC) - Prompts for administrative approval when changes affect system settings. - Reduces the risk of malware gaining elevated privileges. - Configurable through Local Security Policy and Group Policy. BITLOCKER DRIVE ENCRYPTION - Provides full-volume encryption for protecting data at rest. - Can be enforced through group policy. - Ensures data is secure even if the device is lost or stolen. GROUP POLICY MANAGEMENT - Use Group Policy Editor (GPE) for centralized management of security settings. - Configures user rights, security policies, and software restrictions. - Enables policy-based security management across large environments. WINDOWS DEFENDER ANTIVIRUS - Built-in antivirus and anti-malware solution for Windows. - Provides real-time protection and regular updates. - Configurable through Group Policy and PowerShell for automated deployments. CREDENTIAL GUARD AND DEVICE GUARD - Credential Guard: Protects credentials from being stolen through isolation. - Device Guard: Uses hardware-based security to lock down devices. - Prevents attacks like Pass-the-Hash and unauthorized application execution. BEST PRACTICES FOR WINDOWS SECURITY SETTINGS 1. Enforce Strong Password Policies 2. Enable Multi-factor Authentication (MFA) 3. Apply Security Baselines for Consistency 4. Regularly Update and Patch Systems 5. Use BitLocker and Credential Guard 6. Implement Firewall Rules for Network Security 7. Monitor System Logs and Audit Policies Principles of Information Security Sixth Edition Data Encryption Copyright © 2018 Cengage. May not be copied, scanned, or duplicated, in whole or in part, except for use as permitted in a license distributed with a certain product or service or otherwise on a password-protected website for classroom use. Learning Objectives Upon completion of this material, you should be able to: – Chronicle the most significant events and discoveries in the history of cryptology – Explain the basic principles of cryptography – Describe the operating principles of the most popular cryptographic tools – List and explain the major protocols used for secure communications Introduction Cryptology: the field of science that encompasses cryptography and cryptanalysis. Cryptanalysis: the process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption. Cryptography: the process of making and using codes to secure information. Foundations of Cryptology Cryptology has an extensive and multicultural history. All popular Web browsers use built-in encryption features for secure e-commerce applications. Restrictions on the export of cryptosystems began after World War II. Terminology Algorithm Bit stream cipher Block cipher Cipher or cryptosystem Ciphertext/Cryptogram Code Decipher Decrypt Terminology Encipher Encrypt Key/Crypto variable Keyspace Link encryption Plaintext/Cleartext Steganography Work factor Cipher Methods Plaintext can be encrypted through: – Bit stream: each plaintext bit is transformed into a cipher bit one bit at a time. – Block cipher: message is divided into blocks (e.g., sets of 8- or 16-bit blocks), and each is transformed into encrypted block of cipher bits using algorithm and key. Substitution Cipher Substitutes or exchanges one value for another Monoalphabetic substitution: only incorporates a single alphabet in the encryption process Polyalphabetic substitution: incorporates two or more alphabets in the encryption process Vigenère cipher: advanced type of substitution cipher that uses a simple polyalphabetic code; made up of 26 distinct cipher alphabets The Vigenere square Transposition Cipher Also known as a permutation cipher; involves simply rearranging the values within a block based on an established pattern. Can be done at the bit level or at the byte (character) level. To make the encryption even stronger, the keys and block sizes can be increased to 128 bits or more. Exclusive OR (XOR) A function within Boolean algebra used as an encryption function in which two bits are compared. – If the two bits are identical, the result is a binary 0. – If the two bits are not identical, the result is a binary 1. Very simple to implement and simple to break; should not be used by itself when organization is transmitting/storing sensitive data. Table 8-3 XOR Table First bit Second bit result 0 0 0 0 1 1 1 0 1 1 1 0 Table 8-3 Example XOR Encryption Text value Binary value CAT as bits 010000110100000101010100 VVV as key 010101100101011001010110 Cipher 000101010001011100000010 Vernam Cipher A cryptographic technique developed at AT&T and known as the “one-time pad.” This cipher uses a set of characters for encryption operations only one time and then discards it. To perform: – The pad values are added to numeric values that represent the plaintext that needs to be encrypted – Each character of the plaintext is turned into a number and a pad value for that position is added – The resulting sum for that character is then converted back to a ciphertext letter for transmission – If the sum of the two values exceeds 26, then 26 is subtracted from the total Book-Based Ciphers Uses text from a predetermined book as a key to decrypt a message. Book cipher: ciphertext consists of a list of codes representing page, line, and word numbers of plaintext word. Running key cipher: uses a book for passing the key to cipher similar to Vigenère cipher; sender provides encrypted message with sequence of numbers from predetermined book to be used as an indicator block. Template cipher: involves use of hidden message in book, letter, or other message; requires page with specific number of holes cut into it. Hash Functions Mathematical algorithms that create a message summary or digest to confirm message identity and integrity Convert variable-length messages into a single fixed-length value Message authentication code (MAC) may be attached to a message Used in password verification systems to store passwords and confirm the identity of the user Figure 8-4 Various hash values Source: SlavaSoft HashCalc. Cryptographic Algorithms Often grouped into two broad categories, symmetric and asymmetric. Today’s popular cryptosystems use a combination of both symmetric and asymmetric algorithms. Symmetric and asymmetric algorithms are distinguished by the types of keys used for encryption and decryption operations. Symmetric Encryption A cryptographic method in which the same algorithm and “secret” are used both to encipher and decipher the message; also known as private- key encryption. Can be programmed into fast computing algorithms and executed quickly. Both sender and receiver must possess the same secret key. If either copy of the key is compromised, an intermediate can decrypt and read messages without sender/receiver knowledge. Symmetric Encryption Encryption Data Encryption Standard (DES): one of the most popular symmetric encryption cryptosystems. – 64-bit block size; 56-bit key Triple DES (3DES): created to provide security far beyond DES. – Advanced Encryption Standard (AES): developed to replace both DES and 3DES ▪ Adopted by NIST in November 2001 as the federal standard for encrypting non-classified information Figure 8-5 Example of symmetric encryption Rachel at ABC corp. generates a secret key. She must somehow get it to Alex at XYZ corp. out of band. Once Alex has it, Rachel can use it to encrypt messages, and Alex can use it to decrypt and read them. Asymmetric Encryption A cryptographic method that incorporates mathematical operations involving two different keys (commonly known as the public key and the private key) to encipher or decipher a message. Either key can be used to encrypt a message, but then the other key is required to decrypt it. Also known as public-key encryption. Uses two different but mathematically related keys – Either key can encrypt or decrypt a message – If Key A encrypts a message, only Key B can decrypt – Greatest value when one key serves as a private key and the other serves as a public key RSA algorithm was the first public-key encryption algorithm developed/published for commercial use. Figure 8-6 Example of asymmetric encryption Alex at XYZ corp. wants to send a message to Rachel at ABC corp. Rachel stores her public key where it can be accessed by anyone. Alex retrieves Rachel’s key and uses it to create ciphertext that can be decrypted only by Rachel’s private key, which only she has. To respond, Rachel gets Alex’s public key to encrypt her message. Encryption Key Size When deploying ciphers, the size of the cryptovariable or key is very important. The strength of many encryption applications and cryptosystems is measured by key size. For cryptosystems, the security of encrypted data is not dependent on keeping the encrypting algorithm secret. Cryptosystem security depends on keeping some or all of elements of cryptovariable(s) or key(s) secret. Encryption key power It is estimated that to crack an encryption key using a brute force attack, a computer needs to perform a maximum of 2^k operations (2k guesses), where k is the number of bits in the key. In reality, the average estimated time to crack is half that time. The estimated average time to crack is based on a 2015-era PC with an Intel i7- 6700k Quad core CPU performing 207.23 Dhrystone GIPS (billion instructions per second) at 4.0 GHz** Key Length Maximum Number of Estimated Average Maximum Time to Crack (Bits) Operations (Guesses) Time to Crack 16 65,536 0.0000003 seconds 0.00000016 seconds 24 16,777,216 0.00008 seconds 0.00004 seconds 32 4,294,967,296 0.02 seconds 0.01 seconds 56 7.E+16 4.02 days 2.01 days 64 2.E+19 42.93 years 21.47 years 19,005,227,625,557,100, 9,502,613,812,778,540, 128 3.E+38 000,000 years 000,000 years Table 8-5 Encryption key power Maximum Number Key of Estimated Average Length Maximum Time to Crack Operations Time to Crack (Bits) (Guesses) 3,233, 6,467,143,840,295,770, 571,920,147,890,000, 000,000,000,000,000, 256 1.E+77 000,000,000,000,000, 000,000,000,000,000, 000,000,000,000,000, 000,000,000,000,000 years 000,000,000,000 years 748,844,096, 374,422,048, 666,088,000,000,000,000, 333,044,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 512 1.E+154 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000,000,000,000,000,000, 000 years 000 years Table 8-5 Encryption key power (3 of 3) **Note: The authors acknowledge that this benchmark is based on a very specific application test and that the results are not generalizable. However, these calculations are shown to illustrate the relative difference between key length strength rather than to accurately depict time to crack. Even using the much more conservative TechSpot 7-zip benchmark, which clocked this CPU at 25,120 MIPS (or 25.12 GIPS), the estimated average time to crack would only be approximately 8.25 times slower than the numbers shown, resulting in an average time to crack of 16.6 days, as opposed to the 2.01 days shown above for a 56-bit key length. Some new 2016-era CPUs are approximately twice as fast as the version shown here on the 7-zip benchmarks, but they do not include Dhrystone benchmarks (such as the Intel Core i7-6950X with 10 cores/20 threads). Source: www.techspot.com/review/1187-intel-core-i7-6950x-broadwell- e/page4.html. Cryptographic Tools Potential areas of use include: – Ability to conceal the contents of sensitive messages – Verify the contents of messages and the identities of their senders Tools must embody cryptographic capabilities so that they can be applied to the everyday world of computing. Public-Key Infrastructure (PKI) Integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services enabling users to communicate securely PKI systems based on public-key cryptosystems PKI protects information assets in several ways: – Authentication – Integrity – Privacy – Authorization – Nonrepudiation Public-Key Infrastructure (PKI) (2 of 2) Typical PKI solution protects the transmission and reception of secure information by integrating: – A certificate authority (CA) – A registration authority (RA) – Certificate directories – Management protocols – Policies and procedures Digital Signatures Created in response to rising the need to verify information transferred via electronic systems. Asymmetric encryption processes used to create digital signatures. Nonrepudiation: the process that verifies the message was sent by the sender and thus cannot be refuted. Digital Signature Standard (DSS) is the NIST standard for digital signature algorithm usage by federal information systems. DSS is based on a variant of the ElGamal signature scheme. Digital Certificates Electronic document/container file containing key value and identifying information about entity that controls key. Digital signature attached to certificate’s container file certifies file’s origin and integrity. Different client-server applications use different types of digital certificates to accomplish their assigned functions. Distinguished name (DN): uniquely identifies a certificate entity. Figure 8-7 Digital signature in Windows Internet Explorer Source: Windows Internet Explorer. Figure 8-8 Example digital certificate Source: Amazon.com. Table 8-6 X.509 v3 Certificate Structure X.509 v3 Certificate Structure Version Certificate Serial Number Algorithm ID Algorithm ID Parameters Issuer Name Validity Not Before Not After Subject Name Subject Public-Key Information Public-Key Algorithm Parameters Subject Public Key Issuer Unique Identifier (Optional) Subject Unique Identifier (Optional) Extensions (Optional) Type Criticality Value Certificate Signature Algorithm Certificate Signature Source: Stallings, W. Cryptography and Network Security, Principles and Practice. Hybrid Cryptography Systems Except with digital certificates, pure asymmetric key encryption is not widely used. Asymmetric encryption is more often used with symmetric key encryption, as part of a hybrid system. Diffie-Hellman Key Exchange method: – Most common hybrid system – Provides foundation for subsequent developments in public-key encryption Figure: Example of hybrid encryption Rachel at ABC corp. stores her public key where it can be accessed. Alex at XYZ corp. retrieves it and uses it to encrypt his session (symmetric) key. He sends it to Rachel, who decrypts Alex’s session key with her private key, and then uses Alex’s session key for short-term private communications. Steganography The process of hiding messages; for example, hiding a message within the digital encoding of a picture or graphic so that it is almost impossible to detect that the hidden message even exists Also known as the art of secret writing Has been used for centuries Most popular modern version hides information within files that contain digital pictures or other images Some applications hide messages in.bmp,.wav,.mp3, and.au files, as well as in unused space on CDs and DVDs Protocols for Secure Communications Most of the software currently used to protect the confidentiality of information are not true cryptosystems. They are applications to which cryptographic protocols have been added. Particularly true of Internet protocols. As the number of threats to the Internet grew, so did the need for additional security measures. Securing Internet Communication with S- HTTP and SSL Secure Sockets Layer (SSL) protocol: developed by Netscape; uses public-key encryption to secure channel over public Internet. Secure Hypertext Transfer Protocol (S-HTTP): extended version of Hypertext Transfer Protocol; provides for encryption of individual messages between client and server across Internet. S-HTTP is the application of SSL over HTTP – Allows encryption of information passing between computers through protected and secure virtual connection Securing E-mail with S/MIME, PEM, and PGP Secure Multipurpose Internet Mail Extensions (S/MIME): builds on Multipurpose Internet Mail Extensions (MIME) encoding format and uses digital signatures based on public-key cryptosystems. Privacy Enhanced Mail (PEM): proposed as standard to use 3DES symmetric key encryption and RSA for key exchanges and digital signatures. Pretty Good Privacy (PGP): uses IDEA Cipher for message encoding. Securing Web Transactions with SET, SSL, and S-HTTP Secure Electronic Transactions (SET): developed by MasterCard and VISA in 1997 to protect against electronic payment fraud. Uses DES to encrypt credit card information transfers. Provides security for both Internet-based credit card transactions and credit card swipe systems in retail stores. Securing Wireless Networks with WEP and WPA Wired Equivalent Privacy (WEP): early attempt to provide security with the 8002.11 network protocol. Wi-Fi Protected Access (WPA and WPA2): created to resolve issues with WEP. Next Generation Wireless Protocols: Robust Secure Networks (RSN), AES–Counter Mode CBC MAC Protocol (CCMP). Bluetooth can be exploited by anyone within approximately 30 foot range, unless suitable security controls are implemented. Table: WEP Versus WPA WEP WPA Encryption Broken by scientists and Overcomes all WEP shortcomings hackers 40-bit key 128-bit key Static key- the same value is Dynamic keys-each user is assigned used by everyone on the a key per session with additional network keys calculated for each pocket Manual key distribution- Automatic key distribution each key is typed by hand into each device Authentication Broken; used WEP key itself Improved user authentication, using for Authentication stronger 802. 1X and EAP Source: www.wi-fi.org/files/wp_8_WPA%20Security_4-29-03.pdf. Securing TCP/IP with IPSec and PGP Internet Protocol Security (IPSec): an open-source protocol framework for security development within the TCP/IP family of protocol standards. IPSec uses several different cryptosystems – Diffie-Hellman key exchange for deriving key material between peers on a public network – Public-key cryptography for signing the Diffie- Hellman exchanges to guarantee identity – Bulk encryption algorithms for encrypting the data – Digital certificates signed by a certificate authority to act as digital ID cards Securing TCP/IP with IPSec and PGP (2 of 2) Pretty Good Privacy (PGP): hybrid cryptosystem designed in 1991 by Phil Zimmermann – Combined best available cryptographic algorithms to become open source de facto standard for encryption and authentication of e-mail and file storage applications – Freeware and low-cost commercial PGP versions are available for many platforms – PGP security solution provides six services: authentication by digital signatures, message encryption, compression, e-mail compatibility, segmentation, key management Figure: IPSec headers Summary Encryption is the process of converting a message into a form that is unreadable to unauthorized people. The science of encryption, known as cryptology, encompasses cryptography (making and using encryption codes) and cryptanalysis (breaking encryption codes). Two basic processing methods are used to convert plaintext data into encrypted data—bit stream and block ciphering. Summary (2 of 5) The other major methods used for scrambling data include substitution ciphers, transposition ciphers, the XOR function, the Vigenère cipher, and the Vernam cipher. The strength of many encryption applications and cryptosystems is determined by key size. Hash functions are mathematical algorithms that generate a message summary, or digest, that can be used to confirm the identity of a specific message, and confirm that the message has not been altered. Summary (3 of 5) Most cryptographic algorithms can be grouped into two broad categories: symmetric and asymmetric. Most popular cryptosystems combine the two. Public-key infrastructure (PKI) is an integrated system of software, encryption methodologies, protocols, legal agreements, and third-party services. PKI includes digital certificates and certificate authorities. Digital signatures are encrypted messages that are independently verified by a central facility, and which provide nonrepudiation. Summary (4 of 5) Steganography is the hiding of information. It is not properly a form of cryptography, but is similar in that it is used to protect confidential information while in transit. S-HTTP (Secure Hypertext Transfer Protocol), Secure Electronic Transactions (SET), and SSL (Secure Sockets Layer) are protocols designed to enable secure communications across the Internet. IPSec is the protocol used to secure communications across any IP-based network, such as LANs, WANs, and the Internet. Summary (5 of 5) Secure Multipurpose Internet Mail Extensions (S/MIME), Privacy Enhanced Mail (PEM), and Pretty Good Privacy (PGP) are protocols that are used to secure e-mail. Wireless networks require their own cryptographic protection. Originally protected with WEP and WPA, most modern Wi-Fi networks are now protected with WPA2.