Digital signature vs digital certificate in tabular form

Running head: Cryptography 1

Cryptography 6

Cryptography

Aisha Tate

UMUC

August 29, 2019

Hi Aisha

You are heading in the right direction. You need to have specific details correct. Please use this guide and use scholarly/peer-reviewed articles. You appear to have just googled the information. Here is the checklist. Create appropriate tables and use the correct sources. Please see my notes below.

Best wishes,

Dr K

Student Name: Aisha Tate

Date: 7-Sep-2019

This form provides the same classroom instructions in a checklist form to help students and professors quickly evaluate a submission

Project 5: Requires the Following TWO Pieces

Areas to Improve

1. Paper

2. Lab Experience Report with Screenshots

1. Paper

IT Systems Architecture

You will provide this information in tabular format and call it the Network Security and Vulnerability Threat Table

security architecture of the organization

the cryptographic means of protecting the assets of the organization

the types of known attacks against those types of protections

means to ward off the attacks

Include and define the following components of security in the architecture of your organization, and explain if threats to these components are likely, or unlikely:

LAN security

identity management

physical security

personal security

availability

privacy

Then list the security defenses you employ in your organization to mitigate these types of attacks.

Plan of Protection

Learn more about the transmission of files that do not seem suspicious but that actually have embedded malicious payload, undetectable to human hearing or vision. This type of threat can enter your organization’s networks and databases undetected through the use of steganography or data hiding. You should include this type of threat vector to an organization in your report to leadership.

Provide the leadership of your organization with your plan for protecting identity, access, authorization and nonrepudiation of information transmission, storage, and usage

Data Hiding Technologies

describe to your organization the various cryptographic means of protecting its assets. descriptions will be included in the network security vulnerability and threat table for leadership

Encryption Technologies

1. Shift / Caesar cipher

2. Polyalphabetic cipher

3. One time pad cipher/Vernam cipher/perfect cipher

4. Block ciphers

5. triple DES

6. RSA

7. Advanced Encryption Standard (AES)

8. Symmetric encryption

9. Text block coding

Data Hiding Technologies

1. Information hiding and steganography

2. Digital watermarking

3. Masks and filtering

Network Security Vulnerability and Threat Table

Describe the various cryptographic means of protecting its assets. descriptions will be included in the network security vulnerability and threat table for leadership

Encryption Technologies

1. Shift / Caesar cipher

2. Polyalphabetic cipher

3. One time pad cipher/Vernam cipher/perfect cipher

Access Control Based on Smart Card Strategies

Describe how identity management would be a part of your overall security program and your CAC deployment plan:

2. Lab Experience Report

Summarizes the Lab Experience and Findings

See note below*

Responds to the Questions

Provides Screenshots of Key Results

Yes

Lab Experience Report Feedback

· I am puzzled that your payload changed the size of the image file. You just added a text file? Right? You do not have to resubmit your Lab file.

Cryptography

Introduction

This is a security assessment report on cyber security threats against varying cryptographic mechanisms and set out control access programs to try to stop/inhibit such security threats for a property management firm. Within the report, there will be an overview of the property management firm’s network. Moreover, I will try to establish the different potential threats that he company faces. The report will also feature the property management needs to consider installation of stored information protection features as well as control to access of its employees. Perhaps, the report will also explain the enrolment of CAC (Control Access Cards) for authentication purposes. Then lastly, the report will cover email security and encryption types that can be used to aid in email security.

It system architecture

A distributed system is the network system used within our company’s offices. The constituents of this system includes; WLAN, LAN and a WAN. The office’s LAN is made up of a computer network. LAN mainly used for one purpose within the office: sharing of resources which includes printers and data storage infrastructures. The connection is wired. Besides being fast, it is also characterised for enhancing security. The function of WAN is interconnection of the LAN in offices of the entire firm. The primary advantage of this system is that the firm’s agents and employees can work from different workstations yet have the access to the company’s resources (Rouse, 2017). The LAN also is also connected to the internet through a firewall. All of the firm’s offices are connected to WLAN. This allows the firm’s agents to connect there devices (i.e. phones and laptops) to the company’s LAN hence access of the internet. Through this, they are able to access to important resources.

Lab Findings

The lab findings for project 5 involved the utilization of cryptography; gaining experience and an understanding of stenography and encryption/decryption. The three stenography programs used were OpenStego, QuickStetgo and OurSecret in addition, the two encryption/decryption programs used were VeraCrypt and AxCrypt. The Security Manager (SM) and the System Administrator (SA) for the system conducted research on their own systems to determine which tools they could recommend to the managers of the organization.

OpenStego was used to hide a secret message inside of a picture. This allowed the SM and SA to create messages, store the message in a text file, and lastly, text a file within the message of an existing image. This process then granted the message to be extracted from the picture with the payload. The most distinguished difference between the original image (757 kb) and the image with the payload (1.59 MB), was that the image was much larger in size with the payload.

The same technique was utilized in the hiding of a secret message inside of an image was identified when using QuickStego. The main contrtrast between using QuickStego and OpenStego was that QuickStego was more of a basic tool in terms of stenography. QuickStego didn’t grant the SM and SA access to encrypt or decrypt the payload tex data thats hiddin in the image. OurSecret included the same capabilities of hiding a secret message inside of an image, just like OpenStego and QuickStego. The most obvious distinction was that OurSecret had the ability to encrypt files hidden in an image, as well as assign a password that the user would need in order to extract the hidden files. OurSecret mirrored and mimicked OpenStego in regards that the file size would be larger if the file contained a hidden message within an image.

The two encryption/decryption tools that were used during this lab exercise were VeraCrypt and AxCrypt. While conducting the OpenStego portion of the lab exercise, it was noted that the SM and SA tested and used the VeraCrypt encryption/decryption tool to encrypt directories, drives, or partitions as containers. Later, those files could generate an encrypted file container, encrypt a non-system partition/drive and/or encrypt the system partition or the entire system drive. The SM and SA also used this tool, to encrypt and decrypt files or folders. It’s noted that AxCrypt worked as a separate program within its own window, in addition to fully integrating into Windows Explorer.

To determine which tool would be best for the organization, the SM and SA discusses which type of message that needs to be sent and the purpose of the message. OpenStego would be the best contender due to the fact that you only need to send an encrypted message hidden inside of another message. QuickStego would be best recommened if you only needed to send a hidden message within an image but didn’t need to be encrypted. If a hidden message needed to be encrypted and password protected, then the SM and SA would recommend the use of OurSecret. When it comes to determining which encryption and/or decryption tool to use, the SM and SA decides on whether or not they would use VeraCrypt or AxCrypt. Once this happens, the SM and SA would need to verify and confirm their decision with the Chief Information Security Officer (CISO) to discuss the way ahead for the organization in terms of cryptography. (See Checklist above)

Types of attacks

A cyber-attack is a deliberate use of codes to manipulate computer systems and networks in an attempt to manipulate and compromise the confidentially of certain information (Ledford, 2018). Perhaps there are different motivations behind every cyber-attack. It can be political or social. The internet is the main channel through which this happens. The targets also varies. The activity might be targeted towards a corporate organization, the government or an individual. The cybersecurity attacks are carried out by use of malicious programs like fake websites, viruses, unauthorized web access a mong other means. The intention can be either for financial gain or boosting of the ego of the perpetrator through causing harm to the organization.

From the article, “Types of attacks”, we learn of the examples and definition of the different types of cyberattacks.

1. Back door attack – this is a type attack where an attacker takes advantage of the vulnerabilities and flaws of a system though use of viruses, worms and Trojan horses to gain access into system after which he sets up a backdoor (Oppenheimer 2010). This allows him access to important information without the administrator realizing.

2. Denial of service. This can be abbreviated as DDoS. Denial of service attack is carried out by numerous systems relaying ICMP packets to a server. The objective of this attack is preventing being to gain access to a certain site they might want to access. This is the type of attack that is common among us as agents of a property management firm. The main source of leads and traffic is the website. This is where clients get to know of our services and thereafter reach out. Therefore, sometimes the competitors might want to deploy malicious program to deter clients from reaching us.

3. Phishing – this is an attack where something malicious is sent through the email. At most times, they will send out a link and request you to click on it. Moreover, you might be requested to download something over the net. When sending out such emails, they will try to eliminate all sources of suspicion and make it look genuine. Once you do that, you will have your system infected. Just as the other types of security attacks, phishing is also one which a property management firm is exposed to. Our clients are the primary targets of this attack, mostly there information on our system. Besides the threat of our clients losing money there is also the threat of money laundering. On top of it all, such events might lead to tarnishing of the name of the firm leading to reduced client flow.

4. Use of SQL – This is a programming language which facilitates communication with the database. When an attacker uses SQL, he or she will send out malicious codes which will lead to your database giving out more information than what it is usually meant to share (Menegaz, 2012). The attacker will do this by taking advantage of the commonly identifies SQL vulnerabilities. (See checklist above)

5. Cross-site scripting. This is abbreviated as XXS. This kind of attack is targeted at vulnerable websites with weak security systems for the purpose of attaining user credentials or other classified information. Just as the SQL, XXS is also carried out by use of malicious codes. In XXS, the site is not the primary target but rather its visitors. As a property management firm, our clients who have accounts/portals on our website are the ones who could fall prey of such as attack. This is because on registration with the firm, a client is required to submit confidential information about his property and himself which is meant to be between the firm and the client.

Security mechanisms

A security mechanism consists of policies and that are meant to detect, inhibit or recover from a security threat posed by an attacker. Example of security mechanism include:

1. Physical security – this is a mechanism that requires installation of physical barriers crucial network resources. This can includes installation and locking of doors. The advantage of this is to prevent mishandling of equipment by new unskilled agents or even their clients.

2. Authentication – authentication means that the information given by a person on his or her identity is true. Users have to undergo a three tier identification process before approval of the authentication process. The first step involves input of credentials by user, which are known to him or her. These includes PINS, private key and passwords, which they themselves created. The next is provision of a resource they are expected to have. Provision of a genuine resource means you pass the authentication step and vice versa. Examples of these resources are security cards and security tokens. The last means of authentication is assessment of a certain physical character trait. A good example is ones fingerprints, voice or patterns of the retina. A strong authentication process involves incorporation of two or more of the three mentioned authentication procedures. The common ones is use of fingerprint and retina pattern identification.

3. Authorization mechanism – this involves giving the user access to the network and whichever resource they might want to retrieve. The administrator of the network is the person infested with the powers to grant access to the network to only identified workers of the property management firm. Thereafter is when they can have access to whichever resource they were after. The managing broker of the firm will be given access to all information on the network. On the other hand, the agents of the firm will only have access to shared data and data/information that they themselves have uploaded on their personal portals in the network.

4. Data encryption – this is formatting of information in a way that only the intended person can decode it. This is done to protect information from read by third parties who might use the same information to harm the firm. Perhaps this is a mechanism that than come in handy in our efforts to ensure customer data security.

5. Firewalls – firewalls enhances security policies by acting as boundaries of two networks. Use of various set of instructions is what is used by firewalls in deciding which of the incoming traffic will be granted access and which wouldn’t.

6. Intrusion detection system and intrusion prevention system – these security mechanisms are used to inhibit security risks and prevent occurrence of new ones. An IDS makes use of intrusion alerts to sense and analyse outbound and inbound network traffic for suspicious undertakings (Rouse, 2017). In case of event of a suspicious activity, the IDS kicks the uses out of the network accompanied by a notification to the security personnel of the potential threat. The IPS is a complimentary of the IDS. The IDS works by examining incoming traffic to reject harmful requests. The IPS averts threat by uncovering malicious packets and blocking threat carrying IPs and notifying the security personnel of the incidence. The property management firm needs to continue utilising both IPS and IDS in its 24/7 operations to ensure enhanced security of the network. Below is a table showing the access points and how they can be secured.

Protection plan

Security and protection of client’s information and assets is one of our top priorities. So far we have taken a look at the IT systems of the architecture of the property management firm. We have looked at the potential types of cybersecurity faced by the firm and the various types of mechanisms that can be deployed. The next important step is formulation of a protection plan. A multi-tier system will be used to in the firm’s identification process. The firm’s agents will be provided with security cards and retina identification systems will be installed at all major access points to the company’s network. Alternative, one of this will be used in complementary with use PINs. Given the fact that it’s the agents who will come up with these passwords, they will not be expected to share them with third parties. Moreover, the passwords/PINs will comprise of numbers, letters, special characters and alpha-numeric to make sure they are not easily cracked. A network password will be assigned to the WLAN and only a given agent will be able to access it. He will be responsible for making any necessary changes when needed to the WLAN. A strong protection plan will ensure that our clients and agents information and files is protected. (please see checklist above)

Issuance of CAC will be used to control access to the firm’s buildings. Besides strong six character digit pin, the company’s agents will be have a badge with their picture, fingerprint, name and the name of the firm on it. Outside the building, there will be a door system which will require a person to provide his/her or and the scanning of the badge. A green light will be accompanied by an “access granted” feedback while a red light will display “access denied” based on assessment of a persons’ credentials. All agents will submit their schedules to the security specialists to be programmed in the system to ensure security. For example a person who randomly shows up in days which he or she is not supposed to be on duty will not be allowed entry into the firm’s premises. So all the agents will be required to submit their schedules so that necessary adjustment can be done to the system to grant you access into the premises. This will be done within 48hrs. The policy will help deny access to people who are not supposed to be there. Perhaps, this will not only help ensure the general security of the firm but also the company’s personal information and conversations. Each team or group of agents will only have access to the files which they themselves uploaded. That is, there personal files on their private portals. The person supposed to have access to all files is the managing broker only. This plan of protection will be set in place to make sure confidential information of our clients and agents does not land on a third party.

Nonrepudiation protections will be ensured by a digital signature present on the CAC issued to all agents. CAC readers will be installed on all desks besides the computers. This will make sure the information sent and deleted from the network can be traced to the originator (Lord, 2017). This will help increase accountability. No one will deny of having done something which compromised the security of the network and its information because he/ she will be under watch on his or her workdays. Therefore a person will be responsible for anything that happens while he/she is logged in through his card, PIN or retina recognition system.

Cryptography protection

(Symmetric Versus Asymmetric???)

describe to your organization the various cryptographic means of protecting its assets. descriptions will be included in the network security vulnerability and threat table for leadership

Encryption Technologies – Make a simple table

1. Shift / Caesar cipher

2. Polyalphabetic cipher

3. One time pad cipher/Vernam cipher/perfect cipher

4. Block ciphers

5. triple DES

6. RSA

7. Advanced Encryption Standard (AES)

8. Symmetric encryption

9. Text block coding

Data Hiding Technologies

1. Information hiding and steganography

2. Digital watermarking

3. Masks and filtering

One of the several ways of data encryption is triple DES. This method involves application of block cipher algorithm to every data block thrice. Each block is always characterised by 64 bits worth of data. As the word ‘triple’ suggests, in triple DES, data is encrypted thrice. One con is that is slow. However, on the other hand, it is hard to break and hence more secure.

RSA is a public key encryption algorithm. It uses both the public key and private key in its encryption process. One thing to note is that both keys are paired. Moreover, while the public key is distributed, while the private key isn’t. The process start with two prime numbers, then products and finally the exponents. Besides RSA being secure, it is also hard to crack. On the other hand, the encryption process might be very slow especially when encrypting large amounts of data.

Blowfish is another symmetric block cipher which makes use of an adjustable key length ranging from 32-448 bits.it can be used for exportable or domestic. No patent is made against it and hence the licence is free. Of all the bock ciphers, the blowfish is relatively fast. However, its use requires a key and management of a key is not easy.

Twofish, just as the blowfish is block cipher algorithm encryption. Its key goes up to 256 bits. Additionally, just as blowfish, it is not patented hence availably free for use. Its pro is that it is relatively fast as a block cipher and can be used by bigger CPUs as well as smartcards. Because of its huge size, slowdowns on the system are frequent.

Advanced Encryption Standard (AES) is another symmetrical encryption algorithm. It constitutes AES 256, AES 192 and AES 128. Because of its symmetrical nature, the key used in its encryption is supposed to be shared in order to decrypt. Advanced encryption standard is recommended because its secure and the fact that it uses varying key lengths in its encryption (Lord, 2017). Its one con is that the algebraic structure it uses is simple and the form used is uniform across all the blocks.

I would recommend use of AES for data encryption in our offices. I consider it secure compared to other modes of date encryption and hence promising in terms of ensuring security for our clients as well as the firm. Perhaps that is why the security protocol is common. Most importantly, clients entrust us with most confidential information. Breaking of the trust would lead ruining of the reputation that the company has tried so hard to uphold. Perhaps this will lead to lose of clients.

CAC Deployment Strategy

CAC is a user identification method. The CAC is basically a card implanted with a chip containing information regarding its owner. It has a digital signature that allows the user/owner to decrypt and encrypt using the card keys. The CAC deployment plan is meant to give the agents a common network access method. The CAC will not be necessary whenever they want to use the WLAN. A password is all they will need. The only time the CAC will be necessary is when they want to delete or upload to the network and when they want to access the office after normal worktime hours. But during the day, the agents will use the PINs and cards for access into the firm’s premises. The aim of the measure is to ensure security of the clients as well as the agents from cyberattacks.

Email security strategy

Emails and internal messaging services are the main communication channels of the property management firm. The agents update the clients’ information and keep track of the clients through emails as well. Considering the number of emails flowing through the network in a day, it makes it easier for an attacker to find a vulnerability within the network and gain access to important data. In an attempt to prevent this risk, the firm has put in place policies to ensure email security. Varying encryption technologies can be made use of in the process but the most efficient method would be use of digital certificates. The advantage of using digital certificates is that they are hard to bypass. However you will not have access to data in the event of loss of the key. As a measure to ensure to ensure more security, the digital certificates can be incorporated into the firm’s agent’s emails which will bring about an automatic encryption of all the emails flowing through the firm’s network. (Find References and specific information??)

Conclusion

We have explored the explanation and organization of the property management firm and looked at the potential cyberattack threats facing the firm. Moreover, I have also looked at the various security mechanisms and policies that can be implemented to prevent and neutralize the attacks. Given the fact that our firm is a service delivery company, we need to have all the security systems intact. I would urge the firm to invest more on security in order to secure the firm’s transactions. The investment would lead to increased trustworthiness between us and the clients hence increased traffic. To ensure security of emails, the company should use CACs stepped up with digital certificates. More attention should be given on the same considering it’s the firm’s main channel of communication. All in all, strong security features will help our clients have confidence us hence feel safe while we are handling their property.

References – Please see our discussions about peer-reviewed references and scholarly articles

Cisco Press. (2016, February 09). Retrieved September 9, 2018, from http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Ledford, Jerri (2018) What is a cyber attack and how to prevent one? Retrieved from https://www.lifewire.com/cyber-attacks-4147067

Lord, Nate (2017) What is a phishing attack? Defining and identifying different types of phishing attacks. Retrieved from https://digitalguardian.com/blog/what-phishing-attack-defining-and-identifying-different-types-phishing-attacks

Menegaz, Gery (2012) SQL Injection Attack: What is it, and how to prevent it. Retrieved from https://www.zdnet.com/article/sql-injection-attack-what-is-it-and-how-to-prevent-it/

Merriam-Webster Dictionary. (n.d.). Retrieved September 19, 2018, from https://www.merriam-webster.com/dictionary/cyberattack

Oppenheimer, Priscilla (2010) Developing Network Security Strategies. Retrieved from http://www.ciscopress.com/articles/article.asp?p=1626588&seqNum=2

Rouse, Margaret (2017) Ransomware, defend your data with best practices. Retrieved from https://searchsecurity.techtarget.com/definition/ransomware