Information Security IBK3IBV01 College 5 Paul J. Cornelisse

Post on 17-Jan-2016


TRANSCRIPT

Page 1: Information Security IBK3IBV01 College 5 Paul J. Cornelisse

Information Security IBK3IBV01 College 5

Paul J. Cornelisse

Page 2

Vigenère square (cont'd)

To decrypt the ciphertext using the known keyword, do the reverse of the above steps. First, write the keyword above the ciphertext. Then find the first letter of the keyword, in this instance “K”, and follow its column down until the associated ciphertext letter is encountered, which is “Y”.

Page 3

Follow that row to the left; the letter found in the outermost column is the plaintext letter, “O”. Continue this process until the message is decrypted.
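The column-and-row lookup described on these two slides, written out as an added example (not part of the original slides); the square is built in code, and the sample message and the keyword LEMON are constructed for the demonstration.

```python
import string

ALPHABET = string.ascii_uppercase

# The Vigenère square (tabula recta): row i holds the alphabet shifted by i,
# so SQUARE[row][col] is the letter at plaintext row `row`, keyword column `col`.
SQUARE = [ALPHABET[i:] + ALPHABET[:i] for i in range(26)]


def _letters(text):
    """Keep only A-Z (upper-cased); spaces and punctuation are dropped."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def _key_stream(keyword, length):
    """Repeat the keyword so one key letter stands above each text letter."""
    key = _letters(keyword)
    return [key[i % len(key)] for i in range(length)]


def encrypt(plaintext, keyword):
    """Plaintext letter picks the row, keyword letter picks the column."""
    pt = _letters(plaintext)
    return "".join(SQUARE[ALPHABET.index(p)][ALPHABET.index(k)]
                   for p, k in zip(pt, _key_stream(keyword, len(pt))))


def decrypt(ciphertext, keyword):
    """The slide's procedure: go down the keyword letter's column until the
    ciphertext letter appears; the label of that row is the plaintext letter."""
    ct = _letters(ciphertext)
    out = []
    for c, k in zip(ct, _key_stream(keyword, len(ct))):
        col = ALPHABET.index(k)
        row = next(r for r in range(26) if SQUARE[r][col] == c)
        out.append(ALPHABET[row])
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample: the slide's single step (keyword K, ciphertext Y -> O)
    # and a full round trip with a constructed message and keyword.
    print(decrypt("Y", "K"))
    msg = "ATTACK AT DAWN"
    ct = encrypt(msg, "LEMON")
    print(ct, decrypt(ct, "LEMON"))
```

Because every row of the square contains every letter exactly once, the column walk in decrypt always terminates, which is also why the lookup is equivalent to subtracting the key letter modulo 26.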

Page 4

The second major family of classical ciphers, after substitution, is transposition ciphers. These ciphers use the same letters as the plaintext but reorganize them until the message is scrambled. The Spartan scytale is an example of a simple form of transposition.

Page 5

Page 6

Page 7

Page 8

Cryptographic Keys

More complex ciphers use secret keys that control long sequences of intricate substitutions and transpositions. This partnership between simple ciphers creates a powerful and modern form of communication security.

Page 9

Private, or secret key, encryption, often referred to as symmetric key encryption, is a class of algorithms that uses a single key to encrypt and decrypt messages. For maximum security, each pair of correspondents has a separate key; it is vital that both parties keep the key secret.

Page 11

Page 12

DES is a nonlinear block cipher. The plaintext is broken into 64-bit blocks and encrypted using a 56-bit key plus 8 parity bits, totaling 64 bits. Encryption is achieved by dividing each block into left (L) and right (R) halves and applying a series of permutations and substitutions 16 times. DES is insecure because its key length is relatively short.

Page 13

AES resulted from a worldwide competition that started in 1997 under the sponsorship of the National Institute of Standards and Technology (NIST). AES is an iterative block cipher based on substitutions and permutations. The fixed blocks are each 128 bits long, or 16 bytes. This is double the length used by DES, increasing the number of possible blocks by a factor of 2^64. This algorithm uses key lengths of 128, 192, or 256 bits.

Page 14

Public key encryption

The first public key cryptosystem was proposed by Ralph Merkle in 1974 and introduced two years later, in 1976, by Professor Martin Hellman of Stanford University and Whitfield Diffie, then at Northern Telecom (Bosworth et al. 2009).

Page 15

Public key encryption uses two separate keys to encrypt and decrypt. Another name for public key encryption is asymmetric encryption. Each correspondent has a public key and a private key; what is encrypted using one key is decrypted using the other key.

Page 16

Public key encryption enables secure electronic business transactions, applied through keys and certificates. This cryptosystem supports confidentiality, access control, integrity, authentication, and nonrepudiation services.

Page 17

Public and secret keys

Page 18

Risk Management

Page 19

Risk Management

Just because there is a threat does not mean that the organization is at risk. This is what risk assessment is all about.

Page 20

Risk Management

Facilitated Risk Analysis and Assessment Process (FRAAP). First used in 1995.

Page 21

Risk Management

FRAAP:
- is driven by the business owners
- takes days instead of weeks or months
- is cost-effective
- uses in-house experts

Page 22

Risk Management

The FRAAP was developed as an efficient and disciplined process for ensuring that threats to business operations are identified, examined and documented.

Page 23

Risk Management

The process involves analyzing one system, application, platform, business process or segment of business operation at a time.

Page 24

Risk Management

Team of internal subject matter experts. Includes:
- business managers
- system users, familiar with the mission needs of the asset under review
- and infrastructure staff who have a detailed understanding of potential system vulnerabilities and related controls

Page 25

Risk Management

A sample FRAAP procedure is included in Appendix A of the book.

Page 26

Risk Management

The team's conclusions as to what threats exist, what their risk levels are, and what controls are needed are documented for the business owner's use in developing the FRAAP.

Page 27

Risk Management

The team does not attempt to obtain or develop specific numbers for threat likelihood or annual loss estimates unless the data for determining such factors is readily available

Page 28

Risk Management

The team will rely on their general knowledge of threats and probabilities. These are obtained from national incident response centers, professional associations and literature, and their own experience.

Page 29

Risk Management

Additional efforts to develop precisely quantified risks are not cost-effective

Page 30

Risk Management – risk considerations ;-)

- Estimates take an inordinate amount of time and effort to identify and verify or develop
- The risk documentation becomes too voluminous to be of practical use
- Specific loss estimates are generally not needed to determine if a control is needed (e.g. for compliance or ‘survival’)

Page 31

Risk Management

After identifying the threats and establishing the relative risk level for each threat, the team identifies controls that could be implemented to reduce the risk, focusing on the most cost-effective controls

Page 32

Risk Management

Once the FRAAP session is complete, the security professional can assist the business owners in determining which controls are cost-effective and meet their business needs

Page 33

Risk Management

Once each threat has been assigned a control measure or has been accepted as a risk of doing business, the senior business manager and technical expert participating sign the completed document

Page 34

Risk Management

The document and all associated reports are owned by the business unit sponsor and are retained for a period to be determined by the records management procedures (usually 7 years but depending on common law)

Page 35

Risk Management

Each risk assessment process is divided into three distinct (types of) sessions/meetings:

Page 36

Risk Management

Divided into three phases:
- the pre-FRAAP
- the FRAAP
- the post-FRAAP

Page 37

Risk Management

1. The pre-FRAAP meeting: normally takes about an hour and has the business owner, project lead, scribe and facilitator as participants.

Page 38

Risk Management (Pre-FRAAP)

- Assess current level of risk assessment understanding
- Determine what the managers and employees want to learn
- Examine the level of receptiveness to the security program
- Map out how to gain acceptance
- Identify possible allies

Page 39

Risk Management (Deliverables Pre-FRAAP)

- Prescreening results
- Scope statement
- Visual diagram
- Establish the FRAAP team (15 to 30 members)
- Meeting mechanics
- Agreement on definitions
- Pre-FRAAP meeting summary

Page 40

Risk Management

2. The FRAAP session: takes approximately 4 hours and includes 15 to 30 people, although sessions with as many as 50 and as few as 4 people have occurred.

Page 41

Risk Management

Page 42

Risk Management

The business manager/owner will present the project scope statement. The technical support will give a five-minute overview of the process using an information flow model or diagram. The facilitator will review the term definitions to be used for this FRAAP session.

Page 43

Risk Management

The facilitator will then reiterate the objectives and deliverables of this initial stage. At this point, stage two of this process should be briefly discussed.

Page 44

Risk Management

The FRAAP session definitions should be included in the meeting notice. It will also be necessary to notify those individuals who are needed for stage two that they will be staying for an additional hour.

Page 45

Risk Management

Have all members introduce themselves and provide the following information for the scribe to capture:
- Team member name (first and last)
- Department
- Location
- Phone number

Page 46

Risk Management

Page 47

Risk Management (Activities during FRAAP session)

- Identify threats using a checklist
- Identify existing controls
- Establish risk levels

Page 48

Risk Management

Page 49

Risk Management

Page 50

Risk Management

Page 51

Risk Management

Page 52

Risk Management

A total of four deliverables come out of the FRAAP sessions:
- Threats identified
- Risk level established
- Compensating controls selected
- Control “owner” identified

Page 53

Risk Management

Post-FRAAP is where the results are analyzed and the Management Summary Report is completed. This process can take up to five workdays to complete.

Page 54

Risk Management

Management Summary Report:
- Title Page
- Table of Contents
- Attendee List
- Scope Statement Summary
- Assessment Methodology Used
- Summary of Assessment Findings
- Where to Obtain Full Documentation
- Conclusions

Page 55

Risk Management

1. Restricted physical access areas should be considered throughout GLBA *)

Action Plan: A physical security risk assessment will be conducted to determine if there is a need to create restricted access areas and/or increase physical access controls.

*) The Gramm–Leach–Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, is a law requiring the protection of particular information.

Page 56

Risk Management

2. Power failure could cause corruption of information or prevent access to the system.

Action Plan: The network UPS may not be adequate for a power outage outside regular business hours. Install a backup domain controller at Ualena Street and connect it to the Ualena Street UPS.

Page 57

Risk Management

Complete the Action Plan

Page 58