A1 Threat types
1. Internal threats, e.g. employee actions, data theft, accidental loss, unintentional disclosure or damage to data, unsafe practices (use of external flash storage, visiting untrusted websites, downloading/uploading files to/from the internet, users overriding security controls, file sharing apps and bring your own device (BYOD))
Internal threats are not literally inside a computer; they arise inside a workplace, a home or a classroom, and there are many of them. For example, an employee is working at his/her desk on social media or Excel. After a while the employee goes to get a drink and rest his/her eyes, and in that time a colleague finds the computer logged in and unattended. The colleague may find it humorous to tamper with the work and ruin everything. The same can happen to someone who brings in a new laptop, only to have it ruined by someone else.
Internal threats do not strictly mean threats in the office; untrusted websites and unsafe practices are internal threats too. Some users may want software for their school/college work and find a website that allows users to download it for free. This turns out to be an untrusted website, and the user downloads malicious files which corrupt the computer. This software would not do anything until a user instructs the computer to run it.
2. External threats, e.g. data theft, destruction, withholding and/or disruption of systems (by competitors, cyber criminals, governments, terrorists) for political purposes or financial gain
An external threat is the possibility of suffering consequences from an attack from the outside, for example by a hacker. Imagine buying a brand new Apple MacBook and then, on the same day, getting a virus from a cybercriminal. Disruption of systems is a type of external threat; this is caused by competitors of another company. Hackers: people can use extreme skill to bypass a firewall and hack into a computer system. Hackers are the biggest threat of all, since a lot of people can do this and it is very malicious, as the hacker can gain full access. A DoS attack is where a person hacks into the network through proxies. The computer systems connected to the network will not be able to connect to the internet. Only reverse proxies can stop a DoS attack, by reducing the amount of data processed.
3. Physical threats, e.g. theft of equipment or data, malicious damage to equipment or data, damage or destruction by fire, flood, terrorist action or other disaster
A physical threat is a consequence that is caused physically and inflicted physically. A colleague can break a user’s computer by accident: for example, if there is an environmental hazard on the floor, the colleague can fall over and break a computer. A natural disaster, such as an earthquake or a flood, is an unlikely occurrence but might happen. Computers can be damaged or broken and data will be lost. Some users may find their computer more and more irritating as they use it, for example because it is working too slowly or not carrying out the task the user wants. This frustration builds up and is taken out on the computer; the computer gets broken and data is lost. People do walk down streets with laptops and tablets in their bags; an iPad and a high-end laptop are worth a lot of money and are very easily stolen. Criminals tend to find a lot of money in IT systems, which is why being safe while outside is crucial, as data which may be very important is also lost.
4. Social engineering and software-driven threats, techniques used to obtain secure information (software that has a malicious intent), e.g. malware, viruses, worms, Trojan horses, ransomware, spyware, adware, rootkits and backdoors.
Social engineering is the application of sociological principles to specific social problems. It includes software and apps that cause strange actions and can almost break a computer. Users may have to wipe the registry if the anti-virus software cannot get rid of a virus. In one scenario, a user downloads software from a website; this software contains a Trojan horse, which takes action when the user opens the program. There have been cases where ransomware has taken down a network. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money has been paid. This is extremely common in schools, colleges and offices, as it has the potential to take down a whole network for a very long time. There are different types of ransomware, such as TeslaCrypt or CryptoLocker. As previously mentioned, Trojan horses are a type of social engineering. A Trojan horse may be a link or software, and computers can also get them from streams. Trojan horses look harmless and useful, but inside they contain a lot of viruses that can bring an end to a computer.
A2 Computer network-based threats
1. Passive threats, including wiretapping, port scanning and idle scanning.
A passive threat to a data or information processing system is a threat of disclosure of information without changing the state of the system. Wiretapping is one of a few examples: connecting a listening device to a telephone line to monitor conversations secretly. Port scanning: a port scanner is an application designed to probe a server. Idle scanning is a TCP port scan method that consists of sending spoofed packets to a computer to find out what services are available.
2. Active threats, including denial-of-service attack, spoofing, man in the middle, Address Resolution Protocol (ARP) poisoning, smurf attack, buffer overflow, heap overflow, format string attack, Structured Query Language (SQL) injection and cyber-attack.
In a masquerade attack, the malicious user pretends to be a user of a system to gain the access that user is authorised for. A masquerade may be attempted using stolen login IDs and passwords, or through finding security gaps in programs. In a session replay attack, a hacker steals an authorised user’s login information by stealing the session ID. The malicious user gains access and the ability to do anything the authorised user can do on the website. In a message modification attack, an intruder alters packet header addresses to direct a message to a different destination or modify the data on a target machine. The Smurf attack is a distributed denial-of-service attack in which large numbers of Internet Control Message Protocol packets with the user’s spoofed IP are broadcast to a computer network using an IP broadcast address.
3. Cloud computing security risks.
Cloud computing is reliable overall, although there are many risks. Firstly, cloud websites can end up getting hacked pretty easily when passwords are given out to the wrong people. Hackers can take down the cloud storage website so that it cannot be used; during this, profiles can be exposed and stolen, changed or deleted. Some users leave their computer unattended, which allows others to manipulate the files inside the cloud storage; this is very common in an office environment. Cloud storage has progressed over the years, but there have always been cases of permanent data loss. Frequent data backup measures are essential in making sure that if data is lost there is always a backup.
A3 Information security
1. Principles of confidentiality, integrity and availability of information.
Confidentiality is protecting data from being breached by anyone else. If a person asks for medical details and does not match the person whose details he/she has asked for, this person will not gain access to that medical history, as this can put that person at risk. On a computer system, confidential information will have many passwords and computers are logged off when not in use, so there is no internal threat. Externally, a doctor’s system will be on a local area network, which also has restricted access; for visitors there may be free Wi-Fi access.
Integrity is when someone has made a mistake and the best thing to do is to be honest and admit it. If someone in a company has accidentally given someone else’s details to a person who wanted their own, the person who did this would be honest, apologise and give the right details. A customer may not be annoyed at this and may forgive this person.
Availability is when someone asks for information and it should be able to be given there and then. If the information is not available, this will cause a problem for a company, more specifically the doctor’s. A patient has every right to know their prescription, medical history and other details when they ask for them.
2. Unauthorised access or modification of information.
Users will want to send messages that may contain very important information. Malicious users will attempt to intercept a message, change the information and send it on. To prevent this from happening, encryption would be the top solution. Symmetric key is one of the few methods of encryption: the message is sent on fully encrypted, and the decryption key is exactly the same as the encryption key. Public key is the other type of encryption: the receiving person has access to the decryption key that enables messages to be read, but the decryption key is sent along with the message, so any malicious user can see it. The best method would be the private key, as it would be sent in a different message at the same time.
3. Principle of minimal access to information or lowest required access permission to be able to maximise protection
When downloading files, some may have different access permissions such as write-only, full access or read-only. To maximise protection, some users would set a message to read-only. This can be done in Word, so that important documents can only be read rather than changed. The only way the document can be changed is by creating a copy, but this isn’t malicious at all, because if the document was sent to someone specific it would be tracked through the IP address.
4. Deliberate or accidental loss of information.
There is a need to protect intellectual property from theft or malicious damage, for example personal information, bank account details and employment details. A company can lose its reputation as a safe and trustworthy place where people can keep data such as bank details and personal information. As a result, the business will see a drop in customer service. This aspect will be affected because the company will have to change how it works with customers and internally within the company. Businesses will have to spend money on better security, new software and potentially new hardware. Depending on how malicious the attack is, the customer might have to change their password because of a further threat to the customer’s account with the company. This is a nuisance and a hassle, and the customer does not deserve that sort of service.
A4 Legal Requirements
1. Data Protection Act 1998 and the requirements it places on organisations to keep data about stakeholders secure.
The Data Protection Act governs how personal information is used by organisations, businesses or the government. Its requirements include that data is kept securely, away from anyone else, because the data is people’s personal details and information. The data should only be used when it is relevant, for example in permanent records. Data should not be kept for a ridiculous amount of time: when someone has left a company, their data should be erased after a certain amount of time, as the information would be useless to the company.
2. Computer Misuse Act 1990 and its definitions of illegal practices and applications.
There are a lot of malicious users who break this act. Acts such as hacking or downloading illegal software breach the Computer Misuse Act. On December 25th 2014, PlayStation and Xbox online services were hacked; this is an illegal practice which affected millions of people worldwide.
3. Copyright, Designs and Patents Act 1988 and its requirements in terms of protecting software products and digital media such as music and films.
Copyright is probably the best-known act. The requirements of copyright are permission to use content from someone else (if the content creator is using someone else’s content, then credit must be given). This act applies to the music, gaming, film and media industries.
4. Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 and their requirement to allow companies to monitor employee communication using IT systems and other uses of the internet while at work.
The Telecommunications act allows companies to monitor what employees are doing on business computers or the business network. This prevents all employees searching unnecessary websites, videos or pictures either on their break or during work. All employees usually sign a letter containing the Telecommunications act in the workplace. With BYOD (Bring Your Own Device), connecting to the network allows the act to take effect, as filters will always be in place.
5. Fraud Act 2006 and its requirement to deal with services using IT-based methods to steal information for fraudulent purposes.
The Fraud Act prevents malicious users from gaining other people’s personal information. Malicious users often use phishing to gain the bank details of others. Services such as banks always say they will never contact the account holder regarding their information; this is one of the requirements which is essential to make sure no one succeeds in committing fraud through either a computer system or telephone.
6. Legal liability and contractual obligations.
A contract is a document which people sign to prove they have come to an agreement. Typically, there are flaws in contracts, although most well-written contracts aren’t very flawed; however, in law no contract or document is ever against the law or against any moral belief.
A5 Impact of security breaches
1. Operational impact on an organisation of the loss of data or service
Data loss is an error condition in information systems in which information is destroyed by computers failing. The impact of data loss on an organisation is a sinister consequence: the data that the organisation holds could be its clients’ details, such as bank details, addresses, passwords and more. It costs companies millions of pounds to get details back and to make sure that all data is backed up and secure. Nonetheless, the company will earn a negative reputation with potential and current clients, as the organisation is not trusted because its system is inadequate.
2. Financial impact of loss of service, such as an e-commerce website
Loss of service to an e-commerce website like Amazon will cost it dearly, millions of pounds, because it will lose a lot of custom. Loss of service can be caused by bad customer service, the website being far too complicated, or the site simply not being a better option than another service. For instance, when a user has a problem with an order from the e-commerce website, customer service staff should always remain calm and keep a positive manner towards the customer. However, some employees may feel offended and be slightly unpleasant to the customer, resulting in a loss of service.
3. Damage to reputation
As mentioned previously, a loss of service will damage the reputation of the company, which will be seen as unreliable and as having bad service in general. The damaged reputation will allow competitors to gain more customers and earn the better reputation as one of the only e-commerce websites to have good customer service.
4. Legal consequences of data privacy breaches
Losing data could break the law. The Data Protection Act 1998 is a legal act under which an organisation can be fined up to £500,000 for losing important details. It should be in every company’s policy that clients get compensation (https://ico.org.uk/for-the-public/compensation/). If the company refuses, or does not come to an agreement on the sum the client wants (up to a certain amount), this can be taken to court.
5. Forensics research requirements to identify data lost, stolen or copied.
Computer forensics is used in court systems to give evidence of stolen, lost or copied data. In 1980 computers became more accessible in terms of hacking, creating viruses, defrauding and other crimes, which is why there is the Computer Misuse Act 1990. There are a number of techniques to strip down a computer for its illegal data, such as cross-drive analysis (searching through multiple hard drives), live analysis (for dealing with encrypted files, where the encryption keys may be collected before the computer shuts down) and deleted files (searching through the history of the recycle bin, backed-up files and internet history).
Learning Aim B
B1 Cryptographic principles
1. The principles and uses of encryption, including digital rights management (DRM); password storing and salts; obfuscation and steganography; secure transactions; two-factor authentication; file, folder, disk encryption; encryption of communication data, e.g. police, mobile phone.
The main idea of using encryption and digital rights management is to protect files such as DVDs, CDs and other media types from being copied and pirated. This is file sharing to a certain extent, but it is illegal to carry out. This principle is related to copyright. As a real-life example, in 2008 the computer game Mass Effect was released with SecuROM, while other games like Call of Duty 4 and Assassin’s Creed had SafeDisc.
2. Legal and ethical issues.
Cryptography has legal and ethical issues. Police services cannot attempt to hack into a mobile phone, as it is an invasion of privacy. Under legal regulations, people should not gain access to others’ computers or consoles. If any computer system gets breached, the Computer Misuse Act 1990 is violated. As it is an established act, the perpetrator will be charged and receive a penalty. Ethically, no one should tap into anyone else’s private business, because people don’t like it when their privacy has been invaded.
3. Computational hardness assumption.
A computational hardness assumption is not proven to be easy or hard to decrypt; its main goal is to create cryptographic primitives with provable security. Some assumptions are stronger than others. It is called an assumption because in practice the problems are assumed to be difficult (https://en.wikipedia.org/wiki/Computational_hardness_assumption).
B2 Cryptography methods
1. Shift ciphers, one-time pads, hash functions (e.g. MD4, MD5, SHA-2, SHA-3), block ciphers, stream ciphers
Shift ciphers and block ciphers are known as symmetric key ciphers. Symmetric key ciphers get their input from stream ciphers. Block ciphers make a long stream of key data which is mixed with the plaintext bit by bit, just like the one-time pad. MD4, MD5, SHA-2 and SHA-3 are a third type of cryptographic algorithm: they take information no matter how long it is or what it contains. A good hash function makes it very difficult for an attacker to find two different messages that produce the same hash. (https://en.wikipedia.org/wiki/Cryptography)
2. Cryptographic primitives, e.g. Pseudo random functions, one-way functions
Cryptographic primitives are low-level algorithms that are well established and very reliable. It is essentially never sensible or secure to design a new cryptographic primitive to suit the needs of a new cryptographic system unless it is necessary. It takes a long time to design an efficient cryptographic system; in this field, cryptographic software does not require the best design but does need to be tested on everything. If the design is not tested properly, the biggest consequence is that the software will be very error-prone. Pseudorandom functions are vital tools in the making of cryptographic primitives, especially secure encryption schemes, which without the cryptographic primitives are not efficient enough to be used. A one-way function is easy to compute on every input, but hard to reverse given an output. https://en.wikipedia.org/wiki/Cryptographic_primitive
3. Cryptographic salts and their use in storing passwords
Salts are used to protect passwords while they are in storage. The passwords are hashed so that, if a malicious user hacks into a store full of passwords, this user would not be able to use them or know what they are at all. Without salts, passwords are stored in plaintext and can be exploited by hackers and other malicious users.
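An added example (not part of the original essay) of salted password storage with Python's standard library: it stores three constructed accounts first as plain hashes and then with a random per-user salt, and reports which stored rows are identical. The account names, passwords and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed work factor for this example
SALT_BYTES = 16

# Constructed sample accounts: alice and bob happen to pick the same password.
ACCOUNTS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "correct horse"}


def unsalted_digest(password):
    """Hash with no salt: equal passwords always give equal stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Return (salt, key) from PBKDF2-HMAC-SHA256 with a random per-user salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, stored_key):
    """Recompute the key with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def users_sharing_a_stored_value(table):
    """Group users whose stored value is identical, as anyone holding the table could."""
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    unsalted = {u: unsalted_digest(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    print("unsalted, identical rows:", users_sharing_a_stored_value(unsalted))
    print("salted, identical rows:  ", users_sharing_a_stored_value(salted))
    salt, key = salted["alice"]
    print("alice logs in:", verify_password("Summer2024!", salt, key))
```

The salt is stored next to the hash and is not secret; its job is to make every stored row unique so that one precomputed table cannot be reused across accounts.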
4. Encryption algorithms, e.g. RSA, DES, 3DES
DES (Data Encryption Standard) was overtaken by 3DES, also known as Triple Data Encryption Standard. RSA is a public key encryption method which uses a private key to encrypt the message. RSA is an asymmetric encryption algorithm because of its pair of keys; this method costs attackers a lot of time to figure out, or leads them not to even bother. 3DES has been defeated by attackers; it was the recommended method and the most widely used symmetric algorithm for businesses. DES is never used to this day because of how insecure and inferior it is in comparison to RSA; 3DES and DES are both symmetric key encryption standards.
5. Mathematical principles, integer factorisation, prediction of prime numbers.
Integer factorisation is the breaking down of a complex number into smaller ones. This can be done with pen and paper, and carrying the process through leads to the prediction of prime numbers, as they cannot be broken down into any more whole numbers; this is also called prime number factorisation.
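An added example (not from the original essay) that ties the RSA key pair in item 4 to the integer factorisation in item 5: it builds a toy RSA key from two small primes, encrypts with the public key, decrypts with the private key, and then shows that factoring the public modulus is enough to rebuild the private key. The primes, the exponent 17 and all function names are assumptions chosen for illustration; real RSA moduli are thousands of bits long and use padding.

```python
from math import gcd, isqrt


def make_keypair(p, q, e=17):
    """Build a textbook RSA key pair from two primes: public (n, e), private (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must share no factor with (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))


def encrypt(message, public):
    """Encrypt an integer smaller than n with the public key."""
    n, e = public
    if not 0 <= message < n:
        raise ValueError("message must be in the range 0..n-1")
    return pow(message, e, n)


def decrypt(cipher, private):
    """Decrypt with the private exponent d."""
    n, d = private
    return pow(cipher, d, n)


def factor_by_trial_division(n):
    """Return (p, q, divisions_tried) for n = p*q by testing odd divisors in turn."""
    if n % 2 == 0:
        return 2, n // 2, 1
    steps = 0
    for candidate in range(3, isqrt(n) + 1, 2):
        steps += 1
        if n % candidate == 0:
            return candidate, n // candidate, steps
    raise ValueError("no factor found: n is prime")


def private_key_from_public(public):
    """Rebuild the private key from public information alone by factoring n."""
    n, e = public
    p, q, steps = factor_by_trial_division(n)
    return (n, pow(e, -1, (p - 1) * (q - 1))), steps


if __name__ == "__main__":
    # Constructed toy keys: the second uses the known primes 65537 and 2**31 - 1.
    for p, q in [(61, 53), (65537, 2**31 - 1)]:
        public, private = make_keypair(p, q)
        cipher = encrypt(65, public)
        recovered, steps = private_key_from_public(public)
        print(f"n={public[0]}: 65 -> {cipher} -> {decrypt(cipher, private)}; "
              f"private key rebuilt after {steps} divisions: {recovered == private}")
```

The number of divisions grows with the size of the smaller prime, which is why the security of the key pair rests on the modulus being far too large to factor.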
B3 Applications of cryptography
1. Symmetric key encryption
Symmetric key encryption is the complete opposite of asymmetric encryption: it consists of two keys that are the same (they are both private/secret keys). A plaintext message is encrypted and sent to the other person. The other user uses the key to decrypt the message back into plaintext without any attacker touching it.
2. Public key encryption
Public key encryption, also known as asymmetric cryptography, is a cryptographic system that uses pairs of keys: public keys, which may be spread widely, and private keys, which are known only to their users. The public key is used to verify that a holder of the paired private key sent the message, and for encryption, where only the holder of the paired private key can decrypt the message.
3. Key exchanges (Diffie-Hellman)
Whitfield Diffie and Martin Hellman are the creators of this key exchange method, which is known to be one of the earliest methods of exchanging public keys from one user to another without interference from any perpetrators. This practice is a starting point for encryption in general. However, in 2015 it was found that key exchanges are not strong enough for the internet. https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
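An added example (not from the original essay) of the Diffie-Hellman exchange: two parties each publish one value, both derive the same key, and each side validates the value it receives before using it. The toy prime 2**31 - 1, the generator 7, the 2048-bit minimum and the function names are assumptions for the example; the prime is deliberately far too small for real use, which the size check reports.

```python
import hashlib
import secrets

P = 2**31 - 1   # toy prime modulus, assumed for the example
G = 7           # generator used with this toy prime


def validate_public(value, p=P):
    """Accept only values in 2..p-2; 0, 1 and p-1 would force a predictable secret."""
    return 2 <= value <= p - 2


def generate_keypair(p=P, g=G):
    """Pick a random private exponent and compute the public value g^x mod p."""
    while True:
        private = secrets.randbelow(p - 3) + 2      # range 2..p-2
        public = pow(g, private, p)
        if validate_public(public, p):
            return private, public


def shared_key(own_private, peer_public, p=P):
    """Derive a 32-byte key from the shared secret after checking the peer's value."""
    if not validate_public(peer_public, p):
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, p)
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()


def group_large_enough(p, min_bits=2048):
    """Size policy assumed for this example: refuse groups below min_bits."""
    return p.bit_length() >= min_bits


def run_exchange():
    """Both sides of one exchange; 'wire' holds everything an eavesdropper sees."""
    a_private, a_public = generate_keypair()
    b_private, b_public = generate_keypair()
    wire = {"p": P, "g": G, "A": a_public, "B": b_public}
    key_a = shared_key(a_private, b_public)   # computed by the first party
    key_b = shared_key(b_private, a_public)   # computed by the second party
    return key_a, key_b, wire


if __name__ == "__main__":
    key_a, key_b, wire = run_exchange()
    print("sent in the clear:", wire)
    print("both sides hold the same key:", key_a == key_b)
    print("group passes the size policy:", group_large_enough(P))
```

The private exponents never cross the wire, and the exchange by itself does not authenticate who sent each public value.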
4. Digital certificates (including certificate authorities)
A digital certificate is like a ticket to send information over the internet securely using the public key infrastructure; an authority would be the public key certificate. A trait of public key infrastructure is resistance to forgery: using this method no message can be forged. Operating systems and browsers hold lists of trusted certificates so they can easily be verified.
5. HTTP Protocols
HTTP is the set of rules for transferring all types of files on the Internet. As soon as a user opens their web browser, the user is making use of the Hypertext Transfer Protocol. HTTP is an application protocol that runs on top of the Transmission Control Protocol.
6. Virtual private networks (VPNs)
As a business grows, it might expand to multiple shops or offices across a country and around the world. To keep things running efficiently, the people working in those locations need a fast, secure and reliable way to share information across computer networks. A VPN is useful for this: it allows employees of a company to communicate among themselves across the company as a whole.
7. Generic Routing Encapsulation (GRE) tunnels
Using point-to-point links over an Internet Protocol network creates a Generic Routing Encapsulation tunnel. A GRE tunnel works by encapsulating a payload (the information or message in transmitted data), that is, a packet that must be delivered to a certain network, inside an outer Internet Protocol packet. (http://www.techtarget.com/network)
8. Encryption of data on Wi-Fi networks.
Routers allow the user to encrypt data as it travels in and out of a network, making it much more difficult for hackers trying to steal secret information to forge it. To make the best choice for a network, it is necessary to understand the differences between encryption protocols. Users can access an unprotected Wi-Fi network, which is also unencrypted, whereas protocols such as WPA are protected and encrypted. This allows users to use a wireless internet network safely.