
ASSESSMENT 2: SECURITY REPORT

Information Security

Sayed Hasan Mahfoodh


201501553
Table of Contents
Introduction
Principles of information security and cryptographic measures to secure information
  Information Security
    Confidentiality
    Integrity
    Availability
  Cryptography
    Encryption
    Decryption
    Types of ciphers
      Substitution cipher
      Transposition ciphers
  Types of Cryptography
    RSA encryption
    Diffie-Hellman key exchange
    Elliptic curve cryptography
    Lattice-based cryptography
    Code-based cryptography
    Multivariate cryptography
    Quantum breakable and quantum secure
  Cryptanalysis
    Dictionary attack
    Frequency Analysis
    Brute Force attack
    Man In The Middle attack
Security implications for modern networks and Bahrain Mini-mail Security assessment
  Bahrain Mini-mail vulnerabilities
    Bahrain Mini-mail vulnerabilities and their impacts
  Security implications for modern networks
    Popular issues surrounding most company networks
Networking methods that are used to secure information and countermeasures for the vulnerabilities and threats
  Countermeasures for Bahrain Mini-mail vulnerabilities
  Modern methods that are used to secure data from popular issues

Introduction
This report discusses information security, its aims, and its principles in regard to cryptography; what cryptography means and stands for; the types of cryptography; and ciphers and their types. It also discusses cryptography in relation to quantum computers. It then covers cryptanalysis, what it stands for, and some of the attacks that are used to break encryption. This is followed by a security assessment of Bahrain Mini-mail digital services, stating some security vulnerabilities of the company as well as popular ones, alongside their impact. Countermeasures for the Bahrain Mini-mail vulnerabilities and modern methods used to secure data at rest and data in motion are then presented. Finally, there is a recommendation for the company to improve its network security and to minimize and control risks.
Principles of information security and cryptographic measures to secure information
Information Security
Information security is the fortification and safety of data and systems from unauthorized access, disclosure, modification, disruption or ruin (Carnegie Mellon University, 2008).

Information security has also been defined as the technique of ensuring information confidentiality, integrity and availability (CIA). Understanding information security this way helps us handle and distinguish it in a concrete procedure (Katsikas, 2006).

Confidentiality
Confidentiality is the capability to protect information from being viewed by unauthorized personnel (Andress, 2011).

Confidentiality permits only those who have the right privileges to access the information and data; when an unauthorized party (person or system) gets hold of the data, the confidentiality is breached (Andress, 2011).

Encrypting data provides confidentiality: if the information falls into unauthorized hands, the data is unreadable, because encrypted data can only be read by someone who holds the key to decrypt it or who performs cryptanalysis on it.

Integrity
Information integrity means the information is whole and uncorrupted. The integrity of information is threatened when the data is exposed to a security threat such as damage or corruption (Whitman & Mattord, 2003).

Encryption can help maintain data confidentiality; however, that does not mean that the information is validated for integrity (Vacca, 2009).

The integrity of the data is verified by using a Keyed Message Authentication Code (MAC), which is built on a protected hash (SHA, MD5). These hashes are produced by algorithms that are not reversible, making it nearly impossible to modify one character without the change being identified (Tipton, 2000).

Usually the hash itself is also encrypted, so that an unauthorized user cannot modify the information and then modify the hash to match it (SecurITyCerts, 2015).
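The following is an added example, not part of the report, showing the integrity check described above in code: a keyed MAC (HMAC-SHA256) over a constructed sample message, a single-character change to that message, and why an unkeyed hash stored beside the data can simply be recomputed by whoever altered the data.

```python
"""Added example (not from the report): verifying data integrity with a keyed
MAC (HMAC-SHA256) and showing why an unkeyed hash stored beside the data is
not enough on its own."""
import hashlib
import hmac
import secrets


def make_tag(key, message):
    """Keyed MAC over the message; only a holder of the key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_tag(key, message, tag):
    """Recompute and compare in constant time, so timing does not reveal
    how many leading bytes of a guessed tag were correct."""
    return hmac.compare_digest(make_tag(key, message), tag)


def unkeyed_check(message, digest):
    """Integrity check with a plain hash and no key (the weak variant)."""
    return hashlib.sha256(message).digest() == digest


def differing_bits(a, b):
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def simulate_tampering(key=None):
    """Walk through the scenario: a message is protected once with a keyed
    MAC and once with a plain hash, then one character is altered."""
    key = key or secrets.token_bytes(32)
    original = b"Transfer 100 BHD to account 4471"   # constructed sample message
    tampered = original.replace(b"100", b"900")      # one character changed

    tag = make_tag(key, original)
    plain_digest = hashlib.sha256(original).digest()
    # Whoever can alter the data can just as easily recompute a plain hash
    # over the altered data; without the key they cannot recompute the MAC.
    forged_digest = hashlib.sha256(tampered).digest()

    return {
        "mac_accepts_original": verify_tag(key, original, tag),
        "mac_accepts_tampered": verify_tag(key, tampered, tag),
        "hash_detects_tamper_if_digest_kept_safe": not unkeyed_check(tampered, plain_digest),
        "hash_fooled_after_digest_replaced": unkeyed_check(tampered, forged_digest),
        # One changed character scrambles the whole digest, so the change
        # cannot be hidden by a small matching adjustment (the hash is not reversible).
        "digest_bits_changed_by_one_character": differing_bits(plain_digest, forged_digest),
    }
```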

Availability
Availability signifies that authorized parties (users or systems) can access the data without interference, interruption or obstruction, and receive the information in a usable format (Whitman & Mattord, 2003).

Networking attacks are where the availability of information is most often compromised, since they interfere with the availability of data for legitimate users.
Cryptography
Cryptography is the study of approaches to conveying messages in secret (enciphered or disguised) so that only the intended receiver can decipher and read the message (Mollin, 2001). Cryptography can be interpreted as transforming a plaintext into ciphertext and vice versa.

Encryption
The process of transforming plaintext into ciphertext is itself called encryption.

Decryption
Decryption is the reverse process of encryption: transforming ciphertext back into plaintext that can be read by human beings.

Types of ciphers
There are two basic types of ciphers: substitution ciphers and transposition ciphers.

Substitution cipher
In a substitution cipher, the cryptographer replaces characters, bits or blocks of characters with substitutes. For example, shift each letter in the English alphabet forward by J positions (shifts past Z cycle back to A); J is the key to the cipher, and this is often called the Caesar cipher (Denning, 2005). (Image 1)

Transposition ciphers
Transposition ciphers rearrange the bits or characters in the data. For example, in the "rail-fence cipher" the letters of a plaintext message are written down in a pattern resembling a rail fence (Denning, 2005). (Image 2)

Types of Cryptography
RSA encryption
RSA encryption is an asymmetric key method that uses the recipient's public key to encrypt the message, which the recipient then decrypts with a private key (Wolchover, 2015).

Diffie-Hellman key exchange
The Diffie-Hellman key exchange, also described as a symmetric key method, uses a shared secret key over a secure channel that the two parties use to encrypt and decrypt messages (Wolchover, 2015).

Elliptic curve cryptography
This type of cryptography uses mathematical properties of elliptic curves to generate public and private keys (Wolchover, 2015).

Lattice-based cryptography
This type of cryptography uses lines and points: given a random location in space (the public key), the cryptographer finds the nearest point in a lattice with hundreds of spatial dimensions (the private key) (Wolchover, 2015).

Code-based cryptography
In code-based cryptography the private key is associated with an error-correcting code, and the public key is associated with a scrambled and inaccurate version of that code (Wolchover, 2015).

Multivariate cryptography
The encryption system depends on solving systems of multivariable polynomial equations.
(Wolchover, 2015).

Quantum breakable and quantum secure
The most widely used cryptography methods, which are RSA encryption, Diffie-Hellman key exchange and elliptic curve cryptography, can be broken by algorithms designed to run on quantum computers (quantum breakable). On the other hand, code-based cryptography, lattice-based cryptography and multivariate cryptography are thought to be secure against algorithms based on quantum computers (quantum secure). (Image 3)

Cryptanalysis
Cryptanalysis is the study of cryptographic systems and the investigation of systems, ciphers and ciphertexts in order to comprehend how they work or reveal their hidden aspects, and to find any flaws that allow them to be broken, even when the key or the underlying algorithm cannot itself be deciphered. This study uses many attacks to achieve its goals, such as the dictionary attack, frequency analysis, the brute force attack or the Man In The Middle attack (learncryptography.com, 2014).

Dictionary attack
The dictionary attack guesses the key of a ciphertext by attempting a large number of common keys and probable passwords that are likely to be used by human users. The dictionary attack stores common English words, passwords and phrases and tries each of them as the key (learncryptography.com, 2014).

Frequency Analysis
Frequency analysis analyzes the letters and groups of letters contained in a ciphertext and attempts to reveal the message, at least partially. It relies on the fact that in the English language certain letters and groups of letters appear with characteristic frequencies (learncryptography.com, 2014).
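As an added example (not from the report), the code below implements the two cipher types from the Types of ciphers section, the Caesar shift and the rail-fence cipher, and then applies the frequency analysis just described to recover a Caesar key without knowing it: each of the 26 possible shifts is tried and the one whose letter distribution is closest to English (chi-squared distance) is chosen. The English frequency table is a standard reference table, rounded.

```python
"""Added example (not from the report): the Caesar shift (a substitution
cipher), the rail-fence cipher (a transposition cipher), and recovering a
Caesar key by the frequency analysis described under Cryptanalysis."""
from collections import Counter
import string

ALPHABET = string.ascii_uppercase

# Approximate relative frequency (%) of each letter in English prose
# (standard reference values, rounded).
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def caesar(text, key):
    """Substitution: shift each letter forward by `key` positions, wrapping
    past Z back to A. A negative key decrypts; non-letters pass through."""
    return "".join(ALPHABET[(ALPHABET.index(ch) + key) % 26] if ch in ALPHABET else ch
                   for ch in text.upper())


def _rail_pattern(n, rails):
    """Row index visited by each of n positions when writing in a zig-zag."""
    cycle = 2 * (rails - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(n)]


def _reading_order(n, rails):
    """Positions in the order the rows are read off; the stable sort keeps
    each row's positions left to right."""
    rows = _rail_pattern(n, rails)
    return sorted(range(n), key=rows.__getitem__)


def rail_fence_encrypt(text, rails):
    """Transposition: only the order of the letters changes."""
    if rails < 2:
        return text
    return "".join(text[i] for i in _reading_order(len(text), rails))


def rail_fence_decrypt(cipher, rails):
    """Put each ciphertext letter back at the position it was read from."""
    if rails < 2:
        return cipher
    plain = [""] * len(cipher)
    for ch, i in zip(cipher, _reading_order(len(cipher), rails)):
        plain[i] = ch
    return "".join(plain)


def letter_frequencies(text):
    """Percentage of each letter A-Z among the letters of `text`."""
    letters = [c for c in text.upper() if c in ALPHABET]
    counts, total = Counter(letters), max(len(letters), 1)
    return {c: 100.0 * counts[c] / total for c in ALPHABET}


def break_caesar(cipher):
    """Frequency analysis: decrypt under all 26 keys and keep the one whose
    letter distribution is closest (chi-squared) to English. No key needed."""
    def distance(candidate):
        freqs = letter_frequencies(candidate)
        return sum((freqs[c] - ENGLISH_FREQ[c]) ** 2 / ENGLISH_FREQ[c] for c in ALPHABET)
    return min(range(26), key=lambda k: distance(caesar(cipher, -k)))
```

The rail-fence decryption shows that a transposition preserves every letter and only its order, which is also why frequency analysis alone does not break it; the same letter counts appear in plaintext and ciphertext.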

Brute Force attack
The brute force attack involves trying every potential combination of characters or data in order to find the key, so that the encrypted message can be decrypted. Usually this is used as a last-resort tactic in cryptanalysis (learncryptography.com, 2014).

Man In The Middle attack
The Man In The Middle attack is a type of malicious attack on the communication between two parties (a client and a server). The Man In The Middle is a third party that pretends to be the server which a client is trying to connect to; when the client connects, the third party forwards the client's request to the real server, takes the server's response and sends it back to the client. Everything behaves as if the client were connected to the server itself, so the client will not notice the difference; however, the Man In The Middle could have manipulated the data that was sent (learncryptography.com, 2014).

Security implications for modern networks and Bahrain Mini-mail Security assessment
Bahrain Mini-mail vulnerabilities
Bahrain Mini-mail vulnerabilities and their impacts
- In Bahrain Mini-mail digital service, all users have access to most of the data stored on the company's servers. This is a risk to the confidentiality and integrity of the data: because most users can access most of the data stored on Bahrain Mini-mail servers, most users could leak information to another party and possibly modify it. This affects the data at rest on the servers and poses a minor threat to it.

- Bahrain Mini-mail digital service uses a variety of computers and operating systems to access network resources. This poses a big threat to the company's resources, because users' access to network resources should be limited in order to protect the company's servers. Using the network without encryption or safety regulations threatens the data at rest on the company's servers as well as the data in motion that the users send to other parties.

- Employees use passwords and user names that have been issued by the IT department. This system of authentication is old and can be breached by most cryptanalytic algorithms, which puts the integrity and confidentiality of the data at risk. While this vulnerability does not pose a risk to the data in motion or the data at rest directly, it leads to unauthorized personnel gaining access to the data at rest on the servers of the company.

- Bahrain Mini-mail digital service faces many potential threats from hackers attempting to gain information about the company or trying to break into and penetrate the company's servers. This vulnerability poses a high risk to both the data in motion and the data at rest.

Security implications for modern networks
Bahrain Mini-mail digital service has its own vulnerabilities and their risks to the data of the company, but there are also popular threats that pose risks to all networks.

Popular issues surrounding most company networks
- Virus infections and worm infections are the most popular threats, posing a huge risk to the data at rest by causing data manipulation and affecting data integrity and confidentiality (Hietala, 2004).
- Theft or disclosure of intellectual property or confidential data, either by insiders or by competitors hacking into the company's system (Hietala, 2004). This poses a risk to the data at rest and the data in motion of being stolen or modified, which is a risk to data integrity and confidentiality.
- Denial of service attacks (DoS attacks) have been the most costly attacks for companies, causing the loss of internet connection and of access to the company's website (Hietala, 2004). This prevents legitimate users from accessing the data in motion from the company's servers, which is a risk to data availability.

Networking methods that are used to secure information and countermeasures for the vulnerabilities and threats

Countermeasures for Bahrain Mini-mail vulnerabilities
First, Bahrain Mini-mail digital service gives most employees permission to view most of the information and data available on the company servers, which can be an issue for the security of the data. The company should therefore adopt a policy that allows each employee to view only the data they need in order to complete their work (no more, no less). The data should be encrypted with a quantum-secure algorithm and be decryptable only by the respective department manager.

Secondly, Bahrain Mini-mail digital services users access the network resources using a variety of computers and operating systems. It is best to restrict network usage to a minimum and block the ports that are not needed in the working environment. Also, Bahrain Mini-mail should use a VPN (Virtual Private Network) and restrict it to particular IP addresses, since a VPN encrypts the outbound Internet traffic. Alongside the VPN, using SSL/TLS helps to authenticate clients and servers and then encrypts the messages between the authenticated parties.

Moreover, employees in Bahrain Mini-mail use passwords and usernames that have been given to them by the IT department. This method of authentication is outdated and can be broken by the majority of cryptanalysis algorithms, such as the brute force attack. The use of multifactor authentication is recommended, as well as the use of a quantum-safe encryption algorithm to protect the authentication process from penetration and cryptanalysis.

Furthermore, in order to protect the company's assets from hackers, alongside firewalls and a strong authentication process, all the information and data needs to be encrypted regardless of its importance, because if only the important data were encrypted, the hacker would know which data is important and which is not (Cheesley, 2010). In addition, the encryption needs to be quantum secure, so that a party who has a quantum computer cannot recover the information from the ciphers. Additionally, Bahrain Mini-mail needs to add wireless security protocols to protect the network from intrusion, and use MAC address filtering to filter unwanted devices out of the network.
Modern methods that are used to secure data from popular issues
Firstly, to protect the network from virus infections and worm infections, which pose a great risk to data integrity, the company should install a gateway anti-virus alongside desktop anti-virus, firewalls for the whole infrastructure, a client firewall for the remote devices and, if needed, a hardware firewall (Hietala, 2004). This protects the integrity of the data at rest.

Secondly, so as to prevent the theft and disclosure of the company's intellectual property or confidential data, the company needs a strong authentication algorithm along with access control software that grants the legitimate user access to some data and revokes the right to access other data. There should also be an audit log that records when, what and who accessed certain data. In addition, encryption helps reduce the threat and lowers the risk of losing the integrity and confidentiality of the data at rest.
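The following is an added example (not from the report) of the access control and audit logging just described, and of the per-department data policy from the countermeasures section: a deny-by-default permission check, an audit entry for every request recording who, what, when and the decision, and a check over that log for users who are repeatedly refused, which is something a defender would want to notice. The roles, resources and users are hypothetical and the request sequence is constructed.

```python
"""Added example (not from the report): deny-by-default access control with an
audit log, plus a detection pass over the log for repeated denials."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical permission table: role -> set of (resource, action) allowed.
# Anything not listed here is denied.
PERMISSIONS = {
    "sales": {("customer_orders", "read")},
    "sales_manager": {("customer_orders", "read"), ("customer_orders", "write")},
    "hr": {("employee_records", "read"), ("employee_records", "write")},
}


class AccessController:
    def __init__(self, user_roles):
        self.user_roles = dict(user_roles)   # user -> role
        self.audit_log = []                  # one dict entry per request

    def request(self, user, resource, action, when):
        """Decide and record the access. `when` is passed in explicitly so the
        log is deterministic here; a real system would use the current time."""
        role = self.user_roles.get(user)     # unknown user -> role None -> denied
        allowed = (resource, action) in PERMISSIONS.get(role, set())
        self.audit_log.append({
            "when": when, "who": user, "role": role,
            "what": f"{action}:{resource}",
            "decision": "allow" if allowed else "deny",
        })
        return allowed

    def repeated_denials(self, threshold, window):
        """Users with at least `threshold` denials inside any span of `window`."""
        denials = defaultdict(list)
        for entry in self.audit_log:
            if entry["decision"] == "deny":
                denials[entry["who"]].append(entry["when"])
        flagged = set()
        for user, times in denials.items():
            times.sort()
            for i in range(len(times) - threshold + 1):
                if times[i + threshold - 1] - times[i] <= window:
                    flagged.add(user)
                    break
        return flagged


def run_scenario():
    """Constructed sequence of requests against the controller."""
    ac = AccessController({"alice": "sales", "bob": "sales_manager", "carol": "hr"})
    t0 = datetime(2015, 11, 1, 9, 0, 0)
    events = [
        ("alice", "customer_orders", "read", 0),
        ("alice", "customer_orders", "write", 1),    # beyond her role: denied
        ("alice", "employee_records", "read", 2),    # other department: denied
        ("alice", "employee_records", "write", 3),   # denied
        ("bob", "customer_orders", "write", 5),
        ("carol", "customer_orders", "read", 6),     # denied, once
        ("dave", "customer_orders", "read", 7),      # unknown user: denied
    ]
    results = [ac.request(u, r, a, t0 + timedelta(minutes=m)) for u, r, a, m in events]
    return ac, results
```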

Furthermore, in order to prevent denial of service attacks (DoS attacks), the company must invest in sophisticated IPS (Intrusion Prevention System) systems that examine network traffic flows and spot and prevent vulnerabilities from being exploited; these exploits usually come from malicious software inputs. The routers and firewalls must also be properly configured, and the routers should be encrypted to protect the third layer from intrusion (Hietala, 2004). Doing this helps secure the availability of the data at rest and the data in motion.

To end, the security architecture should contain firewalls and web servers in a DMZ that restricts traffic to port 443 (HTTPS) (Image 4). Firewalls alone do not create security; typically, firewalls provide the first line of defense (Oracle, 2015). This protects the data at rest on the company servers.

Conclusion and Recommendation
In the end, I would recommend that Bahrain Mini-mail digital services restrict the viewing of the data to only those employees who need to view it, and install access control software to control the granting and revoking of data access for users. Moreover, Bahrain Mini-mail should use an encrypted VPN alongside SSL to protect the company's network and help in the process of authentication. Furthermore, authentication in the company should be multifactor authentication that is encrypted, along with all the data and information on the company's servers, so that hackers do not know which data is important and which is not. Additionally, Bahrain Mini-mail digital service should install anti-virus for gateways and desktops as well as firewalls, client firewalls and hardware firewalls. In addition, Bahrain Mini-mail digital service should use audit logs to record information about access to the data. Finally, the company should install an IPS to prevent DoS attacks, along with a DMZ to restrict traffic to HTTPS.
References
Andress, J. (2011). The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Amsterdam: Syngress.

Carnegie Mellon University. (2008). Retrieved from cmu.edu: http://www.cmu.edu/iso/aware/presentation/security101-v2.pdf

Cheesley, R. (2010, July 29). Network security for small and medium sized businesses. Retrieved from viryatechnologies.com: http://www.viryatechnologies.com/what-we-are-up-to/white-papers/white-paper-network-security-for-small-and-medium-sized-businesses.html

Denning, D. E. (2005). Cryptography and data security. Reading, MA: Addison-Wesley.

Hietala, J. (2004, October 31). Retrieved from sans.org: https://www.sans.org/reading-room/whitepapers/basics/network-security-guide-small-mid-sized-businesses-1539

Katsikas, S. K. (2006). Information security: 9th international conference, ISC 2006, Samos Island, Greece, August 30-September 2, 2006: proceedings. Berlin: Springer.

learncryptography.com. (2014). Retrieved from https://learncryptography.com/attack-vectors/dictionary-attack

learncryptography.com. (2014). Retrieved from https://learncryptography.com/attack-vectors/frequency-analysis

learncryptography.com. (2014). Retrieved from https://learncryptography.com/attack-vectors/brute-force-attack

learncryptography.com. (2014). Retrieved from https://learncryptography.com/attack-vectors/man-in-the-middle-attack

learncryptography.com. (2014). Cryptanalysis. Retrieved from learncryptography.com: https://learncryptography.com/cryptanalysis

Mollin, R. A. (2001). An introduction to cryptography. Boca Raton: Chapman & Hall/CRC.

Oracle. (2015). Retrieved from https://docs.oracle.com/cd/E13174_01/alui/deployment/docs603/deployment/implementing_network_security.html

SecurITyCerts. (2015). SecurITyCerts. Retrieved from SecurITyCerts.org: http://securitycerts.org/review/cryptography-integrity.htm

Tipton, H. F. (2000). Information Security Management Handbook: Volume 2. Hoboken: Taylor & Francis Ltd.

Vacca, J. R. (2009). Computer and information security handbook. Amsterdam: Elsevier.

Whitman, M. E., & Mattord, H. J. (2003). Principles of information security. Boston, MA: Thomson Course Technology.

Wolchover, N. (2015, September 8). A Tricky Path to Quantum-Safe Encryption. Retrieved from quantamagazine.org: https://www.quantamagazine.org/20150908-quantum-safe-encryption/

Appendixes

Image 1

Image 2
Image 3
Image 4
