Information Security
Introduction
This report discusses information security, its aims and principles, and how they relate to cryptography: what cryptography means and stands for, the types of cryptography, and ciphers and their types, together with the relationship between cryptography and quantum computers. It also covers cryptanalysis, what it stands for, and some of the attacks that cryptanalysts use to break encryption. It then presents a security assessment of Bahrain Mini-mail digital services, stating some of the company's security vulnerabilities alongside popular ones and their impact, followed by countermeasures for Bahrain Mini-mail's vulnerabilities and modern methods that are used to secure data at rest and data in motion. Finally, it gives a recommendation for the company to improve its network security and to minimise and control risks.
Principles of information security and cryptographic measures to secure information
Information Security
Information security is the protection and safeguarding of data and systems from unauthorized access, disclosure, modification, disruption or destruction (Carnegie Mellon University, 2008).
Information security has also been defined as the practice of ensuring the confidentiality, integrity and availability (CIA) of information. Understanding information security in these terms helps us to handle and distinguish its concerns in a concrete way (Katsikas, 2006).
Confidentiality
Confidentiality is the ability to protect information from being viewed by unauthorized personnel (Andress, 2011).
Confidentiality permits only those who hold the right privileges to access the information and data; when an unauthorized party (person or system) gets hold of the data, confidentiality is breached (Andress, 2011).
Encrypting data provides confidentiality: if the information falls into unauthorized hands, the data is unreadable, because encrypted data can only be read by someone who holds the key to decrypt it or who breaks the encryption through cryptanalysis.
Integrity
Information integrity means that the information is whole and uncorrupted. The integrity of information is threatened when the data is exposed to a security threat such as damage or corruption (Whitman & Mattord, 2003).
Encryption can help maintain data confidentiality; however, that does not mean the information is validated for integrity (Vacca, 2009).
The integrity of the data is verified by using a keyed Message Authentication Code (MAC), which is built from a cryptographic hash function (SHA, MD5). These hash functions are one-way algorithms that are not reversible, which makes it nearly impossible to modify even one character without the change being detected (Tipton, 2000).
Usually the hash itself is encrypted (or keyed) so that an unauthorized user who modifies the information cannot also modify the hash to match the altered data (SecurITyCerts, 2015).
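Keyed versus unkeyed integrity checks, as an added example written for this report (not code from the original or from Tipton): an HMAC built on SHA-256 stands in for the keyed MAC described above, and a plain SHA-256 digest stands in for a hash stored next to the data without a key. The shared secret and the messages are constructed samples.

```python
import hashlib
import hmac


def make_tag(key: bytes, message: bytes) -> str:
    """Keyed MAC: HMAC-SHA256 over the message; only holders of `key` can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, message: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time to avoid timing leaks."""
    return hmac.compare_digest(make_tag(key, message), tag)


def plain_digest(message: bytes) -> str:
    """Unkeyed SHA-256: anyone can recompute it, so it only detects accidents."""
    return hashlib.sha256(message).hexdigest()


def plain_check(message: bytes, stored_digest: str) -> bool:
    """Integrity check based on an unkeyed digest stored beside the data."""
    return hmac.compare_digest(plain_digest(message), stored_digest)


def demo() -> dict:
    key = b"constructed-shared-secret"               # constructed sample key
    original = b"transfer 100 BHD to account 12345"  # constructed sample message
    tampered = b"transfer 900 BHD to account 12345"  # constructed altered message

    # Unkeyed hash stored next to the data: whoever alters the data can
    # simply recompute the digest, so the check passes on the altered data.
    stored_digest = plain_digest(original)
    forged_digest = plain_digest(tampered)

    # Keyed MAC: without the key nobody can produce a tag for the altered data.
    tag = make_tag(key, original)

    return {
        "plain_detects_tamper_if_digest_untouched": not plain_check(tampered, stored_digest),
        "plain_fooled_when_digest_also_replaced": plain_check(tampered, forged_digest),
        "mac_accepts_original": verify_tag(key, original, tag),
        "mac_rejects_tampered": not verify_tag(key, tampered, tag),
        "mac_rejects_wrong_key": not verify_tag(b"guessed-key", original, tag),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Every entry in the returned dictionary is True: the unkeyed digest only catches a change when the digest itself was left alone, while the keyed tag rejects both the altered message and a tag computed under a different key.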
Availability
Availability means that authorized parties (users or systems) can access the data without interference, interruption or obstruction, and receive the information in a usable format (Whitman & Mattord, 2003).
Encryption
The process of transforming plaintext into cipher-text is itself called encryption.
Decryption
Decryption is the reverse process of encryption: transforming cipher-text back into plaintext that can be read by human beings.
Types of ciphers
There are two basic types of ciphers: substitution ciphers and transposition ciphers.
Substitution cipher
In a substitution cipher, the cryptographer replaces characters, bits or blocks of characters with substitutes. For example, shift each letter in the English alphabet forward by J positions (shifts past Z cycle back to A); J is then the key to the cipher. This is often called the Caesar cipher (Denning, 2005). (Image 1)
Transposition ciphers
Transposition ciphers rearrange the bits or characters of the data. For example, in the "rail-fence cipher" the letters of a plaintext message are written down in a pattern resembling a rail fence (Denning, 2005). (Image 2)
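The two cipher families above, as an added example written for this report (not code from the original or from Denning): a Caesar shift as the substitution cipher and a rail fence as the transposition cipher, plus a letter-count helper that shows the difference that matters for cryptanalysis: a transposition keeps the plaintext's letter counts intact while a substitution only relabels them. The sample messages are constructed.

```python
from collections import Counter


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Substitution cipher: shift every letter forward by `key` positions,
    wrapping past Z back to A. Non-letters are left unchanged."""
    out = []
    for ch in plaintext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    """Shifting backwards by the same key undoes the substitution."""
    return caesar_encrypt(ciphertext, -key)


def _zigzag_rows(length: int, rails: int) -> list:
    """Row index visited by each character position when writing a zigzag."""
    rows, row, step = [], 0, 1
    for _ in range(length):
        rows.append(row)
        if row == 0:
            step = 1
        elif row == rails - 1:
            step = -1
        row += step
    return rows


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Transposition cipher: write the text in a zigzag across `rails` rows,
    then read the rows one after another."""
    if rails < 2:
        return plaintext
    pattern = _zigzag_rows(len(plaintext), rails)
    rows = [[] for _ in range(rails)]
    for ch, r in zip(plaintext, pattern):
        rows[r].append(ch)
    return "".join("".join(r) for r in rows)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Rebuild the zigzag pattern, cut the ciphertext into rows of the right
    lengths, then read the characters back in zigzag order."""
    if rails < 2:
        return ciphertext
    pattern = _zigzag_rows(len(ciphertext), rails)
    counts = [pattern.count(r) for r in range(rails)]
    rows, idx = [], 0
    for c in counts:
        rows.append(list(ciphertext[idx:idx + c]))
        idx += c
    return "".join(rows[r].pop(0) for r in pattern)


def letter_counts(text: str) -> Counter:
    """Counts of letters only, case-folded; used to compare the two families."""
    return Counter(ch for ch in text.upper() if ch.isalpha())


if __name__ == "__main__":
    message = "WEAREDISCOVERED"  # constructed sample message
    print(caesar_encrypt(message, 3), rail_fence_encrypt(message, 3))
    # The transposition keeps every letter count; the substitution does not.
    print(letter_counts(rail_fence_encrypt(message, 3)) == letter_counts(message))  # True
```

Because a transposition never changes which letters occur, the frequency profile of the cipher-text equals that of the plaintext; a Caesar substitution shifts that profile sideways by the key, which is exactly what frequency analysis exploits later in this report.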
Types of Cryptography
RSA encryption
RSA encryption is an asymmetric key method that uses the recipient's public key to encrypt the message, which the recipient then decrypts with a private key (Wolchover, 2015).
Lattice-based cryptography
This type of cryptography uses lattices of points: the cryptographer must find the nearest lattice point, in a lattice with hundreds of special dimensions (the private key), given a random location in space (the public key) (Wolchover, 2015).
Code-based cryptography
In code-based cryptography, the private key is an error-correcting code and the public key is a scrambled and inaccurate version of that code (Wolchover, 2015).
Multivariate cryptography
The encryption system depends on the difficulty of solving systems of multivariable polynomial equations (Wolchover, 2015).
Cryptanalysis
Cryptanalysis is the study of cryptographic systems and the investigation of systems, ciphers and cipher-texts in order to understand how they work, reveal their hidden aspects, and find any flaws that would allow them to be broken, even when the key or the underlying algorithm cannot be deciphered. This study uses many attacks to achieve its goals, such as the dictionary attack, frequency analysis, the brute force attack or the Man-in-the-Middle attack (learncryptography.com, 2014).
Dictionary attack
A dictionary attack guesses the key of a cipher-text by trying a large number of common keys and probable passwords that human users are likely to use. The dictionary attack stores common English words, passwords and phrases and tries each of them as the key (learncryptography.com, 2014).
Frequency Analysis
Frequency analysis analyses the letters and groups of letters contained in a cipher-text in an attempt to reveal the message at least partially. In the English language, letters and groups of letters appear with varying, characteristic frequencies (learncryptography.com, 2014).
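Frequency analysis carried out on a Caesar cipher-text, as an added example written for this report (not code from the original or from learncryptography.com): each of the 26 possible shifts is scored by how closely the letter frequencies of the candidate plaintext match English, using a chi-squared statistic, and the best-scoring shift is reported. The English frequency table is an approximate one supplied here and the sample text is constructed; what a defender should take from it is how little cipher-text a simple substitution needs before it gives up all confidentiality.

```python
from collections import Counter
import string

# Approximate percentage frequency of each letter in English prose
# (rounded values from commonly published tables; assumed, not from the report).
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0,
    "h": 6.1, "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7,
    "o": 7.5, "p": 1.9, "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8,
    "v": 0.98, "w": 2.4, "x": 0.15, "y": 2.0, "z": 0.074,
}

# Constructed sample: ordinary English, so its letter frequencies are typical.
SAMPLE_PLAINTEXT = (
    "this message was written in plain english so that the letter frequencies "
    "of the text resemble those of ordinary writing and the most common letter "
    "should still be e as it is in almost every english sentence"
)


def shift(text: str, k: int) -> str:
    """Caesar shift of the lower-case letters in `text` by k (negative k shifts back)."""
    return "".join(
        chr((ord(c) - 97 + k) % 26 + 97) if "a" <= c <= "z" else c
        for c in text.lower()
    )


def letter_frequencies(text: str) -> dict:
    """Percentage frequency of each letter a-z in `text` (letters only)."""
    letters = [c for c in text.lower() if c in string.ascii_lowercase]
    counts = Counter(letters)
    total = len(letters) or 1
    return {c: 100.0 * counts[c] / total for c in string.ascii_lowercase}


def chi_squared(observed: dict) -> float:
    """Distance between the observed letter distribution and English (lower is closer)."""
    return sum(
        (observed[c] - ENGLISH_FREQ[c]) ** 2 / ENGLISH_FREQ[c]
        for c in string.ascii_lowercase
    )


def rank_shifts(ciphertext: str) -> list:
    """Score every possible shift; return (shift, score) pairs, best first."""
    scored = []
    for k in range(26):
        candidate = shift(ciphertext, -k)
        scored.append((k, chi_squared(letter_frequencies(candidate))))
    return sorted(scored, key=lambda pair: pair[1])


def recover_shift(ciphertext: str) -> int:
    """The shift whose candidate plaintext looks most like English."""
    return rank_shifts(ciphertext)[0][0]


def most_common_letter(text: str) -> str:
    """Single most frequent letter; in a Caesar cipher-text it is usually the image of 'e'."""
    freqs = letter_frequencies(text)
    return max(freqs, key=freqs.get)


if __name__ == "__main__":
    ciphertext = shift(SAMPLE_PLAINTEXT, 7)
    print(most_common_letter(ciphertext), recover_shift(ciphertext))  # l 7
```

The chi-squared score is what makes the method robust: it compares the whole distribution rather than only the single most common letter, so it still works on short texts where 'e' happens not to dominate. Against a cipher that changes the letter distribution, such as a modern block cipher, the scores for all candidates come out equally poor and the method reveals nothing.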
Bahrain Mini-mail digital service uses a variety of computers and operating systems to access network resources. This imposes a big threat on the company's resources, because users should be limited in which network resources they can access in order to protect the company's servers. Using the network without encryption or safety regulations poses a threat to the data at rest on the company's servers as well as to the data in motion that users send to other parties.
Employees use passwords and user names that have been issued by the IT department. This system of authentication is old and can be breached by most cryptanalytic algorithms, which puts the integrity and confidentiality of the data at risk. While this vulnerability does not pose a direct risk to the data in motion or the data at rest, it allows unauthorized personnel to gain access to the data at rest on the company's servers.
Bahrain Mini-mail digital service faces many potential threats from hackers attempting to gain information about the company or trying to break into and penetrate the company's servers. This vulnerability inflicts a high risk on both the data in motion and the data at rest.
Denial of service attacks (DoS attacks) have been the most costly attacks to companies, causing the loss of internet connection and of access to the company's website (Hietala, 2004). This prevents legitimate users from accessing the data in motion from the company's servers, which is a risk to data availability.
Secondly, Bahrain Mini-mail digital services users access the network resources using a variety of computers and operating systems. It is best to restrict network usage to a minimum and block the ports that are not needed in the working environment. Also, Bahrain Mini-mail should use a VPN (Virtual Private Network) and restrict it to particular IP addresses, since a VPN encrypts the outbound Internet traffic. Alongside the VPN, using SSL/TLS helps to authenticate clients and servers and then encrypts the messages between the authenticated parties.
Moreover, employees in Bahrain Mini-mail use passwords and usernames that have been given to them by the IT department. This method of authentication is outdated and can be broken by the majority of cryptanalysis algorithms, such as the brute force attack. The use of multifactor authentication is recommended, as well as the use of a quantum-safe encryption algorithm to protect the authentication process from penetration and cryptanalysis.
Furthermore, in order to protect the company's assets from hackers, alongside firewalls and a strong authentication process, all the information and data needs to be encrypted regardless of its importance, because if only the important data were encrypted, the hacker would know which data is important and which is not (Cheesley, 2010). In addition, the encryption needs to be quantum secure so that any party who has a quantum computer cannot decrypt the information from the ciphers. Additionally, Bahrain Mini-mail needs to add wireless security protocols to protect the network from intrusion, and use MAC address filtering to keep unwanted devices off the network.
Modern Methods that are used to secure data from popular issues
Firstly, to protect the network from virus and worm infections, which pose a great risk to data integrity, the company should install gateway anti-virus alongside desktop anti-virus, and firewalls for the whole infrastructure, along with a client firewall for remote devices and, if needed, a hardware firewall (Hietala, 2004). This protects the integrity of the data at rest.
Secondly, to prevent the theft and disclosure of the company's intellectual property or confidential data, the company needs a strong authentication algorithm, along with access control software that grants the legitimate user access to some data and revokes the right to access other data. Also, there should be an audit log that records when, what and who accessed certain data. In addition, encryption helps reduce the threat and lowers the risk of losing the integrity and confidentiality of the data at rest.
Furthermore, in order to prevent denial of service attacks (DoS attacks), the company must invest in sophisticated IPS (Intrusion Prevention System) systems that examine network traffic flows and spot and prevent vulnerabilities from being exploited, which usually happens through malicious software inputs, as well as properly configuring the routers and firewalls; the routers should use encryption to protect the third layer from intrusion (Hietala, 2004). Doing that will help secure the availability of the data at rest and the data in motion.
To end, the security architecture should contain firewalls and web servers in a DMZ that restricts traffic to port 443 (HTTPS) (Image 4), because firewalls alone do not create security; typically firewalls provide the first line of defense (Oracle, 2015). This protects the data at rest on the company's servers.
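Access control with an audit log, as an added example written for this report (not code from the original or from the company): a small controller that grants and revokes per-resource actions, records every access decision with when, who, what and the outcome, and flags users who accumulate repeated denials, which is the kind of record an incident responder looks for. The users, resources and timestamps are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class AuditEntry:
    """One line of the audit log: when, who, what (resource), which action, outcome."""
    when: str
    who: str
    what: str
    action: str
    decision: str  # "ALLOW" or "DENY"


class AccessController:
    def __init__(self) -> None:
        # user -> resource -> set of permitted actions
        self._grants: Dict[str, Dict[str, Set[str]]] = {}
        self.audit_log: List[AuditEntry] = []

    def grant(self, user: str, resource: str, action: str) -> None:
        self._grants.setdefault(user, {}).setdefault(resource, set()).add(action)

    def revoke(self, user: str, resource: str, action: str) -> None:
        self._grants.get(user, {}).get(resource, set()).discard(action)

    def access(self, user: str, resource: str, action: str,
               now: Optional[datetime] = None) -> bool:
        """Decide the request, record it whatever the outcome, return the decision."""
        allowed = action in self._grants.get(user, {}).get(resource, set())
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append(
            AuditEntry(stamp, user, resource, action, "ALLOW" if allowed else "DENY"))
        return allowed

    def denied_attempts(self, user: Optional[str] = None) -> List[AuditEntry]:
        """All denied requests, optionally restricted to one user."""
        return [e for e in self.audit_log
                if e.decision == "DENY" and (user is None or e.who == user)]

    def flag_repeated_denials(self, threshold: int) -> List[str]:
        """Users with at least `threshold` denials: candidates for review."""
        counts = Counter(e.who for e in self.denied_attempts())
        return sorted(u for u, n in counts.items() if n >= threshold)


def run_demo() -> AccessController:
    """Constructed scenario: alice may read payroll, bob may only read public docs."""
    ac = AccessController()
    ac.grant("alice", "payroll", "read")
    ac.grant("bob", "public-docs", "read")
    t = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    ac.access("alice", "payroll", "read", now=t)   # ALLOW
    ac.access("bob", "payroll", "read", now=t)     # DENY
    ac.access("bob", "payroll", "read", now=t)     # DENY
    ac.access("bob", "payroll", "write", now=t)    # DENY
    ac.revoke("alice", "payroll", "read")
    ac.access("alice", "payroll", "read", now=t)   # DENY after revocation
    return ac


if __name__ == "__main__":
    controller = run_demo()
    for entry in controller.audit_log:
        print(entry)
    print(controller.flag_repeated_denials(3))  # ['bob']
```

Two design points matter here: the decision is logged before it is returned, so a denied request can never go unrecorded, and the log stores the decision alongside the request, so the same record serves both the "who accessed what" question and the detection of someone probing resources they were never granted.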
Cheesley, R. (2010, July 29). Network security for small and medium sized businesses. Retrieved from viryatechnologies.com: http://www.viryatechnologies.com/what-we-are-up-to/white-papers/white-paper-network-security-for-small-and-medium-sized-businesses.html
Denning, D. E. (2005). Cryptography and data security. Reading, MA, etc.: Addison-Wesley.
Katsikas, S. K. (2006). Information security: 9th international conference, ISC 2006, Samos Island,
Greece, August 30-September 2, 2006: proceedings. Berlin: Springer.
Tipton, H. F. (2000). Information Security Management Handbook: Volume 2. Hoboken: Taylor &
Francis Ltd.
Whitman, M. E., & Mattord, H. J. (2003). Principles of information security. Boston, MA:
Thomson Course Technology.
Wolchover, N. (2015, September 8). A Tricky Path to Quantum-Safe Encryption. Retrieved from quantamagazine.org: https://www.quantamagazine.org/20150908-quantum-safe-encryption/
Appendixes
Image 1
Image 2
Image 3
Image 4