)k

Security Threats and Controls
Cryptography and Access Control
CCSD SECURITY
ESSENTIAL

Trainer Profile
LEO LOURDES
(MBA IT Management, BoM Hons. HRM)
Implementer of ISO 20000-1:2011
Certified in COBIT® 5
Certified in ISO 9001 Auditor (PECB)
Certified in PRINCE2® in Project Management
Certified in ITIL® Practitioner
Certified in ITIL® Intermediate Certificate in IT Service Operation
Certified in ITIL Information Security based on ISO/IEC 27002
Certified in ITIL for Cloud Computing
Certified in ITIL IT Service Management
Certified in Coaching and Calibration Skills for Call Center
Certified in Delivering Learning / Teaching by City & Guilds, United Kingdom
wecare@thinkleosolutions.com
+6012-311 6457 / +6016-349 1793
Experience:
Management Representative (MR) ISO 20000-1: 2011
IT Service Management (Incident, Problem, Change) Manager
Security, Compliance & Risk Management
Senior CRM Delivery Analyst
Certified Trainer
Certified IT Auditor & Consultant

The CIA Triad
Availability
Copyright © 2019 Logical Operations, Inc. All rights reserved.

Confidentiality Terms
Term Definition
Sensitivity The level of damage or harm that could occur if the asset is revealed or
disclosed.
Discretion The ability for a person to control the level of access to, or disclosure of,
an asset.
Criticality The level of importance of an asset to the mission or objective.
Concealment The act of hiding or preventing disclosure of an asset.
Secrecy The practice of preventing or limiting information disclosure.
Privacy The protection of confidential or personal information.
Seclusion The act of storing something in a location that is out of the way, and thus
not easily observed or found.
Isolation The act of keeping something separate from other things that are similar
in nature.

Integrity Terms
Term Definition
Accuracy The degree to which the data is correct and precise.
Truthfulness The quality of a source of information being factual and realistic.
Validity The quality of an asset being factually or logically sound.
Authenticity The quality of an asset being genuine.
Accountability The condition of a person or entity being held responsible for their
actions.
Responsibility The obligation of a person or entity to take ownership of their actions.
Completeness The quality of an asset that has all its necessary parts or components.
Comprehensiveness The quality of an asset being complete in scope, and fully inclusive of all
relevant elements.

Availability Terms
Term Definition
Usability The degree to which an asset can be easily learned, understood, utilized,
or controlled by a subject.
Accessibility The assurance that an asset can, under the widest range of circumstances,
be used by a subject, regardless of their capabilities or limitations.
Timeliness The quality of an asset, particularly information, being prompt and
available within a reasonable time frame, and with low latency.

Common Security Terms (Slide 1 of 2)
Term Definition
Asset Anything of value that could be compromised, stolen, or harmed, including
information, systems, personnel, physical resources, and reputation.
Threat Any event or action that could potentially cause damage to an asset or an
interruption of services.
Threat actor A person, group, or other entity that could potentially attack, damage, or
otherwise compromise a system or resource.
Vulnerability A condition that leaves the system and its assets open to harm—including
such things as software bugs, insecure passwords, inadequate physical
security, poorly designed networks, or insufficient user training and
awareness.
Exploit A technique that takes advantage of a vulnerability to perform an attack.
Risk The likelihood of a threat occurring, as well as its potential damage to
assets.
Control A countermeasure that you put in place to avoid, mitigate, or counteract
security risks due to threats or attacks; also known as a safeguard.

Common Security Terms (Slide 2 of 2)
Term Definition
Attack The active attempt by a threat actor to break into and exploit a vulnerable
system, data, or other resource.
Breach The result of a successful attack. Can include theft, destruction, or loss of
availability of data, a system, or other resources.
Exposure The level, usually expressed in percentage, to which a resource is at direct
risk of attack.
Social engineering The practice of using deception and trickery against human beings as a
method of attack.
Defense in depth The practice of providing security in multiple layers for more
comprehensive protection against attack.

• Methods of exercising control and management over an organization.
• Seeks to mitigate security risk.
• Turns a reactionary security culture into a proactive one.
• Supports business objectives to minimize cost and disruption.
• A major objective is compliance.
• Compliance assures that the organization operates within regulatory requirements.
Security Governance

Organizational Governance Structure
Board of Directors/CEO
CISO
Security Department
Management
Staff

• Structure of an organization can impact its security.
• Who is responsible for what? Who do they report to?
• Different levels responsible for different security requirements and tasks.
The Organizational Culture's Impact on Security

• Security professionals must advise decision makers based on risk.
• Cost prohibits 100% security.
• Tosupport business constraints:
• Assess risk and determine needs.
• Implement policies and controls to mitigate risk.
• Promote awareness of expectations.
• Monitor and evaluate effectiveness of the controls.
• Use as input in next risk assessment.
• IT is the business, and the business is IT.
• Not separate function; integral to the business.
• Business makes money from IT platform.
• Recognize mutual nature of security and business.
Security and Business Alignment

Roles and Responsibilities (Slide 1 of 2)
Role Responsibility
End Users • Protect information on a daily basis.
• Adhere to security policies.
• Be mindful of everything they do.
• Report security issues.
Administrative Assistants • First line of defense against social engineering.
• Screen phone calls for executives.
Help Desk/Service Desk
Administrators
• Answer user questions about system problems.
• Help desk calls may indicate security issues.
Physical Security • First line of defense regarding physical location of assets.
• Can work with external law enforcement.
• Role may be integrated with information systems security.
Information Systems/IT
Professionals
• Design security controls into information systems.
Information Systems
Security Professionals
• Inform executive management of security concerns and suggest solutions.

Roles and Responsibilities (Slide 2 of 2)
Role Responsibility
Information Systems
Auditors
• Determine whether systems and personnel are in compliance.
• Check configuration and design, implementation and operation of systems.
Business Continuity
Planners
• Develop contingency plans to prepare for incidents.
Data/Information
Custodians
• Implement access control levels based on data owner’s specifications.
• Back up data to ensure recovery after loss or corruption.
Data/Information/
Business Owners
• Classify data.
• Determine level of access to data.
Security Administrators • Manage access to information systems.
• Keep logs of all requests for access.
• Provide logs to auditor.
Network/Systems
Administrators
• Keep network infrastructure running to ensure availability.
• Physically implement access controls to data.
Executive Management • Protect information assets of organization.
• May include Chief Information Officer (CIO).
• May also include Chief Information Security Officer (CISO)

• Protects all business information from loss and disclosure.
• Works with individuals to ensure policies, procedures, and other documents are
implemented.
• May also run the organization’s incident response team.
• Supports governance activities.
• Develops programs to review security from several viewpoints.
• Must balance security needs with business objectives, especially when limited by
cost or time.
CISO Role

CISO Responsibilities (Slide 1 of 2)
Role Responsibility
Understand the business • Become knowledgeable about business operation and goals.
• Understand vision and mission, and how IT security helps to meet goals.
• Be a member of the management team.
• Provide security guidance to entire organization.
Stay informed • Be up to date on changing threat environment.
• Be aware of emerging technologies that provide security solutions.
Budget • Develop and justify security budget.
• Communicate budget needs to senior management to ensure approval.
• Ask for needs rather than wants.
Develop • Develop security policies, procedures, baselines, standards, and guidelines.
• Develop organization-wide security awareness programs.
• Develop security management skills within the security organization.
Train • Ensure user and management training in information security protection.
• Train security staff in new threats, new safeguards, and current operations.

CISO Responsibilities (Slide 2 of 2)
Role Responsibility
Ensure compliance • Ensure compliance to laws, regulations, and policies within areas controlled by
information security.
• Coordinate with legal department as necessary.
Promote awareness • Promote an organization-wide climate of security awareness.
• Communicate importance of business continuity and disaster recovery
planning.
Inform • Be conduit for security information in the organization.
• Provide frequent status updates on security environment.
• Provide advance information about pending changes to help plan training.
Measure • Measure security effectiveness by conducting penetration testing and other
similar activities.
• Work with auditors to determine weaknesses.
Assist • Assist senior management in understanding information security requirements.
• Assist application designers and developers to provide security in new and
existing systems.
Report • Report security accomplishments and limitations to senior management.
• Provide details regarding security violations.

Security Goal Categories
Goal Description
Strategic • Align with business and information technology goals.
• Long horizon (3-5 years or more).
• Ex: establish security policies and ensure all users understand
responsibilities.
Tactical • Provide broad initiatives necessary to support goals of strategic plan.
• May consist of multiple projects.
• Usually 6-18 month time period.
• Ex: implement disaster recovery programs and customer relationship
management.
Operational • Specific short-term goals.
• Put tactical plan into practice.
• Ensure that individual projects are completed with milestones.
• Ex: perform project-wise risk assessment and development of security
policies.

Control Frameworks
• Minimizes risk in an organization by creating a structure for security controls.
• Meet the following criteria:
• Consistent
• Measurable
• Standardized
• Comprehensive
• Modular

• Awareness of and adherence to contractual obligations, relevant laws, and/or
regulations.
• Can be:
• Set forth by governments and other private organizations.
• Internal and self-imposed.
• Consult with legal department to determine how laws and regulations impact
security operations.
• A well-rounded compliance program helps with overlapping or confusing regulatory
requirements
• Compliance may be required for an Authorization to Operate.
• U.S. Federal government agencies
• Formal acceptance of risk and approval to use a product
Compliance

• Security professionals must understand all laws that apply to their organization.
• Specific conditions must be met in certain cases.
• Identify any safe harbors that could help the organization avoid penalties.
• Safe harbors are practices or actions that are deemed not to be in violation of the law.
• Policies and other documentation should be consistent with applicable laws and
regulations.
• There are different types of laws; not all laws are regulatory in nature.
Legislative and Regulatory Compliance

Computer Crime
Government
Database
Classified Information
Attack

Data Breach
• An incident that results in release or potential
exposure of secure information.
• Can be true test of legal compliance.
• If organization performs due care to comply with laws,
breach’s effects may be mitigated.
• Organization can also avoid severe legal penalties.
• Especially a concern with privacy laws, as many
breaches expose customer PII.
• Consequences for compliance failure are magnified
under a breach.
• Most laws require timely notification in the event of a
breach.

Industry Standards (Slide 1 of 2)
IT/Information Security Standard Description
PCI DSS • Specifies how organizations handle information security for major
card brands.
• Compliance validated on annual basis.
• Organizations or merchants that accept, transmit, or store
cardholder data from these brands must comply.
NIST SP 800 series • Various publications establish computer security standards,
including:
• SP 800-12: An Introduction to Computer Security: The NIST
Handbook
• SP 800-14: Generally Accepted Principles and Practices for
Securing Information Technology Systems
• SP 800-33: Underlying Technical Models for Information
Technology Security
• SP 800-53: Security and Privacy Controls in Federal Information
Systems and Organizations

Industry Standards (Slide 2 of 2)
IT/Information Security Standard Description
COBIT 5 Standards for IT management and governance, promoting five
principles:
• Meeting stakeholder needs.
• Covering the enterprise end-to-end.
• Applying a single, integrated framework.
• Enabling a holistic approach.
• Separating governance from management.
ISO/IEC 27001 Focuses on topics in information security management:
• Responsibilities and procedures.
• Reporting information security events.
• Reporting information security weaknesses.
• Assessment of and decision on information security events.
• Response to information security incidents.
• Learning from information security incidents.
• Collection of evidence.

• Lack of documentation creates organizational chaos.
• Documentation provides a framework for people to work together in achieving
organizational goals.
• Security documentation can also act as a road map to governance.
The Value of Security Documentation

Security Document Types
Security Document Type Description
Policy High-level statement of management intentions. Contains purpose, scope, and
compliance expected of every employee.
Example: Information security will ensure the protection of information by
implementing security best practices.
Standard Required implementation or use of tools.
Example: The corporation must implement 802.1x security for all wireless
networks.
Guideline Recommended or suggested action or best practice.
Example: When travelling with laptops, users should use safety precautions to
prevent laptop theft, damage, or data loss.
Procedure Step-by-step description of how to implement a system or process.
Example: Toimplement Secure Shell (SSH) on the router, enter the enable mode
and then enter the appropriate commands for the router.
Baseline Minimum security required for a system or process.
Example: Trivial File Transfer Protocol (TFTP) must be disabled in all servers except
for those specifically used for the TFTP service.

Security Planning
Security Planning Effort Description
Strategic planning • Long-term (three- to five-year) planning process.
• Focuses on major security changes in an organization.
• Processes such as mergers and acquisitions could trigger a plan review.
Tactical planning • Mid-term process (6 to 18 months).
• For example, a move to RADIUS for authentication could take a year to
complete.
Operational and project
planning
• Near-term, per-project basis.
• Supports milestones and completion dates that are communicated
regularly.
• For example, planning for a penetration test in three months.

• Objectives that security policies can fulfill:
• Inform employees about their security-related duties and responsibilities.
• Define an organization’s security goals.
• Outline a computer system's security requirements.
• Objectives depend on the organization’s specific requirements.
• Policies should be long enough to explain but short enough to be understood.
• All employees should have access to the policy.
Security Policy Objectives

Security Policy Types
Security Policy Type Description
Advisory • Indicates certain types of actions as being more appropriate or effective
than others.
• Includes consequences and reprimands that may occur if actions are not
as indicated.
• Commonly indicate how to handle private documentation and money.
Informative • Provides data to employees on a specified subject.
• Includes no ramifications.
• Often used as instructional instruments.
Regulatory • Addresses industry regulations regarding the conduct of organizations.
• Commonly used for health care and financial organizations.

The Relationship Between Security Document Types
Laws and Requirements
Strategic
Tactical
Operational
Standards
Mandatory
implementation
Guidelines
Recommended actions
Procedures
Step-by-step
instructions
Baselines
Consistent comparison
points
Policies
Statement of management
intentions
Policy Types:
• Advisory
• Informative
• Regulatory

• Comprehensively identify all assets in the organization.
• Waiting until it’s too late will make it harder to recover an asset.
• If you don’t identify an asset, you may not even know when it’s compromised.
• Describe assets in terms of:
• Basic characteristics.
• Value to the company.
• Use on a daily basis.
• Replaceability.
Asset Identification

• What effort was required to develop or obtain it?
• What does it cost to maintain and protect it?
• How much will we lose in operational functionality if the asset is misplaced or
damaged?
• What would it cost to replace it?
• What enemies might pay for it?
• What liability penalties might occur if the asset is compromised?
Asset Valuation

Asset Valuation Methods
Asset Valuation Method Description
Asset management system Contains a detailed record of corporate property and similar assets,
including facilities, furniture, computers, and other real property.
Accounting system Contains additional financial information about assets, such as
expensing the cost to develop software packages.
Insurance valuation Good source of asset valuation due to rigorous analysis of risk of
loss.
Qualitative valuation Narrative descriptions capture expert judgement about asset value.

Areas of Vulnerability
Vulnerability Area Example Threat and Risk
Physical structure Window accessibility in a room where secure information is stored can
expose vulnerabilities and create a venue for sudden intrusion threats.
Electrical Failure of a vulnerable electrical feed can threaten system data.
Software Worms, viruses, and Trojans threaten systems.
Network Unencrypted data on network can be vulnerable to interception and exploit.
Personnel Key trained personnel must be available to deal with critical events to avoid
corporate-wide vulnerabilities.
Hardware Losses due to theft and physical damage generate costs for replacement and
lost productivity.
Documentation If poorly written, can cause confusion and impair decision making.
Organization must protect integrity and confidentiality of sensitive
documentation.
Process Outdated or inefficient processes can impair business operations; poor
security processes weaken defenses and increase risk.

Identify Threats
Threat Type Description
Natural disasters • Earthquakes
• Wildfires
• Flooding
• Excessive snowfalls
• Tsunamis
• Hurricanes
• Tornados
• Landslides
Man-made disasters Intentional:
• Arson
• Terrorist attacks
• Political unrest
• Break-ins
• Theft of equipment and/or data
• Equipment damage
• File destruction
•Information disclosure
Unintentional:
• Employee mistakes
• Power outages
• Excessive employee illnesses or epidemics
• Information disclosure

Control Selection Criteria
• Selection criteria:
• Cost effectiveness
• Risk reduction
• Practicality
• Additional details to consider:
• Can the control be audited?
• Is the control from a trusted source?
• Can the control be consistently applied?
• Is the control reliable?
• Is the control independent from other controls?
• Is the control easy to use?
• Can the control be automated?
• Is the control sustainable?

Safeguard Cost/Benefit Analysis
• Determine if the safeguard is worth the money.
• Also be confident that the solution meets requirements.
• Be sure to consider total cost:
• Initial purchase price and installation and configuration costs.
• Annual maintenance and licensing costs.
• Internal soft costs for configuration, management, and maintenance.
• Percentage of risk coverage.
• Scalability, upgradeability of solution.
• Most solutions do not completely remediate a risk.

• Administrative
• Covers personnel security, risk management, training, permissions, etc.
• Physical
• Limit a person’s physical access to assets or facilities, using locks, doors, fences, etc.
• Example: Infrared monitoring system can detect the presence of an intruder.
• Technical
• Also known as logical controls.
• Implemented in computing environments like operating systems, applications, databases,
network devices, etc.
• Prefer physical or technical controls, as administrative controls require manual
enforcement.
Control Types
User
***
Administrative Physical Technical

• Not just simple pass-fail results or generating paperwork for an audit.
• Well-executed assessment determines validity and effectiveness of controls.
• Can expose strengths and weaknesses of current systems.
• Helps identify a plan for correcting weaknesses.
Monitoring and Measuring

• Ongoing effort to optimize policies and processes.
• A function of risk management.
• Includes best practices:
• Continuously seek to discover new vulnerabilities.
• Be context aware in your risk analysis.
• Prioritize your efforts to vulnerabilities
that actually pose a significant risk.
• Determine patchability.
Continuous Improvement

Threat Types (Slide 1 of 2)
Cryptojacking • Unauthorized use of someone else's computing device to mine cryptocurrency.
• Devices can include computers, phones, routers, IoT devices.
Advanced Persistent Threat
(APT)
• Stealthy attack.
• Intruder remains undetected for a lengthy period of time.
• Usually sponsored by nation states or organizations that have considerable
resources.
Phishing and social
engineering
• Attackers use psychological tactics to manipulate victims into disclosing
information or performing an action that they shouldn’t.
• Phishing is the most common form.
• Uses email with malicious attachments or links.
Insider threat • Disgruntled employees and others with internal access.
• Use their access privilege or knowledge to steal data or damage systems.
• Can also be accidental/unintentional.
Malware • Any software intended to damage a computer system.
• Can be distributed through email, websites, file sharing, social media, even
legitimate published software.
• Includes viruses, worms, Trojans, keyloggers, rootkits, bootkits, ransomware,
spyware, etc.

Threat Types (Slide 2 of 2)
Denial of service • Any attack that consumes computer or network resources so the system
cannot service legitimate client requests.
• Can be conducted against:
• Network
• CPU
• RAM
• Disk space
• Maximum allowed connections
Unauthorized network
access
• Deliberate or accidental.
• Normal security controls are bypassed.
Injection and Cross-Site
commands
• Malicious commands hide inside normal browser activity.
• Includes command and SQL injection, XSS, and XSRF.
Session Hijacking/
Man-in-the-Middle
• Attacker takes over legitimate network connection, often after user has
authenticated.

• Employees are the weakest link in security.
• Help employees understand:
• Risks
• Impact for company and themselves
• Security policies and procedures
• Focus on attitude, motivation, and attention.
Security Awareness

Security Training
• A clearly defined target audience.
• Training objectives mapped to desired increases in on-the-job
security practices.
• Training outcomes that can be quantified and measured.
• Variations and customizations for different job roles and levels.
• Provisions for updates and refresher training sessions.

• Process of allowing only authorized entities to observe/modify/take possession of a
computer system or physical property.
• Subject – entity requesting access:
• Person.
• System.
• Process.
Access Control
• Object – entity being accessed – any resource.
• Limits subject’s access to object using predefined rules/roles/labels.
Subjects Objects

Types of Access Control Services
Access Control Service Description
Identification and
Authentication (I&A)
• Provides unique identifier for each authorized subject attempting to access
the object.
• Includes method or methods to ensure identity of subject (authentication).
• Typically administered with Identity Management System and support of a
directory.
Authorization • Determines the capabilities or rights of the subject when accessing the
object.
Audit • Creates a log or record of system activities.
Accountability • Reports and reviews the contents of log files.
• Each subject identifier must be unique to relate activities to one subject.

Identity and Access Provisioning Lifecycle
Provisioning
Review
Revocation/
Deprovisioning

Facilities Access
Logical Access Concern Mitigation
Electronic intrusion into network. • Establish logical perimeter.
Hijacking networked utilities/industrial control
system.
• Harden network utilities with strong
authentication/authorization.
Remote tampering of networked physical access
mechanisms.
• Continuous monitoring of access granted by
networked mechanisms.
Physical Access Concern Mitigation
Unauthorized people entering facility. • Establish physical perimeter.
• Use guards, entrance/exit checkpoints.
Unauthorized people attempting to enter facility. • Security cameras.
Unrestricted access to all areas within facility. • Create physical security zones within building.
• Use guards or doors requiring ID card.

Systems Access
Attacker access to configuration consoles. • Administrator configuration of systems.
• Change default administrator password.
Remote access to a critical system by an attacker. • Establish authentication and authorization in
remote services.
Physical damage to server. • Segment servers behind closely guarded rooms.
Physical damage to networking equipment. • Equipment lockers.

Device Access
Attacker accessing the configuration console. • Strong user name/passwords.
• Change default passwords.
Unrestricted access to workstations. • Require authentication/authorization
mechanisms.
Age of device mobility and BYOD (often pass
beyond perimeter).
• Implement mobile device management.
• Require PIN use.
Device theft. • Physical locks on devices.
Device loss. • Locking up phones/tablets.
• Require PIN use.
Unmonitored access to background wireless
connections.
• Turn off Bluetooth, NFC, geo-locating unless
required.

Information Access
Databases with sensitive information are prime
targets.
• Isolate database from rest of network.
• Use authentication/authorization mechanisms.
Inability to determine who is using remote
connections.
• Implement remote authentication protocols.
All accounts allow full access to data. • Set up varied levels of access permissions.
Attackers simply walking out with a bunch of
servers.
• Lock and monitor server rooms/data centers.
Hard copies of sensitive information. • Keep hard copies in locked file cabinets/safes.

• Or “authentication by possession.”
• Device that must be physically present to be used for access.
• Theft of device:
• Prevents access for authorized user.
• May allow access by unauthorized user.
• Often used together with a PIN/password for two-factor authentication.
Something You Have
PIN
Password
User Information
Unique Value
Two-factor authentication

• Or “authentication by characteristic.”
• Uses personal attributes:
• Fingerprints.
• Hand geometry.
• Retina scans.
• Iris scans.
• Facial recognition
• Voiceprints.
Something You Are
Fingerprint Scanner

• A single instance of identification and authentication applied to resources.
• Permissions won’t change for duration of session.
• Lock session:
• Timeouts.
• Screensavers.
Session Management

Federated Identity
Single identity linked across many different identity management systems.
Microsoft
Account

• Centralized authentication system.
• Provides consistent/scalable mechanism to control access:
• Applications.
• Services.
• Systems.
• Common examples:
• X.500.
• LDAP.
• Active Directory.
Directory Services
Authentication
Centralized
Administration

LDAP
LDAP Client
LDAP Server
LDAP Client
Signed certificate
Trusted session

• Microsoft’s LDAP-compatible directory implementation.
• Structures objects within an organization into a hierarchy.
• Allows administrators to centrally manage access using access control lists.
• Can subdivide the domain into organizational units.
Active Directory

Kerberos
Ticket
Ticket
User passes credentials to
an authentication server

The Kerberos Process
1. I (user) need to authenticate and I need a ticket.
2. Here is a TGT.
3. Here is my TGT; now I need an ST.
4. Here is your ST.
5. Here is my ST secure connection to the File Server.
6. Resource authenticates user and allows access via a secure connection.
File Server
Key Distribution
Server
Authentication Server
Ticket Granting Server
1 2
3
4
5
6
User

SSO
• Allows a user to authenticate once and receive access to a number of related but
independent software systems.
• SSO often considered a subset of Identity Federation.
• Benefits:
• Compromised credentials quickly regained by single action.
• Central server minimizes burden of logging in and monitoring user logins.
• Easy to use because only have to remember one password.
• Security considerations:
• Compromise of single set of credentials allows access to multiple systems.
• If authentication servicer becomes unavailable, the entire system might become
unavailable.
• Need multiple levels of authentication to ensure secure SSO system.
Email
File Server

Cryptography
Unprotected
Data
Encryption
Protected
Data

Encryption and Decryption
Encryption Ciphertext
Plaintext
Ciphertext Decryption Plaintext

• Rule/system/mechanism used to encrypt data.
• Also known as an encryption algorithm.
• Stronger, more complex algorithm = more difficult to break.
Ciphers
Original
Information
Cipher
Encrypted
Information

Key Clustering
Original Information
Cipher
U@5 U@5

• Steganographic techniques include:
• Hiding information in blocks.
• Hiding information within images.
• Invisibly altering structure of a digital image.
Steganography
Vessel Image
Secret Data
Steganographic
Image

Symmetric Encryption
Encrypts Data Decrypts Data
Same Key on Both Sides

• Data Encryption Standard (DES)
• Triple DES (3DES)
• Advanced Encryption Standard (AES)
• Blowfish
• Twofish
• IDEA
• Skipjack
• Rivest Cipher (RC) 4, 5, and 6
Symmetric Encryption Algorithms

Symmetric Algorithm Comparison Chart
Algorithm Block Size (bits) Key Size (bits) Rounds
AES 128 128, 192, 256 10, 12, 14
Rijndael Variable (multiples of 32) 128, 192, 256 9, 11, or 13 depending on
key/block size
Blowfish 64 32 - 448 16
DES 64 56 (+ 8 parity bits) 16
3DES 64 112 or 168 48
IDEA 64 128 8
RC2 64 128 18
RC4 n/a 40 - 2048 (typically 40 - 128) 1
RC5 32, 64, 128 0 - 2040 0 - 255
RC6 128 128 - 2040 Variable (20 recommended)
Skipjack 64 80 32
Twofish 128 128, 192, 256 16

• Symmetric encryption benefits:
• Good performance
• Well suited to encrypt both data at rest and data in transit.
• The greatest challenge is key management.
• Both parties must agree upon the key ahead of time.
• If the key gets compromised, all files and communications encrypted with that key have
also been compromised.
• A new key must be issued, with both parties again communicating ahead of time to agree
upon the key.
Symmetric Encryption Considerations

Asymmetric Encryption
Public Key Encrypts Private Key Decrypts

• Rivest Shamir Adelman (RSA)
• Diffie-Hellman (DH)
• Elliptic Curve Cryptography (ECC)
• Diffie-Hellman Ephemeral (DHE)
• Elliptic Curve Diffie-Hellman Ephemeral (ECDHE)
• ElGamal
• Digital Signature Algorithm (DSA)
• Knapsack
Asymmetric Encryption Techniques

Asymmetric Algorithm Comparison Chart
Asymmetric
Algorithm
Based On Common Use
RSA Factors (products of large prime numbers) Digital certificates, digital signatures
DH Handshake Key exchange
ECC Elliptic curves Smart cards, wireless, realtime
communications
ElGamal DH OpenPGP, GnuGPG
DSA Modular exponentiation and the discrete
logarithmic problem
FIPS-compliant digital signatures
Knapsack Mathematical knapsack problem Early public key-based encryption

• Asymmetric encryption is generally stronger than symmetric encryption.
• More flexible key management.
• Asymmetric algorithms have significantly lower performance than symmetric
algorithms.
• Asymmetric algorithms are used to encrypt only short amounts of data such as
another encryption key.
• It is very common to use a combination of both methods.
• The biggest issue, besides performance, is the liability a person incurs if they lose
their private key.
• The private key should never be exposed.
• It is always stored in a non-paged part of kernel memory.
• If you put it on a smart card or other removable media, you must encrypt it (typically with a
password or other symmetric key).
• If someone steals your private key, they could impersonate you, getting you into legal
trouble.
• Compromised keys should immediately be revoked and reissued.
Asymmetric Encryption Considerations

Hashing
Message
This is a secret
Hash
Hash Function
Hashing is one-way encryption
508FF7A91DB0A80A1
3151F786FBB6E43

• MD2
• MD4
• MD5
• HAVAL
• SHA
• NTLM versions 1 and 2
• RIPEMD
• HMAC
Hashing Algorithms

Salting the Hash
• Adding a random number to the input of a hashing function to create unique hash
values.
Message
Secret
Hash
Hash Function
1

)k

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie )k

Ähnlich wie )k (20)

Mehr von Anne Starr

Mehr von Anne Starr (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

)k