Professional Documents
Culture Documents
CSF011G02 - Cryptograpgy & Operations Security
CSF011G02 - Cryptograpgy & Operations Security
Welcome to:
• Definition
– The conversion of data into a secret code for transmission over a
public network.
• Explanation
– Cryptography is conversion of data from plaintext into an
unreadable or not understandable form. Plaintext is converted into
a ciphertext by encryption. After this, ciphertext can be converted
back to the plaintext through the process of decryption.
• Non-mathematical
• Mathematical
• Quantum
• To provide confidentiality
• To provide integrity
• To provide authentication
• To provide non-repudiation
• To provide access control
• RSA
• Diffie-Hellman
• Elliptic Curve Cryptography
• El Gamal
• Secure Shell
– SSH or Secure Shell which was originally used on the UNIX systems is
a tunneling protocol. SSH is now available for Windows as well
• Pretty Good Privacy
– PGP or Pretty Good Privacy is a system to encrypt the email. It was in
the 1990s that PGP was introduced and was considered to be a very
good system. Now-a-days, PGP is used widely for securing the email
• HTTP Secure
– Hypertext Transport Protocol Secure is also known as Hypertext
Transport Protocol over SSL (HTTPS). It is the secure version of
HTTP. Hypertext Transport Protocol Secure is also the World Wide
Web’s language
• IP Security
– Encryption and authentication is provided by IP Security across the
internet. IPSec is becoming a standard for encrypting virtual private
network (VPN) channels and is built into IPv6
• Tunneling Protocols
– The sensitive information is contained in other packets and then sent
across the public network. The sensitive data which has been received
at the other end is stripped from the other packets
• Public Key Infrastructure
– The Public Key Infrastructure (PKI) is intended to offer a means of
providing security to messages and transactions on a grand scale
• Frequency Analysis
– It is determined whether any patterns which are common exist in
frequency analysis by looking at blocks of an encrypted message
• Algorithm Errors
– Unpredictable results are sometimes produced by complex algorithms.
The entire system of encryption can be compromised if the results are
discovered
• Exploiting Human Error
– One of the major reasons of occurrence of vulnerabilities is human
error. Someone can send an email in the unencrypted or clear form
even if an email is sent using a scheme of encryption
• Birthday Attack
– An attack which is targeted at a key is an example of a birthday attack.
This attack is just an attack on the results and not on the algorithm
itself.
• Weak Key Attack
– The premise that many common passwords are used by various
numbers of people is the basis on which weak key attacks are based.
The hash value resulting from the key will be very easy to guess if the
length of the key is short.
• Mathematical Attack
– These kinds of attacks are basically focused on the following things:
• The algorithm of encryption
• Any potential weakness area or the key mechanism
• Data at rest
– All data in computer storage while excluding data that is in a network
or temporarily residing in computer memory to be read or updated is
the data which is at rest
• Data in motion
– Data in Motion is the term used for data which is in the network and
moving. It is the process of the transfer of the data between all of the
versions of the original file, especially when data may be in movement
on the Internet
• Data in use
– “Data in Use” is all data not in a rest state and is being used in
processing, or stored for being processed (for example, in resident
memory, or swap, or processor cache or disk cache, etc. Memory)
• Definition
– The process by which a user can deny the access of critical
information to potential adversaries (opponents) by identifying,
controlling and protecting the critical information is known as the
Operations Security Process.
• There are mainly fives principles of OPSEC:
– What data needs to be protected?
– Who wants the data about the organization?
– How is the organization’s data vulnerable to attacks?
– What is the risk associated with the data?
– How can the data be protected?
• Information assets
• Software assets
• Physical assets
• Services
• Avoidance of risk
• Transferring risks
• Mitigation of risks
• Deterring the risk
• Accepting the risks
• Dual control
– The same group must not be responsible for the network and security
controls
• Secure and verify
– Active attempts can be carried out by all the measures mentioned
above in order to detect a change which could have happened in the
network
• Automation
– Procedures and processes such as process of verification are
recommended generally to be automates. This is because of the fact
that details in log files and other processes which are similar are
overlooked by humans
• Personal life
– The work-related and sensitive information must be kept away from
profile
– The location data, schedules and the plans must be kept secure
– The information and the names of friends, coworkers and members of
the family should be kept secure
• Posted data
– All the photos must be checked for reflective surfaces that may
indicate some critical information
– The file tags and filenames must be checked for critical information
• Passwords
– Uniqueness of the password must be there
– The passwords must be hard such that it is difficult to guess
– The passwords must not be given away or shared
© Copyright IBM Corporation 2015
Operations Security in personal life 2 IBM ICE (Innovation Centre for Education)
IBM Power Systems
• Security
– The anti-virus software must be kept updated
– The downloads, attachments and the links in e-mails should be
handled properly
– Third parties often use the ‘apps’ or plug-ins to get access to data. The
user should be aware of that
– Before entering sensitive data or logging in, the HTTPS must be
looked upon that indicates active security transmission
• Costs
– Permanent resources on security team for a particular project
– Tool and methodology procurement
– Source
– Costs incurred due to training materials are to be purchased
• Benefits
– Operational costs are reduced
– Capital expenses are avoided
– The efficiency of operations is increased
– Compliance is enhanced