Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

UNIT 7: IT SYSTEMS
SECURITY AND
ENCRYPTION
Assignment 1: IT security and cryptography

[20/10/2020]
YOUR JUDE WHITENSTALL-SNOWDON
Centre Number: 31190

0
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

Security Threats and protecting data

1. Introduction
MoneyRun which is a money transfer company, and therefore must deal banking information or
personal information such as birthdates, address, full name and potentially national insurance
number, etc which is a big potential target due to it being in the finical market, in a recent report by
Forbes the finical market losses $18 billion from losses and damages from cyber-attacks. I will
explain the use of malware possibly used on MoneyRun, the effect/impact it will have and how to
mitigate and avoid getting a virus such as the use of cryptography, as well as how effective they will
be. In this report there is also encryption methods and how effective they will be for Moneyruns
case. This report is to assess Moneys current state of security, and how these flaws might lead to a
potential breach.

2.0 Types of threats

Because of the data moneyrun deals with on a daily basis as a money transfer company it's going to
deal with a lot of banking and personal information some people even in the company may wish to
steal or use this information maliciously against moneyrun or for their own finical/ emotional gain
listed below are some types of threats and some ways moneyrun can deal with said threats

Internal threats

Internal threats are a serious threat to moneyrun because a recent report on internal and external
computer attacks showed internal accounted for 58% of all security incidents. MoneyRun could be
attacked internally by 2 ways, either deliberate or accidently which can damage the security of
MoneyRun or the organisation. And because moneyrun deals with important personal information in
addition to 58% of all attacks showed some internal threat moneyrun might want to keep a closer
look on employees and any potential threats inside the business to make sure no leaks of customer
information happen for example the FinCEN.

Deliberate attacks

These are attacks made deliberately from an employee usually out of hatred or spite of that
company this applies to moneyrun because of the information and data which it holds some past
employees may wish to sell or corrupt this data to either cause finical loss or to cause moneyrun to
go down which might see them losing customers.

Employee actions:

If MoneyRun dismissed an employee, this may make the person infuriated and try to get revenge on
MoneyRun. They could physically damage computers or other pieces of hardware like servers or
network switches, to stop their service from running and with moneyrun being a online bank
transferring company this would mean they have no way to trade. Furthermore, they could delete or
damage files in an attempt to stop or remove current work or past work, which might be important
to moneyrun like customer information or any general work that moneyrun has to deal with such as
receipts or graphs.

1
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

Data theft:

As Moneyrun is a finical transfer business, we are going to deal with a lot of bank accounts,
credit/debit cards, etc. Some employees may try to steal customers information which they could
use for themselves, cyber criminals or even competitors, the biggest example of this would be when
Greg chung of Boeing when he sold $2 Billion worth of aerospace documents to china. Another
statics shows 53% of companies found over 1000 sensitive files accessible to every employee. This
shows how it's not always the employee going out his way to steal data of the company, sometimes
it is the company's fault of data protection and management of data and so moneyrun may wish to
look in encryption or levels of access to reduce the chances of any important information getting
leaked.

Users over riding security controls:

Our employees may try to bypass the security controls in place, to download or use their own piece
of software. By downloading their own software, it increases the chance of MoneyRun being
breached by hackers and being attacked this could then result in any important data being leaked
either customers' banking information or moneyruns computer information like what hardware or
software it is using which could be used to potential make more focused attacks against moneyrun.

Accidental or unintentional

Normally the greatest threat to a network or system is the user itself, this is normally due to lack of
experience or knowledge of computing.

Accidental loss:

Our employees may accidentally delete or corrupt sensitive files, with the cost of the data directly
linked with the value of data and how long it took to produce, this usually happens due to lack of
knowledge or poor training. However most operating systems have a safety net like feature, were if
you delete a file it goes to the recycle bin and can be restored or at the minimum recovery the last
version that was saved if it got corrupt.

Unintentional disclosure or damage to data:

Employees who might have bad habits, potentially could disclose information about MoneyRun’s
hardware or software therefore, allowing hackers to be more targeted and have an insight into
potential ways of breaching, to attack and steal or the damage of data. Furthermore, employees may
accidently disclose data such as passwords in a couple of ways, they could write the password down
and not keep that piece of paper somewhere secure, furthermore if they leave their system on
unattended or unlocked allowing anyone to just walk up and access their system and data, or by just
telling just telling other employees or even worst someone who doesn’t even work at MoneyRun.
Corruption of data could happen due to lack of training or education on computing and ICT, or by
employees not having common sense like drinking near a system that could be spilt and damage the
components therefore leading to potential corruption or permanent damage of data.

Unsafe practices

An employee may carry out an action which leaves the system compromised. An example of an
employee doing unsafe practises which lead to a large breach would be Equifax data breach of 2017,
which exposed 146 million Americans which was due to the mistakes of employees, failing to follow
security warnings and code. Listed below are examples of what an unsafe practise could be

2
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

 Using an external flash drive. If that USB gets moved from in and out of the building and
transferred between a lot of devices, it has the potential to be infected with malware and to
be unloaded on to a device connected to MoneyRuns network.
 Visiting unsafe websites or links. An employee may click on a link from an untrusted source
or even a college which leads to a phishing or malicious website stealing data. When I was
still doing my BTEC course about computing we watched a where an ICT technician got
fooled into clicking a link by who he thought was another employee and clicked a button on
said website which said “allow” and gave the breacher full access to his device. This is a good
example as it shows how even the people in charge of IT can be fooled into taking an action
which might compromise their safety.

 Downloading files from untrusted websites. As mentioned above if an employee goes onto a
dodgy or untrusted website and downloads a piece of software, that has the potential to be
malicious and steal or damage all the data on that device once it gave permission which if
they have already unwillingly known and just downloaded will probably just end up doing
anyway.
 Using files sharing software/website. By using a form of data movement over the internet, it
gives the chance for hackers to intercept and modify the data to be received, injecting it with
malicious code to be unloaded and executed once on the device.

 BYOD. Bring Your Own Device similar to USB if one of our employees brings their own laptop
or phone which connects to other networks then back to MoneyRuns network if it has any
malware on those devices it may try to execute itself when on the network potentially
gaining full access of the network.

External threats

These are threats or attacks from outside our company, usually for financial gain or to get revenge
back on MoneyRun. This is usually done by ransomware or to extort money out of MoneyRun or by
malware to steal information, in our case being customer banking information.

Some examples of the most considerable external threats could be Yahoo in 2014 when 500Million
accounts got hacked, this was the largest ever cyber-attack of individual’s data directed against a
single company. Furthermore, to prove that some hackers only hack for financial gain could be when
the hacker “peace” sold 200million usernames and passwords of yahoo accounts for $1900. Yahoo in
total has had 3Billion accounts hacked, with that only being reported cases meaning there could be
more accounts hacked that we don’t know of.

However, it is not always just tech companies that get attacked, dozens of US energy supplies have
also been attacked to cut power supply across America.

Here are some examples of how hackers can attack Moneyrun externally:

 Ransomware is a type of malware which once installed onto the user's device will encrypt all
the user's files, photos, documents and data making it impossible to access unless you have
the key to decrypt, however the key is only know to the hackers which you usually must pay
a Ransome (this is where Ransome and ware coming from malware comes from). Even after
you pay the Ransome there is no guarantee to get all your data, back as the hackers might
decide to take your money and not give you the key to decrypt your data. A good example of

3
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

ransomware would be WannaCry which attacked windows devices in May 2017 which asked
for $300-$600 in bitcoin (this is because bitcoin is a digital currency and is very hard to track)
it was estimated to attack 200,000 devices in 150 countries even effecting NHS meaning
patients couldn’t get treatment and putting lives at stake.

 Worms are a form of malware which self-replicates itself and doesn’t need permission like a
virus. A worm spreads by email attachment, once the worm is on the device it will then
email itself to everyone on that users' email contacts list, spreading itself further. In
addition, it can also use that infected device as a host to infect more devices on the network
sending them a payload which will have the worm in it and then unload itself on the device
once reached. Now we are starting to see a hybrid worm which spreads like a worm but
works like a virus in which it can modify, install and delete programs and data.

 Trojan comes from Greek mythology when a horse was gifted to Troy but, it had soldiers in it
who ruined and attacked the city. A trojan works with the same intention, it would first be
bundled or added to legitimate software, after installed it gives full access to the user's
device, like r.a.t or Remote Access Tool this tool allows the hacker to see your screen,
camera, files, key logs and can display or install more onto ur device.

2.1 Internal threats

 Accidental loss: employees may accidently delete or corrupt, important files or sensitive
data. This would be mainly down to lack of experience or bad training however, most
operating systems like windows offer a safety net like feature, were if you did delete
something it goes the recycle bin were the data can be fully restored or at least to the last
version it was before corruption/deletion.
 Unsafe practices Visiting untrusted (websites): employees may try to access a website that
was given by them via link or by searching It up by themself. And it is unfortunately quite
hard to block all malicious websites via firewall settings, so the best is to give the employees
either online safety courses or online common-sense training. Once on the malicious website
the employee opens themselves and Moneyrun to be breached and potentially hacked.
 Unintentional Disclosure of data: Employees have life's outside of work so is safe to say they
will talk about their job and what they do, to people who don’t work at Moneyrun however
during those conversations they may accidently disclose information such as what software
we use, what version, how it works which may give potential hackers an insight into how our
service works, allowing them to make more targeted attacks at Moneyrun or even talk about
customer or another employees personal information which might compromise their safety.
 Damage to data: Hard disk drives are prone to magnets and shocks or sudden vibrations so
if an employee was to place a magnet on top of the device or was to move the device

4
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

suddenly it may cause data lost or corruption permanently and temporarily depending on
how severe it is. Or it could even be something as simple as spilling a liquid near a device and
is why most places with laptops/computers now say please don’t drink or drink to the side.
 Unsafe practices file sharing apps and bring your own device (BYOD): if our employees
bring their own device like phones, laptops, USB’s etc and those devices connect to other
devices, it increases the chances of malware to be introduced into the workplace, that they
got from outside of the premises.

2.2 External threats

 Data theft: as we deal with finical transaction, we are going to have to store customers
banking information, if the employee is in high enough position to see the customers
information decrypted, he could just access all the data and sell them to hackers for example
Greg Chung worked for Boeing and sold files to china, which carried sensitive army
information and was valued at $200 billion. Furthermore, it's not unlikely for a non-
employee to target Moneyrun for the data to either sell or to use for personal finical gain
from the stolen banking information.
 Destruction: since the WannaCry attack back in 2017 people are worried about destruction
of service attacks(DeOS) now, these attacks have the potential to eliminate backups and
safety nets needed to restore systems data, therefore could leave a new start up like us
completely unable to recover from such attacks. However, we are also seeing the emerges of
“clouds” or offsite backup/recovery services which allow direct access to backed up pieces of
data in large volume for relatedly low cost.
 Withholding and/disruption of systems (by competitors, cyber criminals, government,
terrorists) for purposes or financial gain: as stated before (DeOS) have the potential to stop
the service of a busines but, there is also denial of service (Dos) or distributed denial service
attack (DDoS) these attacks stop the service of internet access to that device or make it
excruciating slow. Some of these hackers who launch these attacks may keep doing the
attacks until a ransom is met, and even then, doesn’t guarantee the hackers will stop
immediately after the Ransome is paid.

2.3 Physical threats

 Theft of equipment or data: some employee intentional or not may steal data or pieces of
equipment from our work area, therefore, it is possible if they steal a laptop, usb or some
data. that it could be leaked or be found by hackers as its not guaranteed to be in a safe
Enviromint. The data once stolen could be sold or potentially used against us or to gain
further information on how we work and could be used to plan an attack on Moneyrun. To
mitigate this some tech companies are now logging equipment and when employees access
data to check if they download or make a copy and transfer to make sure everything is safe.
 malicious damage to equipment or data: employees may try to damage our network or
devices out of revenge or other personal motives which could cause from a minor repair up
to major finical cost and putting our network down. Therefore, some tech companies with
large data centres such as Google restrict those who can access the servers or equipment to
mitigate such chances of attacks as they know who is where and when allowing them to be a

5
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

lot safer from such attacks. Although rare there is a chance for people to attempt to break
into the building however modern-day technology allows hd-cctv, alarms, doors etc which
deter thieves wanting equipment or data.
 damage or destruction by fire: as we are going to deal with a lot of technology there is a
chance for one of equipment to overheat and catch fire to the building, also has the chance
for employees or someone outside of the building committing arson, as stated before with
external threats destruction if we back up our data to a cloud or a backup/recovery service it
could save some data getting lost in the blaze of the fire.
 Flood: if the building was to get flooded it has the potential to damage the devices inside,
therefore, could not just destroy equipment/device but also could corrupt or damage data
on the devices or servers as well. This would be a massive finical set back as to repair
everything damaged but also for the time the service was down and under maintenance and
the loss of customers who might have gone to competitors.
 terrorist action or other disaster: Due to the fact we have data about mass banking
information it could be possible that someone might try to hold Moneyrun Ransome or use
an in real life threat to make us either pay or give the data over. We are also seeing a rise in
something called “swatting” this is when a hoax call is made to a place about a bomb,
hostage, terrorist etc to a place or a person leading the police to send a swat team ready for
a serious situation and has had some people killed due to it. We can take the Ubisoft
hostage hoax as an example which was only as recent of 15/11/2020.

2.4 Social engineering and software driven threats

 social engineering and software-driven threats: social engineering is when people are
tricked into giving information or data, which might comprise their safety. This is usually
done by playing on the user's emotions, as to make it seem serious and urgent or by playing
dumb and making the user think they are smart, to make them think that nothing dodgy is
happening.
 Techniques used to obtain secure information (software that has a malicious intent), e.g.,
malware, viruses, worms, Trojan horses, ransomware, spyware, adware, rootkits, and
backdoors. (provide examples and case studies where possible): in this video here
(https://www.youtube.com/watch?v=PWVN3Rq4gzw) we see how an IT technician of a
company is tricked into going into a dodgy website and clicking a button which says “allow,”
he thought it was just a simple IT fix for a dumb employee which turned out to give the
hackers a backdoor into his computer. This would be an example of phishing engineering.
Another example could be Baiting which relates to BYOD as mentioned above, hackers relies
on the greed of people to pick up and use a device and login or to take an infected USB or
CD-ROMs, hoping that the person takes it only to use it and infect their device or possible
even take it to work and infect the workplace which is why now some social engineers now
place them around cafes, toilets, or other shop around the premises of buildings to catch
greedy employees on break/launch.

3.0 Computer based threats

 Passive threats: passive threats are attack methods which wait and monitor a network, or a
system till it finds a vulnerability or a way into a network. The purpose is to only gain
information and no data is changed at the users' end. One example of passive threats is
wiretapping which has existed long before computers have. Wiretapping happens when

6
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

someone is listening to information or data usually this had to be done by a physical cable
like ethernet but can now be done by “packets sniffers” which capture and monitor the
networks current activity. Therefore, if a non-employee got access either by social
engineering or brute force, they could see all our online activity and possible what some
data contains or says this would be a threat to Moneyrun as it could expose customers
putting in banking information or could leak an employee's password/username but also
what website it is and could lead to a potential breach or more customers sensitive
information being leaked or used.

Another example of a passive threats is port scanning, this is when an IP (internet

protocol) gets sent data on each port to see if it will receive and send data, if the port is open it
could be used to identify vulnerabilities in the network such as a firewall vulnerability were a port
has not been properly proxied allowing a hacker to listen to the network then send it malicious
payloads which when received on the user's device would try to execute and infect the device
usually make it “zombie” for a botnet. This could be damaging to Moneyrun as may need to use
many Ports to function for transaction and just for genral inter activity like File Transfer Protocol, so
by not having access to the ports it could limit our service or shut it down temporally. It could also
open us susceptible to payloads exploits or trojans based attacks.

Another example of passive threats is idle scanning like port scanning it scans ports however the
method of doing so is different. When you send a request, it comes from your IP so makes it easy to
track or work out who is sending the attack however, with idle scan the hackers use a “zombie” pc to
send the request for them or use awfully slow to nonexistence internet activity devices. As stated,
before this could be damaging to Moneyrun to possibly shut down our service temporarily down or
exploit or systems to a payload or trojan attack which could gain full access to the device steal the
sensitive information and data of our customers.

 Active threats: Unlike passive which just listens, active threats are when an attacker
attempts to break into the system, to alter or control data. One example of an active threat
is denial of service or DoS. Denial of service attack is when an IP gets flooded with
information and the bandwidth of that Ip can’t handle processing it, so the speed of internet
dramatically slows down or it can just shut down till either the attack stops, or the users
resets their IP address. In addition to the stopping of service, the cost of average cost is $20-
40,000 per hour and since 2014 to 2017 has grown 2.5 times.

Another example could be (MTM) Man in the Middle attacks this is when someone listens to
incoming internet traffic, intercepts and modifies it usually injected with malicious code to
be sent to the end point. This is usually done on unencrypted networks or open WIFI's such
as cafes, this could be an issue for Moneyrun because if one of our employees went to a café
or a library or any other place to work with free open WIFI and they are using a work-based
device or is accessing sensitive information it allows the hacker to see what he's doing and
send him payloads of malicious data which his device won’t be able to recognize.

An alternative active threat could be address resolution poisoning (APR) works like a (MTM)
attack in the way it disguises itself as another device like a network gateway, pairing its ip to
a mac address table. The other devices will just see the request come from the mac address
and not think about it as ARP protocol was designed on efficiency and not security, once the

7
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

attacker has sent the request and all devices have received it, it will then receive data from
all those devices on that LAN allowing them to inspect or modify the data before sending it
back to real end point. The threat level would be slightly less than (MTM) as the users and
attacker must be on the same LAN and now days most networks or even OS like windows
now offer firewall settings which block most requests like this.

Another example could be smurf attack, this a form of DDoS or distributed denial of service.
Usually, ICMP works by sending a request then relaying the information back the IP which
sent it however, the attacker has spoofed the request IP address making the devices send
internet traffic to an IP which is unknowing to the upcoming attack, but the attack has sent
this ICMP request to multiple IP to make sure that spoofed request IP address gets
overloaded and shuts down from internet traffic. This wouldn’t be a threat to Moneyrun as
luckily most modern devices don’t respond to ICMP messages which request it to broadcast
to an IP, therefore at most we would have to do would be an update of the software or OS.

An additional active threat would be a buffer overflow attack, this happens when an input of
data to the buffer is too large leading to an overflow, the hacker can then make the software
execute code his own code instead of the original code. Listed below is 4 examples of a
buffer overload attack and how they can affect Moneyrun

 heap overflow: heap overflow is a type of buffer overflow attack which affects the heap
data area of the operating system, an attack will send a request of data bigger than the
allocated amount. Due to there being too much data that it can handle the memory
corrupts, which can either display sensitive information or execute malicious code from the
hacker himself. This could be an issue for Moneyrun as they could heap overflow the
website to either make it distribute sensitive information or make it execute malicious
packet sniffing code to breach and infect Moneyrun’s network and devices. One method to
stop this form of attack could be address space randomization this where the data regions
change every so while making it impossible for hackers to know exactly location of
executable code.
 format string attack: format string attacks occur when the submitted data of an input string
is evaluated as a command by the application this could lead to the hacker reading the data
or stack of executable code or execute his own code. This could be an issue for moneyrun as
an attacker may try to execute his own code or try to read our stack on the website which
could either give them a back door to our devices or give them an insight to how our devices
work giving them a more targeted attack.
 Structured Query Language (SQL) injection and cyber-attack: SQL injection is a code
injection method used to attack database of SQL. For example, an attack would put in
malicious SQL code into a search engine onto a website which uses a SQL database for the
back end of the website, once the malicious code has been entered a number of incidents
can happen such as, attackers spoof identity, tamper with existing data, cause repudiation
issues, allows the complete disclosure of all data on the systems, destroy/corrupt all data or
become administrator of the database server. This could be an issue for Money as if our
customers information is stored on that database the hacker would be able to see it and
have full access to the data. There is a couple of methods to mitigate the chance of getting a
SQL injection such as keeping everything up to date and patched, a web application firewall
which will filter out malicious inputs which is also free and finally setting privileges for your
database, if we register our database with an admin account it allows the hackers to gain full
unrestricted access to the database if breached so by setting it to a basic or user account, we

8
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

can limit potentially what the hackers could access and steal giving us time to fix and patch
the hackers attack.
 Cloud computing security risks: in 2017 70% of all organisation were using a form of cloud-
based computing with the value of data breaches over past five years from 2017 to be
valued at $50 billion. Due to data and recourses, being off premises it limits your availability
if the data centre goes offline, Maintenace or has a natural disaster. Due to us having to
transfer constantly between our sit and the cloud data centre it increases the chance of the
data to being intercepted and either being stolen with the information being sold or getting
injected with malicious code to be executed on our device which might have a backdoor and
give the hackers straight access to our devices.

4.0 Information security

To keep Moneyrun and the customers safe we should follow 4 main principals to how we use and
store data and information of Moneyrun.

Availability:

This principal is about how information should be easy to access but also who should be able to
access the information for example if you allowed everyone to access any information yes it would
available however it would not be very secure so we need to work out who should have access to
what level of information and how easy/hard it should be for them to access such information. in
addition, we should consider does every employee have access or some sort of availability to a
works device to access any information they might need, also when can they access the data as if it
for example a bank holiday and need to make a document however can't access the work place that
could hinder Moneyruns progress or service. Another point with availability to consider with
moneyrun is do we have a safe back up of every customer and employee in case of a natural
disasters, hardware/software failure or cyber-attack. Even by having a minor safety net like feature
such as raid which takes up a whole storage device or space on a storage device any corrupted or
lost data will be saved on that storage device allowing money to easily access the data and not cause
a maintenance or make the service go down.

Confidentiality:

Confidentiality is the principle of keeping data that should not be accessible to those who shouldn’t
be able to access it. This can be done by user permission levels such as having the more sensitive
information not accessible to user while senior staff or administrator should be Able to access it,
another option to keep sensitive information confined could be encryption this means anyone who
tries to read it and doesn’t have the key/password can’t read it unlike user accounts the key for the
encryption can't be hacked, it has to be brute forced trying every password and if we use a very
secure encryption method such as AES-256 it will have 2 to the power of 256 or
(115,792,089,237,316,195,423,570,985,008,687,907,853,269,
984,665,640,564,039,457,584,007,913,129,639,936) possible outcomes making it impossible to
crack within our life span.

Integrity

9
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

Integrity is the principle of making sure that the data and information is correct and in original form
from the user, making sure that no unauthorised changes which could mean data going missing or
corrupted without anyone knowing, even worst unauthorised access could lead to data being sold or
transferred to competition, have happened to the information. One method to check the integrity of
information is a hash, each piece of data will be given a unique hash if any changes happen it will
change the hash value allowing us to compare to see if the 2-hash value match up and are the same.
Another method is digital signature which make sure the person who says it is, actually is. Due to
person having a digital signature your able to see what they access, when and where meaning it's
easier to track who is using our data can also make sure data is not duplicated without permission
which can affect integrity. Integrity can also cover and help prevent accidently loss from data if the
firewall sees that an important hash try's to be delete or moved it can stop or make sure the user is
completely sure that they which to delete the information.

Accessibility

Accessibility is the principle that data should be available to those who need it, this is usually done
with levels of access which can be given to a specific person like a CEO or owner or to a group of
people like senior team members or a general employee. This would be ideal for moneyrun because
of the data they are dealing with, just giving important information like credit card numbers or CNN
codes to any generic employee could cause serious consequences for moneyrun like a fine from the
government or maybe even possibly worst hackers getting hold of this information and selling it or
holding it for Ransome which is why such things like data protection act is in place to make sure
important and serious data which moneyrun is dealing with is protected and treated correctly to
mitigate the chances of any potential threat.

5.0 legal requirements

Legislation must be current and applicable to England, Wales. Explain why Money Run must
adhere to legal requirements when considering IT system security. Ensure you include the following:

Companies now have to follow strict rules with how they handle and use data or devices. If not,
Moneyrun could face a fine or even have some people arrested in more serious cases. One example
of these rules is computer misuse act of 2018 protects personal data from unauthorised access and
modification this act is the updated and improved act which was made back in 1990 to inline it self
with more up to date term, methods, techniques which improve the security for data and especially
the type of data which moneyrun is dealing with. The act made it illegal to make unauthorised
modification to data. This includes deleting the data or introducing malware onto the device to
destroy/ corrupt the data or to steal/spy the data. The act also made it illegal to access a device or to
computer material, unauthorised access to computer materials with intent to commit a crime, this
means to steal data or destroy a network or device like infecting the device with a virus.

Another example of an act Moneyrun must follow is data protection act of 1998. In this act it covers
the ground work for rules and laws about how data should be used and how it should be stored. This
makes sure that your data is used fairly and properly with its intended purpose. In this act it has 6
principals the company should follow these are:

 For the data to be used fairly, lawfully and transparently.

 Used for specified, explicit purpose.
 Used in a way that is adequate, relevant and limited to only what is necessary.

10
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

 Accurate and, where necessary, kept up to date.

 Kept for no longer than is necessary.
 Handled in a way that ensures appropriate security, including protection against unlawful or
unauthorised processing, access, loss, destruction or damage.

Another example of a law Moneyrun must follow is copyright, designs and patent act of 1998. This
protects in our case, software and data which Moneyrun uses. This is to make sure we don’t steal
any information of software from other people, and people don’t steal information from us. For
example, it is not illegal for a person to make a copy of a computer program which is necessary and
lawful for him to have. With software and data if you made it, contributed or is a part of ownership
of it you legally can make copies, at any time. It is also not an infringement of copy right for a
legitimate user of software to decompile the program in low level code such as machine language or
assembly language.

Another example of a law Moneyrun would have to follow is the telecommunication regulation act
of 2000. In this act it gave the employee privacy to work without fear of being watched and judged,
however in this act it made it legal for companies to listen monitor communication on their own
network, therefore Moneyrun can monitor internet activity, telephone and emails or lawfully but
ethically it is up to you and the employee to decide.

6.0 Impacts of security breaches

Encase of a breach ever does happen moneyrun is going to need to respond responsibly and quickly
to assess any damage caused by the breach and how they can mitigate any potential threats
happening in the future. in addition, what are the consequences of moneyrun being breached and
what data could be leaked from this.

If Moneyrun was to get breached it could lead to us losing reputation and changes people's
perception, this could lead to people changing to our competition as they may feel unsafe this would
lead to loss of customers therefore loss of income but could also lead to legal action if a customer's
account got hacked due to a security breach or if they feel like they have been compromised.
One example how financial can be impacted because loss of business, if Moneyrun was to get
breached it could lead to us having to take down the website to do Maintenace or stop any
malicious code which might now be on there. This would lead to customers not being able to access
our service which would directly affect our sales and income but might also cause some our
customers changing to our competition due anger or fear of account being hacker or comprised and
not feeling safe anymore at Moneyrun, which Moneyrun will have to spend marketing and
advertising to get the number of customers they lost back.
Another example which links to finical is damage to reputation, as if a company is known for being
breached constantly or having a major breach, potential customers are going to pass and go to a
different company as they won't feel safe there. Therefore, some companies now don’t say if they
have been breached or hacked as they know it will tarnish, their reputation and only public say to
their customers once they are caught and by then it's too late with the damage already done. A
recent example would be NordVPN a tech companies which ironically specialises in keeping you safe
online, which public came out in October 2019 after an investigation about a breach back in March
2018, NordVPN out of fear kept it a secret for over a year.

11
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

Another example is operational impact on an organisation of the loss of data or service, many
companies now relay on computers for service but now as we see new improvements like the cloud
a lot of companies are moving from physical data to cloud base networking storage for their data. If
Moneyrun was to get denial of serice attack it could destroy Moneyruns ability to operate and run as
Moneyrun wouldn’t be able to access the internet therefore couldn’t access any online data or run
their web service. Which could be affected during an important time such as the ddos attack on
Microsoft and Sony on Christmas day 2014, due to Sony and Microsoft just recently realising their
new device and it being Christmas a lot of people were going to have it and try their service out only
to find them self's offline and unable to connect which cause a lot of unhappy people on Christmas
day.
Another example could be how companies faces legal consequences for data breaches, even though
it is easier store data online or on a device it comes with increased risk from theft and security so by
Moneyrun putting's its customers data electronically, they agree under the acts mentioned before to
keep the data safe and secure to the best of their ability, however if there is a breach and is saw that
Moneyrun was negligent or didn’t do everything in their ability we could face prosecution or a hefty
fine for example the data protection act of 2018 is in place to make sure data is secured properly to
reduce the chance of any important data such as credit card information or personal information
getting leaked.
Another considerable impact of security breach is the effort, time and money that goes into
forensics, for example if Money were to detect an extensive security breach the time it would take
from other projects and in general would disrupt the flow of work, furthermore due to people
having to spend time doing something else this might cause an undesirable finical expense.

7.0 The effectiveness of techniques used to protect systems.

If moneyrun was to choose any protection methods or principles, how effective are these methods at
stop cyber attackers.

One technique used to protect systems is a firewall. A firewall controls the flow of incoming and
outgoing data, most modern OS a firewall will already have a list of rules to follow to stop the device
getting breached however the user of administrator of the network can decide to add rules to make
the network safer. This is backed up by the fact firewalls are apparently only 60% effective out of the
box meanwhile a person with good IT security which can block up to 80% of known malware.
However, if Moneyrun was to only use a firewall as its mean of defence from a potential breach it
would face a hefty fine or up to 4% of total turnover this can be shown when a London base
pharmacy was fined £275,000 for failure to ensure the security of special category data. It shows
how a company must ensure they protect important data like in our case customer banking and
personal information to the best of their ability.

Another technique used to protect systems is anti-virus software. Anti-virus software is a program
that does regular checks on your whole device to see for any possible malware or any areas of your
device which might lead to a virus such as not having a firewall activated, clicking on dodgy links and
some even have real time online protection. There are two main flaws with anti-virus which would
see Moneyrun face a fine, one being you must update antivirus for them to stay relevant and up to
date with the ever-growing amount of malware, and the second being no form of encryption which
will be important with the information that Moneyrun deals with to stop hackers or a rouge
employee easily accessing. However, some anti-virus does offer an encryption service there is

12
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

nothing stop someone from uninstalling the anti-virus either by accident or deliberate and therefore
removing the encryption on the information which could be cause colossus amount of damage for
Moneyrun because of the type of data that they deal like banking or personal information.

Another technique that money can use to protect its system is encryption this a very secure and very
effective method to stop against hackers to breach your data if done correctly. There are types of
encryption they are network encryption and data encryption , network traffic has secure sockets
layer (SSL) this forms an encrypted secure link between the server and client, encrypting all data
exchanged between the two. The other network-based encryption being, HTPPS all website use
HTTP to display data on their website, however the S on the ends of HTTPS means secure which
means all data on a website transferred from you or the website is secure. HTTPS and SSL feature 2
of principles as mentioned before making sure they are integral and haven’t been altered or lost
along the way and the other principle being privacy making sure the data is only accessible to those
who need to see it. The data encryption is done by public key encryption, in this method data is
encrypted with the host own choice making a public key which anyone can access or find and a
private key which is own know to the host or whoever they desire to send it to, meaning only the
host can unlock it they have the private key with decrypts the public keys information. This makes
for a very secure method of data which makes sure the data also gets in one piece as any alteration
would change the public key so the host wouldn’t be able to unlock the information, however it can
be hard sometimes to make such data accessible as both parties must agree on a method and must
send/receive the data then to use the key. This would be the most appropriate for Moneyrun case as
it protects all data and internet traffic to the best current ability, and as Moneyrun deals with very
personal and important banking information making sure they are secured to the best of their ability
should be a must. so would be down to the employee not to be neglectful and leave Moneyrun to a
breach.

8.1 Uses of cryptography

The use of cryptography as a method of encryption to moneyrun could be quite useful as in to further
protect any important data they want to be kept secret even if it does manage to get leaked.

Cryptography is a method of encrypting data with two type of keys, the first being the public key
which anyone can find or use this key is used to encrypt the data, and the other key being the
private key which is only know to the host or receiver of the data, this key is used to decrypt the
data encrypted with the public key. This method is also known as asymmetric encryption is used in
SSL and HTTPS which is mentioned above 7.0 effectiveness of techniques. This form of encryption is
very secure and safe method to use and is why most companies now use it to encrypt their data.
Listed below are a few examples of cryptography methods which Moneyrun could use to protect
their customer banking and personal information:

Encryption algorithms: one example of encryption algorithm is RSA which is a public-key algorithm
and is the standard for encryption data to send over the internet. Due to RSA algorithm using 2 large
primer numbers which are random therefore making it hard to predict also, it takes the attackers a
lot of time and a lot of processing power to decrypt. RSA is a good choice for Moneyrun because it is
safe and secure due to it using 2 large primer numbers which are hard to crack. Another example
could be AES is an algorithm trusted as the standard by the United states government and army this
is because AES 128,192 or even 256 bits is hailed as being impenetrable from all methods of attacks
beside brute force which as mentioned with RSA require a lot of processing power and time to crack,
furthermore RSA only used 112 bits why AES can go up to 256 bits and has been considered secure
against quantum computers which have been thought to be able to crack other algorithms such as

13
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

RS instantly. This would be the most ideal for moneyrun to use preferably AES 256 as the raw
computing power and time it takes to crack this type of data will deter any potential hackers to
trying to brute force their way into moneyrun and steal important information.

Another example of an encryption algorithm is shift ciphers; shift ciphers work by shifting each letter
over by X amount for example if the cipher was shifted by 1 a=b, b=c, c=d and so on, this form of
encryption is very outdated and not very viable in modern days firstly as it can only encrypt text and
second being modern computers can decrypt this quickly. So, I would not recommend Moneyrun to
adopt this method due to the importance of information of our customers' data and any important
data which Moneyrun has.

Another example is cryptographic salts which add random bits to each password before hashed, this
would mean if two people chose the same password the bits assigned to them would be completely
different. Salts help mitigate rainbow table attacks by forcing attackers to re-compute them using
the salt. This could be a viable encryption method for Moneyrun as it makes the passwords a lot
more secure not just for the customer online but also for the employees in-house. Making password
theft a lot harder therefore would lead to less accounts being breaches, making Moneyrun look
better compared to competition which might not use it, leading to more customers. In addition due
to Moneyrun being a money transfer company their customer accounts are going to be prime
targets for hackers so therefore I believe Moneyrun should investigate cryptographic salts as an
option for their customers passwords.

Another algorithm is cryptographic primitives, which is made up of a lot of lower-level cryptographic

algorithms frequently used. One example of these lower-level algorithms is pseudo random which
makes random sequence of numbers however, because a computer made it do logical thinking it
isn't truly random. Therefore, it could have a pattern if the generator is inadequately coded. For this
reason alone, I would not recommend Moneyrun to adopt this method of encryption as if it is
possible for attackers to breach it currently in a few years as technology advances this method could
be obsolete and with the importance of their customer information it is too risk for Moneyrun to
pick this encryption method up for long term or even short term for their own and customer
security.

8.3 Legal issues and ethical consideration in encryption

What are the legal and ethical considerations around encryption?

Ethical issue with encryption

Due to its encryption ability to make information awfully hard to decrypt or understand, some
people say it allows criminals such as black hat hackers to get away with such crimes and talk about
it online without any consequences. Encryption also showed the development of malware using it
such as Ransomware which brings up the argument of should only government or law enforcement
be able to use encryption as to stop anyone from using it developing malware.

Legal issues

In some countries such as Senegal it is illegal to have encryption at all or is legal unless encryption
provides confidentiality. this is stop people from keeping sensitive or important information about them
self's secure from the government, but this contradicts the statement of human rights which says No one
shall be subjected to arbitrary interference with his privacy so links to ethical with should
governments be able to see your own personal data as one side says no each person should be able

14
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

to securely their own data and the other side saying the government or law enforces should be able
to access it in case they incriminating information on it

 In the mid ground of this debate is should large companies be able to not disclose their
encryption for ethical reason not disclosing means we don’t truly know how secure our data
is till it's too late but by disclosing they open them self's up to targeted attacks which affect
the security on these large companies which hold a majority of the internet users. But on the
legal side the government should have a back door to all this encryption as it does store
most of its residents and yet can't even access their own population, it also means terrorist
or criminals can carrying on uses such platforms without any consequences.

8.4 Cryptography principles

Cryptography has 4 principles to follow to make sure it is secure

1. Encryption:
 Encryption is to convert data into some unreadable from unless you have the key to
decryption. This help protects the privacy from the senders' end but also in case an intended
user receives the encrypted data. Encrypting the data makes it secure meaning an attacker
cannot just access it and run off as it would take time to brute force allowing Moneyrun to
sort the issue out
 The reverse of encryption is decryption and must be possible due to a key
 There may be cases when the same key is used for both decryption and encryption while in
most cases encryption and decryption will require different keys.
2. Authentication:
 Authentication ensures that the message was originated from who made it in the message,
this is a method of stopping fraud via confirmation of each party.
 This can be confirmed via an action on the message such as a digital signature which only the
sender and receiver mutually know.
3. Integrity:
 Information can get lost along the way to the sender, if valuable information like banking
information got lost it could cause banking or finical transaction confusion.
 This means the cryptography should ensure the message is the same, that was sent and has
not been altered, reassuring the customer and employee the information is correct.
 This can be done by using a hash to assign a bit to each piece of data, so if any changes
happen it will change the hash number.
4. Non-repudiation:
 To ensure the sender or receiver cannot deny receiving or sending the information, this is to
stop fraud from customers or employee's potential trying to target Moneyrun.
 To counter this, you can use digital signatures to ensure the person is who it says it is and no
mistakes happened such as another employee's device being used by anyone else but them
this will ensure the person truly is who they are and is validation no mistakes happened.

9.0 Applications of cryptography within Money Run

The types and application of cryptography, including:
• Symmetric key encryption: Due to symmetric keys large size and heavy use of the CPU it is
typically used in databases or colossal amounts of data, for example payment transactions, such
as card transactions where PII (personally identifiable information) needs to be protected to

15
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

prevent identity theft or fraudulent charges. This would be useful for Moneyrun case and
application as a finical transfer company ensuring the safety of our customers and information
should be our top priority. An example of symmetric key encryption is AES which is widely used
across the world and is the United States of America standard for the government and military
• public key encryption: Due to how public keys must encrypt each piece of information with a
separate key it's not very practical with large amounts of data. However, it still could have a few
uses and applications within Moneyrun such as encrypting communication this is for privacy
reasons to stop anyone who shouldn’t have access to the information can't see it, another
application could be digital signatures/certificates, this is to verify the message or information is
sent and verified by who it says it is. This helps reduce the chances of fraud or personal
information theft.
• HTTPS protocol: https is the new and more secure version of HTTP with the additional s meaning
secure, this is because the information sent between you and the server is encrypted by TLS
making sure the principles of privacy and integrity stay throughout the exchange of data. And in
2016 became the norm for all websites on the world wide web, this must be an application
Moneyrun to use, this is to make sure it ensures its users' privacy.
• virtual private networks (VPNs): vpns use public keys to protect the transfer of AES keys. The
servers use the public key of the vpn client to encrypt the key and then send it to the client, the
client program on your computer then decrypts that message using its own private keys. There
are a few types of vpn protocols such as IPsec secures the IP by authenticating the session and
encrypting the data transferred during the session, another type is SSH this creates a tunnel to
the vpns IP which data can transfer through ensures all data that goes through SSH is secure and
encrypted.
• encryption of data on Wi-Fi networks: all wireless networks now have a few protocols they must
follow like WEP this method of encrypting data was introduced back in 1997 it used 40/104 bits
encryption this method of encryption was easy to decrypt after a flaw was found in the method
itself, another method of encryption on the network is WPA which was introduced in 2003 its
used 64-128-bit encryption and its method was much better than WEP however it was not as
good as WPA2 since a flaw was found in WPA which relied on WEP and the limitations at the time,
WPA released only a year later in 2004 and is still commonly used even to this date due to its use
of AES encryption, and all devices made from March 13 2006 to June 30 2020 WPA2 certification
was mandatory for all new devices to bear the Wi-Fi trademark

10.0 Summary
This report explained the problems moneyrun faces either by software or online. methods
Moneyrun can use to mitigate such attacks and how these methods work to better allow Moneyrun
to be prepared for any current or future attacks it may face. In addition, in this report it has
explained methods of encryption and how Moneyrun can use these to their advantage to better
protect their customers.

11.0 References

16
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

Resou Resource (URL) Auth Pag

rce/Tit or/Da e
le te refe
publi renc
sh e
and
secti
on
whe
re
sour
ce
was
used
.
Types https://www.csoonline.com/article/2615925/security-your- 1st
of quick-guide-to-malware-types.html May
malwa 2019
re Roger
a.
grime
s
Interna https://digitalguardian.com/blog/insider-outsider-data-
l vs security-threats
externa
l
Data https://iapp.org/news/a/data-indicates-human-error- 26th
breach prevailing-cause-of-breaches-incidents/ June
2018
Mah
mood
Sher-
Jan
Bigges https://outpost24.com/blog/top-10-of-the-world-biggest-
t cyber cyberattacks
attacks
Wire https://www.kaspersky.com/resource-
tappin center/definitions/what-is-a-packet-sniffer
g
The https://www.capita.com/sites/g/files/nginej146/files/2020-
cost of 08/Ponemon-Global-Cost-of-Data-Breach-Study-2020.pdf
data
breach'
s
WPA/ https://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
WPA2 https://www.netspotapp.com/wifi-encryption-and-

17
Your Jude Whitenstall-Snowdon Centre Number: 31190 Unit 7: Assignment 1

security.html#:~:text=The%20wireless%20security
%20protocols%20are,data%20sent%20over%20the
%20airwaves.
VPN https://www.vpnoneclick.com/types-of-vpn-and-types-of-
vpn-protocols/
Public https://www.cloudflare.com/en-gb/learning/ssl/how-does-
key public-key-encryption-work/
encryp
tion
encryp https://www.gp-digital.org/world-map-of-encryption/
tion
Encryp https://www.theguardian.com/technology/2015/nov/23/app
tion le-google-microsoft-weakening-encryption-back-doors
back
doors
Crypto http://ksuweb.kennesaw.edu/~she4/2017Fall/cs4322/Slides
graphy /13Cryptography.pdf
princip
les
Non https://www.cryptomathic.com/products/authentication-
repuad signing/digital-signatures-faqs/what-is-non-
tion repudiation#:~:text=Non%2Drepudiation%20is%20the
%20assurance,the%20integrity%20of%20the%20data.

18