• Definition
– The conversion of data into a secret code for transmission over a public network.
• Explanation
– Cryptography is the conversion of data from plaintext into an
unreadable or unintelligible form. Plaintext is converted into
ciphertext by encryption; the ciphertext can then be converted back
to the plaintext through the process of decryption.
• Non-mathematical
• Mathematical
• Quantum
Example
– SkillCube excels in capability building.
• Block 1: SkillCube Excels In Capability Building
• Block 2: UBESKILLC CELSEX NIILITYCAPAB DINGBUIL
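Block 2 on the slide rotates the letters of each word by a different amount. The following added example (not from the slide or from IBM ICE) makes that transposition explicit with one fixed rotation key k for every word, so that the receiver can undo it; the key value 3 and the helper names are assumptions for this illustration. It also checks that a transposition leaves the letter counts untouched, which is the property that frequency analysis later in the deck relies on.

```python
from collections import Counter

def rotate_word(word: str, k: int) -> str:
    """Move the last k letters of `word` to the front.

    k is reduced modulo the word length, so a negative k rotates the
    other way and undoes a rotation by +k.
    """
    if not word:
        return word
    k %= len(word)
    return word[-k:] + word[:-k] if k else word

def transpose_encrypt(plaintext: str, k: int = 3) -> str:
    # Letters are upper-cased to match the slide's Block 1 / Block 2 style.
    return " ".join(rotate_word(w.upper(), k) for w in plaintext.split())

def transpose_decrypt(ciphertext: str, k: int = 3) -> str:
    # Same key k, applied in the opposite direction.
    return " ".join(rotate_word(w, -k) for w in ciphertext.split())

def letter_counts(text: str) -> Counter:
    """Count letters only; spaces and case are ignored."""
    return Counter(c for c in text.upper() if c.isalpha())

if __name__ == "__main__":
    plain = "SkillCube excels in capability building"   # Block 1 from the slide
    cipher = transpose_encrypt(plain)
    print("Rotated (k=3):", cipher)
    print("Recovered    :", transpose_decrypt(cipher))
    # A transposition only reorders letters: the letter counts are unchanged,
    # so a ciphertext like this still has the letter profile of English.
    print("Same letter counts:", letter_counts(plain) == letter_counts(cipher))
```

Because the letter multiset is preserved, a transposition of this kind hides word shapes but not language statistics; that is why it is classed as a non-mathematical method and why it is weak on its own.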
passwords
• Most systems used for password storage and generation employ a
one-way hashing methodology
• This makes recovering the password from its stored form harder
• Most security experts believe that a password of at least 10
characters should be used to increase security
• If only the lowercase letters of the alphabet are used, there
are only 26 characters to work with
• If the digits 0 to 9 are also used, the number of characters
increases by 10
• If the uppercase letters are added as well, another 26
characters join the mix, giving 62 characters for constructing a
robust password
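The two points above, one-way hashing and the size of the character set, fit together in the following added example (not code from the slide or from IBM ICE). It computes the number of possible 10-character passwords for the 26, 36 and 62 character sets named on the slide, and stores a password as a salted PBKDF2-HMAC-SHA256 hash from the Python standard library so that the plaintext is never kept. The iteration count and the storage-string layout are assumptions chosen for this illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

def keyspace_size(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length

def alphabet_sizes() -> dict:
    """The character sets discussed on the slide and their sizes."""
    return {"lowercase": 26, "lowercase+digits": 36, "lowercase+digits+uppercase": 62}

# Assumed iteration count, kept modest so the example runs quickly; follow
# current guidance for PBKDF2 (or use a memory-hard KDF) in production.
DEFAULT_ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """One-way, salted hash; the plaintext password is never stored."""
    if salt is None:
        salt = os.urandom(16)            # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    for name, size in alphabet_sizes().items():
        print(f"{name:>28}: {keyspace_size(10, size):,} ten-character passwords")
    record = hash_password("example-passphrase")     # constructed sample
    print("stored:", record)
    print("verify correct:", verify_password("example-passphrase", record))
    print("verify wrong  :", verify_password("Example-passphrase", record))
```

The random salt means two users with the same password get different stored records, and the iteration count makes each guess expensive; both matter more than the raw keyspace number when the hashes are exposed.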
© Copyright IBM Corporation 2015
Quantum Cryptography IBM ICE (Innovation Centre for Education)
• The process of verifying the identity of the sender is known
as authentication
• If a message is valid but its source is invalid, the message
is not taken as authentic
• Secret words that have been mutually agreed upon in advance
can also be used to establish authenticity
• There are 2 basic authentication protocols:
– Password Authentication Protocol (PAP)
– Challenge Handshake Authentication Protocol (CHAP)
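The difference between the two protocols is easiest to see with both sides of the exchange written out. The following added example (not from the slide or from IBM ICE) models PAP, where the password itself crosses the wire, next to CHAP as specified in RFC 1994, where the server sends a random challenge and the client answers with MD5 over the identifier, the shared secret and the challenge. The shared secret, identifier values and function names are constructed for this illustration; MD5 appears because RFC 1994 specifies it, not as a recommendation.

```python
import hashlib
import hmac
import os

# Constructed shared secret, agreed between client and server out of band.
SHARED_SECRET = b"example-chap-secret"

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5 over Identifier || secret || Challenge."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute with its own copy of the secret, compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)

def chap_exchange(client_secret: bytes, server_secret: bytes) -> bool:
    """Both sides of one CHAP round; the secret itself never crosses the wire."""
    identifier = 1
    challenge = os.urandom(16)                                   # server -> client
    response = chap_response(identifier, client_secret, challenge)  # client -> server
    return chap_verify(identifier, server_secret, challenge, response)

def pap_exchange(client_password: bytes, server_password: bytes) -> bool:
    """PAP: what crosses the wire is the password, so anyone who sees it has it."""
    on_the_wire = client_password
    return hmac.compare_digest(on_the_wire, server_password)

def old_response_fails_fresh_challenge(secret: bytes) -> bool:
    """A response computed for one challenge does not satisfy a new one."""
    identifier = 7
    first = chap_response(identifier, secret, os.urandom(16))
    return not chap_verify(identifier, secret, os.urandom(16), first)

if __name__ == "__main__":
    print("PAP  ok:", pap_exchange(b"hunter2", b"hunter2"))
    print("CHAP ok:", chap_exchange(SHARED_SECRET, SHARED_SECRET))
    print("CHAP with wrong secret:", chap_exchange(SHARED_SECRET, b"other"))
    print("Stale response rejected:", old_response_fails_fresh_challenge(SHARED_SECRET))
```

The fresh random challenge is what gives CHAP its value: each round produces a different response, so a response observed on the wire is useless for a later round, whereas a PAP password is reusable as-is.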
Non-repudiation through cryptography
• Non-repudiation prevents a party from denying actions that
they themselves carried out
• In the electronic world, a comparable proof can be achieved by
using a two-key (public/private) system
• The public keys are managed by certificate authorities (CAs),
which are third-party organizations
• When an individual is vouched for by a respected third party,
that verification serves as non-repudiation
• Non-repudiation is the assurance that someone cannot deny the
validity of something. Non-repudiation is a legal concept that is
widely used in information security and refers to a service which
provides proof of the origin of data and of the integrity of the
data.
Algorithms
• There are 3 methods for encoding a message: hashing, symmetric
algorithms and asymmetric algorithms
– Hashing
– Symmetric algorithms
– Asymmetric algorithms
Symmetric Algorithms
• Symmetric algorithms require both sender and receiver to have
the same secret key for encrypting and decrypting a message
• The sender encrypts the data using the secret key and sends
the message to the receiver, who then decrypts it using the same
secret key that was used for encryption
• A symmetric key, sometimes referred to as a secret key, is a
key that should not be disclosed to unauthorized people
• Symmetric encryption methods use either a stream cipher or a
block cipher
• A strong symmetric algorithm can be complex enough that it is
very hard to break
Types of Symmetric Algorithms
• Data Encryption Standard (DES)
• Triple-DES
• Advanced Encryption Standard
• AES256
• CAST
• Rivest’s Cipher
• Blowfish and Twofish
• International Data Encryption Algorithm
Asymmetric Algorithms
• Asymmetric algorithms use 2 keys for encrypting and decrypting
the data
• The 2 keys used in asymmetric algorithms are the private key
and the public key
• One key can be used by the sender to encrypt a message and the
other key can be used by the receiver to decrypt the message
• The private key is kept private and is known only to the owner
• The public key may be shared with the intended users with whom
the owner wants to communicate
Types of Asymmetric Algorithms
• RSA
• Diffie-Hellman
• Elliptic Curve Cryptography
• El Gamal
Techniques of Code-breaking
• Attacking the Key
– In this type of attack the keys are attacked directly and the value
of a key is discovered. The targets can be the following:
• Key-based encryption information
• Encrypted messages
• Passwords
• Attacking the Algorithm
– Not only the keys but also the algorithms and the programming
instructions used for data encryption are at risk. An algorithm
cannot make a program secure if the program's developers do not
discover and correct their errors
• Intercepting the Transmission
– By intercepting transmissions over a period of time, attackers may
gradually gain information about the encryption systems that an
organization uses
Techniques of Code-breaking (continued)
• Frequency Analysis
– In frequency analysis, blocks of an encrypted message are examined
to determine whether any common patterns exist
• Algorithm Errors
– Complex algorithms sometimes produce unpredictable results. If
those results are discovered, the entire encryption system can be
compromised
• Exploiting Human Error
– Human error is one of the major causes of vulnerabilities. Even
when an encryption scheme is in use, someone can still send an
email in unencrypted, clear form
• Birthday Attack
– A birthday attack is an example of an attack targeted at a key.
It is an attack on the results, not on the algorithm itself
• Weak Key Attack
– Weak key attacks are based on the premise that many common
passwords are used by large numbers of people. If the key is
short, the hash value derived from it is very easy to guess
• Mathematical Attack
– These attacks focus on the following:
• The encryption algorithm
• Any potential area of weakness, or the key mechanism
• Data at rest
– Data at rest is all data in computer storage, excluding data that
is on a network or temporarily residing in computer memory to be
read or updated
• Data in motion
– Data in motion is the term used for data that is on the network
and moving. It covers the transfer of data between all versions of
the original file, especially when the data may be travelling over
the Internet
• Data in use
– Data in use is all data that is not at rest and is being used in
processing, or is stored to be processed (for example, in resident
memory, swap, processor cache or disk cache)
• Definition
– The process by which a user can deny the access of critical
information to potential adversaries (opponents) by identifying,
controlling and protecting the critical information is known as
the Operations Security Process.
• There are mainly five principles of OPSEC:
– What data needs to be protected?
– Who wants the data about the organization?
– How is the organization’s data vulnerable to attacks?
– What is the risk associated with the data?
– How can the data be protected?
Security
• Keeps confidential information secure
• Allows for secure exchange of information
• Allows an organization to ensure that they are meeting their
legal obligations
• Enhanced customer satisfaction that improves client
retention
• Consistency in the delivery of organization's service or
product
• Manages and minimizes risk exposure
• Builds a culture of security
• Protects the company, assets, shareholders and directors
Assets
• Information assets
• Software assets
• Physical assets
• Services
Threat Analysis
• Threat analysis is a procedure through which data regarding a
potential threat is collected and analyzed. The threat is subjected
to a thorough and systematic examination to identify significant
facts and to draw conclusions about whether excessive damage could
be realized through this threat
• The following determinations have to be made:
– Who would want to have this technology?
– Who would benefit if the project were discredited?
– Who would like it if something happened to the participants of
the project?
– Who would benefit if the activities directed at the project were
corrupted?
Vulnerability Analysis
• Vulnerabilities can be determined through analysis of the
operation of a project by the primary and supporting team members
working on it
• The target should be viewed as an attacker would view it
• The actions must be identified that could be used to derive vital
information by interpreting or piecing together other data
Risk Assessment
• In this step a decision is made that estimates the potential
effects of a vulnerability on an operation or activity, and a
cost-benefit analysis is made of the recommended corrective
actions
• The following are conducted during risk assessment:
– Determination of the information’s value
– Threat analysis
– Vulnerability determination of the information
• Avoidance of risk
• Transferring risks
• Mitigation of risks
• Deterring the risk
• Accepting the risks
• Personal life
– Work-related and sensitive information must be kept away from
the profile
– The location data, schedules and the plans must be kept secure
– The information and the names of friends, coworkers and members
of the family should be kept secure
• Posted data
– All the photos must be checked for reflective surfaces that
may indicate some critical information
– The file tags and filenames must be checked for critical information
• Passwords
– Each password must be unique
– Passwords must be hard enough that they are difficult to guess
– Passwords must not be given away or shared
• Settings and Privacy
– Access permissions should be set according to sorted groups of
friends
– Determine both profile and search visibility
– Verify through other channels that a "friend request" actually
came from a friend
– People who are not trustworthy at all must be added to the group
with the lowest access and permissions
• Security
– Anti-virus software must be kept updated
– Downloads, attachments and links in e-mails should be handled
with care
– Third parties often use 'apps' or plug-ins to get access to data;
the user should be aware of that
– Before entering sensitive data or logging in, check for HTTPS,
which indicates that the transmission is secured
Operations Security cost vs. benefit
• Costs
– Permanent resources on the security team for a particular project
– Tool and methodology procurement
– Source
– Costs incurred because training materials have to be purchased
• Benefits
– Operational costs are reduced
– Capital expenses are avoided
– The efficiency of operations is increased
– Compliance is enhanced
Checkpoint (1 of 5)
1. Which mathematical process can be used to derive a
mathematical value?
– Symmetric
– Social engineering
– Hashing
– Asymmetric
2. An employee claims that he didn’t send a mail to the
competitors. However, it was deduced from the email logs
that the mail was sent to that particular id at a very late
hour of night. What is provided from these logs?
– Integrity
– Confidentiality
– Authentication
– Non-repudiation
Checkpoint (2 of 5)
3. In cryptography, what does MAC stand for?
– Media access control
– Mandatory access control
– Message authentication code
– Multiple advisory committees
4. Out of the following, which one is an attack against the
algorithm?
– Birthday attack
– Weak key attack
– Mathematical attack
– Registration attack
Checkpoint (3 of 5)
5. What does WEP stand for?
– Wi-Fi encrypted process
– Wi-Fi encrypted protection
– Wired Equivalent Protection
– Wired Equivalent Privacy
6. Which of the following is a Physical Asset?
– Database
– Router
– Application
– Data Communication
Checkpoint (4 of 5)
7. Which of the following is an Information Asset?
– Database
– Router
– Application
– Data Communication
8. Which of the following is a Software Asset?
– Database
– Router
– Application
– Data Communication
Checkpoint (5 of 5)
9. What is MAC associated with access control?
– Media access control
– Mandatory access control
– Message authentication code
– Multiple advisory committees
10. Which of the following is data at rest in a system?
– Data in RAM
– Data in hard disk
– Data in pen drive
– Data in network