
LESSON 1

INTRODUCTION TO INFORMATION SECURITY

TOPICS:
1. What is information security?
2. Concepts and models: the CIA Triad
3. Concepts and models: the RMIAS model
4. Exploring the core knowledge areas within information security.

LEARNING OUTCOMES: At the end of the lesson the student should be able to:

express some of the key concepts around information security;
relate knowledge areas to the discipline of information/cyber security; and
summarize the CIA Triad and show an appreciation of the more extensive RMIAS model.

Topic 1: WHAT IS INFORMATION SECURITY?

Information Security - What's that?

Information security, sometimes abbreviated to infosec, is a set of practices intended to keep data
secure from unauthorized access or alterations, both when it's being stored and when it's being
transmitted from one machine or physical location to another. You might sometimes see it referred to
as data security. As knowledge has become one of the 21st century's most important assets, efforts to
keep information secure have correspondingly become increasingly important.

The SANS Institute defines information security as:

Information security refers to the processes and methodologies which are designed and implemented
to protect print, electronic, or any other form of confidential, private and sensitive information or data
from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption.

Information security vs. cybersecurity

Because information technology has become the accepted corporate buzz phrase that means,
basically, "computers and related stuff," you will sometimes see information
security and cybersecurity used interchangeably. Strictly speaking, cybersecurity is the broader
practice of defending IT assets from attack, and information security is a specific discipline under the
cybersecurity umbrella. Network security and application security are sister practices to infosec,
focusing on networks and app code, respectively.

Obviously, there's some overlap here. You can't secure data transmitted across an insecure network
or manipulated by a leaky application. As well, there is plenty of information that isn't stored
electronically that also needs to be protected. Thus, the infosec pro's remit is necessarily broad.
Source: (https://www.csoonline.com/article/3513899/what-is-information-security-definition-principles-and-jobs.html)

Information Security 1
Other Definition

Information Security is not only about securing information from unauthorized access. Information
Security is basically the practice of preventing unauthorized access, use, disclosure, disruption,
modification, inspection, recording or destruction of information. Information can be physical or
electronic. Information can be anything, such as your personal details, your profile on social media,
your data on a mobile phone, your biometrics, etc. Thus Information Security spans many research areas,
such as Cryptography, Mobile Computing, Cyber Forensics, Online Social Media, etc.

During the First World War, a Multi-tier Classification System was developed, keeping in mind the
sensitivity of information. With the beginning of the Second World War, formal alignment of the
Classification System was done. Alan Turing was the one who successfully decrypted the Enigma Machine,
which was used by the Germans to encrypt warfare data.
Source: (https://www.geeksforgeeks.org/what-is-information-security/)

Topic 2: CONCEPTS AND MODELS: THE CIA TRIAD

The CIA Triad

The CIA Triad - Confidentiality, Integrity and Availability - is a well-established model in information
security.

The CIA Triad model focuses on three key aspects:

• Confidentiality: a system should ensure that only authorized users access information; that
information is stored or transmitted to ensure that unauthorized users cannot access it.
• Integrity: a system should ensure completeness, accuracy and an absence of unauthorized
modifications in all its components.
• Availability: a system and all of the system's components are available and operational when
required by any authorized users.

Define some terms:

Authorized user - a user (person or system) who has been authenticated. Once authenticated a user has
some level of authorization (e.g. the ability to view, change, delete, administer/manage etc.) which is
identified and checked by the system.

Authentication - a mechanism (a protocol) by which a user is identified and uses some token to prove who
they are. Authentication can take many forms including biometrics (i.e. the use of biological features such
as face, iris, fingerprint, etc.).

We use cryptography as a basis to hide the meaning of information from those people or systems that do
not have the decryption key (a piece of information, usually numeric, that is known only to the authorized
user or system, and is required by them to access the information). Note that data that is stored in a
computer or on disk is often called "data at rest" and data being transmitted is called "data in motion".

We need to be sure that the information or data that we are accessing is valid, which is achieved by various
integrity mechanisms. Our definition identifies "absence of unauthorized modifications"; this implies
several things:

(i) that the system tracks (often called logging) which user has access to it, and that the user
has gone through appropriate authentication processes,

(ii) that it checks that a user has write access before she can make a change and
save changes - and may also keep a backup of changes as well as the audit
information,

(iii) that an authorized user can view, modify, delete etc. only the information for which
they have permission, and

(iv) that the system can be made up of a number of components, and so authentication,
authorization and audit can be something that is shared across a system.

So for integrity we need to authenticate and check levels of authorizations, log information as required so
that a future audit can identify what has taken place and lastly we need to have confidence that the
information or data we are viewing is correct, or that the transaction we want to undertake (e.g. transfer of
cash or making a payment) is valid - this is something we can prove mathematically / logically. This last
comment about transactions is important as we need to consider nonrepudiation.
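
Points (i) to (iv) above, sketched as an added Python example that is not part of the original lesson: a small in-memory record store that authenticates the caller, checks write permission before a change, keeps the previous value as a backup, and records every decision in a hash-chained audit log so that later edits to the log are detectable. The class, user names, tokens and permissions are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample data: users, their secret tokens and their permissions.
USERS = {
    "alice": {"token": "alice-token", "perms": {"read", "write"}},
    "bob": {"token": "bob-token", "perms": {"read"}},
}


class RecordStore:
    """Toy store tying authentication, authorization, backup and audit together."""

    def __init__(self):
        self.records = {}   # record id -> current value
        self.history = {}   # record id -> list of previous values (backup)
        self.audit = []     # hash-chained audit entries

    @staticmethod
    def _entry_hash(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _log(self, user, action, record_id, allowed):
        # Each entry commits to the previous entry's hash, so editing or
        # removing an earlier entry breaks every later link in the chain.
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        body = {"user": user, "action": action, "record": record_id,
                "allowed": allowed, "prev": prev}
        self.audit.append({**body, "hash": self._entry_hash(body)})

    def _authenticate(self, user, token):
        # (i) the user proves who they are; tokens are compared in constant time.
        entry = USERS.get(user)
        return entry is not None and hmac.compare_digest(entry["token"], token)

    def _authorized(self, user, token, action, record_id):
        # (iii) a user may only do what their permissions allow; every
        # decision, allowed or denied, is written to the audit log.
        ok = self._authenticate(user, token) and action in USERS[user]["perms"]
        self._log(user, action, record_id, ok)
        return ok

    def read(self, user, token, record_id):
        if not self._authorized(user, token, "read", record_id):
            raise PermissionError(f"{user} may not read {record_id}")
        return self.records[record_id]

    def write(self, user, token, record_id, value):
        # (ii) write access is checked before any change is saved.
        if not self._authorized(user, token, "write", record_id):
            raise PermissionError(f"{user} may not write {record_id}")
        if record_id in self.records:
            self.history.setdefault(record_id, []).append(self.records[record_id])
        self.records[record_id] = value

    def audit_is_intact(self):
        """Recompute the chain; False means the log was altered after the fact."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != self._entry_hash(body):
                return False
            prev = entry["hash"]
        return True


def demo():
    store = RecordStore()
    store.write("alice", "alice-token", "balance", 100)
    store.write("alice", "alice-token", "balance", 80)
    try:
        store.write("bob", "bob-token", "balance", 1_000_000)
        bob_blocked = False
    except PermissionError:
        bob_blocked = True
    intact_before = store.audit_is_intact()
    # Simulate someone rewriting the log so the denied attempt looks allowed.
    store.audit[2]["allowed"] = True
    intact_after = store.audit_is_intact()
    return {
        "balance": store.read("alice", "alice-token", "balance"),
        "backup": store.history["balance"],
        "bob_blocked": bob_blocked,
        "intact_before": intact_before,
        "intact_after": intact_after,
    }


if __name__ == "__main__":
    print(demo())
```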

Nonrepudiation is "the assurance that someone cannot deny something" such as a signature on a
contract. In information security we have an equivalent meaning - we have a service, or set of services that
provide proof of the integrity and origin of data. This relies on authentication and cryptographic mechanisms
so that we can effectively sign data, such as an email, so that the receiver has high confidence that it came
from a known source and that it has not been tampered with.
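
Why signing gives nonrepudiation where a shared-key check does not, as an added example that is not part of the original lesson: with an HMAC both parties hold the same key, so the receiver could have produced the tag itself, while a signature can only be produced by the holder of the private key. The signature here is an assumption chosen so the example runs with the Python standard library alone: textbook RSA without padding, built from two known Mersenne primes, with constructed messages; real systems use a vetted library and a padded scheme.

```python
import hashlib
import hmac

# Shared-key check (HMAC). Sender and receiver hold the SAME key, so a valid
# tag shows the message was not altered in transit, but either party could
# have produced it: the sender can later deny having sent the message.
SHARED_KEY = b"constructed-demo-key"


def mac_tag(message: bytes) -> bytes:
    return hmac.new(SHARED_KEY, message, hashlib.sha256).digest()


def mac_verify(message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(message), tag)


# Toy signature (assumption for this example): textbook RSA over a SHA-256
# digest, with no padding, using two known Mersenne primes as the modulus
# factors. It shows the asymmetry only and must not be used to protect data.
P = 2**521 - 1
Q = 2**607 - 1
PUBLIC_N = P * Q
PUBLIC_E = 65537
PRIVATE_D = pow(PUBLIC_E, -1, (P - 1) * (Q - 1))  # held by the signer only


def _digest_as_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes) -> int:
    """Signer side: needs the private exponent."""
    return pow(_digest_as_int(message), PRIVATE_D, PUBLIC_N)


def verify(message: bytes, signature: int) -> bool:
    """Receiver side: needs only the public values (PUBLIC_N, PUBLIC_E)."""
    return pow(signature, PUBLIC_E, PUBLIC_N) == _digest_as_int(message)


def demo() -> dict:
    sent = b"Pay 100 to account 12345"        # constructed sample message
    altered = b"Pay 900 to account 12345"     # same message, changed amount
    tag, signature = mac_tag(sent), sign(sent)
    return {
        "mac_accepts_original": mac_verify(sent, tag),
        "mac_detects_alteration": not mac_verify(altered, tag),
        # The receiver holds SHARED_KEY too, so it can mint a valid tag for
        # a message the sender never wrote: no proof of origin to others.
        "receiver_can_mint_mac": mac_verify(altered, mac_tag(altered)),
        "signature_accepts_original": verify(sent, signature),
        "signature_detects_alteration": not verify(altered, signature),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```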

For availability we are looking to build systems that are reliable and are able to provide service across a
wide range of operating states. We are concerned that a system will remain accessible to authorized users
for a range of operating conditions, such as if under attack, or being heavily used. For example a system
attached to the Internet (or other network such as a server on a cellular network) may be attacked in order
to deny legitimate users access - a so called Denial of Service (DoS) or Distributed DoS attack where the
resources used to get access to a system are used up by the attacker(s) in an effort to stop users. Such
attacks are widely reported in the press. Additionally an attacker may gain access to a system and cause
the system to stop or malfunction. We are therefore concerned with creating systems that have an
appropriate level of availability as defined by government, customers or industry, for which we may need to
employ high availability and high reliability engineering. A compromised system could also provide incorrect
information - a failure of integrity, or provide unauthorized users access to information or resources - a
failure of confidentiality.

The CIA Triad encompasses hardware (computers, servers, smartphones, etc.), software (operating
systems as well as applications) and communication technologies (switches, routers, gateways, wifi access
points, base stations, mobile switching centres, etc.). These fundamental components are in the context of
systems, people and processes. This is typically in the context of a person, a family unit, a business, or a
government and country in its many civilian and military facets.

Importance of CIA Triad in Cyber Security

Security breaches and data thefts have become a headache for businesses. Recent reports and surveys
reflect an unpleasant picture of organizations' cybersecurity posture. The recent Facebook data breach
scandal, in which the private data of millions of users was compromised, is in the limelight. Most
companies have unprotected data due to poor policies, which could result in data breaches and massive
penalties due to compliance issues such as those of GDPR – General Data Protection Regulation. To
avert this situation, organizations must deploy the above-mentioned security controls along with
various other controls (such as SIEM and SOAR) to enhance their cybersecurity posture.

Topic 3: CONCEPTS AND MODELS: THE RMIAS MODEL

A Reference Model of Information Assurance and Security (RMIAS)

The RMIAS is a comprehensive overview of the Information Assurance and Security domain. The RMIAS
promotes a comprehensive approach to Information Assurance and Security. It is independent of
technology and may be applied by an organization of any size in any domain.

The RMIAS has been developed on the basis of the extensive analysis of the Information Security
(InfoSec) and Information Assurance (IA) literature, survey of InfoSec and IA practitioners and a systematic
analysis of the existing models of InfoSec and IA. The RMIAS is a synthesis of the existing knowledge of
the IAS domain. Some of the models of InfoSec and IA that lay in the foundation of the RMIAS are the CIA-
triad, McCumber's Cube and Maconachy et al Model of IA.

The RMIAS has implications for education, research and practice. The RMIAS may be used for the
development of Information Security Policy Document, its structuring and omissions identification. The
RMIAS may be used for structuring InfoSec thinking in an organization. It provides a framework for
cataloguing the existing research in the domain. The RMIAS enables newcomers to the IAS domain to get
faster appreciation of the complexity and diverse nature of the domain.

The RMIAS encompasses four dimensions: Security Development Life Cycle, Information Taxonomy,
Security Goals and Security Countermeasures. The interconnections between the dimensions
are illustrated with arrows.

The RMIAS embraces as one of its dimensions the IAS-octave - a set of eight security goals including
Confidentiality, Integrity, Availability, Accountability, Non-repudiation, Auditability, Authenticity &
Trustworthiness and Privacy. The IAS-octave replaces the CIA-triad as a comprehensive set of security
goals. The IAS-octave was developed based on the extensive analysis of IAS and system engineering
literature, and evaluated via interviews with IAS experts.

The RMIAS was adopted as the basis for a security extension for BPMN. The aspects of security related to
cloud computing were identified using the RMIAS.

The RMIAS is published under a Creative Commons Attribution-Noncommercial-Share Alike 4.0
International License.

The RMIAS has a wider scope than the CIA Triad. It is based on IAS – Information Assurance and Security
– which is the integration of Information Security, which we have defined, and Information Assurance,
which we briefly discuss here. Details are provided in the resources and bibliography section.

Information Assurance has a different emphasis than Information Security – it is multi-disciplinary and its
focus is to reduce risks to information and information systems including physical security, people aspects
such as awareness and training as well as processes and governance within an organization. In addition
the perception of Information Assurance is that its focus is more on the defensive measures and cost
effectiveness of the measures that can be put into place to minimize the impact of a security event.
Information/cyber security is similar in scope but not overly focused on risk and cost.

So combining Information Security and Information Assurance we can address the risks to information
systems and all manner of the controls we can put in place: technical, physical, procedural and personnel.
Using the RMIAS model we have the opportunity to see the widest picture.

Source: http://users.cs.cf.ac.uk/Y.V.Cherdantseva/RMIAS.pdf

What is a reference model?

Hopefully you will have heard about the 7 layer Open Systems Interconnection model standardized by the
International Standards organization (ISO) for computer networks. That model provides an abstraction – a
set of concepts, axioms, and relationships for computer networks that is independent of specific standards,
technologies or implementations. The RMIAS is a proposal that identifies an abstraction of Information
Assurance and Security as a square representation of different concepts – called dimensions.

It is not the only such model; the authors have taken on board a number of other models created over the
last few decades. Let’s look briefly at the four dimensions that they have defined:

• Information Systems Security Lifecycle – illustrates a temporal aspect and the application of some
development methodology that will create, deploy, measure, refine and finally retire an information
system / solution in the context of the business / organization.
• Information taxonomy – through which we can describe the information being protected and its
lifecycle from creation to destruction. Here we consider every category of information by form, state,
sensitivity and location.
• Security Goals – define the set of goals that can be applied in the context of an organization,
business or system. The model here is an expansion of the CIA Triad to become the “IAS octet” by
adding for example accountability, nonrepudiation and privacy. Agreeing goals allows the
stakeholders to understand the concepts that can then be mapped to technical, business, process and
human perspectives. By the process of risk analysis the authors outline that the security goals can be
prioritized and used to set security countermeasures.
• Security countermeasures – we can define these as techniques or processes used to achieve the
required security goals. From an IAS perspective the selection of security measures is carried out from
the perspective of cost-effectiveness and business efficiency. This set of countermeasures covers
technical, business, legal and human factors; we cover some technical and business aspects in weeks
2, 3 and 4. For example, the human aspect includes the setting of security policies for staff to meet the
business requirements. To help staff, the business requires staff to be aware of the policies: they must
confirm their awareness and compliance, they may receive training and they may be tested. For
example, many businesses are sending fake phishing emails to staff to see who opens and engages
with the scam. By monitoring or auditing the effectiveness of the security countermeasures we can
close the loop, as this feeds into the security development lifecycle and can effect change.
There is a wealth of detail when you look into each of these dimensions. Much more than we can cover in a
short course. The key perspective is to reflect on the model and use it as a tool to help understand the
breadth of information security and information assurance.

Topic 4: EXPLORING THE CORE KNOWLEDGE AREAS WITHIN INFORMATION SECURITY

The Knowledge Areas identified at the time of creating this lesson cover the following nine areas:

1. Cyber Defense, which includes aspects such as cryptography, data security, computer security,
network security, information assurance. We cover a short introduction to some of these in this
course. This area is based on computing, networks and protocols and mathematics as well as
aspects of management as part of information assurance.

2. Cyber Operations, which covers aspects such as cyber-attack, penetration testing, cyber intelligence,
reverse engineering of malware, cryptanalysis and so on. Again this is based on computing,
networks and protocols and mathematics. Here we also consider adversarial aspects – how are we
attacked, what attacks are being perpetrated and how good are our systems. In penetration testing
we play the adversary to test our systems, our processes and our personnel as part of our
organization's readiness to face attacks and to determine our vulnerabilities. In penetration testing
we also consider physical security and can use social engineering to test the organization. In
cryptanalysis we break encryption systems – either to test how effective our systems are or for
intelligence and law enforcement purposes.

3. Digital Forensics, which includes the investigation and gathering of data from hardware and
software on hosts and servers, mobile devices right down to network devices and embedded
systems such as CCTV. Here we also see incident response, cybercrime, and cyber law
enforcement in the curriculum. Our focus has become interdisciplinary as we add aspects of the
law, evidence gathering and processes to respond to attacks and data breaches to our knowledge
and skills.

4. Cyber Physical Systems, such as Supervisory Control and Data Acquisition (SCADA) systems, the
internet-of-things (IOT), industrial control systems. Here we move out of the office environment into
the factory, the production line, the supply chain, smart cities, smart transportation systems, smart
homes. These are typically not based on standard desktop and server computers, instead the
systems are usually termed embedded systems and cyber-physical systems as they interface
computers with sensors and actuators. Again this is based on computing, networks and protocols
as well as some exposure to electronic engineering.

5. Secure Software Development, which includes secure systems design, secure coding, deployment,
maintainability and usability of secure systems. We of course wish that all software was secure and
usable but a lot of software is not written using “security by design”. This area is largely around
computing and software engineering, and includes aspects such as building reliable and available
software. There is also a human factor – how do we design systems for the users of our
secure systems (human computer interactions).

6. Cyber ethics, the ethical use of information systems including the concept of privacy and
anonymity, intellectual property rights, etc. We as professionals have a responsibility around the
societal impact of information systems and in their security. Here we apply many of the previous
knowledge areas and consider the human factors, laws, regulations, directives etc.

7. Cyber Policy, Governance, and Law, such as government and institutional policies and practices,
the roles in organizations, responsibilities and requirement on senior management to the business,
the law and regulations. There are a range of regulations that apply for cyber systems and
operations, and of course cyber laws such as the data protection act, computer misuse act and so
on. There is a technical focus, we need to consider aspects of technology but many aspects are
around management and legal/regulatory.

8. Cyber Risk Management, which includes cyber resilience and assurance, for example how do we
recover from disasters (disaster recovery), what business continuity measures are required for our
business, security evaluation (for example compliance issues) and cyber economics. Here we
need a technology background but much of the coverage includes management, processes,
people, risk assessment and economic factors.

9. Human Behavior Relating to Cyber Systems and Operations, such as social engineering, use of
social networks, the user experience, and organizational behavior.

As mentioned, these are draft knowledge areas and are more specifically oriented to cyber security rather
than the more general areas of Information Security and Information Assurance. However they give you a
flavor of what to expect when you study and work in the security industry. These areas will change and this
lesson will be updated when the JTF have finalized their work.

Not all careers or roles in the security industry will need to have a deep coverage of all nine areas. In fact
providing a depth of knowledge in all these aspects is difficult to achieve within the time constraints of a
master’s degree or undergraduate degree. Therefore degrees typically provide a core coverage and some
of these knowledge areas may be provided as options so that students interested say in digital forensics
and cybercrime can gain some depth by taking those options that most interest them.

The Multi-Disciplinary Nature of Information Security

We have seen throughout this week that information/cyber security has a wide coverage – it is a
multi-disciplinary subject, and the knowledge areas specified by the ACM JTF are largely based around
computer science, ICT, some mathematics, management, a little engineering, and economics. Some aspects
touch on psychology with respect to human and organizational behavior.

However this is not the whole picture. Different degrees, roles and career trajectories will expose you to a
variety of different elements, and these will change as you progress through your career. In addition to the
knowledge areas identified above, you may gain and develop skills and knowledge around politics, geo-
politics, culture, electronic commerce, project management, technology management, consultancy, people
and organizational management, business planning and sales.

Additionally we look briefly at the professionalization of the security industry, with some of the different
organizations that provide support, development and networking to help develop you and your career.

ASSESSMENT

I. MATCHING TYPE: Match Column A with the correct answer in Column B. Write only the letter of your
answer on the blank provided before the number.

Column A
______ 1. This can take many forms including face, iris, fingerprint, etc.
______ 2. The information is transmitted to ensure that unauthorized users cannot access it.
______ 3. This is the practice of preventing unauthorized access.
______ 4. The assurance that someone cannot deny something.
______ 5. This promotes a comprehensive approach to information.
______ 6. This is used to create, deploy, measure, refine.
______ 7. A technique or process used to achieve the required security goals.
______ 8. This covers the penetration and cyber-attack.
______ 9. A system that ensures completeness.
______10. A system all the components are required to authorized users.

Column B
a. Availability
b. Information security
c. Security countermeasure
d. RMIAS
e. TRIAD
f. Authentication
g. Confidentiality
h. Non-repudiation
i. Cyber operation
j. Integrity
k. Information system security lifecycle

II. ESSAY. Answer the following questions. Write your answer under each question (5pts each).

1. How does the Reference Model of Information Assurance and Security (RMIAS) work?


_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

2. Differentiate cyber security from information security.


_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

3. What is cyber ethics?


_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

4. What is digital forensics?


_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________
_______________________________________________________________________________

Reflection paper: (The outline would be: INTRODUCTION, BODY PARAGRAPH/SELF REFLECTIVE
ESSAY, AND CONCLUSION)
Topic: Why is information security needed?

LESSON 2
INTRODUCTION TO CRYPTOGRAPHY

TOPICS:
1. Origin of Cryptography
2. Modern Cryptography
3. Cryptosystem
4. Attacks on Cryptosystem
5. Traditional Ciphers
6. Modern Symmetric Key Encryption
7. Advanced Encryption Standard
8. Public Key Encryption
9. Data Integrity in Cryptography
10. Cryptography Digital Signature
11. Public Key Infrastructure

LEARNING OUTCOMES: At the end of the lesson the student should be able to:
justify why we need cryptography;
identify different security services cryptography can provide;
explain the different roles of cryptographic algorithms and keys;
recognize how and where cryptographic protection can fail;
appraise the role cryptography plays in real applications; and
evaluate different perspectives on control of cryptography.

Topic 1: ORIGIN OF CRYPTOGRAPHY

Human beings have, for ages, had two inherent needs − (a) to communicate and share information and (b) to
communicate selectively. These two needs gave rise to the art of coding messages in such a way that
only the intended people could have access to the information. Unauthorized people could not extract any
information, even if the scrambled messages fell into their hands.

The art and science of concealing messages to introduce secrecy in information security is recognized
as cryptography.
The word ‘cryptography’ was coined by combining two Greek words, ‘Krypto’ meaning hidden and
‘graphein’ meaning writing.

History of Cryptography

The art of cryptography is considered to have been born along with the art of writing. As civilizations
evolved, human beings got organized in tribes, groups, and kingdoms. This led to the emergence of ideas
such as power, battles, supremacy, and politics. These ideas further fueled the natural need of people to
communicate secretly with selected recipients, which in turn ensured the continuous evolution of
cryptography as well.
The roots of cryptography are found in Roman and Egyptian civilizations.

Hieroglyph − the Oldest Cryptographic Technique


The first known evidence of cryptography can be traced to the use of ‘hieroglyph’. Some 4000 years ago,
the Egyptians used to communicate by messages written in hieroglyph. This code was the secret known
only to the scribes who used to transmit messages on behalf of the kings. One such hieroglyph is shown
below.

Later, the scholars moved on to using simple mono-alphabetic substitution ciphers during 500 to 600 BC.
This involved replacing the letters of a message with other letters according to some secret rule. This
rule became a key to retrieve the message back from the garbled message.

The earlier Roman method of cryptography, popularly known as the Caesar Shift Cipher, relies on
shifting the letters of a message by an agreed number (three was a common choice). The recipient of this
message would then shift the letters back by the same number and obtain the original message.

Steganography
Steganography is similar but adds another dimension to cryptography. In this method, people not only
want to protect the secrecy of information by concealing it, but they also want to make sure that any
unauthorized person gets no evidence that the information even exists. An example is invisible
watermarking.
In steganography, an unintended recipient or an intruder is unaware of the fact that observed data
contains hidden information. In cryptography, an intruder is normally aware that data is being
communicated, because they can see the coded/scrambled message.

Evolution of Cryptography

During and after the European Renaissance, various Italian and Papal states led the rapid proliferation
of cryptographic techniques. Various analysis and attack techniques were researched in this era to break
the secret codes.
• Improved coding techniques such as Vigenere Coding came into existence in the 15th century,
which offered moving letters in the message by a variable number of places instead of moving
them all the same number of places.
• Only after the 19th century did cryptography evolve from ad hoc approaches to encryption to the
more sophisticated art and science of information security.
• In the early 20th century, the invention of mechanical and electromechanical machines, such as
the Enigma rotor machine, provided more advanced and efficient means of coding the
information.
• During the period of World War II, both cryptography and cryptanalysis became excessively
mathematical.
With the advances taking place in this field, government organizations, military units, and some corporate
houses started adopting the applications of cryptography. They used cryptography to guard their secrets
from others. Now, the arrival of computers and the Internet has brought effective cryptography within the
reach of common people.
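
The Caesar shift and the Vigenere coding described above, as an added Python example that is not part of the original lesson: Caesar moves every letter the same number of places, Vigenere moves each letter by an amount taken from a repeating key, and Caesar is the special case of a one-letter key. Because Caesar has only 25 usable shifts, trying them all and looking for an expected word is enough to read a message, which is why it offers no real secrecy. The sample message, key and function names are constructed.

```python
import string

ALPHABET = string.ascii_uppercase


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Shift each letter by the amount of the matching key letter (A=0, B=1, ...).

    Non-letters pass through unchanged and do not consume a key letter.
    """
    key = key.upper()
    if not key or any(k not in ALPHABET for k in key):
        raise ValueError("key must be a non-empty string of letters A-Z")
    shifts = [ALPHABET.index(k) for k in key]
    out, used = [], 0
    for ch in text.upper():
        if ch in ALPHABET:
            shift = shifts[used % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
            used += 1
        else:
            out.append(ch)
    return "".join(out)


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Caesar shift: every letter moves the same number of places."""
    return vigenere(text, ALPHABET[shift % 26], decrypt)


def caesar_candidates(ciphertext: str) -> dict:
    """Undo every non-trivial shift; the whole key space is 25 entries."""
    return {s: caesar(ciphertext, s, decrypt=True) for s in range(1, 26)}


def recover_shift(ciphertext: str, expected_word: str) -> list:
    """Shifts whose decryption contains a word the reader expects to see."""
    return [s for s, plain in caesar_candidates(ciphertext).items()
            if expected_word.upper() in plain]


MESSAGE = "MEET ME AT THE LIBRARY AT NOON"   # constructed sample message

if __name__ == "__main__":
    c = caesar(MESSAGE, 3)
    print("Caesar, shift 3 :", c)
    print("Shift recovered :", recover_shift(c, "library"))
    v = vigenere(MESSAGE, "KEY")
    print("Vigenere, KEY   :", v)
    print("Decrypted       :", vigenere(v, "KEY", decrypt=True))
```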

Topic 2: MODERN CRYPTOGRAPHY

Modern cryptography is the cornerstone of computer and communications security. Its foundation is based
on various concepts of mathematics such as number theory, computational-complexity theory, and
probability theory.

Characteristics of Modern Cryptography


There are three major characteristics that separate modern cryptography from the classical approach.
Classic Cryptography | Modern Cryptography
It manipulates traditional characters, i.e., letters and digits directly. | It operates on binary bit sequences.
It is mainly based on ‘security through obscurity’. The techniques employed for coding were kept secret and only the parties involved in communication knew about them. | It relies on publicly known mathematical algorithms for coding the information. Secrecy is obtained through a secret key which is used as the seed for the algorithms. The computational difficulty of algorithms, absence of secret key, etc., make it impossible for an attacker to obtain the original information even if he knows the algorithm used for coding.
It requires the entire cryptosystem for communicating confidentially. | Modern cryptography requires parties interested in secure communication to possess the secret key only.

Context of Cryptography
Cryptology, the study of cryptosystems, can be subdivided into two branches −

 Cryptography
 Cryptanalysis

What is Cryptography?
Cryptography is the art and science of making a cryptosystem that is capable of providing information
security.
Cryptography deals with the actual securing of digital data. It refers to the design of mechanisms based on
mathematical algorithms that provide fundamental information security services. You can think of
cryptography as the establishment of a large toolkit containing different techniques in security applications.

What is Cryptanalysis?
The art and science of breaking the cipher text is known as cryptanalysis.
Cryptanalysis is the sister branch of cryptography and they both co-exist. The cryptographic process
results in the cipher text for transmission or storage. Cryptanalysis involves the study of cryptographic
mechanisms with the intention of breaking them. Cryptanalysis is also used during the design of new
cryptographic techniques to test their security strengths.
Note − Cryptography is concerned with the design of cryptosystems, while cryptanalysis studies the breaking
of cryptosystems.

Security Services of Cryptography


The primary objective of using cryptography is to provide the following four fundamental information
security services. Let us now see the possible goals intended to be fulfilled by cryptography.

Confidentiality
Confidentiality is the fundamental security service provided by cryptography. It is a security service that
keeps the information from an unauthorized person. It is sometimes referred to as privacy or secrecy.
Confidentiality can be achieved through numerous means starting from physical securing to the use of
mathematical algorithms for data encryption.

Data Integrity
It is a security service that deals with identifying any alteration to the data. The data may get modified by an
unauthorized entity intentionally or accidentally. Integrity service confirms whether data is intact or not
since it was last created, transmitted, or stored by an authorized user.
Data integrity cannot prevent the alteration of data, but provides a means for detecting whether data has
been manipulated in an unauthorized manner.

Authentication
Authentication provides the identification of the originator. It confirms to the receiver that the data received
has been sent only by an identified and verified sender.
Authentication service has two variants −

 Message authentication identifies the originator of the message without any regard to the router or
system that has sent the message.
 Entity authentication is assurance that data has been received from a specific entity, say a
particular website.
Apart from the originator, authentication may also provide assurance about other parameters related to
data such as the date and time of creation/transmission.

Non-repudiation
It is a security service that ensures that an entity cannot refuse the ownership of a previous commitment
or an action. It is an assurance that the original creator of the data cannot deny the creation or
transmission of the said data to a recipient or third party.
Non-repudiation is a property that is most desirable in situations where there are chances of a dispute
over the exchange of data. For example, once an order is placed electronically, a purchaser cannot deny
the purchase order, if non-repudiation service was enabled in this transaction.

Cryptography Primitives
Cryptography primitives are nothing but the tools and techniques in Cryptography that can be selectively
used to provide a set of desired security services −

 Encryption
 Hash functions
 Message Authentication codes (MAC)
 Digital Signatures
The following table shows the primitives that can achieve a particular security service on their own.

Note − Cryptographic primitives are intricately related and they are often combined to achieve a set of
desired security services from a cryptosystem.
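How a hash function and a MAC differ in delivering the integrity and authentication services described above, as an added example that is not part of the original lesson. It uses Python's standard hashlib and hmac modules; the key, the messages and the function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values for the demonstration.
SHARED_KEY = b"constructed-demo-key"      # known only to sender and receiver
ORIGINAL = b"PAY 100 TO ALICE"
TAMPERED = b"PAY 900 TO ALICE"


def sha256_digest(message: bytes) -> bytes:
    """Hash function: no key involved, so anyone can compute it."""
    return hashlib.sha256(message).digest()


def hmac_tag(key: bytes, message: bytes) -> bytes:
    """Message authentication code (HMAC-SHA256): needs the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def receiver_accepts_hash(message: bytes, digest: bytes) -> bool:
    """Receiver-side integrity check using only a hash."""
    return hmac.compare_digest(sha256_digest(message), digest)


def receiver_accepts_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver-side check using a MAC. compare_digest runs in constant
    time, so the comparison does not reveal how many bytes matched."""
    return hmac.compare_digest(hmac_tag(key, message), tag)


def run_scenarios() -> dict:
    digest = sha256_digest(ORIGINAL)
    tag = hmac_tag(SHARED_KEY, ORIGINAL)
    return {
        # Untouched message: both checks pass.
        "hash_ok_untouched": receiver_accepts_hash(ORIGINAL, digest),
        "mac_ok_untouched": receiver_accepts_mac(SHARED_KEY, ORIGINAL, tag),
        # Message altered, check value left alone: both checks detect it.
        "hash_detects_change": not receiver_accepts_hash(TAMPERED, digest),
        "mac_detects_change": not receiver_accepts_mac(
            SHARED_KEY, TAMPERED, tag),
        # Whoever alters the message can also recompute an unkeyed hash,
        # so a hash sent alongside the data gives no authentication.
        "hash_accepts_recomputed": receiver_accepts_hash(
            TAMPERED, sha256_digest(TAMPERED)),
        # Without the shared key a matching MAC cannot be recomputed.
        "mac_rejects_wrong_key": not receiver_accepts_mac(
            SHARED_KEY, TAMPERED, hmac_tag(b"guessed-key", TAMPERED)),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Every scenario evaluates to True: the hash alone detects alteration only when the check value itself is out of the modifier's reach, while the MAC also ties the message to a holder of the key.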

Topic 3: CRYPTOSYSTEMS

A cryptosystem is an implementation of cryptographic techniques and their accompanying infrastructure to
provide information security services. A cryptosystem is also referred to as a cipher system.
Let us discuss a simple model of a cryptosystem that provides confidentiality to the information being
transmitted. This basic model is depicted in the illustration below −

The illustration shows a sender who wants to transfer some sensitive data to a receiver in such a way that
any party intercepting or eavesdropping on the communication channel cannot extract the data.
The objective of this simple cryptosystem is that at the end of the process, only the sender and the
receiver will know the plaintext.

Components of a Cryptosystem
The various components of a basic cryptosystem are as follows −
 Plaintext. It is the data to be protected during transmission.
 Encryption Algorithm. It is a mathematical process that produces a ciphertext for any given
plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption
key as input and produces a ciphertext.
 Ciphertext. It is the scrambled version of the plaintext produced by the encryption algorithm using
a specific encryption key. The ciphertext is not guarded. It flows on a public channel. It can be
intercepted or compromised by anyone who has access to the communication channel.
 Decryption Algorithm. It is a mathematical process that produces a unique plaintext for any
given ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a
decryption key as input, and outputs a plaintext. The decryption algorithm essentially reverses the
encryption algorithm and is thus closely related to it.
 Encryption Key. It is a value that is known to the sender. The sender inputs the encryption key
into the encryption algorithm along with the plaintext in order to compute the ciphertext.
 Decryption Key. It is a value that is known to the receiver. The decryption key is related to the
encryption key, but is not always identical to it. The receiver inputs the decryption key into the
decryption algorithm along with the ciphertext in order to compute the plaintext.
For a given cryptosystem, a collection of all possible decryption keys is called a key space.
An interceptor (an attacker) is an unauthorized entity who attempts to determine the plaintext. He can
see the ciphertext and may know the decryption algorithm. He, however, must never know the decryption
key.

Types of Cryptosystems
Fundamentally, there are two types of cryptosystems based on the manner in which encryption-decryption
is carried out in the system −

 Symmetric Key Encryption


 Asymmetric Key Encryption

The main difference between these cryptosystems is the relationship between the encryption and the
decryption key. Logically, in any cryptosystem, both the keys are closely associated. It is practically
impossible to decrypt the ciphertext with the key that is unrelated to the encryption key.

Symmetric Key Encryption


The encryption process where the same keys are used for encrypting and decrypting the information is
known as Symmetric Key Encryption.
The study of symmetric cryptosystems is referred to as symmetric cryptography. Symmetric
cryptosystems are also sometimes referred to as secret key cryptosystems.
A few well-known examples of symmetric key encryption methods are − Digital Encryption Standard
(DES), Triple-DES (3DES), IDEA, and BLOWFISH.

Prior to 1970, all cryptosystems employed symmetric key encryption. Even today, its relevance is very
high and it is being used extensively in many cryptosystems. It is very unlikely that this encryption will fade
away, as it has certain advantages over asymmetric key encryption.

The salient features of cryptosystem based on symmetric key encryption are −


 Persons using symmetric key encryption must share a common key prior to exchange of
information.
 Keys are recommended to be changed regularly to prevent any attack on the system.
 A robust mechanism needs to exist to exchange the key between the communicating parties. As
keys are required to be changed regularly, this mechanism becomes expensive and cumbersome.
 In a group of n people, to enable two-party communication between any two persons, the number
of keys required for group is n × (n – 1)/2.
 Length of Key (number of bits) in this encryption is smaller and hence, process of encryption-
decryption is faster than asymmetric key encryption.
 Processing power of computer system required to run symmetric algorithm is less.

Challenge of Symmetric Key Cryptosystem


There are two restrictive challenges of employing symmetric key cryptography.
 Key establishment − before any communication, both the sender and the receiver need to agree
on a secret symmetric key. It requires a secure key establishment mechanism in place.
 Trust Issue − since the sender and the receiver use the same symmetric key, there is an implicit
requirement that the sender and the receiver ‘trust’ each other. For example, it may happen that
the receiver has lost the key to an attacker and the sender is not informed.

These two challenges are highly restraining for modern day communication. Today, people need to
exchange information with non-familiar and non-trusted parties, for example, in communication between
an online seller and a customer. These limitations of symmetric key encryption gave rise to asymmetric key
encryption schemes.

Asymmetric Key Encryption


The encryption process where different keys are used for encrypting and decrypting the
information is known as Asymmetric Key Encryption. Though the keys are different, they are
mathematically related and hence, retrieving the plaintext by decrypting ciphertext is feasible. The process
is depicted in the following illustration –

Asymmetric Key Encryption was invented in the 20th century to overcome the necessity of a pre-shared
secret key between communicating persons. The salient features of this encryption scheme are as follows −

 Every user in this system needs to have a pair of dissimilar keys, private key and public key.
These keys are mathematically related − when one key is used for encryption, the other can
decrypt the ciphertext back to the original plaintext.
 It requires placing the public key in a public repository and keeping the private key as a well-guarded
secret. Hence, this scheme of encryption is also called Public Key Encryption.
 Though public and private keys of the user are related, it is computationally not feasible to find one
from another. This is a strength of this scheme.
 When Host1 needs to send data to Host2, he obtains the public key of Host2 from repository,
encrypts the data, and transmits.
 Host2 uses his private key to extract the plaintext.
 Length of Keys (number of bits) in this encryption is large and hence, the process of encryption-
decryption is slower than symmetric key encryption.
 Processing power of computer system required to run asymmetric algorithm is higher.
Symmetric cryptosystems are a natural concept. In contrast, public-key cryptosystems are quite difficult to
comprehend.
You may think, how can the encryption key and the decryption key be ‘related’, and yet it is impossible to
determine the decryption key from the encryption key? The answer lies in the mathematical concepts. It is
possible to design a cryptosystem whose keys have this property. The concept of public-key cryptography
is relatively new. There are fewer public-key algorithms known than symmetric algorithms.
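One concrete instance of keys that are related yet hard to derive from one another, as an added example that is not part of the original lesson: textbook RSA with deliberately tiny primes. The primes, exponent and function names are constructed for illustration; there is no padding and the key is far too small for real use.

```python
from math import gcd


def make_keypair(p: int, q: int, e: int):
    """Build a textbook RSA key pair from two primes and a public exponent."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    # The private exponent is the modular inverse of e. Computing it needs
    # phi, and phi is only known to whoever knows the factors p and q.
    d = pow(e, -1, phi)  # Python 3.8+
    return (n, e), (n, d)


def encrypt(public_key, message: int) -> int:
    n, e = public_key
    if not 0 <= message < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(message, e, n)


def decrypt(private_key, ciphertext: int) -> int:
    n, d = private_key
    return pow(ciphertext, d, n)


def factor_by_trial_division(n: int):
    """Find p and q by trying every candidate divisor in turn.

    The work grows with the square root of n, which is why this succeeds
    instantly on the toy modulus below and is hopeless against a modulus
    of realistic size (hundreds of digits)."""
    candidate = 2
    while candidate * candidate <= n:
        if n % candidate == 0:
            return candidate, n // candidate
        candidate += 1
    raise ValueError("n has no non-trivial factor")


def private_exponent_from_public(public_key) -> int:
    """Derive d from the public key alone; feasible only because n is tiny."""
    n, e = public_key
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    public, private = make_keypair(61, 53, 17)   # constructed toy values
    c = encrypt(public, 65)
    print("public key :", public)
    print("private key:", private)
    print("65 ->", c, "->", decrypt(private, c))
    print("d recovered by factoring n:", private_exponent_from_public(public))
```

The relation between the two keys is the equation e × d ≡ 1 modulo (p − 1)(q − 1); what keeps the private key private is the size of n, not secrecy of the method.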

Challenge of Public Key Cryptosystem
Public-key cryptosystems have one significant challenge − the user needs to trust that the public key that
he is using in communications with a person really is the public key of that person and has not been
spoofed by a malicious third party.
This is usually accomplished through a Public Key Infrastructure (PKI) consisting of a trusted third party. The
third party securely manages and attests to the authenticity of public keys. When the third party is
requested to provide the public key for any communicating person X, they are trusted to provide the
correct public key.
The third party satisfies itself about user identity by the process of attestation, notarization, or some other
process − that X is the one and only, or globally unique, X. The most common method of making the
verified public keys available is to embed them in a certificate which is digitally signed by the trusted third
party.

Relation between Encryption Schemes


A summary of basic key properties of two types of cryptosystems is given below –

                         Symmetric Cryptosystems     Public Key Cryptosystems
Relation between Keys    Same                        Different, but mathematically related
Encryption Key           Symmetric                   Public
Decryption Key           Symmetric                   Private

Due to the advantages and disadvantages of both the systems, symmetric key and public-key
cryptosystems are often used together in practical information security systems.

Kerckhoff’s Principle for Cryptosystem


In the 19th century, a Dutch cryptographer A. Kerckhoff furnished the requirements of a good
cryptosystem. Kerckhoff stated that a cryptographic system should be secure even if everything about the
system, except the key, is public knowledge. The six design principles defined by Kerckhoff for
cryptosystem are −
 The cryptosystem should be unbreakable practically, if not mathematically.
 The cryptosystem falling into the hands of an intruder should not lead to any compromise of the
system or any inconvenience to the user.
 The key should be easily communicable, memorable, and changeable.
 The ciphertext should be transmissible by telegraph, an unsecure channel.
 The encryption apparatus and documents should be portable and operable by a single person.
 Finally, it is necessary that the system be easy to use, requiring neither mental strain nor the
knowledge of a long series of rules to observe.
The second rule is currently known as Kerckhoff principle. It is applied in virtually all the contemporary
encryption algorithms such as DES, AES, etc. These public algorithms are considered to be thoroughly
secure. The security of the encrypted message depends solely on the security of the secret encryption
key.
Keeping the algorithms secret may act as a significant barrier to cryptanalysis. However, keeping the
algorithms secret is possible only when they are used in a strictly limited circle.
In the modern era, cryptography needs to cater to users who are connected to the Internet. In such cases,
using a secret algorithm is not feasible, hence Kerckhoff's principles became essential guidelines for
designing algorithms in modern cryptography.

Topic 4: ATTACKS ON CRYPTOSYSTEMS

In the present era, not only business but almost all the aspects of human life are driven by information.
Hence, it has become imperative to protect useful information from malicious activities such as attacks.
Let us consider the types of attacks to which information is typically subjected.
Attacks are typically categorized based on the action performed by the attacker. An attack, thus, can
be passive or active.

Passive Attacks
The main goal of a passive attack is to obtain unauthorized access to the information. For example,
actions such as intercepting and eavesdropping on the communication channel can be regarded as
passive attack.
These actions are passive in nature, as they neither affect information nor disrupt the communication
channel. A passive attack is often seen as stealing information. The only difference in stealing physical
goods and stealing information is that theft of data still leaves the owner in possession of that data.
Passive information attack is thus more dangerous than stealing of goods, as information theft may go
unnoticed by the owner.

Active Attacks
An active attack involves changing the information in some way by conducting some process on the
information. For example,
 Modifying the information in an unauthorized manner.
 Initiating unintended or unauthorized transmission of information.
 Alteration of authentication data such as originator name or timestamp associated with information.
 Unauthorized deletion of data.
 Denial of access to information for legitimate users (denial of service).

Cryptography provides many tools and techniques for implementing cryptosystems capable of preventing
most of the attacks described above.

Assumptions of Attacker
Let us see the prevailing environment around cryptosystems followed by the types of attacks employed to
break these systems –

Environment around Cryptosystem


While considering possible attacks on the cryptosystem, it is necessary to know the cryptosystem's
environment. The attacker’s assumptions and knowledge about the environment decide his capabilities.
In cryptography, the following three assumptions are made about the security environment and attacker’s
capabilities.

Details of the Encryption Scheme


The design of a cryptosystem is based on the following two cryptography algorithms −
 Public Algorithms − with this option, all the details of the algorithm are in the public domain,
known to everyone.
 Proprietary algorithms − the details of the algorithm are only known by the system designers and
users.
In case of proprietary algorithms, security is ensured through obscurity. Private algorithms may not be the
strongest algorithms as they are developed in-house and may not be extensively investigated for
weakness.
Secondly, they allow communication among closed group only. Hence they are not suitable for modern
communication where people communicate with large number of known or unknown entities. Also,
according to Kerckhoff’s principle, the algorithm is preferred to be public with strength of encryption lying
in the key.
Thus, the first assumption about security environment is that the encryption algorithm is known to the
attacker.

Availability of Ciphertext
We know that once the plaintext is encrypted into ciphertext, it is put on an unsecure public channel (say
email) for transmission. Thus, it can be assumed that the attacker has access to the ciphertext
generated by the cryptosystem.

Availability of Plaintext and Ciphertext


This assumption is not as obvious as the others. However, there may be situations where an attacker can
have access to plaintext and corresponding ciphertext. Some such possible circumstances are −
 The attacker influences the sender to convert plaintext of his choice and obtains the ciphertext.
 The receiver may divulge the plaintext to the attacker inadvertently. The attacker has access to
corresponding ciphertext gathered from open channel.
 In a public-key cryptosystem, the encryption key is in open domain and is known to any potential
attacker. Using this key, he can generate pairs of corresponding plaintexts and ciphertexts.

Cryptographic Attacks
The basic intention of an attacker is to break a cryptosystem and to find the plaintext from the ciphertext.
To obtain the plaintext, the attacker only needs to find out the secret decryption key, as the algorithm is
already in public domain.

Hence, he applies maximum effort towards finding out the secret key used in the cryptosystem. Once the
attacker is able to determine the key, the attacked system is considered as broken or compromised.
Based on the methodology used, attacks on cryptosystems are categorized as follows −
 Ciphertext Only Attacks (COA) − In this method, the attacker has access to a set of
ciphertext(s). He does not have access to corresponding plaintext. COA is said to be successful
when the corresponding plaintext can be determined from a given set of ciphertext. Occasionally,
the encryption key can be determined from this attack. Modern cryptosystems are guarded
against ciphertext-only attacks.
 Known Plaintext Attack (KPA) − In this method, the attacker knows the plaintext for some parts
of the ciphertext. The task is to decrypt the rest of the ciphertext using this information. This may
be done by determining the key or via some other method. The best example of this attack
is linear cryptanalysis against block ciphers.
 Chosen Plaintext Attack (CPA) − In this method, the attacker has the text of his choice
encrypted. So he has the ciphertext-plaintext pair of his choice. This simplifies his task of
determining the encryption key. An example of this attack is differential cryptanalysis applied
against block ciphers as well as hash functions. A popular public key cryptosystem, RSA is also
vulnerable to chosen-plaintext attacks.
 Dictionary Attack − This attack has many variants, all of which involve compiling a ‘dictionary’. In
simplest method of this attack, attacker builds a dictionary of ciphertexts and corresponding
plaintexts that he has learnt over a period of time. In future, when an attacker gets the ciphertext,
he refers the dictionary to find the corresponding plaintext.
 Brute Force Attack (BFA) − In this method, the attacker tries to determine the key by attempting
all possible keys. If the key is 8 bits long, then the number of possible keys is 2^8 = 256. The
attacker knows the ciphertext and the algorithm; he now attempts all the 256 keys one by one for
decryption. The time to complete the attack would be very high if the key is long.
 Birthday Attack − This attack is a variant of brute-force technique. It is used against the
cryptographic hash function. When students in a class are asked about their birthdays, the answer
is one of the possible 365 dates. Let us assume the first student's birthdate is 3rd Aug. Then to
find the next student whose birthdate is 3rd Aug, we need to enquire 1.25*√365 ≈ 25 students.
Similarly, if the hash function produces 64 bit hash values, the possible hash values are 1.8×10^19.
By repeatedly evaluating the function for different inputs, the same output is expected to be
obtained after about 5.1×10^9 random inputs.
If the attacker is able to find two different inputs that give the same hash value, it is
a collision and that hash function is said to be broken.
 Man in Middle Attack (MIM) − The targets of this attack are mostly public key cryptosystems
where key exchange is involved before communication takes place.
o Host A wants to communicate to host B, hence requests public key of B.
o An attacker intercepts this request and sends his public key instead.
o Thus, whatever host A sends to host B, the attacker is able to read.
o In order to maintain communication, the attacker re-encrypts the data after reading with
his public key and sends to B.
o The attacker sends his public key as A’s public key so that B takes it as if it is taking it
from A.
 Side Channel Attack (SCA) − This type of attack is not against any particular type of
cryptosystem or algorithm. Instead, it is launched to exploit the weakness in physical
implementation of the cryptosystem.
 Timing Attacks − They exploit the fact that different computations take different times to compute
on processor. By measuring such timings, it is possible to know about a particular computation
the processor is carrying out. For example, if the encryption takes a longer time, it indicates that
the secret key is long.

 Power Analysis Attacks − These attacks are similar to timing attacks except that the amount of
power consumption is used to obtain information about the nature of the underlying computations.
 Fault analysis Attacks − In these attacks, errors are induced in the cryptosystem and the
attacker studies the resulting output for useful information.
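The birthday effect from the list above, measured on a deliberately shortened hash, as an added example that is not part of the original lesson. SHA-256 is truncated to a few bits to model a short hash function; the input format, bit lengths and function names are constructed for illustration.

```python
import hashlib
from math import sqrt


def truncated_hash(data: bytes, bits: int) -> int:
    """Leading `bits` bits of SHA-256, modelling a hash with short output."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def find_collision(bits: int, max_trials: int = 1_000_000):
    """Hash distinct inputs until two of them share an output.

    Returns (first_input, second_input, trials) or None if max_trials
    inputs were hashed without a repeat."""
    seen = {}
    for counter in range(max_trials):
        data = b"msg-%d" % counter          # constructed, distinct inputs
        value = truncated_hash(data, bits)
        if value in seen:
            return seen[value], data, counter + 1
        seen[value] = data
    return None


def square_root_bound(bits: int) -> float:
    """Order of magnitude of the inputs needed: sqrt of the output space."""
    return sqrt(2 ** bits)


def measure(bit_lengths=(12, 16, 20, 24)):
    """Trials needed per output length, next to 2^bits and sqrt(2^bits)."""
    rows = []
    for bits in bit_lengths:
        _, _, trials = find_collision(bits)
        rows.append((bits, 2 ** bits, round(square_root_bound(bits)), trials))
    return rows


if __name__ == "__main__":
    print("bits  outputs     sqrt(outputs)  trials until collision")
    for bits, space, bound, trials in measure():
        print(f"{bits:>4}  {space:>10}  {bound:>13}  {trials:>6}")
```

The trial count tracks the square root of the number of possible outputs rather than the number itself, which is why a hash meant to resist collisions at an n-bit level needs an output of about 2n bits.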

Practicality of Attacks
The attacks on cryptosystems described here are highly academic, as the majority of them come from the
academic community. In fact, many academic attacks involve quite unrealistic assumptions about
environment as well as the capabilities of the attacker. For example, in chosen-ciphertext attack, the
attacker requires an impractical number of deliberately chosen plaintext-ciphertext pairs. It may not be
practical altogether.
Nonetheless, the fact that any attack exists should be a cause of concern, particularly if the attack
technique has the potential for improvement.

Topic 5: TRADITIONAL CIPHERS

Earlier Cryptographic Systems


Before proceeding further, you need to know some facts about historical cryptosystems −
 All of these systems are based on symmetric key encryption scheme.
 The only security service these systems provide is confidentiality of information.
 Unlike modern systems which are digital and treat data as binary numbers, the earlier systems
worked on alphabets as basic element.
These earlier cryptographic systems are also referred to as Ciphers. In general, a cipher is simply just a
set of steps (an algorithm) for performing both an encryption, and the corresponding decryption.

Caesar Cipher
It is a mono-alphabetic cipher wherein each letter of the plaintext is substituted by another letter to form
the ciphertext. It is the simplest form of substitution cipher scheme.
This cryptosystem is generally referred to as the Shift Cipher. The concept is to replace each alphabet by
another alphabet which is ‘shifted’ by some fixed number between 0 and 25.
For this type of scheme, both sender and receiver agree on a ‘secret shift number’ for shifting the
alphabet. This number which is between 0 and 25 becomes the key of encryption.
The name ‘Caesar Cipher’ is occasionally used to describe the Shift Cipher when the ‘shift of three’ is
used.

Process of Shift Cipher


 In order to encrypt a plaintext letter, the sender positions the sliding ruler underneath the first set of
plaintext letters and slides it to LEFT by the number of positions of the secret shift.
 The plaintext letter is then encrypted to the ciphertext letter on the sliding ruler underneath. The
result of this process is depicted in the following illustration for an agreed shift of three positions.
In this case, the plaintext ‘tutorial’ is encrypted to the ciphertext ‘WXWRULDO’. Here is the
ciphertext alphabet for a Shift of 3 –

 SAMPLE: CAESAR CIPHER
KHARINE – PLAIN TEXT
NKDULQH – CIPHER TEXT
 On receiving the ciphertext, the receiver who also knows the secret shift, positions his sliding ruler
underneath the ciphertext alphabet and slides it to RIGHT by the agreed shift number, 3 in this
case.
 He then replaces the ciphertext letter by the plaintext letter on the sliding ruler underneath. Hence
the ciphertext ‘WXWRULDO’ is decrypted to ‘tutorial’. To decrypt a message encoded with a Shift
of 3, generate the plaintext alphabet using a shift of ‘-3’ as shown below –

 SAMPLE: CAESAR CIPHER
KHARINE – PLAIN TEXT
NKDULQH – CIPHER TEXT

Security Value
Caesar Cipher is not a secure cryptosystem because there are only 26 possible keys to try out. An
attacker can carry out an exhaustive key search with available limited computing resources.
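The shift cipher and the 26-key exhaustive search described above, as an added example that is not part of the original lesson. The word list used to recognise a readable candidate is constructed for illustration, as are the function names.

```python
import string

ALPHABET = string.ascii_uppercase

# Constructed word list: a candidate counts as readable when every word
# in it appears here. A real check would use a full dictionary.
WORDLIST = {"ATTACK", "FROM", "SOUTH", "EAST",
            "TUTORIAL", "POINT", "HIDE", "MONEY"}


def shift_encrypt(plaintext: str, shift: int) -> str:
    """Replace each letter by the one `shift` positions later (mod 26).
    Characters outside A-Z (spaces, digits) pass through unchanged."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, shift: int) -> str:
    """Decryption is encryption with the opposite shift."""
    return shift_encrypt(ciphertext, -shift)


def exhaustive_key_search(ciphertext: str) -> dict:
    """Decrypt under every key in the key space: only 26 candidates."""
    return {key: shift_decrypt(ciphertext, key) for key in range(26)}


def is_readable(candidate: str) -> bool:
    words = candidate.split()
    return bool(words) and all(word in WORDLIST for word in words)


def recover_keys(ciphertext: str) -> list:
    """Keys whose decryption is readable according to the word list."""
    return [key for key, text in exhaustive_key_search(ciphertext).items()
            if is_readable(text)]


if __name__ == "__main__":
    print(shift_encrypt("tutorial", 3))          # the lesson's example
    print(shift_encrypt("KHARINE", 3))           # the lesson's sample
    secret = shift_encrypt("attack from south east", 11)
    print(secret, "-> key candidates:", recover_keys(secret))
```

Whatever the shift, the search never needs more than 26 decryptions, so the secrecy of the key adds almost nothing once the method is known.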

Simple Substitution Cipher


It is an improvement to the Caesar Cipher. Instead of shifting the alphabets by some number, this scheme
uses some permutation of the letters in alphabet.
For example, A.B…..Y.Z and Z.Y……B.A are two obvious permutations of all the letters in alphabet.
Permutation is nothing but a jumbled up set of alphabets.
With 26 letters in alphabet, the possible permutations are 26! (Factorial of 26) which is equal to 4×10^26.
The sender and the receiver may choose any one of these possible permutations as a ciphertext alphabet.
This permutation is the secret key of the scheme.

Process of Simple Substitution Cipher


 Write the alphabets A, B, C,...,Z in the natural order.
 The sender and the receiver decide on a randomly selected permutation of the letters of the
alphabet.
 Underneath the natural order alphabets, write out the chosen permutation of the letters of the
alphabet. For encryption, sender replaces each plaintext letters by substituting the permutation
letter that is directly beneath it in the table. This process is shown in the following illustration. In
this example, the chosen permutation is K,D, G, ..., O. The plaintext ‘point’ is encrypted to
‘MJBXZ’.
Here is a jumbled Ciphertext alphabet, where the order of the ciphertext letters is a key.

 SAMPLE: CAESAR CIPHER
KHARINE – PLAIN TEXT
AVKCBXN – CIPHER TEXT


 On receiving the ciphertext, the receiver, who also knows the randomly chosen permutation,
replaces each ciphertext letter on the bottom row with the corresponding plaintext letter in the top
row. The ciphertext ‘MJBXZ’ is decrypted to ‘point’.

Security Value
Simple Substitution Cipher is a considerable improvement over the Caesar Cipher. The possible number
of keys is large (26!) and even the modern computing systems are not yet powerful enough to comfortably
launch a brute force attack to break the system. However, the Simple Substitution Cipher has a simple
design and it is prone to design flaws: if, say, an obvious permutation is chosen, this cryptosystem can be
easily broken.

Monoalphabetic and Polyalphabetic Cipher


Monoalphabetic cipher is a substitution cipher in which for a given key, the cipher alphabet for each plain
alphabet is fixed throughout the encryption process. For example, if ‘A’ is encrypted as ‘D’, for any number
of occurrence in that plaintext, ‘A’ will always get encrypted to ‘D’.
All of the substitution ciphers we have discussed earlier in this chapter are monoalphabetic; these ciphers
are highly susceptible to cryptanalysis.

Polyalphabetic Cipher is a substitution cipher in which the cipher alphabet for the plain alphabet may be
different at different places during the encryption process. The next two examples, the Playfair and
Vigenere ciphers, are polyalphabetic ciphers.

Playfair Cipher
In this scheme, pairs of letters are encrypted, instead of single letters as in the case of simple substitution
cipher.
In playfair cipher, initially a key table is created. The key table is a 5×5 grid of alphabets that acts as the
key for encrypting the plaintext. Each of the 25 alphabets must be unique and one letter of the alphabet
(usually J) is omitted from the table as we need only 25 alphabets instead of 26. If the plaintext contains J,
then it is replaced by I.
The sender and the receiver decide on a particular key, say ‘tutorials’. In a key table, the first characters
(going left to right) in the table is the phrase, excluding the duplicate letters. The rest of the table will be
filled with the remaining letters of the alphabet, in natural order. The key table works out to be –

Process of Playfair Cipher


 First, a plaintext message is split into pairs of two letters (digraphs). If there is an odd number of
letters, a Z is added to the last letter. Let us say we want to encrypt the message “hide money”. It
will be written as −
HI DE MO NE YZ
 The rules of encryption are −
o If both the letters are in the same column, take the letter below each one (going back to
the top if at the bottom). ‘H’ and ‘I’ are in the same column, hence take the letter below them
to replace. HI → QC

T U O R I
A L S B C
D E F G H
K M N P Q
V W X Y Z

o If both letters are in the same row, take the letter to the right of each one (going back to the
left if at the farthest right). ‘D’ and ‘E’ are in the same row, hence take the letter to the right of
them to replace. DE → EF
o If neither of the preceding two rules is true, form a rectangle with the two letters and take the
letters on the horizontal opposite corner of the rectangle.

Using these rules, the result of the encryption of ‘hide money’ with the key of ‘tutorials’ would be −
QC EF NU MF ZV
Decrypting the Playfair cipher is as simple as doing the same process in reverse. Receiver has the same
key and can create the same key table, and then decrypt any messages made using that key.

Security Value
It is also a substitution cipher, and it is more difficult to break than the simple substitution cipher. As in
the case of the substitution cipher, cryptanalysis is possible on the Playfair cipher as well; however, it would be
against 625 possible pairs of letters (25×25 letters) instead of 26 different possible letters.
The Playfair cipher was used mainly to protect important, yet non-critical secrets, as it is quick to use and
requires no special equipment.

Vigenere Cipher

This scheme of cipher uses a text string (say, a word) as a key, which is then used for doing a number of
shifts on the plaintext.
For example, let’s assume the key is ‘point’. Each letter of the key is converted to its respective
numeric value. In this case,
p → 16, o → 15, i → 9, n → 14, and t → 20.
Thus, the key is: 16 15 9 14 20.

Process of Vigenere Cipher

• The sender and the receiver decide on a key. Say ‘point’ is the key. The numeric representation of this
key is ‘16 15 9 14 20’.
• The sender wants to encrypt the message, say ‘attack from south east’. He will arrange the plaintext
and the numeric key as follows –

• He now shifts each plaintext letter by the number written below it to create the ciphertext as shown
below –

• Here, each plaintext character has been shifted by a different amount – and that amount is
determined by the key. The key must be less than or equal to the size of the message.
• For decryption, the receiver uses the same key and shifts the received ciphertext in reverse order to
obtain the plaintext.

Security Value
Vigenere Cipher was designed by tweaking the standard Caesar cipher to reduce the effectiveness of
cryptanalysis on the ciphertext and make the cryptosystem more robust. It is significantly more secure than
a regular Caesar Cipher.
Historically, it was regularly used for protecting sensitive political and military information. It was referred
to as the unbreakable cipher due to the difficulty it posed to cryptanalysis.

Variants of Vigenere Cipher

There are two special cases of Vigenere cipher −
• The keyword length is the same as the plaintext message. This case is called Vernam Cipher. It is more
secure than the typical Vigenere cipher.
• Vigenere cipher becomes a cryptosystem with perfect secrecy, which is called One-time pad.

One-Time Pad
The circumstances are −

• The length of the keyword is the same as the length of the plaintext.
• The keyword is a randomly generated string of letters.
• The keyword is used only once.

Security Value
Let us compare Shift cipher with one-time pad.

Shift Cipher − Easy to Break


In case of Shift cipher, the entire message could have had a shift between 1 and 25. This is a very small
size, and very easy to brute force. However, with each character now having its own individual shift
between 1 and 26, the possible keys grow exponentially for the message.

One-time Pad − Impossible to Break


Let us say, we encrypt the name “point” with a one-time pad. It is a 5 letter text. To break the ciphertext by
brute force, you need to try all possibilities of keys and conduct computation for (26 x 26 x 26 x 26 x 26) =
26^5 = 11881376 times. That’s for a message with 5 letters. Thus, for a longer message, the
computation grows exponentially with every additional letter. This makes it computationally impossible
to break the ciphertext by brute force.
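An added example (not part of the original lesson) covering both the Vigenere process and the one-time pad above. It uses the lesson's key numbering (a = 1 ... z = 26), and the function names are chosen here for illustration. The last function shows the perfect-secrecy property mentioned under the variants: for any guess of the same length there is a pad that turns it into the observed ciphertext, so trying all 26^5 keys cannot single out the real plaintext.

```python
import secrets
import string

LETTERS = string.ascii_lowercase


def key_to_shifts(key):
    """Number the key letters a=1 ... z=26, as in the lesson ('point' -> 16 15 9 14 20)."""
    return [LETTERS.index(c) + 1 for c in key.lower()]


def shift_letters(text, key, direction):
    """Shift each letter by the key number under it; a shorter key is repeated."""
    shifts = key_to_shifts(key)
    letters = [c for c in text.lower() if c in LETTERS]
    return "".join(
        LETTERS[(LETTERS.index(c) + direction * shifts[i % len(shifts)]) % 26]
        for i, c in enumerate(letters)
    )


def vigenere_encrypt(plaintext, key):
    return shift_letters(plaintext, key, +1)


def vigenere_decrypt(ciphertext, key):
    return shift_letters(ciphertext, key, -1)


def otp_generate(length):
    """One-time pad: a random key as long as the message, to be used only once."""
    return "".join(secrets.choice(LETTERS) for _ in range(length))


def otp_encrypt(plaintext, pad):
    letters = [c for c in plaintext.lower() if c in LETTERS]
    if len(pad) != len(letters):
        raise ValueError("pad length must equal the number of plaintext letters")
    return shift_letters(plaintext, pad, +1)


def pad_that_explains(ciphertext, candidate):
    """Return the pad under which `candidate` encrypts to `ciphertext`."""
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate and ciphertext must have the same length")
    # shift s is written as the s-th letter, so shift 0 (= 26) is 'z'
    return "".join(
        LETTERS[(LETTERS.index(c) - LETTERS.index(p) - 1) % 26]
        for c, p in zip(ciphertext, candidate)
    )


def pad_count(length):
    """Number of different pads for a message of `length` letters."""
    return 26 ** length


if __name__ == "__main__":
    print(key_to_shifts("point"))
    ct = vigenere_encrypt("attack from south east", "point")
    print(ct, "->", vigenere_decrypt(ct, "point"))

    pad = otp_generate(5)
    ct = otp_encrypt("point", pad)
    for guess in ("point", "north", "south"):
        # every guess is "confirmed" by some pad, so none of them is confirmed
        print(ct, "could be", guess, "under pad", pad_that_explains(ct, guess))
    print(pad_count(5), "pads for a 5-letter message")
```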

Transposition Cipher
It is another type of cipher where the order of the letters in the plaintext is rearranged to create the
ciphertext. The actual plaintext letters are not replaced.
An example is a ‘simple columnar transposition’ cipher where the plaintext is written horizontally with a
certain width in letters. Then the ciphertext is read vertically as shown.
For example, the plaintext is “golden statue is in eleventh cave” and the secret random key chosen is
“five”. We arrange this text horizontally in a table with the number of columns equal to the key value. The
resulting text is shown below.

g o l d e
n s t a t
u e i s i
n e l e v
e n t h c
a v e

The ciphertext is obtained by reading each column vertically downward, from the first to the last column.
The ciphertext is ‘gnuneaoseenvltiltedasehetivc’.
To decrypt, the receiver prepares a similar table. The number of columns is equal to the key number. The
number of rows is obtained by dividing the total number of ciphertext letters by the key value and rounding
off the quotient to the next integer value.
The receiver then writes the received ciphertext vertically down and from the left to the right column. To
obtain the text, he reads horizontally left to right and from the top to the bottom row.
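The columnar transposition above as an added example (not part of the original lesson; function names are chosen here). It handles the case the description passes over: when the message does not fill the last row, the rightmost columns are one letter shorter, and the receiver has to account for that before writing the ciphertext down the columns.

```python
import math
import string


def letters_only(text):
    return "".join(c for c in text.lower() if c in string.ascii_lowercase)


def write_rows(plaintext, columns):
    """Write the letters horizontally, `columns` per row (the last row may be short)."""
    letters = letters_only(plaintext)
    return [letters[i:i + columns] for i in range(0, len(letters), columns)]


def encrypt(plaintext, columns):
    """Read the table column by column, top to bottom, first column to last."""
    if columns < 1:
        raise ValueError("the key value must be at least 1")
    rows = write_rows(plaintext, columns)
    return "".join(row[c] for c in range(columns) for row in rows if c < len(row))


def column_heights(length, columns):
    """Rows = ceil(length / columns); only the first (length mod columns) columns
    reach the last row when the message does not fill it."""
    rows = math.ceil(length / columns)
    full = length % columns or columns
    return [rows if c < full else rows - 1 for c in range(columns)]


def decrypt(ciphertext, columns):
    """Write the ciphertext down the columns, then read the table row by row."""
    if columns < 1:
        raise ValueError("the key value must be at least 1")
    heights = column_heights(len(ciphertext), columns)
    cols, pos = [], 0
    for h in heights:
        cols.append(ciphertext[pos:pos + h])
        pos += h
    return "".join(col[r] for r in range(max(heights)) for col in cols if r < len(col))


if __name__ == "__main__":
    message = "golden statue is in eleventh cave"
    for row in write_rows(message, 5):
        print(" ".join(row))
    ct = encrypt(message, 5)
    print(ct)
    print(column_heights(len(ct), 5))
    print(decrypt(ct, 5))
```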

Source: https://www.tutorialspoint.com/cryptography/traditional_ciphers.htm

TASK/ACTIVITY

Create an encrypted message using the traditional ciphers and send it to one of your classmates. Send a
screenshot of the encrypted message after sending it to your classmate.

Topic 6: MODERN SYMMETRIC KEY ENCRYPTION

Digital data is represented in strings of binary digits (bits), unlike alphabets. Modern cryptosystems need to
process these binary strings to convert them into other binary strings. Based on how these binary strings are
processed, symmetric encryption schemes can be classified into −

Block Ciphers
In this scheme, the plain binary text is processed in blocks (groups) of bits at a time; i.e. a block of
plaintext bits is selected, a series of operations is performed on this block to generate a block of ciphertext
bits. The number of bits in a block is fixed. For example, the schemes DES and AES have block sizes of
64 and 128, respectively.

Stream Ciphers
In this scheme, the plaintext is processed one bit at a time, i.e. one bit of plaintext is taken, and a series of
operations is performed on it to generate one bit of ciphertext. Technically, stream ciphers are block
ciphers with a block size of one bit.

BLOCK CIPHERS

The basic scheme of a block cipher is depicted as follows −

A block cipher takes a block of plaintext bits and generates a block of ciphertext bits, generally of the same
size. The size of the block is fixed in the given scheme. The choice of block size does not directly affect the
strength of the encryption scheme. The strength of the cipher depends upon the key length.

Block Size
Though any size of block is acceptable, the following aspects are borne in mind while selecting the size of a
block.
• Avoid very small block size − Say a block size is m bits. Then the number of possible plaintext bit
combinations is 2^m. If the attacker discovers the plaintext blocks corresponding to some
previously sent ciphertext blocks, then the attacker can launch a type of ‘dictionary attack’ by
building up a dictionary of plaintext/ciphertext pairs sent using that encryption key. A larger block
size makes the attack harder as the dictionary needs to be larger.
• Do not have very large block size − With a very large block size, the cipher becomes inefficient to
operate. Such plaintexts will need to be padded before being encrypted.
• Multiples of 8 bits − A preferred block size is a multiple of 8, as it is easy to implement because
most computer processors handle data in multiples of 8 bits.

Padding in Block Cipher

Block ciphers process blocks of fixed sizes (say 64 bits). The length of plaintexts is mostly not a multiple of
the block size. For example, a 150-bit plaintext provides two blocks of 64 bits each with a third block of
the remaining 22 bits. The last block of bits needs to be padded up with redundant information so that the length
of the final block is equal to the block size of the scheme. In our example, the remaining 22 bits need to have
an additional 42 redundant bits added to provide a complete block. The process of adding bits to the last
block is referred to as padding.
Too much padding makes the system inefficient. Also, padding may render the system insecure at times,
if the padding is always done with the same bits.

Block Cipher Schemes

There is a vast number of block cipher schemes in use. Many of them are publicly known. The most
popular and prominent block ciphers are listed below.
• Data Encryption Standard (DES) − The popular block cipher of the 1990s. It is now considered
a ‘broken’ block cipher, due primarily to its small key size.
• Triple DES − It is a variant scheme based on repeated DES applications. It is still a respected
block cipher but inefficient compared to the new faster block ciphers available.
• Advanced Encryption Standard (AES) − It is a relatively new block cipher based on the
encryption algorithm Rijndael that won the AES design competition.
• IDEA − It is a sufficiently strong block cipher with a block size of 64 bits and a key size of 128 bits. A
number of applications use IDEA encryption, including early versions of the Pretty Good Privacy
(PGP) protocol. The IDEA scheme has seen restricted adoption due to patent issues.
• Twofish − This scheme of block cipher uses a block size of 128 bits and a key of variable length. It
was one of the AES finalists. It is based on the earlier block cipher Blowfish with a block size of 64
bits.
• Serpent − A block cipher with a block size of 128 bits and key lengths of 128, 192, or 256 bits,
which was also an AES competition finalist. It is slower but has a more secure design than other
block ciphers.
In the next sections, we will first discuss the model of a block cipher, followed by DES and AES, two of the
most influential modern block ciphers.

FEISTEL BLOCK CIPHER


Feistel Cipher is not a specific scheme of block cipher. It is a design model from which many different
block ciphers are derived. DES is just one example of a Feistel Cipher. A cryptographic system based on
the Feistel cipher structure uses the same algorithm for both encryption and decryption.

Encryption Process
The encryption process uses the Feistel structure consisting of multiple rounds of processing of the plaintext,
each round consisting of a “substitution” step followed by a permutation step.
The Feistel structure is shown in the following illustration −
• The input block to each round is divided into two halves that can be denoted as L and R for the left
half and the right half.
• In each round, the right half of the block, R, goes through unchanged. But the left half, L, goes
through an operation that depends on R and the encryption key. First, we apply an encrypting
function ‘f’ that takes two inputs − the key K and R. The function produces the output f(R,K). Then,
we XOR the output of the mathematical function with L.
• In a real implementation of the Feistel Cipher, such as DES, instead of using the whole encryption
key during each round, a round-dependent key (a subkey) is derived from the encryption key. This
means that each round uses a different key, although all these subkeys are related to the original key.
• The permutation step at the end of each round swaps the modified L and unmodified R. Therefore,
the L for the next round would be R of the current round. And R for the next round would be the
output L of the current round.
• The above substitution and permutation steps form a ‘round’. The number of rounds is specified by
the algorithm design.
• Once the last round is completed, the two sub-blocks, ‘R’ and ‘L’, are concatenated in this
order to form the ciphertext block.
The difficult part of designing a Feistel Cipher is the selection of the round function ‘f’. In order to be an
unbreakable scheme, this function needs to have several important properties that are beyond the scope of our
discussion.

Decryption Process

The process of decryption in a Feistel cipher is almost similar. Instead of starting with a block of plaintext,
the ciphertext block is fed into the start of the Feistel structure, and then the process thereafter is exactly
the same as described in the given illustration.
The process is said to be almost similar and not exactly the same. In the case of decryption, the only
difference is that the subkeys used in encryption are used in the reverse order.
The final swapping of ‘L’ and ‘R’ in the last step of the Feistel Cipher is essential. If these are not swapped,
then the resulting ciphertext could not be decrypted using the same algorithm.
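An added example (not part of the original lesson) of the Feistel structure described above, showing that decryption is the same routine with the subkeys reversed and that it fails without the final swap. The round function (HMAC-SHA256), the subkey derivation, the 16-byte block and the 8 rounds are assumptions chosen here to make a runnable toy; it is not DES and not a vetted cipher.

```python
import hashlib
import hmac

BLOCK = 16          # block size in bytes (toy value chosen for this example)
HALF = BLOCK // 2
ROUNDS = 8


def subkeys(key, rounds=ROUNDS):
    """Derive one round-dependent subkey per round from the encryption key."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(rounds)]


def f(right, subkey):
    """Round function f(R, K). It is not invertible, and it does not need to be."""
    return hmac.new(subkey, right, hashlib.sha256).digest()[:HALF]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel(block, round_keys, final_swap=True):
    """Run the Feistel rounds over one block with the given subkey order."""
    if len(block) != BLOCK:
        raise ValueError(f"block must be {BLOCK} bytes")
    left, right = block[:HALF], block[HALF:]
    for k in round_keys:
        # R passes through unchanged and becomes the next L;
        # L is XORed with f(R, K) and becomes the next R.
        left, right = right, xor(left, f(right, k))
    # Concatenate as R || L (the final swap) so the same routine can decrypt.
    return right + left if final_swap else left + right


def encrypt(block, key):
    return feistel(block, subkeys(key))


def decrypt(block, key):
    # Same algorithm, subkeys in reverse order.
    return feistel(block, subkeys(key)[::-1])


if __name__ == "__main__":
    key = b"lesson key"
    plaintext = b"sixteen byte msg"          # constructed 16-byte sample block
    ciphertext = encrypt(plaintext, key)
    print(ciphertext.hex())
    print(decrypt(ciphertext, key))

    # Without the final swap, running the same routine with reversed subkeys
    # does not recover the plaintext.
    ks = subkeys(key)
    no_swap = feistel(plaintext, ks, final_swap=False)
    print(feistel(no_swap, ks[::-1], final_swap=False) == plaintext)
```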

Number of Rounds
The number of rounds used in a Feistel Cipher depends on the desired security of the system. A greater
number of rounds provides a more secure system. But at the same time, more rounds mean slower, less
efficient encryption and decryption processes. The number of rounds in a system thus depends upon the
efficiency–security tradeoff.

DATA ENCRYPTION STANDARD


The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of
Standards and Technology (NIST).
DES is an implementation of a Feistel Cipher. It uses a 16-round Feistel structure. The block size is 64 bits.
Though the key length is 64 bits, DES has an effective key length of 56 bits, since 8 of the 64 bits of the key
are not used by the encryption algorithm (they function as check bits only). The general structure of DES is
depicted in the following illustration −

Since DES is based on the Feistel Cipher, all that is required to specify DES is −

• Round function
• Key schedule
• Any additional processing − Initial and final permutation

Initial and Final Permutation

The initial and final permutations are straight Permutation boxes (P-boxes) that are inverses of each other.
They have no cryptographic significance in DES. The initial and final permutations are shown as follows −

Round Function

The heart of this cipher is the DES function, f. The DES function applies a 48-bit key to the rightmost 32 bits
to produce a 32-bit output.

• Expansion Permutation Box − Since the right input is 32 bits and the round key is 48 bits, we first need
to expand the right input to 48 bits. The permutation logic is graphically depicted in the following
illustration −

• The graphically depicted permutation logic is generally described as a table in the DES specification,
illustrated as shown −

• XOR (Whitener) − After the expansion permutation, DES does an XOR operation on the expanded
right section and the round key. The round key is used only in this operation.
• Substitution Boxes − The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes,
each with a 6-bit input and a 4-bit output. Refer to the following illustration −

• The S-box rule is illustrated below –

• There are a total of eight S-box tables. The output of all eight S-boxes is then combined into a
32-bit section.

• Straight Permutation − The 32-bit output of the S-boxes is then subjected to the straight permutation
with the rule shown in the following illustration:

Key Generation
The round-key generator creates sixteen 48-bit keys out of a 56-bit cipher key. The process of key
generation is depicted in the following illustration −

The logic for Parity drop, shifting, and Compression P-box is given in the DES description.

DES Analysis

DES satisfies both of the desired properties of a block cipher. These two properties make the cipher
very strong.
• Avalanche effect − A small change in the plaintext results in a very great change in the
ciphertext.
• Completeness − Each bit of ciphertext depends on many bits of plaintext.

During the last few years, cryptanalysts have found some weaknesses in DES when the keys selected are
weak keys. These keys should be avoided.
DES has proved to be a very well designed block cipher. There have been no significant cryptanalytic
attacks on DES other than exhaustive key search.

TRIPLE DES
The speed of exhaustive key searches against DES after 1990 began to cause discomfort amongst users
of DES. However, users did not want to replace DES as it takes an enormous amount of time and money
to change encryption algorithms that are widely adopted and embedded in large security architectures.
The pragmatic approach was not to abandon the DES completely, but to change the manner in which
DES is used. This led to the modified schemes of Triple DES (sometimes known as 3DES).
Incidentally, there are two variants of Triple DES known as 3-key Triple DES (3TDES) and 2-key Triple
DES (2TDES).

3-KEY Triple DES

Before using 3TDES, the user first generates and distributes a 3TDES key K, which consists of three different
DES keys K1, K2 and K3. This means that the actual 3TDES key has length 3×56 = 168 bits. The
encryption scheme is illustrated as follows −
The encryption-decryption process is as follows −
• Encrypt the plaintext blocks using single DES with key K1.
• Now decrypt the output of step 1 using single DES with key K2.
• Finally, encrypt the output of step 2 using single DES with key K3.
• The output of step 3 is the ciphertext.
• Decryption of a ciphertext is the reverse process. The user first decrypts using K3, then
encrypts with K2, and finally decrypts with K1.

Due to this design of Triple DES as an encrypt–decrypt–encrypt process, it is possible to use a 3TDES
(hardware) implementation for single DES by setting K1, K2, and K3 to be the same value. This provides
backwards compatibility with DES.
The second variant of Triple DES (2TDES) is identical to 3TDES except that K3 is replaced by K1. In other
words, the user encrypts plaintext blocks with key K1, then decrypts with key K2, and finally encrypts with K1 again.
Therefore, 2TDES has a key length of 112 bits.
Triple DES systems are significantly more secure than single DES, but they are clearly a much slower
process than encryption using single DES.

Topic 7: ADVANCED ENCRYPTION STANDARD

The more popular and widely adopted symmetric encryption algorithm likely to be encountered nowadays
is the Advanced Encryption Standard (AES). It is found to be at least six times faster than Triple DES.
A replacement for DES was needed as its key size was too small. With increasing computing power, it
was considered vulnerable to exhaustive key search attacks. Triple DES was designed to overcome
this drawback, but it was found to be slow.
The features of AES are as follows −

• Symmetric key symmetric block cipher
• 128-bit data, 128/192/256-bit keys
• Stronger and faster than Triple-DES
• Provide full specification and design details
• Software implementable in C and Java

Operation of AES

AES is an iterative rather than Feistel cipher. It is based on a ‘substitution–permutation network’. It
comprises a series of linked operations, some of which involve replacing inputs by specific outputs
(substitutions) and others involve shuffling bits around (permutations).
Interestingly, AES performs all its computations on bytes rather than bits. Hence, AES treats the 128 bits
of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for processing
as a matrix −

Unlike DES, the number of rounds in AES is variable and depends on the length of the key. AES uses
10 rounds for 128-bit keys, 12 rounds for 192-bit keys and 14 rounds for 256-bit keys. Each of these
rounds uses a different 128-bit round key, which is calculated from the original AES key.
The schematic of the AES structure is given in the following illustration −

Encryption Process

Here, we restrict ourselves to the description of a typical round of AES encryption. Each round comprises
four sub-processes. The first round process is depicted below −

Byte Substitution (SubBytes)
The 16 input bytes are substituted by looking up a fixed table (S-box) given in the design. The result is
a matrix of four rows and four columns.

Shiftrows
Each of the four rows of the matrix is shifted to the left. Any entries that ‘fall off’ are re-inserted on the
right side of the row. The shift is carried out as follows –

• First row is not shifted.
• Second row is shifted one (byte) position to the left.
• Third row is shifted two positions to the left.
• Fourth row is shifted three positions to the left.
• The result is a new matrix consisting of the same 16 bytes but shifted with respect to each other.

MixColumns
Each column of four bytes is now transformed using a special mathematical function. This function takes
as input the four bytes of one column and outputs four completely new bytes, which replace the original
column. The result is another new matrix consisting of 16 new bytes. It should be noted that this step is
not performed in the last round.

Addroundkey
The 16 bytes of the matrix are now considered as 128 bits and are XORed to the 128 bits of the round
key. If this is the last round, then the output is the ciphertext. Otherwise, the resulting 128 bits are
interpreted as 16 bytes and we begin another similar round.

Decryption Process
The process of decryption of an AES ciphertext is similar to the encryption process in the reverse order.
Each round consists of the four processes conducted in the reverse order −

• Add round key
• Mix columns
• Shift rows
• Byte substitution
Since the sub-processes in each round are carried out in the reverse manner, unlike for a Feistel Cipher, the
encryption and decryption algorithms need to be separately implemented, although they are very closely related.

AES Analysis
In present-day cryptography, AES is widely adopted and supported in both hardware and software. To
date, no practical cryptanalytic attacks against AES have been discovered. Additionally, AES has built-in
flexibility of key length, which allows a degree of ‘future-proofing’ against progress in the ability to perform
exhaustive key searches.
However, just as for DES, AES security is assured only if it is correctly implemented and good key
management is employed.

BLOCK CIPHER MODES OF OPERATION

A block cipher processes the data blocks of fixed size. Usually, the size of a message is larger than the
block size. Hence, the long message is divided into a series of sequential message blocks, and the cipher
operates on these blocks one at a time.

Electronic Code Book (ECB) Mode


This mode is the most straightforward way of processing a series of sequentially listed message blocks.

Operation
• The user takes the first block of plaintext and encrypts it with the key to produce the first block of
ciphertext.
• He then takes the second block of plaintext and follows the same process with the same key, and so
on and so forth.
The ECB mode is deterministic, that is, if plaintext blocks P1, P2, …, Pm are encrypted twice under the
same key, the output ciphertext blocks will be the same.
In fact, for a given key, technically we can create a codebook of ciphertexts for all possible plaintext blocks.
Encryption would then entail only looking up the required plaintext and selecting the corresponding ciphertext.
Thus, the operation is analogous to the assignment of code words in a codebook, and hence gets an
official name − Electronic Codebook mode of operation (ECB). It is illustrated as follows −

Analysis of ECB Mode


In reality, any application data usually has partial information which can be guessed. For example, the
range of a salary can be guessed. A ciphertext from ECB can allow an attacker to guess the plaintext by
trial-and-error if the plaintext message is predictable.
For example, if a ciphertext from the ECB mode is known to encrypt a salary figure, then a small number
of trials will allow an attacker to recover the figure. In general, we do not wish to use a deterministic cipher,
and hence the ECB mode should not be used in most applications.

Cipher Block Chaining (CBC) Mode

CBC mode of operation provides message dependence for generating ciphertext and makes the system
non-deterministic.
Operation
The operation of CBC mode is depicted in the following illustration. The steps are as follows −
• Load the n-bit Initialization Vector (IV) in the top register.
• XOR the n-bit plaintext block with the data value in the top register.
• Encrypt the result of the XOR operation with the underlying block cipher with key K.
• Feed the ciphertext block into the top register and continue the operation till all plaintext blocks are
processed.
• For decryption, the IV data is XORed with the first ciphertext block decrypted. The first ciphertext block is
also fed into the register, replacing the IV, for decrypting the next ciphertext block.

Analysis of CBC Mode
In CBC mode, the current plaintext block is added to the previous ciphertext block, and then the result is
encrypted with the key. Decryption is thus the reverse process, which involves decrypting the current
ciphertext and then adding the previous ciphertext block to the result.
The advantage of CBC over ECB is that changing the IV results in a different ciphertext for an identical
message. On the drawback side, an error in transmission gets propagated to a few further blocks during
decryption due to the chaining effect.
It is worth mentioning that CBC mode forms the basis for a well-known data origin authentication
mechanism. Thus, it has an advantage for those applications that require both symmetric encryption and
data origin authentication.

Cipher Feedback (CFB) Mode

In this mode, each ciphertext block gets ‘fed back’ into the encryption process in order to encrypt the next
plaintext block.
Operation
The operation of CFB mode is depicted in the following illustration. For example, in the present system, a
message block has a size of ‘s’ bits where 1 < s < n. The CFB mode requires an initialization vector (IV) as
the initial random n-bit input block. The IV need not be secret. The steps of operation are −
• Load the IV in the top register.
• Encrypt the data value in the top register with the underlying block cipher with key K.
• Take only the ‘s’ most significant bits (left bits) of the output of the encryption process and XOR
them with the ‘s’-bit plaintext message block to generate the ciphertext block.
• Feed the ciphertext block into the top register by shifting the already present data to the left, and
continue the operation till all plaintext blocks are processed.
• Essentially, the previous ciphertext block is encrypted with the key, and then the result is XORed
to the current plaintext block.
• Similar steps are followed for decryption. The pre-decided IV is initially loaded at the start of
decryption.

Analysis of CFB Mode


CFB mode differs significantly from ECB mode: the ciphertext corresponding to a given plaintext block
depends not just on that plaintext block and the key, but also on the previous ciphertext block. In other
words, the ciphertext block is dependent on the message.
CFB has a very strange feature. In this mode, the user decrypts the ciphertext using only the encryption
process of the block cipher. The decryption algorithm of the underlying block cipher is never used.
Apparently, CFB mode is converting a block cipher into a type of stream cipher. The encryption algorithm
is used as a key-stream generator to produce a key-stream that is placed in the bottom register. This key
stream is then XORed with the plaintext, as in the case of a stream cipher.
By converting a block cipher into a stream cipher, CFB mode provides some of the advantageous
properties of a stream cipher while retaining the advantageous properties of a block cipher.
On the flip side, an error of transmission gets propagated due to the chaining of blocks.

Output Feedback (OFB) Mode

It involves feeding the successive output blocks from the underlying block cipher back to it. These
feedback blocks provide string of bits to feed the encryption algorithm which act as the key-stream
generator as in case of CFB mode.
The key stream generated is XOR-ed with the plaintext blocks. The OFB mode requires an IV as the initial
random n-bit input block. The IV need not be secret.
The operation is depicted in the following illustration −

Counter (CTR) Mode

It can be considered as a counter-based version of CFB mode without the feedback. In this mode, both the
sender and receiver need access to a reliable counter, which computes a new shared value each time a
ciphertext block is exchanged. This shared counter is not necessarily a secret value, but the challenge is that
both sides must keep the counter synchronized.

Operation
Both encryption and decryption in CTR mode are depicted in the following illustration. The steps in operation
are −
• Load the initial counter value in the top register; it is the same for both the sender and the receiver. It
plays the same role as the IV in CFB (and CBC) mode.
• Encrypt the contents of the counter with the key and place the result in the bottom register.
• Take the first plaintext block P1 and XOR this to the contents of the bottom register. The result of
this is C1. Send C1 to the receiver and update the counter. The counter update replaces the
ciphertext feedback in CFB mode.
• Continue in this manner until the last plaintext block has been encrypted.
• The decryption is the reverse process. The ciphertext block is XORed with the output of the encrypted
contents of the counter value. After decryption of each ciphertext block, the counter is updated as in the
case of encryption.

Analysis of Counter Mode


It does not have message dependency, and hence a ciphertext block does not depend on
the previous plaintext blocks.
Like CFB mode, CTR mode does not involve the decryption process of the block cipher. This is because
the CTR mode is really using the block cipher to generate a key-stream, which is combined with the plaintext
using the XOR function. In other words, CTR mode also converts a block cipher to a stream cipher.
The serious disadvantage of CTR mode is that it requires a synchronous counter at the sender and receiver.
Loss of synchronization leads to incorrect recovery of plaintext.
However, CTR mode has almost all the advantages of CFB mode. In addition, it does not propagate errors of
transmission at all.
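An added example (not part of the original lesson) of the CFB, OFB and CTR modes described above, comparing how a single transmission error spreads in each. The stand-in for the block cipher's encryption direction (HMAC-SHA256 cut to 16 bytes), the full-block CFB feedback (s = n) and all names are assumptions chosen here. The stand-in has no inverse at all, which makes the point from the analysis concrete: these three modes decrypt with the encryption process only.

```python
import hashlib
import hmac

N = 16  # block size in bytes (assumed for this example)


def E(key, block):
    """Stand-in for the block cipher's encryption direction (assumption, no inverse)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:N]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input


def blocks(data):
    return [data[i:i + N] for i in range(0, len(data), N)]


def cfb_encrypt(key, iv, plaintext):
    register, out = iv, []
    for p in blocks(plaintext):
        c = xor(p, E(key, register))    # encrypt the register, XOR with plaintext
        out.append(c)
        register = c                    # ciphertext block is fed back
    return b"".join(out)


def cfb_decrypt(key, iv, ciphertext):
    register, out = iv, []
    for c in blocks(ciphertext):
        out.append(xor(c, E(key, register)))   # still E, never an inverse
        register = c
    return b"".join(out)


def ofb_crypt(key, iv, data):
    """OFB: the cipher output itself is fed back; same routine both ways."""
    register, out = iv, []
    for b in blocks(data):
        register = E(key, register)
        out.append(xor(b, register))
    return b"".join(out)


def ctr_crypt(key, counter0, data):
    """CTR: encrypt counter, counter+1, ... and XOR; same routine both ways."""
    out = []
    for i, b in enumerate(blocks(data)):
        counter = ((counter0 + i) % (1 << (8 * N))).to_bytes(N, "big")
        out.append(xor(b, E(key, counter)))
    return b"".join(out)


def flip_bit(data, byte_index):
    """Simulate a one-bit transmission error."""
    damaged = bytearray(data)
    damaged[byte_index] ^= 0x01
    return bytes(damaged)


def damaged_blocks(original, recovered):
    """Indexes of the plaintext blocks that came out wrong."""
    pairs = zip(blocks(original), blocks(recovered))
    return [i for i, (a, b) in enumerate(pairs) if a != b]


if __name__ == "__main__":
    key, iv = b"k" * 16, bytes(range(16))      # constructed sample values
    message = bytes(range(64))                 # four 16-byte blocks
    for name, enc, dec in (
        ("CFB", cfb_encrypt, cfb_decrypt),
        ("OFB", ofb_crypt, ofb_crypt),
        ("CTR", lambda k, v, d: ctr_crypt(k, 1, d), lambda k, v, d: ctr_crypt(k, 1, d)),
    ):
        received = flip_bit(enc(key, iv, message), 16)   # error in block 1
        print(name, "damaged blocks:", damaged_blocks(message, dec(key, iv, received)))
```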

Topic 8: PUBLIC KEY ENCRYPTION

Public Key Cryptography

Unlike symmetric key cryptography, we do not find historical use of public-key cryptography. It is a
relatively new concept.

Symmetric cryptography was well suited for organizations such as governments, military, and big financial
corporations that were involved in classified communication.

With the spread of more insecure computer networks in the last few decades, a genuine need was felt to use
cryptography at a larger scale. The symmetric key was found to be impractical due to the challenges it faced
for key management. This gave rise to the public key cryptosystems.

The process of encryption and decryption is depicted in the following illustration –

The most important properties of a public key encryption scheme are −

• Different keys are used for encryption and decryption. This is a property which sets this scheme
apart from a symmetric encryption scheme.
• Each receiver possesses a unique decryption key, generally referred to as his private key.
• The receiver needs to publish an encryption key, referred to as his public key.
• Some assurance of the authenticity of a public key is needed in this scheme to avoid spoofing by
an adversary as the receiver. Generally, this type of cryptosystem involves a trusted third party which
certifies that a particular public key belongs to a specific person or entity only.
• The encryption algorithm is complex enough to prohibit an attacker from deducing the plaintext from the
ciphertext and the encryption (public) key.
• Though private and public keys are related mathematically, it is not feasible to calculate the
private key from the public key. In fact, the intelligent part of any public-key cryptosystem is in
designing a relationship between the two keys.
There are three types of Public Key Encryption schemes. We discuss them in the following sections −

RSA Cryptosystem

This cryptosystem is one of the initial systems. It remains the most employed cryptosystem even today. The
system was invented by three scholars, Ron Rivest, Adi Shamir, and Len Adleman, and hence it is
termed the RSA cryptosystem.
We will see two aspects of the RSA cryptosystem: firstly, generation of the key pair, and secondly, the
encryption-decryption algorithms.
Generation of RSA Key Pair
Each person or a party who desires to participate in communication using encryption needs to generate a
pair of keys, namely public key and private key. The process followed in the generation of keys is
described below −
 Generate the RSA modulus (n)
o Select two large primes, p and q.
o Calculate n=p*q. For strong unbreakable encryption, let n be a large number, typically a
minimum of 512 bits.
 Find Derived Number (e)
o Number e must be greater than 1 and less than (p − 1)(q − 1).
o There must be no common factor for e and (p − 1)(q − 1) except for 1. In other words two
numbers e and (p – 1)(q – 1) are coprime.
 Form the public key
o The pair of numbers (n, e) form the RSA public key and is made public.
o Interestingly, though n is part of the public key, difficulty in factorizing a large prime
number ensures that attacker cannot find in finite time the two primes (p & q) used to
obtain n. This is strength of RSA.
 Generate the private key
o Private Key d is calculated from p, q, and e. For given n and e, there is unique number d.
o Number d is the inverse of e modulo (p - 1)(q – 1). This means that d is the number less
than (p - 1)(q - 1) such that when multiplied by e, it is equal to 1 modulo (p - 1)(q - 1).
o This relationship is written mathematically as follows −
ed = 1 mod (p − 1)(q − 1)
The Extended Euclidean Algorithm takes p, q, and e as input and gives d as output.
Example
An example of generating an RSA key pair is given below. (For ease of understanding, the primes p & q
taken here are small values. Practically, these values are very high.)
• Let two primes be p = 7 and q = 13. Thus, modulus n = pq = 7 × 13 = 91.
• Select e = 5, which is a valid choice since there is no number that is a common factor of 5 and
(p − 1)(q − 1) = 6 × 12 = 72, except for 1.
• The pair of numbers (n, e) = (91, 5) forms the public key and can be made available to anyone
whom we wish to be able to send us encrypted messages.
• Input p = 7, q = 13, and e = 5 to the Extended Euclidean Algorithm. The output will be d = 29.
• Check that the d calculated is correct by computing −
de = 29 × 5 = 145 = 1 mod 72
• Hence, the public key is (91, 5) and the private key is (91, 29).
Encryption and Decryption
Once the key pair has been generated, the processes of encryption and decryption are relatively
straightforward and computationally easy.
Interestingly, RSA does not directly operate on strings of bits as in the case of symmetric key encryption. It
operates on numbers modulo n. Hence, it is necessary to represent the plaintext as a series of numbers
less than n.
RSA Encryption
• Suppose the sender wishes to send some text message to someone whose public key is (n, e).
• The sender then represents the plaintext as a series of numbers less than n.
• To encrypt the first plaintext P, which is a number modulo n, the encryption process is a simple
mathematical step −
C = P^e mod n
• In other words, the ciphertext C is equal to the plaintext P multiplied by itself e times and then
reduced modulo n. This means that C is also a number less than n.
• Returning to our Key Generation example with plaintext P = 10, we get ciphertext C −
C = 10^5 mod 91
RSA Decryption
• The decryption process for RSA is also very straightforward. Suppose that the receiver of the
public-key pair (n, e) has received a ciphertext C.
• The receiver raises C to the power of his private key d. The result modulo n will be the plaintext P.
Plaintext = C^d mod n
• Returning again to our numerical example, the ciphertext C = 82 would get decrypted to the number
10 using private key 29 −
Plaintext = 82^29 mod 91 = 10
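The key generation, encryption and decryption steps above, written out as an added Python example that is not part of the original module. It assumes the caller supplies primes p and q (primality is not checked) and uses a hypothetical 27-symbol alphabet to represent text as numbers less than n.

```python
# Added example: textbook RSA with the toy numbers from the text (no padding; not for real use).

ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"  # assumed encoding: one symbol -> one number < n


def egcd(a, b):
    """Extended Euclidean Algorithm: return (g, s, t) with a*s + b*t == g == gcd(a, b)."""
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s
        old_t, t = t, old_t - quotient * t
    return old_r, old_s, old_t


def rsa_keygen(p, q, e):
    """Return ((n, e), (n, d)) for primes p, q and exponent e, enforcing the rules on e."""
    if p == q:
        raise ValueError("p and q must be different primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("e must be greater than 1 and less than (p-1)(q-1)")
    g, s, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and (p-1)(q-1) must be coprime")
    d = s % phi  # move the coefficient of e into 0..phi-1, so that e*d = 1 mod phi
    return (n, e), (n, d)


def rsa_encrypt(P, public_key):
    """C = P^e mod n."""
    n, e = public_key
    if not 0 <= P < n:
        raise ValueError("plaintext number must be less than n")
    return pow(P, e, n)


def rsa_decrypt(C, private_key):
    """Plaintext = C^d mod n."""
    n, d = private_key
    return pow(C, d, n)


def encrypt_text(text, public_key):
    """Represent text as a series of numbers less than n and encrypt each one."""
    return [rsa_encrypt(ALPHABET.index(ch), public_key) for ch in text]


def decrypt_text(blocks, private_key):
    """Decrypt each number and map it back to its symbol."""
    return "".join(ALPHABET[rsa_decrypt(c, private_key)] for c in blocks)


if __name__ == "__main__":
    public, private = rsa_keygen(7, 13, 5)
    print("public key:", public, "private key:", private)
    c = rsa_encrypt(10, public)
    print("P = 10 encrypts to C =", c, "and decrypts to", rsa_decrypt(c, private))
    blocks = encrypt_text("SEND KEY", public)
    print(blocks, "->", decrypt_text(blocks, private))
    # The two E's produce the same block: unpadded RSA is deterministic,
    # so repeated plaintext shows through in the ciphertext.
```

The toy modulus 91 can be factored by hand; deployed RSA keys use randomly generated primes, a modulus of at least 2048 bits, and a padding scheme such as OAEP.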
RSA Analysis
The security of RSA depends on the strengths of two separate functions. The RSA cryptosystem is the most
popular public-key cryptosystem, and its strength is based on the practical difficulty of factoring
very large numbers.
• Encryption Function − It is considered a one-way function of converting plaintext into
ciphertext, and it can be reversed only with the knowledge of the private key d.
• Key Generation − The difficulty of determining a private key from an RSA public key is equivalent
to factoring the modulus n. An attacker thus cannot use knowledge of an RSA public key to
determine an RSA private key unless he can factor n. It is also a one-way function: going from the p &
q values to the modulus n is easy, but the reverse is not possible.
If either of these two functions is proved not to be one-way, then RSA will be broken. In fact, if a technique
for factoring efficiently is developed, then RSA will no longer be safe.
The strength of RSA encryption goes down drastically against attacks if the numbers p and q are not large
primes and/or the chosen public key e is a small number.

ElGamal Cryptosystem

Along with RSA, there are other public-key cryptosystems proposed. Many of them are based on different
versions of the Discrete Logarithm Problem.
ElGamal cryptosystem, called Elliptic Curve Variant, is based on the Discrete Logarithm Problem. It
derives the strength from the assumption that the discrete logarithms cannot be found in practical time
frame for a given number, while the inverse operation of the power can be computed efficiently.
Let us go through a simple version of ElGamal that works with numbers modulo p. In the case of elliptic
curve variants, it is based on quite different number systems.
Generation of ElGamal Key Pair
Each user of the ElGamal cryptosystem generates the key pair as follows −
• Choosing a large prime p. Generally a prime number of 1024 to 2048 bits length is chosen.
• Choosing a generator element g.
   o This number must be between 1 and p − 1, but cannot be any number.
   o It is a generator of the multiplicative group of integers modulo p. This means for every
   integer m co-prime to p, there is an integer k such that g^k = a mod n.
   For example, 3 is a generator of group 5 (Z5 = {1, 2, 3, 4}).

n    3^n    3^n mod 5
1    3      3
2    9      4
3    27     2
4    81     1

• Choosing the private key. The private key x is any number bigger than 1 and smaller than p−1.
• Computing part of the public key. The value y is computed from the parameters p, g and the
private key x as follows −
y = g^x mod p
• Obtaining the public key. The ElGamal public key consists of the three parameters (p, g, y).
For example, suppose that p = 17 and that g = 6 (it can be confirmed that 6 is a generator of
group Z17). The private key x can be any number bigger than 1 and smaller than 71, so we choose
x = 5. The value y is then computed as follows −
y = 6^5 mod 17 = 7
• Thus the private key is 62 and the public key is (17, 6, 7).
Encryption and Decryption
The generation of an ElGamal key pair is comparatively simpler than the equivalent process for RSA. But
the encryption and decryption are slightly more complex than RSA.
ElGamal Encryption
Suppose the sender wishes to send a plaintext to someone whose ElGamal public key is (p, g, y), then −
• The sender represents the plaintext as a series of numbers modulo p.
• To encrypt the first plaintext P, which is represented as a number modulo p, the encryption
process to obtain the ciphertext C is as follows −
   o Randomly generate a number k;
   o Compute two values C1 and C2, where −
C1 = g^k mod p
C2 = (P*y^k) mod p
• Send the ciphertext C, consisting of the two separate values (C1, C2), sent together.
• Referring to our ElGamal key generation example given above, the plaintext P = 13 is encrypted
as follows −
   o Randomly generate a number, say k = 10
   o Compute the two values C1 and C2, where −
C1 = 6^10 mod 17
C2 = (13*7^10) mod 17 = 9
• Send the ciphertext C = (C1, C2) = (15, 9).
ElGamal Decryption
• To decrypt the ciphertext (C1, C2) using private key x, the following two steps are taken −
   o Compute the modular inverse of (C1)^x modulo p, which is (C1)^-x, generally referred to as
   the decryption factor.
   o Obtain the plaintext by using the following formula −
C2 × (C1)^-x mod p = Plaintext
• In our example, to decrypt the ciphertext C = (C1, C2) = (15, 9) using private key x = 5, the
decryption factor is
15^-5 mod 17 = 9
• Extract plaintext P = (9 × 9) mod 17 = 13.
ElGamal Analysis
In the ElGamal system, each user has a private key x and three components of the public key − prime
modulus p, generator g, and public Y = g^x mod p. The strength of ElGamal is based on the difficulty
of the discrete logarithm problem.
The secure key size is generally > 1024 bits. Today even 2048-bit keys are used. On the processing
speed front, ElGamal is quite slow; it is used mainly for key authentication protocols. Due to higher
processing efficiency, Elliptic Curve variants of ElGamal are becoming increasingly popular.
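The ElGamal key generation, encryption and decryption steps above as an added Python example (not part of the original module), run on the text's parameters p = 17, g = 6, the chosen x = 5, k = 10 and P = 13. The generator test by factoring p − 1 is an addition here and only suits small p; the function names are illustrative.

```python
# Added example: ElGamal over the integers modulo p, with the toy parameters from the text.
import secrets


def prime_factors(n):
    """Distinct prime factors by trial division (adequate for the small p used here)."""
    factors, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            factors.add(f)
            n //= f
        f += 1
    if n > 1:
        factors.add(n)
    return factors


def is_generator(g, p):
    """True if the powers of g reach every value 1..p-1 modulo the prime p."""
    if not 1 < g < p:
        return False
    return all(pow(g, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))


def powers_table(g, p):
    """Rows (n, g^n, g^n mod p) for n = 1..p-1, as in the table for g = 3, p = 5."""
    return [(n, g**n, pow(g, n, p)) for n in range(1, p)]


def elgamal_keygen(p, g, x=None):
    """Return (public key (p, g, y), private key x)."""
    if not is_generator(g, p):
        raise ValueError("g is not a generator modulo p")
    if x is None:
        x = secrets.randbelow(p - 3) + 2  # bigger than 1 and smaller than p-1
    if not 1 < x < p - 1:
        raise ValueError("x must be bigger than 1 and smaller than p-1")
    return (p, g, pow(g, x, p)), x


def elgamal_encrypt(P, public_key, k=None):
    """Return (C1, C2) = (g^k mod p, P*y^k mod p)."""
    p, g, y = public_key
    if not 0 < P < p:
        raise ValueError("plaintext must be a non-zero number modulo p")
    if k is None:
        k = secrets.randbelow(p - 2) + 1  # fresh random k for every message
    return pow(g, k, p), (P * pow(y, k, p)) % p


def elgamal_decrypt(ciphertext, x, p):
    """Plaintext = C2 * (C1)^-x mod p."""
    c1, c2 = ciphertext
    decryption_factor = pow(pow(c1, x, p), -1, p)  # modular inverse; needs Python 3.8+
    return (c2 * decryption_factor) % p


if __name__ == "__main__":
    for row in powers_table(3, 5):
        print(*row)
    public, x = elgamal_keygen(17, 6, x=5)
    print("public key:", public)
    c = elgamal_encrypt(13, public, k=10)
    print("ciphertext:", c, "-> plaintext:", elgamal_decrypt(c, x, 17))
    # Without a fixed k, the same plaintext encrypts differently on each call.
    print(elgamal_encrypt(13, public), elgamal_encrypt(13, public))
```

The number k has to be unpredictable and used for one message only: two ciphertexts produced with the same k share C1, and their C2 values then reveal the ratio of the two plaintexts.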

Elliptic Curve Cryptography (ECC)

Elliptic Curve Cryptography (ECC) is a term used to describe a suite of cryptographic tools and protocols
whose security is based on special versions of the discrete logarithm problem. It does not use numbers
modulo p.
ECC is based on sets of numbers that are associated with mathematical objects called elliptic curves.
There are rules for adding and computing multiples of these numbers, just as there are for numbers
modulo p.
ECC includes variants of many cryptographic schemes that were initially designed for modular numbers,
such as ElGamal encryption and the Digital Signature Algorithm.
It is believed that the discrete logarithm problem is much harder when applied to points on an elliptic
curve. This prompts switching from numbers modulo p to points on an elliptic curve. Also, an equivalent
security level can be obtained with shorter keys if we use elliptic curve-based variants.
The shorter keys result in two benefits −
• Ease of key management
• Efficient computation
These benefits make elliptic-curve-based variants of encryption schemes highly attractive for applications
where computing resources are constrained.

RSA and ElGamal Schemes – A Comparison

Let us briefly compare the RSA and ElGamal schemes on the various aspects.

RSA                                                 | ElGamal
It is more efficient for encryption.                | It is more efficient for decryption.
It is less efficient for decryption.                | It is more efficient for decryption.
For a particular security level, lengthy keys are   | For the same level of security, very short keys
required in RSA.                                    | are required.
It is widely accepted and used.                     | It is new and not very popular in market.

Topic 9: DATA INTEGRITY IN CRYPTOGRAPHY

Threats to Data Integrity

When sensitive information is exchanged, the receiver must have the assurance that the message has
come intact from the intended sender and is not modified inadvertently or otherwise. There are two
different types of data integrity threats, namely passive and active.
Passive Threats
This type of threat exists due to accidental changes in data.
• These data errors are likely to occur due to noise in a communication channel. Also, the data may
get corrupted while the file is stored on a disk.
• Error-correcting codes and simple checksums like Cyclic Redundancy Checks (CRCs) are used to
detect the loss of data integrity. In these techniques, a digest of data is computed mathematically
and appended to the data.
Active Threats
In this type of threat, an attacker can manipulate the data with malicious intent.
• At the simplest level, if data is without a digest, it can be modified without detection. The system can
use the technique of appending a CRC to data for detecting any active modification.
• At a higher level of threat, the attacker may modify data and try to derive a new digest for the modified
data from the existing digest. This is possible if the digest is computed using simple mechanisms such as
CRC.
• Security mechanisms such as hash functions are used to tackle the active modification threats.
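The difference between a CRC and a hash function under the higher-level active threat, as an added Python example that is not part of the original module. The two records are constructed sample data, and the function names are illustrative.

```python
# Added example: a CRC digest can be adjusted to follow a modification; a SHA-256 digest cannot.
import hashlib
import zlib


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_digest(data):
    return zlib.crc32(data).to_bytes(4, "big")


def sha256_digest(data):
    return hashlib.sha256(data).digest()


def adjust_digest(old_digest, delta, digest_fn):
    """Digest for (data XOR delta) derived from the old digest alone, without the data.

    Exact for CRC-32, which is affine over XOR for equal-length inputs:
    crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros).
    """
    zeros = bytes(len(delta))
    return xor_bytes(xor_bytes(old_digest, digest_fn(delta)), digest_fn(zeros))


def receiver_accepts(data, digest, digest_fn):
    """Receiver-side integrity check: recompute the digest and compare."""
    return digest_fn(data) == digest


def modification_goes_undetected(original, modified, digest_fn):
    """Data is changed in transit and the appended digest is adjusted to follow it."""
    delta = xor_bytes(original, modified)
    new_digest = adjust_digest(digest_fn(original), delta, digest_fn)
    return receiver_accepts(modified, new_digest, digest_fn)


# Constructed sample records of equal length.
ORIGINAL = b"amount=0100;to=alice"
MODIFIED = b"amount=0900;to=alice"

if __name__ == "__main__":
    print("CRC-32 :", modification_goes_undetected(ORIGINAL, MODIFIED, crc32_digest))
    print("SHA-256:", modification_goes_undetected(ORIGINAL, MODIFIED, sha256_digest))
```

A plain hash helps only while the digest itself is out of the attacker's reach, since anyone holding the data can recompute an unkeyed digest; protecting the digest with a key or a signature closes that gap.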

Topic 10: CRYPTOGRAPHY DIGITAL SIGNATURES

Digital signatures are the public-key primitives of message authentication. In the physical world, it is
common to use handwritten signatures on handwritten or typed messages. They are used to bind the
signatory to the message.
Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can
be independently verified by the receiver as well as any third party.
A digital signature is a cryptographic value that is calculated from the data and a secret key known only by
the signer.
In the real world, the receiver of a message needs assurance that the message belongs to the sender, and the
sender should not be able to repudiate the origination of that message. This requirement is very crucial in
business applications, since the likelihood of a dispute over exchanged data is very high.

Model of Digital Signature

As mentioned earlier, the digital signature scheme is based on public key cryptography. The model of the
digital signature scheme is depicted in the following illustration −

The following points explain the entire process in detail −

• Each person adopting this scheme has a public-private key pair.
• Generally, the key pairs used for encryption/decryption and signing/verifying are different. The
private key used for signing is referred to as the signature key and the public key as the
verification key.
• The signer feeds data to the hash function and generates the hash of the data.
• The hash value and signature key are then fed to the signature algorithm, which produces the digital
signature on the given hash. The signature is appended to the data and then both are sent to the verifier.
• The verifier feeds the digital signature and the verification key into the verification algorithm. The
verification algorithm gives some value as output.
• The verifier also runs the same hash function on the received data to generate a hash value.
• For verification, this hash value and the output of the verification algorithm are compared. Based on the
comparison result, the verifier decides whether the digital signature is valid.
• Since the digital signature is created by the ‘private’ key of the signer and no one else can have this key,
the signer cannot repudiate signing the data in future.
It should be noticed that instead of signing data directly with the signing algorithm, usually a hash of the data
is created. Since the hash of data is a unique representation of data, it is sufficient to sign the hash in place
of data. The most important reason for using the hash instead of the data directly for signing is the efficiency
of the scheme.
Let us assume RSA is used as the signing algorithm. As discussed in the public key encryption chapter, the
encryption/signing process using RSA involves modular exponentiation.
Signing large data through modular exponentiation is computationally expensive and time consuming. The
hash of the data is a relatively small digest of the data; hence signing a hash is more efficient than
signing the entire data.

Importance of Digital Signature

Out of all cryptographic primitives, the digital signature using public key cryptography is considered a
very important and useful tool to achieve information security.
Apart from the ability to provide non-repudiation of a message, the digital signature also provides message
authentication and data integrity. Let us briefly see how this is achieved by the digital signature −
• Message authentication − When the verifier validates the digital signature using the public key of a
sender, he is assured that the signature has been created only by the sender who possesses the
corresponding secret private key and no one else.
• Data Integrity − In case an attacker has access to the data and modifies it, the digital signature
verification at the receiver end fails. The hash of the modified data and the output provided by the
verification algorithm will not match. Hence, the receiver can safely deny the message assuming that
data integrity has been breached.
• Non-repudiation − Since it is assumed that only the signer has the knowledge of the signature
key, only he can create a unique signature on given data. Thus the receiver can present the data and
the digital signature to a third party as evidence if any dispute arises in the future.
By adding public-key encryption to the digital signature scheme, we can create a cryptosystem that can
provide the four essential elements of security, namely − Privacy, Authentication, Integrity, and
Non-repudiation.

Encryption with Digital Signature

In many digital communications, it is desirable to exchange encrypted messages rather than plaintext to
achieve confidentiality. In a public key encryption scheme, a public (encryption) key of sender is available in
the open domain, and hence anyone can spoof his identity and send any encrypted message to the receiver.
This makes it essential for users employing PKC for encryption to seek digital signatures along with
encrypted data to be assured of message authentication and non-repudiation.
This can be achieved by combining digital signatures with an encryption scheme. Let us briefly discuss how to
achieve this requirement. There are two possibilities, sign-then-encrypt and encrypt-then-sign.
However, a cryptosystem based on sign-then-encrypt can be exploited by the receiver to spoof the identity of
the sender and send that data to a third party. Hence, this method is not preferred. The process of
encrypt-then-sign is more reliable and widely adopted. This is depicted in the following illustration −

The receiver, after receiving the encrypted data and the signature on it, first verifies the signature using
the sender’s public key. After ensuring the validity of the signature, he then retrieves the data through
decryption using his private key.
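The hash-then-sign model from "Model of Digital Signature" and the encrypt-then-sign exchange described above, as one added Python example that is not part of the original module. It assumes unpadded textbook RSA with SHA-256 as the hash function, and the two key pairs are constructed from published Mersenne primes so the example is reproducible; real keys use secret random primes and a padding scheme.

```python
# Added example: hash-then-sign and encrypt-then-sign with textbook RSA (no padding; toy keys).
import hashlib

E = 65537  # public exponent shared by the toy keys


def make_key(exp_p, exp_q):
    """Toy key pair from the Mersenne primes 2**exp_p - 1 and 2**exp_q - 1 (constructed)."""
    p, q = 2**exp_p - 1, 2**exp_q - 1
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}  # Python 3.8+


def public_part(key):
    return key["n"], key["e"]


def hash_value(data, n):
    """SHA-256 hash of the data as an integer below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, signature_key):
    """Signature algorithm: the hash value raised to the private signature key d."""
    n, d = signature_key["n"], signature_key["d"]
    return pow(hash_value(data, n), d, n)


def verify(data, signature, verification_key):
    """Compare the verification algorithm's output with a fresh hash of the received data."""
    n, e = verification_key
    return pow(signature, e, n) == hash_value(data, n)


def encrypt_then_sign(message, sender_key, receiver_public):
    """Encrypt for the receiver, then sign the ciphertext with the sender's signature key."""
    n, e = receiver_public
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    ciphertext = pow(m, e, n)
    return ciphertext, sign(str(ciphertext).encode(), sender_key)


def verify_then_decrypt(ciphertext, signature, sender_public, receiver_key):
    """Receiver side: check the signature first and decrypt only if it is valid."""
    if not verify(str(ciphertext).encode(), signature, sender_public):
        return None
    m = pow(ciphertext, receiver_key["d"], receiver_key["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


SENDER = make_key(127, 521)    # signing / verification key pair
RECEIVER = make_key(107, 607)  # encryption / decryption key pair

if __name__ == "__main__":
    document = b"purchase order 42"  # constructed sample data
    signature = sign(document, SENDER)
    print("valid signature :", verify(document, signature, public_part(SENDER)))
    print("modified data   :", verify(document + b"0", signature, public_part(SENDER)))
    print("wrong public key:", verify(document, signature, public_part(RECEIVER)))
    c, s = encrypt_then_sign(b"meet at noon", SENDER, public_part(RECEIVER))
    print("received        :", verify_then_decrypt(c, s, public_part(SENDER), RECEIVER))
    print("tampered in transit:", verify_then_decrypt(c + 1, s, public_part(SENDER), RECEIVER))
```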

Topic 11: PUBLIC KEY INFRASTRUCTURE

The most distinct feature of Public Key Infrastructure (PKI) is that it uses a pair of keys to achieve the
underlying security service. The key pair comprises a private key and a public key.
Since the public keys are in the open domain, they are likely to be abused. It is, thus, necessary to establish
and maintain some kind of trusted infrastructure to manage these keys.

Key Management

It goes without saying that the security of any cryptosystem depends upon how securely its keys are
managed. Without secure procedures for the handling of cryptographic keys, the benefits of the use of
strong cryptographic schemes are potentially lost.
It is observed that cryptographic schemes are rarely compromised through weaknesses in their design.
However, they are often compromised through poor key management.
There are some important aspects of key management which are as follows −
• Cryptographic keys are nothing but special pieces of data. Key management refers to the secure
administration of cryptographic keys.
• Key management deals with the entire key lifecycle as depicted in the following illustration –
• There are two specific requirements of key management for public key cryptography.
   o Secrecy of private keys. Throughout the key lifecycle, secret keys must remain secret from all
   parties except those who are owner and are authorized to use them.
   o Assurance of public keys. In public key cryptography, the public keys are in the open domain and
   seen as public pieces of data. By default there are no assurances of whether a public key is correct,
   with whom it can be associated, or what it can be used for. Thus key management of public keys
   needs to focus much more explicitly on assurance of purpose of public keys.
The most crucial requirement of ‘assurance of public key’ can be achieved through the public-key
infrastructure (PKI), a key management system for supporting public-key cryptography.

Public Key Infrastructure (PKI)

PKI provides assurance of public key. It provides the identification of public keys and their distribution. The
anatomy of PKI comprises the following components.

• Public Key Certificate, commonly referred to as ‘digital certificate’.
• Private Key tokens.
• Certification Authority.
• Registration Authority.
• Certificate Management System.

Digital Certificate

By analogy, a certificate can be considered as the ID card issued to a person. People use ID cards
such as a driver's license or passport to prove their identity. A digital certificate does the same basic thing
in the electronic world, but with one difference.
Digital certificates are not only issued to people; they can also be issued to computers, software packages
or anything else that needs to prove its identity in the electronic world.
• Digital certificates are based on the ITU standard X.509, which defines a standard certificate format
for public key certificates and certification validation. Hence digital certificates are sometimes also
referred to as X.509 certificates.
• The public key pertaining to the user client is stored in the digital certificate by the Certification
Authority (CA), along with other relevant information such as client information, expiration date, usage,
issuer etc.
• The CA digitally signs this entire information and includes the digital signature in the certificate.
• Anyone who needs assurance about the public key and associated information of the client
carries out the signature validation process using the CA’s public key. Successful validation assures
that the public key given in the certificate belongs to the person whose details are given in the
certificate.

The process of obtaining Digital Certificate by a person/entity is depicted in the following illustration.

As shown in the illustration, the CA accepts the application from a client to certify his public key. The CA,
after duly verifying identity of client, issues a digital certificate to that client.

Certifying Authority (CA)

As discussed above, the CA issues a certificate to a client and assists other users in verifying the certificate.
The CA takes responsibility for correctly identifying the client asking for a certificate to be
issued, ensures that the information contained within the certificate is correct, and digitally signs it.
Key Functions of CA
The key functions of a CA are as follows −
• Generating key pairs − The CA may generate a key pair independently or jointly with the client.
• Issuing digital certificates − The CA could be thought of as the PKI equivalent of a passport
agency − the CA issues a certificate after the client provides the credentials to confirm his identity.
The CA then signs the certificate to prevent modification of the details contained in the certificate.
• Publishing Certificates − The CA needs to publish certificates so that users can find them. There
are two ways of achieving this. One is to publish certificates in the equivalent of an electronic
telephone directory. The other is to send your certificate out to those people you think might need
it by one means or another.
• Verifying Certificates − The CA makes its public key available in the environment to assist
verification of its signature on clients’ digital certificates.
• Revocation of Certificates − At times, the CA revokes an issued certificate for some reason,
such as compromise of the private key by the user or loss of trust in the client. After revocation, the CA
maintains the list of all revoked certificates, which is available to the environment.
Classes of Certificates
There are four typical classes of certificate −
• Class 1 − These certificates can be easily acquired by supplying an email address.
• Class 2 − These certificates require additional personal information to be supplied.
• Class 3 − These certificates can only be purchased after checks have been made about the
requestor’s identity.
• Class 4 − They may be used by governments and financial organizations needing very high levels
of trust.
Registration Authority (RA)
CA may use a third-party Registration Authority (RA) to perform the necessary checks on the person or
company requesting the certificate to confirm their identity. The RA may appear to the client as a CA, but
they do not actually sign the certificate that is issued.
Certificate Management System (CMS)
It is the management system through which certificates are published, temporarily or permanently
suspended, renewed, or revoked. Certificate management systems do not normally delete certificates
because it may be necessary to prove their status at a point in time, perhaps for legal reasons. A CA
along with associated RA runs certificate management systems to be able to track their responsibilities
and liabilities.
Private Key Tokens
While the public key of a client is stored on the certificate, the associated secret private key can be stored
on the key owner’s computer. This method is generally not adopted. If an attacker gains access to the
computer, he can easily gain access to private key. For this reason, a private key is stored on secure
removable storage token access to which is protected through a password.
Different vendors often use different and sometimes proprietary storage formats for storing keys. For
example, Entrust uses the proprietary .epf format, while Verisign, GlobalSign, and Baltimore use the
standard .p12 format.

Hierarchy of CA

With vast networks and the requirements of global communications, it is practically not feasible to have only
one trusted CA from whom all users obtain their certificates. Secondly, the availability of only one CA may
lead to difficulties if that CA is compromised.
In such a case, the hierarchical certification model is of interest since it allows public key certificates to be
used in environments where two communicating parties do not have trust relationships with the same CA.
• The root CA is at the top of the CA hierarchy, and the root CA's certificate is a self-signed
certificate.
• The CAs which are directly subordinate to the root CA (for example, CA1 and CA2) have CA
certificates that are signed by the root CA.
• The CAs under the subordinate CAs in the hierarchy (for example, CA5 and CA6) have their CA
certificates signed by the higher-level subordinate CAs.
Certificate authority (CA) hierarchies are reflected in certificate chains. A certificate chain traces a path of
certificates from a branch in the hierarchy to the root of the hierarchy.
The following illustration shows a CA hierarchy with a certificate chain leading from an entity certificate
through two subordinate CA certificates (CA6 and CA3) to the CA certificate for the root CA.
Verifying a certificate chain is the process of ensuring that a specific certificate chain is valid, correctly
signed, and trustworthy. The following procedure verifies a certificate chain, beginning with the
certificate that is presented for authentication −
• A client whose authenticity is being verified supplies his certificate, generally along with the
chain of certificates up to the Root CA.
• The verifier takes the certificate and validates it by using the public key of the issuer. The issuer’s
public key is found in the issuer’s certificate, which is in the chain next to the client’s certificate.
• Now if the higher CA who has signed the issuer’s certificate is trusted by the verifier, verification is
successful and stops here.
• Else, the issuer's certificate is verified in a similar manner as done for the client in the above steps. This
process continues until either a trusted CA is found in between or it reaches the Root CA.
Source: https://www.tutorialspoint.com/cryptography/public_key_infrastructure.htm
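The chain verification procedure above as an added Python example that is neither part of the original module nor taken from the cited source. The certificates are simplified records (subject, issuer, public modulus, signature) rather than X.509, signed with unpadded textbook RSA under toy keys constructed from Mersenne primes; the names Root CA, CA3, CA6 and entity follow the chain described in the text.

```python
# Added example: walking a certificate chain (toy certificates and textbook RSA, not X.509).
import hashlib

E = 65537  # public exponent used by every toy key


def ca_key(exp_p, exp_q):
    """Toy RSA key from two Mersenne primes (constructed and reproducible; not secure)."""
    p, q = 2**exp_p - 1, 2**exp_q - 1
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}  # Python 3.8+


def to_be_signed(cert):
    """The information the CA signs: who the key belongs to, who vouches for it, the key."""
    return f'{cert["subject"]}|{cert["issuer"]}|{cert["n"]}'.encode()


def hash_value(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue(subject, subject_n, issuer, issuer_key):
    """CA side: bind subject name and public key, then sign with the issuer's private key."""
    cert = {"subject": subject, "issuer": issuer, "n": subject_n}
    h = hash_value(to_be_signed(cert), issuer_key["n"])
    cert["sig"] = pow(h, issuer_key["d"], issuer_key["n"])
    return cert


def signature_ok(cert, issuer_n):
    """Validate the certificate's signature using the issuer's public key."""
    return pow(cert["sig"], E, issuer_n) == hash_value(to_be_signed(cert), issuer_n)


def verify_chain(chain, trusted):
    """chain = [presented certificate, its issuer's certificate, ...]; trusted = {CA name: n}.

    Returns (ok, reason).
    """
    for position, cert in enumerate(chain):
        issuer = cert["issuer"]
        if issuer in trusted:  # a CA the verifier already trusts: check against its key, stop
            if signature_ok(cert, trusted[issuer]):
                return True, f"chain anchored at trusted {issuer}"
            return False, f"signature on {cert['subject']} does not match trusted {issuer}"
        if position + 1 == len(chain):
            return False, f"no trusted CA reached; chain ends at {cert['subject']}"
        issuer_cert = chain[position + 1]
        if issuer_cert["subject"] != issuer or not signature_ok(cert, issuer_cert["n"]):
            return False, f"{cert['subject']} is not correctly signed by {issuer}"
    return False, "empty chain"


def build_demo():
    """Root CA -> CA3 -> CA6 -> entity. Returns (chain, trust in Root CA, trust in CA3)."""
    root, ca3, ca6 = ca_key(521, 607), ca_key(107, 127), ca_key(61, 89)
    entity = ca_key(1279, 2203)
    chain = [
        issue("entity", entity["n"], "CA6", ca6),
        issue("CA6", ca6["n"], "CA3", ca3),
        issue("CA3", ca3["n"], "Root CA", root),
        issue("Root CA", root["n"], "Root CA", root),  # self-signed root certificate
    ]
    return chain, {"Root CA": root["n"]}, {"CA3": ca3["n"]}


if __name__ == "__main__":
    chain, trust_root, trust_ca3 = build_demo()
    print(verify_chain(chain, trust_root))
    print(verify_chain(chain, trust_ca3))   # stops early at a trusted CA in between
    print(verify_chain(chain, {}))          # verifier trusts nobody
    altered = [dict(chain[0], subject="someone else")] + chain[1:]
    print(verify_chain(altered, trust_root))
```

Real X.509 path validation additionally checks each certificate's validity period, its revocation status, and whether the issuer is permitted to act as a CA.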

ASSESSMENT

TRUE OR FALSE TEST.


Instruction: Write KHARINE if the statement is True, and write KARREN if otherwise. Write your correct answer on
the blank provided at the right side of the paper.
1. The transposition cipher where the order of the alphabets in the plaintext is arranged to create the ciphertext. 1. ____________________
2. The Vigenere cipher designed by correcting the standard Caesar cipher improve the effectiveness of the cryptanalysis on the ciphertext. 2. ____________________
3. Decrypting the Playfair cipher is as simple as doing the same process in reverse. 3. ____________________
4. In the process of the Vigenere cipher, the sender is the one who decides on a key. 4. ____________________
5. In the Playfair cipher, a key table is created. 5. ____________________
6. A Caesar cipher is a secure cryptosystem. 6. ____________________
7. Cryptosystem is also known as shift cipher. 7. ____________________
8. In the Playfair cipher, a key table is not created. 8. ____________________
9. In the process of the substitution cipher, the receiver decides on a randomly selected permutation of the letter. 9. ____________________
10. The monoalphabetic cipher is a substitution cipher. 10. ____________________

ESSAY: Answer the following questions. Write your answer under each question (5pts each).
1. Differentiate public algorithms from proprietary algorithms.
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
2. Differentiate passive attacks from active attacks.
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
3. What is asymmetric key encryption?
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
4. How are encryption key and decryption key related?
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
5. What is the difference between the ciphertext and plaintext?

_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________

REFLECTION PAPER: (The outline would be: INTRODUCTION, BODY, AND CONCLUSION)

Topic: Why we need cryptography?

LESSON 3
NETWORK AND COMPUTER SECURITY

TOPICS:
1. Network security
2. Computer security

LEARNING OUTCOMES: At the end of the lesson the student should be able to:

list the different threats that affect computers and networks;


summarize the risks that exist when information is transmitted through a network;
relate some network technologies with the main security protocols that enable their
protection;
define authentication and authorization; and
list some of the kinds of vulnerabilities that may affect a computer system.

Topic 1: NETWORK SECURITY

What is Network Security?

Network security is an organization’s strategy that enables guaranteeing the security of its assets
including all network traffic. It includes both software and hardware technologies. Access to the network is
managed by effective network security, which targets a wide range of threats and then arrests them from
spreading or entering in the network.

Network Security Definition and Meaning


Network security is an integration of multiple layers of defenses in the network and at the network.
Each network security layer implements policies and controls. Authorized users gain access to the
network, whereas malicious actors are blocked from executing threats and exploits.
Digitization has transformed our world, changing almost all our daily activities. All organizations must
protect their networks if they aim to deliver the services demanded by employees and customers. This
ultimately protects the reputation of your organization. With hackers increasing in number and becoming
smarter day by day, the need to use network security tools becomes more and more important.

Types of Network Security


• Antivirus and Antimalware Software
• Application Security
• Behavioral Analytics
• Data Loss Prevention (DLP)
• Email Security
• Firewalls
• Mobile Device Security
• Network Segmentation
• Security Information and Event Management (SIEM)
• Virtual Private Network (VPN)
• Web Security
• Wireless Security
• Endpoint Security
• Network Access Control (NAC)

Antivirus and Antimalware Software: This software protects against malware, which includes spyware,
ransomware, Trojans, worms, and viruses. Malware is especially dangerous because it can infect a network
and then remain dormant for days or even weeks. This software handles the threat by scanning for malware
on entry and by continuing to track files afterward in order to detect anomalies, remove malware, and fix
damage.
Application Security: Application security is important because no app is created perfectly. Any
application may contain vulnerabilities, or holes, that attackers use to enter your network. Application
security thus encompasses the software, hardware, and processes you select for closing those holes.
Behavioral Analytics: In order to detect abnormal network behavior, you have to know what normal
behavior looks like. Behavioral analytics tools automatically discern activities that deviate from the
norm. Your security team can then efficiently detect indicators of compromise that pose a potential
problem and rapidly remediate threats.
Data Loss Prevention (DLP): Organizations should ensure that their staff do not send sensitive
information outside the network. They should thus use DLP technologies, network security measures
that prevent people from uploading, forwarding, or even printing vital information in an unsafe manner.
Email Security: Email gateways are considered to be the number one threat vector for a security breach.
Attackers use social engineering tactics and personal information to build refined phishing campaigns
that deceive recipients and send them to sites serving up malware. An email security application can
block incoming attacks and control outbound messages in order to prevent the loss of sensitive data.
Firewalls: Firewalls place a barrier between your trusted internal network and untrusted outside networks,
like the Internet. A set of defined rules is employed to block or allow traffic. A firewall can be software,
hardware, or both. The free firewall efficiently manages traffic on your PC, monitors in/out connections, and
secures all connections when you are online.
Intrusion Prevention System (IPS): An IPS is a network security technology that scans network traffic in
order to actively block attacks. The IPS Setting interface permits the administrator to configure the ruleset
updates for Snort. The ruleset updates can be scheduled to run automatically at particular intervals, and
they can also be run manually on demand.
Mobile Device Security: Mobile devices and apps are increasingly being targeted by cybercriminals. 90%
of IT organizations could very soon support corporate applications on personal mobile devices. You
therefore need to control which devices can access your network. It is also necessary to configure their
connections in order to keep network traffic private.
Network Segmentation: Software-defined segmentation places network traffic into different classifications
and makes enforcing security policies a lot easier. The classifications are ideally based on endpoint
identity, not just IP addresses. Access rights can be assigned based on location, role, and more, so that the
right people get the correct level of access and suspicious devices are contained and remediated.
Security Information and Event Management (SIEM): SIEM products bring together all the information
needed by your security staff in order to identify and respond to threats. These products are available in
different forms, including virtual and physical appliances and server software.
Virtual Private Network (VPN): A VPN is another type of network security, capable of encrypting the
connection from an endpoint to a network, mostly over the Internet. A remote-access VPN typically uses
IPsec or Secure Sockets Layer in order to authenticate the communication between network and device.
Web Security: A perfect web security solution will help in controlling your staff’s web use, denying access
to malicious websites, and blocking
Wireless Security: The mobile office movement is presently gaining momentum along with wireless
networks and access points. However, wireless networks are not as secure as wired ones and this makes
way for hackers to enter. It is thus essential for wireless security to be strong. It should be noted that,
without stringent security measures, installing a wireless LAN could be like placing Ethernet ports
everywhere. Products specifically designed for protecting a wireless network will have to be used in order
to prevent an exploit from taking place.
Endpoint Security: Endpoint Security, also known as Network Protection or Network Security, is a
methodology used for protecting corporate networks when accessed through remote devices such as
laptops or other wireless and mobile devices. For instance, Comodo Advanced Endpoint
Protection software presents seven layers of defense that include viruscope, file reputation, auto-sandbox,
host intrusion prevention, web URL filtering, firewall, and antivirus software. All this is offered under a single
offering in order to protect them from both unknown and known threats.
Network Access Control (NAC): This network security process helps you to control who can access your
network. It is essential to recognize each device and user in order to keep out potential attackers. This
will help you to enforce your security policies. Noncompliant endpoint devices can be given only
limited access or blocked altogether.

How does network security work?

There are many layers to consider when addressing network security across an organization. Attacks can
happen at any layer in the network security layers model, so your network security hardware, software and
policies must be designed to address each area.

Network security typically consists of three different controls: physical, technical and administrative. Here is
a brief description of the different types of network security and how each control works.

Technical Network Protection: Technical Network Protection is used to protect data within the network.
Technical network protection guards both stored and in-transit data from malicious software and from
unauthorized persons.
Physical Network Protection: Physical Network Protection, or Physical Network Security, is a network
security measure designed to prevent unauthorized people from physically interfering with network
components. Door locks and ID passes are essential components of physical network protection.
Administrative Network Protection: Administrative Network Protection is a security method that controls a
user’s network behavior and access. It also provides a standard operating procedure for IT officers when
executing changes in the IT infrastructure. Company policies and procedures are forms of administrative
network protection.
Source: https://enterprise.comodo.com/blog/what-is-network-security/
Source: https://www.forcepoint.com/cyber-edu/network-security

Topic 2: COMPUTER SECURITY

What is Computer Security?


Computer security, also known as cybersecurity or IT security, is the protection of information systems
from theft or damage to the hardware, the software, and to the information on them, as well as from
disruption or misdirection of the services they provide. It includes controlling physical access to the
hardware, as well as protecting against harm that may come via network access, data and code injection,
and due to malpractice by operators, whether intentional, accidental, or due to them being tricked into
deviating from secure procedures.

What are the concerns of computer security?


Computer Security is concerned with four main areas:
1. Confidentiality: Only authorized users can access the data resources and information.
2. Integrity: Only authorized users should be able to modify the data when needed.
3. Availability: Data should be available to users when needed.
4. Authentication: Are you really communicating with whom you think you are communicating?

Computer Network Security

Computer network security consists of measures taken by businesses or other organizations to monitor and
prevent unauthorized access by outside attackers.

Different approaches to computer network security management have different requirements depending on
the size of the computer network. For example, a home office requires basic network security, while large
businesses require high maintenance to protect the network from malicious attacks.

The network administrator controls access to the data and software on the network. A network administrator
assigns a user ID and password to each authorized person.

Aspects of Network Security:

Following are the desirable properties to achieve secure communication:

o Privacy: Privacy means that both the sender and the receiver expect confidentiality. The
transmitted message should be sent only to the intended receiver, and it should be opaque to
other users. Only the sender and receiver should be able to understand the transmitted
message, as eavesdroppers can intercept it. Therefore, the message must be encrypted so
that an intercepted message cannot be understood. This aspect of confidentiality is commonly
used to achieve secure communication.
o Message Integrity: Data integrity means that the data must arrive at the receiver exactly as it
was sent. There must be no changes in the data content during transmission, either malicious
or accidental. As there are more and more monetary exchanges over the internet, data
integrity is more crucial. Data integrity must be preserved for secure communication.
o End-point authentication: Authentication means that the receiver is sure of the sender’s
identity, i.e., no imposter has sent the message.
o Non-Repudiation: Non-Repudiation means that the receiver must be able to prove that the
received message has come from a specific sender. The sender must not be able to deny
sending a message that he or she sent. The burden of proving the identity falls on the receiver.
For example, if a customer sends a request to transfer money from one account to another
account, then the bank must have proof that the customer requested the transaction.

Source: https://www.javatpoint.com/computer-network-security

Source: http://www.contrib.andrew.cmu.edu/~dabousen/Default%20-%20Copy%20(4).html
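
The message integrity, end-point authentication and non-repudiation properties listed above can be checked mechanically. The following Python sketch is an added example, not part of the original module: the messages are constructed, `run_scenarios` and the other function names are hypothetical, and privacy (encryption) is not covered.

```python
import hashlib
import hmac
import secrets

# Constructed sample messages, modelled on the bank-transfer example in the text.
ORIGINAL = b"transfer 100 from account A to account B"
FORGED = b"transfer 900 from account A to account M"


def digest(message: bytes) -> bytes:
    """Unkeyed SHA-256 checksum: anyone can compute it."""
    return hashlib.sha256(message).digest()


def mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag: only holders of the shared key can compute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_digest(message: bytes, received: bytes) -> bool:
    return hmac.compare_digest(digest(message), received)


def verify_mac(key: bytes, message: bytes, received: bytes) -> bool:
    # compare_digest does not stop at the first differing byte, so the
    # comparison time gives no hint about how much of a guessed tag is right.
    return hmac.compare_digest(mac(key, message), received)


def flip_one_bit(message: bytes) -> bytes:
    """Simulate accidental corruption in transit."""
    return bytes([message[0] ^ 0x01]) + message[1:]


def run_scenarios() -> dict:
    key = secrets.token_bytes(32)  # known to sender and receiver only
    out = {}

    # 1. Accidental change in transit: both mechanisms notice it.
    damaged = flip_one_bit(ORIGINAL)
    out["digest_rejects_accident"] = not verify_digest(damaged, digest(ORIGINAL))
    out["mac_rejects_accident"] = not verify_mac(key, damaged, mac(key, ORIGINAL))

    # 2. Malicious change by someone on the path who does not hold the key.
    #    Against the checksum they recompute it over the altered message,
    #    so the receiver's check passes and the change goes unnoticed.
    out["digest_rejects_forgery"] = not verify_digest(FORGED, digest(FORGED))
    #    Against the MAC the best they can do is reuse the tag they observed.
    observed_tag = mac(key, ORIGINAL)
    out["mac_rejects_forgery"] = not verify_mac(key, FORGED, observed_tag)

    # 3. End-point authentication: the untouched message verifies, which tells
    #    the receiver it came from someone holding the shared key.
    out["mac_accepts_genuine"] = verify_mac(key, ORIGINAL, observed_tag)

    # 4. Non-repudiation is NOT provided: the receiver holds the same key and
    #    can produce a valid tag for a message the sender never sent, so a tag
    #    proves nothing to a third party. That property needs a digital
    #    signature made with a private key only the sender holds.
    receiver_made_tag = mac(key, FORGED)
    out["receiver_can_fabricate"] = verify_mac(key, FORGED, receiver_made_tag)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name:26s} {value}")
```
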

ASSESSMENT

I. IDENTIFICATION TEST. Write your answer on the space provided.

1. A barrier between your trusted network and untrusted outside networks. _________________________
2. It encompasses the software, hardware and processes that one selects for closing those holes.
______________________
3. Denying and blocking access to malicious websites. _______________________
4. This is also known as Network Protection or Network Security. ____________________________
5. This process helps to control who can access the network. ____________________________
6. This is a security method that controls a user’s network behavior and access. ____________________
7. This type of network security is capable of encrypting the connection from an endpoint to a network.
_______________________
8. This is used for protecting against malware which includes spyware, ransomware, Trojans, worms, and
viruses. ______________________________.
9. This is used to prevent people from uploading, forwarding, or even printing vital information in an unsafe
manner. ___________________________
10. This is an integration of multiple layers of defenses in the network and at the network. ______________

ESSAY: Answer the following questions. Write your answer under each question (5pts each).
1. How does network security work?
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________

2. How does computer security work?


_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________

3. Differentiate information security from computer security.


_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________

4. How do anti-viruses/firewalls ensure the safety of the data in your computer or android phone?
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________
_____________________________________________________________________________________________

REFLECTION PAPER: (The outline would be: INTRODUCTION, BODY, AND CONCLUSION)

Topic: Why is computer security important?

LESSON 4
NETWORK AND COMPUTER SECURITY

TOPICS:
1. Standards, Security Policies and Controls
2. Risk Management
3. Legal Regulation

LEARNING OUTCOMES: At the end of the lesson the student should be able to:
explain the need for effective security management;
outline the activities involving risk and incident management;
identify the main factors that affect risk assessment;
define security control, security policies and risk; and
identify the regulations that should be considered within the Information Security Management System.

Topic 1: STANDARDS, SECURITY POLICIES AND CONTROLS

As with most topics, there are international standards that deal with information security management, and
the main one is ISO27001:2013.

This Standard is structured in a linear fashion, from the establishment of the ISMS through to the review
and adaptation of the ISMS. However, addressing the requirements in that order is not a requirement in
itself. In the previous edition, the Standard defined the project approach as the well-recognized Plan–Do–
Check–Act model (P-D-C-A) to structure the tasks required to introduce an effective ISMS. While this is no
longer strictly mandated by ISO27001, it remains a valid and effective approach.

The P-D-C-A cycle can be summarized as:

• Plan what you need to do to achieve the objective (which includes defining what that objective is).
• Do what you planned.
• Check that what you have done achieves what you had planned for it to achieve and identify any
gaps or shortfalls (i.e. check whether you have met the objectives).
• Act on the findings of the check phase to address the gaps and/or improve the efficiency and
effectiveness of what you have in place.

Typically this last stage will involve making a plan, doing what that plan entails, checking that the objectives were
achieved, identifying any shortfalls and then acting on the findings by once again creating a plan.

And so, with the introduction of an ISMS using P-D-C-A, the initial cycle of continuous improvement is
effected.

One common misunderstanding in adopting the P-D-C-A approach is that the planning stage is limited
purely to planning the project. However, applying the approach required in the 2005 version of ISO27001,
the planning stage includes all the activity to determine what is required of the ISMS, and how this is to be
achieved. This is a significant undertaking, to the extent that it can take up to half of the project time from
initiation through to having a full ISMS in place. The other main resource-demanding stage is
implementation. The next chapter deals with the most resource intensive aspects of determining what is
required of the ISMS.

There are a number of requirements for a management system to operate that are as applicable to an
ISMS as to any other management system, and these include:
Document control. This is an arrangement to manage the availability of documents within the ISMS,
typically including:
• the corporate-level policies
• operating procedures which describe the processes that support the policy and explain who does
what, where and when
• work instructions that detail how certain tasks should be conducted, and
• records which capture the information that is essential for the purposes of review and to inform
decisions. These include documents such as audit schedules and logs, records of work completed
for the purpose of traceability and accountability, etc.

The aim of document control is to ensure that all these documents have been written and approved by the
right people and that only the latest approved versions are available to those who need to be aware of and
follow them. Records also need to be safeguarded once they are generated. This means protecting their
confidentiality, integrity and availability in order to be sure they can be retrieved by the right (authorized)
people when needed and that they are legible and have not been interfered with.

Returning to the common management system ‘hygiene’ factors …

• Internal audit. Internal audits can be used for many purposes, but one of the main objectives of
deploying an internal management system audit programme is to monitor compliance between the
management system requirements and working practice. The internal audits are commissioned by the
organization, for the organization, and provide an opportunity to review the level of compliance within
and effectiveness of the ISMS. This is achieved by examining what actually happens across a sample
of activities and processes and comparing this to what the documented management system
describes. The identification of any mismatch during an audit provides the opportunity to put it right,
either by changing the system description of what happens, by enhancing working practices, or by
addressing competency issues (often through improved training and awareness). The internal audit
process should also inform the continual improvement of the ISMS; however, this typically only starts to
become an objective of audits once the ISMS is embedded. Internal audits can also be commissioned
to target specific areas of concern or for the purpose of identifying opportunities for improvement.

• Management review. Given that management initiate the ISMS by approving the use of resources to
undertake the project and issuing the corporate information security policy defining the objectives of the
ISMS, it is reasonable to expect them to review the progress of the implementation project and the
effectiveness of the ISMS thereafter. The management review is typically held once every six or 12
months and is intended to achieve exactly these objectives. A number of reports would be prepared for
the meeting, covering key indicators of how the ISMS is operating. These reports include an analysis of
the outcome of audits (internal and second- and third-party), significant security-related incidents,
changes in external and internal issues that may affect the ISMS, some form of indicator of awareness
of information security issues and the ISMS across all those affected by it, and an indication of the
amount and timeliness of any improvement activity undertaken. The review should also examine the
effectiveness measures that have been developed and any opportunities for continual improvement
that have been identified or implemented.
Source: https://www.jstor.org/stable/pdf/j.ctt5hh3wf.7.pdf?refreqid=excelsior%3A97a2ce96be558bb98da449fb711ee358

Topic 2: RISK MANAGEMENT

Risk Management and Assessment

The following reading provides a more detailed view of some of the factors to be considered during the risk
management process.

Attacker Groups and Motivations

We present an indicative list of various types of attackers along with their usual motivations:

| Group | Labels | Motives |
|---|---|---|
| Novices | Novices, newbies and script kiddies | Notoriety, curiosity, thrill seeking and reputation |
| Browsers and cyber-punks | Browsers, students, cyber-punks and pranksters | Intellectual challenge, but also financial gain |
| Ethical hackers | Grey hats, old guard and ethical hackers, quiet, paranoid and skilled hackers | Intellectual challenge, passion |
| Hacktivists | Hacktivists, political activists | Cause and ideology, but also status, ego |
| Insiders | Insiders, internals | Revenge, financial gain |
| Crackers | Crackers, crashers, sport intruders, malicious hackers, virus writers, coders, elite and black hats | Revenge, ego, entertainment |
| Professional Criminals | Thieves, career criminals, darksiders, professional criminals, organized crime groups and petty thieves | Financial gain |
| Government agents | National states, foreign intelligence, government agents, military hackers | Ideology, cause |

Risk Components

In order to perform a risk assessment, information security professionals have to estimate the following
variables, which depend on the given system under protection and the needs of the organization. The
following definitions are taken from ISO 27002:

• Asset is anything that has value to an organization, its business operations and its continuity.
• Threat is a potential cause of an incident that may result in harm to a system or organization.
• Vulnerability is a weakness of an asset or group of assets that can be exploited by one or more
threats.
• Risk is the potential that a given threat will exploit vulnerabilities of an asset or groups of assets and
thereby cause harm to the organization.
• Impact is the result of an information security incident, caused by a threat, which affects assets.
Each potential information security threat $i$ is assumed to have a corresponding probability of
manifestation, $t_i$. For each threat, the information system or organization under protection has an
associated probability of breach (vulnerability), $v_i$. These two factors combined describe the likelihood or
probability, $p_i$, that a vulnerability is exploited allowing a threat to be realized:

$$p_i = t_i \cdot v_i$$

The estimated impact (i.e. the outcome or loss) that the organization suffers when a breach materializes
is symbolized with $x_i$, for various outcomes; this is related to the value of the asset under protection. One
approach is to assume that the total value of the asset will be lost in the event that a threat materializes.
Then, we can combine likelihood and impact to obtain risk in the following way:

$$\text{Risk} = p_i \cdot x_i = t_i \cdot v_i \cdot x_i$$

Threats are outside the control of the decision-maker (security professional). Thus, their probabilities
cannot be altered. By contrast, vulnerabilities are internal, meaning that their associated probabilities can
be reduced by security investment decisions. In some cases, information security professionals do not
target vulnerability probabilities $v_i$ with their investment decisions, but instead aim to contain the potential
impacts $x_i$.

As we described during the video, risk assessment can be either quantitative or qualitative. In case the
aforementioned values can be estimated, we have a quantitative approach.

A useful tool for qualitative assessment is the so-called ‘risk matrix’, which maps the likelihood of a threat
materializing against the expected business impact related to that threat. In our example, risk is
measured on a scale of 0 to 8. Such an estimation can be further evaluated against the risk appetite of the
organization. A simple risk rating could also be used for categorizing the resulting risk, for example, Low
risk: 0 to 2, Medium Risk: 3 to 5, High Risk: 6 to 8.

Risk Matrix (adapted from BS ISO/IEC 27005:2011)
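
The quantitative formula and the qualitative rating above, worked through in Python as an added example that is not part of the original module. The threat register, the control options and all their numbers are constructed; the five-level scale scored 0 to 4 on each axis and summed is an assumption chosen to give the 0-to-8 range the text describes, since the matrix itself is not reproduced here.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    t: float  # t_i: probability that the threat manifests
    v: float  # v_i: probability of breach (vulnerability)
    x: float  # x_i: impact if the breach materializes, in currency units


@dataclass(frozen=True)
class Control:
    """A security investment: lowers v_i, contains x_i, or both. Never t_i,
    because threats are outside the decision-maker's control."""
    name: str
    new_v: Optional[float] = None
    new_x: Optional[float] = None


def likelihood(th: Threat) -> float:
    return th.t * th.v  # p_i = t_i * v_i


def risk(th: Threat) -> float:
    return likelihood(th) * th.x  # Risk = p_i * x_i = t_i * v_i * x_i


def apply_control(th: Threat, c: Control) -> Threat:
    """Return the threat as it looks after the control is in place."""
    changes = {}
    if c.new_v is not None:
        changes["v"] = c.new_v
    if c.new_x is not None:
        changes["x"] = c.new_x
    return replace(th, **changes)


def rank(register):
    """Highest quantitative risk first."""
    return sorted(register, key=risk, reverse=True)


def best_control(th: Threat, controls):
    """The control that leaves the lowest residual risk for this threat."""
    return min(controls, key=lambda c: risk(apply_control(th, c)))


# Qualitative assessment. Assumed scale: five levels per axis, scored 0..4.
LEVELS = ["very low", "low", "medium", "high", "very high"]


def matrix_score(likelihood_level: str, impact_level: str) -> int:
    return LEVELS.index(likelihood_level) + LEVELS.index(impact_level)


def rating(score: int) -> str:
    """Rating bands as given in the text: 0-2 Low, 3-5 Medium, 6-8 High."""
    if not 0 <= score <= 8:
        raise ValueError("score must be between 0 and 8")
    if score <= 2:
        return "Low"
    if score <= 5:
        return "Medium"
    return "High"


# Constructed sample register and control options.
REGISTER = [
    Threat("phishing leads to mailbox takeover", t=0.60, v=0.30, x=50_000),
    Threat("ransomware on file server", t=0.20, v=0.25, x=400_000),
    Threat("laptop theft with unencrypted disk", t=0.10, v=0.90, x=30_000),
]
RANSOMWARE_CONTROLS = [
    Control("patching and network segmentation", new_v=0.05),  # targets v_i
    Control("tested offline backups", new_x=100_000),          # contains x_i
]

if __name__ == "__main__":
    for th in rank(REGISTER):
        print(f"{th.name:38s} p={likelihood(th):.3f}  risk={risk(th):>9,.0f}")
    top = rank(REGISTER)[0]
    for c in RANSOMWARE_CONTROLS:
        print(f"{c.name:38s} residual={risk(apply_control(top, c)):>9,.0f}")
    score = matrix_score("high", "very high")
    print("qualitative:", score, rating(score))
```
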

Topic 3: LEGAL REGULATION

Laws affecting Information Security

Wassenaar Arrangement (1996, 41 countries)

The purpose of the international Wassenaar Arrangement on Export Controls for Conventional Arms and
Dual-Use Goods and Technologies is to ‘...Contribute to regional and international security and stability, by
promoting transparency and greater responsibility in transfers of conventional arms and dual-use goods
and technologies, thus preventing destabilizing accumulations. Participating States seek, through their
national policies, to ensure that transfers of these items do not contribute to the development or
enhancement of military capabilities which undermine these goals, and are not diverted to support such
capabilities. The aim is also to prevent the acquisition of these items by terrorists’ (source:
http://www.wassenaar.org/about-us/). The agreement specifically refers to civil uses and export controls of
cryptography.

Source: http://www.wassenaar.org/

Computer Misuse Act (1990, UK)

The Computer Misuse Act is the primary law in the United Kingdom dealing with computer misuse. The
sections of the Act of most interest for information security are: Section 1 ‘unauthorized access to
computer material’ according to which, ‘A person is guilty of an offence if—

• he causes a computer to perform any function with intent to secure access to any program or data
held in any computer, or to enable any such access to be secured;
• the access he intends to secure, or to enable to be secured, is unauthorized; and
• he knows at the time when he causes the computer to perform the function that that is the case.
The intent a person has to have to commit an offence under this section need not be directed at—

• any particular program or data;
• a program or data of any particular kind; or
• a program or data held in any particular computer.’
Section 2 refers to ‘unauthorized access with intent to commit or facilitate commission of further offences’.
Section 3 describes the conditions to be met for a person to be guilty of the offence of ‘unauthorized
modification of computer material’. Finally, Section 17, refers to the interpretation of the Act. An important
point is that the term ‘computer’ has been deliberately left undefined, as such a definition would require
regular updating in order to keep up with technological advancements. Such flexibility allows courts to
consider tablets, mobile phones, even car systems and other devices with processing capabilities as target
systems.

Source: http://www.legislation.gov.uk/ukpga/1990/18/contents

Data Protection Act (1998, UK)

This act deals with the ‘regulation of the processing of information relating to individuals, including the
obtaining, holding, use or disclosure of such information’. For the purposes of this course, Section 55 is
interesting as it refers to the ‘unlawful obtaining of personal data’. The Data Protection Act will be
overridden by the General Data Protection Regulation (GDPR), described later in this document.

Source: http://www.legislation.gov.uk/ukpga/1998/29/contents

Investigatory Powers Act (2016, UK)

This act focuses on 'the interception of communications, equipment interference and the acquisition and
retention of communications data, bulk personal datasets and other information'. The act became an official
act in November 2016 and overrides the previous 'Regulation of Investigatory Powers Act'.

Source: http://www.legislation.gov.uk/ukpga/2016/25/introduction/enacted

Foreign Intelligence Surveillance Act (1978, USA)

This act describes the conditions and processes required for the authorization of electronic surveillance in
order to obtain foreign intelligence information.

Source: https://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg1783.pdf

Health Insurance Portability and Accountability Act (1996, USA)

This act, also known as HIPAA, aims at ensuring data privacy and security provisions for safeguarding
medical information.

Source: https://www.gpo.gov/fdsys/pkg/PLAW-104publ191/html/PLAW-104publ191.htm

California Senate Bill No. 1386 (2002, CA USA)

This is one of the first laws which aimed at regulating the privacy of personal information. The part of the bill
that relates to security breach notification in particular, has been very useful for the analysis and research
on information security breaches.

Source: http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.pdf

General Data Protection Regulation (2016, EU)

The General Data Protection Regulation, or GDPR, is considered one of the most important new
security initiatives. It is set to replace the Data Protection Directive 95/46/EC and will take effect in May
2018. The purpose of the regulation is the protection of persons in relation to the processing of their
personal data. In particular, the regulation aims at:

• Strengthening civilians’ rights,
• Adapting data protection to technological advancements and
• Benefiting businesses, the market and international cooperation.
One of the most debated points of the regulation refers to breach notification requirements:

‘..as soon as the controller becomes aware that a personal data breach has occurred, the controller should
notify the personal data breach to the supervisory authority without undue delay and, where feasible, not
later than 72 hours after having become aware of it, unless the controller is able to demonstrate, in
accordance with the accountability principle, that the personal data breach is unlikely to result in a risk to
the rights and freedoms of natural persons.’

Source: http://ec.europa.eu/justice/data-protection/reform/index_en.htm

ASSESSMENT

ESSAY: Answer the following questions. Write your answer under each question (5pts each).
1. Why is document control needed?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

2. What is the purpose of internal audit?


______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
_______________________________________________________________________

3. What is risk management? Why do we need to assess risk?


______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
_______________________________________________________________________

Research Output: (The outline would be: INTRODUCTION, BODY, AND CONCLUSION)
Topic: The data privacy act in the Philippines, compared with that of another Asian country.

LESSON 5
THE CYBER SECURITY INDUSTRY AND CAREERS

TOPICS:
1. Modelling and Information Security Industry
2. Roles and careers in the information security industry
3. Professionalization of the information security industry

LEARNING OUTCOMES: At the end of the lesson the student should be able to:
describe a model of the information security industry;
classify the actors in the model of the cyber security industry;
give examples of professional bodies and their influence on the security industry;
summarize some of the roles and careers available in the security industry; and
create a career plan and determine the potential educational milestones to help
achieve the plan.

Explain some of the ethical issues within information security

Topic 1: MODELLING AND INFORMATION SECURITY INDUSTRY

Introduction

Why do we want to build and discuss a model of the information security industry at this stage of the
course?

• At this point you should have an appreciation of the breadth of information security and an introduction
to some of the knowledge areas. Based on this we can introduce some of the types of companies that
make up the industry and consider some of the security-related roles that are available in the industry.
• The model can help us appreciate some of the relationships and interactions in the industry, some of
which we have introduced previously in the course.

Building a model can help us understand the real world and abstract away some of the complexities. At the
same time it helps shape our thinking, and you can critique the model, change or extend it as your
knowledge grows and throw it away when it no longer applies or has limited usefulness.

We build up our model by first considering the fundamental components using a classic producer-consumer
concept that is used in many areas of computing, management and marketing to model systems and
interactions. On this we build up our vision of the producer community and the consumer community.

We introduce the enforcer component, a critical aspect within the model that acts on the producers and
consumers. Lastly we consider the adversary component, because of course without the adversary - who
can be both internal and external to the other components - we have little motivation for providing
Information Security, the industry and the laws, regulations, standards and best practices that have been
developed to help protect us!

This unit is split into the following videos and associated readings:

• Building the information security model
• The Producers
• The Consumers
• The enforcers and adversaries

So, to start, we should appreciate that the security industry is full of products and services (created by
producers) that are aimed at certain types of consumers, typically businesses. We have mentioned some of
these within previous weeks, such as firewalls, intrusion detection systems, anti-virus (end-point security),
cryptographic products to ensure privacy such as virtual private networks, or to authenticate and authorize
such as RADIUS servers and Active Directory products. Other products can be services, anything from
consultancy through to the ubiquitous network and computing services that are used by many businesses,
such as Internet connectivity, web infrastructure, software as a service (SaaS) and cloud computing. There
is a wide range of information/cyber security roles and careers within producers.

The consumers for our model will be all the different types of businesses, including government, that use
information security products or services. There is a wide variety of different types of businesses and
these can be categorized to help us consider groups rather than every individual business. Certain groups
(also called "verticals") will have certain requirements; for example, in retail we have a wide variety of
e-commerce interactions that include procurement through payment card transactions either in store or
online. Within the consumers there is a wide range of roles and careers required in the context of
information or cyber security.

In addition to the model we will describe, we could create a producer-consumer model for the individual or
home user as well; however, this would only consider a subset of potential producers and would not allow
us to consider a wide variety of careers and roles. From an individual or home perspective we are likely to
be familiar with products such as anti-virus suites, ad blockers, parental control products, anonymity
services etc., as well as equipment and services provided by our network (fixed and/or cellular) and
entertainment providers. However, this type of model would not allow us to consider the widest range of
careers and roles in the cyber security industry, so we will not consider it further.

Basic elements in our model

Let’s consider some of the terminology mentioned in the presentation and one or two of the concepts.

Producers - any company/business that creates, manufactures, sells, installs, maintains or runs security
products or services. The next video in this lesson expands on the producer.

Consumer - a company that consumes (purchases, installs, uses) products to secure their business. The
set of products will depend on the business requirements and on external factors such as laws, regulations,
directives, standards, best practices, etc. with which they need to comply or choose to implement.

At around the 50th second I mentioned that consumers need a "security solution". What do I mean by that?

• Based on their business needs a consumer will need to invest in people, processes and equipment
(hardware and software) and services in order to protect their assets.
• There may be different elements to security within one company; for example, the UK company Marks
& Spencer Ltd provides retail outlets of various types, plus online sales of its product lines. It
also offers a banking service and insurance services. It therefore has a variety of security needs,
and security solutions in one part of the business may not be the same as in another, for example to
meet regulations in different market segments.

At around 1 minute 30 seconds I mention the term "verticals" in the context of Consumers. What does this
mean?

• Vertical is used to denote a set of similar types of business, for example it might refer to retail, or
banking, or government, or critical infrastructure etc. By grouping businesses by "verticals" we can
analyze the needs of the vertical and produce generic products, e.g. to protect online retail, or for the
banking industry, or to protect national critical infrastructure.
• Verticals can also be used to denote sets of producers, such as anti-virus vendors, network security
vendors and so on. We can categorize producers by the products and services they deliver.

During the period 1 minute 10 seconds to 1 minute 25 seconds I mention that the producers can also be
considered consumers. We draw an arrow from producers to themselves. Let’s expand on this a little.

• The consumer and the producer are companies; they generally employ staff, maintain some sort of
premises, have an IT infrastructure, some web presence etc. They typically have a set of relationships
- with their customers, with their suppliers and with other sectors - so have business to business and
business to consumer relationships. Such a vendor, say IBM as an example, has a set of products
developed by engineers, scientists, and other specialists, sold by sales people, pre-sales consultants,
marketing departments, legal and finance teams etc. They provide a wide variety of professional
services that rely on consultants, engineers, etc. They need ICT and security specialists to support all
aspects of their business and so have a need for all the security skills and roles found within the
consumer sector as well as all the staff required to produce and deliver products and services - the
security engineers (hardware and software), security services consultants and engineers, pre-sales
technical support, etc. Some of these may be outsourced or provided by third party providers.
• Producers will typically have a variety of suppliers - whether it's raw materials, chips or systems,
software, operating systems, complete products through to services that they themselves consume.
Effectively behind the bubble of the producer is a web of interactions - a potentially huge supply chain
that ends up as the products and services that the consumers purchase and use.

At around 1 min 45 seconds I introduce the Enforcer. Largely this can be taken from the Producer
community, although the Enforcers can provide services as well so some may have some characteristics of
producers.

• The Enforcer community helps to regulate and support the overall network of producers and
consumers. There are specific security related entities as well as other entities that have a
cyber/information security function within them. Consider the Information Commissioner's Office (ICO)
in the UK - primarily concerned that companies meet the requirements of the Data Protection Act and
the new EU GDPR (General Data Protection Regulation from the European Union). They work with all
sectors to ensure that companies comply, they investigate breaches and prosecute.
• The police in the UK on the other hand have some cyber/information security units, however they
have a much wider role.

At around 2 minutes and 30 seconds I mention the "interactions" between the components of the model.
Let’s briefly consider some of these at this point; there will be some additional comments in later videos and
readings.

• "Interactions" take place at a variety of points: between enforcers and consumers and producers,
consumers and producers, producers and producers, and consumers and consumers.

Some examples:

• The banking industry works together on cyber security and threats,
• Security vendors have data gathering networks where information from customers is collected and
used to enhance their product to meet emerging threats/attacks,
• In the UK the CERT-UK (Computer Emergency Response Team) have the CISP (Cyber security
Information Sharing Partnership) where companies can share security information in a trusted
network.
• The Information Commissioner's Office communicates with companies, maintains knowledge of the
industry, undertakes inspections, investigates breaches and prosecutes, so it has many interactions.

All these aspects can make the model quite complex, so we abstract at a high level to maintain a relatively
simple overview. We expand on each a little in the next set of video lessons and short readings.

More about the Producers

Categorizing by types of producers.

The presentation identifies a wide variety of producer types - covering products through to services.

• Vendors – create products and services to meet security needs.
• Value added resellers – provide products plus associated services such as installation, training,
maintenance.
• System Integrators – produce solutions that mix and match vendor products to meet the needs of a
customer. Often include all of a VAR's functionality plus system engineering and consultancy. For
example, Accenture provides system integration.
• Consultants – offer a wide variety of services from management to deep technical. There is a wide
range of companies from large multi-nationals through to small bespoke companies offering
consultancy in the security sector.
• Service Provider (outsource) – companies that provide various operational services to customers e.g.
providing security solutions for BYOD (Bring Your Own Devices), providing SOC (Security Operation
Centres), DR (Disaster Recovery), BC (Business Continuity), etc.
• Service Providers (services) – telecoms, ISPs, cellular/mobile etc. Of course many of these service
providers may offer the outsourced products in the bullet point above.

We have producers that make a single type or a small number of types of products. They sell into
consumers or more often through value added resellers (VARs) that can help them sell into wider markets,
different countries etc. A VAR can offer added value by providing installation, maintenance, training etc.

Systems integrators will develop a solution for customers. Typically they have a range of relationships with
a wide number of vendors and have in-house expertise that can architect and create security solutions.
They may subcontract vendors and VARs as required.

Categorizing by products.

We refer to several categorizations in the video. This graphic shows that in a single image. It is created
based largely on a report from Market and Markets (2016).

At this stage some of the acronyms or terms may be unfamiliar but Google searches will throw up useful
sources for you to find out more!

Whether categorizing by type of producer, by product type, or by all aspects, this sort of analysis helps us
to understand the breadth of the producer within the model and the products and services in the information
security marketplace.

More about the consumers

Earlier in our readings we looked at verticals; here we look at one particular vertical - critical
infrastructure - and introduce some other verticals that are classified by analysts, such as retail,
banking, healthcare, education, etc.

Critical Infrastructure.

Source: http://www.cpni.gov.uk

Critical infrastructure here has been categorized by value and criticality. The criticality scale uses the
impact on essential services, economic impact, and impact on life as a basis to determine what is critical. In
the UK we have:

• Communications
• Emergency Services
• Energy/Power
• Financial services
• Food
• Government
• Health
• Transport
• Water
• Defence/Military
• Civil nuclear
• Space
• Chemicals

Let’s just briefly mention one example, say energy/power. In the UK the infrastructure is made up of a large
number of companies, from the companies that run power stations and the distribution network through to
companies that supply power to consumers. For example, EDF runs a number of power stations which supply
electricity to the transmission network, the National Grid PLC is the company that provides the distribution
network for electricity and gas, and a wide variety of companies deal with the power consumers, such as
British Gas Ltd, which supplies electricity and gas to a large number of companies and residential
consumers in the UK. These companies cooperate to provide this infrastructure and are all concerned with
various aspects of security, from physical to logical, including power plant control (SCADA), transmission
system stability (more SCADA), through to the consumer-oriented aspects of customer accounts accessed
through the WWW, payment systems, smart metering and micro-generation (such as solar) in the home.

Verticals. Market analysts such as Gartner, Forrester, IDC etc. create verticals as a basis for classifying or
categorizing markets. As mentioned in the video there are a wide number of these, such as:

• Banking and securities
• Communications, media and services
• Manufacturing and natural resources
• Government
• Insurance
• Retail
• Healthcare
• Education
• Military

Each of these can be viewed from a cyber/information security perspective and there are some producers
that will target verticals with particular solutions.

Some of the security consumers may fit into multiple verticals. Consider for example Marks & Spencer Ltd.
They are a large retailer with many stores and provide online shopping as well. In addition, they offer the
M&S bank and insurance services, so they fall into multiple verticals.

Wrapping up the model

The last video briefly identifies some of the enforcers that we can see - nationally and internationally. The
drivers for the various enforcers are, for example, national and international governments, policies, laws,
regulations, directives, standards and industry best practice. One example in the UK would be the Information
Commissioner's Office (ICO), which deals with enforcing the Data Protection Act (DPA). We discussed it
briefly in an earlier reading in this lesson. Adversaries are of course the context in which our industry
resides and there are many different types, from the insider threat and the basic script kiddie through to
organized crime, industrial espionage and nation states.

At the top level the model is simple and shown in the diagram below. As we look into it we can build in a
range of useful features to expand on the base components as discussed through this lesson. The model
may not work well for you - it may need to be tailored for your country and culture. Perhaps the
model presented does not meet your expectations - but perhaps the steps presented can help you develop
something you find more useful that can help you understand the information security industry.

Topic 2: ROLES AND CAREERS IN THE INFORMATION SECURITY INDUSTRY

Overview and resources

There is a wide range of potential careers in information/cyber security. In the previous lesson we
identified different types of employers - consumers, producers and enforcers. There is a huge demand for
people to enter the information security industry and governments are encouraging people to enter the
profession at various levels - as apprentices, by taking an undergraduate or graduate degree and by
encouraging mid-career changes into security roles.

Here we look at two resources that provide information about information/cyber security careers. The first
is inspiredcareers, which provides an accessible website that contains descriptions of a wide range of jobs at
different levels from junior through to the industry leaders. Not all jobs have full descriptions, and some do not
have video interviews, for example; however, there is a good deal of information provided overall.

The second resource is SFIA - Skills Framework for the Information Age - a more formal resource that has
been created over many years and provides an analysis of ICT skills used widely across the industry. Many
of the areas identified in SFIA have a security element and the number of these has grown significantly
over the last decade as security has become ubiquitous.

There are many resources around the world. The US government is putting in place resources to help
develop enough cyber security professionals. For example, here are some of the initiatives and resources in
the US, which has probably the most active and extensive resources to promote cyber security careers and
education:

• NICE (National Initiative for Cybersecurity Education) provides a national resource, and
• NICCS (National Initiative for Cybersecurity Careers and Studies) from the Department of Homeland
Security.
• CyberSeek - shows cybersecurity pathways - similar to inspiredcareers.org, but with a more limited
number of careers discussed. CyberSeek has a heat map of cyber security vacancies across the US.
• Cyber Degrees website provides a set of useful information about cyber security jobs as well as
information on US degree programmes.

Both the UK and the US have certified universities and specific degree programmes in cyber/information
security and identified centres of excellence in research. The UK master's and undergraduate degrees are
certified by GCHQ.
Source: https://www.ncsc.gov.uk/information/gchq-certified-degrees

Penetration testing as a career


In the first video I mention the role of penetration tester. On inspiredcareers.org, Cyber Degrees and
CyberSeek, you will find information about the penetration tester role. In addition, there is also an article on
the Dark Reading website that describes the role. Dark Reading is a useful web site for professionals in
security; you may like to browse the site:

Skills Framework for the Information Age (SFIA)


SFIA is a long-lived ICT skills framework. It is used internationally and helps with various career-related
activities, such as skills management, planning, assessment, development, recruitment etc.

SFIA identifies 97 skills in 6 categories at 7 levels (as of version 6). If you recall, the inspiredcareers web
site used 5 levels instead; it also used job titles rather than skills, so the two resources do not naturally
align, but both are useful.

There is significant coverage of cyber security in SFIA, including skills of information assurance, information
security, security administration etc. In version 6, new skills added included Digital Forensics and
Penetration Testing, and as the industry changes so will SFIA, so new skills are expected to be added as
they are created and validated by the industry.

SFIA creates 7 levels based on experience, competency, complexity, autonomy, business skills and
influence.

SFIA defines 6 categories and skills are named, assigned a code, described and assigned level descriptors
so that you can determine what is required as you develop your career. The categories are:

The example shows part of the strategy and architecture category, sub category Information Strategy, and
the skills and levels within that. This shows the "information security" skill starts at level 3 and can lead
through to level 7, whereas the "information assurance" skill starts at level 5. Typically you might start in
information security and then transition into an information assurance role.

Lastly, I want to share an example of the information provided for a skill, this is for Digital Forensics:

Topic 3: PROFESSIONALIZATION OF THE INFORMATION SECURITY INDUSTRY

The formation of a professional body to provide standards of excellence within cybersecurity
practitioners has been mooted for many years. Now the UK government has proposed the
development of an institution for “developing the cybersecurity profession, including through
achieving Royal Chartered status by 2020.”

This is the professionalization of cybersecurity in everything but name. ‘Regulation’ is not mentioned in the
proposal; but just as the General Medical Council regulates medical practitioners, so a potential UK
National Cybersecurity Council might eventually regulate cybersecurity practitioners.

This could include setting and requiring cybersecurity qualifications and setting the level of qualifications
needed in specific industries. While this will inevitably raise the technical level of many cybersecurity
practitioners, it could potentially mean that some practitioners could not be employed by some – if not all –
companies without attaining a predefined level of qualifications.

This is not yet the inevitable outcome of the government proposals, which are outlined in a consultation
document titled Developing the Cyber Security Profession in the UK. The consultation closed August 31,
2018, and the government is currently analyzing feedback.

The proposal

The proposal is that the cybersecurity profession delivers on four specific themes by 2021. These are
professional development, professional ethics, thought leadership and influence, and outreach and
diversity. Each of these themes is discussed and followed by one or more relevant consultation questions.

Underpinning the proposed role of the National Cybersecurity Council is the CyBOK project – the
development of a Cybersecurity Body of Knowledge – being led by Professor Awais Rashid at the
University of Bristol. The overall aim of the CyBOK project is to codify the foundational and generally
recognized knowledge in cybersecurity.

This project is ongoing. The first phase, completed in October 2017, defines 19 knowledge areas (KAs) of
cybersecurity. The government proposal says, “The depiction of the 19 Knowledge Areas sets the scope of
cybersecurity to shape approaches for training, standard setting, the dissemination of expert opinion, and
the execution of professionalism.”

The 19 KAs of the CyBOK

There is much that is good in the proposals. For example, the government expects to support the
development of the professional body, but to then step aside so that it is “fully independent of government.”

However, there is also much that can be criticized. Firstly, it is not a discussion document on what should
be done, but one on how to achieve what has already been decided – that is, the formation of a National
Cybersecurity Council.

Perhaps even more concerning, however, is that the Council is to be derived from existing organizations
rather than individuals. “We envisage,” says the proposal, “the Council would have organizational rather
than individual membership and be made up of existing professional bodies and other organizations with an
interest in cybersecurity.”

While nobody will deny the great work already undertaken by many of these existing organizations, the fact
remains that they are basically businesses that have sometimes been described as primarily designed
to sell certificates.

The lack of direct representation by the very people that are meant to be represented – the individual
cybersecurity professionals – could be a worrying development.

Support from existing professional bodies

Existing professional cybersecurity organizations have expressed strong support and have banded together
to form an ‘Alliance’ in support of the government’s proposals. The Alliance membership currently
comprises BCS, The Chartered Institute for IT, Chartered Institute of Personnel & Development (CIPD), the
Chartered Society of Forensic Sciences (CSofFS), CREST, The Engineering Council, IAAC, The Institution
of Analysts and Programmers (IAP), The IET, Institute of Information Security Professionals (IISP), Institute
of Measurement and Control (InstMC), ISACA, (ISC)², techUK, The Security Institute, and WCIT, The
Worshipful Company of Information Technologists.

A typical expression of support includes, from Deshini Newman, MD EMEA (ISC)², “We are reaching an
important milestone in the maturity of our profession with the intent to develop a nationally-recognized
professional body and consideration for chartered status. The UK is taking a leadership role in this effort
that may well set an example for governments around the world. We are keen to support their work.”

Michael Hughes, board director of ISACA, adds, “We believe objectives such as the prioritization of
benchmarking cyber capabilities and a sharper focus on the need to fortify the pipeline of highly skilled,
well-trained cybersecurity professionals put the alliance on track to serve as a valuable resource in support
of the UK National Cyber Security Strategy.”

The Chair of the IISP, Dr. Alastair MacWillson, told SecurityWeek, “The IISP has been involved in this
initiative from the outset… These discussions have led to the DCMS launching last [July’s] consultation to
create a new UK Cyber Security Council to develop the cybersecurity profession in the UK… What is being
proposed by the Government through this initiative, is the most profound development of governance for
the information security profession that we have seen.”

It is no surprise that existing professional bodies will support the government approach to
professionalization – those that don’t will lose ground to those that do. But nowhere in this proposal, or in
support for the proposal, is the voice of the practitioners.

Views from the coalface

The opinions of existing cybersecurity practitioners and individual security consultants range from support
through ‘a good but unworkable idea’ to reserved condemnation.

Martin Zinaich (information security officer at the City of Tampa, Florida) has long advocated the formation
of a professional body for cybersecurity practitioners able to uphold and maintain professional standards.
He wrote a paper on the subject and sees similarities in the UK proposal to his own ideas.

He believes that professionalization is not merely a good idea, but an essential step towards improving the
overall quality of cybersecurity. He has some concerns over the involvement of government. He believes a
light touch – as suggested in the government proposal – is feasible; but probably not likely. He has always
held the view that professionalization is ultimately inevitable, and that if practitioners don’t do it themselves,
governments will do it to them.

“The idea,” he told SecurityWeek, “that such critical ubiquitous lifeblood like technology, the internet and
IoT will not be regulated heavily, as each new breach expands its impact, is very short sighted. We either
lead this effort or get led.”

The concept of a professional body promoting expertise is widely welcomed; but government involvement
is sometimes questioned. “In principle, I think it’s a good idea,” says Paul Simmonds, CEO at The Global
Identity Foundation; co-founder of the Jericho Forum. “In fact, when I supported the setting up of the IISP
over 10 years ago that's what I hoped they were going to be.”

But he has his own concerns: “Unlike many other professional bodies, security moves an order of
magnitude faster, so the worry is that the ‘grandees’ who define the bar for qualification cannot keep up
with the speed of change – and we thus continue to implement 1990s-based perimeterized networks.”

Raef Meeuwisse, author of Cybersecurity for Beginners, believes the proposal is a bad idea. “Existing
cybersecurity professionals will look at any additional overhead or demands imposed by any national
training standards and think; not this. They will vote with their feet and move their skills on to more savvy
international employers.”

Meeuwisse believes that top talent rarely bothers with certifications, “not only because their talent speaks
for itself but more importantly because training and certification content often lags behind the operational
reality by a number of years.”

He fears that rather than levelling cybersecurity professionalism up, a National Cyber Security Council will
level down by driving the most able people out of the UK. “Any national registration or requirements,” he
told SecurityWeek, “would just act as a deterrent to the best cybersecurity professionals taking up roles in
the UK, because the success of the best cybersecurity professionals is built around having a global and
international focus.” Rather than solving the cybersecurity problem within the UK, he fears that a national
council will simply make it worse.

Meeuwisse is not alone in questioning the absolute need for certifications. Steven Lentz, CSO and director
of information security at Samsung Research America, makes a similar point. “There are a lot of security
practitioners that do not have security certifications or memberships; but does that mean they do not know
their field? They may have been practicing for 10+ years but never had the time to certify. Membership and
certification qualities are helpful but depending on the job, job experience is the key.”

Such professionals are well-aware of the existing problems within their industry. One expert, preferring to
remain anonymous because he is an ‘official’ in one of the Alliance member organizations, explained,
“There are serious problems that remain in the cybersecurity field today, which have existed for a long time.
These problems relate to inadequate level of knowledge in security practitioners, lack of measurement
performed on activities, and methodologies, poor judgment and decision making in risk management,
insufficient communication at many different levels within and between organizations, limited business
alignment and limited security assurance provided to stakeholders.”

He believes establishing a cybersecurity profession can help with this, but he has some worries. “The
nature of the work we do in managing information risk is very broad, covering disciplines as diverse as
strategy, architecture, software development, operations, supply chain risk, incident management, business
continuity and assurance. A profession should cover these and other disciplines/practices. Restricting the
scope to cybersecurity will likely be too narrow.”

He sees CyBOK itself as problematic. “We need a strong, comprehensive and balanced framework on
which to build the profession. I think the contents of the CyBOK, as it currently stands, is problematic for
two reasons. Firstly, why would you include capabilities like governance, law, regulation and privacy when
they are already covered elsewhere? And secondly, why would you exclude coverage of essential
disciplines like psychology, economics, decision theory, social science and statistics, when they are so
important to effective cybersecurity?”

The idea that a formal professional body for cybersecurity professionals is a positive and welcome step –
but that it has problems – is common. Independent security consultant Stewart Twynham acknowledges
that there must be change. “Look at any job ad for a ‘cybersecurity professional’ and you’ll see a long list of
must-have training and certifications costing anywhere from £5,000 to £25,000 – along with experience pre-
requisites that rule out most candidates. Something has to change… but at the same time we must also be
mindful of the rule of unintended consequences.”

He points to the 1986 NHS Project 2000 that was designed to turn nursing into a professional career.
“Thirty-two years on and the NHS now faces one of the greatest recruitment crises in its 70-year history
amid concerns that nurses are now academics, taught by academics and are no-longer bringing the softer
skills into hospitals that the role so desperately requires.”

David Ginsburg, VP of marketing at Cavirin, comments, “The concept of security as an accredited
profession is a noble concept. However, it should not be at the risk of interfering with the free market or
making it overly difficult for new entrants due to entrenched professional bodies.”

He suggests that the U.S. concept of the ‘professional engineer’ could provide a useful blueprint. “A
compromise could be the equivalent of the professional engineer (PE) in the U.S., where individuals are not
precluded from utilizing the latest technologies and approaches. In California, we have PEs as diverse as
electrical, nuclear, traffic, and chemical; and I could easily see cybersecurity added to the list.”

While most practitioners seem to feel that a professional body is a good idea but with problems and
difficulties, there are others more strongly in favor. “Personally, I think it’s a good thing,” Steve Furnell,
associate dean and professor of IT security at Plymouth University, told SecurityWeek: “not least because it
underlines cybersecurity as being a profession and thereby meriting consideration in its own right, as
opposed to being viewed as part of IT, and implying that any qualified IT practitioner might also be suitable
to have a stab at security.”

He doesn’t believe it has to be ‘membership by qualification’, but rather by evidence of skills and capability.
“Qualifications and certifications are means by which some aspects might be demonstrated,” he continued,
“but practitioner experience should count towards the level that can be achieved. Businesses looking to
employ staff would, of course, be well-advised to employ people with the right skills, and holding
membership of the professional body could prove to be a means of demonstrating this.”

Randy Potts, an information security leader in the Dallas, Texas area, also supports the idea. “At this point,
we need all the help we can get, and another council/organization/body might have more success. I do not
see this as the final answer, but the new council seems at least focused on clarifying qualifications and
career paths, which will aid those looking to enter,” he told SecurityWeek.

“SANS and US government bodies work together on frameworks regularly. I was a fan of the Australian
DoD Top 35 too,” he continued. “This seems to be the furtherance of such initiatives. The government
working with outside parties is a good way to get multiple perspectives. I think of all the great talent being
produced by the Israeli Defense Forces and the startup activity in Tel Aviv as a result.”

Takeaways

The idea of a professional body to raise and maintain cybersecurity standards is good – but there are many
concerns over how it may be implemented.

While individual practitioners could voice their opinions during the consultation period of August 2018, they
are precluded from being a part of the National Cyber Security Council itself. This implies that the Council
will operate as a controlling organization rather than a forum for practitioners.

There is some concern that the existing General Medical Council (GMC) may be the blueprint for the
National Cyber Security Council. Qualified medical doctors must be registered with the GMC before they
can practice – and there are many examples of doctors being ‘struck off’ for voicing the wrong opinions.

If the GMC is the blueprint, there are also concerns that security product vendors may come to wield too
much influence over the GSC, just as there are current concerns that the pharmaceutical companies
influence the GMC.

“Influence from drug companies is a problem in the [medical practitioner] space,” is one comment
received. “How much of a risk I don’t know but I’ve learnt a lot from Ben Goldacre. For cybersecurity this is
a similar risk and will need to be acknowledged and managed.” (Ben Goldacre is author of Bad Pharma:
How Drug Companies Mislead Doctors and Harm Patients.)

There is a question over whether the government will be able to fully step aside and leave an established
National Cyber Security Council as a fully independent body. Will the government ever be able to let go of
control? “No,” says Steven Lentz. “The government thinks it knows all but actually is behind the times in my
opinion. Too much politics to really help. The government can maybe have an advisory role but should not
run anything.”

“I don't know if government does need to let go,” counters Randy Potts. “If this is effective and successful
then I see the government not wanting to let go. If the initiative is a failure, the whole initiative will likely fade
away or perhaps never take off.”

The devil will be in the detail going forward. Done correctly, a professional body will benefit the nation, its
businesses, and the practitioners. Done badly, it could prove an unmitigated disaster.

“I do think the benefit of an information risk management profession (i.e. beyond just cybersecurity)
outweighs the risk, although it will need to be managed. It could even be an opportunity to show how an
emerging profession can lead the way and act as a role model for other professions. Is this idealistic?
Probably.”

There is one final question worth asking. If the formation of an overarching professional body is such an
attractive concept that all the existing professional organizations (the ‘Alliance’) offer such strong support –
why did they not come together of their own accord without first requiring the intervention of government?

ASSESSMENT

ESSAY: Answer the following questions. Write your answer under each question (5pts each).
1. Why is there a need to build and discuss the model of the information security industry?
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________
_____________________________________________________________________________

2. What are the roles and careers of information and cyber security to the consumers?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
_______________________________________________________________________

3. Why is there always a need for information security in a business/company?


______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
_______________________________________________________________________

4. When does the consumer become a producer?


______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
_______________________________________________________________________

5. Why did the government propose the development of the information security profession?
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
______________________________________________________________________________
_______________________________________________________________________

Reflection Paper: (The outline should be: INTRODUCTION, BODY, and CONCLUSION)
Topic: Why is there a need to professionalize cyber and information security practitioners?

REFERENCES:

Abousen, Doaa (2019), Computer Security, Accessed at
http://www.contrib.andrew.cmu.edu/~dabousen/Default%20-%20Copy%20(4).html

Centre for the Protection of National Infrastructure (2020), Security Planning, Accessed at
http://www.cpni.gov.uk

Cherdantseva, Y. and Hilton, J. A Reference Model of Information Assurance & Security, Accessed at
http://users.cs.cf.ac.uk/Y.V.Cherdantseva/RMIAS.pdf

Comodo (2019), What is Network Security, Accessed at
https://enterprise.comodo.com/blog/what-is-network-security/

Crawley, Kim (2017), All about the CIA Triad, Accessed at
https://threatvector.cylance.com/en_us/home/all-about-the-cia-triad.html

Forcepoint (2020), What is the CIA Triad? Accessed at https://www.forcepoint.com/cyber-edu/cia-triad

Forcepoint (2018), What is Network Security, Accessed at
https://www.forcepoint.com/cyber-edu/network-security

Fruhlinger, Josh (2020), What is information security? Definition, principles, and jobs, Accessed at
https://www.csoonline.com/article/3513899/what-is-information-security-definition-principles-and-jobs.html

Fulgencio, Eduardo M. (2016), Security Management Principles Techniques and Application

GeeksforGeeks, What is Information Security, Accessed at
https://www.geeksforgeeks.org/what-is-information-security/

javaTpoint, Computer Network Security, Accessed at
https://www.javatpoint.com/computer-network-security

Official Website, Accessed at http://ec.europa.eu/justice/data-protection/reform/index_en.htm

Retrieved at
http://www.leginfo.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.pdf

Rouse, Margaret (2020), Confidentiality, Integrity, and Availability (CIA) triad, Accessed at
https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA

Townsend, Kevin (2018), Professionalizing Cybersecurity Practitioner, Accessed at
https://www.securityweek.com/professionalizing-cybersecurity-practitioners-0

Tutorialspoint (2020), Learn Cryptography, Accessed at
https://www.tutorialspoint.com/cryptography/traditional_ciphers.htm

Tutorialspoint (2020), Learn Cryptography, Accessed at
https://www.tutorialspoint.com/cryptography/public_key_infrastructure.htm

Watkins, Steve (2013), An Introduction to Information Security and ISO27001:2013: A Pocket Guide, 2nd
Edition, IT Governance Publishing

Y. Cherdantseva and J. Hilton, "A Reference Model of Information Assurance & Security," Availability,
Reliability and Security (ARES), 2013 Eighth International Conference on, pp. 546-555, IEEE,
doi: 10.1109/ARES.2013.72, 2–6 September 2013.
