Unit 7: IT Systems Security and

Encryption

Overview,

I have been asked by the director our company who are developing internet based financial transfer
software to report on security threats to their website and software. I have also been asked to
investigate encryption methods to keep the software secure.

Security threats
There are many kinds of security threats. Internal security threats, external security threats passive
threats and active security threats. Since our organisation will be dealing with money transfer in
country and abroad. External security threats will be the most likely to occur however we must cover
both.

Internal security threats,

Internal security threats refer to threats that come from within our organisation. That can include
threats such as data theft, social engineering and many more. Our company is susceptible to many of
these such as data theft.

Data theft

Data theft is when you illegally get data from an organization with negative intent. Since this is a
startup company, we are especially susceptible due to the belief that we may be inexperienced. This
will have a relatively large impact on the company depending on how the stolen data is used. The
best way to prevent/ reduce the risk of this occurring is from would be to properly train all and new
employees. This is because trained employes will know the full reproductions to doing this
discouraging them.

Social engineering

Social engineering is another internal threat where you are manipulating a victim in order to gain
control or information over a computer system. Since our organisation is starting, we will be in the
process of hiring new people this hiring process can lead to hiring people that can be manipulated.
Social engineering threats such as quid pro quo and baiting. Quid pro quo is where a criminal request
an exchange of some type of data (in our case banking detail) for a monetary value with. Baiting is
where a scammer uses a false promise to lure victims into a trap where, in our case, the trap would
be used to steal financial information. This will have a relatively varied impact on our business
depending on how often it occurs and how much is stolen. The best way to prevent this from
occurring would be to properly train all and new employees.
External security threats,
External security threats are threats that come from outside of our organisation. Some of the most
common external security threats include malware and sabotage. There are many kinds of malicious
software however the ones we are most likely to be effect by are banking trojans and spyware.

Banking Trojans

Banking Trojans are when the malicious codes disguise itself as a permissible program. These can be
a problem because baking trojans main goal is to take/steal private credentials that can be used to
take a user’s online banking account. This can lead to identity theft and stolen money. Since our
business will be an internet based financial transfer software, we will be dealing with client’s privet
credential and sensitive information meaning we must be able to prevent that from being stolen.
Spyware is also a likely malware that we are likely to encounter. This can have a extremely large
impact on our business if it infects our system due to the potential amount of data that can be
stolen. The best way to prevent this would be to get antimalware on our systems.

Spyware

Spyware is software which can gather data from users’ devices without consent. This Is bad because
some of the data that can be gathered is login details and credentials. With this being gathered they
can illegally use our service for unauthorised transactions. This can have a relatively large impact on
our business because the ability on spy on people’s credentials shows that we can’t be safe with our
client’s. this can create distrust between us and our clients. Like banking trojans the best way to
prevent this would be to get antimalware.

Passive security threats

A passive threat is a threat that does not directly harm a computer system such as eaves dropping.

Eavesdropping

Eaves dropping is when a hacker intercept modifies or deletes data between two devices. This can
be bad for our company because it allows hackers to be able to view the data that is sent and
received from our clients allowing them to possibly gain clients bank detail or other personal
information. This can largely impact our company.

Active security threats

A active security threat is a threat that directly attacks a computer system such as denial of service.

Denial of service (Dos)

A denial-of-service attack is when a hacker/ cybercriminal floods our company with traffic leading to
our systems crashing. This can cause the company a lot of money and a lot of time to handle. This
would also prevent our clients from being able to access our service leading to even more money
loss.

Principles of information security Legal requirements

There are three principles of information security these confidentiality, integrity and availability.
confidentiality is the assurance that sensitive information is not is closed to unauthorized individuals,
entities, or processes. Integrity is the assurance that data or information is accurate, complete, and
uncorrupted and has not been altered or tampered with in an unauthorized manner. availability is
the assurance that authorized individuals, entities, or processes can access data or information when
needed. It is important for us to maintain the CIA triad. We can maintain confidentiality but by using
accesses controls such as passwords, Facial scan and Thumb print. Passwords are a good way to
maintain confidentiality because if they are strong, they can be hard to break preventing brute force
and unauthorized access. We can maintain the integrity of our data by implementing data validation,
error checking mechanisms and logic checking to make sure our data is not modified or corrupted
unintendedly. Data validation is a good way to maintain data integrity because it eliminates data
errors and makes sure the data isn’t corrupt providing accuracy to our data. To ensure availability we
should implement fault tolerant systems, backup power and backup systems so our critical systems
are reliable. Having a backup power system is good because in case of an emergency and our
companies main power goes down we will still be able to ensure the availability of our systems,
making sure everything doesn't go down at once. Examples of unauthorized access that could occur
in our business is the changing of passwords and logging into someone else’s account. This could
lead to unauthorized deletion or creation of data.

Legal requirements and legislation

Legislations our company will be required to follow are the GDPR and computer misuse act to name
a few. These legislations will ensure that as a company we don't break any laws and it helps
encourage us to keep our security methods up to standard. These legislations also show the rights of
our company

The GDPR/ data protection act

The data protection act gives us strong rules and principles to follow when it comes to our client's
data. Princibles such as the data must be used fairly, lawfully and transparently and data must be
used for used for specified, explicit purposest. This act also leads us to making sure that our security
system won't allow for unlawful or unauthorised access and loss. As a company we must adhere to
this act so we can not only build rapport with our clients but also because we could face a fine of up
to 7 million euros or 4% of a company's annual turnover.
The computer misuse act

The main purpose of the computer misuse act is to protect the security and integrity of computer
systems and data and this act achieves this my criminalising unauthorised access to the system or
data. We should be aware of this act because security threats such as spyware which I mentioned
before will count as breaking this act. As a company we need to make sure that this act doesn't
break allowing us to take steps to reduce the risk. Doing this is risk mitigation which mitigates the
chance of cyberattacks and data breaches. Overall, we should adhere to the computer misuse act to
avoid legal consequences and keep our reputation high.

Impact of security threats on business

The security threats i mentioned above can have a large impact on businesses. Especially if you take
into account legal requirements and the principles of information security. If there was a
confidentiality breach within this company such as unauthorized access to sensitive data, this could
impact our company leading to loss of trust between us and our customers and possible legal actions
could be taken against us by our customers. If our integrity was compromised such as data
manipulation and or our data was altered in an unauthorized way, then this can lead to us messing
up in our operations such as sending money to the wrong accounts, and this can largely impact our
credibility. If there were threats to the availability to our it's systems and data it could lead to us as a
company being not as productive as we should be and possible downtime of the apps or sites our
clients use to use our services, and this would heavily impact us and would most likely lead to loss of
money due to it. There can also be legal impacts if we don't comply with legal requirements; This can
lead to being fined or possible legal action getting taken against us due to violating data protection
laws such as the data protection act and if we were to break it, it would lead to “fines of up to £17.5
million or 4% of your annual worldwide turnover, whichever is higher”

How effective are the techniques we use against security threats

Techniques we use such as encryption is extremely effective This is because it can protect our data
from unauthorised access and manipulation. And by blocking theese it protects our confidentiality
and integrity as a company therefore encryption is a very effective method. Authentication and
access control are also very effective methods; by limiting the access to only authorized people it
prevents unauthorized breaches of our company. This means that as long as we keep our user
privacy and data access methods robust it will ensure that we keep our confidentiality, integrity and
availability. Firewalls have a medium to high effectivity. This is because firewalls will help prevent
unauthorized access through methods such as denial of service attacks, phishing emails and social
engineering. And by denying the attacks I just mentioned it will protect our availability such as
keeping our sites up preventing denial of service attacks and our integrity building trust in our
clients.
Cryptography

Cryptography is the concealing of messages with codes So that only the intended person can read it.
Cryptography will be very important for our company because we will be sending data around the
world depending on where our clients want to send their money. And we must make sure that the
data is properly encrypted so no cybercriminals and hackers and access them. But to understand
cryptographic methods you first need to understand the cryptographic principles. Confidentiality,
authenticity, encryption data integrity and non-repudiation.

Confidentiality

Confidentiality as a cryptographic principle means that only the people with permission can access
the transmitted information so it can be protected by unauthorized access this also prevents the
computer misuse act from being breached. The two forms to adhere to cryptographic confidentiality
is ssl/tls and permission rights.

Data integrity

Theese principles ensure that the information is accurate, and the data will be moved around in
predictable ways. Also, it ensures that when hashing algorithms are used the digital keys that is
received is from the genuine sender and are the real keys.

Authentication

Authentication is the means of confirming that the person who send a message is the sender and, in
our case, whether or not the person who sent money or other such data using our service is the
correct person to be sending it the two authentication mechanisms are access tokens and auth
signatures.

Encryption

Encryption is the means of transforming information into a format that cannot be understood by
people without the decryption key. This is used to protect the privacy of the information.

Nonrepudiation

This principle ensures that the message sender cannot repudiate the authentic of the message they
sent such as not allowing a person to deny sighing something after signing it.

SSL/TLS and permission rights

SSl or Secure Sockets Layer is a encryption bases security protocol where ssl initiations a process of
authentication called handshake between two devices. Handshaking happens to they can ensure
that the devices are who they claim. SSl also signs the data to verify that is has not been messed with
before reaching the target. This provides data integrity. Tls is faster than ssl me reducing the steps it
reduces the total number of cipher suites.
Hashing algorithm

A hashing algorithm is a function that makes data unreadable. They are one-way programs; this is to
ensure that they can't be decoded by someone unauthorized. This will be important to us so people
can't read the data that we send out and receive ensuring the clients data remains privet. The
process of a hashing algorithm: Create the message, choose the type of hashing algorithms, enter
the message this means the user enters the message into the computer that is running the hashing
algorithm, the start of the hash( this is where the system changes the message of any size into a
predetermined bit size the program then breaks the message into multiple equal size blocks with
each one compressed), then the hash is sent. Our company can use hashing algorithms for password
storage to stop hackers accessing a clients account. Overall, this can be used to protect our cloud
storage systems.

Check sum

Check sum is an error checking method that is used to verify if data has been corrupted or not. It is
done by sending data in multiple blocks and this is the process. Firstly, a checksum is calculated with
an algorithm that is pre agreed with the receiving device; before the data is sent and the checksum is
added to the end of the data blocks. Secondly, it is then transmitted, and the receiving device uses
the same pre agreed algorithm to calculate the checksum. Finally, if the 2 checksums are the same
then there are no errors however is they are not the same then either the data has been modified or
corrupted in some way. This will be important to our organisation to make sure there is no
corruption when money transfers occur. Overall, this improves the integrity of the data.

Salt

Salts is a string of numbers added to the end and start of a password before it is hashed. A different
salt is used for each password, and this extremely increases the security of the password making it
really hard to decrypt meaning our client password will take longer to brute force however it is still
brute force.

Block cipher

A block cipher is another cryptographic method of encrypting data. It is done by putting them in
fixed size blocks and encrypts data one block at a time. They use a symmetric keys and algorithm to
decrypt and encrypt the blocks of data. If the block length is longer than the message needs, it will
be padded (This means it will add random content to make it longer). This cipher would allow us to
securely communicate when sending and receiving data and money keeping the confidentiality high
by obscuring length and the information in it.
Stream cipher

Stream ciphers is a encryption methods where the plaintext is broken down into bits and is
encrypted one bit at a time Although if someone is eavesdropping, they can tell how long the
message is stream ciphers are useful if you don't know how long your message is going to be. This
will be important for in company messages and calls across distances to keep us from being
eavesdropped.

How the principles and uses of cryptography have an impact on the security and
protection of data.

Each principal effects cryptography and defines how we use it. cryptography makes sure that data is
encrypted and can only be accessed by the authorized parties this builds of the principle of
confidentiality by protecting information from unauthorized viewing. Cryptographic techniques such
as using digital signatures or authentication codes will all help verify the integrity of the data or
whatever is being sent. And if any unauthorised changes where to be attempted these methods
should stop and protect the data against them. Also, cryptography will enable the verification of the
parties that are trying to communicate with each other making sure that the sender is really the
sender, and the receiver is really the receiver this keeps cryptography align with the authentication
principle. Cryptography supports nonrepudiation by providing evidence that data that was sent or
received is sent or received. For example, digital signatures can be used to verify the sender so they
can deny that they sent it. Cryptography will transform the plain text into ciphertext this will make it
unreadable unless the person who wants to read it has the keys needed and without the keys it is
unreadable meaning that attacks such as eavesdropping, and packet sniffing won't work. this directly
supports the principle of encryption. Hash functions are used to make data a fixed size and
unreadable this use of cryptography will largely support the integrity of the data because if the data
was changed or altered the hash value would also change. Cryptographic protocols like ssl/tls are
used for communication. This is because they ensure that the data that is sent between systems is
secure and safe from attacks that might read or manipulate it; supporting integrity and
confidentiality.

Thank you for reading our company is sure to prosper if we are aware of the security threats I
mentions and strife to stop them accordingly while putting the cryptographic methods I mentioned
above to good use.
Reference list
Carnegie Mellon University (2023). Social Engineering - Information Security Office -
Computing Services - Carnegie Mellon University. [online] www.cmu.edu. Available at:
https://www.cmu.edu/iso/aware/dont-take-the-bait/social-engineering.html#:~:text=Social
%20engineering%20is%20the%20tactic.

Check Point Software. (n.d.). What is a Banking Trojan? [online] Available at:
https://www.checkpoint.com/cyber-hub/cyber-security/what-is-trojan/what-is-a-banking-trojan/ .

cloudflare (2023). What is SSL (Secure Sockets Layer)? | Cloudflare UK. Cloudflare. [online]
Available at: https://www.cloudflare.com/en-gb/learning/ssl/what-is-ssl/.

communications @manageengine.com, M. (n.d.). Data visibility and security solution by

ManageEngine DataSecurityPlus. [online] ManageEngine DataSecurityPlus. Available at:
https://www.manageengine.com/data-security/what-is/data-theft.html#:~:text=Data%20theft
%20refers%20to%20the.

Fortinet. (n.d.). What Are Eavesdropping Attacks? [online] Available at:

https://www.fortinet.com/uk/resources/cyberglossary/eavesdropping [Accessed 25 Mar. 2024].

Fortinet. (n.d.). What Does a Firewall Do? [online] Available at:

https://www.fortinet.com/uk/resources/cyberglossary/what-does-a-firewall-do#:~:text=Firewalls
%20protect%20your%20network%20from.

Google.com. (2024). Redirect Notice. [online] Available at: https://www.google.com/url?

sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwi5kv7Q0o-
FAxX7UkEAHV0GBYEQFnoECBQQAw&url=https%3A%2F%2Fico.org.uk%2Ffor-organisations%2Fuk-
gdpr-guidance-and-resources%2Fdata-sharing%2Fdata-sharing-a-code-of-practice%2Fenforcement-
of-this- [Accessed 25 Mar. 2024].

GOV.UK. (n.d.). Data protection. [online] Available at: https://www.gov.uk/data-

protection#:~:text=convictions%20and%20offences.-.

GOV.UK. (n.d.). Review of the Computer Misuse Act 1990: consultation and response to call
for information (accessible). [online] Available at:
https://www.gov.uk/government/consultations/review-of-the-computer-misuse-act-1990/review-of-
the-computer-misuse-act-1990-consultation-and-response-to-call-for-information-
accessible#:~:text=The%20Act%20has%20the%20intention .

Kumar, A. (2021). Why is Data Validation Crucial for Long-term Data Success. [online]
Sigmoid. Available at: https://www.sigmoid.com/blogs/data-validation/#:~:text=Data
%20validation%20provides%20accuracy%2C%20cleanness.

Learning Center. (n.d.). What is Information Security | Policy, Principles & Threats |
Imperva. [online] Available at: https://www.imperva.com/learn/data-security/information-
security-infosec/#:~:text=Confidentiality%20measures%20are%20designed%20to .

Morgan, N. (n.d.). The role of cryptography in information security. [online]

www.triskelelabs.com. Available at: https://www.triskelelabs.com/blog/the-role-of-cryptography-
in-information-security#:~:text=Confidentiality%20is%20a%20key%20priority .

What is Encryption? | Types of Encryption | Cloudflare. (n.d.). Cloudflare. [online] Available

at: https://www.cloudflare.com/learning/ssl/what-is-encryption/#:~:text=Encryption%20is%20a
%20way%20of.