COMP3371 Cyber Security Richard Henson University of Worcester October 2015.


1 COMP3371 Cyber Security Richard Henson University of Worcester October 2015

2 Week 3: Encryption and Technical Controls
- Objectives:
  - Explain why, how, and to what standard an organisation can set up controls/ISMS
  - Compare security of most common types of data transmission
  - Explain encryption and decryption
  - Contrast between symmetric keys and asymmetric keys

3 Developing an Information Security Management System
- Each organisation is different! No template ISMS possible
- ISO27001 standard lists over 100 possible controls
  - how many are actually needed?
    - depends on an organisation’s processes
  - for each control not used
    - non-use needs to be justified…

4 An ISMS that is “fit for purpose”
- Analysis needs to acknowledge all aspects of how data is managed
  - requires an understanding of processes and associated data
- Risk assessment required to determine where controls are needed
  - ISO27001 assumes all controls needed
  - no point spending money on controls where they are not needed but exemptions need justifying…

5 A Security Controls approach light on ISMS: PCI DSS
- System devised by Credit Card Companies (i.e. banks…)
  - https://www.pcisecuritystandards.org/
- Guidelines for a number of years…
- Now with v3 a sting in the tail for the SME
  - heavy fines possible
  - can be refused business merchant facilities…
- Will affect small businesses WORLDWIDE selling online directly to consumers

6 Requirements for PCI DSS compliance? (1)
- 12 controls (11 Technical)
  - Install and maintain a firewall configuration to protect cardholder data
  - Do not use vendor-supplied defaults for system passwords and other security parameters
  - Protect stored cardholder data
  - Encrypt transmission of cardholder data across open, public networks
  - Use and regularly update anti-virus software or programs

7 What is needed for PCI DSS compliance? (2)
  - Develop and maintain secure systems and applications
  - Restrict access to cardholder data by business need-to-know
  - Assign a unique ID to each person with computer access
  - Track and monitor all access to network resources and cardholder data
  - Regularly test security systems and processes
  - Maintain a policy that addresses information security for employees and contractors

8 PCI DSS issues
- Is it realistic?
- Is it essential?
- How can it be policed?
- Discussion in groups…

9 IASME & Cyber Essentials
- IASME uses principles of ISMS and like ISO27001 uses 100+ controls… but designed to be more SME friendly
- Cyber Essentials requires only 5 controls… all essentially technical
  - Cyber Essentials now a minimum for government contracts
  - useful starting point? No IS policy!

10 Useful Technical Knowledge (covered in level 1 & 2 modules)
- Client-server networking
- The Seven OSI software layers & the TCP/IP protocol stack
- Web servers and browsers
- The importance of updates
- How firewalls fit in with the above…

11 Security of Data on the move: Internal networks
- Most organisational computers regularly interchange data
- Data could in theory be copied (although not destroyed) by being intercepted:
  - as it passes between computers through use of e/m waves (easy)
  - in copper cables (difficult)
  - in optical fibre cables (very difficult)
- The organisation therefore needs to be vigilant…

12 Security and copper cables
- UTP (Unshielded Twisted Pair) cable is cheap, but not totally secure:
  - electricity passing through a cable creates a magnetic field…
  - can then be intercepted and used to recreate the original signal…
- Shielding stops the magnetic field spreading out
  - STP (Shielded Twisted Pair) cabling available but more expensive…

13 Security, cost and Fibre Optic Cables
- Much more secure than even shielded copper
  - digital data transmitted as a high intensity light beam
  - no associated magnetic field; data can’t be “tapped”
- Can carry much more data than twisted pair
  - but:
    - cost… of cables… of installation…
- Which to choose, UTP, STP, optical fibre?
  - cost v risk balancing act

14 Security and Radio Waves
- System easy to install
  - no cabling needed, just signal boosters
- BUT… without encryption & authentication, not secure at all!
  - can be received by anyone within range and with the right equipment
  - especially easy to pick up if transmitted as “fixed spectrum”
    - “Spread spectrum” radio waves can only be picked up by equipment that can follow the changes in frequency
- such equipment MUCH more expensive…

15 Security and Network Hardware
- Very small organisations may use peer-to-peer networking and cabling/wireless
  - same dangers…
- Use intelligent hubs, switches, and a router to connect everything together and link to Internet
  - data will be stored on these devices before forwarding
  - plenty of hacks started by compromising a router!

16 Standard Internet Protocols and Security
- Early Internet:
  - users military personnel, research centre admin, etc.
  - all security vetted
  - protocols not designed with security in mind
    - about getting data safely & reliably from one place to another
- OSI model ordered protocols into a 7-layer stack:
  - based on TCP and IP
    - user system security already built in at the session layer
    - no inherent security for data on the move

17 Network-Network
- Most networks now use TCP/IP for Internet connectivity
- Any intelligent device with an IP address and connected to the Internet is theoretically visible across the network/Internet
  - otherwise, packets couldn’t be navigated to it!
- Data on such a device could be:
  - located using its IP address
  - copied to another destination using a remote computer and an appropriate network protocol (e.g. NFS – network file system, part of the TCP/IP suite)
- It really is as simple as that!!!

18 Copying, Changing, or Deleting Data on a networked computer
- Data could be tapped in exactly the same way on any Internet computer
  - must have an IP address to participate on the Internet
  - packets going to that computer have a destination IP address in the header, and headers can easily be read
  - NFS can be used to manage data remotely on that computer – which could include copying or (perhaps worse) deleting that data, or even BOTH

19 Technologies for Implementing Security Controls
- The rest of this session focuses on ensuring the security of data “on the move”…
  - through cabling systems
  - in radio waves
  - via human transportation systems stored on digital media
    - hard disks & CDs
    - digital backup tapes
    - USB sticks…

20 Client-Server Network: do’s and don'ts for administrators
- Only allow authorised (and TRUSTED) users to gain access to the network
  - ensure users are always properly authenticated
- Only allow network administrators to have full access
- Monitor the network continually to provide alerts that unauthorised access is being sought
- Encrypt data that will be sent through UTP cables and/or held on computers that are connected to the Internet
- When using the www, use secure versions of network protocols and/or tunnelling protocols to encapsulate and hide data

21 The Virtual Private Network
- Secure sending of data through the Internet
  - Only use a restricted and very secure set of Internet routers
  - No IP address broadcasting, because all packets use the same route
  - IP tunnelling protocol encapsulates data
    - normal Internet users will therefore not be able to see the sending, receiving, or intermediate IP addresses
  - Data sent is encrypted
- Potential hackers don’t get a look in!

22 Encryption/Decryption
- Technique of changing digital data in a mathematically reversible way
- Makes it impossible to get at the information… data representing it scrambled
- Coding data not new…
  - been happening for millennia
  - many clever techniques involved
  - Encryption studies - cryptography

23 What is Cryptography?
- “The safe securing, storing, and transmitting of sensitive information”
- Purpose:
  - conceal sensitive information from unauthorised persons
- Outlines protocols, practices, procedures to build components of a cryptosystem including…
  - authenticity (proof of ownership)
  - integrity (data not tampered with in any way)

24 What is a Cryptosystem?
- Well?....

25 OSI layers and cryptosystem
- Encryption level depends on:
  - circumstances
  - risk
  - value of information
- could be layer 1
  - e.g. electronically, in communications equipment
- could be layer 7…
  - encrypted directly from/to the screen
[Diagram labels: Layer 7, Layer 1, screen, hardware, software]

26 Key Escrow & Recovery
- Law enforcement agencies can intervene to decode encrypted data
  - under a court order in pursuit of criminal evidence or activity
- Escrow:
  - system of checks and balances to ensure that privacy rights are not infringed where agencies need to get hold of encrypted information
  - separate agencies keep complementary components of the key system so no entity possesses a usable key

27 Email data and Encryption
- As discussed earlier, sensitive data needs protecting…
  - Internet designed to be an “open” system
  - IDs of devices based on IP address
- Data at rest or moving round the Internet could be intercepted by:
  - someone with a good knowledge of TCP/IP
  - any IT literate person with the appropriate software
- This person could be anywhere in the world!

28 How does Encryption work?
- Unencrypted data sent e.g. in forms or email messages over the Internet is usually a sequence of ASCII codes
  - ASCII code generated at keyboard by converting a selected keyboard character into a particular binary number
  - intercepted ASCII codes not secret; very easily converted back to text

29 Encryption of ASCII data
- Encryption puts further coding onto each ASCII character in some reversible way before it is sent. Requires…
  - a coding method (often a mathematical operation)
  - a numerical value used with the coding method
- The ASCII codes can always be recovered by someone who knows the encryption method

30 Simple Encryption Example
- Algorithm based on a mathematical operation such as ADD
  - key based on a numerical digit (e.g. 5)
- Data represented by an ASCII code
- Algorithm + key produce encrypted data

31 Using Encryption
- The key must be kept secret
  - anyone with access to the key and the algorithm can decrypt the encrypted data
- BOTH of:
  - coding method
  - key used to produce cipher text
- needed to decrypt

32 Diagram – single key encryption
[Diagram labels: User sends message via server; server key; Message is coded; Data is transmitted to another server; key; Message is decoded; Message is received]

33 Simple example of an Encryption Method
- Method of encryption – add 5 to each ASCII code (this would be the key)
  - plain text = HELLO (ASCII codes 48 45 4B 4B 4F)
  - cipher text would be MJQQT (ASCII codes 4D 4A 50 50 54)
- Getting the original data back would mean subtracting 5 from each ASCII character – very easy to anyone with access to the key
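The add-5 scheme from slides 29 to 33, written out as an added Python example (not part of the original slides). It also shows why the key must be more than a single small number: once the method is known, all 256 possible keys can be tried and the readable result picked out automatically. The function names, the scoring rule and the sample message are assumptions made for illustration.

```python
"""Toy additive cipher from the slides (illustration only, not for real use)."""

def add_key_encrypt(plaintext: bytes, key: int) -> bytes:
    # Coding method: ADD the key to each ASCII code (mod 256 keeps it one byte).
    return bytes((b + key) % 256 for b in plaintext)

def add_key_decrypt(ciphertext: bytes, key: int) -> bytes:
    # Reverse operation: SUBTRACT the same key.
    return bytes((b - key) % 256 for b in ciphertext)

def text_score(candidate: bytes) -> int:
    # Assumed scoring rule: count bytes that are A-Z or a space.
    return sum(1 for b in candidate if b == 0x20 or 0x41 <= b <= 0x5A)

def brute_force(ciphertext: bytes) -> list[tuple[int, bytes]]:
    # The method is known, so only the key is secret: try every one of the
    # 256 possible keys and rank the results by how much they look like text.
    guesses = [(k, add_key_decrypt(ciphertext, k)) for k in range(256)]
    return sorted(guesses, key=lambda g: text_score(g[1]), reverse=True)

# Constructed sample message (not from the slides).
SAMPLE = b"SEND THE KEY TO BOB AT NINE PM"

if __name__ == "__main__":
    print(add_key_encrypt(b"HELLO", 5))          # the slide's example
    intercepted = add_key_encrypt(SAMPLE, 5)
    key, recovered = brute_force(intercepted)[0]
    print("recovered key:", key, "message:", recovered)
```
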

34 Effectiveness of Encryption
- Only effective if:
  - either the key remains secret
  - or the algorithm remains secret
- WWII: Germans thought they had an encryption method that was impossible to decipher
- With the efforts of the Mathematicians at Bletchley Park, the key and algorithm were deciphered

35 Access to Encrypted Data
[Diagram labels: Stored, encrypted file; NTFS EFS enabled; File system that supports encryption; Authorised User; Unauthorised User; Data encrypted; Access Denied; File accessed; “MJQQT”; “HELLO”]

36 Encryption in Practice
- Many techniques have been developed
- Examples:
  - DES (Data Encryption Standard)
  - IDEA (ID Encryption Algorithm)
  - RSA (Rivest, Shamir, Adleman)
  - Diffie-Hellman
- Classified into two types:
  - Symmetric Key
  - Asymmetric Key

37 Symmetric Encryption
- Sender and receiver share a single, common key – known as a symmetric key
- Used both to encrypt and decrypt the message
- Advantages: simpler and faster than other systems
- Disadvantages:
  - the two parties need to exchange the key in a secure way
  - the sender cannot easily be authenticated

38 DES – an example of symmetric encryption
- IBM/US gov, 1974-7; still popular
  - 56-bit encryption working on 64-bit blocks of data
- However, in view of recent research, clearly inadequate for really secure encryption
  - “Using P2P architecture and over 100,000 participants (using only idle CPU time), distributed.net was able to test 245 billion keys per second to break the 56 bit DES encryption algorithm in less than 24 hours (22 hours and 15 minutes).”

39 What levels of encryption are available?
- The more complex the key, the more difficult the encryption method is to decipher
  - a single 40-digit key can be mathematically deduced very quickly using a computer
    - known as WEAK encryption
  - an equivalent 128-digit key would take much longer to “crack”
    - known as STRONG encryption
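To put numbers on weak versus strong keys, this added Python example (not part of the original slides) takes the figures quoted on the DES slide, 245 billion keys per second for 22 hours 15 minutes, and works out how much of the 56-bit key space that covers and how long trying every key would take at the same rate for other key lengths. It assumes the 40 and 128 on this slide are key lengths in bits and that the quoted rate was sustained for the whole run.

```python
from fractions import Fraction

RATE = 245 * 10**9                 # keys tested per second (quoted on the DES slide)
ELAPSED = 22 * 3600 + 15 * 60      # 22 hours 15 minutes, in seconds
SECONDS_PER_YEAR = 365 * 24 * 3600

def keyspace(bits: int) -> int:
    # A key of n bits has 2**n possible values.
    return 2 ** bits

def fraction_searched(bits: int, rate: int = RATE, seconds: int = ELAPSED) -> Fraction:
    # Share of the key space covered in the given time (capped at all of it).
    return min(Fraction(1), Fraction(rate * seconds, keyspace(bits)))

def seconds_to_exhaust(bits: int, rate: int = RATE) -> Fraction:
    # Worst case: every key has to be tried before the right one turns up.
    return Fraction(keyspace(bits), rate)

def summary(bit_lengths=(40, 56, 128, 256)) -> dict:
    # Time to try every key at the quoted rate, for each key length.
    rows = {}
    for bits in bit_lengths:
        secs = seconds_to_exhaust(bits)
        rows[bits] = {"seconds": float(secs),
                      "years": float(secs / SECONDS_PER_YEAR)}
    return rows

if __name__ == "__main__":
    print(f"56-bit key space covered in 22h15m: {float(fraction_searched(56)):.1%}")
    for bits, row in summary().items():
        print(f"{bits:>3}-bit: {row['seconds']:.3g} s  ({row['years']:.3g} years)")
```

Each extra key bit doubles the work, so the step from 56 to 128 bits multiplies the search time by 2^72.
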

40 Making Encryption as Effective as Possible
- It makes sense to use 128-digit key encryption if possible….
- However, with commercial products there may be trade offs…
  - e.g. Verisign 40-bit SSL
    - actually 128-bit within US
    - 40-bit for any communications that go outside US borders…
  - e.g. Verisign Global Server SSL
    - “the world’s strongest encryption”
    - standard for large-scale online merchants, banks, brokerages, health care organisations and insurance companies worldwide
- Strong encryption may cost a little more
  - Is the extra expense going to be justified?

41 Breaking an Encryption Technique
- Usually achieved with the aid of very powerful computers
- The more powerful the computer, the more likely that the key can be mathematically deduced
- Until fairly recently, a 128-bit encryption key would have been considered to be secure
- However, a research team have now succeeded in breaking 128 bit encryption in seconds, using a supercomputer…

42 Secure Keys for Today and Tomorrow…
- 256-bit encryption is probably now a minimum for single key encryption
  - but only a matter of time…
- 512-bit encryption is currently used by financial institutions to transfer funds electronically via the Internet
  - again, only a matter of time before even this can be cracked…
  - Solution - 1024 bit keys?

