ASSIGNMENT

Transcript audio

You are an enterprise security architect for a company in a semiconductor manufacturing industry where maintaining competitive advantage and protecting intellectual property is vital. You're in charge of security operations and strategic security planning. Your responsibilities include devising the security protocols for identification, access, and authorization management. You recently implemented cryptography algorithms to protect the information organization.

Leadership is pleased with your efforts and would like you to take protection methods even further. They've asked you to study cyberattacks against different cryptography mechanisms and deploy access control programs to prevent those types of attacks.

"We'd like you to create plans for future security technology deployments," says one senior manager. "And provide documentation so that others can carry out the deployments." A director chimes in, "But you should also devise a method for ensuring the identification, integrity, and nonrepudiation of information in transit, at rest, and in use within the organization." As the enterprise security architect, you are responsible for providing the following deliverables.

Create a network security vulnerability and threat table in which you outline the security architecture of the organization, the cryptographic means of protecting the assets of the organizations, the types of known attacks against those protections, and means to ward off the attacks. This document will help you manage the current configuration of the security architecture.

Create a Common Access Card, CAC deployment strategy, in which you describe the CAC implementation and deployment and encryption methodology for information security professionals. Create an email security strategy in which you provide the public key, private key hashing methodology to determine the best key management system for your organization. These documents will provide a security overview for the leadership in your company.

The deliverables for this project are as follows:

  1. Technical report: Your report should be a 6-7 page double-spaced Word document with citations in APA format. The page count does not include figures, diagrams, tables or citations.
  2. Executive summary: This should be a 2-3 page double-spaced Word document.

Note: your work will be evaluated using the competencies listed below. You can use the list below to self-check your work before submission.

  • 1.5: Use sentence structure appropriate to the task, message and audience.
  • 1.6: Follow conventions of Standard Written English.
  • 1.7: Create neat and professional looking documents appropriate for the project or presentation.
  • 2.1: Identify and clearly explain the issue, question, or problem under critical consideration.
  • 2.2: Locate and access sufficient information to investigate the issue or problem.
  • 2.3: Evaluate the information in a logical and organized manner to determine its value and relevance to the problem.
  • 2.4: Consider and analyze information in context to the issue or problem.
  • 3.2: Employ mathematical or statistical operations and data analysis techniques to arrive at a correct or optimal solution.
  • 5.1: Knowledge of procedures, tools, and applications used to keep data or information secure, including public key infrastructure, point-to-point encryption, and smart cards.

Notes: These steps below will help you in putting this report together. I advise you to pay attention to these steps carefully, as the grading of this paper will depend on how you relate and pay attention to these 6 steps.

Step 1: IT Systems Architecture

You are a senior-level employee and you must tailor your deliverables to suit your audience: the leadership of the organization. You may choose to use a fictitious organization, or model your organization on an existing organization, including proper citations.

Leadership is not familiar with the architecture of the IT systems, nor are they familiar with the types of threats that are likely or the security mechanisms in place to ward off those threats. You will provide this information in tabular format and call it the Network Security and Vulnerability Threat Table. Refer to this threat table template for guidance on creating this document.

Before you begin, select the links below to review some material on information security. These resources will help you complete the network security and vulnerability threat table.

  • LAN security
  • Availability

Now you’re ready to create your table. Include and define the following components of security in the architecture of your organization, and explain if threats to these components are likely, or unlikely:

  • LAN security
  • identity management
  • physical security
  • personal security
  • availability
  • privacy

Next, review the different types of cyberattacks described in the following resource: cyberattacks. As you're reading, take note of which attacks are most likely to affect your organization. Then list the security defenses you employ in your organization to mitigate these types of attacks. Include this information in your Network Security and Vulnerability Threat Table.

cyberattacks.

Cyberattacks refer to attacks launched against computer systems, networks, and infrastructure with the intention of committing theft of sensitive data, gaining unauthorized access, and sniffing passwords. These attacks are implemented by individuals, groups, or states and may use malicious software like viruses and worms. The problem of cyberattacks has been acknowledged by the National Institute of Standards and Technology (Johnson, Badger, Waltermire, Snyder, & Skorupka, 2016).

Cyberattacks have increased in frequency and sophistication, resulting in significant challenges for organizations in defending their data and systems from capable threat actors. These actors range from individual, autonomous attackers to well-resourced groups operating in a coordinated manner as part of a criminal enterprise or on behalf of a nation-state. These actors can be persistent, motivated, and agile, and they employ a variety of tactics, techniques, and procedures (TTPs) to compromise systems, disrupt services, commit financial fraud, and expose or steal intellectual property and other sensitive information.

Cyberattacks can be prevented or their risks minimized if organizations who have faced attack share information with others so that they can deploy resources to combat the threat.

Reference

Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Computer security: Guide to cyber threat information sharing (NIST Special Publication 800-150, 2nd draft). Retrieved from

Lab work space. (See the attached lab document to reference to the lab work)

In this lab exercise, you will learn more about the transmission of files that do not seem suspicious but that actually have embedded malicious payload, undetectable to human hearing or vision. This type of threat can enter your organization’s networks and databases undetected through the use of steganography or data hiding. You should include this type of threat vector to an organization in your report to leadership. Research how organizations can monitor, identify and remedy those files with embedded files and data, and provide these as recommendations for your leadership.
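One monitoring check an organization could run on inbound image files, shown as an added example that is not part of the original assignment or lab: it walks a PNG's chunk list, verifies each chunk's CRC, and flags any bytes appended after the closing IEND chunk, a common place for embedded files. The sample carrier and the appended bytes are constructed here, and the function names are illustrative. The check covers appended data only, not pixel-level (least significant bit) hiding.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Magic numbers of file types often found appended to a carrier image.
EMBEDDED_MAGICS = {b"PK\x03\x04": "zip", b"MZ": "pe-executable",
                   b"\x7fELF": "elf", b"%PDF": "pdf", b"Rar!": "rar"}


def _chunk(ctype, body):
    """Serialize one PNG chunk: length, type, body, CRC-32 of type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def build_sample_png():
    """Constructed 1x1 grayscale PNG used as the clean carrier file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b""))


def inspect_png(data):
    """Walk the chunk list; report CRC mismatches and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    findings = {"bad_crc": [], "trailing_bytes": 0, "trailing_type": None}
    pos, seen_iend = len(PNG_SIG), False
    while not seen_iend and pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk")
        body = data[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if crc != zlib.crc32(ctype + body):
            findings["bad_crc"].append(ctype.decode("latin-1"))
        pos, seen_iend = end, ctype == b"IEND"
    if not seen_iend:
        raise ValueError("no IEND chunk")
    trailing = data[pos:]
    if trailing:
        findings["trailing_bytes"] = len(trailing)
        findings["trailing_type"] = next(
            (name for magic, name in EMBEDDED_MAGICS.items()
             if trailing.startswith(magic)), "unknown")
    return findings


if __name__ == "__main__":
    clean = build_sample_png()
    suspect = clean + b"PK\x03\x04" + b"constructed-payload"
    print(inspect_png(clean))
    print(inspect_png(suspect))
```

A file that reports trailing bytes or a CRC mismatch would be quarantined for analysis rather than delivered.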

You will have to provide the leadership of your organization with your plan for protecting identity, access, authorization and non-repudiation of information transmission, storage, and usage.

Research scholarly works on nonrepudiation measures and discuss options for protecting the integrity of an organization's information assets, which include files, networks, databases, and e-mail, and include this in your lab report.

Step 3: Data Hiding Technologies

You will describe to your organization the various cryptographic means of protecting its assets. Select the links below to review encryption techniques and encryption technologies, then provide your organization with a brief overview of each.

Encryption Technologies

  1. Shift / Caesar cipher
  2. Polyalphabetic cipher
  3. One time pad cipher/Vernam cipher/perfect cipher
  4. Block ciphers
  5. triple DES
  6. RSA
  7. Advanced Encryption Standard (AES)
  8. Symmetric encryption
  9. Text block coding

Data Hiding Technologies

  1. Information hiding and steganography
  2. Digital watermarking
  3. Masks and filtering

Note: These descriptions will be included in the network security vulnerability and threat table for leadership.

Step 4: Creating the Network Security Vulnerability and Threat Table

Using the information you've gathered from the previous steps, prepare the network security vulnerability and threat table, in which you outline the following:

  • security architecture of the organization
  • the cryptographic means of protecting the assets of the organization
  • the types of known attacks against those types of protections
  • means to ward off the attacks

Create your Network Security Vulnerability and Threat Table, and include it in your submission to the organization. Please refer to this threat table template below for guidance on creating this document.

Network Security and Vulnerability Threats Template

You will identify the IT system assets of the system architecture of your organization. These can be fictitious or modeled after existing architectures. Be sure to cite using APA format. You will identify threats and vulnerabilities to IT system assets and the security mechanisms used to address them.

IT System Assets / Threats and Vulnerabilities / Security Mechanisms to Address Threats and Vulnerabilities

Step 5: Access Control Based on Smart Card Strategies

Smart cards use encryption chips to identify the user, their identity, role, and sometimes use their personal identifiable information (PII). Two examples of smart cards are the federal government’s use of common access cards (CACs), and the financial sector’s use of encryption chips in credit cards.

You have completed your threat table, and you've decided that you want to modernize the access control methods for your organization. To that end, you read the following resources to gather some background information on access control and the various encryption schemas associated with the Common Access Card (CAC):

  • Access control
  • Common access Card (CAC)

You plan to deploy CAC to the company and you are tasked with devising that CAC deployment strategy, which includes the cryptographic solutions used with the CAC.

In the Common Access Card Deployment Strategy final deliverable, describe how identity management would be a part of your overall security program and your CAC deployment plan:

Create your Common Access Card Deployment Strategy and include it in your submission to the organization.

Step 6: The Email Security Strategy

After completing the CAC, your next step is to build the Secure Email Strategy for the organization. You will present this tool to your leadership.

Provide an overview of the types of public-private key pairing, and show how this provides authentication and nonrepudiation. You will also add hashing, and describe how this added security benefit ensures the integrity of messaging.

Begin preparing your strategy by reviewing the following resources that will aid you in becoming well informed on encryption technologies for e-mail:

  • Public Key Infrastructure (PKI)
  • iOS encryption
  • Blackberry encryption

Then start developing your strategy. Define these strong encryption technologies as general principles in secure email:

  • Pretty Good Privacy (PGP algorithm)

  • GNU Privacy Guard (GPG)
  • Public Key Infrastructure (PKI)
  • Digital signature
  • Mobile device encryption (e.g., iOS encryption and Blackberry encryption)

In your report, also consider how the use of smart card readers tied to computer systems might be beneficial in the future enhancements to system and data access protection. This may help you define long-term solutions for your leadership.

Leadership does not know the costs and technical complexity of these email encryption strategies. To further their understanding, compare the complexities of each in relation to the security benefits, and then make a recommendation and a deployment plan.

Project 5 Topics Covered and Deliverable Outline

Project 5 Topics Covered

  1. IT Systems Architecture
  2. Architecture of IT Systems
  3. Types of Threats
  4. Security Mechanisms
  5. Table
  6. Column 1 (Components) – LAN Security, Identity Management, Physical Security, Personal Security, Availability, Privacy
  7. Column 2 (Common Threats) – Name the threats that are common to the components listed above.
  8. Column 3 (Likely or Unlikely) – Use an X to indicate if the threat is likely or unlikely to your organization
  9. Column 4 (Security Mechanisms) – List the security mechanisms that would mitigate these attacks.
  10. Column 5 (Encryption) – List any of the encryption technologies that can be used to protect the components from Column 1. (These technologies are listed in Step 3 of the project).
  11. Cyberattacks
  12. Theft of sensitive data
  13. Security defenses against these attacks
  14. Gaining unauthorized access
  15. Security defenses against these attacks
  16. Sniffing passwords
  17. Security defenses against these attacks
  18. Plan of Protection
  19. Information – describe the process to information transmission, storage and usage. This would just be a brief synopsis of how information is transmitted (different components needed for this), as with storage and usage. Then in the below describe how you would protect information in the following:
  20. Identity
  21. Access
  22. Authorization
  23. Non-repudiation
  24. Cryptographic Program
  25. Files
  26. Network
  27. Databases
  28. Email
  29. Cryptography
  30. Steganography
  31. Benefits
  32. Risks
  33. Encryption/Decryption
  34. Benefits
  35. Risks
  36. Data Hiding Technologies
  37. Encryption Technologies
  38. Shift/Caesar Cipher
  39. Polyalphabetic Cipher
  40. One Time Pad Cipher
  41. Vernam Cipher
  42. Perfect Cipher
  43. Block Ciphers
  44. Triple DES
  45. RSA
  46. Advanced Encryption Standard (AES)
  47. Symmetric Encryption
  48. Text Block Coding
  49. Data Hiding Technologies
  50. Steganography
  51. Digital Watermarking
  52. Masks and Filtering
  53. Creating the Network Security Vulnerability and Threat Table
  54. Access Control based on Smart card Strategies
  55. Access Control
  56. Common Access Card (CAC)
  57. CAC Deployment Plan
  58. Deployment Strategy
  59. Cryptographic Solutions for CAC
  60. Identity Management and CAC
  61. The Email Security Strategy
  62. Private Key Pairing
  63. Authentication
  64. Non-repudiation
  65. Hashing
  66. Integrity
  67. Public Key Infrastructure (PKI)
  68. Mobile Device Encryption
  69. iOS Encryption
  70. Blackberry Encryption
  71. Pretty Good Privacy (PGP) Algorithm
  72. Digital Signature

Project 5 Deliverable Outline

(The paper should take the format below)

  1. Title Page
  2. Abstract
  3. IT Systems
  4. Architecture
  5. Type of Attacks
  6. Security Mechanisms
  7. (Insert Table)
  8. Protection Mechanisms
  9. Information Protection (explain why the below areas need information protection)
  10. Identity
  11. Access
  12. Authorization
  13. Non-repudiation
  14. Cryptography Protection
  15. Types (for each type list benefits and risks. Refer to step 2 and 3 for different types).
  16. Benefits
  17. Risks
  18. Recommendation (Recommend which protection is best for your organization)
  19. Common Access Cards (CAC) Deployment Strategy
  20. Common Access Cards (CAC) (describe what this is)
  21. CAC Deployment Plan (describe the deployment strategy)
  22. Cryptographic Solutions for CAC
  23. Identity Management and CAC
  24. Email Security Strategy
  25. Encryption Protections (describe why email security is important)
  26. Type (list at least 3 email security technologies)
  27. Benefits
  28. Risk
  29. Recommendation
  30. Conclusion
  31. References

References

National Institute of Standards and Technology, US Department of Commerce. (1994). Specifications for guideline for the analysis local area network security (Federal Information Processing Standards Publication 191). Retrieved from

Souppaya, M., & Scarfone, K., National Institute of Standards and Technology, US Department of Commerce. (2012). Computer security: Guidelines for securing wireless local area networks (WLANs): Recommendations of the National Institute of Standards and Technology (NIST Special Publication 800-153). Retrieved from

Johnson, C., Badger, L., Waltermire, D., Snyder, J., & Skorupka, C. (2016). Computer security: Guide to cyber threat information sharing (NIST Special Publication 800-150, 2nd draft). Retrieved from

Dworkin, M. (2001). Computer security: Recommendation for block cipher modes of operation. U.S. Department of Commerce, National Institute of Standards and Technology. Retrieved August 8, 2016, from

Barker, E., National Institute of Standards and Technology, US Department of Commerce. (2016). Computer Security: Recommendation for key management (NIST Special Publication 800-57, Part 1, Revision 4). Retrieved from

Barker, E., National Institute of Standards and Technology, US Department of Commerce. (2016). Computer Security: Recommendation for key management, Part 1: General (NIST Special Publication 800-57, Part 1, Revision 4). Retrieved from

Barker, E., Chen, L., & Moody, D. National Institute of Standards and Technology, US Department of Commerce. (2014). Recommendation for pair-wise key establishment schemes using integer factorization cryptography (NIST Special Publication 800-56B, Revision 1). Retrieved from

National Institute of Standards and Technology, US Department of Commerce. (2001). Announcing the advanced encryption standard (AES) (Federal Information Processing Standards Publication 197). Retrieved from

Barker, E. (2016). Computer security: Recommendation for key management (Special Publication 800-57, Part 1). U.S. Department of Commerce, National Institute of Standards and Technology. Retrieved August 8, 2016, from

Defense Human Resource Activity (DHRA). (n.d.). Common access card (CAC). Retrieved August 8, 2016, from

Defense Human Resource Activity (DHRA). (n.d.). Common access card (CAC) security. Retrieved August 8, 2016, from

Kuhn, D. R., Hu, V. C., Polk, W. T., & Chang, S., National Institute of Standards and Technology, U.S. Department of Commerce. (2001). Introduction to public key technology and the federal PKI infrastructure (SP 800-32). Retrieved from

Apple Inc. (2016). iOS security. Retrieved from

BlackBerry. (2015). BBM security note. Retrieved from

BlackBerry. (n.d.). BBM Protected: Enterprise grade encryption for BBM messages between iPhone, Android and BlackBerry smartphones. Retrieved from
