Security

docx

School

Centennial College *

*We aren’t endorsed by this school

Course

704

Subject

Information Systems

Date

Dec 6, 2023

Type

docx

Pages

4

Report

Uploaded by CountApePerson979

Domain 5: Security Operations 1. Provide high-level explanation for symmetric vs asymmetric encryption. What is hashing? Ans: Symmetric Encryption: This is also known as Private key cryptography or private key- encryption. In this encryption, the same secret key is used for both encryption and decryption. As the same key is used for encryption and decryption, this key is shared between both sender and recipient. Some examples of symmetric or private key encryption are: AES (Advance Encryption Standard): This algorithm uses a Substitution-permutation Network (SPN) structure. This algorithm uses fixed sizes of key and number of rounds of substitution and permutation. i.e., 10 rounds for 128 bits key ,12 rounds for 192 bits key and 14 rounds for 256-bit keys. DES Encryption: Acronym is Data Encryption Standard. This uses a small key size i.e., 56-bit key size which is smaller than AES algorithm. This algorithm consists of total of 16 rounds where in each rounds the right half of the data undergoes series of operation including permutation followed by substitution through a S-Box and key mixing with a subkey derived from a main key. At last, the result obtained is combined with the left half of the data. This process for each round is repeated creating a complex interaction of permutation and substitution until 16 round and the result then obtained is a cipher text. Due to the small key size, this encryption is vulnerable to Brute Force attack and more insecure than other algorithms that use a larger key-size. Double DES: This algorithm is a more advanced version of the DES algorithm using two successive DES encryption using different key pairs. The basic working mechanism of this algorithm is to encrypt the cipher text obtained from DES algorithm with different keys. Technically, Ciphertext = DES key2 (DES key1 (Plaintext)). Asymmetric Key algorithm: This is also known as the public key Encryption or Public Key Cryptography. The basic idea behind this algorithm is to use two different keys for encryption and decryption. Let us say we want to transmit the data from sender to recipient. Let’s say the Sender is Alice and Receiver is Bob. Each of these must key pairs one is public key, and another is private key. Let’s say Alice wants to send a message to a bob, so he encrypts the message with his private key using some asymmetric encryption algorithm and on the sender side bob uses his public key to decrypt the message. Similarly, when Bob wants to send a message to an Alice, he will encrypt the message using his private key and uses some asymmetric encryption and on the receiver side (Alice) uses his public key to decrypt the message. Here Public keys are known to each other, but private keys are secret. This idea of encryption ensures Authentication and non-repudiation. Some of the Asymmetric encryption algorithms are RSA (Rivest- Shamir algorithm, DSA (Digital Signature Algorithm), Elgamal curve cryptography (ECC), Diffie -Hellman (DH). Hashing: The input text is passed through some hashing algorithm to get a message digest or hash. This hash value is a unique representation of the input data that even a small change in the input generates a significant difference in the output. Hash functions or hash algorithms are generally used to ensure that data remains unaltered throughout the transmission. There are different types of hashing algorithms. Some of them are: MD2, MD5, SHA -1, SHA-2, SHA -512 and so on.
2. What are the phases of data lifecycle management? Ans: the phases of data life cycle management follow 6 stages: create : This is the initial phase of the data life cycle which involves the creation of the data either by any applications or by users as well as obtained from any external sources such as social media, satellite, consumer transactions. Store : Once data is created it must be stored securely for it will be accessible in future near future. Some of the concerns that should be in mind while storing data may include the place to store data. Performance cost and data regulatory compliance Use: Once the data is stored it may be used to generate useful information. Main aim of the data storage is to find some association along with the data that may help to deduce some reasoning to solve some problem or to promote innovation. Share: Another stage of the data life cycle is the sharing of data to multiple users’ organization as well as across different topography. Some of the considerations like access controls, /encryption algorithm as well secure transmission medium are to be noted to transfer data to intended recipient with no violation of confidentiality. integrity and availability. Archive: This phase includes storing data which is not used actively but may be useful in some cases. Data archiving reduces data storage costs and increases active data streamlining efficiency. Destroy: Once data is of no use and doesn’t have any information that an organization needs, it needs to be disposed of. We must be very careful while disposing of data because it is no longer in use but may have some valuable information by which malicious intruders can harm an organization. 3. What steps would you follow for system hardening? Ans: The steps to be followed for system hardening are as follows: Identification: This is the initial stage of the system hardening where a security professional identifies all the configuration and documents all the configuration items like software, hardware, and any other critical components within the system. Baseline: Next steps include maintaining a baseline while building the secure system. This baseline may include user account policies i.e., enforcing strong password policies and access controls policies. similarly, other baseline policies may include access controls, firewall configuration, logging and auditing, encryption algorithms, OS update policies and so on Change Control: This stage consists of bringing changes to the pre-existing system for its better security. This stage includes various aspects like requesting the change. evaluating the impact of the changes made, documentation of all evaluation, justification, and clarification that the change is inevitable as well as approval of the change control. This also includes a roll back policy to reboot the system to legacy mode in case of any change failure occurs within a system. Verification and audits: This is the final stage of the system hardening where each and all baseline policies change controls policies are justified and they are audited, to insure all the security hardening policies are effectively implemented without any violation of the data protection policy act meeting all required legal compliance. 4. Provide a summary of Acceptable Use policy (AUP), Bring your own device (BYOD) policy, change management policy.
Ans: Accept Use of Policy : This is a rule and regulation that governs the proper use of IT resources of an organization. This defines acceptable and prohibited activities and define consequence for any violation if the organizations accept and use policy of its infrastructure and resources are being violated. This might include prohibiting the employee from using their resources for personal use. For example: an employee is allowed to send and receive emails related to organizational purpose from the it premises of an organization while on the other hand they are prohibited to use email of an organization for personal purpose like products promotion or selling personal items. This ensures that the company’s email system remains within the organizational personnel, reducing the risk of external unauthorized access or inappropriate usage. Bring Your Own Device Policy: This policy is another data security ensuring policy that almost all organizations need to adapt. This policy defines that the personal device that an employee use to access the organizational documents as well as used to accomplish the organizational task must be registered with in the organizational device acceptance policy such as the device must have a screen lock such as pin password or biometrics authentication and so on. For example, an employee who brings his/her personal device to a workplace to perform organizational task may misplaced or lost device and his/her device is secure by screen locks or requires biometric authentication to access the device, this will help to reduce the access of the device. This simple measure helps to mitigate the data security risks associated to the organization even if a personal device is compromised. 5. What benefits (provide a list) would you receive from Security Awareness training? Ans: Security Awareness training provides profound benefits to people. Some of them can be listed as following: Endpoint Security: Security Awareness training helps to aware employees about importance of keeping their devices secure through regular software updates, anti-virus protection as well as the use of firewalls. Phishing Prevention : This helps employees to defend against Phishing attacks as security awareness training helps individuals to recognize the phishing malicious emails and malicious hyperlinks and social engineering making less vulnerable to such attacks. Password Management : This also helps individuals to know more about password policies and standards to be followed while setting passwords to their account. Furthermore, this also helps them to know how to create strong passwords, avoiding sharing passwords and regular updating. Continual Improvement : As security awareness is an ongoing process this helps employees to understand evolving cyber-attacks and ways to prevent as well as mitigate those attacks in their everyday life. Protect against insider Threats : As security awareness program is a designed to make employee more conscious about the potential threat and risk in their workplace environment, they become less susceptible to such threats posed by their contractors, colleague, and other individuals.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help

Related Documents

Application Case 7.2- Top Five Investment Bank Achieves Single Source of the Truth.docx
Application Case 3.4 EDW Helps Connect State Agencies in Michigan.docx
UsefulCommands.txt
Application Case 1.5- A Specialty Steel Bar Company Uses Analytics to Determine Available-to-Promise
DAT-250 Module 3 Project One Business Brief.docx
DAT-250 Module 4 Assignment.docx
crj 4210 chapter quiz 1.docx
BUS 625 W3 Assignment.docx
Document (29).docx
Topic 3 DQ 1 MIS 605 GCU.docx
Chaudhary Niharika TAEPDD401.docx
BA131-Final Project.docx