
Introduction:

Security policies are the key to protecting an organization. We live in the age of
technology, and in this age security is not only about physical security but about
technology as well. Strong security greatly affects a company’s integrity, because each
company should make sure that it is securely protected from harm by both insiders and
outsiders, and that none of its private materials and information gets into the wrong
hands.

Bahrain mini mail is a digital service located in the Kingdom of Bahrain. The company is
highly successful and advanced, and its success has attracted competitors. The company
deals with highly sensitive data that includes email correspondence and commercial
secrets. Because of its success, some competitors are trying to intercept Bahrain mini
mail’s private information and data transfers. If Bahrain mini mail’s information is
leaked, the company will face massive consequences and business losses.

The aim of this report is to investigate the problems Bahrain mini mail is facing and to
recommend a suitable solution, based on an encryption method for the network, so that the
organization is properly secured. Furthermore, this report gives complete recommendations
to increase the productivity of the company and decrease any security damage it could
face in the future.

As I mentioned, this report relates to encryption, and in order to understand encryption
the reader must be aware of some background information. Cryptography has existed since
the beginning of time, although many people believe that it is a modern tool; there are
mentions of cryptography from 2000 years BC. Cryptography was the key to security in many
different civilizations of the world, especially in ancient Greece, Rome and Egypt. In
times of war many important letters needed to be sent, and an enemy could easily kill the
messenger and read the letter he carried. Cryptography was created so that even if the
enemy saw the message he would not understand it. An example of an ancient cryptographic
method is the Caesar cipher, which was created by Julius Caesar, a highly famous military
leader. The Caesar cipher is still a popular encryption method to this day (Singh, 2013).

Principles of information security and state measures to secure information
by demonstrating an understanding of cryptographic methods:

Definition of information security:


Information security is the priority of every company and every technology owner. With
regard to cryptography, information security is a defense against outsiders gaining
access to the system, preventing them from viewing or changing any data they are not
allowed to access (University Of Nevada, 2015). Cryptography is a method that empowers
information security and protects the organization’s data. Information security is
currently used in almost all of our daily devices, whether a mobile phone or a laptop.
Additionally, information security and cryptography are needed for people’s personal use,
for schools, governments and any other organization that needs protection. Information
security is so important because it preserves the confidentiality, availability and
integrity of information.

Some people might think that cryptography is a recent tool; however, cryptography has
been around for more than 3000 years. With the growth of technology and the increase in
people storing their data online, ensuring information security is now highly important
because the risk of other people accessing your data is high.

Definition of cryptography:
Put simply, cryptography is a mechanism that takes raw data and information and protects
it by scrambling it, changing the original data into a format that cannot be understood
by anyone who does not have the key. Only the person with the key can view the data in
its original, understandable form. There are many types of cryptography, but the main one
used in information security, which is explained above, is known as a cipher (Damico,
2009).

Aims objectives and purpose of cryptography:


The aims and objectives of information security with regard to cryptography are to secure
the communication between the sender and receiver by providing strong protection
mechanisms, and to make sure the message is received by the right person. Additionally,
cryptography must make sure that the data is properly secured and that it cannot be
understood by unauthorized people.

Cryptography is a very wide-ranging topic, so to ensure that it meets its aims and
objectives there are enforced policies that make sure it is working the way it should and
that it is protecting data and providing security. Policies are important because they
show how cryptography should be run and operated in different areas, and they ensure that
standards are being met (Northwestern University Information Technology, 2013).

The purpose of information security and encryption is to have better information
protection. Risk management is a way to make sure this purpose is met. Risk management
means assessing the risk, followed by a step called risk treatment, which finds
countermeasures to information security problems (cryptography is a strong example of a
countermeasure).

Operations of cryptography:

The first operation is from plain to cipher. Encryption is a part of cryptography: it
encodes information using a secret, which is human oriented, or using a key, which is
made by a computer system. Encryption converts “plaintext”, which is the true form of the
data, into a series of coded data called “cipher text”.

The second operation is from cipher to plain. It is the opposite of the first operation
and uses decryption, which transforms coded data using a secret or key. It converts
cipher text into plaintext.

Principles of Information security:

There are four main functions/principles of information security with regard to
cryptography: privacy and confidentiality, authentication, integrity, and
non-repudiation (University Of Missouri, n.d).

Confidentiality means making sure that data being moved from one authorized person to
another is not accessed or viewed by any unauthorized person. Confidentiality is assured
when only the intended people can access the data, and it is highly important because the
whole purpose of cryptography is to make sure that unauthorized people do not access the
data. The sender encrypts the data and sends it to the receiver, who decrypts it and is
able to see the original data. A breach of confidentiality can happen if the data is not
encrypted strongly and a weak key is used.

Integrity means making sure that data is not modified in a way it is not meant to be.
With regard to cryptography, integrity means making sure the information does not change
or lose its trustworthiness. Additionally, integrity means making sure that the data
stays the same through all phases of cryptography, whether it is being sent, received,
encrypted or decrypted. When an unauthorized person changes or manipulates data,
integrity is compromised. Integrity is highly important in cryptography because the data
is transformed many times to maintain its security, so if a change happens during
encryption or decryption the entire meaning of the data can be ruined, which can affect
the entire business. Integrity can be assured by using a strong, reliable encryption
method and by making sure, through file permissions, that no unauthorized people can
access the data.

Authenticity means making sure the data comes from where it claims to come from. It is
highly important because people can assume fake identities and send you data that you
think is the original. For example, if there is a breach of authenticity, a bank customer
can send fake information increasing the amount of money in his bank account; the bank
needs to know whether this information is from the original bank database or is being
sent by a criminal. Authenticity is important in cryptography because it assures that the
data is real and from a credible source. One way of implementing authenticity is to use
digital certificates, and a highly popular method is Kerberos, which is a cryptographic
authentication system.

In relation to cryptography, non-repudiation means making sure that a message that has
been sent and received was indeed sent and received by the rightful parties.
Non-repudiation ensures that the person who sent a message cannot deny sending it and
that the receiver of that message cannot deny receiving it. (A simple illustration is
WhatsApp, where you can see whether a message has been received and read.)
Non-repudiation can be guaranteed by the use of digital signatures, which act as a unique
identifier for a user, like a written signature. A breach of non-repudiation would mean
that people could claim they did not send a message, especially in cases where someone
steals information and threatens them.

Methods of cryptography:

Substitution: each character of the message is substituted with another character. One of
the most famous types is rotation, where characters are shifted in position to the right
or to the left, as in Caesar’s cipher. This is also one of the oldest types.

Transposition: the characters of the original data are rearranged to become the cipher
text.

Polyalphabetic: multiple substitution alphabets are used at the same time during the
encryption process.

Running key: the characters of the message are converted to numbers and then added
together. Additionally, the key recurs for as long as necessary.
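
The methods listed above, as an added example that is not part of the original report: a
rotation (Caesar) substitution, a columnar transposition, and a polyalphabetic cipher in
which letters become numbers and a repeating key is added to them. The function names and
the sample message are constructed for illustration, and the last function shows why such
classical ciphers cannot protect real data: the Caesar key space has only 25 keys.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar(text, shift):
    """Substitution by rotation: each letter moves `shift` places (negative = decrypt)."""
    return "".join(
        ALPHABET[(ALPHABET.index(c) + shift) % 26] if c in ALPHABET else c
        for c in text.upper()
    )

def vigenere(text, key, decrypt=False):
    """Polyalphabetic: letters become numbers and a repeating letter key is added mod 26."""
    sign = -1 if decrypt else 1
    out, used = [], 0
    for c in text.upper():
        if c in ALPHABET:
            k = ALPHABET.index(key[used % len(key)].upper())
            out.append(ALPHABET[(ALPHABET.index(c) + sign * k) % 26])
            used += 1
        else:
            out.append(c)  # spaces and punctuation pass through unchanged
    return "".join(out)

def transpose(text, cols):
    """Transposition: write the text in rows of `cols`, read it out column by column."""
    return "".join(text[c::cols] for c in range(cols))

def untranspose(cipher, cols):
    """Reverse transpose(): put each column back at its original positions."""
    rows, extra = divmod(len(cipher), cols)
    out, pos = [""] * len(cipher), 0
    for c in range(cols):
        length = rows + (1 if c < extra else 0)  # the first `extra` columns are longer
        out[c::cols] = cipher[pos:pos + length]
        pos += length
    return "".join(out)

def caesar_candidates(cipher):
    """All 25 possible decryptions: the whole key space fits in one short list."""
    return [caesar(cipher, -shift) for shift in range(1, 26)]

if __name__ == "__main__":
    message = "HELLO WORLD"  # constructed sample plaintext
    print(caesar(message, 3))
    print(vigenere(message, "KEY"))
    print(transpose(message, 3))
    print(message in caesar_candidates(caesar(message, 3)))
```

Transposition only reorders characters, so the letters of the plaintext are all still
present in the cipher text, which is another reason these methods are teaching tools only.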

Types of cryptography:

Symmetric cryptography:
Also known as secret key cryptography, it uses a single key for both encryption and
decryption. The sender uses the key to encrypt the data (plain text) and then sends the
encrypted message (cipher text) to the receiver. The receiver then uses the same key to
decrypt the message and transform it back into its original form. Both the sender and the
receiver must therefore know the key, and this need to share the key is the reason
asymmetric cryptography was developed. Additionally, symmetric cryptography is considered
fast (Columbia University, n.d).

Asymmetric cryptography:
Asymmetric cryptography uses a two-key system in which the sender and the receiver each
have a private key that is not shared and a public key, and the public keys are exchanged
between them. Authentication in asymmetric cryptography is much stronger; however, it is
much slower and more complicated (Smart, 2003).

One Way Hash:


A one-way hash is a one-way encryption that uses no key. The data (plaintext) that is
saved is converted into cipher text and becomes unreadable, and it cannot be decrypted.
Because of this, only comparisons between hashes can be made. The most famous use of
hashes for security purposes is checking whether a password is correct (Sans technology
institute, 2008).
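
The password check described above, as an added example that is not part of the original
report: the stored value is never decrypted; the attempt is hashed again and the two
hashes are compared. The record format, the function names and the iteration count are
assumptions made for this example; it uses only Python's standard library (PBKDF2 with a
random salt) and contrasts it with a bare unsalted hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune it to your hardware

def unsalted_sha256(password):
    """Weak form: the same password always yields the same hash for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password):
    """Stronger form: a random per-user salt plus a deliberately slow hash (PBKDF2)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def check_password(password, record):
    """Re-hash the attempt with the stored salt and compare hashes; nothing is decrypted."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != "pbkdf2_sha256" or rounds < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    first, second = make_record("correct horse"), make_record("correct horse")
    print(unsalted_sha256("correct horse") == unsalted_sha256("correct horse"))  # identical
    print(first == second)                          # salted records differ
    print(check_password("correct horse", first))   # right password
    print(check_password("wrong guess", first))     # wrong password
```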

Steganography:
Steganography is a different type from traditional cryptography. Normal ciphered text
attracts hackers because they know that it contains valuable information. With
steganography no one knows that there is hidden information: steganography hides
information so that nothing appears to be there. For example, it uses any unused bits and
hides information inside them (SANS Institute Reading Room site, 2003).

Identify and describe security implications for modern networks

In this part of the report I will discuss the security issues in the company network and
the methodologies that can make the company more secure.

Security Risk: High


Bahrain mini mail is having problems in its organization. The first problem is that the
company believes competitors are intercepting its data. The data includes highly
important information about its products, and if it reaches competitors the company could
lose a great deal of money.

The most famous type of encryption used online is called “PGP”, which stands for Pretty
Good Privacy. It is a commercial program; however, there is an open source version of it.
Its main purpose is to provide encryption for emails. The open source version, which is
called GPG, is used more than PGP. PGP is highly secure because you create your own
personal private and public key using the application, so it requires the user to be more
involved. From there you can upload your public key online so that other people can
search for it and use it if they want to send you an encrypted message. When you send a
message to someone, you send it using your public key, and to decrypt it they have to use
their private key. This process is slightly complicated, but in the end it is worth it if
your emails are secure. With PGP, even if Bahrain mini mail’s email is intercepted, the
people who steal the email will not be able to understand it, because all the data inside
it will be unreadable (unless they have the private key).

Security Risk: Medium


In the past Bahrain mini mail allowed the free exchange of information, meaning that
everyone in the organization could access other people’s departments and all of the
company’s information. Bahrain mini mail has set up user names and passwords for all the
workers in the organization. However, because there was free exchange of information in
the past, users have access to most data. Bahrain mini mail has set up a policy that
workers can only access personal and work data if it is for work business. Having a
policy is not enough to make sure that the organization is safe, and bigger security
implementations are needed, especially since most hacks and data theft start inside the
organization with an employee. One way of solving this problem is to separate each
department with its own data files, so that each department can use only its own data,
and only the head of a department can decide which data the department’s employees can
use. If a department wants to use another department’s work, it has to get permission
from senior management, who will give it temporary access to the needed data from the
other department. No department except human resources can hold any employee personal
data, and that data will not be shared by anyone except the main head of the company.

Security Risk: High


Bahrain mini mail needs to encrypt all of the data on its server and in its database.
Encrypting mail only encrypts the data that is being transferred, but it is important to
encrypt all of the stored information as well, so that if anyone attacks the company and
steals its data they will still not be able to understand and use it. There are multiple
applications available, such as AxCrypt, which is a free open source application that is
simple to use: you can easily encrypt the entire system, and it automatically re-encrypts
files after a person is done using them. It uses 128-bit AES, the Advanced Encryption
Standard, which is a block cipher and gives protection against brute force attacks (Paar
& Pelzl, 2009). By using this, Bahrain mini mail will make the company significantly
stronger against insiders and outsiders.

Security Risk: Low


Bahrain mini mail uses multiple operating systems and computers to access the network.
This is considered a weakness in the security of the system because different computers
and operating systems use different software and have different applications. To have
stronger security it would be better to use one operating system on all the computers, so
that it would be easier to use the same encryption application throughout the company and
to monitor changes on every computer.

Conclusion and recommendation:

After clearly defining what encryption does, how it works and its methods, and comparing
this to Bahrain mini mail, I found that Bahrain mini mail has neglected its network
security, which is highly weak in many areas throughout the organization. Bahrain mini
mail is a highly reputed and successful company with many competitors that are waiting
for any chance to damage it. A company as successful as this one should immediately start
to improve its security.

After evaluating the security risks I found that there are multiple problems, ranging
from low to high security risk, that significantly affect how the organization works.
Furthermore, each security risk has a solution that I have provided.

These are the problems:

1) Bahrain mini mail is having its data intercepted by its competitors, and this data
includes very important details about its products. If the competitors intercept more
data, Bahrain mini mail will lose all its value. Bahrain mini mail should implement an
encryption method, using an encryption app like PGP, in order to secure its network and
to send emails to business partners that are guaranteed to be secure. Additionally, even
if someone leaks the company’s information it will still be encrypted, and it would be
really hard for the hijackers to see the information.

2) Bahrain mini mail previously set up free exchange of information, and even though it
generated user names and passwords most people can still access each other’s data; with a
non-encrypted system, all the data is within anyone’s reach. To solve this problem
Bahrain mini mail needs to separate its departments’ hard drives and encrypt each one so
that other departments cannot access all the files. Additionally, only the head of
department or senior managers can give information from the hard drives to the employees.
This will make all the data secure.

3) Bahrain mini mail needs to encrypt all the information stored in its files. If
outsiders target the company and take its data, they will not be able to understand it,
so even if it is stolen the data will still be a bit secure. A solution to this problem
is to use AxCrypt, which encrypts all the hard drives easily.

To conclude, Bahrain mini mail has made the right decision by wanting to upgrade its
network security. This report has highlighted all the areas and all the solutions to its
problems. By fixing these security threats Bahrain mini mail can continue being a
successful business.

Works Cited
1. University Of Nevada. (2015). Definition of Information Security. Retrieved from
Office of Information Technology:
https://oit.unlv.edu/network-and-security/definition-information-security
2. University Of Missouri. (n.d). Cryptography. Retrieved from University Of Missouri
Information Technology:
http://www.umsl.edu/~siegelj/information_theory/projects/des.netau.net/Cryptography%20and%20goals.html
3. Columbia University. (n.d). Introduction to Cryptography. Retrieved from
http://www.cs.columbia.edu/~hgs/teaching/security/slides/crypto2.pdf
4. Damico, T. M. (2009). A Brief History of Cryptography. Retrieved from Inquiries
journal: http://www.inquiriesjournal.com/articles/41/a-brief-history-of-cryptography
5. Northwestern University Information Technology. (2013). Information Security
Policy and Standards: Data Encryption. Retrieved from Northwestern University
Information Technology:
http://www.it.northwestern.edu/policies/dataencryption.html
6. Paar, C., & Pelzl, J. (2009). Understanding Cryptography. Retrieved from
http://vladimirbozovic.net/univerzitet/wp-content/uploads/2010/02/understanding_cryptography.pdf
7. SANS Institute Reading Room site. (2003). Steganalysis: Detecting hidden
information with computer forensic analysis. Retrieved from
https://www.sans.org/reading-room/whitepapers/stenganography/steganalysis-detecting-hidden-information-computer-forensic-analysis-1014
8. Sans technology institute. (2008). Hash Functions. Retrieved from
http://www.sans.edu/cyber-research/security-laboratory/article/hash-functions
9. Singh, S. (2013). The History Of Cryptography. Retrieved from
http://www.m-a.org.uk/resources/Vol-32-No1_Jan_2003_History_of_cryptography.pdf
10. Smart, N. (2003). In Cryptography: An Introduction (pp. 93-94).