There are several different types of combinations of authentication. Higher levels of security are generally associated with more levels of authentication (multifactor). For example, two-factor authentication might include a token and a password. Kerberos is a protocol for authentication made up of two components: a ticket (distributed by a service) for user authentication and a key that is developed from the user’s password. Another authentication scheme is the Challenge-Handshake Authentication Protocol (CHAP), which uses a representation (hash) of the user’s password to authenticate. Some sources: https://csrc.nist.gov/projects/risk-management/security-assessment/assessment-cases-download-page http://www.tldp.org/REF/INTRO/SecuringData-INTRO.pdf Part 2 : Identify Key Management Gaps, Risks, Solutions, and Challenges Incorporate and cite actual gaps in key management within your key management plan. Identify crypto attack and other risks to the cryptographic systems posed by these gaps. Propose solutions organizations may use to address these gaps and identify necessary components of these solutions. Identify challenges, including remedies, other organizations have faced in implementing a key management system Provide a summary table of the information within your key management plan.
Crypto Attacks Cryptography is used to send data over the network: Plaintext is encrypted to ciphertext using a key, transmitted over the network and decrypted back to plaintext by the receiver. Crypto attacks are the attacks that are performed to get unauthorized access to the transmitted data. According to Phatak, some “cryptographic attacks try to decipher the key, while others try to steal data on the wire by performing some advanced decryption” (2013). Common examples of crypto attacks include key hijacking, man-in-the-middle attacks, and SSL brute-force attacks. Some sources: Phatak, P. (2013). Cyber attacks explained: Cryptographic attacks. http://opensourceforu.com/2013/05/cyber-attacks-explained-cryptographic-attacks/ Part 3 : Provide Additional Considerations for the CISO Explain the uses of encryption and the benefits of securing communications by hash functions and other types of encryption. Evaluate and assess whether or not to incorporate file encryption full disc encryption, and partition encryption. Discuss the benefits of using DES, triple DES, or other encryption technologies. Describe the use and purpose of hashes and digital signatures in providing message authentication and integrity. Explain the use of cryptography and cryptanalysis in data confidentiality.
Determine if it will be more effective to develop the SEs to perform these tasks, taking into consideration the need, cost, and benefits of adding cryptanalysts to the organization’s workforce. Discuss alternative ways for obtaining cryptanalysis if the organization chooses not to maintain this new skilled community in-house Explain the concepts and practices commonly used for data confidentiality: the private and public key protocol for authentication, public key infrastructure (PKI), the x.509 cryptography standard, and PKI security. There are two main types of encryption technologies: symmetric and asymmetric. Symmetric encryption technologies use the same key for both encryption and decryption, whereas asymmetric—or public-key—encryption technologies use separate public and private keys for encryption and decryption. The most well-known encryption technique is symmetric cryptography, which is based on a shared secret, or key. Although symmetric cryptography works well within an isolated environment, maintaining secure communication is difficult if the system has to communicate with a large number of users. Asymmetric cryptography involves the use of an asymmetric-key pair—a private key and a public key. This method is also known as public-key cryptography. The public key is freely available to anyone on the Internet, whereas the private key is kept secret by the owner. Some sources:
Scarfone, K., Souppaya, M., & Sexton, M. (2007). Guide to storage encryption technologies for end user devices (Special Publication 800-111). National Institute of Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-111.pdf. Keswani, A., & Khadilkar, V. (n.d.). The SHA-1 algorithm. Lamar University Computer Science Department, Beaumont, TX. cs.lamar.edu/faculty/osborne/5340_01/summer_06/…/SHA/Project_Paper.docPart 4. Analyze Cryptographic Systems Describe the cryptographic system, its effectiveness and efficiencies. Provide an analysis of the trade-offs of different cryptographic systems. Include information on Security index rating, Level of complexity, and Availability or utilization of system resources the possible complexity and expense of implementing and operating various cryptographic ciphers Final. Develop the Enterprise Key Management Plan In the previous steps, you gathered information about systems used elsewhere. Using the materials produced in those steps, develop your Enterprise Key Management Plan for implementation, operation, and maintenance of the new system. Address these as separate sections in the plan. In this plan, you will identify the key components, the possible solutions, the risks, and benefits comparisons of each solution, and proposed mitigations to the risks. These, too,
should be considered as a separate section or could be integrated within the implementation, operation, and maintenance sections. A possible outline could be: •Introduction •Purpose •Key Components •Implementation •Operation •Maintenance •Benefits and Risks •Summary/Conclusion *****
Enterprise Key Management Policy 3 pages page double-spaced APA Word document. Discuss Digital Certificates Discuss different scenarios and hypothetical situations the policy should address. Provide policy standards, guidance, and procedures that would be invoked by the enterprise key management policy using three scenarios The final step requires you to use the information from the previous steps to develop the Enterprise Key Management Policy. The policy governs the processes, procedures, rules of behavior, and training for users and administrators of the enterprise key management system. Research similar policy documents used by other organizations and adapt an appropriate example to create your policy. Review and discuss the following within the policy: •digital certificates •certificate authority •certificate revocation lists Discuss different scenarios and hypothetical situations. For example, the policy could require that when employees leave the company, their digital certificates must be revoked within 24 hours. Another could require that employees must receive initial and annual security training.
Include at least three scenarios and provide policy standards, guidance, and procedures that would be invoked by the enterprise key management policy. Each statement should be short and should define what someone would have to do to comply with the policy. *****
