Deliverable is about 10 pages, with a network and security table included. Template and lab I will provide.
You are an enterprise security architect for a company in a semiconductor manufacturing industry where maintaining competitive advantage and protecting intellectual property is vital. You’re in charge of security operations and strategic security planning. Your responsibilities include devising the security protocols for identification, access, and authorization management.
You recently implemented cryptography algorithms to protect the information organization. Leadership is pleased with your efforts and would like you to take protection methods even further. They’ve asked you to study cyberattacks against different cryptography mechanisms and deploy access control programs to prevent those types of attacks.
“We’d like you to create plans for future security technology deployments,” says one senior manager, “and provide documentation so that others can carry out the deployments.” A director chimes in: “But you should also devise a method for ensuring the identification, integrity, and nonrepudiation of information in transit, at rest, and in use within the organization.”
Network Security and Vulnerability Threats Template
You will identify the IT system assets of the system architecture of your organization. These can be fictitious or modeled after existing architectures. Be sure to cite using APA format. You will identify threats and vulnerabilities to IT system assets and the security mechanisms used to address them.
IT System Assets | Threats and Vulnerabilities | Security Mechanisms to Address Threats and Vulnerabilities
Project 4 Resources
As the enterprise security architect, you are responsible for providing the following deliverables:
Create a network security vulnerability and threat table in which you outline the security architecture of the organization, the cryptographic means of protecting the assets of the organization, the types of known attacks against those protections, and means to ward off the attacks. This document will help you manage the current configuration of the security architecture.
Create a Common Access Card (CAC) deployment strategy in which you describe the CAC implementation and deployment and encryption methodology for information security professionals.
Create an email security strategy in which you provide the public key/private key hashing methodology to determine the best key management system for your organization. These documents will provide a security overview for the leadership in your company.
Cryptography
Encryption uses cryptographic algorithms to obfuscate data. These complex algorithms transform data from human-readable plaintext into encrypted cipher text. Encryption uses the principles of substitution and permutation to ensure that data is transformed in a nondeterministic manner by allowing the user to select the password or a key to encrypt a message. The recipient must know the key in order to decrypt the message, translating it back into the human-readable plaintext.
There are six steps that will lead you through this project. After beginning with the workplace scenario, continue to Step 1: IT Systems Architecture.
The deliverables for this project are as follows:
1. Create a single report in Word document format. This report should be about 10 pages long, double-spaced, with citations in APA format. Page count does not include diagrams or tables. The report must cover the following:
· network security and threat table
· Common Access Card deployment strategy
· email security strategy
2. In a Word document, share your lab experience and provide screenshots to demonstrate that you performed the lab (I will provide the lab document).
Step 1. IT Systems Architecture
You are a senior-level employee, and you must tailor your deliverables to suit your audience: the leadership of the organization. You may choose to use a fictitious organization, or model your organization on an existing organization. Remember that your deliverables should include proper citations.
Leadership is not familiar with the architecture of the IT systems, nor are they familiar with the types of threats that are likely or the security mechanisms in place to ward off those threats. You will provide this information in tabular format and call it the Network Security and Vulnerability Threat Table. Refer to this threat table template for guidance on creating this document.
Before you begin, select the links below to review some material on information security. These resources will help you complete the network security and vulnerability threat table.
LAN Security
Local area networks (LANs) consist of a number of devices that are connected to each other and can share resources. According to the National Institute of Standards and Technology, LANs can encounter several cyberthreats, including unauthorized access, disclosure of data, disruption of functions, spoofing, etc. (NIST, 1994). Therefore, security measures must be undertaken to ensure that the confidentiality, integrity, and availability of shared data is maintained. These measures may include identification and authentication, access control, nonrepudiation, and logging and monitoring.
Another guideline document from NIST focuses on wireless LANs (WLANs), describing them as “groups of wireless networking devices within a limited geographic area, such as an office building, that are capable of exchanging data through radio communications” (Souppaya & Scarfone, 2012).
WLANs are popular because they allow better access and enhanced mobility, compared with wired LANs, but they also encounter attacks. These attacks can be broadly classified as passive attacks, such as unauthorized access to data, and active attacks, such as denial of service. Regular security scans, firewall installation, and use of threat monitoring and cleaning software can be beneficial in securing the sensitive data, network architecture, and physical components of WLANs.
References
National Institute of Standards and Technology, US Department of Commerce. (1994). Guideline for the analysis of local area network security: Federal Information Processing Standards Publication 191. http://www.nist.gov/itl/upload/fips191
Souppaya, M., & Scarfone, K. (2012). Computer security: Guidelines for securing wireless local area networks (WLANs): Recommendations of the National Institute of Standards and Technology: Special Publication 800-153. National Institute of Standards and Technology. http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153
Availability
The confidentiality, integrity, and availability (CIA) triad is a popular security model for systems and data. While confidentiality refers to ensuring that there is no unauthorized access, integrity is the assurance that data is accurate and unaltered. The third element, availability, refers to data accessibility for authorized users at all times.
Information is useful only when it is available at the right time. The availability of information depends on the functioning of the systems that store, protect, and allow or deny access to information. Availability of data, information, servers, and sites can be affected by security attacks and intrusions, so appropriate measures should be undertaken to prevent and mitigate losses. These include performing regular backups, creating disaster recovery plans, updating software and hardware, ensuring access to adequate bandwidth, and installing security systems and firewalls.
Now you’re ready to create your table. Include and define the following components of security in the architecture of your organization, and explain if threats to these components are likely, or unlikely:
· LAN security
· identity management
· physical security
· personal security
· availability
· privacy
Next, review the different types of cyberattacks described in the following resource: cyberattacks. As you’re reading, take note of which attacks are most likely to affect your organization. Then list the security defenses you employ in your organization to mitigate these types of attacks. Include this information in your Network Security and Vulnerability Threat Table.
Step 2. Plan of Protection.
I will provide the lab document.
This hands-on lab will introduce you to Microsoft BitLocker drive encryption, a full-featured drive encryption tool that protects user computers from data exfiltration and other attacks. Given the alarming rate of high-profile breaches, using BitLocker to protect sensitive data is something to which you, government agencies, and commercial and private organizations should give serious consideration.
You will develop a disk encryption report, in addition to the project-specific requirements such as common access card deployment and email security strategy. Then incorporate your findings into the project deliverables and compile your project report for submission. Additionally, you will have to provide the leadership of your organization with your plan for data protection.
Step 3. Data Hiding Technologies
You will describe to your organization the various cryptographic means of protecting its assets. Select the links below to review encryption techniques and encryption technologies, then provide your organization with a brief overview of each.
Encryption Technologies
Encryption technologies are the methods used to encrypt and decrypt messages to ensure that they are only accessible to authorized users. They are widely used in businesses and organizations to securely transmit and store data.
Encryption technologies are implemented using algorithms that apply keys to convert simple messages into ciphertexts before sending them. The ciphertexts are then decrypted (i.e., converted back into original messages) by the receivers.
While there are several encryption algorithms available, they can be broadly classified into two categories, symmetric and asymmetric. Symmetric encryption technologies use the same key for both encryption and decryption, whereas asymmetric (or public-key) encryption technologies use two separate keys, public and private, for encryption and decryption.
Shift/Caesar Cipher
The Caesar cipher is a monoalphabetic (single alphabet) cipher that uses the same substitution across the entire message. This cipher was first used by Julius Caesar around 58 BCE to keep his enemies from being able to comprehend his military commands should the commands have fallen into their hands (Khan Academy, 2016).
The Caesar cipher is a substitution cipher; parts of the plaintext message are substituted for something else based on the cipher rules. Inverse substitution results in the deciphering of the hidden message (Practical Cryptography, n.d.).
Each letter in the message is mapped directly to another letter. Because of the simplicity of this cipher, frequency analysis (looking at the frequency with which a letter occurs in the encrypted text) can be used to crack the cipher (Braingle, 2014).
The Caesar cipher is also referred to as a shift cipher because messages are encrypted as a result of the shifting of the letters an identified number of spaces to the right and the starting of the alphabet from there, with the letters wrapping to the beginning of the alphabet until the letter Z is reached.
The position in which the shifted alphabet corresponds to the unshifted alphabet defines the cipher (Department of Mathematics, Cornell University, 2008). The number of positions by which the alphabet is shifted is referred to as the key; the key is a number between 1 and 26. Because of the simplicity of this encryption/decryption process, this cipher is considered to be very easy to crack, as there are fairly few combinations that need to be tried for an individual to determine how to decipher the message.
References
Braingle. (2014). Codes and ciphers: Frequency analysis. http://www.braingle.com/brainteasers/codes/frequencyanalysis.php
Department of Mathematics, Cornell University. (2008, summer). Lecture 1: Shift ciphers. http://www.math.cornell.edu/~mec/Summer2008/lundell/lecture1.html
Khan Academy. (2016). The Caesar cipher. https://www.khanacademy.org/computing/computer-science/cryptography/crypt/v/caesar-cipher
Practical Cryptography. (n.d.). Caesar cipher. http://practicalcryptography.com/ciphers/caesar-cipher/
Polyalphabetic Cipher
Polyalphabetic ciphers are ciphers that are based on more than one alphabet and that switch between the alphabets in a systematic way, as opposed to using fixed substitution or the same alphabet for every occurrence of the letter (known as monoalphabetic cipher) (Math Explorers’ Club, 2004). Two common examples of polyalphabetic ciphers are Playfair and Vigenère.
Under the Playfair method, pairs of letters are encrypted; a letter may be encrypted using different alphabets because encryption depends on its paired letter.
The Vigenère method uses a separate text string that is converted to numeric values that determine the number of shifts for each letter. This form of cipher was created by Giovan Battista Bellaso in 1553, but was misattributed to Blaise de Vigenère in 1586. It is similar to the Trithemius cipher but uses a keyword in its encryption strategy. This keyword (or key phrase) is repeated until it is the same length as the plaintext message, and is referred to as the keystream and used to determine the ciphertext (Rodriguez-Clark, 2013).
In 1585, Vigenère created what is known as the autokey system, where a key starts the choice of alphabet, but it is the message that determines the alphabets to use for later parts of the message (Savard, 2012).
Although both these methods are more secure than Caesar cipher (a monoalphabetic cipher method), the Vigenère method is more secure than Playfair and is used for encrypting sensitive information.
Leon Battista Alberti invented the first known polyalphabetic cipher, known as the Alberti cipher, around 1467. He started by using a mixed alphabet to encrypt plaintext but changed to a different mixed alphabet at random points, indicated by capital letters in the ciphertext.
Another example of a polyalphabetic cipher is the Trithemius cipher created by Johannes Trithemius in the fifteenth century. This cipher requires the sender to change the ciphertext alphabet after each letter is encrypted. This type of cipher is referred to as a progressive key cipher.
References
Khan Academy. (2016). Polyalphabetic cipher. https://www.khanacademy.org/computing/computer-science/cryptography/crypt/v/polyalphabetic-cipher
Math Explorers’ Club. (2014). Polyalphabetic substitution ciphers. Cornell Department of Mathematics. https://www.math.cornell.edu/~mec/2003-2004/cryptography/polyalpha/polyalpha.html
Rodriguez-Clark, D. (2013). Polyalphabetic substitution ciphers. Crypto Corner. http://crypto.interactive-maths.com/polyalphabetic-substitution-ciphers.html
Savard, J. (2012). Polyalphabetic substitution. http://www.quadibloc.com/crypto/pp010303.htm
One-Time Pad Cipher/Vernam Cipher/Perfect Cipher
The one-time pad (OTP), or Vernam cipher, created near the end of the nineteenth century, was the strongest form of encryption at the time and was shown to be unbreakable. This is why it became known as the perfect cipher. It uses keys with randomly generated letters to replace letters in messages. Each letter can be replaced with 26 possible options (alphabet), and the length of the encrypted message remains the same as the original message.
OTP is used for highly secure applications but requires extensive resources for the generation of random keys to ensure no repetition. Since the length of the message exponentially affects the number of randomly generated key possibilities for the OTP cipher, it is computationally impossible to decrypt OTP messages using brute force (Khan Academy, 2016).
For the code to be deciphered, a copy of the one-time pad is required to reverse the encryption. As its name implies, the one-time pad is used only once and then destroyed (Braingle, 2014). The following rules must be followed to ensure that the one-time pad encryption is unbreakable (Rijmenants, 2004):
· The key must be as long as the message or data encrypted.
· The key must be randomly generated.
· Both the key and plaintext must be digits, letters, or binary.
· The key must be used only once and then destroyed by the sender and receiver.
· Only two copies of the key must exist—one for the sender and one for the receiver.
The key used in this cipher is often referred to as a secret key due to the importance of the contents of the key being protected and not revealed. The invention of public-key cryptology resulted from the inability of individuals to securely control secret keys on the internet (Rouse, 2016).
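The rules listed above, as an added example that is not part of the original material: a binary one-time pad that enforces the key-length and single-use rules, followed by what an eavesdropper learns when the single-use rule is broken. The class and function names and both sample messages are constructed for this illustration.

```python
import secrets

# Constructed sample messages of equal length (not from the original page).
MESSAGE_1 = b"ship mask set A to fab 2"
MESSAGE_2 = b"hold mask set B at fab 7"


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt by XOR; the pad must be exactly as long as the data."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


class SingleUsePad:
    """One party's copy of a pad; it is wiped after its single use."""

    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)
        self._spent = False

    def apply(self, data: bytes) -> bytes:
        if self._spent:
            raise RuntimeError("pad already used and destroyed")
        result = otp_xor(data, bytes(self._pad))
        for i in range(len(self._pad)):  # overwrite the key material
            self._pad[i] = 0
        self._spent = True
        return result


def exchange(message: bytes) -> bytes:
    """Correct use: a random pad, two copies, each used once."""
    pad = secrets.token_bytes(len(message))
    sender, receiver = SingleUsePad(pad), SingleUsePad(pad)
    ciphertext = sender.apply(message)
    return receiver.apply(ciphertext)


def reuse_leak(first: bytes, second: bytes) -> bytes:
    """Incorrect use: one pad encrypts two messages.

    XORing the two ciphertexts cancels the pad, so the result equals
    first XOR second and no longer depends on the key at all.
    """
    pad = secrets.token_bytes(len(first))
    c1, c2 = otp_xor(first, pad), otp_xor(second, pad)
    return otp_xor(c1, c2)


def recover_second(leak: bytes, known_first: bytes) -> bytes:
    """Anyone who knows or guesses one message reads the other from the leak."""
    return otp_xor(leak, known_first)


if __name__ == "__main__":
    print(exchange(MESSAGE_1))
    leak = reuse_leak(MESSAGE_1, MESSAGE_2)
    print(recover_second(leak, MESSAGE_1))
```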
References
Braingle. (2014). Codes and ciphers: One-time pad. http://www.braingle.com/brainteasers/codes/onetimepad.php
Khan Academy. (2016). The one-time pad. https://www.khanacademy.org/computing/computer-science/cryptography/crypt/v/one-time-pad
Rijmenants, D. (2004). One-time pad. http://users.telenet.be/d.rijmenants/en/onetimepad.htm
Rouse, M. (2016). One-time pad. TechTarget. http://searchsecurity.techtarget.com/definition/one-time-pad
Block Ciphers
The block cipher encryption method breaks messages into blocks (groups of bits) and then encrypts the blocks using symmetric keys. The resulting encrypted blocks have the same length (number of bits) as the corresponding original blocks. According to Morris Dworkin of the National Institute of Standards and Technology (NIST), block ciphers are a “family of functions and their inverse functions that is parameterized by cryptographic keys; the functions map bit strings of a fixed length to bit strings of the same length” (Dworkin, 2001).
The size of the block (or length of bit strings) can vary, but it is common to choose a multiple of 8, such as 64 or 128 bits. If the original message is not a multiple of the block size, padding is done through the addition of extra information to achieve the desired length. Implementation models of block cipher include the Data Encryption Standard (DES), Triple DES, and Advanced Encryption Standard (AES).
References
Dworkin, M. (2001). Computer security: Recommendation for block cipher modes of operation: Special Publication 800-38A. National Institute of Standards and Technology. http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a
Triple DES
Triple Data Encryption Standard (Triple DES) is a block cipher implementation that organizes data into 64-bit blocks using the DES keys (of 56 bits each) three times.
According to Elaine Barker (2016) of the National Institute of Standards and Technology (NIST):
TDEA encrypts and decrypts data in 64-bit blocks, using three 56-bit keys. Two variations of TDEA have been defined: two-key TDEA (2TDEA), in which the first and third keys are identical, and three-key TDEA, in which the three keys are all different (i.e., distinct). (p. 24)
Triple DES is based on the older Data Encryption Standard (DES), which was created in the 1970s. However, the increased computational power available in modern systems resulted in brute-force attacks on DES encryption, which applied a 56-bit key only once. So, DES was modified into Triple DES encryption, which provided greater security.
References
Barker, E. (2016). Computer Security: Recommendation for key management (Special Publication 800-57, Part 1, Revision 4). National Institute of Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4
Rivest–Shamir–Adleman (RSA) Encryption
RSA is an asymmetric or public-key encryption algorithm that is named after its authors, Ron Rivest, Adi Shamir, and Leonard Adleman.
The algorithm uses two keys, a public key and a private key. The public key can be distributed and is used to encrypt the message. The message can only be decrypted by using the private key, which is not shared with anyone.
The RSA algorithm has been approved by the National Institute of Standards and Technology (NIST) “in [FIPS186] for digital signatures and in [SP800-56B] for key establishment” (Barker, 2016).
RSA is implemented by starting with two prime numbers and finding their product (called modulus) and the exponents for public and private keys. Further details about RSA key pairs and generation have been documented by NIST in Barker, Chen, and Moody (2014).
References
Barker, E. (2016). Computer Security: Recommendation for key management, Part 1: General (Special Publication 800-57, Part 1, Revision 4). National Institute of Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4
Barker, E., Chen, L., & Moody, D. (2014). Recommendation for pair-wise key establishment schemes using integer factorization cryptography (NIST Special Publication 800-56B, Revision 1). National Institute of Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Br1
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) is a widely adopted block cipher method that breaks the messages into 128-bit blocks and applies keys of different lengths for encryption. AES was established by the National Institute of Standards and Technology (NIST) in 2001 to overcome the problems with Data Encryption Standard (DES). According to Elaine Barker of NIST (2016):
AES encrypts and decrypts data in 128-bit blocks, using 128-, 192- or 256-bit keys. The nomenclature for AES for the different key sizes is AES-x, where x is the key size (e.g., AES-256). (p. 23)
Detailed specifications of AES algorithm have been specified in Federal Information Processing Standards Publications (FIPS PUB) 197 (NIST, 2001).
References
Barker, E. (2016). Computer Security: Recommendation for key management (NIST Special Publication 800-57, Part 1, Revision 4). National Institute of Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4
National Institute of Standards and Technology, US Department of Commerce. (2001). Announcing the advanced encryption standard (AES) (Federal Information Processing Standards Publication 197). http://csrc.nist.gov/publications/fips/fips197/fips-197
Symmetric Encryption
Symmetric encryption algorithms use the same key for encrypting and decrypting a message; the sender and receiver both have access to the key. According to the National Institute of Standards and Technology (NIST), “symmetric-key algorithms (sometimes known as secret-key algorithms) transform data in a way that is fundamentally difficult to undo without knowledge of a secret key. The key is ‘symmetric’ because the same key is used for a cryptographic operation and its inverse (e.g., encryption and decryption)” (Barker, 2016).
Key distribution in symmetric encryption poses some security threats. It is important to ensure that the key is not “disclosed to entities that are not authorized access to the data protected by that algorithm and key” (Barker, 2016).
Secret key cryptography algorithms include Data Encryption Standard (DES), Advanced Encryption Standard (AES), Global System for Mobile Communications (GSM), and General Packet Radio Service (GPRS) (Kessler, 2016).
References
Barker, E. (2016). Computer security: Recommendation for key management (Special Publication 800-57, Part 1). National Institute of Standards and Technology. US Department of Commerce. http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4
Kessler, G. C. (2016). An overview of cryptography. http://www.garykessler.net/library/crypto.html#purpose
Texture Block Coding
Texture block coding is an information-hiding technique that uses a low bit-rate spatial algorithm for encrypting media files. The coding technique is implemented through the copying of a block from a random texture region for use in another region with similar texture. The decoding process is performed through the application of autocorrelation, shifting, and thresholding functions.
Although texture block coding is reasonably resistant to filtering, compression, and rotation, it is difficult to apply because the coding process requires manual inspection. However, the technique’s robustness and its ease of decoding make it suitable for steganography or watermarking applications.
Data Hiding Technologies
Information Hiding
Information hiding is a technique that is used to prevent unauthorized access or claims and securely store data. The technique is particularly useful for images and videos and is implemented by concealing or embedding information using algorithms. Information-hiding algorithms can be classified on the basis of the amount of data hidden or embedded (low bit rate or high bit rate) and the domain used for embedding (spatial domain or transform domain).
Low bit rate methods, such as digital watermarking, embed small amounts of data in images/videos, whereas high bit rate methods embed large amounts of data. Both these methods can be applied in two domains: spatial domain (implemented by changing the pixels) and transform domain (implemented by changing the frequency).
Digital Watermarking
Digital watermarking is an information-hiding method used to identify and secure copyright information for images or videos. It is implemented through the embedding of invisible bits, which are resistant to compression and filtering, into media files (in digital formats).
According to an article published in the Journal of Applied Research and Technology, digital watermarking is “the process of embedding or hiding digital information called watermark into a multimedia product, and then the embedded data can later be extracted or detected from the watermarked product, for protecting digital content copyright and ensuring tamper-resistance, which is indiscernible and hard to remove by unauthorized persons” (Tao et al., 2014).
Digital watermarking can be applied in two domains: spatial domain (changing the pixels) and transform domain (changing the frequency). The watermarked files are prone to several types of attacks, including removal attacks (to remove watermarks), geometric attacks (to distort watermarks), and cryptographic attacks (to find secret watermarking keys) (Tao et al., 2014).
References
Tao, H., Chongmin, L., Zain, J. M., & Abdalla, A. N. (2014). Robust image watermarking theories and techniques: A review. Journal of Applied Research and Technology, 12(1). http://www.elsevier.es/en-revista-journal-applied-research-technology-jart-81-articulo-robust-image-watermarking-theories-techniques-S1665642314716128?redirectNew=true
Masking and Filtering
Masking and filtering steganography techniques are used to hide information in images so that the information is visible only to the sender and the intended receiver(s). The techniques are used for 24-bit-per-pixel color and grayscale images, and are implemented through marking (in a manner similar to watermarking).
Masking and filtering is considered more suitable for lossy JPEG images than least significant bit (LSB) insertion (another information-hiding technique), as those techniques have less degradation and are more resistant to modifications such as compression, cropping, and rotation, as well as other types of processing.
Step 4: Create the Network Security Vulnerability and Threat Table
Using the information you’ve gathered from the previous steps, prepare the network security vulnerability and threat table, in which you outline the following:
· security architecture of the organization
· the cryptographic means of protecting the assets of the organization
· the types of known attacks against those types of protections
· means to ward off the attacks
Create your Network Security Vulnerability and Threat Table and include it in your submission to the organization. Refer to this threat table template for guidance on creating this document.
Step 5: Access Control Based on Smart Card Strategies
Smart cards use encryption chips to identify the user and the user’s role, and sometimes use the user’s personally identifiable information (PII).
Two examples of smart cards are the federal government’s use of Common Access Cards (CACs), and the financial sector’s use of encryption chips in credit cards.
You have completed your threat table, and you’ve decided that you want to modernize the access control methods for your organization. To that end, read the following resources to gather some background information on access control and the various encryption schemas associated with a CAC:
Access Control
Access control is the process by which permissions are granted for given resources. Access control can be physical (e.g., locked doors accessed using various control methods) or logical (e.g., electronic keys or credentials). There are several access control models, to include:
· Role-based access control: Access is granted based on individual roles.
· Mandatory access control: Access is granted by comparing data sensitivity levels with user sensitivity access permissions.
· Attribute-based access control: Access is granted based on assigned attributes.
· Discretionary access control: Access is granted based on the identity and/or group membership of the user.
The access control model used is determined based on the needs of the organization. To determine the best model, a risk assessment should be performed to determine what threats might be applicable. This information is then used to assess which model can best protect against the threats.
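The four models listed above, as an added example that is not part of the original material: each model is written as a small decision function and all four are run against the same request, so the differences in outcome are visible side by side. The users, resource, role map, sensitivity labels and attribute rule are hypothetical and constructed for this illustration.

```python
from dataclasses import dataclass

# Hypothetical sensitivity labels, lowest to highest (used by MAC).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Hypothetical role-to-permission map (used by RBAC).
ROLE_PERMISSIONS = {
    "process_engineer": {("read", "design_file"), ("read", "yield_report")},
    "design_lead": {("read", "design_file"), ("write", "design_file")},
}


@dataclass
class User:
    name: str
    roles: set
    clearance: str
    groups: set
    attributes: dict


@dataclass
class Resource:
    name: str
    kind: str
    classification: str
    owner: str
    acl: dict          # user or group name -> set of actions the owner granted
    attributes: dict


def rbac(user: User, action: str, res: Resource) -> bool:
    """Role-based: some role held by the user carries the permission."""
    return any((action, res.kind) in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


def mac(user: User, action: str, res: Resource) -> bool:
    """Mandatory (simplified): clearance must meet the data's sensitivity label."""
    return SENSITIVITY[user.clearance] >= SENSITIVITY[res.classification]


def abac(user: User, action: str, res: Resource) -> bool:
    """Attribute-based: same department as the resource and physically on site."""
    return (user.attributes.get("department") == res.attributes.get("department")
            and user.attributes.get("location") == "on_site")


def dac(user: User, action: str, res: Resource) -> bool:
    """Discretionary: the owner, or an identity or group the owner put on the ACL."""
    if user.name == res.owner:
        return True
    principals = {user.name} | user.groups
    return any(action in res.acl.get(p, set()) for p in principals)


MODELS = {"RBAC": rbac, "MAC": mac, "ABAC": abac, "DAC": dac}


def evaluate(user: User, action: str, res: Resource) -> dict:
    """Run one request through every model and report each decision."""
    return {name: check(user, action, res) for name, check in MODELS.items()}


# Constructed sample data (not from the original page).
ALICE = User("alice", {"process_engineer"}, "confidential", {"fab_ops"},
             {"department": "fab", "location": "on_site"})
CAROL = User("carol", {"design_lead"}, "secret", {"design_team"},
             {"department": "design", "location": "remote"})
MASK_LAYOUT = Resource("mask-layout", "design_file", "secret", "bob",
                       {"design_team": {"read"}}, {"department": "design"})

if __name__ == "__main__":
    for user, action in ((ALICE, "read"), (CAROL, "read"), (CAROL, "write")):
        print(user.name, action, evaluate(user, action, MASK_LAYOUT))
```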
Common Access Card (CAC)
The Common Access Card (CAC) is a Department of Defense (DoD) card used for authentication and access. According to the Defense Human Resource Activity (DHRA, n.d.):
The CAC, a “smart” card about the size of a credit card, is the standard identification for active duty uniformed service personnel, Selected Reserve, DoD civilian employees, and eligible contractor personnel. It is also the principal card used to enable physical access to buildings and controlled spaces, and it provides access to DoD computer networks and systems.
The CAC has a single integrated circuit chip (ICC) for the storage of data such as digital fingerprints and photos, Personal Identity Verification (PIV) certificate, and agency and organizational affiliation (DHRA, n.d.). In addition, CACs enable the use of public key infrastructure (PKI) certificates, which enable the encryption and decryption of emails, the signing of digital documents, and the establishment of secure connections.
References
Defense Human Resource Activity (DHRA). (n.d.). Common access card (CAC). http://www.cac.mil/common-access-card/
Defense Human Resource Activity (DHRA). (n.d.). Common access card (CAC) security. http://www.cac.mil/common-access-card/cac-security/
You plan to deploy CAC to the company and you are tasked with devising that CAC deployment strategy, which includes the cryptographic solutions used with the CAC.
In the Common Access Card Deployment Strategy final deliverable, describe how identity management would be a part of your overall security program and your CAC deployment plan:
Create your Common Access Card Deployment Strategy and include it in your submission to the organization.
The Email Security Strategy
After completing the CAC, your next step is to build the Secure Email Strategy for the organization. You will present this tool to your leadership.
Provide an overview of the types of public-private key pairing, and show how this provides authentication and nonrepudiation. You will also add hashing and describe how this added security benefit ensures the integrity of messaging.
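The hash-then-sign mechanism described above, as an added PowerShell example (not part of the course material): a signature verifies only for the unmodified message and only against the signer's public key, which is what gives integrity, authentication and nonrepudiation. The message text, the throwaway in-memory keys and the `Test-MessageSignature` helper are constructed for illustration; the block assumes Windows, where the .NET `RSACng` class is available.

```powershell
# Added illustration: constructed message and throwaway in-memory keys (Windows, RSACng).
$sha256 = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$utf8   = [System.Text.Encoding]::UTF8

# Sender's key pair. In a smart card deployment the private key never leaves the card.
$senderKey = [System.Security.Cryptography.RSACng]::new(2048)

# The recipient holds only the public half, normally read from the sender's certificate.
$senderPublic = [System.Security.Cryptography.RSACng]::new()
$senderPublic.ImportParameters($senderKey.ExportParameters($false))

# A second, unrelated key pair standing in for someone who is not the sender.
$otherKey = [System.Security.Cryptography.RSACng]::new(2048)

function Test-MessageSignature {
    # Hypothetical helper: true only if $Signature was produced over $Text
    # by the private key that matches $PublicKey.
    param(
        [string]$Text,
        [byte[]]$Signature,
        [System.Security.Cryptography.RSA]$PublicKey
    )
    # VerifyData recomputes SHA-256 over the text and checks it against the signed hash.
    $PublicKey.VerifyData($utf8.GetBytes($Text), $Signature, $sha256, $pkcs1)
}

$message   = 'Approve wafer lot 17 for shipment'   # constructed sample
$signature = $senderKey.SignData($utf8.GetBytes($message), $sha256, $pkcs1)
$otherSig  = $otherKey.SignData($utf8.GetBytes($message), $sha256, $pkcs1)

[pscustomobject]@{
    # Integrity and authentication: same text, sender's signature.
    Unmodified  = Test-MessageSignature $message $signature $senderPublic
    # Integrity failure: one digit of the text changed after signing.
    AlteredText = Test-MessageSignature 'Approve wafer lot 71 for shipment' $signature $senderPublic
    # Authentication failure: valid signature, but not from the sender's private key.
    WrongSigner = Test-MessageSignature $message $otherSig $senderPublic
} | Format-List
```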
Begin preparing your strategy by reviewing the following resources that will aid you in becoming well informed on encryption technologies for email:
Public Key Infrastructure (PKI)
Public key infrastructure (PKI) is the management environment (consisting of hardware, software, standards, policies, and procedures) for public keys. It is used to transmit data securely and authenticate identity of users. According to the National Institute of Standards and Technology (NIST):
A public key infrastructure (PKI) binds public keys to entities, enables other entities to verify public key bindings, and provides the services needed for ongoing management of keys in a distributed system (Kuhn et al., 2001).
The four main components of PKIs are certificate authorities (CAs) to confirm the identities of the senders and receivers; registration authorities (RAs), which are used by CAs to register or issue certificates; repositories, or databases of certificates; and archives, or databases of information to determine the authentication of old documents (Kuhn et al., 2001).
References
Kuhn, D. R., Hu, V. C., Polk, W. T., & Chang, S. (2001). Introduction to public key technology and the federal PKI infrastructure (Special Publication 800-32). National Institute of Standards and Technology, US Department of Commerce. http://csrc.nist.gov/publications/nistpubs/800-32/sp800-32
iOS Encryption
Apple’s operating system, iOS, combines hardware, software, and services to provide high security on its devices. iOS uses an AES 256-bit crypto engine and a random number generator (RNG) for file encryption.
In addition, the following encryption and data protection features are described in the iOS Security white paper published by Apple Inc. (2016):
· file data protection to protect the data stored in the device’s memory
· passcodes of multiple lengths for unlocking and getting access to other functionalities
· data protection classes to determine levels of protections for different files
· keychain data protection (implemented using the SQLite database) to securely store keys and log-in tokens
· access to passwords saved by Safari by interacting with keychain items
· keybags to store keys for users, devices, backup, escrow, and iCloud
References
Apple Inc. (2016). iOS security. https://www.apple.com/business/docs/iOS_Security_Guide
Then start developing your strategy. Define these strong encryption technologies as general principles in secure email:
· Pretty Good Privacy (PGP)
· GNU Privacy Guard (GPG)
· public key infrastructure (PKI)
· digital signature
· mobile device encryption (e.g., iOS encryption and Android encryption)
In your report, also consider how the use of smart card readers tied to computer systems might be beneficial in the future enhancements to system and data access protection. This may help you define long-term solutions for your leadership.
Leadership does not know the costs and technical complexity of these email encryption strategies. To further their understanding, compare the complexities of each in relation to the security benefits, and then make a recommendation and a deployment plan.
The deliverables for this project are as follows:
2. Create a single report in Word document format. This report should be about 10 pages long, double-spaced, with citations in APA format. Page count does not include diagrams or tables. The report must cover the following:
· network security and threat table
· Common Access Card deployment strategy
· email security strategy
CST Lab Experience Report
Use this lab experience report template to document your findings from the lab and make sure to complete all required actions in each step of the lab and respond to all questions. The template is designed to be used as a guide for your lab and not necessarily a project requirement.
ADDITIONAL LAB GUIDANCE
Below is a list of additional guidance and/or recommendations for your lab experience report:
· Completing the labs: All sections or parts of the labs should be completed as required.
· Answering the lab questions: You are required to answer all the lab questions (if any).
· Taking screenshots: While taking screenshots is recommended in your lab, try to limit them and only focus on the applicable ones to support your lab report.
· Writing your lab experience report: You are required to write a summary of the lab experience report based on your findings and incorporate them into your final deliverables.
· File name convention: Please change the generic file name of this template to reflect part of your name, the course ID, or the project/lab title.
· e.g. 1: CST610 Project 4 Lab-Data Protection with Bitlocker Drive Encryption
· e.g. 2: CST610 Project 4 Lab-Data Protection with Bitlocker Drive Encryption—John Doe
· e.g. 3: CST610-Project 4 Lab_Data Protection with Bitlocker Drive Encryption (5/15/22)
In compiling your findings, think of how your experience performing the labs is related to the overall project goals. You are required to collect information from the lab to understand potential vulnerabilities and other security challenges, analyze, create your lab report, and incorporate key components in the final project report.
Please do well to pay attention to each item above and use it as a supplemental guide besides the project requirements. Finally, note that successfully completing the lab is important for achieving the overall project goals.
THE REQUIRED LAB QUESTIONS
As a cybersecurity consultant, you were hired to secure AbriteXI’s sensitive data and ensure that the company has the highest levels of security posture required to prevent data exfiltration, as well as potential attacks. By performing this lab, you have been able to ensure the highest levels of security required to prevent data exfiltration by employing BitLocker Drive Encryption (BDE). Specifically, you decided to use BDE as a data protection tool to integrate with the internal operating system (OS) and encrypted user hard drives with the aim of addressing threats to data privacy. Based on the knowledge and experience gained from the lab about the use of BitLocker encryption, answer the following questions.
PART 2—TASK 2, TASK 3, TASK 4: Performing BitLocker Encryption/Decryption, Changing Encryption/Decryption Password, TPM chip
1. Comment on what the PowerShell command outputs above indicate. There will be additional questions for you to answer later in this lab.
The PowerShell command output results in the TPM configuration. In the above example, it tells us ‘TpmPresent : False’ indicating that there is no TPM installed.
2. In your opinion, how does BitLocker work and how can you tell if a TPM is on my computer?
BitLocker encrypts the entire drive. You can configure a password prompt when specific locations are accessed. If you run PowerShell and run the command “Get-TPM”, it will tell if TPM is installed.
3. Can you use BitLocker on an operating system drive without a TPM?
BitLocker can run the OS with TPM, if you load it from a USB flash drive from boot.
4. Why do you think the attempt to enable BitLocker on the C drive without a TPM prompted the error message that the administrator must set the Allow BitLocker without a compatible TPM option?
The error indicates that TPM is not installed, but enabling BitLocker is possible as long as an Admin account enables it to do so without a TPM. This is a good protective measure against unwanted configuration, whether accidental or malicious.
5. In your opinion, why do you think you were able to encrypt the Data-A(H:) drive? What are the OS security implications of this requirement?
I was able to due to being signed in as an Admin. This requirement ensures that encryption is both legitimate and purposeful, and prevents malicious tampering.
6. When a drive is encrypted with BitLocker and the BitLocker lock is on, what options do you have to manage that drive in the Manage BitLocker utility?
In this instance, the only option, really, is to unlock the drive.
7. Other than the encryption keys that need to be generated and stored, why does BitLocker require a TPM chip?
The TPM chip is required to store encryption keys, similar to NVRAM while the machine is powered down.
8. What is the best practice for using BitLocker on an operating system drive and what role does TPM play? [hint: Think of the advantages of a TPM chip?]
Enable it on all drives and PIN protect it from decryption. The role of the TPM chip is to store encryption keys while the machine is powered down. This enables BitLocker to use stored keys rather than an external USB drive, upon startup.
What credentials are required to use BitLocker and does BitLocker support multifactor authentication?
BitLocker requires a PIN; MFA is supported.
9. Based on your experience conducting this lab, how long do you think initial encryption will take when BitLocker is turned on, and what happens if the computer is turned off during encryption or decryption?
In my experience, initial encryption was fairly quick; however, I suspect actual time will depend upon drive size and speed. If encryption or decryption is interrupted by power loss, it will pick up where it left off when power resumes.
10. Based on your experience conducting this lab, what is the difference between a recovery password and a recovery key? Where are the encryption keys stored?
A recovery password is randomly generated and saved to a specific location, whereas a recovery key is a password you input to access drives locked by BitLocker.
OPTIONAL QUESTIONS:
1. Was the C drive encryption successful? Why or why not?
2. What do you think about storage of the recovery key and an encrypted device?
3. Document your observations based on your experience conducting BitLocker encryption. Please do well to document any errors if any.
NOTE: Proceed to the next page and use the space provided to compile a summary of your lab experience report. Use additional space as necessary to complete the report.
SUMMARY OF THE LAB EXPERIENCE REPORT
Use the space below to summarize your lab experience report based on your findings from the lab, making sure to complete all required actions in each step of the lab and respond to all questions. Be sure to incorporate key parts of your findings in your final project report for submission to your professor. You may use additional space as necessary to complete the lab.
BitLocker is a great tool for encrypting drives for both personal and business use. With BitLocker you can encrypt your whole drive; BitLocker will only allow decryption with the use of a recovery key to prevent unwanted or malicious access. Only an Admin can turn this system feature on or off. Having TPM installed allows you to utilize a stored, non-volatile BitLocker encryption key; this bypasses the need to have an external USB drive to unlock it. You can set it so a password is required to access locked drives. The time it takes to encrypt a drive depends on several variables, including drive size and speed, and the amount of data being encrypted. This encryption can run in the background, allowing you to utilize the machine. Power interruption will only pause encryption, and will resume when power returns.
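The checks the lab walks through (TPM presence, lock state, encryption progress and which key protectors guard each volume), gathered into one added PowerShell example that is not part of the lab or of the report above. It assumes an elevated session on a Windows edition that ships the BitLocker module; the function name `Get-BitLockerPosture` and the wording of its findings are constructed for illustration, and recovery password values are deliberately never printed.

```powershell
# Added example: summarize TPM state and BitLocker protection for every volume.
# Run from an elevated PowerShell prompt on Windows with the BitLocker module.
function Get-BitLockerPosture {
    # Get-Tpm can throw when no TPM is exposed to the OS; treat that as "not present".
    $tpm = try { Get-Tpm -ErrorAction Stop } catch { $null }
    $tpmPresent = [bool]($tpm -and $tpm.TpmPresent)
    $tpmReady   = [bool]($tpm -and $tpm.TpmReady)

    foreach ($vol in Get-BitLockerVolume) {
        # Protector type names only, e.g. Tpm, TpmPin, Password, RecoveryPassword, ExternalKey.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $findings = @()

        if ($vol.LockStatus -eq 'Locked') {
            $findings += 'volume is locked; unlock it to read its protection state'
        } elseif ($vol.ProtectionStatus -ne 'On') {
            $findings += 'protection is not on'
        }
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if (-not ($types -like 'Tpm*')) {
                $findings += 'OS volume is not bound to the TPM'
            } elseif (-not ($types -match 'Pin')) {
                $findings += 'TPM unlocks the OS volume with no pre-boot PIN'
            }
        }
        if ($types -notcontains 'RecoveryPassword') {
            $findings += 'no recovery password protector'
        }

        [pscustomobject]@{
            MountPoint   = $vol.MountPoint
            VolumeType   = $vol.VolumeType
            LockStatus   = $vol.LockStatus
            VolumeStatus = $vol.VolumeStatus
            EncryptedPct = $vol.EncryptionPercentage
            Protectors   = $types -join ', '
            TpmPresent   = $tpmPresent
            TpmReady     = $tpmReady
            Findings     = $findings -join '; '
        }
    }
}

Get-BitLockerPosture | Format-List
```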
References
[List your references in APA 7/IEEE format here.]