Do not use red ink in your answers or in the questions.
Include a cover page (on your cover page, you must include the SSBT logo, your course name, unit name, Assessment 1/3, Submitted by: your name and Submitted to: your teacher's name).
If you use references, you can use APA 6/7.
I suggest students submit it in PDF format and as a Word doc.
Assessment 1 with answers (each answer carries 60-70 words, no more than that)
Please note these are guidelines to help you do your assessment; you are not allowed to copy and paste from top to bottom. You can take an idea from this and write it on your own.
Outline what certificate related infrastructure is.
Answers may include, but are not limited to: To secure the data that is then shared on the public domain, via websites and file sharing platforms, certificates and endorsements have been introduced to flag site, system and other points of safety. When you register new websites, create logins, use web interfaces and data repositories to transmit information, the certificate infrastructure secures your data to ensure that real people are sending real data and to the expected recipient. You will learn more about the Public Key Infrastructure that underpins certificate of sites, databases, and networks later in this topic. For the system to work, a certificate authority (CA) is given a key which enables them to authorise sites, database users, site registrations and more to share information across a closed network. The certificate tags the entity as safe or trusted to share information. In general, this happens automatically but is overseen and reviewed by a person based on logs and upon the request of a user. Those certificates are then validated and authenticated by a registration authority (RA) who authenticates both the sender and receiver and authorises the encryption and decryption processes.
Identify the common asymmetric key algorithms and explain their usage.
Answers may include, but are not limited to: Rivest Shamir Adleman (RSA): This is one of the earliest asymmetric algorithms that can be used both for encryption and digital signatures. The algorithm involves modular multiplications using large prime numbers. All but the prime numbers, in the equation, can be shared publicly and this allows messages to be encrypted. Only someone with the prime numbers, however, can decode the message.
Explain the usage of the following common symmetric key algorithms:
Answers may include, but are not limited to: The Advanced Encryption Standard (AES) is a type of block cipher used as the first priority for many organisations including the U.S. Government. Blocks can have 128, 192 or 256 bits. The block cipher works by splitting and grouping information, into fixed-size bits and then locking these bits in a block along with a block of the key. The more bits in the block, the stronger the protection. When you enter the key, it unlocks, progressively, each of the blocks allowing them to reorganise and decode and become readable again.
Answers may include, but are not limited to: The data encryption standard was an inferior, earlier version of the AES. Keys were significantly shorter and, therefore, easier to guess. It was the subject of controversy, because, whilst designed to secure government data, it was later believed to have been chosen purely because it could be broken, even with some time, in case the interior spy-agencies including the CIA and NSA, needed to obtain information that would otherwise be classified.
Answers may include, but are not limited to: Like the DES and AES, the Triple Data Encryption Standard (3DES) is a block cipher that uses three different keys, paired with the blocks of data, to encrypt almost anything. The three separate keys make this algorithm much stronger and more reliable.
Answers may include, but are not limited to: Both Blowfish and its sister, Twofish, are free tools that are used particularly for e-commerce platforms and in the protection of financial information including credit card details. Twofish is the newer version of the application and offers a longer encryption key.
Briefly explain encryption strength.
Answers may include, but are not limited to: Encryption strength relates to how easy it is to decrypt data with or without the key. The more bits in a key, the more secure the algorithm. Before you can understand what strength you may need, you first need to look at what needs protecting and at what level. It is the characteristics of the storage media that determine the level of protection required. For example, workstations which have a lot of confidential information stored directly to them and can be used to access other storage devices may need Level 1 security – the highest level. Whereas a mobile device that does not have direct access to workplace communications, like emails, nor access to workplace databases or software, may be a low-risk item and rank a level three security requirement. Level 1 security requires stronger algorithms, more layers of protection (file, folder, disk, boot disk) and longer, more tightly controlled, private and public keys. Usually, the data for Level 1 security is so confidential and private that the key needs level 1 security too!
Discuss the various encryption types, including, but not limited to:
Answers may include, but are not limited to: Public key algorithms, also known as asymmetric, require that a public key is published to all intended users, and a private key is kept secret by the users. A key can be published on a website, in manuals and procedures, by email or other communication. A special promo code, for instance, is a type of public key. You tell everyone that they will need the public key and to be logged into their account to access the promo. You give everyone the public key, they insert it in the appropriate command centre, they enter their own private key in another login box, and this unlocks the special promotion.
Answers may include, but are not limited to: Secret key algorithms are also known as symmetric or private and use one key to encode and decode information. Even though that key is kept private and secret, it is more vulnerable because anyone who accesses the key or is given the key can use it. Imagine you have a website, and it requires a password, normally sent on an introductory email, to access a membership area. Anyone who has that password gets the content for free; everyone else must pay for it. Now imagine someone shares that email with their friends. The result costs the business money!
Answers may include, but are not limited to: Hash keys or algorithms encode data that needs to remain sensitive, even from the party providing the need for the key! For example, your email account uses a public key to identify you – your username. But you enter your private hash key into the password box, which then only appears as stars or dots, to log in. The system knows your password only long enough to run the hash algorithm and match the result to the result it has stored. In other words, your email provider has no idea what your password is. They just know the result of the hash algorithm for that password. As the hash algorithm always produces the same result for the same data, each time you enter your password correctly it will match what your email provider saves.
Identify and briefly outline the functions and features of:
Access control permissions
Answers may include, but are not limited to: Access control permissions can be assigned to different people in an organisation, to different software for each person and to different locations for use. There are four general roles for ACP. Read – a person can see the files and data, read each file and access files within other structures. Write – a person can edit files and data and create new files in folders and new records in databases. Delete – a person can delete files, folders, data and records. Associate – a person can create links between data, files, folders and records. There is also a range of automatic profiles applied to these roles. They include: Granted – meaning a person has specifically been given access to features and functions. Denied – meaning a person has been specifically barred from functions and features. Unspecified – meaning a person may request a role or access and a decision will be made on an individual basis. When creating user registrations, you can apply permissions using profiles, which you have created previously, for different types of users, different business areas and different levels of responsibility. For example, an accounts clerk who processes accounts receivable may be assigned a profile that gives access to the accounting software but limits the creation of new customers or suppliers, prevents invoicing or payment of invoices and limits access to other customer databases, whereas a receptionist may be granted access to a customer database but have no access to the accounting system at all.
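The permission model described above can be expressed as a small evaluator. This is an added example, not part of the original guideline; the profile names, resource paths and the rule that an explicit Denied overrides a Granted are assumptions made for illustration.

```python
from enum import Enum


class Decision(Enum):
    GRANTED = "granted"          # access specifically given
    DENIED = "denied"            # access specifically barred
    UNSPECIFIED = "unspecified"  # no rule: decided case by case on request


ACTIONS = {"read", "write", "delete", "associate"}

# Constructed profiles modelled on the two roles in the text (hypothetical names).
PROFILES = {
    "accounts_receivable_clerk": {
        ("accounting", "read"): Decision.GRANTED,
        ("accounting", "write"): Decision.GRANTED,
        ("accounting/customers", "write"): Decision.DENIED,  # no new customers
        ("accounting/suppliers", "write"): Decision.DENIED,  # no new suppliers
        ("accounting/invoices", "write"): Decision.DENIED,   # no invoicing
        ("customer_db", "read"): Decision.DENIED,            # other customer data
    },
    "receptionist": {
        ("customer_db", "read"): Decision.GRANTED,
        ("accounting", "read"): Decision.DENIED,
        ("accounting", "write"): Decision.DENIED,
        ("accounting", "delete"): Decision.DENIED,
        ("accounting", "associate"): Decision.DENIED,
    },
}


def ancestors(resource):
    """'a/b/c' -> ['a/b/c', 'a/b', 'a'] so rules on a parent cover its children."""
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def check(profile_names, resource, action):
    """Resolve one request for a user holding one or more profiles.

    Assumption of this example: any matching Denied wins over any Granted,
    and a request that matches no rule stays Unspecified (needs a decision).
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    matched = set()
    for name in profile_names:
        rules = PROFILES[name]
        for res in ancestors(resource):
            decision = rules.get((res, action))
            if decision is not None:
                matched.add(decision)
    if Decision.DENIED in matched:
        return Decision.DENIED
    if Decision.GRANTED in matched:
        return Decision.GRANTED
    return Decision.UNSPECIFIED


if __name__ == "__main__":
    clerk = ["accounts_receivable_clerk"]
    for resource, action in [("accounting/ledger", "write"),
                             ("accounting/invoices", "write"),
                             ("customer_db", "read"),
                             ("hr_files", "read")]:
        print(resource, action, check(clerk, resource, action).value)
```
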
Answers may include, but are not limited to: A digital signature acts as a handwritten signature in electronic environments linking the signer to the signed document with keys. Digital signatures are used for individuals to agree to statements, policies, and procedures, to sign contracts and agreements, to authorise money exchange or the recording of data. Whether the user physically signs, using a mouse, or ticks a box to sign a document, the individual's private key – normally based on their IP or email address – is added to the document and then an algorithm matches this, and their public key, with the signed document, called a hash, and encrypts the data. It also timestamps the signature and adds other important, distinguishing data to ensure that the signature becomes reliable. If the algorithm and the public key cannot unlock the data, then the document has been changed since it was originally signed, and the signature is no longer validated.
The following encryption types:
Answers may include, but are not limited to: Symmetric encryption is used for fast transfers and information share where the level of encryption required is lower. It uses only one key to both lock and unlock one or more lots of data. It requires pre-arrangement so that both parties share the key – this can be in the form of a password. However, if someone loses the key or the key becomes compromised it's possible that you will lose access to the data completely. Some applications for symmetric encryption include software access, cloud and email storage. Asymmetric encryption is stronger as two different, unique keys are generated and mathematically linked via an algorithm. The public key is widely shared, whilst a private key is restricted to a single person via their IP or email address or similar unique identifier. It works by encrypting messages with one key and decrypting with the second. The keys are long and can contain letters and numbers so that they cannot easily be remembered, and the encrypting and decrypting processes can be time consuming or slow. One-way encryption converts data to a sequence that is then checked against corresponding records. The same data will always result in the same sequence. But they cannot always be easily guessed, replicated, or duplicated because of the algorithms used. The sequence cannot be worked backwards, either, to identify the data.
Answers may include, but are not limited to: Timestamps include date, time to the millisecond and any other identifying details at the time of digitally signing or encrypting data and act as a certification that an action or encryption occurred on a certain day and at a certain time. They can be used to authenticate data if they are compliant and created using the time stamp protocol. A good example of timestamps in action is email timestamps which can provide assurance about when the email data was created.
What are one-way message digests? Include in your answer MD5 and SHA.
Answers may include, but are not limited to: One way message digests and hash algorithms are designed to encode data in one direction only, creating a message digest, or hash, that the other user stores and matches each time the private key is entered. Each time the data is entered, it results in the same message digest which can be matched. It’s a bit like entering hex codes for website colours. If you enter the correct sequence of numbers and letters, it recognises the red, blue and green values that then produce the colour. The hex code is like the private key. Looking at it means nothing to anyone, but entering that code always results in the same RGB response. Message Digest Algorithm 5 (MD5) is less secure than Secure Hash Algorithm (SHA), and both are less strong than the most recent release SHA-3. MHA is vulnerable to brute force attacks, where a person or robot uses trial and error to break into data sources. SHA-1, however, has never been broken because it’s not strictly a security feature, but rather a consistency-checker.
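The store-and-match behaviour described in the hash key answer and in the message digest answer above can be shown with Python's standard library. This is an added example, not part of the original guideline; it goes slightly beyond the text by adding a per-user salt and a slow key-derivation function (PBKDF2), and the iteration count and sample inputs are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import secrets

# Demonstration value (assumption of this example); tune upward for production.
PBKDF2_ITERATIONS = 200_000


def digest_hex(algorithm: str, data: bytes) -> str:
    """One-way digest: the same input always produces the same output."""
    return hashlib.new(algorithm, data, usedforsecurity=False).hexdigest()


def differing_bits(a_hex: str, b_hex: str) -> int:
    """Count the bits that differ between two digests of equal length."""
    return bin(int(a_hex, 16) ^ int(b_hex, 16)).count("1")


def enroll(password: str):
    """What the service stores at registration: a random salt and the derived
    value, never the password itself."""
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                 PBKDF2_ITERATIONS)
    return salt, stored


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """At login: repeat the same one-way computation and compare results.
    compare_digest avoids leaking how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                    PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    message = b"constructed sample message"
    for name in ("md5", "sha1", "sha256", "sha3_256"):
        d = digest_hex(name, message)
        print(f"{name:9s} {len(d) * 4:3d} bits  {d}")

    # A one-character change gives an unrelated-looking digest.
    a = digest_hex("sha256", b"abc")
    b = digest_hex("sha256", b"abd")
    print("bits changed by one character:", differing_bits(a, b), "of 256")

    salt, stored = enroll("constructed-passphrase")
    print("correct password:", verify("constructed-passphrase", salt, stored))
    print("wrong password:  ", verify("constructed-passphrasf", salt, stored))
```
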
Define and explain:
Answers must include: PKI – public key infrastructure; PGP – pretty good privacy; GnuPG – GNU Privacy Guard. And might include: When we talk about public key infrastructure, we are talking about people who have been given a role in encryption, the keys and how they are managed and distributed and the policies and procedures that support encryption in a workplace. We use public key infrastructure (PKI) to set a framework in which to use Pretty Good Privacy (PGP) encryption methods. PGP, which is actually very good privacy, works on the asymmetric encryption principles. It is one of the earliest forms of the technology, and the principles now underpin modern algorithms. Before software was developed specifically for PGP, manual key management was required. As the technology has evolved, the software has been developed to help others to encrypt and decrypt messages using the PGP principles. One of the providers of this software, GnuPG, makes its software free to use and distribute to ensure that everyone who receives a PGP message can decrypt it.
Summarise replay security.
Answers may include, but are not limited to: Replay attacks occur when a third party replays specific actions, data, sequences or hashes in order to intercept or defraud. This specifically occurs where there is no multi-level or asymmetric encryption and where other measures are not taken to challenge identity prior to truly accepting a hash or password. Ways to avoid replay attacks and improve replay security include: using session tokens; issuing one-time passwords; using message authentication codes; encryption inclusive of session IDs and component numbers; embedding timestamps into interactions. Recent examples of replay attacks, in real life, include the interception of remote keyless entry devices, card skimming and PayPass attacks using RFID technology, prank calls which record the individual speaking specific words / phrases like “Yes” or “I understand” or “I agree”. The details taken during these attacks are then used to procure funds, make purchases, enter contracts, take out loans and similar other transactions.
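Several of the replay defences listed above (a session ID, a one-time value, a message authentication code and an embedded timestamp) can be combined in one verifier. This is an added example, not part of the original guideline; the message layout, the 30-second window and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time

MAX_SKEW_SECONDS = 30  # assumed acceptance window for the embedded timestamp


def sign_request(key: bytes, session_id: str, body: str, now=None):
    """Sender side: bind session ID, one-time nonce and timestamp to the body,
    then authenticate the whole payload with an HMAC."""
    message = {
        "session": session_id,
        "nonce": secrets.token_hex(16),  # used once, never repeated
        "ts": int(time.time() if now is None else now),
        "body": body,
    }
    payload = json.dumps(message, sort_keys=True,
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload, tag


class Verifier:
    """Receiver side: rejects tampered, stale and replayed messages."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # (session, nonce) -> timestamp

    def accept(self, payload: bytes, tag: str, now=None) -> str:
        now = int(time.time() if now is None else now)

        # 1. Authenticate first, before trusting any field in the payload.
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return "bad-mac"
        message = json.loads(payload)

        # 2. A timestamp outside the window is refused outright.
        if abs(now - message["ts"]) > MAX_SKEW_SECONDS:
            return "stale"

        # 3. Forget nonces that are too old to pass step 2 anyway, so the
        #    replay cache stays bounded.
        self.seen = {k: ts for k, ts in self.seen.items()
                     if now - ts <= MAX_SKEW_SECONDS}

        # 4. Inside the window, each (session, nonce) pair is accepted once.
        token = (message["session"], message["nonce"])
        if token in self.seen:
            return "replay"
        self.seen[token] = message["ts"]
        return "ok"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # shared secret, constructed for the demo
    verifier = Verifier(key)
    payload, tag = sign_request(key, "session-1", "pay invoice 42", now=1000)
    print(verifier.accept(payload, tag, now=1005))   # first delivery
    print(verifier.accept(payload, tag, now=1006))   # captured and re-sent
    print(verifier.accept(payload.replace(b"42", b"43"), tag, now=1006))
    print(verifier.accept(payload, tag, now=2000))   # re-sent much later
```
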
Identify and outline the common possible sources of security threats.
Answers may include, but are not limited to: Eavesdropping – this occurs when communication, such as that by telephone, Skype, messaging service, fax or video conference, is intercepted in real-time. Data interception – this occurs when the attack blocks the data from getting to its original recipient. Data corruption – this occurs when the data is encrypted, tampered with or destroyed maliciously and outside of normal processes. The result is that data cannot be recovered. Data falsification – this occurs where a person manually, or digitally, recreates a document, key, signature, or another element of encryption and sends it to the original recipient to pass it off as the original document.
Explain the protocols and applications of TCP/IP.
Answers may include, but are not limited to: One threat is the way that we link computers to each other, in a network, to allow for data sharing. To control this, we apply a set of rules to the network known as the transmission control protocol or internet protocol (TCP/IP) which sets out how information is to be broken down, transported, and reconstructed for the intended recipient. The TCP component deals with the packaging rules and the IP component limits who receives data and who from. When we choose encryption technology, we need to be cautious of how it will work with the existing TCP/IP relationships within a network to ensure it cannot be corrupted or damaged simply by the sharing mechanism itself. Because the TCP/IP is not owned or controlled by any one entity, it is accessible in regard to modification for your end-user and transferability across networks, systems and providers. The sharing mechanism includes four layers of protection, all of which can be incorporated, modified and maintained by your applications, including: The applications that standardise how information is sent, received and applied. Applications include the Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), Post Office Protocol 3 (POP3), Simple Mail Transfer Protocol (SMTP) and Simple Network Management Protocol (SNMP). Packaging layers are known as the network or internet layer which groups information into packets for transmission. We know the protocols associated with this layer as the internet protocol (IP) and the error-reporting Internet Control Message Protocol (ICMP). Physical layers of the network that provide the linkages between the hosts and nodes that talk to one another. You may be familiar with these networks and their protocols including the Ethernet for local area networks (LAN) and Address Resolution Protocol (ARP) for addressing errors. A layer to maintain the transport of communications throughout the network which includes the TCP itself and a user datagram for mapping of communication points and flows.
Summarise at least one (1) common security problem and challenge that arises from organisational issues.
Answers may include, but are not limited to: An example of this is electronic billing. You may identify that email security is a risk area across the organisation. But the accounting department and its policies, procedures and practices for electronic billing is also a risk because it’s likely, at some point, that someone may directly email a bill or contents of a bill to a customer, upon their request, opening up new security questions and problems.
Define and explain WEP, WPA and WPA2.
Answers must include: Wired equivalent privacy (WEP), Wi-Fi protected access (WPA) and Wi-Fi protected access 2 (WPA2). And may explain: The TCP/IP applies to data security regardless of whether the connection is wired or unwired (wireless). But with the introduction of wireless networks, a new facility for interception, interruption and corruption was created – anyone with a wireless device could access a network and gain access to its data sharing. To overcome this, three different wireless protocols were introduced. Wired Equivalent Privacy was introduced to create the same privacy available on a wired network. This was then replaced with the Wi-Fi protected access (WPA) and then by its own upgrade, WPA2. Both WPA and WPA2 are still used widely. However, WPA2 is more secure than its predecessor which is being phased out. All three protocols use keys to secure the network and its data. This means that an individual is required to connect first to the network using username and password, and then to the data share points. Each file is then encrypted to communicate only within that network.
Assessment 2 (each answer carries 50-60 words, no more than that)
Please note these are guidelines to help you do your assessment; you are not allowed to copy and paste from top to bottom. You can take an idea from this and write it on your own.
Outline the four (4) steps required before you can create a new, or modify an existing, security plan.
Answers could outline: Consult with a range of people who access, use, and may have an interest in data security, about the security problems within the organisation and the types of issues that may be resolved with security protocols. Analyse the types of data used and stored within your workplace to identify the types of data that need to be secured, and that which can be shared freely, the level of protection required, or the impacts of the data being leaked. Identify who will need the keys to important data and the processes that will be used to guard the keys within and external to the organisation. Investigate a range of alternatives from the simple right through to the complex.
What are the steps to follow to assess the costs which are associated with encryption options?
Answers should reflect: Identify the cost of the product itself including any upfront and ongoing costs, license, and support fees. Analyse the cost of the implementation process including the time costs associated with system downtime, staff allocated to the implementation process, systems training for other affected users, upgrades to other parts of the IT network required to support the new software, etc. Document any impacts of the implementation on other business areas including any role changes, time impacts in relation to extra security steps, training and similar. Identify the benefits of the system both regarding security and to the business functions, the ability to cater to client requests, reduced likelihood of impact to clients and so on. Analyse the benefits to other teams, business areas and to the organisation’s goals. Calculate the costs associated with each benefit, such as reductions in insurance premiums, less monetary based client resolutions, improved system control, less multiple system maintenances or similar. Draw conclusions about the options that have benefits that outweigh the product costs.
In what manner could you document the encryption options and costs, so that it can be forwarded to the appropriate person?
Answers could explain: A good way to document your recommendations, regardless of whether it is to generate discussion or apply for approval and funding, is to create a general business report.
What are the general steps to follow when you are applying encryption technologies to the enterprise system?
Answers could outline: Create an implementation plan using the guidelines provided by your organisation. Procure training services for the implementation. Identify options for integration. Critical path analysis.
Explain how to analyse the effects of encryption technologies on the roles and responsibilities of users.
Answers might explain: Your analysis may start with system checks to ensure that: The encryption technologies are working as expected. There is minimal delay between entering the keys and the decoding of the data. The keys can be generated and distributed safely and in a timely manner. There are adequate policy and procedure infrastructure to support even the most technophobic individual in your organisation! The analysis should then look at: What information classifications are accessed by each person in each role in the organisation? What specific software and applications the individual uses. Where their data is stored – locally, on a server or in the cloud. How they use workplace data and the likelihood of them needing to transfer that data externally to the organisation. Specific areas of responsibility a person may have that differs from their general work area.
What methods might be used to inform users of the new encryption technologies and the effects these have on responsibilities?
Answers could include: A good first point is to draft a simple email or hardcopy memo communication about the changes. Consider using videos to demonstrate any new steps or skills required to integrate encryption technologies into day-to-day activities. Explainer videos are an effective way to demonstrate what an individual might see on the screen and simplifying the instructions for people who need to be “shown” multiple times.
Why is it important to analyse the implementation of the encryption technologies?
Answers must reflect: To confirm function and performance. And may also include: By checking on effectiveness and acting on opportunities, you will continue to improve and adapt compliance over time to suit all changes in the security landscape.
List four (4) examples of issues you might identify from the help desk records.
Answers should consider: Problems concerning implementation. And should list four (4) of the following: System slowness and delays; Lost keys or frequent key replacement requests; Suspicious email reports; Incorrectly decoded data; Missing public keys; Changes in data classification or data that is being encrypted by the wrong technology solution.
What actions might you take in response to identified problems? List at least three (3).
Answers could include: Modifying user roles and responsibilities; Removing technology from specific files, folders and devices; Upgrading the technology or applying patches or updates as recommended; Providing user training; Decreasing computer power loads to speed up actions across the board.
Explain how to identify the relevant system logs so they can be reviewed for encryption issues and compromises.
Answers could explain: To identify relevant logs, you must: Identify exactly what logs are available. Work with developers to identify the information exchange needs. Review your strategic documentation and reporting requirements to identify data needed internally. Match available logs with internal and external compliance needs.
Why should you use an incident report to document and report to appropriate persons the issues and compromises with encryption issues?
Answers might include: An incident report is a common way of documenting issues and compromises because: A template can be produced that makes it easy to tick or circle common problems. It is easy to collate into further reports. Non-technical people can follow the process. All actions, related to the incident, can be recorded in the one place.
Assessment 3 – Practical (ICTNWK502). Each answer carries 100 words, no more than that. (The topic in assignment 3 needs to explain any one method for encryption, like the symmetric technique, etc.) Follow this table of contents for assignment 3: you need to write the answers for each question, but follow this table as well.
Table of Contents
1. Determine the encryption methods to be used through completion of the following activities:
1.1. Analyse, and record, the data security requirements of the enterprise
1.2. Create a new security plan or review the existing security plan to determine the appropriate encryption methods
1.3. Review a range of encryption technologies, ranking those which are the most appropriate, assessing the costs which are associated with each encryption option, and documenting these options and costs to forward to appropriate person for decision
2. Perform the following steps to implement the encryption
2.1. Apply the encryption technologies to the enterprise system
2.2. Analyse the effect of the encryption technologies on user roles and responsibilities, and accurately document these to inform user of the new encryption technologies and the effect it has on their responsibilities.
3. Monitor the encryption through completion of the following steps:
3.1. Analyse the implementation of the encryption technologies, confirming their function and performance
3.2. Review the help desk records to identify any problems concerning implementation and take appropriate action.
3.3. Review the system logs to identify any encryption issues and compromises, documenting these and notifying the appropriate person
The following task must be demonstrated in conditions that are safe and replicate the workplace. Noise levels, production flow, interruptions and time variances must be typical of those experienced in the network industry, and include access to:
A site where encryption installation may be conducted.
A live network.
For this task you are to complete the following steps to implement, and monitor, secure encryption technologies on at least one (1) occasion.
Determine the encryption methods to be used through completion of the following activities:
1. Analyse, and record, the data security requirements of the enterprise.
2. Create a new security plan, or review the existing security plan to determine the appropriate encryption methods.
3. Review a range of encryption technologies, ranking those which are the most appropriate, assessing the costs which are associated with each encryption option, and documenting these options and costs to forward to appropriate person for decision.
Perform the following steps to implement the encryption:
4. Apply the encryption technologies to the enterprise system.
5. Analyse the effect of the encryption technologies on user roles and responsibilities, and accurately document these to inform user of the new encryption technologies and the effect it has on their responsibilities.
Monitor the encryption through completion of the following steps:
6. Analyse the implementation of the encryption technologies, confirming their function and performance.
7. Review the help desk records to identify any problems concerning implementation, and take appropriate action.
8. Review the system logs to identify any encryption issues and compromises, documenting these and notifying the appropriate person.