An Introduction To Information Security Cryptography And Control Families
Cryptography is the science of communicating the message in a secret code. This technique involves encoding a data (called as encryption), with a certain set of keys while sending and decoding the data (called as decryption) using same or diverse keys at the receiver’s end.
It includes a variety of algorithms for storing as well as transmitting sensitive details in a manner that only proposed receiver can access and read. In this section, we are going to explore outline of the basic factors of the cryptographic technologies and some certain ways the cryptography can be implemented to enhance security which is described in the NIST S.P-800-12r1. Furthermore, this article also presents the description of essential control families.
Uses Of Cryptography
It is used to prevent data both outside and inside the system. An inside system may be protected with physical and logical access controls. However, the system’s outside data can be protected only by the cryptography. It offers a solution to preventing data even when those data are no longer under the control of the originator.
- Data Encryption - Cryptography provides cost-effective data confidentiality via the data encryption. Encryption is a technique, which transfers intelligible data (plain text) into an unintelligible text (ciphertext). This process is reversed via the decryption process. For example, Advanced Encryption Standard (AES) is a cryptographic algorithm that can be applied to encrypt and decrypt to protect the electronic data.
- Integrity - It ensures the integrity by detecting both the unintentional and intentional modification.
- Electronic Signatures - It offers a means of associating documents with a certain person, as is accomplished in the written signature. Electronic signatures can be authenticated uniquely for a sensitive message and only for that sensitive message.
Types Of Electronic Signatures:
- Secret Key Electronic Signatures - employed using MACs
- Public Key Electronic Signatures - employed using public key cryptography
User Authentication- It forms the basis for various authentication techniques and enhances the security in the user authentication techniques.
Implementation Issues To Consider
When designing, implementing and integrating the cryptographic techniques, it is essential to consider some issues that include:
1. Selecting Design and Implementation Standards
2. Deciding Software, Hardware, or Firmware Implementations
3. Managing keys
4. Security of Cryptographic Modules
5. Applying Cryptography to Networks
6. Complying with Export Rules
1. Selecting Design And Implementation Standards
NIST and other enterprises have released several standards for designing, implementing and integrating cryptographic techniques. These standards can support enterprises to reduce costs as well as prevent their investments in the technology.
The organization should choose the proper cryptographic standard accordance with the trends in acceptance of the standard, cost-effectiveness analysis, and interoperability needs. Each standard needs to be analyzed carefully to identify it is appropriate to the desired application of the enterprise.
2. Deciding Between Software, Hardware, Or Firmware Implementations
Cryptography can be applied in hardware, software or firmware. Each mode includes its associated costs and benefits. For example:
- Generally, software is less expensive, but slower than hardware.
- For large systems, the hardware is less expensive.
In most cases, cryptography is applied using hardware and controlled by software. This hybrid solution ensures that hardware devices are offered with proper information and isn’t bypassed. We can find firmware in cell phones, USB keyboards, and smart TVs. It is critical to ensure the security of the firmware implementation. Hardware available with built-in protection that can prevent the malicious firmware modifications.
3. Managing Keys
The security of the message that is protected with cryptography depends on the security of the keys. Key management is essential to protect the keys from modification and unauthorized access. Managing keys involves generation, storage, distribution, use, entry, destruction, and archiving of keys.
A business which involve geographically distributed user needs to maintain a public key with enhancing level of confidence in the integrity and binding. Furthermore, it may also essential to integrate date/time to stamp for authentication of old signatures.
4. Security Of Cryptographic Modules
Cryptography is generally implemented in the modules of software, hardware, firmware or by combining them as a hybrid solution. Thus, the module includes the certain control parameters, the cryptographic algorithm(s) and temporary storage services for the key(s). The module should be protected against tampering and other security issues to ensure the proper cryptographic functioning.
5. Applying Cryptography To Networks
Implementing cryptographic techniques within the networking application often need special considerations. Here, the appropriateness of the cryptographic module depends on its competence for handling special needs imposed by network protocols & software. It is mandatory that cryptography technique meets the needs forced by the communications devices and doesn’t interfere with the efficient and proper functioning of the network.
On the network, data is either encrypted using end-to-end encryption or link encryption. Link encryption encrypts the entire data along with the communication path, whereas in an end-to-end encryption, the data is encrypted but the routing information stays visible.
6. Complying With Export Rules
The rules that govern the export of cryptographic implementation can be complex because they cover multiple factors. In addition, the rules may change whenever the cryptography field evolves. Hence, it is important to address the questions that concern the export rules with the support of proper legal counsel.
Protecting information with the help of cryptographic includes both direct and indirect cost, which can be determined by the availability of products. A wide range of products are available for employing cryptography in add-on boards, integrated circuits, adaptors & stand-alone units.
- Implementing or acquiring cryptographic module & integrating it into the system. The cryptographic module and various other problems like logical & physical configuration, security level, and special processing needs will include an influence on cost.
- Handling the cryptography algorithm, key generation, archiving, distribution, disposal and security measures to preventing the keys
- A reduction in network or system performance, resulting from the extra pressure of incorporating cryptographic protection to communicated or stored data.
- Modifications in the means user communicate with the system, because of more stringent security enforcement.
The following section will provide the brief description of the control families, which are essential to address the operational, management and technical factors of protecting the organization’s system and information.
1. Access Controls (AC)
Access is the capability to make use of the system. Access control is defined as the process of granting/denying a certain request to:
- Acquire and use information and associated information processing services
- Enter certain physical facilities like military establishments, federal buildings, and border crossing entrances.
Examples: separation of duties, account management, least privilege, information flow enforcement, and session termination.
AC In Organizations:
- System access to the authorized users
- The kinds of functions & transactions, which authorized users are allowed to exercise
2. Awareness And Training (AT)
Awareness and Training involve the action of making system users aware of their security responsibilities & educating them correct practices to change their behavior. It supports the individual accountability that is one among most essential ways to enhance information security.
The purpose of the awareness & training is to increase security by:
- Increase awareness of the requirement to protect system resources
- Enhancing knowledge and skills, hence the system users can continue their jobs securely
- Constructing in-depth knowledge as required to design, implement and operate security programs for the systems and organizations
Examples: security awareness training, security training records, and role-based security training.
AT In Organizations:
- Ensures the personnel involved in the organizational systems are aware of the security risks related to their activities
- Ensures that the personnel are properly trained to perform their assigned security-oriented duties & responsibilities
3. Audit And Accountability (AU)
An audit is the independent examination and review of activities and records to evaluate the competency of system controls & guarantee compliance with created policies & operational procedures. An audit trail is nothing but a record that maintains the record of operations of the individuals who have accessed a system at a given period.
Examples: time stamps, audit events, protection of audit information, nonrepudiation, and session audit and audit record retention.
AU In Organizations:
- Create, protect & retain the system audit records required to facilitate the analysis, monitoring, reporting, and investigation
- Guarantee that the individual users’ action can be uniquely outlined to them; hence, they can be detained accountable
4. Assessment, Authorization, And Monitoring (CA)
Assessment defines the testing or evaluation of the technical, management and operational security controls for the system to identify the extent to which the security controls are applied correctly, functioning as intended and offering the desired result with respect to satisfying the needs of the system.
Examples: security assessments, plans of action & milestones, system interconnections, and continuous monitoring.
CA In Organizations:
- Periodically evaluate the security controls in the organization to identify whether the controls are effective in their application
- Develop & implement POA (Plans Of Action) designed to address deficiencies & reduce vulnerabilities in the systems.
5. Configuration Management (Cm)
Configuration management is defined as the collection of actions focused on creating and maintaining the products’ and systems’ integrity via the control of processes for starting, changing & monitoring the config of those systems and products throughout the SDLC.
Examples: configuration change control, baseline configuration, least functionality, security impact analysis, and software usage restrictions.
CM In Organizations:
- Create & maintain the baseline config and inventories of the systems
- Create & enforce the configuration setting of the security for IT products employed in the systems
6. Contingency Planning (CP)
A contingency planning is the management policy & procedure used for direct response of the organization to a supposed loss of mission competency.
Examples: contingency training, contingency plan, system backup, system recovery & reconstitution, and contingency plan testing.
CP In Organizations:
- Construct, maintain & effectively execute plans for an emergency response
- Backup operations
7. Identification And Authentication (IA)
Identification is the ways of evaluating the identity of the process, user or device, as a requirement for allowing access to a system resource. Identification & authentication is defined as the technical measure, which prevents unauthorized processes or individuals from access a system.
Examples: Device identification & authentication, authenticator feedback, identifier management, re-authentication and authenticator management.
IA In Organizations:
- Identify processes, users or devices of the organizational systems
- Verify or authenticate the identities of those processes, users or devices
8. Individual Participation (IP)
This control addresses the individual interaction with the system to facilitate them to create reliable assumptions of how the organizational system is processing the information about them.
Examples: privacy notice, redress, consent, and privacy act statements for the organizations.
IP In Organizations:
- Request consent for processing the PII
- Offer notice to the user about the processing of PII
9. Incident Response (IR)
Incident Response includes the swift actions in order to reduce the influence of the attack that will occur in future in the organization.
Examples: Incident response testing, incident handling, incident reporting, incident response training, and incident monitoring.
IR In Organizations:
- Create an operational incident handling competency for the systems
- Track, report and document the incidents to the corresponding authorities
10. Maintenance (MA)
The organization needs to establish a set of procedures to keep the systems working in good order and to reduce risks from the software and hardware failures.
Examples: nonlocal maintenance, maintenance tools controlled maintenance, and timely maintenance.
MA In Organizations:
- Conduct periodic & timely maintenance on the systems
- Offer effective controls on the techniques, tools, mechanisms & personal used to perform maintenance
11. Media Protection (MP)
It is a control, which addresses the protection of the system media that can be defined as digital & non-digital.
Examples: media storage, media access, media transport, media marking, and media sanitization.
MP In Organizations:
- Protect system media both digital and paper
- Restrict access to information on the system media to the authorized personnel
12. Privacy Authorization (PA)
This control supports an organization in guaranteeing that it is the only processing PII in ways, which it possesses the authority for & clear purpose for performing so.
Examples: purpose specification, authority to collect, & information sharing with external parties.
PA In Organizations:
- Determine the legal bases, which authorize certain PII collection use, sharing, and maintenance
- Handling PII sharing with external parties
13. Physical And Environmental Protection (PE)
This control refers the measures that are taken to protect buildings, and associated supporting infrastructure against the threats linked to their physical environment.
Examples: physical access control, physical access authorizations, emergency lighting, asset monitoring, and information leakage.
PE In Organizations:
- Restrict physical access to the equipment, systems, and the corresponding operating environments to the authorized individuals
- Offer proper environmental controls in the facilities comprising systems
14. Planning (PL)
Proper planning enables the systems to provide a security level adequate with the risk related to the system operation, enhance productivity& performance and enable new means of organizing and managing.
Examples: security concept of operations, rules of behavior, and central management.
PL In Organizations:
- Develop, document, update and implement security plans for the system that defines the controls in place for the systems
15. Program Management (PM)
It is a comprehensive management approach to handle the management issues in terms of security that protect the resources and assets.
Examples: POA & M, information security resources, and system inventory.
16. Personnel Security (PS)
This control seeks to reduce the risk, which staff poses to assets through malicious user to the resources of the organization.
Examples: personnel termination, personnel transfer, personnel sanctions and access agreements.
PS In Organization:
- Guarantees that individuals inhabiting position of the security responsibility are trustworthy and satisfy security criteria for them
- Employ formal sanctions for the officials failing to conform to security policies & procedures
17. Risk Assessment (RA)
This control determines & prioritize the risks to the assets, operations, individuals of the organization, which may result from the operation of the system. To know more about RA, explore the blog, An Introduction To Information Security Guide – Risk Management, Assurance, And Security Consideration.
Examples: risk assessment, security categorization, and vulnerability scanning.
RA In Organizations
- Periodically evaluate the risk to the operation, assets, and individuals.
18. System And Services Acquisition (SA)
This control insists that security requirements need to be integrated early into the architecture and those considerations should meet the mission and processes of the organization.
Examples: acquisition process, criticality analysis, and supply chain protection.
SA In Organizations
- Allocate adequate resources to protect the systems
- Employ SDLC processes, which integrate security considerations
19. System And Communications Protection (SC)
This control presents an array of defends for the systems.
Examples: application partitioning, session authenticity, operations security, and usage restrictions.
SC In Organizations
- Monitor, control & protect organizational communications
- Employ software development techniques, architectural designs, and system engineering principles, which promote effective security
20. System And Information Integrity (SI)
This control is defined as the protection against improper modifications/destructions of information and it also ensures authenticity and non-repudiation of the information.
Examples: malicious code protection, flaw remediation, error handling, and memory protection.
SI In Organizations:
- Identify, correct and report information errors in a timely manner
- Provide safeguards from malicious code at the proper location within the systems
Hope the above information provides the basic understanding of how cryptographic techniques and access controls are implemented in the organizations.