
Encryption

Encryption can be software-based or hardware-based, depending on the security needs and the IT
security budget of an organization. As the name suggests, software-based encryption uses software to
encrypt and decrypt data stored in files and folders, on hard drives and on removable media, as well as
data traveling over the internet, for example in email. Encryption software uses an algorithm to
convert the data into meaningless ciphertext, which can only be converted back to meaningful text
using a key: a symmetric key (a single key) or an asymmetric key (a pair of keys).

Encryption may also be used to confirm the integrity of a file or of part of a software program. A user
can encrypt a file, a folder or a complete volume by means of a file encryption utility such as GnuPG or
AxCrypt. Asymmetric cryptography is also used for signing mail.

There are too many ways to move files for conventional perimeter defenses to protect everything. It
follows that once a file is moved out of an encrypted location, it is no longer encrypted. Stunnel may
be used to provide an SSL transport for virtually any TCP connection that does not support one itself.

The security of a symmetric block cipher depends on its key length. Both parties' keys must work in
conjunction with one another. Although, given enough time and computing power, any of these ciphers
could be broken, they are for the time being considered practically unbreakable. This section also gives
an overview of public-key and symmetric-key mechanisms, together with hash algorithms.

A dangerous pitfall of folder encryption is that there may be temporary copies of the sensitive files
that are not encrypted. Without encryption, unauthorized users may use various methods to bypass
accounts and permissions and access the contents of the local drive. As indicated earlier, some
applications that are not specifically designed for encryption do have built-in encryption functions.
Many programs use a master password to unlock the software, and then another password for every
vault or collection of files.

Information security is provided on computers and over the web by many different methods. While no
single solution is in sight, more and more companies offer encryption. Since encryption requirements
vary by technology, product and implementation, there is no universal rule.

Data encryption is important for everyone, not merely large corporations and government officials.
Despite this, email encryption is not something that can be imposed unilaterally. WEP is no longer
regarded as a secure protocol. The password itself is extremely sensitive. Over the years, email has
become an integral part of business communication. Today, it is one of the most widely used means of
communication between organizations and their clients, partners and employees. It is also increasingly
used by individuals for personal communication. Because email messages contain both confidential and
sensitive data, they are a popular target for hackers.

Email encryption refers to the encryption and authentication of email messages to safeguard message
contents from unauthorized and unintended recipients. In other words, email encryption converts the
original message and the attachments contained in the email into ciphertext, so that only the intended
recipient can decipher it.

© 2018 | BCC Research LLC IFT174A Cyber Security: North American Markets | 29
Email encryption uses an asymmetric key algorithm, referred to as public-key cryptography.
Public-key cryptography uses two distinct keys: a public key and a private key. One party publishes a
public key, which correspondents use to encrypt messages to that party, while the party keeps the
private key, with which he or she decrypts the messages that were encrypted with the public key. The
public key can be circulated without compromising the security of the private communications.
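The exchange described above, as an added illustration that is not part of the report: textbook RSA with tiny constructed primes (p=61, q=53, e=17, far too small for real use) shows which key encrypts, which decrypts, and how the same pair is used for mail signing.

```python
# Added illustration (not from the report): textbook RSA with constructed toy
# parameters, to show which key does what in the exchange described above.
import hashlib

P, Q, E = 61, 53, 17            # constructed toy primes and public exponent


def generate_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)         # modular inverse of e (Python >= 3.8)
    return (n, e), (n, d)


def encrypt(public_key, message: bytes) -> list:
    """Anyone holding the published public key can encrypt, byte by byte."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext: list) -> bytes:
    """Only the holder of the private key can reverse the encryption."""
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def sign(private_key, message: bytes) -> int:
    """Mail signing: the sender applies the private key to a digest of the message."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Any recipient checks the signature with the sender's public key."""
    n, e = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    # The recipient publishes the public key and keeps the private key.
    pub, priv = generate_keypair()
    body = b"Q3 figures attached"                  # constructed sample mail body
    ct = encrypt(pub, body)                         # done by the correspondent
    assert decrypt(priv, ct) == body                # done by the key holder
    sig = sign(priv, body)                          # signed with the private key
    assert verify(pub, body, sig)                   # checked with the public key
```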

Emails are exposed to various risks both in transit and at rest. In transit, email messages can be
intercepted and easily read by hackers who have access to the mail transfer agent servers or mail
servers (a mail server is an application used to transfer mail between sender and receiver).

Another risk associated with email is phishing and spear phishing. Phishing refers to a fake email that
steals information. Such fraudulent emails appear to come from legitimate enterprises and are sent to a
large number of email addresses in order to trick users into surrendering private information. Spear
phishing is a more dangerous form of phishing. Spear phishing messages are targeted at specific groups
of individuals within an enterprise. Such messages are based on background research and generally
contain topics relevant or familiar to the people being targeted.

Organizations need email security not only to safeguard email messages against such risks, but also to
abide by their respective industry's regulatory standards, such as PCI (payment card industry) and
HIPAA (Health Insurance Portability and Accountability Act), which mandate that emails containing
private and confidential data must be secured.

Traditionally, enterprises have restricted their spending on email security. However, in recent years,
due to the growing number of data thefts and increasing regulatory mandates, email security has become
one of the key priorities of IT budgets. Email encryption is one of the most preferred methods of
protecting messages containing confidential data from unauthorized access.

It is important to understand what sort of encryption is most appropriate for a specific need, and not
to be lulled into a false sense of security by fancy-sounding process names. One such technique is
steganography, the practice of disguising a file by making it resemble something different from what it
truly is. Steganography is a serious alternative to encryption, and rather secure. It hides the existence
of the data rather than scrambling its contents, so it is most effective when the hidden payload is itself
encrypted.

It is not a fast procedure, but any password can be cracked given enough time and computing power.
Other factors matter as well; for instance, one of the most frequently used passwords is simply
"password."

The public key may be shared with everyone, while the private key must be kept secret. A user may
also wish to upload the public key to one or more public key servers. When generating the key, an
expiration date should be set rather than allowing it to remain valid forever.

A common encryption failure is being unable to decrypt the sole copy of critical information. To reduce
the chance of being compromised, a key must be created as a mix of letters, numbers and special
characters, and this key must be changed frequently. Provided that both parties have the appropriate
cipher and key, they can decode any message the other sent; a message must be decrypted before it
can be read.

General-purpose ciphers used for encryption tend to have different design goals. Encryption strength is
directly tied to key size, but as the key size increases, so do the resources required to perform the
computation. The key must also have a certain minimum size to be considered safe. In summary, built-in
encryption functions can be convenient choices, but their effectiveness needs to be researched before
using them.
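The relationship between key size, character mix and cracking effort described above (and in the password paragraphs earlier), as an added example that is not from the report: it computes the exhaustive-search cost for a password or key length at an assumed guess rate, and rejects the common passwords the report mentions. The guess rate, the 64-bit threshold and the common-password list are constructed assumptions.

```python
# Added illustration (not from the report): how the keyspace, and with it the
# time an exhaustive search needs, grows with key length and character mix.
import math
import string

GUESSES_PER_SECOND = 1e10                                         # assumed budget
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}    # constructed
MIN_BITS = 64                                                     # assumed policy


def alphabet_size(password: str) -> int:
    """Size of the union of standard character classes the password draws from."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the number of candidates an exhaustive search must consider."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of a `bits`-bit keyspace.

    Works for symmetric keys too: seconds_to_exhaust(56) versus
    seconds_to_exhaust(128) shows why a minimum key size matters.
    """
    return 2 ** bits / rate


def assess(password: str) -> dict:
    """Policy check: reject common passwords; otherwise report the search cost."""
    if password.lower() in COMMON_PASSWORDS:
        return {"bits": 0.0, "seconds": 0.0, "verdict": "common password"}
    bits = keyspace_bits(password)
    verdict = "acceptable" if bits >= MIN_BITS else "too weak"
    return {"bits": round(bits, 1), "seconds": seconds_to_exhaust(bits),
            "verdict": verdict}
```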

Altering a program in almost any way will produce a different checksum. Ideally, encryption software
offers multiple ways to shield files and data.
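The checksum point above, as an added example that is not from the report: a SHA-256 manifest check over a constructed file, showing that altering a single byte changes the digest and is flagged as a modification. File contents, names and digests are constructed.

```python
# Added illustration (not from the report): SHA-256 checksums detect any change
# to a file. The sample file and manifest are constructed inside a temp dir.
import hashlib
import hmac
import os
import tempfile


def sha256_file(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(manifest: dict) -> dict:
    """Compare each path's digest with the expected one recorded in a manifest.

    Returns {path: "ok" | "modified" | "missing"}. hmac.compare_digest keeps the
    comparison constant-time, the habit to use whenever comparing secrets or digests.
    """
    results = {}
    for path, expected in manifest.items():
        if not os.path.isfile(path):
            results[path] = "missing"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[path] = "ok"
        else:
            results[path] = "modified"
    return results


def demo() -> dict:
    """Write a constructed file, record its digest, flip one byte, re-check."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tool.bin")
        with open(path, "wb") as f:
            f.write(b"\x7fELF constructed sample program body")
        manifest = {path: sha256_file(path),
                    os.path.join(d, "absent.bin"): "0" * 64}   # never written
        before = verify_manifest(manifest)
        with open(path, "r+b") as f:        # alter a single byte of the "program"
            f.seek(10)
            f.write(b"X")
        after = verify_manifest(manifest)
        return {"before": list(before.values()), "after": list(after.values())}
```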

Risk and Compliance Management

Compliance and risk management are generally communicated as one concept. It greatly lowers the
personal and corporate risk associated with a serious failure. A standard practice shared by many
operational risk assessment approaches is to consider the likelihood or probability of various risk
categories and determine their financial impact. Organizations that do not understand or have not
considered the risks related to information technology are normally not prepared to mitigate them.
While zero risk is not achievable in virtually any organization, the Value Point approach makes it
possible to reduce the danger of regulatory failure owing to a lack of internal expertise. If such
resources are not available, then room within the strategic plan should be made to guarantee
proper risk controls.

Operational risk is a critical aspect of governance, risk management and compliance (GRC). Assurance
mapping can be used to recognize and eliminate duplication of effort. Organizations should assess risk,
quantify the issue and take suitable action based on key metrics. Strategic management has tools to
assess the overall state of compliance in an organization. Where systems cannot communicate with one
another, it can take a week of effort to consolidate risk and compliance reports across the enterprise.
Organizations are turning to assurance mapping to gain a better understanding of the drivers of their
businesses as well as of non-financial metrics, which are the leading indicators of financial outcomes,
including the repercussions of risk events (KRI, key risk indicator) on performance (KPI, key
performance indicator).

When looking at these capabilities from a business perspective, some vital questions arise. Because
controls are not independent, they cannot be managed as such or in an ad hoc fashion. IT, however, is a
very technical domain, often separated from the rest of the company. In another scenario, users around
the world may be managed using a central server in the U.S. IT GRC can be a great help in handling
security in the cloud. Companies are introducing security suites that can automatically assimilate
beneficial changes to an organization's environment while preventing disruptive changes.

Identity and Access Management

Implementing identity and access management (IAM) systems and associated best practices can provide
organizations with a genuine competitive advantage in several ways. Put simply, identity and access
management is a security framework that allows the right people to access the right resources at the
right time. With this in mind, identity management implementation as a process of continuous
optimization is the responsibility of a permanent team, rather than a single, finite project.

The aim is to provide a far more secure and effective organization that can respond to changing
demands.

To keep pace with the competitive business environment, organizations tend to deploy applications
from various vendors. Identity and access management provides numerous advantages to enterprises,
such as cost reduction through protection of information, as well as new business opportunities. IAM
provides reliability and accessibility to user access control, which is imperative to the majority of
e-business sites.

One aim of an organization may be to reduce the number of passwords that users must remember. At
the same time, it can grant distinct permissions to each IAM user. It is sensible for the business owner
of the identity management infrastructure to select and evaluate procedures so that any issues can be
resolved using the architecture of the technical resource. These systems provide a method of
administering user access across an entire enterprise and of guaranteeing compliance with corporate
policies and government regulations.

At many hospitals, identity and access management has been implemented to provide strong
authentication in order to safeguard access to sensitive data when it is accessed from a remote
location. Still, a lack of effective identity and access management poses significant risks not just to
compliance but also to an organization's general security. A comprehensive review of business risk
factors and existing security policies must be performed to ensure complete information security.

With the growing number of identity threats, there is a crucial need for a thorough approach to
strengthen IAM programs. Key vendors must strike the right balance when managing identity and access
in such a dynamic environment. Business value improves once an organization can properly safeguard
its information assets. Therefore, to reduce failures within an IAM program, strategy and planned
implementation play important roles. IAM programs are also often used to stop an attacker from
penetrating the organization's infrastructure. Decentralized management should be avoided (this is
where process and governance come in).

Firewall

Firewalls can be configured in various ways. A firewall provides excellent standard functionality while
running seamlessly in the background. Along with port and IP address rules, firewalls may offer a wide
range of functionality.
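The port and IP address rules mentioned above, as an added example that is not from the report: a minimal first-match packet filter with a default-deny policy, evaluated against constructed sample connections. The rule set, networks and ports are constructed.

```python
# Added illustration (not from the report): a minimal packet filter evaluating
# port and IP address rules; first match wins, and nothing matched means deny.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst_ports: range       # destination port range, e.g. range(443, 444)
    proto: str = "tcp"

    def matches(self, src_ip: str, dst_port: int, proto: str) -> bool:
        return (proto == self.proto
                and dst_port in self.dst_ports
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src))


def evaluate(rules: list, src_ip: str, dst_port: int, proto: str = "tcp") -> str:
    """Return the action of the first matching rule; deny if none matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_port, proto):
            return rule.action
    return "deny"


# Constructed policy: the intranet may use SSH and HTTP, anyone may use HTTPS and
# DNS, and one blocked address is denied before the broader allows can match.
POLICY = [
    Rule("deny",  "203.0.113.7/32", range(0, 65536)),
    Rule("allow", "10.0.0.0/8",     range(22, 23)),
    Rule("allow", "10.0.0.0/8",     range(80, 81)),
    Rule("allow", "0.0.0.0/0",      range(443, 444)),
    Rule("allow", "0.0.0.0/0",      range(53, 54), proto="udp"),
]


def audit(rules: list, connections: list) -> list:
    """Evaluate (src_ip, dst_port, proto) tuples and return the decisions."""
    return [evaluate(rules, ip, port, proto) for ip, port, proto in connections]


if __name__ == "__main__":
    sample = [("10.1.2.3", 22, "tcp"), ("198.51.100.9", 22, "tcp"),
              ("198.51.100.9", 443, "tcp"), ("203.0.113.7", 443, "tcp")]
    for conn, decision in zip(sample, audit(POLICY, sample)):
        print(conn, "->", decision)
```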

There is a 97% chance that a personal computer has registry issues; one way of protecting it is, naturally,
through the use of an antivirus program. Without a firewall, an internet-connected PC may succumb to
an attack. Network firewalls are often used to stop unauthorized web users from accessing private
networks connected to the internet, especially intranets. A hardware firewall is placed between a
network, for example a corporation's, and a less secure area, like the internet. For greater security, data
can be encrypted. NAT (network address translation) also enables users within a network to reach a
server using a private IP address, while users outside the network must contact the same server using
an external IP address.

A small home network has many of the same security issues that a large corporate network does. A user
can employ a firewall to safeguard his or her home network and family from offensive websites and
potential hackers.

Generally speaking, PC tools are an excellent choice for users who have been confused by firewall
interfaces in the past. They can be inexpensive enough to be used with one computer and may also be
used to build a home computer network. Additional security is a secondary consideration, though it is
convenient to have a firewall and extra security bundled into one product.

The costs of a data breach far exceed any network firewall expenditure; a good solution can be found
at any given price point. However, it needs to be 99.9% secure when it is connected.

As with hardware firewalls, there is a huge variety of software firewalls to choose from. Firewall
software builds an intelligent barrier to shield a computer or network from those who want to gain
access to it. Comodo has long been considered among the best free firewall tools.

Disaster Recovery

Data safety is a crucial aspect of disaster recovery. To minimize disaster losses, a good disaster
recovery plan must be in place for every business subsystem and operation in an enterprise. The
disaster recovery plan document should be kept current with the present organizational environment.
The optimal strategy is to have a disaster recovery plan in place that will return the enterprise's systems
to normal.

The effects of a disaster that strikes the whole enterprise differ from the effects of a disaster affecting
a particular area, office or utility within an organization. For example, a central factor in evaluating
risks connected with telephone systems is to study the telephone architecture and determine whether
any extra infrastructure must be created to mitigate the effects of potentially losing the whole
telecommunication service in a disaster.

Having a disaster recovery plan is critical, but how it is tested and assessed depends on the specific
demands of the organization. In general, the procedure can be streamlined, yet this facilitation of
recovery will only happen where preparations are made. During the last several decades.

Assessing the precise impacts of a disaster may take the company some time. These particular effects
should ideally be covered by the disaster recovery approach. However, there may be no warning, as in
the case of a burst water pipe or a criminal act. Information systems risks can also be the result of
inappropriate operating processes. The disaster toolkit was designed to allow a user to review the full
range of business continuity and disaster recovery issues.

Data Loss Protection

One aim of data protection is to create an environment that shields against all sorts of disasters.
Auditing is a key element of building effective policies. The frequency of data loss and its impact can
be greatly mitigated by taking proper precautions. When organizations do not take the vital steps to
identify sensitive data and protect it fully from loss or misuse, they may be risking their ability to
compete.

