part 1

[Audio] Unit 7 – (I-T ) System Security and Encryption Understand current (I-T ) security threats information security and the legal requirements affecting the security of (I-T ) systems Threat types Internal threats External threats Physical threats Social engineering and software-driven threats [TASK 7.1] Data security threatsDownload Internal Threats Internal threats are those that originate from within an organisation. Whilst it seems unlikely it is in fact a very common source of security breach. This week (w/c 28/06/2021) a file of confidential military information was found left on a park bench and only a few days before some sensitive C-C-T-V images were leaked to the media. Internal threats can come in many forms: Accidental loss – the loss of or misplacement of important or confidential files and materials or laptops or U-S-B sticks. Unsafe practices – for example the use of U-S-B flash drives to store and transport sensitive information without sufficient encryption; visiting dubious websites; downloading files and running them without appropriate security checks; attempting to bypass user account restrictions BYOD – (bring your own device) where users may not have the required/appropriate security settings and software installed All of these threats are avoidable through the use of employee education and monitoring and enforcement of security procedures..

[Audio] External threats External threats are those that originate from outside of the business. These include but are not limited to: Data theft – this can be the result of physically copying and stealing data or can be the result of a cyber attack. Cyber attacks can take many forms including phishing attacks to obtain credentials that can be used to steal data or malware attacks that compromise systems Disruption to systems or withholding of access – for example the news has been full of stories about ransomeware attacks (The top 5 ransomware attacks in the UK and their hidden costs (acronis.com)) Destruction of data – without appropriate backup policies businesses are at risk of data loss through the destruction of data. Intentional data destruction could be intended to hide information or simply to cause as much inconvenience and disruption to the company as possible Physical Threats Even with a well-behaved workforce there are still risks to a company's data security. Threats can take the following forms: Theft of data or equipment – this means either unauthorised access and use of files resulting in files being shared or copied without permission or theft of the computing devices which hold the data. Malicious damage to data or equipment – an attacker could intentionally corrupt data (wipe it alter it change the relationships between records) or equipment can be intentionally damaged – this is why servers are often in access-controlled locations in order to minimise the severity and opportunity for this type of attack Fire flood terrorism etc – these are the so-called 'acts of god': things that the user can't prevent from happening but can have mitigations in place to protect against or lessen the impact..

[Audio] Social engineering and software-based threats Social engineering is a term used to cover all scenarios where a user is being tricked into handing over access credentials or performing actions that assist an attacker. Some examples of social engineering include: Phishing attacks – an attacker sends emails purporting to originate from a legitimate business usually requiring the user to verify account details or log in to a site in order to view some action that has been flagged up; however the links in these emails direct the victim to a copy of the real website and their credentials are simply harvested when they attempt to sign in Spear phishing attacks – these are similar to the above except that they are highly targetted. They include information that the victim assumes only privileged users know – maybe recent order details their address or some other identifying information. These are especially dangerous as users tend to believe the emails because they contain personalised information. The personalised nature of these attacks also helps them evade traditional security measures such as email scanners. Software-based threats are those that are the result of malware infection. Malware is malicious software that serves to steal monitor spread and inconvenience users. Some example categories are: Viruses – software that inserts its code into other programs and when run spreads to infect other programs/executes its payload Trojans – software that is disguised to look like something beneficial to the user whereas in reality it is software that causes damage to the user's system; this could be providing a backdoor to access the machine to download further malware Ransomware – software that encrypts a user's data and requires the user to purchase a decryption key in order to retrieve their data. The only mitigation against this is to maintain regular backups Spyware – software that records what a user is doing and then sends this information on to a third party. It could be recording and monitoring their web-browsing history key strokes what software is being used and so on Adware – software that bombards the user with pop-up adverts. Whilst not immediately dangerous the adverts displayed could link to malicious websites or attempt to encourage the user to download and run potentially dangerous software Rootkits – rootkits are pieces of software that run with 'root' privileges; this typically means they are granted the same priority level as the kernel of the operating system (ring 0). This is problematic as anti-virus software typically runs on ring 1 and therefore is not permitted to view the kernel as this is protected. The effect of this is that AV software is unable to detect or remove malware running in ring 0. Special tools are required that scan the drive without booting into Windows..

[Audio] Computer network-based threats Passive threats Active threats Cloud computing security risks Passive attacks Passive attacks are those that arise through monitoring or scanning communications information flow and systems. Due to the lack of physical action passive attacks are difficult to identify and monitor. Examples include: Tapping (monitoring unencrypted communications for example tapping a phone line) Encryption (intercepting encrypted information and attempting to break the encryption) Scanning (scanning a device for vulnerabilities or open ports) Traffic analysis (monitoring traffic to build up a picture of how the network is being used).

[Audio] Active threats These include: Denial of service attacks – these send repeated requests to a server very rapidly with the aim of stopping the server from responding. Firewalls can easily detect and block repeated traffic from an individual location. However by escalating to a DDos (Distributed DoS) it becomes not only more powerful – you now use thousands of computers from different locations to attack the server – it also becomes more difficult for the firewall to detect as the heavy traffic is coming from many locations. Spoofing is the practise of faking your IP address or M-A-C address using software tools in order to circumvent network restrictions. These restrictions could be geographical (in the same way Netflix only allows certain titles to be viewed in selected countries) or it could be device management where only certain devices are allowed to access network resources. Listening in on WiFi communication could enable an attacker to collect data depending on the level of security applied to the connection. Man in the middle attacks are directed at H-T-T-P-S connections. Usually the communication between client and server is encrypted and therefore no outside agent can view the contents. Any attempt to alter the data or intercept it will render it useless as the attacker won't possess the S-S-L decryption key. However in a mitm attack the attacker sets up a phoney server which connects both to the client and the server. This malicious server creates a secure connection with the client using one S-S-L certificate and then a secure connection the the desired server using another S-S-L certificate. The machine in the middle is now able to accept and decode incoming data from either the client or the server. The only sign of an attack like this is the issuance of the security certificate will not appear as expected (for example wrong company name). Attacks like these can obviously intercept and steal confidential information like credentials bank information and any other communication. Address Resolution Protocol Poisoning (A-R-P--) – the protocol used by D-N-S servers to resolve a U-R-L to an IP address. This means that for example www.bbc.co.uk could have its entry altered (poisoned) to point to an IP address which is not part of the B-B-C--. Users would only know if there were significant differences in the content or if the check the issuance of the S-S-L certificate if on an H-T-T-P-S connection. Buffer overflow attacks rely on submitting data to network-connected services. A buffer is an area of memory set aside for data to be stored in once it arrives. These buffers have a fixed length and theoretically it should be impossible to exceed this. However if the software that processes the received data contains bugs the contents of the data can be maliciously manipulated in order to force the host machine to write data beyond the intended limits. If an attacker knows the memory layout of the software in question they can intentionally overwrite instructions in the software (the version held in memory) giving the ability to execute arbitrary code on the target device. This method has been used to jailbreak iPhones attack Windows PCs and Servers and gain access into top-secret facilities or confidential networks..

[Audio] Cloud computing security risks 1. Loss or theft of intellectual property Companies increasingly store sensitive data in the cloud. An analysis by McAfee found that 21% of files uploaded to cloud-based file sharing services contain sensitive data including intellectual property. When a cloud service is breached cyber criminals can gain access to this sensitive data. Absent a breach certain services can even pose a risk if their terms and conditions claim ownership of the data uploaded to them. 2. Compliance violations and regulatory actions These days most companies operate under some sort of regulatory control of their information whether it's H-I-P-A-A for private health information ferpa for confidential student records or one of many other government and industry regulations. Under these mandates companies must know where their data is who is able to access it and how it is being protected. B-Y-O-C often violates every one of these tenets putting the organization in a state of non-compliance which can have serious repercussions. 3. Loss of control over end user actions When companies are in the dark about workers using cloud services those employees can be doing just about anything and no one would know—until it's too late. For instance a salesperson who is about to resign from the company could download a report of all customer contacts upload the data to a personal cloud storage service and then access that information once she is employed by a competitor. The preceding example is actually one of the more common insider threats today. 4. Malware infections that unleash a targeted attack Cloud services can be used as a vector of data exfiltration. McAfee uncovered a novel data exfiltration technique whereby attackers encoded sensitive data into video files and uploaded them to YouTube. We've also detected malware that exfiltrates sensitive data via a private Twitter account 140 characters at a time. In the case of the Dyre malware variant cyber criminals used file sharing services to deliver the malware to targets using phishing attacks. 5. Contractual breaches with customers or business partners Contracts among business parties often restrict how data is used and who is authorized to access it. When employees move restricted data into the cloud without authorization the business contracts may be violated and legal action could ensue. Consider the example of a cloud service that maintains the right to share all data uploaded to the service with third parties in its terms and conditions thereby breaching a confidentiality agreement the company made with a business partner..

[Audio] 6. Diminished customer trust Data breaches inevitably result in diminished trust by customers. In one of the larges breaches of payment card data ever cyber criminals stole over 40 million customer credit and debit card numbers from Target. The breach led customers to stay away from Target stores and led to a loss of business for the company which ultimately impacted the company's revenue. See number 9 below. 7. Data breach requiring disclosure and notification to victims If sensitive or regulated data is put in the cloud and a breach occurs the company may be required to disclose the breach and send notifications to potential victims. Certain regulations such as H-I-P-A-A and HITECH in the healthcare industry and the EU Data Protection Directive require these disclosures. Following legally-mandated breach disclosures regulators can levy fines against a company and it's not uncommon for consumers whose data was compromised to file lawsuits. 8. Increased customer churn If customers even suspect that their data is not fully protected by enterprise-grade security controls they may take their business elsewhere to a company they can trust. A growing chorus of critics are instructing consumers to avoid cloud companies who do not protect customer privacy. 9. Revenue losses News of the Target data breach made headlines and many consumers stayed away from Target stores over the busy holiday season leading to a 46% drop in the company's quarterly profit. The company estimated the breach ultimate cost 148 million dollars. As a result the C-I-O and C-E-O resigned and many are now calling for increased oversight by the board of directors over cyber security programs. According to the Ponemon B-Y-O-C study a majority (64 percent) of respondents say their companies can't confirm if their employees are using their own cloud in the workplace. Trust us—they are. In order to reduce the risks of unmanaged cloud usage companies first need visibility into the cloud services in use by their employees. They need to understand what data is being uploaded to which cloud services and by whom. With this information (I-T ) teams can begin to enforce corporate data security compliance and governance policies to protect corporate data in the cloud. The cloud is here to stay and companies must balance the risks of cloud services with the clear benefits they bring..

[Audio] Information security Principles of confidentiality Unauthorised access or modification of information Principle of minimum access Deliberate or accidental loss of information Intellectual property protection Principles of confidentiality Confidentiality relates to personal information and in particular the steps taken to ensure the confidentiality of personal information. Not only should an organisation adhere to GDPR/Data Protection Act when dealing with personal data many organisations also have a confidentiality policy which further describes what is and is not acceptable use of data. For examples please view the following links: Introduction to confidentiality | (hcpc-uk.org) Confidentiality – General principles – England (medicalprotection.org).

[Audio] Unauthorised access or modification of information Unauthorised access or modification means the act of directly or indirectly accessing information to which you do not have an entitlement. In general the intention of accessing data in this manner is one of: Theft (for profit or other gain) Damage (to cause damage to the other party) There are many measures which can be taken to reduce or prevent this from happening. For example: Ensuring a rigorous authentication policy – for example the use of biometrics strong passwords etc User accounts are configured according to the principle of minimum access (do not allow access to edit create delete records unless the user needs this as part of their role) Two factor authentication to limit the chance of an unauthorised party logging in to the system Physical access control to machines hosting sensitive information User-account activity monitoring Endpoint security – for example firewalls More detail can be found here: Unauthorized Access: 5 Best Practices to Avoid Data Breaches (cynet.com).

[Audio] Principle of minimum access This is the security paradigm which states that users and applications should have only the bare minimum of privileges to support their intended roles. For example an administrator would be able to install software on a system. A data entry operator should not be installing software and in fact should only be running the program required to complete their job. By granting a user access rights beyond those which are needed by them you risk instability in your system as users can perform unintended actions. With regards to software you should ensure that applications are only accessing resources on your system that you consent to. For example an anti-virus package needs to run with privileges that allow it to view the entire contents of the computers storage device. However you would question whether a contact management system or web server should have those rights: you would remove any permissions from these applications so that they run with the bare minimum of access that they require. In the event of a malware attack on the application in question it is now far less likely that sensitive data can be accessed by the rogue application. Deliberate or accidental loss of information Regardless of whether information is lost accidentally or intentionally there are steps that must be adhered to the most important of which are: Notification to the Information Commissioner Office detailing the breach and how it occurred Steps to mitigate the risk that was exploited Full details of the requirements of companies under G-D-P-R and data protection laws are found here and here. Any company suffering a data breach is required to complete an investigation into the circumstances leading up to the breach. Should this investigation determine that the information has been intentionally leaked or deleted then the identified user will also be in breach of the Computer Misuse Act which carries a range of severe penalties. Intellectual property protection.

[Audio] Legal Requirements Data protection legislation Computer misuse legislation Copyright designs and patents legislation Legal liability and contractual obligations Data protection legislation Data Protection legislation is designed to provide rules about what can and can't be done with individuals' data. It is covered by various laws which can differ in different parts of the world. For full details of the Data Protection Act (2018) and G-D-P-R click on the links below. Data Protection Act 2018 (legislation.gov.uk) General Data Protection Regulation (G-D-P-R-) – Official Legal Text (gdpr-info.eu) Computer misuse legislation Computer Misuse Act (1990) The Computer Misuse Act protects personal data held by organisations from unauthorised access and modification). The act makes the following illegal: 1. Unauthorised access to computer material. This refers to entering a computer system without permission (hacking) 2. Unauthorised access to computer materials with intent to commit a further crime. This refers to entering a computer system to steal data or destroy a device or network (such as planting a virus) 3. Unauthorised modification of data. This refers to modifying or deleting data and also covers the introduction of malware or spyware onto a computer (electronic vandalism and theft of information) 4. Making supplying or obtaining anything which can be used in computer misuse offences These four clauses cover a range of offences including hacking computer fraud blackmail and viruses. Failure to comply with the Computer Misuse Act can lead to fines and potentially imprisonment. Offence Penalty Unauthorised access to computer material Up to six months in prison and/or an up to a £5 000 fine Unauthorised access to computer materials with intent to commit a further crime Up to a five-year prison sentence and/or an unlimited fine Unauthorised modification of data Up to a five-year prison sentence and/or an unlimited fine Making supplying or obtaining anything which can be used in computer misuse offences Up to a ten-year prison sen.

[Audio] Copyright Designs and Patents legislation For the UK Copyright Designs and Patents Act see the link: Copyright Act – GOV.UK (www.gov.uk) Broadly speaking the difference between a copyright and a patent is that a copyright protects a specific piece of work from being copied/duplicated whereas a patent protects the process or idea of something rather than a specific 'item'. The items which can be copyrighted or patented are also different. See the Patenting your invention – GOV.UK (www.gov.uk) page for further information. Legal and ethical issues around encryption Encryption is a necessity; without it many of the modern technological processes on which we rely would not be possible. Web browsing would be less safe; online shopping would be out of the question. Subscription TV wouldn't exist. Cryptocurrencies wouldn't exist. Encrypted chat wouldn't exist. We accept that encryption allows users (a user could be an individual or a government) to secure information. The military need to be able to communicate without being those messages being intercepted – we all know what a huge impact the breaking of the Enigma code had on the length and outcome of World War 2. Morally the right to privacy is a basic human right and as more of our lives becomes digital there clearly needs to be a process in place to ensure our privacy in the digital space. Legally it is more complicated: it is commonly argued that if one user's right to privacy endangers another user then it may be acceptable to restrict or remove the former's right to privacy for the good of the latter. Then there is the argument of whether applications which promote security should also have a 'backdoor' built in to allow governments to access communications – in the interest of national safety. While morally this is commendable in reality it can't work: as soon as a backdoor is implemented that backdoor is also available to any hacker who wishes to compromise a system. For further details and other examples please see the following links. Encryption ethics: are email providers responsible for privacy? (theconversation.com) Legal Issues with Cryptography | Cryptography with Java | InformIT View of The ethics of unbreakable encryption: Rawlsian privacy and the San Bernardino iPhone | First Monday.

[Audio] Impact of Security Breaches Operational impact Financial impact Damage to reputation Legal consequences Forensics research requirements Operational and financial impact of breaches A security break in a Norwegian aluminium producing company created mayhem in 2019. As a result of an unspecified security breach ransomware infiltrated the network and locked the company out of its systems. I can't do the impact justice so look at this: Norsk Hydro's initial loss from cyber attack may exceed 40 million dollars | Reuters Operational and financial impact of breaches A security break in a Norwegian aluminium producing company created mayhem in 2019. As a result of an unspecified security breach ransomware infiltrated the network and locked the company out of its systems. I can't do the impact justice so look at this: Norsk Hydro's initial loss from cyber attack may exceed 40 million dollars | Reuters Damage to reputation A company's reputation is built from many things but trust in a company is usually heavily linked with how well they are perceived to protect the information they hold about you. TalkTalk fell victim to this when details of their subscriber base along with payment details were stolen (TalkTalk hack 'affected 157 000 customers' – B-B-C News) leading to a significant number of customers leaving..

[Audio] Data protection legislation Data Protection legislation is designed to provide rules about what can and can't be done with individuals' data. It is covered by various laws which can differ in different parts of the world. For full details of the Data Protection Act (2018) and G-D-P-R click on the links below. Data Protection Act 2018 (legislation.gov.uk) General Data Protection Regulation (G-D-P-R-) – Official Legal Text (gdpr-info.eu) Forensic requirements for data retrieval When data is stored on a device its information is usually stored in empty blocks on that medium (either magnetic or SSD). For practical reasons (speed on magnetic media and wear-levelling on SSDs) currently unused areas of storage are favoured wherever possible. Of course as a disc is filled there are fewer unused blocks. There will however probably now be used blocks that aren't needed any more because the file isn't needed. Once we run out of empty blocks we store data on theses blocks – reusing them. This approach works because the storage device also contains a directory – an index which lists which files should be there and where to find them. Deleting a file doesn't actually remove it: it simply removes the entry from the index meaning the space is now 'used but ready to re-use'. Why does this matter? Firstly when deleting files or formatting a drive you aren't always removing the file(s). You are simply removing the directory. The data is still on the drive. Secondly if you are in a position to have deleted data that you need any further use of that drive risks loss of the data because new information could be written over a section that is needed. The risk of this is greatest with drives with little free space. There are many tools available for retrieval of data and secure destruction of data. See examples here Forensic data recovery to retrieve digital data for litigation (datarecoveryspecialists.co.uk).

[Audio] Cryptographic techniques and processes for data protection Cryptographic principles Principles and uses of encryption Legal and ethical issues Computational hardness assumption Principles and uses of encryption Encryption can be categorised as either: Symmetric encryption Public key encryption (asymmetric) Uses of encryption It should be evident by now that there are a great deal of ways in which data security can be impacted. The majority of these threats can be mitigated through the use of encryption; whilst it may not always be possible to completely prevent user error (for example loss leaving a laptop or U-S-B lying about) if the information is appropriately encrypted the impact of its loss can be hugely reduced. As long as a secure key is used to encrypt the data it should remain safe even in the event of its loss. Another common use for encryption is in the H-T-T-P-S protocol. Normally HTTP is used to govern and control the exchange of data between a client and a webserver. However this data is unencrypted meaning anyone who intercepts traffic between a client and the server will be able to clearly read that data: this could include the names of pages that the user is viewing but also any additional data such as user credentials. H-T-T-P-S ensures that even if the traffic is intercepted it will be meaningless to all but the intended recipient. H-T-T-P-S is the technology that has enabled the vast majority of what we use on the Internet. See the section on applications of cryptography for further examples and explanations..

[Audio] Legal and ethical issues around encryption Encryption is a necessity; without it many of the modern technological processes on which we rely would not be possible. Web browsing would be less safe; online shopping would be out of the question. Subscription TV wouldn't exist. Cryptocurrencies wouldn't exist. Encrypted chat wouldn't exist. We accept that encryption allows users (a user could be an individual or a government) to secure information. The military need to be able to communicate without being those messages being intercepted – we all know what a huge impact the breaking of the Enigma code had on the length and outcome of World War 2. Morally the right to privacy is a basic human right and as more of our lives becomes digital there clearly needs to be a process in place to ensure our privacy in the digital space. Legally it is more complicated: it is commonly argued that if one user's right to privacy endangers another user then it may be acceptable to restrict or remove the former's right to privacy for the good of the latter. Then there is the argument of whether applications which promote security should also have a 'backdoor' built in to allow governments to access communications – in the interest of national safety. While morally this is commendable in reality it can't work: as soon as a backdoor is implemented that backdoor is also available to any hacker who wishes to compromise a system. For further details and other examples please see the following links. Encryption ethics: are email providers responsible for privacy? (theconversation.com) Legal Issues with Cryptography | Cryptography with Java | InformIT View of The ethics of unbreakable encryption: Rawlsian privacy and the San Bernardino iPhone | First Monday.

[Audio] Computational Hardness Assumption Summary The Computational Hardness Assumption is a hypothesis that a given problem cannot be solved in efficiently (in polynomial or better). It is used where there is no way to prove the hardness of solving a problem: instead the problem is simplified (reduced) and then compared to another better understood problem in order to approximate the hardness. Significance In cryptography it is vitally important to prove that an algorithm is secure and provides a safe means of encrypting transmitting and storing sensitive information. The security of a cryptographic algorithm can either be proven by Information theoretic security or if this is not possible by computational security. Computational security essentially works on the proviso that the attacker is computationally limited (and therefore brute force attacks are futile). Further reading wikipedia.

[Audio] Cryptography methods Ciphers one-time pads hash functions Cryptographic primitives Cryptographic salts Encryption algorithms Mathematical principles Ciphers one time pads and hashes A cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure. The goal is to reversibly alter data to make it unreadable to anyone who does not possess the key to decipher it. One-time pads are a type of cipher which uses a unique key that is at least the same length as the message to be encrypted. The key must be pre-shared (in other words known to both the sender and the receiver) and should not be re-used as this would compromise the security. Hashes are mathematical functions which processes data reducing entire files to a single (long) number. The algorithms are designed to ensure that it is impossible to predict what changes to a file would result in a particular output. Note that as hashes reduce data to a single value they are irreversible and can not be used to re-engineer the original data. Cryptographic primitives These are the basic cornerstones of encryption and consist of: One-way hash function: A mathematical function that takes a variable-length input string and converts it into a fixed-length binary sequence. Symmetric key cryptography: An encryption system in which the sender and receiver of a message share a single common key that is used to encrypt and decrypt the message. Public-key cryptography: Also known as asymmetric cryptography a system that uses a pair of keys—a public key and private key..

[Audio] Cryptographic salt A necessary feature of encryption algorithms is that they are predictable. It would be no use if the same file generated various different outputs. It is this predictability that is also a weakness. When encryption is used for shorter pieces of data (email addresses passwords etc) there is a high likelihood of multiple people having the same data to be encrypted. Good practise is to store the hash of a password in a database rather than the actual password: this way if the database security is breached the attacker can't read the passwords of your users from the database. However every user who has the same password will have the same password hash. This means once one password is cracked all other passwords with the same hash are known. Salting is a process where an additional value is incorporated into the algorithm and this value is unique for each record. By adding a random element all hash values will now be different even if the original data was the same. This obviously makes potential data breaches less catastrophic. Cryptographic algorithms Five of the most common encryption algorithms are: DES AES RSA Blowfish Twofish Details of how each of them works uses and advantages of each can be found here. Mathematical principles.

[Audio] Applications of cryptography Symmetric key encryption Public key encryption Key exchanges Digital certificates H-T-T-P-S protocol Virtual Private Networks Generic Routing Encapsulation (G-R-E--) tunnels Encryption of data on WiFi networks Symmetric Key Encryption What is it? Symmetric key encryption uses one private key in order to encrypt and decrypt information. This means that both the encryptor and the decryptor need to have the key but this key can't be made publicly available. In other words the recipient of the encrypted information must already have a copy of the correct key to decrypt it. Despite being an older technique that asymmetric encryption symmetric encryption is still widely used as it is: faster to perform (requires fewer C-P-U cycles in order to complete) smaller network utilisation as less data is produced (no need to include key blocks with transmissions) Where is it used? Generally anywhere where large amounts of data need encryption. Some examples include: Encrypting the contents of a database – this means that should a database fall into the wrong hands or the contents of the database get leaked the information is not viewable. It may be that the database management system itself looks after the key or it may be that the application using that data holds the key. Either way no exchanging of keys is required for this to work. Encrypting computer drives – again as with the example above this aims to ensure that if the hard drive is removed from a computer or laptop its contents will be unreadable by third parties. The computer itself stores the key securely and is therefore the only device able to decrypt and access the drive's contents..

[Audio] Public Key Encryption What is it? Public Key Encryption is a system which utilises pairs of keys: one is private and is known only to its 'owner'. The other is public and is sharable to anyone. This means that anyone with the public key can create and encrypt a message but no-one except the private key owner will be able to decrypt it. It is a type of asymmetric encryption and therefore the process with the public key is one way. Consider a server and a client communicating. The client can send its public key to the server which can then generate a key for symmetric encryption and this key can be encrypted using the client's public key and sent back to the client. The only person who can decrypt this is the client as it requires their private key. This has allowed the server to create a symmetric encryption key and send it over an insecure medium (the Internet) in a secure manner. Once the client has decrypted the key it can begin communicating with the server using symmetric encryption taking advantage of symmetric encryption's advantages of speed and reduced network utilisation. Where is it used? This is most widely used to provide security and privacy in communications. For example WhatsApp prides itself on providing end-to-end encryption. This is only possible through the use of public key encryption. Messages are encrypted with the recipients' public keys delivered and finally decrypted with the users' private key. This ensures that no-one except the intended parties are able to view the messages even if data is intercepted en route. Further Reading wikipedia.

[Audio] Key exchange What is it? Key exchange is the process of exchanging cryptographic keys in a secure manner over an insecure medium – for example using the Internet to exchange data. Because this is taking place before encryption has been initialised (it is the required prior step) this happens in plain text. The steps involved are as follows: Parties A and B have a common starting value Party A has its own secret value which is secret Party B has its own secret value which is secret Party A takes the common starting value and 'processes' it with its secret value Party B takes the common starting value and 'processes' it with its secret value At this point A and B exchange their processed values. They will currently be different. Once the exchange has taken place A and B both process the newly received values with their private values. This results in both A and B now possessing the same value – the key for communication between them. This has resulted in keys being exchanged to allow symmetric encryption without revealing the key at any point. Where is it used? Anywhere that requires keys to be exchanged – for example internet communications. Further Reading wikipedia–Hellman_key_exchange.

[Audio] Digital Certificates Digital certificates are used to guarantee the ownership of some resource. The specific case we are looking at is the issuance of certificates for web sites. When visiting a website by default the H-T-T-P protocol is used for data exchange between client and server. This is problematic as many websites require confidential information to be entered: for example credentials or payment details. In these cases HTTPS is used. Certificates are used on H-T-T-P-S websites in order to identify the server: it is easy to duplicate a website and use a U-R-L similar to the real one. However in order to get a certificate a certification authority must verify the identity of the client. This means a website certificate can show who the owner is and this information can be trusted. Certificates are issued by Certification Authorities (CAs) – for example Verisign. For more detail read here: Verisign is a global provider of domain name registry services and internet infrastructure – Verisign H-T-T-P-S protocol The H-T-T-P-S protocol is used whenever there is a need to safely and securely transfer data between machines on the World Wide Web. H-T-T-P-S requires a T-L-S certificate to be installed on your server. You can apply certificates to different protocols like H-T-T-P (web) SMTP (email) and F-T-P--. An S-S-L or T-L-S certificate works by storing your randomly generated keys (public and private) in your server. The public key is verified with the client and the private key used in the decryption process. H-T-T-P is just a protocol but when paired with T-L-S or transport layer security it becomes encrypted. The H-T-T-P-S Stack You may know T-L-S by another acronym SSL. Secure socket layer or S-S-L was the original way we secured the Internet. As we evolved our standards we retired S-S-L but the acronym remains the more popular term for TLS. If you look at a network Stack diagram H-T-T-P is at the top on top of T-L-S which sits on top of the T-C-P and IP layers. I know those are a lot of acronyms but don't worry. When H-T-T-P is combined with T-L-S you get H-T-T-P-S This secure version of H-T-T-P..

[Audio] The H-T-T-P-S Handshake When your browser connects to an H-T-T-P-S server the server will answer with its certificate. The browser checks if the certificate is valid: 1. the owner information need to match the server name that the user requested 2. the certificate needs to be signed by a trusted certification authority If one of these conditions is not met the user is informed about the problem. H-T-T-P-S Connection Sequence Diagram When H-T-T-P is used a series of handshakes takes place. The initial request is sent to the server for a verification. When the server responds that it is the desired server the client then sends a hello message. At this point the communication becomes encrypted. Is to exchange encryption keys or ciphers. At this point the reader communication can proceed. The initial handshakes steps take place in a matter of milliseconds..

[Audio] VPNs A virtual private network creates just that: a virtual (in other words logical rather than physical) network which is private meaning only you and the end-point can view the data you are transmitting and receiving. They are typically used to hide activity to spoof your location or to provide additional security (for example to access confidential information from outside of a work network). The typical steps involved in the use of a V-P-N are: When the connection has been established the following will happen to your data: o The V-P-N software on your computer encrypts your data traffic and sends it (via your Internet Service Provider) to the V-P-N server through a secure connection. o The encrypted data from your computer is decrypted by the V-P-N server. o The V-P-N server will send your data on to the internet and receive a reply which is meant for you the user. G-R-E Tunnelling Routers work by delivering and receiving packets of data which are addressed using IP and Port numbers. Tunnelling takes the principle of encapsulation that is already used when creating packets of data (wrapping up the data headers and addressing information) and goes further by encapsulating the pack within another packet. By doing this data is hidden from firewalls meaning rules can be easily bypassed. For G-R-E Tunnelling to work the routers must support this format. Read a technical description here: What is G-R-E tunneling? | How G-R-E protocol works | Cloudflare.