Does he need to implement some cryptographic protection of data? How?

What is cryptography?

Cryptography is the process ...
Encryption implementation

As the hospital system holds a lot of personal information about clients and with the
addition ...
How can he protect his network? Currently it is a simple LAN, some databases, a
mail server and a web server but he wants ...
specific authorised data through. For firewalls to work effectively the hospital must
create a policy which defines and cl...
Wireless Access
As doctors are using wireless connections to retrieve medical records, it is extremely
important that the ...
extra systems could be attached to the load balancers, which will divert the process
   among all systems.

   Router
   A...
Upcoming SlideShare
Loading in …5
×

Whatiscryptography.doc

117
-1

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
117
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Whatiscryptography.doc

  1. 1. Does he need to implement some cryptographic protection of data? How? What is cryptography? Cryptography is the process of converting (encryption) plain information into special code that can be converted back to its original form (decryption) by using special keys. Data security is very important to any organization and for organisations that are involved in e-commerce it is one of their highest priorities, as e-commerce gives more avenues for attackers to access both the company’s and the customers’ information. Many different methods can me implemented to protect sensitive data and this section will examine cryptography and other data securing techniques and talk about why cryptography is needed and how it is used. (Pfleeger). Why do you need cryptography? Cryptography is required to keep information protected from unauthorised users. There are many situations where an organisation would want to prevent unauthorised access to its information. Such as, when data is exchanged over a public medium such as the Internet and the networks security maybe breached, the messages sent over the network can be intercepted and collected during transmission between the sender and the receiver. Even though the message has been intercepted it cannot be read due to the message being encrypted, and the file will be of little use to anyone until they are decrypted. For the receiver to decrypt a message, they need to know how exactly what kind of encryption was used on the message. More complex encryption techniques require specific decryption key, while basic encryption usually relies on translation tables to decrypt messages. While it is possible for encrypted data to be “cracked”, more complex encryption techniques use keys with extremely complex mathematical algorithms that requires literally years to crack (Pfleeger). This makes encryption a very popular and effective way to protect information being sent over a network such as the Internet, and it is widely used in online transactions in e-commerce. What kind of cryptography There are many different types of encryption and these include symmetric and asymmetric key encryption, digital signatures, hash functions, key escrow and hybrid systems. For wireless applications VPN and WEP are used predominantly. All encryption techniques have their own pros and cons, and some are more suitable for some applications over others. For example, a public key encryption is a form of asymmetric key encryption that is extremely safe. However, this type of encryption is not appropriate where performance is important as using this type of encryption is slow compared with others (http://www.igknighttec.com/Articles/Security/Crypto/types.php). (http://techdir.rutgers.edu/wireless.html).
  2. 2. Encryption implementation As the hospital system holds a lot of personal information about clients and with the addition of e-commerce functionality is it essential that cryptography measures are put in place to provide secure transmission of data. As the hospital provides online transactions, keeping its electronic transactions secure is of high priority. To protect e-commerce transactions, the hospital should implement Secure Sockets Layer (SSL). As SSL is the industry standard for authentication and encryption of data between clients and servers on the Internet and by using SSL as well as Digital signatures or checksums to verify the authenticity of messages this should keep all transactions secure. For wireless connections it is important to protect these from interception. By using Virtual Private Network (VPN) and/or Wired Equivalent Privacy this can protect the data being transmitted as each provide encryption techniques. It is important that the hospital adopt industry standard encryption such as SSL and WEP, to ensure that they are compatible with the majority of web browsers and operating systems currently available. To provide this encryption security, it would be advantageous to recruit and use solutions from well-known companies, which specialise in encryption and one of these companies are RSA security. RSA have been industry leaders for many years and provide many different award winning commercial products for large to small companies, making RSA one of the top 10 in security for businesses. By implementing RSA products, the hospitals encryption security measures would be guaranteed to be of high quality (http://www.rsasecurity.com).
  3. 3. How can he protect his network? Currently it is a simple LAN, some databases, a mail server and a web server but he wants to add some E-Commerce functionality very soon. What will happen when his staff use wireless enabled PDA’s for the collection of patient data? Network Security /* Networks by themselves are insecure and to combat this many measures need to be taken to improve the security of the network. Firstly it is important to understand the risks that networks face and once these risks have been established, then we will discuss how we can protect the network from these risks. - Sharing: resources are shared, and more users have access to the network - Anonymity: networks can span great distances and an attacker does not need direct access to the system - Complexity: networks can combine several different operating systems, meaning unanticipated problems can arise, especially if the operating systems have not been designed with security as a priority. - Unknown perimeters: the boundaries of a network are harder to define, making it difficult to control access. - Unknown paths: data can take many different paths from sender to receiver, and it cannot be known if the path will be secure. - Many points of attack: since a network consists of many computers, there are many sources for an attack, as data send from one computer to another will travel through many points along the way which cannot be controlled. /* Protecting the current network As the hospital is a somewhat small network, it is more likely that any attacks to hospital will from external sources rather than internal. Therefore the solutions provided will predominantly try to protect the network from external attacks. As any attack on the network from internal sources will mean that there has been a breach of security elsewhere, and the failure has not been from the network configuration itself. The hospital currently has a simple LAN, a web server, a mail server and some databases with out dated virus software. The hospital also plans to implement e-commerce functionality very soon. Firewalls Firewalls are becoming an industry standard as they are so widely used by corporations. Firewalls work by filtering out data coming in from external sources and only allows
  4. 4. specific authorised data through. For firewalls to work effectively the hospital must create a policy which defines and classifies what data can be allowed through the firewall and what data should be filtered out and denied. Also the firewall needs to be placed at the point of external entry to the internal network. This is done so that all external data will have to pass through the firewall before it can reach any other parts of the network, otherwise the firewall would be useless. Firewalls are not full proof, but they are a reliable and effective way to protect from most small attacks or unauthorised access. The firewall policy that the hospital needs to create is to filter out most traffic and only allow specific traffic through. An example would be that the hospital maintains a website, therefore it would be required to allow HTTP access, also the hospital has a mail server, therefore it would also be required to allow incoming mail through to the network. There are both hardware and software based firewalls and both are effective when they are configured properly. Hardware firewalls are more secure then software based ones, for that reason implementing a hardware firewall over a software one would be beneficial. Intrusion Detection System (IDS) An IDS works by detecting unauthorised access and alarms the user of an intruder accessing the network as well as logging and reporting the event. IDS usually work in conjunction with firewalls as they can alert when the firewall may have failed allowing an intruder into the system, therefore implementing an IDS along with a firewall can provide a better security detection scheme (http://www.columbustechnology.org/img/presentations/IDS.ppt). Email System Email is an easy and convenient way of getting data/information from external sources into the network. Attacks using email usually involve the email containing a virus or worm of some sort which can cause all sorts of detrimental affects. As the hospital has been already affected by virus infected emails this is one concern that can be addressed by taking a few easy measures. As it is impossible to block all emails, all incoming mail should go through a filtering program which will filter out all emails which are of suspicious origin or content. The most effective solution would be for the hospital to implement an up to date anti-virus program to scan all incoming email for virus or worms before allowing them to reach the recipient. Web Servers Often web servers contain bugs or vulnerabilities that were not found during testing and web servers often become the point of attack for many intruders or hackers. Once the web server companies find out about these vulnerabilities, they provide patches or updates to quickly fix these known problems. Therefore it is vital that the hospital keeps their web server software up to date to fix any bugs or vulnerabilities. As the hospital is soon to provide e-commerce functionality, it is important that these transactions are encrypted. SSL would be a good choice to implement as it authenticates both sides of the transaction and encrypts the data during the transaction. SSL is a trusted industry standard and is widely used by commercial companies.
  5. 5. Wireless Access As doctors are using wireless connections to retrieve medical records, it is extremely important that the data transmitted is protected. As wireless is more vulnerable to interception is it vital that the proper security measures are put in place. To secure wireless processes Wired Equivalent Privacy (WEP) should be implemented. WEP is part of the 802.11b wireless standard and provides encryption of data. Also using a Virtual Private Network (VPN) will increase the security for wireless applications as it provides a secure link between access points. Also as many wireless networks need actual physical structures outside it is important that these structures cannot be attacked or damaged as this could prevent wireless applications from working properly if at all. Access Control Unauthorised access could lead to many harmful things, one example for the hospital is that patients medical records of patients could be stolen and sold to insurance companies. Therefore it is important that the users of the system are authenticated and authorised to access the network, therefore only allow users that require access. This may include limiting users to accessing only selected parts of the network and granting others higher access. Also make sure any previous access accounts or passes are disabled if they are not needed as these could also lead to access points for attacks. It is also necessary to log all accesses to the system to make sure all users are accounted for as any breach of access could mean harm to patients and doctors. Database systems The hospital’s database would be one of the most important systems to keep safe, as it will be where most sensitive or valuable information is stored. Some general ideas which could prevent the database from being tampered with would be the physical location of the database and the security features of the operating system it’s running, although more drastic measures need to be taken. Such as all sensitive data should be encrypted to some degree. All accesses to the database should be logged with all the important details such as the user, parts of the database accessed, changes made, and the date/time accessed. These details will be useful if there was any security breach or attack. Access control to databases should also require user authentication as this will help prevent unauthorised access. (Pfleeger) Load Balancer As the hospital traffic and e-commerce functions expand, load balancers would be very beneficial. Load balancers provide the service of splitting up the load between servers making the network more efficient. Not only does it even out the work load for servers it also provides more reliability as proposed to only a single connection, as if a server is down, using a load balancer the system would not halt, but will divert the load over to other servers allowing the system to still run which improves the networks reliability which is crucial for the hospital. Load balancers also provide more room for upgrades as
  6. 6. extra systems could be attached to the load balancers, which will divert the process among all systems. Router A router provides the service of directing data/information to the rightful recipient. By implementing routers it makes the network more efficient when under load and can make it easier for future upgrades or increases in network traffic. Internet Router Firewall DMZ SSL L Web L App L Wireless L Mail B Server B server B Server B Server IDS Firewall Router Mainframe Lan DB Server DB/Legacy Data

×