Does he need to implement some cryptographic protection of data? How?
What is cryptography?
Cryptography is the process of converting (encryption) plain information into special
code that can be converted back to its original form (decryption) by using special keys.
Data security is very important to any organization and for organisations that are
involved in e-commerce it is one of their highest priorities, as e-commerce gives more
avenues for attackers to access both the company’s and the customers’ information.
Many different methods can me implemented to protect sensitive data and this section
will examine cryptography and other data securing techniques and talk about why
cryptography is needed and how it is used. (Pfleeger).
Why do you need cryptography?
Cryptography is required to keep information protected from unauthorised users. There
are many situations where an organisation would want to prevent unauthorised access to
its information. Such as, when data is exchanged over a public medium such as the
Internet and the networks security maybe breached, the messages sent over the network
can be intercepted and collected during transmission between the sender and the receiver.
Even though the message has been intercepted it cannot be read due to the message being
encrypted, and the file will be of little use to anyone until they are decrypted.
For the receiver to decrypt a message, they need to know how exactly what kind of
encryption was used on the message. More complex encryption techniques require
specific decryption key, while basic encryption usually relies on translation tables to
decrypt messages. While it is possible for encrypted data to be “cracked”, more complex
encryption techniques use keys with extremely complex mathematical algorithms that
requires literally years to crack (Pfleeger). This makes encryption a very popular and
effective way to protect information being sent over a network such as the Internet, and it
is widely used in online transactions in e-commerce.
What kind of cryptography
There are many different types of encryption and these include symmetric and
asymmetric key encryption, digital signatures, hash functions, key escrow and hybrid
systems. For wireless applications VPN and WEP are used predominantly. All encryption
techniques have their own pros and cons, and some are more suitable for some
applications over others. For example, a public key encryption is a form of asymmetric
key encryption that is extremely safe. However, this type of encryption is not appropriate
where performance is important as using this type of encryption is slow compared with
As the hospital system holds a lot of personal information about clients and with the
addition of e-commerce functionality is it essential that cryptography measures are put in
place to provide secure transmission of data. As the hospital provides online transactions,
keeping its electronic transactions secure is of high priority. To protect e-commerce
transactions, the hospital should implement Secure Sockets Layer (SSL). As SSL is the
industry standard for authentication and encryption of data between clients and servers on
the Internet and by using SSL as well as Digital signatures or checksums to verify the
authenticity of messages this should keep all transactions secure.
For wireless connections it is important to protect these from interception. By using
Virtual Private Network (VPN) and/or Wired Equivalent Privacy this can protect the data
being transmitted as each provide encryption techniques. It is important that the hospital
adopt industry standard encryption such as SSL and WEP, to ensure that they are
compatible with the majority of web browsers and operating systems currently available.
To provide this encryption security, it would be advantageous to recruit and use solutions
from well-known companies, which specialise in encryption and one of these companies
are RSA security. RSA have been industry leaders for many years and provide many
different award winning commercial products for large to small companies, making RSA
one of the top 10 in security for businesses. By implementing RSA products, the hospitals
encryption security measures would be guaranteed to be of high quality
How can he protect his network? Currently it is a simple LAN, some databases, a
mail server and a web server but he wants to add some E-Commerce
functionality very soon. What will happen when his staff use wireless enabled
PDA’s for the collection of patient data?
Networks by themselves are insecure and to combat this many measures need to be taken
to improve the security of the network. Firstly it is important to understand the risks that
networks face and once these risks have been established, then we will discuss how we
can protect the network from these risks.
- Sharing: resources are shared, and more users have access to the network
- Anonymity: networks can span great distances and an attacker does not need
direct access to the system
- Complexity: networks can combine several different operating systems, meaning
unanticipated problems can arise, especially if the operating systems have not
been designed with security as a priority.
- Unknown perimeters: the boundaries of a network are harder to define, making it
difficult to control access.
- Unknown paths: data can take many different paths from sender to receiver, and it
cannot be known if the path will be secure.
- Many points of attack: since a network consists of many computers, there are
many sources for an attack, as data send from one computer to another will travel
through many points along the way which cannot be controlled.
Protecting the current network
As the hospital is a somewhat small network, it is more likely that any attacks to hospital
will from external sources rather than internal. Therefore the solutions provided will
predominantly try to protect the network from external attacks. As any attack on the
network from internal sources will mean that there has been a breach of security
elsewhere, and the failure has not been from the network configuration itself. The
hospital currently has a simple LAN, a web server, a mail server and some databases with
out dated virus software. The hospital also plans to implement e-commerce functionality
Firewalls are becoming an industry standard as they are so widely used by corporations.
Firewalls work by filtering out data coming in from external sources and only allows
specific authorised data through. For firewalls to work effectively the hospital must
create a policy which defines and classifies what data can be allowed through the firewall
and what data should be filtered out and denied. Also the firewall needs to be placed at
the point of external entry to the internal network. This is done so that all external data
will have to pass through the firewall before it can reach any other parts of the network,
otherwise the firewall would be useless. Firewalls are not full proof, but they are a
reliable and effective way to protect from most small attacks or unauthorised access.
The firewall policy that the hospital needs to create is to filter out most traffic and only
allow specific traffic through. An example would be that the hospital maintains a website,
therefore it would be required to allow HTTP access, also the hospital has a mail server,
therefore it would also be required to allow incoming mail through to the network. There
are both hardware and software based firewalls and both are effective when they are
configured properly. Hardware firewalls are more secure then software based ones, for
that reason implementing a hardware firewall over a software one would be beneficial.
Intrusion Detection System (IDS)
An IDS works by detecting unauthorised access and alarms the user of an intruder
accessing the network as well as logging and reporting the event. IDS usually work in
conjunction with firewalls as they can alert when the firewall may have failed allowing
an intruder into the system, therefore implementing an IDS along with a firewall can
provide a better security detection scheme
Email is an easy and convenient way of getting data/information from external sources
into the network. Attacks using email usually involve the email containing a virus or
worm of some sort which can cause all sorts of detrimental affects. As the hospital has
been already affected by virus infected emails this is one concern that can be addressed
by taking a few easy measures. As it is impossible to block all emails, all incoming mail
should go through a filtering program which will filter out all emails which are of
suspicious origin or content. The most effective solution would be for the hospital to
implement an up to date anti-virus program to scan all incoming email for virus or worms
before allowing them to reach the recipient.
Often web servers contain bugs or vulnerabilities that were not found during testing and
web servers often become the point of attack for many intruders or hackers. Once the web
server companies find out about these vulnerabilities, they provide patches or updates to
quickly fix these known problems. Therefore it is vital that the hospital keeps their web
server software up to date to fix any bugs or vulnerabilities.
As the hospital is soon to provide e-commerce functionality, it is important that these
transactions are encrypted. SSL would be a good choice to implement as it authenticates
both sides of the transaction and encrypts the data during the transaction. SSL is a trusted
industry standard and is widely used by commercial companies.
As doctors are using wireless connections to retrieve medical records, it is extremely
important that the data transmitted is protected. As wireless is more vulnerable to
interception is it vital that the proper security measures are put in place. To secure
wireless processes Wired Equivalent Privacy (WEP) should be implemented. WEP is part
of the 802.11b wireless standard and provides encryption of data. Also using a Virtual
Private Network (VPN) will increase the security for wireless applications as it provides
a secure link between access points. Also as many wireless networks need actual physical
structures outside it is important that these structures cannot be attacked or damaged as
this could prevent wireless applications from working properly if at all.
Unauthorised access could lead to many harmful things, one example for the hospital is
that patients medical records of patients could be stolen and sold to insurance companies.
Therefore it is important that the users of the system are authenticated and authorised to
access the network, therefore only allow users that require access. This may include
limiting users to accessing only selected parts of the network and granting others higher
access. Also make sure any previous access accounts or passes are disabled if they are not
needed as these could also lead to access points for attacks. It is also necessary to log all
accesses to the system to make sure all users are accounted for as any breach of access
could mean harm to patients and doctors.
The hospital’s database would be one of the most important systems to keep safe, as it
will be where most sensitive or valuable information is stored. Some general ideas which
could prevent the database from being tampered with would be the physical location of
the database and the security features of the operating system it’s running, although more
drastic measures need to be taken. Such as all sensitive data should be encrypted to some
All accesses to the database should be logged with all the important details such as the
user, parts of the database accessed, changes made, and the date/time accessed. These
details will be useful if there was any security breach or attack. Access control to
databases should also require user authentication as this will help prevent unauthorised
As the hospital traffic and e-commerce functions expand, load balancers would be very
beneficial. Load balancers provide the service of splitting up the load between servers
making the network more efficient. Not only does it even out the work load for servers it
also provides more reliability as proposed to only a single connection, as if a server is
down, using a load balancer the system would not halt, but will divert the load over to
other servers allowing the system to still run which improves the networks reliability
which is crucial for the hospital. Load balancers also provide more room for upgrades as
extra systems could be attached to the load balancers, which will divert the process
among all systems.
A router provides the service of directing data/information to the rightful recipient. By
implementing routers it makes the network more efficient when under load and can make
it easier for future upgrades or increases in network traffic.
L Web L App L Wireless L Mail
B Server B server B Server B Server
Mainframe Lan DB Server DB/Legacy