CIS-2011-N: Information Security Management Report on Security Threats
Added on 2022/08/21
Running head: INFORMATION SECURITY MANAGEMENT
INFORMATION SECURITY MANAGEMENT
Name of the Student
Name of the University
Author Note
Table of Contents
Introduction
Security Threats and Potential Vulnerabilities
Strengths and Weakness of the cryptographic elements
Literature review
Conclusion
References
Introduction
Mobile and web-based applications have become standard in the current market. The arrival of
end-to-end encryption and message authentication codes (MACs), together with multi-factor
authentication, has changed the general awareness of personal security and privacy practices.
This paper discusses the attacks that can be mounted on a system with security threats and
vulnerabilities. Digital evidence examined and tested from a smartphone can provide effective
information about activity that is criminal in nature. Messaging applications are now a widely
used technology and have become an important component of security and privacy (Zhu et al.
2014). The paper also describes the cryptographic elements along with their strengths and
weaknesses. It discusses the results of a test of 20 social-messaging applications on Android
devices, along with a tethering issue on the iPhone. Digital forensics is a methodology for
tracing the vulnerabilities of a device or network. The paper concludes with an overview of the
security threats and their prevention.
Security Threats and Potential Vulnerabilities
Replay attack: Any system with potential vulnerabilities and loopholes can attract attackers. In a
replay attack the attacker captures valid messages exchanged between two parties and retransmits
them later. From the receiver's end, the replayed messages appear to come from the legitimate
sender, perhaps sent twice by mistake. The attacker does not need to decrypt the captured
messages: because they were genuinely produced by the sender, they carry a valid signature or
MAC and pass the protocol checks and firewalls of the system (Costa-Pazo et al. 2016). The system
accepts the message, and the effect of the attack (for instance a payment instruction being
executed twice) is triggered by the receiver itself when it processes the message. End-to-end
encryption on its own does not stop a replay, since a replayed ciphertext decrypts exactly as the
original did; the protocol must also give every message a freshness value (a counter, nonce or
timestamp) that the receiver checks, so that a message already seen is rejected. In such a
protocol the messages are encrypted with cryptographic techniques at both the sender and the
receiver end (Espinoza et al. 2017), but a flaw in how the end-to-end protocol handles freshness
allows the attacker to mount a replay attack.
System loopholes: Almost all mobile applications, including Snapchat, Facebook and WhatsApp, use
an encrypted channel for transmitting messages; in practice this is HTTPS, that is HTTP over TLS
with a server certificate. The server-side storage of these applications is also encrypted. The
system therefore appears to be tightly packed with security controls (Peng et al. 2014). However,
a single loophole in the system can expose the user's privacy and information. Outside the large
multinational organisations, third-party websites and applications often do not use end-to-end
encryption because they have fewer resources. This creates a potential security hole: transport
encryption alone still leaves the plaintext readable on the provider's servers. Phishing attacks
can also be carried out by attackers against the users of such services.
Packet sniffing: Packet sniffing is an attack in which the attacker passively captures the traffic
exchanged between two or more parties, for example on a shared Wi-Fi network. Encryption is what
keeps the captured contents unreadable; a message authentication code (MAC) complements it by
protecting the integrity of the message, so that any alteration during transmission is detected
(Longo et al. 2018). The receiver recomputes the MAC over the received message and compares it
with the transmitted tag to confirm that the message is the original one. Systems and software
that do not use a MAC let an attacker who has sniffed the traffic modify or re-inject packets
without the change being noticed.
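The following Python example is added here to illustrate the replay and packet-sniffing threats
described above; it is not part of the original report. It builds a message carrying an
HMAC-SHA256 tag and a per-sender counter. A naive receiver that checks only the MAC catches a
message the sniffer has altered but accepts the same message played back; a receiver that also
requires a strictly increasing counter rejects the replay. The shared key, message bodies and
class names are constructed for the example.

```python
import hashlib
import hmac
import json

# Shared secret between sender and receiver, constructed for this example.
# A real deployment derives it from a key exchange and never hard-codes it.
SHARED_KEY = hashlib.sha256(b"constructed example shared secret").digest()


def tag(key: bytes, counter: int, body: str) -> bytes:
    """HMAC-SHA256 over counter || body, so neither field can be altered
    without the tag failing to verify."""
    data = counter.to_bytes(8, "big") + body.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).digest()


def send(key: bytes, counter: int, body: str) -> dict:
    """Build a wire message: body, monotonically increasing counter, tag."""
    return {"ctr": counter, "body": body, "tag": tag(key, counter, body).hex()}


class NaiveReceiver:
    """Verifies the MAC only: detects tampering, but accepts replays."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.accepted: list = []

    def mac_ok(self, msg: dict) -> bool:
        expected = tag(self.key, msg["ctr"], msg["body"])
        # compare_digest avoids leaking the tag through timing differences.
        return hmac.compare_digest(expected, bytes.fromhex(msg["tag"]))

    def receive(self, msg: dict) -> bool:
        if not self.mac_ok(msg):
            return False            # forged or modified in transit
        self.accepted.append(msg["body"])
        return True


class FreshReceiver(NaiveReceiver):
    """Verifies the MAC and also requires a strictly increasing counter,
    so a captured message cannot be played back."""

    def __init__(self, key: bytes) -> None:
        super().__init__(key)
        self.last_ctr = -1

    def receive(self, msg: dict) -> bool:
        if not self.mac_ok(msg):
            return False            # forged or modified in transit
        if msg["ctr"] <= self.last_ctr:
            return False            # replayed (or stale) message
        self.last_ctr = msg["ctr"]
        self.accepted.append(msg["body"])
        return True


def demo() -> dict:
    """Run a sniffed message, its replay and a tampered copy through both
    receivers; return what each one accepted."""
    original = send(SHARED_KEY, 1, "transfer 100 to alice")
    replay = dict(original)                                    # sniffed, resent verbatim
    tampered = dict(original, body="transfer 100 to mallory")  # body edited, old tag kept

    results = {}
    for name, rx in (("naive", NaiveReceiver(SHARED_KEY)),
                     ("fresh", FreshReceiver(SHARED_KEY))):
        results[name] = {
            "original": rx.receive(original),
            "replay": rx.receive(replay),
            "tampered": rx.receive(tampered),
            "accepted": list(rx.accepted),
        }
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The counter is bound into the MAC, so the attacker cannot simply bump it on a captured message;
in practice the counter state must survive restarts on the receiver, otherwise the window of
replayable messages reopens after every reboot.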
Lack of forward secrecy: Forward secrecy is a property of an encryption system that prevents an
attacker from decrypting a user's old messages even after obtaining the user's long-term private
key. It is achieved by generating a fresh key for each session of a conversation; these keys are
called ephemeral keys and are discarded after use (Xiong et al. 2017). Without forward secrecy the
system is vulnerable: messages collected and stored, for example in a database or a network
capture, can all be decrypted later by an attacker who obtains both the stored messages and the
user's private key.
Strengths and Weakness of the cryptographic elements
MAC: Message authentication codes are commonly built from cryptographic hash functions (as in
HMAC) or from block ciphers, and their strength follows from those primitives. The hash function
embedded in the mechanism preserves the integrity of the data, so a modification is detected
rather than silently accepted. The construction makes proper use of the secret key and is
supported by cryptanalytic proofs of its authentication security (Naito 2015). Hence the strength
of the MAC depends on the hash function (or cipher) underlying the mechanism. On the other hand, a
MAC built as a single block-cipher chain (plain CBC-MAC) is secure only for messages of one fixed
length and can be forged for variable-length messages unless the construction is extended; a MAC
also provides no confidentiality, so it must be combined with encryption.
Forward secrecy: Forward secrecy has the strength of preventing attackers from decrypting past
messages even after they obtain the long-term private keys. Session-based (ephemeral) keys are
used to implement forward secrecy for the messages (You et al. 2017). On the other hand, its
weakness is that perfect forward secrecy is not easy to achieve: it requires a key exchange, such
as ephemeral Diffie-Hellman, for every session, which costs extra computation and round trips,
and it protects only the traffic sent before a compromise, not the traffic sent afterwards.
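The following Python example is added here to illustrate the "lack of forward secrecy" threat
discussed earlier and the strength and weakness listed above; it is not part of the original
report. It simulates both designs: a static key encrypts every message, while a hash ratchet
derives a fresh key per message and discards it, which generalises the per-session ephemeral key
to a per-message one as modern messaging ratchets do. Real systems use ephemeral Diffie-Hellman
and an authenticated cipher; here the ratchet is built from HMAC and the stream cipher from
SHA-256 only so that the example runs with the standard library, and both are toy constructions.
The root key and messages are constructed for the example.

```python
import hashlib
import hmac
from typing import List, Tuple

ROOT_KEY = hashlib.sha256(b"constructed example root key").digest()
MESSAGES = [b"meet at 10", b"bring the files", b"use the side entrance"]


def xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || block index).
    It stands in for a real AEAD; only the key handling matters here."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def ratchet(chain_key: bytes) -> Tuple[bytes, bytes]:
    """One step of a symmetric hash ratchet: derive this message's key and
    the next chain key under distinct labels. The step is one-way, so an
    old chain key cannot be recovered from a newer one."""
    message_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    return message_key, next_chain


def encrypt_static(key: bytes, msgs: List[bytes]) -> List[bytes]:
    """No forward secrecy: one long-lived key for every message."""
    return [xor_keystream(key, m) for m in msgs]


def encrypt_ratcheted(chain_key: bytes, msgs: List[bytes]) -> Tuple[List[bytes], bytes]:
    """Forward secrecy: a fresh key per message, then the key is discarded.
    Returns the ciphertexts and the chain key left on the device."""
    cts = []
    for m in msgs:
        message_key, chain_key = ratchet(chain_key)
        cts.append(xor_keystream(message_key, m))
    return cts, chain_key


def attacker_reads(cts: List[bytes], stolen_key: bytes, ratcheted: bool) -> List[bytes]:
    """What an attacker who later steals `stolen_key` from the device gets
    when trying it against previously captured ciphertexts."""
    if not ratcheted:
        return [xor_keystream(stolen_key, c) for c in cts]
    # The attacker only holds the *current* chain key and can step it
    # forward, never backward, so none of the derived keys fits an old message.
    recovered, key = [], stolen_key
    for c in cts:
        message_key, key = ratchet(key)
        recovered.append(xor_keystream(message_key, c))
    return recovered


def demo() -> dict:
    static_cts = encrypt_static(ROOT_KEY, MESSAGES)
    ratchet_cts, current_chain = encrypt_ratcheted(ROOT_KEY, MESSAGES)

    # Device compromised *after* the three messages were sent and captured.
    static_leak = attacker_reads(static_cts, ROOT_KEY, ratcheted=False)
    ratchet_leak = attacker_reads(ratchet_cts, current_chain, ratcheted=True)

    # Caveat: forward secrecy says nothing about traffic *after* the
    # compromise; the stolen chain key still decrypts the next message.
    later = [b"tomorrow, same time"]
    later_cts, _ = encrypt_ratcheted(current_chain, later)
    later_leak = attacker_reads(later_cts, current_chain, ratcheted=True)

    return {
        "static_old_messages_read": static_leak == MESSAGES,
        "ratchet_any_old_message_read": any(r == m for r, m in zip(ratchet_leak, MESSAGES)),
        "ratchet_later_message_read": later_leak == later,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last result is the weakness noted above: forward secrecy protects the past, not the future.
Recovering after a compromise needs a fresh key exchange that mixes in new randomness, which a
pure hash ratchet cannot provide.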
End-to-end encryption: The strength of end-to-end encryption is commonly measured by the size of
the key. A 128-bit symmetric key is the standard minimum, and encryption with keys below 128 bits
is not considered strong (Borcea et al. 2017). Larger keys give higher security and stronger
encryption, and the time needed to break a large key by brute force is impractically high. The
main weakness of end-to-end encryption is that it protects data only in transit between the two
endpoints: the plaintext exists on both devices and is not protected at rest, for example in a
local message database, unless the device separately encrypts its storage.
Private key encryption: In symmetric-key cryptography a single private (secret) key is shared by
the communicating parties and used for both encryption and decryption. With a key of adequate
length it resists brute-force attacks: the time and computational power needed to try every key
are very high (Lozupone 2018), whereas generating the key and encrypting with it require little
computation. The one-time pad is the extreme case: a truly random key as long as the plaintext,
combined with it once and never reused, cannot be broken at all. The main weakness of this kind of
encryption is that the private key must be shared between the users before the receiver can
decrypt the sender's messages. The sharing of the key must itself be done in a secure way;
sometimes this requires the users to exchange it face to face.
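The following Python example is added here and is not part of the original report. It shows the
one-time pad mentioned above together with the failure mode a practitioner must guard against.
The pad comes from the operating system's random generator; carrying it to the receiver over a
channel the attacker cannot read is exactly the key-sharing problem described in the paragraph.
Encrypting two messages under the same pad cancels the pad out, so knowledge of one plaintext
reveals the other. The messages are constructed for the example.

```python
import os


def otp_encrypt(pad: bytes, plaintext: bytes) -> bytes:
    """One-time pad: XOR the message with a uniformly random pad of the
    same length. Decryption is the same operation."""
    if len(pad) != len(plaintext):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(k ^ p for k, p in zip(pad, plaintext))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def new_pad(length: int) -> bytes:
    """Fresh pad from the OS CSPRNG. Getting this pad to the receiver over a
    channel the attacker cannot read is the key-sharing problem; the pad
    must be destroyed once it has been used."""
    return os.urandom(length)


def two_time_pad_attack(ct1: bytes, ct2: bytes, known_pt1: bytes) -> bytes:
    """If one pad encrypted two messages, ct1 XOR ct2 == pt1 XOR pt2: the pad
    cancels out, and knowing (or guessing) pt1 yields pt2 directly."""
    return bytes(a ^ b ^ k for a, b, k in zip(ct1, ct2, known_pt1))


def demo() -> dict:
    # Constructed messages, padded with spaces to the same length.
    m1 = b"meet me at the bridge"
    m2 = b"password is hunter2".ljust(len(m1), b" ")
    pad = new_pad(len(m1))

    # Correct use: one pad, one message.
    c1 = otp_encrypt(pad, m1)
    roundtrip = otp_decrypt(pad, c1) == m1

    # A fresh pad gives an unrelated ciphertext for the same message.
    fresh_differs = otp_encrypt(new_pad(len(m1)), m1) != c1

    # Misuse: the operator reuses the pad for a second message. An attacker
    # who captured both ciphertexts and knows m1 reads m2 without the pad.
    c2 = otp_encrypt(pad, m2)
    recovered = two_time_pad_attack(c1, c2, m1)

    return {
        "roundtrip": roundtrip,
        "fresh_pad_differs": fresh_differs,
        "reuse_leaks_second_message": recovered == m2,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The attack needs no computation worth the name, which is why real systems never reuse key stream:
the same XOR cancellation breaks a stream cipher or a counter-mode block cipher whose nonce is
repeated under one key.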
Literature review
It has been seen that mobile messaging applications such as Facebook and WhatsApp are very
popular platforms around the world. Husain and Sridhar's study on the iPhone tested these apps,
which had started as PC web versions of the platforms and were later ported from the PC to mobile
phones; they examined the traces these applications leave on the iPhone. WhatsApp was the first
social media application to offer end-to-end encryption. Anglano's analysis shows that most social
media applications use the same kind of encryption today. The mobile phone has become more
popular and is given priority over the computer (Walnycky et al. 2015). Hence attackers have also
shifted their target from computers to mobile phones. An example of a mobile attack is given by
Damopoulos, who caused the tethering hotspot of an iPhone to malfunction and thereby exposed the
data of the other devices connected to it. Mobile phones use security and privacy features such
as HTTPS and multi-factor authentication to protect user privacy. End-to-end encryption has been
adopted by popular applications such as LINE, Viber and Facebook after WhatsApp. It was found
that LINE version 6.7.1 was vulnerable to a replay attack because its end-to-end encryption lacked
forward secrecy (Espinoza et al. 2017). New and emerging systems and technologies are important
contributions to an existing problem. According to Walnycky, only Snapchat, Tinder, Wickr and
BBM, out of a list of 20 social-messaging mobile applications, had their network traffic
configured with HTTPS and certificates (Walnycky et al. 2015); packet sniffing against these
applications was therefore not possible.
The lack of end-to-end encryption in some applications was due to a lack of resources. The
thumbnail of the profile picture shown during advertisements in these applications was
transmitted as unencrypted content. Current mobile technology has seen a malware trend and its
growth on mobile devices. One paper shows that 1414 vulnerabilities were found on Android devices
across 50+ paid applications and 50 free applications (Walnycky et al. 2015). The vulnerabilities
found can attract attackers to account hijacking, spoofing, unsolicited messages, packet sniffing
and the like, even though the smartphone stores the majority of a user's personal information.
Most people do not read the security and privacy policies of applications before allowing them
access to their location, SMS, phone dialler, storage and so on. Many applications transmit
location using Google Maps and related services, and images sent through textMe, Viber and
MessageMe could be reconstructed from captured traffic by a third person. Telegram, on the other
hand, provides an option for an end-to-end encrypted chat (Candra, Kurniawan and Rhee 2016).
Conclusion
Forensic analysis of mobile applications gives a better understanding of both the network traffic
and the server storage. It is easy for an attacker on a public Wi-Fi network to capture the
personal communications of the users connected to the same network. Much of the data sent or
received through mobile applications is not encrypted end to end. Where it has been adopted,
end-to-end encryption has helped greatly to protect message transmission between users. The paper
has explained the strengths and weaknesses of the cryptographic elements along with their use in
preventing security threats and vulnerabilities.
References
Borcea, C., Polyakov, Y., Rohloff, K. and Ryan, G., 2017. PICADOR: End-to-end encrypted
Publish–Subscribe information distribution with proxy re-encryption. Future Generation
Computer Systems, 71, pp.177-191.
Candra, A., Kurniawan, Y. and Rhee, K.H., 2016, October. Security analysis testing for secure
instant messaging in android with study case: Telegram. In 2016 6th International Conference
on System Engineering and Technology (ICSET) (pp. 92-96). IEEE.
Costa-Pazo, A., Bhattacharjee, S., Vazquez-Fernandez, E. and Marcel, S., 2016, September. The
replay-mobile face presentation-attack database. In 2016 International Conference of the
Biometrics Special Interest Group (BIOSIG) (pp. 1-7). IEEE.
Espinoza, A.M., Tolley, W.J., Crandall, J.R., Crete-Nishihata, M. and Hilts, A., 2017. Alice and
Bob, who the FOCI are they?: Analysis of end-to-end encryption in the LINE messaging application.
In 7th USENIX Workshop on Free and Open Communications on the Internet (FOCI 17).
Longo, E., Redondi, A.E. and Cesana, M., 2018, June. Pairing Wi-Fi and Bluetooth MAC
addresses through passive packet capture. In 2018 17th Annual Mediterranean Ad Hoc
Networking Workshop (Med-Hoc-Net) (pp. 1-4). IEEE.
Lozupone, V., 2018. Analyze encryption and public key infrastructure (PKI). International
Journal of Information Management, 38(1), pp.42-44.
Naito, Y., 2015, November. Full PRF-secure message authentication code based on tweakable
block cipher. In International Conference on Provable Security (pp. 167-182). Springer, Cham.
Peng, C., Li, C.Y., Wang, H., Tu, G.H. and Lu, S., 2014, November. Real threats to your data
bills: Security loopholes and defenses in mobile data charging. In Proceedings of the 2014 ACM
SIGSAC Conference on Computer and Communications Security (pp. 727-738).
Walnycky, D., Baggili, I., Marrington, A., Moore, J. and Breitinger, F., 2015. Network and
device forensic analysis of android social-messaging applications. Digital Investigation, 14,
pp.S77-S84.
Xiong, L., Peng, D., Peng, T., Liang, H. and Liu, Z., 2017. A lightweight anonymous
authentication protocol with perfect forward secrecy for wireless sensor
networks. Sensors, 17(11), p.2681.
You, W., Shi, G., Chen, X., Qi, J. and Qing, C., 2017, December. Research on a hybrid system
with perfect forward secrecy. In 2017 IEEE 2nd Information Technology, Networking,
Electronic and Automation Control Conference (ITNEC) (pp. 1783-1787). IEEE.
Zhu, H., Xiong, H., Ge, Y. and Chen, E., 2014, August. Mobile app recommendations with
security and privacy awareness. In Proceedings of the 20th ACM SIGKDD international
conference on Knowledge discovery and data mining (pp. 951-960).