• Log In
  • Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar

Security Architecture

MIS 5214 - Section 001 - David Lanter

Security Architecture

MIS 5214.702 ■ Spring 2021 ■ Wade Mackey
  • Homepage
  • Instructor
  • Syllabus
  • Schedule
    • First Half of the Semester
      • Unit 01 – Threat Environment
      • Unit 02 – System Security Plan
      • Unit 03 – Planning and Policy
      • Unit 04 – Cryptography
      • Unit 05 – Secure Networks
      • Unit 06 – Firewalls
      • Unit 07 – Mid-Term Exam
    • Second Half of the Semester
      • Unit 08 – Access Control
      • Unit 9 Host Hardening
      • Unit 10 Application Security
      • Unit 11 Data Protection
      • Unit 12 – Incident and Disaster Response
  • Deliverables
    • Assignments
    • Case Studies
      • Case Study 1 – A High Performance Computing Cluster Under Attack: The Titan Incident
      • Case Study 2 – Cyberattack: The Maersk Global Supply-Chain Meltdown
    • Participation
    • Team Project
  • Harvard Coursepack
  • Gradebook

My question to discuss with my classmates

February 3, 2021 by Wade Mackey 40 Comments

Filed Under: 04 - Cryptography Tagged With:

Reader Interactions

Comments

  1. Taylor Trench says

    February 3, 2021 at 2:36 pm

    Do you foresee a different security measure overtaking cryptography? Or do you think cryptography will simple evolve further? Do you believe we will reach a point in which we cannot advance our internet security measures?

    Log in to Reply
    • Nicholas Fabrizio says

      February 9, 2021 at 9:20 am

      I do think for the foreseeable future that cryptography will just evolve and with our computing power getting better every year the standard encryption key length will just get longer. However, I’ve read some articles in the past discussing how Blockchain could be used in the future to help secure messages, prevent denial of service attacks, and much more.

      Log in to Reply
  2. Nicholas Fabrizio says

    February 4, 2021 at 4:54 pm

    What are the benefits of having a security control baseline?

    Log in to Reply
    • To-Yin Cheng says

      February 8, 2021 at 1:09 pm

      It can provide safe guidance for the company to evaluate the risk. ensures the confidentiality, integrity, and availability (CIA) of critical system resources. It helps to system categorized the import of risk as high, moderate, and low which can help the company to prioritize the relevant control and decision making.

      Log in to Reply
    • Christa Giordano says

      February 8, 2021 at 8:21 pm

      Hi Nicholas,
      The security control baseline provides the starting point of the minimum control coverage for a system based on the identified security category and impact level (low, moderate, and high) for that system. The security control baseline can also be tailored based on the organization’s need and consider factors such as risk assessment results, identification of common controls, scoping considerations, and compensating controls selected. Once the security control baselines are in place, additional controls can be added as needed or existing controls can be enhanced or strengthened.

      Log in to Reply
  3. Charlie Corrao says

    February 6, 2021 at 5:46 pm

    The textbook mentioned that they key issue with Cryptography is human error. What are some things that employees can do to combat this? Or is human error in cryptography inevitable?

    Log in to Reply
    • To-Yin Cheng says

      February 8, 2021 at 2:20 pm

      I believe the most effective way to avoid human error is to set up an automated solution to prevent security attacks. It can have better control of how security policies are implemented for all encrypted communications and comprehensive monitor the system.

      Log in to Reply
    • Jonathan Mettus says

      February 9, 2021 at 6:54 am

      Reducing human error comes down to training and being aware of human tendencies. The examples the book mentioned in cryptography came down to people using the same greetings over and over. As far as I know, this would have been a known issue at the time and best practices were not followed. But also one of the biggest issues would be divulging the key to someone else, like if the user has it written down in plaintext somewhere. You can try to reduce human error, but it is inevitable to a certain extent. At the end of the day, humans are the ones using the systems or the ones that programmed and designed them.

      Log in to Reply
    • Quynh Nguyen says

      February 9, 2021 at 1:54 pm

      To combat human error, companies has to start at the source by hiring the right candidates that are detail oriented and qualified. Next, training has to be improved to reduce human error. Finally, cryptography should be automated, a code should be created that follows a formula to automatically encrypt the message. For example, when we enter our passwords for log-in, most websites encrypt it automatically.

      Log in to Reply
  4. Quynh Nguyen says

    February 7, 2021 at 1:59 am

    Why is an RC4 key length of 40 bits commonly used and is it a strong key to use?

    Log in to Reply
    • Megan Hall says

      February 8, 2021 at 4:41 pm

      The RC4 key length was commonly used because of export restrictions. The United States and other countries did not allow greater than 40 bits to be used so they could allow the governments to crack the keys if needed. That being said, it is not a strong key to use, and given the right software tools, could be cracked in minutes.

      Log in to Reply
  5. Lakshmi Surujnauth says

    February 7, 2021 at 6:39 am

    Why might a CA revoke a digital certificate?

    Log in to Reply
    • Xiduo Liu says

      February 7, 2021 at 3:47 pm

      Compromised private key.

      Log in to Reply
    • To-Yin Cheng says

      February 8, 2021 at 1:28 pm

      If a CA found out the certificate is forged or if the private key is revealed, the certificate will be revoked and added to the Certificate Revocation List (CRL). Changing the owner of the certificate or update the certificate might also let CA revokes the certificate and reissue a new one.

      Log in to Reply
    • Quynh Nguyen says

      February 9, 2021 at 2:00 pm

      A CA might revoke to a digital certificate if it is found to be compromised by someone claiming to be the sender. Or if the private key has been exposed. Once a digital certificate has been exposed it is safe to use for encryption.

      Log in to Reply
  6. Mitchell Dulaney says

    February 7, 2021 at 11:40 am

    Can an organization have “too much” encryption? Is there any situation where implementing additional encryption methods might do more harm than good?

    Log in to Reply
    • Xiduo Liu says

      February 7, 2021 at 3:53 pm

      Speed or latency is what came to me first. Additional encryption, or even longer keys will result in an exponentially longer time to decrypt. Organizations that employ hardware and software to conduct DPI (Deep Packet Inspections) will need to take this into account, Packets will require decryption, and re-encryption post the inspection. Therefore longer keys might increase the latency and some organizations have a low tolerance for latency.

      Log in to Reply
  7. Christa Giordano says

    February 7, 2021 at 11:56 am

    The use of external service providers for information systems services are becoming a necessity for many organizations. What are the security concerns related to using an external service provider and how can these be mitigated? What has been your experience with external service providers at your organization?

    Log in to Reply
    • Megan Hall says

      February 8, 2021 at 4:48 pm

      My greatest concern related to using an external service provider is that the organization using the service provider has no direct control over security, but they are still responsible for the risks that are incurred by the activities outsourced. Not only that, but so many third parties use their own third parties, so it becomes even more challenging to not only control but monitor security risks. The other concern I would have would be in the case of a security incident, what would happen if the responsibilities related to research, investigation, notification were not clear? It would be really easy for the different parties to blame each other and for the right actions to not be taken because the parties are not clear who is supposed to do what. The contract is going to be the best way to manage the risk, and making sure there are provisions for data protection, for incident response, and for audit (if applicable) is necessary. This means IT and information security need to be involved up front before an engagement is entered into with an outsourced provider. In my experience, my organization uses a lot of external service providers (as is common in banking) and we do a lot of monitoring and oversight of our critical information systems service providers, assess specific risks, and have controls around the greatest risks that we’ve identified. We also get SOC reports and penetration tests sent to us each year and review them in detail to determine if there are any concerns that we should be aware of.

      Log in to Reply
  8. Jonathan Mettus says

    February 7, 2021 at 2:32 pm

    Should the government be able to force companies, such as Google or Apple, to build backdoors into the encryption of their devices, software, applications, etc. for law enforcement to access user data with a court order?

    Log in to Reply
    • Xiduo Liu says

      February 7, 2021 at 4:01 pm

      No. When you build it. It will be leaked. Just like the alleged CIA hacking arsenal exposed known as the “Vault7 dump” released by WikiLeaks. It’s not the tools or the policies that had imperfections, the human is still the weakest link in security. Someone will leak and expose the “backdoors”. Because there’s always money to be made. Therefore it is an organization’s best interest to no have any “backdoors”.

      Log in to Reply
      • Nicholas Fabrizio says

        February 8, 2021 at 8:41 am

        Xiduo,

        I agree with you and if those tools got leaked it would cost companies like Google and Apple a lot of money to create a patch, a new backdoor for government agencies to use, and they will also get a bad reputation which may impact selling devices to future customers.

        Log in to Reply
  9. Xiduo Liu says

    February 7, 2021 at 3:47 pm

    With computing power continues to increase and the breakthrough in quantum computing, current encryption will eventually be broken. What other possible ways to conduct authentication and authorization?

    Log in to Reply
    • Wei Liu says

      February 8, 2021 at 7:11 pm

      Hi Xiduo, Good point. Today, key length of about 100 bits are considered strong, but businesses need a longer key in the future to remain secure in the face of ever-increasing computer speed. Based on Moore’s Law (overall processing power for computers will double every two years), the processing speed of microprocessors will be 15 times faster in 30 years.

      Log in to Reply
    • Christa Giordano says

      February 8, 2021 at 8:04 pm

      Hi Xiduo,
      Other ways to conduct authentication and authorization include biometric screening, voice recognition, and facial recognition. Biometric screening includes fingerprint scans and iris scans. Voice recognition takes note of the tone, inflection and other characteristics of an individuals voice. Facial recognition involves a scan of the face and and identifying facial characteristics are used for identification purposes. Facial recognition can be very sensitive. We piloted facial recognition in my organization and the software initially was very sensitive, for example it did not recognize an employee when he shaved his beard, but the setting can be adjusted. While these methods are not perfect, they do serve as an alternative means for authentication but would be best served if combined in a dual or triple authentication approach. If the current encryption is broken, then the fall back could be biometric, facial, voice, combined with secure token or RFID badge technology to name a few.

      Log in to Reply
  10. To-Yin Cheng says

    February 7, 2021 at 4:16 pm

    Since VPN is so secure, why not everybody is using it? What is the disadvantage of VPN?

    Log in to Reply
    • Michael Doherty says

      February 7, 2021 at 4:46 pm

      I think this is a good question, May organizations are using VPN to connect to their network, Does this bring added security concerns if the home users network is corrupted?

      Log in to Reply
    • Christa Giordano says

      February 8, 2021 at 7:52 pm

      Hi To-Yin,
      As with anything the organization must perform the cost benefit analysis as well as risk determination. One reason that might deter an organization from using VPN is that there can be performance and availability issues. The network can slow down, the connection can be spotty, or disconnect completely, especially in the current environment when so many people are working from home and stressing the network.

      Log in to Reply
    • Elias Harake says

      February 8, 2021 at 10:38 pm

      Great question To-Yin. I was actually wondering that same thing. I think that many people are not aware of what VPN is. Another reason is that most VPN providers are not free and require the user to pay a subscription or one-time fee in order to use their VPN for an extended time. The disadvantage of VPN is that it can slow down your internet connection. In addition, VPNs can potentially block a user access to websites such as Netflix and Pandora. I also read that some free VPN providers may sell your internet history to third parties., so be careful which VPN provider you do decide to use.

      Log in to Reply
    • Quynh Nguyen says

      February 9, 2021 at 2:11 pm

      VPN can still be susceptible to man-in-the-middle attacks, and are at risk because employees connect via their home networks, which may not have the appropriate security software to protect the connection. VPN connections can be weak depending on what network strength each employee has at home. There is also the disadvantage of employees being able to work anywhere, meaning public wifi at libraries, coffee shops, restaurants, etc. that may be vulnerable to hackers.

      Log in to Reply
  11. Michael Doherty says

    February 7, 2021 at 4:45 pm

    What is a plan that you would implement in case one of the phases of the SDLC is skipped during the security and privacy assessments.

    Log in to Reply
    • Wei Liu says

      February 8, 2021 at 7:30 pm

      Hi Michael, This is a good question. SDLC could help us find specific needs for different users but there are some advantages of developing programs with SDLC skipped. One of the advantages is program development will be much faster when programmers creating the workflow instead of going through a lot of user inputs and requirements.

      Log in to Reply
  12. Megan Hall says

    February 7, 2021 at 4:53 pm

    NIST SP 800-53 discusses two approaches for identifying when additional security controls may be needed: the requirements definition approach and the gap analysis approach. Are there any scenarios you can think of where you might want to use one approach over the other?

    Log in to Reply
  13. Christopher Clayton says

    February 7, 2021 at 5:17 pm

    Can cryptography be combined with another type of secured technique?

    Log in to Reply
  14. Wei Liu says

    February 7, 2021 at 8:47 pm

    Symmetric or Asymmetric encryption? why?

    Log in to Reply
    • Charlie Corrao says

      February 8, 2021 at 7:27 pm

      I think this varies depending on the situation. If you rely on the transaction remaining secure, asymmetric encryption is the correct answer. The drawback to asymmetric is the increased costs and complexity, but in a majority of situations, the cost of implementing asymmetric encryption will be less than the cost of the data being passed over being compromised

      Log in to Reply
  15. Panayiotis Laskaridis says

    February 7, 2021 at 11:01 pm

    Is there any sensitive data that shouldn’t be encrypted for any sort of reason? Financial reasons aside, could there be any information out there that is safer without it?

    Log in to Reply
    • Charlie Corrao says

      February 9, 2021 at 10:32 am

      I’m not sure if I can think of any data that should not be encrypted, but data needs to be encrypted well if you are going to the trouble of encrypting it. For example, if a company uses the same key for all of their databases, they are setting themselves up for failure. If that key is exposed, then the entire system is at risk. Like I said, I cannot think of an example of data that should never be encrypted, but one of the disadvantages of encryption is the processing speed. It slows the processing way down, which also takes up bandwidth on the network. Overall, I would lean towards encryption being considered for all data.

      Log in to Reply
  16. Elias Harake says

    February 7, 2021 at 11:39 pm

    The security trend seems to be longer and more complex keys for better encryption. How will longer keys impact computer processors or servers with keys longer than 2048 bits keys?

    Log in to Reply
    • Nicholas Fabrizio says

      February 9, 2021 at 8:42 am

      The longer and more complex a key length is the more difficult it is for computers to crack the key, which makes it more secure. However, the downside to this is the computer that needs to decrypt the key will require more resources. If an excessive amount of CPU resources are being used to decrypt the key then this can make the machine run more slowly which can impact productivity.

      Log in to Reply

Leave a Reply Cancel reply

You must be logged in to post a comment.

Primary Sidebar

Weekly Discussions

  • 01 – Introduction (3)
  • 01 – Threat Environment (5)
  • 02 – System Security Plan (5)
  • 03 – Planning and Policy (7)
  • 04 – Cryptography (6)
  • 05 – Secure Networks (7)
  • 06 – Firewalls (5)
  • 08 – Access Control (7)
  • 09 – Host Hardening (4)
  • 10 – Application Security (5)
  • 11 – Data Protection (3)
  • 12 – Incident and Disaster Response (4)
Fox School of Business

Copyright © 2025 · Course News Pro on Genesis Framework · WordPress · Log in