NSTISS (The National Security Telecommunications and Information Systems Security Committee)
determines a standard model for security called the NSTISSC model that relates between the three
proposed security pillars (Confidentiality, Integrity, Availability), security solutions (Policy, Technology,
SETA) and information states (Storage, Processing, Transmission) and how to assign the pillars for
any information state and by which solution at what point.[1]
Fig: NSTISSC Security Model [2]
The basic objective of NSTISSC model is to secure data in 3 probable ways:
Using security services.
maintaining Information states
setting security counter measures
NSTISSC Model Activity model for University Security
Storage Processing Transmission
Confidentiality
Policy
Education
Technology
Policy
Integrity
Education
Technology
Policy
Availability
Education
Technology
1
4
7
2
5
8
3
6
9
10
13
16
11
14
17
12
15
18
19
22
25
20
23
26
21
24
27
1. Confidentiality-Policy and Storage
In this Process the University has certain Policies and Guide lines to an Enrolled student and Staffs
.All the relevant data associated is kept confidential only accessible to authorized personal only and a
secure storage solution is provided by the University to safeguard its and students data.
E - Security
�2. Confidentiality-Policy and Processing
In this Process an authorised personal is appointed to process datas whenever required. That
personal has to maintain Confidentiality of data and work according to university policies. The
example for it can be submission of Assignment Electronically which is meant for lecturer only.
3. Confidentiality-Policy and Transmission
In the Process only keeping data Confidential and personal working under policies is not enough as a
secure medium is required for transmission of that data when a user request to access .The
University is required to use all necessary measures to secure a transmission.
4. Confidentiality-Education and Storage
Only a particular student enrolled in particular subject should get the subject materials of enrolled
subject .That is use of educational data and storage of material should be kept confidential for the
actual students not all.
5. Confidentiality-Education and Processing
The lecturer needs to update slides or educational materials constantly update any new materials and
sent to the particular subject enrolled students
6. Confidentiality-Education and Transmission
Data and information related to the subject be kept secure by applying a range of measures like only
enrolled students attend classes as card swap will only open lecture room doors.
7. Confidentiality-Technology and Storage
The Use of database system to store and transfer data to only students that are to use.
8. Confidentiality-Technology and Processing
Advance processing system as speech to text collects data and store in the university database. This
method maintains confidentiality as system automatically integrates data from one to other form.
9. Confidentiality-Technology and Transmission
The use of optical fibre to transfer data between terminals decreases chances of data being stolen,
corrupt Similarly using cryptography in transmission insures secure data.
10. Integrity-Policy and Storage
Data to be uploaded in the electronic format, lecturer and the university personal should check the file
s for corrupted or damaged. The policy to upload files should be maintained.
11. Integrity-Policy and Processing
Processing should be done by personal that is aware of university policies and is knowledgeable
enough not to do mistake in data while processing.
12. Integrity -Policy and Transmission
The correct electronic data is accessible to students at particular time using wire or wireless method.
13. Integrity -Education and Storage
E - Security
�The lecture r provides up to date data on university database for students to use it without any
mistakes on information they get.
14. Integrity -Education and Processing
Educational data and material while processing should not be altered and checked before finalizing
upload to system.
15. Integrity -Education and Transmission
Only the accurate and useful data be uploaded to student database as no incorrect data lead to
problem in university.
16. Integrity -Technology and Storage
The subject materials related to particular subject is stored in university database system after being
checked and verified as correct and useful to students.
17. Integrity Technology and Processing
Some system or software is used to check uploading data for its authenticity.
18. Integrity -Technology and Transmission
The data on university network should be correct and not misleading and be available only after
finalizing its integrity of use.
19. Availability-Policy and Storage
The university students should get the data any time form university database .The data should
comply with all the rules and policies set by university.
20. Availability-Policy and Processing
The data on university system should be allowed to be edited by a responsible person whenever
some issues are found on available data.
21. Availability-Policy and Transmission
Change in data by lecturer on their subject should be immediately available to use by students and
should not violate any rules and policies.
22. Availability-Education and Storage
Material stored in university database need to be updated and ready to use by student at any moment
23. Availability-Education and Processing
If any changes are to be made in lecture slides or any data. Authorized personal need to access it
and ready to be used.
24. Availability Education and Transmission
Always ready to use data should be in system so that students can utilize and download whenever
they require.
25. Availability-Technology and Storage
E - Security
�26. Availability-Technology and Processing
27. Availability-Technology and Transmission
All necessary documents need to be accessible to students and lecturer to download or modify based
on privileges at any time they want.
Kevin David Mitnick is an American computer security consultant, author and most wanted
hacker on US Marshalls list. In 1999, he was convicted of numerous computer and
communications-related crimes. When he was arrest, he was the most-wanted computer criminal
in the world. He leads a security firm named Mitnick Security Consulting, LLC that helps testing
security related activities within companies, and is Chief Hacking Officer of a security awareness
training company called KnowBe4.[3]
Once known as the Worlds Most Wanted social engineer and computer hacker. One doesnt acquire
a title like that nor an accompanying prison sentence for vanilla exploits. While in Federal custody,
authorities even placed Mitnick in solitary confinement; reportedly, he was deemed so dangerous that
if allowed access to a telephone he could start a nuclear war by just whistling into it. [3]
After publicized pursuit, FBI arrested Mitnick on February 15, 1995, North Carolina, charged with
federal offenses related to a 2-year period of computer hacking. Later Mitnick confessed to some
counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire
communication. He was sentenced to 46 months in prison plus 22 months for violating the terms of
his 1989 supervised release sentence for computer fraud. He admitted to violating the terms of
supervised release by hacking into PacBell voicemail and other systems and to associating with
known computer hackers, in this case co-defendant Lewis De Payne. [3]
Mitnick always said that he was a social Engineer rather than a hacker as he never used the data he
got to exploit any company or use any source codes to gain money. He always insists he was doing it
as per his interest to computer and find faults and limitations within the system .One should agrees
with Mitnick, as its for certain, he has brought many very important issues to heightened public
awareness and how venerable data can be and how simple tricks can be used to exploit systems.[5]
In a 2005 phone interview with CNN, Mitnick said "hacking is a skill that could be used for criminal
purposes or legitimate purposes, and so even though in the past I was hacking for the curiosity, and
the thrill, to get a bite of the forbidden fruit of knowledge, I'm now working in the security field as a
public speaker" [4]
His early work was to hack into telephone system computers. He would interact with them with his
voice and control them by touch tone. He was able to interface his ham radio with the telephone
system and then dial into computers and access them through the touch-tone pad.
Many security experts have argued in his favor for showing different paths for security loopholes.
Must argue he never did anything that was harmful and disastrous or that caused any panic. Nor he
E - Security
�did destroy any files or steal any money. Most agree he was punished severely and unusually, for
things he did not do; it just gave hacking, an innocent activity, a very bad name"[6]
He has been of great importance in identifying and helping to solidify laws against voice
communication loopholes and computer abuse also his efforts to prevent hacking and to increase
communication and computer security. The idea of social engineering he created and perfected in
some ways has now come under highlight as, by informing users about the way to obtain privileged
information, after which public becomes a little safer. In ways he has turned into one of everybodys
reliable safeguard against the type of actions that he himself committed. After his release from prison
and completing his probationary period, he has started using his hacker skills for the public good. He
has helped co-author books on security (The Art of Deception and The Art of Intrusion), and founded
a security consulting company.
PGP
PGP( Pretty Good Privacy) is an internet standard for data encryption and digital signatures. In
conventional encryption, a secret key is used to transform a plaintext or so called the unencrypted
data into unreadable ciphertext. The same key is also used to decrypt the ciphertext and reveal the
plaintext. [7]
PGP makes use of public-key encryption. One key (a public key) is used to encrypt the data and a
separate key (the private key) is used to decrypt it. At initial process user will generate a new publicprivate key pair and share the public key with others so that they can send the user encrypted
messages or files, while keeping own private key secret so that user can decrypt the data .
The working process can be described as:
When a user encrypts (plaintext) with PGP, PGP initially compresses the plaintext and creates a
session key, which is a single-time-only secret key. It is a random number generated from the random
movements of user mouse pointer and the keystrokes typed at the moment. The session key works
with a very secure encryption algorithm to encrypt the plaintext; and the end result is (ciphertext).
After the data is encrypted, the session key is then encrypted to intended recipient's public key. This
public key-encrypted session key is then transmitted to the recipient along with the cipher text. [8]
The Decryption works in reverse manner. The recipient's copy of PGP uses his or her private key to
recover the temporary session key, which PGP then uses to decrypt the encrypted ciphertext .[8]
PGP comes in two public key versions
1.
Rivest-Shamir-Adleman (RSA)
Uses the IDEA algorithm to generate a short key for the entire message and then RSA to
encrypt the short key.
2.
Diffie-Hellman.
E - Security
�It uses the CAST algorithm to encrypt the message and then the Diffie-Hellman algorithm to
encrypt the short key.
For digital signatures, PGP uses an algorithm that generates a hash from the user's name and other
signature information. This hash code is then encrypted with the sender's private key. The end user
uses the sender's public key to decrypt the hash code. If it matches the hash code sent as the digital
signature for the message, then the receiver is sure that the message is secure and meant for sender.
PGP's RSA version uses the MD5 algorithm to generate the hash code. PGP's Diffie-Hellman version
uses the SHA-1 algorithm to generate the hash code. [9]
IS PGP REALLY SECURE?
Depends on users. Yes, it is secure against most attackers when used on a physically secure system
as per its instructions. That is using a strong passphrase to protect your private keys and keeping
your passphrase and private keys truly private. You must never run or run being an administrator any
untrustworthy software (including viruses, worms, and Trojan horses) which might send your
passphrase keystrokes and your PGP key file back to some hacker or cracker.
If somebody has access to your computer it is not hard to install a hardware or software keystroke
logger which can capture your passphrase, and to copy your private keyring. After getting the
combination, any of your PGP-encrypted messages can be read. Also PGP is not secure if you don't
understand what you are doing as you might be exploiting rather than securing. [10]
Generating and using Public key with Email Encryption in Window 8 with Symantec Encryption
Window.
1. Provide general information.
2.Check for Setting if any needed under Advance Setting.
E - Security
�3. Provide your passphrase or password to Encrypt.
3. After your public key is generated, select the file you want to encrypt.
E - Security
�4. Select your signature for the encrypted file.
E - Security
�6.If you need to send your public key to other , select the option which uses default messaging
application to send mail.
E - Security
�Difference in Mail using PGP sign and without.
1. The message body cannot be read as its hash function.
E - Security
�References
[1] Ahmed Hussein, Applying NSTISSC Security Model on Using Web Content
Management Systems, Arabic Academy for Financial and Banking Sciences, 6th Annual
Security Conference, April 11-12, 2007
[2] http://dc429.4shared.com/doc/CIBiou10/preview.html
[3] http://www.forbes.com/sites/singularity/2013/04/11/kevin-mitnick-the-hackinghamburglar/
[4] "A convicted hacker debunks some myths." CNN.com. 13 Oct 2005.
www.cnn.com/2005/TECH/internet/10/07/kevin.mitnick.cnna/index.html
[5] http://woz.cs.duke.edu/~rachel/assignments_casestudy.html
[6] COMPUTER CRACKING: The case of Kevin Mitnick, Johnson, Laura . Forensic
Examiner; Fall 2010, Vol. 19 Issue 3, p22
[7] http://www.bitcoinnotbombs.com/beginners-guide-to-pgp/
[8] http://users.ece.cmu.edu/~adrian/630-f04/PGP-intro.html#p10
[9] http://searchsecurity.techtarget.com/definition/Pretty-Good-Privacy
[10] http://cryptography.org/getpgp.htm , Michael Paul Johnson
E - Security
