1.

BACKGROUND

1.1 Purpose

In this report, we shall describe the organizational security structure, the cryptographic safeguards for our assets, the kinds of known

attacks against those defenses, and countermeasures. I protect our proprietary information and intellectual property as the enterprise

security architect for our semiconductor manufacturing company. To do this, we have put in place a thorough security architecture

comprising several different cryptographic techniques for safeguarding our assets.

1.2 Company

1. Description of Company

The security architecture of our company is a thorough system created to safeguard our proprietary information, sensitive data, and

vital infrastructure. The design has access control systems that guarantee that only authorized workers can access sensitive data and several

cryptographic safeguards for our assets. Our security architecture's usage of powerful encryption techniques is one of its main pillars.

2. IT SYSTEM SECURITY AND VULNERABILITY (Step 1)

2.1 System Threats/Attacks and Potential Vulnerabilities

We use encryption techniques to protect data while it is in transit and at rest. Advanced Encryption Standard (AES) and Triple Data

Encryption Standard are two examples of encryption algorithms that safeguard data while it is at rest (3DES). We encrypt data in transit

Page 1 of 19
using Secure Sockets Layer (SSL) and Transport Layer Security (TLS) as it moves across the network. Our access control programs are a

crucial component of our security architecture.

We use multi-factor authentication (MFA) in addition to RBAC to strengthen the security of our access control systems. To access

sensitive data, employees must submit something they know, like a password, and something they have, like a security token. We also

have a complete incident response plan explaining the procedures to be done in case of a security breach. The plan includes procedures for

identifying, containing, and resolving security events.

3. PROTECTION MECHANISMS1

[Be sure to include significant findings from your lab experience. Full documentation of your lab work should be placed in the Appendix

or in a separate Word file.]

3.1 Information protection

Administration of identification

We combine a username and password to identify users and give access to our systems. Passwords must contain a mixture of

upper- and lowercase letters, digits, and special characters and must be at least 8 characters long. Moreover, passwords must be reset every

90 days. We also use MFA, which requires users to submit something they have (like a security token) and something they know (like a

password) in order to access sensitive data.

1
Include key results from all lab testing and tools used. Provide details including screenshots, answers to questions, analyses, etc. in the Lab Report in the Appendix or
as a separate Word file.
Page 2 of 19
Access Control

To control who has access to our systems and data, our company uses RBAC. Each employee is given a certain role, establishing

the scope of their access to various sorts of data. Access restrictions are put in place on our network devices, servers, and apps to ensure

that only authorized individuals can access sensitive data. Additionally, access is limited based on the user's location, with some data only

being available from within our corporate network.

Authorization Control

The process of deciding which actions users are permitted to take within a system or application is known as authorization

management. RBAC is used by our company to control authorization. Users are given the authority to carry out particular actions

depending on their allocated role. Our network devices, servers, and apps all have authorization rules in place to guarantee that only

authorized users can carry out particular operations on our systems.

Overall, these security procedures ensure that our systems and data are shielded from unauthorized access and that only authorized

individuals can enter our systems and do actions there. We continually examine and update these processes to keep ahead of potential

threats and maintain a strong security posture. Some of the cryptography techniques employed by our company include the following:

Encryption-To prevent unauthorized access, encryption involves turning plaintext data into ciphertext. Our business uses powerful

encryption algorithms like AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman) to protect our sensitive data at rest

and in transit. To keep data secure, it is encrypted using a combination of symmetric and asymmetric encryption methods.

The process of turning plaintext data into a fixed-length, a one-of-a-kind string of characters is known as hashing. In our company,

Page 3 of 19
hashing is utilized to check the accuracy of the data. To create hashes of our data, we use cryptographic hash functions like SHA-256

(Secure Hash Algorithm 256-bit) and MD5 (Message Digest 5). Digital signatures are used to guarantee the integrity and authenticity of

digital documents.

3.2 Encryption Technologies (Step 3) [Create a table showing the different encryption technologies, each technology’s benefits and

risks/“cost” and your recommendation for your company.]

Encryption Technology and

Benefits Risks/“Costs” Recommendations
Description

Our company uses To guarantee the confidentiality

strong encryption algorithms to and integrity of our sensitive

protect the confidentiality and data, our company combines

integrity of our sensitive data. symmetric and asymmetric

Advanced Encryption Standard encryption algorithms. For

(AES) and Rivest-Shamir- instance, we utilize RSA to

Adleman (RSA) are two securely exchange keys with our

Page 4 of 19
encryption algorithms that are

frequently utilized in our firm. business partners and AES to

AES is a symmetric encryption encrypt data at rest on our

technique that encrypts and servers. Additionally, we use key

decrypts data using a single key management practices to

(Daimi et al.,018). Because of guarantee the safety of our

its power, effectiveness, and encryption keys. Strong, random

simplicity of usage, it is now number generators are used to

the encryption method that is create keys kept in safe key

most extensively used vaults.

worldwide.

AES may encrypt data

using several key sizes, such as

128-bit, 192-bit, and 256-bit.On

the other hand, RSA is an

asymmetric encryption method

Page 5 of 19
that encrypts and decrypts data

using both public and private

keys. For key exchange and

digital signatures, RSA is

frequently employed since it

offers more security than

symmetric encryption

techniques. Several key sizes,

such as 2048-bit, 3072-bit, and

4096-bit, can be used by RSA

to encrypt data.

3.3 Data Hiding Technologies (Step 3) [Create a table showing the different data hiding technologies, each technology’s benefits and

Page 6 of 19
 risks/“cost” and your recommendation for your company.]

Data Hiding Technology and

Benefits Risks/“Costs” Recommendations
Description

In order to guarantee the security of our encryption techniques, effective key management is essential. Our organization's

comprehensive key management plan includes key production, storage, distribution, rotation, and revocation. To ensure that keys are

unpredictable and secure, powerful random number generators are used to create them. Second, keys are kept in safe, audited key vaults

with strong access controls. We also implement multi-factor authentication measures to prevent unwanted access to our key vaults.

Thirdly, authorized users, including staff members and commercial partners, are given secure access to keys through secure

channels. We make sure that keys are delivered securely across the network by utilizing cryptographic methods like Transport Layer

Security (TLS). Fourthly, keys are routinely rotated to lessen the effects of a compromised key. We normally change keys every several

months depending on how sensitive the data being encrypted is.

The last step is revoking keys when they are no longer required or when there is a suspicion of fraud. To prevent the usage of

compromised keys, we keep a revocation list that is periodically updated and provided to authorized users. In general, our key management

Page 7 of 19
strategy aims to protect the integrity and security of our sensitive data. We can reduce the danger of a data breach and ensure our

encryption algorithms are secure by implementing strong key management policies.

Attacks using a brute-force strategy include the attacker trying every key until the right one is discovered. This is only conceivable

if the keyspace is small enough to make it viable to try every possible key. Dictionary attacks- A dictionary is a pre-generated collection of

potential keys an attacker can use to guess the right key. If the key is unreliable or the attacker is familiar with the encryption technique,

this kind of attack may succeed.

Attacks are where the attacker sits in the middle of a conversation between two participants and decrypts or modifies the transferred

data. Secure communication channels and robust authentication procedures can stop this kind of assault. Side-channel attacks- In this kind

of attack, the attacker takes advantage of flaws in how the encryption method is used to extract the key, such as by monitoring power usage

or electromagnetic radiation. Using safe hardware and software implementations of the encryption method will thwart this kind of attack.

Attacks using cryptanalysis: In this kind of attack, the attacker examines the encryption algorithm to look for vulnerabilities that

can be used to crack the encryption. The use of proven and tested encryption techniques can thwart this kind of attack. Attacks involving

social engineering: In these types of assaults, the attacker manipulates people's minds to coerce them into disclosing their passwords or

other private information.

We must be aware of the many threat actors who may target our organization as a company engaged in the semiconductor

manufacturing sector. These are a few instances:

Cybercriminals are people or organizations that infiltrate our networks and steal sensitive data by using malicious software, such as

Page 8 of 19
malware or ransomware. Cybercriminals could be driven by a desire for monetary gain or to interfere with our activities.

Attackers who are state-sponsored-These are organizations or people who work for foreign governments and may attempt to steal

our confidential information or intellectual property to advance their political or economic agendas. Hacktivists are people or organizations

with political or social motivations who may try to obstruct our operations or steal private data to achieve their goals. To accomplish their

objectives, hacktivists may employ a range of strategies, including social engineering and distributed denial of service (DDoS) attacks.

Competitors: These are other businesses in the semiconductor manufacturing sector that might try to steal our confidential data or

other intellectual property in order to obtain a competitive edge. Examining the techniques attackers use to undermine our security.

There are numerous ways that attackers could undermine our security. Here are a few typical approaches:

Phishing- Attackers may deceive employees into supplying login passwords or other sensitive information through phishing emails

or messages. These communications may include a link to a phony website that looks official and pretend to be from a reliable source,

such as a bank or a vendor. Malware- To infect our systems, steal sensitive data, or interfere with our operations, attackers may utilize

malware, such as viruses or trojans. Malicious websites, email attachments, and other channels can all be used to spread malware.

Attackers may try to guess passwords using brute force, dictionary attacks, or stolen passwords to access our systems. To obtain

credentials, they might also try to take advantage of password storage or transmission flaws. Physical security breaches- Attackers may

enter our buildings or systems physically to steal sensitive information or install malware. They might also try to steal gadgets with

important data, including computers or smartphones.

Role-based access controls, multi-factor authentication, and strong passwords are a few examples of access controls that can be

Page 9 of 19
implemented to prevent unauthorized access to our systems and data. This may entail restricting access to sensitive information and

systems to only staff who require it to carry out their duties. Network security- By putting firewalls, intrusion detection and prevention

systems, and network segmentation into place, you can help stop unwanted access and spot possible assaults.

4. NETWORK SECURITY SUMMARY (Step 4)

[Note that the table summarizes the findings by each row relating columns 2 and 3 with the specific asset in column 1.]

Threats and
IT System Assets Security Mechanisms to Address Threats and
Vulnerabilities
(from Section 1.3) Vulnerabilities (from Section 2.2 item 2 and Section 3)
(from Section 2.1 item 2)

Endpoint security software- Frequent security awareness training- Regular security

Endpoint protection software can awareness training can teach all staff how to recognize and

assist in defending our endpoints, report potential security issues and enhance awareness of

such as laptops and desktops, potential security dangers. Robust password policies can help

from potential dangers. Examples prevent unauthorized access to our systems and data by

of such software include antivirus requiring complicated passwords that are updated on a

and anti-malware programs regular basis. Planning for disaster recovery and routine

(Ciampi 2022). Firewall- By backups- We may increase the likelihood of swiftly

Page 10 of 19
monitoring and regulating recovering from a security event or data loss by regularly

network traffic, a firewall can backing up our data and putting a disaster recovery strategy

prevent unauthorized access to in place.

our network and systems.

Intrusion detection and prevention

systems (IDPS)- By observing

network traffic and spotting

unusual activity, IDPS can assist

in detecting and preventing

possible attacks.

Least privilege access- Putting the least privilege

access principle into practice can help reduce the risk of

unauthorized access and limit the possible harm caused by an

account being hacked. Frequent security testing and

assessments- Regular testing and evaluating our security

Page 11 of 19
 measures can help us find potential flaws and vulnerabilities

in our processes and systems.

5. ACCESS CONTROL BASED ON COMMON ACCESS CARDS (CAC) (Step 5)

5.1 Common Access Cards (CAC) Cryptographic Solutions for CAC

For information security professionals, we will outline the Common Access Card (CAC) implementation, deployment, and encryption

methods in this study. The U.S. Department of Defense uses the Common Access Card (CAC), a specific kind of smart card, to manage

access to protected locations and information systems. Several businesses have used CACs more frequently in recent years to increase
Page 12 of 19
security and regulate access to confidential information.

We will give a summary of our organization's CAC deployment and implementation plan in this report. We will also review the encryption

technique employed to guarantee the confidentiality and integrity of our systems and data. We may greatly enhance our security posture

and shield our sensitive data from unwanted access and potential threats by adopting CACs and utilizing powerful encryption techniques.

This research will provide helpful insights for information security professionals looking to strengthen their organizations' security.

The U.S. Department of Defense (DoD) uses a smart card called a Common Access Card (CAC) to manage access to protected

locations and information systems. A microprocessor chip found inside the CAC stores and processes data, including sensitive personal

data, digital certificates, and cryptographic keys.

The CAC is a versatile card that may be used as an authentication tool as well as an identification card. It is utilized to confirm the

cardholder's identification and grant access to secure locations and information systems. The DoD's security architecture relies heavily on

the CAC, which is utilized widely across the company. Beyond the DoD, other federal agencies and businesses seeking to improve their

security posture are also using it.

CACs are extremely secure and are built to withstand forging and tampering. They use sophisticated cryptographic algorithms to

guarantee the privacy, accuracy, and integrity of the data contained on the card. The CAC is useful for restricting access to facilities and

sensitive data. Its use to enhance security and regulate access to sensitive information has grown in popularity in different industries.

5.2 Identity Management and CAC

Page 13 of 19
Improved Security- Using a CAC for access control and identification gives a higher level of security than older techniques such as

passwords or PINs. A microprocessor chip found inside the CAC stores and processes data, including sensitive personal data, digital

certificates, and cryptographic keys (Abu-Faraj 2021). Thanks to this cutting-edge technology, unauthorized individuals find it challenging

to access secure locations and information systems.

Enhanced Identity Verification- The CAC acts as both an identification card and an authentication device, making verifying the

cardholder's identity easier. This decreases the danger of identity fraud, which is a significant problem with traditional authentication

techniques such as passwords or PINs.

Improved Access Control- The CAC can be used to restrict access to a range of resources, including physical locations, computer

networks, and confidential information. This makes it possible for organizations to better and more effectively manage access to these

resources.

5.3 CAC Deployment Strategy

Many obstacles and circumstances must be carefully considered for the CAC deployment to be successful. The cost of implementation,

which can be high, especially for large enterprises, is one of the difficulties. This covers the price of purchasing the tools, instruction, and

software needed to deploy and maintain the CAC system. Another factor is the requirement for interoperability between the CAC system

and other security systems inside the enterprise. Integration with other identity and access management systems, network architecture, and

security protocols may be necessary.

Page 14 of 19
It can be difficult to ensure user uptake and compliance because consumers may object to implementing additional security measures or

find CAC difficult to use. As a result, user assistance and training are crucial for a successful CAC deployment. To ensure compliance with

rules and standards, there may be legal and regulatory compliance requirements for using CAC in particular areas, including healthcare or

banking.

Key Generation- To ensure proper security, keys must be generated with a secure technique long enough. The keys should be created in a

safe area and kept away from prying eyes. Key Distribution-Only authorized individuals should receive the keys, which should be done

safely. Secure communication channels, such as secure email or secure file transfer protocols, can be used to accomplish this. Key

Revocation- If there is a possibility of compromise or the staff with access to the keys is no longer authorized, the keys should be

immediately revoked. This ensures that stolen keys cannot be utilized to access the company's resources.

6. SECURE EMAIL STRATEGY (Step 6)

1.1 Importance of Email Security

In the age of modern technology, email security is crucial since it has replaced other forms of communication as the most popular means of

personal and business correspondence. Emails may include sensitive information like login credentials, private data, financial data, or

secret corporate knowledge. If this information is misused, it may result in financial fraud, business espionage, or identity theft. Email

security guarantees the privacy, availability, and integrity of messages sent via email. When a message is considered confidential, it can

only be read by persons who have been given permission to do so, and it is also considered to be intact and available Cryptography,

Page 15 of 19
electronic signatures, spam detection, antivirus programs, firewalls, and training for staff are a few examples of email security methods.

These precautions defend against various email risks, including phishing scams, viruses, spam, and unapproved access.

1.2 Authentication

Public-private key pairing is a frequent way for email senders to prove they are who they say they are. In this technique, the person who

sends it verifies the email using a private key, and the recipient checks the signature with the associated public key that was provided. This

process makes sure that the email is coming from the person who said they sent it and that it hasn't been changed on the way.

The sender makes a pair of keys, with one being private and the other being public. The private key is kept secret and should never be

given to anyone else. On the other hand, the public key is given to anyone who needs to check the signature. When an email arrives, the

sender uses a secret key to sign the message electronically. This digital signature and the sender's public key are added to the email header.

The person who gets the email can use the sender's public key to check the verification and make sure the email is real.

1.3 Non-Repudiation

Non-repudiation means that a person or group can't say that the interaction or exchange they were a part of isn't real or isn't true. It is a

security characteristic that ensures the person who sent a message or took part in a transaction can't afterward say they didn't send the

message or take part in the transaction.

Non-repudiation can be achieved in information security by using electronic signatures and other encryption methods. Digital signs are

Page 16 of 19
used to "stamp" a message or document with a digital "stamp" that can be checked to make sure the message or document hasn't been

changed since it was signed and that it was verified by the person who says it was sent it. The principle of non- is especially crucial in

internet sales and other digital transactions, where it is important to make sure that all participants may be held accountable for their

conduct. Without not repudiating, a party could say they didn't send a message or give permission for a transaction, which could lead to

disagreements and even deception.

1.4 Integrity

As a component of our organization's resources, there are things like proprietary information, financial data, and confidential data that are

sensitive. Cyberattacks, phishing attacks, and illicit access from inside and outside the company are the greatest risks to these assets. Some

examples of weaknesses are old software, weak passwords, and not using encryption.

Strong Encryption Email

Benefits Risks/“Costs” Recommendations
Technologies and Description

Page 17 of 19
 1.5 Email Encryption Strategy

We will put in place the following safety precautions to safeguard against the dangers and vulnerabilities we've found, Two-factor

authentication (2FA): To stop illegal access to email, all staff members and subcontractors will have to take advantage of 2FA. Privacy

policy: We will set up a system of passwords that says all email accounts must have complicated passwords that are often changed. Email

encryption: We'll utilize the Pretty Good Privacy (PGP) protocol to keep sensitive information from being read by people who shouldn't be

able to.

7. SUMMARY OF REFERENCES

Abu-Faraj, M. A. M., & Alqadi, Z. A. (2021). Improving the efficiency and scalability of standard methods for data cryptography.

International Journal of Computer Science & Network Security, 21(12spc), 451-458.

https://www.koreascience.or.kr/article/JAKO202108038320106.page

Ciampi, M., Romano, D., & Schmid, G. (2022). Process Authentication through Blockchain: Three Case Studies. Cryptography 2022, 6,

58. https://www.academia.edu/download/95867876/pdf.pdf

Daimi, K., Francia, G., Ertaul, L., Encinas, L. H., & El-sheikh, E. (Eds.). (2018). Computer and network security essentials. Springer.

Page 18 of 19
 https://link.springer.com/book/10.1007/978-3-319-58424-9

APPENDIX

[Place your lab report and screenshots here or in a separate Word file.

The lab is to be treated as your specific testing and checking out of your company critical information systems and the topics you are

writing about. It is not a theoretical exercise. Nor is it independent of and separate from our topic and scenario. Provide screenshots of the

tools and results from your lab experiences, as well as answer any lab questions. Many students take the lab directions, eliminate

everything but the section headings and questions and in each section write down what was asked for, what the results would show, how

they relate to a topic in the main report, enter the screenshots obtained and point to or write out the specific key data result(s) in the

screenshot.

Your specific insights, comparisons and results from the analysis of the lab data should be identified and used in the report and tables,

above.

Note: A great tool for capturing your screenshots from the lab is MS SnipIt which I believe comes installed on MS Windows computers.]

Page 19 of 19