
Itnas - Endterm Reviewer

The document provides an overview of cryptography, detailing its history, terminology, and the components of a cryptosystem, including plaintext, ciphertext, and encryption algorithms. It discusses various types of attacks on cryptosystems, such as passive and active attacks, and introduces key concepts like confidentiality, data integrity, and non-repudiation. Additionally, it covers metrics and trends in information security, emphasizing the importance of measuring performance and compliance to enhance security measures.

INFORMATION ASSURANCE AND SECURITY | 1ST SEMESTER | ENDTERM

CRYPTOGRAPHY

Origin of Cryptography
Human beings have for ages had two inherent needs:
a) To communicate and share information, and
b) To communicate selectively.

CRYPTOGRAPHY
• Original meaning: the art of secret writing
• Send information in a way that prevents others from reading it
• Process data into unintelligible form, reversible, without data loss
• The art and science of concealing the messages to introduce secrecy in information security.

In Cryptography, the meaning of the message is hidden.
• Kryptos = “hidden” in Greek

Historically, and also today, encryption involves
• Transposition of letters
  • Sparta’s scytale is the first cryptographic device (5th Century BC) - Message written on a leather strip, which is then unwound to scramble the message
• Substitution
  • Cipher – replace letters
  • Code – replace words

SOME BASIC TERMINOLOGY
• Plaintext - original message
• Ciphertext - coded message
• Cipher - algorithm for transforming plaintext to ciphertext
• Key - info used in cipher known only to sender/receiver
• Encipher (encrypt) - converting plaintext to ciphertext
• Decipher (decrypt) - recovering ciphertext from plaintext
• Cryptography - study of encryption principles/methods
• Cryptanalysis (codebreaking) - study of principles/methods of deciphering ciphertext without knowing key

EARLIER CRYPTOGRAPHIC SYSTEMS

MONOALPHABETIC CIPHERS
• Caesar Shift Cipher
Each letter substituted by shifting n=3 places
EXAMPLE
HADPSOH

Security Value:
Caesar Cipher is not a secure cryptosystem because there are only 26 possible keys to try out. An attacker can carry out an exhaustive key search with available limited computing resources.

Monoalphabetic Ciphers
• Jefferson wheel implementation
• Set the message across the wheels
• Select another line (at random) as cipher

CONTEXT OF CRYPTOGRAPHY
Cryptology, the study of cryptosystems, can be subdivided into two branches −
• Cryptography
• Cryptanalysis

What is Cryptography?
• Is the art and science of making a cryptosystem that is capable of providing information security.
• Deals with the actual securing of digital data.

Cryptosystem: A system which converts plain text to cipher text or cipher text to plain text by the application of an encryption or decryption algorithm.

CRYPTOSYSTEM MODEL
• The illustration shows a sender who wants to transfer some sensitive data to a receiver in such a way that any party intercepting or eavesdropping on the communication channel cannot extract the data.
• The objective of this simple cryptosystem is that at the end of the process, only the sender and the receiver will know the plaintext.

Components of a Cryptosystem
• Plaintext. It is the data to be protected during transmission.
• Encryption Algorithm. It is a mathematical process that produces a ciphertext for any given plaintext and encryption key. It is a cryptographic algorithm that takes plaintext and an encryption key as input and produces a ciphertext.
• Ciphertext. It is the scrambled version of the plaintext produced by the encryption algorithm using a specific encryption key. The ciphertext is not guarded. It flows on a public channel. It can be intercepted or compromised by anyone who has access to the communication channel.
• Decryption Algorithm. It is a mathematical process that produces a unique plaintext for any given ciphertext and decryption key. It is a cryptographic algorithm that takes a ciphertext and a decryption key as input, and outputs a plaintext.


• Encryption Key. It is a value that is known to the sender.
• Decryption Key. It is a value that is known to the receiver.

CATEGORIES OF CRYPTOGRAPHY

What is the Goal?
• Confidentiality: the information in a message is accessible only to authorized parties. It is sometimes referred to as privacy or secrecy.
• Authentication: the receiver of a message can ascertain its origin.
• Data Integrity: It is a security service that deals with identifying any alteration to the data. The data may get modified by an unauthorized entity intentionally or accidentally. Therefore, modification to a message can be detected.
• Non-repudiation: a sender cannot falsely deny originating the message.
Note that we’ve stated these goals in terms of data in transit; they also apply to data at rest.

Attacks on Cryptosystems

PASSIVE ATTACKS
• The main goal of a passive attack is to obtain unauthorized access to the information.
• For example, actions such as intercepting and eavesdropping on the communication channel can be regarded as passive attacks.
• These actions are passive in nature, as they neither affect information nor disrupt the communication channel. A passive attack is often seen as stealing information. The only difference between stealing physical goods and stealing information is that theft of data still leaves the owner in possession of that data. A passive information attack is thus more dangerous than stealing of goods, as information theft may go unnoticed by the owner.

Active Attacks


• An active attack involves changing the information in some way by conducting some process on the information.
• For example, modifying the information in an unauthorized manner.
• Initiating unintended or unauthorized transmission of information.
• Alteration of authentication data such as originator name or timestamp associated with information.
• Unauthorized deletion of data.
• Denial of access to information for legitimate users (denial of service).

Cryptanalysis
Attacks on an encryption algorithm can be classified according to what information is available to the attacker.

• Ciphertext-only attack (COA): available is only the ciphertext of several messages encrypted with the same key/algorithm.
• Known plaintext attack (KPA): available is a quantity of ciphertext and corresponding plaintext.
• Chosen plaintext attack (CPA): cryptanalyst can control the plain text to be encrypted and see the resulting ciphertext.
• Brute Force Attack (BFA) − In this method, the attacker tries to determine the key by attempting all possible keys.
• Chosen key attack: cryptanalyst has knowledge of the relationship among different keys.
• Rubber-hose cryptanalysis: breaking cipher through threats, blackmail, or torture.

SYMMETRIC-KEY CRYPTOGRAPHY
Symmetric-key cryptography started thousands of years ago when people needed to exchange secrets (for example, in a war). We still mainly use symmetric-key cryptography in our network security.

The following shows a plaintext and its corresponding ciphertext. Is the cipher monoalphabetic?

Solution
The cipher is probably monoalphabetic because both occurrences of L’s are encrypted as O’s.

The following shows a plaintext and its corresponding ciphertext. Is the cipher monoalphabetic?

Solution
The cipher is not monoalphabetic because each occurrence of L is encrypted by a different character. The first L is encrypted as N; the second as Z.

Plain text to Cipher text:
Use the shift cipher with key = 15 to encrypt the message “HELLO.”

Solution


We encrypt one character at a time. Each character is shifted 15 characters down. Letter H is encrypted to W. Letter E is encrypted to T. The first L is encrypted to A. The second L is also encrypted to A. And O is encrypted to D. The cipher text is WTAAD.

The shift cipher is sometimes referred to as the Caesar cipher.
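The shift-cipher exercise above, together with the earlier points about exhaustive key search and the monoalphabetic test, as an added example that is not part of the original reviewer. The function names are chosen here for illustration, and the ciphertext "ABNZF" is a constructed sample in which the two L's map to N and Z.

```python
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift every letter `key` places down the alphabet, wrapping mod 26."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is a shift by the additive inverse of the key."""
    return shift_encrypt(ciphertext, -key)


def exhaustive_key_search(ciphertext: str) -> dict[int, str]:
    """Candidate plaintext for each of the 26 keys.

    The key space is so small that listing every candidate is instant,
    which is why the shift cipher offers no real confidentiality.
    """
    return {key: shift_decrypt(ciphertext, key) for key in range(26)}


def is_monoalphabetic(plaintext: str, ciphertext: str) -> bool:
    """True if the pair is consistent with a one-to-one letter substitution.

    Every plaintext letter must always map to the same ciphertext letter,
    and no two plaintext letters may share a ciphertext letter.
    """
    forward, backward = {}, {}
    for p, c in zip(plaintext.upper(), ciphertext.upper()):
        if forward.setdefault(p, c) != c or backward.setdefault(c, p) != p:
            return False
    return True


if __name__ == "__main__":
    ct = shift_encrypt("HELLO", 15)
    print("HELLO with key 15 ->", ct)
    for key, candidate in exhaustive_key_search(ct).items():
        print(f"key={key:2d}  {candidate}")
    # Both L's map to the same letter: consistent with monoalphabetic.
    print(is_monoalphabetic("HELLO", shift_encrypt("HELLO", 3)))
    # Constructed pair where the two L's map to N and Z: not monoalphabetic.
    print(is_monoalphabetic("HELLO", "ABNZF"))
```
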

TRANSPOSITION CIPHER

• A transposition cipher reorders (permutes) symbols in a block of symbols.

EXAMPLES
Encrypt the message “HELLO MY DEAR,” using the key shown in Transposition cipher.

Solution
We first remove the spaces in the message. We then divide the text into blocks of four characters. We add a bogus character Z at the end of the third block. The result is HELL OMYD EARZ. We create a three-block ciphertext ELHLMDOYAZER.

Using the example, decrypt the message “ELHLMDOYAZER”.

Solution
The result is HELL OMYD EARZ. After removing the bogus character and combining the characters, we get the original message “HELLO MY DEAR.”
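The transposition exercise above as an added example, not part of the original reviewer. The key figure did not survive on this page, so the permutation is inferred here from the worked block OMYD → MDOY; the function names and the zero-based key representation are assumptions of this sketch.

```python
def infer_key(plain_block: str, cipher_block: str) -> tuple[int, ...]:
    """Recover the block permutation from one plaintext/ciphertext block pair.

    key[i] is the plaintext position that supplies ciphertext position i.
    The block must contain distinct characters, otherwise the mapping is
    ambiguous (HELL -> ELHL cannot tell the two L's apart).
    """
    if len(set(plain_block)) != len(plain_block):
        raise ValueError("block must consist of distinct characters")
    if sorted(plain_block) != sorted(cipher_block):
        raise ValueError("ciphertext block is not a permutation of the plaintext block")
    return tuple(plain_block.index(ch) for ch in cipher_block)


def transpose_encrypt(message: str, key: tuple[int, ...], pad: str = "Z") -> str:
    """Remove spaces, pad the last block with the bogus character, permute each block."""
    text = "".join(message.upper().split())
    text += pad * (-len(text) % len(key))
    blocks = [text[i:i + len(key)] for i in range(0, len(text), len(key))]
    return "".join("".join(block[k] for k in key) for block in blocks)


def transpose_decrypt(ciphertext: str, key: tuple[int, ...]) -> str:
    """Apply the inverse permutation to every block (padding is left in place)."""
    if len(ciphertext) % len(key):
        raise ValueError("ciphertext length must be a multiple of the block size")
    out = []
    for i in range(0, len(ciphertext), len(key)):
        block = ciphertext[i:i + len(key)]
        plain = [""] * len(key)
        for pos, k in enumerate(key):
            plain[k] = block[pos]  # ciphertext position pos came from plaintext position k
        out.append("".join(plain))
    return "".join(out)


# Key inferred from the worked example on this page (assumption: the missing
# figure showed this same permutation).
KEY = infer_key("OMYD", "MDOY")

if __name__ == "__main__":
    ct = transpose_encrypt("HELLO MY DEAR", KEY)
    print("key       :", KEY)
    print("ciphertext:", ct)
    recovered = transpose_decrypt(ct, KEY)
    # Stripping a trailing Z is only safe when the message itself does not end
    # in Z; the receiver has to know the padding convention.
    print("plaintext :", recovered.rstrip("Z"))
```
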


METRICS AND TRENDS

TERMS

• Metric: a proposed measure or unit of measure that is designed to facilitate decision making and improve the performance and accountability through collection, analysis, and reporting of relevant data.

• Measurement: process by which numbers or symbols are assigned to entities in the real world in such a way as to describe them according to clearly defined rules. The comparison of a property of an object to a similar property of a standard reference.

• Primitive: data relating to the development or use of software that is used in developing measures of quantitative descriptions of software. Primitives are directly measurable or countable. Examples include error, fault, failure, time interval, date, and number of an item.

Why Metrics and Trends Matter in Information Security

• Metrics help quantify performance and guide decisions. (They provide measurable data or indicators that enable organizations to evaluate how well they are achieving their goals, identifying areas of improvement based on factual evidence.)
• Quantifying Performance: Metrics give a numerical representation of key processes or outcomes. Example: Mean Time to Detect (MTTD) is a metric that shows how quickly security teams identify potential threats. A lower MTTD indicates better performance. This quantification allows organizations to compare their performance over time, against benchmarks, or against industry standards.
• Trends reveal evolving threats and emerging technologies.

Understanding Metrics
• Definition:
  Quantifiable measures that track the effectiveness of security controls and processes.

• Purpose:
  Evaluate performance.
  Support compliance and reporting.
  Improve decision-making.

• Examples:
  Mean time to detect (MTTD).
  Percentage of patched systems.

Characteristics of Effective/Good Metrics

SMART Criteria:
• Specific: Clearly defined and focused.
• Measurable: Quantifiable data.
• Achievable: Realistic within available resources.
• Relevant: Tied to organizational goals.
• Time-bound: Collected over a defined period.

• Actionable Insight: Metrics should guide action, not just report data.

Example: "Average time to resolve a security incident within 48 hours."

Key Metrics in Information Security: types

Operational Metrics:


Number of incidents detected per month.
Average time to resolve incidents.

Compliance Metrics:
Percentage of systems passing audits.
Adherence to security policies.

Risk Metrics:
Probability of data breaches.
Number of vulnerabilities by severity.

Metrics for IA
The goal of security metrics is to provide the information an organization needs to prevent attack by establishing a quantitative basis for measuring security.

According to Herrmann, there are three major types of security/privacy metrics:

1. Compliance metrics: measure compliance with current security and privacy regulations and standards.
2. Resilience metrics: measure the resilience of controls relating to physical security, personnel security, IT security, and operational security both before and after a product, system or network is deployed.
3. Return on investment (ROI) metrics: measure the ROI in physical, personnel, IT, and operational security controls to guide capital investment.

Goals for Metric
Metrics should provide a means for comparison:
• Between alternatives
• Change over time
• Relative to others: “benchmarking” an organization

Metrics and process-based measures together allow organizations to compare themselves to others. The difference between an organization and others is a “performance gap”.

• Best practices are often cited as general recommendations.
  • Gold standards are the best possible practices.
  • Best current practices (BCP) are often recommended based on current technology or environments.
• Standard of due care: what any organization would do in similar circumstances.
• Due diligence is the process by which an organization ensures standards provide adequate protections.

Using Metrics

STRIDE
STRIDE is a threat classification system designed by Microsoft. It does not attempt to rank or prioritize vulnerabilities, only to classify them:
• Spoofing
• Tampering
• Repudiation
• Information Disclosure
• Denial of Service
• Elevation of Privilege
Many vulnerabilities may cross boundaries and some are “threshold attacks” that lead to others.

IIMF
The IIMF model classifies potential vulnerabilities according to four categories:
• Interception
• Interruption
• Modification
• Fabrication

CIA
CIA classifies potential vulnerabilities according to violations on the traits we want a system to have:
• Confidentiality
• Integrity
• Availability


Some groups (notably NSA) add two more high level security goals to derive CIA-AN:
• Authenticity
• Nonrepudiation

DREAD
DREAD is another system from Microsoft. Unlike STRIDE, it not only classifies potential threats, but also ranks them. Compute 5 potential subscores for each vulnerability (scale 1..10), one for each of:
• Damage potential
• Reproducibility (or Reliability)
• Exploitability
• Affected users
• Discoverability
Add scores together and divide by 5 to get an overall DREAD score.

Common Vulnerability Scoring System (CVSS)
A more common metric for rating vulnerabilities is the CVSS, created by a consortium of software vendors and security organizations, including: CMU CERT, Cisco, DHS, MITRE, eBay, IBM, Microsoft, others. CVSS is currently maintained by the Forum of Incident Response and Security Teams (FIRST).

Rate each vulnerability in three dimensions on a scale 0..10:
• Base equations: objective characteristics of the vulnerability
• Temporal score: how the risk may change over time
• Environmental score: how the vulnerability is specific to your organization

Asset Value and Cost-Benefit Analysis
Benefit is the value an organization receives by using controls and countermeasures associated with a specific vulnerability.
• Typically by valuing the exposed asset and finding the percentage exposed.
• Asset valuation is often difficult or inconsistent across organizations.
• Assets may have intrinsic value as well as acquired value (a storage array may have a higher value than the value of the underlying disks and controllers).
• Intellectual property valuation may depend on the cost to acquire or produce the intellectual property, its worth (e.g. how much it can make over its lifetime), and how much it costs to protect it.

Some Metrics
Single Loss Expectancy: depends on percentage loss if a vulnerability is exploited; (SLE = asset value * exposure factor).

• Exposure factor is the impact of the risk over the asset or percentage of asset lost.
• Annualized Rate of Occurrence (ARO): how many times the attack will occur.
• Annualized Loss Expectancy (ALE): (ALE = SLE * ARO)
• Cost Benefit = (ALE_before - ALE_after) – Cost of safeguard

Recovery, MTTR and Availability
Mean time to repair (MTTR) after a failure (or attack). Goal is to reduce downtime costs.
• In 2000, Amazon estimated losses due to downtime at $180,000 per hour.
• Ebay estimates $225,000 per hour (and had a 22 hour outage).

Availability is the percentage of uptime. Inherent availability is (A = MTBF / (MTBF + MTTR))
Marketing literature quotes “5 nines” availability: 99.999%
• translates to 5 minutes downtime/year;
• however, requires “pre-defined, pre-tested environments”
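The SLE, ALE, cost-benefit, availability and DREAD formulas above carried through on one scenario, as an added example that is not part of the original reviewer. The asset value, exposure factors, occurrence rates, safeguard names and costs are all constructed for illustration.

```python
from dataclasses import dataclass

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600


def sle(asset_value: float, exposure_factor: float) -> float:
    """Single Loss Expectancy = asset value * exposure factor."""
    return asset_value * exposure_factor


def ale(asset_value: float, exposure_factor: float, aro: float) -> float:
    """Annualized Loss Expectancy = SLE * ARO."""
    return sle(asset_value, exposure_factor) * aro


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    exposure_factor_after: float  # share of the asset still lost per incident
    aro_after: float              # expected incidents per year once deployed


def cost_benefit(asset_value, ef_before, aro_before, safeguard: Safeguard) -> float:
    """(ALE before - ALE after) - cost of safeguard."""
    before = ale(asset_value, ef_before, aro_before)
    after = ale(asset_value, safeguard.exposure_factor_after, safeguard.aro_after)
    return (before - after) - safeguard.annual_cost


def rank_safeguards(asset_value, ef_before, aro_before, safeguards):
    """Net benefit of each safeguard, best first; a negative value costs more than it saves."""
    scored = [(cost_benefit(asset_value, ef_before, aro_before, s), s.name)
              for s in safeguards]
    return sorted(scored, reverse=True)


def inherent_availability(mtbf_hours: float, mttr_hours: float) -> float:
    """A = MTBF / (MTBF + MTTR)."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def downtime_minutes_per_year(availability: float) -> float:
    return (1.0 - availability) * MINUTES_PER_YEAR


def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """Average of the five DREAD subscores, each on the 1..10 scale."""
    subscores = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= s <= 10 for s in subscores):
        raise ValueError("each DREAD subscore must be between 1 and 10")
    return sum(subscores) / 5


# Constructed scenario: all figures below are illustrative, not from the page.
ASSET_VALUE, EF_BEFORE, ARO_BEFORE = 200_000, 0.25, 2
SAFEGUARDS = [
    Safeguard("MFA rollout", 15_000, 0.25, 0.5),
    Safeguard("Network segmentation", 60_000, 0.125, 0.5),
    Safeguard("Awareness posters", 40_000, 0.25, 1.5),
]

if __name__ == "__main__":
    print("SLE:", sle(ASSET_VALUE, EF_BEFORE))
    print("ALE before:", ale(ASSET_VALUE, EF_BEFORE, ARO_BEFORE))
    for benefit, name in rank_safeguards(ASSET_VALUE, EF_BEFORE, ARO_BEFORE, SAFEGUARDS):
        print(f"{name:22s} net benefit {benefit:>10,.0f}")
    print("5 nines downtime (min/yr):", round(downtime_minutes_per_year(0.99999), 3))
    print("Availability, MTBF 999 h / MTTR 1 h:", inherent_availability(999, 1))
    print("DREAD:", dread_score(8, 6, 7, 9, 5))
```
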


If availability is particularly important to your organization, how might you enhance it?

Recovery, MTTR and Availability
Operational availability must take into account the time between maintenance (not just failure), and the downtime due to maintenance.

Availability metrics may no longer be valid if environment changes.
• In particular the introduction of new threats!
• Or when running in a “degraded capability.”

LAWS, STANDARDS, AND POLICIES RELATING TO CYBER/INFORMATION SECURITY IN THE PHILIPPINES

R.A. 10173: THE DATA PRIVACY ACT OF 2012

Ensuring Data Privacy and Protection in the Philippines

Introduction to R.A. 10173
• Definition: A law protecting personal data in the Philippines.
• Year enacted: 2012.
• Purpose: Safeguard the privacy of individuals and regulate data processing.

Scope of the Law
Applies to:
• Public and private sectors.
• Individuals or organizations processing personal data.
Exemptions: Data for personal, journalistic, and government use.

Key Definitions
• Personal Data: Any information that identifies an individual.
• Sensitive Personal Information: Includes health, religion, political opinions, etc.
• Processing: Collection, storage, sharing, and disposal of data.

Principles of Data Privacy
• Transparency: Inform individuals about data processing.
• Legitimacy: Ensure data processing is lawful.
• Proportionality: Collect only necessary data.

Rights of Data Subjects
Right to:
• Be informed.
• Access.
• Object.
• Data erasure.
• Data portability.

Obligations of Organizations:
• Ensure Security Measures – Protect data from breaches.
• Appoint a Data Protection Officer (DPO)
• Report Data Breaches – Notify affected parties and authorities.

The Role of the National Privacy Commission (NPC)
Regulatory authority established by the Act.
Responsibilities:
• Monitor compliance.
• Investigate complaints.
• Issue advisory opinions.

Penalties for Non-Compliance
• Fines: Ranging from PHP 100,000 to PHP 5,000,000.
• Imprisonment: 3 to 6 years for serious violations.
• Examples of offenses:


  • Unauthorized data disclosure.
  • Failure to comply with NPC orders.

Impacts on Businesses
• Need for compliance with:
  • Data protection policies.
  • Staff training on data privacy.
  • Data breach response mechanisms.

Implications for Individuals
• Increased awareness of personal data protection.
• Steps to secure personal data:
  • Use strong passwords.
  • Be cautious with online sharing.

R.A. 10175 – CYBERCRIME PREVENTION ACT OF 2012

Combatting Cyber Threats in the Philippines

Introduction to R.A. 10175
• Definition: A law that criminalizes offenses committed through ICT (Information and Communication Technology).
• Enacted: 2012
• Purpose:
  • Address cyber threats.
  • Protect data and online transactions.
  • Penalize cybercriminal activities.

Scope of the Law
Applies to:
• All internet users, public and private sectors.
• Crimes committed within the Philippines and by Filipino citizens abroad.
Covers:
• Crimes involving computers, networks, and online platforms.

Categories of Cybercrimes

A. Offenses Against Confidentiality, Integrity, and Availability of Data and Systems:
• Illegal Access (Hacking)
• Data Interference
• System Interference
• Cyber-squatting

B. Computer-related Offenses:
• Identity Theft
• Computer-related Fraud
• Computer-related Forgery

C. Content-related Offenses:
• Cybersex
• Child Pornography
• Libel

Key Provisions
• Cybercrime Offenses: Punishable by law.
• Jurisdiction: Philippine courts have authority over crimes affecting Philippine ICT systems, even if the perpetrator is abroad.
• Creation of Cybercrime Investigation and Coordinating Center (CICC): Oversee and implement policies.

Rights of Citizens
• Right to Privacy: Data protection during investigations.
• Right to Due Process: Fair investigation and trial.
• Freedom of Expression: Balanced against libel and hate speech laws.
• Protection Against Abuse: Safeguards to prevent law misuse.

Penalties for Violations
• Fines and Imprisonment: Depending on the severity of the offense.
• Cyberlibel: Imprisonment and fines.
• Child Pornography: Up to life imprisonment.
• Multiple Offenses: Harsher penalties if crimes are committed simultaneously.

Impact on Society
• Positive Impact:
  Safer online environment.


  Increased trust in digital transactions.

• Challenges
  Concerns over freedom of speech.
  Fear of potential government overreach.

Obligations of Individuals and Organizations
• Individuals:
  Be cautious online.
  Report suspicious activities.

• Organizations:
  Implement strong cybersecurity policies.
  Educate employees on cyber threats.

Conclusion:
• Summary: R.A. 10175 protects citizens from cybercrimes and enforces online accountability.
• Call to Action:
  Stay informed about cyber laws.
  Practice responsible online behavior.
  Promote safe digital spaces.

NATIONAL CYBERSECURITY PLAN (NCSP) – PHILIPPINES

Strengthening the Nation’s Cyber Defense

Introduction to the NCSP
• Definition: The NCSP is a comprehensive framework to strengthen the country’s resilience against cyber threats.

• Purpose:
  • Secure critical information infrastructure.
  • Promote cybersecurity awareness.
  • Develop responsive cybersecurity capabilities.
• Implemented By: Department of Information and Communications Technology (DICT).

Objectives of the NCSP:
1. Ensure the Protection of Critical Infrastructure
2. Strengthen Government Cyber Defense Capabilities
3. Enhance Capacity to Respond to Cyber Threats
4. Develop a Cybersecurity-Aware Society
5. Foster International Cooperation on Cybersecurity

Key Pillars of the NCSP:

1. Protection of Critical Information Infrastructure (CII): Safeguard sectors like energy, finance, and healthcare.
2. Cyber Resiliency: Ensure fast recovery from cyberattacks.
3. Cybercrime Prevention: Support stronger enforcement of laws against cybercriminals.
4. Cybersecurity Workforce Development: Train professionals in cybersecurity fields.

Initiatives and Programs
• Cybersecurity Awareness Campaigns – Public education on digital safety.
• National Computer Emergency Response Team (NCERT): Monitors and responds to national cyber incidents.
• Partnerships with Private Sector – Collaboration to improve infrastructure protection.

Challenges and Opportunities:

Challenges:
• Limited cybersecurity professionals.
• Increasing sophistication of cyber threats.

Opportunities:


• Growing tech infrastructure.
• Stronger collaboration with global cybersecurity entities.

Conclusion and Call to Action:

Summary: The NCSP is crucial for national security and economic growth.

Call to Action:
• Encourage students to pursue cybersecurity careers.
• Promote responsible online practices.
• Support national efforts to build a secure digital environment.
