PowerPoint One - WordPress.com

Network Security
Instructor: Professor Stephen Osborne
Task Type: Discussion Board 3 Deliverable Length: See assignment details
Points Possible: 50 Due Date: 9/16/2011 11:59:59 PM CT
Review and reflect on the knowledge you have gained from this course. Based on your
review and reflection, write at least 3 paragraphs on the following:
1. What were the most compelling topics learned in this course?
2. How did participating in discussions help your understanding of the subject matter?
3. Is anything still unclear that could be clarified?
4. What approaches could have yielded additional valuable information?
Respond to another student: Respond to 1 of your fellow classmates with a reply of at
least 100 words about his or her primary task response regarding items you found to be
compelling and enlightening.
Phase 5 Discussion Board 3 Resolution
Think about and then answer the below three questions.
1. What were the most compelling topics learned in this
course?
2. How did participating in discussions help your
understanding of the subject matter?
3. Is anything still unclear that could be clarified?
4. What approaches could have yielded additional valuable
information?
Please respond to at least one other classmate’s post.
Task Type: Individual Project 2 Deliverable Length: 3–5
pages
Points Possible: 100 Due Date: 9/17/2011 11:59:59 PM CT
In the context of e-mail communications security, prepare a 3–5 page white paper that describes the difference between Pretty Good Privacy (PGP) and Secure/MIME (S/MIME).
Be sure to reference all sources using APA style.
Please submit your assignment.
Individual Project 2 Resolution
Gather information from the CTU Library or the
Internet on Pretty Good Privacy and
Secure/MIME (S/MIME). Once you have
collected all of your research, provide an
overview of each.
Are online backup services safe
for our company data?
• This is an open-ended question. A better question is
whether online backup services can be safe for
company data, and the answer is “yes.” There are
several questions you should ask before using an online
backup service.
• Where is the data actually stored? Is it secure and safe
from natural disasters or other more ordinary threats
like temperature and humidity? Is the media high
quality? Are redundancies in place?
• Under what conditions can data be recovered? Are you allowed to inspect the physical premises? Are backup power systems in place? As the value of your data increases, the depth of your questions will also increase.
• Online backup services might not be appropriate for your primary backups, but they may serve well for a level of redundancy.
How can I establish redundancy
for my hosted Internet website?
• Many businesses are highly dependent on their
Internet presence as a primary part of business.
From sales to actual business processes and
communications, the web servers and the functions
they support are extremely important.
• Many of these same businesses have all the Internet
operations located on a single hosted computer at
another provider’s location.
• Although reputable hosting sites have reasonably good availability, it may not always be good enough if problems occur. Most hosts provide service-level guarantees and, for a price, many will offer redundancy for your host site.
• The next best level of redundancy is another hosted system through another provider. If the primary host has long-term difficulties, one can switch to a secondary host on relatively short notice. As a final measure of protection, make sure to have a system capable of running the basic operations internally, if necessary.
If I encrypt the data on my systems, how can I make
sure someone will be able to decrypt it
should a disaster occur?
• Encryption is the process of combining one or more keys with
data to make it unreadable without the key used for
encryption. If only one person knows the key and that person
leaves the company or is not available for some other reason,
a company could be in a bad situation and unable to access
important information.
• Failure to consider this kind of circumstance could be
catastrophic. To avoid losing vital data, encryption should also
be accompanied by a method to recover the data. Key
individuals in the company could be given the decryption key,
but this is not always adequate protection.
• An additional method is to create decryption tools that can recover the important data in the event of an emergency. Treat the encrypted data as one would treat important documents kept in a safe.
• How many people should have the combination, and would someone also store the combination in other safe places to provide some redundancy?
Is the backup software that came with my
operating system (OS) good enough
for company backups?
• The answer to this question lies in an understanding of what makes an excellent backup program. Basic backup features aside, the most critical part of a backup is ensuring the data are recoverable.
• If a backup program merely writes the data to the
backup media, then there is no assurance the data
can be recovered, if necessary.
• High-quality backup programs are able to perform some checks on the data while the backup is being made to ensure it is recoverable.
• The backup software that comes with the operating system can do this kind of check, but as the sophistication of the software increases, so does the ability to verify the integrity of the backups. The amount an organization wants to invest in backup software is related to the value of those backups.
How often should I perform backups?
• The simple answer is another question. How much
data can you afford to lose? Keeping in mind that
backups slow down system operation and also
consume disk space, a system administrator needs to
look at how much time would be spent recreating
the lost data if something happens to the data.
• Some data cannot be recreated easily at all, so some
form of ongoing redundancy should be considered.
• Other data, while not easy to recreate, are also not highly valuable, so a system administrator could afford to lose more. If business operations would be significantly interrupted by loss of data, then nightly backups should be performed.
• With less valuable data, data that do not change often, or data that are easily recreated, weekly or even monthly backups are sufficient.
How can I test my backups if there is not
sufficient disk space to restore the data to a
secondary location?
• The best way to test a backup is to actually restore and test the
resultant information. This is seldom possible though because
disk space to hold the restored data is not always available.
One alternative is to stream test the information. To stream
test, individual files are restored and tested.
• During this process, the backup media can also be verified for
integrity. The problem with this approach is many of the
applications and associated data cannot be tested in isolation,
but at least the integrity of the files can be checked.
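The stream test described above, as an added example that is not part of the slides: the backup records a SHA-256 manifest while it is written, and verification hashes each file straight out of the archive, so no secondary restore location is needed. The archive layout, file names and contents are constructed for the demo.

```python
"""Added example (not from the slides): back up constructed files into a tar
archive with a SHA-256 manifest, then stream-test the backup by reading each
member straight out of the archive instead of restoring everything to disk."""
import hashlib
import io
import os
import tarfile
import tempfile


def make_backup(files: dict, archive_path: str) -> dict:
    """Write files ({name: bytes}) to a tar archive. The returned manifest
    records each file's size and hash as read during the backup, so a later
    check compares the media against what was actually written."""
    manifest = {}
    with tarfile.open(archive_path, "w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[name] = {"size": len(data),
                              "sha256": hashlib.sha256(data).hexdigest()}
    return manifest


def stream_verify(archive_path: str, manifest: dict) -> dict:
    """Stream test: hash each member while reading it from the archive (no
    secondary restore location needed) and compare with the manifest.
    Returns {name: "ok" | "missing" | "corrupt"} for every manifest entry."""
    results = {name: "missing" for name in manifest}
    try:
        with tarfile.open(archive_path, "r") as tar:
            for member in tar.getmembers():
                expected = manifest.get(member.name)
                if expected is None:
                    continue  # file not covered by the manifest
                stream = tar.extractfile(member)
                if stream is None:  # not a regular file
                    results[member.name] = "corrupt"
                    continue
                digest = hashlib.sha256()
                for chunk in iter(lambda: stream.read(64 * 1024), b""):
                    digest.update(chunk)
                good = (member.size == expected["size"]
                        and digest.hexdigest() == expected["sha256"])
                results[member.name] = "ok" if good else "corrupt"
    except tarfile.TarError:
        # Unreadable archive: nothing on it can be trusted as recoverable.
        return {name: "corrupt" for name in manifest}
    return results


def demo() -> tuple:
    """Back up two constructed files and verify; then flip one byte inside the
    first file's data (simulated media decay) and verify again; finally verify
    against a manifest that lists a file the archive never contained."""
    files = {
        "manuals/policy.txt": b"Acceptable use policy, revision 3\n" * 200,
        "ledger/2011-09.csv": b"date,amount\n2011-09-01,100.00\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "backup.tar")
        manifest = make_backup(files, path)
        clean = stream_verify(path, manifest)
        with tarfile.open(path, "r") as tar:
            offset = tar.getmember("manuals/policy.txt").offset_data
        with open(path, "r+b") as fh:
            fh.seek(offset + 10)
            original = fh.read(1)
            fh.seek(offset + 10)
            fh.write(bytes([original[0] ^ 0xFF]))
        damaged = stream_verify(path, manifest)
        extra = dict(manifest)
        extra["ledger/2011-10.csv"] = manifest["ledger/2011-09.csv"]
        missing = stream_verify(path, extra)
    return clean, damaged, missing
```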
Do backups go bad after time?
• This was a larger problem in the past when backups
were made to more sensitive media like floppy disks
and tape drives. Backups are now often made to
secondary hard drives and CD or DVD media, which is
generally more durable and less prone to problems.
• These media are not without their problems though, and
while time may not be the biggest contributor to
problems, environmental exposure combined with time
can be. The answer to the question is that backup media
does go bad, but it does not happen very often if the
media are kept under appropriate conditions.
How much can I justify spending on
disaster recovery plans?
• A system administrator can begin to address this
question by determining how much a disaster would
cost the business. After these values are established, the
administrator can attempt to assign some probabilities
to the types of problems the business might encounter.
• Although a flood might present an almost catastrophic
situation to the business, if the business is in an area
where this is extremely unlikely, then preparation for a
flood would not make a lot of sense.
• Preparation for an earthquake in San Francisco might not be a bad idea though. How much do you spend in preparation for disaster? When one combines the cost of an event with the risk, one will have a sense of the threat to the business.
• Treat these disaster recovery plans somewhat as an individual would treat insurance. As a system administrator, one might want to discuss this topic with the person responsible for insurance coverage in the company.
More on Disaster Recovery
• Disaster recovery is critical for today's organization
because weather-related or man-made disasters can
occur at any time. Examples of disasters are
extensive, from weather-related disasters like
hurricanes and tornadoes to man-made disasters
such as riots.
• Unfortunately, these events happen, but businesses
must have operations back up and running as soon
as possible.
• Disasters like the tsunami that struck Southeast Asia in December 2004 or Hurricane Katrina that hit the Gulf Coast region of the United States in August 2005 provide real-life examples that disasters can happen in any form and at any time. Businesses must have systems in place to protect themselves.
• Network outages can create the same damage to a business as a natural disaster. Although a network outage pales in comparison to a natural disaster, the effect on a business can be the same. The business is shut down. Money and time are lost. If steps are not taken quickly, the business may not recover.
Defining Disaster Recovery
• Disaster recovery planning, sometimes called business
continuity planning, is defined by the Disaster Recovery
Journal (DRJ) editorial review board as "The ability of an
organization to respond to a disaster or an interruption in
services by implementing a disaster recovery plan to
stabilize and restore the organization's critical functions"
(Disaster Recovery Journal, n.d.).
• The definition encompasses the activities that restore health
to the system stricken by disaster. It is critical to understand
that disaster recovery planning refers to a set of activities
and processes to restore the health of a business to an
acceptable state.
Disaster Recovery Teams
• Teamwork is an important component in disaster recovery planning. If a disaster occurs, many individuals are coordinated to restore business functions. When natural disasters occur, teams of personnel are dispersed to provide help to people in the areas the disaster struck.
• This is no different in business disaster recovery; each
person on the disaster recovery team has a role to play. It is
his or her job to coordinate an area of responsibility to bring
the business network back up and operating.
• Disaster recovery teams develop long before a
disaster occurs. Teams are created from different
departments across the organization. They have
members with a mix of technical and business skills
who work together to identify critical resources and to
prioritize critical operations for the organization.
Disaster Recovery Steps
There are a number of steps involved in developing a
disaster recovery plan. These steps include the
following (Erbschloe, 2003):
1. Organization of the team
2. Assessing the potential risks
3. Establishing roles and responsibilities
4. Development of policies
5. Documentation
6. Preparation
7. Training and testing
8. Maintenance
• These steps illustrate that disaster recovery planning is more than a plan; it is a company-wide philosophy that enables the company to pull together all the pieces and use its resources to get the business back up and running.
Disaster Recovery Management
• Disaster Recovery Management Teams (DRMTs) are not necessarily included in disaster recovery plans, but they are necessary. DRMTs are the managers and executives who are responsible for overseeing a disaster recovery plan and making sure the rules that were developed are followed.
• The leadership of the organization has to be sure that
these knowledgeable workers get the resources they
need, give the necessary support, and make sure the
plan is being carried out as effectively as possible.
Introduction to Cyber Crimes and Networks
• Cyber crime is a term that many people are now
familiar with; however, it is a term that was not a
part of the common vernacular until recent years. As
computers and computer networks, including the
Internet, have increased in popularity, so have the
opportunities to use these tools as systems to
commit policy violations as well as civil and
criminal activities.
• When considering cyber crime, one must remember
there are many types of crimes commonly
committed using computer systems.
• To understand cyber crimes in relation to computer network penetration, one must first understand the concept of computer networks. At its most basic level, a computer network is two or more computers connected together to allow communications between two users.
• When considering computer network penetration, it is important to consider the types of attacks that can occur and where these attacks may originate. It is common for security professionals to focus on the possibility of external attacks and not put sufficient focus on the potential for internal attacks.
• Computer users connected to a network must realize that in today’s society there is always a possibility of interception of any information on a networked computer or one shared over an Internet connection.
• Standard security recommends that users look for “the lock” that indicates the security of a Web site or HTTPS in the Web address, again to indicate security. These are good indications of the security of the Web site; however, this does not indicate the security of the user’s Internet connection.
Challenges of Information Security
• Attackers are always interested in gaining something
from the organization or person attacked. It may be
the notoriety of having performed the attack, the
data gained during the attack, or any of the other
results when a network attack occurs.
There are six significant challenges outlined, which include the
following (Egan & Mather, 2005):
• E-commerce, where the attack could target either the organization selling the product or service or the purchaser, with the attacker attempting only to gain the individual’s purchase information.
• The information security requirements of the organization must be maintained. Organizations must maintain the security of their data. In today’s marketplace, an organization's customer database, employee records, product plans, and other data are the backbone of the organization; the loss of this information could cause lawsuits and other situations that can lead to the organization’s failure.
• The immature information security market is a problem that many do not readily recognize; however, many areas of information security still do not meet the needs of consumers or organizations.
• Organizations may also lack experienced information security personnel.
• With the increase in government legislation and industry regulations, organizations must ensure compliance not only with company policies but also with all of the government and other regulations.
• The final challenge for organizations to face is the increasing mobile workforce and wireless computing. The mobile workforce has increased physical security risks related to the mobility of the data through mobile devices such as laptops and smart phones. In addition, there are the information risks related to employees using unsecured networks at airports or other public locations, or attackers using the convenience of public access to observe users and gain access to information that would have been unavailable if the employee were within the organization’s business environment.
Internal Crackers
• In today's corporate world, internal crackers are serious threats, possibly even more so than external crackers, since internal crackers already have access to the network. But all hope is not lost; there is a lot that can be done to combat internal hacking.
• First, one should set clearly defined policies for what is and is not acceptable use of the corporate network. The policies should define what acceptable use of network resources is, and which resources one is and is not allowed to access, depending on one's role within the company.
• A part of this policy should also be controls to police the network security personnel, administrators, and anyone else with access to sensitive information.
• Some such controls could be background checks, making sure old user accounts are disabled, checking for backdoors, and educating employees about the security policies.
• Another good practice is to make sure security responsibilities are distributed among many people. This way no one person has access to everything, so no one person can be compromised or paid off to take down the entire network security.
• The policy should also clearly define the consequences of violating the policy. The most important part is that the policy should be enforced, because if the policy is not enforced it is completely useless and you might as well not have one.
• Second, file and folder security should be implemented, such as the NTFS permissions built into newer versions of Windows. It allows the administrator to set up access control lists (ACLs) to control what each user has access to and how much access they have.
• For example, the ACL can be set up to allow John Smith to read and open files in the Corporate Manuals folder but not to delete or change them.
• File and folder security is important because, although it would be ideal for every employee to follow the security policy, in reality that is not always the case, and that is where file and folder security comes in.
• Not all internal hacking attempts are malicious; some are just out of curiosity or a plain accident, but if file and folder security is configured properly it should stop most internal hacking attempts.
• This idea ties into the concept of "Least Privilege", which is the idea that employees should only get permissions and access to what they need to complete the role of their jobs.
• Finally, an audit policy should be implemented to monitor high-risk resources, or the resources that have the highest impact on the company's operations. The audit policy will help to determine possible hacking attempts and the areas that require better security.
• An audit policy will also keep a record of activity that allows activity to be tracked and provides evidence in the event that prosecution becomes necessary.
• Internal crackers can be a serious threat, but there is a lot that can be done to combat them. Like all things in life, there is no catch-all solution that will prevent internal hacking 100%, but listed above are many ways in which we can reduce and mitigate the risk of internal crackers.
Access Control Lists (ACLs)
• Access control lists (ACLs) are filters that enable you to control which routing updates or packets are permitted or denied into or out of a network. They are used by network administrators to filter traffic and to provide extra security for their networks. This can be applied on routers (Cisco).
• ACLs provide a powerful way to control traffic into and out of your
network; this control can be as simple as permitting or denying
network hosts or addresses. You can configure ACLs for all routed
network protocols.
• The most important reason to configure ACLs is to provide security
for your network. However, ACLs can also be configured to control
network traffic based on the TCP port being used.
How ACLs work
• A router acts as a packet filter when it forwards or denies
packets according to filtering rules. As a Layer 3 device, a
packet-filtering router uses rules to determine whether to
permit or deny traffic based on source and destination IP
addresses, source port and destination port, and the protocol
of the packet. These rules are defined using access control
lists or ACLs.
• To simplify how an ACL on a router filters packets, imagine a guard stationed at a locked door. The guard's instruction is to allow only people whose names appear on a guest list to pass through the door. The guard is filtering people based on the condition of having their names on the authorized list.
• When a packet arrives at the router, the router extracts certain information from the packet header and decides, according to the filter rules, whether the packet can pass through or must be dropped. The packet filtering process works at the Network layer of the Open Systems Interconnection (OSI) model, or the Internet layer of TCP/IP.
Why use ACLs
• Limits network traffic to increase network performance.
• Provides traffic flow control by restricting the delivery of routing updates.
• Can be used as additional security.
• Controls which types of traffic are forwarded or blocked by the router.
• Controls which areas a client can access.
Types of Access Control Lists
Standard access-list
• Standard access lists create filters based on source addresses and are used for server-based filtering. Address-based access lists distinguish routes on a network you want to control by using the network address (IP).
• Address-based access lists consist of a list of
addresses or address ranges and a statement as to
whether access to or from that address is permitted
or denied.
Extended access lists
• Extended access lists create filters based on source
addresses, destination addresses, protocol, port
number and other features and are used for packet
based filtering for packets that traverse the network.
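How a router walks a standard and an extended list, as an added example that is not from the slides or from Cisco: entries are tested top to bottom, the first match decides, and anything unmatched hits the implicit deny at the end of the list. The wildcard masks, addresses, ports and list contents are constructed for the demo.

```python
"""Added example (not from the slides): a simulator of how a router applies
standard and extended access lists with Cisco-style semantics: entries are
checked top to bottom, the first match decides, and a packet that matches
no entry is dropped by the implicit 'deny any' at the end of every list.
The lists and packets below are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco 'any': every address bit is don't-care


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass
class Packet:
    protocol: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Entry:
    action: str                       # "permit" or "deny"
    src: str = ANY[0]
    src_wc: str = ANY[1]
    # The fields below are consulted only by extended lists.
    protocol: str = "ip"              # "ip" matches every protocol
    dst: str = ANY[0]
    dst_wc: str = ANY[1]
    dst_port: Optional[int] = None    # the 'eq <port>' destination port test

    def matches(self, pkt: Packet, extended: bool) -> bool:
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not extended:
            return True               # standard lists test the source only
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        return self.dst_port is None or pkt.dst_port == self.dst_port


def evaluate(entries: List[Entry], pkt: Packet, extended: bool) -> str:
    """Return 'permit' or 'deny' for pkt; the first matching entry wins."""
    for entry in entries:
        if entry.matches(pkt, extended):
            return entry.action
    return "deny"                     # the implicit deny at the end of every ACL


# Standard list, equivalent to "deny host 10.1.1.99" followed by
# "permit 10.1.1.0 0.0.0.255" (source address only).
STANDARD_ACL = [
    Entry("deny", "10.1.1.99", "0.0.0.0"),
    Entry("permit", "10.1.1.0", "0.0.0.255"),
]

# Extended list: anyone may reach the web server on TCP 443; only the
# internal LAN may reach the bastion on TCP 22; everything else is dropped.
EXTENDED_ACL = [
    Entry("permit", protocol="tcp", dst="192.0.2.10", dst_wc="0.0.0.0", dst_port=443),
    Entry("permit", "10.1.1.0", "0.0.0.255", protocol="tcp",
          dst="192.0.2.20", dst_wc="0.0.0.0", dst_port=22),
]


def standard_decision(src: str) -> str:
    """Standard lists ignore everything but the source address."""
    return evaluate(STANDARD_ACL, Packet("tcp", src, "192.0.2.10", 40000, 80), False)


def extended_decision(pkt: Packet) -> str:
    return evaluate(EXTENDED_ACL, pkt, True)


def order_matters() -> str:
    """Same two standard entries, reversed: the broad permit now shadows the
    host deny, so 10.1.1.99 gets through. Entry order is part of the policy."""
    return evaluate(list(reversed(STANDARD_ACL)),
                    Packet("tcp", "10.1.1.99", "192.0.2.10", 40000, 80), False)
```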
Role-Based Access Control (RBAC)
• RBAC appears to be a promising method for controlling what information computer users can utilize, the programs that they can run, and the modifications that they can make. Only a few off-the-shelf systems that implement RBAC are commercially available; however, organizations may want to start investigating RBAC for future application in their multi-user systems.
• RBAC is appropriate for consideration in systems
that process unclassified but sensitive information,
as well as those that process classified information.
What is Role-Based Access Control?
• Access is the ability to do something with a
computer resource (e.g., use, change, or view).
Access control is the means by which the ability is
explicitly enabled or restricted in some way (usually
through physical and system-based controls).
• Computer-based access controls can prescribe not only who or what process may have access to a specific system resource, but also the type of access that is permitted. These controls may be implemented in the computer system or in external devices.
• With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager).
• The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.
• Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.
• The use of roles to control access can be an effective means for developing and enforcing enterprise-specific security policies, and for streamlining the security management process.
Users and Roles
• Under the RBAC framework, users are granted membership
into roles based on their competencies and responsibilities
in the organization. The operations that a user is permitted
to perform are based on the user's role. User membership
into roles can be revoked easily and new memberships
established as job assignments dictate.
• Role associations can be established when new operations
are instituted, and old operations can be deleted as
organizational functions change and evolve. This simplifies
the administration and management of privileges; roles can
be updated without updating the privileges for every user on
an individual basis.
• When a user is associated with a role, the user can be given no more privilege than is necessary to perform the job. This concept of least privilege requires identifying the user's job functions, determining the minimum set of privileges required to perform that function, and restricting the user to a domain with those privileges and nothing more. In less precisely controlled systems, this is often difficult or costly to achieve.
• Someone assigned to a job category may be allowed more privileges than needed because it is difficult to tailor access based on various attributes or constraints. Since many of the responsibilities overlap between job categories, maximum privilege for each job category could cause unlawful access.
Roles and Role Hierarchies
• Under RBAC, roles can have overlapping responsibilities
and privileges; that is, users belonging to different roles may
need to perform common operations. Some general
operations may be performed by all employees. In this
situation, it would be inefficient and administratively
cumbersome to specify repeatedly these general operations
for each role that gets created.
• Role hierarchies can be established to provide for the
natural structure of an enterprise. A role hierarchy defines
roles that have unique attributes and that may contain other
roles; that is, one role may implicitly include the operations
that are associated with another role.
• In the healthcare situation, a role Specialist could contain the roles of Doctor and Intern. This means that members of the role Specialist are implicitly associated with the operations associated with the roles Doctor and Intern without the administrator having to explicitly list the Doctor and Intern operations. Moreover, the roles Cardiologist and Rheumatologist could each contain the Specialist role.
Role hierarchies are a natural way of organizing roles to reflect authority, responsibility, and competency:
• The role in which the user is gaining membership is not mutually exclusive with another role for which the user already possesses membership. These operations and roles can be subject to organizational policies or constraints.
• When operations overlap, hierarchies of roles can be established. Instead of instituting costly auditing to monitor access, organizations can put constraints on access through RBAC.
• For example, it may seem sufficient to allow physicians to have access to all patient data records if their access is monitored carefully. With RBAC, constraints can be placed on physician access so that only those records that are associated with a particular physician can be accessed.
Roles and Operations
• Organizations can establish the rules for the association of operations
with roles. For example, a healthcare provider may decide that the role
of clinician must be constrained to post only the results of certain tests
but not to distribute them where routing and human errors could
violate a patient's right to privacy. Operations can also be specified in
a manner that can be used in the demonstration and enforcement of
laws or regulations. For example, a pharmacist can be provided with
operations to dispense, but not to prescribe, medication.
• An operation represents a unit of control that can be referenced by an individual role, subject to regulatory constraints within the RBAC framework. An operation can be used to capture complex security-relevant details or constraints that cannot be determined by a simple mode of access.
• For example, there are differences between the access needs of a teller and an accounting supervisor in a bank. An enterprise defines a teller role as being able to perform a savings deposit operation. This requires read and write access to specific fields within a savings file.
• An enterprise may also define an accounting supervisor role that is allowed to perform correction operations. These operations require read and write access to the same fields of a savings file as the teller. However, the accounting supervisor may not be allowed to initiate deposits or withdrawals but only perform corrections after the fact.
• Likewise, the teller is not allowed to perform any corrections once the transaction has been completed. The difference between these two roles is the operations that are executed by the different roles and the values that are written to the transaction log file.
• The RBAC framework provides administrators with the capability to regulate who can perform what actions, when, from where, in what order, and in some cases under what relational circumstances:
• Only those operations that need to be performed by members of a role are granted to the role. Granting of user membership to roles can be limited. Some roles can only be occupied by a certain number of employees at any given period of time.
• The role of manager, for example, can be granted to only one employee at a time. Although an employee other than the manager may act in that role, only one person may assume the responsibilities of a manager at any given time. A user can become a new member of a role as long as the number of members allowed for the role is not exceeded.
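The role hierarchy (Specialist containing Doctor and Intern, Cardiologist containing Specialist), the teller/supervisor separation, the one-manager-at-a-time limit and the physician record constraint from the two sections above, as one added example that is not from the slides or from any RBAC product. The role names, operations, users and the record format are constructed for the demo.

```python
"""Added example (not from the slides): a minimal RBAC engine covering the
ideas above: operations grouped under roles, a role hierarchy in which a
senior role implicitly inherits a junior role's operations, a cardinality
limit on membership, mutually exclusive roles, and an object-level
constraint that narrows a physician's access to their own patients'
records. All roles, users and records are constructed for the demo."""
from typing import Dict, FrozenSet, Optional, Set


class RBAC:
    def __init__(self) -> None:
        self.role_ops: Dict[str, Set[str]] = {}      # role -> directly granted operations
        self.contains: Dict[str, Set[str]] = {}      # role -> roles it contains (inherits)
        self.members: Dict[str, Set[str]] = {}       # role -> users holding it
        self.max_members: Dict[str, int] = {}        # cardinality constraints
        self.exclusive: Set[FrozenSet[str]] = set()  # mutually exclusive role pairs

    def add_role(self, role: str, ops=(), contains=(),
                 max_members: Optional[int] = None) -> None:
        self.role_ops[role] = set(ops)
        self.contains[role] = set(contains)
        self.members.setdefault(role, set())
        if max_members is not None:
            self.max_members[role] = max_members

    def add_exclusion(self, a: str, b: str) -> None:
        self.exclusive.add(frozenset((a, b)))

    def effective_ops(self, role: str) -> Set[str]:
        """A role's own operations plus everything inherited down the hierarchy."""
        ops: Set[str] = set()
        seen: Set[str] = set()
        stack = [role]
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            ops |= self.role_ops.get(current, set())
            stack.extend(self.contains.get(current, ()))
        return ops

    def roles_of(self, user: str) -> Set[str]:
        return {role for role, users in self.members.items() if user in users}

    def assign(self, user: str, role: str) -> Optional[str]:
        """Grant membership; return None on success or the reason for refusal."""
        if role not in self.role_ops:
            return "unknown role"
        limit = self.max_members.get(role)
        if (limit is not None and user not in self.members[role]
                and len(self.members[role]) >= limit):
            return "cardinality limit reached"
        for held in self.roles_of(user):
            if frozenset((held, role)) in self.exclusive:
                return "conflicts with role " + held
        self.members[role].add(user)
        return None

    def revoke(self, user: str, role: str) -> None:
        self.members.get(role, set()).discard(user)

    def can(self, user: str, op: str) -> bool:
        return any(op in self.effective_ops(role) for role in self.roles_of(user))


def build_demo() -> RBAC:
    r = RBAC()
    # Hospital hierarchy from the slides: Specialist contains Doctor and Intern,
    # and Cardiologist contains Specialist.
    r.add_role("intern", ops={"read_record"})
    r.add_role("doctor", ops={"read_record", "diagnose", "prescribe", "order_lab"})
    r.add_role("specialist", ops={"refer"}, contains={"doctor", "intern"})
    r.add_role("cardiologist", ops={"read_ecg"}, contains={"specialist"})
    r.add_role("researcher", ops={"read_anonymised"})
    # Bank example from the slides: tellers deposit, supervisors correct, and
    # no one may hold both roles.
    r.add_role("teller", ops={"savings_deposit", "savings_withdrawal"})
    r.add_role("accounting_supervisor", ops={"correct_transaction"})
    r.add_exclusion("teller", "accounting_supervisor")
    # Only one person may be manager at any given time.
    r.add_role("manager", ops={"approve_budget"}, max_members=1)
    return r


def can_open_record(rbac: RBAC, user: str, record: dict) -> bool:
    """RBAC grants the read_record operation; the constraint narrows it to
    records whose assigned physicians include this user."""
    return rbac.can(user, "read_record") and user in record["physicians"]
```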
Advantages of RBAC
• A properly administered RBAC system enables users to carry out a broad range of authorized operations, and provides great flexibility and breadth of application. System administrators can control access at a level of abstraction that is natural to the way that enterprises typically conduct business.
• This is achieved by statically and dynamically regulating users'
actions through the establishment and definition of roles, role
hierarchies, relationships, and constraints. Thus, once an RBAC
framework is established for an organization, the principal
administrative actions are the granting and revoking of users into and
out of roles.
• This is in contrast to the more conventional and less intuitive process
of attempting to administer lower-level access control mechanisms
directly (e.g., access control lists [ACLs], capabilities, or type
enforcement entities) on an object-by-object basis.
• Further, it is possible to associate the concept of an RBAC operation with the concept of "method" in Object Technology. This association leads to approaches where Object Technology can be used in applications and operating systems to implement an RBAC operation.
• For distributed systems, RBAC administrator responsibilities can be divided among central and local protection domains; that is, central protection policies can be defined at an enterprise level while leaving protection issues that are of local concern at the organizational unit level.
• For example, within a distributed healthcare system, operations that are
associated with healthcare providers may be centrally specified and
pertain to all hospitals and clinics, but the granting and revoking of
memberships into specific roles may be specified by administrators at
local sites.
Task Type: Individual Project Deliverable Length: PowerPoint, 9–11 slides,
including a title slide; Final key assignment document
Points Possible: 250 Due Date: 8/8/2011 11:59:59 PM CT
Weekly tasks or assignments (Individual or Group Projects) will be due by Monday and
late submissions will be assigned a late penalty in accordance with the late penalty
policy found in the syllabus.
NOTE: All submission posting times are based on midnight Central Time.
Keeping data safe is not only a responsibility of the security administrator but also of every employee in a company. Many times, the employee is the first level of security and can thwart break-ins, spot security breaches, and protect data. However, many employees do not know how to protect data, what data needs protecting, or what to do if a breach is detected.
Please submit your assignment.
For this assignment, complete the following:
• Develop a Security Awareness Training (SAT) presentation for company employees.
• Present at least 8 elements to help employees keep the company data safe and their computers running well.
• Using your Week 4 DB Assignment, build a PowerPoint presentation following the summary.
• Add 2 additional items to the presentation that are not included in your Week 4 DB assignment.
• You can include, but are not limited to, understanding the importance of security, what data to protect, what to do if a breach is detected, how to protect the company data, or how computers get infected.
• Your presentation should improve the employees' security awareness and practices.
• Include, as the second slide, an agenda that names each security tip.
• Be sure to use a design template to add a professional look and consistency to the presentation.
• Add to the key assignment document an explanation of the 2 additional elements in your presentation. Explain the 3 topic points you provided for the 2 additional elements, describing why they are important.
The following are the instructions for the Phase 5 Individual Project. Basically, this assignment will consist of designing a Security Awareness Training Program for employees.
It will be a PowerPoint presentation consisting of as many slides as you deem necessary. I have provided below the necessary topics that should be incorporated into the program. I believe that these areas would definitely reflect a security awareness training program for an organization. I have added some examples for each topic. You can use these as well as any more that you would like to add.
Factors that go into a Security Awareness Training (SAT) program
• Employee Training (password creation and protection in regard to their computers, recognizing different types of security issues, knowing what to do in case of a security breach).
• Understanding how Data gets corrupted (viruses, internal and external crackers, not keeping company information confidential, downloading non-company material).
• How to Keep Data Safe (antivirus software, do not download suspicious-looking emails, be aware of types of social engineering attacks).
• Designing company Security Policies (data integrity, data availability, data confidentiality, authentication, best email practices).
• Implementing Security Policies (educating personnel, ensuring that current company security policies are available at all times to personnel through some form of media such as a company intranet or some type of internal network).
• Disaster Recovery (training personnel in what to do in case a disaster happens in their workplace; evacuation steps in case the disaster is catastrophic or, if not, the decisions as to what part of the business should be saved first, such as customer databases or billing systems, and which personnel are in charge of this).
• HIPAA (Health Insurance Portability and Accountability Act training, if applicable).
• HIPAA was created by the federal government to protect patients' private information. It is directly associated with healthcare professionals and staff who have access to patient information. This includes doctors, healthcare office workers, healthcare managers, and healthcare technicians. In order to obtain HIPAA certification, individuals are required to take a HIPAA compliance course. This course provides you with an understanding of HIPAA implications for healthcare providers.
Please be sure to use APA formatting.
If you need help or have any questions, please email me.
Little Quiz
What is the name of the agency that the 10 knowledge domains are under?
International Information Systems Security Certification Consortium (ISC2).
What is the name of the triangle made up of Confidentiality, Integrity and Availability?
CIA
What type of attack is specifically designed to bring a network down by flooding it with useless traffic? SYN floods and other flood attacks are versions of this attack.
Denial of Service attack (DoS)
What term describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people into breaking normal security procedures?
Social Engineering
What is the name of the procedure an organization has in place in case something catastrophic happens to the organization?
Disaster Recovery Plan (DRP)
This term describes data being converted into a form, called ciphertext, which cannot be easily understood by unauthorized people.
Encryption
Thank You