Please answer the following questions
a) What is Encryption in accounting information system and what are the steps in the encryption and decryption process?
b) What are the factors that influence encryption strength?
c) What are the types of encryption systems, and their advantages and disadvantages, risks and primary uses in information systems?
d) How does hashing, digital signatures, and virtual private networks process in encryption?
a) ENCRYPTION:-
Encryption is a simple concept to grasp. Essentially, it’s a way that you can encode a piece of information so only the intended recipient can access it. The information is scrambled using a cipher, such as AES, and a key is shared between parties that allows the recipient to decrypt it.
Steps in the encryption and decryption process:-
Private Key/Symmetric Encryption
Symmetric encryption uses the same key to encrypt and decrypt the data. That means the encryption key is shared between parties before the data is encrypted or decrypted. Symmetric encryption would be like having a safe where you store your data. You, and anybody else that could access that data, would need the combination to open the safe.
This encryption is mainly used to protect data at rest. A good example of this is cloud storage, where encryption happens while the data is still stored, and only decrypted when accessed by an authorized user. (refer image 1)
The basic process works like this: A user requests access to encrypted data. The storage container sends back an encryption key to the key manager. The key manager verifies the legitimacy of each party, then opens a secure connection between them.
Now that the secure connection is opened, the encryption key is shared between parties. After that’s done, the encrypted information is decrypted and sent as plaintext to the requesting party.
There are a lot of steps when it comes to symmetric encryption, which makes it most applicable to data at rest. Asymmetric encryption is better for data in motion, as it allows users to actively encrypt packets of data without sharing a key between them.
There’s more than one way to encrypt plaintext: the limit seems to be the human imagination.
b) Factors that influence encryption strength:-
What you do online, your internet browsing and history, are exposed to your ISP (Internet Service Provider), the government, or to whoever manages to hack into your device and get access to your network.
They can see every website you visit, the files you download, and any interaction you have in the online world.
This gives hackers the chance of collecting private data about you that they can further use to harm you through different types of fraudulent activities.
Fortunately, there are tools designed to protect your personal information when you're browsing online by encrypting your internet traffic.
These services are called VPNs.
With a VPN, the data you send and receive when connected to the internet is encrypted.
c) Types of encryption systems and advantages and disadvantages, risks in information systems:-
There are two types of encryption - symmetric and asymmetric key algorithms.
Symmetric key algorithms
The symmetric key algorithms are also known as public-key cryptography.
Symmetric key algorithms use the same key for both encrypting the plaintext and decrypting the ciphertext. With this type of encryption, the two parties that exchange information only need to share the key once and it will remain the same.
While symmetric key algorithms are easier to use because there is only one key, they are also less secure, because if someone manages to obtain the key, he'll be able to decrypt the information.
Asymmetric key algorithm
Unlike symmetric key algorithms, asymmetric key algorithms use two different keys - one for encrypting the plaintext and one for decrypting the ciphertext.
This type of encryption uses a private key and a public key. The private key is used to encrypt the message and it's not shared with the receiver, while the public key can be shared with anyone but only allows access to a limited piece of information.
When you send an encrypted email to your friend that used asymmetric encryption, you send the public key to your friend. He'll be required to authenticate to verify that the message is sent by the private key holder. If someone manages to obtain the public key, he will only be able to read the one email, but he won't be able to get access to the rest of the emails.
Using asymmetric encryption highly diminishes the chances of getting hacked, but its disadvantage is that it cannot be used for computing huge amounts of data because the algorithm is way more complex and the process of encrypting is much slower.
Risks:-
Specific internal security controls need to be identified for protecting this data and, most importantly, auditing must take place to attest for the efficacy of the controls. But in the context of cloud adoption, especially SaaS, as long as the vendor supports SSL, you’ve got “good enough” encryption. If you go deeper, you end up breaking down the reporting mechanisms which would enable the most important regulatory output: attestation.
Enterprise security postures must be regularly re-assessed – including any changes or deficiencies as a result of changing conditions; in the spirit of compliance controls, they’re intended to be guidelines that survive technological paradigm shifts. The security value of encrypting data at rest in the cloud is nominal when a user with sufficient access privileges has been compromised, which is increasingly the preferred attack vector. Modern compliance best practices should shift resources away from prevention and towards attestation.
d) Hashing, digital signatures and virtual private networks process in encryption:-
A more secure method is to store a password hash on a server. Hashing is a process where a value can be calculated from text using an algorithm. Hashes are better because they can’t be reverse engineered. You can generate a hash from a password, but you can’t generate a password from a hash.
Unfortunately, this doesn’t solve every problem. An attacker can still use the hash to brute force attack your password. If an attacker manages to steal a table of password hashes, then they can use a dictionary attack to figure out those passwords through a process of trial and error.
Once the attacker figures out what algorithm the passwords were hashed with, they can use a piece of software that will generate possible passwords using common words in the dictionary. The candidate passwords are hashed using the known algorithm and then compared to the password hashes in the table.
Besides making you anonymous online and protecting your personal information, you'll also get other perks by using our VPN such as:
Being able to access any content online even if it's usually restricted in your country (e.g. Netflix).
Downloading torrents anonymously.
Finding the best deals when shopping online.
Securing your connection on public WiFis.
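The password-hashing passage in part (d) above, as an added example that is not part of the original answer: it contrasts a fast unsalted hash, where one precomputed dictionary table matches every user who chose a listed word, with a salted, slow hash (PBKDF2-HMAC-SHA256) that removes that shortcut. The function names, the iteration count and the sample passwords are assumptions constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def unsalted_sha256(password: str) -> str:
    """Fast, unsalted hash: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, deliberately slow hash. Returns (salt, digest) to store per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def precomputed_hits(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Accounts whose unsalted hash appears in a single precomputed table."""
    table = {unsalted_sha256(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


if __name__ == "__main__":
    # Constructed sample accounts: two users share a weak password.
    weak_table = {
        "alice": unsalted_sha256("summer2024"),
        "bob": unsalted_sha256("summer2024"),
        "carol": unsalted_sha256("T7#qLp9!vX"),
    }
    # One table built once exposes both alice and bob.
    print(precomputed_hits(weak_table, ["password", "summer2024"]))

    # With a per-user salt the same password no longer produces the same digest.
    salt_a, digest_a = hash_password("summer2024")
    salt_b, digest_b = hash_password("summer2024")
    print(digest_a != digest_b, verify_password("summer2024", salt_a, digest_a))
```

Salting does not stop guessing against a single stolen hash; the slow key-derivation function is what raises the cost of each guess.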