Communications security: encryption becomes affordable.

Dec '99 Infrastructure

This article has been prepared to provide a framework for decision makers to assess their own needs. Many managers realise there is some need to secure electronic transmissions. However, because communications security is new to the commercial sector, there is uncertainty about the options available and how to proceed. After defining communications security, a procedure for the internal assessment of an organisation’s needs is provided. The various options for applying security are then discussed and the concept of encryption is introduced. This is followed by the cost justification of a proposal and a practical guide to product selection.

Communications security

Communications security can be defined as the protection of information during transmission from unauthorised or accidental modification, destruction and disclosure. If we accept that preventing unauthorised access to information transmissions is often not possible, the security of the information can only be maintained by disguising it. Modern communications require this to be achieved electronically, usually by some form of scrambling or encryption.

Internal assessment

In a recent business survey, the most commonly cited reasons for securing transmissions were the prevention of accidental security breaches, the prevention of purposeful breaches and meeting customer expectations.

Risk analysis is an exercise that will determine the security needs of an organisation. There are logical steps to follow in assessing the risks associated with transmitting unprotected information. Further information can be obtained from sources such as the insurance industry; however, the basic principles are as follows:

• Establish what is at risk.

• Identify sources of risk.

• Assess the likelihood of a breach.

Security levels – how much is enough?

Government agencies, the traditional users of communications security equipment, generally have three classifications for security levels; they are referred to by various names according to the country of origin. A lower level exists that does not have a formal classification; it is the category of alternatives to encryption and includes such items as digital voice (including GSM), scramblers, software security, passwords, confidential mailbox, codes, policies on use and others.

The highest security level is for specialised equipment usually used by the military. The equipment must conform to exacting requirements in addition to the strength of the encryption, and is unnecessary for most applications.

Generally, it should cost more for an unauthorised party to obtain information than what the information is worth. In a business situation the low level of security (this is still far higher than the ‘alternatives to encryption’ listed above) is sufficient for most commercial applications.

The medium level is only required for highly sensitive information that needs to be kept secure for a long period of time (remember, these levels were set by government agencies, and so ‘low’ and ‘medium’ are relative to the requirements of intelligence agencies).

“The greatest threat to communications security is a lack of awareness. A recent international survey indicated that although it is commonplace to transmit sensitive information, very few organisations apply security measures to their transmissions.”

Encryption

Encryption refers to the transformation of clear information, or plaintext, to coded information, or cyphertext. A key controls the algorithm used for the transformation. The process must be invertible so that a decryption algorithm can reverse the process using an appropriate key. The key must be kept secure so that unauthorised parties cannot complete the decryption process (key management).

Previously encryption has been expensive and complex, only available to a limited number of organisations – considered to be the preserve of governments, banks and intelligence operatives.

Encryption is now an affordable technology that can easily be incorporated into the business practices of the next millennium.

Encryption is generally regarded as the safest method of guarding against accidental or purposeful security breaches. The strength of an encryption method is often measured in terms of its work factor: the amount of effort required to ‘break’ the encryption. The greater the force that is applied (for example, the computational power), the less time is required to break the code.
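The work-factor reasoning above can be carried through numerically. The following is an added example, not part of the original article: it estimates how long an exhaustive key search takes for a given key length and finds the shortest key that outlasts a required confidentiality period. It goes beyond the text by letting the attacker's computing power grow over time; the trial rate of one billion keys per second and the 18-month doubling period are constructed assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def years_to_search(key_bits, keys_per_second):
    """Expected years of exhaustive key search at a fixed trial rate.

    On average the correct key turns up after half the keyspace is tried.
    """
    expected_trials = 2 ** (key_bits - 1)
    return expected_trials / keys_per_second / SECONDS_PER_YEAR


def years_until_broken(key_bits, keys_per_second, doubling_years):
    """Expected years to find the key when the trial rate doubles every
    `doubling_years` (the 'greater force' growing over time).

    Cumulative trials after T years at rate r0 * 2**(t/d) are
    r0 * d / ln2 * (2**(T/d) - 1); solve for T at half the keyspace.
    """
    r0 = keys_per_second * SECONDS_PER_YEAR      # trials per year today
    expected_trials = 2 ** (key_bits - 1)
    growth = expected_trials * math.log(2) / (r0 * doubling_years)
    return doubling_years * math.log2(1 + growth)


def min_key_bits(protect_years, keys_per_second, doubling_years):
    """Smallest key length whose work factor outlasts the period for
    which the information must stay confidential."""
    bits = 1
    while years_until_broken(bits, keys_per_second, doubling_years) < protect_years:
        bits += 1
    return bits


if __name__ == "__main__":
    # Constructed assumptions: 1e9 key trials per second today,
    # attacker capability doubling every 18 months.
    rate, doubling = 1e9, 1.5
    for bits in (40, 56, 64, 80, 128):
        print(f"{bits:3d}-bit key: {years_to_search(bits, rate):.3g} years fixed rate, "
              f"{years_until_broken(bits, rate, doubling):.3g} years with growth")
    for period in (1, 10, 30):
        print(f"protect for {period:2d} years -> at least "
              f"{min_key_bits(period, rate, doubling)} key bits")
```

The figures cover exhaustive key search only; a weakness in the algorithm or poor key management lowers the real work factor regardless of key length.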

Cost justification

To justify the purchase of an effective system for providing transmission security, business decision makers will probably be required to present the benefits of achieving security, favourably balanced against the costs.

The cost of encryption can be determined by adding the various costs of purchasing, installing and maintaining the system.

The benefits of security can be divided into quantifiable benefits and those that are more difficult to quantify. Often the quantifiable benefits will be sufficient to illustrate how payback can be achieved within the required period. The other benefits can be presented as additional justification.

Quantifiable benefits often centre on avoiding costs. These include the costs of alternative secure delivery methods, the cost of lawyer’s fees or court action and other direct financial losses.

The benefits that are more difficult to quantify are equally important. Consider the benefits in avoiding embarrassment, loss of public confidence and credibility, loss of competitive advantage and loss of business. Knowledge of the proposed acquisition could push up share prices to an extent where the acquisition is no longer viable.

Another major benefit worth highlighting is the capability of an encryption system to provide virtually instantaneous secure transfer of information. Time pressures and constraints can often tempt people to chance using an unsecured telephone network for confidential information.

External review

There are a large number of products that can be used to provide security for electronic transmissions. These can be arranged into a hierarchy according to the level of security they provide. In such a hierarchy, encryption products are the most secure option.

When evaluating encryption products it is useful to focus on the important specifications and features. In achieving the objectives of providing security the client will wish to instal equipment that all personnel will utilise; this means that user features such as ease of use and quality of voice reproduction are very important.

Product selection – Anyone who has attempted to assimilate the technical information provided for some encryption products would know that the features and specifications are often ambiguous, irrelevant or even misleading. The following section provides a down-to-earth insight into the features and specifications that really matter.

Where to begin? – A good starting point with encryptor selection is to decide what type of transmission you want to protect: voice, fax or data. A number of other decisions must then be made.

Inbuilt or standalone? – Similarly to answering machines, encryptors can be standalone or the encryption technology can be built into the telephone, fax machine or modem. Standalone encryptors will require special cables for connection to the telephone.

Public or private key? – Private (or symmetrical) key encryption (eg DES) uses the same key for encryption and decryption. This introduces a problem of having to share the key with other parties, making the system more vulnerable to compromise.

Public key (or asymmetrical) encryption (eg RSA) solves this problem by using separate keys for encryption and decryption, one private key and one public key. However, public key encryption is relatively inefficient and is not suitable for either encrypting large volumes or operating at high speeds.

Compatibility – Not all encryption devices are compatible with each other. Usually devices made by different manufacturers are not compatible, even if they use the same algorithm. It is important to decide what compatibilities are necessary before selecting a particular device by considering the needs of suppliers, customers and other branches of the organisation.

Ease of operation – In a business situation, ease of operation is vital. Unless technology products are easy to use, many people will avoid using them or will use them badly. This is a particular concern with security-related products. Ease of operation is indicated by the ability to easily change keys (even during a conversation), no requirement for synchronisation and the use of a concept simple enough to be grasped by all people likely to be involved.

Voice reproduction – Many voice encryptors, especially those which encrypt the data that the signal is carrying (compared to those that encrypt the actual signal), face the problem that ordinary scramblers face: the deeper (and more secure) the encryption (or scrambling), the poorer the quality of the received and decrypted signal. Signal encryptors (distinctly different from signal scramblers) offer better quality voice reconstruction for deeper encryption.

Set-up and installation – The configuration of some encryption systems must be done by an expert, yet other systems can be installed as easily as an answering machine.

Ongoing costs – As with other high technology systems, there is the possibility of substantial ongoing costs. For example, once the internal supply of keys has been exhausted, acquiring new keys can involve the purchase of a key generator.

Adding new users to a defined user group sharing compatible codes can involve a consultant. The costs involved with receiving product support and having the system maintained should also be considered; these costs need not be very high.

Conclusion

Encryption is generally regarded as the safest method of guarding against accidental or purposeful security breaches. Although encryption is not a well-known topic, there is a logical and effective series of steps that can be followed to determine the security needs for any organisation. Applying security measures to transmissions of information is a logical part of good business practice. The nature of the information (ie its value) and the time available for attempting to access the information will determine the strength of the encryption required to protect it.

The assessment of an organisation’s particular situation will help define what information is at risk of a security breach, the sources of the risk and how likely a breach is.

The costs of an encryption system must be balanced against the benefits it will provide. Encryption devices can provide economical, more secure and faster ways of moving information than alternative methods. There are many encryption products available and it is important to select wisely. Price and technical specifications are important; however, there are other aspects that are more important, such as compatibility and ease of operation.

For details contact Technical Surveillance Countermeasures (TSCM) Services on tel: (012) 664 3157, or fax: (012) 664 3180.

Notes: The article was submitted by Steve Whitehead (BA Pol) M.I.S. and Lorenzo Lombard NH Dip (Tech) (Elec) of TSCM Services. The article is based on material supplied by CES Communications for reproduction by their authorised distributors. TSCM Services is the authorised distributor in South Africa of the Signal Guard range of voice, fax and data encryptors.




