CT-Logo

Header - Impressionsbeitrag CT-Portal

Did you know?

That CrypTool was originally designed as an internal business application for information security training. CrypTool has since developed into an important open-source project in the field of cryptology. Over 50 volunteer developers worldwide contribute to the program.

CrypTool for Awareness

Email Print
IT security describes comprehensive activities which suport the operation of IT systems with security measures, to provide safeguard for the electronic data of companies as well as their clients and vendors. The aim is to protect information and processes as well as exclude IT related adverse effects of business activities as far as possible.

When we talk about awareness, or security awareness, we usually mean the consciousness for general concerns of information security. Hence, awareness is not only about cryptology, e.g. the encryption of confidential data, but also about a much broader topic. The following figure aims to illustrate this fact:

cryptology en1

The measures of IT security include (besides cryptology methods) e.g. security organisation, legal aspects, security monitoring, anti virus measures, patch management, disaster recovery, business continuity, security architectures and awareness for IT security. A good overview of these measures can be found at NIST or at the German information security agency (BSI).

Risk management extents the scope of IT security and also covers the socially desirable protection of critical infrastructures.

Risk management can be defined as the consciously management of risks. This can include general operational risks or specific financial risks. Companies, organisations and individuals must deal with all sorts of risks within living memory. The origin of a systematic risk management is based in the financial industry. Today several laws contribute and aim to provide financial control and transparency for corporations (e.g. Sarbanes-Oxley Act, or Basel II).

The total risk of a company can be divided into operational risks (e.g. breakdown or limitations of IT systems) or all sorts of financial risks (credit risks, liquidity risks, market risks, liability risks etc.).

Several approaches exist to identify, measure, monitor and control risks.

Risk management does not necessarily aim at complete risk prevention. Instead it tries to identify appropriate actions under a cost and benefit perspective (appropriate measures could also include the insurance of certain risks).

A basic understanding of cryptology is necessary to take appropriate measures and controls in order to achieve the objectives of IT security (authentication, confidentiality, integrity, non-repudiation) with an optimal cost-value ratio. The following figure illustrates how Cryptool can contribute to the understanding of security awareness in this context:

cryptology en2 

Standardisation and Management Visibility of Cryptology

Besides the previous classifications originated from a technical and risk management perspective, key areas of cryptology can be structured in the 5 components: algorithms, protocols, key management, organisational best practice and regulatory requirements. These main components are characterised by very different positions in terms of grade of standardisation, corporate/management visibility and scientific focus. 

cryptology en3

Algorithms

Algorithms and related mathematic functions are the foundation of cryptology. Algorithms such as AES, 3DES or RSA are highly standardised and are subject of cryptology and related mathematics research.

Protocols

Protocols use algorithms. They are used to protect data transfer between communication partners and are therefore the inevitable enabler of the commercial use of electronic communication. Typical security protocols include TLS, SSL or IPsec. These protocols are also highly standardised and are well known by many users because of their widespread implementation in intranet and internet communication.

Key Management

An important part of cryptology is the management of encryption and decryption keys, the so called key management. Because most algorithms and protocols are based on keys, key management and storage is essential. A number of standards exist in the area of key managements such as ISO, PKIX or XKMS.

Best Practice Implementation

A fundamental aspect, especially from a corporate perspective is the implementation of cryptology, both organisational and technically. Derived from risk management, appropriate mechanisms of IT security have to be implemented, which often results in the implementation of cryptology methods. In this context cryptology has to be often implemented in heterogeneous IT landscapes and to protect information processed with frequently changing technologies.

Regulatory Requirements

Regulatory requirements are set by the legislator and the corporations have to meet these requirements as they are required by law. With regards to the area of cryptology it is important to establish common standards in order to protect electronic data exchange. Additionally legal certainty, meaning the predictability of legal decisions is necessary to lawfully safeguard electronic communication secured by cryptology (e.g. digital signatures).

Web-Development and Design by imagine orange, powered by joomla