Nowadays cryptography is critical to all organizations. It is commonly used in passwords, SSL and smart cards. Cryptographic systems can provide the following services: 1) authentication, 2) non-repudiation, 3) confidentiality, 4) integrity. For user authentication a password should be used. A password selection policy must be applied: the password should contain at least 8 symbols and include characters, symbols and numbers, so that it is difficult to guess. It is more secure to use two-factor authentication than to rely entirely on password authentication. Non-repudiation tools are needed to prove that a particular user made a transaction (for example, queried a statement). Only appropriate users should have access to data. Integrity is also required, which means that tools should be provided to ensure that data is not altered, corrupted or viewed during storage and transmission.
User passwords should not be stored in plain text; they should be protected with a hash function. A hash function generates a fixed-length hash from the provided input. It is recommended to use the SHA-256 hash algorithm instead of the older, weaker MD5 and SHA-1 algorithms (OWASP, 2014).
The following steps are required for cryptographic system selection: define the data to be secured and its durability (the value of the protected data and the cost of securing it should be determined); decide the level of network security needed; evaluate existing security controls, including physical, logical and administrative ones; and determine how cryptographic keys will be managed: generated, distributed, stored and used.
The data to be secured is payment transaction data (if the customer uses online purchase options) and customers' financial data (statements, etc.). Information about the customers themselves should also be secured, because not all people want their personal data (email, phone numbers) to be available to everybody. The data should be secured during online transactions. It must also be possible to tune access settings, so that some information is available only to particular employees. Data about commodities does not need to be encrypted, as it is not secret.
It is better to apply end-to-end encryption instead of link encryption, as in that case the store's online operations will be more reliable and fast, because data transmission won't depend on particular links on the path. Also, decryption will occur only at the destination.
As there are a lot of users (5000), automatic private key distribution is required. Manual key distribution is inefficient in such a case. A session key should be used. This key is generated at the user's request and can be used for only one session. As the data is sensitive, it is better to use the most reliable RSA encryption algorithm (Wright, 2016).
It is also a good idea to use one-time passwords for payment operations. For example, an SMS can be sent with a code that the user must enter in order to complete the transaction.
For the purposes of non-repudiation it is recommended to use digital signatures. If a user wants to verify that he sent a message, he can use a digital signature. The signature procedure uses the user's private key, as only that particular user has his own private key. A hash function based on the private key is used to represent the message content. It is impossible to obtain the private key from the hash function, so it cannot be used by an attacker (Fig. 1).
Malware should also be handled on the servers where electronic services run. The following systems should be assessed when considering the risk of malware propagation: patch management systems, asset management systems, remote assistance software, anti-virus, systems assigned to system and network administrative personnel, centralized backup servers, and centralized file shares.
Proper monitoring should be configured. Failed logon attempts, file share access and interactive logons through remote sessions should be audited and reviewed. It is also necessary to review network flow data for unusual activity.
WLANs should be secure, as data can be accessed via an unsecured WLAN. It is recommended to change default administrative passwords, restrict access, encrypt data on the network, protect the SSID, install a firewall and maintain anti-virus software in order to minimize the risks of the wireless network.
References
Wright Marie, 2016. Selecting a Cryptographic System. Retrieved from: http://www.ittoday.info/AIMS/DSM/87-02-35.pdf
OWASP, 2014. Guide to Cryptography. Retrieved from: https://www.owasp.org/index.php/Guide_to_Cryptography
Olzak Tom, 2012. Chapter 7: The Role of Cryptography in Information Security. Retrieved from: http://resources.infosecinstitute.com/role-of-cryptography/