I believe it was TLS 2.1 with [AES] GCM (Galois Counter Mode) that was the most difficult concept, because of the multilayers of encryption.
On the one hand, the block cipher (ciphertext?) is converted into a stream cipher (ciphertext?). It's beyond the scope of this course (and my math aptitude), but can the encryption algorithm convert the less-secure stream cipher into the more-secure block cipher instead? On the other hand, Counter Mode combines block ciphertext and plaintext to best enhance encryption. Can the encryption algorithm combine the ciphertext with a stream ciphertext instead?
An excerpt from the prompt "Your Learning Journey" (coursera.org)
Jubalyn ExWilliams lives in Pennsylvania (United States). You can find her writings and commentaries, including "Making sense of the encryption algorithm in cybersecurity," at landturn.com/blog.
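An added example, not part of the original post or the course material: the Go program below shows how counter mode inside AES-GCM uses the block cipher only to produce a keystream that is XORed with the plaintext, and how the GCM tag rejects a modified ciphertext. The key, nonce, message and the helper names `manualCTR` and `demo` are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

var (
	key   = []byte("0123456789abcdef") // constructed 16-byte key (AES-128); real keys come from a CSPRNG
	nonce = []byte("nonce-000001")     // constructed 12-byte nonce; never reuse one under the same key
	msg   = []byte("constructed plaintext, longer than two AES blocks")
)

// manualCTR rebuilds GCM's ciphertext body by hand: AES encrypts the counter blocks
// nonce||2, nonce||3, ... and that keystream is XORed with the data, byte by byte.
func manualCTR(block cipher.Block, nonce, data []byte) []byte {
	out := make([]byte, len(data))
	ctr, ks := make([]byte, 16), make([]byte, 16)
	copy(ctr, nonce)
	for i := 0; i < len(data); i += 16 {
		binary.BigEndian.PutUint32(ctr[12:], uint32(i/16)+2) // counter 1 is kept for the tag
		block.Encrypt(ks, ctr)
		for j := i; j < len(data) && j < i+16; j++ {
			out[j] = data[j] ^ ks[j-i]
		}
	}
	return out
}

// demo reports whether the hand-built keystream XOR equals GCM's output, and whether a flipped bit is rejected.
func demo() (bool, bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, false, err
	}
	sealed := aead.Seal(nil, nonce, msg, nil) // ciphertext body || 16-byte tag
	same := bytes.Equal(sealed[:len(msg)], manualCTR(block, nonce, msg))
	sealed[0] ^= 1 // simulate tampering in transit
	_, openErr := aead.Open(nil, nonce, sealed, nil)
	return same, openErr != nil, nil
}
func main() { fmt.Println(demo()) }
```

The block cipher never processes the plaintext itself and is never run in its decrypt direction; decryption is the same XOR with the same keystream, which is why a repeated nonce under one key is the failure to guard against.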
Note: This assignment wasn’t graded for accuracy, so some of the technical details might not be accurate. Scenario prompt not included.
The company’s external website will require HTTP over TLS to create the most secure system over which paying customers can initiate transactions. If not as a best practice, then possibly by law, the company may need to implement PCI DSS for its payment system. Network-based firewall configurations must whitelist traffic for the customer payment data and payment vendor services necessary to initiate, process, and finalize transactions.
A NIDS machine must be connected to the company switch and port mirroring must be enabled. The system can issue an alert if the network, for example, suspects a threat between:
If so, a corresponding NIPS will terminate transmission of those sensitive data packets, which may contain stored customer data and more.
Aside from customers, team members may authenticate against a RADIUS server for access to the company’s intranet. For secure-yet-remote access, engineering employees can connect to the same intranet via a VPN authenticated against the same RADIUS server. If using a reverse proxy, they may authenticate, in part, with TLS client certificates. For purposes of network monitoring and auditing, a VLAN can be applied to both tunneled traffic (engineering team) and non-tunneled traffic (all other team members). Whether for roaming users (engineers) or mobile users (all other employees), the wireless connection should implement 802.1X with EAP-TLS for the strongest level of encryption, given that the requisite RADIUS server is deployed.
For access to the intranet by devices, network-based firewall configurations can authorize whitelisting of employee laptops and other machines via MAC address. In addition to approved devices, network-based firewalls must whitelist only those services that team members use actively. To minimize the company network’s attack surface, it’s important that services or applications not in active use be disabled.
Employee laptops must enable an automatic screen-locking mechanism to prevent unlogged access to the hardware. Each laptop must have FDE to prevent data theft or tampering if the device is lost, stolen, or decommissioned. Further, key escrow is recommended for data recovery of the hard drive if the FDE encryption key or password is forgotten. It’s assumed that all employee laptops have host-based firewalls by way of their operating system.
Jubalyn ExWilliams lives in Pennsylvania (United States). You can find her writings and commentaries, including "Cybersecurity: final project," at landturn.com/blog.