Secured Distributed-Access Protection System – A New Construct Engineered for Digital Security Paradigms
Solomon Sonya and Dr. Barry E. Mullins
Air Force Institute of Technology, Wright Patterson Air Force Base, Ohio, USA [email protected]
Abstract: Data theft, interception, and unintentional alteration are a significant concern regarding the protection of sensitive information. Current strategies to secure computer systems and protect sensitive data from unintended data disclosure have failed to provide an adequate solution against persistent and sophisticated threats. This paper presents a new construct called SeDAPS (Secured Distributed-Access Protection System) and a prototype system named Icos (Information Control System) created to control information dissemination, reduce unauthorized data disclosure, and audit all transaction requests granting access to protected resources. This research mitigates unauthorized data disclosure by developing a protection model and functional prototype that enhance Defense in Depth and Data Loss Prevention paradigms. The end result of this research delivers a robust access protection system applying measures to secure at-rest, in-motion, as well as introduce data-at-location to secure a resource and track its access based on resolved geo-location.
Keywords: Data Loss Prevention, Reference Monitor, Access Control, Data Disclosure 1. Introduction and Background
Computer systems are under a constant barrage of intrusion attacks by malicious actors across the Internet. Network administrators deploy multiple layers of security applications and services in a perimeter-style defense posture to detect and disrupt these potential attacks against selected computer systems. This approach is called Defense-in-Depth (DiD). To be effective, DiD relies heavily on dissemination of signatures to identify a subset of threats matching a predetermined attack profile before initiating approved response actions returning the compromised system(s) back to a secured configuration.
A critical flaw exists with the DiD paradigm in that the signature has become inseparably linked to the detection and response aspect required to provide security of the host system and computer network. Successfully bypassing signature recognition allows malicious programs to ultimately defeat the entire paradigm by evading detection and exploiting protected resources for extended periods of time. This is particularly harmful in the growing threats produced by unauthorized data interception, alteration, and exfiltration.
Signature-based detection applications do not identify all types of infections. In 2012, Symantec reported the existence of over 403 million unique malware variants (Symantec, 2012). On average, the lifespan of malware from initial system infection to detection by most popular antivirus vendors is between 43 and 173 days (Trustwave, 2012). The actual detection rate of newly released viruses is the most disconcerting fact about signature-based detection. It is reported that only 19% of most viruses are detected after initial system infection. The detection rate may rise to approximately 61% after a month of system infection (Cyveillance, 2010). These statistics emphasize a very sobering fact that relying on a failed defensive paradigm leaves data that is most valuable to the organization extremely vulnerable to attack.
Anomaly-based intrusion detection systems have been developed to complement signature-based detection. Anomaly-based detection relies on heuristics rather than signatures to classify activity as benign or potentially malicious on the computer system. In order to classify detected activity appropriately, the anomaly-based detection system must first undergo a training procedure to learn how to interpret deviations on the computer from a pre-established baseline. This deviation triggers an alert of potential malicious activity. Although beneficial, anomaly-based detection may suffer from a high false-positive rate due to overly sensitive heuristics and may still fail to detect a malicious event if the activity can be masked within the normal operating parameters of the computer system’s
baseline.
In addition to the use of malicious programs to exfiltrate sensitive documents from protected computer networks, the insider threat and cyber espionage remain a critical concern to organizations as well.
The need for greater security control and accountability is no more evident than what is occurring today in the news. It may be necessary at times to place stringent access control mechanisms on sensitive information, determine what files a person may have in their possession, and track the location of these files as they are transmitted across the Internet.
So long as computers are connected to the Internet and its users conduct arbitrary transactions on the computer systems, vulnerabilities, insider threats, and data exfiltration remain a huge concern with regard to protecting sensitive information from unauthorized data disclosure. More robust security concepts must be developed to prevent the exfiltration of data, track the location where this data resides, and restrict information flow to authorized parties.
An innovative approach is required to control information dissemination, reduce unauthorized data disclosure, track the location of critical information resources, and audit all transaction requests granting access to protected resources. This paper presents a new abstract model for next generation Data Loss Prevention (DLP) paradigms called the SeDAPS construct. The SeDAPS construct is an abstract model designed to provide data dissemination control and maintain document protection via the enforcement of explicit access control rules across every file specified by the user. Specifically, SeDAPS is designed to facilitate the following:
Couple data resident on a computer system to its data owners
Restrict access to certain computers specified by the data-owner (particularly useful when dealing with safety in cloud technology)
Ensure critical information remains protected in the event of complete system compromise via enforcement of symmetric and asymmetric encryption algorithms
Provide a mechanism for each protected document to supply alerts regarding its approximate geo-location, tracking data, and access policy violations
Identify potential data compromise attempts in real-time
Provide an initial damage assessment in the event of detected insider activity Provide an audit trail logging all actions in the system
1.1 Information Flow
In a protection system, although trust must exist at certain location(s) within the system, the amount of trust given to each principal must remain as reduced as possible and always verified when required. This is further understood by analyzing information flow within a system. Information flow occurs when data from one class, class A, (e.g., process, sub-system, user, transaction, etc) is permitted to flow into a separate class, class B, such that data from class A affects the operations or decision making functions of class B (Denning, 1976). This information flow can be an active (directed) process or may occur indirectly. It is possible to indirectly gain information from the system through an implicit information flow as well.
An implicit flow occurs when data flows from one class to another class without an explicit assignment operation but yet changes are observed such that information that was not explicitly released is gained from the system. This is similar to an assignment operation between arbitrary variables. Suppose variables A and B are of the same class and freely allow information to flow between each other. Variable C is of a different security class and is inherently prohibited from directly receiving information from variables A and B. Depending on the observed output of transactions between A and B, it may still be possible for C to determine a type of information exchange from A or B based on the observed or measured behavior changes within the system. For example, let variable A represent a controller process and variable B represent an execution process. Variable A has the ability to send two commands to variable B: turn the light on or turn the light off. Let variable C represent an
observer process that is not privy to the communication channel between variables A and B. At time t, variable C observes the light bulb has remained off. However at time t + ε, variable C observes the light bulb has just turned on. In this case, although information was not directly released to variable C, assuming all external factors remained constant, C can conclude at time t + ε, that process A sent an “on” command to process B and thus information between variable A and B has implicitly flowed to variable C.
1.2 Entropy
It is important to measure information flow to understand the degree of information that can be gained from each transaction in the system. Entropy calculations are used to measure the amount of
information flow between two separate classes. Entropy quantifies the level of uncertainty in a system and is assigned a real number between 0 and 1 inclusive with 0 representing no uncertainty to 1 representing a high degree of uncertainty (Bishop, 2002). Hence, if it is true that uncertainty is reduced from time x to time x+Δ, then detectable amounts of information flow has occurred and this must be avoided in an access protection system unless explicitly authorized by the respective data owners.
1.3 Access Constraints
Constraints indicate restrictions placed on how access to a resource may occur. Confidentiality constraints refer to restrictions placed on which subjects may access a resource. Integrity constraints verify the consistency of data, processes, and the subjects authorized to alter a resource. Temporal constraints apply time-based restrictions when access to a resource is permitted (Anderson, 2008). Geospatial constraints are a set of restrictions placed on the access of an object based on the derived geo-location of the subject or object. Using geospatial constraints, a data owner is able to control the locations at which access to a protected resource is permitted.
1.4 Reference Monitor
The reference monitor (RM) concept provides an abstract model for an access control system’s central policy enforcement mechanism by mediating all access requests to protected resources (Chin, Older, 2006), (Irvine, 1999). The RM concept is an abstract model used in the design, analysis, and implementation of secure automated systems and represents properties that must be fulfilled to enforce a set of access control policies (Irvine, 1999). All Reference Monitors must satisfy the following three properties (Chin, Older, 2006), (Irvine, 1999):
i. Completeness: every access request must invoke the access mediation mechanism such that no process is able to bypass the RM;
ii. Isolation: the RM is tamperproof. The RM must be protected such that it is impossible for a malicious action to alter the mediation process and disable the enforcement mechanisms; iii. Verifiability: the RM must be examined and validated to ensure correct functionality enforces
the appropriate policies such that completeness of implementation is assured.
Since its inception in 1972, the RM has remained an effective model for secure systems in modern development environments (Irvine, 1999). A system that correctly satisfies the properties of the RM will correctly enforce policies contained in an access control system (Jaeger, 2011). Figure 1
provides an access control abstraction detailing how the RM fits into the access control system (Chin, Older, 2006):
As shown in Figure 1, principals represent subjects that submit requests to access or modify an object (also referred to as a resource). The RM is the mediation mechanism whose sole function is to make a decision whether an access right (or privilege) is to be granted to a requesting principal over a protected object. Several attributes regarding the object, the subject, and resource access policy contribute to the decision by the RM to allow or deny a request. The audit log is used to store all access requests and decisions by the RM (Chin, Older, 2006).
Identification, authentication, authorization, and audit logging are central components to the RM. Identification and authentication enable the binding of a principal’s identity to a valid system and existing resource (Irvine, 1999). Authorization permits requested actions based on access policy. Audit provides accountability for the system and all transactions that occur in the reference validation mechanism. Adhering to principles of the RM will allow a reference validation system to properly enforce access control policy over user process operations (Jaeger, 2011).
2. Problem Definition
Unintended information flow and data leakage occur when inadequate protection mechanisms exist to authenticate access requests, restrict data flow only to authorized individuals, track the location of critical files for theft, and alert on access policy violations. The purpose of this research is to develop a holistic approach that enhances data loss prevention paradigms and mitigates unauthorized data disclosure via the creation of a robust access protection system applying measures to secure data-at-rest, data-in-motion, and data-at-location to secure a resource and track its access based on
approximate geo-location. This is accomplished by exploring confidentiality, integrity, authentication, non-repudiation, and authorization mechanisms to present the SeDAPS (Secured Distributed-Access Protection System) construct designed to successfully control information dissemination, reduce unauthorized data disclosure, and audit all transaction requests granting access to protected resources.
3. Research Goals
The strategic goal of this research is to control information flow by designing an abstract model and prototype to prevent data exfiltration via the enforcement of explicit document access, disclosure, and dissemination policies specified by the data owners. This access control mechanism is created such that only approved parties are authorized access to a protected resource. The tactical goal of this research is to create and examine a particular access protection construct called Secured Distributed-Access Protection System (SeDAPS) to secure data, track resource access requests, characterize performance, and determine the validity of the model developed in the research.
4. System Construction and Design
The construction of SeDAPS entails the creation of several systems identified in the RM concept to provide specific capabilities for the system. SeDAPS relies heavily on encryption, digital signatures, and message digests to communicate with all agents in the system and secure the contents of data specified by the data owners. Properties from Information Assurance are employed in order to provide confidentiality, integrity, authentication, non-repudiation, and authorization to securely exchange information with verified parties and protect access to sensitive resources.
Confidentiality is provided using both symmetric and asymmetric encryption algorithms to restrict information flow between authorized principals. Integrity is provided using message digests of data to validate instructions, encryption keys, executable binaries, and ensure files exchanged with SeDAPS have remained unaltered from unintended data manipulation. Authentication and non-repudiation are provided using digital signatures to prove principals truly are who they say and verify received
messages were submitted by authenticated principals. Authorization is provided using access control lists (ACL) to specify which principals have access to protected resources and the conditions under which access is permitted.
5. System Boundaries
Developing a distributed access protection system to accomplish the goals of securing information, preventing data exfiltration, and tracking the location of resource access requests first requires the
creation of several components to distribute the workload and accomplish the required functions of each mechanism.
Figure 2 represents the complete abstract model indicating each component required to create the SeDAPS construct:
Figure 2: SeDAPS Abstract Model
The principal is represented by a host agent installed on each end-system used to supply requests into the system on behalf of the user. The guardian is a gateway system that provides a layer of protection for the RM and normalizes requests entering the system. The address retrieval mechanism is used for scalability to return routing information for a requesting principal to reach additional
SeDAPS instances. The access policy mechanism is composed of four components used to analyze access requests. The authentication monitor validates the identities of principals accessing the system. The authorization monitor is populated with access control rules stating which principals are authorized to access protected resources. The integrity monitor is a separate system that stores message digests of protected objects. The job of the integrity monitor is to validate the agent executable binary used to communicate with SeDAPS and the protected resources have remained unaltered from malicious alteration. The tracking monitor is a retrieval system that handles the subroutines to resolve the geo-location of a principal and also validates if requests originate from an approved location depending on policy instituted by the data owner.
The feedback mechanism is comprised of three components: an alert, notification, and diagnostic monitor. The alert monitor aggregates access policy violations, correlates intrusion attempts, and supplies this data to incident responders for further investigation. The notification monitor handles the routing of access requests to the data owner in the event different principals previously omitted from a resource access control list (ACL) may receive permissions to access a resource. The auditing system provides a system log of all transactions in the system. Finally, the reference monitor, placed at the center of the system, receives input from each component in order to authorize access to a protected resource and release the decision back to requesting principals.
The abstract model in Figure 2 details the mechanisms and components required for this distributed system to secure data resources identified by data owners. Figure 3 provides an execution flow of how a request enters the system and how the various components are involved in the transaction to finally release a response back to the requesting principal.
Figure 3: Execution Flow Overview
Each request must first pass through the guardian to verify the connection is not prohibited by the system. An allowed connection is next analyzed by the authentication monitor to ensure the principal is recognized by the system. After this phase, the authorization, integrity, and tracking monitors ensure the request is authorized per the access policy created for each resource. Next, the RM determines if the request is approved and invokes the appropriate services to handle each action. Throughout the process, feedback is provided to the diagnostic, audit, alert, and notification monitors to indicate the states of each transaction.
Shown in Figure 4, the System Under Test (SUT), named “Icos,” short for Information Control System, is an instantiation of the SeDAPS abstract model providing a functional prototype based on the SeDAPS construct to achieve data security in a distributed system. The Component Under Test (CUT) consists of the reference monitor within Icos named Gandalf.
Figure 4: System Under Test: “Icos” – SeDAPS Prototype
Figure 2 represents the complete abstract model detailing the components required to achieve security in the protection construct. Icos is the actual working prototype of the SeDAPS abstract model and highlights the connectivity of each component in the system. The SUT consists of the components shown in Figure 4 and are described as follows from left to right in the figure:
Galadriel represents the root address retrieval server for scalability that stores a reference of all document identifiers protected in the system. Galadriel routes HDPA (Host Data
Protection Agents) to the appropriate SeDAPS instance to receive data regarding a particular resource.
HDPA “Host Data Protection Agents” represent the principals from the abstract model that supply resource access requests into the system. HDPA gathers the unique attributes about the file, owner, and host system and provides this data with the access request to encrypt or decrypt a file.
Sam “Security Agent Module” represents the data guardian to validate requests and information flow exchanged between HDPA and the reference monitor (named Gandalf). Gandalf represents the reference monitor that communicates with all backend systems within
SeDAPS to decide if resource access is granted or denied to the requesting HDPA. Legolas is a database management system that represents both the authorization and
integrity monitors in SeDAPS to allow the exchange of information to a requesting HDPA and verifies files have remained unaltered. Access policy regarding file restrictions and
encryption/decryption keys are managed by this component.
Cera “Certificate Authority and Retrieval Agent” represents the authentication monitor that handles the retrieval of HDPA certificates used to authenticate each principal communicating with Icos.
Gaius represents the IP geospatial tracking monitor to provide the approximate location of each principal and requested resource files.
Safe represents the archive system providing file storage and retrieval capabilities.
Reana “Resource-Access Notification Agent” represents the notification monitor to provide access requests to the data owner of new principal who wish to be added to the file access list.
Aggregos represents the alert monitor providing an interface between SeDAPS and the incident responders to indicate access policy violations detected by the system.
Watson represents both the diagnostic monitor and auditing system to store data regarding the internal system components of SeDAPS and transactions authorized by the reference monitor.
6. Approach
Effective data protection must no longer apply redundant “bolted-on” layers of security tools around a flawed methodology in an attempt to provide security for the system. Instead, the research
hypothesis herein tests the appropriate configuration to secure data from unauthorized access within an already contested cyber operating environment. The approach to achieve this is three-fold. First, identification and protection of critical resources are incumbent on the data owner such that data owners must first identify each file requiring protection. Not all files are important on the computer system. However, files regarded as more sensitive should have an appropriate protection placed around the document such that its contents remain secure. This research delivers the methodology of a system used to secure said documents. Even so, the onus is still upon the data owner to identify these critical resources and use the system (i.e., Icos) to secure each document.
Second, an abstract model is designed to provide an appropriate configuration for a scalable
distributed access protection system that provides a greater level of security for sensitive files on the computer system. The SeDAPS abstract model applies authentication, authorization, integrity, and resource tracking measures to prevent information exchange to unverified parties. The design of this model incorporates the following data-centric protections:
Uniquely identify and join artifacts of a principal to a resource i.e., create a digital fingerprint to bind data to the data owner and host system(s),
Appropriately distribute resource access tokens to requesting principals if action is explicitly authorized and denied otherwise,
Provide data tracking capabilities to determine resource access time, location access may have occurred, and track where a resource transits over time,
Provide appropriate alert and notification messages based on policy violations and specified actions defined by the data owner, and
Provide auditing capabilities to log the results of each transaction in the system.
Third, a functional prototype called Icos (Information Control System) is instantiated from the SeDAPS abstract model to validate the data protection concept defined in this research paper by applying appropriate measure to secure existing files on the computer system. Icos proves this configuration is a viable solution to protect sensitive files in operational environments.
7. Assumptions
It is necessary to state the assumptions made in this research. The following assumptions bind the solution to the problem statement:
i. Both symmetric and asymmetric encryption algorithms remain valid and secure such that it is infeasible to conduct brute-force attacks that can derive keys used to decrypt an encrypted communication channel by an unverified entity.
ii. Private keys used to encrypt/decrypt a message remain secure from interception and theft such that the private key assigned to an entity remains known only to the entity receiving the key and no one else.
iii. Message digests remain one-way (preimage resistant) such that it is infeasible to calculate the original input from a hashed digest output. Furthermore, the message digests remain collision-free such that two non-equivalent messages do not produce the same digest. (Trappe, Washington, 2002).
iv. Memory analysis is not performed to harvest information exchanged with the system. A common weak point in computer security is the protection of data-in-memory. Thus, it is
assumed that analysis of data while resident in volatile computer memory (RAM) does not occur on any system corresponding with Icos.
v. To minimize the possibility of data leakage, information is discarded after use and not saved to a separate data stores on the end-systems.
8. Project Scope and Applicability:
The true contribution of this research lies in the design and configuration of the abstract model to secure sensitive data. The ultimate development objective is for the model to be integrated into an operating system such that user-land processes (i.e., all processes outside of the system kernel) are limited in the amount of interference and possible data contamination they can introduce into the protection system. SeDAPS is envisioned to not only protect arbitrary files on the host system, but also to provide security mechanisms to transparently authorize access between separate computer systems as well. For the purposes of this research however, SeDAPS is scoped to demonstrate the appropriate protection means applied to file types most commonly involved in data exfiltration attacks e.g., Microsoft Word, Excel, and PowerPoint, Adobe PDF and text files, and SQL database dumps (Kaspersky, 2004), [Faw10], (Hussey, 2011).
9. System Services and Expected Outcomes
The SUT receives various service requests from principals, delegates the requests to the appropriate component to handle each function, and provides a response back to the requesting principals. A success outcome is achieved when the reference monitor permits the action, invokes the appropriate handling routines to release information based on the service request, and the principal is able to act upon the data received from the reference monitor. Failure outcomes occur when a data request sent from a principal is incomplete, invalid, corrupted, or unusable such that a denial response is returned to the principal. The services provided by Icos are as follows:
Release of file encryption/decryption keys from the RM to authorized principals. This allows the proper encryption/decryption of files when the user initiates an appropriate security action. Authentication validations by the RM identifying and providing attributes regarding legitimate
users of the system.
Authorization validations by the RM to determine if a principal possesses adequate privileges to access a resource.
Resource integrity validation by the RM to successfully validate a resource has remained unaltered while at rest or during transit from point of origin to destination computer. Provide damage assessment estimates based on logged file access attempts. Icos is
designed to track all files accessed as well as all transactions releasing keys to decrypt a file between various principals. Correlating this data together with each principal and the time each file was referenced, a damage assessment picture will be provided in the event of a detected insider to approximate the number of files and information that may be in the possession of the suspected insider. This will enable investigators to understand the type of data that may have been stolen from the organization and begin remediation efforts
immediately.
Geo-location tracking to resolve the physical location of each principal and verify file access occurs within expected parameters specified by the data owners (if applicable).
Protected file storage and retrieval to exchange encrypted files on the data store in Icos with authorized principals.
Sending of resource access notification messages to the appropriate data owners in the event a principal, previously omitted from a resource ACL, contacts the reference monitor to request permission to access a file. Respective ACL are updated based on the data owner’s decision to grant a new principal access to a protected resource.
Correlation of access policy violation messages and alerts by the alert monitoring system to provide feedback events increasing the situational awareness of the incident responders. Auditing services to maintain a log of all transactions that occur in the system and a
correlation of events between principals to understand which files are being actively accessed by which groups of individuals. This correlation will become crucial in providing an initial damage assessment and detecting unintended data leakage mentioned previously in this research paper.
10. Conclusion and Future Work
Data exfiltration, interception, and unauthorized alteration pose a significant threat to computer systems. This paper introduces a new construct called SeDAPS (Secured Distributed-Access Protection System) and a functional prototype system named Icos (Information Control System) designed to secure sensitive files and reduce the risk of unintended information disclosure. The goals of this research include the design of the SeDAPS construct and the layout of Icos instantiated from the SeDAPS abstract model used to secure computer files, track file access requests, and audit transactions in the system to identify possible data leakage attempts and assess potential data compromises from malicious actors. In short, SeDAPS is developed to provide a greater layer of security over data-at-rest, data-in-motion, and data-at-location.
The system under test (SUT) is discussed in detail that is comprised of various agents including principals, access policy mechanisms, feedback monitors, a data guardian, an address retrieval agent, an auditing and archive system, and a reference monitor to analyze all requests and validate parties authorized to access sensitive data.
As the SUT is a new configuration created to provide several data protection services, questions arise regarding the validity of this research. How effective is the SeDAPS configuration at identifying and preventing data disclosure? How well does SeDAPS scale to enterprise networks? What are the thresholds and limitations of this system? How transparent is the encryption/decryption process to minimize overhead on the users and data owners? Are there further components and issues to take into consideration when providing additional security measures over documents?
To answer these questions, rigorous testing, experimentation, and operational evaluations are required to be performed on this system. The results of this analysis and experimentation will help to either validate the system or highlight areas requiring further study.
References
Anderson R. (2008) Multilevel Security. Security Engineering: A Guide to Building Dependable Distributed Systems, Second Edition, Boston: Wiley.
Bishop, M. (2002) Computer Security: Art and Science, Boston: Addison-Wesley.
Chin, S. and Older, S. (2006) A Rigorous Approach to Teaching Access Control, Annual Conference on Education in Information Security (ACEIS), [Online], Available:
http://www.lcs.syr.edu/faculty/chin/papers/aceis06.pdf.
Cyveillance, (2010) Malware Attacks Often Not Detected, [Online], Available: http://www.bizjournals.com/washington/stories/2010/08/02/daily51.html.
Denning, D. (1976), A Lattice Model of Secure Information Flow, Communications of the ACM, Volume 19 Issue 5, pp 236-243, [Online], Available: http://dl.acm.org/citation.cfm?id=360056. Fawcett, T. (2010), Exfild: A Tool For The Detection of Data Exfiltration Using Entropy and Encryption
Characteristics of Network Traffic, [Online], Available:
http://udspace.udel.edu/bitstream/handle/19716/5838/Tyrell_Fawcett_thesis.pdf?sequence=1 Hussey, B. (2011), Decoding Data Exfiltration – Reversing XOR Encryption, [Online], Available:
http://crucialsecurityblog.harris.com/2011/07/06/decoding-data-exfiltration-%E2%80%93-reversing-xor-encryption/.
Irvine, C. (1999) The Reference Monitor Concept as a Unifying Principle in Computer Security Education, In Proceedings of the IFIP TC11 WG 11.8 First World Conference on Information Security Education, pp. 27-37, Kista, Sweden.
Jaeger, T. (2011), Reference Monitor, In Encyclopedia of Cryptography and Security (2nd Ed.) pp. 1038-1040, [Online], Available:
http://ix.cs.uoregon.edu/~butler/teaching/10F/cis607/papers/jaeger-refmon.pdf. Kasperky Lab. (2004), NetFile-801.exe, [Online], Available:
http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf. Symantec, (2012) Annual Symantec Internet Security Threat Report, [Online], Available:
http://www.symantec.com/about/news/release/article.jsp?prid=20120429_01.
Trappe, W and Washington, L. (2002). Introduction To Cryptography with Coding Theory. Prentice Hall.
Trustwave, (2012), Global Security Report, [Online], Available:
