Cybersecurity - A World of Experts and Criminals

What is a DDoS Attack?

First, we must define the meaning of a DDoS attack. DDoS attacks are a main concern
in internet security, and many people misunderstand what exactly they are.

A Distributed Denial of Service (DDoS) attack is a malicious attempt to upset

typical internet traffic of a targeted server by overwhelming it with traffic from
multiple sources. DDoS attacks target a plethora of important resources, from banks
to news websites, and present a major challenge to making sure Internet users can
publish and access important information. A DDoS attack is similar to a traffic jam
on a highway, preventing typical traffic flow.

How does a DDoS attack work?

A DDoS attack requires the attacker to gain control of a network of online
machines. Computers are infected with malware, turning them into a bot. Then, the
attacker has control over the group of bots, now called a botnet.

Once a botnet is established, the attacker will send instructions to each bot from
a remote control. Once the IP address is targeted, each bot will respond by sending
requests to the target, causing the server to overflow, which will result in a DDoS
attack.

How can you combat DDoS attacks?

If you are facing an isolated low- to mid-size Distributed Denial of Service (DDoS)
attack, you can explore these logs and find the information you need to protect
yourself from these attacks. However, with larger attacks, manual lookups are time
consuming and ineffective. That�s why there need to be other plans in place to
fight cyber-attacks.

However, if you are not experiencing a DDoS attack, and you just want to learn
about top digital attack information from cybersecurity incidents around the world,
where would you look? You can try internet service provider (ISP)�s stats or check
out anti-DDOS providers, or you can see what�s happening right now by looking at
digital attack maps.

To see how cybersecurity works globally, you can observe cyber-attacks and how
malicious packets interact between countries. We are going to share with you the
top cyber-attack maps that you can watch in order to visualize digital threat
incidents.

Many of the world's original hackers were computer hobbyists, programmers and
students during the 60's. Originally, the term hacker described individuals with
advanced programming skills. Hackers used these programming skills to test the
limits and capabilities of early systems. These early hackers were also involved in
the development of early computer games. Many of these games included wizards and
wizardry.

As the hacking culture evolved, it incorporated the lexicon of these games into the
culture itself. Even the outside world began to project the image of powerful
wizards upon this misunderstood hacking culture. Books such as Where Wizards Stay
up Late: The Origins of The Internet published in 1996 added to the mystique of the
hacking culture. The image and lexicon stuck. Many hacking groups today embrace
this imagery. One of the most infamous hacker groups goes by the name Legion of
Doom. It is important to understand the cyber culture in order to understand the
criminals of the cyber world and their motivations.

Sun Tzu was a Chinese philosopher and warrior in the sixth century BC. Sun Tzu
wrote the book titled, The Art of War, which is a classic work about the strategies
available to defeat the enemy. His book has given guidance to tacticians throughout
the ages. One of Sun Tzu's guiding principles was to know your opponent. While he
was specifically referring to war, much of his advice translates to other aspects
of life, including the challenges of cybersecurity. This chapter begins by
explaining the structure of the cybersecurity world and the reason it continues to
grow.

This chapter discusses the role of cyber criminals and their motivations. Finally,
the chapter explains how to become a cybersecurity specialist. These cybersecurity
specialists help defeat the cyber criminals that threaten the cyber world.

Overview of the Cybersecurity Domains

There are many data groups that make up the different domains of the "cyber world".
When groups are able to collect and utilize massive amounts of data, they begin to
amass power and influence. This data can be in the form of numbers, pictures,
video, audio, or any type of data that can be digitized. These groups could become
so powerful that they operate as though they are separate powers, creating separate
cybersecurity domains.

Companies such as Google, Facebook, and LinkedIn, could be considered to be data

domains in our cyber world. Extending the analogy further, the people who work at
these digital companies could be considered cybersecurity experts.

The word `domain' has many meanings. Wherever there is control, authority, or
protection, you might consider that 'area' to be a domain. Think of how a wild
animal will protect its own declared domain. In this course, consider a domain to
be an area to be protected. It may be limited by a logical or physical boundary.
This will depend on the size of the system involved. In many respects,
cybersecurity experts have to protect their domains according the laws of their own
country.

Examples of Cybersecurity Domains

The experts at Google created one of the first and most powerful domains within the
broader cyber world of the Internet. Billions of people use Google to search the
web every day. Google has arguably created the world�s largest data collection
infrastructure. Google developed Android, the operating system installed on over
80% of all mobile devices connected to the Internet. Each device requires users to
create Google accounts that can save bookmarks and account information, store
search results, and even locate the device. Click here to see some of the many
services Google currently offers.

Facebook is another powerful domain within the broader Internet. The experts at
Facebook recognized that people create personal accounts every day to communicate
with family and friends. In doing so, you are volunteering a great deal of personal
data. These Facebook experts built a massive data domain to enable people to
connect in ways that were unimaginable in the past. Facebook affects millions of
lives on a daily basis and empowers companies and organizations to communicate with
people in a more personal and focused manner.

LinkedIn is yet another data domain on the Internet. The experts at LinkedIn
recognized that their members would share information in the pursuit of building a
professional network. LinkedIn users upload this information to create online
profiles and connect with other members. LinkedIn connects employees with employers
and companies to other companies worldwide. There are broad similarities between
LinkedIn and Facebook.

A look inside these domains reveals how they are constructed. At a fundamental
level, these domains are strong because of the ability to collect user data
contributed by the users themselves. This data often includes users� backgrounds,
discussions, likes, locations, travels, interests, friends and family members,
professions, hobbies, and work and personal schedules. Experts create great value
for organizations interested in using this data to better understand and
communicate with their customers and employees.

The Growth of the Cyber Domains

The data collected within the Internet is considerably more than just the data that
the users contribute voluntarily. Cyber domains continue to grow as science and
technology evolve, enabling the experts and their employers (Google, Facebook,
LinkedIn, etc.) to collect many other forms of data. Cyber experts now have the
technology to track worldwide weather trends, monitor the oceans, as well as the
movement and behavior of people, animals and objects in real time.

New technologies, such as Geospatial Information Systems (GIS) and the Internet of
Things (IoT), have emerged. These new technologies can track the health of trees in
a neighborhood. They can provide up-to-date locations of vehicles, devices,
individuals and materials. This type of information can save energy, improve
efficiencies, and reduce safety risks. Each of these technologies will also result
in exponentially expanding the amount of data collected, analyzed and used to
understand the world. The data collected by GIS and IoE poses a tremendous
challenge for cybersecurity professionals in the future. The type of data generated
by these devices has the potential to enable cyber criminals to gain access to very
intimate aspects of daily life.

Who Are the Cyber Criminals?

In the early years of the cybersecurity world, the typical cyber criminals were
teenagers or hobbyists operating from a home PC, with attacks mostly limited to
pranks and vandalism. Today, the world of the cyber criminals has become more
dangerous. Attackers are individuals or groups who attempt to exploit
vulnerabilities for personal or financial gain. Cyber criminals are interested in
everything from credit cards to product designs, and anything with value.

Amateurs

Amateurs, or script kiddies, have little or no skill, often using existing tools or
instructions found on the Internet to launch attacks. Some are just curious, while
others try to demonstrate their skills and cause harm. They may be using basic
tools, but the results can still be devastating.

Hackers

This group of criminals breaks into computers or networks to gain access for
various reasons. The intent of the break-in determines the classification of these
attackers as white, gray, or black hats. White hat attackers break into networks or
computer systems to discover weaknesses in order to improve the security of these
systems. The owners of the system give permission to perform the break-in, and they
receive the results of the test. On the other hand, black hat attackers take
advantage of any vulnerability for illegal personal, financial or political gain.
Gray hat attackers are somewhere between white and black hat attackers. The gray
hat attackers may find a vulnerability and report it to the owners of the system if
that action coincides with their agenda. Some gray hat hackers publish the facts
about the vulnerability on the Internet, so that other attackers can exploit it.

Organized Hackers

These criminals include organizations of cyber criminals, hacktivists, terrorists,

and state-sponsored hackers. Cyber criminals are usually groups of professional
criminals focused on control, power, and wealth. The criminals are highly
sophisticated and organized, and may even provide cybercrime as a service.
Hacktivists make political statements to create awareness to issues that are
important to them. Hacktivists publically publish embarrassing information about
their victims. State-sponsored attackers gather intelligence or commit sabotage on
behalf of their government. These attackers are usually highly trained and well-
funded. Their attacks focus on specific goals that are beneficial to their
government. Some state-sponsored attackers are even members of their nations� armed
forces.

Cyber Criminal Motives

Cyber criminal profiles and motives have changed over the years. Hacking started in
the �60s with phone freaking (or phreaking) which refers to using various audio
frequencies to manipulate phone systems. In the mid-�80s, criminals used computer
dial-up modems to connect computers to networks and used password-cracking programs
to gain access to data. Nowadays, criminals are going beyond just stealing
information. Criminals can now use malware and viruses as high tech weapons.
However, the greatest motivation for most cyber criminals is financial. Cybercrime
has become more lucrative than the illegal drug trade.

General hacker profiles and motives have changed quite a bit.

Why Become a Cybersecurity Specialist?

The demand for cybersecurity specialists has grown more than the demand for other
IT jobs. All of the technology that transforms the kingdom and improves people�s
way of life also makes it more vulnerable to attacks. Technology alone cannot
prevent, detect, respond and recover from cybersecurity incidents. Consider the
following:

The skill level required for an effective cybersecurity specialist and the shortage
of qualified cybersecurity professionals translates to higher earning potential.
Information technology is constantly changing. This is also true for cybersecurity.
The highly dynamic nature of the cybersecurity field can be challenging and
fascinating.
A cybersecurity specialist�s career is also highly portable. Jobs exist in almost
every geographic location.
Cybersecurity specialists provide a necessary service to their organizations,
countries, and societies, very much like law enforcement or emergency responders.
Becoming a cybersecurity specialist is a rewarding career opportunity.

Thwarting Cyber Criminals

Thwarting the cyber criminals is a difficult task and there is no such thing as a
�silver bullet.� However, company, government and international organizations have
begun to take coordinated actions to limit or fend off cyber criminals. The
coordinated actions include:

Creating comprehensive databases of known system vulnerabilities and attack

signatures (a unique arrangement of information used to identify an attacker�s
attempt to exploit a known vulnerability). Organizations share these databases
worldwide to help prepare for and fend off many common attacks.
Establishing early warning sensors and alert networks. Due to cost and the
impossibility of monitoring every network, organizations monitor high-value targets
or create imposters that look like high-value targets. Because these high-value
targets are more likely to experience attacks, they warn others of potential
attacks.
Sharing cyber intelligence information. Business, government agencies and countries
now collaborate to share critical information about serious attacks to critical
targets in order to prevent similar attacks in other places. Many countries have
established cyber intelligence agencies to collaborate worldwide in combating major
cyberattacks.
Establishing information security management standards among national and
international organizations. The ISO 27000 is a good example of these international
efforts.
Enacting new laws to discourage cyberattacks and data breaches. These laws have
severe penalties to punish cyber criminals caught carrying out illegal actions.

Common Threats to End Users

As previously described, there are experts who are innovators and visionaries. They
build the different cyber domains of the Internet. They have the capacity to
recognize the power of data and harness it. Then they build their organizations and
provide services, as well as protecting people from cyberattacks. Ideally,
cybersecurity professionals should recognize the threat that data poses if it is
used against people.

Threats and vulnerabilities are the main concern of cybersecurity professionals.

Two situations are especially critical:

When a threat is the possibility that a harmful event, such as an attack, will
occur.
When a vulnerability makes a target susceptible to an attack.
For example, data in the wrong hands can result in a loss of privacy for the
owners, can affect their credit, or jeopardize their career or personal
relationships. Identity theft is big business. However, it is not necessarily the
Googles and Facebooks that pose the greatest risk. Schools, hospitals, financial
institutions, government agencies, the workplace and e-commerce pose even greater
risks. Organizations like Google and Facebook have the resources to hire top
cybersecurity talent to protect their domains. As more organizations build large
databases containing all of our personal data, the need for cybersecurity
professionals increases. This leaves smaller businesses and organizations competing
for the remaining pool of cybersecurity professionals. Cyber threats are
particularly dangerous to certain industries and the records they must maintain.

Types of Personal Records

The following examples are just a few sources of data that can come from
established organizations.

Medical Records

Going to the doctor�s office results in the addition of more information to an

electronic health record (EHR). The prescription from a family doctor becomes part
of the EHR. An EHR includes physical health, mental health, and other personal
information that may not be medically related. For example, an individual goes to
counseling as a child because of major changes in the family. This will be
somewhere in his or her medical records. Besides the medical history and personal
information, the EHR may also include information about that person�s family.
Several laws address protecting patient records.

Medical devices, such as fitness bands, use the cloud platform to enable wireless
transfer, storage and display of clinical data like heart rates, blood pressures
and blood sugars. These devices can generate an enormous amount of clinical data
that can become part of a medical record.

Education Records

Education records include information about grades, test scores, attendance,

courses taken, awards, degrees awarded, and disciplinary reports. This record may
also include contact information, health and immunization records, and special
education records, including individualized education programs (IEPs).

Employment and Financial Records

Employment information can include past employment and performance. Employment

records can also include salary and insurance information. Financial records may
include information about income and expenditures. Tax records could include
paycheck stubs, credit card statements, credit rating and banking information.

Threats to Internet Services

There are many essential technical services needed for a network, and ultimately
the Internet, to operate. These services include routing, addressing, domain
naming, and database management. These services also serve as prime targets for
cyber criminals.

Criminals use packet-sniffing tools to capture data streams over a network. This
means that all sensitive data, like usernames, passwords and credit card numbers,
are at risk. Packet sniffers work by monitoring and recording all information
coming across a network. Criminals can also use rogue devices, such as unsecured
Wi-Fi access points. If the criminal sets this up near a public place, such as a
coffee shop, unsuspecting individuals may sign on and the packet sniffer copies
their personal information.

Domain Name Service (DNS) translates a domain name, such as www.facebook.com, into
its numerical IP address. If a DNS server does not know the IP address, it will ask
another DNS server. With DNS spoofing (or DNS cache poisoning), the criminal
introduces false data into a DNS resolver�s cache. These poison attacks exploit a
weakness in the DNS software that causes the DNS servers to redirect traffic for a
specific domain to the criminal�s computer, instead of the legitimate owner of the
domain.

Packets transport data across a network or the Internet. Packet forgery (or packet
injection) interferes with an established network communication by constructing
packets to appear as if they are part of a communication. Packet forgery allows a
criminal to disrupt or intercept packets. This process enables the criminal to
hijack an authorized connection or denies an individual�s ability to use certain
network services. Cyber professionals call this a man-in-the-middle attack.

The examples given only scratch the surface of the types of threats criminals can
launch against Internet and network services.

Threats to Key Industry Sectors

Key industry sectors offer networking infrastructure systems such as manufacturing,
energy, communication and transportation. For example, the smart grid is an
enhancement to the electrical generation and distribution system. The electrical
grid carries power from central generators to a large number of customers. A smart
grid uses information to create an automated advanced energy delivery network.
World leaders recognize that protecting their infrastructure is critical to
protecting their economy.

Over the last decade, cyberattacks like Stuxnet proved that a cyberattack could
successfully destroy or interrupt critical infrastructures. Specifically, the
Stuxnet attack targeted the Supervisory Control and Data Acquisition (SCADA) system
used to control and monitor industrial processes. SCADA can be part of various
industrial processes in manufacturing, production, energy and communications
systems. Click here to view more information about Stuxnet attack.

A cyberattack could bring down or interrupt industry sectors like

telecommunication, transportation or electrical power generation and distribution
systems. It could also interrupt the financial services sector. One of the problems
with environments that incorporate SCADA is the fact that designers did not connect
SCADA to the traditional IT environment and the Internet. Therefore, they did not
properly consider cybersecurity during the development phase of these systems. Like
other industries, organizations using SCADA systems recognize the value of data
collection to improve operations and decrease costs. The resulting trend is to
connect SCADA systems to traditional IT systems. However, this increases the
vulnerability of industries using SCADA systems.

The advanced threat potential that exists today demands a special breed of cyber
security experts.

Threats to People�s Way of Life

Cybersecurity is the ongoing effort to protect networked systems and data from
unauthorized access. On a personal level, everyone needs to safeguard his or her
identity, data, and computing devices. At the corporate level, it is the employees�
responsibility to protect the organization�s reputation, data, and customers. At
the state level, national security and the citizens� safety and well-being are at
stake.

Cybersecurity professionals are often involved in working with government agencies

in identifying and collecting data.

In the U.S., the National Security Agency (NSA) is responsible for intelligence
collection and surveillance activities. The NSA built a new data center just to
process the growing volume of information. In 2015, the U.S. Congress passed the
USA Freedom Act ending the practice of collecting U.S. Citizens� phone records in
bulk. The program provided metadata that gave the NSA information about
communications sent and received.

The efforts to protect people�s way of life often conflicts with their right to
privacy. It will be interesting to see what happens to the balance between these
rights and the safety of Internet users.

Social Engineering Attacks

Social engineering attacks are very effective because people want to trust other
people and social
engineering attacks are not the kind of attack that the average user guards
against; users are concerned with
botnets, identity theft or ransomware. These are big external threats, so they do
not think to question what
seems to be a legitimate-looking message.

Baiting
Baiting relies on the curiosity or greed of the victim. What distinguishes baiting
from other types of social
engineering is the promise of an item or good that hackers use to entice victims.
Baiters may offer users free
music or movie downloads if the users surrender their login credentials to a
certain site. Baiting attacks are
not restricted to online schemes. Attackers can exploit human curiosity with
physical media like USB drives.

Shoulder Surfing
Shoulder surfing is literally looking over someone's shoulder to get information.
Shoulder surfing is an
effective way to get information in crowded places because it is relatively easy to
stand next to someone and
watch as they fill out a form or enter a PIN number at an ATM machine. Shoulder
surfing can also be done
long distance with the aid of modern cell phones, binoculars, or other vision-
enhancing devices. To prevent
shoulder surfing, experts recommend that you shield paperwork or your keypad from
view by using your body
or cupping your hand. There are even screen shields that make shoulder surfing much
more difficult.

Pretexting
Pretexting is using deception to create a scenario to convince victims to divulge
information they should not
divulge. Pretexting is often used against organizations that retain client data,
such as financial data, credit
card numbers, utilities account numbers, and other sensitive information.
Pretexters often request information
Lab - Explore Social Engineering Techniques
� 2021 - 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public Page 2
of 3 www.netacad.com
from individuals in an organization by impersonating a supervisor, helpdesk clerk,
or client, usually by phone,
email, or text.

Phishing, spear phishing, and whaling attacks

In phishing attacks, the attackers try to obtain personal information or data, like
username, password, and
credit card details, by disguising themselves as trustworthy entities. Phishing is
mainly conducted through
emails and phone calls. Spear phishing is more targeted version of the phishing, in
which an attacker chooses
specific individuals or enterprises and then customizes their phishing attack to
their victims to make it less
conspicuous. Whaling is when the specific target is a high-profile employee such as
a CEO or CFO.

Scareware and ransomware

Ransomware attacks involve injecting malware that encrypts a victim�s critical
data. The cyber criminals
request a ransom to be paid to decrypt the data. However, even if a ransom is paid,
there is no guarantee the
cyber criminals will decrypt the information. Ransomware is one of the fastest
growing types of cyberattack
and has affected thousands of financial organizations, government agencies,
healthcare facilities, even
schools and our education systems.
Scareware takes advantage of a user�s fear by coaxing them into installing fake
antivirus software.

Tailgating
Tailgating tricks the victim into helping the attacker gain unauthorized access
into the organization�s physical
facilities. The attacker seeks entry into a restricted area where access is
controlled by software-based
electronic devices or human guards. Tailgating can also involve the attacker
following an employee closely to
pass through a locked door before the door locks behind the employee.

Dumpster diving
In the world of social engineering, dumpster diving is a technique used to retrieve
discarded information
thrown in the trash to carry out an attack on a person or organization. Dumpster
diving is not limited to
searching through the trash for obvious treasures like access codes or passwords
written down on sticky
notes, it can also involve electronic information left on desktops, or stored on
USB drives.

How Threats Spread

Internal Security Threats

Attacks can originate from within an organization or from outside of the

organization, as shown in the figure. An internal user, such as an employee or
contract partner, can accidently or intentionally:

Mishandle confidential data

Threaten the operations of internal servers or network infrastructure devices
Facilitate outside attacks by connecting infected USB media into the corporate
computer system
Accidentally invite malware onto the network through malicious email or websites
Internal threats have the potential to cause greater damage than external threats
because internal users have direct access to the building and its infrastructure
devices. Internal attackers typically have knowledge of the corporate network, its
resources, and its confidential data. They may also have knowledge of security
countermeasures, policies and higher levels of administrative privileges.

External Security Threats

External threats from amateurs or skilled attackers can exploit vulnerabilities in

networked devices, or can use social engineering, such as trickery, to gain access.
External attacks exploit weaknesses or vulnerabilities to gain access to internal
resources.

Traditional Data

Corporate data includes personnel information, intellectual property, and financial

data. Personnel information includes application materials, payroll, offer letters,
employee agreements, and any information used in making employment decisions.
Intellectual property, such as patents, trademarks and new product plans, allows a
business to gain economic advantage over its competitors. Consider this
intellectual property as a trade secret; losing this information can be disastrous
for the future of the company. Financial data, such as income statements, balance
sheets, and cash flow statements, gives insight into the health of the company.

The Emergence of the Internet of Things

The Internet of Things (IoT) is the collection of technologies that enable the
connection of various devices to the Internet. The technological evolution
associated with the advent of the IoT is changing commercial and consumer
environments. IoT technologies enable people to connect billions of devices to the
Internet. These devices include appliances, locks, motors, and entertainment
devices, to name just a few. This technology affects the amount of data that needs
protection. Users access these devices remotely, which increases the number of
networks requiring protection.

With the emergence of IoT, there is much more data to be managed and secured. All
of these connections, plus the expanded storage capacity and storage services
offered through the Cloud and virtualization, has led to the exponential growth of
data. This data expansion created a new area of interest in technology and business
called �Big Data".

The Impact of Big Data

Big data is the result of data sets that are large and complex, making traditional
data processing applications inadequate. Big data poses both challenges and
opportunities based on three dimensions:

The volume or amount of data

The velocity or speed of data
The variety or range of data types and sources
There are numerous examples of big corporate hacks in the news. Companies like
Target, Home Depot and PayPal are subjects of highly publicized attacks. As a
result, enterprise systems require dramatic changes in security product designs and
substantial upgrades to technologies and practices. Additionally, governments and
industries are introducing more regulations and mandates that require better data
protection and security controls to help guard big data.

Using Advanced Weapons

Software vulnerabilities today rely on programming mistakes, protocol
vulnerabilities, or system misconfigurations. The cyber criminal merely has to
exploit one of these. For example, a common attack involved constructing an input
to a program in order to sabotage the program, making it malfunction. This
malfunction provided a doorway into the program or caused it to leak information.

There is a growing sophistication seen in cyberattacks today. An advanced

persistent threat (APT) is a continuous computer hack that occurs under the radar
against a specific object. Criminals usually choose an APT for business or
political motives. An APT occurs over a long period with a high degree of secrecy
using sophisticated malware.

Algorithm attacks can track system self-reporting data, like how much energy a
computer is using, and use that information to select targets or trigger false
alerts. Algorithmic attacks can also disable a computer by forcing it to use memory
or by overworking its central processing unit. Algorithmic attacks are more devious
because they exploit designs used to improve energy savings, decrease system
failures, and improve efficiencies.

Finally, the new generation of attacks involves intelligent selection of victims.

In the past, attacks would select the low hanging fruit or most vulnerable victims.
However, with greater attention to detection and isolation of cyberattacks, cyber
criminals must be more careful. They cannot risk early detection or the
cybersecurity specialists will close the gates of the castle. As a result, many of
the more sophisticated attacks will only launch if the attacker can match the
object signature targeted.

Safety Implications
Emergency call centers in the U.S. are vulnerable to cyberattacks that could shut
down 911 networks, jeopardizing public safety. A telephone denial of service (TDoS)
attack uses phone calls against a target telephone network tying up the system and
preventing legitimate calls from getting through. Next generation 911 call centers
are vulnerable because they use Voice-over-IP (VoIP) systems rather than
traditional landlines. In addition to TDoS attacks, these call centers can also be
at risk of distributed-denial-of-service (DDoS)The National Cybersecurity Workforce
Framework
The Workforce Framework categorizes cybersecurity work into seven categories.

Operate and Maintain includes providing the support, administration, and

maintenance required to ensure IT system performance and security.
Protect and Defend includes the identification, analysis, and mitigation of threats
to internal systems and networks.

Investigate includes the investigation of cyber events and/or cyber crimes

involving IT resources.

Collect and Operate includes specialized denial and deception operations and the
collection of cybersecurity information.

Analyze includes highly specialized review and evaluation of incoming cybersecurity

information to determine if it is useful for intelligence.

Oversight and Development provides for leadership, management, and direction to

conduct cybersecurity work effectively.

Securely Provision includes conceptualizing, designing, and building secure IT

systems.

Within each category, there are several specialty areas. The specialty areas then
define common types of cybersecurity work. attacks that use many systems to flood
the resources of the target making the target unavailable to legitimate users.
There are many ways nowadays to request 911 help, from using an app on a smartphone
to using a home security system.

Addressing the Shortage of Cybersecurity Specialists

In the U.S., the National Institute of Standards and Technologies (NIST) created a
framework for companies and organizations in need of cybersecurity professionals.
The framework enables companies to identify the major types of responsibilities,
job titles, and workforce skills needed. The National Cybersecurity Workforce
Framework categorizes and describes cybersecurity work. It provides a common
language that defines cybersecurity work along with a common set of tasks and
skills required to become a cybersecurity specialist. The framework helps to define
professional requirements in cybersecurity.

The National Cybersecurity Workforce Framework

The Workforce Framework categorizes cybersecurity work into seven categories.

Operate and Maintain includes providing the support, administration, and

maintenance required to ensure IT system performance and security.

Protect and Defend includes the identification, analysis, and mitigation of threats
to internal systems and networks.

Investigate includes the investigation of cyber events and/or cyber crimes

involving IT resources.

Collect and Operate includes specialized denial and deception operations and the
collection of cybersecurity information.

Analyze includes highly specialized review and evaluation of incoming cybersecurity

information to determine if it is useful for intelligence.

Oversight and Development provides for leadership, management, and direction to

conduct cybersecurity work effectively.

Securely Provision includes conceptualizing, designing, and building secure IT

systems.
Within each category, there are several specialty areas. The specialty areas then
define common types of cybersecurity work.

Industry Certifications
In a world of cybersecurity threats, there is a great need for skilled and
knowledgeable information security professionals. The IT industry established
standards for cybersecurity specialists to obtain professional certifications that
provide proof of skills, and knowledge level.

CompTIA Security+

Security+ is a CompTIA-sponsored testing program that certifies the competency of

IT administrators in information assurance. The Security+ test covers the most
important principles for securing a network and managing risk, including concerns
associated with cloud computing.

EC-Council Certified Ethical Hacker (CEH)

This intermediate-level certification asserts that cybersecurity specialists

holding this credential possess the skills and knowledge for various hacking
practices. These cybersecurity specialists use the same skills and techniques used
by the cyber criminals to identify system vulnerabilities and access points into
systems.

SANS GIAC Security Essentials (GSEC)

The GSEC certification is a good choice for an entry-level credential for

cybersecurity specialists who can demonstrate that they understand security
terminology and concepts and have the skills and expertise required for �hands-on�
security roles. The SANS GIAC program offers a number of additional certifications
in the fields of security administration, forensics, and auditing.

(ISC)^2 Certified Information Systems Security Professional (CISSP)

The CISSP certification is a vendor-neutral certification for those cybersecurity

specialists with a great deal of technical and managerial experience. It is also
formally approved by the U.S. Department of Defense (DoD) and is a globally
recognized industry certification in the security field.

ISACA Certified Information Security Manager (CISM)

Cyber heroes responsible for managing, developing and overseeing information

security systems at the enterprise level or for those developing best security
practices can qualify for CISM. Credential holders possess advanced skills in
security risk management.

How to Become a Cybersecurity Expert

To become a successful cybersecurity specialist, the potential candidate should
look at some of the unique requirements. Heroes must be able to respond to threats
as soon as they occur. This means that the working hours can be somewhat
unconventional.

Cyber heroes also analyze policy, trends, and intelligence to understand how cyber
criminals think. Many times, this may involve a large amount of detective work.

The following recommendations will help aspiring cybersecurity specialists to

achieve their goals:

Study: Learn the basics by completing courses in IT. Be a life-long learner.

Cybersecurity is an ever-changing field, and cybersecurity specialists must keep
up.
Pursue Certifications: Industry and company sponsored certifications from
organizations such as Microsoft and Cisco prove that one possesses the knowledge
needed to seek employment as a cybersecurity specialist.
Pursue Internships: Seeking out a security internship as a student can lead to
opportunities down the road.
Join Professional Organizations: Join computer security organizations, attend
meetings and conferences, and join forums and blogs to gain knowledge from the
experts.

Packet Tracer - Creating a Cyber World

In this Packet Tracer, you will complete the following objectives:

Configure the FTP Server

Configure the Web Server
Configure the Email Server
Configure the DNS Server
Configure the NTP Server
Configure the AAA Server

Send Email between Users

Upload and Download Files using FTP
Remotely Access an Enterprise Router using Telnet
Remotely Access an Enterprise Router using SSH

Chapter 2: The Cybersecurity Cube

Cybersecurity professionals are best described as experts charged with the
protection of cyberspace. John McCumber is one of the early cybersecurity experts,
developing a commonly used framework called the McCumber Cube or the Cybersecurity
Cube. This is used as tool when managing the protection of networks, domains and
the Internet. The Cybersecurity Cube looks somewhat like a Rubik's Cube.

The first dimension of the Cybersecurity Cube includes the three principles of
information security. Cybersecurity professionals refer to the three principles as
the CIA Triad. The second dimension identifies the three states of information or
data. The third dimension of the cube identifies the expertise required to provide
protection. These are often called the three categories of cybersecurity
safeguards.

The chapter also discusses the ISO cybersecurity model. The model represents an
international framework to standardize the management of information systems.

The Principles of Security

The first dimension of the cybersecurity cube identifies the goals to protect
cyberspace. The goals identified in the first dimension are the foundational
principles. These three principles are confidentiality, integrity and availability.
The principles provide focus and enable the cybersecurity expert to prioritize
actions when protecting any networked system.

Confidentiality prevents the disclosure of information to unauthorized people,

resources, or processes. Integrity refers to the accuracy, consistency, and
trustworthiness of data. Finally, availability ensures that information is
accessible by authorized users when needed. Use the acronym CIA to remember these
three principles.

The States of Data

Cyberspace is a domain containing a considerable amount of critically important
data; therefore, cybersecurity experts focus on protecting data. The second
dimension of the Cybersecurity Cube focuses on the problems of protecting all of
the states of data in cyberspace. Data has three possible states:

Data in transit
Data at rest or in storage
Data in process
The protection of cyberspace requires cybersecurity professionals to account for
the safeguarding of data in all three states.

Cybersecurity Safeguards
The third dimension of the Cybersecurity Cube defines the skills and discipline a
cybersecurity professional can call upon to protect cyberspace. Cybersecurity
professionals must use a range of different skills and disciplines available to
them when protecting the data in the cyberspace. They must do this while remaining
on the �right side� of the law.

The Cybersecurity Cube identifies the three types of skills and disciplines used to
provide protection. The first skill includes the technologies, devices, and
products available to protect information systems and fend off cyber criminals.
Cybersecurity professionals have a reputation for mastering the technological tools
at their disposal. However, McCumber reminds them that the technological tools are
not enough to defeat cyber criminals. Cybersecurity professionals must also build a
strong defense by establishing policies, procedures, and guidelines that enable the
users of cyberspace to stay safe and follow good practices. Finally, users of
cyberspace must strive to become more knowledgeable about the threats of the
cyberspace and establish a culture of learning and awareness.

The Principle of Confidentiality

Confidentiality prevents the disclosure of information to unauthorized people,
resources and processes. Another term for confidentiality is privacy. Organizations
restrict access to ensure that only authorized operators can use data or other
network resources. For example, a programmer should not have access to the personal
information of all employees.

Organizations need to train employees about best practices in safeguarding

sensitive information to protect themselves and the organization from attacks.
Methods used to ensure confidentiality include data encryption, authentication, and
access control.

Controlling Access
Access control defines a number of protection schemes that prevent unauthorized
access to a computer, network, database, or other data resources. The concepts of
AAA involve three security services: Authentication, Authorization and Accounting.
These services provide the primary framework to control access.

The first �A� in AAA represents authentication. Authentication verifies the

identity of a user to prevent unauthorized access. Users prove their identity with
a username or ID. In addition, users need to verify their identity by providing one
of the following as shown in Figure 1:

Something they know (such as a password)

Something they have (such as a token or card)
Something they are (such a fingerprint)
For example, if you go to an ATM for cash, you need your bankcard (something you
have) and you need to know the PIN. This is also an example of multifactor
authentication. Multifactor authentication requires more than one type of
authentication. The most popular form of authentication is the use of passwords.

Authorization services determine which resources users can access, along with the
operations that users can perform. Some systems accomplish this by using an access
control list, or an ACL. An ACL determines whether a user has certain access
privileges once the user authenticates. Just because you can log onto the corporate
network does not mean that you have permission to use the high-speed color printer.
Authorization can also control when a user has access to a specific resource. For
example, employees may have access to a sales database during work hours, but the
system locks them out after hours.

Accounting keeps track of what users do, including what they access, the amount of
time they access resources, and any changes made. For example, a bank keeps track
of each customer account. An audit of that system can reveal the time and amount of
all transactions and the employee or system that executed the transactions.
Cybersecurity accounting services work the same way. The system tracks each data
transaction and provides auditing results. An administrator can set up computer
policies to enable system auditing.

The concept of AAA is similar to using a credit card. The credit card identifies
who can use it, how much that user can spend, and accounts for items or services
the user purchased.

Cybersecurity accounting tracks and monitors in real time. Websites, like Norse,
show attacks in real-time based on data collected as part of an accounting or
tracking system. Click here to visit the Norse list of attack maps.

Laws and Liability

Confidentiality and privacy seem interchangeable, but from a legal standpoint, they
mean different things. Most privacy data is confidential, but not all confidential
data is private. Access to confidential information occurs after confirming proper
authorization. Financial institutions, hospitals, medical professionals, law firms,
and businesses handle confidential information. Confidential information has a non-
public status. Maintaining confidentiality is more of an ethical duty.

Privacy is the appropriate use of data. When organizations collect information

provided by customers or employees, they should only use that data for its intended
purpose. Most organizations will require the customer or employee to sign a release
form giving the organization permission to use the data.

All of the laws listed in the figure include a provision for dealing with privacy
starting with U.S. laws in Figure 1. Figure 2 lists a sampling of international
efforts. Most of these laws are a response to the massive growth in data
collection.

The growing number of privacy related statutes create a tremendous burden on

organizations that collect and analyze data. Policies are the best way for an
organization to comply with the growing number of privacy related laws. Policies
enable organizations to enforce specific rules, procedures, and processes when
collecting, storing, and sharing data.

Principle of Data Integrity

Integrity is the accuracy, consistency, and trustworthiness of data during its
entire life cycle. Another term for integrity is quality. Data undergoes a number
of operations such as capture, storage, retrieval, update, and transfer. Data must
remain unaltered during all of these operations by unauthorized entities.

Methods used to ensure data integrity include hashing, data validation checks, data
consistency checks, and access controls. Data integrity systems can include one or
more of the methods listed above.

Need for Data Integrity

Data integrity is a fundamental component of information security. The need for
data integrity varies based on how an organization uses data. For example, Facebook
does not verify the data that a user posts in a profile. A bank or financial
organization assigns a higher importance to data integrity than Facebook does.
Transactions and customer accounts must be accurate. In a healthcare organization,
data integrity might be a matter of life or death. Prescription information must be
accurate.

Protecting data integrity is a constant challenge for most organizations. Loss of

data integrity can render entire data resources unreliable or unusable.

Integrity Checks
An integrity check is a way to measure the consistency of a collection of data (a
file, a picture, or a record). The integrity check performs a process called a hash
function to take a snapshot of data at an instant in time. The integrity check uses
the snapshot to ensure data remains unchanged.

A checksum is one example of a hash function. A checksum verifies the integrity of

files, or strings of characters, before and after they transfer from one device to
another across a local network or the Internet. Checksums simply convert each piece
of information to a value and sum the total. To test the data integrity, a
receiving system just repeats the process. If the two sums are equal, the data is
valid (Figure 1). If they are not equal, a change occurred somewhere along the line
(Figure 2).

Common hash functions include MD5, SHA-1, SHA-256, and SHA-512. These hash
functions use complex mathematical algorithms. The hashed value is simply there for
comparison. For example, after downloading a file, the user can verify the
integrity of the file by comparing the hash values from the source with the one
generated by any hash calculator.

Organizations use version control to prevent accidental changes by authorized

users. Two users cannot update the same object. Objects can be files, database
records, or transactions. For example, the first user to open a document has the
permission to change that document; the second person has a read-only version.

Accurate backups help to maintain data integrity if data becomes corrupted. An

organization needs to verify its backup process to ensure the integrity of the
backup before data loss occurs.

Authorization determines who has access to an organization�s resources based on

their need to know. For example, file permissions and user access controls ensure
that only certain users can modify data. An administrator can set permissions for a
file to read-only. As a result, a user accessing that file cannot make any changes.

The Principle of Availability

Data availability is the principle used to describe the need to maintain
availability of information systems and services at all times. Cyberattacks and
system failures can prevent access to information systems and services. For
example, interrupting the availability of the website of a competitor by bringing
it down may provide an advantage to its rival. These denial-of-service (DoS)
attacks threaten system availability and prevent legitimate users from accessing
and using information systems when needed.

Methods used to ensure availability include system redundancy, system backups,

increased system resiliency, equipment maintenance, up-to-date operating systems
and software, and plans in place to recover quickly from unforeseen disasters.

Five Nines
People use various information systems in their day-to-day lives. Computers and
information systems control communications, transportation and the manufacturing of
products. The continuous availability of information systems is imperative to
modern life. The term high availability, describes systems designed to avoid
downtime. High availability ensures a level of performance for a higher than normal
period. High availability systems typically include three design principles.

Eliminate single points of failure

Provide for reliable crossover
Detect failures as they occur
The goal is the ability to continue to operate under extreme conditions, such as
during an attack. One of the most popular high availability practices is five
nines. The five nines refer to 99.999%. This means that downtime is less than 5.26
minutes per year. Figure 2 provides three approaches to five nines.

Ensuring Availability
Organizations can ensure availability by implementing the following:

Equipment maintenance
Regular equipment maintenance can dramatically improve system uptime. Maintenance
included component replacement, cleaning and alignment.

OS and system updates

Modern OS, applications and software programs are continuously updated to correct
errors and eliminate vulnerabilities. All systems, applications and software should
be updated on a regular schedule. Cybersecurity professionals can subscribe to
alerts that announce new update releases.

Backup testing
Backup of organization data, configuration data and personal data ensures system
availabilty. Backup systems should also be tested to ensure these systems work
properly and that data can be recovered in the event of data loss.

Disaster planning
Disaster planning is a critical part of increasing system availabilty. Employees
and customers should know how to respond to a disaster. The cybersecurity team
should practice response and test backup systems and be familiar with procedures
for restoring critical systems.

New technology implementations

High availabilty requires continuous evaluation and testing new technologies to
counter new threats and attacks. Cyber criminals use the latest tools and tricks.
Cyber professionals are also required to use new technologies, products and
devices.

Unusual activity monitoring

Continuous system monitoring increases system availability. Monitoring event logs,
system alerts and access logs provides the cybersecurity professional with real
time system information. This information can identify attacks after the event
occurs and enable the cybersecurity professional to fend off attacks as they occur.

Availability/ System testing

All systems should be tested to find vulnerabilties. Testing can include port
scans, vulnerability scans and pen tests.
Types of Data Storage
Stored data refers to data at rest. Data at rest means that a type of storage
device retains the data when no user or process is using it. A storage device can
be local (on a computing device) or centralized (on the network). A number of
options exist for storing data.

Direct-attached storage (DAS) is storage connected to a computer. A hard drive or

USB flash drive is an example of direct-attached storage. By default, systems are
not set up to share direct-attached storage.

Redundant array of independent disks (RAID) uses multiple hard drives in an array,
which is a method of combining multiple disks so that the operating system sees
them as a single disk. RAID provides improved performance and fault tolerance.

A network attached storage (NAS) device is a storage device connected to a network

that allows storage and retrieval of data from a centralized location by authorized
network users. NAS devices are flexible and scalable, meaning administrators can
increase the capacity as needed.

A storage area network (SAN) architecture is a network based storage system. SAN
systems connect to the network using high-speed interfaces allowing improved
performance and the ability to connect multiple servers to a centralized disk
storage repository.

Cloud storage is a remote storage option that uses space on a data center provider
and is accessible from any computer with Internet access. Google Drive, iCloud, and
Dropbox are all examples of cloud storage providers.

Challenges of Protecting Stored Data

Organizations have a challenging task in trying to protect stored data. In order to
improve data storage, organizations can automate and centralize data backups.

Direct-attached storage can be one of the most difficult types of data storage to
manage and control. Direct-attached storage is vulnerable to malicious attacks on
the local host. Stored data may also include backup data. Backups can be manual or
automatic. Organizations should limit the types of data stored on direct-attached
storage. In particular, an organization would not store critical data on direct-
attached storage devices.

Network storage systems offer a more secure option. Network storage systems
including RAID, SAN and NAS provide greater performance and redundancy. However,
network storage systems are more complicated to configure and manage. They also
handle more data, posing a greater risk to the organization if the device fails.
The unique challenges of network storage systems include configuring, testing, and
monitoring the system.

Methods of Transmitting Data

Data transmission involves sending information from one device to another. There
are numerous methods to transmit information between devices including:

Sneaker net � uses removable media to physically move data from one computer to
another
Wired networks � uses cables to transmit data
Wireless networks � uses radio waves to transmit data
Organizations will never be able to eliminate the use of a sneaker net.

Wired networks include copper-wired and fiber optic media. Wired networks can serve
a local geographical area (Local Area Network) or they can span great distances
(Wide Area Networks).
Wireless networks are replacing wired networks. Wireless networks are becoming
faster and able to handle more bandwidth. Wireless networks expand the number of
guest users with mobile devices on small office home office (SOHO) and enterprise
networks.

Both wired and wireless networks use packets or data units. The term packet refers
to a unit of data that travels between an origin and a destination on the network.
Standard protocols like Internet Protocol (IP) and Hypertext Transfer Protocol
(HTTP) define the structure and formation of data packets. These standards are open
source and are available to the public. Protecting the confidentiality, integrity,
and availability of transmitted data is one of the most important responsibilities
of a cybersecurity professional.

Challenges of Protecting Data In-Transit

The protection of transmitted data is one of the most challenging jobs of a
cybersecurity professional. With the growth in mobile and wireless devices,
cybersecurity professionals are responsible for protecting massive amounts of data
crossing their network on a daily basis. The cybersecurity professional must deal
with several challenges in protecting this data:

Protecting data confidentiality � cyber criminals can capture, save and steal data
in-transit. Cyber professionals must take steps to counter these actions.
Protecting data integrity � cyber criminals can intercept and alter data in-
transit. Cybersecurity professionals deploy data integrity systems that test the
integrity and authenticity of transmitted data to counter these actions.
Protecting data availability - cyber criminals can use rogue or unauthorized
devices to interrupt data availability. A simple mobile device can pose as a local
wireless access point and trick unsuspecting users into associating with the rogue
device. The cybercriminal can hijack an authorized connection to a protected
service or device. Network security professionals can implement mutual-
authentication systems to counter these actions. Mutual-authentication systems
require the user to authenticate to the server, and requests the server to
authenticate to the user.

Forms of Data Processing and Computation

The third state of data is data in process. This refers to data during initial
input, modification, computation, or output.

Protection of data integrity starts with the initial input of data. Organizations
use several methods to collect data, such as manual data entry, scanning forms,
file uploads, and data collected from sensors. Each of these methods pose potential
threats to data integrity. An example of data corruption during the input process
includes data entry errors or disconnected, malfunctioning, or inoperable system
sensors. Other examples can include mislabeling and incorrect or mismatched data
formats.

Data modification refers to any changes to the original data such as users manually
modifying data, programs processing and changing data, and equipment failing
resulting in data modification. Processes like encoding/decoding,
compression/decompression and encryption/decryption are all examples of data
modification. Malicious code also results in data corruption.

Data corruption also occurs during the data output process. Data output refers to
outputting data to printers, electronic displays or directly to other devices. The
accuracy of output data is critical because output provides information and
influences decision-making. Examples of output data corruption include the
incorrect use of data delimiters, incorrect communication configurations, and
improperly configured printers.
Challenges of Protecting Data In-Process
Protecting against invalid data modification during processing can have an adverse
impact. Software errors are the reason for many mishaps and disasters. For example,
just two weeks before Christmas, some of Amazon�s third-party retailers experienced
a change in the advertised price on their items to just one cent. The glitch lasted
for one hour. The error resulted in thousands of shoppers getting the deal of a
lifetime and the company losing revenue. In 2016, the Nest thermostat malfunctioned
and left users with no heat. The Nest thermostat is a smart technology owned by
Google. A software glitch left users, literally, out in the cold. A software update
went wrong, forcing the device�s batteries to drain and leaving it unable to
control temperature. As a result, customers were unable to heat their homes or get
hot water on one of the coldest weekends of the year.

Protecting data during processing requires well-designed systems. Cybersecurity

professionals design policies and procedures that require testing, maintaining, and
updating systems to keep them operating with the least amount of errors.

Software-based Technology Safeguards

Software safeguards include programs and services that protect operating systems,
databases, and other services operating on workstations, portable devices, and
servers. Administrators install software-based countermeasures or safeguards on
individual hosts or servers. There are several software-based technologies used to
safeguard an organization�s assets:

Software firewalls control remote access to a system. Operating systems typically

include a firewall or a user can purchase or download software from a third party.
Network and port scanners discover and monitor open ports on a host or server.
Protocol analyzers, or signature analyzers, are devices that collect and examine
network traffic. They identify performance problems, detect misconfigurations,
identify misbehaving applications, establish baseline and normal traffic patterns,
and debug communication problems.
Vulnerability scanners are computer programs designed to assess weaknesses on
computers or networks.
Host-based intrusion detection systems (IDS) examine activity on host systems only.
An IDS generates log files and alarm messages when it detects unusual activity. A
system storing sensitive data or providing critical services is a candidate for
host-based IDS.

Cybersecurity Threats, Vulnerabilities, and Attacks

Threats, vulnerabilities, and attacks are the central focus of cybersecurity
professionals. A threat is the possibility that a harmful event, such as an attack,
will occur. A vulnerability is a weakness that makes a target susceptible to an
attack. An attack is a deliberate exploitation of a discovered weakness in computer
information systems, either as specific targets or merely as targets of
opportunity. Cyber criminals may have different motivations for selecting a target
of an attack. Cyber criminals succeed by continuously searching for and identifying
systems with clear vulnerabilities. Common victims include unpatched systems or
systems missing virus and spam detection.

This chapter examines the most common cybersecurity attacks. Cybersecurity

professionals must understand how each attack works, what it exploits, and how it
affects the victim. The chapter begins by explaining the threat of malware and
malicious code and then goes into explaining the types of deception involved with
social engineering. A cyberattack is any type of offensive maneuver used by cyber
criminals to target computer information systems, computer networks, or other
computer devices. Cyber criminals launch offensive maneuvers against both wired and
wireless networks.
What is Malware?
Malicious software, or malware, is a term used to describe software designed to
disrupt computer operations, or gain access to computer systems, without the user's
knowledge or permission. Malware has become an umbrella term used to describe all
hostile or intrusive software. The term malware includes computer viruses, worms,
Trojan horses, ransomware, spyware, adware, scareware, and other malicious
programs. Malware may be obvious and simple to identify or it can be very stealthy
and almost impossible to detect.

Types of Malware
Cyber criminals target user�s end devices through the installation of malware.
Click Play to view an animation of the three most common types of malware.

Viruses

A virus is malicious executable code attached to another executable file, such as a

legitimate program. Most viruses require end-user initiation, and can activate at a
specific time or date. Computer viruses usually spread in one of three ways: from
removable media; from downloads off the Internet; and from email attachments.
Viruses can be harmless and simply display a picture or they can be destructive,
such as those that modify or delete data. In order to avoid detection, a virus
mutates. The simple act of opening a file can trigger a virus. A boot sector, or
file system virus, infects USB flash drives and can spread to the system�s hard
disk. Executing a specific program can activate a program virus. Once the program
virus is active, it will usually infect other programs on the computer or other
computers on the network. The Melissa Virus was an example of a virus spread via
email. Melissa affected tens of thousands of users and caused an estimated $1.2
billion in damage. Click here to read more about viruses.

Worms

Worms are malicious code that replicates by independently exploiting

vulnerabilities in networks. Worms usually slow down networks. Whereas a virus
requires a host program to run, worms can run by themselves. Other than the initial
infection, worms no longer require user participation. After a worm affects a host,
it is able to spread very quickly over the network. Worms share similar patterns.
They all have an enabling vulnerability, a way to propagate themselves, and they
all contain a payload.

Worms are responsible for some of the most devastating attacks on the Internet. For
example, in 2001, the Code Red worm infected 658 servers. Within 19 hours, the worm
infected over 300,000 servers.

Trojan horse

A Trojan horse is malware that carries out malicious operations under the guise of
a desired operation such as playing an online game. This malicious code exploits
the privileges of the user that runs it. A Trojan horse differs from a virus
because the Trojan binds itself to non-executable files, such as image files, audio
files, or games.

Logic Bombs
A logic bomb is a malicious program that uses a trigger to awaken the malicious
code. For example, triggers can be dates, times, other programs running, or the
deletion of a user account. The logic bomb remains inactive until that trigger
event happens. Once activated, a logic bomb implements a malicious code that causes
harm to a computer. A logic bomb can sabotage database records, erase files, and
attack operating systems or applications. Cybersecurity specialists recently
discovered logic bombs that attack and destroy the hardware components in a
workstation or server including the cooling fans, CPU, memory, hard drives and
power supplies. The logic bomb overdrives these devices until they overheat or
fail.

Ransomware
Ransomware holds a computer system, or the data it contains, captive until the
target makes a payment. Ransomware usually works by encrypting data in the computer
with a key unknown to the user. The user must pay a ransom to the criminals to
remove the restriction.

Some other versions of ransomware can take advantage of specific system

vulnerabilities to lock down the system. Ransomware propagates as a Trojan horse
and is the result of a downloaded file or some software weakness.

Payment through an untraceable payment system is always the criminal�s goal. Once
the victim pays, the criminal supplies a program that decrypts the files or sends
an unlock code.

Backdoors and Rootkits

A backdoor refers to the program or code introduced by a criminal who has
compromised a system. The backdoor bypasses the normal authentication used to
access a system. A few common backdoor programs are Netbus and Back Orifice, which
both allow remote access to unauthorized system users. The purpose of the backdoor
is to grant the cyber criminals future access to the system even if the
organization fixes the original vulnerability used to attack the system. Usually,
criminals have authorized users unknowingly run a Trojan horse program on their
machine to install the backdoor.

A rootkit modifies the operating system to create a backdoor. Attackers then use
the backdoor to access the computer remotely. Most rootkits take advantage of
software vulnerabilities to perform privilege escalation and modify system files.
Privilege escalation takes advantage of programming errors or design flaws to grant
the criminal elevated access to network resources and data. It is also common for
rootkits to modify system forensics and monitoring tools, making them very hard to
detect. Often, a user must wipe and reinstall the operating system of a computer
infected by a rootkit.

Defending Against Malware

A few simple steps can help defend against all forms of malware:

Antivirus Program - The majority of antivirus suites catch most widespread forms of
malware. However, cyber criminals develop and deploy new threats on a daily basis.
Therefore, the key to an effective antivirus solution is to keep the signatures
updated. A signature is like a fingerprint. It identifies the characteristics of a
piece of malicious code.
Up-to-Date Software - Many forms of malware achieve their objectives through
exploitation of vulnerabilities in software, both in the operating system and
applications. Although operating system vulnerabilities were the main source of
problems, today�s application-level vulnerabilities pose the greatest risk.
Unfortunately, while operating system vendors are becoming more and more responsive
to patching, most application vendors are not.

Email and Browser attacks

Spam
Email is a universal service used by billions worldwide. As one of the most popular
services, email has become a major vulnerability to users and organizations. Spam,
also known as junk mail, is unsolicited email. In most cases, spam is a method of
advertising. However, spam can send harmful links, malware, or deceptive content.
The end goal is to obtain sensitive information such as a social security number or
bank account information. Most spam comes from multiple computers on networks
infected by a virus or worm. These compromised computers send out as much bulk
email as possible.

Even with these security features implemented, some spam might still get through.
Watch for some of the more common indicators of spam:

An email has no subject line.

An email is requesting an update to an account.
The email text has misspelled words or strange punctuation.
Links within the email are long and/or cryptic.
An email looks like correspondence from a legitimate business.
The email requests that the user open an attachment.

If a user receives an email that contains one or more of these indicators, he or

she should not open the email or any attachments. It is very common for an
organization�s email policy to require a user receiving this type of email to
report it to the cyber security staff. Almost all email providers filter spam.
Unfortunately, spam still consumes bandwidth, and the recipient's server still has
to process the message.

Spyware, Adware, and Scareware

Spyware is software that enables a criminal to obtain information about a user�s
computer activities. Spyware often includes activity trackers, keystroke
collection, and data capture. In an attempt to overcome security measures, spyware
often modifies security settings. Spyware often bundles itself with legitimate
software or with Trojan horses. Many shareware websites are full of spyware.

Adware typically displays annoying pop-ups to generate revenue for its authors. The
malware may analyze user interests by tracking the websites visited. It can then
send pop-up advertising pertinent to those sites. Some versions of software
automatically install Adware. Some adware only delivers advertisements, but it is
also common for adware to come with spyware.

Scareware persuades the user to take a specific action based on fear. Scareware
forges pop-up windows that resemble operating system dialogue windows. These
windows convey forged messages stating that the system is at risk or needs the
execution of a specific program to return to normal operation. In reality, no
problems exist, and if the user agrees and allows the mentioned program to execute,
malware infects his or her system.

Phishing
Phishing is a form of fraud. Cyber criminals use email, instant messaging, or other
social media to try to gather information such as login credentials or account
information by masquerading as a reputable entity or person. Phishing occurs when a
malicious party sends a fraudulent email disguised as being from a legitimate,
trusted source. The message intent is to trick the recipient into installing
malware on his or her device or into sharing personal or financial information. An
example of phishing is an email forged to look like it came from a retail store
asking the user to click a link to claim a prize. The link may go to a fake site
asking for personal information, or it may install a virus.

Spear phishing is a highly targeted phishing attack. While phishing and spear
phishing both use emails to reach the victims, spear phishing sends customized
emails to a specific person. The criminal researches the target�s interests before
sending the email. For example, a criminal learns that the target is interested in
cars and has been looking to buy a specific model of car. The criminal joins the
same car discussion forum where the target is a member, forges a car sale offering,
and sends an email to the target. The email contains a link for pictures of the
car. When the target clicks on the link, he or she unknowingly installs malware on
the computer. Click here to learn more about email frauds.

Vishing, Smishing, Pharming, and Whaling

Vishing is phishing using voice communication technology. Criminals can spoof calls
from legitimate sources using voice over IP (VoIP) technology. Victims may also
receive a recorded message that appears legitimate. Criminals want to obtain credit
card numbers or other information to steal the victim�s identity. Vishing takes
advantage of the fact that people trust the telephone network.

Smishing (Short Message Service phishing) is phishing using text messaging on

mobile phones. Criminals impersonate a legitimate source in an attempt to gain the
trust of the victim. For example, a smishing attack might send the victim a website
link. When the victim visits the website, malware is installed on the mobile phone.

Pharming is the impersonation of a legitimate website in an effort to deceive users

into entering their credentials. Pharming misdirects users to a fake website that
appears to be official. Victims then enter their personal information thinking that
they connected to a legitimate site.

Whaling is a phishing attack that targets high profile targets within an

organization such as senior executives. Additional targets include politicians or
celebrities.
Browser Plugins and Browser Poisoning
Security breaches can affect web browsers by displaying pop-up advertising,
collecting personally identifiable information, or installing adware, viruses, or
spyware. A criminal can hack a browser�s executable file, a browser�s components,
or its plugins.

Plugins

The Flash and Shockwave plugins from Adobe enable the development of interesting
graphic and cartoon animations that greatly enhance the look and feel of a web
page. Plugins display the content developed using the appropriate software.

Until recently, plugins had a remarkable safety record. As Flash-based content grew
and became more popular, criminals examined the Flash plugins and software,
determined vulnerabilities, and exploited Flash Player. Successful exploitation
could cause a system crash or allow a criminal to take control of the affected
system. Expect increased data losses to occur as criminals continue to investigate
the more popular plugins and protocols for vulnerabilities.

SEO Poisoning

Search engines such as Google work by ranking pages and presenting relevant results
based on users� search queries. Depending on the relevancy of web site content, it
may appear higher or lower in the search result list. SEO, short for Search Engine
Optimization, is a set of techniques used to improve a website�s ranking by a
search engine. While many legitimate companies specialize in optimizing websites to
better position them, SEO poisoning uses SEO to make a malicious website appear
higher in search results.

The most common goal of SEO poisoning is to increase traffic to malicious sites
that may host malware or perform social engineering. To force a malicious site to
rank higher in search results, attackers take advantage of popular search terms.
Browser Hijacker

A browser hijacker is malware that alters a computer's browser settings to redirect

the user to websites paid for by the cyber criminals' customers. Browser hijackers
usually install without the user's permission and are usually part of a drive-by
download. A drive-by download is a program that automatically downloads to the
computer when a user visits a web site or views an HTML email message. Always read
user agreements carefully when downloading programs to avoid this type of malware.

Defending Against Email and Browser Attacks

Methods for dealing with spam include filtering email, educating the user about
being cautious towards unknown email(s), and using host/server filters.

It is difficult to stop spam, but there are ways to diminish its effects. For
example, most ISPs filter spam before it reaches the user�s inbox. Many antivirus
and email software programs automatically perform email filtering. This means that
they detect and remove spam from an email inbox.

Organizations must also make employees aware of the dangers of opening email
attachments that may contain a virus or a worm. Do not assume that email
attachments are safe, even when they come from a trusted contact. A virus may be
trying to spread by using the sender�s computer. Always scan email attachments
before opening them.

The Anti-Phishing Working Group (APWG) is an industry association focused on

eliminating the identity theft and fraud that result from phishing and email
spoofing.

Keeping all software updated ensures that the system has all of the latest security
patches applied to take away known vulnerabilities. Click here to learn more about
avoiding browser attacks.

The Art of Deception

Social Engineering
Social engineering is a completely non-technical means for a criminal to gather
information on a target. Social engineering is an attack that attempts to
manipulate individuals into performing actions or divulging confidential
information.

Social engineers often rely on people�s willingness to be helpful but also prey on
people�s weaknesses. For example, an attacker could call an authorized employee
with an urgent problem that requires immediate network access. The attacker could
appeal to the employee�s vanity, invoke authority using name-dropping techniques,
or appeal to the employee�s greed.

These are some types of social engineering attacks:

Pretexting - This is when an attacker calls an individual and lies to them in an

attempt to gain access to privileged data. An example involves an attacker who
pretends to need personal or financial data in order to confirm the identity of the
recipient.

Something for Something (Quid pro quo) - This is when an attacker requests personal
information from a party in exchange for something, like a gift.

Social Engineering Tactics

Social engineers rely on several tactics. Social engineering tactics include:

Authority � people are more likely to comply when instructed by �an authority�
Intimidation � criminals bully a victim into taking action
Consensus/Social Proof � people will take action if they think that other people
like it too
Scarcity � people will take action when they think there is a limited quantity
Urgency � people will take action when they think there is a limited time
Familiarity/Liking � Criminals build a rapport with the victim to establish a
relationship
Trust � Criminals build a trusting relationship with a victim which may require
more time to establish

Cybersecurity professionals are responsible for educating others in the

organization to the tactics of social engineers. Click here to learn more about
social engineering tactics.

Methods of Deception

Shoulder Surfing and Dumpster Diving

A criminal observes, or shoulder surfs, to pick up PINs, access codes or credit
card numbers. An attacker can be in close proximity to his victim or the attacker
can use binoculars or closed circuit cameras to shoulder surf. That is one reason
that a person can only read an ATM screen at certain angles. These types of
safeguards make shoulder surfing much more difficult.

"One man's trash is another man's treasure". This phrase can be especially true in
the world of dumpster diving which is the process of going through a target's trash
to see what information an organization throws out. Consider securing the trash
receptacle. Any sensitive information should be properly disposed of through
shredding or the use of burn bags, a container that holds classified or sensitive
documents for later destruction by fire.

Impersonation and Hoaxes

Impersonation is the action of pretending to be someone else. For example, a recent
phone scam targeted taxpayers. A criminal, posing as an IRS employee, told the
victims that they owed money to the IRS. The victims must pay immediately through a
wire transfer. The impersonator threatened that failure to pay will result in an
arrest. Criminals also use impersonation to attack others. They can undermine the
credibility of individuals by using website or social media postings.

A hoax is an act intended to deceive or trick. A cyber hoax can cause just as much
disruption as an actual breach would cause. A hoax elicits a user reaction. The
reaction can create unnecessary fear and irrational behavior. Users pass hoaxes
through email and social media.

Piggybacking and Tailgating

Piggybacking occurs when a criminal tags along with an authorized person to gain
entry into a secure location or a restricted area. Criminals use several methods to
piggyback:

They give the appearance of being escorted by the authorized individual

They join a large crowd pretending to be a member
They target a victim who is careless about the rules of the facility
Tailgating is another term that describes the same practice.

A mantrap prevents piggybacking by using two sets of doors. After individuals enter
an outer door, that door must close before entering the inner door.
Online, Email, and Web-based Deception
Forwarding hoax emails and other jokes, funny movies, and non-work-related emails
at work may violate the company's acceptable use policy and result in disciplinary
actions.

Defending Against Deception

Organizations need to promote awareness of social engineering tactics and properly
educate employees on prevention measures, such as the following:

Never provide confidential information or credentials via email, chat sessions, in-
person, or on the phone to unknown parties.
Resist the urge to click on enticing emails and website links.
Keep an eye out for uninitiated or automatic downloads.
Establish policies and educate employees about those policies.
When it comes to security, give employees a sense of ownership.
Do not fall to pressure from unknown individuals.

Attacks

Types of Cyber Attacks

Denial of Service
Denial-of-Service (DoS) attacks are a type of network attack. A DoS attack results
in some sort of interruption of network services to users, devices, or
applications. There are two major types of DoS attacks:

Overwhelming Quantity of Traffic � The attacker sends an enormous quantity of data

at a rate that the network, host, or application cannot handle. This causes a
slowdown in transmission or response, or a crash of a device or service.
Maliciously Formatted Packets � The attacker sends a maliciously formatted packet
to a host or application and the receiver is unable to handle it. For example, an
application cannot identify packets containing errors or improperly formatted
packets forwarded by the attacker. This causes the receiving device to run very
slowly or crash.
DoS attacks are a major risk because they can easily interrupt communication and
cause significant loss of time and money. These attacks are relatively simple to
conduct, even by an unskilled attacker.

The goal of a denial-of-service attack is to deny access to authorized users making

the network unavailable (remember the three underlying security principles:
confidentiality, integrity, and availability). Click Play in Figure 1 to view the
animation of a DoS attack.

A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from
multiple, coordinated sources. As an example, a DDoS attack could proceed as
follows:

An attacker builds a network of infected hosts, called a botnet, comprised of

zombies. Zombies are the infected hosts. The attacker uses handler systems to
control the zombies. The zombie computers constantly scan and infect more hosts,
creating more zombies. When ready, the hacker instructs the handler systems to make
the botnet of zombies carry out a DDoS attack.

Sniffing
Sniffing is similar to eavesdropping on someone. It occurs when attackers examine
all network traffic as it passes through their NIC, independent of whether or not
the traffic is addressed to them or not. Criminals accomplish network sniffing with
a software application, hardware device, or a combination of the two. As shown in
the figure, sniffing views all network traffic or it can target a specific
protocol, service, or even string of characters such as a login or password. Some
network sniffers observe all traffic and modify some or all of the traffic as well.

Sniffing also has its benefits. Network administrators may also use sniffers to
analyze network traffic, identify bandwidth issues, and troubleshoot other network
issues.

Physical security is important in preventing the introduction of sniffers on the

internal network.

Spoofing
Spoofing is an impersonation attack, and it takes advantage of a trusted
relationship between two systems. If two systems accept the authentication
accomplished by each other, an individual logged onto one system might not go
through an authentication process again to access the other system. An attacker can
take advantage of this arrangement by sending a packet to one system that appears
to have come from a trusted system. Since the trusted relationship is in place, the
targeted system may perform the requested task without authentication.

There are multiple types of spoofing attacks.

MAC address spoofing occurs when one computer accepts data packets based on the MAC
address of another computer.
IP spoofing sends IP packets from a spoofed source address to disguise itself.
Address Resolution Protocol (ARP) is a protocol that resolves IP addresses to MAC
addresses for transmitting data. ARP spoofing sends spoofed ARP messages across a
LAN to link the criminal�s MAC address with the IP address of an authorized member
of the network.
The Domain Name System (DNS) associates domain names with IP addresses. DNS server
spoofing modifies the DNS server to reroute a specific domain name to a different
IP address controlled by the criminal.

Man-in-the-middle
A criminal performs a man-in-the-middle (MitM) attack by intercepting
communications between computers to steal information crossing the network. The
criminal can also choose to manipulate messages and relay false information between
hosts since the hosts are unaware that a modification to the messages occurred.
MitM allows the criminal to take control over a device without the user�s
knowledge.

Click the steps in the figure to learn the basics of a MitM attack.

Man-In-The-Mobile (MitMo) is a variation of man-in-middle. MitMo takes control over

a mobile device. The infected mobile device sends user-sensitive information to the
attackers. ZeuS, an example of an exploit with MitMo capabilities, allows attackers
quietly to capture 2-step verification SMS messages sent to users. For example,
when a user sets up an Apple ID, he or she must provide an SMS-capable phone number
to receive a temporary verification code via text message to prove the user�s
identity. Malware spies on this type of communication and relays the information
back to the criminals.

A replay attack occurs when an attacker captures a portion of a communication

between two hosts and then retransmits the captured message later. Replay attacks
circumvent authentication mechanisms.

Zero-Day Attacks
A zero-day attack, sometimes referred to as a zero-day threat, is a computer attack
that tries to exploit software vulnerabilities that are unknown or undisclosed by
the software vendor. The term zero hour describes the moment when someone discovers
the exploit. During the time it takes the software vendor to develop and release a
patch, the network is vulnerable to these exploits, as shown in the figure.
Defending against these fast-moving attacks requires network security professionals
to adopt a more sophisticated view of the network architecture. It is no longer
possible to contain intrusions at a few points in the network.

Keyboard Logging
Keyboard logging is a software program that records or logs the keystrokes of the
user of the system. Criminals can implement keystroke loggers through software
installed on a computer system or through hardware physically attached to a
computer. The criminal configures the key logger software to email the log file.
The keystrokes captured in the log file can reveal usernames, passwords, websites
visited, and other sensitive information.

Keyboard loggers can be legitimate, commercial software. Parents often purchase key
logger software to track the websites and behavior of children using the Internet.
Many anti-spyware applications are able to detect and remove unauthorized key
loggers. Although keylogging software is legal, criminals use the software for
illegal purposes.

Defending Against Attacks

Defending Against Attacks

An organization can take a number of steps to defend against various attacks.
Configure firewalls to discard any packets from outside of the network that have
addresses indicating that they originated from inside the network. This situation
does not normally occur, and it indicates that a cybercriminal attempted a spoofing
attack.

To prevent DoS and DDoS attacks, ensure patches and upgrades are current,
distribute the workload across server systems, and block external Internet Control
Message Protocol (ICMP) packets at the border. Network devices use ICMP packets to
send error messages. For example, the ping command uses ICMP packets to verify that
a device can communicate with another on the network.

Systems can prevent falling victim to a replay attack by encrypting traffic,

providing cryptographic authentication, and including a time stamp with each
portion of the message.

Wireless and Mobile Device Attacks

Defending Against Attacks

An organization can take a number of steps to defend against various attacks.
Configure firewalls to discard any packets from outside of the network that have
addresses indicating that they originated from inside the network. This situation
does not normally occur, and it indicates that a cybercriminal attempted a spoofing
attack.

To prevent DoS and DDoS attacks, ensure patches and upgrades are current,
distribute the workload across server systems, and block external Internet Control
Message Protocol (ICMP) packets at the border. Network devices use ICMP packets to
send error messages. For example, the ping command uses ICMP packets to verify that
a device can communicate with another on the network.

Systems can prevent falling victim to a replay attack by encrypting traffic,

providing cryptographic authentication, and including a time stamp with each
portion of the message.

Rogue Access Points

A rogue access point is a wireless access point installed on a secure network
without explicit authorization. A rogue access point can be set up in two ways. The
first is when a well-intentioned employee is trying to be helpful by making it
easier to connect mobile devices. The second way is when a criminal gains physical
access to an organization by sneaking in and installs the rogue access point. Since
both are unauthorized, both pose risks to the organization.

A rogue access point can also refer to a criminal�s access point. In this instance,
the criminal sets up the access point as a MitM device to capture login information
from users.

An Evil Twin attack uses the criminal�s access point improved with higher power and
higher gain antennas to look like a better connection option for users. After users
connect to the evil access point, the criminals can analyze traffic and execute
MitM attacks.

RF Jamming
Wireless signals are susceptible to electromagnetic interference (EMI), radio-
frequency interference (RFI), and may even be susceptible to lightning strikes or
noise from fluorescent lights. Wireless signals are also susceptible to deliberate
jamming. Radio frequency (RF) jamming disrupts the transmission of a radio or
satellite station so that the signal does not reach the receiving station.

The frequency, modulation, and power of the RF jammer needs to be equal to that of
the device that the criminal wants to disrupt in order to successfully jam the
wireless signal.

Bluejacking and Bluesnarfing

Bluetooth is a short-range, low-power protocol. Bluetooth transmits data in a
personal area network, or PAN, and can include devices such as mobile phones,
laptops, and printers. Bluetooth has gone through several version releases. Easy
configuration is a characteristic of Bluetooth, so there is no need for network
addresses. Bluetooth uses pairing to establish the relationship between devices.
When establishing the pairing, both devices use the same passkey.

Bluetooth vulnerabilities have surfaced, but due to the limited range of Bluetooth,
the victim and the attacker need to be within range of each other.

Bluejacking is the term used for sending unauthorized messages to another Bluetooth
device. A variation of this is to send a shocking image to the other device.
Bluesnarfing occurs when the attacker copies the victim's information from his
device. This information can include emails and contact lists.

WEP and WPA Attacks

Wired Equivalent Privacy (WEP) is a security protocol that attempted to provide a
wireless local area network (WLAN) with the same level of security as a wired LAN.
Since physical security measures help to protect a wired LAN, WEP seeks to provide
similar protection for data transmitted over the WLAN with encryption.

WEP uses a key for encryption. There is no provision for key management with WEP,
so the number of people sharing the key will continually grow. Since everyone is
using the same key, the criminal has access to a large amount of traffic for
analytic attacks.

WEP also has several problems with its initialization vector (IV) which is one of
the components of the cryptographic system:
It is a 24-bit field, which is too small.
It is cleartext, which means it is readable.
It is static so identical key streams will repeat on a busy network.
Wi-Fi Protected Access (WPA) and then WPA2 came out as improved protocols to
replace WEP. WPA2 does not have the same encryption problems because an attacker
cannot recover the key by observing traffic. WPA2 is susceptible to attack because
cyber criminals can analyze the packets going between the access point and a
legitimate user. Cyber criminals use a packet sniffer and then run attacks offline
on the passphrase.

Defending Against Wireless and Mobile Device Attacks

There are several steps to take to defend against wireless and mobile device
attacks. Most WLAN products use default settings. Take advantage of the basic
wireless security features such as authentication and encryption by changing the
default configuration settings.

Restrict access point placement with the network by placing these devices outside
the firewall or within a demilitarized zone (DMZ) which contains other untrusted
devices such as email and web servers.

WLAN tools such as NetStumbler may discover rogue access points or unauthorized
workstations. Develop a guest policy to address the need when legitimate guests
need to connect to the Internet while visiting. For authorized employees, utilize a
remote access virtual private network (VPN) for WLAN access.

Application Attacks

Cross-Site Scripting
Cross-site scripting (XSS) is a vulnerability found in web applications. XSS allows
criminals to inject scripts into the web pages viewed by users. This script can
contain malicious code.

Cross-site scripting has three participants: the criminal, the victim, and the
website. The cyber-criminal does not target a victim directly. The criminal
exploits vulnerability within a website or web application. Criminals inject
client-side scripts into web pages viewed by users, the victims. The malicious
script unknowingly passes to the user's browser. A malicious script of this type
can access any cookies, session tokens, or other sensitive information. If
criminals obtain the victim�s session cookie, they can impersonate that user.

Code Injection
One way to store data at a website is to use a database. There are several
different types of databases such as a Structured Query Language (SQL) database or
an Extensible Markup Language (XML) database. Both XML and SQL injection attacks
exploit weaknesses in the program such as not validating database queries properly.

XML Injection

When using an XML database, an XML injection is an attack that can corrupt the
data. After the user provides input, the system accesses the required data via a
query. The problem occurs when the system does not properly scrutinize the input
request provided by the user. Criminals can manipulate the query by programming it
to suit their needs and can access the information on the database.

All sensitive data stored in the database is accessible to the criminals and they
can make any number of changes to the website. An XML injection attack threatens
the security of the website.
SQL Injection

The cybercriminal exploits a vulnerability by inserting a malicious SQL statement

in an entry field. Again, the system does not filter the user input correctly for
characters in an SQL statement. Criminals use SQL injection on websites or any SQL
database.

Criminals can spoof an identity, modify existing data, destroy data, or become
administrators of the database server.

Buffer Overflow
A buffer overflow occurs when data goes beyond the limits of a buffer. Buffers are
memory areas allocated to an application. By changing data beyond the boundaries of
a buffer, the application accesses memory allocated to other processes. This can
lead to a system crash, data compromise, or provide escalation of privileges.

The CERT/CC at Carnegie Mellon University estimates that nearly half of all
exploits of computer programs stem historically from some form of buffer overflow.
The generic classification of buffer overflows includes many variants, such as
static buffer overruns, indexing errors, format string bugs, Unicode and ANSI
buffer size mismatches, and heap overruns.

Remote Code Executions

Vulnerabilities allow a cybercriminal to execute malicious code and take control of
a system with the privileges of the user running the application. Remote code
execution allows a criminal to execute any command on a target machine.

Take, for example, Metasploit. Metasploit is a tool for developing and executing
exploit code against a remote target. Meterpreter is an exploit module within
Metasploit that provides advanced features. Meterpreter allows criminals to write
their own extensions as a shared object. Criminals upload and inject these files
into a running process on the target. Meterpreter loads and executes all of the
extensions from memory, so they never involve the hard drive. This also means that
these files fly under the radar of antivirus detection. Meterpreter has a module
for controlling a remote system�s webcam. Once a criminal installs Meterpreter on
the victim�s system, he or she can view and capture images from the victim�s
webcam.

ActiveX Controls and Java

When browsing the web, some pages may not work properly unless the user installs an
ActiveX control. ActiveX controls provide the capability of a plugin to Internet
Explorer. ActiveX controls are pieces of software installed by users to provide
extended capabilities. Third parties write some ActiveX controls and they may be
malicious. They can monitor browsing habits, install malware, or log keystrokes.
ActiveX controls also work in other Microsoft applications.

Java operates through an interpreter, the Java Virtual Machine (JVM). The JVM
enables the Java program�s functionality. The JVM sandboxes or isolates untrusted
code from the rest of the operating system. There are vulnerabilities, which allow
untrusted code to go around the restrictions imposed by the sandbox. There are also
vulnerabilities in the Java class library, which an application uses for its
security. Java is the second biggest security vulnerability next to Adobe�s Flash
plugin.

Defending Against Application Attacks

The first line of defense against an application attack is to write solid code.
Regardless of the language used, or the source of outside input, prudent
programming practice is to treat all input from outside a function as hostile.
Validate all inputs as if they were hostile.

Keep all software including operating systems and applications up to date, and do
not ignore update prompts. Not all programs update automatically. At the very
least, select the manual update option. Manual updates allow users to see exactly
what updates take place.

The Art Of Protecting Secrets

The principles of cryptology explain how modern day protocols and algorithms secure
communications. Cryptology is the science of making and breaking secret codes. The
development and use of codes is cryptography. Studying and breaking codes is
cryptanalysis. Society has used cryptography for centuries to protect secret
documents. For example, Julius Caesar used a simple alphabetic cipher to encrypt
messages to his generals in the field. His generals would have knowledge of the
cipher key required to decrypt the messages. Today, modern day cryptographic
methods ensure secure communications.

Access control is, as its name suggests, a way of controlling access to a building,
a room, a system, a database, a file, and information. Organizations employ a
variety of access control techniques to protect confidentiality. This chapter will
examine the four steps in the access control process: 1) identification, 2)
authentication, 3) authorization, and 4) accountability. In addition, the chapter
describes the different access control models and access control types.

The chapter concludes by discussing the various ways users mask data. Data
obfuscation and steganography are two techniques used to accomplish data masking

What is Cryptography?
Cryptology is the science of making and breaking secret codes. Cryptography is a
way to store and transmit data so only the intended recipient can read or process
it. Modern cryptography uses computationally secure algorithms to make sure that
cyber criminals cannot easily compromise protected information.

Data confidentiality ensures privacy so that only the intended receiver can read
the message. Parties achieve this through encryption. Encryption is the process of
scrambling data so that an unauthorized party cannot easily read it.

When enabling encryption, readable data is plaintext, or cleartext, while the

encrypted version is encrypted text or ciphertext. Encryption converts the
plaintext readable message to ciphertext, which is the unreadable, disguised
message. Decryption reverses the process. Encryption also requires a key, which
plays a critical role in encrypting and decrypting a message. The person possessing
the key can decrypt the ciphertext to plaintext.

Historically, parties have used various encryption algorithms and methods. An

algorithm is the process or formula used to solve a problem. Julius Caesar is said
to have secured messages by putting two sets of the alphabet, side-by-side, and
then shifting one of them by a specific number of places. The number of places in
the shift serves as the key. He converted plaintext into ciphertext using this key,
and only his generals, who also had the key, knew how to decipher the messages.
This method is the Caesar cipher.

The History of Cryptography

The history of cryptography started in diplomatic circles thousands of years ago.
Messengers from a king�s court took encrypted messages to other courts.
Occasionally, other courts not involved in the communication, attempted to steal
messages sent to a kingdom they considered an adversary. Not long after, military
commanders started using encryption to secure messages.

Over the centuries, various cipher methods, physical devices, and aids encrypted
and decrypted text:

All cipher methods use a key to encrypt or decrypt a message. The key is an
important component in the encryption algorithm. An encryption algorithm is only as
good as the key used. The more complexity involved, the more secure the algorithm.
Key management is an important piece in the process.

Creating Ciphertext
Each encryption method uses a specific algorithm, called a cipher, to encrypt and
decrypt messages. A cipher is a series of well-defined steps used to encrypt and
decrypt messages. There are several methods of creating ciphertext:

Transposition � letters are rearranged (Figure 1)

Substitution � letters are replaced (Figure 2)
One-time pad � plaintext combined with a secret key creates a new character, which
then combines with the plaintext to produce ciphertext (Figure 3)
Old encryption algorithms, such as the Caesar cipher or the Enigma machine,
depended on the secrecy of the algorithm to achieve confidentiality. With modern
technology, where reverse engineering is often simple, parties use public-domain
algorithms. With most modern algorithms, successful decryption requires knowledge
of the appropriate cryptographic keys. This means that the security of encryption
lies in the secrecy of the keys, not the algorithm.

Some modern encryption algorithms still use transposition as part of the algorithm.

Key management is the most difficult part of designing a cryptosystem. Many

cryptosystems have failed because of mistakes in their key management, and all
modern cryptographic algorithms require key management procedures. In practice,
most attacks on cryptographic systems involve attacking the key management system,
rather than the cryptographic algorithm itself.

Two Types of Encryption

Cryptographic encryption can provide confidentiality by incorporating various tools
and protocols.

There are two approaches to ensuring the security of data when using encryption.
The first is to protect the algorithm. If the security of an encryption system
depends on the secrecy of the algorithm itself, the most important aspect is to
guard the algorithm at all costs. Every time someone finds out the details of the
algorithm, every party involved would need to change the algorithm. That approach
does not sound very secure or manageable. The second approach is to protect the
keys. With modern cryptography, the algorithms are public. The cryptographic keys
ensure the secrecy of the data. Cryptographic keys are passwords that are part of
the input into an encryption algorithm together along with the data requiring
encryption.

There are two classes of encryption algorithms:

Symmetric algorithms - These algorithms use the same pre-shared key, sometimes
called a secret key pair, to encrypt and decrypt data. Both the sender and receiver
know the pre-shared key before any encrypted communication begins. As shown in
Figure 1, symmetric algorithms use the same key to encrypt and decrypt the
plaintext. Encryption algorithms that use a common key are simpler and need less
computational power.
Asymmetric algorithms - Asymmetrical encryption algorithms use one key to encrypt
data and a different key to decrypt data. One key is public and the other is
private. In a public-key encryption system, any person can encrypt a message using
the public key of the receiver, and the receiver is the only one that can decrypt
it using his private key. Parties exchange secure messages without needing a pre-
shared key, as shown in Figure 2. Asymmetric algorithms are more complex. These
algorithms are resource intensive and slower to execute.

Private Key Encryption

The Symmetrical Encryption Process

Symmetric algorithms use the same pre-shared key to encrypt and decrypt data, a
method also known as private-key encryption.

For example, Alice and Bob live in different locations and want to exchange secret
messages with one another through the mail system. Alice wants to send a secret
message to Bob.

Private-key encryption uses a symmetric algorithm. As illustrated by the keys in

the figure, Alice and Bob have identical keys to a single padlock. The key exchange
happened prior to sending any secret messages. Alice writes a secret message and
puts it in a small box that she locks using the padlock. She mails the box to Bob.
The message is safe inside the box as the box makes its way through the post office
system. When Bob receives the box, he uses his key to unlock the padlock and
retrieve the message. Bob can use the same box and padlock to send a secret reply
back to Alice.

If Bob wants to talk to Carol, he needs a new pre-shared key for that communication
to keep it secret from Alice. The more people Bob wants to communicate with
securely, the more keys he will need to manage.

Types of Cryptography
The most common types of cryptography are block ciphers and stream ciphers. Each
method differs in the way that it groups bits of data to encrypt it.

Block Ciphers

Block ciphers transform a fixed-length block of plaintext into a common block of

ciphertext of 64 or 128 bits. Block size is the amount of data encrypted at any one
time. To decrypt this ciphertext, apply the reverse transformation to the
ciphertext block, using the same secret key.

Block ciphers usually result in output data that is larger than the input data,
because the ciphertext must be a multiple of the block size. For example, Data
Encryption Standard (DES) is a symmetric algorithm that encrypts blocks in 64-bit
chunks using a 56-bit key. To accomplish this, the block algorithm takes data one
chunk at a time, for example, 8 bytes per chunk, until the entire block is full. If
there is less input data than one full block, the algorithm adds artificial data,
or blanks, until it uses the full 64 bits, as shown in Figure 1 for the 64 bits on
the left.

Stream Ciphers

Unlike block ciphers, stream ciphers encrypt plaintext one byte or one bit at a
time, as shown in Figure 2. Think of stream ciphers as a block cipher with a block
size of one bit. With a stream cipher, the transformation of these smaller
plaintext units varies, depending on when they are encountered during the
encryption process. Stream ciphers can be much faster than block ciphers, and
generally do not increase the message size, because they can encrypt an arbitrary
number of bits.

A5 is a stream cipher that provides voice privacy and encrypts cell phone
communications. It is also possible to use DES in stream cipher mode.

Complex cryptographic systems can combine block and stream in the same process.

Symmetric Encryption Algorithms

Numerous encryption systems use symmetric encryption. Some of the common encryption
standards that use symmetric encryption include the following:

3DES (Triple DES): Digital Encryption Standard (DES) is a symmetric block cipher
with 64-bit block size that uses a 56-bit key. It takes a 64-bit block of plaintext
as input and outputs a 64-bit block of ciphertext. It always operates on blocks of
equal size and it uses both permutations and substitutions in the algorithm. A
permutation is a way of arranging all elements of a set.

Triple DES encrypts data three times and uses a different key for at least one of
the three passes, giving it a cumulative key size of 112-168 bits. 3DES is
resistant to attack, but it is much slower than DES.

The 3DES encryption cycle is as follows:

1. Data encrypted by first DES

2. Data decrypted by second DES

3. Data re-encrypted by third DES

The reverse process decrypts the ciphertext.

IDEA: The International Data Encryption Algorithm (IDEA) uses 64-bit blocks and
128-bit keys. IDEA performs eight rounds of transformations on each of the 16
blocks that results from dividing each 64-bit block. IDEA was the replacement for
DES, and now PGP (Pretty Good Privacy) uses it. PGP is a program that provides
privacy and authentication for data communication. GNU Privacy Guard (GPG) is a
licensed, free version of PGP.

AES: The Advanced Encryption Standard (AES) has a fixed block size of 128-bits with
a key size of 128, 192, or 256 bits. The National Institute of Standards and
Technology (NIST) approved the AES algorithm in December 2001. The U.S. government
uses AES to protect classified information.

AES is a strong algorithm that uses longer key lengths. AES is faster than DES and
3DES, so it provides both a solution for software applications as well as hardware
use in firewalls and routers.

Other block ciphers include Skipjack (developed by the NSA), Blowfish, and Twofish.

Public Key Encryption

The Asymmetrical Encryption Process

Asymmetric encryption, also called public-key encryption, uses one key for
encryption that is different from the key used for decryption. A criminal cannot
calculate the decryption key based on knowledge of the encryption key, and vice
versa, in any reasonable amount of time.
If Alice and Bob exchange a secret message using public-key encryption, they use an
asymmetric algorithm. This time Bob and Alice do not exchange keys prior to sending
secret messages. Instead, Bob and Alice each have a separate padlock with separate
corresponding keys. For Alice to send a secret message to Bob, she must first
contact him and ask him to send his open padlock to her. Bob sends the padlock but
keeps his key. When Alice receives the padlock, she writes her secret message and
puts it in a small box. She also puts her open padlock in the box but keeps her
key. She then locks the box with Bob�s padlock. When Alice locks the box, she is no
longer able to get inside because she does not have a key to that padlock. She
mails the box to Bob and, as the box travels through the mail system, no one is
able to open it. When Bob receives the box, he can use his key to unlock the box
and retrieve the message from Alice. To send a secure reply, Bob puts his secret
message in the box, along with his open padlock, and locks the box using Alice�s
padlock. Bob mails the secured box back to Alice.

For example, in Figure 1, Alice requests and obtains Bob�s public key. In Figure 2,
Alice uses Bob�s public key to encrypt a message using an agreed-upon algorithm.

Asymmetric Encryption Algorithms

Asymmetric algorithms use formulas that anyone can look up. The pair of unrelated
keys is what makes these algorithms secure. The asymmetric algorithms include:

RSA (Rivest-Shamir-Adleman) - uses the product of two very large prime numbers with
an equal length of between 100 and 200 digits. Browsers use RSA to establish a
secure connection.

Diffie-Hellman - provides an electronic exchange method to share the secret key.

Secure protocols, such as Secure Sockets Layer (SSL), Transport Layer Security
(TLS), Secure Shell (SSH), and Internet Protocol Security (IPsec), use Diffie-
Hellman.

ElGamal - uses the U.S. government standard for digital signatures. This algorithm
is free for use because no one holds the patent.

Elliptic Curve Cryptography (ECC) - uses elliptic curves as part of the algorithm.
In the U.S., the National Security Agency uses ECC for digital signature generation
and key exchange.

Key Management
Key management includes the generation, exchange, storage, use, and replacement of
keys used in an encryption algorithm.

Key management is the most difficult part of designing a cryptosystem. Many

cryptosystems have failed because of mistakes in their key management procedures.
In practice, most attacks on cryptographic systems target the key management level,
rather than the cryptographic algorithm itself.

As shown in the figure, there are several essential characteristics of key

management to consider.

Two terms used to describe keys are:

Key length - Also called the key size, this is the measure in bits.
Keyspace - This is the number of possibilities that a specific key length can
generate.
As key length increase, the keyspace increases exponentially. The keyspace of an
algorithm is the set of all possible key values. Longer keys are more secure;
however, they are also more resource intensive. Almost every algorithm has some
weak keys in its keyspace that enable a criminal to break the encryption via a
shortcut.

Comparing Encryption Types

It is important to understand the differences between symmetric and asymmetric
encryption methods. Symmetric encryption systems are more efficient and can handle
more data. However, key management with symmetric encryption systems is more
problematic and harder to manage. Asymmetric cryptography is more efficient at
protecting the confidentiality of small amounts of data, and its size and speed
make it more secure for tasks such as electronic key exchange which is a small
amount of data rather than encrypting large blocks of data.

Maintaining confidentiality is important for both data at rest and data in motion.
In both cases, symmetric encryption is favored because of its speed and the
simplicity of the algorithm. Some asymmetric algorithms can significantly increase
the size of the object encrypted. Therefore, in the case of data in motion, use
public key cryptography to exchange the secret key, and then symmetric cryptography
to ensure the confidentiality of the data sent.

Applications
There are many applications for both symmetric and asymmetric algorithms.

A one-time password-generating token is a hardware device that uses cryptography to

generate a one-time password. A one-time password is an automatically generated
numeric or alphanumeric string of characters that authenticates a user for one
transaction of one session only. The number changes every 30 seconds or so. The
session password appears on a display and the user enters the password.

The electronic payment industry uses 3DES. Operating systems use DES to protect
user files and system data with passwords. Most encrypting file systems, such as
NTFS, use AES.

Four protocols use asymmetric key algorithms:

Internet Key Exchange (IKE), which is a fundamental component of IPsec Virtual

Private Networks (VPNs).
Secure Socket Layer (SSL), which is a means of implementing cryptography into a web
browser.
Secure Shell (SSH), which is a protocol that provides a secure remote access
connection to network devices.
Pretty Good Privacy (PGP), which is a computer program that provides cryptographic
privacy and authentication to increase the security of email communications.
A VPN is a private network that uses a public network, usually the Internet, to
create a secure communication channel. A VPN connects two endpoints such as two
remote offices over the Internet to form the connection.

VPNs use IPsec. IPsec is a suite of protocols developed to achieve secure services
over networks. IPsec services allow for authentication, integrity, access control,
and confidentiality. With IPsec, remote sites can exchange encrypted and verified
information.

Data in use is a growing concern to many organizations. When in use, data no longer
has any protection because the user needs to open and change the data. System
memory holds data in use and it can contain sensitive data such as the encryption
key. If criminals compromise data in use, they will have access to data at rest and
data in motion.
Access Controls

Types of Access Controls

Physical Access Controls

Physical access controls are actual barriers deployed to prevent direct contact
with systems. The goal is to prevent unauthorized users from gaining physical
access to facilities, equipment, and other organizational assets.

Physical access control determines who can enter (or exit), where they can enter
(or exit), and when they can enter (or exit).

Examples of physical access controls include the following:

Guards monitor the facility

Fences protect the perimeter
Motion detectors detect moving objects
Laptop locks safeguard portable equipment
Locked doors prevent unauthorized access
Swipe cards allow access to restricted areas
Guard dogs protect the facility
Video cameras monitor a facility by collecting and recording images
Mantraps allow access to the secured area after door 1 closes
Alarms detect intrusion

Logical Access Controls

Logical access controls are the hardware and software solutions used to manage
access to resources and systems. These technology-based solutions include tools and
protocols that computer systems use for identification, authentication,
authorization, and accountability.

Logical access controls include the following:

Encryption is the process of taking plaintext and creating ciphertext

Smart cards have an embedded microchip
Passwords are protected string of characters
Biometrics are users� physical characteristics
Access Control Lists (ACLs) define the type of traffic allowed on a network
Protocols are a set of rules that govern the exchange of data between devices
Firewalls prevent unwanted network traffic
Routers connect at least two networks
Intrusion Detection Systems monitor a network for suspicious activities
Clipping Levels are certain allowed thresholds for errors before triggering a red
flag.

Administrative Access Controls

Administrative access controls are the policies and procedures defined by
organizations to implement and enforce all aspects of controlling unauthorized
access. Administrative controls focus on personnel and business practices.
Administrative controls include the following:

Policies are statements of intent

Procedures are the detailed steps required to perform an activity
Hiring practices involves the steps an organization takes to find qualified
employees
Background checks are an employment screening that includes information of past
employment verification, credit history, and criminal history
Data classification categorizes data based on its sensitivity
Security training educates employees about the security policies at an organization
Reviews evaluate an employee�s job performance

Access Control Strategies

Mandatory Access Control

Mandatory access control (MAC) restricts the actions that a subject can perform on
an object. A subject can be a user or a process. An object can be a file, a port,
or an input/output device. An authorization rule enforces whether or not a subject
can access the object.

Organizations use MAC where different levels of security classifications exist.

Every object has a label and every subject has a clearance. A MAC system restricts
a subject based on the security classification of the object and the label attached
to the user.

For example, take the military security classifications Secret and Top Secret. If a
file (an object) is considered top secret, it is classified (labeled) Top Secret.
The only people (subjects) that may view the file (object) are those with a Top
Secret clearance. It is up to the access control mechanism to ensure that an
individual (subject) with only a Secret clearance, never gains access to a file
labeled as Top Secret. Similarly, a user (subject) cleared for Top Secret access
cannot change the classification of a file (object) labeled Top Secret to Secret.
Additionally, a Top Secret user cannot send a Top Secret file to a user cleared
only to see Secret information.

Discretionary Access Control

An object�s owner determines whether to allow access to an object with
discretionary access control (DAC). DAC grants or restricts object access
determined by the object�s owner. As the name implies, controls are discretionary
because an object owner with certain access permissions can pass on those
permissions to another subject.

In systems that employ discretionary access controls, the owner of an object can
decide which subjects can access that object and what specific access they may
have. One common method to accomplish this is with permissions, as shown in the
figure. The owner of a file can specify what permissions (read/write/execute) other
users may have.

Access control lists are another common mechanism used to implement discretionary
access control. An access control list uses rules to determine what traffic can
enter or exit a network

Role-Based Access Control

Role-based access control (RBAC) depends on the role of the subject. Roles are job
functions within an organization. Specific roles require permissions to perform
certain operations. Users acquire permissions through their role.

RBAC can work in combination with DAC or MAC by enforcing the policies of either
one. RBAC helps to implement security administration in large organizations with
hundreds of users and thousands of possible permissions. Organizations widely
accept the use of RBAC to manage computer permissions within a system, or
application, as a best practice.

Rule-Based Access Control

Rule-based access control uses access control lists (ACLs) to help determine
whether to grant access. A series of rules is contained in the ACL, as shown in the
figure.

The determination of whether to grant access depends on these rules. An example of

such a rule is one that states that no employee may have access to the payroll file
after hours or on weekends.

As with MAC, users cannot change the access rules. Organizations can combine rule-
based access control with other strategies for implementing access restrictions.
For example, MAC methods can utilize a rule-based approach for implementation.

Identification

What is Identification?
Identification enforces the rules established by the authorization policy. A
subject requests access to a system resource. Every time the subject requests
access to a resource, the access controls determine whether to grant or deny
access. For example, the authorization policy determines what activities a user can
perform on a resource.

A unique identifier ensures the proper association between allowed activities and
subjects. A username is the most common method used to identify a user. A username
can be an alphanumeric combination, a personal identification number (PIN), a smart
card, or biometric, such as a fingerprint, retina scan, or voice recognition.

A unique identifier ensures that a system can identify each user individually;
therefore, allowing an authorized user to perform the appropriate actions on a
particular resource.

Identification Controls
Cybersecurity policies determine which identification controls should be used. The
sensitivity of the information and information systems determine how stringent the
controls. The increase in data breaches has forced many organizations to strengthen
their identification controls. For example, the credit card industry in the United
States requires all vendors to convert to smart card identification systems.

Authrntication Methods

What You Know

Passwords, passphrases, or PINs are all examples of something that the user knows.
Passwords are the most popular method used for authentication. The terms
passphrase, passcode, passkey, or PIN are generically referred to as password. A
password is a string of characters used to prove a user�s identity. If this string
of characters relates back to a user (such as a name, birthdate, or address), it
will be easier for cyber criminals to guess a user�s password.

A number of publications recommend that a password be at least eight characters.

Users should not create a password that is so long that it is difficult to
memorize, or conversely, so short that it becomes vulnerable to password cracking.
Passwords should contain a combination of upper and lowercase letters, numbers, and
special characters. Click here to test current passwords.

Users need to use different passwords for different systems because if a criminal
cracks the user�s password once, the criminal will have access to all of a user�s
accounts. A password manager can help a user create and remember strong passwords.
What You Have
Smart cards and security key fobs are both examples of something that users have in
their possession.

Smart Card Security (Figure 1) � A smart card is a small plastic card, about the
size of a credit card, with a small chip embedded in it. The chip is an intelligent
data carrier, capable of processing, storing, and safeguarding data. Smart cards
store private information, such as bank account numbers, personal identification,
medical records, and digital signatures. Smart cards provide authentication and
encryption to keep data safe.

Security Key Fob (Figure 2) � A security key fob is a device that is small enough
to attach to a key ring. It uses a process called two-factor authentication, which
is more secure than a username and password combination. First, the user enters a
personal identification number (PIN). If correctly entered, the security key fob
will display a number. This is the second factor, which the user must enter to log
in to the device or network.

Who You Are

A unique physical characteristic, such as a fingerprint, retina, or voice, that
identifies a specific user is called biometrics. Biometric security compares
physical characteristics against stored profiles to authenticate users. A profile
is a data file containing known characteristics of an individual. The system grants
the user access if his or her characteristics match saved settings. A fingerprint
reader is a common biometric device.

There are two types of biometric identifiers:

Physiological characteristics � these include fingerprints, DNA, face, hands,

retina, or ear features
Behavioral characteristics - include patterns of behavior, such as gestures, voice,
typing rhythm, or the way a user walks
Biometrics is becoming increasingly popular in public security systems, consumer
electronics, and point-of-sale applications. Implementing biometrics uses a reader
or scanning device, software that converts the scanned information into digital
form, and a database that stores biometric data for comparison.

Multi-factor Authentication
Multi-factor authentication uses at least two methods of verification. A security
key fob is a good example. The two factors are something you know, such as a
password, and something you have, such as a security key fob. Take this a step
further by adding something you are, such as a fingerprint scan.

Multi-factor authentication can reduce the incidence of online identity theft

because knowing the password would not give cyber criminals access to user
information. For example, an online banking website might require a password and a
PIN that the user receives on his or her smartphone. As shown in the figure,
withdrawing cash from an ATM is another example of multifactor authentication. The
user must have the bankcard and know the PIN before the ATM will dispense cash.

Authorization

What is Authorization?
Authorization controls what a user can and cannot do on the network after
successful authentication. After a user proves his or her identity, the system
checks to see what network resources the user can access and what the user can do
with the resources. Authorization answers the question, �What read, copy, create,
and delete privileges does the user have?�

Authorization uses a set of attributes that describes the user�s access to the
network. The system compares these attributes to the information contained within
the authentication database, determines a set of restrictions for that user, and
delivers it to the local router where the user is connected.

Authorization is automatic and does not require users to perform additional steps
after authentication. Implement authorization immediately after the user
authenticates.

Using Authorization
Defining authorization rules is the first step in controlling access. An
authorization policy establishes these rules.

A group membership policy defines authorization based on membership in a specific

group. For example, all employees of an organization have a swipe card, which
provides access to the facility. If an employee�s job does not require that she
have access to the server room, her security card will not allow her to enter that
room.

An authority-level policy defines access permissions based on an employee�s

standing within the organization. For example, only senior-level employees in an IT
department may access the server room.

Accountability

What is Accountability?
Accountability traces an action back to a person or process making the change to a
system, collects this information, and reports the usage data. The organization can
use this data for such purposes as auditing or billing. The collected data might
include the log in time for a user, whether the user log in was a success or
failure, or what network resources the user accessed. This allows an organization
to trace actions, errors, and mistakes during an audit or investigation.

Implementing Accountability
Implementing accountability consists of technologies, policies, procedures, and
education. Log files provide detailed information based on the parameters chosen.
For example, an organization may look at the log for login failures and successes.
Login failures can indicate that a criminal tried to hack an account. Login
successes tell an organization which users are using what resources and when. Is it
normal for an authorized user to access the corporate network at 3:00 a.m.? The
organization�s policies and procedures spell out what actions should be recorded
and how the log files are generated, reviewed and stored.

Data retention, media disposal, and compliance requirements all provide

accountability. Many laws require the implementation of measures to secure
different data types. These laws guide an organization on the right way to handle,
store, and dispose of data. The education and awareness of an organization�s
policies, procedures, and related laws can also contribute to accountability.

Types of Security Controls

Preventive Controls
Prevent means to keep something from happening. Preventive access controls stop
unwanted or unauthorized activity from happening. For an authorized user, a
preventive access control means restrictions. Assigning user specific privileges on
a system is an example of a preventive control. Even though a user is an authorized
user, the system puts limits in place to prevent the user from accessing and
performing unauthorized actions. A firewall that blocks access to a port or service
that cyber criminals can exploit is also a preventive control.

Deterrent Controls
A deterrent is the opposite of a reward. A reward encourages individuals to do the
right thing, while a deterrent discourages them from doing the wrong thing. Cyber
security professionals and organizations use deterrents to limit or mitigate an
action or behavior, but deterrents do not stop them. Access control deterrents
discourage cyber criminals from gaining unauthorized access to information systems
and sensitive data. Access control deterrents discourage attacking systems,
stealing data, or spreading malicious code. Organizations use access control
deterrents to enforce cybersecurity policies.

Deterrents make potential cyber criminals think twice before committing a crime.
The figure lists common access control deterrents used in the cybersecurity world.

Detective Controls
Detection is the act or process of noticing or discovering something. Access
control detections identify different types of unauthorized activity. Detection
systems can be very simple, such as a motion detector or security guard. They can
also be more complex, such as an intrusion detection system. All detective systems
have several things in common; they look for unusual or prohibited activity. They
also provide methods to record or alert system operators of potential unauthorized
access. Detective controls do not prevent anything from happening; they are more of
an after-the-fact measure.

Corrective Controls
Corrective counteracts something that is undesirable. Organizations put corrective
access controls in place after a system experiences a threat. Corrective controls
restore the system back to a state of confidentiality, integrity, and availability.
They can also restore systems to normal after unauthorized activity occurs.

Recovery Controls
Recovery is a return to a normal state. Recovery access controls restore resources,
functions, and capabilities after a violation of a security policy. Recovery
controls can repair damage, in addition to stopping any further damage. These
controls have more advanced capabilities over corrective access controls.

Compensative Controls
Compensate means to make up for something. Compensative access controls provide
options to other controls to bolster enforcement in support of a security policy.

A compensative control can also be a substitution used in place of a control that

is not possible under the circumstances. For example, an organization may not be
able to have a guard dog, so instead it deploys a motion detector with a spotlight
and a barking sound.
Data Masking

What is Data Masking?

Data masking technology secures data by replacing sensitive information with a non-
sensitive version. The non-sensitive version looks and acts like the original. This
means that a business process can use non-sensitive data and there is no need to
change the supporting applications or data storage facilities. In the most common
use case, masking limits the propagation of sensitive data within IT systems by
distributing surrogate data sets for testing and analysis. Information can be
dynamically masked if the system or application determines that a user request for
sensitive information is risky.

Data Masking Techniques

Data masking can replace sensitive data in non-production environments to protect
the underlying information.

There are several data masking techniques that can ensure that data remains
meaningful but changed enough to protect it.

Substitution replaces data with authentic looking values to apply anonymity to the
data records.
Shuffling derives a substitution set from the same column of data that a user wants
to mask. This technique works well for financial information in a test database,
for example.
Nulling out applies a null value to a particular field, which completely prevents
visibility of the data.

Steganography

What is Steganography?
Steganography conceals data (the message) in another file such as a graphic, audio,
or other text file. The advantage of steganography over cryptography is that the
secret message does not attract any special attention. No one would ever know that
a picture actually contained a secret message by viewing the file either
electronically or in hardcopy.

There are several components involved in hiding data. First, there is the embedded
data, which is the secret message. The cover-text (or cover-image or cover-audio)
hides the embedded data producing the stego-text (or stego-image or stego-audio). A
stego-key controls the hiding process.

The approach used to embed data in a cover-image is using Least Significant Bits
(LSB). This method uses bits of each pixel in the image. A pixel is the basic unit
of programmable color in a computer image. The specific color of a pixel is a blend
of three colors�red, green, and blue (RGB). Three bytes of data specify a pixel�s
color (one byte for each color). Eight bits make up a byte. A 24-bit color system
uses all three bytes. LSB uses a bit of each of the red, green, and blue color
components. Each pixel can store 3 bits.

The figure shows three pixels of a 24-bit color image. One of the letters in the
secret message is the letter T, and inserting the character T changes only two bits
of the color. The human eye cannot recognize the changes made to the least
significant bits. The result is a hidden character.
Social Steganography
Social steganography hides information in plain sight by creating a message that
can be read a certain way by some to get the message. Others who view it in a
normal way will not see the message. Teens on social media use this tactic to
communicate with their closest friends while keeping others, like their parents,
unaware of what the message actually means. For example, the phrase �going to the
movies� might mean �going to the beach�.

Individuals in countries that censor media also use social steganography to get
their messages out by misspelling words on purpose or making obscure references. In
effect, they communicate to different audiences simultaneously.

Detection
Steganalysis is the discovery that hidden information exists. The goal of
steganalysis is to discover the hidden information.

Patterns in the stego-image create suspicion. For example, a disk may have unused
areas that hide information. Disk analysis utilities can report on hidden
information in unused clusters of storage devices. Filters can capture data packets
that contain hidden information in packet headers. Both of these methods are using
steganography signatures.

By comparing an original image with the stego-image, an analyst may pick up

repetitive patterns visually.

Data Obfuscation
Data obfuscation is the use and practice of data masking and steganography
techniques in the cybersecurity and cyber intelligence profession. Obfuscation is
the art of making the message confusing, ambiguous, or harder to understand. A
system may purposely scramble messages to prevent unauthorized access to sensitive
information.

Applications
Software watermarking protects software from unauthorized access or modification.
Software watermarking inserts a secret message into the program as proof of
ownership. The secret message is the software watermark. If someone tries to remove
the wateWhat is Hashing?
Users need to know that their data remains unchanged while at rest or in transit.
Hashing is a tool that ensures data integrity by taking binary data (the message)
and producing a fixed-length representation called the hash value or message
digest, as shown in the figure.

The hash tool uses a cryptographic hashing function to verify and ensure data
integrity. It can also verify authentication. Hash functions replace clear text
password or encryption keys because hash functions are one-way functions. This
means that if a password is hashed with a specific hashing algorithm, it will
always result in the same hash digest. It is considered one-way because with hash
functions, it is computationally infeasible for two different sets of data to come
up with the same hash digest or output.

Every time the data is changed or altered, the hash value also changes. Because of
this, cryptographic hash values are often called digital fingerprints. They can
detect duplicate data files, file version changes, and similar applications. These
values guard against an accidental or intentional change to the data and accidental
data corruption. Hashing is also very efficient. A large file or the content of an
entire disk drive results in a hash value with the same size.rmark, the result is
nonfunctional code.
Software obfuscation translates software into a version equivalent to the original
but one that is harder for attackers to analyze. Trying to reverse engineer the
software gives unintelligible results from software that still functions.

The Art of Ensuring Integrity

Integrity ensures that data remains unchanged and trustworthy by anyone or anything
over its entire life cycle. Data integrity is a critical component to the design,
implementation and usage of any system that stores, processes, or transmits data.
This chapter begins by discussing the types of data integrity controls used such as
hashing algorithms, salting, and keyed-hash message authentication code (HMAC). The
use of digital signatures and certificates incorporates the data integrity controls
to provide users a way of verifying the authenticity of messages and documents. The
chapter concludes with a discussion of database integrity enforcement. Having a
well-controlled and well-defined data integrity system increases the stability,
performance, and maintainability of a database system.

Types of Data Integrity Controls

Hashing Algorithms

What is Hashing?
Users need to know that their data remains unchanged while at rest or in transit.
Hashing is a tool that ensures data integrity by taking binary data (the message)
and producing a fixed-length representation called the hash value or message
digest, as shown in the figure.

The hash tool uses a cryptographic hashing function to verify and ensure data
integrity. It can also verify authentication. Hash functions replace clear text
password or encryption keys because hash functions are one-way functions. This
means that if a password is hashed with a specific hashing algorithm, it will
always result in the same hash digest. It is considered one-way because with hash
functions, it is computationally infeasible for two different sets of data to come
up with the same hash digest or output.

Every time the data is changed or altered, the hash value also changes. Because of
this, cryptographic hash values are often called digital fingerprints. They can
detect duplicate data files, file version changes, and similar applications. These
values guard against an accidental or intentional change to the data and accidental
data corruption. Hashing is also very efficient. A large file or the content of an
entire disk drive results in a hash value with the same size.

Hashing Properties
Hashing is a one-way mathematical function that is relatively easy to compute, but
significantly harder to reverse. Grinding coffee is a good analogy of a one-way
function. It is easy to grind coffee beans, but it is almost impossible to put all
of the tiny pieces back together to rebuild the original beans.

A cryptographic hash function has the following properties:

The input can be any length.

The output has a fixed length.
The hash function is one way and is not reversible.
Two different input values will almost never result in the same hash values.

Hashing Algorithms
Hash functions are helpful to ensure that a user or communication error does not
change the data accidentally. For instance, a sender may want to make sure that no
one alters a message on its way to the recipient. The sending device inputs the
message into a hashing algorithm and computes its fixed-length digest or
fingerprint.

Simple Hash Algorithm (8-bit Checksum)

The 8-bit checksum is one of the first hashing algorithms, and it is the simplest
form of a hash function. An 8-bit checksum calculates the hash by converting the
message into binary numbers and then organizing the string of binary numbers into
8-bit chucks. The algorithm adds up the 8-bit values. The final step is to convert
the result using a process called 2�s complement. The 2�s complement converts a
binary to its opposite value, and then it adds one. This means that a zero converts
to a one, and a one converts to a zero. The final step is to add 1 resulting in an
8-bit hash value.

Click here to calculate the 8-bit hash for the message BOB.

1. Convert BOB to binary using the ASCII code, as shown in Figure 1.

2. Convert the binary numbers to hexadecimal, as shown in Figure 2.

3. Enter the hexadecimal numbers into the calculator (42 4F 42).

4. Click the Calculate button. The result is the hash value 2D.

Try the following examples:

SECRET = �S�=53 �E�=45 �C�=43 �R�=52 �E�=45 �T�=54

HASH VALUE = 3A

MESSAGE = �M�=4D �E�=45 �S�=53 �S�=53 �A�=41 �G�=47 �E�=45

HASH VALUE = FB

Modern Hashing Algorithms

There are many modern hashing algorithms widely used today. Two of the most popular
are MD5 and SHA.

Message Digest 5 (MD5) Algorithm

Ron Rivest developed the MD5 hashing algorithm, and several Internet applications
use it today. MD5 is a one-way function that makes it easy to compute a hash from
the given input data but makes it very difficult to compute input data given only a
hash value.

MD5 produces a 128-bit hash value. The Flame malware compromised the security of
MD5 in 2012. The authors of the Flame malware used an MD5 collision to forge a
Windows code-signing certificate. Click here to read an explanation of the Flame
malware collision attack.

Secure Hash Algorithm (SHA)

The U.S. National Institute of Standards and Technology (NIST) developed SHA, the
algorithm specified in the Secure Hash Standard (SHS). NIST published SHA-1 in
1994. SHA-2 replaced SHA-1 with four additional hash functions to make up the SHA
family:
SHA-224 (224 bit)
SHA-256 (256 bit)
SHA-384 (384 bit)
SHA-512 (512 bit)
SHA-2 is a stronger algorithm, and it is replacing MD5. SHA-256, SHA-384, and SHA-
512 are the next-generation algorithms

Hashing Files and Digital Media

Integrity ensures that data and information is complete and unaltered at the time
of its acquisition. This is important to know when a user downloads a file from the
Internet or a forensic examiner is looking for evidence on digital media.

To verify the integrity of all IOS images, Cisco provides MD5 and SHA checksums at
Cisco�s Download Software website. The user can make a comparison of this MD5
digest against the MD5 digest of an IOS image installed on a device, as shown in
the figure. The user can now feel confident that no one has tampered or modified
the IOS image file.

Note: The command verify /md5, shown in the figure, is beyond the scope of this
course.

The field of digital forensics uses hashing to verify all digital media that
contain files. For example, the examiner creates a hash and a bit-for-bit copy of
the media containing the files to produce a digital clone. The examiner compares
the hash of the original media with the copy. If the two values match, the copies
are identical. The fact that one set of bits is identical to the original set of
bits establishes fixity. Fixity helps to answer several questions:

Does the examiner have the files he expects?

Is the data corrupted or changed?
Can the examiner prove that the files are not corrupt?
Now the forensics expert can examine the copy for any digital evidence while
leaving the original intact and untouched.

Hashing Passwords
Hashing algorithms turn any amount of data into a fixed-length fingerprint or
digital hash. A criminal cannot reverse a digital hash to discover the original
input. If the input changes at all, it results in a different hash. This works for
protecting passwords. A system needs to store a password in a form that protects it
and can still verify that a user�s password is correct.

The figure shows the workflow for user account registration and authentication
using a hash-based system. The system never writes the password to the hard drive,
it only stores the digital hash.

Applications
Use cryptographic hash functions in the following situations:

To provide proof of authenticity when it is used with a symmetric secret

authentication key, such as IP Security (IPsec) or routing protocol authentication
To provide authentication by generating one-time and one-way responses to
challenges in authentication protocols
To provide message integrity check proof, such as those used in digitally signed
contracts, and public key infrastructure (PKI) certificates, like those accepted
when accessing a secure site using a browser
When choosing a hashing algorithm, use SHA-256 or higher as they are currently the
most secure. Avoid SHA-1 and MD5 due to the discovery of security flaws. In
production networks, implement SHA-256 or higher.

While hashing can detect accidental changes, it cannot guard against deliberate
changes. There is no unique identifying information from the sender in the hashing
procedure. This means that anyone can compute a hash for any data, as long as they
have the correct hash function. For example, when a message traverses the network,
a potential attacker could intercept the message, change it, recalculate the hash,
and append the hash to the message. The receiving device will only validate against
whatever hash is appended. Therefore, hashing is vulnerable to man-in-the-middle
attacks and does not provide security to transmitted data.

Cracking Hashes
To crack a hash, an attacker must guess the password. The top two attacks used to
guess passwords are dictionary and brute-force attacks.

A dictionary attack uses a file containing common words, phrases, and passwords.
The file has the hashes calculated. A dictionary attack compares the hashes in the
file with the password hashes. If a hash matches, the attacker will know a group of
potentially good passwords.

A brute-force attack attempts every possible combination of characters up to a

given length. A brute-force attack takes a lot of processor time, but it is just a
matter of time before this method discovers the password. Passwords need to be long
enough to make the time it takes to execute a brute-force attack too long to be
worthwhile. Hashing passwords makes it more difficult for the criminal to retrieve
those passwords.

Salting
What is Salting?
Salting makes password hashing more secure. If two users have the same password,
they will also have the same password hashes. A salt, which is a random string of
characters, is an additional input to the password before hashing. This creates a
different hash result for the two passwords as shown in the figure. A database
stores both the hash and the salt.

In the figure, the same password generates a different hash because the salt in
each instance is different. The salt does not have to be secret since it is a
random number.

Preventing Attacks
Salting prevents an attacker from using a dictionary attack to try to guess
passwords. Salting also makes it impossible to use lookup tables and rainbow tables
to crack a hash.

Lookup Tables

A lookup table stores the pre-computed hashes of passwords in a password dictionary

along with the corresponding password. A lookup table is a data structure that
processes hundreds of hash lookups per second.

Reverse Lookup Tables

This attack allows the cybercriminal to launch a dictionary or brute-force attack

on many hashes without the pre-computed lookup table. The cybercriminal creates a
lookup table that plots each password hash from the breached account database to a
list of users. The cybercriminal hashes each password guess and uses the lookup
table to get a list of users whose password matched the cybercriminal�s guess.
Since many users have the same password, the attack works well.

Rainbow Tables

Rainbow tables sacrifice hash-cracking speed to make the lookup tables smaller. A
smaller table means that the table can store the solutions to more hashes in the
same amount of space.

Implementing Salting
A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) is the best
choice to generate salt. CSPRNGs generate a random number that has a high level of
randomness and is completely unpredictable, so it is cryptographically secure.

To implement salting successfully, use the following recommendations:

The salt needs to be unique for every user password.

Never reuse a salt.
The length of the salt should match the length of the hash function�s output.
Always hash on the server in a web application.
Using a technique called key stretching will also help to protect against attack.
Key stretching makes the hash function very slowly. This prevents high-end hardware
that can compute billions of hashes per second less effective.

HMAC
What is an HMAC?
The next step in preventing a cybercriminal from launching a dictionary or brute-
force attack on a hash is to add a secret key to the hash. Only the person who
knows the hash can validate a password. One way to do this is to include the secret
key in the hash using a hash algorithm called keyed-hash message authentication
code (HMAC or KHMAC). HMACs use an additional secret key as input to the hash
function. The use of HMAC goes a step further than just integrity assurance by
adding authentication. An HMAC uses a specific algorithm that combines a
cryptographic hash function with a secret key.

Only the sender and the receiver know the secret key, and the output of the hash
function now depends on the input data and the secret key. Only parties who have
access to that secret key can compute the digest of an HMAC function. This
characteristic defeats man-in-the-middle attacks and provides authentication of the
data origin.

HMAC Operation
Consider an example where a sender wants to ensure that a message remains unchanged
in transit and wants to provide a way for the receiver to authenticate the origin
of the message.

As shown in Figure 1, the sending device inputs data (such as Terry Smith�s pay of
$100 and the secret key) into the hashing algorithm and calculates the fixed-length
HMAC digest or fingerprint. The receiver gets the authenticated fingerprint
attached to the message.

In Figure 2, the receiving device removes the fingerprint from the message and uses
the plaintext message with its secret key as input to the same hashing function. If
the receiving device calculates a fingerprint equal to the fingerprint sent, the
message is still in its original form. Additionally, the receiver knows the origin
of the message because only the sender possesses a copy of the shared secret key.
The HMAC function proved the authenticity of the message.
Application of HMAC
HMACs can also authenticate a web user. Many web services use basic authentication,
which does not encrypt the username and password during transmission. Using HMAC,
the user sends a private key identifier and an HMAC. The server looks up the user�s
private key and creates an HMAC. The user�s HMAC must match the one calculated by
the server.

VPNs using IPsec rely on HMAC functions to authenticate the origin of every packet
and provide data integrity checking.

As shown in the figure, Cisco products use hashing for entity authentication, data
integrity, and data authenticity purposes:

Cisco IOS routers use hashing with secret keys in an HMAC-like manner to add
authentication information to routing protocol updates.
IPsec gateways and clients use hashing algorithms, such as MD5 and SHA-1 in HMAC
mode, to provide packet integrity and authenticity.
Cisco software images on Cisco.com have an MD5-based checksum available so that
customers can check the integrity of downloaded images.
Note: The term entity can refer to devices or systems within an organization.

Signatures and the Law

What is a Digital Signature?

Handwritten signatures and stamped seals prove authorship of the contents of a
document. Digital signatures can provide the same functionality as handwritten
signatures.

Unprotected digital documents are very easy for anyone to change. A digital
signature can determine if someone edits a document after the user signs it. A
digital signature is a mathematical method used to check the authenticity and
integrity of a message, digital document, or software.

In many countries, digital signatures have the same legal importance as a manually
signed document. Electronic signatures are binding for contracts, negotiations, or
any other document requiring a handwritten signature. An audit trail tracks the
electronic document�s history for regulatory and legal defense purposes.

A digital signature helps to establish authenticity, integrity, and non-

repudiation. Digital signatures have specific properties that enable entity
authentication and data integrity as shown in the figure.

Digital signatures are an alternative to HMAC

Non-Repudiation
To repudiate means to deny. Non-repudiation is a way to ensure that the sender of a
message or document cannot deny having sent the message or document and that the
recipient cannot deny having received the message or document.

A digital signature ensures that the sender electronically signed the message or
document. Since a digital signature is unique to the individual creating it, that
person cannot later deny that he or she provided the signature.

Processes of Creating a Digital Signature

Asymmetric cryptography is the basis for digital signatures. A public key algorithm
like RSA generates two keys: one private and the other public. The keys are
mathematically related.
Alice wants to send Bob an email that contains important information for the
rollout of a new product. Alice wants to make sure that Bob knows that the message
came from her, and that the message did not change after she sent it.

Alice creates the message along with a digest of the message. She then encrypts
this digest with her private key. Alice bundles the message, the encrypted message
digest, and her public key together to create the signed document. Alice sends this
to Bob.

Bob receives the message and reads it. To make sure that the message came from
Alice, he creates a message digest of the message. He takes the encrypted message
digest received from Alice and decrypts it using Alice�s public key. Bob compares
the message digest received from Alice with the one he generated. If they match,
Bob knows that he can trust that no one tampered with the message.

Using Digital Signatures

Signing a hash instead of the whole document provides efficiency, compatibility,
and integrity. Organizations may want to replace paper documents and ink signatures
with a solution that assures the electronic document meets all legal requirements.

The following two situations provide examples of using digital signatures:

Code signing - Used to verify the integrity of executable files downloaded from a
vendor website. Code signing also uses signed digital certificates to authenticate
and verify the identity of the site
Digital certificates - Used to verify the identity of an organization or individual
to authenticate a vendor website and establish an encrypted connection to exchange
confidential data.

Comparing Digital Signature Algorithms

The three common digital signature algorithms are Digital Signature Algorithm
(DSA), Rivest-Shamir-Adleman (RSA), and Elliptic Curve Digital Signature Algorithm
(ECDSA). All three generate and verify digital signatures. These algorithms depend
upon asymmetrical encryption and public key techniques. Digital signatures require
two operations:

1. Key generation

2. Key verification

Both operations require key encryption and decryption.

DSA uses large number factorization. Governments use DSA for signing to create
digital signatures. DSA does not extend beyond the signature to the message itself.

RSA is the most common public key cryptography algorithm in use today. RSA is named
after the individuals who created it in 1977: Ron Rivest, Adi Shamir, and Leonard
Adleman. RSA depends on asymmetrical encryption. RSA covers signing and also
encrypts the content of the message.

DSA is faster than RSA as a signing services for a digital document. RSA is best
suited for applications requiring the signing and verification of electronic
documents and message encryption.

Like most areas of cryptography, the RSA algorithm is based on two mathematical
principles; modulus and prime number factorization.
ECDSA is the newest digital signature algorithm that is gradually replacing RSA.
The advantage of this new algorithm is that it can uses much smaller key sizes for
the same security and requires less computation than RSA.

What is a Digital Certificate?

A digital certificate is equivalent to an electronic passport. They enable users,
hosts, and organizations to exchange information securely over the Internet.
Specifically, a digital certificate authenticates and verifies that users sending a
message are who they claim to be. Digital certificates can also provide
confidentiality for the receiver with the means to encrypt a reply.

Digital certificates are similar to physical certificates. For example, the paper-
based Cisco Certified Network Associate Security (CCNA-S) certificate identifies
the individual, the Certificate Authority (who authorized the certificate), and for
how long the certificate is valid.

Using Digital Certificates

Refer to the figure to help understand how digital certificates are used to
authenticate a person or entity. In this scenario, Bob is purchasing an online item
from Alice's website. Bob's browser will use Alice's digital certificate to ensure
he is actually shopping on Alice's website and to secure traffic between them.

Step 1: Bob decides to buy something on Alice's website and clicks on "Proceed to
Checkout". His browser initiates a secure connection with Alice's web server and
displays a lock icon in the security status bar.

Step 2: Alice's web server receives the request and replies by sending its digital
certificate containing the web server public key and other information to Bob's
browser.

Step 3: Bob's browser checks the digital certificate against stored certificates
and confirms that he is indeed connected to Alice's web server. Only trusted
certificates permit the transaction to go forward. If the certificate is not valid,
then communication fails.

Step 4: Bob's web browser creates a unique session key that will be used for secure
communication with Alice's web server.

Step 5: Bob's browser encrypts the session key using Alice's public key and sends
it to Alice's web server.

Step 6: Alice's web server receives the encrypted message from Bob's browser. It
uses its private key to decrypt the message and discover the session key. Future
exchange between the web server and browser will now use the session key to encrypt
data.

What is a Certificate Authority?

On the Internet, continually exchanging identification between all parties would be
impractical. Therefore, individuals agree to accept the word of a neutral third
party. Presumably, the third party does an in-depth investigation prior to the
issuance of credentials. After this in-depth investigation, the third party issues
credentials that are difficult to forge. From that point forward, all individuals
who trust the third party simply accept the credentials that the third party
issues.

For example, Alice applies for a driver�s license. In this process, she submits
evidence of her identity, such as birth certificate, picture ID, and more to a
government-licensing bureau. The bureau validates Alice�s identity and permits
Alice to complete a driver�s examination. Upon successful completion, the licensing
bureau issues Alice a driver license. Later, Alice needs to cash a check at the
bank. Upon presenting the check to the bank teller, the bank teller asks her for
ID. The bank, because it trusts the government-licensing bureau, verifies her
identity and cashes the check.

A certificate authority (CA) functions the same as the licensing bureau. The CA
issues digital certificates that authenticate the identity of organizations and
users. These certificates also sign messages to ensure that no one tampered with
the messages.

What is Inside a Digital Certificate?

As long as a digital certificate follows a standard structure, any entity can read
and understand it regardless of the issuer. X.509 is a standard for a public key
infrastructure (PKI) to manage digital certificates. PKI is the policies, roles,
and procedures required to create, manage, distribute, use, store, and revoke
digital certificates. The X.509 standard specifies that digital certificates
contain the standard information shown in the figure.

The Validation Process

Browsers and applications perform a validation check before they trust a
certificate to ensure they are valid. The three processes include the following:

Certificate Discovery validates the certification path by checking each certificate

starting at the beginning with the root CA�s certificate
Path Validation selects a certificate of the issuing CA for each certificate in the
chain
Revocation determines whether the certificate was revoked and why

The Certificate Path

An individual gets a certificate for a public key from a commercial CA. The
certificate belongs to a chain of certificates called the chain of trust. The
number of certificates in the chain depends on the hierarchical structure of the
CA.

The figure shows a certificate chain for a two tier CA. There is an offline Root CA
and an online subordinate CA. The reason for the two-tier structure is that X.509
signing allows for easier recovery in the event of a compromise. If there is an
offline CA, it can sign the new online CA certificate. If there is not an offline
CA, a user has to install a new root CA certificate on every client machine, phone,
or tablet

Database Integrity

Data Integrity
Databases provide an efficient way to store, retrieve, and analyze data. As data
collection increases and data becomes more sensitive, it is important for
cybersecurity professionals to protect the growing number of databases. Think of a
database as an electronic filing system. Data integrity refers to the accuracy,
consistency, and reliability of data stored in a database. The responsibility of
data integrity falls on database designers, developers, and the organization�s
management.

The four data integrity rules or constraints are as follows:

Entity Integrity: All rows must have a unique identifier called a Primary Key
(Figure 1)

.
Domain Integrity: All data stored in a column must follow the same format and
definition (Figure 2).

Referential Integrity: Table relationships must remain consistent. Therefore, a

user cannot delete a record which is related to another one (Figure 3).

User-defined Integrity: A set of rules defined by a user which does not belong to
one of the other categories. For example, a customer places a new order, as shown
in Figure 4.

The user first checks to see if this is a new customer. If it is, the user adds the
new customer to the customers table.

Data Entry Controls

Data entry involves inputting data to a system. A set of controls ensures that
users enter the correct data.

Drop Down Master Data Controls

Have a drop down option for master tables instead of asking individuals to enter
the data. An example of drop down master data controls is using the locations list
from the U.S. postal address system to standardize addresses.

Data Field Validation Controls

Set up rules for basic checks including:

Mandatory input ensures that a required field contains data

Input masks prevent users from entering invalid data or help ensure that they enter
data consistently (like a phone number, for example)
Positive dollar amounts
Data ranges ensure that a user enters data within a given range (like a date of
birth entered as 01-18-1820, for example)
Mandatory second person approval (a bank teller receives a deposit or withdraw
request greater than a specified value triggers a second or third approval)
Maximum record modification trigger (the number of records modified exceeds a
predetermined number within a specific period of time blocks a user until a manager
identifies whether or not the transactions were legitimate)
Unusual activity trigger (a system locks when it recognizes unusual activity)

Validation Rules
A validation rule checks that data falls within the parameters defined by the
database designer. A validation rule helps to ensure the completeness, accuracy and
consistency of data. The criteria used in a validation rule include the following:

Size � checks the number of characters in a data item

Format � checks that the data conforms to a specified format
Consistency � checks for the consistency of codes in related data items
Range � checks that data lies within a minimum and maximum value
Check digit � provides for an extra calculation to generate a check digit for error
detection.

Data Type Validation

Data type validation is the simplest data validation and verifies that a user
entering data is consistent with the type of characters expected. For example, a
phone number would not contain alpha characters. Databases allow three data types:
integer, string, and decimal.

Input Validation
One of the most vulnerable aspects of database integrity management is controlling
the data input process. Many well-known attacks run against a database and insert
malformed data. The attack can confuse, crash, or make the application divulge too
much information to the attacker. Attackers use automated input attacks.

For example, users fill out a form via a Web application to subscribe to a
newsletter. A database application automatically generates and sends email
confirmations. When users receive their email confirmations with a URL link to
confirm their subscription, attackers modify the URL link. These modifications
include changing the username, email address, or subscription status. The email
returns back to the server hosting the application. If the Web server did not
verify that the email address or other account information submitted matched the
subscription information, the server received bogus information. Hackers can
automate the attack to flood the Web application with thousands of invalid
subscribers to the newsletter database.

Anomaly Verification
Anomaly detection refers to identifying patterns in data that do not conform to
expected behavior. These non-conforming patterns are anomalies, outliers,
exceptions, aberrations, or surprises in di?erent database applications. Anomaly
detection and verification is an important countermeasure or safeguard in
identifying fraud detection. Database anomaly detection can identify credit card
and insurance fraud. Database anomaly detection can protect data from massive
destruction or changes.

Anomaly verification requires verification data requests or modifications when a

system detects unusual or surprising patterns. An example of this is a credit card
with two transactions in vastly different request locations in a short time. If a
transaction request from New York City occurs at 10:30 a.m. and a second request
comes from Chicago at 10:35 a.m., the system triggers a verification of the second
transaction.

A second example occurs when an unusual number of email address modifications

happen in an unusual number of database records. Since email data launch DoS
attacks, the email modification of hundreds of records could indicate that an
attacker is using an organization�s database as a tool for his or her DoS attack.

Database Integrity Requirements

Entity Integrity
A database is like an electronic filing system. Maintaining proper filing is
critical in maintaining the trustworthiness and usefulness of the data within the
database. Tables, records, fields, and data within each field make up a database.
In order to maintain the integrity of the database filing system, users must follow
certain rules. Entity integrity is an integrity rule, which states that every table
must have a primary key and that the column or columns chosen to be the primary key
must be unique and not NULL. Null in a database signifies missing or unknown
values. Entity integrity enables proper organization of data for that record.

Referential Integrity
Another important concept is the relationship between different filing systems or
tables. The basis of referential integrity is foreign keys. A foreign key in one
table references a primary key in a second table. The primary key for a table
uniquely identifies entities (rows) in the table. Referential integrity maintains
the integrity of foreign keys.

Domain Integrity
Domain integrity ensures that all the data items in a column fall within a defined
set of valid values. Each column in a table has a defined set of values, such as
the set of all numbers for credit card numbers, social security numbers, or email
addresses. Limiting the value assigned to an instance of that column (an attribute)
enforces domain integrity. Domain integrity enforcement can be as simple as
choosing the correct data type, length and or format for a column.

The Five Nines Concept

Organizations that want to maximize the availability of their systems and data may
take extraordinary measures to minimize or eliminate data loss. The goal is to
minimize the downtime of mission critical processes. If employees cannot perform
their regular duties, the organization is in jeopardy of losing revenue.

Organizations measure availability by percentage of uptime. This chapter begins by

explaining the concept of five nines. Many industries must maintain the highest
availability standards because downtime might literally mean a difference between
life and death.

This chapter discusses various approaches that organizations can take to help meet
their availability goals. Redundancy provides backup and includes extra components
for computers or network systems to ensure the systems remain available. Redundant
components can include hardware such as disk drives, servers, switches, and routers
or software such as operating systems, applications, and databases. The chapter
also discusses resiliency, the ability of a server, network, or data center to
recover quickly and continue operation.

Organizations must be prepared to respond to an incident by establishing procedures

that they follow after an event occurs. The chapter concludes with a discussion of
disaster recovery and business continuity planning which are both critical in
maintaining availability to an organization�s resources.\

What Does the Five Nines Mean?

Five nines mean that systems and services are available 99.999% of the time. It
also means that both planned and unplanned downtime is less than 5.26 minutes per
year. The chart in the figure provides a comparison of the downtime for various
availability percentages.

High availability refers to a system or component that is continuously operational

for a given length of time. To help ensure high availability:

Eliminate single points of failure

Design for reliability
Detect failures as they occur
Sustaining high availability at the standard of five-nines can increase costs and
utilize many resources. The increased costs are due to the purchase of additional
hardware such as servers and components. As an organization adds components, the
result is an increase in configuration complexity. Unfortunately, increased
configuration complexity increases the risk factors. The more moving parts
involved, the higher the likelihood of failed components.
Environments that Require Five Nines
Although the cost of sustaining high availability may be too costly for some
industries, several environments require five nines.

The finance industry needs to maintain high availability for continuous trading,
compliance, and customer trust.

Healthcare facilities require high availability to provide around-the-clock care

for patients.

The public safety industry includes agencies that provide security and services to
a community, state, or nation.

The retail industry depends on efficient supply chains and the delivery of products
to customers. Disruption can be devastating, especially during peak demand times
such as holidays.

The public expects that the news media industry communicate information on events
as they happen. The news cycle is now around the clock, 24/7.

Threats to Availability
The following threats pose a high risk to data and information availability:

An unauthorized user successfully penetrates and compromises an organization�s

primary database
A successful DoS attack significantly affects operations
An organization suffers a significant loss of confidential data
A mission-critical application goes down
A compromise of the Admin or root user occurs
The detection of a cross-site script or illegal file server share
The defacement of an organization�s website impacts public relations
A severe storm such as a hurricane or tornado
A catastrophic event such as a terrorist attack, building bombing, or building fire
Long-term utility or service provider outage
Water damage as the result of flooding or sprinkler failure
Categorizing the impact level for each threat helps an organization realize the
dollar impact of a threat.

Designing High Availability System

High availability incorporates three major principles to achieve the goal of
uninterrupted access to data and services:

1. Elimination or reduction of single-points of failure

2. System Resiliency

3. Fault Tolerance

It is important to understand the ways to address a single point of failure. A

single point of failure can include central routers or switches, network services,
and even highly skilled IT staff. The key is that a loss of the system, process, or
person can have a very disruptive impact on the entire system. The key is to have
processes, resources, and components that reduce single points of failure. High
availability clusters is one way to provide redundancy. These clusters consist of a
group of computers that have access to the same-shared storage and have identical
network configurations. All servers take part in processing a service
simultaneously. From the outside, the server group looks like one device. If a
server within the cluster fails, the other servers continue to process the same
service as the failed device.

Systems resiliency refers to the capability to maintain availability of data and

operational processing despite attacks or disrupting event. Generally, this
requires redundant systems, in terms of both power and processing, so that should
one system fail, the other can take over operations without any break in service.
System resiliency is more than hardening devices; it requires that both data and
services be available even when under attack.

Fault tolerance enables a system to continue to operate if one or more components

fail. Data mirroring is one example of fault tolerance. Should a "fault" occur,
causing disruption in a device such as a disk controller, the mirrored system
provides the requested data with no apparent interruption in service to the user.

Measures To Improve Availability

Asset Management
Asset Identification
An organization needs to know what hardware and software are present as a
prerequisite to knowing what the configuration parameters need to be. Asset
management includes a complete inventory of hardware and software.

This means that the organization needs to know all of components that can be
subject to security risks, including:

Every hardware system

Every operating system
Every hardware network device
Every network device operating system
Every software application
All firmware
All language runtime environments
All individual libraries
An organization may choose an automated solution to keep track of assets. An
administrator should investigate any changed configuration because it may mean that
the configuration is not up-to-date. It can also mean that unauthorized changes are
happening.

Asset Classification
Asset classification assigns all resources of an organization into a group based on
common characteristics. An organization should apply an asset classification system
to documents, data records, data files, and disks. The most critical information
needs to receive the highest level of protection and may even require special
handling.

An organization can adopt a labeling system according to how valuable, how

sensitive, and how critical the information is. Complete the following steps to
identify and classify the assets of an organization:

1. Determine the proper asset identification category.

2. Establish asset accountability by identifying the owner for all information

assets and application software.

3. Determine the criteria for classification.

4. Implement a classification schema.

Asset Standardization
Asset management manages the lifecycle and inventory of technology assets including
devices and software. As part of an IT asset management system, an organization
specifies the acceptable IT assets that meet its objectives. This practice
effectively reduces the different asset types. For example, an organization will
only install applications that meet its guidelines. When administrators eliminate
applications that do not meet the guidelines, they are effectively increasing
security.

Asset standards identify specific hardware and software products that the
organization uses and supports. When a failure occurs, prompt action helps to
maintain both access and security. If an organization does not standardize its
hardware selection, personnel may need to scramble to find a replacement component.
Non-standard environments require more expertise to manage and they increase the
cost of maintenance contracts and inventory.

Threat Identification
The United States Computer Emergency Readiness Team (US-CERT) and the U.S.
Department of Homeland Security sponsor a dictionary of common vulnerabilities and
exposure (CVE). CVE contains a standard identifier number with a brief description,
and references to related vulnerability reports and advisories. The MITRE
Corporation maintains the CVE List and its public website.

Threat identification begins with the process of creating a CVE Identifier for
publicly known cybersecurity vulnerabilities. Each CVE Identifier includes the
following:

The CVE Identifier number

A brief description of the security vulnerability
Any important references

Risk Analysis
Risk analysis is the process of analyzing the dangers posed by natural and human-
caused events to the assets of an organization.

A user performs an asset identification to help determine which assets to protect.

A risk analysis has four goals:

Identify assets and their value

Identify vulnerabilities and threats
Quantify the probability and impact of the identified threats
Balance the impact of the threat against the cost of the countermeasure
There are two approaches to risk analysis.

Quantitative Risk Analysis

A quantitative analysis assigns numbers to the risk analysis process (Figure 1).
The asset value is the replacement cost of the asset. The value of an asset can
also be measured by the income gained through use of the asset. The exposure factor
(EF) is a subjective value expressed as a percentage that an asset loses due to a
particular threat. If a total loss occurs, the EF equals 1.0 (100%). In the
quantitative example, the server has an asset value of $15,000. When the server
fails, a total loss occurs (the EF equals 1.0). The asset value of $15,000
multiplied by the exposure factor of 1 results in a single loss expectancy of
$15,000.
The annualized rate of occurrence (ARO) is the probability that a loss will occur
during the year (also expressed as a percentage). An ARO can be greater than 100%
if a loss can occur more than once a year.

The calculation of the annual loss expectancy (ALE) gives management some guidance
on what it should spend to protect the asset.

Qualitative Risk Analysis

Qualitative Risk Analysis uses opinions and scenarios. Figure 2 provides an example
of table used in qualitative risk analysis, which plots the likelihood of a threat
against its impact. For example, the threat of a server failure may be likely, but
its impact may only be marginal.

A team evaluates each threat to an asset and plots it in the table. The team ranks
the results and uses the results as a guide. They may determine to take action on
only threats that fall within the red zone.

The numbers used in the table do not directly relate to any aspect of the analysis.
For example, a catastrophic impact of 4 is not twice as bad as a marginal impact of
2. This method is subjective in nature.

Mitigation
Mitigation involves reducing the severity of the loss or the likelihood of the loss
from occurring. Many technical controls mitigate risk including authentication
systems, file permissions, and firewalls. Organization and security professionals
must understand that risk mitigation can have both positive and negative impact on
the organization. Good risk mitigation finds a balance between the negative impact
of countermeasures and controls and the benefit of risk reduction. There are four
common ways to reduce risk:

Accept the risk and periodically re-assess

Reduce the risk by implementing controls
Avoid the risk by totally changing the approach
Transfer the risk to a third party
A short-term strategy is to accept the risk necessitating the creation of
contingency plans for that risk. People and organizations have to accept risk on a
daily basis. Modern methodologies reduce risk by developing software incrementally
and providing regular updates and patches to address vulnerabilities and
misconfigurations.

Outsourcing services, purchasing insurance, or purchasing maintenance contracts are

all examples of risk transfer. Hiring specialists to perform critical tasks to
reduce risk can be a good decision and yield greater results with less long term
investment. A good risk mitigation plan can include two or more strategies.

Defense in Depth

Layering
Defense in depth will not provide an impenetrable cyber shield, but it will help an
organization minimize risk by keeping it one-step ahead of cyber criminals.

If there is only one defense in place to protect data and information, cyber
criminals have only to get around that single defense. To make sure data and
information remains available, an organization must create different layers of
protection.

A layered approach provides the most comprehensive protection. If cyber criminals

penetrate one layer, they still have to contend with several more layers with each
layer being more complicated than the previous.

Layering is creating a barrier of multiple defenses that coordinate together to

prevent attacks. For example, an organization might store its top secret documents
on a server in a building surrounded by an electronic fence.

Limiting
Limiting access to data and information reduces the possibility of a threat. An
organization should restrict access so that users only have the level of access
required to do their job. For example, the people in the marketing department do
not need access to payroll records to perform their jobs.

Technology-based solutions such as using file permissions are one way to limit
access; an organization should also implement procedural measures. A procedure
should be in place that prohibits an employee from removing sensitive documents
from the premises.

Diversity
If all of the protected layers were the same, it would not be very difficult for
cyber criminals to conduct a successful attack. Therefore, the layers must be
different. If cyber criminals penetrate one layer, the same technique will not work
on all of the other layers. Breaching one layer of security does not compromise the
whole system. An organization may use different encryption algorithms or
authentication systems to protect data in different states.

To accomplish the goal of diversity, organizations can use security products

manufactured by different companies for multifactor authentication. For example,
the server containing the top secret documents is in a locked room that requires a
swipe card from one company and biometric authentication supplied by another
company.

Obscurity
Obscuring information can also protect data and information. An organization should
not reveal any information that cyber criminals can use to figure out what version
of the operating system a server is running or the type of equipment it uses. For
example, error messages should not contain any details that cyber criminals could
use to determine what vulnerabilities are present. Concealing certain types of
information makes it more difficult for cyber criminals to attack a system.

Simplicity
Complexity does not necessarily guarantee security. If an organization implements
complex systems that are hard to understand and troubleshoot, it may actually
backfire. If employees do not understand how to configure a complex solution
properly, it may make it just as easy for cyber criminals to compromise those
systems. To maintain availability, a security solution should be simple from the
inside, but complex on the outside.
Redundancy

Single Points of Failure

A single point of failure is a critical operation within the organization. Other
operations may rely on it and failure halts this critical operation. A single point
of failure can be a special piece of hardware, a process, a specific piece of data,
or even an essential utility. Single points of failure are the weak links in the
chain that can cause disruption of the organization's operations. Generally, the
solution to a single point of failure is to modify the critical operation so that
it does not rely on a single element. The organization can also build redundant
components into the critical operation to take over the process should one of these
points fail.

N+1 Redundancy
N+1 redundancy ensures system availability in the event of a component failure.
Components (N) need to have at least one backup component (+1). For example, a car
has four tires (N) and a spare tire in the trunk in case of a flat (+1).

In a data center, N+1 redundancy means that the system design can withstand the
loss of a component. The N refers to many different components that make up the
data center including servers, power supplies, switches, and routers. The +1 is the
additional component or system that is standing by ready to go if needed.

An example of N+1 redundancy in a data center is a power generator that comes

online when something happens to the main power source. Although an N+1 system
contains redundant equipment, it is not a fully redundant system.

RAID
A redundant array of independent disks (RAID) combines multiple physical hard
drives into a single logical unit to provide data redundancy and improve
performance. RAID takes data that is normally stored on a single disk and spreads
it out among several drives. If any single disk is lost, the user can recover data
from the other disks where the data also resides.

RAID can also increase the speed of data recovery. Using multiple drives will be
faster retrieving requested data instead of relying on just one disk to do the
work.

A RAID solution can be either hardware-based or software-based. A hardware-based

solution requires a specialized hardware controller on the system that contains the
RAID drives. The following terms describe how RAID stores data on the various
disks:

Parity - Detects data errors.

Striping - Writes data across multiple drives.
Mirroring - Stores duplicate data on a second drive.
There are several levels of RAID available as shown in the figure.

Spanning Tree
Redundancy increases the availability of the infrastructure by protecting the
network from a single point of failure, such as a failed network cable or a failed
switch. When designers build physical redundancy in to a network, loops and
duplicate frames occur. Loops and duplicate frames have severe consequences for a
switched network.

Spanning Tree Protocol (STP) addresses these issues. The basic function of STP is
to prevent loops on a network when switches interconnect via multiple paths. STP
ensures that redundant physical links are loop-free. It ensures that there is only
one logical path between all destinations on the network. STP intentionally blocks
redundant paths that could cause a loop.

Blocking the redundant paths is critical to preventing loops on the network. The
physical paths still exist to provide redundancy, but STP disables these paths to
prevent the loops from occurring. If a network cable or switch fails, STP
recalculates the paths and unblocks the necessary ports to allow the redundant path
to become active.

PC1 sends a broadcast out onto the network.

The trunk link between S2 and S1 fails, resulting in disruption of the original
path.
S2 unblocks the previously blocked port for Trunk2 and allows the broadcast traffic
to traverse the alternate path around the network, permitting communication to
continue.
If the link between S2 and S1 comes back up, STP again blocks the link between S2
and S3.

Router Redundancy
The default gateway is typically the router that provides devices access to the
rest of the network or to the Internet. If there is only one router serving as the
default gateway, it is a single point of failure. The organization can choose to
install an additional standby router.

In Figure 1, the forwarding router and the standby router use a redundancy protocol
to determine which router should take the active role in forwarding traffic. Each
router is configured with a physical IP address and a virtual router IP address.
End devices use the virtual IP address as the default gateway. The forwarding
router is listening for traffic addressed to 192.0.2.100. The forwarding router and
the standby router use their physical IP addresses to send periodic messages. The
purpose of these messages is to make sure both are still online and available. If
the standby router no longer receives these periodic messages from the forwarding
router, the standby router will assume the forwarding role.

The ability of a network to dynamically recover from the failure of a device acting
as a default gateway is known as first-hop redundancy.

Router Redundancy Options

The following list defines the options available for router redundancy based on the
protocol that defines communication between network devices:

Hot Standby Router Protocol (HSRP) - HSRP provides high network availability by
providing first-hop routing redundancy. A group of routers use HSRP for selecting
an active device and a standby device. In a group of device interfaces, the active
device is the device that routes packets; the standby device is the device that
takes over when the active device fails. The function of the HSRP standby router is
to monitor the operational status of the HSRP group and to quickly assume packet-
forwarding responsibility if the active router fails.
Virtual Router Redundancy Protocol (VRRP) - A VRRP router runs the VRRP protocol in
conjunction with one or more other routers attached to a LAN. In a VRRP
configuration, the elected router is the virtual router master, and the other
routers act as backups, in case the virtual router master fails.

Gateway Load Balancing Protocol (GLBP) - GLBP protects data traffic from a failed
router or circuit, like HSRP and VRRP, while also allowing load balancing (also
called load sharing) between a group of redundant routers.

Location Redundancy
An organization may need to consider location redundancy depending on its needs.
The following outlines three forms of location redundancy.

Synchronous
Synchronizes both locations in real time
Requires high bandwidth
Locations must be close together to reduce latency

Asynchronous Replication
Not synchronized in real time but close to it
Requires less bandwidth
Sites can be further apart because latency is less of an issue

Point-in-time-Replication
Updates the backup data location periodically
Most bandwidth conservative because it does not require a constant connection
The correct balance between cost and availability will determine the correct choice
for an organization.

System Resilience
Resiliency is the methods and configurations used to make a system or network
tolerant of failure. For example, a network can have redundant links between
switches running STP. Although STP does provide an alternate path through the
network if a link fails, the switchover may not be immediate if the configuration
is not optimal.

Routing protocols also provide resiliency, but fine-tuning can improve the
switchover so that network users do not notice. Administrators should investigate
non-default settings in a test network to see if they can improve network recovery
times.

Resilient design is more than just adding redundancy. It is critical to understand

the business needs of the organization, and then incorporate redundancy to create a
resilient network.

Application Resilience
Application resilience is the application�s ability to react to problems in one of
its components while still functioning. Downtime is due to failures caused by
application errors or infrastructure failures. An administrator will eventually
need to shut down applications for patching, version upgrades, or to deploy new
features. Downtime can also be the result of data corruption, equipment failures,
application errors, and human errors.

Many organizations try to balance out the cost of achieving the resiliency of
application infrastructure with the cost of losing customers or business due to an
application failure. Application high availability is complex and costly. The
figure shows three availability solutions to address application resilience. As the
availability factor of each solution increases, the complexity and cost also
increase.

IOS Resilience
The Interwork Operating System (IOS) for Cisco routers and switches include a
resilient configuration feature. It allows for faster recovery if someone
maliciously or unintentionally reformats flash memory or erases the startup
configuration file. The feature maintains a secure working copy of the router IOS
image file and a copy of the running configuration file. The user cannot remove
these secure files also known as the primary bootset.

The commands shown in the figure secure the IOS image and running configuration
file.

Incident Response

Phases
Preparation
Incident response is the procedures that an organization follows after an event
occurs outside the normal range. A data breach releases information to an untrusted
environment. A data breach can occur as the result of an accidental or intentional
act. A data breach occurs anytime an unauthorized person copies, transmits, views,
steals, or accesses sensitive information.

When an incident occurs, the organization must know how to respond. An organization
needs to develop an incident response plan and put together a Computer Security
Incident Response Team (CSIRT) to manage the response. The team performs the
following functions:

Maintains the incident response plan

Ensures its members are knowledgeable about the plan
Tests the plan
Gets management�s approval of the plan
The CSIRT can be an established group within the organization or an ad hoc one. The
team follows a set of predetermined steps to make sure that their approach is
uniform and that they do not skip any steps. National CSIRTs oversee incident
handling for a country.

Detection and Analysis

Detection starts when someone discovers the incident. Organizations can purchase
the most sophisticated detection systems; however, if administrators do not review
the logs and monitor alerts, these systems are worthless. Proper detection includes
how the incident occurred, what data it involved, and what systems it involved.
Notification of the breach goes out to senior management and managers responsible
for the data and systems to involve them in the remediation and repair. Detection
and analysis includes the following:

Alerts and notifications

Monitoring and follow-up
Incident analysis helps to identify the source, extent, impact, and details of a
data breach. The organization may need to decide if it needs to call in a team of
experts to conduct the forensics investigation.
Containment and Eradication, and Recovery
Containment efforts include the immediate actions performed such as disconnecting a
system from the network to stop the information leak.

After identifying the breach, the organization needs to contain and eradicate it.
This may require additional downtime for systems. The recovery stage includes the
actions that the organization needs to take in order to resolve the breach and
restore the systems involved. After remediation, the organization needs to restore
all systems to their original state before the breach.

Post-Incident Follow-Up
After restoring all operations to a normal state, the organization should look at
the cause of the incident and ask the following questions:

What actions will prevent the incident from reoccurring?

What preventive measures need strengthening?
How can it improve system monitoring?
How can it minimize downtime during the containment, eradication, and recovery
phases?
How can management minimize the impact to the business?
A look at the lessons learned can help the organization to better prepare by
improving upon its incident response plan.

Incident Response Technologies

Network Admission Control

The purpose of Network Admission Control (NAC) allows authorized users with
compliant systems access to the network. A compliant system meets all of the policy
requirements of the organization. For example, a laptop that is part of a home
wireless network may not be able to connect remotely to the corporate network. NAC
evaluates an incoming device against the policies of the network. NAC also
quarantines the systems that do not comply and manages the remediation of
noncompliant systems.

A NAC framework can use the existing network infrastructure and third-party
software to enforce the security policy compliance for all endpoints. Alternately,
a NAC appliance controls network access, evaluates compliance, and enforces
security policy. Common NAC systems checks include:

1. Updated virus detection

2. Operating systems patches and updates

3. Complex password enforcement

Intrusion Detection Systems

Intrusion Detection Systems (IDSs) passively monitor the traffic on a network. The
figure shows that an IDS-enabled device copies the traffic stream and analyzes the
copied traffic rather than the actual forwarded packets. Working offline, it
compares the captured traffic stream with known malicious signatures, similar to
software that checks for viruses. Working offline means several things:

IDS works passively

IDS device is physically positioned in the network so that traffic must be mirrored
in order to reach it
Network traffic does not pass through the IDS unless it is mirrored
Passive means that the IDS monitors and reports on traffic. It does not take any
action. This is the definition of operating in promiscuous mode.

The advantage of operating with a copy of the traffic is that the IDS does not
negatively affect the packet flow of the forwarded traffic. The disadvantage of
operating on a copy of the traffic is that the IDS cannot stop malicious single-
packet attacks from reaching the target before responding to the attack. An IDS
often requires assistance from other networking devices, such as routers and
firewalls, to respond to an attack.

A better solution is to use a device that can immediately detect and stop an
attack. An Intrusion Prevention System (IPS) performs this function.

Intrusion Prevention Systems

An IPS builds upon IDS technology. However, an IPS device operates in inline mode.
This means that all incoming and outgoing traffic must flow through it for
processing. As shown in the figure, an IPS does not allow packets to enter the
trusted side of the network unless it has analyzed the packets. It can detect and
immediately address a network problem.

An IPS monitors network traffic. It analyzes the contents and the payload of the
packets for more sophisticated embedded attacks that might include malicious data.
Some systems use a blend of detection technologies, including signature-based,
profile-based, and protocol analysis-based intrusion detection. This deeper
analysis enables the IPS to identify, stop, and block attacks that would pass
through a traditional firewall device. When a packet comes in through an interface
on an IPS, the outbound or trusted interface does not receive that packet until the
IPS analyzes the packet.

The advantage of operating in inline mode is that the IPS can stop single-packet
attacks from reaching the target system. The disadvantage is that a poorly
configured IPS can negatively affect the packet flow of the forwarded traffic.

The biggest difference between IDS and IPS is that an IPS responds immediately and
does not allow any malicious traffic to pass, whereas an IDS allows malicious
traffic to pass before addressing the problem.

NetFlow and IPFIX

NetFlow is a Cisco IOS technology that provides statistics on packets flowing
through a Cisco router or multilayer switch. NetFlow is the standard for collecting
operational data from networks. The Internet Engineering Task Force (IETF) used
Cisco�s NetFlow Version 9 as the basis for IP Flow Information Export (IPFIX).

IPFIX is a standard format for exporting router-based information about network

traffic flows to data collection devices. IPFIX works on routers and management
applications that support the protocol. Network managers can export network traffic
information from a router and use this information to optimize network performance.

Applications that support IPFIX can display statistics from any router that
supports the standard. Collecting, storing, and analyzing the aggregated
information provided by IPFIX supported devices provides the following benefits:

Secures the network against internal and external threats

Troubleshoots network failures quickly and precisely
Analyzes network flows for capacity planning
Advanced Threat Intelligence
Advanced threat intelligence can help organizations detect attacks during one of
the stages of the cyberattack and sometimes before with the right information.

Organizations may be able to detect indicators of attack in its logs and system
reports for the following security alerts:

Account lockouts
All database events
Asset creation and deletion
Configuration modification to systems
Advanced threat intelligence is a type of event or profile data that can contribute
to security monitoring and response. As the cyber criminals become more
sophisticated, it is important to understand the malware maneuvers. With improved
visibility into attack methodologies, an organization can respond more quickly to
incidents.

Disaster Recovery

Types of Disasters
It is critical to keep an organization functioning when a disaster occurs. A
disaster includes any natural or human-caused event that damages assets or property
and impairs the ability for the organization to continue operating.

Natural Disasters

Natural disasters differ depending on location. Some of these events are difficult
to predict. Natural disasters fall into the following categories:

Geological disasters include earthquakes, landslides, volcanoes, and tsunamis

Meteorological disasters include hurricanes, tornadoes, snow storms, lightning, and
hail
Health disasters include widespread illnesses, quarantines, and pandemics
Miscellaneous disasters include fires, floods, solar storms, and avalanches
Human-caused Disasters

Human-caused disasters involve people or organizations and fall into the following
categories:
Labor events include strikes, walkouts, and slowdowns
Social-political events include vandalism, blockades, protests, sabotage,
terrorism, and war
Materials events include hazardous spills and fires
Utilities disruptions include power failures, communication outages, fuel
shortages, and radioactive fallout

Disaster Recovery Plan

An organization puts its disaster recovery plan (DRP) into action while the
disaster is ongoing and employees are scrambling to ensure critical systems are
online. The DRP includes the activities the organization takes to assess, salvage,
repair, and restore damaged facilities or assets.

To create the DRP, answer the following questions:

Who is responsible for this process?

What does the individual need to perform the process?
Where does the individual perform this process?
What is the process?
Why is the process critical?
A DRP needs to identify which processes in the organization are the most critical.
During the recovery process, the organization restores its mission critical systems
first.

Implementing Disaster Recovery Controls

Disaster recovery controls minimize the effects of a disaster to ensure that
resources and business processes can resume operation.

There are three types of IT disaster recovery controls:

Preventive measures include controls that prevent a disaster from occurring. These
measures seek to identify risks.
Keeping data backed up
Keeping data backups off-site
Using surge protectors
Installing generators

Detective measures include controls that discover unwanted events. These measures
uncover new potential threats.
Using up-to-date antivirus software
Installing server and network monitoring software

Corrective measures include controls that restore the system after a disaster or an
event.
Keeping critical documents in the disaster recovery plan.

Need for Business Continuity

Business continuity is one of the most important concepts in computer security.
Even though companies do whatever they can to prevent disasters and loss of data,
it is impossible to predict every possible scenario. It is important for companies
to have plans in place that ensure business continuity regardless of what may
occur. A business continuity plan is a broader plan than a DRP because it includes
getting critical systems to another location while repair of the original facility
is under way. Personnel continue to perform all business processes in an alternate
manner until normal operations resume.

Availability ensures that the resources required to keep the organization going
will continue to be available to the personnel and the systems that rely on them.

Business Continuity Considerations

Business continuity controls are more than just backing up data and providing
redundant hardware. Organizations need employees to properly configure and operate
systems. Data can be useless until it provides information. An organization should
look at the following:
Getting the right people to the right places
Documenting configurations
Establishing alternate communications channels for both voice and data
Providing power
Identifying all dependencies for applications and processes so that they are
properly understood
Understanding how to carry out automated tasks manually.

Business Continuity Best Practices

As shown in the figure, the National Institute of Standards and Technology (NIST)
developed the following best practices:
1. Write a policy that provided guidance to develop the business continuity plan
and assigns roles to carry out the tasks.

2. Identify critical systems and processes and prioritize them based on necessity.

3. Identify vulnerabilities, threats, and calculate risks.

4. Identify and implement controls and countermeasures to reduce risk.

5. Devise methods to bring back critical systems quickly.

6. Write procedures to keep the organization functioning in a chaotic state.

7. Test the plan.

8. Update the plan regularly.

Protecting a Cybersecurity Domain

Protecting your domain is an on-going process to secure an organization�s network
infrastructure. It requires that individuals remain constantly vigilant to threats
and take action to prevent any compromises. This chapter discusses the
technologies, processes and procedures that cybersecurity professionals use to
defend the systems, devices, and data that make up the network infrastructure.

A secure network is only as strong as its weakest link. It is important to secure

the end devices that reside on the network. Endpoint security includes securing the
network infrastructure devices on the local-area network (LAN) and end systems,
such as workstations, servers, IP phones, and access points.

Device hardening is a critical task when securing the network. It involves

implementing proven methods of physically securing network devices. Some of these
methods involve securing administrative access, maintaining passwords, and
implementing secure communications.

Methods of Defending System and Devices

Host Hardening

Operating System Security

The operating system plays a critical role in the operation of a computer system
and is the target of many attacks. The security of the operating system has a
cascading effect on the overall security of a computer system.

An administrator hardens an operating system by modifying the default configuration

to make it more secure to outside threats. This process includes the removal of
unnecessary programs and services. Another critical requirement of hardening
operating systems is the application of security patches and updates. Security
patches and updates are fixes which companies release in an effort to mitigate
vulnerability and correct faults in their products.

An organization should have a systematic approach in place for addressing system

updates by:

Establishing procedures for monitoring security-related information

Evaluating updates for applicability
Planning the installation of application updates and patches
Installing updates using a documented plan
Another critical requirement of securing operating systems is to identify potential
vulnerabilities. This can be accomplished by establishing a baseline. Establishing
a baseline enables the administrator to do a comparison of how a system is
performing versus its baseline expectations.

Microsoft Baseline Security Analyzer (MBSA) assesses missing security updates and
security misconfigurations in Microsoft Windows. MBSA checks blank, simple, or non-
existent passwords, firewall settings, guest account status, administrator account
details, security event auditing, unnecessary services, network shares, and
registry settings. After hardening the operating system, the administrator creates
the policies and procedures to maintain a high level of security.

Antimalware
Malware includes viruses, worms, Trojan horses, keyloggers, spyware, and adware.
They all invade privacy, steal information, damage the system, or delete and
corrupt data.

It is important to protect computers and mobile devices using reputable antimalware

software. The following types of antimalware programs are available:

Antivirus protection - Program continuously monitors for viruses. When it detects a

virus, the program warns the user, and it attempts to quarantine or delete the
virus.
Adware protection � Program continuously looks for programs that display
advertising on a computer.
Phishing protection � Program blocks the IP addresses of known phishing websites
and warns the user about suspicious sites.
Spyware protection � Program scans for keyloggers and other spyware.
Trusted / untrusted sources � Program warns the user about unsafe programs trying
to install or unsafe websites before a user visits them.
It may take several different programs and multiple scans to remove all malicious
software completely. Run only one malware protection program at a time.

Several reputable security organizations such as McAfee, Symantec, and Kaspersky

offer all-inclusive malware protection for computers and mobile devices.

Be cautious of malicious rogue antivirus products that may appear while browsing
the Internet. Most of these rogue antivirus products display an ad or pop-up that
looks like an actual Windows warning window. They usually state that malware is
infecting the computer and prompts the user to clean it. Clicking anywhere inside
the window may actually begin the download and installation of the malware.

Unapproved, or non-compliant, software is not just software that a user

unintentionally installs on a computer. It can also come from users that meant to
install it. It may not be malicious, but it still may violate security policy. This
type of non-compliant system can interfere with company software, or network
services. Users must remove unapproved software immediately.

Patch Management
Patches are code updates that manufacturers provide to prevent a newly discovered
virus or worm from making a successful attack. From time to time, manufacturers
combine patches and upgrades into a comprehensive update application called a
service pack. Many devastating virus attacks could have been much less severe if
more users had downloaded and installed the latest service pack.

Windows routinely checks the Windows Update website for high-priority updates that
can help protect a computer from the latest security threats. These updates include
security updates, critical updates, and service packs. Depending on the setting
configured, Windows automatically downloads and installs any high-priority updates
that the computer needs or notifies the user as these updates become available.

Some organizations may want to test a patch before deploying it throughout the
organization. The organization would use a service to manage patches locally
instead of using the vendor�s online update service. The benefits of using an
automated patch update service include the following:

Administrators can approve or decline updates

Administrators can force the update of systems for a specific date
Administrators can obtain reports on the update needed by each system
Each computer does not have to connect to the vendor�s service to download patches;
a system gets the update from a local server
Users cannot disable or circumvent updates
An automated patch service provides administrators with a more controlled setting.

Host-Based Firewalls and Intrusion Detection Systems

A host-based solution is a software application that runs on a local host computer
to protect it. The software works with the operating system to help prevent
attacks.

Host-based Firewalls

A software firewall is a program that runs on a computer to allow or deny traffic

between the computer and other connected computers. The software firewall applies a
set of rules to data transmissions through inspection and filtering of data
packets. Windows Firewall is an example of a software firewall. The Windows
operating system installs it by default during installation.

The user can control the type of data sent to and from the computer by opening or
blocking selected ports. Firewalls block incoming and outgoing network connections,
unless exceptions are defined to open and close the ports required by a program.

Host Intrusion Detection Systems

A host intrusion detection system (HIDS) is software that runs on a host computer
that monitors suspicious activity. Each server or desktop system that requires
protection will need to have the software installed. HIDS monitors system calls and
file system access to ensure that the requests are not the result of malicious
activity. It can also monitor system registry settings. The registry maintains
configuration information about the computer.

HIDS stores all log data locally. It can also affect system performance because it
is resource intensive. A host intrusion detection system cannot monitor any network
traffic that does not reach the host system, but it does monitor operating system
and critical system processes specific to that host.

Secure Communications
When connecting to the local network and sharing files, the communication between
computers remains within that network. Data remains secure because it is off other
networks and off the Internet. To communicate and share resources over a network
that is not secure, users employ a Virtual Private Network (VPN).

A VPN is a private network that connects remote sites or users together over a
public network, like the Internet. The most common type of VPN accesses a corporate
private network. The VPN uses dedicated secure connections, routed through the
Internet, from the corporate private network to the remote user. When connected to
the corporate private network, users become part of that network and have access to
all services and resources as if they physically connected to the corporate LAN.

Remote-access users must have a VPN client installed on their computers to form a
secure connection with the corporate private network. The VPN client software
encrypts data before sending it over the Internet to the VPN gateway at the
corporate private network. VPN gateways establish, manage, and control VPN
connections, also known as VPN tunnels.

Operating systems include a VPN client that the user configures for a VPN
connection.

Hardening Wireless and Mobile Devices

WEP
One of the most important components of modern computing are mobile devices. The
majority of devices found on today�s networks are laptops, tablets, smart phones
and other wireless devices. Mobile devices transmit data using radio signals that
any device with a compatible antenna can receive. For this reason the computer
industry has developed a suite of wireless or mobile security standards, products
and devices. These standards encrypt information transmitted through the airwaves
by mobile devices.

Wired Equivalent Privacy (WEP) is one of the first and widely used Wi-Fi security
standards. The WEP standard provides authentication and encryption protections. The
WEP standards are obsolete but many devices still support WEP for backwards
compatibility. The WEP standard became a Wi-Fi security standard in 1999 when
wireless communication was just catching on. Despite revisions to the standard and
an increased key size, WEP suffered from numerous security weaknesses. Cyber
criminals can crack WEP passwords in minutes using freely available software.
Despite improvements, WEP remains highly vulnerable and users should upgrade
systems that rely on WEP.

WPA/WPA2
The next major improvement to wireless security was the introduction of WPA and
WPA2. Wi-Fi Protected Access (WPA) was the computer industry�s response to the
weakness of the WEP standard. The most common WPA configuration is WPA-PSK (Pre-
Shared Key). The keys used by WPA are 256-bit, a significant increase over the 64-
bit and 128-bit keys used in the WEP system.

The WPA standard provided several security improvements. First, WPA provided
message integrity checks (MIC) which could detect if an attacker had captured and
altered data passed between the wireless access point and a wireless client.
Another key security enhancement was Temporal Key Integrity Protocol (TKIP). The
TKIP standard provided the ability to better handle, protect and change encryption
keys. Advanced Encryption Standard (AES) superseded TKIP for even better key
management and encryption protection.

WPA, like its predecessor WEP, included several widely recognized vulnerabilities.
As a result, the release of Wi-Fi Protected Access II (WPA2) standard happened in
2006. One of the most significant security improvements from WPA to WPA2 was the
mandatory use of AES algorithms and the introduction of Counter Cipher Mode with
Block Chaining Message Authentication Code Protocol (CCM) as a replacement for
TKIP.

Mutual Authentication
One of the great vulnerabilities of wireless networks is the use of rogue access
points. Access points are the devices that communicate with the wireless devices
and connect them back to the wired network. Any device that has a wireless
transmitter and hardwired interface to a network can potentially act as a rouge or
unauthorized access point. The rouge access point can imitate an authorized access
point. The result is that wireless devices on the wireless network establish
communication with the rouge access point instead of the authorized access point.

The imposter can receive connection requests, copy the data in the request and
forward the data to the authorized network access point. This type of man-in-the-
middle attack is very difficult to detect and can result in stolen login
credentials and transmitted data. To prevent rouge access points, the computer
industry developed mutual authentication. Mutual authentication, also called two-
way authentication, is a process or technology in which both entities in a
communications link authenticate to each other. In a wireless network environment,
the client authenticates to the access point and the access point authenticates the
client. This improvement enabled clients to detect rouge access points before
connecting to the unauthorized device.

Host Data Protection

File Access Control

Permissions are rules configured to limit folder or file access for an individual
or for a group of users. The figure lists the permissions that are available for
files and folders.

Principle of Least Privilege

Users should be limited to only the resources they need on a computer system or on
a network. For example, they should not be able to access all files on a server if
they only need access to a single folder. It may be easier to provide users access
to the entire drive, but it is more secure to limit access to only the folder that
they need to perform their job. This is the principle of least privilege. Limiting
access to resources also prevents malicious programs from accessing those resources
if the user�s computer becomes infected.

Restricting User Permissions

If an administrator denies permissions to a network share for an individual or a

group, this denial overrides any other permission settings. For example, if the
administrator denies someone permission to a network share, the user cannot access
that share, even if the user is the administrator or part of the administrator
group. The local security policy must outline which resources and the type of
access allowed for each user and group.

When a user changes the permissions of a folder, she has the option to apply the
same permissions to all sub-folders. This is permission propagation. Permission
propagation is an easy way to apply permissions to many files and folders quickly.
After parent folder permissions have been set, folders and files created inside the
parent folder inherit the permissions of the parent folder.

In addition, the location of the data and the action performed on the data
determine the permission propagation:

Data moved to the same volume will keep the original permissions
Data copied to the same volume will inherit new permissions
Data moved to a different volume will inherit new permissions
Data copied to a different volume will inherit new permission

File Encryption
Encryption is a tool used to protect data. Encryption transforms data using a
complicated algorithm to make it unreadable. A special key returns the unreadable
information back into readable data. Software programs encrypt files, folders, and
even entire drives.

Encrypting File System (EFS) is a Windows feature that can encrypt data. The
Windows implementation of EFS links it directly to a specific user account. Only
the user that encrypted the data will be able to access the encrypted files or
folders.

A user can also choose to encrypt an entire hard drive in Windows using a feature
called BitLocker. To use BitLocker, at least two volumes must be present on a hard
disk.

Before using BitLocker, the user needs to enable Trusted Platform Module (TPM) in
the BIOS. The TPM is a specialized chip installed on the motherboard. The TPM
stores information specific to the host system, such as encryption keys, digital
certificates, and passwords. Applications, like BitLocker, that use encryption can
make use of the TPM chip. Click TPM Administration to view the TPM details, as
shown in the Figure.

BitLocker To Go encrypts removable drives. BitLocker To Go does not use a TPM chip,
but still provides encryption for the data and requires a password.

System and Data Backups

An organization can lose data if cyber criminals steal it, equipment fails, or a
disaster occurs. For this reason, it is important to perform a data backup
regularly.

A data backup stores a copy of the information from a computer to removable backup
media. The operator stores the backup media in a safe place. Backing up data is one
of the most effective ways of protecting against data loss. If the computer
hardware fails, the user can restore the data from the backup once the system is
functional.

The organization�s security policy should include data backups. Users should
perform data backups on a regular basis. Data backups are usually stored offsite to
protect the backup media if anything happens to the main facility.

These are some considerations for data backups:

Frequency - Backups can take a long time. Sometimes it is easier to make a full
backup monthly or weekly, and then do frequent partial backups of any data that has
changed since the last full backup. However, having many partial backups increases
the amount of time needed to restore the data.
Storage - For extra security, transport backups to an approved offsite storage
location on a daily, weekly, or monthly rotation, as required by the security
policy.
Security � Protect backups with passwords. The operator then enters the password
before restoring the data on the backup media.
Validation - Always validate backups to ensure the integrity of the data.

Images and Content Control

Content Screening and Blocking

Content control software restricts the content that a user can access using a web
browser over the Internet. Content control software can block sites that contain
certain types of material such as pornography or controversial religious or
political content. A parent may implement content control software on the computer
used by a child. Libraries and schools also implement the software to prevent
access to content considered objectionable.

An administrator can implement the following types of filters:

Browser-based filters through a third-party browser extension

Email filters through a client- or server-based filter
Client-side filters installed on a specific computer
Router-based content filters that block traffic from entering the network
Appliance-based content filtering similar to router based
Cloud-based content filtering
Search engines such as Google offers the option of turning on a safety filter to
exclude inappropriate links from search results.

Disk Cloning and Deep Freeze

Many third-party applications are available to restore a system back to a default
state. This allows the administrator to protect the operating system and
configuration files for a system.

Disk cloning copies the contents of the computer�s hard disk to an image file. For
example, an administrator creates the required partitions on a system, formats the
partition, and then installs the operating system. She installs all required
application software and configures all hardware. The administrator then uses disk-
cloning software to create the image file. The administrator can use the cloned
image as follows:

To automatically wipe a system and restore a clean master image

To deploy new computers within the organization
To provide a full system backup

Deep Freeze �freezes� the hard drive partition. When a user restarts the system,
the system reverts to its frozen configuration. The system does not save any
changes that the user makes, so any applications installed or files saved are lost
when the system restarts.

If the administrator needs to change the system�s configuration, she must first
�thaw� the protected partition by disabling Deep Freeze. After making the changes,
she must re-enable the program. The administrator can configure Deep Freeze to
restart after a user logs out, shuts down after a period of inactivity, or shuts
down at a scheduled time.

These products do not offer real-time protection. A system remains vulnerable until
the user or a scheduled event restarts the system. A system infected with malicious
code though, gets a fresh start as soon as the system restarts.

Physical Protection of Workstations

Security Cables and Locks

There are several methods of physically protecting computer equipment:

Use cable locks with equipment.

Keep telecommunication rooms locked.
Use security cages around equipment.
Many portable devices and expensive computer monitors have a special steel bracket
security slot built in to use in conjunction with cable locks.

The most common type of door lock is a standard keyed entry lock. It does not
automatically lock when the door closes. Additionally, an individual can wedge a
thin plastic card such as a credit card between the lock and the door casing to
force the door open. Door locks in commercial buildings are different from
residential door locks. For additional security, a deadbolt lock provides extra
security. Any lock that requires a key, though, poses a vulnerability if the keys
are lost, stolen, or duplicated.

A cipher lock, uses buttons that a user presses in a given sequence to open the
door. It is possible to program a cipher lock. This means that a user�s code may
only work during certain days or certain times. For example, a cipher lock may only
allow Bob access to the server room between the hours of 7 a.m. and 6 p.m. Monday
through Friday. Cipher locks can also keep a record of when the door opened, and
the code used to open it.

Logout Timers
An employee gets up and leaves his computer to take a break. If the employee does
not take any action to secure his workstation, any information on that system is
vulnerable to an unauthorized user. An organization can take the following measures
to deter unauthorized access:

Idle Timeout and Screen Lock

Employees may or may not log out of their computer when they leave the workplace.
Therefore, it is a security best practice to configure an idle timer that will
automatically log the user out and lock the screen after a specified period. The
user must log back in to unlock the screen.

Login Times

In some situations, an organization may want employees to log in during specific

hours, such as 7 a.m. to 6 p.m. The system blocks logins during the hours that fall
outside of the allowed login hours.

GPS Tracking
The Global Positioning System (GPS) uses satellites and computers to determine the
location of a device. GPS technology is a standard feature on smartphones that
provide real-time position tracking. GPS tracking can pinpoint a location within
100 meters. This technology is available to track children, senior citizens, pets,
and vehicles. Using GPS to locate a cell phone without the user�s permission though
is an invasion of privacy and it is illegal.

Many cell phone apps use GPS tracking to track a phone�s location. For example,
Facebook allows users to check in to a location, which is then visible to people in
their networks.

Inventory and RFID Tags

Radio frequency identification (RFID) uses radio waves to identify and track
objects. RFID inventory systems use tags attached to all items that an organization
wants to track. The tags contain an integrated circuit that connects to an antenna.
RFID tags are small and require very little power, so they do not need a battery to
store information to exchange with a reader. RFID can help automate asset tracking
or wirelessly lock, unlock, or configure electronic devices.

RFID systems operate within different frequencies. Low frequency systems have a
shorter read range and slower data read rates, but are not as sensitive to radio
wave interference caused by liquids and metals that are present. Higher frequencies
have a faster data transfer rate and longer read ranges, but are more sensitive to
radio wave interference.
Methods of Server Hardening

Secure Remote Access

Managing Remote Access

Remote access refers to any combination of hardware and software that enables users
to access a local internal network remotely.

With the Windows operating system, technicians can use Remote Desktop and Remote
Assistance to repair and upgrade computers. Remote Desktop, allows technicians to
view and control a computer from a remote location. Remote Assistance allows
technicians to assist customers with problems from a remote location. Remote
Assistance also allows the customer to view the repair or upgrade in real time on
the screen.

The Windows installation process does not enable remote desktop by default.
Enabling this feature opens port 3389 and could result in a vulnerability if a user
does not need this service.

Telnet, SSH, and SCP

Secure Shell (SSH) is a protocol that provides a secure (encrypted) management
connection to a remote device. SSH should replace Telnet for management
connections. Telnet is an older protocol that uses unsecure plaintext transmission
of both the login authentication (username and password) and the data transmitted
between the communicating devices. SSH provides security for remote connections by
providing strong encryption when a device authenticates (username and password) and
for transmitting data between the communicating devices. SSH uses TCP port 22.
Telnet uses TCP port 23.

In Figure 1, cyber criminals monitor packets using Wireshark.

In Figure 2, cyber criminals capture the username and password of the administrator
from the plaintext Telnet session.

Figure 3 shows the Wireshark view of an SSH session. Cyber criminals track the
session using the IP address of the administrator device.

but in Figure 4, the session encrypts the username and password.

Administrative Measures
Secure copy (SCP) securely transfers computer files between two remote systems. SCP
uses SSH for data transfer (including the authentication element), so SCP ensures
the authenticity and confidentiality of the data in transit.

Securing Ports and Services

Cyber criminals exploit the services running on a system because they know that
most devices run more services or programs than they need. An administrator should
look at every service to verify its necessity and evaluate its risk. Remove any
unnecessary services.
A simple method that many administrators use to help secure the network from
unauthorized access is to disable all unused ports on a switch. For example, if a
switch has 24 ports and there are three Fast Ethernet connections in use, it is
good practice to disable the 21 unused ports.

The process of enabling and disabling ports can be time-consuming, but it enhances
security on the network and is well worth the effort.

Privileged Accounts
Cyber criminals exploit privileged accounts because they are the most powerful
accounts in the organization. Privileged accounts have the credentials to gain
access to systems and they provide elevated, unrestricted access. Administrators
use these accounts to deploy and manage operating systems, applications, and
network devices.

Organization should adopt the following best practices for securing privileged
accounts:

Identify and reduce the number of privileged accounts

Enforce the principle of least privilege
Establish a process for revocation of rights when employees leave or change jobs
Eliminate shared accounts with passwords that do not expire
Secure password storage
Eliminate shared credentials for multiple administrators
Automatically change privileged account passwords every 30 or 60 days
Record privileged sessions
Implement a process to change embedded passwords for scripts and service accounts
Log all user activity
Generate alerts for unusual behavior
Disable inactive privileged accounts
Use multi-factor authentication for all administrative access
Implement a gateway between the end-user and sensitive assets to limit network
exposure to malware
Locking down privileged accounts is critical to the security of the organization.
Securing these accounts needs to be a continuous process. An organization should
evaluate this process to make any required adjustments to improve security.

Group Policies
In most networks that use Windows computers, an administrator configures Active
Directory with Domains on a Windows Server. Windows computers are members of a
domain. The administrator configures a Domain Security Policy that applies to all
computers that join. Account policies are automatically set when a user logs in to
Windows.

When a computer is not part of an Active Directory domain, the user configures
policies through Windows Local Security Policy. In all versions of Windows except
Home edition, enter secpol.msc at the Run command to open the Local Security Policy
tool.

An administrator configures user account policies such as password policies and

lockout policies by expanding Account Policies > Password Policy. With the settings
shown in Figure 1, users must change their passwords every 90 days and use the new
password for at least one (1) day. Passwords must contain eight (8) characters and
three of the following four categories: uppercase letters, lowercase letters,
numbers, and symbols. Lastly, the user can reuse a password after 24 unique
passwords.
An account Lockout Policy locks a computer for a configured duration when too many
incorrect login attempts occur. For example, the policy shown in Figure 2 allows
the user to enter the wrong username and/or password five times. After five
attempts, the account locks users out for 30 minutes. After 30 minutes, the number
of attempts resets to zero and the user can attempt to login again.

More security settings are available by expanding the Local Policies folder. An
Audit Policy creates a security log file used to track the events listed in Figure
3.

Enable Logs and Alerts

A log records all events as they occur. Log entries make up a log file, and a log
entry contains all of the information related to a specific event. Logs that relate
to computer security have grown in importance.

For example, an audit log tracks user authentication attempts, and an access log
provides all of the details on requests for specific files on a system. Monitoring
system logs can determine how an attack occurred and whether the defenses deployed
were successful.

With the increase in the sheer number of log files generated for computer security
purposes, the organization should consider a log management process. Log management
determines the process for generating, transmitting, storing, analyzing, and
disposing of computer security log data.

Operating System Logs

Operating system logs record events that occur because of operational actions
performed by the operating system. System events include the following:

Client requests and server responses such as successful user authentications

Usage information that contains the number and size of transactions in a given
period of time
Security Application Logs

Organizations use network-based or system-based security software to detect

malicious activity. This software generates a security log to provide computer
security data. Logs are useful for performing auditing analysis and identifying
trends and long-term problems. Logs also enable an organization to provide
documentation showing that it is in compliance with laws and regulatory
requirements.

Physical Protection of servers

Power
A critical issue in protecting information systems is electrical power systems and
power considerations. A continuous supply of electrical power is critical in
today's massive server and data storage facilities. Here are some general rules in
building effective electrical supply systems:

Data centers should be on a different power supply from the rest of the building
Redundant power sources: two or more feeds coming from two or more electrical
substations
Power conditioning
Backup power systems are often required
UPS should be available to gracefully shutdown systems
An organization must protect itself from several issues when designing its
electrical power supply systems.

Power Excess

Spike: momentary high voltage

Surge: prolonged high voltage

Power Loss

Fault: momentary loss of power

Blackout: complete loss of power

Power Degradation

Sag/dip: momentary low voltage

Brownout: prolonged low voltage
Inrush Current: initial surge of power

Heating, Ventilation, and Air Conditioning (HVAC)

HVAC systems are critical to the safety of people and information systems in the
organization's facilities. When designing modern IT facilities, these systems play
a very important role in the overall security. HVAC systems control the ambient
environment (temperature, humidity, airflow, and air filtering) and must be planned
for and operated along with other data center components such as computing
hardware, cabling, data storage, fire protection, physical security systems and
power. Almost all physical computer hardware devices come with environmental
requirements that include acceptable temperature and humidity ranges. Environmental
requirements appear in a product specifications document or in a physical planning
guide. It is critical to maintain these environmental requirements to prevent
system failures and extend the life of IT systems. Commercial HVAC systems and
other building management systems now connect to the Internet for remote monitoring
and control. Recent events have shown such systems (often called "smart systems")
also raise big security implications.

One of the risks associated with smart systems is that the individuals who access
and manage the system work for a contractor or a third-party vendor. Because HVAC
technicians need to be able to find information quickly, crucial data tends to be
stored in many different places, making it accessible to even more people. Such a
situation allows a wide network of individuals, including even associates of
contractors, to gain access to the credentials for an HVAC system. The interruption
of these systems can pose considerable risk to the organization's information
security.

Hardware Monitoring
Hardware monitoring is often found in large server farms. A server farm is a
facility that houses hundreds or thousands of servers for companies. Google has
many server farms around the world to provide optimal services. Even smaller
companies are building local server farms to house the growing number of servers
need to conduct business. Hardware monitoring systems are used to monitor the
health of these systems and to minimize server and application downtime. Modern
hardware monitoring systems use USB and network ports to transmit the condition of
CPU temperature, power supply status, fan speed and temperature, memory status,
disk space and network card status. Hardware monitoring systems enable a technician
to monitor hundreds or thousands of systems from a single terminal. As the number
of server farms continues to grow, hardware-monitoring systems have become an
essential security countermeasure.

Network Hardening Methods

Securing Network Devices

Operation Centers
The Network Operation Center (NOC)
that provide administrators with a
The NOC is ground zero for network
software distribution and updates,
management.
is one or more locations containing the tools
detailed status of the organization�s network.
troubleshooting, performance monitoring,
communications management, and device

The Security Operation Center (SOC) is a dedicated site that monitors, assesses,
and defends the organization�s information systems such as websites, applications,
databases, data centers, networks, servers, and user systems. A SOC is a team of
security analysts who detect, analyze, respond to, report on, and prevent
cybersecurity incidents.

Both of these entities use a hierarchical tier structure to handle events. The
first tier handles all events and escalates any event that it cannot handle to the
second tier. Tier 2 staff reviews the event in detail to try to resolve it. If they
cannot, they escalate the event to Tier 3, the subject matter experts.

To measure the overall effectiveness of an operation center, an organization will

conduct realistic drills and exercises. A tabletop simulation exercise is a
structured walk-through by a team to simulate an event and evaluate the center�s
effectiveness. A more effective measure is to simulate a full-fledged intrusion
with no warning. This involves using a Red Team, an independent group of
individuals who challenges processes within an organization, to evaluate the
organization�s effectiveness. For example, the Red Team should attack a critical
mission system and include reconnaissance and attack, privilege escalation, and
remote access.

Switches, Routers, and Network Appliances

Network devices ship with either no passwords or default passwords. Change the
default passwords before connecting any device to the network. Document the changes
to network devices and log the changes. Lastly, examine all configuration logs.

The following sections discuss several measures that an administrator can take to
protect various network devices.

Switches
Network switches are the heart of the modern data communication network. The main
threat to network switches are theft, hacking and remote access, attacks against
network protocols like ARP/STP or attacks against performance and availability.
Several countermeasures and controls can protect network switches including
improved physical security, advanced configuration, and implementing proper system
updates and patches as needed. Another effective control is the implementation of
port security. An administrator should secure all switch ports (interfaces) before
deploying the switch for production use. One way to secure ports is by implementing
a feature called port security. Port security limits the number of valid MAC
addresses allowed on a port. The switch allows access to devices with legitimate
MAC addresses while it denies other MAC addresses.

VLANs
VLANs provide a way to group devices within a LAN and on individual switches. VLANs
use logical connections instead of physical connections. Individual ports of a
switch can be assigned to a specific VLAN. Other ports can be used to physically
interconnect switches and allow multiple VLAN traffic between switches. These ports
are called trunks.

For example, the HR department may need to protect sensitive data. VLANs allow an
administrator to segment networks based on factors such as function, project team,
or application, without regard for the physical location of the user or device.
Devices within a VLAN act as if they are in their own independent network, even if
they share a common infrastructure with other VLANs. A VLAN can separate groups
that have sensitive data from the rest of the network, decreasing the chances of
confidential information breaches. Trunks allow individuals on the HR VLAN to be
physically connected to multiple switches.

There are many different types of VLAN vulnerabilities and attacks. These can
include attacking the VLAN and Trucking protocols. These attack details are beyond
the scope of this course. Hackers can also attack VLAN performance and
availability. Common countermeasures include monitoring VLAN changes and
performance, advanced configurations and regular system patching and updates to the
IOS.

Firewalls

Firewalls are hardware or software solutions that enforce network security

policies. A firewall filters unauthorized or potentially dangerous traffic from
entering the network. A simple firewall provides basic traffic filtering
capabilities using access control lists (ACLs). Administrators use ACLs to stop
traffic or permit only specified traffic on their networks. An ACL is a sequential
list of permit or deny statements that apply to addresses or protocols. ACLs
provide a powerful way to control traffic into and out of a network. Firewalls keep
attacks out of a private network and are a common target of hackers in order to
defeat the firewall protections. The main threat to firewalls are theft, hacking
and remote access, attacks against ACLs or attacks against performance and
availability. Several countermeasures and controls can protect firewalls including
improved physical security, advanced configuration, secure remote access and
authentication, and proper system updates and patches as needed.

Routers

Routers form the backbone of the Internet and communications between different
networks. Routers communicate with one another to identify the best possible path
to deliver traffic to different networks. Routers use routing protocols to make
routing decision. Routers can also integrate other services like switching and
firewall capabilities. These operations make routers prime targets. The main threat
to network routers are theft, hacking and remote access, attacks against routing
protocols like RIP/OSPF or attacks against performance and availability. Several
countermeasures and controls can protect network routers including improved
physical security, advanced configuration settings, use of secure routing protocols
with authentication, and proper system updates and patches as needed.

Wireless and Mobile Devices

Wireless and mobile devices have become the predominant type of devices on most
modern networks. They provide mobility and convenience but pose a host of
vulnerabilities. These vulnerabilities include theft, hacking and unauthorized
remote access, sniffing, man-in-the-middle attacks, and attacks against performance
and availability. The best way to secure a wireless network is to use
authentication and encryption. The original wireless standard, 801.11, introduced
two types of authentication as shown in the figure:

Open system authentication - Any wireless device can connect to the wireless
network. Use this method in situations where security is of no concern.

Shared key authentication - Provides mechanisms to authenticate and encrypt data

between a wireless client and AP or wireless router.
The three shared key authentication techniques for WLANs are as follows:

Wired Equivalent Privacy (WEP) - This was the original 802.11 specification
securing WLANs. However, the encryption key never changes when exchanging packets,
making it easy to hack.
Wi-Fi Protected Access (WPA) - This standard uses WEP, but secures the data with
the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm. TKIP
changes the key for each packet, making it much more difficult to hack.
IEEE 802.11i/WPA2 - IEEE 802.11i is now the industry standard for securing WLANs.
802.11i and WPA2 both use the Advanced Encryption Standard (AES) for encryption,
which is currently the strongest encryption protocol.
Since 2006, any device that bears the Wi-Fi Certified logo is WPA2 certified.
Therefore, modern WLANs should always use the 802.11i/WPA2 standard. Other
countermeasure include improved physical security and regular system updates and
patching of devices.

Network and Routing Services

Cyber criminals use vulnerable network services to attack a device or to use it as
part of the attack. To check for insecure network services, review a device for
open ports using a port scanner. A port scanner is an application that probes a
device for open ports by sending a message to each port and waiting for a response.
The response indicates how the port is used. Cyber criminals will also use port
scanners for the same reason. Securing network services ensures that only necessary
ports are exposed and available.

Dynamic Host Control Protocol (DHCP)

DHCP uses a server to assign an IP address and other configuration information

automatically to network devices. In effect, the device is getting a permission
slip from the DHCP server to use the network. Attackers can target DHCP servers in
order to deny access to devices on the network. Figure 1 provides a security
checklist for DHCP.

Domain Name System (DNS)

DNS resolves a Uniform Resource Locator URL or website address

(http://www.cisco.com) to the IP address of the site. When users type a web address
into the address bar they depend on DNS servers to resolve the actual IP address of
that destination. Attackers can target DNS servers in order to deny access to
network resources or redirect traffic to rogue websites. Click on Figure 2 to view
a security checklist for DNS. Use secure service and authentication between DNS
servers to protect them from these attacks.

Internet Control Messaging Protocol (ICMP)

Network devices use ICMP to send error messages like a requested service is not
available or that the host could not reach the router. The ping command is a
network utility that uses ICMP to test the reachability of a host on a network.
Ping sends ICMP messages to the host and waits for a reply. Cyber criminals can
alter the use of ICMP for the evil purposes listed in Figure 3. Denial-of-Service
attacks use ICMP, so many networks filter certain ICMP requests to prevent such
attacks.

Routing Information Protocol (RIP)

RIP limits the number of hops allowed in a path on a network from the source device
to the destination. The maximum number of hops allowed for RIP is fifteen. RIP is a
routing protocol used to exchange routing information about which networks each
router can reach and how far away those networks are. RIP calculates the best route
based on hop count. Figure 4 lists RIP vulnerabilities and defenses against RIP
attack. Hackers can target routers and the RIP protocol. Attacks on routing
services can effect performance and availability. Some attacks can even result in
traffic redirection. Use secure services with authentication and implement system
patching and updates to protect routing services such as RIP.

Network Time Protocol (NTP)

Having the correct time within networks is important. Correct time stamps
accurately track network events such as security violations. Additionally, clock
synchronization is critical for the correct interpretation of events within syslog
data files as well as for digital certificates.

Network Time Protocol (NTP) is a protocol that synchronizes the clocks of computer
systems over data networks. NTP allows network devices to synchronize their time
settings with an NTP server. Figure 5 lists the various methods used to provide
secure clocking for the network. Cyber criminals attack timeservers to disrupt
secure communication that depends on digital certificates and to hide attack
information like accurate time stamps.

Voice and Video Equipment

VoIP Equipment
Voice over IP (VoIP) uses networks such as the Internet to make and receive phone
calls. The equipment required for VoIP includes an Internet connection plus a
phone. Several options are available for the phone set:

A traditional phone with an adapter (the adapter acts as a hardware interface

between a traditional, analog phone and a digital VoIP line)
A VoIP-enabled phone
VoIP software installed on a computer
Most consumer VoIP services use the Internet for phone calls. Many organizations,
though, use their private networks because they provide stronger security and
service quality. VoIP security is only as reliable as the underlying network
security. Cyber criminals target these systems in order to gain access to free
phone services, eavesdrop on phone calls, or to affect performance and
availability.

Implement the following countermeasures to secure VoIP:

Encrypt voice message packets to protect against eavesdropping.

Use SSH to protect gateways and switches.
Change all default passwords.
Use an intrusion detection system to detect attacks such as ARP poisoning.
Use strong authentication to mitigate registration spoofing (cyber criminals route
all incoming calls for the victim to them), proxy impersonating (tricks the victim
into communicating with a rogue proxy set up by the cyber criminals), and call
hijacking (the call is intercepted and rerouted to a different path before reaching
the destination).
Implement firewalls that recognize VoIP to monitor streams and filter abnormal
signals.
When the network goes down, voice communications will also go down.

Cameras
An Internet camera sends and receives data over a LAN and/or the Internet. A user
can remotely view live video using a web browser on a wide range of devices
including computer systems, laptops, tablets, and smartphones.

Cameras come in various forms including the traditional security camera. Other
options include Internet cameras discreetly hidden in clock radios, books, or DVD
players.

Internet cameras transmit digital video over a data connection. The camera connects
directly to the network and has everything required for transferring the images
over the network. The figure lists best practices for camera systems.

Videoconferencing Equipment
Videoconferencing allows two or more locations to communicate simultaneously using
telecommunication technologies. These technologies take advantage of the new high
definition video standards. Products like Cisco TelePresence enable a group of
people in one location to conference with a group of people from other locations in
real time. Videoconferencing is now part of normal day-to-day operations in
industries like the medical field. Doctors can review patient symptoms and consult
with experts to identify potential treatments.

Many local pharmacies employ physician assistants that can link live to doctors
using videoconferencing to schedule visits or emergency responses. Many
manufacturing organizations are using teleconferencing to help engineers and
technicians perform complex operations or maintenance tasks. Videoconferencing
equipment can be extremely expensive and are high value targets for thieves and
cyber criminals. Cyber criminals target these systems in order to eavesdrop on
video calls or to affect performance and availability.

Network and IoT Sensors

One of the fastest sectors of information technology is the use of intelligent
devices and sensors. The computer industry brands this sector as the Internet of
Things (IoT). Businesses and consumers use IoT devices to automate processes,
monitor environmental conditions, and alert the user of adverse conditions. Most
IoT devices connect to a network via wireless technology and include cameras, door
locks, proximity sensors, lights, and other types of sensors used to collect
information about an environment or the status of a device. Several appliance
manufacturers use IoT to inform users that parts need replacement, components are
failing, or supplies are running out.

Businesses use these devices to track inventory, vehicles, and personnel. IoT
devices contain geospatial sensors. A user can globally locate, monitor, and
control environmental variables such as temperature, humidity, and lighting. The
IoT industry poses a tremendous challenge to information security professionals
because many IoT devices capture and transmit sensitive information. Cyber
criminals target these systems in order to intercept data or to affect performance
and availability.

Physical Security

Physical Access Control

Fencing and Barricades

Physical barriers are the first thing that comes to mind when thinking about
physical security. This is the outermost layer of security, and these solutions are
the most publicly visible. A perimeter security system typically consists of the
following components:

Perimeter fence system

Security gate system
Bollards (a short post used to protect from vehicle intrusions
Vehicle entry barriers
Guard shelters
A fence is a barrier that encloses secure areas and designates property boundaries.
All barriers should meet specific design requirements and fabric specifications.
High-security areas often require a "top guard" such as barbed wire or concertina
wire. When designing the perimeter, fencing systems use the following rules:

1 meter (3-4 ft.) will only deter casual trespassers

2 meters (6-7 ft.) are too high to climb by casual trespassers
2.5 meters (8 ft.) will offer limited delay to a determined intruder
Top guards provide an added deterrent and can delay the intruder by severely
cutting the intruder; however, attackers can use a blanket or mattress to alleviate
this threat. Local regulations may restrict the type of fencing system an
organization can use.

Fences require regular maintenance. Animals may burrow under the fence or the earth
may wash out leaving the fence unstable providing easy access for an intruder.
Inspect fencing systems regularly. Do not park any vehicles near fences. A parked
vehicle near the fence can assist the intruder climbing over or damaging the fence.

Biometrics
Biometrics describes the automated methods of recognizing an individual based on a
physiological or behavioral characteristic. Biometric authentication systems
include measurements of the face, fingerprint, hand geometry, iris, retina,
signature, and voice. Biometric technologies can be the foundation of highly secure
identification and personal verification solutions. The popularity and use of
biometric systems has increased because of the increased number of security
breaches and transaction fraud. Biometrics provides confidential financial
transactions and personal data privacy. For example, Apple uses fingerprint
technology with its smartphones. The user�s fingerprint unlocks the device and
accesses various apps such as online banking or payment apps.
When comparing biometric systems there are several important factors to consider
including accuracy, speed or throughput rate, acceptability to users, uniqueness of
the biometric organ and action, resistance to counterfeiting, reliability, data
storage requirements, enrollment time, and intrusiveness of the scan. The most
important factor is accuracy. Accuracy is expressed in error types and rates.

The first error rate is Type I Errors or false rejections. A Type I Error rejects a
person that registers and is an authorized user. In access control, if the
requirement is to keep the bad guys out, false rejection is the least important
error. However, in many biometric applications, false rejections can have a very
negative impact on business. For example, bank or retail store needs to
authenticate customer identity and account balance. False rejection means that the
transaction or sale is lost, and the customer becomes upset. Most bankers and
retailers are willing to allow a few false accepts as long as there are minimal
false rejects.

The acceptance rate is stated as a percentage and is the rate at which a system
accepts unenrolled individuals or imposters as authentic users. False acceptance is
a Type II error. Type II errors allow the bad guys in so they are normally
considered to be the most important error for a biometric access control system.

The most widely used method to measure the accuracy of biometric authentication is
the Crossover Error Rate (CER). The CER is the rate where false rejection rate and
the false acceptance rate are equal.

Badges and Access Logs

An access badge allows an individual to gain access to an area with automated entry
points. An entry point can be a door, a turnstile, a gate, or other barrier. Access
badges use various technologies such as a magnetic stripe, barcode, or biometrics.

A card reader reads a number contained on the access badge. The system sends the
number to a computer that makes access control decisions based on the credential
provided. The system logs the transaction for later retrieval. Reports reveal who
entered what entry points at what time.

Surveillance

Guards and Escorts

All physical access controls including deterrent and detection systems ultimately
rely on personnel to intervene and stop the actual attack or intrusion. In highly
secure information system facilities, guards control access to the organization�s
sensitive areas. The benefit of using guards is that they can adapt more than
automated systems. Guards can learn and distinguish many different conditions and
situations and make decisions on the spot. Security guards are the best solution
for access control when the situation requires an instantaneous and appropriate
response. However, guards are not always the best solution. There are numerous
disadvantages to using security guards including cost and the ability to monitor
and record high volume traffic. The use of guards also introduces human error to
the mix.

Video and Electronic Surveillance

Video and electronic surveillance supplement or in some cases, replace security
guards. The benefit of video and electronic surveillance is the ability to monitor
areas even when no guards or personnel are present, the ability to record and log
surveillance videos and data for long periods, and the ability to incorporate
motion detection and notification.
Video and electronic surveillance can also be more accurate in capturing events
even after they occur. Another major advantage is that video and electronic
surveillance provide points of view not easily achieved with guards. It can also be
far more economical to use cameras to monitor the entire perimeter of a facility.
In a highly secure environment, an organization should place video and electronic
surveillance at all entrances, exits, loading bays, stairwells and refuse
collection areas. In most cases, video and electronic surveillance supplement
security guards.

RFID and Wireless Surveillance

Managing and locating important information system assets are a key challenge for
most organizations. Growth in the number of mobile devices and IoT devices has made
this job even more difficult. Time spent searching for critical equipment can lead
to expensive delays or downtime. The use of Radio Frequency Identification (RFID)
asset tags can be of great value to the security staff. An organization can place
RFID readers in the door frames of secure areas so that they are not visible to
individuals.

The benefit of RFID asset tags is that they can track any asset that physically
leaves a secure area. New RFID asset tag systems can read multiple tags
simultaneously. RFID systems do not require line-of-sight to scan tags. Another
advantage of RFID is the ability to read tags that are not visible. Unlike barcodes
and human readable tags that must be physically located and viewable to read, RFID
tags do not need to be visible to scan. For example, tagging a PC up under a desk
would require personnel to crawl under the desk to physically locate and view the
tag when using a manual or barcode process. Using an RFID tag would allow personnel
to scan the tag without even seeing it.

This chapter discussed the technologies, processes and procedures that

cybersecurity professionals use to defend the systems, devices, and data that make
up the network infrastructure.

Host hardening includes securing the operating system, implementing an antivirus

solutions, and using host-based solutions such as firewalls and intrusion detection
systems.

Server hardening includes managing remote access, securing privileged accounts, and
monitoring services.

Data protection includes file access control and implementing security measures to
ensure the confidentiality, integrity, and availability of data.

Device hardening also involves implementing proven methods of physically securing

network devices. Protecting your cybersecurity domain is an on-going process to
secure an organization�s network infrastructure and requires constant vigilance
when monitoring threats.

Becoming a Cybersecurity Specialist

The advancement of technology provided a number of devices used in society on a
daily basis that interconnects the world. This increased connectivity, though,
results in increased risk of theft, fraud, and abuse throughout the technology
infrastructure. This chapter categorizes the information technology infrastructure
into seven domains. Each domain requires the proper security controls to meet the
requirements of the CIA triad.

The chapter discusses the laws that affect technology and cybersecurity
requirements. Many of these laws focus on different types of data found in various
industries and contain privacy and information security concepts. Several agencies
within the U.S. government regulate an organization�s compliance with these types
of laws. The cybersecurity specialist needs to understand how the law and the
organization�s interests help to guide ethical decisions. Cyber ethics looks at the
effect of the use of computers and technology on individuals and society.

Organizations employ cybersecurity specialists in many different positions, such as

penetration testers, security analysts, and other network security professionals.
Cybersecurity specialists help protect personal data and the ability to use network
based services. The chapter discusses the pathway to becoming a cybersecurity
specialist. Finally, this chapter discusses several tools available to
cybersecurity specialists.

Cybersecurity Domains

User Domains
Common User Threats and Vulnerabilities
The User Domain includes the users who access the organization�s information
system. Users can be employees, customers, business contractors and other
individuals that need access to data. Users are often the weakest link in the
information security systems and pose a significant threat to the confidentiality,
integrity, and availability of the organization�s data.

Risky or poor user practices often undermine even the best security system. The
following are common user threats found in many organizations:

No awareness of security � users must be aware of sensitive data, security policies

and procedures, technologies and countermeasures provided to protect information
and information systems.
Poorly enforced security policies � all users must be aware of security policies
and consequences of not complying with the organization�s policies.
Data theft � data theft by users can cost organizations financially resulting in
damage to an organization�s reputation or posing a legal liability associated with
disclosure of sensitive information.
Unauthorized downloads � many network and workstation infections and attacks trace
back to users who download unauthorized emails, photos, music, games, apps,
programs and videos to workstations, networks, or storage devices.
Unauthorized media � the use of unauthorized media like CDs, USB drives and network
storage devices can result in malware infections and attacks.
Unauthorized VPNs � VPNs can hide the theft of unauthorized information. The
encryption normally used to protect confidentiality blinds the IT security staff to
data transmission without proper authority.
Unauthorized websites � accessing unauthorized websites can pose a risk to the
user�s data, devices and the organization. Many websites prompt the visitors to
download scripts or plugins that contain malicious code or adware. Some of these
sites can take over devices like cameras and applications.
Destruction of systems, applications, or data � accidental or deliberate
destruction or sabotage of systems, application and data pose a great risk to all
organizations. Activists, disgruntled employees and industry competitors can delete
data, destroy devices or misconfigure devices to make data and information systems
unavailable.
No technical solution, controls or countermeasures make information systems any
more secure than the behaviors and processes of the people who use these systems.

Managing User Threats

Organizations can implement various measures to manage user threats:

Conduct security awareness training by displaying security awareness posters,

inserting reminders in banner greetings, and sending email reminders to employees.
Educate users annually on policies, staff manuals, and handbook updates.
Tie security awareness to performance review objectives.
Enable content filtering and antivirus scanning for email attachments.
Use content filtering to permit or deny specific domain names in accordance with
Acceptable Use Policies (AUP).
Disable internal CD drives and USB ports.
Enable automatic antivirus scans for inserted media drives, files, and email
attachments.
Restrict access for users to only those systems, applications, and data needed to
perform their job.
Minimize write/delete permissions to the data owner only.
Track and monitor abnormal employee behavior, erratic job performance, and use of
IT infrastructure during off-hours.
Implement access control lockout procedures based on AUP monitoring and compliance.
Enable intrusion detection system/intrusion prevention system (IDS/IPS) monitoring
for sensitive employee positions and access.
The table shown in the figure matches up user domain threats with the
countermeasures used to manage it.

Common Threats to Devices

A device is any desktop computer, laptop, tablet, or smartphone that connects to
the network.

The following pose a threat to devices:

Unattended workstations � workstations left powered on and unattended pose a risk

of unauthorized access to network resources
User downloads � downloaded files, photos, music, or videos can be a vehicle for
malicious code
Unpatched software � software security vulnerabilities provide weaknesses that
cyber criminals can exploit
Malware � new viruses, worms, and other malicious code come to light on a daily
basis

Managing Device Threats

Organizations can implement various measures to manage threats to devices:

Establish policies for password protection and lockout thresholds on all devices.
Enable screen lockout during times of inactivity.
Disable administrative rights for users.
Define access control policies, standards, procedures, and guidelines.
Update and patch all operating systems and software applications.
Implement automated antivirus solutions that scan the system and update the
antivirus software to provide proper protection.
Deactivate all CD, DVD, and USB ports.
Enable automatic antivirus scans for any CD�s, DVD�s, or USB drives inserted.
Use content filtering.
Mandate annual security awareness training or implement security awareness
campaigns and programs that run throughout the year.

Common Threats to the LAN

The local area network (LAN) is a collection of devices interconnected using cables
or airwaves. The LAN Domain requires strong security and access controls since
users can access the organization�s systems, applications, and data from the LAN
domain.

The following pose a threat to the LAN:

Unauthorized LAN access � wiring closets, data centers, and computer room must
remain secure
Unauthorized access to systems, applications, and data
Network operating system software vulnerabilities
Network operating system updates
Unauthorized access by rogue users on wireless networks
Exploits of data in-transit
LAN servers with different hardware or operating systems � managing and
troubleshooting servers becomes more difficult with varied configurations
Unauthorized network probing and port scanning
Misconfigured firewall

Managing Threats to the LAN

Organizations can implement various measures to manage threats to the local area
network:

Secure wiring closets, data centers, and computer rooms. Deny access to anyone
without the proper credentials.
Define strict access control policies, standards, procedures, and guidelines.
Restrict access privileges for specific folders and files based on need.
Require passphrases or authentication for wireless networks.
Implement encryption between devices and wireless networks to maintain
confidentiality.
Implement LAN server configuration standards.
Conduct post-configuration penetration tests.
Disable ping and port scanning.

Common Threats to the Private Cloud (WAN)

The Private Cloud Domain includes private servers, resources, and IT infrastructure
available to members of an organization via the Internet.

The following pose a threat to the private cloud:

Unauthorized network probing and port scanning

Unauthorized access to resources
Router, firewall, or network device operating system software vulnerability
Router, firewall, or network device configuration error
Remote users accessing the organization�s infrastructure and downloading sensitive
data

Managing Threats to the Private Cloud

Organizations can implement various measures to manage threats to the private
cloud:

Disable ping, probing, and port scanning.

Implement intrusion detection and prevention systems.
Monitor inbound IP traffic anomalies.
Update devices with security fixes and patches.
Conduct penetration tests post configuration.
Test inbound and outbound traffic.
Implement a data classification standard.
Implement file transfer monitoring and scanning for unknown file type.
Common Threats to the Public Cloud
The Public Cloud Domain includes services hosted by a cloud provider, service
provider, or Internet provider. Cloud providers do implement security controls to
protect the cloud environment, but organizations are responsible for protecting
their resources on the cloud. Three different service models exist from which an
organization may choose:

Software as a service (SaaS) � a subscription-based model that provides access to

software that is centrally hosted and accessed by users via a web browser.
Platform as a service (PaaS) � provides a platform that allows an organization to
develop, run, and manage its applications on the service�s hardware using tools
that the service provides.
Infrastructure as a service (IaaS) � provides virtualized computing resources such
as hardware, software, servers, storage and other infrastructure components over
the Internet.
The following pose a threat to the public cloud:

Data breaches
Loss or theft of intellectual property
Compromised credentials
Federated identity repositories are a high-value target
Account hijacking
Lack of understanding on the part of the organization
Social engineering attacks that lure the victim
Compliance violation

Managing Threats to the Public Cloud

Organizations can implement various measures to manage threats to the physical
facilities:

Multifactor authentication
Use of encryption
Implement one-time passwords, phone-based authentication, and smartcards
Distributing data and applications across multiple zones
Data backup procedures
Due diligence
Security awareness programs
Policies

Common Threats to Physical Facilities

The Physical Facilities Domain includes all of the services used by an organization
including HVAC, water, and fire detection. This domain also includes physical
security measures employed to safeguard the facility.

The following pose a threat to an organization�s facilities:

Natural threats including weather problems and geological hazards

Unauthorized access to the facilities
Power interruptions
Social engineering to learn about security procedures and office policies
Breach of electronic perimeter defenses
Theft
An open lobby that allows a visitor to walk straight through to the inside
facilities
An unlocked data center
Lack of surveillance

Managing Threats to Physical Facilities

Organizations can implement various measures to manage threats to the physical
facilities:

Implement access control and closed-circuit TV (CCTV) coverage at all entrances.

Establish policies and procedures for guests visiting the facility.
Test building security using both cyber and physical means to covertly gain access.
Implement badge encryption for entry access.
Develop a disaster recovery plan.
Develop a business continuity plan.
Conduct security awareness training regularly.
Implement an asset tagging system.

Common Threats to Applications

The Application Domain includes all of the critical systems, applications, and
data. Additionally, it includes the hardware and any logical design required.
Organizations are moving applications like email, security monitoring and database
management to the public cloud.

The following pose a threat to applications:

Unauthorized access to data centers, computer rooms, and wiring closets

Server downtime for maintenance purposes
Network operating system software vulnerability
Unauthorized access to systems
Data loss
Downtime of IT systems for an extended period
Client/server or web application development vulnerabilities

Managing Threats to Applications

Organizations can implement various measures to manage threats to the Application
Domain:

Implement policies, standards, and procedures for staff and visitors to ensure the
facilities are secure.
Conduct software testing prior to launch.
Implement data classification standards.
Develop a policy to address application software and operating system updates.
Implement backup procedures.
Develop a business continuity plan for critical applications to maintain
availability of operations.
Develop a disaster recovery plan for critical applications and data.
Implement logging.

Ethics anf Guiding Principles

Ethics of a Cybersecurity Specialist

Ethics is the little voice in the background guiding a cybersecurity specialist as
to what he should or should not do, regardless of whether it is legal. The
organization entrusts the cybersecurity specialist with the most sensitive data and
resources. The cybersecurity specialist needs to understand how the law and the
organization�s interests help to guide ethical decisions.

Cyber criminals that break into a system, steal credit card numbers, and release a
worm are performing unethical actions. How does an organization view the actions of
a cybersecurity specialist if they are similar? For example, a cybersecurity
specialist may have the opportunity to stop the spread of a worm preemptively by
patching it. In effect, the cybersecurity specialist is releasing a worm. This worm
is not malicious, though, so does this case get a pass?

The following ethical systems look at ethics from various perspectives.

Utilitarian Ethics

During the 19th century, Jeremy Benthan and John Stuart Mill created Utilitarian
Ethics. The guiding principle is that any actions that provide the greatest amount
of good over bad or evil are ethical choices.

The Rights Approach

The guiding principle for the Rights Approach is that individuals have the right to
make their own choices. This perspective looks at how an action affects the rights
of others to judge whether an action is right or wrong. These rights include the
right to truth, privacy, safety, and that society applies laws fairly to all
members of society.

The Common-Good Approach

The Common-Good Approach proposes that the common good is whatever benefits the
community. In this case, a cybersecurity specialist looks at how an action affects
the common good of society or the community.

No clear-cut answers provide obvious solutions to the ethical issues that

cybersecurity specialists face. The answer as to what is right or wrong can change
depending on the situation and the ethical perspective.

Computer Ethics Institute

The Computer Ethics Institute is a resource for identifying, assessing, and
responding to ethical issues throughout the information technology industry. CEI
was one of the first organizations to recognize the ethical and public policy
issues arising from the rapid growth of the information technology field. The
figure lists the Ten Commandments of Computer Ethics created by the Computer Ethics
Institute.

Cyber Laws and Liability

Cybercrime
Laws prohibit undesired behaviors. Unfortunately, the advancements in information
system technologies are much greater than the legal system of compromise and
lawmaking. A number of laws and regulations affect cyberspace. Several specific
laws guide the policies and procedures developed by an organization to ensure that
they are in compliance.

Cybercrime

A computer may be involved in a cybercrime in a couple of different ways. There is

computer-assisted crime, computer-targeted crime, and computer-incidental crime.
Child pornography is an example of computer-incidental crime�the computer is a
storage device and is not the actual tool used to commit the crime.

The growth in cybercrime is due to a number of different reasons. There are many
tools widely available on the Internet now, and potential users do not need a great
deal of expertise to use these tools.
Organizations Created to Fight Cybercrime

There are a number of agencies and organizations out there to aid the fight against
cybercrime.

Federal Bureau of Investigation Internet Crime Complaint Center (IC3)

IniraGard
National White Collar Crime Center(NW3C)
Bureau of Justice Assistance U.S. Department of Justice(BJA)

Civil, Criminal, and Regulatory Cyber Laws

In the United States, there are three primary sources of laws and regulations:
statutory law, administrative law, and common law. All three sources involve
computer security. The U.S. Congress established federal administrative agencies
and a regulatory framework that includes both civil and criminal penalties for
failing to follow the rules.

Criminal laws enforce a commonly accepted moral code backed by the authority of the
government. Regulations establish rules designed to address consequences in a
rapidly changing society enforcing penalties for violating those rules. For
example, the Computer Fraud and Abuse Act is a statutory law. Administratively, the
FCC and Federal Trade Commission have been concerned with issues such as
intellectual property theft and fraud. Finally, common law cases work their ways
through the judicial system providing precedents and constitutional bases for laws.

The Federal Information Security Management Act (FISMA)

Congress created FISMA in 2002 to change the U.S. government�s approach to

information security. As the largest creator and user of information, federal IT
systems are high value targets for cyber criminals. FISMA applies to federal
agencies� IT systems and stipulates that agencies create an information security
program that includes the following:

Risk assessments
Annual inventory of IT systems
Policies and procedures to reduce risk
Security awareness training
Testing and evaluation of all IT system controls
Incident response procedure
Continuity of operations plan

Industry-Specific Laws
Many industry specific laws have a security and/or a privacy component. The U.S.
government requires compliance from organizations within these industries.
Cybersecurity specialists must be able to translate the legal requirements into
security policies and practices.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act is a piece of legislation that mainly affects the

financial industry. A portion of that legislation, though, includes privacy
provisions for individuals. The provision provides for opt-out methods so that
individuals can control the use of information provided in a business transaction
with an organization that is part of the financial institution. The GLBA restricts
information sharing with third-party firms.
Sarbanes-Oxley Act (SOX)

Following several high-profile corporate accounting scandals in the U.S., congress

passed the Sarbanes-Oxley Act (SOX).The purpose of SOX was to overhaul financial
and corporate accounting standards and specifically targeted the standards of
publicly traded firms in the United States.

Payment Card Industry Data Security Standard (PCI DSS)

Private industry also recognizes how important uniform and enforceable standards
are. A Security Standards Council composed of the top corporations in the payment
card industry designed a private sector initiative to improve the confidentiality
of network communications.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual
rules governing how to protect credit card data as merchants and banks exchange the
transaction. The PCI DSS is a voluntary standard (in theory) and merchants/vendors
can choose whether they wish to abide by the standard. However, vendor
noncompliance may result in significantly higher transaction fees, fines up to
$500,000, and possibly even the loss of the ability to process credit cards.

Import/Export Encryption Restrictions

Since World War II, the United States has regulated the export of cryptography due
to national security considerations. The Bureau of Industry and Security in the
Department of Commerce now controls non-military cryptography exports. There are
still export restrictions to rogue states and terrorist organizations.

Countries may decide to restrict the import of cryptography technologies for the
following reasons:

The technology may contain a backdoor or security vulnerability.

Citizens can anonymously communicate and avoid any monitoring.
Cryptography may increase levels of privacy above an acceptable level.

Security Breach Notification Laws

Businesses are collecting ever-increasing amounts of personal information about
their customers, from account passwords and email addresses to highly sensitive
medical and financial information. Companies large and small recognize the value of
big data and data analytics. This encourages organizations to collect and store
information. Cyber criminals are always looking for ways to obtain such information
or access and exploit a company�s most sensitive, confidential data. Organizations
that collect sensitive data need to be good data custodians. In response to this
growth in data collection, several laws require organizations that collect personal
information to notify individuals if a breach of their personal data occurs. To see
a list of these laws click here.

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act (ECPA) addresses a myriad of legal

privacy issues that resulted from the increasing use of computers and other
technology specific to telecommunications. Sections of this law address email,
cellular communications, workplace privacy, and a host of other issues related to
communicating electronically.

Computer Fraud and Abuse Act (1986)

The Computer Fraud and Abuse Act (CFAA) has been in force for over 20 years. The
CFAA provides the foundation for U.S. laws criminalizing unauthorized access to
computer systems. The CFAA makes it a crime to knowingly access a computer
considered either a government computer or a computer used in interstate commerce,
without permission. The CFAA also criminalizes the use of a computer in a crime
that is interstate in nature.

The Act criminalizes trafficking in passwords or similar access information, and

the act makes it a crime to transmit a program, code, or a command knowingly that
results in damage.

Protecting Privacy
The following U.S. laws protect privacy.

Privacy Act of 1974

This act establishes a Code of Fair Information Practice that governs the
collection, maintenance, use, and dissemination of personally identifiable
information about individuals that is maintained in systems of records by federal
agencies.

Freedom of Information ACT (FOIA)

FOIA enables public access to U.S. government records. FOIA carries a presumption
of disclosure, so the burden is on the government as to why it cannot release the
information.

There are nine disclosure exemptions pertaining to FOIA.

National security and foreign policy information

Internal personnel rules and practices of an agency
Information specifically exempted by statute
Confidential business information
Inter- or intra-agency communication subject to deliberative process, litigation,
and other privileges
Information that, if disclosed, would constitute a clearly unwarranted invasion of
personal privacy
Law enforcement records that implicate one of a set of enumerated concerns
Agency information from financial institutions
Geological and geophysical information concerning wells

Family Education Records and Privacy Act (FERPA)

This Federal law gave students access to their education records. FERPA operates on
an opt-in basis, as the student must approve the disclosure of information prior to
the actual disclosure. When a student turns 18 years old or enters a postsecondary
institution at any age, these rights under FERPA transfer from the student�s
parents to the student.

U.S. Computer Fraud and Abuse Act (CFAA)

This amendment to the Comprehensive Crime Control Act of 1984 prohibits the
unauthorized access of a computer. The CFAA increased the scope of the previous Act
to cases of great federal interest. These cases are defined as involving computers
belonging to the federal government or some financial institutions or where the
crime is interstate in nature.

U.S. Children�s Online Privacy Protection Act (COPPA)

This federal law applies to the online collection of personal information by
persons or entities under U.S. jurisdiction from children under 13 years of age.
Before information can be collected and used from children (ages 13 and under),
parental permission needs to be obtained.

U.S. Children�s Internet Protection Act (CIPA)

The U.S. Congress passed CIPA in 2000 to protect children under the age of 17 from
exposure to offensive Internet content and obscene material.

Video Privacy Protection Act (VPPA)

The Video Privacy Protection Act protects an individual from having the video
tapes, DVD�s and games rented disclosed to another party. The statute provides the
protections by default, thus requiring a video rental company to obtain the
renter�s consent to opt out of the protections if the company wants to disclose
personal information about rentals. Many privacy advocates consider VPPA to be the
strongest U.S. privacy law.

Health Insurance Portability & Accountability Act

The standards mandate safeguards for physical storage, maintenance, transmission,

and access to individuals� health information. HIPAA mandates that organizations
that use electronic signatures have to meet standards ensuring information
integrity, signer authentication, and nonrepudiation.

California Senate Bill 1386 (SB 1386)

California was the first state to pass a law regarding the notification of the
unauthorized disclosure of personally identifiable information. Since then, many
other states have followed suit. Each of these disclosure notice laws is different,
making the case for a unifying federal statute compelling. This act requires that
the agencies provide consumers notice of their rights and responsibilities. It
mandates that the state notify citizens whenever PII is lost or disclosed. Since
the passage of SB 1386, numerous other states have modeled legislation on this
bill.

Privacy Policies

Policies are the best way to ensure compliance across an organization, and a
privacy policy plays an important role within the organization, especially with the
numerous laws enacted to protect privacy. One of the direct outcomes of the legal
statutes associated with privacy has been the development of a need for corporate
privacy policies associated with data collection.

Privacy Impact Assessment (PIA)

A privacy impact assessment ensures that personally identifiable information (PII)

is properly handled throughout an organization.

Establish PIA scope.

Identify key stakeholders.
Document all contact with PII.
Review legal and regulatory requirements.
Document potential issues found when comparing requirements and practices.
Review findings with key stakeholders.

International Laws
With the growth of the Internet and global network connections, unauthorized entry
into a computer system, or computer trespass, has emerged as a concern that can
have national and international consequences. National laws for computer trespass
exist in many countries, but there can always be gaps in how these nations handle
this type of crime.

Convention on Cybercrime

The Convention on Cybercrime is the first international treaty on Internet crimes

(EU, U.S., Canada, Japan, and others). Common policies handle cybercrime and
address the following: copyright infringement, computer-related fraud, child
pornography, and violations of network security.

Electronic Privacy Information Center (EPIC)

EPIC promotes privacy and open government laws and policies globally and focuses on
EU-US relations.

Cybersecurity Information Websites

National Vulnerability Database

The National Vulnerability Database (NVD) is a U.S. government repository of
standards-based vulnerability management data that uses the Security Content
Automation Protocol (SCAP). SCAP is a method for using specific standards to
automate vulnerability management, measurement, and policy compliance evaluation.

SCAP uses open standards to enumerate security software flaws and configuration
issues. The specifications organize and measure security-related information in
standardized ways. The SCAP community is a partnership between the private and
public sector to advance the standardization of technical security operations.

The NVD uses the Common Vulnerability Scoring System to assess the impact of
vulnerabilities. An organization can use the scores to rank the severity of
vulnerabilities that it finds within its network. This, in turn, can help determine
the mitigation strategy.

The site also contains a number of checklists that provide guidance on configuring
operating systems and applications to provide a hardened environment.

CERT
The Software Engineering Institute (SEI) at Carnegie Mellon University helps
government and industry organizations to develop, operate, and maintain software
systems that are innovative, affordable, and trustworthy. It is a Federally Funded
Research and Development Center sponsored by the U.S. Department of Defense.

The CERT Division of SEI studies and solves problems in the cybersecurity arena
including security vulnerabilities in software products, changes in networked
systems, and training to help improve cybersecurity. CERT provides the following
services:

Helps to resolve software vulnerabilities

Develops tools, products, and methods to conduct forensic examinations
Develops tools, products, and methods to analyze vulnerabilities
Develops tools, products, and methods to monitor large networks
Helps organizations determine how effective their security-related practices are
CERT has an extensive database of information about software vulnerabilities and
malicious code to help develop solutions and remediation strategies.
Internet Storm Center
The Internet Storm Center (ISC) provides a free analysis and warning service to
Internet users and organizations. It also works with Internet Service Providers to
combat malicious cyber criminals. The Internet Storm Center gathers millions of log
entries from intrusion detection systems every day using sensors covering 500,000
IP addresses in over 50 countries. The ISC identifies sites used for attacks and
provides data on the types of attacks launched against various industries and
regions of the world.

The website offers the following resources:

An InfoSec Diary Blog Archive

Podcasts which include the Daily Stormcasts, daily 5-10 minute information security
threat updates
InfoSec Job Postings
Information Security News
InfoSec Tools
InfoSec Reports
SANS ISC InfoSec Forums
The SANS Institute supports the Internet Storm Center. SANS is a trusted source for
information security training, certification, and research.

The Advanced Cyber Security Center

The Advanced Cyber Security Center (ACSC) is a non-profit organization that brings
together industry, academia, and government to address advanced cyber threats. The
organization shares information on cyber threats, engages in cybersecurity research
and development, and creates education programs to promote the cybersecurity
profession.

ACSC defined four challenges that will help shape its priorities:

Build resilient systems to recover from attacks and failures.

Enhance mobile security.
Develop real-time threat sharing.
Integrate cyber risks with enterprise risk frameworks.

Cybersecurity Weapons

Vulnerability Scanners
A vulnerability scanner assesses computers, computer systems, networks, or
applications for weaknesses. Vulnerability scanners help to automate security
auditing by scanning the network for security risks and producing a prioritized
list to address weaknesses. A vulnerability scanner looks for the following types
of vulnerabilities:

Use of default passwords or common passwords

Missing patches
Open ports
Misconfiguration of operating systems and software
Active IP addresses
When evaluating a vulnerability scanner, look at how it is rated for accuracy,
reliability, scalability, and reporting. There are two types of vulnerability
scanners to choose from�software-based or cloud-based.

Vulnerability scanning is critical for organizations with networks that include a

large number of network segments, routers, firewalls, servers, and other business
devices.

Penetration Testing
Penetration testing (pen testing) is a method of testing the areas of weaknesses in
systems by using various malicious techniques. Pen testing is not the same as
vulnerability testing. Vulnerability testing just identifies potential problems.
Pen testing involves a cybersecurity specialist that hacks a website, network, or
server with the organization�s permission to try to gain access to resources with
the knowledge of usernames, passwords, or other normal means. The important
differentiation between cyber criminals and cybersecurity specialists is that the
cybersecurity specialists have the permission of the organization to conduct the
tests.

One of the primary reasons that an organization uses pen testing is to find and fix
any vulnerability before the cyber criminals do. Penetration testing is also known
as ethical hacking.

Packet Analyzers
Packet analyzers (or packet sniffers) intercept
analyzer captures each packet, shows the values
and analyzes its content. A sniffer can capture
wireless networks. Packet analyzers perform the
and log network traffic. The packet
of various fields in the packet,
network traffic on both wired and
following functions:

Network problem analysis

Detection of network intrusion attempts
Isolation of exploited system
Traffic logging
Detection of network misuse

Security Tools
There is no one size fits all when it comes to the best security tools. A lot is
going to depend on the situation, circumstance, and personal preference. A
cybersecurity specialist must know where to go to get sound information.

Kali

Kali is an open source Linux security distribution. IT professionals use Kali Linux
to test the security of their networks. Kali Linux incorporates more than 300
penetration testing and security auditing programs on a Linux platform.

Network Situational Awareness

An organization needs the ability to monitor networks, analyze the resulting data,
and detect malicious activity.

Exploring the Cybersecurity Profession

Defining the Roles of Cybersecurity Professionals

The ISO standard defines the role of cybersecurity professionals. The ISO 27000
framework requires:

A senior manager responsible for IT and ISM (often the audit sponsor)
Information security professionals
Security administrators
Site/physical security manager and facilities contacts
HR contact for HR matters such as disciplinary action and training
Systems and network managers, security architects and other IT professionals
The types of information security positions can be broken down as follows:

Definers provide policies, guidelines, and standards and include consultants who do
risk assessment and develop the product and technical architectures and senior
level individuals within an organization who have a broad knowledge, but not a lot
of in-depth knowledge.
Builders are the real techies who create and install security solutions.
Monitors administer the security tools, perform the security monitoring function,
and improve the processes.

Job Search Tools

A variety of websites and mobile applications advertise information technology
jobs. Each site targets varying job applicants and provides different tools for
candidates researching their ideal job position. Many sites are job site
aggregators, a job search site that gathers listings from other job board and
company career sites and displays them in a single location.

Indeed.com

Advertised as the world's #1 job site, Indeed.com attracts over 180 million unique
visitors every month from over 50 different countries. Indeed is truly a worldwide
job site. Indeed helps companies of all sizes hire the best talent and offers the
best opportunity for job seekers.

CareerBuilder.com

CareerBuilder serves many large and prestigious companies. As a result, this site
attracts specific candidates that typically have more education and higher
credentials. The employers posting on CareerBuilder commonly get more candidates
with college degrees, advanced credentials and industry certifications.

USAJobs.gov

The federal government posts any openings on USAJobs.

This chapter categorizes the information technology infrastructure created by the

advancement of technology into seven domains. The successful cybersecurity
specialist should be aware of the proper security controls in each domain required
to meet the requirements of the CIA triad.

The chapter discussed the laws that affect technology and cybersecurity
requirements. Laws such as FISMA, GLBA, and FERPA focus on protecting
confidentiality. Laws that focus on the protection of integrity include FISMA, SOX,
and FERPA, and laws that concern availability includes FISMA, GLBA, SOX, and CIPA.
In addition to the laws in force, the cybersecurity specialist needs to understand
how the use of computers and technology affect both individuals and society.