Once a botnet is established, the attacker sends instructions to each bot from a
remote command-and-control server. When a target IP address is chosen, each bot
floods it with requests, exhausting the server's bandwidth or resources so that
legitimate users cannot be served. This is a distributed denial-of-service (DDoS)
attack.
However, if you are not experiencing a DDoS attack, and you just want to learn
about the top digital attacks from cybersecurity incidents around the world,
where would you look? You can try an internet service provider's (ISP's) statistics
or check out anti-DDoS providers, or you can see what's happening right now by
looking at digital attack maps.
To see how cybersecurity works globally, you can observe cyber-attacks and how
malicious packets interact between countries. We are going to share with you the
top cyber-attack maps that you can watch in order to visualize digital threat
incidents.
Many of the world's original hackers were computer hobbyists, programmers and
students during the 1960s. Originally, the term hacker described individuals with
advanced programming skills. Hackers used these programming skills to test the
limits and capabilities of early systems. These early hackers were also involved in
the development of early computer games. Many of these games included wizards and
wizardry.
As the hacking culture evolved, it incorporated the lexicon of these games into the
culture itself. Even the outside world began to project the image of powerful
wizards upon this misunderstood hacking culture. Books such as Where Wizards Stay
up Late: The Origins of The Internet published in 1996 added to the mystique of the
hacking culture. The image and lexicon stuck. Many hacking groups today embrace
this imagery. One of the most infamous hacker groups goes by the name Legion of
Doom. It is important to understand the cyber culture in order to understand the
criminals of the cyber world and their motivations.
Sun Tzu was a Chinese philosopher and warrior in the sixth century BC. Sun Tzu
wrote the book titled, The Art of War, which is a classic work about the strategies
available to defeat the enemy. His book has given guidance to tacticians throughout
the ages. One of Sun Tzu's guiding principles was to know your opponent. While he
was specifically referring to war, much of his advice translates to other aspects
of life, including the challenges of cybersecurity. This chapter begins by
explaining the structure of the cybersecurity world and the reason it continues to
grow.
This chapter discusses the role of cyber criminals and their motivations. Finally,
the chapter explains how to become a cybersecurity specialist. These cybersecurity
specialists help defeat the cyber criminals that threaten the cyber world.
The word 'domain' has many meanings. Wherever there is control, authority, or
protection, you might consider that 'area' to be a domain. Think of how a wild
animal will protect its own declared domain. In this course, consider a domain to
be an area to be protected. It may be limited by a logical or physical boundary,
depending on the size of the system involved. In many respects, cybersecurity
experts have to protect their domains according to the laws of their own country.
Facebook is another powerful domain within the broader Internet. The experts at
Facebook recognized that people create personal accounts every day to communicate
with family and friends. In doing so, you are volunteering a great deal of personal
data. These Facebook experts built a massive data domain to enable people to
connect in ways that were unimaginable in the past. Facebook affects millions of
lives on a daily basis and empowers companies and organizations to communicate with
people in a more personal and focused manner.
LinkedIn is yet another data domain on the Internet. The experts at LinkedIn
recognized that their members would share information in the pursuit of building a
professional network. LinkedIn users upload this information to create online
profiles and connect with other members. LinkedIn connects employees with employers
and companies to other companies worldwide. There are broad similarities between
LinkedIn and Facebook.
A look inside these domains reveals how they are constructed. At a fundamental
level, these domains are strong because of the ability to collect user data
contributed by the users themselves. This data often includes users' backgrounds,
discussions, likes, locations, travels, interests, friends and family members,
professions, hobbies, and work and personal schedules. Experts create great value
for organizations interested in using this data to better understand and
communicate with their customers and employees.
New technologies, such as Geospatial Information Systems (GIS) and the Internet of
Things (IoT), have emerged. These new technologies can track the health of trees in
a neighborhood. They can provide up-to-date locations of vehicles, devices,
individuals and materials. This type of information can save energy, improve
efficiencies, and reduce safety risks. Each of these technologies will also result
in exponentially expanding the amount of data collected, analyzed and used to
understand the world. The data collected by GIS and IoT poses a tremendous
challenge for cybersecurity professionals in the future. The type of data generated
by these devices has the potential to enable cyber criminals to gain access to very
intimate aspects of daily life.
Amateurs
Amateurs, or script kiddies, have little or no skill, often using existing tools or
instructions found on the Internet to launch attacks. Some are just curious, while
others try to demonstrate their skills and cause harm. They may be using basic
tools, but the results can still be devastating.
Hackers
This group of criminals breaks into computers or networks to gain access for
various reasons. The intent of the break-in determines the classification of these
attackers as white, gray, or black hats. White hat attackers break into networks or
computer systems to discover weaknesses in order to improve the security of these
systems. The owners of the system give permission to perform the break-in, and they
receive the results of the test. On the other hand, black hat attackers take
advantage of any vulnerability for illegal personal, financial or political gain.
Gray hat attackers are somewhere between white and black hat attackers. The gray
hat attackers may find a vulnerability and report it to the owners of the system if
that action coincides with their agenda. Some gray hat hackers publish the facts
about the vulnerability on the Internet, so that other attackers can exploit it.
Organized Hackers
The skill level required for an effective cybersecurity specialist and the shortage
of qualified cybersecurity professionals translates to higher earning potential.
Information technology is constantly changing. This is also true for cybersecurity.
The highly dynamic nature of the cybersecurity field can be challenging and
fascinating.
A cybersecurity specialist's career is also highly portable. Jobs exist in almost
every geographic location.
Cybersecurity specialists provide a necessary service to their organizations,
countries, and societies, very much like law enforcement or emergency responders.
Becoming a cybersecurity specialist is a rewarding career opportunity.
A threat is the possibility that a harmful event, such as an attack, will occur.
A vulnerability is a weakness that makes a target susceptible to an attack.
For example, data in the wrong hands can result in a loss of privacy for the
owners, can affect their credit, or jeopardize their career or personal
relationships. Identity theft is big business. However, it is not necessarily the
Googles and Facebooks that pose the greatest risk. Schools, hospitals, financial
institutions, government agencies, the workplace and e-commerce pose even greater
risks. Organizations like Google and Facebook have the resources to hire top
cybersecurity talent to protect their domains. As more organizations build large
databases containing all of our personal data, the need for cybersecurity
professionals increases. This leaves smaller businesses and organizations competing
for the remaining pool of cybersecurity professionals. Cyber threats are
particularly dangerous to certain industries and the records they must maintain.
Medical Records
Medical devices, such as fitness bands, use the cloud platform to enable wireless
transfer, storage and display of clinical data like heart rates, blood pressures
and blood sugars. These devices can generate an enormous amount of clinical data
that can become part of a medical record.
Education Records
Criminals use packet-sniffing tools to capture data streams over a network. This
means that all sensitive data, like usernames, passwords and credit card numbers,
are at risk. Packet sniffers work by monitoring and recording all information
coming across a network. Criminals can also use rogue devices, such as unsecured
Wi-Fi access points. If the criminal sets this up near a public place, such as a
coffee shop, unsuspecting individuals may sign on and the packet sniffer copies
their personal information.
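To make the sniffing risk concrete, here is an added example (not code from the original page or from Cisco) of what a sniffer actually does with a captured frame: it parses the Ethernet, IPv4 and TCP headers and then searches the application payload for cleartext credentials. The three frames, the host names and the credentials are constructed for the demonstration; the frame builder leaves checksums at zero because nothing is sent on the wire.

```python
import base64
import re
import socket
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct an Ethernet/IPv4/TCP frame carrying `payload` (sample data only;
    checksums are left at zero because the frame is never transmitted)."""
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + 20 + len(payload), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return addresses, ports and application payload, or None for non-TCP/IPv4 traffic."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4         # TCP header length in bytes
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "sport": src_port,
        "dport": dst_port,
        "payload": tcp[data_offset:],
    }


BASIC_AUTH = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")
FORM_FIELD = re.compile(rb"(?:^|&)(username|password)=([^&\r\n]+)")


def extract_credentials(payload):
    """Pull cleartext credentials out of an HTTP request header or form body."""
    found = {}
    m = BASIC_AUTH.search(payload)
    if m:
        user, _, password = base64.b64decode(m.group(1)).partition(b":")
        found["basic"] = (user.decode(), password.decode())
    body = payload.split(b"\r\n\r\n", 1)[-1]
    for name, value in FORM_FIELD.findall(body):
        found.setdefault("form", {})[name.decode()] = value.decode()
    return found


def sniff(frames):
    """The sniffer loop: inspect every frame, harvest whatever credentials are visible."""
    hits = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        creds = extract_credentials(pkt["payload"])
        if creds:
            hits.append((pkt["src"], pkt["dst"], pkt["dport"], creds))
    return hits


# Constructed sample traffic: two cleartext HTTP logins and one TLS ClientHello.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.10", 40000, 80,
                b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n"),
    build_frame("10.0.0.7", "10.0.0.10", 40001, 80,
                b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"username=bob&password=s3cret"),
    # TLS record header plus the start of a ClientHello: opaque to the sniffer.
    build_frame("10.0.0.9", "10.0.0.10", 40002, 443,
                b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
]

if __name__ == "__main__":
    for src, dst, port, creds in sniff(SAMPLE_FRAMES):
        print(f"{src} -> {dst}:{port} {creds}")
```

The two HTTP logins are recovered in full; the TLS session on port 443 yields nothing because the credentials inside it are encrypted. That is the practical countermeasure to sniffing on an untrusted network such as a coffee-shop access point: cleartext protocols (HTTP, FTP, Telnet, POP3 without TLS) expose everything, encrypted ones expose only metadata. A real sniffer reads frames from a raw socket or pcap rather than from a list, which requires administrator privileges on the capturing host.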
The Domain Name System (DNS) translates a domain name, such as www.facebook.com,
into its numerical IP address. If a DNS server does not know the IP address, it
will ask another DNS server. With DNS spoofing (or DNS cache poisoning), the
criminal introduces false data into a DNS resolver's cache. These poisoning attacks
exploit a weakness in the DNS software: a resolver accepts the first response whose
transaction ID and port match an outstanding query, without any further proof of
where it came from. A forged response that wins that race causes the resolver to
redirect traffic for a specific domain to the criminal's computer, instead of to
the legitimate owner of the domain.
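The race described above, as an added example that is not part of the original page: a toy caching resolver is attacked by a forger who has observed one earlier transaction ID and extrapolates from it. The same attacker succeeds against a resolver that uses sequential IDs on a fixed port and fails against one that randomizes both, which is why resolvers have randomized them since the 2008 Kaminsky disclosures (and why DNSSEC, which signs the data itself, is the real fix). The names and addresses are constructed for the demonstration.

```python
import random
from dataclasses import dataclass, field

VICTIM_NAME = "www.example.com"
LEGIT_IP = "93.184.216.34"       # what the authoritative server answers (constructed)
ATTACKER_IP = "198.51.100.66"    # where the attacker wants the name to resolve


@dataclass
class Query:
    txid: int
    sport: int
    qname: str


@dataclass
class Resolver:
    """Toy caching resolver. `randomize` selects the modern behaviour:
    an unpredictable transaction ID and source port for every outgoing query."""
    randomize: bool
    rng: random.Random
    cache: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)
    next_txid: int = 1

    def send_query(self, qname):
        if self.randomize:
            txid = self.rng.randrange(0, 65536)
            sport = self.rng.randrange(1024, 65536)
        else:
            txid, sport = self.next_txid, 53      # sequential ID, fixed port
            self.next_txid += 1
        query = Query(txid, sport, qname)
        self.pending[(txid, sport, qname)] = query
        return query

    def receive(self, txid, dport, qname, answer):
        """Accept a response only if ID, destination port and name match an
        outstanding query. The first matching answer wins; a later answer for
        the same query (even the genuine one) is dropped."""
        key = (txid, dport, qname)
        if key not in self.pending:
            return False
        del self.pending[key]
        self.cache[qname] = answer
        return True


def run_attack(randomize, forged_packets, seed=7):
    resolver = Resolver(randomize=randomize, rng=random.Random(seed))

    # Step 1: the attacker makes the resolver look up a name the attacker
    # controls, so it sees one (txid, port) pair the resolver used.
    observed = resolver.send_query("probe.attacker.example")
    resolver.receive(observed.txid, observed.sport, observed.qname, ATTACKER_IP)

    # Step 2: the attacker triggers a lookup of the victim name and races the
    # real answer with forged responses extrapolated from what it observed.
    query = resolver.send_query(VICTIM_NAME)
    for i in range(forged_packets):
        guess_txid = (observed.txid + 1 + i) % 65536
        if resolver.receive(guess_txid, observed.sport, VICTIM_NAME, ATTACKER_IP):
            break

    # Step 3: the legitimate answer arrives last (the attacker was faster).
    resolver.receive(query.txid, query.sport, VICTIM_NAME, LEGIT_IP)
    return resolver.cache[VICTIM_NAME]


if __name__ == "__main__":
    print("predictable resolver ->", run_attack(randomize=False, forged_packets=16))
    print("randomized resolver  ->", run_attack(randomize=True, forged_packets=16))
```

Randomizing the ID and port only makes the guess space about 2^32 per query instead of a handful; an attacker who can flood enough forged packets, or who sits on-path and can read the real query, still wins. Only a signed answer (DNSSEC) or an authenticated transport to the resolver removes the race entirely.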
Packets transport data across a network or the Internet. Packet forgery (or packet
injection) interferes with an established network communication by constructing
packets that appear to be part of that communication. Packet forgery allows a
criminal to disrupt or intercept packets. This enables the criminal to hijack an
authorized connection or deny an individual's ability to use certain network
services. Cyber professionals call this a man-in-the-middle attack.
The examples given only scratch the surface of the types of threats criminals can
launch against Internet and network services.
Over the last decade, cyberattacks like Stuxnet proved that a cyberattack could
successfully destroy or interrupt critical infrastructure. Specifically, Stuxnet
targeted the Supervisory Control and Data Acquisition (SCADA) systems used to
control and monitor industrial processes. SCADA can be part of various industrial
processes in manufacturing, production, energy and communications systems.
The advanced threat potential that exists today demands a special breed of cyber
security experts.
In the U.S., the National Security Agency (NSA) is responsible for intelligence
collection and surveillance activities. The NSA built a new data center just to
process the growing volume of information. In 2015, the U.S. Congress passed the
USA Freedom Act ending the practice of collecting U.S. citizens' phone records in
bulk. The program provided metadata that gave the NSA information about
communications sent and received.
The efforts to protect people's way of life often conflict with their right to
privacy. It will be interesting to see what happens to the balance between these
rights and the safety of Internet users.
Baiting
Baiting relies on the curiosity or greed of the victim. What distinguishes baiting from other types of social engineering is the promise of an item or good that hackers use to entice victims. Baiters may offer users free music or movie downloads if the users surrender their login credentials to a certain site. Baiting attacks are not restricted to online schemes. Attackers can exploit human curiosity with physical media like USB drives.
Shoulder Surfing
Shoulder surfing is literally looking over someone's shoulder to get information. Shoulder surfing is an effective way to get information in crowded places because it is relatively easy to stand next to someone and watch as they fill out a form or enter a PIN at an ATM. Shoulder surfing can also be done from a distance with the aid of modern cell phones, binoculars, or other vision-enhancing devices. To prevent shoulder surfing, experts recommend that you shield paperwork or your keypad from view by using your body or cupping your hand. There are even screen shields that make shoulder surfing much more difficult.
Pretexting
Pretexting is using deception to create a scenario to convince victims to divulge information they should not divulge. Pretexting is often used against organizations that retain client data, such as financial data, credit card numbers, utilities account numbers, and other sensitive information. Pretexters often request information from individuals in an organization by impersonating a supervisor, helpdesk clerk, or client, usually by phone, email, or text.
Lab - Explore Social Engineering Techniques
© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public. www.netacad.com
Tailgating
Tailgating tricks the victim into helping the attacker gain unauthorized access into the organization's physical facilities. The attacker seeks entry into a restricted area where access is controlled by software-based electronic devices or human guards. Tailgating can also involve the attacker following an employee closely to pass through a locked door before the door locks behind the employee.
Dumpster diving
In the world of social engineering, dumpster diving is a technique used to retrieve discarded information thrown in the trash to carry out an attack on a person or organization. Dumpster diving is not limited to searching through the trash for obvious treasures like access codes or passwords written down on sticky notes; it can also involve electronic information left on desktops, or stored on USB drives.
Traditional Data
With the emergence of IoT, there is much more data to be managed and secured. All
of these connections, plus the expanded storage capacity and storage services
offered through the Cloud and virtualization, has led to the exponential growth of
data. This data expansion created a new area of interest in technology and business
called "Big Data".
Algorithm attacks can track system self-reporting data, like how much energy a
computer is using, and use that information to select targets or trigger false
alerts. Algorithmic attacks can also disable a computer by forcing it to use memory
or by overworking its central processing unit. Algorithmic attacks are more devious
because they exploit designs used to improve energy savings, decrease system
failures, and improve efficiencies.
Safety Implications
Emergency call centers in the U.S. are vulnerable to cyberattacks that could shut
down 911 networks, jeopardizing public safety. A telephone denial of service (TDoS)
attack uses phone calls against a target telephone network, tying up the system and
preventing legitimate calls from getting through. Next generation 911 call centers
are vulnerable because they use Voice-over-IP (VoIP) systems rather than
traditional landlines. In addition to TDoS attacks, these call centers can also be
at risk of distributed denial-of-service (DDoS) attacks that use many systems to
flood the resources of the target, making the target unavailable to legitimate
users. There are many ways nowadays to request 911 help, from using an app on a
smartphone to using a home security system.
The National Cybersecurity Workforce Framework
The Workforce Framework categorizes cybersecurity work into seven categories.
Within each category, there are several specialty areas. The specialty areas then
define common types of cybersecurity work.
Protect and Defend includes the identification, analysis, and mitigation of threats
to internal systems and networks.
Collect and Operate includes specialized denial and deception operations and the
collection of cybersecurity information.
Industry Certifications
In a world of cybersecurity threats, there is a great need for skilled and
knowledgeable information security professionals. The IT industry established
standards for cybersecurity specialists to obtain professional certifications that
provide proof of skills, and knowledge level.
CompTIA Security+
Cyber heroes also analyze policy, trends, and intelligence to understand how cyber
criminals think. Many times, this may involve a large amount of detective work.
The first dimension of the Cybersecurity Cube includes the three principles of
information security. Cybersecurity professionals refer to the three principles as
the CIA Triad. The second dimension identifies the three states of information or
data. The third dimension of the cube identifies the expertise required to provide
protection. These are often called the three categories of cybersecurity
safeguards.
The chapter also discusses the ISO cybersecurity model. The model represents an
international framework to standardize the management of information systems.
Data in transit
Data at rest or in storage
Data in process
The protection of cyberspace requires cybersecurity professionals to account for
the safeguarding of data in all three states.
Cybersecurity Safeguards
The third dimension of the Cybersecurity Cube defines the skills and discipline a
cybersecurity professional can call upon to protect cyberspace. Cybersecurity
professionals must use a range of different skills and disciplines available to
them when protecting the data in the cyberspace. They must do this while remaining
on the "right side" of the law.
The Cybersecurity Cube identifies the three types of skills and disciplines used to
provide protection. The first skill includes the technologies, devices, and
products available to protect information systems and fend off cyber criminals.
Cybersecurity professionals have a reputation for mastering the technological tools
at their disposal. However, McCumber reminds them that the technological tools are
not enough to defeat cyber criminals. Cybersecurity professionals must also build a
strong defense by establishing policies, procedures, and guidelines that enable the
users of cyberspace to stay safe and follow good practices. Finally, users of
cyberspace must strive to become more knowledgeable about the threats of the
cyberspace and establish a culture of learning and awareness.
Controlling Access
Access control defines a number of protection schemes that prevent unauthorized
access to a computer, network, database, or other data resources. The concepts of
AAA involve three security services: Authentication, Authorization and Accounting.
These services provide the primary framework to control access.
Authorization services determine which resources users can access, along with the
operations that users can perform. Some systems accomplish this by using an access
control list, or an ACL. An ACL determines whether a user has certain access
privileges once the user authenticates. Just because you can log onto the corporate
network does not mean that you have permission to use the high-speed color printer.
Authorization can also control when a user has access to a specific resource. For
example, employees may have access to a sales database during work hours, but the
system locks them out after hours.
Accounting keeps track of what users do, including what they access, the amount of
time they access resources, and any changes made. For example, a bank keeps track
of each customer account. An audit of that system can reveal the time and amount of
all transactions and the employee or system that executed the transactions.
Cybersecurity accounting services work the same way. The system tracks each data
transaction and provides auditing results. An administrator can set up computer
policies to enable system auditing.
The concept of AAA is similar to using a credit card. The credit card identifies
who can use it, how much that user can spend, and accounts for items or services
the user purchased.
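The three AAA services, as an added example that is not code from the original page: a small server that authenticates against salted PBKDF2 password hashes, authorizes through an access control list that can carry a time-of-day window (the "sales database during work hours" case above), and records every decision in an audit log. The users, resources and policy in `build_demo_server` are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from datetime import datetime

PBKDF2_ROUNDS = 100_000
DUMMY_SALT = b"\x00" * 16


class AAAServer:
    """Authentication (who), authorization (what, when) and accounting (record)."""

    def __init__(self):
        self._users = {}      # username -> (salt, pbkdf2 digest); no plaintext stored
        self._acl = {}        # resource -> {username: (allowed ops, (start_hour, end_hour) or None)}
        self.audit_log = []   # accounting: one record per decision

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def grant(self, username, resource, ops, hours=None):
        """ACL entry: `ops` the user may perform on `resource`, optionally only
        during the half-open window [start_hour, end_hour)."""
        self._acl.setdefault(resource, {})[username] = (frozenset(ops), hours)

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            self._derive(password, DUMMY_SALT)
            ok = False
        else:
            salt, digest = record
            ok = hmac.compare_digest(digest, self._derive(password, salt))
        self._record(username, "login", None, ok, datetime.now())
        return ok

    def authorize(self, username, resource, op, now):
        """Authenticated is not authorized: the ACL decides per resource, per
        operation and, where a window is set, per time of day."""
        entry = self._acl.get(resource, {}).get(username)
        allowed = False
        if entry is not None:
            ops, hours = entry
            in_window = hours is None or hours[0] <= now.hour < hours[1]
            allowed = op in ops and in_window
        self._record(username, op, resource, allowed, now)
        return allowed

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _record(self, user, action, resource, allowed, when):
        self.audit_log.append({
            "time": when.isoformat(timespec="seconds"),
            "user": user, "action": action, "resource": resource,
            "result": "allow" if allowed else "deny",
        })


def build_demo_server():
    """Constructed sample policy: alice may read and write the sales database
    during office hours, bob may only read it; nobody may use the color printer."""
    server = AAAServer()
    server.add_user("alice", "correct horse battery staple")
    server.add_user("bob", "bob-password")
    server.grant("alice", "sales_db", {"read", "write"}, hours=(9, 17))
    server.grant("bob", "sales_db", {"read"})
    return server


def run_demo():
    """Exercise the sample policy; returns the server and the list of decisions."""
    server = build_demo_server()
    morning, night = datetime(2024, 3, 4, 10, 0), datetime(2024, 3, 4, 22, 0)
    decisions = [
        server.authenticate("alice", "correct horse battery staple"),  # correct password
        server.authenticate("alice", "wrong password"),
        server.authenticate("mallory", "anything"),                     # unknown user
        server.authorize("alice", "sales_db", "write", morning),
        server.authorize("alice", "sales_db", "write", night),          # outside window
        server.authorize("bob", "sales_db", "read", night),             # no window set
        server.authorize("bob", "sales_db", "write", morning),          # read-only grant
        server.authorize("alice", "color_printer", "print", morning),   # no ACL entry
    ]
    return server, decisions


if __name__ == "__main__":
    server, decisions = run_demo()
    print(decisions)
    for entry in server.audit_log:
        print(entry)
```

Two details matter in practice: denials are logged as carefully as successes, because a burst of denies is usually the first signal of an attack, and the comparison of password hashes uses `hmac.compare_digest` so that a wrong guess takes the same time whether it fails on the first byte or the last.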
Cybersecurity accounting tracks and monitors in real time. Websites, like Norse,
show attacks in real time based on data collected as part of an accounting or
tracking system.
All of the laws listed in the figure include a provision for dealing with privacy
starting with U.S. laws in Figure 1. Figure 2 lists a sampling of international
efforts. Most of these laws are a response to the massive growth in data
collection.
Methods used to ensure data integrity include hashing, data validation checks, data
consistency checks, and access controls. Data integrity systems can include one or
more of the methods listed above.
Integrity Checks
An integrity check is a way to measure the consistency of a collection of data (a
file, a picture, or a record). The integrity check performs a process called a hash
function to take a snapshot of data at an instant in time. The integrity check uses
the snapshot to ensure data remains unchanged.
Common hash functions include MD5, SHA-1, SHA-256, and SHA-512. A hash function
maps input of any length to a fixed-size value, and changing even one bit of the
input produces a completely different hash. The hashed value is simply there for
comparison. For example, after downloading a file, the user can verify the
integrity of the file by comparing the hash value published by the source with the
one generated by any hash calculator. Two caveats apply: MD5 and SHA-1 are no
longer collision resistant, so they detect accidental corruption but cannot be
relied on against a deliberate substitution, and a published hash only helps if it
was obtained over a channel the attacker cannot also modify; otherwise the attacker
simply replaces both the file and its hash.
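The download check described above, as an added example that is not code from the original page: compute the digest in chunks as a large file would be read, compare it in constant time against the published value, and show that a single flipped bit changes the digest beyond recognition. The sample file bytes and the published digest are constructed for the demonstration; the refusal of MD5 and SHA-1 by default reflects their known collision weaknesses.

```python
import hashlib
import hmac

# Algorithms from the page's list that are no longer collision resistant.
COLLISION_BROKEN = {"md5", "sha1"}


def file_digest(data, algorithm="sha256", chunk_size=64 * 1024):
    """Hex digest of `data`, fed in chunks the way a large file would be read."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_download(data, published_hex, algorithm="sha256", allow_weak=False):
    """Compare the computed digest with the one the source published.

    Returns True only on a match. Refuses MD5/SHA-1 unless the caller opts in:
    collisions can be manufactured for both, so a match there proves little
    against a deliberate substitution."""
    if algorithm in COLLISION_BROKEN and not allow_weak:
        raise ValueError(f"{algorithm} is not collision resistant; use sha256 or stronger")
    computed = file_digest(data, algorithm)
    # Constant-time comparison so the check cannot leak how many leading
    # characters of the digest matched.
    return hmac.compare_digest(computed, published_hex.strip().lower())


def flip_bit(data, bit_index):
    """Return a copy of `data` with one bit inverted (simulated corruption)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def digest_distance(hex_a, hex_b):
    """Number of hex digits that differ: makes the avalanche effect visible."""
    return sum(1 for a, b in zip(hex_a, hex_b) if a != b)


# Constructed stand-in for a downloaded installer (about 100 KiB).
SAMPLE_FILE = bytes(range(256)) * 400 + b"installer-v1.2.3"
PUBLISHED_SHA256 = file_digest(SAMPLE_FILE)   # what the vendor's page would list

if __name__ == "__main__":
    tampered = flip_bit(SAMPLE_FILE, 12345)
    print("intact    :", verify_download(SAMPLE_FILE, PUBLISHED_SHA256))
    print("1 bit off :", verify_download(tampered, PUBLISHED_SHA256))
    print("hex digits changed by one flipped bit:",
          digest_distance(PUBLISHED_SHA256, file_digest(tampered)))
```

On the command line the same check is `sha256sum -c` against a `SHA256SUMS` file; the point of the example is the two decisions a tool has to make for you, which algorithm it will accept and whether the comparison is constant-time.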
Five Nines
People use various information systems in their day-to-day lives. Computers and
information systems control communications, transportation and the manufacturing of
products. The continuous availability of information systems is imperative to
modern life. The term high availability describes systems designed to avoid
downtime. "Five nines" means 99.999 percent availability, which allows only about
five minutes of downtime per year. High availability systems typically include
three design principles.
Ensuring Availability
Organizations can ensure availability by implementing the following:
Equipment maintenance
Regular equipment maintenance can dramatically improve system uptime. Maintenance
includes component replacement, cleaning and alignment.
Backup testing
Backup of organization data, configuration data and personal data ensures system
availability. Backup systems should also be tested to ensure they work properly
and that data can be recovered in the event of data loss.
Disaster planning
Disaster planning is a critical part of increasing system availability. Employees
and customers should know how to respond to a disaster. The cybersecurity team
should practice response and test backup systems and be familiar with procedures
for restoring critical systems.
Redundant array of independent disks (RAID) uses multiple hard drives in an array,
which is a method of combining multiple disks so that the operating system sees
them as a single disk. RAID provides improved performance and fault tolerance.
A storage area network (SAN) architecture is a network based storage system. SAN
systems connect to the network using high-speed interfaces allowing improved
performance and the ability to connect multiple servers to a centralized disk
storage repository.
Cloud storage is a remote storage option that uses space on a data center provider
and is accessible from any computer with Internet access. Google Drive, iCloud, and
Dropbox are all examples of cloud storage providers.
Direct-attached storage can be one of the most difficult types of data storage to
manage and control. Direct-attached storage is vulnerable to malicious attacks on
the local host. Stored data may also include backup data. Backups can be manual or
automatic. Organizations should limit the types of data stored on direct-attached
storage. In particular, an organization would not store critical data on direct-
attached storage devices.
Network storage systems offer a more secure option. Network storage systems
including RAID, SAN and NAS provide greater performance and redundancy. However,
network storage systems are more complicated to configure and manage. They also
handle more data, posing a greater risk to the organization if the device fails.
The unique challenges of network storage systems include configuring, testing, and
monitoring the system.
Sneaker net - uses removable media to physically move data from one computer to
another
Wired networks - use cables to transmit data
Wireless networks - use radio waves to transmit data
Organizations will never be able to eliminate the use of a sneaker net.
Wired networks include copper-wired and fiber optic media. Wired networks can serve
a local geographical area (Local Area Network) or they can span great distances
(Wide Area Networks).
Wireless networks are replacing wired networks. Wireless networks are becoming
faster and able to handle more bandwidth. Wireless networks expand the number of
guest users with mobile devices on small office home office (SOHO) and enterprise
networks.
Both wired and wireless networks use packets or data units. The term packet refers
to a unit of data that travels between an origin and a destination on the network.
Standard protocols like Internet Protocol (IP) and Hypertext Transfer Protocol
(HTTP) define the structure and formation of data packets. These are open
standards, published and available to the public. Protecting the confidentiality,
integrity, and availability of transmitted data is one of the most important
responsibilities of a cybersecurity professional.
Protecting data confidentiality - cyber criminals can capture, save and steal data
in transit. Cyber professionals must take steps to counter these actions.
Protecting data integrity - cyber criminals can intercept and alter data in
transit. Cybersecurity professionals deploy data integrity systems that test the
integrity and authenticity of transmitted data to counter these actions.
Protecting data availability - cyber criminals can use rogue or unauthorized
devices to interrupt data availability. A simple mobile device can pose as a local
wireless access point and trick unsuspecting users into associating with the rogue
device. The cybercriminal can then hijack an authorized connection to a protected
service or device. Network security professionals can implement mutual-
authentication systems to counter these actions. Mutual authentication requires
the user (or client) to authenticate to the server and the server to authenticate
to the user, so a rogue access point or server that cannot prove its identity is
rejected.
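The "data integrity system for transmitted data" mentioned above, as an added example that is not code from the original page: the sender appends a keyed HMAC-SHA256 tag over a sequence number and the payload, and the receiver rejects frames whose tag does not verify (altered or forged) or whose sequence number it has already accepted (replayed). The last part shows why the key matters: with a plain hash appended to the data, the attacker just edits the data and recomputes the hash. The shared key, the messages and the tampering offsets are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32   # HMAC-SHA256 output length
SEQ_LEN = 8    # 64-bit sequence number


def seal(key, seq, payload):
    """Sender side: frame = sequence number || payload || HMAC over both."""
    header = struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verify the tag first, then reject anything already seen."""

    def __init__(self, key):
        self._key = key
        self._last_seq = -1

    def open(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        header, payload, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                      # altered in transit, or forged
        seq = struct.unpack("!Q", header)[0]
        if seq <= self._last_seq:
            return None                      # replayed or stale frame
        self._last_seq = seq
        return payload


def unkeyed_checksum(payload):
    """What a plain hash appended to the data looks like (no secret involved)."""
    return payload + hashlib.sha256(payload).digest()


def open_unkeyed(frame):
    payload, digest = frame[:-TAG_LEN], frame[-TAG_LEN:]
    return payload if hashlib.sha256(payload).digest() == digest else None


def tamper(frame, offset, new_bytes):
    """Attacker rewrites bytes in place inside the frame."""
    return frame[:offset] + new_bytes + frame[offset + len(new_bytes):]


def run_demo():
    key = b"shared-secret-established-out-of-band"   # constructed; real keys come from a KDF or TLS
    rx = Receiver(key)
    original = b"TRANSFER 100 TO ACCOUNT 1234"
    frame = seal(key, seq=1, payload=original)
    results = {
        "genuine": rx.open(frame),
        "altered": rx.open(tamper(frame, SEQ_LEN + 9, b"900")),   # "100" -> "900"
        "replayed": rx.open(frame),                                # same frame again
        "next": rx.open(seal(key, seq=2, payload=b"TRANSFER 5 TO ACCOUNT 9999")),
    }
    # With only an unkeyed hash, the attacker edits the data and recomputes the hash.
    naive = unkeyed_checksum(original)
    forged = unkeyed_checksum(naive[:9] + b"900" + naive[12:-TAG_LEN])
    results["unkeyed_forgery"] = open_unkeyed(forged)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:16s} {value}")
```

The MAC gives integrity and authenticity but no confidentiality, and the sequence counter only works while both sides keep state; in deployed protocols the same three ideas (key, tag, counter) live inside TLS or IPsec, where an AEAD cipher also encrypts the payload.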
Protection of data integrity starts with the initial input of data. Organizations
use several methods to collect data, such as manual data entry, scanning forms,
file uploads, and data collected from sensors. Each of these methods poses potential
threats to data integrity. An example of data corruption during the input process
includes data entry errors or disconnected, malfunctioning, or inoperable system
sensors. Other examples can include mislabeling and incorrect or mismatched data
formats.
Data modification refers to any changes to the original data such as users manually
modifying data, programs processing and changing data, and equipment failing
resulting in data modification. Processes like encoding/decoding,
compression/decompression and encryption/decryption are all examples of data
modification. Malicious code also results in data corruption.
Data corruption also occurs during the data output process. Data output refers to
outputting data to printers, electronic displays or directly to other devices. The
accuracy of output data is critical because output provides information and
influences decision-making. Examples of output data corruption include the
incorrect use of data delimiters, incorrect communication configurations, and
improperly configured printers.
Challenges of Protecting Data In-Process
Failing to protect against invalid data modification during processing can have an
adverse impact. Software errors are the reason for many mishaps and disasters. For
example, just two weeks before Christmas, some of Amazon's third-party retailers
experienced a change in the advertised price on their items to just one cent. The
glitch lasted for one hour. The error resulted in thousands of shoppers getting the
deal of a lifetime and the company losing revenue. In 2016, the Nest thermostat
malfunctioned and left users with no heat. The Nest thermostat is a smart technology
owned by Google. A software glitch left users, literally, out in the cold. A
software update went wrong, forcing the device's batteries to drain and leaving it
unable to control temperature. As a result, customers were unable to heat their
homes or get hot water on one of the coldest weekends of the year.
Types of Malware
Cyber criminals target users' end devices through the installation of malware. The
three most common types of malware are viruses, worms, and Trojan horses.
Viruses
Worms
Worms are responsible for some of the most devastating attacks on the Internet. For
example, in 2001, the Code Red worm infected 658 servers. Within 19 hours, the worm
infected over 300,000 servers.
Trojan horse
A Trojan horse is malware that carries out malicious operations under the guise of
a desired operation such as playing an online game. This malicious code runs with
the privileges of the user that runs it. A Trojan horse differs from a virus in
that it does not replicate itself; it relies on the user to run it, and is often
disguised as or bundled with non-executable content such as image files, audio
files, or games.
Logic Bombs
A logic bomb is a malicious program that uses a trigger to awaken the malicious
code. For example, triggers can be dates, times, other programs running, or the
deletion of a user account. The logic bomb remains inactive until that trigger
event happens. Once activated, a logic bomb implements a malicious code that causes
harm to a computer. A logic bomb can sabotage database records, erase files, and
attack operating systems or applications. Cybersecurity specialists recently
discovered logic bombs that attack and destroy the hardware components in a
workstation or server including the cooling fans, CPU, memory, hard drives and
power supplies. The logic bomb overdrives these devices until they overheat or
fail.
Ransomware
Ransomware holds a computer system, or the data it contains, captive until the
target makes a payment. Ransomware usually works by encrypting data in the computer
with a key unknown to the user. The user must pay a ransom to the criminals to
remove the restriction.
Payment through an untraceable payment system is always the criminal's goal. Once
the victim pays, the criminal may supply a program that decrypts the files or send
an unlock code, but there is no guarantee of this, so tested offline backups remain
the only reliable recovery path.
A rootkit modifies the operating system to create a backdoor. Attackers then use
the backdoor to access the computer remotely. Most rootkits take advantage of
software vulnerabilities to perform privilege escalation and modify system files.
Privilege escalation takes advantage of programming errors or design flaws to grant
the criminal elevated access to network resources and data. It is also common for
rootkits to modify system forensics and monitoring tools, making them very hard to
detect. Often, a user must wipe and reinstall the operating system of a computer
infected by a rootkit.
Antivirus Program - The majority of antivirus suites catch most widespread forms of
malware. However, cyber criminals develop and deploy new threats on a daily basis.
Therefore, the key to an effective antivirus solution is to keep the signatures
updated. A signature is like a fingerprint. It identifies the characteristics of a
piece of malicious code.
Up-to-Date Software - Many forms of malware achieve their objectives through
exploitation of vulnerabilities in software, both in the operating system and
applications. Although operating system vulnerabilities were the main source of
problems, today's application-level vulnerabilities pose the greatest risk.
Unfortunately, while operating system vendors are becoming more and more responsive
to patching, most application vendors are not.
Spam
Email is a universal service used by billions worldwide. As one of the most popular
services, email has become a major vulnerability to users and organizations. Spam,
also known as junk mail, is unsolicited email. In most cases, spam is a method of
advertising. However, spam can send harmful links, malware, or deceptive content.
The end goal is to obtain sensitive information such as a social security number or
bank account information. Most spam comes from multiple computers on networks
infected by a virus or worm. These compromised computers send out as much bulk
email as possible.
Even with these security features implemented, some spam might still get through.
Watch for some of the more common indicators of spam:
Adware typically displays annoying pop-ups to generate revenue for its authors. The
malware may analyze user interests by tracking the websites visited. It can then
send pop-up advertising pertinent to those sites. Some versions of software
automatically install Adware. Some adware only delivers advertisements, but it is
also common for adware to come with spyware.
Scareware persuades the user to take a specific action based on fear. Scareware
forges pop-up windows that resemble operating system dialogue windows. These
windows convey forged messages stating that the system is at risk or needs the
execution of a specific program to return to normal operation. In reality, no
problems exist, and if the user agrees and allows the mentioned program to execute,
malware infects his or her system.
Phishing
Phishing is a form of fraud. Cyber criminals use email, instant messaging, or other
social media to try to gather information such as login credentials or account
information by masquerading as a reputable entity or person. Phishing occurs when a
malicious party sends a fraudulent email disguised as being from a legitimate,
trusted source. The message intent is to trick the recipient into installing
malware on his or her device or into sharing personal or financial information. An
example of phishing is an email forged to look like it came from a retail store
asking the user to click a link to claim a prize. The link may go to a fake site
asking for personal information, or it may install a virus.
Spear phishing is a highly targeted phishing attack. While phishing and spear
phishing both use emails to reach the victims, spear phishing sends customized
emails to a specific person. The criminal researches the target's interests before
sending the email. For example, a criminal learns that the target is interested in
cars and has been looking to buy a specific model of car. The criminal joins the
same car discussion forum where the target is a member, forges a car sale offering,
and sends an email to the target. The email contains a link for pictures of the
car. When the target clicks on the link, he or she unknowingly installs malware on
the computer.
Plugins
The Flash and Shockwave plugins from Adobe enable the development of interesting
graphic and cartoon animations that greatly enhance the look and feel of a web
page. Plugins display the content developed using the appropriate software.
Until recently, plugins had a remarkable safety record. As Flash-based content grew
and became more popular, criminals examined the Flash plugins and software,
determined vulnerabilities, and exploited Flash Player. Successful exploitation
could cause a system crash or allow a criminal to take control of the affected
system. Expect increased data losses to occur as criminals continue to investigate
the more popular plugins and protocols for vulnerabilities.
SEO Poisoning
Search engines such as Google work by ranking pages and presenting relevant results
based on users' search queries. Depending on the relevancy of web site content, it
may appear higher or lower in the search result list. SEO, short for Search Engine
Optimization, is a set of techniques used to improve a website's ranking by a
search engine. While many legitimate companies specialize in optimizing websites to
better position them, SEO poisoning uses SEO to make a malicious website appear
higher in search results.
The most common goal of SEO poisoning is to increase traffic to malicious sites
that may host malware or perform social engineering. To force a malicious site to
rank higher in search results, attackers take advantage of popular search terms.
Browser Hijacker
It is difficult to stop spam, but there are ways to diminish its effects. For
example, most ISPs filter spam before it reaches the user's inbox. Many antivirus
and email software programs automatically perform email filtering. This means that
they detect and remove spam from an email inbox.
Organizations must also make employees aware of the dangers of opening email
attachments that may contain a virus or a worm. Do not assume that email
attachments are safe, even when they come from a trusted contact. A virus may be
trying to spread by using the sender's computer. Always scan email attachments
before opening them.
Keeping all software updated ensures that the system has all of the latest security
patches applied to take away known vulnerabilities.
Social Engineering
Social engineering is a completely non-technical means for a criminal to gather
information on a target. Social engineering is an attack that attempts to
manipulate individuals into performing actions or divulging confidential
information.
Social engineers often rely on people's willingness to be helpful but also prey on
people's weaknesses. For example, an attacker could call an authorized employee
with an urgent problem that requires immediate network access. The attacker could
appeal to the employee's vanity, invoke authority using name-dropping techniques,
or appeal to the employee's greed.
Something for Something (Quid pro quo) - This is when an attacker requests personal
information from a party in exchange for something, like a gift.
Authority - People are more likely to comply when instructed by "an authority".
Intimidation - Criminals bully a victim into taking action.
Consensus/Social Proof - People will take action if they think that other people
like it too.
Scarcity - People will take action when they think there is a limited quantity.
Urgency - People will take action when they think there is a limited time.
Familiarity/Liking - Criminals build a rapport with the victim to establish a
relationship.
Trust - Criminals build a trusting relationship with a victim, which may require
more time to establish.
Methods of Deception
"One man's trash is another man's treasure". This phrase can be especially true in
the world of dumpster diving which is the process of going through a target's trash
to see what information an organization throws out. Consider securing the trash
receptacle. Any sensitive information should be properly disposed of through
shredding or the use of burn bags, a container that holds classified or sensitive
documents for later destruction by fire.
A hoax is an act intended to deceive or trick. A cyber hoax can cause just as much
disruption as an actual breach would cause. A hoax elicits a user reaction. The
reaction can create unnecessary fear and irrational behavior. Users pass hoaxes
through email and social media.
A mantrap prevents piggybacking by using two sets of doors. After individuals enter
through the outer door, that door must close before the inner door will open.
Online, Email, and Web-based Deception
Forwarding hoax emails and other jokes, funny movies, and non-work-related emails
at work may violate the company's acceptable use policy and result in disciplinary
actions.
Never provide confidential information or credentials via email, chat sessions, in-
person, or on the phone to unknown parties.
Resist the urge to click on enticing emails and website links.
Keep an eye out for uninitiated or automatic downloads.
Establish policies and educate employees about those policies.
When it comes to security, give employees a sense of ownership.
Do not give in to pressure from unknown individuals.
Attacks
A Distributed DoS Attack (DDoS) is similar to a DoS attack, but it originates from
multiple, coordinated sources. As an example, a DDoS attack could proceed as
follows:
Sniffing
Sniffing is similar to eavesdropping on someone. It occurs when attackers examine
all network traffic as it passes through their NIC, whether or not the traffic is
addressed to them. Criminals accomplish network sniffing with
a software application, hardware device, or a combination of the two. As shown in
the figure, sniffing views all network traffic or it can target a specific
protocol, service, or even string of characters such as a login or password. Some
network sniffers observe all traffic and modify some or all of the traffic as well.
Sniffing also has its benefits. Network administrators may also use sniffers to
analyze network traffic, identify bandwidth issues, and troubleshoot other network
issues.
Spoofing
Spoofing is an impersonation attack, and it takes advantage of a trusted
relationship between two systems. If two systems accept the authentication
accomplished by each other, an individual logged onto one system might not go
through an authentication process again to access the other system. An attacker can
take advantage of this arrangement by sending a packet to one system that appears
to have come from a trusted system. Since the trusted relationship is in place, the
targeted system may perform the requested task without authentication.
MAC address spoofing occurs when one computer accepts data packets based on the MAC
address of another computer.
IP spoofing sends IP packets from a spoofed source address to disguise itself.
Address Resolution Protocol (ARP) is a protocol that resolves IP addresses to MAC
addresses for transmitting data. ARP spoofing sends spoofed ARP messages across a
LAN to link the criminal's MAC address with the IP address of an authorized member
of the network.
The Domain Name System (DNS) associates domain names with IP addresses. DNS server
spoofing modifies the DNS server to reroute a specific domain name to a different
IP address controlled by the criminal.
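The ARP spoofing case above can be turned into a simple detection check. This is an added example, not part of the course text: the capture lines are constructed in the "Reply <ip> is-at <mac>" form that tcpdump prints, and the code flags any IP address whose announced MAC changes, optionally seeded with static bindings for critical hosts such as the gateway.

```python
import re

# Matches the "Reply <ip> is-at <mac>" form that tcpdump prints for ARP replies.
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed sample capture: the gateway 192.168.1.1 is legitimately announced by
# 00:11:22:33:44:55; the fifth line is a forged reply claiming the same IP from a
# different MAC, which is the ARP spoofing pattern described in the text.
SAMPLE_CAPTURE = """\
12:00:01.000001 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:01.200002 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
12:00:02.000003 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 28
12:00:02.000004 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
12:00:03.000005 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
12:00:03.500006 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:01, length 28
""".splitlines()


def parse_arp_replies(lines):
    """Yield (ip, mac) for every ARP reply line; requests and other lines are skipped."""
    for line in lines:
        m = ARP_REPLY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def detect_arp_conflicts(lines, trusted=None):
    """Return a list of (ip, known_mac, claimed_mac) for every reply that contradicts
    the IP-to-MAC binding already learned (or statically configured via `trusted`).

    Without a trusted seed the first reply seen for an IP is believed, so a forged
    reply that arrives before the real one would poison the table silently; seeding
    critical hosts (gateway, DNS server) closes that gap.
    """
    table = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ip, mac in parse_arp_replies(lines):
        known = table.get(ip)
        if known is None:
            table[ip] = mac
        elif known != mac:
            alerts.append((ip, known, mac))
    return alerts


if __name__ == "__main__":
    for ip, known, claimed in detect_arp_conflicts(SAMPLE_CAPTURE):
        print(f"ALERT: {ip} was {known}, now announced by {claimed}")
```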
Man-in-the-middle
A criminal performs a man-in-the-middle (MitM) attack by intercepting
communications between computers to steal information crossing the network. The
criminal can also choose to manipulate messages and relay false information between
hosts since the hosts are unaware that a modification to the messages occurred.
MitM allows the criminal to take control over a device without the user's
knowledge.
Zero-Day Attacks
A zero-day attack, sometimes referred to as a zero-day threat, is a computer attack
that tries to exploit software vulnerabilities that are unknown or undisclosed by
the software vendor. The term zero hour describes the moment when someone discovers
the exploit. During the time it takes the software vendor to develop and release a
patch, the network is vulnerable to these exploits, as shown in the figure.
Defending against these fast-moving attacks requires network security professionals
to adopt a more sophisticated view of the network architecture. It is no longer
possible to contain intrusions at a few points in the network.
Keyboard Logging
Keyboard logging is a software program that records or logs the keystrokes of the
user of the system. Criminals can implement keystroke loggers through software
installed on a computer system or through hardware physically attached to a
computer. The criminal configures the key logger software to email the log file.
The keystrokes captured in the log file can reveal usernames, passwords, websites
visited, and other sensitive information.
Keyboard loggers can be legitimate, commercial software. Parents often purchase key
logger software to track the websites and behavior of children using the Internet.
Many anti-spyware applications are able to detect and remove unauthorized key
loggers. Although keylogging software is legal, criminals use the software for
illegal purposes.
To prevent DoS and DDoS attacks, ensure patches and upgrades are current,
distribute the workload across server systems, and block external Internet Control
Message Protocol (ICMP) packets at the border. Network devices use ICMP packets to
send error messages. For example, the ping command uses ICMP packets to verify that
a device can communicate with another on the network.
A rogue access point can also refer to a criminal's access point. In this instance,
the criminal sets up the access point as a MitM device to capture login information
from users.
An Evil Twin attack uses the criminal's access point improved with higher power and
higher gain antennas to look like a better connection option for users. After users
connect to the evil access point, the criminals can analyze traffic and execute
MitM attacks.
RF Jamming
Wireless signals are susceptible to electromagnetic interference (EMI), radio-
frequency interference (RFI), and may even be susceptible to lightning strikes or
noise from fluorescent lights. Wireless signals are also susceptible to deliberate
jamming. Radio frequency (RF) jamming disrupts the transmission of a radio or
satellite station so that the signal does not reach the receiving station.
The frequency, modulation, and power of the RF jammer need to match those of the
device that the criminal wants to disrupt in order to successfully jam the
wireless signal.
Bluetooth vulnerabilities have surfaced, but due to the limited range of Bluetooth,
the victim and the attacker need to be within range of each other.
Bluejacking is the term used for sending unauthorized messages to another Bluetooth
device. A variation of this is to send a shocking image to the other device.
Bluesnarfing occurs when the attacker copies the victim's information from his
device. This information can include emails and contact lists.
WEP uses a key for encryption. There is no provision for key management with WEP,
so the number of people sharing the key will continually grow. Since everyone is
using the same key, the criminal has access to a large amount of traffic for
analytic attacks.
WEP also has several problems with its initialization vector (IV) which is one of
the components of the cryptographic system:
It is a 24-bit field, which is too small.
It is cleartext, which means it is readable.
It is static so identical key streams will repeat on a busy network.
Wi-Fi Protected Access (WPA) and then WPA2 came out as improved protocols to
replace WEP. WPA2 does not have the same encryption problems because an attacker
cannot recover the key by observing traffic. WPA2 is susceptible to attack because
cyber criminals can analyze the packets going between the access point and a
legitimate user. Cyber criminals use a packet sniffer and then run attacks offline
on the passphrase.
Restrict access point placement within the network by placing these devices outside
the firewall or within a demilitarized zone (DMZ) which contains other untrusted
devices such as email and web servers.
WLAN tools such as NetStumbler may discover rogue access points or unauthorized
workstations. Develop a guest policy to address the need when legitimate guests
need to connect to the Internet while visiting. For authorized employees, utilize a
remote access virtual private network (VPN) for WLAN access.
Application Attacks
Cross-Site Scripting
Cross-site scripting (XSS) is a vulnerability found in web applications. XSS allows
criminals to inject scripts into the web pages viewed by users. This script can
contain malicious code.
Cross-site scripting has three participants: the criminal, the victim, and the
website. The cyber-criminal does not target a victim directly. The criminal
exploits vulnerability within a website or web application. Criminals inject
client-side scripts into web pages viewed by users, the victims. The malicious
script unknowingly passes to the user's browser. A malicious script of this type
can access any cookies, session tokens, or other sensitive information. If
criminals obtain the victim's session cookie, they can impersonate that user.
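The three-party XSS scenario above, as an added example that is not part of the course text: a server-side renderer that places a user comment into the page unchanged beside one that escapes it, plus the cookie attributes that keep a session token out of reach of page scripts. The comment text, the page fragment and the `session` cookie name are constructed for the demo.

```python
import html

# Constructed user-supplied comment containing markup. A browser that receives it
# unescaped treats the tag as part of the page and runs it in the victim's session.
USER_COMMENT = '<script>alert("xss")</script>'


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates the raw comment into HTML: user input becomes page markup."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    """Escapes <, >, &, quotes before interpolation, so the browser shows the text
    of the comment instead of interpreting it as tags or attributes."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def contains_script_tag(page: str) -> bool:
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in page.lower()


def session_cookie_header(token: str) -> str:
    """Set-Cookie line for a session token. HttpOnly keeps the value out of
    document.cookie, so even an injected script cannot read it; Secure limits it to
    TLS; SameSite=Lax stops most cross-site requests from carrying it."""
    if not token.isalnum():
        raise ValueError("session token must be alphanumeric")
    return f"Set-Cookie: session={token}; HttpOnly; Secure; SameSite=Lax; Path=/"


if __name__ == "__main__":
    print(render_comment_vulnerable(USER_COMMENT))
    print(render_comment_safe(USER_COMMENT))
    print(session_cookie_header("c0nstructedT0ken"))
```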
Code Injection
One way to store data at a website is to use a database. There are several
different types of databases such as a Structured Query Language (SQL) database or
an Extensible Markup Language (XML) database. Both XML and SQL injection attacks
exploit weaknesses in the program such as not validating database queries properly.
XML Injection
When using an XML database, an XML injection is an attack that can corrupt the
data. After the user provides input, the system accesses the required data via a
query. The problem occurs when the system does not properly scrutinize the input
request provided by the user. Criminals can manipulate the query by programming it
to suit their needs and can access the information on the database.
All sensitive data stored in the database is accessible to the criminals and they
can make any number of changes to the website. An XML injection attack threatens
the security of the website.
SQL Injection
Criminals can spoof an identity, modify existing data, destroy data, or become
administrators of the database server.
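The identity-spoofing case above, as an added example that is not part of the course text: a login query built by string concatenation beside the same query as a parameterized statement, run against a constructed in-memory SQLite table. The table, its rows and the credential check are assumptions made for the demo.

```python
import sqlite3

# Constructed demo data. Passwords are stored in clear only to keep the example
# short; a real application stores and compares password hashes.
USERS = [("alice", "correct-horse", "admin"), ("bob", "hunter2", "user")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string formatting: whatever the user types becomes part of
    the SQL text, so crafted input can change the WHERE clause instead of being
    compared against the stored value."""
    query = ("SELECT username, role FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(query).fetchone()


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the values separately from the
    statement, so input is only ever compared as data and never parsed as SQL."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # A username ending in a quote and a comment marker turns the rest of the
    # concatenated statement into a comment, which removes the password check.
    crafted = "alice' --"
    print("vulnerable:", login_vulnerable(db, crafted, "anything"))
    print("safe:      ", login_safe(db, crafted, "anything"))
```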
Buffer Overflow
A buffer overflow occurs when data goes beyond the limits of a buffer. Buffers are
memory areas allocated to an application. By changing data beyond the boundaries of
a buffer, the application accesses memory allocated to other processes. This can
lead to a system crash, data compromise, or provide escalation of privileges.
The CERT/CC at Carnegie Mellon University estimates that nearly half of all
exploits of computer programs stem historically from some form of buffer overflow.
The generic classification of buffer overflows includes many variants, such as
static buffer overruns, indexing errors, format string bugs, Unicode and ANSI
buffer size mismatches, and heap overruns.
Take, for example, Metasploit. Metasploit is a tool for developing and executing
exploit code against a remote target. Meterpreter is an exploit module within
Metasploit that provides advanced features. Meterpreter allows criminals to write
their own extensions as a shared object. Criminals upload and inject these files
into a running process on the target. Meterpreter loads and executes all of the
extensions from memory, so they never involve the hard drive. This also means that
these files fly under the radar of antivirus detection. Meterpreter has a module
for controlling a remote system's webcam. Once a criminal installs Meterpreter on
the victim's system, he or she can view and capture images from the victim's
webcam.
Java operates through an interpreter, the Java Virtual Machine (JVM). The JVM
enables the Java program's functionality. The JVM sandboxes or isolates untrusted
code from the rest of the operating system. There are vulnerabilities, which allow
untrusted code to go around the restrictions imposed by the sandbox. There are also
vulnerabilities in the Java class library, which an application uses for its
security. Java is the second biggest security vulnerability next to Adobe's Flash
plugin.
Keep all software including operating systems and applications up to date, and do
not ignore update prompts. Not all programs update automatically. At the very
least, select the manual update option. Manual updates allow users to see exactly
what updates take place.
The principles of cryptology explain how modern day protocols and algorithms secure
communications. Cryptology is the science of making and breaking secret codes. The
development and use of codes is cryptography. Studying and breaking codes is
cryptanalysis. Society has used cryptography for centuries to protect secret
documents. For example, Julius Caesar used a simple alphabetic cipher to encrypt
messages to his generals in the field. His generals would have knowledge of the
cipher key required to decrypt the messages. Today, modern day cryptographic
methods ensure secure communications.
Access control is, as its name suggests, a way of controlling access to a building,
a room, a system, a database, a file, and information. Organizations employ a
variety of access control techniques to protect confidentiality. This chapter will
examine the four steps in the access control process: 1) identification, 2)
authentication, 3) authorization, and 4) accountability. In addition, the chapter
describes the different access control models and access control types.
The chapter concludes by discussing the various ways users mask data. Data
obfuscation and steganography are two techniques used to accomplish data masking.
What is Cryptography?
Cryptology is the science of making and breaking secret codes. Cryptography is a
way to store and transmit data so only the intended recipient can read or process
it. Modern cryptography uses computationally secure algorithms to make sure that
cyber criminals cannot easily compromise protected information.
Data confidentiality ensures privacy so that only the intended receiver can read
the message. Parties achieve this through encryption. Encryption is the process of
scrambling data so that an unauthorized party cannot easily read it.
Over the centuries, various cipher methods, physical devices, and aids encrypted
and decrypted text:
All cipher methods use a key to encrypt or decrypt a message. The key is an
important component in the encryption algorithm. An encryption algorithm is only as
good as the key used. The more complexity involved, the more secure the algorithm.
Key management is an important piece in the process.
Creating Ciphertext
Each encryption method uses a specific algorithm, called a cipher, to encrypt and
decrypt messages. A cipher is a series of well-defined steps used to encrypt and
decrypt messages. There are several methods of creating ciphertext:
Some modern encryption algorithms still use transposition as part of the algorithm.
There are two approaches to ensuring the security of data when using encryption.
The first is to protect the algorithm. If the security of an encryption system
depends on the secrecy of the algorithm itself, the most important aspect is to
guard the algorithm at all costs. Every time someone finds out the details of the
algorithm, every party involved would need to change the algorithm. That approach
does not sound very secure or manageable. The second approach is to protect the
keys. With modern cryptography, the algorithms are public. The cryptographic keys
ensure the secrecy of the data. Cryptographic keys are passwords that are part of
the input into an encryption algorithm together along with the data requiring
encryption.
Symmetric algorithms - These algorithms use the same pre-shared key, sometimes
called a secret key pair, to encrypt and decrypt data. Both the sender and receiver
know the pre-shared key before any encrypted communication begins. As shown in
Figure 1, symmetric algorithms use the same key to encrypt and decrypt the
plaintext. Encryption algorithms that use a common key are simpler and need less
computational power.
Asymmetric algorithms - Asymmetrical encryption algorithms use one key to encrypt
data and a different key to decrypt data. One key is public and the other is
private. In a public-key encryption system, any person can encrypt a message using
the public key of the receiver, and the receiver is the only one that can decrypt
it using his private key. Parties exchange secure messages without needing a pre-
shared key, as shown in Figure 2. Asymmetric algorithms are more complex. These
algorithms are resource intensive and slower to execute.
For example, Alice and Bob live in different locations and want to exchange secret
messages with one another through the mail system. Alice wants to send a secret
message to Bob.
If Bob wants to talk to Carol, he needs a new pre-shared key for that communication
to keep it secret from Alice. The more people Bob wants to communicate with
securely, the more keys he will need to manage.
Types of Cryptography
The most common types of cryptography are block ciphers and stream ciphers. Each
method differs in the way that it groups bits of data to encrypt it.
Block Ciphers
Block ciphers usually result in output data that is larger than the input data,
because the ciphertext must be a multiple of the block size. For example, Data
Encryption Standard (DES) is a symmetric algorithm that encrypts blocks in 64-bit
chunks using a 56-bit key. To accomplish this, the block algorithm takes data one
chunk at a time, for example, 8 bytes per chunk, until the entire block is full. If
there is less input data than one full block, the algorithm adds artificial data,
or blanks, until it uses the full 64 bits, as shown in Figure 1 for the 64 bits on
the left.
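The block-filling step described above, as an added example that is not part of the course text: PKCS#7 padding on 8-byte (DES-sized) blocks, with the strict unpadding check a receiver must perform before trusting the trailer. The block size constant and the sample messages are assumptions for the demo.

```python
DES_BLOCK_SIZE = 8  # DES block is 64 bits = 8 bytes, as in the text


def pkcs7_pad(data: bytes, block_size: int = DES_BLOCK_SIZE) -> bytes:
    """Append n bytes, each with value n, where n is the number of bytes needed to
    reach the next block boundary (1 <= n <= block_size). Input that already fills
    whole blocks gets an extra full block of padding, so unpadding is unambiguous."""
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be between 1 and 255 bytes")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = DES_BLOCK_SIZE) -> bytes:
    """Strip and verify the padding; any malformed trailer is rejected outright.
    In a real protocol the rejection must not be distinguishable from other
    decryption failures, otherwise it becomes an oracle for an attacker."""
    if not data or len(data) % block_size != 0:
        raise ValueError("padded data must be a non-empty multiple of the block size")
    n = data[-1]
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def padded_length(plaintext_len: int, block_size: int = DES_BLOCK_SIZE) -> int:
    """Ciphertext size a block cipher produces for a plaintext of this length."""
    return (plaintext_len // block_size + 1) * block_size


def split_blocks(data: bytes, block_size: int = DES_BLOCK_SIZE):
    """The chunks the block algorithm consumes one at a time."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


if __name__ == "__main__":
    for msg in (b"hello", b"12345678", b"123456789"):
        padded = pkcs7_pad(msg)
        print(len(msg), "->", len(padded), split_blocks(padded))
```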
Stream Ciphers
Unlike block ciphers, stream ciphers encrypt plaintext one byte or one bit at a
time, as shown in Figure 2. Think of stream ciphers as a block cipher with a block
size of one bit. With a stream cipher, the transformation of these smaller
plaintext units varies, depending on when they are encountered during the
encryption process. Stream ciphers can be much faster than block ciphers, and
generally do not increase the message size, because they can encrypt an arbitrary
number of bits.
A5 is a stream cipher that provides voice privacy and encrypts cell phone
communications. It is also possible to use DES in stream cipher mode.
Complex cryptographic systems can combine block and stream in the same process.
3DES (Triple DES): Digital Encryption Standard (DES) is a symmetric block cipher
with 64-bit block size that uses a 56-bit key. It takes a 64-bit block of plaintext
as input and outputs a 64-bit block of ciphertext. It always operates on blocks of
equal size and it uses both permutations and substitutions in the algorithm. A
permutation is a way of arranging all elements of a set.
Triple DES encrypts data three times and uses a different key for at least one of
the three passes, giving it a cumulative key size of 112-168 bits. 3DES is
resistant to attack, but it is much slower than DES.
IDEA: The International Data Encryption Algorithm (IDEA) uses 64-bit blocks and
128-bit keys. IDEA performs eight rounds of transformations on each of the 16
blocks that result from dividing each 64-bit block. IDEA was the replacement for
DES, and now PGP (Pretty Good Privacy) uses it. PGP is a program that provides
privacy and authentication for data communication. GNU Privacy Guard (GPG) is a
licensed, free version of PGP.
AES: The Advanced Encryption Standard (AES) has a fixed block size of 128-bits with
a key size of 128, 192, or 256 bits. The National Institute of Standards and
Technology (NIST) approved the AES algorithm in December 2001. The U.S. government
uses AES to protect classified information.
AES is a strong algorithm that uses longer key lengths. AES is faster than DES and
3DES, so it provides both a solution for software applications as well as hardware
use in firewalls and routers.
Other block ciphers include Skipjack (developed by the NSA), Blowfish, and Twofish.
For example, in Figure 1, Alice requests and obtains Bob's public key. In Figure 2,
Alice uses Bob's public key to encrypt a message using an agreed-upon algorithm.
RSA (Rivest-Shamir-Adleman) - uses the product of two very large prime numbers with
an equal length of between 100 and 200 digits. Browsers use RSA to establish a
secure connection.
ElGamal - uses the U.S. government standard for digital signatures. This algorithm
is free for use because no one holds the patent.
Elliptic Curve Cryptography (ECC) - uses elliptic curves as part of the algorithm.
In the U.S., the National Security Agency uses ECC for digital signature generation
and key exchange.
Key Management
Key management includes the generation, exchange, storage, use, and replacement of
keys used in an encryption algorithm.
Key length - Also called the key size, this is the measure in bits.
Keyspace - This is the number of possibilities that a specific key length can
generate.
As key length increases, the keyspace increases exponentially. The keyspace of an
algorithm is the set of all possible key values. Longer keys are more secure;
however, they are also more resource intensive. Almost every algorithm has some
weak keys in its keyspace that enable a criminal to break the encryption via a
shortcut.
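The Caesar cipher mentioned earlier and the keyspace discussion above, combined in one added example that is not part of the course text: encryption with a shift key, cryptanalysis by trying all 25 keys, and the keyspace arithmetic that shows why a 56-bit key and a 128-bit key differ by a factor of 2^72. The mini-dictionary used to recognise a plausible decryption is constructed.

```python
import math
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, key: int) -> str:
    """Shift each letter forward by `key` positions; other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    return caesar_encrypt(ciphertext, -key)


# Constructed mini-dictionary used to recognise a plausible decryption.
COMMON_WORDS = {"THE", "AND", "AT", "TO", "ATTACK", "DAWN", "SEND", "TROOPS", "NORTH"}


def brute_force_caesar(ciphertext: str):
    """Cryptanalysis by exhaustion: try every one of the 25 non-trivial keys and
    return (key, plaintext) for the candidate containing the most dictionary words.
    The keyspace is so small that this finishes instantly, which is the point."""
    best = (-1, None, None)
    for key in range(1, 26):
        candidate = caesar_decrypt(ciphertext, key)
        score = sum(1 for w in candidate.split() if w.strip(".,!?") in COMMON_WORDS)
        if score > best[0]:
            best = (score, key, candidate)
    return best[1], best[2]


def keyspace_size(key_bits: int) -> int:
    """Number of possible keys for a key of the given length in bits."""
    return 2 ** key_bits


def effective_key_bits(keyspace: int) -> float:
    """Key length in bits that a keyspace of this size is equivalent to."""
    return math.log2(keyspace)


if __name__ == "__main__":
    ct = caesar_encrypt("ATTACK AT DAWN", 3)
    print(ct, "->", brute_force_caesar(ct))
    print("Caesar keyspace ~", round(effective_key_bits(25), 2), "bits")
    print("DES keyspace:", keyspace_size(56))
    print("AES-128 / DES keyspace ratio: 2^", int(effective_key_bits(keyspace_size(128) // keyspace_size(56))))
```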
Maintaining confidentiality is important for both data at rest and data in motion.
In both cases, symmetric encryption is favored because of its speed and the
simplicity of the algorithm. Some asymmetric algorithms can significantly increase
the size of the object encrypted. Therefore, in the case of data in motion, use
public key cryptography to exchange the secret key, and then symmetric cryptography
to ensure the confidentiality of the data sent.
Applications
There are many applications for both symmetric and asymmetric algorithms.
The electronic payment industry uses 3DES. Operating systems use DES to protect
user files and system data with passwords. Most encrypting file systems, such as
NTFS, use AES.
VPNs use IPsec. IPsec is a suite of protocols developed to achieve secure services
over networks. IPsec services allow for authentication, integrity, access control,
and confidentiality. With IPsec, remote sites can exchange encrypted and verified
information.
Data in use is a growing concern to many organizations. When in use, data no longer
has any protection because the user needs to open and change the data. System
memory holds data in use and it can contain sensitive data such as the encryption
key. If criminals compromise data in use, they will have access to data at rest and
data in motion.
Access Controls
Physical access control determines who can enter (or exit), where they can enter
(or exit), and when they can enter (or exit).
For example, take the military security classifications Secret and Top Secret. If a
file (an object) is considered top secret, it is classified (labeled) Top Secret.
The only people (subjects) that may view the file (object) are those with a Top
Secret clearance. It is up to the access control mechanism to ensure that an
individual (subject) with only a Secret clearance, never gains access to a file
labeled as Top Secret. Similarly, a user (subject) cleared for Top Secret access
cannot change the classification of a file (object) labeled Top Secret to Secret.
Additionally, a Top Secret user cannot send a Top Secret file to a user cleared
only to see Secret information.
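The Secret/Top Secret rules above, as an added example that is not part of the course text: a small reference-monitor style check that decides every read, relabel and send request from stored clearances and labels. The subject and object tables and the name `mediate` are constructed for the demo.

```python
from enum import IntEnum


class Level(IntEnum):
    """Ordered sensitivity labels; a higher value means more restricted."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def can_read(clearance: Level, label: Level) -> bool:
    """A subject may read an object only if cleared at or above the object's label."""
    return clearance >= label


def can_relabel(clearance: Level, old_label: Level, new_label: Level) -> bool:
    """Subjects may not lower a label (Top Secret -> Secret) even when cleared for
    it; raising a label is the only change an ordinary subject may make."""
    return can_read(clearance, old_label) and new_label >= old_label


def can_send(sender: Level, label: Level, recipient: Level) -> bool:
    """Sending is a read by the sender followed by a read by the recipient, so
    both must be cleared for the object's label."""
    return can_read(sender, label) and can_read(recipient, label)


def mediate(subjects, objects, who, action, what, **kwargs):
    """Decide one request from the stored labels, never from anything the subject
    supplies. Returns (allowed, reason) so the decision can be logged."""
    clearance, label = subjects[who], objects[what]
    if action == "read":
        ok = can_read(clearance, label)
    elif action == "relabel":
        ok = can_relabel(clearance, label, kwargs["new_label"])
    elif action == "send":
        ok = can_send(clearance, label, subjects[kwargs["to"]])
    else:
        raise ValueError(f"unknown action {action!r}")
    verdict = "allow" if ok else "deny"
    return ok, f"{who}({clearance.name}) {action} {what}({label.name}): {verdict}"


# Constructed subjects and objects matching the scenario in the text.
SUBJECTS = {"sam": Level.SECRET, "tina": Level.TOP_SECRET}
OBJECTS = {"plans.doc": Level.TOP_SECRET, "memo.txt": Level.SECRET}


if __name__ == "__main__":
    print(mediate(SUBJECTS, OBJECTS, "sam", "read", "plans.doc")[1])
    print(mediate(SUBJECTS, OBJECTS, "tina", "relabel", "plans.doc", new_label=Level.SECRET)[1])
    print(mediate(SUBJECTS, OBJECTS, "tina", "send", "plans.doc", to="sam")[1])
```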
In systems that employ discretionary access controls, the owner of an object can
decide which subjects can access that object and what specific access they may
have. One common method to accomplish this is with permissions, as shown in the
figure. The owner of a file can specify what permissions (read/write/execute) other
users may have.
Access control lists are another common mechanism used to implement discretionary
access control. An access control list uses rules to determine what traffic can
enter or exit a network.
RBAC can work in combination with DAC or MAC by enforcing the policies of either
one. RBAC helps to implement security administration in large organizations with
hundreds of users and thousands of possible permissions. Organizations widely
accept the use of RBAC to manage computer permissions within a system, or
application, as a best practice.
As with MAC, users cannot change the access rules. Organizations can combine rule-
based access control with other strategies for implementing access restrictions.
For example, MAC methods can utilize a rule-based approach for implementation.
Identification
What is Identification?
Identification enforces the rules established by the authorization policy. A
subject requests access to a system resource. Every time the subject requests
access to a resource, the access controls determine whether to grant or deny
access. For example, the authorization policy determines what activities a user can
perform on a resource.
A unique identifier ensures the proper association between allowed activities and
subjects. A username is the most common method used to identify a user. A username
can be an alphanumeric combination, a personal identification number (PIN), a smart
card, or biometric, such as a fingerprint, retina scan, or voice recognition.
A unique identifier ensures that a system can identify each user individually;
therefore, allowing an authorized user to perform the appropriate actions on a
particular resource.
Identification Controls
Cybersecurity policies determine which identification controls should be used. The
sensitivity of the information and information systems determine how stringent the
controls. The increase in data breaches has forced many organizations to strengthen
their identification controls. For example, the credit card industry in the United
States requires all vendors to convert to smart card identification systems.
Authentication Methods
Users need to use different passwords for different systems because if a criminal
cracks the user's password once, the criminal will have access to all of a user's
accounts. A password manager can help a user create and remember strong passwords.
What You Have
Smart cards and security key fobs are both examples of something that users have in
their possession.
Smart Card Security (Figure 1) - A smart card is a small plastic card, about the
size of a credit card, with a small chip embedded in it. The chip is an intelligent
data carrier, capable of processing, storing, and safeguarding data. Smart cards
store private information, such as bank account numbers, personal identification,
medical records, and digital signatures. Smart cards provide authentication and
encryption to keep data safe.
Security Key Fob (Figure 2) - A security key fob is a device that is small enough
to attach to a key ring. It uses a process called two-factor authentication, which
is more secure than a username and password combination. First, the user enters a
personal identification number (PIN). If correctly entered, the security key fob
will display a number. This is the second factor, which the user must enter to log
in to the device or network.
Multi-factor Authentication
Multi-factor authentication uses at least two methods of verification. A security
key fob is a good example. The two factors are something you know, such as a
password, and something you have, such as a security key fob. Take this a step
further by adding something you are, such as a fingerprint scan.
Authorization
What is Authorization?
Authorization controls what a user can and cannot do on the network after
successful authentication. After a user proves his or her identity, the system
checks to see what network resources the user can access and what the user can do
with the resources. Authorization answers the question, "What read, copy, create,
and delete privileges does the user have?"
Authorization uses a set of attributes that describes the user's access to the
network. The system compares these attributes to the information contained within
the authentication database, determines a set of restrictions for that user, and
delivers it to the local router where the user is connected.
Authorization is automatic and does not require users to perform additional steps
after authentication. Implement authorization immediately after the user
authenticates.
Using Authorization
Defining authorization rules is the first step in controlling access. An
authorization policy establishes these rules.
Accountability
What is Accountability?
Accountability traces an action back to a person or process making the change to a
system, collects this information, and reports the usage data. The organization can
use this data for such purposes as auditing or billing. The collected data might
include the log in time for a user, whether the user log in was a success or
failure, or what network resources the user accessed. This allows an organization
to trace actions, errors, and mistakes during an audit or investigation.
Implementing Accountability
Implementing accountability consists of technologies, policies, procedures, and
education. Log files provide detailed information based on the parameters chosen.
For example, an organization may look at the log for login failures and successes.
Login failures can indicate that a criminal tried to hack an account. Login
successes tell an organization which users are using what resources and when. Is it
normal for an authorized user to access the corporate network at 3:00 a.m.? The
organization's policies and procedures spell out what actions should be recorded
and how the log files are generated, reviewed and stored.
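The review described above (count login failures, see who used what and when, flag a login at 3:00 a.m.) can be scripted over the log. The following is an added example, not from the course: the log line format, the sample lines, the failure threshold and the business-hours window are all constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log lines in an assumed "date time user RESULT source" format.
SAMPLE_LOG = """\
2024-03-04 03:02:17 carol SUCCESS 203.0.113.9
2024-03-04 09:12:05 alice SUCCESS 10.0.0.12
2024-03-04 09:13:41 bob FAILURE 10.0.0.34
2024-03-04 09:13:44 bob FAILURE 10.0.0.34
2024-03-04 09:13:47 bob FAILURE 10.0.0.34
2024-03-04 09:13:50 bob FAILURE 10.0.0.34
2024-03-04 09:14:02 bob FAILURE 10.0.0.34
2024-03-04 17:45:00 alice SUCCESS 10.0.0.12
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) (SUCCESS|FAILURE) (\S+)$")
FAILURE_THRESHOLD = 5           # illustrative threshold chosen for this example
BUSINESS_HOURS = range(7, 20)   # 07:00 to 19:59, an assumption for this example


def parse(log_text: str):
    """Yield (timestamp, user, result, source) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def review(log_text: str) -> dict:
    """Apply the three questions from the text to the log."""
    failures = Counter()
    off_hours = []
    usage = {}
    for ts, user, result, source in parse(log_text):
        if result == "FAILURE":
            failures[user] += 1                       # repeated failures: possible guessing
        else:
            usage.setdefault(user, []).append((ts.isoformat(sep=" "), source))
            if ts.hour not in BUSINESS_HOURS:         # is a 3:00 a.m. login normal for this user?
                off_hours.append((user, ts.isoformat(sep=" "), source))
    return {
        "repeated_failures": sorted(u for u, n in failures.items() if n >= FAILURE_THRESHOLD),
        "off_hours_logins": off_hours,
        "usage": usage,
    }
```

Whether a flagged entry is an incident is a policy question; the script only makes the record reviewable, which is the accountability goal the text describes.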
Preventive Controls
Prevent means to keep something from happening. Preventive access controls stop
unwanted or unauthorized activity from happening. For an authorized user, a
preventive access control means restrictions. Assigning user specific privileges on
a system is an example of a preventive control. Even though a user is an authorized
user, the system puts limits in place to prevent the user from accessing and
performing unauthorized actions. A firewall that blocks access to a port or service
that cyber criminals can exploit is also a preventive control.
Deterrent Controls
A deterrent is the opposite of a reward. A reward encourages individuals to do the
right thing, while a deterrent discourages them from doing the wrong thing. Cyber
security professionals and organizations use deterrents to limit or mitigate an
action or behavior, but deterrents do not stop them. Access control deterrents
discourage cyber criminals from gaining unauthorized access to information systems
and sensitive data. Access control deterrents discourage attacking systems,
stealing data, or spreading malicious code. Organizations use access control
deterrents to enforce cybersecurity policies.
Deterrents make potential cyber criminals think twice before committing a crime.
The figure lists common access control deterrents used in the cybersecurity world.
Detective Controls
Detection is the act or process of noticing or discovering something. Access
control detections identify different types of unauthorized activity. Detection
systems can be very simple, such as a motion detector or security guard. They can
also be more complex, such as an intrusion detection system. All detective systems
have several things in common; they look for unusual or prohibited activity. They
also provide methods to record or alert system operators of potential unauthorized
access. Detective controls do not prevent anything from happening; they are more of
an after-the-fact measure.
Corrective Controls
Corrective counteracts something that is undesirable. Organizations put corrective
access controls in place after a system experiences a threat. Corrective controls
restore the system back to a state of confidentiality, integrity, and availability.
They can also restore systems to normal after unauthorized activity occurs.
Recovery Controls
Recovery is a return to a normal state. Recovery access controls restore resources,
functions, and capabilities after a violation of a security policy. Recovery
controls can repair damage, in addition to stopping any further damage. These
controls have more advanced capabilities over corrective access controls.
Compensative Controls
Compensate means to make up for something. Compensative access controls provide
options to other controls to bolster enforcement in support of a security policy.
There are several data masking techniques that can ensure that data remains
meaningful but changed enough to protect it.
Substitution replaces data with authentic looking values to apply anonymity to the
data records.
Shuffling derives a substitution set from the same column of data that a user wants
to mask. This technique works well for financial information in a test database,
for example.
Nulling out applies a null value to a particular field, which completely prevents
visibility of the data.
Steganography
What is Steganography?
Steganography conceals data (the message) in another file such as a graphic, audio,
or other text file. The advantage of steganography over cryptography is that the
secret message does not attract any special attention. No one would ever know that
a picture actually contained a secret message by viewing the file either
electronically or in hardcopy.
There are several components involved in hiding data. First, there is the embedded
data, which is the secret message. The cover-text (or cover-image or cover-audio)
hides the embedded data producing the stego-text (or stego-image or stego-audio). A
stego-key controls the hiding process.
The approach used to embed data in a cover-image is using Least Significant Bits
(LSB). This method uses bits of each pixel in the image. A pixel is the basic unit
of programmable color in a computer image. The specific color of a pixel is a blend
of three colors: red, green, and blue (RGB). Three bytes of data specify a pixel's
color (one byte for each color). Eight bits make up a byte. A 24-bit color system
uses all three bytes. LSB uses a bit of each of the red, green, and blue color
components. Each pixel can store 3 bits.
The figure shows three pixels of a 24-bit color image. One of the letters in the
secret message is the letter T, and inserting the character T changes only two bits
of the color. The human eye cannot recognize the changes made to the least
significant bits. The result is a hidden character.
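The embedding of the letter T into three 24-bit pixels described above, as an added example that is not part of the course. The cover pixel values are constructed for this illustration (they happen to give the same two-bit change as the figure); the extraction and bit-count helpers are assumptions of the example.

```python
COVER = [(200, 101, 50), (10, 20, 31), (1, 2, 3)]   # constructed 24-bit RGB pixels


def to_bits(payload: bytes):
    """Yield the payload's bits, most significant bit of each byte first."""
    for byte in payload:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed_lsb(cover, payload: bytes):
    """Write each payload bit into the least significant bit of successive R, G, B
    values. Each pixel carries 3 bits, so one byte uses 8 of the 9 channels of 3 pixels."""
    if 8 * len(payload) > 3 * len(cover):
        raise ValueError("cover image too small for payload")
    bits = to_bits(payload)
    stego = []
    for pixel in cover:
        new_pixel = []
        for channel in pixel:
            bit = next(bits, None)
            # Clear the LSB and set it to the payload bit; channels past the payload are untouched.
            new_pixel.append(channel if bit is None else (channel & 0xFE) | bit)
        stego.append(tuple(new_pixel))
    return stego


def extract_lsb(stego, nbytes: int) -> bytes:
    """Read the LSB of each channel back in order and regroup the bits into bytes."""
    lsbs = [channel & 1 for pixel in stego for channel in pixel][: 8 * nbytes]
    return bytes(int("".join(str(b) for b in lsbs[i:i + 8]), 2)
                 for i in range(0, 8 * nbytes, 8))


def bits_changed(cover, stego) -> int:
    """Count how many bits of the image differ after embedding."""
    return sum(bin(a ^ b).count("1")
               for p, q in zip(cover, stego) for a, b in zip(p, q))


def demo():
    stego = embed_lsb(COVER, b"T")
    return stego, extract_lsb(stego, 1), bits_changed(COVER, stego)
```

Only channel values whose LSB already differs from the payload bit change at all, which is why so few bits move and why the eye cannot see the difference.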
Social Steganography
Social steganography hides information in plain sight by creating a message that
can be read a certain way by some to get the message. Others who view it in a
normal way will not see the message. Teens on social media use this tactic to
communicate with their closest friends while keeping others, like their parents,
unaware of what the message actually means. For example, the phrase "going to the
movies" might mean "going to the beach".
Individuals in countries that censor media also use social steganography to get
their messages out by misspelling words on purpose or making obscure references. In
effect, they communicate to different audiences simultaneously.
Detection
Steganalysis is the discovery that hidden information exists. The goal of
steganalysis is to discover the hidden information.
Patterns in the stego-image create suspicion. For example, a disk may have unused
areas that hide information. Disk analysis utilities can report on hidden
information in unused clusters of storage devices. Filters can capture data packets
that contain hidden information in packet headers. Both of these methods are using
steganography signatures.
Data Obfuscation
Data obfuscation is the use and practice of data masking and steganography
techniques in the cybersecurity and cyber intelligence profession. Obfuscation is
the art of making the message confusing, ambiguous, or harder to understand. A
system may purposely scramble messages to prevent unauthorized access to sensitive
information.
Applications
Software watermarking protects software from unauthorized access or modification.
Software watermarking inserts a secret message into the program as proof of
ownership. The secret message is the software watermark. If someone tries to remove
the watermark, the result is nonfunctional code.
Software obfuscation translates software into a version equivalent to the original
but one that is harder for attackers to analyze. Trying to reverse engineer the
software gives unintelligible results from software that still functions.
What is Hashing?
Users need to know that their data remains unchanged while at rest or in transit.
Hashing is a tool that ensures data integrity by taking binary data (the message)
and producing a fixed-length representation called the hash value or message
digest, as shown in the figure.
The hash tool uses a cryptographic hashing function to verify and ensure data
integrity. It can also verify authentication. Hash functions replace clear text
password or encryption keys because hash functions are one-way functions. This
means that if a password is hashed with a specific hashing algorithm, it will
always result in the same hash digest. It is considered one-way because with hash
functions, it is computationally infeasible for two different sets of data to come
up with the same hash digest or output.
Every time the data is changed or altered, the hash value also changes. Because of
this, cryptographic hash values are often called digital fingerprints. They can
detect duplicate data files, file version changes, and similar applications. These
values guard against an accidental or intentional change to the data and accidental
data corruption. Hashing is also very efficient. A large file or the content of an
entire disk drive results in a hash value with the same size.
Hashing Properties
Hashing is a one-way mathematical function that is relatively easy to compute, but
significantly harder to reverse. Grinding coffee is a good analogy of a one-way
function. It is easy to grind coffee beans, but it is almost impossible to put all
of the tiny pieces back together to rebuild the original beans.
Hashing Algorithms
Hash functions are helpful to ensure that a user or communication error does not
change the data accidentally. For instance, a sender may want to make sure that no
one alters a message on its way to the recipient. The sending device inputs the
message into a hashing algorithm and computes its fixed-length digest or
fingerprint.
The 8-bit checksum is one of the first hashing algorithms, and it is the simplest
form of a hash function. An 8-bit checksum calculates the hash by converting the
message into binary numbers and then organizing the string of binary numbers into
8-bit chunks. The algorithm adds up the 8-bit values. The final step is to convert
the result using a process called 2's complement. The 2's complement inverts every
bit of the binary sum (each zero becomes a one and each one becomes a zero) and
then adds 1. The result is the 8-bit hash value.
For example, the 8-bit checksum of the message BOB is the hash value 2D.
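The 8-bit checksum of BOB worked through in code, as an added example that is not part of the course. It also shows two things the text states but does not demonstrate: that a checksum is not a cryptographic hash (reordering bytes leaves it unchanged), and that a cryptographic hash such as SHA-256 is fixed-length whatever the input size. The helper names are the example's own.

```python
import hashlib


def checksum8(message: bytes) -> int:
    """8-bit checksum: sum the 8-bit chunks, keep the low 8 bits, then take the
    two's complement (invert every bit, add 1)."""
    total = sum(message) & 0xFF         # sum of the chunks, truncated to 8 bits
    return (~total + 1) & 0xFF          # two's complement of that sum


def checksum8_hex(message: bytes) -> str:
    return "%02X" % checksum8(message)


def verify_checksum8(message: bytes, received: int) -> bool:
    """Receiver side: the chunks plus the checksum must sum to 0 modulo 256."""
    return (sum(message) + received) & 0xFF == 0


def collides_on_reorder(message: bytes) -> bool:
    """A checksum only sums bytes, so any permutation of the message has the same value."""
    return checksum8(message) == checksum8(message[::-1])


def digest_lengths() -> tuple:
    """SHA-256 hex digests of a 3-byte and a 1 MB input have the same length."""
    small = hashlib.sha256(b"BOB").hexdigest()
    large = hashlib.sha256(b"A" * 1_000_000).hexdigest()
    return len(small), len(large)
```

For BOB the bytes are 0x42, 0x4F and 0x42; their sum is 0xD3, its inverse is 0x2C, and adding 1 gives 0x2D, matching the value above.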
Ron Rivest developed the MD5 hashing algorithm, and several Internet applications
use it today. MD5 is a one-way function that makes it easy to compute a hash from
the given input data but makes it very difficult to compute input data given only a
hash value.
MD5 produces a 128-bit hash value. The Flame malware compromised the security of
MD5 in 2012. The authors of the Flame malware used an MD5 collision to forge a
Windows code-signing certificate. Click here to read an explanation of the Flame
malware collision attack.
The U.S. National Institute of Standards and Technology (NIST) developed SHA, the
algorithm specified in the Secure Hash Standard (SHS). NIST published SHA-1 in
1994. SHA-2 replaced SHA-1 with four additional hash functions to make up the SHA
family:
SHA-224 (224 bit)
SHA-256 (256 bit)
SHA-384 (384 bit)
SHA-512 (512 bit)
SHA-2 is a stronger algorithm, and it is replacing MD5. SHA-256, SHA-384, and SHA-
512 are the next-generation algorithms.
To verify the integrity of all IOS images, Cisco provides MD5 and SHA checksums at
Cisco's Download Software website. The user can make a comparison of this MD5
digest against the MD5 digest of an IOS image installed on a device, as shown in
the figure. The user can now feel confident that no one has tampered or modified
the IOS image file.
Note: The command verify /md5, shown in the figure, is beyond the scope of this
course.
The field of digital forensics uses hashing to verify all digital media that
contain files. For example, the examiner creates a hash and a bit-for-bit copy of
the media containing the files to produce a digital clone. The examiner compares
the hash of the original media with the copy. If the two values match, the copies
are identical. The fact that one set of bits is identical to the original set of
bits establishes fixity. Fixity helps to answer several questions:
Hashing Passwords
Hashing algorithms turn any amount of data into a fixed-length fingerprint or
digital hash. A criminal cannot reverse a digital hash to discover the original
input. If the input changes at all, it results in a different hash. This works for
protecting passwords. A system needs to store a password in a form that protects it
and can still verify that a user's password is correct.
The figure shows the workflow for user account registration and authentication
using a hash-based system. The system never writes the password to the hard drive,
it only stores the digital hash.
Applications
Use cryptographic hash functions in the following situations:
While hashing can detect accidental changes, it cannot guard against deliberate
changes. There is no unique identifying information from the sender in the hashing
procedure. This means that anyone can compute a hash for any data, as long as they
have the correct hash function. For example, when a message traverses the network,
a potential attacker could intercept the message, change it, recalculate the hash,
and append the hash to the message. The receiving device will only validate against
whatever hash is appended. Therefore, hashing is vulnerable to man-in-the-middle
attacks and does not provide security to transmitted data.
Cracking Hashes
To crack a hash, an attacker must guess the password. The top two attacks used to
guess passwords are dictionary and brute-force attacks.
A dictionary attack uses a file containing common words, phrases, and passwords.
The file has the hashes calculated. A dictionary attack compares the hashes in the
file with the password hashes. If a hash matches, the attacker will know a group of
potentially good passwords.
Salting
What is Salting?
Salting makes password hashing more secure. If two users have the same password,
they will also have the same password hashes. A salt, which is a random string of
characters, is an additional input to the password before hashing. This creates a
different hash result for the two passwords as shown in the figure. A database
stores both the hash and the salt.
In the figure, the same password generates a different hash because the salt in
each instance is different. The salt does not have to be secret since it is a
random number.
Preventing Attacks
Salting prevents an attacker from using a dictionary attack to try to guess
passwords. Salting also makes it impossible to use lookup tables and rainbow tables
to crack a hash.
Lookup Tables
Rainbow Tables
Rainbow tables sacrifice hash-cracking speed to make the lookup tables smaller. A
smaller table means that the table can store the solutions to more hashes in the
same amount of space.
Implementing Salting
A Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) is the best
choice to generate salt. CSPRNGs generate a random number that has a high level of
randomness and is completely unpredictable, so it is cryptographically secure.
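Salting as described above, from a CSPRNG salt through storage of hash and salt to verification, as an added example that is not part of the course. It uses Python's secrets module as the CSPRNG and PBKDF2-HMAC-SHA256 as the password hash; the iteration count, the in-memory "database" and the function names are assumptions of the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # illustrative work factor, not a value from the course


def unsalted_hash(password: str) -> str:
    """The weakness the text describes: equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_salt(nbytes: int = 16) -> bytes:
    """Salt from the operating system CSPRNG, never from random.random()."""
    return secrets.token_bytes(nbytes)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salt is an extra input to the (deliberately slow) password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register_user(db: dict, username: str, password: str) -> None:
    """Store the salt and the hash; the password itself is never written."""
    salt = make_salt()
    db[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(db: dict, username: str, password: str) -> bool:
    record = db.get(username)
    if record is None:
        # Hash anyway so the response time does not reveal whether the account exists.
        hash_password(password, b"\x00" * 16)
        return False
    candidate = hash_password(password, record["salt"])
    # Constant-time comparison of the stored and recomputed hashes.
    return hmac.compare_digest(candidate, record["hash"])
```

Because each salt is random, a precomputed table built for one salt is useless for any other, which is the reason the text gives for salting defeating lookup and rainbow tables.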
HMAC
What is an HMAC?
The next step in preventing a cybercriminal from launching a dictionary or brute-
force attack on a hash is to add a secret key to the hash. Only the person who
knows the hash can validate a password. One way to do this is to include the secret
key in the hash using a hash algorithm called keyed-hash message authentication
code (HMAC or KHMAC). HMACs use an additional secret key as input to the hash
function. The use of HMAC goes a step further than just integrity assurance by
adding authentication. An HMAC uses a specific algorithm that combines a
cryptographic hash function with a secret key.
Only the sender and the receiver know the secret key, and the output of the hash
function now depends on the input data and the secret key. Only parties who have
access to that secret key can compute the digest of an HMAC function. This
characteristic defeats man-in-the-middle attacks and provides authentication of the
data origin.
HMAC Operation
Consider an example where a sender wants to ensure that a message remains unchanged
in transit and wants to provide a way for the receiver to authenticate the origin
of the message.
As shown in Figure 1, the sending device inputs data (such as Terry Smith's pay of
$100 and the secret key) into the hashing algorithm and calculates the fixed-length
HMAC digest or fingerprint. The receiver gets the authenticated fingerprint
attached to the message.
In Figure 2, the receiving device removes the fingerprint from the message and uses
the plaintext message with its secret key as input to the same hashing function. If
the receiving device calculates a fingerprint equal to the fingerprint sent, the
message is still in its original form. Additionally, the receiver knows the origin
of the message because only the sender possesses a copy of the shared secret key.
The HMAC function proved the authenticity of the message.
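The two figures above, and the earlier point (under Applications of hashing) that an intercepted message can simply have its plain hash recomputed, can be shown side by side. This is an added example, not part of the course; the shared key and the payroll message are constructed values, and the helper names are the example's own.

```python
import hashlib
import hmac

# Constructed for the example: the figure's payroll message and a shared secret key.
SECRET_KEY = b"example-shared-key-constructed-for-this-demo"
MESSAGE = b"PAY Terry Smith $100"


def plain_digest(message: bytes) -> str:
    """Unkeyed hash: anyone who has the hash function can compute it."""
    return hashlib.sha256(message).hexdigest()


def hmac_tag(message: bytes, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only holders of the key can compute it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_plain(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(plain_digest(message), digest)


def verify_hmac(message: bytes, tag: str, key: bytes) -> bool:
    # compare_digest keeps the comparison time independent of where bytes differ.
    return hmac.compare_digest(hmac_tag(message, key), tag)


def alter_in_transit(message: bytes) -> bytes:
    """The change the text describes: the intercepted message is edited."""
    return message.replace(b"$100", b"$1000")


def demo() -> dict:
    altered = alter_in_transit(MESSAGE)
    sent_tag = hmac_tag(MESSAGE, SECRET_KEY)
    return {
        # Plain hash: a digest recomputed over the altered message verifies, so the change goes unnoticed.
        "plain_hash_accepts_altered": verify_plain(altered, plain_digest(altered)),
        # HMAC: the tag sent with the original no longer matches the altered message ...
        "hmac_rejects_altered": not verify_hmac(altered, sent_tag, SECRET_KEY),
        # ... and without the key the best an interceptor can attach is an unkeyed digest, which is not a valid tag.
        "hmac_rejects_unkeyed_digest": not verify_hmac(altered, plain_digest(altered), SECRET_KEY),
        # The receiver, holding the key, still accepts the unaltered message.
        "hmac_accepts_original": verify_hmac(MESSAGE, sent_tag, SECRET_KEY),
        "wrong_key_rejected": not verify_hmac(MESSAGE, sent_tag, b"some-other-key"),
    }
```

The receiver's check in Figure 2 is exactly verify_hmac: strip the fingerprint, recompute over the plaintext with the shared key, compare.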
Application of HMAC
HMACs can also authenticate a web user. Many web services use basic authentication,
which does not encrypt the username and password during transmission. Using HMAC,
the user sends a private key identifier and an HMAC. The server looks up the user's
private key and creates an HMAC. The user's HMAC must match the one calculated by
the server.
VPNs using IPsec rely on HMAC functions to authenticate the origin of every packet
and provide data integrity checking.
As shown in the figure, Cisco products use hashing for entity authentication, data
integrity, and data authenticity purposes:
Cisco IOS routers use hashing with secret keys in an HMAC-like manner to add
authentication information to routing protocol updates.
IPsec gateways and clients use hashing algorithms, such as MD5 and SHA-1 in HMAC
mode, to provide packet integrity and authenticity.
Cisco software images on Cisco.com have an MD5-based checksum available so that
customers can check the integrity of downloaded images.
Note: The term entity can refer to devices or systems within an organization.
Unprotected digital documents are very easy for anyone to change. A digital
signature can determine if someone edits a document after the user signs it. A
digital signature is a mathematical method used to check the authenticity and
integrity of a message, digital document, or software.
In many countries, digital signatures have the same legal importance as a manually
signed document. Electronic signatures are binding for contracts, negotiations, or
any other document requiring a handwritten signature. An audit trail tracks the
electronic document's history for regulatory and legal defense purposes.
Non-Repudiation
To repudiate means to deny. Non-repudiation is a way to ensure that the sender of a
message or document cannot deny having sent the message or document and that the
recipient cannot deny having received the message or document.
A digital signature ensures that the sender electronically signed the message or
document. Since a digital signature is unique to the individual creating it, that
person cannot later deny that he or she provided the signature.
Alice creates the message along with a digest of the message. She then encrypts
this digest with her private key. Alice bundles the message, the encrypted message
digest, and her public key together to create the signed document. Alice sends this
to Bob.
Bob receives the message and reads it. To make sure that the message came from
Alice, he creates a message digest of the message. He takes the encrypted message
digest received from Alice and decrypts it using Alice's public key. Bob compares
the message digest received from Alice with the one he generated. If they match,
Bob knows that he can trust that no one tampered with the message.
Code signing - Used to verify the integrity of executable files downloaded from a
vendor website. Code signing also uses signed digital certificates to authenticate
and verify the identity of the site
Digital certificates - Used to verify the identity of an organization or individual
to authenticate a vendor website and establish an encrypted connection to exchange
confidential data.
1. Key generation
2. Key verification
DSA uses large number factorization. Governments use DSA for signing to create
digital signatures. DSA does not extend beyond the signature to the message itself.
RSA is the most common public key cryptography algorithm in use today. RSA is named
after the individuals who created it in 1977: Ron Rivest, Adi Shamir, and Leonard
Adleman. RSA depends on asymmetrical encryption. RSA covers signing and also
encrypts the content of the message.
DSA is faster than RSA as a signing service for a digital document. RSA is best
suited for applications requiring the signing and verification of electronic
documents and message encryption.
Like most areas of cryptography, the RSA algorithm is based on two mathematical
principles; modulus and prime number factorization.
ECDSA is the newest digital signature algorithm that is gradually replacing RSA.
The advantage of this new algorithm is that it can use much smaller key sizes for
the same security and requires less computation than RSA.
Digital certificates are similar to physical certificates. For example, the paper-
based Cisco Certified Network Associate Security (CCNA-S) certificate identifies
the individual, the Certificate Authority (who authorized the certificate), and for
how long the certificate is valid.
Step 1: Bob decides to buy something on Alice's website and clicks on "Proceed to
Checkout". His browser initiates a secure connection with Alice's web server and
displays a lock icon in the security status bar.
Step 2: Alice's web server receives the request and replies by sending its digital
certificate containing the web server public key and other information to Bob's
browser.
Step 3: Bob's browser checks the digital certificate against stored certificates
and confirms that he is indeed connected to Alice's web server. Only trusted
certificates permit the transaction to go forward. If the certificate is not valid,
then communication fails.
Step 4: Bob's web browser creates a unique session key that will be used for secure
communication with Alice's web server.
Step 5: Bob's browser encrypts the session key using Alice's public key and sends
it to Alice's web server.
Step 6: Alice's web server receives the encrypted message from Bob's browser. It
uses its private key to decrypt the message and discover the session key. Future
exchange between the web server and browser will now use the session key to encrypt
data.
For example, Alice applies for a driver's license. In this process, she submits
evidence of her identity, such as birth certificate, picture ID, and more to a
government-licensing bureau. The bureau validates Alice's identity and permits
Alice to complete a driver's examination. Upon successful completion, the licensing
bureau issues Alice a driver license. Later, Alice needs to cash a check at the
bank. Upon presenting the check to the bank teller, the bank teller asks her for
ID. The bank, because it trusts the government-licensing bureau, verifies her
identity and cashes the check.
A certificate authority (CA) functions the same as the licensing bureau. The CA
issues digital certificates that authenticate the identity of organizations and
users. These certificates also sign messages to ensure that no one tampered with
the messages.
The figure shows a certificate chain for a two tier CA. There is an offline Root CA
and an online subordinate CA. The reason for the two-tier structure is that X.509
signing allows for easier recovery in the event of a compromise. If there is an
offline CA, it can sign the new online CA certificate. If there is not an offline
CA, a user has to install a new root CA certificate on every client machine, phone,
or tablet.
Database Integrity
Data Integrity
Databases provide an efficient way to store, retrieve, and analyze data. As data
collection increases and data becomes more sensitive, it is important for
cybersecurity professionals to protect the growing number of databases. Think of a
database as an electronic filing system. Data integrity refers to the accuracy,
consistency, and reliability of data stored in a database. The responsibility of
data integrity falls on database designers, developers, and the organization's
management.
Domain Integrity: All data stored in a column must follow the same format and
definition (Figure 2).
User-defined Integrity: A set of rules defined by a user which does not belong to
one of the other categories. For example, a customer places a new order, as shown
in Figure 4.
The user first checks to see if this is a new customer. If it is, the user adds the
new customer to the customers table.
Have a drop down option for master tables instead of asking individuals to enter
the data. An example of drop down master data controls is using the locations list
from the U.S. postal address system to standardize addresses.
Validation Rules
A validation rule checks that data falls within the parameters defined by the
database designer. A validation rule helps to ensure the completeness, accuracy and
consistency of data. The criteria used in a validation rule include the following:
Input Validation
One of the most vulnerable aspects of database integrity management is controlling
the data input process. Many well-known attacks run against a database and insert
malformed data. The attack can confuse, crash, or make the application divulge too
much information to the attacker. Attackers use automated input attacks.
For example, users fill out a form via a Web application to subscribe to a
newsletter. A database application automatically generates and sends email
confirmations. When users receive their email confirmations with a URL link to
confirm their subscription, attackers modify the URL link. These modifications
include changing the username, email address, or subscription status. The
confirmation returns to the server hosting the application. If the Web server did
not verify that the email address or other account information submitted matched
the subscription information, the server accepted bogus information. Hackers can
automate the attack to flood the Web application with thousands of invalid
subscribers to the newsletter database.
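The newsletter scenario above is a case of trusting data that left the server and came back through the user's browser. The following Python example is added here and is not part of the original course material; it shows one common defence: the server signs the confirmation link with an HMAC over the username, email address and status, and on return it checks both the signature and its own subscription record before changing anything. The secret key, the `subscriptions` dictionary standing in for the database, and the hostname `news.example` are all constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed server-side secret (constructed for this example); a real deployment
# loads it from a key store rather than writing it into source.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def _signature(params):
    """HMAC-SHA256 over the sorted, URL-encoded parameters, so that any change
    to user, email or status invalidates the link."""
    canonical = urlencode(sorted(params.items()))
    return hmac.new(SERVER_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def make_confirmation_url(base_url, username, email):
    """Build the link the server emails out when a subscription is requested."""
    params = {"user": username, "email": email, "status": "pending"}
    params["sig"] = _signature(params)
    return f"{base_url}?{urlencode(params)}"


def verify_confirmation(url, subscriptions):
    """Validate a link that came back from a browser.

    `subscriptions` is the server-side record keyed by username (a dict here,
    standing in for the database).  The link is accepted only if its signature
    is intact and every field matches what the server itself stored; on success
    the record moves to 'confirmed'.  Returns True when accepted, else False.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    sig = params.pop("sig", "")
    if not hmac.compare_digest(sig, _signature(params)):
        return False                      # link was edited after it was sent
    record = subscriptions.get(params.get("user"))
    if record is None:
        return False                      # no such pending subscription
    if params.get("email") != record["email"] or record["status"] != "pending":
        return False                      # wrong address, or link already used
    record["status"] = "confirmed"
    return True
```

Because the server compares the link against what it stored, a flood of fabricated confirmations for users who never subscribed is rejected before it reaches the newsletter table, and a link that was already used cannot be replayed.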
Anomaly Verification
Anomaly detection refers to identifying patterns in data that do not conform to
expected behavior. These non-conforming patterns are anomalies, outliers,
exceptions, aberrations, or surprises in different database applications. Anomaly
detection and verification is an important countermeasure or safeguard in fraud
detection. Database anomaly detection can identify credit card
and insurance fraud. Database anomaly detection can protect data from massive
destruction or changes.
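As an added illustration of the anomaly detection described above (not code from the original course), the Python below flags transactions that sit far outside the normal pattern for one card. It uses the median and the median absolute deviation rather than the mean and standard deviation, because a single very large outlier would otherwise drag the baseline toward itself and hide smaller ones. The transaction list is constructed sample data.

```python
from statistics import median

# Constructed sample: (transaction id, amount in dollars) for one card.
TRANSACTIONS = [
    ("t1", 23.50), ("t2", 41.20), ("t3", 18.75), ("t4", 35.00), ("t5", 52.10),
    ("t6", 27.80), ("t7", 44.60), ("t8", 4800.00), ("t9", 31.25), ("t10", 39.90),
]

# 1.4826 scales the MAD so it estimates the standard deviation for normal data;
# 3.5 is a common cut-off for "very unlikely under the usual pattern".
MAD_SCALE = 1.4826


def robust_outlier_indexes(amounts, threshold=3.5):
    """Return the indexes of values whose distance from the median, measured in
    MAD units, exceeds the threshold."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts)
    if mad == 0:
        # Every typical value is identical, so anything different is anomalous.
        return [i for i, a in enumerate(amounts) if a != med]
    scale = MAD_SCALE * mad
    return [i for i, a in enumerate(amounts) if abs(a - med) / scale > threshold]


def flag_transactions(transactions, threshold=3.5):
    """Map the anomaly indexes back to transaction ids for a reviewer."""
    amounts = [amount for _, amount in transactions]
    flagged = robust_outlier_indexes(amounts, threshold)
    return [transactions[i][0] for i in flagged]


if __name__ == "__main__":
    print("review:", flag_transactions(TRANSACTIONS))
```

For the sample data the median is 37.45 and the MAD 8.40, so the 4,800 dollar purchase is hundreds of MAD units away while the largest ordinary purchase is under two; only the former is surfaced for verification.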
Entity Integrity
A database is like an electronic filing system. Maintaining proper filing is
critical in maintaining the trustworthiness and usefulness of the data within the
database. Tables, records, fields, and data within each field make up a database.
In order to maintain the integrity of the database filing system, users must follow
certain rules. Entity integrity is an integrity rule, which states that every table
must have a primary key and that the column or columns chosen to be the primary key
must be unique and not NULL. Null in a database signifies missing or unknown
values. Entity integrity enables proper organization of data for that record.
Referential Integrity
Another important concept is the relationship between different filing systems or
tables. The basis of referential integrity is foreign keys. A foreign key in one
table references a primary key in a second table. The primary key for a table
uniquely identifies entities (rows) in the table. Referential integrity maintains
the integrity of foreign keys.
Domain Integrity
Domain integrity ensures that all the data items in a column fall within a defined
set of valid values. Each column in a table has a defined set of values, such as
the set of all numbers for credit card numbers, social security numbers, or email
addresses. Limiting the value assigned to an instance of that column (an attribute)
enforces domain integrity. Domain integrity enforcement can be as simple as
choosing the correct data type, length and or format for a column.
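The four integrity rules (entity, referential, domain and user-defined) and the validation rules discussed above can all be expressed as constraints that the database itself enforces, so that malformed input is rejected no matter which application submits it. The Python and SQL below are an added example, not the course's own code; they model the customers/orders scenario from the User-defined Integrity section on an in-memory SQLite database. The table layout, the email format check and the two-letter state code rule are constructed for the example.

```python
import sqlite3

# Constructed schema for the customers/orders example.
SCHEMA = """
-- Entity integrity: each table has a primary key that is unique and never NULL.
CREATE TABLE customers (
    customer_id INTEGER PRIMARY KEY,
    -- Domain integrity: the column carries a format rule, not just a type.
    email       TEXT NOT NULL UNIQUE CHECK (email LIKE '%_@_%.__%'),
    -- Domain integrity via a master list: a two-letter upper-case state code,
    -- the kind of value a drop-down supplies instead of free text.
    state       TEXT NOT NULL CHECK (length(state) = 2 AND state = upper(state))
);

-- Referential integrity: an order may only point at a customer that exists.
CREATE TABLE orders (
    order_id    INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
    -- Validation rules: quantity and total must fall within defined ranges.
    quantity    INTEGER NOT NULL CHECK (quantity > 0),
    total_cents INTEGER NOT NULL CHECK (total_cents >= 0)
);
"""


def open_db():
    """Create an in-memory database with the constraints switched on.

    SQLite ignores foreign keys unless the pragma is enabled per connection;
    forgetting it silently turns referential integrity off."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def attempt(conn, sql, params=()):
    """Run one statement and report 'ok' or the integrity error it triggered."""
    try:
        with conn:
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def place_order(conn, email, state, quantity, total_cents):
    """User-defined integrity: the 'customer places a new order' procedure.

    Look the customer up first and add them only if they are new, then record
    the order.  Both steps run in one transaction, so a rejected order does not
    leave a half-created customer behind.  Returns (customer_id, order_id), or
    None if any constraint rejected the data."""
    try:
        with conn:
            row = conn.execute(
                "SELECT customer_id FROM customers WHERE email = ?", (email,)
            ).fetchone()
            if row is None:
                cur = conn.execute(
                    "INSERT INTO customers (email, state) VALUES (?, ?)",
                    (email, state),
                )
                customer_id = cur.lastrowid
            else:
                customer_id = row[0]
            cur = conn.execute(
                "INSERT INTO orders (customer_id, quantity, total_cents) "
                "VALUES (?, ?, ?)",
                (customer_id, quantity, total_cents),
            )
            return customer_id, cur.lastrowid
    except sqlite3.IntegrityError:
        return None


def count_rows(conn, table):
    """Row count for a table name taken from our own schema (never user input)."""
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```

Every value reaches the database through a bound parameter, so the checks are applied to the data itself rather than to a string the application assembled; a bad order is rolled back together with the customer row it would have created.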
Organizations that want to maximize the availability of their systems and data may
take extraordinary measures to minimize or eliminate data loss. The goal is to
minimize the downtime of mission critical processes. If employees cannot perform
their regular duties, the organization is in jeopardy of losing revenue.
This chapter discusses various approaches that organizations can take to help meet
their availability goals. Redundancy provides backup and includes extra components
for computers or network systems to ensure the systems remain available. Redundant
components can include hardware such as disk drives, servers, switches, and routers
or software such as operating systems, applications, and databases. The chapter
also discusses resiliency, the ability of a server, network, or data center to
recover quickly and continue operation.
The finance industry needs to maintain high availability for continuous trading,
compliance, and customer trust.
The public safety industry includes agencies that provide security and services to
a community, state, or nation.
The retail industry depends on efficient supply chains and the delivery of products
to customers. Disruption can be devastating, especially during peak demand times
such as holidays.
The public expects that the news media industry communicate information on events
as they happen. The news cycle is now around the clock, 24/7.
Threats to Availability
The following threats pose a high risk to data and information availability:
2. System Resiliency
3. Fault Tolerance
Asset Management
Asset Identification
An organization needs to know what hardware and software are present as a
prerequisite to knowing what the configuration parameters need to be. Asset
management includes a complete inventory of hardware and software.
This means that the organization needs to know all of the components that can be
subject to security risks, including:
Asset Classification
Asset classification assigns all resources of an organization into a group based on
common characteristics. An organization should apply an asset classification system
to documents, data records, data files, and disks. The most critical information
needs to receive the highest level of protection and may even require special
handling.
Asset standards identify specific hardware and software products that the
organization uses and supports. When a failure occurs, prompt action helps to
maintain both access and security. If an organization does not standardize its
hardware selection, personnel may need to scramble to find a replacement component.
Non-standard environments require more expertise to manage and they increase the
cost of maintenance contracts and inventory.
Threat Identification
The United States Computer Emergency Readiness Team (US-CERT) and the U.S.
Department of Homeland Security sponsor a dictionary of common vulnerabilities and
exposure (CVE). CVE contains a standard identifier number with a brief description,
and references to related vulnerability reports and advisories. The MITRE
Corporation maintains the CVE List and its public website.
Threat identification begins with the process of creating a CVE Identifier for
publicly known cybersecurity vulnerabilities. Each CVE Identifier includes the
following:
Risk Analysis
Risk analysis is the process of analyzing the dangers posed by natural and human-
caused events to the assets of an organization.
A quantitative analysis assigns numbers to the risk analysis process (Figure 1).
The asset value is the replacement cost of the asset. The value of an asset can
also be measured by the income gained through use of the asset. The exposure factor
(EF) is a subjective value expressed as a percentage that an asset loses due to a
particular threat. If a total loss occurs, the EF equals 1.0 (100%). In the
quantitative example, the server has an asset value of $15,000. When the server
fails, a total loss occurs (the EF equals 1.0). The asset value of $15,000
multiplied by the exposure factor of 1 results in a single loss expectancy of
$15,000.
The annualized rate of occurrence (ARO) is the probability that a loss will occur
during the year (also expressed as a percentage). An ARO can be greater than 100%
if a loss can occur more than once a year.
The calculation of the annual loss expectancy (ALE) gives management some guidance
on what it should spend to protect the asset.
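The quantitative calculation above, carried through in Python as an added example (not part of the original course): SLE is the asset value multiplied by the exposure factor, and ALE is the SLE multiplied by the ARO. The server row in the register uses the page's own figures ($15,000, EF 1.0); its ARO of 0.1 (one failure per ten years) and the other two threats are assumptions constructed for the example.

```python
def single_loss_expectancy(asset_value, exposure_factor):
    """SLE = asset value x EF.  EF is the fraction of the asset lost to one
    occurrence of the threat, so it must lie between 0 and 1 (1.0 = total loss)."""
    if not 0.0 <= exposure_factor <= 1.0:
        raise ValueError("exposure factor must be between 0.0 and 1.0")
    return asset_value * exposure_factor


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO.  ARO may exceed 1.0 when a loss can recur within a year."""
    if aro < 0:
        raise ValueError("annualized rate of occurrence cannot be negative")
    return sle * aro


def assess(threats):
    """Rank (name, asset_value, ef, aro) tuples by ALE, highest first.
    Returns a list of (name, sle, ale)."""
    rows = []
    for name, asset_value, ef, aro in threats:
        sle = single_loss_expectancy(asset_value, ef)
        rows.append((name, sle, annual_loss_expectancy(sle, aro)))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def max_justified_spend(ale_before, ale_after):
    """Upper bound on what a countermeasure is worth per year: the ALE it
    removes.  Spending more than this on the control costs more than the risk."""
    return max(0.0, ale_before - ale_after)


# Constructed risk register (ARO values are assumptions).
THREATS = [
    ("server failure", 15_000, 1.0, 0.1),
    ("laptop theft", 2_000, 1.0, 2.0),
    ("ransomware on file share", 80_000, 0.5, 0.25),
]

if __name__ == "__main__":
    for name, sle, ale in assess(THREATS):
        print(f"{name:<26} SLE ${sle:>10,.2f}  ALE ${ale:>10,.2f}")
```

Ranking by ALE rather than by SLE is the point of the exercise: the laptop is worth far less than the server, but because it is lost twice a year its annual expected loss is higher.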
Qualitative Risk Analysis uses opinions and scenarios. Figure 2 provides an example
of a table used in qualitative risk analysis, which plots the likelihood of a threat
against its impact. For example, the threat of a server failure may be likely, but
its impact may only be marginal.
A team evaluates each threat to an asset and plots it in the table. The team ranks
the results and uses the results as a guide. They may determine to take action on
only threats that fall within the red zone.
The numbers used in the table do not directly relate to any aspect of the analysis.
For example, a catastrophic impact of 4 is not twice as bad as a marginal impact of
2. This method is subjective in nature.
Mitigation
Mitigation involves reducing the severity of the loss or the likelihood of the loss
from occurring. Many technical controls mitigate risk including authentication
systems, file permissions, and firewalls. Organization and security professionals
must understand that risk mitigation can have both positive and negative impact on
the organization. Good risk mitigation finds a balance between the negative impact
of countermeasures and controls and the benefit of risk reduction. There are four
common ways to reduce risk:
Defense in Depth
Layering
Defense in depth will not provide an impenetrable cyber shield, but it will help an
organization minimize risk by keeping it one-step ahead of cyber criminals.
If there is only one defense in place to protect data and information, cyber
criminals have only to get around that single defense. To make sure data and
information remains available, an organization must create different layers of
protection.
Limiting
Limiting access to data and information reduces the possibility of a threat. An
organization should restrict access so that users only have the level of access
required to do their job. For example, the people in the marketing department do
not need access to payroll records to perform their jobs.
Technology-based solutions such as using file permissions are one way to limit
access; an organization should also implement procedural measures. A procedure
should be in place that prohibits an employee from removing sensitive documents
from the premises.
Diversity
If all of the protected layers were the same, it would not be very difficult for
cyber criminals to conduct a successful attack. Therefore, the layers must be
different. If cyber criminals penetrate one layer, the same technique will not work
on all of the other layers. Breaching one layer of security does not compromise the
whole system. An organization may use different encryption algorithms or
authentication systems to protect data in different states.
Obscurity
Obscuring information can also protect data and information. An organization should
not reveal any information that cyber criminals can use to figure out what version
of the operating system a server is running or the type of equipment it uses. For
example, error messages should not contain any details that cyber criminals could
use to determine what vulnerabilities are present. Concealing certain types of
information makes it more difficult for cyber criminals to attack a system.
Simplicity
Complexity does not necessarily guarantee security. If an organization implements
complex systems that are hard to understand and troubleshoot, it may actually
backfire. If employees do not understand how to configure a complex solution
properly, it may make it just as easy for cyber criminals to compromise those
systems. To maintain availability, a security solution should be simple from the
inside, but complex on the outside.
Redundancy
N+1 Redundancy
N+1 redundancy ensures system availability in the event of a component failure.
Components (N) need to have at least one backup component (+1). For example, a car
has four tires (N) and a spare tire in the trunk in case of a flat (+1).
In a data center, N+1 redundancy means that the system design can withstand the
loss of a component. The N refers to many different components that make up the
data center including servers, power supplies, switches, and routers. The +1 is the
additional component or system that is standing by ready to go if needed.
RAID
A redundant array of independent disks (RAID) combines multiple physical hard
drives into a single logical unit to provide data redundancy and improve
performance. RAID takes data that is normally stored on a single disk and spreads
it out among several drives. If any single disk is lost, the user can recover data
from the other disks where the data also resides.
RAID can also increase the speed of data recovery. Using multiple drives will be
faster retrieving requested data instead of relying on just one disk to do the
work.
Spanning Tree
Redundancy increases the availability of the infrastructure by protecting the
network from a single point of failure, such as a failed network cable or a failed
switch. When designers build physical redundancy into a network, loops and
duplicate frames occur. Loops and duplicate frames have severe consequences for a
switched network.
Spanning Tree Protocol (STP) addresses these issues. The basic function of STP is
to prevent loops on a network when switches interconnect via multiple paths. STP
ensures that redundant physical links are loop-free. It ensures that there is only
one logical path between all destinations on the network. STP intentionally blocks
redundant paths that could cause a loop.
Blocking the redundant paths is critical to preventing loops on the network. The
physical paths still exist to provide redundancy, but STP disables these paths to
prevent the loops from occurring. If a network cable or switch fails, STP
recalculates the paths and unblocks the necessary ports to allow the redundant path
to become active.
Router Redundancy
The default gateway is typically the router that provides devices access to the
rest of the network or to the Internet. If there is only one router serving as the
default gateway, it is a single point of failure. The organization can choose to
install an additional standby router.
In Figure 1, the forwarding router and the standby router use a redundancy protocol
to determine which router should take the active role in forwarding traffic. Each
router is configured with a physical IP address and a virtual router IP address.
End devices use the virtual IP address as the default gateway. The forwarding
router is listening for traffic addressed to 192.0.2.100. The forwarding router and
the standby router use their physical IP addresses to send periodic messages. The
purpose of these messages is to make sure both are still online and available. If
the standby router no longer receives these periodic messages from the forwarding
router, the standby router will assume the forwarding role.
The ability of a network to dynamically recover from the failure of a device acting
as a default gateway is known as first-hop redundancy.
Hot Standby Router Protocol (HSRP) - HSRP provides high network availability by
providing first-hop routing redundancy. A group of routers use HSRP for selecting
an active device and a standby device. In a group of device interfaces, the active
device is the device that routes packets; the standby device is the device that
takes over when the active device fails. The function of the HSRP standby router is
to monitor the operational status of the HSRP group and to quickly assume packet-
forwarding responsibility if the active router fails.
Virtual Router Redundancy Protocol (VRRP) - A VRRP router runs the VRRP protocol in
conjunction with one or more other routers attached to a LAN. In a VRRP
configuration, the elected router is the virtual router master, and the other
routers act as backups, in case the virtual router master fails.
Gateway Load Balancing Protocol (GLBP) - GLBP protects data traffic from a failed
router or circuit, like HSRP and VRRP, while also allowing load balancing (also
called load sharing) between a group of redundant routers.
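The hello-and-takeover behaviour described for the forwarding and standby routers above, simulated in Python as an added example (this is a teaching model of the generic first-hop redundancy idea, not an implementation of HSRP, VRRP or GLBP and not code from the course). The virtual address 192.0.2.100 comes from the page; the physical addresses, the one-second hello interval and the three-second hold time are assumptions.

```python
from dataclasses import dataclass

VIRTUAL_IP = "192.0.2.100"   # the gateway address end devices are configured with
HELLO_INTERVAL = 1.0         # seconds between hellos from the active router (assumed)
HOLD_TIME = 3.0              # silence after which the standby takes over (assumed)


@dataclass
class Router:
    name: str
    physical_ip: str          # hellos are sent from this address, not the virtual one
    role: str                 # "active" or "standby"
    alive: bool = True
    last_hello_seen: float = 0.0   # when this router last heard the active peer


class RedundancyGroup:
    """Two routers sharing one virtual IP; exactly one forwards at a time."""

    def __init__(self, active, standby):
        self.active, self.standby = active, standby
        self.now = 0.0

    def owner_of_virtual_ip(self):
        return self.active.name

    def tick(self, dt):
        """Advance simulated time by one hello interval.  A live active router
        sends a hello; a standby that has heard nothing for HOLD_TIME promotes
        itself and starts answering for the virtual IP."""
        self.now += dt
        if self.active.alive:
            self.standby.last_hello_seen = self.now
        elif self.now - self.standby.last_hello_seen >= HOLD_TIME:
            self.failover()

    def failover(self):
        self.active, self.standby = self.standby, self.active
        self.active.role, self.standby.role = "active", "standby"
        self.standby.last_hello_seen = self.now


def run_scenario(fail_at=2.0, steps=8):
    """Constructed scenario: the forwarding router dies at `fail_at` seconds.
    Returns [(time, router currently answering for the virtual IP), ...]."""
    r1 = Router("R1", "192.0.2.1", "active")
    r2 = Router("R2", "192.0.2.2", "standby")
    group = RedundancyGroup(r1, r2)
    timeline = []
    for _ in range(steps):
        if group.now >= fail_at:
            r1.alive = False
        group.tick(HELLO_INTERVAL)
        timeline.append((group.now, group.owner_of_virtual_ip()))
    return timeline


if __name__ == "__main__":
    for t, owner in run_scenario():
        print(f"t={t:4.1f}s  {VIRTUAL_IP} answered by {owner}")
```

The timeline shows the cost of the hold timer: hosts keep sending to 192.0.2.100 for three seconds after R1 dies before R2 starts forwarding, which is why the page later notes that tuning these timers shortens the outage users see.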
Location Redundancy
An organization may need to consider location redundancy depending on its needs.
The following outlines three forms of location redundancy.
Synchronous
Synchronizes both locations in real time
Requires high bandwidth
Locations must be close together to reduce latency
Asynchronous Replication
Not synchronized in real time but close to it
Requires less bandwidth
Sites can be further apart because latency is less of an issue
Point-in-time-Replication
Updates the backup data location periodically
Most bandwidth conservative because it does not require a constant connection
The correct balance between cost and availability will determine the correct choice
for an organization.
System Resilience
Resiliency is the methods and configurations used to make a system or network
tolerant of failure. For example, a network can have redundant links between
switches running STP. Although STP does provide an alternate path through the
network if a link fails, the switchover may not be immediate if the configuration
is not optimal.
Routing protocols also provide resiliency, but fine-tuning can improve the
switchover so that network users do not notice. Administrators should investigate
non-default settings in a test network to see if they can improve network recovery
times.
Application Resilience
Application resilience is the application's ability to react to problems in one of
its components while still functioning. Downtime is due to failures caused by
application errors or infrastructure failures. An administrator will eventually
need to shut down applications for patching, version upgrades, or to deploy new
features. Downtime can also be the result of data corruption, equipment failures,
application errors, and human errors.
Many organizations try to balance out the cost of achieving the resiliency of
application infrastructure with the cost of losing customers or business due to an
application failure. Application high availability is complex and costly. The
figure shows three availability solutions to address application resilience. As the
availability factor of each solution increases, the complexity and cost also
increase.
IOS Resilience
The Internetwork Operating System (IOS) for Cisco routers and switches includes a
resilient configuration feature. It allows for faster recovery if someone
maliciously or unintentionally reformats flash memory or erases the startup
configuration file. The feature maintains a secure working copy of the router IOS
image file and a copy of the running configuration file. The user cannot remove
these secure files, also known as the primary bootset.
The commands shown in the figure secure the IOS image and running configuration
file.
Incident Response
Phases
Preparation
Incident response is the procedures that an organization follows after an event
occurs outside the normal range. A data breach releases information to an untrusted
environment. A data breach can occur as the result of an accidental or intentional
act. A data breach occurs anytime an unauthorized person copies, transmits, views,
steals, or accesses sensitive information.
When an incident occurs, the organization must know how to respond. An organization
needs to develop an incident response plan and put together a Computer Security
Incident Response Team (CSIRT) to manage the response. The team performs the
following functions:
After identifying the breach, the organization needs to contain and eradicate it.
This may require additional downtime for systems. The recovery stage includes the
actions that the organization needs to take in order to resolve the breach and
restore the systems involved. After remediation, the organization needs to restore
all systems to their original state before the breach.
Post-Incident Follow-Up
After restoring all operations to a normal state, the organization should look at
the cause of the incident and ask the following questions:
A NAC framework can use the existing network infrastructure and third-party
software to enforce the security policy compliance for all endpoints. Alternately,
a NAC appliance controls network access, evaluates compliance, and enforces
security policy. Common NAC systems checks include:
The advantage of operating with a copy of the traffic is that the IDS does not
negatively affect the packet flow of the forwarded traffic. The disadvantage of
operating on a copy of the traffic is that the IDS cannot stop malicious single-
packet attacks from reaching the target before responding to the attack. An IDS
often requires assistance from other networking devices, such as routers and
firewalls, to respond to an attack.
A better solution is to use a device that can immediately detect and stop an
attack. An Intrusion Prevention System (IPS) performs this function.
An IPS monitors network traffic. It analyzes the contents and the payload of the
packets for more sophisticated embedded attacks that might include malicious data.
Some systems use a blend of detection technologies, including signature-based,
profile-based, and protocol analysis-based intrusion detection. This deeper
analysis enables the IPS to identify, stop, and block attacks that would pass
through a traditional firewall device. When a packet comes in through an interface
on an IPS, the outbound or trusted interface does not receive that packet until the
IPS analyzes the packet.
The advantage of operating in inline mode is that the IPS can stop single-packet
attacks from reaching the target system. The disadvantage is that a poorly
configured IPS can negatively affect the packet flow of the forwarded traffic.
The biggest difference between IDS and IPS is that an IPS responds immediately and
does not allow any malicious traffic to pass, whereas an IDS allows malicious
traffic to pass before addressing the problem.
Applications that support IPFIX can display statistics from any router that
supports the standard. Collecting, storing, and analyzing the aggregated
information provided by IPFIX supported devices provides the following benefits:
Organizations may be able to detect indicators of attack in their logs and system
reports for the following security alerts:
Account lockouts
All database events
Asset creation and deletion
Configuration modification to systems
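Detection logic for the alert types listed above, run over a handful of constructed log lines, as an added example (not code from the course). The line format, host names and user names are all constructed; the two thresholds (a second lockout for the same account, and a database change touching 500 or more rows) are assumptions chosen to show how a raw category such as "all database events" is refined into something worth waking someone for.

```python
import re
from collections import Counter

# Constructed sample log: "<timestamp> <host> <source>: <message>"
LOG_LINES = [
    "2024-05-01T08:01:12Z dc01 auth: account lockout user=jsmith src=10.0.0.15",
    "2024-05-01T08:03:45Z db01 db: DELETE table=customers rows=1200 user=svc_report",
    "2024-05-01T08:05:02Z cmdb asset: created asset=laptop-0419 owner=mlee",
    "2024-05-01T08:06:30Z fw01 config: modified rule=allow-any-out user=admin",
    "2024-05-01T08:07:11Z web01 http: GET /index.html 200",
    "2024-05-01T08:09:40Z dc01 auth: account lockout user=jsmith src=10.0.0.15",
    "2024-05-01T08:10:05Z db01 db: SELECT table=orders rows=3 user=app",
    "this line is not in the expected format",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<source>[\w-]+): (?P<msg>.*)$")
BULK_ROW_THRESHOLD = 500      # assumed: larger changes are treated as mass edits


def parse(line):
    """Split one line into its fields, or return None if it is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return the alert categories a parsed record belongs to (possibly none)."""
    cats = []
    if rec["source"] == "auth" and "account lockout" in rec["msg"]:
        cats.append("account_lockout")
    if rec["source"] == "db":
        cats.append("database_event")
        rows = re.search(r"\brows=(\d+)", rec["msg"])
        if (rows and int(rows.group(1)) >= BULK_ROW_THRESHOLD
                and rec["msg"].startswith(("DELETE", "UPDATE"))):
            cats.append("bulk_data_change")
    if rec["source"] == "asset":
        cats.append("asset_change")
    if rec["source"] == "config":
        cats.append("config_change")
    return cats


def scan(lines, lockout_limit=2):
    """Turn raw lines into a list of alert dicts, adding a 'repeated_lockout'
    alert the moment one account reaches `lockout_limit` lockouts."""
    alerts = []
    lockouts = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue      # a real collector would count and report these too
        cats = classify(rec)
        if "account_lockout" in cats:
            user = re.search(r"\buser=(\S+)", rec["msg"])
            key = user.group(1) if user else "?"
            lockouts[key] += 1
            if lockouts[key] == lockout_limit:
                cats.append("repeated_lockout")
        for cat in cats:
            alerts.append({"ts": rec["ts"], "host": rec["host"],
                           "category": cat, "msg": rec["msg"]})
    return alerts


if __name__ == "__main__":
    for a in scan(LOG_LINES):
        print(f"{a['ts']} {a['host']:<5} {a['category']:<18} {a['msg']}")
```

Keeping the parser, the per-line classifier and the stateful correlation (the lockout counter) separate makes it straightforward to add a new alert type without touching the others.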
Advanced threat intelligence is a type of event or profile data that can contribute
to security monitoring and response. As the cyber criminals become more
sophisticated, it is important to understand the malware maneuvers. With improved
visibility into attack methodologies, an organization can respond more quickly to
incidents.
Disaster Recovery
Types of Disasters
It is critical to keep an organization functioning when a disaster occurs. A
disaster includes any natural or human-caused event that damages assets or property
and impairs the ability for the organization to continue operating.
Natural Disasters
Natural disasters differ depending on location. Some of these events are difficult
to predict. Natural disasters fall into the following categories:
Human-caused disasters involve people or organizations and fall into the following
categories:
Labor events include strikes, walkouts, and slowdowns
Social-political events include vandalism, blockades, protests, sabotage,
terrorism, and war
Materials events include hazardous spills and fires
Utilities disruptions include power failures, communication outages, fuel
shortages, and radioactive fallout
Preventive measures include controls that prevent a disaster from occurring. These
measures seek to identify risks.
Keeping data backed up
Keeping data backups off-site
Using surge protectors
Installing generators
Detective measures include controls that discover unwanted events. These measures
uncover new potential threats.
Using up-to-date antivirus software
Installing server and network monitoring software
Corrective measures include controls that restore the system after a disaster or an
event.
Keeping critical documents in the disaster recovery plan.
Availability ensures that the resources required to keep the organization going
will continue to be available to the personnel and the systems that rely on them.
2. Identify critical systems and processes and prioritize them based on necessity.
Microsoft Baseline Security Analyzer (MBSA) assesses missing security updates and
security misconfigurations in Microsoft Windows. MBSA checks blank, simple, or non-
existent passwords, firewall settings, guest account status, administrator account
details, security event auditing, unnecessary services, network shares, and
registry settings. After hardening the operating system, the administrator creates
the policies and procedures to maintain a high level of security.
Antimalware
Malware includes viruses, worms, Trojan horses, keyloggers, spyware, and adware.
They all invade privacy, steal information, damage the system, or delete and
corrupt data.
Be cautious of malicious rogue antivirus products that may appear while browsing
the Internet. Most of these rogue antivirus products display an ad or pop-up that
looks like an actual Windows warning window. They usually state that malware is
infecting the computer and prompt the user to clean it. Clicking anywhere inside
the window may actually begin the download and installation of the malware.
Patch Management
Patches are code updates that manufacturers provide to prevent a newly discovered
virus or worm from making a successful attack. From time to time, manufacturers
combine patches and upgrades into a comprehensive update application called a
service pack. Many devastating virus attacks could have been much less severe if
more users had downloaded and installed the latest service pack.
Windows routinely checks the Windows Update website for high-priority updates that
can help protect a computer from the latest security threats. These updates include
security updates, critical updates, and service packs. Depending on the setting
configured, Windows automatically downloads and installs any high-priority updates
that the computer needs or notifies the user as these updates become available.
Some organizations may want to test a patch before deploying it throughout the
organization. The organization would use a service to manage patches locally
instead of using the vendor's online update service. The benefits of using an
automated patch update service include the following:
Host-based Firewalls
The user can control the type of data sent to and from the computer by opening or
blocking selected ports. Firewalls block incoming and outgoing network connections,
unless exceptions are defined to open and close the ports required by a program.
A host intrusion detection system (HIDS) is software that runs on a host computer
that monitors suspicious activity. Each server or desktop system that requires
protection will need to have the software installed. HIDS monitors system calls and
file system access to ensure that the requests are not the result of malicious
activity. It can also monitor system registry settings. The registry maintains
configuration information about the computer.
HIDS stores all log data locally. It can also affect system performance because it
is resource intensive. A host intrusion detection system cannot monitor any network
traffic that does not reach the host system, but it does monitor operating system
and critical system processes specific to that host.
Secure Communications
When connecting to the local network and sharing files, the communication between
computers remains within that network. Data remains secure because it is off other
networks and off the Internet. To communicate and share resources over a network
that is not secure, users employ a Virtual Private Network (VPN).
A VPN is a private network that connects remote sites or users together over a
public network, like the Internet. The most common type of VPN accesses a corporate
private network. The VPN uses dedicated secure connections, routed through the
Internet, from the corporate private network to the remote user. When connected to
the corporate private network, users become part of that network and have access to
all services and resources as if they were physically connected to the corporate LAN.
Remote-access users must have a VPN client installed on their computers to form a
secure connection with the corporate private network. The VPN client software
encrypts data before sending it over the Internet to the VPN gateway at the
corporate private network. VPN gateways establish, manage, and control VPN
connections, also known as VPN tunnels.
Operating systems include a VPN client that the user configures for a VPN
connection.
WEP
One of the most important components of modern computing are mobile devices. The
majority of devices found on today's networks are laptops, tablets, smart phones
and other wireless devices. Mobile devices transmit data using radio signals that
any device with a compatible antenna can receive. For this reason the computer
industry has developed a suite of wireless or mobile security standards, products
and devices. These standards encrypt information transmitted through the airwaves
by mobile devices.
Wired Equivalent Privacy (WEP) is one of the first and most widely used Wi-Fi security
standards. The WEP standard provides authentication and encryption protections. The
WEP standards are obsolete but many devices still support WEP for backwards
compatibility. The WEP standard became a Wi-Fi security standard in 1999 when
wireless communication was just catching on. Despite revisions to the standard and
an increased key size, WEP suffered from numerous security weaknesses. Cyber
criminals can crack WEP passwords in minutes using freely available software.
Despite improvements, WEP remains highly vulnerable and users should upgrade
systems that rely on WEP.
WPA/WPA2
The next major improvement to wireless security was the introduction of WPA and
WPA2. Wi-Fi Protected Access (WPA) was the computer industry's response to the
weakness of the WEP standard. The most common WPA configuration is WPA-PSK (Pre-
Shared Key). The keys used by WPA are 256-bit, a significant increase over the 64-
bit and 128-bit keys used in the WEP system.
The WPA standard provided several security improvements. First, WPA provided
message integrity checks (MIC) which could detect if an attacker had captured and
altered data passed between the wireless access point and a wireless client.
Another key security enhancement was Temporal Key Integrity Protocol (TKIP). The
TKIP standard provided the ability to better handle, protect and change encryption
keys. Advanced Encryption Standard (AES) superseded TKIP for even better key
management and encryption protection.
WPA, like its predecessor WEP, included several widely recognized vulnerabilities.
As a result, the release of Wi-Fi Protected Access II (WPA2) standard happened in
2006. One of the most significant security improvements from WPA to WPA2 was the
mandatory use of AES algorithms and the introduction of Counter Cipher Mode with
Block Chaining Message Authentication Code Protocol (CCM) as a replacement for
TKIP.
Mutual Authentication
One of the great vulnerabilities of wireless networks is the use of rogue access
points. Access points are the devices that communicate with the wireless devices
and connect them back to the wired network. Any device that has a wireless
transmitter and hardwired interface to a network can potentially act as a rogue or
unauthorized access point. The rogue access point can imitate an authorized access
point. The result is that wireless devices on the wireless network establish
communication with the rogue access point instead of the authorized access point.
The imposter can receive connection requests, copy the data in the request and
forward the data to the authorized network access point. This type of man-in-the-
middle attack is very difficult to detect and can result in stolen login
credentials and transmitted data. To prevent rogue access points, the computer
industry developed mutual authentication. Mutual authentication, also called two-
way authentication, is a process or technology in which both entities in a
communications link authenticate to each other. In a wireless network environment,
the client authenticates to the access point and the access point authenticates the
client. This improvement enabled clients to detect rogue access points before
connecting to the unauthorized device.
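The two-way exchange described above, as an added example in Python (a simplified teaching model with a pre-shared key and HMAC challenge/response, not the course's code and not the actual Wi-Fi handshake). Each side issues a fresh nonce and the other side proves it holds the network key by returning an HMAC over both names and that nonce. An imposter that copies the legitimate access point's name but does not hold the key cannot produce a valid proof, so the client refuses before any data is sent. The party names and the key are constructed.

```python
import hashlib
import hmac
import secrets


class Party:
    """A wireless client or access point holding the network's pre-shared key
    (a constructed stand-in for the credential a real deployment would use)."""

    def __init__(self, name, psk):
        self.name = name
        self.psk = psk

    def challenge(self):
        # A fresh random nonce, so a proof captured earlier cannot be replayed.
        return secrets.token_bytes(16)

    def respond(self, challenger_name, nonce):
        # Proof of key possession bound to both names and the nonce.  Binding
        # the names stops a peer from simply reflecting our own proof back.
        msg = b"|".join([b"mutual-auth-v1", self.name.encode(),
                         challenger_name.encode(), nonce])
        return hmac.new(self.psk, msg, hashlib.sha256).digest()

    def verify(self, responder_name, nonce, proof):
        msg = b"|".join([b"mutual-auth-v1", responder_name.encode(),
                         self.name.encode(), nonce])
        expected = hmac.new(self.psk, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def mutual_authenticate(client, ap):
    """Two-way challenge/response.  Returns (client_trusts_ap, ap_trusts_client)."""
    # 1. client -> AP: nonce_c ;  AP -> client: HMAC(psk, ap | client | nonce_c)
    nonce_c = client.challenge()
    ap_ok = client.verify(ap.name, nonce_c, ap.respond(client.name, nonce_c))
    # 2. AP -> client: nonce_a ;  client -> AP: HMAC(psk, client | ap | nonce_a)
    nonce_a = ap.challenge()
    client_ok = ap.verify(client.name, nonce_a, client.respond(ap.name, nonce_a))
    return ap_ok, client_ok


def connect(client, ap):
    """What the client does with the result: the access point must prove itself
    first, so an unauthorized device is detected before the client joins it."""
    ap_ok, client_ok = mutual_authenticate(client, ap)
    if not ap_ok:
        return "refused: access point could not prove it holds the network key"
    if not client_ok:
        return "refused: client could not prove it holds the network key"
    return "connected"


if __name__ == "__main__":
    psk = b"constructed-shared-secret"
    laptop = Party("laptop-17", psk)
    print(connect(laptop, Party("ap-lobby", psk)))          # genuine access point
    print(connect(laptop, Party("ap-lobby", b"not-the-key")))  # imposter, same name
```

Note that in WEP and WPA-PSK terms this is still only authenticating to a shared network key; an enterprise deployment authenticates each side with its own credentials, but the shape of the exchange, nonce out and keyed proof back in both directions, is the same.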
Users should be limited to only the resources they need on a computer system or on
a network. For example, they should not be able to access all files on a server if
they only need access to a single folder. It may be easier to provide users access
to the entire drive, but it is more secure to limit access to only the folder that
they need to perform their job. This is the principle of least privilege. Limiting
access to resources also prevents malicious programs from accessing those resources
if the user's computer becomes infected.
When a user changes the permissions of a folder, she has the option to apply the
same permissions to all sub-folders. This is permission propagation. Permission
propagation is an easy way to apply permissions to many files and folders quickly.
After parent folder permissions have been set, folders and files created inside the
parent folder inherit the permissions of the parent folder.
In addition, the location of the data and the action performed on the data
determine the permission propagation:
Data moved to the same volume will keep the original permissions
Data copied to the same volume will inherit new permissions
Data moved to a different volume will inherit new permissions
Data copied to a different volume will inherit new permissions
File Encryption
Encryption is a tool used to protect data. Encryption transforms data using a
complicated algorithm to make it unreadable. A special key returns the unreadable
information back into readable data. Software programs encrypt files, folders, and
even entire drives.
Encrypting File System (EFS) is a Windows feature that can encrypt data. The
Windows implementation of EFS links it directly to a specific user account. Only
the user that encrypted the data will be able to access the encrypted files or
folders.
A user can also choose to encrypt an entire hard drive in Windows using a feature
called BitLocker. To use BitLocker, at least two volumes must be present on a hard
disk.
Before using BitLocker, the user needs to enable Trusted Platform Module (TPM) in
the BIOS. The TPM is a specialized chip installed on the motherboard. The TPM
stores information specific to the host system, such as encryption keys, digital
certificates, and passwords. Applications, like BitLocker, that use encryption can
make use of the TPM chip. Click TPM Administration to view the TPM details, as
shown in the Figure.
BitLocker To Go encrypts removable drives. BitLocker To Go does not use a TPM chip,
but still provides encryption for the data and requires a password.
A data backup stores a copy of the information from a computer to removable backup
media. The operator stores the backup media in a safe place. Backing up data is one
of the most effective ways of protecting against data loss. If the computer
hardware fails, the user can restore the data from the backup once the system is
functional.
The organization's security policy should include data backups. Users should
perform data backups on a regular basis. Data backups are usually stored offsite to
protect the backup media if anything happens to the main facility.
Frequency - Backups can take a long time. Sometimes it is easier to make a full
backup monthly or weekly, and then do frequent partial backups of any data that has
changed since the last full backup. However, having many partial backups increases
the amount of time needed to restore the data.
Storage - For extra security, transport backups to an approved offsite storage
location on a daily, weekly, or monthly rotation, as required by the security
policy.
Security - Protect backups with passwords. The operator then enters the password
before restoring the data on the backup media.
Validation - Always validate backups to ensure the integrity of the data.
Disk cloning copies the contents of the computer's hard disk to an image file. For
example, an administrator creates the required partitions on a system, formats the
partition, and then installs the operating system. She installs all required
application software and configures all hardware. The administrator then uses disk-
cloning software to create the image file. The administrator can use the cloned
image as follows:
Deep Freeze "freezes" the hard drive partition. When a user restarts the system,
the system reverts to its frozen configuration. The system does not save any
changes that the user makes, so any applications installed or files saved are lost
when the system restarts.
If the administrator needs to change the system's configuration, she must first
"thaw" the protected partition by disabling Deep Freeze. After making the changes,
she must re-enable the program. The administrator can configure Deep Freeze to
restart after a user logs out, shut down after a period of inactivity, or shut
down at a scheduled time.
These products do not offer real-time protection. A system remains vulnerable until
the user or a scheduled event restarts the system. A system infected with malicious
code, though, gets a fresh start as soon as the system restarts.
The most common type of door lock is a standard keyed entry lock. It does not
automatically lock when the door closes. Additionally, an individual can wedge a
thin plastic card such as a credit card between the lock and the door casing to
force the door open. Door locks in commercial buildings are different from
residential door locks. A deadbolt lock provides additional security. Any lock that
requires a key, though, poses a vulnerability if the keys are lost, stolen, or
duplicated.
A cipher lock uses buttons that a user presses in a given sequence to open the
door. It is possible to program a cipher lock. This means that a user's code may
only work during certain days or certain times. For example, a cipher lock may only
allow Bob access to the server room between the hours of 7 a.m. and 6 p.m. Monday
through Friday. Cipher locks can also keep a record of when the door opened, and
the code used to open it.
Logout Timers
An employee gets up and leaves his computer to take a break. If the employee does
not take any action to secure his workstation, any information on that system is
vulnerable to an unauthorized user. An organization can take the following measures
to deter unauthorized access:
Employees may or may not log out of their computer when they leave the workplace.
Therefore, it is a security best practice to configure an idle timer that will
automatically log the user out and lock the screen after a specified period. The
user must log back in to unlock the screen.
Login Times
GPS Tracking
The Global Positioning System (GPS) uses satellites and computers to determine the
location of a device. GPS technology is a standard feature on smartphones that
provide real-time position tracking. GPS tracking can pinpoint a location within
100 meters. This technology is available to track children, senior citizens, pets,
and vehicles. Using GPS to locate a cell phone without the user's permission,
though, is an invasion of privacy and is illegal.
Many cell phone apps use GPS tracking to track a phone's location. For example,
Facebook allows users to check in to a location, which is then visible to people in
their networks.
RFID systems operate within different frequencies. Low frequency systems have a
shorter read range and slower data read rates, but are not as sensitive to radio
wave interference caused by liquids and metals that are present. Higher frequencies
have a faster data transfer rate and longer read ranges, but are more sensitive to
radio wave interference.
Methods of Server Hardening
With the Windows operating system, technicians can use Remote Desktop and Remote
Assistance to repair and upgrade computers. Remote Desktop allows technicians to
view and control a computer from a remote location. Remote Assistance allows
technicians to assist customers with problems from a remote location. Remote
Assistance also allows the customer to view the repair or upgrade in real time on
the screen.
The Windows installation process does not enable remote desktop by default.
Enabling this feature opens port 3389 and could result in a vulnerability if a user
does not need this service.
In Figure 2, cyber criminals capture the username and password of the administrator
from the plaintext Telnet session.
Figure 3 shows the Wireshark view of an SSH session. Cyber criminals track the
session using the IP address of the administrator device.
Administrative Measures
Secure copy (SCP) securely transfers computer files between two remote systems. SCP
uses SSH for data transfer (including the authentication element), so SCP ensures
the authenticity and confidentiality of the data in transit.
The process of enabling and disabling ports can be time-consuming, but it enhances
security on the network and is well worth the effort.
Privileged Accounts
Cyber criminals exploit privileged accounts because they are the most powerful
accounts in the organization. Privileged accounts have the credentials to gain
access to systems and they provide elevated, unrestricted access. Administrators
use these accounts to deploy and manage operating systems, applications, and
network devices.
Organizations should adopt the following best practices for securing privileged
accounts:
Group Policies
In most networks that use Windows computers, an administrator configures Active
Directory with Domains on a Windows Server. Windows computers are members of a
domain. The administrator configures a Domain Security Policy that applies to all
computers that join. Account policies are automatically set when a user logs in to
Windows.
When a computer is not part of an Active Directory domain, the user configures
policies through Windows Local Security Policy. In all versions of Windows except
Home edition, enter secpol.msc at the Run command to open the Local Security Policy
tool.
More security settings are available by expanding the Local Policies folder. An
Audit Policy creates a security log file used to track the events listed in Figure
3.
For example, an audit log tracks user authentication attempts, and an access log
provides all of the details on requests for specific files on a system. Monitoring
system logs can determine how an attack occurred and whether the defenses deployed
were successful.
With the increase in the sheer number of log files generated for computer security
purposes, the organization should consider a log management process. Log management
determines the process for generating, transmitting, storing, analyzing, and
disposing of computer security log data.
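An added example, not course material: detection logic that reads constructed, simplified authentication log lines (the event IDs 4625 and 4624 follow the Windows Security log convention for failed and successful logons; the one-line layout is invented) and flags an account whose successful logon follows a burst of failures from the same source, the kind of pattern an audit log is kept to reveal.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Event IDs follow the Windows Security log convention
# (4625 = failed logon, 4624 = successful logon); the one-line layout
# "timestamp event_id account source status" is invented for this example.
SAMPLE_LOG = """\
2024-03-01T09:00:01 4625 alice 10.0.0.5 bad_password
2024-03-01T09:00:03 4625 alice 10.0.0.5 bad_password
2024-03-01T09:00:04 4625 alice 10.0.0.5 bad_password
2024-03-01T09:00:06 4625 alice 10.0.0.5 bad_password
2024-03-01T09:00:07 4625 alice 10.0.0.5 bad_password
2024-03-01T09:00:09 4624 alice 10.0.0.5 success
2024-03-01T09:15:00 4625 bob 10.0.0.7 bad_password
2024-03-01T09:40:00 4624 bob 10.0.0.7 success
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, event_id, account, source, status = match.groups()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "source": source,
            "status": status,
        })
    return events


def find_guess_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """Flag (account, source) pairs whose successful logon follows at least
    `threshold` failures within `window`: a common sign of password guessing."""
    per_key = defaultdict(list)
    for event in sorted(events, key=lambda e: e["time"]):
        per_key[(event["account"], event["source"])].append(event)

    findings = []
    for (account, source), sequence in per_key.items():
        recent_failures = []
        for event in sequence:
            # Keep only failures that are still inside the sliding window.
            recent_failures = [f for f in recent_failures
                               if event["time"] - f["time"] <= window]
            if event["event_id"] == 4625:
                recent_failures.append(event)
            elif event["event_id"] == 4624 and len(recent_failures) >= threshold:
                findings.append({
                    "account": account,
                    "source": source,
                    "failures": len(recent_failures),
                    "success_at": event["time"].isoformat(),
                })
                recent_failures = []
    return findings


if __name__ == "__main__":
    for finding in find_guess_then_success(parse_log(SAMPLE_LOG)):
        print(finding)
```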
Operating system logs record events that occur because of operational actions
performed by the operating system. System events include the following:
Power
Electrical power systems and power considerations are a critical issue in
protecting information systems. A continuous supply of electrical power is critical
in today's massive server and data storage facilities. Here are some general rules
for building effective electrical supply systems:
Data centers should be on a different power supply from the rest of the building
Redundant power sources: two or more feeds coming from two or more electrical
substations
Power conditioning
Backup power systems are often required
UPS should be available to gracefully shutdown systems
An organization must protect itself from several issues when designing its
electrical power supply systems.
Power Excess
Power Loss
Power Degradation
One of the risks associated with smart systems is that the individuals who access
and manage the system work for a contractor or a third-party vendor. Because HVAC
technicians need to be able to find information quickly, crucial data tends to be
stored in many different places, making it accessible to even more people. Such a
situation allows a wide network of individuals, including even associates of
contractors, to gain access to the credentials for an HVAC system. The interruption
of these systems can pose considerable risk to the organization's information
security.
Hardware Monitoring
Hardware monitoring is often found in large server farms. A server farm is a
facility that houses hundreds or thousands of servers for companies. Google has
many server farms around the world to provide optimal services. Even smaller
companies are building local server farms to house the growing number of servers
needed to conduct business. Hardware monitoring systems are used to monitor the
health of these systems and to minimize server and application downtime. Modern
hardware monitoring systems use USB and network ports to transmit the condition of
CPU temperature, power supply status, fan speed and temperature, memory status,
disk space and network card status. Hardware monitoring systems enable a technician
to monitor hundreds or thousands of systems from a single terminal. As the number
of server farms continues to grow, hardware-monitoring systems have become an
essential security countermeasure.
The Security Operation Center (SOC) is a dedicated site that monitors, assesses,
and defends the organization's information systems such as websites, applications,
databases, data centers, networks, servers, and user systems. A SOC is a team of
security analysts who detect, analyze, respond to, report on, and prevent
cybersecurity incidents.
Both of these entities use a hierarchical tier structure to handle events. The
first tier handles all events and escalates any event that it cannot handle to the
second tier. Tier 2 staff reviews the event in detail to try to resolve it. If they
cannot, they escalate the event to Tier 3, the subject matter experts.
The following sections discuss several measures that an administrator can take to
protect various network devices.
Switches
Network switches are the heart of the modern data communication network. The main
threats to network switches are theft, hacking and remote access, attacks against
network protocols like ARP/STP, and attacks against performance and availability.
Several countermeasures and controls can protect network switches, including
improved physical security, advanced configuration, and implementing proper system
updates and patches as needed. Another effective control is port security. An
administrator should secure all switch ports (interfaces) before deploying the
switch for production use. Port security limits the number of valid MAC addresses
allowed on a port. The switch allows access to devices with legitimate MAC
addresses while it denies other MAC addresses.
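An added illustration rather than course code: a Python model of a port-security-enabled switch port that limits how many MAC addresses it learns and applies one of three violation modes (protect, restrict, shutdown, mirroring the modes on Cisco IOS switches) when an address beyond the limit appears. Port names and MAC addresses are constructed.

```python
class SecurePort:
    """Model of a switch port with port security enabled.

    maximum:   number of MAC addresses the port may learn or allow.
    violation: what to do with a frame from an address beyond the limit,
               mirroring the three modes on Cisco IOS switches:
               'protect'  - drop the frame silently
               'restrict' - drop the frame and count the violation
               'shutdown' - error-disable the port until an admin re-enables it
    static:    addresses configured by hand; the rest are learned ("sticky").
    """

    VIOLATION_MODES = ("protect", "restrict", "shutdown")

    def __init__(self, name, maximum=1, violation="shutdown", static=()):
        if violation not in self.VIOLATION_MODES:
            raise ValueError(f"unknown violation mode: {violation}")
        if len(static) > maximum:
            raise ValueError("more static addresses than the port maximum")
        self.name = name
        self.maximum = maximum
        self.violation = violation
        self.allowed = {mac.lower() for mac in static}
        self.err_disabled = False
        self.violation_count = 0

    def receive(self, src_mac):
        """Process one ingress frame and return how the port handled it."""
        src_mac = src_mac.lower()
        if self.err_disabled:
            return "dropped:err-disabled"
        if src_mac in self.allowed:
            return "forwarded"
        if len(self.allowed) < self.maximum:
            self.allowed.add(src_mac)          # sticky learning of a new address
            return "forwarded:learned"
        # The address table is full and this address is not in it: a violation.
        if self.violation == "protect":
            return "dropped"
        self.violation_count += 1
        if self.violation == "restrict":
            return "dropped:counted"
        self.err_disabled = True               # shutdown mode
        return "dropped:err-disabled"

    def recover(self):
        """Administrative 'shutdown' / 'no shutdown': clear the err-disabled state."""
        self.err_disabled = False


if __name__ == "__main__":
    port = SecurePort("Gi0/1", maximum=2, violation="shutdown")
    for mac in ("aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02",
                "aa:aa:aa:aa:aa:03", "aa:aa:aa:aa:aa:01"):
        print(mac, "->", port.receive(mac))
```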
VLANs
VLANs provide a way to group devices within a LAN and on individual switches. VLANs
use logical connections instead of physical connections. Individual ports of a
switch can be assigned to a specific VLAN. Other ports can be used to physically
interconnect switches and allow multiple VLAN traffic between switches. These ports
are called trunks.
For example, the HR department may need to protect sensitive data. VLANs allow an
administrator to segment networks based on factors such as function, project team,
or application, without regard for the physical location of the user or device.
Devices within a VLAN act as if they are in their own independent network, even if
they share a common infrastructure with other VLANs. A VLAN can separate groups
that have sensitive data from the rest of the network, decreasing the chances of
confidential information breaches. Trunks allow individuals on the HR VLAN to be
physically connected to multiple switches.
There are many different types of VLAN vulnerabilities and attacks. These can
include attacks on the VLAN and trunking protocols. These attack details are beyond
the scope of this course. Hackers can also attack VLAN performance and
availability. Common countermeasures include monitoring VLAN changes and
performance, advanced configurations, and regular system patching and updates to the
IOS.
Firewalls
Routers
Routers form the backbone of the Internet and communications between different
networks. Routers communicate with one another to identify the best possible path
to deliver traffic to different networks. Routers use routing protocols to make
routing decisions. Routers can also integrate other services like switching and
firewall capabilities. These operations make routers prime targets. The main threats
to network routers are theft, hacking and remote access, attacks against routing
protocols like RIP/OSPF, and attacks against performance and availability. Several
countermeasures and controls can protect network routers including improved
physical security, advanced configuration settings, use of secure routing protocols
with authentication, and proper system updates and patches as needed.
Open system authentication - Any wireless device can connect to the wireless
network. Use this method in situations where security is of no concern.
Wired Equivalent Privacy (WEP) - This was the original 802.11 specification
securing WLANs. However, the encryption key never changes when exchanging packets,
making it easy to hack.
Wi-Fi Protected Access (WPA) - This standard uses WEP, but secures the data with
the much stronger Temporal Key Integrity Protocol (TKIP) encryption algorithm. TKIP
changes the key for each packet, making it much more difficult to hack.
IEEE 802.11i/WPA2 - IEEE 802.11i is now the industry standard for securing WLANs.
802.11i and WPA2 both use the Advanced Encryption Standard (AES) for encryption,
which is currently the strongest encryption protocol.
Since 2006, any device that bears the Wi-Fi Certified logo is WPA2 certified.
Therefore, modern WLANs should always use the 802.11i/WPA2 standard. Other
countermeasures include improved physical security and regular system updates and
patching of devices.
RIP limits the number of hops allowed in a path on a network from the source device
to the destination. The maximum number of hops allowed for RIP is fifteen. RIP is a
routing protocol used to exchange routing information about which networks each
router can reach and how far away those networks are. RIP calculates the best route
based on hop count. Figure 4 lists RIP vulnerabilities and defenses against RIP
attack. Hackers can target routers and the RIP protocol. Attacks on routing
services can affect performance and availability. Some attacks can even result in
traffic redirection. Use secure services with authentication and implement system
patching and updates to protect routing services such as RIP.
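The hop-count rule above, worked as an added example (not course code): a minimal distance-vector model in which each router learns networks from its neighbors, treats 16 hops as unreachable, and discards advertisements from peers it was not configured to trust, standing in for authenticated routing updates. The router and network names form a constructed chain topology.

```python
INFINITY = 16  # RIP: a metric of 16 hops means the network is unreachable


class RipRouter:
    """A router running a minimal RIP-style distance-vector algorithm.

    table maps network -> (hop_count, next_hop); next_hop is None for
    directly connected networks (hop count 0 in this model).
    """

    def __init__(self, name, connected, trusted_neighbors):
        self.name = name
        self.table = {net: (0, None) for net in connected}
        # Stand-in for authenticated updates: only configured peers are heard.
        self.trusted = set(trusted_neighbors)

    def advertisement(self):
        """What this router tells its neighbors: network -> hop count."""
        return {net: hops for net, (hops, _) in self.table.items()}

    def receive(self, neighbor, adv):
        """Merge a neighbor's advertisement. Returns True if the table changed."""
        if neighbor not in self.trusted:
            return False  # ignore updates from unauthenticated peers
        changed = False
        for net, hops in adv.items():
            new_hops = min(hops + 1, INFINITY)
            current = self.table.get(net)
            if new_hops >= INFINITY:
                # Too far away (or withdrawn): only affects a route we learned
                # from this same neighbor.
                if current and current[1] == neighbor and current[0] < INFINITY:
                    self.table[net] = (INFINITY, neighbor)
                    changed = True
                continue
            better = current is None or new_hops < current[0]
            same_source = (current is not None and current[1] == neighbor
                           and new_hops != current[0])
            if better or same_source:
                self.table[net] = (new_hops, neighbor)
                changed = True
        return changed

    def reachable(self, net):
        entry = self.table.get(net)
        return entry is not None and entry[0] < INFINITY


def converge(routers, links, max_rounds=100):
    """Exchange advertisements over every link until nothing changes."""
    for _ in range(max_rounds):
        changed = False
        for a, b in links:
            changed |= routers[b].receive(a, routers[a].advertisement())
            changed |= routers[a].receive(b, routers[b].advertisement())
        if not changed:
            return True
    return False


def build_chain(length):
    """Constructed topology: R0 - R1 - ... - R(length-1); Ri owns network Ni."""
    routers = {}
    for i in range(length):
        neighbors = [f"R{i - 1}", f"R{i + 1}"]
        routers[f"R{i}"] = RipRouter(f"R{i}", [f"N{i}"], neighbors)
    links = [(f"R{i}", f"R{i + 1}") for i in range(length - 1)]
    return routers, links


if __name__ == "__main__":
    routers, links = build_chain(17)
    converge(routers, links)
    print("R15 reaches N0:", routers["R15"].reachable("N0"))  # True, 15 hops
    print("R16 reaches N0:", routers["R16"].reachable("N0"))  # False, 16 hops
```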
Having the correct time within networks is important. Correct time stamps
accurately track network events such as security violations. Additionally, clock
synchronization is critical for the correct interpretation of events within syslog
data files as well as for digital certificates.
Network Time Protocol (NTP) is a protocol that synchronizes the clocks of computer
systems over data networks. NTP allows network devices to synchronize their time
settings with an NTP server. Figure 5 lists the various methods used to provide
secure clocking for the network. Cyber criminals attack timeservers to disrupt
secure communication that depends on digital certificates and to hide attack
information like accurate time stamps.
VoIP Equipment
Voice over IP (VoIP) uses networks such as the Internet to make and receive phone
calls. The equipment required for VoIP includes an Internet connection plus a
phone. Several options are available for the phone set:
Cameras
An Internet camera sends and receives data over a LAN and/or the Internet. A user
can remotely view live video using a web browser on a wide range of devices
including computer systems, laptops, tablets, and smartphones.
Cameras come in various forms including the traditional security camera. Other
options include Internet cameras discreetly hidden in clock radios, books, or DVD
players.
Internet cameras transmit digital video over a data connection. The camera connects
directly to the network and has everything required for transferring the images
over the network. The figure lists best practices for camera systems.
Videoconferencing Equipment
Videoconferencing allows two or more locations to communicate simultaneously using
telecommunication technologies. These technologies take advantage of the new high
definition video standards. Products like Cisco TelePresence enable a group of
people in one location to conference with a group of people from other locations in
real time. Videoconferencing is now part of normal day-to-day operations in
industries like the medical field. Doctors can review patient symptoms and consult
with experts to identify potential treatments.
Many local pharmacies employ physician assistants that can link live to doctors
using videoconferencing to schedule visits or emergency responses. Many
manufacturing organizations are using teleconferencing to help engineers and
technicians perform complex operations or maintenance tasks. Videoconferencing
equipment can be extremely expensive and is a high-value target for thieves and
cyber criminals. Cyber criminals target these systems in order to eavesdrop on
video calls or to affect performance and availability.
Businesses use these devices to track inventory, vehicles, and personnel. IoT
devices contain geospatial sensors. A user can globally locate, monitor, and
control environmental variables such as temperature, humidity, and lighting. The
IoT industry poses a tremendous challenge to information security professionals
because many IoT devices capture and transmit sensitive information. Cyber
criminals target these systems in order to intercept data or to affect performance
and availability.
Physical Security
Fences require regular maintenance. Animals may burrow under the fence, or the earth
may wash out, leaving the fence unstable and providing easy access for an intruder.
Inspect fencing systems regularly. Do not park any vehicles near fences. A vehicle
parked near the fence can help an intruder climb over or damage the fence.
Biometrics
Biometrics describes the automated methods of recognizing an individual based on a
physiological or behavioral characteristic. Biometric authentication systems
include measurements of the face, fingerprint, hand geometry, iris, retina,
signature, and voice. Biometric technologies can be the foundation of highly secure
identification and personal verification solutions. The popularity and use of
biometric systems has increased because of the increased number of security
breaches and transaction fraud. Biometrics provides confidential financial
transactions and personal data privacy. For example, Apple uses fingerprint
technology with its smartphones. The user's fingerprint unlocks the device and
accesses various apps such as online banking or payment apps.
When comparing biometric systems there are several important factors to consider
including accuracy, speed or throughput rate, acceptability to users, uniqueness of
the biometric organ and action, resistance to counterfeiting, reliability, data
storage requirements, enrollment time, and intrusiveness of the scan. The most
important factor is accuracy. Accuracy is expressed in error types and rates.
The first error rate is Type I Errors or false rejections. A Type I Error rejects a
person who is registered and is an authorized user. In access control, if the
requirement is to keep the bad guys out, false rejection is the least important
error. However, in many biometric applications, false rejections can have a very
negative impact on business. For example, a bank or retail store needs to
authenticate customer identity and account balance. A false rejection means that the
transaction or sale is lost, and the customer becomes upset. Most bankers and
retailers are willing to allow a few false accepts as long as there are minimal
false rejects.
The false acceptance rate is stated as a percentage and is the rate at which a
system accepts unenrolled individuals or imposters as authentic users. False
acceptance is a Type II error. Type II errors allow the bad guys in, so they are
normally considered to be the most important error for a biometric access control
system.
The most widely used method to measure the accuracy of biometric authentication is
the Crossover Error Rate (CER). The CER is the rate at which the false rejection
rate and the false acceptance rate are equal.
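To make the error rates concrete, an added example (not from the course) sweeps a decision threshold over constructed genuine and impostor match scores, computes FRR (Type I) and FAR (Type II) at each threshold, locates the crossover error rate, and then picks the threshold an access-control deployment (cap on FAR) or a bank/retail deployment (cap on FRR) would choose. The score lists and the 0-to-1 score scale are assumptions.

```python
# Constructed match scores in [0, 1]: higher means the sample looks more like
# the enrolled template. A real system would produce thousands of each.
GENUINE_SCORES = [0.91, 0.88, 0.85, 0.80, 0.78, 0.74, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR_SCORES = [0.62, 0.58, 0.52, 0.50, 0.45, 0.40, 0.35, 0.30, 0.25, 0.20]


def error_rates(threshold, genuine, impostor):
    """Return (FAR, FRR) when samples scoring >= threshold are accepted.

    FRR (Type I): genuine users rejected because their score fell below it.
    FAR (Type II): impostors accepted because their score reached it.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return far, frr


def crossover_error_rate(genuine, impostor, steps=1000):
    """Sweep thresholds and return (threshold, CER) where FAR and FRR meet."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


def threshold_for_max_far(genuine, impostor, max_far, steps=1000):
    """Lowest threshold whose FAR stays within max_far (so FRR is as low as it
    can be): the access-control choice where keeping impostors out matters most."""
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0


def threshold_for_max_frr(genuine, impostor, max_frr, steps=1000):
    """Highest threshold whose FRR stays within max_frr (so FAR is as low as it
    can be): the bank/retail choice where a false rejection loses the sale."""
    for i in range(steps, -1, -1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        if frr <= max_frr:
            return t, far, frr
    return 0.0, 1.0, 0.0


if __name__ == "__main__":
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("server room:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
    print("retail:", threshold_for_max_frr(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```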
A card reader reads a number contained on the access badge. The system sends the
number to a computer that makes access control decisions based on the credential
provided. The system logs the transaction for later retrieval. Reports reveal who
entered what entry points at what time.
Surveillance
The benefit of RFID asset tags is that they can track any asset that physically
leaves a secure area. New RFID asset tag systems can read multiple tags
simultaneously. RFID systems do not require line-of-sight to scan tags. Another
advantage of RFID is the ability to read tags that are not visible. Unlike barcodes
and human readable tags that must be physically located and viewable to read, RFID
tags do not need to be visible to scan. For example, tagging a PC up under a desk
would require personnel to crawl under the desk to physically locate and view the
tag when using a manual or barcode process. Using an RFID tag would allow personnel
to scan the tag without even seeing it.
Server hardening includes managing remote access, securing privileged accounts, and
monitoring services.
Data protection includes file access control and implementing security measures to
ensure the confidentiality, integrity, and availability of data.
The chapter discusses the laws that affect technology and cybersecurity
requirements. Many of these laws focus on different types of data found in various
industries and contain privacy and information security concepts. Several agencies
within the U.S. government regulate an organization's compliance with these types
of laws. The cybersecurity specialist needs to understand how the law and the
organization's interests help to guide ethical decisions. Cyber ethics looks at the
effect of the use of computers and technology on individuals and society.
Cybersecurity Domains
User Domains
Common User Threats and Vulnerabilities
The User Domain includes the users who access the organization's information
system. Users can be employees, customers, business contractors and other
individuals that need access to data. Users are often the weakest link in the
information security systems and pose a significant threat to the confidentiality,
integrity, and availability of the organization's data.
Risky or poor user practices often undermine even the best security system. The
following are common user threats found in many organizations:
Establish policies for password protection and lockout thresholds on all devices.
Enable screen lockout during times of inactivity.
Disable administrative rights for users.
Define access control policies, standards, procedures, and guidelines.
Update and patch all operating systems and software applications.
Implement automated antivirus solutions that scan the system and update the
antivirus software to provide proper protection.
Deactivate all CD, DVD, and USB ports.
Enable automatic antivirus scans for any CDs, DVDs, or USB drives inserted.
Use content filtering.
Mandate annual security awareness training or implement security awareness
campaigns and programs that run throughout the year.
Unauthorized LAN access - wiring closets, data centers, and computer rooms must
remain secure
Unauthorized access to systems, applications, and data
Network operating system software vulnerabilities
Network operating system updates
Unauthorized access by rogue users on wireless networks
Exploits of data in-transit
LAN servers with different hardware or operating systems - managing and
troubleshooting servers becomes more difficult with varied configurations
Unauthorized network probing and port scanning
Misconfigured firewall
Secure wiring closets, data centers, and computer rooms. Deny access to anyone
without the proper credentials.
Define strict access control policies, standards, procedures, and guidelines.
Restrict access privileges for specific folders and files based on need.
Require passphrases or authentication for wireless networks.
Implement encryption between devices and wireless networks to maintain
confidentiality.
Implement LAN server configuration standards.
Conduct post-configuration penetration tests.
Disable ping and port scanning.
Data breaches
Loss or theft of intellectual property
Compromised credentials
Federated identity repositories are a high-value target
Account hijacking
Lack of understanding on the part of the organization
Social engineering attacks that lure the victim
Compliance violation
Multifactor authentication
Use of encryption
Implement one-time passwords, phone-based authentication, and smartcards
Distributing data and applications across multiple zones
Data backup procedures
Due diligence
Security awareness programs
Policies
Implement policies, standards, and procedures for staff and visitors to ensure the
facilities are secure.
Conduct software testing prior to launch.
Implement data classification standards.
Develop a policy to address application software and operating system updates.
Implement backup procedures.
Develop a business continuity plan for critical applications to maintain
availability of operations.
Develop a disaster recovery plan for critical applications and data.
Implement logging.
Cyber criminals that break into a system, steal credit card numbers, and release a
worm are performing unethical actions. How does an organization view the actions of
a cybersecurity specialist if they are similar? For example, a cybersecurity
specialist may have the opportunity to stop the spread of a worm preemptively by
patching it. In effect, the cybersecurity specialist is releasing a worm. This worm
is not malicious, though, so does this case get a pass?
Utilitarian Ethics
During the 19th century, Jeremy Bentham and John Stuart Mill created Utilitarian
Ethics. The guiding principle is that any actions that provide the greatest amount
of good over bad or evil are ethical choices.
The guiding principle for the Rights Approach is that individuals have the right to
make their own choices. This perspective looks at how an action affects the rights
of others to judge whether an action is right or wrong. These rights include the
right to truth, privacy, safety, and that society applies laws fairly to all
members of society.
The Common-Good Approach proposes that the common good is whatever benefits the
community. In this case, a cybersecurity specialist looks at how an action affects
the common good of society or the community.
Cybercrime
Laws prohibit undesired behaviors. Unfortunately, advances in information system
technologies far outpace the legal system's process of compromise and lawmaking. A
number of laws and regulations affect cyberspace. Several specific
laws guide the policies and procedures developed by an organization to ensure that
they are in compliance.
Cybercrime
The growth in cybercrime is due to a number of different reasons. There are many
tools widely available on the Internet now, and potential users do not need a great
deal of expertise to use these tools.
Organizations Created to Fight Cybercrime
There are a number of agencies and organizations out there to aid the fight against
cybercrime.
Criminal laws enforce a commonly accepted moral code backed by the authority of the
government. Regulations establish rules designed to address consequences in a
rapidly changing society enforcing penalties for violating those rules. For
example, the Computer Fraud and Abuse Act is a statutory law. Administratively, the
FCC and Federal Trade Commission have been concerned with issues such as
intellectual property theft and fraud. Finally, common law cases work their way
through the judicial system, providing precedents and constitutional bases for laws.
Risk assessments
Annual inventory of IT systems
Policies and procedures to reduce risk
Security awareness training
Testing and evaluation of all IT system controls
Incident response procedure
Continuity of operations plan
Industry-Specific Laws
Many industry-specific laws have a security and/or a privacy component. The U.S.
government requires compliance from organizations within these industries.
Cybersecurity specialists must be able to translate the legal requirements into
security policies and practices.
Private industry also recognizes how important uniform and enforceable standards
are. A Security Standards Council composed of the top corporations in the payment
card industry designed a private sector initiative to improve the confidentiality
of network communications.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual
rules governing how to protect credit card data as merchants and banks exchange the
transaction. The PCI DSS is a voluntary standard (in theory) and merchants/vendors
can choose whether they wish to abide by the standard. However, vendor
noncompliance may result in significantly higher transaction fees, fines up to
$500,000, and possibly even the loss of the ability to process credit cards.
Since World War II, the United States has regulated the export of cryptography due
to national security considerations. The Bureau of Industry and Security in the
Department of Commerce now controls non-military cryptography exports. There are
still export restrictions to rogue states and terrorist organizations.
Countries may decide to restrict the import of cryptography technologies for the
following reasons:
The Computer Fraud and Abuse Act (CFAA) has been in force for over 20 years. The
CFAA provides the foundation for U.S. laws criminalizing unauthorized access to
computer systems. The CFAA makes it a crime to knowingly access a computer
considered either a government computer or a computer used in interstate commerce,
without permission. The CFAA also criminalizes the use of a computer in a crime
that is interstate in nature.
Protecting Privacy
The following U.S. laws protect privacy.
This act establishes a Code of Fair Information Practice that governs the
collection, maintenance, use, and dissemination of personally identifiable
information about individuals that is maintained in systems of records by federal
agencies.
FOIA enables public access to U.S. government records. FOIA carries a presumption
of disclosure, so the burden is on the government as to why it cannot release the
information.
This Federal law gave students access to their education records. FERPA operates on
an opt-in basis, as the student must approve the disclosure of information prior to
the actual disclosure. When a student turns 18 years old or enters a postsecondary
institution at any age, these rights under FERPA transfer from the student's
parents to the student.
This amendment to the Comprehensive Crime Control Act of 1984 prohibits the
unauthorized access of a computer. The CFAA increased the scope of the previous Act
to cases of great federal interest. These cases are defined as involving computers
belonging to the federal government or some financial institutions or where the
crime is interstate in nature.
The U.S. Congress passed CIPA in 2000 to protect children under the age of 17 from
exposure to offensive Internet content and obscene material.
The Video Privacy Protection Act protects an individual from having the video
tapes, DVDs and games rented disclosed to another party. The statute provides the
protections by default, thus requiring a video rental company to obtain the
renter's consent to opt out of the protections if the company wants to disclose
personal information about rentals. Many privacy advocates consider VPPA to be the
strongest U.S. privacy law.
California was the first state to pass a law regarding the notification of the
unauthorized disclosure of personally identifiable information. Since then, many
other states have followed suit. Each of these disclosure notice laws is different,
making the case for a unifying federal statute compelling. This act requires that
the agencies provide consumers notice of their rights and responsibilities. It
mandates that the state notify citizens whenever PII is lost or disclosed. Since
the passage of SB 1386, numerous other states have modeled legislation on this
bill.
Privacy Policies
Policies are the best way to ensure compliance across an organization, and a
privacy policy plays an important role within the organization, especially with the
numerous laws enacted to protect privacy. One of the direct outcomes of the legal
statutes associated with privacy has been the development of a need for corporate
privacy policies associated with data collection.
International Laws
With the growth of the Internet and global network connections, unauthorized entry
into a computer system, or computer trespass, has emerged as a concern that can
have national and international consequences. National laws for computer trespass
exist in many countries, but there can always be gaps in how these nations handle
this type of crime.
Convention on Cybercrime
EPIC promotes privacy and open government laws and policies globally and focuses on
EU-US relations.
SCAP uses open standards to enumerate security software flaws and configuration
issues. The specifications organize and measure security-related information in
standardized ways. The SCAP community is a partnership between the private and
public sector to advance the standardization of technical security operations.
The NVD uses the Common Vulnerability Scoring System to assess the impact of
vulnerabilities. An organization can use the scores to rank the severity of
vulnerabilities that it finds within its network. This, in turn, can help determine
the mitigation strategy.
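As an added illustration of using CVSS scores to rank findings (example code written for this page, not part of the original course material or of NVD/SCAP tooling), the block below maps base scores to the CVSS v3.x qualitative rating scale and orders a constructed set of findings for remediation. The finding identifiers, host names and scores are constructed sample data; the "internet-facing first" tie-break is an assumed organizational choice, not part of CVSS. The same ordering applies to the prioritized list a vulnerability scanner produces, discussed under Vulnerability Scanners below.

```python
"""Rank constructed vulnerability findings by CVSS base score.

Severity bands are the CVSS v3.x qualitative rating scale
(None / Low / Medium / High / Critical). The findings are constructed
sample data, not real scan output.
"""
from dataclasses import dataclass

# CVSS v3.x qualitative severity rating scale: (lower bound inclusive, label)
SEVERITY_BANDS = [
    (9.0, "Critical"),
    (7.0, "High"),
    (4.0, "Medium"),
    (0.1, "Low"),
    (0.0, "None"),
]


def severity_label(score: float) -> str:
    """Map a CVSS base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for lower, label in SEVERITY_BANDS:
        if score >= lower:
            return label
    return "None"


@dataclass(frozen=True)
class Finding:
    finding_id: str        # constructed identifier, not a real CVE number
    host: str              # constructed host name
    cvss: float            # CVSS base score as reported by the scanner/NVD
    internet_facing: bool  # assumed asset attribute used as a tie-break


SAMPLE_FINDINGS = [  # constructed sample data
    Finding("FINDING-001", "db01.internal", 9.8, False),
    Finding("FINDING-002", "web01.dmz", 7.5, True),
    Finding("FINDING-003", "web01.dmz", 9.8, True),
    Finding("FINDING-004", "print01.internal", 0.0, False),
    Finding("FINDING-005", "hr02.internal", 5.3, False),
    Finding("FINDING-006", "vpn01.dmz", 3.1, True),
]


def prioritize(findings):
    """Order findings for remediation: highest CVSS first; at equal score,
    internet-facing hosts before internal ones; then by identifier."""
    return sorted(findings,
                  key=lambda f: (-f.cvss, not f.internet_facing, f.finding_id))


def severity_summary(findings):
    """Count findings in each qualitative severity band."""
    counts = {label: 0 for _, label in SEVERITY_BANDS}
    for f in findings:
        counts[severity_label(f.cvss)] += 1
    return counts


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{severity_label(f.cvss):8} {f.cvss:4.1f} {f.host:18} {f.finding_id}")
    print(severity_summary(SAMPLE_FINDINGS))
```

The score alone decides the band; whether a given Medium on an exposed host should be fixed before a High on an isolated one is an organizational decision, which is why the tie-break is kept separate from the rating function.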
The site also contains a number of checklists that provide guidance on configuring
operating systems and applications to provide a hardened environment.
CERT
The Software Engineering Institute (SEI) at Carnegie Mellon University helps
government and industry organizations to develop, operate, and maintain software
systems that are innovative, affordable, and trustworthy. It is a Federally Funded
Research and Development Center sponsored by the U.S. Department of Defense.
The CERT Division of SEI studies and solves problems in the cybersecurity arena
including security vulnerabilities in software products, changes in networked
systems, and training to help improve cybersecurity. CERT provides the following
services:
ACSC defined four challenges that will help shape its priorities:
Cybersecurity Weapons
Vulnerability Scanners
A vulnerability scanner assesses computers, computer systems, networks, or
applications for weaknesses. Vulnerability scanners help to automate security
auditing by scanning the network for security risks and producing a prioritized
list to address weaknesses. A vulnerability scanner looks for the following types
of vulnerabilities:
Penetration Testing
Penetration testing (pen testing) is a method of testing the areas of weaknesses in
systems by using various malicious techniques. Pen testing is not the same as
vulnerability testing. Vulnerability testing just identifies potential problems.
Pen testing involves a cybersecurity specialist who hacks a website, network, or
server with the organization's permission to try to gain access to resources with
the knowledge of usernames, passwords, or other normal means. The important
differentiation between cyber criminals and cybersecurity specialists is that the
cybersecurity specialists have the permission of the organization to conduct the
tests.
One of the primary reasons that an organization uses pen testing is to find and fix
any vulnerability before the cyber criminals do. Penetration testing is also known
as ethical hacking.
Packet Analyzers
Packet analyzers (or packet sniffers) intercept and log network traffic. The packet
analyzer captures each packet, shows the values of various fields in the packet,
and analyzes its content. A sniffer can capture network traffic on both wired and
wireless networks. Packet analyzers perform the following functions:
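To show concretely what "shows the values of various fields in the packet, and analyzes its content" means, here is an added example (written for this page; it is not code from the original course or from any sniffer product) that decodes one Ethernet II / IPv4 / TCP frame the way a packet analyzer does: layer by layer, field by field, and verifies the IPv4 header checksum. The frame bytes are constructed by hand, not captured from a network; the addresses and ports in it are sample values.

```python
"""Decode a constructed Ethernet/IPv4/TCP frame and report its header fields.

Walks the headers layer by layer, decodes each field with struct, and
checks what can be checked (the IPv4 header checksum). The frame bytes
below are constructed by hand, not captured from a real network.
"""
import struct

# Constructed frame: a TCP SYN from 192.168.1.10:51515 to 10.0.0.5:443.
SAMPLE_FRAME = bytes.fromhex(
    "001122334455"        # Ethernet destination MAC
    "66778899aabb"        # Ethernet source MAC
    "0800"                # EtherType: IPv4
    "4500" "0028"         # IPv4: version 4, IHL 5; total length 40
    "1234" "4000"         # identification; flags=DF, fragment offset 0
    "40" "06" "5ce5"      # TTL 64; protocol 6 (TCP); header checksum
    "c0a8010a"            # source 192.168.1.10
    "0a000005"            # destination 10.0.0.5
    "c93b" "01bb"         # TCP: source port 51515, destination port 443
    "00000000"            # sequence number
    "00000000"            # acknowledgement number
    "50" "02"             # data offset 5 (20-byte header); flags: SYN
    "ffff" "0000" "0000"  # window, checksum (not verified here), urgent ptr
)

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG"]


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used for the IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode_frame(frame: bytes) -> dict:
    """Parse Ethernet II, IPv4 and TCP headers into a flat dict of fields."""
    fields = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fields.update(eth_dst=mac_str(dst), eth_src=mac_str(src), ethertype=ethertype)
    if ethertype != 0x0800:
        return fields                        # only IPv4 is decoded here

    ip = frame[14:]
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, csum) = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4               # header length in bytes
    fields.update(
        ip_version=ver_ihl >> 4, ip_header_len=ihl, ip_total_len=total_len,
        ip_id=ident, ip_dont_fragment=bool(flags_frag & 0x4000),
        ip_ttl=ttl, ip_proto=proto, ip_checksum=csum,
        ip_checksum_ok=(ipv4_checksum(ip[:ihl]) == 0),
        ip_src=ip_str(ip[12:16]), ip_dst=ip_str(ip[16:20]),
    )
    if proto != 6:
        return fields                        # not TCP

    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    tcp_hlen = (off_flags >> 12) * 4         # data offset, in bytes
    flag_bits = off_flags & 0x01FF
    fields.update(
        tcp_src_port=sport, tcp_dst_port=dport, tcp_seq=seq, tcp_ack=ack,
        tcp_header_len=tcp_hlen, tcp_window=window,
        tcp_flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if flag_bits & (1 << i)],
        tcp_payload_len=len(tcp) - tcp_hlen,
    )
    return fields


if __name__ == "__main__":
    for name, value in decode_frame(SAMPLE_FRAME).items():
        print(f"{name:18} {value}")
```

A real analyzer repeats this for every captured frame and adds dissectors for the other protocols it recognizes; the checksum test is the kind of content analysis that lets it flag a corrupted or malformed header rather than just displaying it.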
Security Tools
There is no one-size-fits-all answer when it comes to the best security tools. A
lot depends on the situation, circumstances, and personal preference. A
cybersecurity specialist must know where to go to get sound information.
Kali
Kali is an open source Linux security distribution. IT professionals use Kali Linux
to test the security of their networks. Kali Linux incorporates more than 300
penetration testing and security auditing programs on a Linux platform.
An organization needs the ability to monitor networks, analyze the resulting data,
and detect malicious activity.
A senior manager responsible for IT and ISM (often the audit sponsor)
Information security professionals
Security administrators
Site/physical security manager and facilities contacts
HR contact for HR matters such as disciplinary action and training
Systems and network managers, security architects and other IT professionals
The types of information security positions can be broken down as follows:
Definers provide policies, guidelines, and standards and include consultants who do
risk assessment and develop the product and technical architectures and senior
level individuals within an organization who have a broad knowledge, but not a lot
of in-depth knowledge.
Builders are the real techies who create and install security solutions.
Monitors administer the security tools, perform the security monitoring function,
and improve the processes.
Indeed.com
Advertised as the world's #1 job site, Indeed.com attracts over 180 million unique
visitors every month from over 50 different countries. Indeed is truly a worldwide
job site. Indeed helps companies of all sizes hire the best talent and offers the
best opportunity for job seekers.
CareerBuilder.com
CareerBuilder serves many large and prestigious companies. As a result, this site
attracts specific candidates that typically have more education and higher
credentials. The employers posting on CareerBuilder commonly get more candidates
with college degrees, advanced credentials and industry certifications.
USAJobs.gov
The chapter discussed the laws that affect technology and cybersecurity
requirements. Laws such as FISMA, GLBA, and FERPA focus on protecting
confidentiality. Laws that focus on the protection of integrity include FISMA, SOX,
and FERPA, and laws that concern availability include FISMA, GLBA, SOX, and CIPA.
In addition to the laws in force, the cybersecurity specialist needs to understand
how the use of computers and technology affects both individuals and society.