CYB. Cybersecurity Fundamentals (part 2) PDF

Summary

This document is lecture notes on cybersecurity fundamentals for a Master in Artificial Intelligence course. Topics like Cybersecurity General Principles, Security by Design, Defense in Depth, Least Privilege, and Zero Trust, and Data Security aspects, like Data Encryption are covered in the document. The course was given at the ESEI - University of Vigo in 2024.

Full Transcript

CYB. Cybersecurity Fundamentals (part 2)

Master in Artificial Intelligence
2024/25
ESEI – University of Vigo
Table of Contents

Cybersecurity General Principles
Security by Design
Defense in Depth
Least Privilege
Zero Trust

Data Security
Data Encryption

1
Cybersecurity General Principles
Cybersecurity General Principles

Generally accepted best practices that provide guidance for the
design and implementation of effective cybersecurity measures.

ˆ Security by Design
ˆ Defense in Depth
ˆ Least Privilege
ˆ Zero Trust

2
Security by Design

Security should be an integral part of the design and development
process of information systems from the very beginning

Goal Build security into the very fabric of a system or application
rather than adding it as a post-incident response
Utility
ˆ Prevent vulnerabilities and security flaws from being
introduced during development/deployment
ˆ Reduce the need for costly retroactive security measures
Achieved by
ˆ Security assessments, code reviews, and security testing
during system development
ˆ Educate developers on secure coding practices

3
Defense in Depth

Implement multiple layers of security controls to protect against
a wide range of threats

Goal Design complementary security controls so that if one layer
is breached, the other layers continue to protect.
Utility
ˆ Reduces the impact of single points of failure
(redundancy in security protection)
ˆ Increases overall security robustness and resilience
Achieved by Using a combination of security technologies, access
controls, and monitoring at various levels/points of the IT
infrastructure (physical, network, hosts, users, data)

4
Defense in Depth (II) – Multiple Layers of Defense

5
Least Privilege

System elements (users, applications, services) should have the
minimum level of access or permissions necessary to perform
their authorized tasks

Goal Reduce the attack surface and limit potential damage (intentional
or accidental) by restricting and controlling the capabilities of users
and systems
Utility ˆ Minimizes the risk of unauthorized access or misuse
ˆ Potential damage from insider threats or compromised
accounts is limited by the (minimal) privileges that are granted
Achieved by
ˆ Restricting administrative (root) privileges
ˆ Implementing role-based access control (RBAC) and access
control lists (ACL) to grant only necessary permissions
ˆ Regularly review and update of access privileges

6
Least Privilege (II)

Related practices

ˆ Separation of Duties Critical functions divided among multiple
individuals/systems to prevent single points of failure and abuse
ˆ Minimal Exposure Points Reduces potential attack surface by
minimizing the num. of entry and exit points in a system or network
ˆ Network segmentation
ˆ Run services on their own machines (physical, virtual, container)
ˆ Disable unused, redundant services, user accounts, etc
ˆ Deny by Default Systems, networks, and access controls are
configured to deny all access by default and only allow access to
resources that have been explicitly approved

7
Zero Trust

Security model where trust is never assumed, even among
internal users or devices

ˆ Verification is always required from anyone or anything trying to
access resources inside or outside the organization

Goal Protect critical resources from unauthorized access and reduce the
attack surface by eliminating implicit trust within the network
Utility Enhances security by verifying the identity and trustworthiness of
users, devices, and applications before granting access
Achieved by
ˆ Identity verification and Least Privilege principle
ˆ Continuous activity monitoring (users, endpoints, applications
and network)

8
Data Security
Data Security

Protecting data from unauthorized access, disclosure, alteration, or
destruction

 remains confidential

Goal Ensure sensitive information maintains its integrity

is available when needed


(a) Typical Vulnerabilities and Weaknesses

Unauthorized Access access to data without proper authorization
Data Leakage/Exfiltraion data leak through intentional or
unintentional means
Data Integrity Threats data is altered intentionally or unintentionally
Lack of Data Backup absence or deficiencies in backup management

9
Data Security (II)

(b) (some) Countermeasures

Data Encryption Encrypting data both in transit and at rest →
avoid unauthorized access and leakage
Authentication Multi-factor authentication, user identity
management, password policies → reduce the risk of
unauthorized access
Access Control Robust access controls: authorization, role-based
access control, least privilege, user behavior monitor,
permissions review and update

10
Data Security (III)

Data Classification Classify data based on its sensitivity and
apply appropriate security controls accordingly
Data Loss Prevention (DLP) DLP policies and DLP solutions
to monitor, detect, and prevent data leaks of sensitive data
Backup and Recovery Regular data backups and well established
disaster recovery plans → ensure data availability in case of
data loss or cyberattacks

11
Data Encryption

Fundamental technique to protect sensitive information from
unauthorized access, disclosure, and tampering.

ˆ Transformation (encryption) of data (plain text) into an unreadable
format (ciphertext)
ˆ Ciphertex can only be decrypted by authorized parties who possess
the decryption key

Data encryption uses

Confidenciality protection Encrypted sensitive information (both in
transit [TLS/SSL] and at rest [encrypted file systems]) remains
unreadable without the appropriate decryption key.

12
Data Encryption (II)

Data integrity assurance Encryption (digital signatures, hash function,
message authentication codes [MAC]) allow data recipients to verify
the integrity and authenticity during transmission/processing
Authentication and identity management Certificate-based
authentication and identity tokens (JSON Web Tokens, Single Sign-On
tokens) use encryption to securely transmit user identity information
Encryption and hash functions also used in password management
Digital signatures Verify the authenticity, integrity, and source of
digital documents, messages, or transactions
In conjunction with digital certificates, are in the foundations for
ensuring trust in e-commerce and e-government applications

13
Symmetric Encryption

The same key (secret key) is used for both encryption and
decryption
(+) Very efficient in data processing
(–) Requires a shared secret between sender and recipient

Algorithms Advanced Encryption Standard (AES), Data Encryption
Standard (DES), Triple DES (3DES)
Use cases Efficient for securing data in transit and at rest
Commonly used for securing files, emails, and data over secure
connections

14
Asymmetric Encryption (Public-Key Encryption)
(
public key (anyone can use it to encrypt/decrypt)
Uses a pair of keys
private key (only its owner has access to it)
(+) No need for shared secret
(–) Much higher computational cost than symmetric encryption
Requires third party authentication of public keys (digital certificates)

Example Algorithms RSA (Rivest-Shamir-Adleman), Elliptic Curve
Cryptography (ECC).
Use Cases More versatile than symmetric encryption
ˆ Secure key exchange in (1) hybrid encryption and (2) securing
communication channels (SSL/TLS) for network traffic
ˆ Digital signatures (origin authentication, integrity, non-repudiation)
ˆ Certificate-based authentication

15
Hybrid Encryption



 asymmetric encryption

 (for key exchange)
Hybrid Encryption combines

 symmetric encryption


(for actual data transfer)

ˆ Shared secret issues solved by using asymetric encryption
ˆ Performance issues solved by using symetric encryption on
actual data

16