Introduction To Information Security Terminology PDF
This document provides an introduction to information security terminology, covering general concepts like resources, vulnerabilities, threats and risks. It explains different types of hackers, malicious codes (like viruses and worms), and various types of network security measures, including physical, logical, and administrative security.
1.1.2. Information security terminology

1.1.2.1. General terminology

– A resource: any object that has value for an organization and must be protected.
– A vulnerability: a weakness in a system, which may be exploited by a threat.
– A threat: a potential danger to a resource or to the functioning of a network.
– An attack: an action carried out to harm a resource.
– A risk: the possibility of an organization’s resource being lost, modified, destroyed or suffering other negative consequences. The risk may arise from a single threat, from several threats, or from the exploitation of a vulnerability:

A risk = a resource + a threat + a vulnerability

– A countermeasure: protection that mitigates a potential threat or a risk.

1.1.2.2. Types of hackers

There are different kinds of hackers in the field of information technology:
– “hackers”: this group is defined as people who are “network maniacs” and only wish to understand the working of computer systems, while also testing their own knowledge and tools;
– “white hat hackers”: individuals who carry out security audits in order to test that an organization’s computer networks are well protected;
– “black hat hackers”: experienced individuals who work towards illegal ends by carrying out data theft, hacking accounts, infiltrating systems etc.;
– “gray hat hackers”: individuals who are a mix of “white hat” and “black hat” hackers;
– “blue hat hackers”: individuals who test for bugs in order to ensure that applications work smoothly;
– “script kiddies”: individuals with very basic IT security skills who try to infiltrate systems using scripts and programs developed by others;
– “hacktivists”: individuals who are chiefly driven by ideological motives;
– “phreakers”: individuals who specialize in attacking telephone systems. In general, they work towards placing free calls;
– “carders”: individuals who specialize in attacking smart card systems.

1.1.2.3. Malicious codes

The most common types of malicious code, or malware, that may be used by hackers are:
– virus: a program that attaches itself to a piece of software in order to carry out a specific, undesirable function on a computer. Most viruses need to be activated by the user. However, they can also remain in “idle mode” for prolonged periods, as they can be programmed to avoid detection;
– worms: independent programs that exploit known vulnerabilities with the aim of slowing down a network. They do not need to be activated by the user, and they can duplicate themselves and attempt to infect other hosts on the network;
– spyware: spying software that is generally used to influence the user into buying certain products or services. Spyware is not usually self-propagating, but it installs itself without permission. It is programmed to:
  – collect the user’s personal information,
  – track browsing activity on the Internet in order to detect the user’s preferences,
  – redirect HTTP requests towards pre-set advertising sites;
– adware: any software that displays advertisements without the user’s permission, often in the form of pop-up windows;
– scareware: a category of software used to convince users that their system has been infected by viruses and to suggest solutions, the goal being to sell software;
– Trojan horse: a program characterized by two features:
  – behavior that is apparently useful to the user,
  – hidden malicious behavior, which usually leads to access to the machine on which the software is executed;
– ransomware: a program designed to block access to a computer system by encrypting its contents until a certain amount of money is paid to restore the system.

1.2. Types of network security

We identify three categories of network security.

1.2.1. Physical security

Physical security involves all aspects of the environment in which the resources are installed. This may include:
– the physical security of server rooms, network devices etc.;
– the prevention of accidents and fires;
– uninterrupted power supply;
– video surveillance etc.

1.2.2. Logical security

Logical security refers to the implementation of a software-based access control system in order to secure resources. This may include:
– applying a reliable security strategy for passwords;
– setting up an access model based on authentication, authorization and traceability;
– ensuring the correct configuration of network firewalls;
– putting in place IPS (intrusion prevention systems);
– using VPNs (virtual private networks) etc.

1.2.3. Administrative security

Administrative security allows the internal monitoring of an organization using a manual of procedures. This may include:
– preventing errors and fraud;
– defining the responsibilities of the different actors or operators;
– protecting the integrity of the company’s property and resources;
– ensuring that all operations concerning the handling of material are recorded;
– rationally managing the company’s property;
– ensuring effective and efficient management of activities.

NOTE.– You can now attempt Exercise 1.

1.3. The main risks related to the logical security of the network

1.3.1. Different kinds of network attacks

1.3.1.1. Reconnaissance attacks

The aim of a reconnaissance attack, or “passive attack”, is to collect information on the target network in order to detect all of its vulnerabilities. In general, this attack uses the following basic methods:
– “ping sweep”: the attacker sends ping packets to a range of IP addresses to identify the computers that are part of a network;
– port scanning: the attacker carries out a port analysis (TCP and UDP) in order to discover what services are running on a target computer;
– packet sniffing: “packet sniffing” makes it possible to capture data (generally Ethernet frames) traveling over a network, with the aim of identifying the MAC addresses, IP addresses or ports used in a target network. This attack can even reveal user names or passwords. The most commonly used packet capture tools are Wireshark and tcpdump.

1.3.1.2. Password attacks

The goal of these attacks is to discover usernames and passwords in order to access various resources. There are two commonly used methods in this type of attack:
– dictionary attack: this method uses a list of words or phrases that are commonly used as passwords;
– brute force attack: this method tries out all possible combinations of letters, numbers and symbols to find a user’s password.

1.3.1.3. Access attacks

The aim of these attacks is to try and recover sensitive information about network components. The following methods are commonly used to carry out an access attack:
– phishing: an attempt to recover sensitive information (usually financial information such as credit card details, logins, passwords, etc.) by sending unsolicited emails containing fake URLs;
– pharming: another network attack that aims to redirect traffic from one website to another;
– “man-in-the-middle” attack: an attacker places themselves between two network components to try and benefit from the data being exchanged. This attack is based, among other things, on:
  – spoofing: a practice in which communication is sent from an unknown source disguised, for the receiver, as a reliable source. This makes it possible to deceive a firewall, a TCP service, an authentication server etc. Spoofing may take place at several levels: MAC address, IP address, TCP/UDP port, DNS domain name;
  – hijacking: the attacker hijacks a session between a host and a server to obtain unauthorized access to this service. This attack relies on spoofing;
– mixed attacks: mixed attacks combine the characteristics of viruses, worms and other software to collect user information.

1.3.1.4. Network attacks against availability

– DoS, or denial of service, attacks are attacks that render a service unavailable in various ways. They can be divided into two main categories:
  – denial of service by saturation: flooding a machine with false requests so that it is unable to respond to real requests;
  – denial of service by exploiting a vulnerability: exploiting a weakness in a remote system in order to make it unavailable.
– DDoS, or distributed denial of service, attacks are a type of DoS attack originating from many connected computers, controlled by hackers, that attack from different geographic locations. These attacks rely on the following methods (among others):
  – SYN flood: an attacker sends several TCP SYN packets to set up a TCP connection without sending a “SYN-ACK” message;
  – ICMP flood: an attacker sends the target computer multiple fake ICMP packets.

1.3.1.5. Close attacks

A close attack is unusual in that the attacker is physically close to the target system. The attacker takes advantage of this proximity to the target devices to reset a router, for example, or to start a server from a CD etc.

1.3.1.6. Attacks on trust relationships

When taking control of a network machine, the attacker exploits the trust relationship between this machine and the various other devices on the network in order to gain greater control.

1.3.2. Network security measures

In order to ensure greater security for a company network, the following measures are recommended:
– separation of resources: an organization’s network resources and its various sensitive data must be located in different security zones (for example, by creating a DMZ zone). Access to the organization’s network and to its databases must go through closely monitored mechanisms;
– defense in depth: network security devices must be deployed at different locations in the organization’s network;
– the “least privilege” rule: each user must be assigned only the minimal level of access required to carry out a given task;
– adequate protection: protection mechanisms must be installed in a reliable and effective manner at all levels of the network;
– restricting the consultation of information: only the information required for carrying out a specific task must be provided to a given employee;
– separation of duties and job rotation: these contribute to a better implementation of security policies in organizations and to the reduction of vulnerabilities.

1.3.3. Vulnerability audit measures

A computer network audit must include the following five categories:
– preventive measures: precautions taken to prevent the exploitation of a vulnerability, through the use of a firewall, physical locks and an administrative security strategy;
– detective measures: the retrieval of all information on intrusions into the network or system, using system logs, intrusion prevention systems (IPS), anti-spoofing technologies and surveillance cameras;
– corrective measures: determining the cause of a security violation and then mitigating its effects, for example by updating antivirus or IPS signatures;
– recovery measures: these enable the system to be recovered after an incident;
– deterrent measures: these discourage persons who try to breach network security.
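The access model of 1.2.2 (a password strategy plus authentication, authorization and traceability), the lockout that blunts the dictionary and brute force attacks of 1.3.1.2, and the least-privilege rule of 1.3.2 fit together in one small model. The following Python is an added example written for this page, not code from the book: the users, roles, permissions and the short common-password list are constructed, and salted PBKDF2 is the password-hashing choice assumed here. Only the standard library is used.

```python
"""Authentication, authorization and traceability with a password policy.

Added example (not code from the textbook) for sections 1.2.2, 1.3.1.2 and
1.3.2. Users, roles, permissions and the common-password list are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed short list; a real strategy checks a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}
MAX_FAILED_ATTEMPTS = 5        # lockout threshold against dictionary/brute force
PBKDF2_ITERATIONS = 100_000    # slows offline guessing of stolen hashes

# Least privilege: each role carries only the permissions its task needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "analyst": {"read_logs"},
    "operator": {"read_logs", "restart_service"},
    "admin": {"read_logs", "restart_service", "manage_users"},
}


def check_password_policy(password: str) -> Tuple[bool, str]:
    """Reject short passwords, dictionary words and low-variety passwords."""
    if len(password) < 12:
        return False, "shorter than 12 characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "appears in the common-password list"
    tests = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    if sum(any(t(c) for c in password) for t in tests) < 3:
        return False, "needs characters from at least three classes"
    return True, "ok"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    role: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


@dataclass
class AccessControl:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[Tuple[str, str, str]] = field(default_factory=list)  # traceability

    def add_user(self, username: str, password: str, role: str) -> None:
        ok, reason = check_password_policy(password)
        if not ok:
            raise ValueError(f"password rejected: {reason}")
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, role, salt, digest)

    def authenticate(self, username: str, password: str) -> bool:
        """Verify the password in constant time; lock after repeated failures."""
        acct = self.accounts.get(username)
        if acct is None or acct.locked:
            self.audit_log.append(("AUTH_FAIL", username, "unknown or locked account"))
            return False
        if hmac.compare_digest(hash_password(password, acct.salt)[1], acct.digest):
            acct.failed_attempts = 0
            self.audit_log.append(("AUTH_OK", username, ""))
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            self.audit_log.append(("LOCKOUT", username, f"{acct.failed_attempts} failures"))
        else:
            self.audit_log.append(("AUTH_FAIL", username, "bad password"))
        return False

    def authorize(self, username: str, action: str) -> bool:
        """Allow an action only if the user's role grants it; record the decision."""
        allowed = action in ROLE_PERMISSIONS.get(self.accounts[username].role, set())
        self.audit_log.append(("AUTHZ_OK" if allowed else "AUTHZ_DENY", username, action))
        return allowed


def demo() -> Dict[str, object]:
    """Exercise the model with a constructed analyst account."""
    ac = AccessControl()
    ac.add_user("alice", "Corr3ct-Horse-Battery!", "analyst")
    result = {
        "weak_rejected": not check_password_policy("password")[0],
        "login_ok": ac.authenticate("alice", "Corr3ct-Horse-Battery!"),
        "read_allowed": ac.authorize("alice", "read_logs"),
        "manage_denied": not ac.authorize("alice", "manage_users"),
    }
    for _ in range(MAX_FAILED_ATTEMPTS):        # simulated guessing attempts
        ac.authenticate("alice", "wrong-guess")
    result["locked_out"] = ac.accounts["alice"].locked
    result["audit_entries"] = len(ac.audit_log)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Every authentication and authorization decision lands in `audit_log`, which is what the book calls traceability: after the five bad guesses the log shows four `AUTH_FAIL` entries and one `LOCKOUT`, and a later correct password is refused until an administrator unlocks the account. Role permissions are a deliberately short allow-list, so an analyst is denied `manage_users` without any special-case code.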
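The detective measures of 1.3.3 rely on system logs, and the reconnaissance methods of 1.3.1.1 (ping sweep, port scan) and the SYN flood of 1.3.1.4 each leave a recognisable footprint in a connection log. The following Python is an added example written for this page, not code from the book: the single-line log format, the thresholds and all addresses (taken from the documentation ranges) are constructed for the illustration, and a real firewall or flow export would need its own parser.

```python
"""Detecting ping sweeps, port scans and SYN floods in a connection log.

Added example for sections 1.3.1.1, 1.3.1.4 and 1.3.3 (detective measures);
not code from the textbook. The log format, thresholds and addresses below
are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Detection thresholds (constructed; tune them to the monitored network).
PING_SWEEP_HOSTS = 10      # distinct hosts echo-requested by one source
PORT_SCAN_PORTS = 15       # distinct ports probed on one host by one source
SYN_FLOOD_HALF_OPEN = 50   # SYNs from one source not matched by a final ACK

# Constructed log format: "<timestamp> <proto> <src> <dst> <dport|-> <flags>"
# flags: "echo" = ICMP echo request, "S" = TCP SYN, "A" = the ACK that
# completes the three-way handshake.


def build_sample_log() -> List[str]:
    """Constructed traffic: a ping sweep and a port scan from 203.0.113.9,
    a SYN flood from 198.51.100.7 and three normal completed handshakes."""
    lines = []
    for host in range(1, 13):                      # sweep of 10.0.0.1-12
        lines.append(f"2024-01-01T10:00:00 icmp 203.0.113.9 10.0.0.{host} - echo")
    for port in range(20, 40):                     # 20 ports on one host
        lines.append(f"2024-01-01T10:01:00 tcp 203.0.113.9 10.0.0.5 {port} S")
    for _ in range(60):                            # 60 SYNs, never completed
        lines.append("2024-01-01T10:02:00 tcp 198.51.100.7 10.0.0.5 80 S")
    for i in range(1, 4):                          # legitimate clients
        lines.append(f"2024-01-01T10:03:00 tcp 192.0.2.{i} 10.0.0.5 443 S")
        lines.append(f"2024-01-01T10:03:01 tcp 192.0.2.{i} 10.0.0.5 443 A")
    return lines


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into its fields."""
    ts, proto, src, dst, dport, flags = line.split()
    return {"ts": ts, "proto": proto, "src": src, "dst": dst,
            "dport": None if dport == "-" else int(dport), "flags": flags}


def analyze(lines: List[str]) -> List[Tuple]:
    """Return (kind, ...) findings for the patterns described in the text."""
    echo_targets: Dict[str, Set[str]] = defaultdict(set)              # src -> hosts pinged
    ports_probed: Dict[Tuple[str, str], Set[int]] = defaultdict(set)  # (src, dst) -> ports
    syn_count: Dict[str, int] = defaultdict(int)                      # src -> SYNs sent
    ack_count: Dict[str, int] = defaultdict(int)                      # src -> handshakes done
    for rec in map(parse_line, lines):
        if rec["proto"] == "icmp" and rec["flags"] == "echo":
            echo_targets[rec["src"]].add(rec["dst"])
        elif rec["proto"] == "tcp" and rec["flags"] == "S":
            syn_count[rec["src"]] += 1
            ports_probed[(rec["src"], rec["dst"])].add(rec["dport"])
        elif rec["proto"] == "tcp" and rec["flags"] == "A":
            ack_count[rec["src"]] += 1

    findings: List[Tuple] = []
    for src, hosts in echo_targets.items():
        if len(hosts) >= PING_SWEEP_HOSTS:
            findings.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in ports_probed.items():
        if len(ports) >= PORT_SCAN_PORTS:
            findings.append(("port_scan", src, dst, len(ports)))
    for src, syns in syn_count.items():
        half_open = syns - ack_count[src]    # rough proxy for half-open connections
        if half_open >= SYN_FLOOD_HALF_OPEN:
            findings.append(("syn_flood", src, half_open))
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

Two caveats a practitioner would add: the counters ignore time, so a production rule needs a sliding window rather than whole-log totals; and a SYN flood that spoofs its source addresses (the spoofing of 1.3.1.3) spreads the SYNs over many sources, so the same half-open count must also be kept per destination port to catch it.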