Summary

This document provides a review of common security terminology, covering key concepts like vulnerabilities, threats, and exploits. It also explains the CIA triad (confidentiality, integrity, availability) and non-repudiation.

Full Transcript


Common Security Terminology

Vulnerability

A vulnerability is a weakness in a system, application, or process that a threat actor exploits to gain unauthorized access or cause damage. Software bugs, misconfigurations, or poor security practices can cause vulnerabilities. For example, an outdated operating system may have unpatched vulnerabilities that hackers can exploit.

Threat

A threat is any potential event or actor that can exploit a vulnerability to harm a system, network, or data. Threats can be intentional (e.g., hackers, malware) or unintentional (e.g., human error, natural disasters). A cybercriminal attempting to steal sensitive information is an example of a threat to an organization's data security.

Threat Actor

A threat actor is an individual, group, or entity that targets systems, networks, or data by exploiting vulnerabilities to achieve malicious objectives, such as data theft, operational disruption, or unauthorized access.

Exploit

An exploit is a method or tool a threat actor uses to attack. Exploits can be malicious code, scripts, or procedures designed to compromise a target. For example, a common threat includes a phishing email that might contain a link to a website that exploits a browser vulnerability to install malware.

Risk

Risk is potential loss, damage, or harm when a threat actor exploits a security breach or vulnerability. It measures the likelihood of a threat exploiting a vulnerability and its impact. Organizations assess and manage risks to determine the appropriate security measures to protect assets. For instance, if someone stores sensitive data on an unencrypted drive, the risk of exposure becomes high if someone loses or steals the drive.

Confidentiality, Integrity, and Availability (CIA)

Information security (InfoSec) is a critical part of cybersecurity that protects and secures information and information systems.
The CIA Triad underpins everything in cybersecurity and represents the three core information security principles.

[Figure: The CIA triad is a model used to represent three core cybersecurity principles: confidentiality, integrity, and availability. Source: Federal Energy Management Program]

Confidentiality means protecting information and ensuring only authorized subjects (users, processes, systems) can access it. Example: A healthcare organization uses encryption to secure patients' medical records in its database. Only authorized medical staff can access the records using strong credentials, ensuring that the sensitive information remains confidential and protected from unauthorized users.

Integrity means the information will be protected against modification by unauthorized subjects. Example: An online banking system uses precautions to verify the integrity of transaction data. If an attacker attempts to alter the transaction amount during transmission, the system generates an alert, preventing the tampered transaction from being processed.

Availability ensures reliable access to information when needed (timely) for authorized subjects. Example: A company manages all customer service requests through a customized application. To prevent outages or disruptions for their representatives, the company has implemented redundant servers and performs frequent data backups.

Non-Repudiation

In addition to confidentiality, integrity, and availability, non-repudiation is another critical information security property. Non-repudiation means a subject cannot deny having performed some action, such as deleting or altering data or sending a message.

Logical Security

Logical security involves an organization using software and rules to protect their networks, systems, and critical data from potential threats or unauthorized access. Organizations implement encryption, identity and access management, digital certificates, and geofencing to enhance security.
Encryption

Encryption is a fundamental cybersecurity process that converts readable information (plaintext) into an unreadable format (ciphertext) using a mathematical algorithm (structured sets of rules) and a cryptographic key (a string of information used along with the cryptographic algorithm to secure the data). The encryption process guarantees that only authorized individuals with the correct key can decrypt, access, and interpret the information.

Encrypting Data in Transit

Data in transit is when data is in motion from one location to another, including traveling over a local or wide-area network. Without encryption, data in transit is vulnerable to eavesdropping, interception, or other unauthorized access. Encryption protects data in transit by ensuring its confidentiality and integrity during transmission.

Secure protocols often use encryption standards like AES to encrypt data before transmission and manage decryption at the receiving end. These protocols also include authentication mechanisms to verify trusted parties. The following are some of the most common protocols used to secure data in transit:

TLS (Transport Layer Security) is a widely used protocol for encrypting traffic over the internet. It secures web traffic (e.g., HTTPS), email (e.g., IMAPS, POP3S, SMTPS), authentication (e.g., EAP-TLS, PEAP), file transfer (e.g., FTPS), and other application-level communications. SSL (Secure Sockets Layer), the predecessor to TLS, is now largely obsolete but may still be encountered in legacy systems that have not upgraded to TLS.

IPsec (Internet Protocol Security) is a protocol suite that provides encryption (e.g., ESP), authentication (e.g., AH or ESP), and data integrity (e.g., HMAC) at the network layer. It is payload-agnostic, capable of securing any IP-encapsulated data. While organizations commonly use IPsec in VPNs, its capabilities extend far beyond that.
IPsec secures application traffic, enables end-to-end encryption between endpoints, protects communication between networks without a VPN setup (e.g., tunnel or transport mode), secures routing protocol exchanges (e.g., securing OSPF or BGP), and more. The IKE (Internet Key Exchange) protocol works within the IPsec suite to negotiate secure cryptographic keys and algorithms, ensuring confidentiality and integrity during communication.

SSH (Secure Shell) provides encrypted command-line access to remote devices, ensuring secure sessions for remote login. It also secures data transfer during file management tasks, such as those with SFTP and SCP.

[Figure: Comparison of Telnet and SSH traffic captured in Wireshark. The top pane shows Telnet transmitting credentials (e.g., username and password) in plaintext, making it vulnerable to interception. The lower pane demonstrates SSH encrypting traffic and securing sensitive information during transmission.]

Encrypting Data at Rest

Data at rest is digital information that is stored on a device and is not being used or transmitted. Encrypting data at rest is critical to safeguard sensitive information and ensure it remains secure even if the device is lost, stolen, or compromised. Users can implement encryption of data at rest at different levels:

Full disk encryption secures the entire storage device, including the operating system, applications, and user data. Users or systems can implement encryption at the hardware level (e.g., self-encrypting drives [SEDs]) or software level (e.g., Windows BitLocker or macOS FileVault).

File-level encryption encrypts individual files rather than the entire storage device. Only the selected files are encrypted, while the remaining space on the medium remains unencrypted. When a user applies file-level encryption to a folder, files placed in the folder will be encrypted. Only an authorized user, application, or system can decrypt files when accessing them.
Permissions and encryption keys determine who can access or modify the encrypted files. File-level encryption tools include EFS (Encrypting File System) in Windows, which encrypts files and directories to protect sensitive data; GPG (GNU Privacy Guard), a widely-used tool for encrypting individual files with public-key cryptography; and third-party software like 7-Zip and AxCrypt.

Database encryption protects sensitive information stored in a database by converting data into an unreadable format using encryption algorithms. Organizations may use file-level encryption methods to secure database files while at rest. However, these methods often reduce performance, especially in environments that require frequent database reads and writes. For this reason, organizations should reserve file-level encryption for smaller environments with fewer users, where performance demands are lower. In contrast, database management systems (DBMS) typically perform encryption directly or use third-party database encryption solutions designed for optimized performance and scalability.

AES (Advanced Encryption Standard) is the most trusted and widely used encryption algorithm for encrypting data at rest. It supports three key lengths: 128, 192, and 256 bits. AES is a standard in tools like BitLocker, FileVault, and database and file encryption standards.

Symmetric and Asymmetric Encryption

Modern cryptographic systems use two main types of encryption: symmetric key cryptography and asymmetric cryptography (also referred to as public key cryptography). Both use keys to encrypt and decrypt data. Symmetric encryption, such as AES, efficiently encrypts and decrypts large amounts of data, such as files, databases, or communication channels. Asymmetric encryption, such as RSA or ECC, enables secure cryptographic key exchanges, facilitates the creation of digital signatures, and verifies identities for authentication.
A symmetric encryption system will use a single shared key for data encryption and decryption. In contrast, asymmetric encryption (also called public key cryptography) uses a separate public key and private key, called the key pair. The two keys are individual, unique, and mathematically related. However, it is impossible to derive one key from the other in the pair. For example, if a recipient holds a sender's public key, they cannot use it to generate the same sender's private key. The owner of a public key can distribute it; however, the related private key is kept secret. If a private key is compromised, all of the underlying functions of the key pair will be untrusted.

Public and private keys in a certificate have unique, complementary functions: one encrypts, and the other decrypts.

Certificates

A digital certificate functions similarly to an electronic identification card and serves two primary purposes:

- Proving the identity of the certificate's owner
- Securely distributing the subject's public key

A trusted party digitally signs certificates as proof of authenticity and issues them to the intended recipients. Certificates also contain important information, including the owner's details, the trusted party that issued the certificate, its usage (purpose), validity period, and more.

[Figure: A digital certificate for the website, www.example.com, shows the issuing Certificate Authority (CA) DigiCert.]

Public Key Infrastructure (PKI)

Digital certificates are central to Public Key Infrastructure (PKI), a framework that manages these certificates' creation, distribution, and validation. PKI enables secure communications, such as HTTPS for websites or encrypted emails, by ensuring trust between entities. For example, when you visit a secure website (e.g., one using HTTPS), its TLS certificate proves the site's authenticity and establishes an encrypted connection to protect your data. Several other components make up the public key infrastructure.
Certificate Authority (CA)

A certificate authority (CA) develops and maintains an environment of trust, primarily for signing, issuing, and storing digital certificates. A digital certificate verifies and guarantees the owner of a public key. A certificate authority functions as a trusted party and is trusted by the certificate owner, with the subject relying on the certificate's validity.

A public key infrastructure can employ a third-party CA or a private CA. Third-party CAs establish trust relationships between businesses or the public, untrusted internet. Examples of third-party certificate authorities include DigiCert, GeoTrust, Thawte, and GlobalSign. Organizations set up private CAs internally or as single-tenant cloud-based CAs to establish internal trust relationships. A compromise of the CA causes the entire PKI to collapse.

The functions of a certificate authority include:

- Signing and issuing digital certificates (only after receiving a request and validating the requester's identity).
- Self-signing its root certificate and providing its public key in that certificate.
- Confirming the identity of a certificate owner.
- Guaranteeing the validity of a certificate.
- Establishing trust in the PKI.
- Enforcing certificate and key lifecycle management.

Certificate Signing Request (CSR)

Certificate registration is when a subject sends an application to a certificate authority to request a digital certificate. When an applicant (subject) wants to procure a certificate, they must first generate a public/private key pair. The subject retains the private key and submits the certificate signing request (CSR) with the public key. The CSR is an encrypted message that identifies information about the requester or their organization, the public key, and a means of proving authenticity (digital signature). The certificate authority will review the CSR and verify the subject's information is valid.
The level of identity check will vary, depending on the type of certificate requested. For example, to check the CSR for a web domain, the CA will validate that the requester is responsible for the domain name and that the subject name matches the fully qualified domain name (FQDN). If the certificate request is approved, the CA digitally signs the certificate with its private key and sends it to the requester.

The Certificate Authority (CA) handles the Certificate Signing Request (CSR) process directly.

The root CA delegates registration to the registration authority (RA), which is a subordinate of the root CA.

The Certificate Signing Request (CSR) process is sent to the Registration Authority (RA), which acts on behalf of the CA.

Certificate Revocation List

When a user visits a website, the browser checks the certificate's validity with the issuing certificate authority. This validity check includes several items, such as the date of publication, the date of expiry, and the revocation or suspension status. If all checks are valid, the browser renders the web page.

[Figure: An illustration of the digital certificate validation process, where the sender provides a certificate, the recipient verifies it with a trusted Certificate Authority (CA), and trust is established based on the CA's validation.]

The owner may suspend a certificate, temporarily putting it on hold for a specific duration, referred to as the suspension grace period. If the certificate is still within its validity period, the owner can reinstate it. An owner may use certificate suspension when a certificate's status is questioned (e.g., suspected compromise).

Due to security risks or obsolescence, the owner may permanently revoke a certificate before its scheduled expiration date. Revoking a certificate means it will no longer be valid, cannot be validated by the CA, and cannot be reinstated.

What about the certificate that is revoked or suspended? What mechanism informs the browser if this is the case?
The issuing CA is responsible for maintaining a list of revoked and suspended certificates, referred to as a certificate revocation list (CRL). All certificates contain a field directing the browser where to find the list, and the CA must present the CRL to the browser or system requesting the status of a CA's certificates. The browser downloads the entire CRL to check whether the certificate in question appears on it. Many browsers will download a copy of an updated CRL every 24 hours to reduce network bandwidth consumption and save time.

Several risks are related to the CRL system:

- Users may have their legacy browsers configured to bypass CRL checks.
- Each CRL has an update period, and a system may accept revoked certificates due to delays in updating them.
- Expiration dates should not replace the use of a CRL, as a revoked certificate must still be explicitly identified as invalid regardless of its expiration status.

Another method for checking for up-to-date certificate information is through the use of the Online Certificate Status Protocol (OCSP). Instead of downloading an entire CRL from the CA, the client sends an OCSP request to an OCSP responder (server) for a real-time status update. OCSP is faster than using CRLs and provides a timelier, up-to-date response.

Self-Signed Certificates

A self-signed certificate is one that the entity itself signs instead of a trusted certificate authority. The same entity that will use the certificate also generates, signs, and issues it, meaning it lacks validation from a trusted CA, and browsers or systems do not inherently trust it. Administrators can designate certificates as untrusted and set them never to expire, posing a security risk if not implemented correctly. Self-signed certificates are commonly used for test or development environments and should never be used to protect critical assets.
[Figure: A browser warning indicating a potential security risk due to a self-signed certificate, which is not trusted by default and could expose users to security threats.]

Identity and Access Management (IAM)

Identity and Access Management (IAM) is a foundational cybersecurity framework for managing and ensuring the right people, devices, and things have the proper access to authorized resources at the right time. IAM plays a critical role in mitigating unauthorized access, securing sensitive data, and supporting the integrity of networked systems. A typical IAM system has a centralized user directory that contains details about identification, authentication, access control, governance, and auditing.

Authentication

Authentication proves that a user is who they claim to be. Authentication mechanisms that use a username and single password combination are considered weak. Most users, if given the choice, will naturally choose low-entropy passwords because they are easy to remember. Low entropy means a low level of randomness, disorder, or uncertainty.

Multifactor Authentication (MFA)

Using a single password-only authentication system puts an organization, its users, and its data at risk. The risks associated with password-only authentication include weak passwords, password reuse, insecure password recovery mechanisms, and flawed authentication methods. A multifactor authentication (MFA) solution replaces a single user account and password with a combination of authentication factors used together. MFA does not mean two passwords but rather requires the combination of two or more different factors.

Something You Know Factor

Something you know is a knowledge factor, including anything that can be recalled, such as passwords, personal identification numbers (PINs), or swipe patterns. While still common, a single knowledge factor is the easiest to defeat.
Something You Have Factor

Something you have is a possession factor and refers to any physical object in the user's possession, such as a USB key or drive, smart card, token device, key fob, or smartphone.

Something You Are Factor

Something you are is an inherence factor, referring to factors associated with the user and tendered for authentication. Biometric methods may include facial, palm, fingerprint, voice, or iris/retinal recognition. Behavior methods may consist of typing keystrokes, gait, or handwriting analysis.

Somewhere You Are Factor

Somewhere you are is a location-based factor established on the user or device's location. An authentication system can determine the location of a user's device on-premises by analyzing the source IP address, VLAN membership, physical network port, or Wi-Fi network. Additionally, location can be determined using technologies such as location services (e.g., GPS), geolocation (e.g., IP-based tracking), or geofencing (virtual boundaries). The somewhere you are factor does not usually serve as a primary means of authentication, but it can enhance security when used as part of multifactor authentication or as a continuous authentication method.

Hard and Soft Authentication Tokens

A hard authentication token authenticator is a physical device that can generate a token to identify and authenticate a user. Examples of hard token authenticators include:

- Smart cards use certificate-based authentication to store credentials securely.
- Security keys are portable hardware security modules (HSM) with USB or NFC interfaces.
- One-time password (OTP) devices generate and display a one-time token the user enters for authentication.

Hard tokens are typically more secure than soft tokens because they are physically isolated and do not rely on external networks for delivery, reducing their vulnerability to interception or phishing attacks.
A soft authentication token is a one-time password generated by a security system (identity provider) and sent to the user. Delivery methods include SMS text messages sent to a registered phone number and emails sent to a registered email account. Soft tokens are valid for a single use and can enhance security by enforcing an expiration time.

Time-Based Authentication

Time-Based One-Time Passwords (TOTP) are a commonly used method of time-based authentication that enhances security by generating ephemeral, unique, one-time codes based on a shared secret and the current time. Authentication systems will typically validate these codes for only a short time (e.g., 30-60 seconds) while allowing them to be used only once, reducing the risk of replay attacks or unauthorized access.

How TOTP Works

- Shared Secret: When setting up TOTP, a secret (a random key) is established between the user's authentication app and the system (identity provider).
- Code Generation: The authentication app (e.g., Google Authenticator or Microsoft Authenticator) uses the shared secret and the current time to generate a unique, temporary code using a secure hashing algorithm. The identity provider performs the same calculation to validate the entered code.
- User Verification: During login, the user enters the code supplied by the authenticator in addition to their username and password (or another authentication factor). The system checks the code for validity and grants or denies access.

For example, users sign in to a secure application with their username and password. The system prompts them to open their TOTP app and enter the displayed code. This second authentication factor ensures that only someone with the registered device can finalize the login.

TOTP enhances security by generating short-lived and unique codes, making them nearly impossible to intercept or reuse.
Because the codes are generated locally on the user's device, there is no need to rely on a network for delivery, eliminating risks such as interception or tampering during transmission. Additionally, TOTP is easy to implement and widely supported by free tools and apps, including Google Authenticator, Microsoft Authenticator, and Authy. The theft of a device with an authenticator app installed poses specific risks, especially if the device is not adequately secured.

[Figure: A Microsoft sign-in request is used in tandem with Microsoft Authenticator App. Source: Microsoft.com]

Single Sign-On (SSO)

Single sign-on (SSO) is an authentication mechanism that allows users to authenticate once using one set of credentials to gain access to related, yet independent, resources without requiring additional authentication. Using SSO means a user doesn't have to sign in to every authorized application or resource because an authentication token is passed to each application seamlessly. For example, an employee can log into a company's intranet with one set of credentials and access email, file storage, and other services without signing in separately for each.

Lightweight Directory Access Protocol (LDAP)

Lightweight Directory Access Protocol (LDAP) is an open, vendor- and product-agnostic protocol for applications to query, update, and add data quickly and at scale. A common use of LDAP is to support a centralized location to store user credentials (e.g., usernames and passwords). LDAP supports a directory structure where each entry contains a collection of attributes that define a unique identifier, referred to as a distinguished name (DN). Developers optimized LDAP for searching and designed it to handle large directories with millions of users. LDAP is often used alongside SSO systems and is a critical component of enterprise tools like Microsoft Active Directory.
Security Assertion Markup Language (SAML)

Security Assertion Markup Language (SAML) is an open standard for securely exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP). The identity provider authenticates the user, writes the necessary identity and authorization information as an XML-based assertion, digitally signs it, and passes it on its way. The service provider verifies the assertion, trusts the identity provider, and authorizes the user to utilize the requested service. SAML is another common method of enabling single sign-on.

For example, a company uses a central IdP, such as Microsoft Active Directory Federation Services (AD FS), to manage employee credentials. Employees must access a cloud-based service, such as Salesforce or Google Workspace, which acts as the SP. Here's how SAML facilitates this process:

- User Authentication: The employee navigates to Google Workspace, but Google redirects the user to the company's IdP (e.g., AD FS) for authentication. The IdP verifies the employee's credentials (e.g., username and password).
- SAML Assertion: After successful authentication, the IdP generates a SAML assertion, an XML-based message containing authentication and authorization information (e.g., the user's identity and roles). This SAML assertion is digitally signed to ensure authenticity and integrity.
- Access Granted: AD FS (the IdP) sends the SAML assertion to Google (the SP), which validates the signature and grants the employee access based on the provided information. The employee can now use Google without needing to log in again.

Authorization

Authorization regulates what actions a user, device, or system can perform within a system after authentication. While authentication verifies who a user is, authorization controls what that user can access and do within a system.
Think of it like entering a building: authentication is like showing an ID to prove you have permission to be in the building, while authorization determines which rooms you can access based on your role or clearance level. Authorization typically relies on permissions and privileges that administrators assign. These permissions define what resources a user, device, or system can access and what operations they can perform (such as reading, writing, or executing files).

Role-Based Access Control

Role-based access control (RBAC) systems assign access based on subject roles, not identity. An administrator creates roles for various job functions with permissions assigned to a specific role. Subjects are assigned to one or more roles and gain implicit permissions to objects (through assignment to a role). All subjects assigned to a specific role share the same access rights and permissions.

For example, a company may create roles such as "Finance Manager," "HR Assistant," and "IT Administrator." Each role is assigned specific permissions, such as access to financial software, HR records, or network configurations. A user assigned the "Finance Manager" role gains permissions associated with that role, such as editing financial reports, without requiring individual access assignments.

RBAC simplifies permission management by allowing administrators to manage access at the role level, making it highly scalable for large organizations. It also ensures consistent permissions for users with similar responsibilities, reducing the risk of errors or oversights.

[Figure: Role-based Access Control (RBAC).]

Least Privilege

The Least Privilege Model means that people, programs, or systems should only have the level of access they need to do their jobs and nothing more. Limiting access can prevent or minimize mistakes, misuse, or hacking.
For example, someone in customer service should only have access to customer-related data, like names and order history, but not sensitive information, like payroll or financial records, that isn't necessary for their job.

Sometimes, an administrator may give a user higher-level access for a short period or a specific task. For example, if a technician needs higher access to fix a problem on a workstation, the administrator gives them that access only while they're working on it. Once the technician finishes the job, the administrator removes the extra access to prevent any issues later.

Overall, the least privilege model helps keep businesses safer from accidents and intentional threats while allowing people to do their work efficiently.

Account Management: Provisioning and Deprovisioning User Accounts

Provisioning is obtaining the resources or services necessary to perform a specific activity. When applied to information technology and cybersecurity, provisioning includes configuring the resource or service according to best practices or standard operating procedures.

User account provisioning entails creating accounts for new employees and employees changing roles or moving internally within the organization. Accounts for temporary access may be granted, such as for customers, business partners, vendors, or contractors.

Deprovisioning user accounts revokes access to an account when a user leaves the organization, changes roles, or moves internally. An administrator may remove an account from a security group, delete it immediately, or disable it temporarily before they permanently remove it.

Account Management: Permission Assignments and Implications

Each user account requires permission. Organizations will determine permissions according to organizational policy, work role, or departmental membership.
The organization implements them to support the principle of least privilege, meaning the user will receive only the permissions necessary to perform their role and nothing more. Assigning user accounts to security groups and granting permissions to the group instead of assigning them to individual users is common. Organizations should assign privileged access sparingly and never to a standard user account to ensure security, proper usage, and compliance with organizational policies and regulatory requirements.

Remote Authentication Dial-In User Service (RADIUS)

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) services. Organizations commonly use it in environments requiring secure remote access, such as Wi-Fi networks, VPNs, and dial-in access. In performing AAA services, RADIUS has the following key features:

- Authentication: RADIUS verifies the identity of users attempting to access a network and works with various authentication mechanisms, such as usernames/passwords and certificates.
- Authorization: RADIUS determines the user's level of access based on their credentials and policies defined on the RADIUS server.
- Accounting: RADIUS can track user activities, such as login times and resource usage, providing auditing and billing capabilities.

An example of the RADIUS authentication process in a wireless network:

1. The supplicant (Wi-Fi host) communicates with the authenticator (wireless AP) using EAPoL (Extensible Authentication Protocol over LAN) to send authentication credentials.
2. The authenticator relays these credentials to the AAA server (RADIUS) for validation.
3. The RADIUS server verifies the credentials and sends an approval or denial back to the authenticator.
4. The authenticator grants or denies access to the supplicant based on the RADIUS server's response.

RADIUS offers several strengths that make it widely adopted in network environments.
It is particularly beneficial in large networks with numerous users and devices where scalability is required. RADIUS is widely supported by various vendors and network devices, ensuring interoperability across diverse infrastructures.

RADIUS has some limitations that organizations should consider. By default, RADIUS only encrypts user passwords during transmission, potentially exposing other data, such as usernames and attributes. RADIUS is best used with protocols like EAP (Extensible Authentication Protocol) or IPsec to enhance security. Another limitation is that RADIUS combines authentication and authorization in a single process, which may reduce flexibility in environments requiring more granular control over permissions.

Terminal Access Controller Access Control System Plus (TACACS+)

Terminal Access Controller Access Control System Plus (TACACS+) is another AAA protocol commonly used in network device management to control access to routers, switches, and other administrative systems. Organizations consider it more flexible than RADIUS because it separates authentication, authorization, and accounting, allowing for more granular control over user permissions and actions. TACACS+ also encrypts the entire session, not just the password, ensuring all transmitted data is secure. Additionally, it tracks and logs administrative commands, providing detailed accountability and auditing. These features make TACACS+ ideal for secure and precise administrative management of network devices. TACACS+ is more complex to set up and configure than RADIUS.

Geofencing

Geofencing is a logical security technique that uses geographic boundaries to control access to systems, networks, or applications. It involves setting up a virtual perimeter around a defined location using technologies like GPS, RFID, Wi-Fi, or cellular networks. When a device or user crosses this boundary, specific actions or security rules are triggered.
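As an added illustration (not part of the original material), the sketch below evaluates the boundary crossings described above and triggers a rule on each crossing, failing closed when the reported location accuracy leaves the device's side of the fence uncertain. The zone names, coordinates, actions and the accuracy handling are assumptions made for the example.

```python
import math
from dataclasses import dataclass, field

EARTH_RADIUS_M = 6_371_000  # mean Earth radius in metres


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class Zone:
    name: str
    lat: float
    lon: float
    radius_m: float
    restriction: str        # action enforced while the rule is active
    restrict_inside: bool   # True: active inside the fence; False: active outside


def restriction_active(zone, lat, lon, accuracy_m):
    """Fail closed: lift the restriction only if the whole error circle
    around the reported fix lies on the unrestricted side of the fence."""
    d = haversine_m(lat, lon, zone.lat, zone.lon)
    if zone.restrict_inside:
        provably_clear = d - accuracy_m > zone.radius_m    # certainly outside
    else:
        provably_clear = d + accuracy_m <= zone.radius_m   # certainly inside
    return not provably_clear


@dataclass
class GeofenceMonitor:
    zones: list
    state: dict = field(default_factory=dict)  # (device, zone name) -> rule active?

    def update(self, device, lat, lon, accuracy_m):
        """Process one location fix; return the actions triggered by crossings."""
        events = []
        for zone in self.zones:
            active = restriction_active(zone, lat, lon, accuracy_m)
            key = (device, zone.name)
            if self.state.get(key) != active:   # first fix, or boundary crossed
                events.append((zone.name, "apply" if active else "lift", zone.restriction))
            self.state[key] = active
        return events


# Constructed sample: two concentric fences around an invented site.
ZONES = [
    Zone("secure-lab", 40.0, -75.0, 100.0, "disable-camera", restrict_inside=True),
    Zone("campus", 40.0, -75.0, 300.0, "block-internal-servers", restrict_inside=False),
]

# Constructed track of (lat, lon, reported accuracy in metres) walking towards the lab.
TRACK = [
    (40.0040, -75.0, 10.0),   # about 445 m out: off campus
    (40.0020, -75.0, 10.0),   # about 222 m out: on campus, clear of the lab
    (40.0012, -75.0, 50.0),   # about 133 m out, poor fix: may already be in the lab
    (40.0002, -75.0, 10.0),   # about 22 m out: inside the lab
]


def replay(track=TRACK, zones=ZONES, device="phone-17"):
    """Feed the track to a fresh monitor and collect the events per fix."""
    monitor = GeofenceMonitor(list(zones))
    return [monitor.update(device, *fix) for fix in track]


if __name__ == "__main__":
    for fix, events in zip(TRACK, replay()):
        print(fix, events)
```

The third fix shows the fail-closed behaviour: the device is reported 133 m from the lab, but with 50 m of uncertainty it may already be inside, so the camera restriction is applied early.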
Geofencing enhances security through:

- Access Restriction: Geofencing can restrict network or application access to specific geographic locations, such as corporate campuses or approved countries, minimizing exposure to unauthorized users or threats. Example: A company restricts VPN access to employees in the United States.
- Data Protection: It helps enforce location-based restrictions for accessing sensitive resources, ensuring compliance with regulations like GDPR or preventing data leakage. Example: Allowing access to internal servers within the company's office building.
- Device Security: Geofencing triggers security actions, such as locking devices or sending alerts, when they leave or enter specific zones. Example: Automatically turning off a mobile device's camera when entering secure areas.

Network Segmentation Enforcement

Network segmentation is a security strategy that divides a network into smaller, isolated segments to enhance performance, manage traffic, and protect sensitive resources. Segmentation enforces logical and physical boundaries between different devices, systems, or user groups, ensuring that segmentation contains potential security threats and administrators effectively control access. Segmentation is critical when managing specialized devices and uses such as IoT, IIoT, SCADA/ICS, guest networks, and BYOD.

Internet of Things (IoT) and Industrial Internet of Things (IIoT)

The Internet of Things (IoT) represents an enormous number of smart physical devices (things) connected to a network so they can share data with other things. The manufacturer embeds these devices with sensors, compute power, network connectivity, and software. Built-in sensors and actuators are the foundational components of IoT devices. These sensors detect changes in their environment and collect related data. Sensors can detect many changes, including temperature, motion, pressure, proximity, infrared, and smoke.
Actuators respond to the data collected and allow the IoT devices to interact with the physical world. They cause physical changes, such as opening a valve, turning on a light, starting a motor, or opening and closing a door. Sensors and actuators make automation, without human interaction, possible.

IoT and Industrial Internet of Things (IIoT) devices operate in network environments while being susceptible to security vulnerabilities due to their lack of built-in security features. Network segmentation is crucial for mitigating risks by isolating these devices from the rest of the production network. For example, IoT devices such as smart thermostats and security cameras can be placed in a separate network segment, preventing unauthorized access or lateral movement by attackers. Similarly, IIoT systems like manufacturing sensors or programmable logic controllers (a specialized computer used to monitor and automate industrial processes, such as controlling machinery or production lines) can be segmented to protect critical operations. In healthcare, IoT-enabled medical devices are isolated from administrative systems to safeguard sensitive patient data.

Supervisory Control and Data Acquisition (SCADA) systems, Industrial Control Systems (ICS), and Operational Technology (OT)

An Industrial Control System (ICS) is a combination of control mechanisms and instrumentation that work together to operate or automate some type of industrial workflow. A workflow is a system for managing repetitive tasks that follow an order. Control mechanisms include programmable logic units (which perform overall system control), human-machine interfaces (such as a control panel used by an operator), and a control server.

A Supervisory Control And Data Acquisition (SCADA) system does not provide full control of an ICS. It focuses on the long-distance monitoring and control of multiple single-site ICSs.
SCADA automates the process of performing tasks and collecting data, eliminating the need for workers to travel from site to site to perform these actions.

ICS/SCADA implementations operate within many industrial sectors. ICS/DCS systems typically operate in manufacturing, water and wastewater treatment, power generation, chemicals, and oil refineries. SCADA systems commonly operate in power distribution/transmission, water treatment and distribution, and pipeline control and monitoring.

Historically, engineers designed ICS/SCADA systems without any concern for security. However, in recent years, these systems have had a high level of security awareness. Defense against the threats associated with ICS/SCADA systems requires an intentional, multi-layered approach: risk assessment, vulnerability scanning, real-time monitoring, segmentation, and authentication/authorization controls.

Operational Technology (OT) refers to the hardware and software systems used to monitor, control, and manage industrial equipment in the manufacturing, utilities, and transportation industries. OT includes technologies such as industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLCs), which operate in real-time to ensure the safe and continuous functioning of critical infrastructure. As OT systems are increasingly connected to corporate IT networks, they become potential cyberattack targets. Network segmentation is essential to isolate OT systems from IT environments, reducing the risk of unauthorized access or malware propagation. For example, a manufacturing plant might segment its OT network, which controls robotic assembly lines, from its corporate IT network to protect against ransomware attacks.

Guest Networks

Guest networks are isolated segments within a network designed to provide internet access for visitors or temporary users while preventing access to internal systems or sensitive data.
They are found in businesses, schools, and other organizations.

Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD) refers to the practice of allowing employees to connect to the corporate network and use their personal devices, such as smartphones, tablets, or laptops, for work-related tasks. While convenient and cost-effective, BYOD introduces security risks, as personal devices may lack proper security controls or could already be compromised. Organizations will typically place these devices on a dedicated VLAN or network segment separate from the production network. Organizations restrict BYOD devices to accessing only the services and data required for work-related tasks. They will monitor traffic from BYOD devices for potential threats while enforcing security policies to ensure compliance with security standards.

Deception and Disruption Technologies

Deception and disruption technologies are techniques and tools used early in the attack lifecycle to lure attackers into revealing their motives, tactics, techniques, and procedures. Simply stated, we fool the active attacker into showing us what they are doing, how they are doing it, and what tools they use to carry out an attack. Properly implemented, these technologies will supply vast intelligence about the attacker. The organization can use this information to limit the scope and impact of an active attack and defend against future attacks. These technologies can also provide a means of diverting the attacker's focus from real resources to decoys.

Deception technologies include:

A honeypot is a system or resource that mimics an essential target service or system and looks attractive to adversaries. It acts as a decoy and can assist cybersecurity analysts in collecting real-time data related to an attack. A properly configured honeypot may have the advantage of wasting the attacker's time and resources in compromising a decoy.
When configuring a honeypot, the analyst must exercise caution as an experienced and skilled adversary can easily identify it and use it as a pivot point to compromise other systems. Organizations design honeypots to attract adversaries, but they may also attract legitimate users either intentionally (to detect insider attacks) or unintentionally.

A honeynet is two or more honeypots interconnected to simulate a network subnet or entire network, providing a broader network and attack surface for an adversary to interact with. Organizations may use a honeynet when a honeypot is deemed insufficient in scope.

A visual representation of a honeypot and honeynet setup. The honeypot, connected to the network, is designed to attract and monitor attackers. A honeynet consists of multiple honeypots working together to simulate a network, providing deeper insights into malicious activities and attack methods while isolating threats from the LAN and WAN.

Physical Security

Physical security is an essential component of an organization's overall cybersecurity posture. It aids in supporting confidentiality, integrity, and availability and helps to protect an organization's assets, such as access to its physical structure, networking hardware, servers, structured cabling, and other critical infrastructure. The use of physical security controls (e.g., cameras, locks) is the primary defense in preventing unauthorized physical access.

Cameras

Security cameras are key to monitoring and recording activity in sensitive locations like server rooms, data centers, and restricted areas. They offer real-time surveillance for administrators and capture footage for audits or investigations. Many modern cameras support remote access, allowing secure monitoring from any location. For example, a company might place cameras at server room entrances to track access and ensure only authorized individuals enter.

Locks

Locks are essential for physical security.
They control who can access devices, rooms, and buildings. Only authorized people can unlock them using keys, keycards, PINs, or fingerprints. Traditional locks are cheaper but not very flexible. Electronic locks offer better tracking and can be managed with keycards or PIN codes. Biometric locks use unique features like fingerprints, providing higher security. For example, a company might use fingerprint-activated locks on data center doors to ensure that only approved staff can enter.

Audits and Regulatory Compliance

Audits and regulatory compliance enforce key network security practices, ensuring systems and data are properly protected.

Data Locality

Data locality refers to the geographic location where data is processed and stored. Regulations and organizational policies often mandate that data remain within specific jurisdictions to comply with privacy laws and security standards. An organization may choose to store data locally to reduce the risks associated with transferring data between countries.

Payment Card Industry Data Security Standards (PCI DSS)

The Payment Card Industry Data Security Standards (PCI DSS) provide a framework to protect cardholder data and secure payment processing systems. These security standards pertain to any organization that stores, processes, or transmits credit card information. Key requirements include firewalls and network segmentation to protect payment systems, encrypting cardholder data during transmission and storage, controlling access to sensitive information, and regularly monitoring security measures. For instance, a retail store can comply with PCI DSS by segmenting its point-of-sale (POS) systems from its corporate network and encrypting transactions.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive European Union law that protects personal data and privacy.
It relates to any organization involved in processing the personal data of EU citizens regardless of where it is located. Key points in the regulation include minimizing data collection, obtaining consent, providing individuals access to their data, allowing data deletion when requested, and notifying regulators and affected individuals of data breaches.

Organizations that follow these standards improve security, build customer trust, and avoid legal penalties. Compliance with data locality, PCI DSS, and GDPR protects sensitive data and supports strong network security.

Social Engineering

Social engineering, often called "hacking the human," takes advantage of human vulnerabilities such as trust, fear, curiosity, greed, and the tendency to act before fully understanding or verifying all the pertinent information. It involves exploiting human vectors. Social engineering manipulates, influences, tricks, or deceives individuals into sharing information they shouldn't, downloading files they shouldn't, clicking links they shouldn't, running programs they shouldn't, or sending money to cybercriminals. Social engineering is effective because it uses psychological manipulation and plays on human emotions.

The primary purpose of social engineering is for an attacker to gain information through reconnaissance of a target to facilitate unauthorized access or intrusion. A successful social engineering attack can lead users to reveal confidential or sensitive information or perform an action that causes a security incident. Social engineering makes up a broad attack surface and includes several attack vectors.

Phishing

Phishing is by far one of the most common types of social engineering. In a phishing attack, attackers pose as a trusted individual or organization and send fraudulent messages to deceive users into providing sensitive information.
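One check a mail filter or awareness tool can apply to such impersonation, shown as an added example rather than code from the original material: compare each link's host with an allow-list of trusted domains and flag look-alikes. The allow-list, the confusable-character table and the sample links are assumptions constructed for the example; bank0famerica.com is the deceptive domain this page cites in its phishing illustration.

```python
from urllib.parse import urlsplit

# Sample allow-list (assumption); a real deployment loads the organisation's own.
TRUSTED_DOMAINS = {"bankofamerica.com"}

# Digits commonly substituted for look-alike letters: 0->o, 1->l, 3->e, 5->s, 7->t.
_CONFUSABLE = str.maketrans("01357", "olest")


def skeleton(host):
    """Collapse visually confusable characters so look-alikes compare equal."""
    return host.lower().translate(_CONFUSABLE).replace("rn", "m").replace("vv", "w")


def host_of(text):
    """Host of a URL or bare domain, without a leading 'www.'; None if there is none."""
    text = text.strip()
    if not text or " " in text or "." not in text:
        return None
    try:
        host = urlsplit(text if "://" in text else "//" + text).hostname
    except ValueError:
        return None
    if not host:
        return None
    return host[4:] if host.startswith("www.") else host


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True for a trusted domain or any of its subdomains."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def check_link(display_text, href, trusted=TRUSTED_DOMAINS):
    """Return a list of findings for one link taken from a message body."""
    target = host_of(href)
    if target is None:
        return ["href has no host"]
    findings = []
    shown = host_of(display_text)
    if shown and shown != target and not (is_trusted(shown, trusted) and is_trusted(target, trusted)):
        findings.append(f"text shows {shown} but link goes to {target}")
    if is_trusted(target, trusted):
        return findings
    if any(label.startswith("xn--") for label in target.split(".")):
        findings.append("punycode label in host")
    for t in sorted(trusted):
        if skeleton(target) == skeleton(t):
            findings.append(f"confusable look-alike of {t}")
        elif edit_distance(skeleton(target), skeleton(t)) <= 1:
            findings.append(f"one edit away from {t}")
        elif t in target:
            findings.append(f"{t} embedded in untrusted host")
    return findings


# Constructed sample links: (visible text, href).
SAMPLE_LINKS = [
    ("Verify your account", "http://bank0famerica.com/login"),
    ("www.bankofamerica.com", "http://bankofamerica.com.account-verify.example/"),
    ("Sign in", "https://www.bankofamerica.com/"),
]

if __name__ == "__main__":
    for text, href in SAMPLE_LINKS:
        print(href, "->", check_link(text, href) or "no findings")
```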
Phishing attacks often come in the form of:

- Emails that appear legitimate but include links to malicious websites or attachments.
- SMS messages (smishing) or phone calls (vishing) asking for personal details.
- Fake login pages that mimic legitimate sites.
- Browser notifications that display phishing messages disguised as system alerts or notifications that appear to be from trusted sources.

There are several tactics that users can implement to protect from phishing attempts.

- Always validate the source of a message by checking the sender's email address (phishing) or phone number (smishing and vishing) before responding. A legitimate organization should never ask for sensitive information via email or SMS.
- Hover over links before clicking. Hovering will show the website address (URL), allowing the user to verify that the link matches the legitimate website. However, these links are often extremely long and/or cryptic. When in doubt, don't click; manually enter the site's URL.
- Be very cautious with attachments, particularly from unknown senders. These often contain malware.
- Enable two-factor authentication (2FA) on sites that offer it. 2FA provides a second means of authenticating besides just signing in.

An example of a phishing email disguised as a security alert from a bank using a deceptive link (http://bank0famerica.com with a zero instead of an "o") to trick victims into providing sensitive account information.

Dumpster Diving

Dumpster diving involves attackers searching trash bins, recycling containers, or electronic waste for sensitive information that they can use to increase their knowledge of an organization, compromise security, or obtain unauthorized access.

What are attackers looking for?

- Printed documentation like employee directories, company memos, financial records, passwords written on sticky notes, network diagrams, policy manuals, etc., that an attacker can use.
- Discarded electronics like hard disk drives, solid-state drives, USB drives, DVD/BD, or any other storage media with encrypted or recoverable data.
- An attacker could use login information, such as badges, IDs, documents with barcodes or QR codes, old credentials, or software keys, to gain physical or logical access.
- Shredded documents that an attacker could reconstruct.

Dumpster diving has several potential impacts on organizational security:

- An attacker can use identity theft to gather personal or corporate identity information to impersonate legitimate individuals.
- An attacker could use exposed credentials, such as usernames and passwords, to obtain unauthorized access to systems.
- An attacker can use recovered information for reconnaissance, helping them craft targeted phishing campaigns or gain physical access to restricted areas.
- Mishandling or improperly disposing of sensitive information can lead to regulatory or legal violations.

There are several tactics that organizations can implement to protect from dumpster diving attempts.

- Use cross-cut shredders to ensure an attacker cannot reconstruct documents.
- Use secure data disposal methods to wipe completely or physically destroy storage devices before disposal or recycling.
- Implement company-wide policies for secure disposal of sensitive physical and digital materials.
- Educate employees on the risks of dumpster diving and the importance of secure data handling.
- Implement physical security measures for dumpsters and recycling areas using locks and enforcing restricted access policies.

Shoulder Surfing

Attackers use shoulder surfing to observe sensitive information visually by physically watching someone enter data, such as passwords, PINs, financial data, credit card numbers, CVV codes, or other credentials, without their knowledge or consent. An attacker may attempt shoulder surfing through direct observation by the attacker positioning themselves near the victim or using tools like binoculars or cameras.
Attackers often attempt shoulder surfing in crowded places where people are less likely to notice they are under surveillance.

Shoulder surfing impacts an organization's security in several ways:

- Compromised credentials can grant attackers access to personal or organizational systems.
- Stolen banking information can lead to financial loss through unauthorized transactions.
- Shoulder surfing can expose sensitive data, potentially leading to data breaches.

How can organizations and individuals take precautions against shoulder surfing?

- Security awareness training is essential in making people mindful of their surroundings when entering sensitive information.
- Users can implement privacy screens (screen filters) to prevent side-angle viewing.
- When entering PINs at ATMs or payment terminals, shield the keypad from view.
- While in public places, avoid working on sensitive tasks that could expose sensitive data.

Tailgating

Tailgating occurs when an unauthorized person obtains physical access to a secured environment by closely following an authorized individual, often without their awareness or permission. Tailgating differs from piggybacking because the unauthorized individual follows the authorized person through an entrance without their knowledge. In piggybacking, the authorized person knowingly allows or fails to prevent the unauthorized individual's entry.

There are several strategies an organization can employ to protect from tailgating (and piggybacking) attempts.

- All individuals must badge or authenticate separately, even when entering as a group.
- Use turnstiles, access control vestibules, or similar mechanisms to restrict access to one person at a time.
- Educate employees on recognizing and preventing tailgating attempts while emphasizing vigilance at secure entry points.
- Deploy cameras or other surveillance systems to monitor doors and entryways.
- Ensure visitors are always escorted and correctly identified and authenticated.
Malware

Malware (short for malicious software) includes any software intentionally designed with harmful intent, such as:

- System damage involves corruption or deletion of files, slowing down system performance, crashing applications or the operating system, maliciously altering system settings, or making information inaccessible.
- Operations disruption refers to hindering or interrupting normal activities or processes of a system, network, or organization. It may take the form of shutting down servers, blocking access to websites, overloading a system or network, interfering with communication between systems, or delaying or stopping essential tasks (such as financial transactions).
- Information theft can involve harvesting (gathering) login credentials, capturing financial details, collecting personally identifiable information, stealing intellectual property (confidential trade secrets or documents), or logging a user's keystrokes (to gather sensitive keyboard input).
- Gaining unauthorized access refers to tactics such as bypassing security systems, taking control of a system remotely, compromising and accessing privileged accounts or sensitive areas, or creating backdoors that allow an attacker to maintain permanent access to a system without detection.
- Illegal profit generation means making money through deceptive or unauthorized methods for financial gain. Some examples include demanding ransom payments, displaying intrusive ads to generate revenue through clicks or views, stealing financial information like credit card numbers or bank credentials, using compromised systems to mine cryptocurrency, or selling stolen data or intellectual property.
There are many types of malware, each with a unique way of causing harm:

Viruses are programs that attach themselves to another program or file called the "host." Viruses require user interaction to execute (trigger) their malicious code (payload), meaning the malware runs when the user launches the host file or program. Once executed, viruses can propagate by attaching copies of themselves to other host files or programs on the infected system and may spread through removable media, shared network drives, or email attachments.

Worms are standalone malware that self-replicate to spread across networks and systems without human interaction or host files. Worms typically carry a payload (additional malicious software or instructions) that may include installing backdoors (secret access points allowing attackers to control the system), deleting files, launching other attacks, or delivering different types of malware.

A Trojan, or Trojan horse, is malware that disguises itself as a legitimate (harmless) application and tricks users into installing it through deceptive tactics. Once installed, a Trojan carries out its objectives, such as stealing data, installing other malware, holding a system and data at ransom, spying or tracking user activity, or providing remote access to the victim's system to an attacker. Trojans do not self-replicate but rely on social engineering to get onto a victim's system. Trojans are delivered using phishing emails (containing malicious links or email attachments), drive-by downloads (where visiting a compromised website is all that's required to download the malware automatically), or fake (or legitimate, compromised) software from untrusted websites.

Ransomware is malware specifically designed to prevent users from accessing their data. Some forms of ransomware lock the user out of their system and, more commonly, encrypt the data with a secret key.
Some varieties of ransomware also use double extortion techniques in which the attacker threatens to publicly release the data if the user or organization does not pay the ransom. Once the user pays the ransom (often required within a deadline), typically via cryptocurrency, the attacker sends the key to the user to unlock their system or decrypt their data. Attackers can deliver ransomware via email attachments or malicious links, software vulnerabilities (weaknesses), insecure networks, or malicious websites or ads.

A screenshot of the ransom note left on a system infected with the WannaCry ransomware attack launched worldwide in 2017. Source: Securelist.com

Spyware is malware that covertly monitors and gathers information about a user's activities without their knowledge or permission. It can collect login credentials, financial information, browsing habits, or personal details. Once collected, spyware can return the data to the attacker or third party for malicious purposes or monetary profit. Several types of spyware can be utilized, such as keyloggers (record all keystrokes from the keyboard), adware (display targeted ads), tracking cookies, or banking Trojans (capture financial information). An attacker commonly delivers spyware via phishing and social engineering, malicious websites, system and software vulnerabilities, or bundled with other software (typically free or pirated).

A rootkit is malicious software that gives an attacker hidden, high-permission level, and unauthorized access to a system. Rootkits typically provide attackers administrator (or "root") level access, allowing them to carry out malicious activity hidden and unnoticed. Rootkits can infect operating systems, software, and firmware and are used to maintain long-term, persistent (remains after reboot or attempts to remove it) control over a compromised system.
Rootkits are a serious threat to a compromised system due to the attacker's ability to gain and maintain complete system control, their inherent nature of being undetected for long periods, and their ability to hide from standard anti-malware scanners and tools. Attackers often deliver rootkits via Trojans, social engineering attacks, or physical access.

Anti-Malware Software

Anti-malware software scans devices to identify malware and remove malicious threats. Most modern anti-malware products utilize a combination of scanning, detection, and remediation techniques.

Anti-Malware Scanning Types

Real-time scanning continuously monitors the system's activities, such as launching programs, opening and saving data files, downloading, web browsing and internet traffic, software installation, and external drive connections.

Scheduled scans perform a more comprehensive, system-wide check that typically includes a deep scan of all files and directories, a scan of compressed files, system settings, and system boot and startup files.

Detection Methods of Anti-Malware Software

Signature-based detection is used to identify known malware by comparing scanned files or programs to a database of malware signatures. A signature is a unique pattern within the code extracted from a particular piece of malware. For example, the following string is the signature for the EICAR test virus file:

A Windows Defender Antivirus scan located the EICAR test file and notified the user. Clicking "Learn more" takes the user to a Microsoft web page explaining that the file is not malicious but a test file.

Antivirus software uses this specific string to detect the EICAR test file. This test file is not harmful. Anti-malware software vendors build their programs to recognize this test signature as verification that their program is correctly detecting known malware signatures.

But how does anti-malware software detect new or unknown threats without signatures?
Detecting these types of threats is where heuristic detection comes into play. Heuristic (or behavioral-based) detection monitors and analyzes programs and files in real-time, looking for suspicious behaviors or characteristics typical of malware. Most anti-malware software allows users to opt in to cloud-based submission of suspected malware for further analysis. If the anti-malware vendor determines the suspicious file or program is malware, a signature is created, named, added to the database, and distributed to users in their next signature update.

Remediation Methods of Anti-Malware Software

When anti-malware software suspects or confirms malware, it employs several remediation (neutralization or removal) methods to address the potential threat.

- Quarantining is the first step in remediating malware. It isolates the threat and prevents the file from being accessed or the program from running. This process gives users or malware analysts time to review the file.
- Deletion or Removal: When malware is confirmed, the anti-malware software may be configured to delete the infected file permanently from the system.
- Sanitization or Cleaning: In some cases, anti-malware software may attempt to sanitize (clean or disinfect) the infected file. Sanitization differs from deletion in that sanitization removes only the malicious code from the file while keeping the original, unaffected part of the file intact. This method is particularly important when a data file is infected.
- Blocking Execution: If malware (or potential malware) is detected but not yet executed, anti-malware software may block the program from running. After blocking, the anti-malware software will often continue to analyze the threat and quarantine it. If the anti-malware software mistakenly detects the program as malware, it may allow the program to continue execution.
- Restoration: If the anti-malware software wrongly flags a file as malware (false positive), the software provides an option for the user or administrator to restore it from quarantine.
- Reporting to Vendor: When heuristic detection locates suspicious files or programs, most anti-malware software sends the data to the vendor for further analysis. After analysis, the appropriate action (quarantine, delete, clean, or restore) may be automatically taken based on the results.

Best Practices for Anti-Malware Use

- Install only reputable anti-malware software obtained from trusted, widely-recognized software vendors.
- Turn on automatic updates to ensure the anti-malware signature database can recognize the latest malware. Regular updates also keep the heuristic detection feature updated.
- Set a schedule so the software will perform regular scans to detect any hidden threats that real-time scanning may have missed.
- Avoid downloading from untrusted sites. Download only from official or reputable sites.
- Disable unnecessary features since certain malware can exploit features like scripting or macros (a specific type of script often used in office applications like Word, Excel, etc.).

Denial of Service (DoS)

A denial-of-service attack (DoS) occurs when legitimate users cannot access a service due to the actions of a threat actor. Denial of service can affect almost any service, including email, website, web app, database, network infrastructure, internet connectivity, or physical hardware, and can be intentional or accidental. A malicious DoS attack exploiting a protocol vulnerability or configuration weakness in a website could make the site unavailable for use. If this attack originates from a single attacker at a single location, security controls will likely be effective at detecting and blocking this attack.

Most DoS attacks fall into one of two categories: buffer overflow attacks and flooding attacks.
- Buffer overflow can cause application or system crashes, sluggish performance, or resource consumption (network, storage, CPU time, memory, etc.).
- Flooding saturates a target with an overwhelming number of spoofed packets from requests or replies (ICMP, NTP, SYN, DNS, etc.).

Distributed Denial of Service (DDoS)

Another form of DoS is distributed denial of service (DDoS). Unlike a DoS attack that originates from a single attacker's system or location, a DDoS attack occurs when multiple machines from separate locations cooperate to attack a single target. DDoS attackers will gain control of numerous systems through malware infection and then use these systems as bots (collectively known as a botnet) to carry out the attack. The victims are unaware that their devices are compromised; the individual bots remain dormant under the control of their attacker until the attacker calls on them to perform coordinated, large-scale malicious attacks against a target. The botnet will simultaneously forward overwhelming traffic to the target, causing services to stop responding. A DoS attack is easier to identify and block, whereas the source of a DDoS attack is more difficult to determine and block.

[Figure: A botnet of bots under the control of an attack handler who is carrying out a distributed denial of service (DDoS) attack, which is overwhelming the victim with traffic.]

Common attacks from botnets include spam email and phishing campaigns, data theft, cryptocurrency mining, distributed denial of service (DDoS) attacks, or click fraud (bots generate fake clicks on online ads).

A reflected DoS (often called distributed reflected DoS [DRDoS]) attack involves sending forged requests to many servers. The attacker will spoof the source IP address of the target victim, causing the servers to send their replies to the victim (instead of to the true sender). The vast number of unsolicited replies will rapidly overwhelm the target.
An amplified attack is a reflected attack that magnifies the bandwidth of the replies sent to the target victim. Several services and application protocols with weaknesses can be exploited and used in an amplification attack. Protocols commonly targeted include Network Time Protocol (NTP), Domain Name System (DNS), and Simple Network Management Protocol (SNMP). An amplification attack relies on small requests sent to a server that result in a significantly larger reply to the target, overwhelming it. Like the reflected DoS attack, the attacker spoofs the target's source address. For example, consider a request sent to an NTP server asking for a list of the last 600 hosts that requested time updates. If exploited, this request (48 bytes) will result in a reply 200 or more times larger than the request (9600 bytes or more). Combine this amplification with many bots, and the attack is significant enough to overwhelm the target.

DDoS indicators of attack include unusually slow network performance, unexplained spikes in network traffic, or sudden loss of connectivity or access to services.

On-Path Attack

An attacker uses an on-path attack (formerly referred to as a man-in-the-middle or MiTM attack) to attain a position between two parties without their knowledge. This position can allow the attacker to monitor, capture, relay, and modify communications on the path between hosts.

On-path attacks take two general forms: passive and active. In a passive attack, the attacker monitors and intercepts communications to steal information without altering the data. In an active attack, the attacker manipulates the data or injects malicious commands, potentially disrupting the communication or compromising the security of one or both parties.

On-path attacks leverage several common methods to intercept or manipulate communication:

- Wi-Fi eavesdropping occurs when attackers monitor public or unsecured wireless network traffic to intercept data.
- DNS spoofing allows attackers to alter DNS name resolution, redirecting users to malicious websites that mimic legitimate ones (pharming).
- In session hijacking, attackers steal session tokens to impersonate users and gain unauthorized access to network hosts.
- In ARP spoofing, an attacker associates their MAC address with a legitimate device's IP address on a local network, redirecting traffic through their host.

Individuals and organizations can take several preventative measures to mitigate on-path attacks:

- Use secure protocols like HTTPS, TLS, or VPNs to encrypt communications.
- Implement multifactor authentication and mutual authentication to verify the identity of communicating parties.
- Enable secure network configurations like firewalls and static ARP entries, and configure DNSSEC for secure DNS communications.
- Avoid public or unsecured wireless networks or use a VPN.

Media Access Control (MAC) Flooding

Media Access Control (MAC) flooding is a network attack in which an attacker sends many packets with fake MAC addresses to a switch. The goal is to overwhelm the switch's MAC address table (Content Addressable Memory [CAM] table), causing it to enter a fail-open state and flood all traffic to all ports. Flooding allows attackers to sniff and intercept traffic not intended for their host.

Modern enterprise-grade switches may implement mitigation technologies for MAC flooding attacks. However, several best practices will further enhance protection against flooding attacks:

- Enable port security to limit the number of MAC addresses per port.
- Use VLANs to isolate traffic and limit the potential attack impact.
- Use network monitoring and logging tools to detect abnormal traffic patterns, such as excessive MAC learning on a port.
- Enable advanced switch features to maintain MAC table integrity, such as MAC address aging, sticky MAC, port security, and dynamic ARP inspection.
- Ensure the device has the latest firmware and security patches.
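The monitoring recommendation above (detecting excessive MAC learning on a port) can be implemented as a sliding-window count of distinct source MACs per switch port. The following is an added example, not part of the original document; the log format, port names, thresholds, and function names are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample data in a made-up '<ISO time> <port> <mac>' format."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [
        "2024-05-01T09:00:00 Gi0/1 00:1A:2B:00:00:01",  # desk PC
        "2024-05-01T09:00:02 Gi0/1 00:1A:2B:00:00:02",  # IP phone on the same port
        "2024-05-01T09:00:05 Gi0/2 00:1A:2B:00:00:03",
        "-- log rotated --",                             # malformed, must be skipped
    ]
    # Gi0/3: four different devices plugged in over four hours (normal churn).
    for hour in range(4):
        when = base + timedelta(hours=hour)
        lines.append(f"{when.isoformat()} Gi0/3 00:1a:2b:00:01:{hour:02x}")
    # Gi0/7: forty previously unseen source MACs within four seconds.
    for i in range(40):
        when = base + timedelta(minutes=5, milliseconds=100 * i)
        lines.append(f"{when.isoformat()} Gi0/7 02:00:00:00:00:{i:02x}")
    return "\n".join(lines)


def parse_events(text):
    """Yield (time, port, mac) tuples; silently skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2].lower()


def find_mac_learning_bursts(events, max_macs=3, window=timedelta(seconds=10)):
    """Return {port: peak distinct MACs} for ports that exceed max_macs
    distinct source MACs inside any sliding window of the given length."""
    recent = defaultdict(deque)   # port -> (time, mac) events still inside the window
    peak = defaultdict(int)       # port -> highest distinct-MAC count observed
    for when, port, mac in sorted(events):
        seen = recent[port]
        seen.append((when, mac))
        while when - seen[0][0] > window:
            seen.popleft()        # drop events that have aged out of the window
        distinct = len({m for _, m in seen})
        peak[port] = max(peak[port], distinct)
    return {port: count for port, count in peak.items() if count > max_macs}


if __name__ == "__main__":
    alerts = find_mac_learning_bursts(parse_events(build_sample_log()))
    for port, count in alerts.items():
        print(f"{port}: {count} distinct MACs learned within the window")
```

The time window is what separates a flood from ordinary device churn: Gi0/3 sees four MACs over four hours and stays quiet, while the same four MACs inside one window would exceed the limit.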
ARP Poisoning and ARP Spoofing

The Address Resolution Protocol (ARP) maps an IP address to a MAC address, allowing communication within a local network segment. When a device needs to communicate with another on the same network segment, it sends an ARP request to find the MAC address linked to the target IP address. The target device responds with an ARP reply containing its MAC address.

ARP poisoning and spoofing are related attacks that manipulate the Address Resolution Protocol (ARP) to intercept, modify, or disrupt network communication.

ARP spoofing occurs when an attacker sends malicious ARP replies, mapping their MAC address to the IP address of a legitimate device. The target updates its ARP cache with the spoofed information, directing traffic to the attacker instead of the legitimate device.

ARP poisoning occurs when one or more devices on the network have their ARP caches modified with spoofed entries. In a single-device attack, the attacker targets the ARP cache of a specific device (e.g., workstation or server) and typically associates the attacker's MAC address with the gateway's IP address, directing the device's traffic through the attacker's system. When an attacker sends spoofed ARP replies to multiple devices to poison their ARP caches, the attacker can intercept all traffic from various targets.

The key distinction between ARP spoofing and ARP poisoning:

- ARP spoofing is the act of sending malicious ARP replies to a target.
- ARP poisoning is when devices hold incorrect cache entries due to spoofing.

Attackers typically use the following steps to perform an ARP cache spoofing and poisoning attack to obtain on-path access:

- The attacker must have access to the network and will scan it, looking for two active IP addresses (e.g., workstation and router). One of the two devices is typically a default gateway router.
- The attacker will use a spoofing tool (such as arpspoof, Ettercap, or Scapy) to broadcast unsolicited ARP replies with a spoofed MAC address. This step is when the spoofing takes place.
- The two target devices update their ARP cache entries to reflect the new spoofed mappings. This step is when the poisoning takes place.
- The attacker is now positioned between the router and the workstation, eavesdropping on all communication, resulting in a successful on-path attack.

[Figure: Illustration of ARP poisoning, where an attacker corrupts the ARP cache of devices to intercept or redirect network traffic by associating their MAC address with a legitimate IP address.]

The impact of ARP attacks on a network includes:

- Network disruption caused by misrouting, communication delays, or complete loss of connectivity.
- Data modification as traffic passes through the attacker's device before being forwarded to the intended recipient.
- Interception of data in transit potentially exposes sensitive information.
- ARP spoofing can be a basis for further on-path attacks, session hijacking, or credential theft.

On-path attacks, such as ARP poisoning and spoofing, can be challenging to detect because attackers typically relay legitimate traffic. However, some signs may be evident, such as random and frequent disconnections from networks or services or noticeable network latency.

DNS Spoofing and DNS Poisoning

The domain name system (DNS) resolves host names and services into their corresponding IP addresses (and vice versa for reverse DNS). Name resolution is crucial on local area networks and the Internet. Without its use, users would have to remember IP addresses for every site they visit.

Attackers often exploit DNS as a popular attack vector using DRDoS attacks, spoofing, poisoning, or hijacking.

DNS spoofing involves sending forged DNS responses to a device, tricking it into accepting fake IP address mappings.
DNS spoofing does not poison the server; instead, it manipulates individual systems by successfully racing ahead of legitimate DNS responses with a bogus response.

[Figure: Illustration of a DNS spoofing attack: Two separate ipconfig /displaydns commands show how a malicious domain (spoofedbank.com) is added to the DNS cache, followed by the legitimate domain (realbank.com) being poisoned to redirect to the same malicious IP address.]

DNS poisoning occurs when an attacker injects false information into a server's DNS cache. This poisoned cache entry redirects all users seeking name resolution to malicious IP addresses instead of legitimate ones. Poisoned entries persist in the server's cache until the Time-to-Live value expires or the cache is automatically or manually cleared.

The key distinction between DNS spoofing and DNS poisoning:

- DNS spoofing targets and affects individual users or devices without modifying the server.
- DNS poisoning targets the DNS server's cache and can affect all users who rely on that server for name resolution.

The impact of DNS spoofing and poisoning attacks includes:

- Attackers may redirect users to malicious websites designed to steal credentials, deliver malware, or display fraudulent content.
- Attackers can intercept sensitive information like payment details or login credentials.
- Disruption of services can make legitimate services unreachable, causing downtime.

Standard mitigation techniques include implementing DNSSEC, DNS over HTTPS, or DNS over TLS.

Rogue Devices and Services

Rogue devices and services are unauthorized or malicious entities connected to a network that disrupt normal operations, expose sensitive information, or provide means for future attacks.

Rogue DHCP Server

A rogue DHCP server is an unauthorized DHCP server introduced into the network, providing clients with incorrect IP address configurations.
A rogue DHCP server can be a physical device (e.g., router, IoT device, or computer) or a software-based service configured to provide DHCP responses. Unintentional or malicious rogue DHCP servers enter the network through a compromised or unsecured port, often introduced by attackers or misconfigurations. For example, an employee wants to add Wi-Fi capability to the network and unknowingly connects a SOHO Wi-Fi router with DHCP enabled. The router begins handing out IP address configuration with an incorrect default gateway, causing multiple devices to lose connectivity.

When clients request IP address configurations, they typically accept the configuration from the first server to respond to the request. When a rogue DHCP server exists on the network, it competes with the legitimate DHCP server in responding first to clients' requests. If the rogue server wins, the client accepts and uses incorrect IP configuration information from the rogue server.

The impact of incorrect IP configuration through rogue DHCP servers includes:

- The client receives a malicious default gateway assignment to redirect traffic through the attacker's host.
- The client gets a malicious DNS server assignment to redirect users to phishing sites.
- The client receives a conflicting IP address configuration, causing connectivity issues.

Rogue Access Points (APs)

A rogue access point (AP) is an unauthorized wireless access point connected to a network. It may be set up intentionally by an attacker or unintentionally by employees or users who do not understand the security implications. Rogue APs can either be physically connected to the network or operate independently. They can introduce significant risks by providing an entry point for unauthorized access, interception of sensitive data, or disruption of legitimate wireless traffic.

An entity (intentionally or unintentionally) connects a rogue AP directly to the wired network, often through an unsecured Ethernet port.
This rogue AP becomes a gateway for wireless devices to connect to the wired network without authentication or authorization.

A rogue AP may broadcast a wireless SSID mimicking the legitimate network's name. Unsuspecting users associate with this rogue AP, thinking it is legitimate, unknowingly exposing their traffic to the attacker.

Attackers may configure rogue APs as intermediaries between wireless users and the legitimate network. This on-path exploitation allows the attacker to intercept, monitor, or manipulate user traffic in real time.

Rogue APs can interfere with legitimate wireless traffic, degrading network performance or causing disconnections.

Organizations in regulated industries may face fines or penalties if rogue APs lead to data breaches, violating standards such as PCI DSS or GDPR.

Evil Twin

An evil twin is a rogue AP attack in which the attacker uses a wireless AP that mimics a legitimate network. The evil twin is implemented with tools like mobile hotspots, portable routers, or software-defined (e.g., virtualized) APs and uses the same SSID as the authentic network. The attacker often positions their AP closer to users or boosts its transmit signal strength to overcome the legitimate AP.

Attackers can bypass the need for security credentials for the legitimate AP by exploiting how devices and users connect to Wi-Fi networks:

- Creating an Open Network: An attacker configures an AP with the identical SSID as the legitimate AP but leaves it as open authentication with or without encryption.
- Exploiting Misconfigured Devices: Misconfigured devices may prioritize connecting to networks with familiar "trusted" SSIDs and accept open or weaker security settings.
- Deauthentication Attacks: The attacker sends deauthentication packets to force clients to disconnect from the legitimate AP. After disconnecting, devices attempt to reconnect automatically. The evil twin has a stronger wireless signal or responds faster, and the client connects.
- User Prompt Manipulation: The attacker's evil twin AP forces users to re-enter their credentials, claiming the network requires re-authentication. The evil twin tricks users into providing their Wi-Fi password, which the attacker can use to configure the evil twin with the same security settings as the legitimate AP.

The impact of evil twin APs includes:

- Attackers can capture unencrypted sensitive information, which can lead to data theft.
- Evil twins facilitate on-path attacks, enabling attackers to modify or inject malicious data into communications.
- Users redirected to spoofed login pages may unknowingly provide credentials directly to the attacker.

VLAN Hopping

VLAN hopping is a network attack in which an attacker exploits vulnerabilities in the VLAN configuration to obtain unauthorized access to traffic on different VLANs. There are two primary methods an attacker can utilize to carry out a VLAN hopping attack:

Switch spoofing occurs when the attacker configures their device to act like a switch. The attacker then negotiates a trunking link with the target switch by mimicking a legitimate switch using Dynamic Trunking Protocol. Once the attacker has established the trunk link, they gain access to multiple VLANs.

[Figure: Illustration of a VLAN hopping attack using switch spoofing, where an attacker exploits dynamic trunk negotiation to gain unauthorized access to all VLANs on a network.]

Double tagging occurs when an attacker crafts a packet with two VLAN tags (802.1Q headers).

- Outer Tag: The tag matches the first switch's native VLAN and corresponds to the VLAN of the attacker's port.
- Inner Tag: Corresponds to the target VLAN.

[Figure: Demonstration of a double-tagging VLAN hopping attack, where an attacker crafts packets with two VLAN tags to exploit a trunk port's native VLAN configuration and gain unauthorized access to a target VLAN.]

Double tagging exploits a lack of VLAN tag verification across multiple switches.
When the packet reaches the first switch, the outer tag is stripped and the packet is forwarded to the VLAN indicated by the inner tag. If the second switch does not verify VLAN tags, it routes the packet to the target VLAN. Double tagging is a one-way attack because the attacker's packets reach the target VLAN, but the target cannot route replies back to the attacker. This limitation makes double tagging effective for injecting packets for reconnaissance or disruption.

The impact of VLAN hopping includes:

- Attackers gain unauthorized access to traffic from VLANs they are not authorized to access.
- Sensitive information, such as credentials or private communication, may be exposed.
- Attackers can disrupt legitimate services or overwhelm systems by injecting malicious traffic into target VLANs.
- As with most attacks, VLAN hopping increases the organization's attack surface.

Device Hardening

Manufacturers of network devices configure them with default settings that are typically well-documented and publicly available. The first step in hardening is changing default settings to improve security. Hardening refers to the methods and tasks for enhancing the security of devices, software, and systems while reducing the organization's attack surface.

Change Default Usernames and Passwords

Default usernames and passwords are configured on new devices or systems when the manufacturer initially sets them up. On most devices and systems, default credentials are well-known values an adversary can acquire through a simple web search. An administrator must change these with strong values before the organization uses the system, as threat actors will scan target devices early in the attack life cycle to compromise a device's authentication service by submitting default username and password combinations.

Disable Unused Ports and Services

Every device, such as routers, switches, and servers, comes with ports (physical and logical) and services enabled by default.
Not all of these are necessary for your organization's operations. Unused ports and services can act as open doors for attackers. Disabling them reduces your attack surface and the opportunity for an attacker to exploit them.

A few best practice examples for disabling unused ports and services include:

- Disable unused network protocols on devices: For example, on a network printer, disable unused protocols such as Telnet, FTP, or SNMP. If these protocol functions are required, choose the secure alternative ports/services (e.g., SSH instead of Telnet, SFTP or FTPS instead of FTP, and SNMPv3 with authentication and encryption).
- Turn off legacy services: On your Windows servers, for example, disable older, vulnerable services like SMBv1 and SMBv2c in favor of SMBv3.
- Administratively deactivate unused interfaces on switches and routers: For example, shut down unused Ethernet ports on a managed switch to prevent unauthorized devices from connecting.
- Disable default administrative management interfaces: For example, turn off remote management interfaces such as HTTP, Telnet, or TFTP and use secure alternatives like HTTPS, SSH, or FTPS, respectively.

Network Access Control (NAC)

Network Access Control (NAC) is a fundamental aspect of network security that ensures only authorized devices and users can connect to the network.

Port Security

Every active network wall jack and switch port allows a threat actor to access the Ethernet network. Without proper security mechanisms, attackers can place themselves directly on a Layer 2 network segment.

Port security is a feature on network switches that restricts access to specific ports based on defined rules. Port security is essential because it prevents unauthorized devices from connecting to the network and mitigates risks such as rogue devices and network-based attacks (e.g., MAC address spoofing, VLAN hopping, ARP poisoning, MAC flooding, or unauthorized network sniffing).
For example, an organization might allow only one device to connect to a specific switch port.

MAC Filtering

MAC filtering is a means of preventing unauthorized access to a Layer 2 segment via a switch. Recall that the NIC's unique MAC address identifies it, and manufacturers burn this address into the card during production.

MAC filtering is a feature of switches in which the administrator creates a list of allowed (or disallowed) MAC addresses and maps them to individual switch ports. When a NIC is attached to a switch port, the switch compares the MAC address of the connected NIC with the list on the switch and either allows or denies access.

MAC limiting is a form of MAC filtering, but instead of allowing only a single MAC address, the switch will allow multiple MAC addresses on a single switch port. The switch will deny access to any additional device connected to that specific port. Both MAC filtering and MAC limiting require static mapping of MAC addresses to switch ports.

[Figure: MAC filtering is enabled on a SOHO Wi-Fi router, allowing only specific wireless clients based on their MAC address.]

802.1X

Restricting access to network ports using MAC address filtering (or limiting) is time-consuming and prone to spoofing.

IEEE 802.1X is a standard for port-based network access control on Ethernet switches and wireless access points. Devices use this protocol for network authentication before they are allowed full connectivity to the network. 802.1X restricts network traffic to authentication data only, ensuring that devices cannot exchange meaningful data on the network until they successfully authenticate.

The switch becomes a client in an 802.1X authentication, authorization, and accounting (AAA) architecture:

- Supplicant: The user or client requesting access to the network.
- Authentication server: This server, typically a RADIUS server, is responsible for validating authentication requests and informing the authenticator whether the connection is allowed.
- Authenticator: The authenticator is the intermediary between the supplicant and the authentication server (e.g., an Ethernet switch or wireless access point). It passes the supplicant's request to the server and relays the server's response back to the supplicant.

The authentication server often runs software that supports Extensible Authentication Protocol (EAP) and Remote Authentication Dial-In User Service (RADIUS). Until the client authenticates, the supplicant allows only EAP over LAN (EAPOL) traffic.

The process works as follows:

- The supplicant sends a request for authentication to the authenticator using EAPOL.
- The authenticator forwards the supplicant's request to the authentication server using RADIUS.
- The authentication server validates the credentials and responds to the authenticator.
- Once authentication succeeds, the authenticator allows normal data flow, fully connecting the supplicant to the network.

[Figure: Diagram illustrating the 802.1X authentication process, showing the Supplicant (wired host), Authenticator (switch), and AAA Server (RADIUS) interacting via EAPoL, RADIUS, and LDAP. The Authenticator enforces access control based on authentication results, with credentials verified through Active Directory.]

Security Rules

Security rules are critical for managing and controlling network traffic and protecting systems from unauthorized access or malicious content. They provide granular control over what is allowed or denied on a network. Three key components include Access Control Lists (ACLs), URL Filtering, and Content Filtering.

Access Control List (ACL)

An access control list (ACL) is a set of rules applied to network devices (e.g., routers and firewalls) that determine whether incoming or outgoing traffic is allowed or denied. ACLs provide precise control over traffic, such as blocking unauthorized access, preventing specific types of traffic, and restricting users from accessing sensitive resources.
ACLs evaluate traffic based on criteria such as:

- Source and destination IP addresses.
- Protocols (e.g., TCP, UDP, and ICMP).
- Ports (e.g., HTTP: port 80, HTTPS: port 443, and SFTP: port 22).

ACLs are evaluated in order, starting from the top. The system applies the first matching rule and ignores all subsequent rules. Traffic that matches a rule is either allowed or denied. For example:

This ACL, identified by number 111, has two access control entries:

- The first line allows (permit) TCP traffic from the source subnet (192.168.1.0/24) to any destination (any) that matches (eq) the destination port (443) for HTTPS.
- The second line is part of the same ACL (101) and blocks (deny) all IP traffic regardless of protocol (ip) from any source subnet (any) to any destination (any).

Administrators refer to the first rule as an explicit allow and the second (last rule in this example) as an explicit deny.

Best practices for ACLs suggest placing an explicit deny rule as the last rule in the list. However, if there is no matching rule in the ACL, all unmatched traffic is automatically denied by default (implicit deny).

Uniform Resource Locator (URL) Filtering

Uniform Resource Locator (URL) filtering is a technology that restricts access to specific web addresses (URLs) in real time. Unlike broader web filtering, which categorizes websites by content type, URL filtering operates more granularly, targeting specific domain names or paths.
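Returning to the Access Control List section above: the following added example (not part of the original document) evaluates packets against an ordered ACL using first-match semantics with an implicit deny, and reports rules that can never match because an earlier rule already covers them. The two rules are modeled on the entries described in that section; the Rule class, function names, and sample packets are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    protocol: str                   # "tcp", "udp", "icmp", or "ip" for any protocol
    src: IPv4Network
    dst: IPv4Network
    dst_port: Optional[int] = None  # None means any destination port

    def matches(self, pkt):
        return (self.protocol in ("ip", pkt["protocol"])
                and ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and self.dst_port in (None, pkt.get("dst_port")))


def evaluate(acl, pkt):
    """Return (action, rule_number). The first matching rule wins; if nothing
    matches, the packet is dropped by the implicit deny (rule_number None)."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", None


def covers(earlier, later):
    """True if every packet matched by `later` is already matched by `earlier`."""
    return (earlier.protocol in ("ip", later.protocol)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.dst_port in (None, later.dst_port))


def shadowed_rules(acl):
    """Rule numbers that can never fire because an earlier rule covers them."""
    return [number for number, later in enumerate(acl, start=1)
            if any(covers(earlier, later) for earlier in acl[:number - 1])]


# The two entries described in the text: explicit allow, then explicit deny.
ACL_AS_DESCRIBED = [
    Rule("permit", "tcp", ip_network("192.168.1.0/24"), ANY, 443),
    Rule("deny", "ip", ANY, ANY),
]
# Same entries in the wrong order: the deny now shadows the permit.
ACL_MISORDERED = list(reversed(ACL_AS_DESCRIBED))

# Constructed sample packets (documentation address range for the destination).
HTTPS_FROM_LAN = {"protocol": "tcp", "src": "192.168.1.25",
                  "dst": "203.0.113.10", "dst_port": 443}
HTTP_FROM_LAN = dict(HTTPS_FROM_LAN, dst_port=80)
HTTPS_FROM_ELSEWHERE = dict(HTTPS_FROM_LAN, src="10.0.0.5")

if __name__ == "__main__":
    for pkt in (HTTPS_FROM_LAN, HTTP_FROM_LAN, HTTPS_FROM_ELSEWHERE):
        print(pkt["src"], pkt["dst_port"], evaluate(ACL_AS_DESCRIBED, pkt))
    print("shadowed in misordered ACL:", shadowed_rules(ACL_MISORDERED))
```

Removing the final deny rule does not change the outcome for unmatched traffic: `evaluate` still returns a deny, but with no rule number, which is the implicit deny the text describes.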
Administrators can implement URL filtering through:

- Blocklists (blocking access to specific URLs, such as known phishing sites or malicious domains)
- Allowlists (allowing only pre-approved URLs)
- Dynamic analysis (inspecting requested URLs against a database in real time)

This level of granular control has several benefits for the organization, such as enforcing compliance with policies and preventing malware by reducing the risks of phishing attacks and drive-by downloads (automatic downloading of malicious software without the user's knowledge or consent).

With most web traffic now encrypted, URL filtering often relies on SSL/TLS inspection to analyze destination URLs. Modern systems can decrypt traffic, check it for policy violations, and re-encrypt it before forwarding. Administrators must carefully manage this process to maintain user privacy, ensure compliance, and minimize performance impacts introduced through encryption.

Content Filtering

Content filtering restricts or monitors data transmitted over a network. It focuses on deeper inspection and filtering of the content of web pages, emails, or files rather than just filtering by URL or IP address. Content filtering is a crucial component of modern network security, helping to enforce organizational policies, prevent data breaches, and protect users from harmful or inappropriate material.

Content filtering inspects data and applies policies to control access or block specific content. The filter analyzes data packets in transit to identify patterns such as URLs embedded in content, MIME types (e.g., identifying file types like .exe), sensitive information (e.g., credit card numbers, social security numbers), keywords (e.g., offensive or explicit language), or categories that match predefined policies.

An organization can deploy content filters on-premises as a dedicated device or integrate them into firewalls or Unified Threat Management (UTM) appliances.
Cloud platforms provide scalable and centralized content filtering without requiring physical infrastructure.

Content filtering serves several vital purposes in network security and organizational policy enforcement:

- Preventing malware and phishing: Content filtering blocks harmful email attachments or links to known malicious websites. It scans web pages for suspicious code or scripts to protect users from harmful content.
- Enforcing acceptable use policies: Content filtering restricts access to content unrelated to business operations, such as streaming services or social media, and can block inappropriate material. An Acceptable Use Policy (AUP) is a set of rules that outlines users' acceptable and prohibited activities when accessing an organization's network, systems, or resources.
- Protecting sensitive data: Content filtering prevents data exfiltration by scanning outbound traffic for sensitive information, such as SSNs, credit card numbers, or confidential files, and blocking the unauthorized transmission of such data.
- Ensuring compliance with regulatory requirements: Content filtering can help ensure compliance with laws such as GDPR or PCI DSS by blocking risky or non-compliant content.

Filtering content can present a few challenges. Like URL filtering, content filtering must decrypt SSL/TLS traffic to inspect encrypted data. Filtering systems might block legitimate content if policies are too broad or poorly configured. Deep packet inspection, used by content filtering, requires significant processing power that could increase latency, especially in high-traffic environments.

Zones

The trusted zone is private and under the organization's administrative control. Hosts in this zone use private IP addresses, which are not accessible by unsolicited external requests. Devices in the trusted zone typically include authentication credentials and directory services, sensitive data repositories, trusted client devices, and other internal resources.
The untrusted zone is public and beyond the organization's control. Hosts in this zone use public IP addresses managed by internet service providers. This zone allows filtered outbound access from the trusted zone. Devices in the untrusted zone often include publicly accessible web resources and public DNS servers.

The screened subnet, or demilitarized zone, is controlled by the organization and contains public-facing hosts. These hosts allow access from the untrusted zone and permit connections from the trusted zone. However, they should not initiate communication with the trusted zone. Devices in the screened subnet typically include web servers, email servers, remote access servers, VoIP gateways, and proxy servers. This separation minimizes risks to trusted resources.

[Figure: Visualization of security zones in a network, including the Trusted/Private Zone for internal resources, the Screened Subnet (DMZ) for public-facing servers, and the Untrusted/Public Zone for internet and hosted resources, with firewalls enforcing boundaries between zones.]

Key Management

Key management refers to the processes and practices involved in generating, distributing, storing, rotating, and revoking cryptographic keys. Proper key management ensures the security and integrity of cryptographic systems used in network security.

Cryptographic keys are fundamental to securing data in transit and at rest through encryption, authentication, and integrity mechanisms. Proper key management ensures these keys remain secure, available, and effective throughout their lifecycle.

- Key Generation: The key management lifecycle begins with creating secure keys for encryption, decryption, or digital signatures. For example, an organization creates ECC keys for VPN authentication and AES keys for encryption.
- Key Distribution: Securely sharing keys between devices, users, or systems that need to communicate securely.
  For example, organizations can use protocols like Diffie-Hellman for secure key exchange/agreement or PKI to distribute public keys.
- Key Storage: Prevents unauthorized access to keys while stored at rest. For example, private keys can be stored in a hardware security module (HSM) or securely encrypted on disk. An HSM is a physical device designed to securely generate, store, and manage cryptographic keys.
- Key Rotation (or Key Updating): Regularly updating keys to limit the risk of compromise, such as rotating encryption keys for wireless networks using WPA3-Enterprise or TLS certificates.
- Key Revocation: Permanently disabling compromised or outdated keys to prevent misuse. For example, an organization may revoke a TLS certificate for a public-facing server in case of a suspected breach.
- Key Destruction: Securely erasing keys that are no longer in use to prevent unauthorized recovery. For example, when decommissioning an old server, cryptographic keys stored on the server are securely erased using a tool that overwrites the data multiple times. If the organization stores keys in an HSM, the HSM's key destruction process is initiated.
- Key Access Control: Limiting who or what can access and use cryptographic keys. For example, an organization may use role-based access control (RBAC) or M-of-N control to access private keys. In M-of-N control, there are N total authorized entities with access, but at least M entities must collaborate to use or access the key.
- Key Recovery: Ensuring a key owner can securely retrieve a key if it becomes temporarily inaccessible due to accidental loss or disaster scenarios. For example, an administrator accidentally deletes a key that encrypts a database on an operational server. The key is securely stored in an escrow system, allowing administrators to recover it.
