Chapter 3 - 01 - Discuss Information Security Fundamentals
EC-Council
Certified Cybersecurity Technician - Network Security Fundamentals - Exam 212-82

Discuss Network Security Fundamentals

This section introduces the need for security; elements of information security; the security, functionality, and usability triangle; the NIST cybersecurity framework; security challenges; and the impact of information security attacks.

Module 03 Page 406 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

What is Information Security?

Information security is "the state of the well-being of information and infrastructure in which the possibility of theft, tampering, or disruption of information and services is kept low or tolerable." Information security refers to the protection or safeguarding of information and information systems that use, store, and transmit information from unauthorized access, disclosure, alteration, and destruction.
Need for Security

Today, organizations are increasingly networked, as information is exchanged at the speed of thought. The evolution of technology has focused on ease of use, and routine tasks rely on the use of computers for accessing, providing, or simply storing information. As information assets differentiate a competitive organization from others of its kind, they also register an increasing contribution to corporate capital. There is therefore a sense of urgency on the part of the organization to secure these assets from likely threats and vulnerabilities.

The subject of information security is vast, and it is the endeavor of this course to give the student the comprehensive body of knowledge required to secure the information assets under his or her consideration. This course assumes that organizational policies exist that are endorsed by top-level management, and that business objectives and goals related to security have been incorporated into the corporate strategy. A security policy is the specification of how objects in a security domain are allowed to interact.

The importance of security in the contemporary information and telecommunications scenario cannot be overemphasized, and there are myriad reasons for securing ICT infrastructure. Computers have evolved from the annals of universities to laptops and PDAs. Initially, computers were designed to facilitate research, and little emphasis was placed on security because these scarce resources were meant for sharing. The permeation of computers into the routine workspace and daily life has seen more control transferred to computers and a higher dependency on them for important routine tasks, which in turn has increased the use of network environments and network-based applications. Any disruption means loss of time and money, and sometimes even loss of life.
Also, the increasing complexity of computer infrastructure administration and management means that a security breach has a direct impact on the corporate asset base and goodwill.

Elements of Information Security

Information security relies on five major elements: confidentiality, integrity, availability, authenticity, and non-repudiation.

- Confidentiality: Confidentiality is the assurance that the information is accessible only to those authorized to have access. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper disposal of equipment (such as DVDs, USB drives, and Blu-ray discs).

- Integrity: Integrity is the trustworthiness of data or resources in terms of preventing improper or unauthorized changes, that is, the assurance that information is sufficiently accurate for its purpose.
Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data has not changed) and access control (which ensures that only authorized people can update, add, or delete data).

- Availability: Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include disk arrays for redundant systems and clustered machines, antivirus software to combat malware, and distributed denial-of-service (DDoS) prevention systems.

- Authenticity: Authenticity refers to the characteristic of communication, documents, or any data that ensures the quality of being genuine or uncorrupted. The major role of authentication is to confirm that a user is genuine. Controls such as biometrics, smart cards, and digital certificates ensure the authenticity of data, transactions, communications, and documents.

- Non-Repudiation: Non-repudiation is a way to guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. Individuals and organizations use digital signatures to ensure non-repudiation.
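The two integrity measures named above, a checksum and access control, working together in one small Python record store. This is an added illustration, not code from the EC-Council text: updates are gated by role, a keyed SHA-256 checksum (HMAC) is kept beside every record so that a change made around the access control is caught on the next read, and the role names, key, and payroll records are constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed role table: the page's "access control" measure, which ensures
# that only authorized people can update, add, or delete data.
PERMISSIONS = {
    "admin": {"read", "update", "delete"},
    "auditor": {"read"},
}


class IntegrityError(Exception):
    """Raised when a record's stored checksum no longer matches its data."""


class RecordStore:
    """In-memory store keeping a keyed checksum beside every record.

    A bare hash would let anyone who can alter the data also recompute a
    matching checksum, so HMAC-SHA256 under a key held apart from the data
    is used instead (assumption: the key is not reachable by whoever can
    edit the stored records).
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._records = {}  # name -> (data, checksum hex)

    def _checksum(self, data: bytes) -> str:
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def _authorize(self, role: str, action: str, name: str) -> None:
        if action not in PERMISSIONS.get(role, set()):
            raise PermissionError(f"role {role!r} may not {action} {name!r}")

    def write(self, role: str, name: str, data: bytes) -> str:
        """Create or update a record; returns the checksum that was stored."""
        self._authorize(role, "update", name)
        digest = self._checksum(data)
        self._records[name] = (data, digest)
        return digest

    def read(self, role: str, name: str) -> bytes:
        """Return a record, refusing data that fails its checksum."""
        self._authorize(role, "read", name)
        data, stored = self._records[name]
        if not hmac.compare_digest(stored, self._checksum(data)):
            raise IntegrityError(f"record {name!r} has been modified")
        return data

    def verify_all(self) -> list:
        """Names of every record whose data no longer matches its checksum."""
        return sorted(name for name, (data, stored) in self._records.items()
                      if not hmac.compare_digest(stored, self._checksum(data)))


def modify_behind_the_store(store: RecordStore, name: str, data: bytes) -> None:
    """Constructed stand-in for a change that bypasses the access control
    (a disk-level edit, a bug): the data changes, the checksum does not."""
    _, stored = store._records[name]
    store._records[name] = (data, stored)


def demo() -> dict:
    """Run the scenario and return what each control observed."""
    store = RecordStore(key=b"constructed-demo-key")
    store.write("admin", "payroll", b"alice=5000;bob=4200")
    result = {"auditor_can_read": store.read("auditor", "payroll")}
    try:  # access control: a read-only role may not update
        store.write("auditor", "payroll", b"alice=9000")
        result["auditor_blocked"] = False
    except PermissionError:
        result["auditor_blocked"] = True
    modify_behind_the_store(store, "payroll", b"alice=9000;bob=4200")
    result["tampered"] = store.verify_all()  # checksum: change is detected
    try:
        store.read("auditor", "payroll")
        result["read_refused"] = False
    except IntegrityError:
        result["read_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```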
The Security, Functionality, and Usability Triangle

Technology is evolving at an unprecedented rate. As a result, new products reaching the market focus more on ease of use than on secure computing. Though technology was originally developed for "honest" research and academic purposes, it has not evolved at the same pace as users' proficiency. Moreover, in this evolution, system designers often overlook vulnerabilities during the intended deployment of the system. However, adding more built-in default security mechanisms allows users more competence.

It is becoming difficult for security professionals to allocate resources exclusively for securing systems, given the augmented use of computers for an increasing number of routine activities. This includes the time needed to check log files, detect vulnerabilities, and apply security update patches. As routine activities consume system professionals' time, leaving less time for vigilant administration, there is little time to deploy measures and secure computing resources on a regular and innovative basis. This fact has increased the demand for dedicated security professionals to constantly monitor and defend ICT (Information and Communication Technology) resources.

Originally, to "hack" meant to possess extraordinary computer skills to explore hidden features of computer systems. In the context of information security, hacking is defined as the exploitation of vulnerabilities of computer systems and networks and requires great proficiency. However, today there are automated tools and code available on the Internet that make it possible for anyone who possesses the will to succeed at hacking. Mere compromise of system security, however, does not denote hacking success. There are websites that insist on "taking back the Internet" as well as people who believe that they are doing everyone a favor by posting details of their exploits. In reality, doing so serves to reduce the skill level required to become a successful attacker.

The ease with which system vulnerabilities can be exploited has increased, while the knowledge curve required to perform such exploits has decreased. The concept of the elite "super attacker" is an illusion; the fast-evolving genre of "script kiddies" is largely comprised of lesser-skilled individuals with second-hand knowledge of performing exploits.

One of the main impediments to the growth of security infrastructure lies in the unwillingness of exploited or compromised victims to report such incidents for fear of losing the goodwill and faith of their employees, customers, or partners, and/or of losing market share. The trend of information assets influencing the market has seen more companies thinking twice before reporting incidents to law enforcement officials for fear of "bad press" and negative publicity. The increasingly networked environment, with companies often using their websites as single points of contact across geographical boundaries, makes it critical for security professionals to take countermeasures to prevent exploits that can result in data loss. This is why corporations need to invest in security measures to protect their information assets.

The level of security in any system can be defined by the strength of three components:

- Functionality: The set of features provided by the system.
- Usability: The GUI components used to design the system for ease of use.
- Security: Restrictions imposed on accessing the components of the system.

The relationship between these three components is demonstrated using a triangle, because an increase or decrease in any one of the components automatically affects the other two. Moving the ball towards any of the three components means decreasing the intensity of the other two. For example, as shown in the figure, if the ball moves towards Security, security increases while Functionality and Usability decrease. If the ball is in the center of the triangle, all three components are balanced. If the ball moves towards Usability, usability increases while Functionality and Security decrease. For any implementation of security controls, all three components have to be considered carefully and balanced to obtain acceptable functionality and usability with acceptable security.

Figure 3.1: Security, Functionality, and Usability Triangle (corners: Functionality (Features), Usability (GUI), Security (Restrictions); moving the ball towards security means less functionality and usability)
NIST Cybersecurity Framework (CSF)

Source: https://www.nist.gov

The ever-growing cyber threat landscape is forcing organizations to be alert in tackling evolving cyber threats in order to secure their business infrastructure and deliver continuous services to their customers. To assist enterprises in managing cybersecurity risks, NIST brought all stakeholders together to form a community to design a Cybersecurity Framework (CSF) that addresses all the security risks and supports continuous business operations. The CSF includes best practices, guidelines, and industry standards that assist enterprises in handling risks. The CSF consists of a set of key components such as the following.

- Core: It offers a set of operations or activities that help in attaining the desired security outcomes. It includes industry standards, practices, guidelines, operations, functions, and results that interact with cybersecurity activities.

- Tiers: They are different levels of implementation that help in assessing and planning cybersecurity activities. They offer segment-wise approaches for enterprises to deal with cybersecurity risks.

- Profiles: They are used to determine how standards, practices, guidelines, functions, and their categories should be aligned with the business needs, risk tolerance, and resources. A profile allows enterprises to build a roadmap to minimize security risks.

- Implementation Guidelines: They propose common techniques to adopt the NIST CSF. They define common information flows and decisions at different levels within an enterprise to manage risks.

Functions and Categories of NIST CSF

The following framework functions are not defined to create a serial path or attain a required end state; rather, they are recommended to be performed simultaneously and continuously to create operational conditions that help in addressing security risks.

- Identify: This function deals with developing an enterprise understanding of how to handle cybersecurity risks to data, people, assets, systems, and other capabilities. The operations in the Identify function are important aspects for the productive use of the framework. Being aware of the business context, the resources used for different functions, and the associated cyber risks allows enterprises to concentrate on and prioritize their risks as well as improve risk management plans to run the business effectively. The categories of this function are asset management, business environment, governance, risk assessment, and risk management strategy.

- Protect: This function involves designing and implementing proper protection methods to ensure critical service delivery. The function provides the capability to restrict and control the impact of critical cybersecurity incidents. The categories of this function are identity management and access control, awareness training, data security, information protection processes and procedures, maintenance, and protective technology.

- Detect: This function entails the design and implementation of suitable operations to discover unexpected cybersecurity events across a network. This function provides the ability to discover cybersecurity events without delay. The categories of this function are anomalies and events, continuous security monitoring, and detection processes.

- Respond: This function involves the design and implementation of suitable operations to respond to detected cybersecurity events. This function allows the organization to control the impact of critical cybersecurity events. The categories of this function are response planning, communications, analysis, mitigation, and improvements.

- Recover: This function deals with designing and implementing suitable operations to support strategies for resilience and to restore services that were affected by cybersecurity events. This function supports the timely recovery of services to their normal condition or state to minimize the impact of security events. The categories of this function are recovery planning, improvements, and communications.
Security Challenges

Accelerating digitization has benefited the IT industry in every way, but it has also paved the way for sophisticated cyber attacks and cybersecurity challenges. There is a need for security professionals in every organization to secure its sensitive and private data. Security professionals face many challenges and threats from cyber attackers who disrupt their networks and assets.

The following are some of the security challenges faced by security professionals and organizations:

- Compliance with government laws and regulations
- Lack of qualified and skilled cybersecurity professionals
- Difficulty in centralizing security in a distributed computing environment
- Difficulty in overseeing end-to-end processes due to complex IT infrastructure
- Fragmented and complex privacy and data protection regulations
- Use of serverless architectures and applications that rely on third-party cloud providers
- Compliance issues, and issues with data removal and retrieval, due to the implementation of Bring Your Own Device (BYOD) policies in companies
- Relocation of sensitive data from legacy data centers to the cloud without proper configuration
- Weak links in supply-chain management
- Increase in cybersecurity risks such as data loss, unpatched vulnerabilities, and errors due to the usage of shadow IT
- Shortage of research visibility and training for IT employees
Impact of Information Security Attacks

Information security attacks are a major security concern for any organization, as they can have a severe impact on the organization's assets, resources, financial records, and other confidential data. Such attacks are carried out by attackers with various motives and objectives and may have a severe impact on network and system resources as well as other organizational elements. The following are the impacts that information security attacks can have on an organization:

- Financial Losses: Organizations can suffer huge financial losses due to information security attacks. Financial losses faced by organizations can be either direct or indirect: direct losses refer to the amount of money businesses have to pay for professional services, lost contracts, and downtime, while indirect losses refer to the money the organization must allocate to hire new staff, train them, and upgrade the organizational infrastructure.

- Loss of Confidentiality and Integrity: Confidentiality and integrity are the most essential elements of information security. They assure that the information is accessible only to those who are authorized to have access and is sufficiently accurate for its purpose. Confidentiality and integrity breaches may occur due to improper data handling or a hacking attempt. This results in loss of trustworthiness of data or resources, damage to corporate reputation, and loss of goodwill, business credibility, and trust.

- Damaged Customer Relationship: Trust is an important component required to establish a customer relationship. Once an organization has been attacked, the attack causes a permanent impact on organizational reputation and results in loss of trust among customers. This damages the customer relationship and leads to loss of customers, a decrease in sales, and a drop in profits.

- Loss of Business Reputation: Data protection and security are fundamental components that help protect business reputation and maintain customer loyalty. Information security attacks diminish business reputation and lead to loss of existing loyal customers as well as of the potential to attract new customers. The impact of reputational damage can even affect suppliers, relationships with partners, investors, and other third parties.

- Legal and Compliance Issues: Organizations often face legal and compliance issues while dealing with security incidents. Managing the legal challenges of addressing information security is a complex process for organizations that impacts business reputation and public relations. Legal and compliance issues result in negative publicity for an organization and affect the business's performance.

- Operational Impacts: Information security attacks may leave the organization disabled, as they disrupt the working of an entire organizational network. They affect the operations of the organization by degrading the quality of services, preventing it from meeting service availability requirements, decreasing staff efficiency and productivity, and so on.