COMP 211 LO1 Student Notes PDF

Summary

These student notes cover fundamental cybersecurity concepts, including confidentiality, integrity, availability, and privacy. The notes discuss the importance of cybersecurity for businesses and how data breaches can negatively impact operations and reputation. The document also explains key concepts such as identification, authentication, and authorization.

Full Transcript

LO:01 Understand cyber security concepts

I. Cyber security concepts and why cyber security matters to business and society:

Loss of data required to undertake business processes
Diminished reputation (lack of client engagement, no longer recommended by
current clients)
Financial penalties for non-compliance with legislation (data protection, misuse of
computers)
Reduced profits (loss of financial details, paying to gain access to data being held
by third party, fraud)
Increased overheads (hardware, specialist support)
Denial of services (access to websites, ability to place orders, access to data stored
on networks)

1. Cyber security concepts

Cybersecurity refers to technologies, processes, and training that help protect systems, networks,
programs, and data from cyberattacks, damage, and unauthorized access. Cybersecurity enables
you to achieve the following goals:

Confidentiality: Information should only be visible to the right people.
Integrity: Information should only be changed by the right people or processes.
Availability: Information should be visible and accessible whenever needed.

This is commonly referred to as the Confidentiality, Integrity, Availability (CIA) model in the
context of cybersecurity.

1. Confidentiality
Confidentiality ensures that sensitive information is accessible only to authorized
individuals. It involves protecting data from unauthorized access and disclosure, often
implemented through encryption, access controls, and secure communication channels.
2. Integrity

Integrity refers to the accuracy and trustworthiness of data. It ensures that information is
not altered or tampered with by unauthorized users. Mechanisms such as checksums, hash
functions, and audit logs are used to maintain data integrity.

3. Availability

Availability ensures that information and systems are accessible to authorized users when
needed. It involves maintaining system uptime, implementing redundancy, and protecting
against denial-of-service attacks to ensure continuous access to data and services.

Privacy

Privacy relates to the appropriate handling and protection of personal information. It
involves ensuring that individuals have control over their data and that organizations
comply with relevant data protection laws and regulations.

Identification

Identification is the process of recognizing a user or entity within a system. It typically
involves a unique identifier, such as a username or ID number, that distinguishes one user
from another in the system.

Authentication

Authentication verifies the identity of a user or entity attempting to access a system. This
process often involves the use of passwords, biometrics, or two-factor authentication to
confirm that the user is who they claim to be.

Authorization

Authorization determines what an authenticated user is allowed to do within a system. It
involves granting permissions and access rights based on roles, ensuring that users can only
access resources necessary for their tasks.

Accountability
Accountability ensures that actions taken within a system can be traced back to the
responsible user or entity. This is achieved through logging and monitoring, which track
user activities and help organizations hold individuals accountable for their actions.

Cybersecurity is vital for protecting data that is essential for business processes. The loss
of this data can severely disrupt operations, leading to inefficiencies, halted workflows,
and an inability to meet customer demands. For example, if customer records, financial
data, or operational documents are compromised or lost, it can result in significant delays,
decreased productivity, and even potential legal ramifications. Moreover, data loss can
erode trust among clients and stakeholders, as they rely on businesses to manage their
information securely. Consequently, investing in robust cybersecurity measures not only
safeguards critical data but also ensures the continuity of operations, fosters customer
confidence, and upholds the organization’s reputation in an increasingly digital world.

Cybersecurity is crucial for maintaining a strong reputation in today’s interconnected
business landscape. A diminished reputation can arise from a cybersecurity breach,
leading to a loss of client trust and engagement. When sensitive data is compromised,
clients may feel vulnerable and question the organization’s ability to protect their
information, resulting in decreased loyalty and a reluctance to recommend the business to
others. Negative publicity surrounding a data breach can further amplify this issue,
deterring potential customers and damaging long-term relationships. In an era where
consumer trust is paramount, a tarnished reputation can have lasting effects, impacting
revenue and market position. Therefore, prioritizing robust cybersecurity measures not
only protects sensitive information but also fosters client confidence and encourages
positive word-of-mouth, ultimately supporting business growth and sustainability.

Cybersecurity is essential for ensuring compliance with data protection legislation, as
failure to adhere to these laws can result in significant financial penalties. Regulations
such as the General Data Protection Regulation (GDPR) and various national data
protection laws impose strict requirements on how organizations handle personal data.
Non-compliance can lead to hefty fines, which can be a substantial financial burden and
affect overall profitability. Additionally, violations related to the misuse of computers, such
as unauthorized access or data breaches, can attract further legal repercussions, including
lawsuits and damage claims. Beyond the immediate financial impact, these penalties can
also damage an organization's reputation and erode client trust, leading to a loss of business.
By investing in robust cybersecurity practices, organizations not only safeguard themselves
against potential fines but also demonstrate a commitment to ethical data management,
fostering trust and credibility in the eyes of clients and stakeholders.

Cybersecurity is critical for protecting an organization’s financial health, as breaches can
lead to reduced profits in several ways. The loss of financial details such as banking
information, credit card data, or sensitive transaction records can result in direct financial
losses and hinder cash flow. Moreover, in cases of ransomware attacks, organizations may
 find themselves paying to regain access to data held by malicious third parties, further
depleting financial resources. Additionally, cybersecurity incidents can facilitate fraud,
leading to unauthorized transactions and potential long-term damage to the organization's
financial stability. The cumulative effect of these issues can significantly impact an
organization’s profitability and viability. Consequently, investing in strong cybersecurity
measures not only protects against immediate financial losses but also safeguards the
organization’s future growth and success by maintaining the integrity of its financial data
and operations.

Cybersecurity is vital for protecting an organization’s operations, but it can lead to
increased overheads associated with acquiring necessary hardware and specialist support.
Organizations must invest in advanced security technologies such as firewalls, antivirus
software, and intrusion detection systems to safeguard their data and systems effectively.
Additionally, hiring cybersecurity professionals or engaging third-party experts to manage
security protocols adds to operational costs. While these expenditures may appear
burdensome, they are essential for preventing breaches that could incur far greater costs in
terms of recovery, legal penalties, and reputational damage. Moreover, the potential for
denial of services highlights the critical importance of cybersecurity. Cyber-attacks, such
as Distributed Denial of Service (DDoS) attacks, can disrupt access to websites, hinder the
ability to process orders, and restrict access to essential data stored on networks. Such
disruptions can lead to significant losses in revenue, customer dissatisfaction, and long-
term damage to brand reputation. By investing in robust cybersecurity measures,
organizations not only mitigate the risk of service interruptions but also ensure operational
continuity, enhancing overall resilience in a rapidly evolving digital landscape.
Reference to read:

II. Security assurance concepts and how assurance may be achieved in practice including
penetration testing and extrinsic assurance methods

Security assurance is an umbrella term for several processes aimed at ensuring individual
system components can adequately protect themselves from attacks. Doing so requires not
just a one-time effort, but actually spans the complete system lifecycle. Security assurance
involves processes and practices that ensure an organization's security controls are effective
in protecting its information and systems from threats. Key concepts include risk
management, which identifies and assesses vulnerabilities, and the implementation of
security controls both technical and administrative to mitigate risks. Assurance can be
achieved through practical methods such as penetration testing, where ethical hackers
simulate attacks to discover vulnerabilities in a system, enabling organizations to address
weaknesses before they can be exploited by malicious actors. Additionally, extrinsic
assurance methods, including third-party audits and security certifications, provide
independent evaluations of an organization’s security posture and compliance with industry
standards. These combined strategies not only enhance the effectiveness of security
 measures but also build trust with clients and stakeholders, ensuring that the organization
remains resilient against evolving cyber threats.

2. Penetration testing

A penetration test, also known as a pen test, is a simulated cyberattack against your
computer system to check for exploitable vulnerabilities. In the context of web application
security, penetration testing is commonly used to augment a web application firewall
(WAF).
Pen testing can involve the attempted breaching of any number of application systems,
(e.g., application protocol interfaces (APIs), frontend/backend servers) to uncover
vulnerabilities, such as unsanitized inputs that are susceptible to code injection attacks.
Insights provided by the penetration test can be used to fine-tune your WAF security
policies and patch detected vulnerabilities.

1. Planning and reconnaissance

The first stage involves:
Defining the scope and goals of a test, including the systems to be addressed and the testing
methods to be used.
Gathering intelligence (e.g., network and domain names, mail server) to better understand
how a target works and its potential vulnerabilities.

2. Scanning
 The next step is to understand how the target application will respond to various intrusion
attempts. This is typically done using:
Static analysis – Inspecting an application’s code to estimate the way it behaves while
running. These tools can scan the entirety of the code in a single pass.
Dynamic analysis – Inspecting an application’s code in a running state. This is a more
practical way of scanning, as it provides a real-time view into an application’s performance.

3. Gaining Access

This stage uses web application attacks, such as cross-site scripting, SQL
injection and backdoors, to uncover a target’s vulnerabilities. Testers then try and exploit
these vulnerabilities, typically by escalating privileges, stealing data, intercepting traffic,
etc., to understand the damage they can cause.

4. Maintaining access

The goal of this stage is to see if the vulnerability can be used to achieve a persistent
presence in the exploited system— long enough for a bad actor to gain in-depth access.
The idea is to imitate advanced persistent threats, which often remain in a system for
months in order to steal an organization’s most sensitive data.

5. Analysis

The results of the penetration test are then compiled into a report detailing:
Specific vulnerabilities that were exploited
Sensitive data that was accessed
The amount of time the pen tester was able to remain in the system undetected

3. Extrinsic assurance methods

Extrinsic assurance methods are external approaches used to validate and verify the quality,
reliability, or compliance of a product, service, or system. They provide confidence to stakeholders
by demonstrating that certain standards or criteria are met. Here are some key examples:

1. Third-Party Certifications: Obtaining certifications from independent organizations
(e.g., ISO, CE) that confirm adherence to industry standards.
2. External Audits: Engaging independent auditors to assess compliance with regulatory or
quality frameworks, providing an unbiased evaluation.
3. Accreditation: Gaining recognition from authoritative bodies that validate an institution
or program's quality against established benchmarks.
 4. Customer Feedback and Reviews: Collecting reviews and ratings from users to gauge
satisfaction and performance, which can serve as a form of social proof.
5. Regulatory Compliance: Meeting governmental or industry regulations, which can act as
a form of assurance that products or services meet necessary safety and quality standards.
6. Warranty and Guarantees: Offering warranties that promise repair, replacement, or
refund if the product fails to meet specified standards.

III. Tools used in Cyber Security e.g., Kali, Parrot OS, Backbox etc

Kali Linux is an open-source distribution designed for cybersecurity professionals, ethical
hackers, and penetration testers. It is Debian-derived and focused on providing over 600
tools for penetration testing and security auditing. Offensive Security actively developed
Kali Linux and is one of the most popular security distributions used by ethical hackers
and Infosec companies. Kali Linux was designed to be used by professionals, web admins,
and anyone who knows how to run Kali Linux; it was not designed for general use. Kali
Linux has numerous security-hacker applications pre-installed for exploitation tools,
forensic tools, hardware hacking, information gathering, password cracking, reverse
engineering, wireless attacks, web applications, stress testing, sniffing and spoofing,
vulnerability analysis, and many more.

Parrot Security (originally Parrot OS, Parrot) is a free and open-source GNU/Linux
distribution that is based on Debian Stable and designed for security experts, computer
forensics, reverse engineering, hacking, penetration testing, anonymity, privacy, and
cryptography. Frozenbox develops it and comes with MATE as the default desktop
environment. It has a complete portable arsenal for IT security and digital forensics
activities. Parrot operating system is available in three editions: Security, Home, and
Architect Editions, even as a Virtual Machine for the Raspberry Pi and Docker.

BackBox Software is an American Network Infrastructure Automation and Security
solution provider specialising in developing cutting-edge solutions for organisations
worldwide. Founded in 2010, the company has become one of the leading providers of
automated security assessments, breach testing and vulnerability management solutions.
Its mission is to help businesses protect their critical assets by providing effective security
tools that can identify and address vulnerabilities, detect and mitigate cyber attacks, and
ensure regulatory compliance. BackBox’s solutions are designed to simplify complex
security operations and enable organisations to focus on their core business objectives
without worrying about cyber security threats. BackBox offers a centralised management
solution that backs up the configurations of all security and network devices extremely
easily through a single application and real-time dashboard, allowing you to quickly and
easily restore them in the event of a disaster or recovery need.

IV. Horizon scanning including use of recognised sources of threat intelligence and
vulnerabilities
 Horizon scanning is a proactive approach used in cybersecurity and risk management to
identify emerging threats, vulnerabilities, and trends that could impact an organization. It
involves systematic monitoring of various sources to anticipate potential risks and prepare
accordingly. Here are key elements and recognized sources used in horizon scanning:

Key Elements of Horizon Scanning

1. Identifying Threats: Monitoring potential threats from various vectors, including
cyberattacks, malware, insider threats, and geopolitical risks.
2. Vulnerability Assessment: Keeping track of new vulnerabilities in software and
hardware that could be exploited by attackers.
3. Trend Analysis: Observing trends in cybercrime, technology adoption, and regulatory
changes that may influence security postures.
4. Collaboration and Sharing: Engaging with industry peers, government bodies, and
information-sharing organizations to gather insights and share knowledge.

Threat intelligence involves collecting, analyzing, and interpreting data related to potential
or current threats to an organization’s security. Threat intelligence and cyber threat tools
help organizations understand the risks of different types of attacks, and how best to defend
against them. Cyber threat intelligence also helps mitigate attacks that are already
happening. An organization’s IT department may gather its own threat intelligence, or they
may rely on a threat intelligence service to gather information and advise on best security
practices. Organizations that employ software defined networking (SDN) can use threat
intelligence to quickly reconfigure their network to defend against specific types of cyber
attacks.
 Horizon scanning strategic process that involves systematically identifying and analyzing
potential future threats and vulnerabilities that could impact an organization or industry.
By leveraging recognized sources of threat intelligence such as government agencies,
cybersecurity firms, industry groups, and open source intelligence organizations can gather
valuable insights into emerging risks. This process includes monitoring trends in
technology, regulatory changes, and geopolitical events, as well as examining vulnerability
databases like the National Vulnerability Database (NVD). Continuous engagement with
stakeholders and the use of threat intelligence platforms (TIPs) further enhance the ability
to predict and prepare for potential disruptions. Ultimately, horizon scanning enables
organizations to adopt a proactive stance, ensuring they are equipped to address and
mitigate risks before they materialize.

V. Difference between threat intelligence and threat hunting

Aspect Threat Intelligence Threat Hunting
The collection and analysis of Proactive search for threats within a
Definition information about potential or current network to identify and mitigate them
threats to inform defense strategies. before they cause harm.
To provide insights that inform security To detect threats that have bypassed
Purpose
policies and defenses. existing security measures.
Internal investigation, focusing on
External information, including threat
Focus anomalies and indicators of compromise
actors, vulnerabilities, and attack vectors.
(IoCs) within the network.
Real-time or near-real-time analysis
Often retrospective or predictive, looking
Timeframe aimed at
at trends and historical data.
identifying ongoing threats.
SIEM (Security Information and Event
Threat feeds, reports, and analysis
Tools Used Management), EDR (Endpoint Detection
platforms.
and Response), and custom scripts.
Typically involves security operations
Team
Often involves analysts and researchers. center (SOC) teams and incident
Composition
responders.
Strategic insights for decision-making Immediate identification and remediation
Outcome
and policy development. of threats.

VI. The significance of identified trends in cyber security threats and how to deal with attack
techniques:

❖ Zero-day hazards
 Zero-day hazards are vulnerabilities in software that are exploited by attackers before the
developer has had a chance to release a patch or fix. The term "zero-day" indicates that the
developers have had zero days to address the vulnerability once it is discovered. These
vulnerabilities are particularly dangerous because they can be exploited without any prior
warning, making them hard to defend against.

Characteristics of Zero-Day Hazards

1. Unknown to Developers: The vulnerability is typically unknown to the software vendor,
leaving systems unprotected.
2. High Impact: Zero-day exploits can lead to severe consequences, including data breaches,
system failures, and unauthorized access.
3. Limited Detection: Traditional security measures may not recognize the exploit until after
it has been used, making detection challenging.

Examples of Zero-Day Hazards

1. Stuxnet (2010):

Stuxnet was a highly sophisticated worm that targeted Iran’s nuclear facilities. It exploited
multiple zero-day vulnerabilities in Windows, which allowed it to spread and manipulate
industrial control systems. It reportedly caused significant damage to Iran's nuclear
program.

2. Adobe Flash Vulnerability (2015):

A zero-day vulnerability was discovered in Adobe Flash that allowed attackers to execute
arbitrary code on affected systems. Cybercriminals used this vulnerability to deploy
malware, impacting a wide range of users before Adobe released a patch.

3. Microsoft Windows Vulnerability (2020):

A zero-day vulnerability in Microsoft Windows was discovered that could allow attackers
to execute remote code.This vulnerability was actively exploited in the wild, leading to
increased alerts from cybersecurity organizations.

How to deal with Zero-Day Hazards

1. Regular Updates and Patching

Regular updates and patching are crucial for maintaining software security.
Vulnerabilities often exist in software, and once discovered, developers typically
 release patches to fix these issues. Zero-day hazards take advantage of these
unpatched vulnerabilities, so timely updates are essential.

Benefits:

Reduces the attack surface by closing known vulnerabilities.
Minimizes the window of opportunity for attackers.

2. Intrusion Detection Systems (IDS)

Intrusion Detection Systems monitor network traffic and system activities for
suspicious behavior or known attack patterns. IDS can detect potential zero-day
exploits by analyzing anomalies and alerts based on predefined rules or behavior
profiles.

Benefits:
Provides real-time monitoring and alerts for potential security incidents.
Helps in identifying and responding to zero-day attacks before they cause significant
damage.

3. Threat Intelligence

Threat intelligence involves gathering and analyzing information about emerging threats
and vulnerabilities. This information helps organizations understand the tactics,
techniques, and procedures (TTPs) used by attackers.

Benefits:
Enhances awareness of current threats and vulnerabilities.
Informs strategic decisions for threat mitigation.
4. Isolation and Segmentation

Isolation and segmentation involve dividing your network into distinct segments to control
access and limit the spread of potential attacks. This strategy helps contain threats, making
it harder for attackers to move laterally within the network.

Benefits:

Reduces the potential impact of a zero-day attack by containing it to a limited area of the
network.
Enhances overall security posture by enforcing stricter access controls.
 ❖ Ransomware

Ransomware is a type of malicious software (malware) designed to deny access to a
computer system or data until a ransom is paid. It typically encrypts files or locks users out
of their systems, rendering them inaccessible. Attackers demand payment, often in
cryptocurrency, to restore access or provide a decryption key.

Types of Ransomware

1. Crypto Ransomware: This is the most common type, which encrypts files and demands a
ransom for the decryption key.
2. Locker Ransomware: Instead of encrypting files, it locks users out of their devices or
systems, making it impossible to use them until the ransom is paid.
3. Scareware: This type uses scare tactics, displaying fake alerts to convince users to pay for
unnecessary security software or services.
4. Double Extortion Ransomware: Involves not only encrypting data but also stealing it and
threatening to publish it if the ransom is not paid.

How to deal with Ransomware

1. Regular Backups

Schedule regular backups of all critical data to ensure that you can restore files if
they are encrypted by ransomware. Consider daily or weekly backups based on how
often your data changes.Use a combination of local and cloud backups. Store
backups offline to protect them from ransomware that might target connected
devices. Regularly test your backups to ensure they can be restored successfully.
This helps verify the integrity of your backup process.

2. User Training

Conduct training sessions to educate employees about ransomware threats and how
to recognize phishing emails, suspicious links, and attachments. Run regular
simulations to test employees' responses to phishing attempts. This helps reinforce
training and improve awareness. Encourage users to follow security best practices,
such as not opening unexpected emails, avoiding questionable websites, and
reporting suspicious activities.

3. Endpoint Protection
 Implement robust endpoint protection solutions that include antivirus, anti-
malware, and real-time threat detection capabilities. Ensure that these solutions are
kept up to date.Use application whitelisting to allow only approved applications to
run on endpoints, reducing the risk of malicious software execution.Segment your
network to limit access to sensitive data and systems. This way, even if an endpoint
is compromised, the ransomware's ability to spread is restricted.

4. Incident Response Plan

Create a detailed incident response plan specifically for ransomware attacks. Include steps for
identification, containment, eradication, and recovery. Clearly define who will handle different
aspects of the response, ensuring everyone knows their role during an incident. Regularly test the
incident response plan through drills and simulations. This prepares your team to respond
effectively in the event of a ransomware attack.

❖ Phishing attack

“Phishing” refers to an attempt to steal sensitive information, typically in the form of
usernames, passwords, credit card numbers, bank account information or other important
data in order to utilize or sell the stolen information. By masquerading as a reputable source
with an enticing request, an attacker lures in the victim in order to trick them, similarly to
how a fisherman uses bait to catch a fish.
How to deal with Phishing

1. User Education

Conduct regular training sessions to educate employees about phishing tactics, common
signs of phishing emails (such as suspicious sender addresses, spelling errors, and urgent
language), and the importance of verifying requests for sensitive information.Teach users
to recognize various forms of phishing, including spear phishing (targeted attacks) and
whaling (targeting high-level executives). Establish clear procedures for reporting
suspected phishing attempts. Encourage employees to report suspicious emails without fear
of reprimand.

2. Email Filtering

Implement robust email filtering solutions that use machine learning and heuristics to
identify and block phishing emails before they reach users' inboxes. Utilize threat
intelligence to keep email filtering systems updated with the latest phishing indicators and
known malicious domains. Enable features that block access to known phishing sites or
suspicious URLs embedded in emails, reducing the likelihood of users inadvertently
clicking on harmful links.

4. Multi-Factor Authentication (MFA)

Implement MFA for all accounts, especially those that handle sensitive information.
This adds an extra layer of security, requiring users to verify their identity through
a second method (e.g., a text message code or authenticator app) even if their
password is compromised. Educate users on the importance of MFA and how it
protects their accounts, reinforcing the message that it significantly reduces the risk
of unauthorized access.

5. Simulated Phishing Campaigns

Run simulated phishing campaigns to assess users' ability to identify phishing
attempts. This helps identify vulnerabilities in user awareness and reinforces
training. Review the results of these simulations to determine how well employees
are recognizing phishing attempts. Provide targeted follow-up training for those
who struggle to identify phishing emails. Share results with the organization to
highlight improvements and ongoing challenges, creating a culture of security
awareness.

Common references to read
1) https://www.ftc.gov/system/files/attachments/cybersecurity-small-
business/cybersecuirty_sb_factsheets_all.pdf
2) https://www.nu.edu/blog/what-is-cybersecurity/
3) https://learn.microsoft.com/en-us/training/paths/describe-basic-
concepts-of-cybersecurity/
4) https://www.ncbi.nlm.nih.gov/books/NBK556423/
5) https://www.crowdstrike.com/en-us/cybersecurity-101/threat-
intelligence/