Cybersecurity Fundamentals For IT Professionals - Theory.pdf

Full Transcript

Cybersecurity Fundamentals
for IT Professionals
Theory Notebook

In collaboration with
 Disclaimer - Copyrights
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌ The copyright and any other rights relating to texts, illustrations, photos or any other
files on the site belong exclusively to Thales or the mentioned owners. For the reproduction
of any elements written consent of the copyright holder must be obtained in advance.
▌ Information provided in this course is for educational purposes only.
No other use are allowed, notably you shall not use information
provided in this course to gain unauthorized access.
▌ All the information provided in this course is meant for developing Hacker Defense attitude
among the users and help preventing the hack attacks.
▌ The course is all about Ethical Hacking and White Hat hacking only.
▌ This training materials are provided 'AS IS' without warranty of any kind, either expressed or
implied.
▌ The Academy, trainers and authors of the course are no way responsible for any use or misuse of
the information given during such training.
▌ Be aware that performing hack attempts without permission is illegal and might lead to criminal
charges.
▌ Refer to the applicable laws before accessing, using, or in any other way utilizing the material
and information provided in this course.

In collaboration with
REF 65XXXXXX rev xxx
3
Course presentation

In collaboration with
 Purpose of the course
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Cybersecurity has become today the new theater of operation, the new
center of interest. It applies to everyone, everywhere.
This training is focusing mainly on the IT population as they are specifically exposed
to the external threats.
It provides an overview of the Cybersecurity main risk and challenges in an
Enterprise and highlights the best practices to assess the impacts, to ensure a
better protection on systems against Cyber Criminality and to react in case of
Crisis due to an attack.

In collaboration with
REF 65XXXXXX rev xxx
5
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

6
In collaboration with
REF 65XXXXXX rev xxx
Prerequisites

IT functions
IT organizations
▌This course is dedicated to people who are familiar with:
 Course breakdown
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

- Part 03 -
- Part 01- - Part 02 -
Cybersecurity Foundation of Cyber Data, Systems,
Concepts Security Engineering Network and
Applications Security

- Part 05 - - Part 04 -
Security Risk Management &
Operations Centre Cyber Resilience

In collaboration with
REF 65XXXXXX rev xxx
7
 Pedagogic goals and principles
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Intended learning outcome
To have an overview of:
The Cybersecurity, its environment and concepts …………………….……......…(Part 01)
(history, main attacks , threat categories)
The foundation of Cybersecurity engineering ……………………..….………….....(Part 02)
(understand how to segment and secure architecture and how to control flows)
How to protect Systems, Data, Networks and the role of the cryptography …(Part 03)
(identify products and configurations)
The Risk Management & Cyber Resilience ………….……………………………….(Part 04)
(understand risk assessment and reduction )
The Security Operations Centre (identify tools and processes) ……..…………...(Part 05)

In collaboration with
REF 65XXXXXX rev xxx
8
Part 01 –
Cybersecurity Concepts

In collaboration with
 Cybersecurity Fundamentals for IT Professionals
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Table of contents Cybersecurity Concepts
Part 01 – Cybersecurity Concepts
1. Introduction
Part 02 – Foundation of Cybersecurity
Engineering 2. Information Security

Part 03 – Data, Systems, Network, 3. Definitions
Applications Security 4. Infection Vectors
Part 04 – Risk Management & 5. Attacks
Cyber Resilience
Part 05 – Security Operations Centre

In collaboration with
REF 65XXXXXX rev xxx
10
 Definition of Cybersecurity
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

Cybersecurity is the combination of people, policies,
processes and technologies employed by an enterprise to
protect its cyber assets. Cybersecurity is optimized to levels
that business leaders define, balancing the resources
required with usability/manageability and the amount of
risk offset. Subsets of cybersecurity include IT security, IoT
security, information security and OT security.
Gartner

In collaboration with
REF 65XXXXXX rev xxx
11
 Definition of a “Cyber Attack”
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Subject to a number of nuances that depend Civilians
in which context the word is used Military

“A cyber-attack is an action undertaken by
hostile agents who seek to disrupt or to harm a
nation, an organization or an individual, by
Hospitals Cyber Bank

disturbing their activities, hurting their conscience,
Insurers
Attack Lawyers
or by stealing, incapacitating or destroying their
assets.”

An attempt to gain illegal access to a computer An illegal attempt to harm someone's
or computer system for the purpose of causing computer system or the information on it,
damage or harm Merriam-Webster dictionary using the internet Cambridge dictionary

In collaboration with
REF 65XXXXXX rev xxx
12
 Cyber-attack definition - Take away
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌The word cyber-attack remains
unclear today:
It takes different meanings in different
contexts.
The common notion is that cyber-attacks
use information and automation
technologies to harm our values, societies,
businesses and security

▌Cyber Attacks can be divided into two
main types:
Disabling the target computer or take it
offline
Accessing data on the target computer
and maybe gain administrator privileges

In collaboration with
REF 65XXXXXX rev xxx
13
 There are two types of target systems: IT and OT systems
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌ IT (Information Technology)
▌ OT (Operational Technology)
Computer & communication systems
Hardware & software now
Software applications combined
Real-time behaviour often bounded by - Electromechanical only in past
pace of human interaction Collects information, computes
- But exceptions (financial systems, …) and causes changes in the
Little consideration for safety & reliability physical world
- “Cyber-Physical Systems”
- Automation, cars, pacemakers…
Real-time behaviour essential
Reliability paramount
Safety mandatory

In collaboration with
REF 65XXXXXX rev xxx
14
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

15
In collaboration with
REF 65XXXXXX rev xxx
https://www.enisa.europa.eu/publications/ics-scada-dependencies
Cyber-attack pathways have been immensely multiplied
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

16
In collaboration with
REF 65XXXXXX rev xxx
Around 50% of cyber alarms are not processed!!!

READINGS:

attacks-coming-report/13april2018
Cisco 2018 Annual Cybersecurity Report ,
@ http://www.isssource.com/more-ot-iot-
 Only a third of organizations have a board member in charge of cyber !
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

https://www.gov.uk/government/statistics/cyber-security-breaches-survey-
17
In collaboration with
REF 65XXXXXX rev xxx 2021/cyber-security-breaches-survey-2021
 Cyber Attack: Awareness
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌In business, value is both the key and the goal
Companies strive to preserve their value.
Value can decrease and be lost by way of cyber-attacks.
It is therefore important to get first an idea of what cyber-attacks are.
We shall present how a TV channel was attacked and what it managed to do to
Web TV and Air TV channels.

In collaboration with
REF 65XXXXXX rev xxx
18
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

19
In collaboration with
REF 65XXXXXX rev xxx
Facebook admin
Webmaster

management
Social network
TV websites

Video board
An attack on a TV channel: Understanding cyber-attacks
 An attack on a TV channel – Phase 1 = Reconnaissance
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

TV websites

Webmaster’s
Social network
management +12 months before
Reconnaissance
Facebook admin
Trials (discovery and access):
Vulnerabilities identification
Points of entry
Facebook admin account
Access to admin PC
Installation of root kits
Video board
In collaboration with
REF 65XXXXXX rev xxx
20
 An attack on a TV channel – Phase 2 = Exploration
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

I have all the TV websites
facebook account
credentials

I gain access to the
webmaster’s laptop

I can see the
Webmaster’s Mux from this
Social network server
management + 6 months before
Exploration of the intranet
Facebook admin
Get root access to admin
PC
Early malware injection
I have access to
active directory Installation of root kits
System mapping
Propagation pathways
Video board
In collaboration with
REF 65XXXXXX rev xxx
21
 An attack on a TV channel – Phase 3 = Targeting & planning
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

I have all the TV websites
facebook account
credentials

I gain access to the
webmaster laptop

Webmaster’s
Social network
management 1 to 3 months before
Procurement of a Mux for weaponising
Facebook admin
Precise targetting
Operation’s fine planning
Coordination of cyber-attack impacts
Diversion via tweeter
Broadcast control via attack on Mux
Claim on Facebook & TV website
Development & injection of payloads
Video board Rehearsals

In collaboration with
REF 65XXXXXX rev xxx
22
 An attack on a TV channel – Phase 4 = Attack Primary effect
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

Primary effect Diversion
TV websites

Under control

Under control
Webmaster
Social network D day
management Change of admin passwords
Control of the Mux, …
Facebook admin Access to tweeter and diversion
Broadcasting of propaganda clips on air
Display of claims on Facebook & website
Deletion of traces on switches
Deletion of other traces and logs
Deletion of firmware…
Post-attack exploitation
Video board
Under control
In collaboration with
REF 65XXXXXX rev xxx
23
 Cyber-attacks are one arm of hostile strategies.
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Cyber-attackers are no longer amateurs
They have good reasons to act against you.
They are powerful.
They can elaborate sophisticated strategies
against you.
Cyber-attacks are part of those strategies
but not the only way.

In collaboration with
REF 65XXXXXX rev xxx
24
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

25
In collaboration with
REF 65XXXXXX rev xxx
Motivations of cyber-attacks
 The Cyber Kill Chain (CKC)
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

Readings:
In collaboration with https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
REF 65XXXXXX rev xxx
26 https://en.wikipedia.org/wiki/Tor_%28anonymity_network%29
https://blog.insiderattack.net/deep-dive-into-tor-the-onion-router-6de4c25beba7
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

27
In collaboration with
REF 65XXXXXX rev xxx
Attackers are strategists
 How powerful are cyber-attackers?
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

Classes of potential attackers
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

Competitors/Corporations
Employees/insiders

State cyber-forces
Individual hackers

(Cyber) Terrorists

Organised crime
(H)activists
Characteristics of potential attackers
Time to prepare: Time needed to prepare the attack, including the research
of information, exploitation, analysis of the difficulty to successfully conduct
the attack, development of dedicated malicious software, etc. There is no
reason why any class of attackers could not take the time required to
perpetrate an attack.
Expertise: Skills required to achieve the attack. Expertise can be gained by
surveillance, open source research, specialized training, or years of practice
in industry. Computer science and cyber-security education curricula will
prepare more and more competent engineers.
Knowledge of the target: May be on design, implementation, operational
procedures, vulnerabilities and weaknesses, etc. Those with only remote
access or inferior means will have less knowledge.
Means: Equipment or other means required to be able to perform the
attack, and the ease by which the materials or equipment can be acquired
to carry out the attack. New attack technologies like AIAs, costly equipment
and abundant human resources needed to perform large-scale, combined,
in-depth attacks will be on hand only to those who have the largest financial
and institutional capacities.
Impunity: Represents the assessment (by attackers or defenders) of the
likelihood of being identified during the attack (accountability) and
subjected to sanctions. States and the organised crime are more likely to be
In collaboration with
REF 65XXXXXX rev xxx
at bay from such difficulties.
28 NB: Green = Yes/Achievable; Orange = Uncertain/Difficult; Red = No/Impossible/Maximum risk
 The cyber threat to the World is now a daily reality, everywhere
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

Readings: Some statistics and data

https://www.symantec.com/security-center/threat-report
https://www.hackmageddon.com/category/security/cyber-
attacks-statistics/

Source:
https://reports.weforum.org/global-risks-report-2020/survey-results/the-global-risks-
interconnections-map-2020/

In collaboration with
REF 65XXXXXX rev xxx
29
 A rapid review of the history of cyber-attacks
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌ 1971: Cap’n Crunch cereals gave away a ▌Serge Humpich (1997)
plastic whistle for kids.
Discovered a serious flaw in
If you blew the toy, it made a 2600 Hz tone.
the Credit Card system used in
Blowing the Captain Crunch whistle into an France
AT&T phone made free long distance phone
calls possible. Tried to negotiate a deal with
This was using an AT&T phone system’s
the bank association.
characteristic against the system itself. He was arrested after buying
a metro ticket (~1 OMR) with a
counterfeit credit cards to
prove the flaw.
He was arrested and
convicted in 2000 to a ten
months suspended sentence.

In collaboration with
REF 65XXXXXX rev xxx
30
 A rapid review of the history of cyber-attacks
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌ 2009: Skygrabber software ($26) + a satellite dish
Access to the video traffic generated by a Predator drone

▌ 2015: Attack on a Jeep Cherokee 2014 model
Demonstration of attack capacity and vulnerabilities in cars

▌ The rise of ransomware
2013 CryptoLocker (Ciphering files)
2016 Petya (file System)
2017 WannaCry (NotPetya) spreads via Eternal Blue
2019 LockerGoga

▌ 2019: Ransomware attacks - Example of Norsk Hydro, an aluminium maker
(03/2019)
- Industrial processes switched to manual mode
- Some plants temporarily stopped
- Power plants running on isolated IT systems
- Interfered with negotiation to reopen a plant in Brazil
- Web site down and Shares lost 1.1%
- Potential disruption of customer supply
- Forced to establish backup plans
- Norwegian Security Authority helped, and liaised with other nations

▌ From now on: Self-propagating malware
Future: Autonomous Intelligent Malware

In collaboration with
REF 65XXXXXX rev xxx
31
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

32
In collaboration with
REF 65XXXXXX rev xxx
Visitors can be a threat... Key executives may be spied on...
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

33
In collaboration with
REF 65XXXXXX rev xxx
On Board Diagnostic
Automobiles are a target:

Heating Ventilation Air-Conditioning
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

35
In collaboration with
REF 65XXXXXX rev xxx
Crypto-currencies are a juicy target

Source: www.hackmageddon.com
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

36
In collaboration with
REF 65XXXXXX rev xxx
Cyber-attacking a high-pressure die casting process to harm clients
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

37
In collaboration with
REF 65XXXXXX rev xxx
What about military systems?...
 Cybersecurity Fundamentals for IT Professionals
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Table of contents Cybersecurity Concepts
Part 01 – Cybersecurity Concepts
1. Introduction
Part 02 – Foundation of Cybersecurity
Engineering 2. Information Security

Part 03 – Data, Systems, Network, 3. Definitions
Applications Security 4. Infection Vectors
Part 04 – Risk Management & 5. Attacks
Cyber Resilience
Part 05 – Security Operations Centre

In collaboration with
REF 65XXXXXX rev xxx
38
 Information Security > Introduction
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌What does “information” stand for?
A set of contextualized structured data Data

Digital Information can take various forms:
- Communications (networks, VoIP…)
Information
- Files and documents
▌Sensitive information:
Personal information (GDPR) Context

Health & Insurance information (HIPAA)
Banking information (PCI-DSS)
Patents…

In collaboration with
REF 65XXXXXX rev xxx
39
 Information Security > Objectives
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Information Security:
Processes, policies and tools designed and Confidentiality
deployed to protect information

▌CIA Triad
Model designed to guide
Information System Security development Information
within an organization
System

Availability Integrity

In collaboration with
REF 65XXXXXX rev xxx
40
 Information Security > Confidentiality
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Confidentiality
Assurance that sensitive information is not accessed by / disclosed to
unauthorized entities such as persons, processes or devices.

Confidentiality covers data: Access Control,
- in storage, File Permission,
- during processing, Encryption,
- in transit.
Strong Passwords,

Examples: Two-Factor Authentication...
- Credit card data transmission,
- Password and sensitive file storage,
- Etc.

In collaboration with
REF 65XXXXXX rev xxx
41
 Information Security > Integrity
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Integrity
Assurance that information has not been altered (modification or destruction)
- Intact
- Complete
- Accurate
Access Control,
File Permission,
Examples:
Encryption,
- Data loss detection during transit
- File or Configuration File modification Logging, Backup,
- Checksum control Hashes, Digital Signatures...
- Etc.

In collaboration with
REF 65XXXXXX rev xxx
42
 Information Security > Availability
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Availability
Assurance that the access to an information or a service is timely and reliable.

Examples:
- Distributive allocation Access Control,
- Redundancy High Availability,
- Fault tolerance
Data Replication,
- Redundant Array of Independent Disks (RAID)
- Disaster Recovery Plan (DRP) Backup,
- Business Continuity Plan (BCP) DRP, BCP...
- Etc…

In collaboration with
REF 65XXXXXX rev xxx
43
 This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.

44
In collaboration with
REF 65XXXXXX rev xxx
▌In terms of asset :

Availability
4 aptitudes that can be jeopardized

Traceability
Confidentiality

Integrity
Information Security > What cyber-attacks compromise?
 Information Security > System’s Aptitudes (Target)
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌Confidentiality
▌Availability
to prevent data leakage, theft or loss
to access Information or resources
and to protect from unauthorized
required and to return to nominal
disclosure
service levels from downtime as fast as
specified.

▌Integrity ▌Traceability
Confidentiality

to keep hardware, software, to prove, as specified, who, how,
data and system configurations where and when which systems,
in their specified nominal state. devices or data were used,
Traceability
modified, transferred or stored.

Availability Integrity

In collaboration with
REF 65XXXXXX rev xxx
45
 Information Security > Policies and Procedures
part or disclosed to a third party without the prior written consent of Thales - © Thales 2019 All rights reserved.
This document may not be reproduced, modified, adapted, published, translated, in any way, in whole or in

▌IS Policies and procedures goals
Designing and implementing security practices to protect
critical business process and IT assets
Those practices are meant to mature over time

Use processes to focus on:
- Risk assessment and information management through IS governance
- Threat prevention and handling through Change Management
- Post-attack recovery and resiliency through Incident Response Plans

In collaboration with
REF 65XXXXXX rev xxx
46