IT Elective 4: Cybersecurity Principles PDF


Summary

This document provides an overview of cybersecurity principles, encompassing definitions, historical context, and impact on individuals, businesses, and governments. Cybersecurity concepts like Cyber Hygiene, Awareness & Training, and Compliance are explained. The document is likely course material.

Full Transcript

**EFFECTIVE DEFENSE CONSISTS OF 4 DISTINCT CHALLENGES:**

- Securing the infrastructure
- Securing devices
- Securing local networks
- Securing the perimeter

**CYBERSECURITY**

- Is a very complex term which passes through multi-dimensional request and response.
- It is a challenging task for enterprises of every size, small to large, to secure themselves from external and internal cyber-attacks.
- It is a subset of information security.

**The word 'Cyber' is not singular;** it has many forms, and the concept is understood through different terminologies such as:

- **Cyber Space**: A virtual world of digital data formed by bits. Cyber Space is a man-made ecosystem.
- **Cyber Economy**: A complex structure of interconnected networked systems and their environment.

According to **NIST (National Institute of Standards and Technology)**, cybersecurity is "The ability to protect or defend the use of cyberspace from cyber-attacks."

**Key Factors in Cybersecurity**

- **Cyber Hygiene**: Strong passwords, regular updates, data backups.
- **Awareness & Training**: Educate users on threats like phishing and malware.

**Historical Context**

- **1970s**: Early computer security for mainframes.
- **1980s**: Rise of personal computers and viruses.
- **1990s**: The Internet spurred development of firewalls and antivirus.
- **2000s**: Advanced protocols with e-commerce growth.
- **2010s-Present**: Focus on mobile devices, IoT, cloud security.

**Cybersecurity Impact**

- **Individuals**: Data breaches, privacy concerns.
- **Businesses**: Financial losses, legal consequences, intellectual property theft.
- **Governments**: National security, economic impacts, public trust.

**CYBERSECURITY TERMS AND CONCEPTS**

- **Compliance** is the process of adhering to internal standards and external regulations; it enables organizations to avoid fines and security breaches.
- **Security frameworks** are guidelines used for building plans to help mitigate risks and threats to data and privacy.
- **Security controls** are safeguards designed to reduce specific security risks. They are used with security frameworks to establish a strong security posture.
- **Security posture** is an organization's ability to manage its defense of critical assets and data and react to change.
- A **threat actor**, or malicious attacker, is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.
- An **internal threat** can be a current or former employee, an external vendor, or a trusted partner who poses a security risk.
- **Network security** is the practice of keeping an organization's network infrastructure secure from unauthorized access.
- **Cloud security** is the process of ensuring that assets stored in the cloud are properly configured (set up correctly) and that access to those assets is limited to authorized users.
- **Programming** is a process that can be used to create a specific set of instructions for a computer to execute tasks. These tasks can include:
  - Automation of repetitive tasks (e.g., searching a list of malicious domains)
  - Reviewing web traffic
  - Alerting on suspicious activity

**SECURITY CONCEPTS**

Information content and information determinacy determine the type of software application. Content refers to input and output data; determinacy refers to the predictability of the order and timing of information.

**Three different tools which are useful for system designers to make a robust and secure product**

- **Confidentiality**: Protecting sensitive information (encryption, access control).
- **Integrity**: Ensuring data is unchanged (hashing, checksums).
- **Availability**: Ensuring systems are accessible (failover, maintenance).
- **CIA TRIAD**: The CIA triad is the main pillar of security.
- **CRYPTOGRAPHY**: Its literal translation is "hidden writing". It is mostly used to send secret messages: securing data through encryption.
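The three programming tasks listed above (searching a list of malicious domains, reviewing web traffic, alerting on suspicious activity) come together in one small script. The following is an added example, not code from the course material; the log format, the blocklist entries and the log lines are all constructed for illustration. It matches hosts on domain-label boundaries so that a blocklisted `evil-example.test` also covers `cdn.evil-example.test` but does not falsely flag `notevil-example.test`, and it skips malformed lines instead of aborting the scan.

```python
import re
from urllib.parse import urlsplit

# Constructed blocklist (assumption, not from the course): hostnames the
# organisation treats as malicious. An entry also covers all of its subdomains.
MALICIOUS_DOMAINS = {"evil-example.test", "phish-login.example"}

# Constructed proxy log sample, format: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET http://www.example.org/index.html 200
2024-05-01T10:00:02Z 10.0.0.7 GET http://cdn.evil-example.test/payload.js 200
2024-05-01T10:00:03Z 10.0.0.9 POST https://phish-login.example/submit 302
2024-05-01T10:00:04Z 10.0.0.5 GET http://notevil-example.test/ 200
this line is not a well-formed log entry
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def host_of(url: str) -> str:
    """Return the lowercased hostname of a URL (without scheme, port or path)."""
    return (urlsplit(url).hostname or "").lower()


def is_blocklisted(host: str, blocklist=MALICIOUS_DOMAINS) -> bool:
    """True when host equals a blocklist entry or is a subdomain of one.

    Comparing on label boundaries (exact match or '.' + entry suffix) avoids the
    false positive a plain substring test would raise on 'notevil-example.test'.
    """
    return any(host == bad or host.endswith("." + bad) for bad in blocklist)


def scan_log(text: str, blocklist=MALICIOUS_DOMAINS) -> list:
    """Review each log line and return an alert record for every blocklisted host."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the whole scan
        host = host_of(m["url"])
        if is_blocklisted(host, blocklist):
            alerts.append(
                {"line": lineno, "client": m["client"], "host": host, "url": m["url"]}
            )
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"ALERT line {a['line']}: {a['client']} contacted {a['host']} ({a['url']})")
```

Running it prints two alerts (lines 2 and 3 of the sample); the `notevil-example.test` request and the malformed line produce none.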
- A **cryptographic algorithm** is a mathematical function used in the encryption and decryption process.
- **Cryptography + Cryptanalysis = Cryptology**
- A simple substitution cipher is known as the **Caesar Cipher**. It is a very simple form of symmetric key encryption.
- **Symmetric Encryption**: also known as conventional encryption. Two well-known symmetric encryption algorithms: AES, DES.

**2 REQUIREMENTS FOR A SYMMETRIC ENCRYPTION ALGORITHM**

- A strong encryption algorithm known to both parties, sender and receiver.
- The secret key should be known only to the sender and receiver.

- **Asymmetric Encryption**: also known as public key cryptography; uses two mathematically related but unique keys: a public key and a private key.
- **Hash Functions**: One-way functions that create unique data digests.
- **Digital Certificates**: Ensure authenticity of public keys.

**Digital certificates consist of three things:**

- A public key.
- Certificate information (identity information about the user).
- One or more digital signatures.

A **Public Key Infrastructure (PKI)** is a combination of policies, roles, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and to manage public-key encryption. It includes components such as the Certificate Authority (CA) and the Registration Authority (RA).

- **Certificate Authority**: creates certificates and digitally signs them using its own private key.
- **Registration Authority**: refers to the people, which can include a group, company, process, and tools, who help users enroll with the PKI system.
- **Attack or Attack Vector**: The technique by which unauthorized access is gained inside a computer or network for a criminal purpose by exploiting vulnerabilities in the system.
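To make the Caesar cipher, the two requirements for symmetric encryption, and the one-way hash concrete, here is an added example (not code from the course). The Caesar functions are written from the textbook definition; the hash part uses Python's standard `hashlib` and `hmac` modules, and the sample messages are constructed. It shows that the same shared key both encrypts and decrypts, that the cipher's entire key space is only 26 shifts (which is why the "strong algorithm" requirement is not met by it), and that a SHA-256 digest changes completely when even one character of the data is altered, which is how integrity checks detect tampering.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_uppercase


def caesar_shift(text: str, key: int) -> str:
    """Shift every letter by `key` positions in the alphabet; other characters pass through."""
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext: str, key: int) -> str:
    return caesar_shift(plaintext, key)


def caesar_decrypt(ciphertext: str, key: int) -> str:
    # Symmetric: decryption is the same operation with the same key, applied in reverse.
    return caesar_shift(ciphertext, -key)


def caesar_key_space() -> int:
    """Number of distinct keys (shift 0 is the identity, so only 25 actually hide anything)."""
    return len(ALPHABET)


def sha256_hex(data: bytes) -> str:
    """One-way digest: easy to compute, infeasible to invert."""
    return hashlib.sha256(data).hexdigest()


def integrity_check(data: bytes, expected_digest: str) -> bool:
    """Recompute the digest and compare in constant time to the stored one."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)


if __name__ == "__main__":
    key = 3  # constructed shared secret known only to sender and receiver
    ct = caesar_encrypt("ATTACK AT DAWN", key)
    print("ciphertext:", ct, "-> plaintext:", caesar_decrypt(ct, key))
    print("Caesar key space:", caesar_key_space(), "keys")
    original = b"transfer 100 to account 42"  # constructed message
    digest = sha256_hex(original)
    print("digest:", digest)
    print("untampered ok:", integrity_check(original, digest))
    print("tampered ok:  ", integrity_check(b"transfer 900 to account 42", digest))
```

The integrity check uses `hmac.compare_digest` rather than `==` so the comparison time does not leak how many leading characters of the digest matched.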
- **Risk:** The probability of loss from any particular threat in the threat landscape that can exploit the system and gain benefits from it, such as loss of private and confidential information (usernames and passwords, sensitive organization data).
- **Threat:** Anything that can exploit a vulnerability, intentionally or accidentally, and obtain, damage, or destroy an asset.
- **Vulnerability:** Weaknesses or gaps in a system's security program, design, policies, and implementation that can be exploited by different threats to gain unauthorized access to a computer system or network.
- **Asset:** People, property, and information. People may include employees and customers.
- **Countermeasure:** An action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that corrective and proactive action can be taken.

**SUBTYPES OF ATTACK**

- Active attack
- Passive attack

**ATTACK BASED ON ITS ORIGIN**

- Inside attack
- Outside attack

**TOP CYBERSECURITY ATTACKS**

- **Phishing Attack:** A type of security attack that tricks the user into divulging sensitive and personal/confidential information; sometimes referred to as a "phishing scam".
- **Spear phishing:** When a phishing attack is targeted at specific individuals of an organization, it is known as spear phishing. Attackers use the company logo, footer, and all other style information present in legitimate email to trick the user.
- **SQL Injection Attack**: SQL, which is pronounced "squeal", stands for Structured Query Language. It is a programming language used to communicate with databases. Databases store critical data of websites, users, and services, which can contain personal and sensitive information such as usernames and passwords and transaction details.
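The SQL injection description above is best understood by placing the vulnerable query beside its hardened form. The following is an added example, not code from the course: a constructed in-memory SQLite table, one lookup that builds the query by string concatenation and one that uses a bound parameter. The same crafted input returns every row from the concatenating version and nothing from the parameterized one, because the driver sends the parameter as data rather than as part of the SQL text.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample table; the password column holds placeholder hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: untrusted input is spliced into the SQL text, so quote
    # characters in the input change the structure of the query itself.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    # HARDENED: the '?' placeholder is filled by the driver with the value as
    # data; the query structure is fixed before any input is seen.
    query = "SELECT username FROM users WHERE username = ?"
    return sorted(row[0] for row in conn.execute(query, (username,)))


# Constructed input that turns the WHERE clause into a tautology
# in the concatenated query: ... WHERE username = 'x' OR '1'='1'
INJECTED_INPUT = "x' OR '1'='1"


if __name__ == "__main__":
    conn = setup_db()
    print("normal, vulnerable:     ", lookup_vulnerable(conn, "alice"))
    print("normal, parameterized:  ", lookup_parameterized(conn, "alice"))
    print("injected, vulnerable:   ", lookup_vulnerable(conn, INJECTED_INPUT))
    print("injected, parameterized:", lookup_parameterized(conn, INJECTED_INPUT))
```

The defensive rule the example demonstrates is that query text and user data must never be mixed; parameterized statements (or an ORM that uses them) make that separation the default, and input validation is an additional layer rather than a substitute.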
**Types of SQL injection attacks**

- Blind SQL injection
- Out-of-band SQL injection

- **Denial-of-Service (DoS) and Distributed Denial of Service (DDoS):** A Denial-of-Service attack focuses on disrupting or preventing legitimate users from accessing websites, applications, or any other resources by sending a flood of messages, packets, and connection requests, causing the target to slow down or "crash", rendering it unavailable to its users. Attackers mostly target high-value organizations such as media houses, banking and financial organizations, and e-commerce to disrupt their services.
- **Man-In-The-Middle Attack and Session Hijacking:** Man-in-the-middle attacks are a common type of cyber security attack that allows attackers to eavesdrop on the communication between two targets. The attack takes place between two legitimately communicating hosts, allowing the attacker to "listen" to a conversation they should normally not be able to hear.

**Types of Man-In-The-Middle Attack**

- Rogue access points
- DNS spoofing
- ARP spoofing
- Packet injection
- SSL stripping

- **Brute-Force Attack (Password Attack):** The theory behind such an attack is that if you take an infinite number of attempts to guess a password, you are bound to be right eventually. The term brute-force means overpowering the system through repetition. A brute force attack is among the simplest and least sophisticated hacking methods. Brute force attacks often use automated systems or tools in which different password combinations are tried to gain entry to a network, such as a dictionary attack list or rainbow tables.
- **Malware Attack:** Malware can be described as malicious software that is installed on your system without your consent. It can attach itself to a legitimate process, replicate itself, or add itself to startup.
The objective of the malware could be to exfiltrate information, disrupt business operations, or demand payment. There are many types of malware; below are some of the commonly known types:

- Macro virus
- Ransomware
- Trojans
- Adware
- Logic bombs
- Spyware
- Worms
- Zero-day exploit
- Dropper

- **Assets:** Now we will understand assets in relation to threat actions and map them to the CIA triad. Assets can be categorized into various types such as hardware, software, data, and communication channels (different devices, including communication cables).
- **Asset Value Assessment:** This is the first step involved in measuring the value of the assets that are part of the critical business process. An asset can be people, process, hardware, software, data, or any tangible or intangible thing (including the reputation of the organization, or loss of customers and services) that is part of the critical business process.
- **Threat actions and their consequences:** After identifying and quantifying the asset value, the next step is to conduct the threat assessment, where the potential threats are identified. Another related term, "hazard", is used for threats which are natural or not man-made, such as earthquakes, floods, or wind disasters, which also need to be considered; man-made hazards can be either technological threats or terrorism, which we refer to as "threats" for simplicity.
  - Threat Action: An assault on system security.
  - Threat Analysis: An analysis of the probability of occurrence and consequences of damaging actions to a system.
  - Threat Consequence: A security violation that results from a threat action. Includes disclosure, deception, disruption, and usurpation.
- **Threat Analysis:** Our next goal is to estimate the likelihood of a successful attack by this group of threat agents. For this we will use the OWASP risk rating methodology to prepare the severity in the risk assessment model.
- **Vulnerability Analysis:** A vulnerability is a weakness that a threat can exploit to breach security and harm your organization. Vulnerabilities can be identified through vulnerability analysis, audit reports, the NIST vulnerability database, and vendor data.

**Examples of vulnerabilities:**

- Lack of sufficient logging mechanism
- Memory leak issue
- Input validation vulnerability
- Cross-site request forgery
- Sensitive data protection vulnerability
- Remote code execution
- Session management vulnerability
- Business logic vulnerability
- Cryptographic vulnerability

- **Vulnerability Factors:** The goal here is to estimate the likelihood of the vulnerability involved being discovered and exploited.
- **Estimating Impact:** When estimating the impact of a successful attack, it is important to consider both the technical impact and the business impact. Ultimately the business impact is the more important one, so providing the appropriate technical risk details enables management to make the decision about the business risk.
  - **Technical Impact Factors:** The goal is to estimate the magnitude of the impact on the system if the vulnerability were to be exploited.
  - **Business Impact Factors:** Business impact requires a deep understanding of the different operations the company runs and where it gets its maximum return on investment.
- **The severity of RISK:** We now prepare the severity of the risk, which is obtained by combining the likelihood with the different impact factors.
- **Countermeasures (Control):** In this step, we identify the existing security policies and protocols that are in place. Are they adequate for the current threat landscape, or does the security posture of the organization need to be modified and updated? What level of risk is acceptable to the organization? This helps the security team and top management understand the risk levels so they can focus on the higher-level risks.
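The risk-assessment steps above (threat analysis, vulnerability factors, technical and business impact, severity) are the inputs of the OWASP Risk Rating Methodology the course refers to. Here is an added worked example, not code from the course, that carries those steps through in code. It follows the OWASP scheme as I know it: every factor is scored 0 to 9, likelihood is the average of the threat-agent and vulnerability factors, impact is the average of the business-impact factors when they are known (otherwise of the technical ones), each average maps to LOW (below 3), MEDIUM (3 to below 6) or HIGH (6 and up), and the two levels are combined in the standard severity table. The factor names and scores are constructed for illustration.

```python
from statistics import mean


def level(score: float) -> str:
    """Map a 0-9 factor average to the OWASP likelihood/impact level."""
    if score < 3:
        return "LOW"
    if score < 6:
        return "MEDIUM"
    return "HIGH"


# Overall severity = likelihood level x impact level (OWASP Risk Rating table).
SEVERITY = {
    ("LOW", "LOW"): "Note",       ("MEDIUM", "LOW"): "Low",       ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low",     ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium",    ("MEDIUM", "HIGH"): "High",     ("HIGH", "HIGH"): "Critical",
}


def _average(factors: dict) -> float:
    """Average a factor group after checking every score is within 0-9."""
    if not factors:
        raise ValueError("a factor group must contain at least one factor")
    for name, value in factors.items():
        if not 0 <= value <= 9:
            raise ValueError(f"factor {name!r} must be scored 0-9, got {value}")
    return mean(factors.values())


def rate_risk(threat_agent: dict, vulnerability: dict,
              technical_impact: dict, business_impact: dict = None) -> dict:
    """Combine factor scores into likelihood, impact and overall severity.

    Likelihood averages all threat-agent and vulnerability factors together.
    Impact uses the business-impact factors when they are available, since the
    business impact is what management ultimately decides on; otherwise the
    technical-impact factors are used.
    """
    likelihood_score = _average({**threat_agent, **vulnerability})
    impact_source = business_impact if business_impact else technical_impact
    impact_score = _average(impact_source)
    likelihood = level(likelihood_score)
    impact = level(impact_score)
    return {
        "likelihood_score": likelihood_score, "likelihood": likelihood,
        "impact_score": impact_score, "impact": impact,
        "impact_basis": "business" if business_impact else "technical",
        "severity": SEVERITY[(likelihood, impact)],
    }


# Constructed scores for one hypothetical finding.
THREAT_AGENT = {"skill_level": 5, "motive": 2, "opportunity": 7, "size": 1}
VULNERABILITY = {"ease_of_discovery": 3, "ease_of_exploit": 6,
                 "awareness": 9, "intrusion_detection": 2}
TECHNICAL = {"loss_of_confidentiality": 9, "loss_of_integrity": 7,
             "loss_of_availability": 5, "loss_of_accountability": 8}
BUSINESS = {"financial_damage": 1, "reputation_damage": 2,
            "non_compliance": 1, "privacy_violation": 5}


if __name__ == "__main__":
    for label, result in (("technical impact only", rate_risk(THREAT_AGENT, VULNERABILITY, TECHNICAL)),
                          ("with business impact", rate_risk(THREAT_AGENT, VULNERABILITY, TECHNICAL, BUSINESS))):
        print(f"{label}: likelihood {result['likelihood']} ({result['likelihood_score']}), "
              f"impact {result['impact']} ({result['impact_score']}) -> {result['severity']}")
```

With these scores the likelihood averages to 4.375 (MEDIUM). Judged on technical impact alone (7.25, HIGH) the finding rates High, but once the business-impact factors are filled in (2.25, LOW) it drops to Low, which is exactly the point the course makes about business impact being the deciding view.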
- **Documentation:** This is the final step, in which the risk assessment report is prepared to support management in taking appropriate decisions on policies, procedures, and budget allocation. For each threat, the report should list the corresponding vulnerabilities, assets at risk, impact, and control remediation.
- **APT (ADVANCED PERSISTENT THREAT) attacks** are initiated to steal highly sensitive data rather than cause damage to the target organization's network. The goal of most APT attacks is to achieve and maintain ongoing access to the targeted network rather than to get in and out as quickly as possible.
  - The term **Advanced** refers to the systematic crafting of an attack vector, in terms of the advanced and very targeted code used, which is very effective.
  - **Persistent:** The attacker will not stop after failing once or twice.
  - **Threat** indicates human involvement in orchestrating the attack.

**APT THREAT VECTORS:**

- **External:**
  - **Internet:** Email attachments, file sharing, pirated software, mass vulnerability exploits.
  - **Physical:** Infection using external devices (USB, CD, external disk drives), malicious IT equipment, rogue Wi-Fi access points, stolen mobile devices / laptops.
- **Internal:**
  - **Trusted Insider:** Rogue employee, third-party contractors and vendors.
  - **Trusted Channel:** Stolen credentials, P2P tapping, untrusted devices, hijacked cell communications.
  - **Insecure Build:** Insecure devices, unpatched software versions, misconfigured devices.
  - **Information Leakage:** Exposure of sensitive material on online/social media.
  - **Application Security:** Fuzzing / reverse engineering, buffer overflows.

- The **cybersecurity kill chain** is a model used to identify and describe the stages of a cyber-attack, from initial reconnaissance to data exfiltration.
- The term **kill chain** was first used in the military, where it relates to the structuring of an attack: identification of the target, getting a foothold, attack timing and decision, and destruction of the target.

**The traditional military kill chain includes multiple stages, listed below:**

- Find: Locate the target.
- Fix: Fix their location; make it difficult for them to move.
- Track: Monitor their movement.
- Target: Select an appropriate weapon or asset to use on the target to create the desired effects.
- Engage: Apply the weapon to the target.
- Assess: Evaluate the effects of the attack, including any intelligence gathered at the location.

**Cybersecurity policies** are not easy to understand. They become useless if employees, customers, or stakeholders are unable to understand and follow them. So it is very important to have a good cybersecurity policy in place.

- **Health Insurance Portability and Accountability Act (HIPAA):** HIPAA was first enacted in 1996. HIPAA was established as a standard to protect individuals' electronic personal health information (ePHI).

**What is considered protected health information under HIPAA?**

- A patient's name, address, birth date, and Social Security number.
- An individual's physical or mental health condition.
- Any care provided to an individual.
- Information concerning the payment for the care provided to the individual that identifies the patient, or information for which there is a reasonable basis to believe it could be used to identify the patient.
**HIPAA contains five different sections or titles, listed below.**

- TITLE 1: HIPAA Insurance Reform
- TITLE 2: HIPAA Administrative Simplification
- TITLE 3: Tax-Related Health Provisions
- TITLE 4: Application and Enforcement of Group Health Plan Requirements
- TITLE 5: Revenue Offsets

- **National Institute of Standards and Technology (NIST):** The President of the United States issued an Executive Order to improve the nation's critical infrastructure, which was directed to NIST. NIST worked with different stakeholders and created a framework in collaboration between industry and government. The Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure.
- **Components of the Framework:** The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.

**The NIST Framework Core consists of five concurrent and continuous Functions**

- Identify
- Protect
- Detect
- Respond
- Recover

- **ISO/IEC 27000-series:** Also known as the 'ISMS Family of Standards' or 'ISO27K' for short, it comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

**PDCA CYCLE**

- **Plan**
- **Do**
- **Check**
- **Act**

- **Payment Card Industry (PCI) Security Standards:** The PCI Security Standards Council provides a robust set of standards and supporting materials to enhance the security of payment card data.

**Cardholder Data includes:**

- Permanent Account Number (PAN)
- Cardholder Name
- Expiry Date
- Service Code

**Sensitive Authentication Data:**

- Magnetic stripe data or data stored on the chip.
- CVV2/CID/CAV2
- PIN

**ABBREVIATIONS**

- **NIST** - National Institute of Standards and Technology
- **AES** - Advanced Encryption Standard
- **DES** - Data Encryption Standard
- **PKI** - Public Key Infrastructure
- **CA** - Certificate Authority
- **RA** - Registration Authority
- **SQL** - Structured Query Language
- **DDOS** - Distributed Denial of Service
- **APT** - Advanced Persistent Threat
- **HIPAA** - Health Insurance Portability and Accountability Act
- **ePHI** - Electronic Personal Health Information
- **ISO** - International Organization for Standardization
- **IEC** - International Electrotechnical Commission
- **PDCA** - Plan Do Check Act
- **PCI** - Payment Card Industry
- **Malware** - Malicious Software
