SEC_ Cyber Security.pdf

Transcript

Skill Enhancement Course
Cyber-Security
Notes

Table of Contents
Skill Enhancement Course 1
Cybersecurity Awareness: Key Security Terms & Concepts 2
Cybersecurity Awareness: Exposure to Security Risk 11
Cybersecurity Awareness: Security Foundations 16
Cyber Security Foundations 17
 Cybersecurity Awareness: Key Security Terms &
Concepts

Cyber-Security Terms and Concept needs to be understood to understand the criticality of the
information, threat, attack etc.
Handle the request and concerns of the clients and customers

Terms
Asset
That has a value for an organisation. They bring in value to the organisation and must be
protected.
Can be in tangible form (servers), or in intangible form (data)
Information - databases, files (transactional, information procedures), archive
information
Software assets - OS, MS Office. System and application software.
Physical assets - Systems, buildings, furniture, equipment, devices
Services - Computing of voice and data, value added services
Risk
It is a probability that may or may not materialise. It is the potential of losing something that is
valuable that can be high or low depending on the asset and the situation.
Internal or external to the organisation, depending on where it originated. Total risk can never
be eliminated, but can be reduced by eliminating certain risks.
Exposure
Something that increase the likelihood of the risk.
The asset being exploited by the threat agent.
Threat
Exploits weakness and when exploited affects the confidentiality, integrity, availability, which
eventually causes the destruction or modification of the asset.
Can be intentional or unintentional.
Man-made - data theft, denial-of-service (DoS) attack
Natural - hurricane, flood
Can exploit vulnerabilities or bugs,
Threat actor
 Threats are originated by something that pushes a risk to a threat. This threat actor materialises
the risk.
He is the entity that is responsible for the threat. Also has a malicious intent, known as a
malicious actor. Be a person or a group.
They are not allowed or have access to the system, but do so through illegal means. Attacking
the system through the vulnerability, deleting or doing harm to the system.
Have a motive, steal information, unauthorized someone, disrupt the system, create a
backdoor, delete the system.
Outside, or insider of the organisation.
Threat vector
Can be a process, method, or tactic used by the threat actor to get access to the system
Can be a malware, virus, downloaded by an insider, social engineering, phishing email, network
vulnerability, vulnerability exploitation.
Also known as attack vector
Target
The goal of the threat actor. Without a target, the security attack cannot exist.
To gain valuable information or control.
Can be an individual, application, server, or an organisation.
Contains vulnerabilities, or security gaps that can be exploited.
Vulnerability
Flaw, error, weakness in a systems design that can be exploited by a threat actor.
Can be exploited when discovered. The vulnerability leads to the exploitation of the system.
Protected by security control or countermeasure, but they can also have vulnerability.
0-Day vulnerability is one that hasn’t been discovered before, but the security team must patch
them and secure them immediately.
Bug in protocol, SQL injection into an application
Countermeasure
Security measure. To protect valuable information.
Threats can make the information vulnerable, and this is implemented to prevent a threat.
They are not implemented alone. They are implemented in layers, known as defence-in-depth.
Must implement multiple of them to circumvent a threat, when you cannot prevent a threat.
Known as deterrents, rather than prevention, bc prevention is impossible due to multiple
vulnerabilities.

Threat Actors
Advanced Persistent Threat (APT)
 Most dangerous as they are difficult to detect and keep an extremely low profile. Equipped
with the most sophisticated tools.
The motive is to get to the data but do not cause disruption or destruction. Their main goal is
to get to the sensitive information.
Cyber-criminals
They are after the data, money or information, and will sell it in the underground web or black
market.
Ransomware is their main tool is to extract money out of their target. Money is their main
motive.
Hacktivist
People or individual who are after a social cause. They have an agenda or follow a certain
philosophy.
The main goal is to expose secrets, or to stop any political agenda, or organisation whose
practices do not seem in favour of the public.
Terrorist
They are against governments, and are after sensitive information. Their main goal is complete
their objective.
Will cause severe damage to the information systems, and infrastructure. Called as
cyber-terrorists.
Insider threats
They are internal to the organisation, and have access to a lot of assets and information, and
network services.
They are within the organisation and will always have an upper edge over the external entities.
The main goal is to bypass the implementations because they have a specific reason. They are
only after the organisation.
Script Kiddies
People who are very inclined to sort of get into the system, to prove they can hack and end up
causing damage.
Nation states
Well funded, directed and usually sponsored by the nations. Can steal information, data and
have sophisticated tools. To cause espionage or disruption of services.
External threat
Sit outside the network and breach into the network.
Internal Threat
They are within the network and have access to the resources and valuable data.
Target
Anybody who is there on the internet. A server with open acces to the internet, or focused
target. Typically they are found through reconnaissance, selcted adn they attacked through
vulnerabilities.
Find the web server that is hosting the target, and exploit the vulnerabilities within its
countermeasures or security to gain access to the target.
Reconnaissance is required to see the possibility of attack, to see the existing infrastructure, and
the possibility of exploiting the vulnerability.
Motivations could be data theft, disruption of the entire web application. They usually have a
structured plan beforehand. Since IT has reached to every industry in the world, they can
attack any industry. They go after the data to make it public or sell it for money.
Types of targets
○ Chemical, Electronic, Manufacturing, Aerospace, Automotive, Government, Energy,
Telecommunications, Consumer, and Healthcare.

Threat agent initiates the threat which exploits the vulnerability.
The vulnerability generates a risk which can damage an asset.
The asset is exposed and can be handled by a countermeasures.

Security Threat
Internal
Can put in security measures.
Employees, contractors, consultantas, vendors.
External
Can put in countermeasures
Nation-state, Hackers, hacktivist, script kiddies
Natural
Not in your control
Hurricane, earthquake

Mobile Technology
Mobiles in an organisation are allowed to carried information, valuable or quantity, by the
employees.
Mobiles are prone to vulnerability. The organisation has an app that can be used to hold all the
information, yet they are vulnerabilities.
Human are vulnerable to a range of threats, despite the best security measures.
 Improper platform usage, insecure data storage, insecure communication, insecure
authentication, insufficient cryptography, insecure authorisation, client code quality, code
tampering, reverse engineering, and extraneous functionality.
Mobile Malware
Financial trojans have increased to a great extent, ransomware, and become a key threat.
Distributed by poorly controlled app stores, repackaged existing apps, or SMS links.
Largely designed to steal personal and financial information.
Jailbroken iPhones and rooted Android phones are most vulnerable.

Cloud Computing
Backbone of the IT infrastructure, and most companies have moved their infrastructure in the
cloud, or have partial infrastructure. The cloud is available on a subscription and metered basis.
Another industries are also using, or completed switched.
On-site infrastructure is difficult to scale and implement and assimilate. The cloud is infinitely
scalable and assimilation.
Cloud Threats
○ Management interface failure, virtual machine level (VM-level) attacks, malicious
insider, service failure, weak authentication, inadequate infrastructure design,
multi-tenancy, and misconfiguration.
Cloud Application and Data threats
○ Social engineering, cross-site scripting (XSS), domain name system (DNS), SQL
injection, sniffing, DoS or DDoS (Denial of service), OpenStack component, Man in
the middle (MITM) attack,

Advanced Persistent Threat (ATP)
A threat that is well funded, highly skilled, establish their presence within the organisation, and
difficult to trace. They will move deeper to find more valuable information.
Advanced means that they use higher level of sophistication. Highly advanced methods of
attack, expert skills and resources, use sophisticated and custom tools, all aimed at achieving
their goals and purpose.
Persistent means that they maintain an undetected presence, stay within the system for a long
period of time, to obtain data without damage. Have specific goals and objectives until they are
met, and intend to stay in the target zone long-term.
Threat means motivated, skilled and persistent. Have coordinated human actions, capability,
intent, and are resourceful and well-funded. Aimed at intellectual property, or government
infrastructure.
 Characteristics
Use social engineering as a key tool. Work with clear and defined objectives against a target.
Well-funded by sponsors. Well-organised in the form of hierarchy. Low profile attacks.
Extremely stealthy and remain undetected. Do not cause damage to avoid downtime to avoid
detection. Do not follow the hit-and-run method.
APT actors
Nation state actors, organised crime groups, hacktivist groups, corporate espionage actors,
cyberterrorists.
Life cycle
Reconnaissance. Initial intrusion to the network or system. Installing the backdoor. Obtaining
user credentials. Installing tools for control. Performing privilege escalation. Performing lateral
movement. Maintaining persistence.

Equation Group
One of the most well-known APT, well-funded and sophisticated, and operating since 2001.
Targets only one victim at one time, and uses various malware platforms, such as
EquationDrug, and GrayFish to steal information from the target.
Uses a command and control centre to monitor the malware and receive information.
Uses a malware to alter hard drive, fanny worm, to attack air-gapped (isolated) networks,
replace CD-ROM with infected versions, shared its exploits with Stuxnet and Flame group.
Key tools used
○ EquationDrug, DoublePulsar backdoor, Double Fantasy, FuzzBunch framework,
EternalBlue, Eternal Synergy, EternalRomance, GrayFish

Strengthen the APT Defences
Assume that you are already compromised
Dig deeper into errors and accidents
Monitor the known and its related elements
Broaden the scope
Use next-gen security solutions
Automate the investigation and validation process

Insider Threats
An internal person in the organisation, or any other entity within or related the organisation or
system.
 Has legitimate access to the network and information. Can have overprivileged access. Can
have access to privileged and confidential information.
They are difficult to detect because they are invisible due to trust of employees. They bypass the
exterior defence to being inside the organisation.
They always have an edge over the exterior entities, due to knowledge of network, and
legitimate accounts, and can access information in an unauthorised manner.
Types of insider threats
○ Pure insider
Fully embedded in the system and can wreck disruption due to access and privileges
○ Insider associate
With limited access to the security network or system, like a contractor and security
guard.
○ Insider affiliate
They are related to someone who is within the system
○ Outside affiliate
They are not related to anyone in the system, but will find ways into the organisation’s
network.
US - Computer Emergency Response Team (US - CERT)
○ Insider IT sabotage - misuses authorised level of access
○ Insider theft - used the IT systems to steal intellectual property
○ Insider fraud - uses IT to commit an identity fraud
Reasons
○ Personal - anger, frustration, ideology, divided loyalty, ego, compulsive behaviour,
adventure, or family problems.
○ Organisational - availability of confidentiality information, no classification of
information, ease of access to network resources, no security policies in existence, no
security trained employees, unwanted access, or odd shift working.
FBI’s Behavioural Indicators of Insider threats.
If the employees show one or more of these behaviours, they must be suspected.
○ Unwanted access, out of scope, copy of material, remote access at odd times, disregard
of company policies, and odd working hours.

Malware
Stands for Malicious software, that disrupts the normal functioning of a system or network.
Could also cripple the internet, or organisation.
 They can be designed to delete data, steal data, bypass access control, encrypt data, or cause
performance degradation.
Can be used as a weapon to launch attacks against a system or network. The entry point of the
system is usually opened with the malware. It can be delivered through a phishing email,
website, pirated software, open software to the system.
Can work as an independent entity, or can be controlled by a command and control (C&C)
server.
Method of Malware
○ Perform reconnaissance, trick the user, infect the user’s device, and cause damage.
Types of Malware
○ Trojan
It pretends to be a legitimate software, and is often a carrier for other malware, such as
a worm.
Requires the user’s intervention in most cases. Can be delivered though download r
email.
Virus
Attaches itself to other files. Can also attack itself to applications installers and media
Triggers when an infected file is opened and executed. Designed to disrupt the system’s
functionality by deleting data or corrupting applications and operating systems.
Worm
Replicate itself over the network. Can be delivered over the network or email.
Scans for vulnerability, self-replicating and does not require user intervention.
Can cause network performance issues after infecting the network’s systems.
Ransomware
Can encrypt the user’s data, and demands a ransom to decrypt the data. The data may
not be decrypted after paying the ransom.
Uses social engineering to trick the user. Halts the systems and displays a ransom
message.
Spyware
Designed to collect information from the user’s system without their consent. Intends
to collect and send the information to the threat actor.
Intends to stay in the user’s system without being caught.
Rootkit
Designed to remotely provide access to a malicious entity. Used to execute remote
commands to control the system of device.
Designed to subvert the security controls. Difficult to remove.
 Adware
Designed to display advertisements on a device’s screen. Can be triggered on a web
browser or a program.
Least harmful malware, but can be bundled with a spyware to track user's activities.

Security Attack
Conducted by a threat actor using a threat vector. Targeted at an individual or organisation.
Can vary depending on the objective.
Can be conducted by an insider or outsider. Usually done by exploiting a vulnerability or
weakness in a system or network.
Steps in an attack
○ Method 1 - Reconnaissance, scanning, access and escalation, exfiltration, sustainment,
assault, and obfuscation.
○ Method 2 - Reconnaissance, weaponisation, delivery, exploitation, installation,
command and control, and exfiltration.
Used by botnet to launch a DDoS, or DoS

Uncertainty in an Attack
Phases
○ Prior security risk management
○ Real-time intrusion detection
○ Posterior forensic analysis
Handling Uncertainty
○ Logical approach
When there is not much data available, and you need to use logic to solve it.
○ Statistical approach
Data is available to be gathered, and analysis can be performed to find the best
approach based on the results.
 Cyber Security Foundations

Cyber attacks
2016 Bangladeshi Bank Heist
2016 Indian debit card breach
2015 Ukraine Power grid attack
2014 Sony pictures hack

After a cyber attack
Organization name hits headlines!
Loss in business: loss of customers, reputation/brand damage, trade secrets, strategies, plans
leaked
Legal penalties: lawsuits filed by customers for privacy breach.
Regular functioning crippled: email systems down, automated payroll processing down,
network outage etc.
Defamation: Confidential emails leaked; etc.

Information that needs protection
Customer data, source code, design documents, financial reports , employee records,
intellectual property, etc.
Information systems: Computers, networks, other devices, cables etc.

Category of attacks and security objectives violated
Security objectives are also known as security goals, characteristics of information (and information
systems). Often multiple objectives are compromised in a cyber-attack. In the case of sophisticated
attacks multiple security objectives of multiple information systems are compromised.
Information disclosure
No secrecy on communication. Violates confidentiality
Tampering
Unauthorised alteration of message. Violates integrity
Denial of service
Website becomes unavailable for legitimate users. Violates availability
Spoofing
Attacker pretends to be an authentic user. Violates authenticity
 Elevation of privilege
User does an action woithout sufficient priviledge. Violates authorisation
Repudiation
Falsely denying an action. Violates non-repudiation

Information Security
Information security means protecting information and information systems from
unauthorized access, use, disclosure, disruption, modification, or destruction in order to
provide:
○ Integrity which means guarding against improper information modification or
destruction, and includes ensuring information non-repudiation and authenticity;
○ Confidentiality, which means preserving authorized restrictions on access and
disclosure, including means for protecting personal privacy and proprietary
information; and
○ Availability, which means ensuring timely and reliable access to and use of information.
CIA/DAD Triad
○ The Confidentiality, Integrity and Availability are together called as the CIA triad.
○ Sometimes the alternate way of referring is a DAD triad. DAD triad is a negative form
the CIA. DAD stands for Disclosure, Alteration & Denial. These are opposites to
Confidentiality, integrity & availability.
○ The objectives of confidentiality, integrity & availability is the foundation of
information security. All protection mechanisms aim to protect one or more of these
objectives.
AAA services
○ Authentication is verifying an identity.
○ Authorization is deciding whether a particular user is allowed to access a particular
resource or function.
○ Accounting includes two other components - auditing & non-repudiation. Auditing is
recording a log of activities of a user in a system. Accounting refers to reviewing the log
file to check for violations and hold users answerable to their actions. It includes
non-repudiation.
AAA services are used to realize the CIA principles.
For example, if you want a document to be confidential, within your team. You will assign
'read' permissions only for your team members. So you use authorization to enforce this
requirement.
 Simply put, authentication & authorization are used to control access to a resource.
Accounting is done to verify access if has not been violated

Technical Terminology
Asset
Threat
Threat agent
Vulnerability
A flaw or weakness in the system’s design, implementation or operation could be used
exploited to compromise objectives
Technical Impact
Impact on the information or the functioning of the information or system
Business impact
Harm done to the business
Attack vector
Ways in which an attack can come
Security Controls
Protection mechanisms to prevent, block or to detect attacks. Multiple security controls are
often implemented for better security.

Fixing each vulnerability requires resources (money, time, effort). Since such resources are
limited it is important to know which vulnerabilities are very important to fix or need not be
fixed.
Without this knowledge, you might end up spending too much in protecting against an attack
that will never happen. There is a need to prioritize vulnerabilities. Two factors influences this
priority:
○ Likelihood of an attack
○ Impact due to the attack
A combined estimate of both these factors is called risk. Estimating risk is called risk analysis.
Information security is stated as a "well informed sense of assurance that the risks and controls
are in balance".

Cryptography
The practice and study of secure communication in the presence of adversaries is called
cryptography.
 Cryptography provides confidentiality and assurance of integrity, authenticity and
non-repudiation. However cryptography is equally applicable to information at rest
(information in hard disk).
Confidentiality of data in transit and at rest can be done using shared key cryptography and
public key cryptography. Integrity can be maintained by hashing. Authenticity and
Non-Repudiation can be maintained by Digital signature.
Cryptography can make use of encryption algorithms. Encryption algorithms turn messages
and information into gibberish using a cypher, and a decryption algorithm with the same key
can decode the cypher.
A key is a very large integer, and the same key can be used for encryption and decryption. Tis
method is called Shared key encryption or symmetric key encryption.
Popular encryption algorithms are Advanced Encryption Standard (AES), Triple Data
Encryption Standard (3DES), Blowfish, Twofish, Skipjack.
Disadvantages of Shared and Symmetric Key Encryption
○ Secure key distribution is problematic
Both the computers need to know the key. Through the network in plaintext form, the
key can be shared. Then the key can be ‘sniffed’ by an attacker and further encrypted
communication can be decrypted by the attacker. There is a need for a secure way for
sharing the key.
The keys can be shared through ‘out of band’ channel like a phone call, if humans
intervene. But such techniques are tedious and often not possible, especially if the
communicating parties are strangers or special devices like routers.
○ Not scalable
Given a symmetric key system with n users, each pairwise communication requires a
unique key. When a computer joins the group as the nth user, there needs to be (n-1)
keys created for communication with a new computer.
In total there will n*(n-1)/2 keys in a system of n users. The problem is as the number
of users become large, the number of keys become extremely large (increases
quadratically, O(n2)). It is very difficult to manage very large number of keys. Thus
shared key cryptosystems are not scalable.
Public Key Cryptography
○ Each user has a pair of key - a public and a private key. A private key is only known to
the user, and a public key is known to everyone. A message encrypted with the public
key can only be decrypted with the private key and vice versa.
○ Also known as asymmetric key cryptography. RSA and ELGammal are softwares that
do this.
 ○ It is scalable,
A user should know the receiver’s public key. The public keys are available to everyone
in a key server. When a new computer joins, a new entry is created in the key server for
their public key. The computer will have their private key with them.
So there are only 2*n keys required (n users * [1 public key + 1 private key]). When the
number of users increases linearly, the number of keys also increases linearly (O(n)).
○ Asymmetric key cryptography has a limitation – it is very slow. It is about 1000 times
slower than symmetric key encryption.
○ Often, both these techniques are used together to combine their advantages. One of
the problems with symmetric key cryptography was the need for a secure & efficient
way of sharing the secret key. This problem is solved by using public key cryptography
to share the secret key. Once the key is shared, all communication between sender &
receiver will use symmetric-key cryptography. (Speed advantage).

Hashing
Compare this hash value and the hash value published on the web site of Kali Linux. If they
both match, the OS file is unaltered (i.e. it is integral). If the values do not match it means the
file has been corrupt (accidentally) or tampered (by an attacker).
You will not want to install a corrupt file, because, the installation could fail, fully or partially.
Or a corrupt unstable OS will be installed. You might not get the OS file from Kali Linux
website. You might receive it from a friend or download it from some other file hosting site.
The problem is malicious person could have tampered the OS file to insert ‘malware’ and
before hosting the file.
A hash function or algorithm is a cryptographic technique. It takes an arbitrarily long input
and produces a fixed length hash value as its output. This hash value is also known as message
digest.
Input can be of any length. Output hash will be fixed length. One way function:
Computationally easy to convert from message to hash. But it is computationally infeasible to
get the actual message from hash. Collision free: It is very unlikely to find two different
messages that will have the same hash value.
Hashing is not just used for files (data at rest), it is applicable to messages transferred between
computers (data in transit) also.
To ensure integrity:
○ Whenever you install an important software in your device, you will not want a
corrupt, tampered, malware laden or unstable file to be installed. To prevent this, it is
 important to check the integrity of the downloaded file before installing it. Hashing is
widely used for performing such integrity checks.
To ensure secure storage of passwords:
○ Typically password stores hold the passwords in the hashed form. Even if a hacker gets
access to the store, the actual passwords cannot be retrieved. When a genuine user
needs access, the password entered by the user will be hashed and matched with the
passwords stored. Hash value match would result in user being successfully verified,
and a mismatch indicates an invalid user.

Digital Signature
One person may deny that they have sent the message, or the message may have originated
from an attacker or outside entity. Digital signature solves both of this.
You know that the signer will use the private key to sign the document. The receiver will use
the public key to verify the document. But you must have a pair of public-private keys to begin.
Generate a digital ID. A digital ID is a password protected file that contains the following:
○ Private key
○ Public key
○ Identity information
Identity information is information about the holder of the private key (in this
example you). Name, email address, organization and country.
The public key and the identify information are combined in a format called a public key
certificate.
The signature value in PDF implementation includes the following:
○ Digital signature (signed message digest)
○ Timestamp (time of signing)
○ Signer’s public key certificate
Generation Algorithm
○ The message to be sent is hashed to get a hash 'h'. Hash 'h', is then encrypted using the
sender’s private key (PriA) to generate signature 'S'. Sender sends the message along
with it’s signature to receiver. The signature generated in above step is unique for a
combination of a message and a private key. So, the signature will be different for
different messages sent by the same user.
 ○
Verification Algorithm
○ The received message is hashed to generate hash 'hr'. The received signature is
decrypted using sender’s public key (PubA), to generate another hash h’. If hr is found
equal to h’, it means the signature is valid. Therefore, the message is authentic and
sender cannot repudiate.
○ If the received message or signature is tampered during transit, then hr will not be
equal to h’ (signature invalid). So digital signature also provides data integrity. In fact
for a message to be authentic, it should be integral in the first place.

○

Application of Cryptography
Cryptographic mechanisms such as encryption, hashing, digital signatures require
computational resources such as CPU time and memory. Thus, they can impact performance.
The choice of a cryptographic algorithm from all available options must be done by evaluating
both the performance of each algorithm and the security levels they provide. Tradeoffs between
performance and security will often be required.
HTTP Secure (HTTPS) protocol is used to protect web transactions by encrypting the
communication between browser and the web server. The technology used for encyrption is
Transport Layer Security (TLS). (Earlier it was SSL). It relies on both symmetric and
asymmetric cryptography. The following steps describe its working.
○ When a user visits a website, the website supplies the browser its public key.
○ The browser creates a random symmetric key (called session key), encrypts it using the
website's public key and sends it the website.
○ The website then decrypts the session key using its private key.
 ○ The browser and the website use the session key for all further communication.
SSL leverages the advanced functionality of asymmetric cryptography while encrypting &
decrypting the vast majority of the data exchanged using the faster symmetric algorithm.
Devices such as laptops and smart phones often contain highly sensitive information, if lost or
stolen, could cause serious harm to an organization and its customers, employees, and affiliates.
Encryption to protect the data on these devices in the event of theft of these devices.
For example, Microsoft Windows operating system uses BitLocker and Encrypting File System
(EFS) technologies for the purpose of encryption. Other common applications include,
encrypting email, Digital Rights Management (DRM), wifi encryption.

Breaking the Cryptography System
In a 256 bit key system, there are 2256 possible keys. The decryption key is one among these
possible keys. By trying out all of these 2256 possible keys in a trial and error manner, the
cipher text can be decrypted.
The larger the key size, the more time for a brute force attack and hence the more secure is the
encryption system.
Almost all cryptographic systems have a limited life span. Moore's law, a commonly cited trend
in the advancement of computing power, states that the processing capabilities of a
state-of-the-art microprocessor will double approximately every two years.
This means that eventually processors will reach the amount of strength required to quickly
find the encryption keys used for a communication.

Network Security
Network security refers to any activity taken to protect the availability of networks and
confidentiality and integrity of data in the network. The Internet is an untrusted place.
Anything coming from it could be potentially harmful.
The organization’s network is a trusted zone. Data entering the intranet (trusted zone) from
the Internet (untrusted zone) must be carefully scrutinized. There should be mechanisms to
prevent certain data from entering the network.
Firewall and Intrusion Detection System (IDS) work as security against attacks like DoS, etc

DDoS Attacks
A large number of malware infected computers send a huge volume of requests to the target
host (victim), resulting in the victim’s loss of availability.
 A infected computer is called a bot. An IoT device in this example, was the bot. A group of
bots that receive instructions from an attacker (on whom to target and when to target) is called
a botnet.
The OVH DDoS attack is a connection-flooding DDoS attack:
Server's normal operation: for each request from a host, a server will allot some memory. When
a deluge of requests is received the server’s memory is exhausted. So the server will stop
accepting new requests.

Firewall
A firewall is a special computer that is placed between an organization’s intranet and the
Internet. In general a firewall is a a special computer or software running on a general purpose
computer or router. It controls what data (network packets) enters or leaves the network.
A traditional packet filter firewall, and more sophisticated firewalls like proxy firewalls, web
application firewalls.
All communication between the Internet and the intranet flow through this firewall. A firewall
has an access control list. Each entry is called a rule.
The firewall inspects every packet's headers – source and destination IP addresses and ports etc.
It compares the header information with each rule in the access control list, in an if-else if-else
way. If a packet matches a particular rule, then, the action specified under that rule is applied.
The action could be allowed a packet or deny entry/exit for a packet.

Host based Firewalls
The firewalls are placed between two networks and hence are called network firewalls.
A firewall that is placed between a computer and a network is called a host based firewall. It
controls traffic between the applications in the computer and the rest of the network. Windows
firewall is an example.
Apart from controlling access to internal sites, a firewall is used to block several types of attacks
like DDoS or to enforce an organization’s network policy (eg: Employees not allowed to access
Internet websites).

Demilitarised Zone
Here the public server is between two firewalls (A & B). This area where public sites are hosted
is called a demilitarized zone (DMZ). Firewall ‘A’ will be configured to block incoming port 80
packets (like before). Firewall ‘B’ will allow incoming port 80 packets but might have other
rules that protects the DMZ itself.
 Thus public sites could be accessed from Internet, but not the internal sites. Public facing
severs are more likely to be ‘hacked’. An attacker after hacking a host will attempt to ‘move
horizontally’ by hacking other hosts in the same network. In the case of DMZ it much more
difficult to do this horizontal movement across the two firewalls.

Intrusion Detection System
An unauthorized user logs on to a machine. An authorized user disables logging functionality
in a router. A worm (a type of malware) spreads to all the hosts in the network. An authorized
user (say an employee) downloads all employee directory records to his computer. An
unusually high number of login attempts in a host.
All the above examples involve an user (or computer process) trespassing or attempting to
trespass into a network (or host). Such trespasses are as intrusions.
A firewall cannot be useful in detecting or stopping such intrusions. An Intrusion Detection
System (IDS) is used to detect such intrusions.
An IDS is a dedicated computer or a software running on a general purpose computer. It is
positioned at certain points in the network. The IDS sniffs all the packets at that point. It
analyses the contents of network packets (headers and application data) and the sequence of
packets. If the analysis result indicates an intrusion, an alert message is sent to the
administrator.
An IDS can also use different log files (generated by hosts) as input for detecting intrusions.
There are two kinds of IDS based on how packets are analysed.
○ Signature based IDS
Each type of intrusion have a characteristic pattern: Certain sequence of events.
Certain format of data etc. Information that describes this pattern is called a signature
or a rule.
A signature based IDS contains a large database of attack signatures. The IDS inspects
the packets (or log files) and compares them to each signature in the database. If any of
them matched, then an alert is issued to the administrator.
Disadvantage: Signature based IDS cannot prevent unknown attacks (because
signatures are not available). Most IDSs are signature based IDS
○ Anomoly based IDS
Can detect previously unknown intrusions. Such an IDS will observe the normal
traffic in a network and creates a ‘traffic profile’. It then looks for network traffic that is
statistically unusual and issues an alert.
Anomoly based IDS can also observe the normal behaviour of users to create a
'behaviour profile'. If it sees a deviation from the normal behaviour, it issues an alert.
 An IDS can generate false positives. If a safe packet is determined as suspicious, then it is called
as false positive. Many false positives could be detected if the signatures (aka rule) are too
restrictive.
An IPS (Intrusion Prevention System) not only issues an alert but also attempts to block an
intrusion. However blocking may not always be possible. Hence detection is the next solution.
The purpose of detection is to respond to an intrusion as soon as possible to minimize the
damage.

The threats to network security is not limited to Denial of Service attacks. There are numerous
other threats such as - port scans, network mapping, OS vulnerability scanning, worms,
viruses, email spam.
The firewall and IDS can prevent or detect such threats. But they should be configured
properly in the first place. Similarly, all devices attached to a network should be configured
properly.

Application Security
Though it is easy to fix the SQL injection vulnerability, these attacks are common and have
resulted in huge losses. Neither cryptography nor network security can prevent the SQL
injection attacks.
The attack will happen irrespective of the use of encryption (HTTPS) or not. Also, for the
network security devices, the communication (containing the SQL injection attack input)
from client to web application looks safe.
Security defects in applications are introduced in the implementation (coding) phase or in the
design phase. Defects introduced in the implementation phase are security bugs. Defects
introduced in the design phase are security flaws.
Failing to do server side input validation is an example of a security design flaw. An improperly
implemented input validation logic is a security bug. Developing secure applications involves
preventing these security bugs and flaws. It is achieved by, following established,
○ secure coding practices
○ secure design principles

Secure coding is a practice to avoid introducing security bugs in the software. Security
professionals have analyzed previous attacks targeting applications and have discovered that
most vulnerabilities have arisen from common coding errors:
○ OWASP Top 10 Application Security Risks
○ SANS Top 25 Dangerous Software Errors
 As a developer/tester/code reviewer your objective is to ensure your applications don't have
these common security bugs. These guides provide secure alternatives for each of the errors (for
developers) and tips on how to detect these errors (for testers, code reviewers).

Security design flaws can be avoided by following established secure design principles:
○ OWASP Security by design principles
○ IEEE Avoiding the Top 10 Software Security Design Flaws
○ SANS Top 25 Dangerous Software Errors
Principle of least privilege
○ Users should have no more privileges than required for carrying out their normal
functions.
○ Applications, have user accounts in the database so that they can the access database. If
the web application's functionality is just to retrieve records from the database, then it
is sufficient to have a read privilege.
○ In fact, permissions should be tuned so that the application user account will not be
able to read tables of other applications.
We say 'mitigating' because it does not eliminate the vulnerability, but instead significantly
reduces the severity of the vulnerability. For example, the number of records exposed due to an
SQL injection vulnerability will be reduced if the least privilege principle is followed.
Principle of defence in depth
○ Use of multiple security controls to mitigate a vulnerability. So that even if one fails, we
can hope that other controls can prevent an attack.
○ Defence in depth is having multiple obstacles before an attacker to make it very
difficult for the attacker.
Application security is not limited to following secure coding practices and design principles. A
crucial component of application security is security testing. Security testing provides an
assurance that the application is secure. Most of the common security bugs (like SQL
injection) can be detected by automated security testing tools.
Moreover, in this section we saw SQL injection attack. But there are a lot of other severe
attacks like cross site scripting attacks, buffer overflow exploits, cross site request forgery
attacks, session hijacking etc.

Threat Modelling
When an application is deployed, many threat agents predominantly from the Internet, try to
attack that application. A single security loophole in the application can cause severe damage to
 it. Hence, every organization wants their applications to be secure and protected against such
damages. This demands for designing and developing secure applications without loopholes.
Threat modelling is one important activity carried out in the design phase of the software
development life-cycle that helps in identifying and addressing security loopholes. This activity
enables organizations to develop highly secure applications.
Threat modelling is a process where the design of the application is analysed to find potential
security problems. Following are the steps involved in threat modelling process:
○ The design of the application, usually represented as a Data Flow Diagram (DFD) will
be taken for analysis.
○ A threat modelling team comprising software designers/developers and software
security analysts will analyse the DFD and brainstorm to identify potential security
problems (threats) that can endanger the security of the application.
○ The identified set of threats to the applications are collectively called as a threat model.
○ Threat modelling team will identify vulnerabilities that might be exploited by the
identified threats and will identify suitable counter-measures to address all the threats
in the threat model.

Need for Threat Modelling
Software designers and developers approach software security in two ways - "Security as
Afterthought" (not a good practice) and "Security Early in the SDLC" (best practice).
○ Helps in building a very robust application that is secure by design, by identifying
security defects even before the code is written.
○ Drastically reducing the effort in redesigning and rewriting the software (as in the case
of Security as Afterthought approach).
Software Development Life Cycle (SDLC) is a process implemented by software developers to
design and test their software. It helps in improving the quality of the software and looks after
the overall development of the software. It is divided into many phases where each phase has its
own significance.
 Earlier, software development practice treated security as an “afterthought” i.e. security will
become a focus only during the testing phase of the SDLC after the software has been designed
and implemented. During security testing, many security defects might be identified in the
application which will require redesign of the software or rewriting some code of the software
to correct the defect. This redesign and rewriting code is a significant source of wasteful effort.
This rising and significant wasteful effort forced software designers/developers to adopt the
new approach - Security Early in the SDLC.
Current software development practice has shifted from the approach of “security as
afterthought” to “thinking about security early in the SDLC – in the design phase”. This
approach is also known as “shift left (in the SDLC)”. One of the key activities in this approach
is threat modelling.
○ Design related security defects are identified by analysing the design documents and
the design will be corrected.
○ Potential implementation (or code) related security defects will be anticipated by
analysing the design documents, and necessary precautions will be taken to avoid such
defects before even beginning the implementation phase.
In the SDLC model, the cost to resolve an issue increases in the later phases of development.
Thus, it is important to run a thorough assessment on the application to know the current
status of the security level and resolve the potential threats as early as possible. That is why,
threat modelling is introduced in the design phase.

Following are some the benefits of implementing Threat Modeling:
○ Allows architects and designers to evaluate the design of the application for
vulnerabilities in the design phase.
○ Helps in future release of a software to evaluate whether new security controls need to
be put in place or existing controls are sufficient.
○ Helps in cost reduction by mitigating threats in early SDLC.
○ Reduces cost by removing maximum security defects before development.
○ Provides a clear "line of sight" across a project and cut down errors and efforts.

Threat Modelling involves the following steps:
○ Step 1: Identify security objectives - Enumerate the security objectives of the
application, i.e. the security requirements that must be fulfilled by the application.
○ Step 2: Create an Application Overview - Identify important characteristics and
elements (such as relational database servers, business logic, application server,
client-side application) of the systems and external actors (users, administrators or
 other systems/applications) that affect the application.
All these functionalities should be understood before implementing other steps. A fine
understanding of all the functionalities of the application helps in defining the scope of
the application. An overview of a particular application will help in getting details of all
the possible vulnerabilities present in the application. This step helps you to identify
relevant threats during step 4.
○ Step 3: Decompose your application - Draw a model of the application that details the
interaction (data flow) between various elements in the application.
○ Step 4: Identify threats - Analyse the model of the application to identify threats
relevant to your application and context.
○ Step 5: Identify vulnerabilities - Analyse the application to identify vulnerabilities in
various elements that can be exploited by various threats.
After threats and vulnerabilities are identified, security controls or countermeasures for these
threats/vulnerabilities must be identified. All this information will be documented.

Assets of an application are one of the main reasons behind any cyber-attack. Weak measures
taken to protect the assets can aid hackers in exploiting the application.
Assets can be broadly classified into:
○ Data: Any sensitive data like Customer Information, User ID, Passwords, Credit card
information
○ Resources: Resources can again be classified into software and hardware resources
Software: Application, application database, third party software and any
software that needs to be secured
Hardware: Application, web and database servers
All these assets need to be documented in order to protect them from the atrocities of potential
hackers.

An application grants some set of access rights specifically defined for its users. These access
rights are the trust levels implied by an application. These trust levels need to be documented in
order to monitor the access rights at every entry point and required to engage with the asset of
an application. Also, data flow diagrams can be developed with privilege boundaries using the
information about the trust levels.

A high-level visualization of the working of an application can be provided by Data Flow
Diagrams (DFDs). DFDs help in understanding how the data is designed to flow within the
system. All the documented components play a major role while drafting a DFD. The below
 DFD is drawn using a tool (we will see more on this later). It is also common to use a
whiteboard and marker to draw the DFD. The DFD is a model of the application, and the
process of drawing this DFD is simply called as modelling the application.

Vulnerabilities are divided into different categories: -
○ Authentication and Authorization vulnerabilities
○ Input/Data validation vulnerabilities
○ Configuration management vulnerabilities
○ Sensitive data vulnerabilities
○ Session management vulnerabilities
○ Cryptography vulnerabilities
○ Parameter manipulation vulnerabilities
○ Exception management vulnerabilities
○ Auditing and logging vulnerabilities

Microsoft’s DREAD
Microsoft’s DREAD Threat-Risk ranking model can be used to determine the ranking of a
threat. In order to determine the threat, basic questions to be answered for each factor of risk,
for example:
○ For Damage: How big would the damage be if the attack succeeded?
○ For Reproducibility: How easy is it to reproduce an attack to work?
○ For Exploitability: How much time, effort, and expertise is needed to exploit the
threat?
○ For Affected Users: If a threat were exploited, what percentage of users would be
affected?
○ For Discoverability: How easy is it for an attacker to discover this threat?
Each risk component is assigned a value between 0 (low) and 9 (high) so that a quantifiable
score can be created for potential threats. It helps in prioritizing the security responses
according to the rank of the individual threats.
One can define the rating as low (L), medium (M) and high (H) on the following basis of the
value received by calculating the average of the DREAD components of a particular threat i.e.
(D+R+E+A+D)/5

The techniques and controls that are used to mitigate the exploitation that can be caused by a
potential threat through known or unknown vulnerabilities are called as countermeasures.
 Documenting the identified threats, vulnerabilities, countermeasures and other details are
important. If this information was not documented, it is very likely that some threats are not
addressed even though they were identified during the threat modeling process.

Threat modeling is a manually intensive task that relies solely on the specification documents,
data flow diagrams and the knowledge of an individual which is abstract in nature. There are
chances of threats being missed mainly because one particular data flow has not been analysed
or because of insufficient knowledge of the person about emerging threats.
Since manual threat modeling is time-consuming, most threat models are drawn holistically at
a software architecture/design level and not at individual use case level. Because of this, threats
related to a specific use case may be missed out.
A threat modeling tool can help in alleviating these difficulties. Benefits of using a threat
modeling tool:
○ Make use of rich knowledge of threat repository (library) for a given component.
○ Draw Data Flow Diagrams (DFD) easily.
○ Automate the identification of threats and vulnerabilities.
○ Automatically come up with required countermeasures.
○ Generate documents.
External Entities
This is an external interactor that is outside your area of control. It could be a user that is
calling your API or web application, or it could be another component that calls your API.
Example-People, Other Systems, Microsoft.com, etc.
Process
It is a collection of code or web methods or components that performs some computations on
the data. It is basically a group of functions that performs some actions. Example- DLLs,
EXEs, COM object, Services, Assemblies, etc.
Data Flow
It basically represents the communication links used for data transfer between entities or
components within the system. Example-Function call, Network traffic, Remote Procedure
Call (RPC), etc.
Data Store
A unit that holds the data. That is, Data repository. Example-Database, Registry, Queue/Stack,
etc.
Trust Boundary
Occurs when one component doesn’t trust the other component outside its boundary without
sufficient authorization. Example-Process boundary, File system, etc.
 Using these components, one can draw a model (precisely the data flow diagram) of the
application. But the model so formed can be an incorrect one.

This is a complete threat model because the source of data is present in this diagram. Here, the
customer is the external entity that sends data to the SQL database through the web
application. Also, there is proper data flow between SQL Database and Web Server and
between Customer and Web Server.

Tthe rules that need to be followed while drawing the model of the application are:
○ Data stores should have a sink - When you mention a database or a data store,
remember to include the entity that will be using that store.
○ Data doesn’t flow magically - Don’t connect two entities without an intermediate
process.
○ Data doesn’t appear magically - A Web Server needs an interface (such as an API) to
connect to a data store.
○ There should not be any required component missing - Skipping any component in
the diagram will make it incomplete.
○ Right flow of data - The flow of data should be in appropriate direction. The arrows
should be drawn such that it correctly shows that the data is flowing from which
component to which component.

Access Management
Subject
A subject is an entity, usually a user, device, or process, that requests access to resources or
services in a system. The subject is often authenticated and authorized before access is granted.
 Object
An object is a resource or entity within a system that a subject wants to access. Objects can be
files, databases, services, or any data that subjects need to interact with.
Identity
Identity refers to the distinct attributes or characteristics that uniquely define a subject within
a system. It is what distinguishes one user or entity from another and is often verified through
authentication processes.
Attributes
An identity store is a repository that holds identity information such as usernames, passwords,
roles, and attributes. It is where authentication and authorization decisions draw information
from. Examples include Active Directory, LDAP, or custom databases.
Identity store
An identity store is a repository that holds identity information such as usernames, passwords,
roles, and attributes. It is where authentication and authorization decisions draw information
from. Examples include Active Directory, LDAP, or custom databases.
Access
Access refers to the ability of a subject to interact with an object in a system. It can be read,
write, execute, or any form of interaction allowed by the system's policies.
Authentication
Authentication is the process of verifying the identity of a subject. This typically involves
confirming that a subject is who they claim to be, often through passwords, biometrics, tokens,
or other verification methods.
Authorization
Authorization is the process of determining what actions a subject is allowed to perform on an
object. Once a subject is authenticated, authorization policies define what resources or services
they can access and what actions they can take.
Accountability
Accountability ensures that all actions and access to resources by subjects are logged, tracked,
and can be audited. This ensures that any unauthorized or malicious actions can be traced back
to the responsible party, promoting transparency and security.

Single Sign On
SSO is an authentication process that allows a user to access multiple applications or systems
with a single set of login credentials. Instead of requiring separate usernames and passwords for
each application, SSO enables users to authenticate once and gain access to all authorized
systems without having to log in again for each one.
 How SSO Works:
1. User Authentication:
When a user tries to access an application or service, they are redirected to the SSO
authentication service. The user provides their login credentials (username and password, for
example) to the SSO service.
2. Token Generation:
Once authenticated, the SSO service generates a security token or session that contains the
user's identity and access information. This token is encrypted and passed back to the
application or system the user is trying to access.
3. Access to Applications:
The application verifies the token with the SSO service. If the token is valid, the application
grants the user access without requiring them to log in again.
4. Token Reuse:
As the user navigates to other applications within the same SSO environment, the existing
token can be reused. The user does not need to re-enter their credentials, as long as the token is
still valid.
Benefits of SSO:
○ User Convenience: Users only need to remember one set of credentials, reducing the
hassle of multiple logins.
○ Improved Security: SSO can enhance security by centralizing authentication and
allowing for stronger, more consistent security policies (e.g., multi-factor
authentication).
○ Reduced IT Burden: IT departments spend less time managing multiple passwords
and can focus on securing a single authentication point.
○ Streamlined User Experience: Users can easily switch between applications without
repeated logins, improving productivity.
Risks and Considerations:
○ Single Point of Failure: If the SSO system is compromised, an attacker could
potentially gain access to all connected applications.
○ Session Management: Managing token expiration and ensuring users are logged out
securely across all applications can be challenging.
○ Compatibility: Not all applications may support SSO, requiring careful integration
planning.
Examples of SSO:
○ Enterprise SSO: Common in corporate environments where employees access multiple
internal systems (e.g., HR systems, email, file storage).
 ○ Web SSO: Used for accessing various web applications like Google services (Gmail,
Google Drive, YouTube) with one Google account.
○ Federated SSO: Allows users to authenticate across multiple organizations or domains
(e.g., using your Google credentials to log into third-party websites).
SSO simplifies the user experience while maintaining security, making it a popular choice for
both enterprises and service providers.

Password Management
With SSO enabled IAM systems in organisation, single credentials are sufficient to access all the
internal applications. Although, this makes it easy for the uses to access, it also makes it easy for
a hacker to gain control of all the linked application at once on hacking this single password.
Hence, it is also necessary to build strong access mechanisms to avoid any such violation of
access rights by having set strong password and by managing it.
Password management refers to the practices, tools, and strategies used to create, store, manage,
and secure passwords. Effective password management is crucial in maintaining strong
cybersecurity, as passwords are often the first line of defense against unauthorized access to
systems, applications, and data.
Key Aspects of Password Management:
Password Creation:
○ Strong Passwords: Passwords should be complex, using a combination of uppercase
and lowercase letters, numbers, and special characters. They should also be sufficiently
long (e.g., at least 12-16 characters) to resist brute-force attacks.
○ Avoid Common Passwords: Users should avoid easily guessable passwords such as
"password123," "qwerty," or any personal information like birthdays.
Password Storage:
○ Secure Storage: Passwords should never be stored in plain text. Instead, they should be
stored using cryptographic hashing algorithms, which convert passwords into a secure
format that cannot be easily reversed.
○ Password Managers: These are software tools that securely store and organize
passwords. They can generate strong, random passwords and store them in an
encrypted vault, accessible only with a master password or through multi-factor
authentication.
Password Policies:
○ Regular Updates: Organizations often enforce policies that require users to change
passwords regularly (e.g., every 60-90 days). However, it's important not to make this
too frequent, as it may lead to weaker password practices.
 ○ Password Reuse: Users should be discouraged from reusing passwords across different
accounts. A compromise on one account could lead to vulnerabilities in others if the
same password is used.
Multi-Factor Authentication (MFA):
○ Additional Layer: Password management can be greatly enhanced by implementing
MFA, which requires users to provide two or more verification factors (e.g., a password
and a fingerprint, or a password and a code sent to a mobile device).
○ Reduced Risk: Even if a password is compromised, the additional factor makes
unauthorized access much more difficult.
Password Recovery:
○ Secure Recovery Processes: Password recovery mechanisms (e.g., security questions,
email resets) should be secure and not easily exploitable. Recovery processes should
involve multi-factor authentication whenever possible.
○ User Education: Users should be educated about the risks of phishing and social
engineering attacks, which often target password recovery processes.
Monitoring and Alerts:
○ Breach Detection: Some password managers and security tools monitor for data
breaches and notify users if their credentials have been exposed, prompting them to
change passwords immediately.
○ Login Alerts: Users can enable alerts that notify them when a login attempt is made
from an unrecognized device or location.
Password Sharing:
○ Avoid Sharing: Passwords should not be shared. If sharing is necessary, it should be
done through secure means (e.g., using a password manager’s sharing feature that keeps
passwords encrypted).
○ Role-Based Access Control: Instead of sharing passwords, organizations should
implement role-based access control (RBAC) where each user has access to the
resources they need without sharing accounts.
User Training and Awareness:
○ Phishing Awareness: Educate users about phishing attacks that attempt to steal
passwords through deceptive emails or websites.
○ Password Hygiene: Promote good password hygiene practices, such as not writing
down passwords in insecure places, and being cautious of where passwords are entered.
Benefits of Good Password Management:
○ Enhanced Security: Strong and well-managed passwords reduce the likelihood of
unauthorized access and data breaches.
 ○ Simplified Management: Password managers simplify the process of handling multiple
strong passwords, reducing the burden on users.
○ Compliance: Many regulatory frameworks (e.g., GDPR, HIPAA) require
organizations to implement strong password management practices to protect sensitive
information.
Challenges in Password Management:
○ User Resistance: Users might resist adopting strong passwords or password managers
due to perceived complexity or inconvenience.
○ Password Fatigue: Managing numerous passwords without proper tools can lead to
fatigue, where users start using weaker passwords or reusing them across platforms.
Tools and Best Practices:
○ Password Managers: Tools like LastPass, 1Password, and Dashlane help manage and
securely store passwords.
○ Password Generation: Use password managers to generate strong, unique passwords
for each account.
○ Regular Audits: Organizations should conduct regular audits of password practices
and update policies as needed.
Effective password management is critical for both individuals and organizations to protect
against unauthorized access and maintain the integrity of sensitive information.

Identity Federation
Federated Identity Management (FIM) is managing a single identity information among
multiple enterprises to let users use the same identity information to gain access across inter
and intra enterprise networks.
Identity federation is a system that allows users to authenticate across multiple systems,
organizations, or domains using a single identity credential. It facilitates secure and seamless
access to resources across different security domains without the need for multiple separate
login credentials. Identity federation is commonly used in environments where users need to
access resources from different organizations or services, such as in business partnerships or
when using cloud services.
Federated Identity:
○ A federated identity is a single digital identity that is trusted across multiple systems or
organizations. Users can use this identity to access various services without needing to
create separate accounts for each one.
Identity Provider (IdP):
 ○ The Identity Provider is the entity that authenticates the user and issues a token or
credential asserting the user’s identity. Examples of IdPs include organizations, social
media platforms (like Google or Facebook), or dedicated services like Microsoft Azure
AD.
Service Provider (SP):
○ The Service Provider is the entity or system that the user wants to access. The SP relies
on the IdP to authenticate the user and then grants access based on the identity and
attributes provided by the IdP.
Trust Relationships:
○ Identity federation relies on trust relationships between the Identity Provider and the
Service Provider. These relationships are often established through digital certificates or
shared cryptographic keys, ensuring that tokens or credentials from the IdP are
accepted by the SP.
Single Sign-On (SSO):
○ Identity federation often incorporates SSO, allowing users to log in once and access
multiple services without needing to re-authenticate. SSO within a federated identity
context works across different domains or organizations.
Standards and Protocols:
○ SAML (Security Assertion Markup Language): A widely-used XML-based standard
for exchanging authentication and authorization data between IdPs and SPs.
○ OAuth: A protocol that allows third-party services to exchange tokens for resource
access, often used for delegated access.
○ OpenID Connect: An identity layer built on top of OAuth 2.0, providing an
easy-to-use protocol for federated authentication.
How Identity Federation Works:
○ User Authentication:
A user attempts to access a service provided by an SP. The SP redirects the user to the
IdP for authentication, often through a web-based interface.
○ Token Generation:
The IdP authenticates the user (e.g., using username and password, multi-factor
authentication). Upon successful authentication, the IdP generates a token or assertion
containing the user’s identity information and attributes.
○ Token Exchange:
The user is redirected back to the SP with the token provided by the IdP. The SP
verifies the token with the IdP and, if valid, grants the user access to the requested
service.
 ○ Access Granted:
The user can now access the service without needing a separate login for that specific
SP.
Benefits of Identity Federation:
○ User Convenience: Users can access multiple services across different organizations or
domains with a single set of credentials, reducing password fatigue and the need to
remember multiple logins.
○ Security: Identity federation centralizes authentication, allowing organizations to
enforce consistent security policies, such as strong password requirements and
multi-factor authentication.
○ Scalability: Organizations can easily integrate with partners, vendors, and cloud services
without managing separate user accounts for each service.
○ Streamlined IT Management: IT departments can manage identities centrally,
reducing the administrative overhead associated with managing multiple user accounts
and credentials.
Use Cases of Identity Federation:
○ Enterprise Collaboration: Companies in a partnership might use identity federation to
allow employees from one organization to access resources from another without
requiring new accounts.
○ Cloud Services: Users can log into cloud services (e.g., Microsoft 365, Salesforce) using
their corporate credentials, thanks to federation between the enterprise's IdP and the
cloud provider.
○ Education: Universities often use federated identity to allow students to access
resources across different campuses or partner institutions.
Challenges and Considerations:
○ Trust Management: Establishing and maintaining trust relationships between IdPs and
SPs can be complex, especially when multiple organizations are involved.
○ Interoperability: Ensuring that different systems and protocols (e.g., SAML, OAuth)
work together seamlessly can be challenging, especially in heterogeneous environments.
○ Security Risks: If the IdP is compromised, it could lead to unauthorized access across
multiple systems, making the security of the IdP critical.
Examples of Identity Federation:
○ Shibboleth: A widely used open-source identity federation system, particularly in the
education sector.
○ SAML Federation: Often used in enterprise environments for federated access to cloud
services.
 ○ OAuth with OpenID Connect: Commonly used for social logins, where users can log
in to third-party websites using credentials from services like Google or Facebook.
Identity federation simplifies and secures access across multiple systems, making it a powerful
tool in modern cybersecurity and identity management strategies.

Authorisation
Secure access management is carried out with the aid of Authentication, Authorisation and
Accountability (AAA) services. As seen earlier, authentication was carried out to provide access
to legitimate subjects on the right set of objects.
Besides authentication, it is imperative to manage access permission on objects for different
category of subjects. This next level of Access Management is carried out by Authorisation.
Authorisation is a process of granting access permissions to subjects on various objects based
on the subject's nature of work and job role. This will significantly cut down the undesirable
access gained by the subjects. Authorisation also helps in keeping a tab on number of access
violations.
Authorization is the process of determining what actions a user or system is allowed to perform
on a resource after they have been authenticated. It controls access to data, services, and
functionalities based on the user’s identity, role, or other attributes, ensuring that only
authorized users can perform specific actions within a system.
Authentication vs. Authorization:
○ Authentication verifies the identity of a user (e.g., confirming they are who they claim
to be).
○ Authorization determines what the authenticated user is allowed to do (e.g., what files
they can access or what operations they can perform).
Permissions:
○ Permissions define specific rights or privileges assigned to a user, group, or role. For
example, permissions might include reading a file, writing to a database, or executing a
command.
Roles:
○ Roles group users with similar responsibilities and assign them a common set of
permissions. Role-Based Access Control (RBAC) is a common method where roles like
"admin," "user," or "guest" determine what a user can do within a system.
Access Control Models:
○ Discretionary Access Control (DAC): Access is granted based on the identity of the
user and the discretion of the resource owner. The owner can assign permissions to
others.
 ○ Mandatory Access Control (MAC): Access is based on fixed policies established by a
central authority, often involving classifications and labels (e.g., classified, secret).
○ Role-Based Access Control (RBAC): Access is determined based on roles assigned to
users, and permissions are granted based on those roles.
○ Attribute-Based Access Control (ABAC): Access decisions are based on attributes of
users, objects, and the environment, such as time of day, location, or the sensitivity of
the data.
Access Control Lists (ACLs):
○ ACLs are lists that specify which users or systems are allowed or denied access to
specific resources. An ACL might list specific users and their permissions, such as
"read," "write," or "execute."
Policy Enforcement Point (PEP) and Policy Decision Point (PDP):
○ PEP: The component that enforces access control decisions by allowing or denying
access based on the authorization policy.
○ PDP: The component that makes the decision on whether to allow or deny access,
based on the policies in place.
Least Privilege Principle:
○ This principle dictates that users should be granted the minimum level of access—or
permissions—necessary to perform their job functions. It helps reduce the risk of
unauthorized access or misuse of privileges.
Auditing and Logging:
○ Authorization processes should include logging and auditing mechanisms to track who
accessed what resources and when. This helps in detecting unauthorized access
attempts and ensuring compliance with policies.
How Authorization Works:
○ User Authentication:
The process begins with the user being authenticated, usually by providing credentials
(e.g., username and password).
○ Policy Evaluation:
Once authenticated, the system evaluates authorization policies to determine what
resources the user can access. This might involve checking roles, permissions, and other
attributes.
○ Decision Making:
The system's PDP makes a decision based on the evaluation. If the user's attributes and
permissions align with the policy, access is granted; otherwise, it is denied.
 ○ Access Enforcement:
The system's PEP enforces the decision by either allowing or denying the user access to
the resource. The action is logged for auditing purposes.
Types of Authorization:
○ Role-Based Authorization:
Users are assigned roles, and permissions are granted based on these roles. For example,
an "Admin" role might have full access, while a "User" role has limited access.
○ Attribute-Based Authorization:
Access decisions are made based on attributes such as user location, time of access, or
the sensitivity of the data. This allows for more granular and context-aware access
control.
○ Policy-Based Authorization:
Authorization is based on predefined policies that specify the conditions under which
access is granted or denied. Policies can be simple (e.g., "Admins can access all
resources") or complex (e.g., "Access is granted if the user is in the office and it's during
business hours").
Common Use Cases:
○ Enterprise Systems: Employees might have different levels of access to corporate
resources based on their role in the organization (e.g., HR staff can access employee
records, while IT staff can access system configurations).
○ Cloud Services: Users are granted or denied access to cloud resources based on their
identity, roles, and policies defined by the cloud provider.
○ Web Applications: Users are authorized to perform actions (e.g., view, edit, delete)
based on their role within the application, such as "admin" or "regular user."
Challenges in Authorization:
○ Complexity: As systems grow and evolve, managing and maintaining authorization
rules and policies can become complex, leading to potential security gaps.
○ Dynamic Environments: In dynamic environments like cloud computing, where
resources and users frequently change, keeping authorization policies up to date is
challenging.
○ Consistency: Ensuring that authorization policies are consistently applied across all
systems and resources can be difficult, especially in large, distributed environments.
Best Practices:
○ Implement the Principle of Least Privilege: Always assign the minimum necessary
permissions to users.
 ○ Regularly Review Permissions: Periodically review and update permissions to ensure
they align with current user roles and responsibilities.
○ Use Role-Based Access Control (RBAC): Group users by roles to simplify the
management of permissions.
○ Audit and Monitor Access: Regularly audit and monitor access logs to detect and
respond to unauthorized access attempts.
○ Automate Policy Management: Use tools and systems that allow for automated
management and enforcement of authorization policies, especially in large or complex
environments.
Authorization is a critical aspect of cybersecurity, ensuring that only authorized users can
access and interact with specific resources, thus protecting sensitive data and maintaining
system integrity.

Accountability
Despite the controlled access management through authentication and authorization there are
chances of attacks by internal threat agents to compromise the enterprise Information System
(IS). This necessitates logging of day-to-day activities of the subject w.r.t usage of enterprise IS.
Hence, it is advisable to enable auditing and logging features at organizational end. This is
taken care by Accountability.
Accountability is to establish responsibility for one's actions/events performed on system back
in time by tracing, logging and auditing. This will ensure to keep up the security objective of
Non-Repudiation.
Audit Trails:
○ An audit trail is a chronological record of activities and events that occur within a
system. These records include details such as who performed an action, what action
was performed, when it was performed, and from where it was performed.
○ Audit trails are crucial for post-incident analysis, allowing organizations to trace back
actions to specific users or processes and understand the sequence of events leading to a
security incident.
Logging and Monitoring:
○ Logging involves recording events and activities within a system, such as logins, file
access, and changes to configurations. Monitoring refers to the continuous observation
of these logs to detect anomalies, unauthorized access, or other suspicious activities.
○ Effective logging and monitoring provide real-time insights and historical data that
help maintain accountability.
Non-Repudiation:
 ○ Non-repudiation ensures that a user or entity cannot deny the authenticity of their
actions or communications. This is often achieved through digital signatures,
cryptographic hashing, and secure logging.
○ Non-repudiation is critical in legal and compliance contexts, where it’s necessary to
prove that certain actions were performed by specific individuals.
User Identification and Authentication:
○ Accountability relies on strong user identification and authentication mechanisms to
ensure that actions are attributed to the correct individual or entity. Without reliable
authentication, it’s difficult to hold users accountable for their actions.
○ Multi-factor authentication (MFA) and biometrics are examples of methods that
enhance the reliability of user identification.
Access Control and Permissions:
○ Proper access control mechanisms ensure that users can only perform actions for which
they are authorized. By restricting access based on roles, permissions, and policies,
organizations can limit the scope of actions a user can take, making it easier to hold
them accountable for their activities.
○ Role-based access control (RBAC) and attribute-based access control (ABAC) are
common methods used to manage permissions and maintain accountability.
Policy Enforcement:
○ Organizations define policies that dictate acceptable behavior, security practices, and
compliance requirements. Accountability is enforced by ensuring that users and
systems adhere to these policies.
○ Violations of policies are logged and monitored, and users are held accountable for
non-compliance.
Incident Response:
○ Accountability plays a critical role in incident response. When a security incident
occurs, accountability ensures that the actions leading up to and following the incident
are well-documented and can be reviewed to identify the responsible parties.
○ Effective incident response depends on the ability to trace actions, understand the
cause of the incident, and take corrective measures.
Compliance and Legal Requirements:
○ Many regulations and standards (e.g., GDPR, HIPAA, ISO 27001) require
organizations to maintain accountability by tracking and auditing user activities.
Failure to do so can result in legal consequences and fines.
○ Accountability ensures that organizations can demonstrate compliance with these
regulations by providing detailed records of activities and access.
 How Accountability Works:
○ User Actions:
Users interact with the system by performing actions such as logging in, accessing files,
or executing commands. Each of these actions is logged by the system.
○ Logging and Auditing:
The system logs the details of these actions, including the user’s identity, the action
taken, the time and date, and the outcome. This log data is stored securely for future
reference. Auditing tools analyze these logs to ensure compliance with policies and
detect any unauthorized or suspicious activities.
○ Monitoring and Alerts:
Monitoring systems continuously observe logs and user activities in real time. If an
anomaly or policy violation is detected, the system may generate an alert for further
investigation. Alerts can be configured to notify administrators immediately, allowing
for a quick response to potential security threats.
○ Review and Analysis:
In the event of a security incident, the audit trail is reviewed to determine what actions
were taken, who was responsible, and how the incident occurred. This information is
crucial for responding to the incident and preventing future occurrences.
Accountability measures ensure that all steps are documented, and corrective actions
are taken.
Importance of Accountability:
○ Security: Accountability deters malicious or negligent behavior by ensuring that all
actions are tracked and can be traced back to an individual or system. This makes it
easier to identify and address security breaches.
○ Transparency: It promotes transparency within an organization, as users know their
actions are being monitored and recorded. This encourages adherence to policies and
ethical behavior.
○ Trust: Accountability builds trust between users and the organization, as it ensures that
everyone is responsible for their actions and that any misconduct will be addressed.
○ Compliance: Many industry regulations require organizations to maintain
accountability for user actions. Failing to do so can lead to legal penalties, loss of
reputation, and financial losses.
○ Incident Resolution: Accountability facilitates faster and more effective incident
resolution by providing a clear and detailed record of events, helping to identify the
root cause and responsible parties.
Challenges in Accountability:
 ○ Data Volume: In large organizations, the volume of log data can be overwhelming,
making it challenging to analyze and maintain effectively.
○ Privacy Concerns: While accountability requires monitoring and logging, it must be
balanced with privacy concerns to avoid overreach or misuse of user data.
○ Complex Environments: In complex, distributed environments, maintaining a clear
and consistent audit trail across multiple systems and platforms can be difficult.
○ False Positives: Monitoring systems may generate false positives, leading to unnecessary
alerts or investigations that can drain resources.
Best Practices for Maintaining Accountability:
○ Implement Strong Authentication: Ensure that all users are properly authenticated
using strong methods such as MFA, so actions can be reliably attributed.
○ Regularly Review and Update Policies: Keep security and access control policies up to
date and ensure they reflect current organizational needs and compliance requirements.
○ Automate Monitoring and Alerts: Use automated tools to monitor logs and generate
alerts, reducing the likelihood of human error and improving response times.
○ Conduct Regular Audits: Regularly audit logs and access records to ensure compliance
with policies and identify any unauthorized activities.
○ Educate Users: Make sure that all users are aware of the accountability measures in
place and understand their responsibilities within the system.
Accountability is a cornerstone of cybersecurity, ensuring that all actions within a system are
tracked, traceable, and auditable, thereby protecting the organization from unauthorized
access, data breaches, and non-compliance.