Cybersecurity Prologue
There have been several data breaches and cyber attacks in recent history.
Organizations are trying their best to prevent security breaches.
Any cybersecurity event can damage a hard-earned reputation and cause the loss of large
asset values. It is high time that people understand more about cybersecurity and
remain cautious at the same time.
Course Elements
Welcome to the course Cybersecurity. In this course, you will learn the following
topics.
What is Cybersecurity?
Malicious Programs
Core Security Principles
Risks, Threats, and Vulnerabilities
Cybersecurity Threats
Cybersecurity Architecture
Cybersecurity Incidents
Operating System Security
Email Protection
Network Security
Cyberworld
Get introduced to the different cybercrimes and attacks in this video before you delve
into the details of Cybersecurity.
Understanding Cybersecurity
Cybersecurity is the practice of protecting programs, networks, and systems from
digital attacks. It includes technologies, processes, and controls.
Generally, cyberattacks aim at accessing, modifying, or destroying sensitive
information; disrupting normal business processes; or extorting money from users.
Focus of Cybersecurity
Myths
These are common myths about computer viruses:
An error message displayed on the system means a virus infection - False; it can
just as well indicate a software or hardware fault.
Worms and viruses always need user interaction - False; a worm spreads on its own,
and malicious code can run without the user doing anything.
Email attachments received from known senders are safe - False; a compromised or
spoofed account can be used to spread infection.
Antivirus programs will end all threats - False; there is no 100% protection.
Malware cannot inflict physical damage on systems - False; the Stuxnet computer
worm damaged industrial centrifuges.
Malicious programs, or malware, are specifically designed to delete, block,
modify, or disrupt the operation of computers and computer networks.
Malware includes viruses, worms, Trojans, spyware, adware, ransomware,
and scareware. Of these, viruses and worms are the two most familiar
malicious programs.
Virus
A virus is a type of malicious software that can self-replicate and spread to other systems
or hosts, eventually corrupting them.
It requires an active operating system or host program (or an already-infected system)
to run and cause damage.
A virus spreads easily to other hosts through various means, one of the most frequent
being email attachments.
Worm
Unlike a virus, a worm is standalone software that does not need human help or a host
program to spread.
Worms can propagate and self-replicate within a system, using up resources such as
processing power and memory.
A worm enters the system through a vulnerability and abuses the system's
information-transport or file-transport features to reach the next host.
Botnets
Malnets
While botnets are largely used to distribute spam and malware to other users, a malnet
is used to draw users in and infect them.
Botnets are controlled by one or a few command servers, whereas malnets deploy
fast-changing infrastructures.
Malnet infrastructures allow cybercriminals to launch dynamic attacks that can
remain unnoticed by conventional antivirus vendors for days or months.
Malvertising
Malvertising is a newer way of spreading malware and is especially hard to combat, since
the malware rides into a webpage and spreads to the visitor's system unnoticed.
Malvertising is the injection of malicious or malware-laden advertisements
into legitimate online advertising networks and webpages.
It lets attackers reach a large number of websites without
directly compromising any of them.
The notable point about infection through malvertising is that, when the advertisement
carries an exploit, it does not require any user action such as clicking or downloading;
viewing the page is enough (a drive-by download).
Antivirus Software
Antivirus software tracks all files that enter the system from sources such as USB
drives, mail, or websites, and checks whether they match any of its virus or PUP
(potentially unwanted program) signatures.
If they match, it typically removes or quarantines them.
It is roughly 95% effective at detecting viruses and PUPs, and no more, because new
viruses and PUPs are created constantly and a signature exists only for what has
already been seen.
Antivirus software therefore needs continuous updates so that new signatures are
included.
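The following is an added example, not code from the course: a miniature signature scanner in Python that shows the two matching styles described above (an exact file hash and a byte pattern), quarantines matches by moving them out of the way, and also shows why the hash style alone is brittle. The signature database, the "PUP.Toolbar.Constructed" detection name and the sample files are constructed for this example; the EICAR string is the standard harmless antivirus test file.

```python
import hashlib
import re
import shutil
from pathlib import Path

# Constructed signature database (an assumption for this example; a real
# antivirus engine ships millions of signatures from a vendor feed and adds
# heuristics and behavioural checks on top).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Exact-match signatures: SHA-256 of a known sample -> detection name.
# In practice the digest comes from the vendor feed; here it is computed.
HASH_SIGNATURES = {
    hashlib.sha256(EICAR).hexdigest(): "EICAR-Test-File",
}

# Pattern signatures: byte patterns characteristic of a family or PUP.
# "PUP.Toolbar.Constructed" is a made-up detection name for this example.
PATTERN_SIGNATURES = [
    ("EICAR-Test-File.Pattern", re.compile(rb"EICAR-STANDARD-ANTIVIRUS-TEST-FILE")),
    ("PUP.Toolbar.Constructed", re.compile(rb"InstallSuperToolbar\((?:silent|hidden)\)")),
]


def scan_bytes(data: bytes) -> list[str]:
    """Return the sorted list of signature names that match `data`."""
    hits = set()
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        hits.add(HASH_SIGNATURES[digest])
    for name, pattern in PATTERN_SIGNATURES:
        if pattern.search(data):
            hits.add(name)
    return sorted(hits)


def quarantine(path: Path, quarantine_dir: Path) -> Path:
    """Move a detected file out of its original location so it cannot be
    executed or opened; the original name is kept with a .quarantined suffix."""
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    target = quarantine_dir / (path.name + ".quarantined")
    shutil.move(str(path), str(target))
    return target


def scan_tree(root: Path, quarantine_dir: Path) -> dict[str, list[str]]:
    """Scan every regular file below `root`; quarantine the ones that match.
    Returns {relative path: [signature names]} for detected files only."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        hits = scan_bytes(path.read_bytes())
        if hits:
            report[str(path.relative_to(root))] = hits
            quarantine(path, quarantine_dir)
    return report


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "downloads"
        root.mkdir()
        (root / "eicar.com").write_bytes(EICAR)
        (root / "eicar-variant.com").write_bytes(EICAR + b"\n")  # one extra byte
        (root / "setup.exe").write_bytes(b"MZ...InstallSuperToolbar(silent)...")
        (root / "notes.txt").write_bytes(b"quarterly report draft")
        for name, hits in scan_tree(root, Path(tmp) / "quarantine").items():
            print(f"{name}: {', '.join(hits)}")
```

The one-byte variant is the point of the demonstration: the hash signature no longer matches it, only the byte pattern does, which is why vendors ship pattern and heuristic signatures and why the database must be updated as new variants appear.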
Confidentiality
Confidentiality is the security attribute that aims to achieve data privacy and
protection against unauthorized disclosure.
Personally identifiable information (PII) includes Social Security numbers, credit card
information, and account numbers; business information such as financial data,
employee records, and trade secrets is also classified as confidential
information.
Integrity
Protecting data from unauthorized modification is called Integrity.
Availability
Availability is the security attribute that ensures data and services are available
to authorized users whenever required.
Protecting Information
Protection Mechanisms
A CIA-compliant system offers protection mechanisms that provide layered
protection for the data.
Use of proper checks and layered approach enhances confidentiality, integrity,
and availability.
Model
Multiple Layers - Different controls guard the system against various threats coming at
different levels.
Abstraction - Used for efficiency.
Data Hiding - Keeps data undiscoverable by unauthorized personnel.
Encryption - A technique used for masking the original data so that it can’t be
interpreted right away.
Cryptography Types
The two categories of encryption algorithm are symmetric, where one shared key both
encrypts and decrypts, and asymmetric. Asymmetric encryption:
Uses two different keys for encryption and decryption (a public key and a private key).
The public key may be freely shared, while the private key is kept confidential.
Is very slow and can only encrypt small pieces of data (an RSA operation, for example,
cannot encrypt more than its key size, typically 2048 bits, minus padding).
Is therefore used mainly to encrypt symmetric keys, which are then used to encrypt much
bigger blocks of data (hybrid encryption).
Is used for key exchange, non-repudiation, and authentication.
Ciphertext
Ciphertext is text whose plaintext form has been transformed so that it cannot be
read or understood by anyone who does not hold the key. It is also called
encrypted text.
How it Works?
Applications of Cryptography
• Integrity check — Cryptographic hash functions ensure that data has not been
modified, erased, or lost, whether accidentally or by an unauthorized party.
• Authentication — Uses a digital signature or a Message Authentication Code (MAC).
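The difference between those two applications is easy to get wrong, so here is an added example (not from the course) using only the Python standard library: a SHA-256 digest catches accidental corruption, but an attacker who can change the message can simply recompute the public hash, whereas an HMAC keyed with a shared secret cannot be recomputed without the key. The transfer message and the key are constructed for the example; asymmetric key wrapping from the previous section is not shown because the standard library has no RSA.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Integrity check: a digest of the data. Anyone can compute it."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def make_mac(key: bytes, message: bytes) -> bytes:
    """Authentication: HMAC-SHA256 over the message with a shared secret key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_ok(key: bytes, message: bytes, tag: bytes) -> bool:
    # compare_digest runs in constant time, so an attacker cannot learn the
    # correct tag byte by byte from response timing.
    return hmac.compare_digest(make_mac(key, message), tag)


def tamper(message: bytes, old: bytes, new: bytes) -> bytes:
    """What an attacker on the wire can do: rewrite the message."""
    return message.replace(old, new)


def demo() -> dict:
    key = secrets.token_bytes(32)              # shared between sender and receiver
    message = b"transfer amount=100 to=alice"  # constructed sample message

    # Case 1: integrity by hash alone; the digest travels with the message.
    # Accidental corruption is caught...
    digest = sha256_hex(message)
    corrupted = message[:-1] + b"?"
    accident_caught = not integrity_ok(corrupted, digest)

    # ...but a deliberate attacker rewrites the message AND the public digest.
    forged = tamper(message, b"100", b"9999")
    forged_digest = sha256_hex(forged)
    forgery_caught_by_hash = not integrity_ok(forged, forged_digest)

    # Case 2: authentication by MAC. The attacker cannot produce a valid tag
    # for the modified message without the key.
    tag = make_mac(key, message)
    forgery_caught_by_mac = not mac_ok(key, forged, tag)
    genuine_accepted = mac_ok(key, message, tag)

    return {
        "accident_caught": accident_caught,
        "forgery_caught_by_hash": forgery_caught_by_hash,
        "forgery_caught_by_mac": forgery_caught_by_mac,
        "genuine_accepted": genuine_accepted,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running it shows accident_caught and forgery_caught_by_mac as True and forgery_caught_by_hash as False: a bare hash proves nothing about who produced the data, which is exactly the gap a MAC (or a digital signature, for non-repudiation) closes.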
1. Assets
2. Threats
Probable dangers that are, in general, difficult to control. Threats can involve nature,
terrorists, or an unhappy employee.
3. Vulnerabilities
A weakness or security flaw in a system. Threats can exploit assets if the assets are
vulnerable: an internet-connected system is vulnerable if it is left unpatched.
4. Risks
Consequently, to know the risk to an asset, the possible vulnerabilities and threats must
be analyzed together:
Risk = Threat * Vulnerability
(Many risk frameworks also weight this by the asset's value, i.e. the impact of losing it.)
The first little pig constructed a house of straw, but the wolf blows it down and
eats the pig.
The second little pig constructed a house of sticks, but the wolf also blows it
down and eats the pig.
The third little pig constructed a house of bricks, which the wolf cannot blow
down.
In all three scenarios the threat is the same, 100%: the wolf always attempts to blow the
house down. What differs is the vulnerability of each house.
Vulnerability
Up Next!
Hopefully you understood that a vulnerability can be fixed and hence needs to be
addressed regularly. This, in turn, reduces risk.
Let's learn about attack surfaces in the next topic.
Attack Types
Phishing
Phishing is one of the most serious cyber threats of all time. Its main aim is to fool or
distract the victim into handing over confidential details such as card numbers, passwords,
bank account numbers, and addresses. Phishing spreads via email or phone calls.
Password Attack
Hackers do not require any forged URL, code, or email to perform this attack. They
carry it out by cracking passwords, and may use any of the available password-cracking
tools to do so.
Drive-By Download
Drive-by download might get triggered just by visiting a website. After entering a
website, unusual downloads might b
Hardware vulnerabilities cover devices that users attach to a system, such as plug-in
flash drives, along with the software they carry.
Cybersecurity Threat
A cybersecurity threat is a scenario in which someone tries to exploit possible
vulnerabilities to breach security, thereby impacting ongoing business.
Example scenario: a hacker or cybercriminal may want to break into bank accounts, collect
personal information, or even lock or encrypt your data for extortion.
Classification of Threats
Malicious: A hacker or disgruntled employee who is interested in a specific asset or
piece of information.
Intrusion Phases
A malicious attacker works towards an objective (for example, data exfiltration) by
planning and performing a set of activities; network intrusion happens in phases.
Reconnaissance - Continuous search for and identification of possible targets.
Weaponization - Pairing malware with a deliverable, e.g. an MS Office document.
Delivery - Transmitting the weapon to the identified target, e.g. by email or a website.
Exploitation - Exploiting a vulnerability in the target's applications so that the
weapon's code is triggered.
Installation - Installing a backdoor for persistent access.
Command and control - The installed implant opens a channel back to the attacker,
giving hands-on-keyboard access.
Actions on objectives - The attacker carries out the original goal, such as exfiltration.
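The phases are mostly useful to a defender as a way of ordering what the logs show. The following is an added example, not course material: a small Python classifier that maps log lines to kill-chain phases with a handful of constructed detection rules and reports how far an intrusion has progressed. The log lines, hostnames and addresses are constructed for the example; real detection content would be far larger. Note that weaponization happens on the attacker's side and leaves nothing in the defender's logs, so no rule exists for it.

```python
import re

# Phases in order. Weaponization happens on the attacker's side and leaves
# no event in the defender's logs, so it never appears in a timeline.
PHASES = [
    "Reconnaissance", "Weaponization", "Delivery", "Exploitation",
    "Installation", "Command and control", "Actions on objectives",
]

# Constructed detection rules for this example: (phase, regex over the log text).
RULES = [
    ("Reconnaissance", re.compile(r"port scan|dns zone transfer|web crawler", re.I)),
    ("Delivery", re.compile(r"inbound message .* attachment|download from untrusted", re.I)),
    ("Exploitation", re.compile(r"(winword|excel|acrobat)\.exe spawned|macro executed", re.I)),
    ("Installation", re.compile(r"scheduled task .* created|run key added|new service installed", re.I)),
    ("Command and control", re.compile(r"periodic .* (post|beacon)|known c2", re.I)),
    ("Actions on objectives", re.compile(r"upload .* (unknown|external)|mass file encryption", re.I)),
]


def classify(text: str):
    """Return the kill-chain phase a log line indicates, or None."""
    for phase, pattern in RULES:
        if pattern.search(text):
            return phase
    return None


def timeline(lines):
    """Map each recognised line to (timestamp, phase, text), in log order."""
    out = []
    for line in lines:
        ts, _, text = line.partition(" ")
        phase = classify(text)
        if phase:
            out.append((ts, phase, text))
    return out


def furthest_phase(lines):
    """Deepest phase reached. The later the phase, the less time the defender
    has left before the attacker completes the objective."""
    seen = [PHASES.index(phase) for _, phase, _ in timeline(lines)]
    return PHASES[max(seen)] if seen else None


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2024-05-01T08:02:11Z ids: port scan from 203.0.113.5 against 10.0.0.0/24",
    "2024-05-01T09:15:40Z mailgw: inbound message to j.doe with attachment invoice.docm",
    "2024-05-01T09:17:03Z edr: WS-12 winword.exe spawned powershell.exe -enc ...",
    "2024-05-01T09:17:05Z edr: WS-12 scheduled task 'Updater' created by powershell.exe",
    "2024-05-01T09:18:00Z proxy: WS-12 periodic HTTP POST to 198.51.100.7 every 60s",
    "2024-05-01T11:40:00Z dlp: WS-12 upload of 2 GB archive to external host",
    "2024-05-01T11:41:00Z auth: j.doe logged in from WS-12",
]

if __name__ == "__main__":
    for ts, phase, text in timeline(SAMPLE_LOG):
        print(f"{ts}  {phase:<22} {text}")
    print("furthest phase:", furthest_phase(SAMPLE_LOG))
```

Had the analyst stopped reading after the second line, the intrusion would have been reported at the delivery stage, where blocking the attachment is cheap; by the sixth line the data is already leaving, which is why the phase ordering drives response priority.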
Botmaster Threat
Most cyberattacks are automated or semi-automated by botmasters.
An attack typically starts from a known entry point, such as a URL under the attacker's
control, and then, by scanning the surrounding LAN or internet address space, goes on
to exploit every associated vulnerable system it can find.
Threat Modeling
Threat modeling is a process by which potential vulnerabilities and threats can be
recognized, enumerated, and prioritized – all from the view of a hypothetical attacker.
Considerations
Identify Security Objectives - Security objectives are the goals that have a
significant influence on the confidentiality, integrity, and availability constraints of
data and applications in a system.
Survey the Application - Analyze and identify assets, data flow, and trust
boundaries (UML component diagram).
Decompose the application - Identify the features and modules that make up
an application (How a module validates and processes data before storing it).
Identify Threats and Vulnerabilities - Consider threats not only from the cyber
perspective but also across the physical and personnel (people) dimensions.
Dynamic analysis
Dynamic or Behavioral analysis is done by observing the behavior of the malware and is
often performed in a sandbox-virtual environment to prevent malware from actually
infecting production systems.
Threat Management
Threat management is the best practice for managing cyber threats; it enables early
identification of vulnerabilities using data-driven situational analysis.
Risk Mitigation
Reduce risk by preventing cyberattacks with the security tools, policies, best
practices, and guidelines available for current technologies.
STRIDE - A threat classification model (Spoofing, Tampering, Repudiation, Information
disclosure, Denial of service, Elevation of privilege). It keeps the enumeration focused,
limiting false-positive threats, and is used to reason about and find threats to a system.
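Putting the threat-modeling steps above (survey the application, decompose it, identify threats) together with STRIDE, here is an added example that is not part of the course: a Python enumerator that applies STRIDE-per-element to a small data-flow model, raising the priority of flows that cross a trust boundary or carry sensitive data. The web-application model (Browser, WebApp, UserDB, AuditLog) and the priority weights are constructed assumptions for the example.

```python
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# STRIDE-per-element: the categories that apply to each data-flow-diagram
# element type (external entities can be spoofed and repudiate; processes
# get everything; stores and flows cannot elevate privilege).
APPLICABLE = {"external_entity": "SR", "process": "STRIDE",
              "data_store": "TRID", "data_flow": "TID"}


@dataclass
class Element:
    name: str
    kind: str    # external_entity | process | data_store
    zone: str    # trust zone the element lives in


@dataclass
class Flow:
    src: str
    dst: str
    data: str
    sensitive: bool = False


@dataclass
class Threat:
    element: str
    category: str
    priority: int
    note: str


def enumerate_threats(elements, flows):
    """Survey + decompose + identify: list every applicable STRIDE threat,
    prioritised by trust-boundary crossings and data sensitivity."""
    index = {e.name: e for e in elements}
    exposure = {e.name: 0 for e in elements}
    threats = []
    for f in flows:
        crosses = index[f.src].zone != index[f.dst].zone
        if crosses:
            exposure[f.dst] += 1          # receiving side gains attack surface
        priority = 1 + int(crosses) + int(f.sensitive)
        note = f.data + (", crosses a trust boundary" if crosses else "") \
                      + (", sensitive" if f.sensitive else "")
        for code in APPLICABLE["data_flow"]:
            threats.append(Threat(f"{f.src} -> {f.dst}", STRIDE[code], priority, note))
    for e in elements:
        for code in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, STRIDE[code], 1 + exposure[e.name],
                                  f"{e.kind} in zone '{e.zone}'"))
    return sorted(threats, key=lambda t: (-t.priority, t.element, t.category))


# Constructed model of a small web application (an assumption for this example).
ELEMENTS = [
    Element("Browser", "external_entity", "internet"),
    Element("WebApp", "process", "dmz"),
    Element("UserDB", "data_store", "internal"),
    Element("AuditLog", "data_store", "internal"),
]
FLOWS = [
    Flow("Browser", "WebApp", "login credentials", sensitive=True),
    Flow("WebApp", "UserDB", "account query", sensitive=True),
    Flow("WebApp", "AuditLog", "audit events"),
]

if __name__ == "__main__":
    for t in enumerate_threats(ELEMENTS, FLOWS):
        print(f"P{t.priority} {t.element:<20} {t.category:<24} {t.note}")
```

The output is the raw threat list a review meeting starts from: the credential flow from the internet and the query flow into the internal zone come out on top, and each line still needs a human to decide whether a control (TLS, input validation, authorization checks) already mitigates it.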
Mitigation Steps
i) Classify Assets - Classify information assets based on their business significance.
ii) Stay Informed - IT and security teams need to stay updated on the latest threats
and attacks.
iii) Effective Controls - Put critical controls in place and monitor them continuously.
iv) Governance and Reporting - Inform senior management of cybersecurity policies
and control mechanisms.
Supporting techniques:
Big data analytics can be used to detect long and slow Advanced Persistent
Threats (APTs).
Machine learning and UEBA (User and Entity Behavior Analytics).
Intelligence feeds - Threat intelligence feeds, malware analysis, and
vulnerability scans.
Threat Intelligence
Threat intelligence is required at the following levels.
Cybersecurity Architecture
Cybersecurity architecture is about understanding the business scope and requirements,
and then designing and developing a security architecture to implement and support them.
Controls
When defining controls in the security architecture, do not rely on a single
parameter; define controls at the different stages to detect and
prevent possible threats.
Example: for finer control, define five levels of SLA-based security controls,
e.g. from 98.9% down to 98.5%, each with its own action points.
SABSA Framework
Sherwood Applied Business Security Architecture (SABSA) is an open framework
used to create enterprise security architecture.
It is a risk-driven method based on the analysis of the business requirements.
Its primary objective is to protect the business with the required level of
security.
The SABSA framework is commonly represented as the 6x6 SABSA matrix.
SABSA Matrix
The 6x6 SABSA matrix is divided into four 3x3 matrices for easier representation.
Before designing security architecture, you should identify and define role-
based privileges for associates working in different locations as per the required
timeline.
In the Security Architecture designing phase, you should consider physical and
operational components like data structure, model, standard practices,
product tools, and required support services.
Finally, user interface and applications should provide security platform support to all
identified operational schedules and its corresponding business functions.
Incident Management
An incident is an event that may lead to disruption of business operations.
Incident Response
Preparation - Involve the team and define the required procedures for guidance.
Response
Incident Category
Incident categories can be defined according to business priorities, ranging from
test incidents to an unauthorized attack.
A precursor is a sign that an incident may occur in the future. Example: a cabin-crew
alarm would be a precursor to an airline incident.
An indicator is a sign that an incident may have occurred, or may be occurring now.
Example: a breach of the minimum required SLA percentage.
When authenticating to a system, you use one (or more) of three things: something you
know (a password or PIN), something you have (a token or card), or something you are
(a biometric). For a password, follow these guidelines:
Length of at least eight characters.
A combination of upper- and lowercase letters, numbers, punctuation marks, and symbols.
A passphrase for an even stronger password, for example LetsGototheba!!park.
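The password-attack threat described earlier and the guidelines just given meet in the following added example, which is not course material: a Python script that checks the stated policy, estimates brute-force search space, stores passwords the way a server should (salted PBKDF2-HMAC-SHA256, with the work factor recorded in the stored record) and then runs an offline dictionary attack against the stored record. The five-word wordlist and the mangling rules are constructed; the passphrase is the one from the text.

```python
import hashlib
import hmac
import math
import secrets
import string

# Character classes used by the policy in the text (eight characters or more,
# drawn from several classes).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor for real storage


def classes_used(password: str) -> set:
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def check_policy(password: str) -> list:
    """Violations of the stated policy; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def entropy_bits(password: str) -> float:
    """Brute-force search space, log2(alphabet ** length), assuming the attacker
    knows which classes were used. Dictionary-based passwords score well here
    yet fall quickly, as the attack below shows."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash for storage: the salt defeats precomputed tables and
    the iteration count makes every cracking guess cost as much as a login."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed five-word wordlist; real cracking wordlists hold millions of entries.
WORDLIST = ["password", "welcome", "summer", "letmein", "dragon"]


def mangle(word: str):
    """Common rules a cracking tool applies to each dictionary word."""
    cap = word.capitalize()
    yield from (word, cap, word + "123", cap + "123", word + "!", cap + "!")


def dictionary_attack(record: str) -> tuple:
    """Offline attack against a stolen hash record: (password or None, guesses)."""
    guesses = 0
    for word in WORDLIST:
        for candidate in mangle(word):
            guesses += 1
            if verify_password(candidate, record):
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ("Summer123", "LetsGototheba!!park"):
        # iteration count lowered so the demo runs in about a second
        record = hash_password(pw, iterations=20_000)
        cracked, guesses = dictionary_attack(record)
        print(f"{pw!r}: policy={check_policy(pw) or 'ok'} "
              f"entropy={entropy_bits(pw):.1f} bits "
              f"cracked={cracked!r} after {guesses} guesses")
```

"Summer123" satisfies the policy and scores about 54 bits on the brute-force estimate, yet falls on the 16th guess because it is a dictionary word with a common mangling; the passphrase survives the whole list. Two lessons follow: complexity rules are weaker than length and unpredictability, and the iteration count in the stored record is the only thing standing between a leaked database and a cracked one.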
Now, you will have a detailed look at Biometric Authentication in the next topic.
Biometric Authentication
Biometrics authenticate by using an individual's unique physical attributes or behavior.
It is typically the most expensive way to prove identity. A biometric system recognizes an
individual by comparing the captured biometric with the biometric template stored in the
system.
Biometrics are used in multifactor authentication systems. For example, you place
your fingerprint on a sensor and then enter your PIN (multifactor authentication).
Biometrics - Explained
Biometric traits generally last a lifetime, which simplifies access control on devices
and networks. The flip side is that, unlike a password, a compromised biometric cannot be
changed.
Behavioral:
Gait is a newer biometric. This is the way someone walks, and we can capture that gait
from a distance.
Signature - This is the way someone signs, the pressure of the stroke and curves.
Voice Recognition - It recognizes who is speaking, the inflection, and the patterns of
their speech. However, it is different from speech recognition.
Physiological:
Hand geometry is one of the first biometrics and measures each finger and the hands as
a whole.
Facial recognition - A camera scans the face, and it identifies key indicators, the nose,
the forehead, and the cheeks.
Iris recognition - It identifies the colored portion of the eye and the patterns of an iris
are very unique.
Introducing RADIUS
One of the methods used for access control of remote or external users is Remote
Authentication Dial-In User Service (RADIUS).
RADIUS is used for the following activities:
Providing access control for routers, network access servers, and other networked
computing devices.
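What actually crosses the wire between a network access server and a RADIUS server is worth seeing once. The following is an added example, not code from the course: a minimal Access-Request / Access-Accept round trip in Python using only the standard library, following RFC 2865 for the packet layout, the User-Password hiding and the Response Authenticator. The shared secret, user name, password and addresses are constructed. It also makes the weaknesses visible: password hiding is an MD5-keyed XOR and the reply is authenticated with an MD5 over the secret, which is why RADIUS is normally carried inside IPsec or TLS (RadSec, RFC 6614) rather than trusted on an open network.

```python
import hashlib
import hmac
import secrets
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2 User-Password hiding: pad to 16-byte blocks and XOR each
    block with MD5(secret + previous block); the Request Authenticator seeds block 1."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, key))
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    # Type, Length (including this 2-byte header), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    # Code, Identifier, Length, 16-byte Authenticator, Attributes
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(identifier, username, password, nas_ip, secret):
    """NAS side: a fresh random Request Authenticator for every request."""
    request_auth = secrets.token_bytes(16)
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return packet(ACCESS_REQUEST, identifier, request_auth, attrs), request_auth


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it, authenticate the reply."""
    code, identifier, length = struct.unpack("!BBH", request[:4])
    assert code == ACCESS_REQUEST
    request_auth = request[4:20]
    attrs = parse_attributes(request[20:length])
    username = attrs[USER_NAME].decode()
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth).decode()
    # Plain comparison against a constructed user table; a real server checks a
    # stored password hash or forwards to a directory.
    reply_code = ACCESS_ACCEPT if users.get(username) == password else ACCESS_REJECT
    reply_attrs = b""
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return packet(reply_code, identifier, response_auth, reply_attrs)


def client_verify(reply: bytes, request_auth: bytes, secret: bytes):
    """NAS side: accept the verdict only if the Response Authenticator checks out."""
    code, _, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20]), code


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    request, request_auth = build_access_request(7, "jdoe", "S3cret!pw", "192.0.2.10", secret)
    reply = server_handle(request, secret, {"jdoe": "S3cret!pw"})
    print("request bytes:", request.hex())
    print("reply valid, code:", client_verify(reply, request_auth, secret))
```

Everything a network eavesdropper needs to attack the hidden password offline is the request itself plus a guess at the shared secret, so the secret must be long and random and the transport protected; the shared secret is also what lets a forged Access-Accept be rejected, as the last check in client_verify shows.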
Email
Email is among the most commonly used communication tools for personal and
business use.
Abusive emails typically carry a fake sender address that hides the sender's real
address. Anonymity is the key to effectively impersonating an identity in order to obtain
passwords or personal data.
In this section, you will understand more about email security threats.
Spam
Spoofing
An attacker spoofs an identity and casts a wide net over many recipients. This act is
known as phishing.
Recipients are generally redirected to a fake website, where they may be asked to
enter personal information, or a single click may download a virus.
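The signs of a spoofed phishing message are mechanical enough to check automatically. The following is an added example and not course material: a Python analyzer, built on the standard library's email package, that parses a raw message and flags an envelope sender that does not match the From domain, a Reply-To pointing elsewhere, a display name borrowing a trusted brand from an untrusted domain, links whose visible text shows one host while the href goes to another (or to a raw IP address), and attachments with risky extensions. The trusted domain list, brand words and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example: the organisation's genuine domain and the
# brand name an impersonator would put in a display name.
TRUSTED_DOMAINS = {"example-bank.test"}
BRAND_WORDS = {"example bank"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".docm"}
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def domain_of(header_value) -> str:
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def analyze(raw: str) -> list:
    """Return (code, detail) findings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, _ = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))   # envelope sender
    reply_domain = domain_of(msg.get("Reply-To"))

    if envelope_domain and envelope_domain != from_domain:
        findings.append(("envelope-mismatch", f"Return-Path {envelope_domain} vs From {from_domain}"))
    if reply_domain and reply_domain != from_domain:
        findings.append(("replyto-mismatch", f"Reply-To {reply_domain} vs From {from_domain}"))
    if any(b in display.lower() for b in BRAND_WORDS) and from_domain not in TRUSTED_DOMAINS:
        findings.append(("brand-impersonation", f"'{display}' sent from untrusted {from_domain}"))

    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            suffixes = filename.lower().rsplit(".", 2)[1:]   # up to two trailing extensions
            if any("." + s in RISKY_EXTENSIONS for s in suffixes):
                findings.append(("risky-attachment", filename))
        elif part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                href_host = urlparse(href).hostname or ""
                shown_host = urlparse(re.sub(r"<[^>]+>", "", text).strip()).hostname
                if shown_host and shown_host != href_host:
                    findings.append(("link-mismatch", f"shows {shown_host}, goes to {href_host}"))
                if IPV4_RE.match(href_host):
                    findings.append(("link-ip", href_host))
    return findings


def constructed_phish() -> str:
    """Constructed phishing message (not a real sample) with the tell-tale signs."""
    msg = EmailMessage()
    msg["From"] = '"Example Bank Security" <alerts@examp1e-bank.test>'
    msg["To"] = "j.doe@example-corp.test"
    msg["Reply-To"] = "verify@mail-login.test"
    msg["Return-Path"] = "<bounce@bulk-mailer.test>"
    msg["Subject"] = "Urgent: verify your account"
    msg.set_content("Please verify your account within 24 hours.")
    msg.add_alternative(
        '<html><body><p>Please sign in at '
        '<a href="http://198.51.100.23/login">https://www.example-bank.test/login</a>'
        '</p></body></html>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    return msg.as_string()


def constructed_legit() -> str:
    """Constructed genuine notification from the trusted domain."""
    msg = EmailMessage()
    msg["From"] = '"Example Bank" <alerts@example-bank.test>'
    msg["To"] = "j.doe@example-corp.test"
    msg["Return-Path"] = "<alerts@example-bank.test>"
    msg["Subject"] = "Your monthly statement is ready"
    msg.set_content("Log in at https://www.example-bank.test to view your statement.")
    return msg.as_string()


if __name__ == "__main__":
    for code, detail in analyze(constructed_phish()):
        print(f"{code:<20} {detail}")
    print("legit findings:", analyze(constructed_legit()))
```

These header checks are heuristics; the authoritative test of whether the From domain allowed that sending server is SPF/DKIM/DMARC evaluation at the receiving gateway, which this example does not perform.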
Pharming
Defense Mechanisms
60% of emails received in an organization are marked as spam every year.
What should you do to defend yourself?
What is a Firewall?
Firewalls play an essential role in network security.
Classes of Firewall
Class 1 - Host-based software firewall, used on a laptop or desktop computer.
Class 2 - Router firewall that generally offers only basic firewall features.
These are not used in enterprise networks for security reasons, as they
cannot withstand aggressive attacks.
Class 3 - Low-end hardware firewall. These are suitable for small businesses,
as they offer unified threat management (UTM) with anti-spyware and
anti-virus capabilities.
Class 4 - High-end hardware firewall. These are useful for small and mid-size
businesses, as they offer edge protection for critical infrastructure
environments without reducing performance.
Class 5 - High-end server firewall, used when the stakes are high and built
for high-throughput needs.
Network Access Protection (NAP) is a framework that uses a Network Policy Server (NPS).
The NPS stores the health policies and evaluates the health of connecting
computers. Three kinds of policy are supported:
Connection request policies determine whether requests from RADIUS clients are
handled locally by the NPS or forwarded to another RADIUS server.
Network policies define whether a connection is authorized or rejected.
Health policies define the conditions a computer must meet in order to connect to
the network.
What is a Honeypot?
A Honeypot is a system set up to lure an attacker, to learn about attack methodologies
to protect the real network better, and to gather evidence of intruders.
The placement of a honeypot depends on your objectives. The options are:
Inside the LAN
In the DMZ (demilitarized zone)
Outside the perimeter, as bait for an attacker.
The best place to keep a honeypot is usually the DMZ, because despite being a fake
system, it is essentially part of your network. Wherever it sits, isolate it so that an
attacker who compromises it cannot pivot from it to real systems.
You must put interesting-looking data on the system so that it appears to be a valuable
target. This matters because the honeypot forms part of your intrusion detection
capability, but its main purpose is gathering information about the intruder's methods.
Tcpdump
Tcpdump is an open source command-line tool for monitoring network traffic. It captures
packets and displays their headers, matching them against a set of filter criteria.
Syslog
Syslog is used to gather device logs from various machines in a central location for
review and monitoring.
The protocol is enabled on the majority of network equipment such as firewalls, switches,
and routers, and even on some scanners and printers.
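Once logs from firewalls, switches and servers land in one place, the value comes from parsing them into fields and looking across devices. The following is an added example, not course material: a Python parser for the classic BSD syslog line format (RFC 3164, the format most network gear still emits), followed by a small detection that counts SSH password failures per source address and flags a success that follows a run of failures. The sample lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter

# RFC 3164 (BSD) syslog line: <PRI>TIMESTAMP HOST TAG[PID]: MESSAGE
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {i: n for i, n in enumerate(["kern", "user", "mail", "daemon", "auth",
              "syslog", "lpr", "news", "uucp", "cron", "authpriv", "ftp"])}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})


def parse_line(line: str):
    """Split one syslog line into fields; PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {
        "facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"], "host": m["host"], "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None, "msg": m["msg"],
    }


def parse_all(lines):
    return [ev for ev in map(parse_line, lines) if ev]


def per_host(events) -> dict:
    return dict(Counter(ev["host"] for ev in events))


FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def detect_brute_force(events, threshold: int = 3) -> dict:
    """Sources with >= threshold SSH failures, and logins that succeeded after
    such a run (the pattern that turns a noisy alert into an incident)."""
    failures = Counter()
    compromised = []
    for ev in events:
        if ev["tag"] != "sshd":
            continue
        if (m := FAILED_RE.search(ev["msg"])):
            failures[m.group(2)] += 1
        elif (m := ACCEPTED_RE.search(ev["msg"])) and failures[m.group(2)] >= threshold:
            compromised.append((ev["host"], m.group(1), m.group(2)))
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"suspects": suspects, "compromised": compromised}


# Constructed sample lines from a firewall, a server, a switch and a printer.
SAMPLE_LINES = [
    "<38>May  1 09:17:01 gw-fw1 sshd[2211]: Failed password for root from 203.0.113.5 port 51122 ssh2",
    "<38>May  1 09:17:03 gw-fw1 sshd[2211]: Failed password for root from 203.0.113.5 port 51123 ssh2",
    "<38>May  1 09:17:06 gw-fw1 sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 51124 ssh2",
    "<38>May  1 09:17:09 gw-fw1 sshd[2213]: Accepted password for root from 203.0.113.5 port 51130 ssh2",
    "<38>May  1 09:17:20 app-srv1 sshd[901]: Failed password for jdoe from 10.0.0.42 port 40001 ssh2",
    "<38>May  1 09:17:25 app-srv1 sshd[902]: Accepted publickey for jdoe from 10.0.0.42 port 40002 ssh2",
    "<134>May  1 09:18:10 core-sw1 %LINK-3-UPDOWN: Interface Gi1/0/12, changed state to down",
    "<13>May  1 09:20:00 printer-2 lpd: job 42 printed",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    events = parse_all(SAMPLE_LINES)
    print("events per host:", per_host(events))
    print("brute force:", detect_brute_force(events))
```

Note that the BSD timestamp carries no year or time zone, so a real collector must stamp arrival time itself; the newer RFC 5424 format fixes this and is worth enabling where the device supports it.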