Cybersecurity Prologue


Cybersecurity - Significance

There have been several data breaches and cyber attacks in recent history, and
organizations are trying their best to prevent security breaches.
Any cybersecurity event can damage a hard-earned reputation and cause the loss of
high-value assets. It is high time that people understand more about cybersecurity and
act cautiously at the same time.

Course Elements
Welcome to the course Cybersecurity. In this course, you will learn the following
topics.

 What is Cybersecurity?
 Malicious Programs
 Core Security Principles
 Risks, Threats, and Vulnerabilities
 Cybersecurity Threats
 Cybersecurity Architecture
 Cybersecurity Incidents
 Operating System Security
 Email Protection
 Network Security

Cyberworld
Get introduced to the different cybercrimes and attacks in this video before you delve
into the details of Cybersecurity.

Understanding Cybersecurity
Cybersecurity is the practice of protecting programs, networks, and systems from
digital attacks. It includes technologies, processes, and controls.
Generally, cyberattacks aim at accessing, modifying, or destroying sensitive
information; disrupting normal business processes; or extorting money from users.

Virtual Local Area Network


A virtual local area network (VLAN) groups hosts into one logical subnet regardless of
where they are physically connected, creating smaller broadcast domains and limiting
which hosts can see each other's traffic.
VLANs offer several advantages over traditional LANs.
 Simplified Administration - When a computer is moved, it can stay in the same VLAN
without any hardware reconfiguration.
 Performance - Broadcast and multicast traffic is reduced because broadcast domains
are built with switches instead of routers.
A VLAN separates traffic only at layer 2: access between VLANs still has to be filtered
at the router or firewall, and misconfigured trunk ports can allow VLAN hopping, so a
VLAN on its own is a segmentation aid rather than a security boundary.

Why is Cybersecurity Required?


 It protects the data and integrity of computing assets in an organization's
network.
 It defends those assets against all threat actors throughout the entire life cycle of
a cyberattack.

Keeping pace with cybersecurity strategies and operations can be a challenge, as
cyberspace expands with technologies like cloud and mobile computing.

The US Office of Personnel Management (OPM) discovered in April 2015 that it had
been hacked, resulting in the theft of approximately 21.5 million personnel records.
It is considered one of the largest breaches of government data in US history.
The breach compromised Personally Identifiable Information (PII) such as Social
Security numbers, names, and addresses.

Focus of Cybersecurity

The focus of cybersecurity is on preventing, mitigating, detecting, investigating,
and responding to cyber attacks.
The complexity of cyberspace implies that there are potentially endless lists of attack
scenarios and malicious programs. You will learn about the different malicious
programs in the next section!

Myths
The following are common myths about computer viruses:
 An error message displayed on the system means a virus infection - False; it can just
as well mean a software or hardware problem.
 Worms and viruses always need user interaction - False; worms in particular run and
spread without any user action.
 Email attachments received from known senders are safe - False; a known sender's
account or machine may itself be infected, and attachments are a common way to spread
infection.
 Antivirus programs will stop all threats - False; there is no 100% protection.
 Malware cannot inflict physical damage on systems - False; the Stuxnet worm damaged
the centrifuges controlled by the industrial systems it infected.

Malicious Programs
 Malicious programs, or malware, are specifically designed to delete, block, modify, or
disrupt data and the performance of computers and computer networks.
 Malware includes viruses, worms, Trojans, spyware, adware, ransomware, and
scareware. Of these, viruses and worms are the two most familiar malicious programs.

Worm and Virus

Virus

 A virus is malicious software that attaches itself to a host program or file, replicates
itself and spreads to other systems or hosts, eventually corrupting them.
 It requires an active host program (or an already infected system) to run and cause
damage.
 A virus spreads to other hosts through some carrier, one of the most frequent being an
email attachment.

Worm

 Unlike a virus, a worm is standalone software that needs no host program and no human
action to spread.
 Worms self-replicate within and across systems, using up resources such as
processing and memory.
 A worm typically enters the system through a vulnerability and abuses the system's
information-transport or file-transport features to propagate further.



Notable Worms and Viruses


 Zeus (Trojan) - targeted Microsoft Windows to collect banking credentials by
keystroke logging.
 Nimda (worm) - caused an estimated $530 million in damage within one week. It
propagated by mailing itself to email addresses harvested from infected hosts and by
appending JavaScript to web pages on the web servers it compromised.
 CryptoLocker (Trojan ransomware) - encrypts files on the user's hard drive and
demands a ransom from the user in exchange for the decryption key.
Malnets and Botnets

Botnets

The word botnet is derived from the words robot and network.

 The objective of building a botnet is to infect as many connected devices as
possible.
 A bot is a device infected by malware that becomes part of a network of infected
devices administered by a single attacker or attack group.
 Botnet operators look for vulnerable devices across the whole internet instead of
targeting particular individuals, industries or companies.

Malnets

 While botnets are largely used to distribute spam and malware to other users, a malnet
(malware network) is built to draw users in and infect them.
 Botnets are controlled by one or a few command-and-control servers, whereas malnets
rely on fast-changing infrastructures (rotating domains and relay, exploit and payload
servers).

Malnet infrastructures allow cybercriminals to launch dynamic attacks that can go
unnoticed by conventional anti-virus vendors for days or months.

Malvertising
Malvertising is a newer way of spreading malware and is hard to combat, because the
malicious content arrives through a legitimate webpage and runs on the visitor's system
without the user noticing.
 Malvertising is the injection of malicious or malware-laden advertisements into
genuine online advertising networks and webpages.
 It lets attackers reach the visitors of a large number of websites without directly
compromising those sites.
 Notably, infection through malvertising may not require any user action such as
clicking or downloading: a drive-by exploit carried in the advertisement is enough.

Did You Know?

In May 2017, the "WannaCry" ransomware infected more than 200,000 computers in
over 150 countries by exploiting a flaw in Microsoft's SMBv1 implementation (the
EternalBlue exploit), for which Microsoft had already issued patch MS17-010 two
months earlier.
Many companies and organizations, including Telefonica, FedEx, Renault, and the
NHS, were significantly affected by WannaCry.
Infection: Signs and Symptoms
Some signs that could indicate your system is infected:

 Reduced performance due to slow-running processes
 System instability
 Your browser's home page changed without your doing
 Pop-up ads appearing more often than usual
 Browser redirection to sites you did not request
 Disabled functions (for example, security tools that no longer start)
 Inability to connect to the Internet or to access higher-level system control
functions

Antivirus Software

 Antivirus software inspects the files that enter the system from sources such as USB
drives, email, or websites and checks whether they match any of its virus or PUP
(potentially unwanted program) signatures.
 If a file matches, the software typically removes or quarantines it.
 Signature-based detection is never complete; figures of around 95% are often quoted,
because new viruses and PUPs are created faster than signatures for them can be
published.
 Antivirus software therefore has to be updated continuously so that new signatures
are included.
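How signature matching works, and why a build the vendor has not yet seen slips through, as an added Go example (this is not code from the course or from any antivirus product; the signature database, the file contents and the c2.evil.example host are constructed for the demo):

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signature is one entry in a constructed, hypothetical signature database.
// A hash signature matches exactly one known file; a pattern signature
// matches a byte sequence that a malware family tends to keep across builds.
type Signature struct {
	Name    string
	Hash    string // hex SHA-256 of a known sample, or "" if unused
	Pattern []byte // distinctive byte sequence, or nil if unused
}

// hashOf returns the hex SHA-256 of a file's contents.
func hashOf(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Scan returns the names of all signatures that match the file contents.
func Scan(data []byte, db []Signature) []string {
	fileHash := hashOf(data)
	var hits []string
	for _, sig := range db {
		switch {
		case sig.Hash != "" && sig.Hash == fileHash:
			hits = append(hits, sig.Name)
		case len(sig.Pattern) > 0 && bytes.Contains(data, sig.Pattern):
			hits = append(hits, sig.Name)
		}
	}
	return hits
}

func main() {
	// Constructed stand-ins for executables; the C2 host is made up.
	known := []byte("MZ...dropper build 1...connect c2.evil.example:4444...")
	db := []Signature{
		{Name: "Dropper.A (hash)", Hash: hashOf(known)},
		{Name: "Dropper.gen (pattern)", Pattern: []byte("connect c2.evil.example:4444")},
	}

	// 1. The captured sample is caught by both signature types.
	fmt.Println("known sample:", Scan(known, db))

	// 2. A rebuilt variant: one byte differs, so the hash signature misses it,
	//    but the generic pattern still fires.
	variant := []byte("MZ...dropper build 2...connect c2.evil.example:4444...")
	fmt.Println("rebuilt variant:", Scan(variant, db))

	// 3. A new build with a changed C2 string evades both signatures until the
	//    vendor ships an update; this gap is what the "never 100%" figure means.
	fresh := []byte("MZ...dropper build 3...connect c2.evil.example:8443...")
	fmt.Println("new build, stale database:", Scan(fresh, db))

	// 4. After the signature update the new build is detected again.
	db = append(db, Signature{Name: "Dropper.C (hash)", Hash: hashOf(fresh)})
	fmt.Println("new build, updated database:", Scan(fresh, db))
}
```

Real products layer heuristics and behavioral monitoring on top of this, but the dependency on a current database is the same: step 3 is only closed by the update in step 4.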

Core Security Principles
 The fundamental objective of a secure system is to ensure Confidentiality, Integrity,
and Availability. Commonly known as the CIA triad, this is widely acknowledged in
information assurance models.
 In this section, you will understand each of these in more detail.

Confidentiality

Confidentiality is the security attribute that aims to achieve data privacy and
protection against unauthorized disclosure.
Personally Identifiable Information (PII) such as Social Security numbers, credit card
information and account numbers, and business information such as financial data,
employee records, and trade secrets, are all categorized as confidential information.

Integrity
Integrity means protecting data from unauthorized modification.

 Integrity is compromised when data or information is changed or tampered with, either
accidentally or maliciously.
 Violation of integrity - e.g., a student logging into the grading system and changing
his or her Physics grade from D to A.

Preventing and Detecting Integrity Violations:

 Auditing the network for unusual or suspicious activity.
 File-integrity monitoring tools such as Tripwire, which record checksums of important
files on a known-good system and later compare them against the current files to detect
any unauthorized change.
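The Tripwire-style check described above, as an added Go example (not the course's code and not Tripwire's): it hashes every file under a directory into a baseline, then diffs a later snapshot against it. The sample files in main (a tiny passwd/sudoers tree written to a temporary directory) and the simulated attacker changes are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Baseline maps a file path (relative to the monitored root, with forward
// slashes) to the hex SHA-256 of its contents.
type Baseline map[string]string

// Report lists what changed between a stored baseline and the current tree.
type Report struct {
	Modified []string // same path, different hash
	Added    []string // present now, absent in the baseline
	Removed  []string // present in the baseline, absent now
}

// Clean reports whether nothing changed.
func (r Report) Clean() bool {
	return len(r.Modified)+len(r.Added)+len(r.Removed) == 0
}

// HashTree walks root and hashes every regular file beneath it.
func HashTree(root string) (Baseline, error) {
	b := Baseline{}
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, path)
		if err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		b[filepath.ToSlash(rel)] = hex.EncodeToString(sum[:])
		return nil
	})
	return b, err
}

// Diff compares the stored baseline with the current state of the tree.
func Diff(baseline, current Baseline) Report {
	var r Report
	for path, oldHash := range baseline {
		if newHash, ok := current[path]; !ok {
			r.Removed = append(r.Removed, path)
		} else if newHash != oldHash {
			r.Modified = append(r.Modified, path)
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			r.Added = append(r.Added, path)
		}
	}
	sort.Strings(r.Modified)
	sort.Strings(r.Added)
	sort.Strings(r.Removed)
	return r
}

func main() {
	// Constructed sample: a tiny "etc"-like tree in a temporary directory.
	root, err := os.MkdirTemp("", "fim-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	write := func(name, content string) {
		if err := os.WriteFile(filepath.Join(root, name), []byte(content), 0o644); err != nil {
			panic(err)
		}
	}
	write("passwd", "root:x:0:0:root:/root:/bin/bash\n")
	write("sudoers", "root ALL=(ALL) ALL\n")
	baseline, _ := HashTree(root) // taken while the system is known-good

	// Simulated attacker: adds a sudo rule and drops an SSH key.
	write("sudoers", "root ALL=(ALL) ALL\nwww-data ALL=(ALL) NOPASSWD: ALL\n")
	write("authorized_keys", "ssh-ed25519 AAAA... attacker\n")

	current, _ := HashTree(root)
	r := Diff(baseline, current)
	fmt.Printf("clean=%v modified=%v added=%v removed=%v\n", r.Clean(), r.Modified, r.Added, r.Removed)
}
```

The baseline is only as trustworthy as the place it is stored: keep it (or a signed copy) off the monitored host, otherwise an attacker who can edit sudoers can also rewrite the baseline to match.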

Availability
Availability is the security attribute that ensures data and services are available
to authorized users whenever required.

 A denial-of-service (DoS) attack is an attack against availability. It floods a system
with requests so that it can no longer serve genuine users.
 A distributed denial-of-service (DDoS) attack is more disruptive because it uses a
botnet to send the traffic from many sources at once, which makes it much harder to
filter.

Protecting Information

Data leaks are not always noticeable.

 Encryption is one of the key measures for protecting against loss of
confidentiality.
 Encryption transforms data into ciphertext, which cannot be made sense of without
decrypting it, and decryption requires the secret key.
 Businesses and individuals must permit only authorized devices, processes, or
individuals to access the data.

Protection Mechanisms
 A CIA-compliant system offers protection mechanisms that provide layered protection
to the data.
 Proper checks and a layered approach enhance confidentiality, integrity, and
availability.
Model

 Multiple Layers - Different controls guard the system against threats arriving at
different levels, so that no single control has to stop everything.
 Abstraction - Similar objects are treated as one class so that controls can be applied
to them efficiently.
 Data Hiding - Keeps data undiscoverable by unauthorized personnel.
 Encryption - Masks the original data so that it cannot be interpreted right away.

Details of Encryption will be covered in the next section.

Cryptography - World of Encryption


 The word cryptography combines two Greek words: kryptós, meaning hidden, and
graphein, meaning writing.
 Cryptography, thought to have been used by the Egyptians around 1900 B.C., allows
secure communication despite the presence of malicious third parties (adversaries).
 Encryption uses an algorithm and a key to transform a plaintext input into a
ciphertext output.
In this section, you will learn more about Cryptography.

Cryptography Types
Two categories of encryption algorithm exist:

Symmetric Encryption Algorithm

 Both encryption and decryption use the same key.
 Used for encrypting large amounts of data (such as a full database or disk partition)
because it is fast.
 Primarily used for privacy and confidentiality.
Asymmetric Encryption Algorithm

 Uses a pair of keys: data encrypted with the public key can be decrypted only with the
matching private key.
 The public key may be freely shared, while the private key is kept confidential.
 Much slower, and it can only encrypt small payloads: with RSA the input must be shorter
than the key size (e.g., 2048 bits) minus the padding overhead.
 It is therefore used to encrypt a symmetric key, which is then used to encrypt much
larger blocks of data (hybrid encryption).
 Used for key exchange, non-repudiation, and authentication.

How Cryptography Works?


Plaintext

Any message in a form that can be read and understood directly is cleartext or
plaintext. It is human readable.

Ciphertext

Ciphertext is text whose form has been altered so that it can no longer be read or
understood by anyone who intercepts it. It is also called encrypted text.

How it Works?

 Plaintext is encrypted before it is transmitted over the medium.
 The ciphertext received at the other end of the medium is decrypted to recover the
original plaintext message.

Applications of Cryptography
• Integrity check — Cryptography uses hash function, to ensure data has not been
modified, erased or lost in an accidental, or unauthorized manner.
• Authentication — It uses a digital signature or Message Authentication Code.
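Hash, MAC and signature side by side, as an added Go example (not the course's code; standard library only): an unkeyed SHA-256 checksum, an HMAC-SHA256 tag verified in constant time, and an Ed25519 signature. The pre-shared secret and the transfer orders in main are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Checksum is an unkeyed integrity check. It catches accidental corruption,
// but an attacker who rewrites the message can simply recompute it, so on
// its own it proves nothing about who produced the data.
func Checksum(msg []byte) string {
	sum := sha256.Sum256(msg)
	return hex.EncodeToString(sum[:])
}

// Tag is a message authentication code (HMAC-SHA256). A valid tag can only be
// produced with the shared secret, so it proves integrity and origin among
// the parties holding that key.
func Tag(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// VerifyTag recomputes the tag and compares it in constant time, so response
// timing does not reveal how many leading bytes of a guessed tag were right.
func VerifyTag(key, msg, tag []byte) bool {
	return hmac.Equal(Tag(key, msg), tag)
}

// Sign produces an Ed25519 digital signature. Only the private key can sign
// and anyone with the public key can verify, which is what gives
// non-repudiation: the receiver could not have forged it.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySig checks an Ed25519 signature against the public key.
func VerifySig(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

func main() {
	// Constructed demo values; the key is assumed to be pre-shared out of band.
	key := []byte("constructed pre-shared secret for the demo")
	order := []byte("transfer 100 to account 4242")
	forged := []byte("transfer 9000 to account 6666")

	// The hash does change, but nothing stops the attacker from sending the
	// forged order together with its own freshly computed checksum.
	fmt.Println("checksums differ:", Checksum(order) != Checksum(forged))

	tag := Tag(key, order)
	fmt.Println("genuine order verifies:", VerifyTag(key, order, tag))
	fmt.Println("forged order, original tag:", VerifyTag(key, forged, tag))
	fmt.Println("forged order, tag from guessed key:", VerifyTag(key, forged, Tag([]byte("guess"), forged)))

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, order)
	fmt.Println("signature verifies:", VerifySig(pub, order, sig))
	fmt.Println("signature on altered order:", VerifySig(pub, forged, sig))
}
```

A MAC proves the message came from someone holding the key, which is enough between two parties but not in a dispute, because either of them could have produced it; that is the gap the signature closes.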

Risks, Threats, and Vulnerabilities


Understanding cybersecurity requires a thorough understanding of the
terms Assets, Risks, Threats, and Vulnerabilities.

1. Assets

 Assets are tangible or intangible resources to which a value can be assigned.
 Examples of tangible assets are printers and computers.
 Intangible assets include trade secrets, databases, and company records.

2. Threats

A threat is a potential source of harm and is generally difficult to control. Threats
include natural events, terrorists, or an unhappy employee.

3. Vulnerabilities

A vulnerability is a weakness or security flaw in a system. A threat can only harm an
asset if the asset is vulnerable; an internet-connected system that is left unpatched is
a typical example.

4. Risks

Risk is the possibility that a threat exploits a vulnerability and harms an asset; it
arises unexpectedly and is a blend of the two. In its simplest form it is expressed as

Risk = Threat * Vulnerability

(many models also multiply by the impact on the asset). Consequently, to know the risk
to an asset, its possible vulnerabilities and the threats to it must be analyzed.

 Risk is a threat acting through a vulnerability.
 A materialized risk can cause business disruption, financial loss, or even loss of life.

Scenario - Determining Risk


You have to understand this short story of The Three Little Pigs and wolf to
understand the process and significance of performing Risk Analysis.
There were three little pigs.

 The first little pig constructed a house of straw, but the wolf blows it down and
eats the pig.
 The second little pig constructed a house of sticks, but the wolf also blows it
down and eats the pig.
 The third little pig constructed a house of bricks, which the wolf cannot blow
down.

So now, how would you be performing the Risk analysis?

Three Little Pigs - Risk Analysis


Threat

In all three scenarios the threat is 100%: the wolf attempts to blow every house down.

Vulnerability

Vulnerability is where the three houses differ.

 Straw house - 90% vulnerable; it is very likely to be blown down.
 Stick house - 40% vulnerable; the wolf has a smaller chance than with the straw house.
 Brick house - 0% vulnerable; the wolf cannot break it down.

The threat (the wolf) cannot be changed, but the vulnerability can be fixed, so you
should check for and address vulnerabilities regularly.

Up Next!
Hope you understood that vulnerabilities can be fixed and hence need to be addressed
regularly. This, in turn, helps to reduce risk.
Let's learn about Attack Surfaces in the next topic.

Attack Types
Phishing
Phishing is one of the most persistent cyber threats of all time. Its aim is to fool or
distract the victim into handing over confidential details such as card numbers,
passwords, bank account details, and addresses. Phishing spreads via email or phone calls.
Password Attack
Attackers need no forged URL, malicious code or email for this attack: they obtain access
by guessing or cracking passwords, using any of the widely available password-cracking
tools, or by trying common passwords against a login service until one works.
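Password guessing against a login service leaves a trail in the authentication log, and spotting it is one of the first detections a security team writes. As an added Go example (not code from the course), the following parses constructed sshd-style log lines and raises an alert when one source produces five or more failures inside a one-minute sliding window, recording the account if a login from that source later succeeds. The log lines, hostnames and addresses are made up for the demo; the window and threshold are assumptions to be tuned per environment.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// sampleLog is a constructed sshd extract in syslog format, not a real capture.
const sampleLog = `Mar  3 10:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 10:00:02 bastion sshd[2202]: Failed password for root from 203.0.113.5 port 51123 ssh2
Mar  3 10:00:02 bastion sshd[2203]: Failed password for invalid user oracle from 203.0.113.5 port 51124 ssh2
Mar  3 10:00:03 bastion sshd[2204]: Failed password for root from 203.0.113.5 port 51125 ssh2
Mar  3 10:00:04 bastion sshd[2205]: Failed password for root from 203.0.113.5 port 51126 ssh2
Mar  3 10:00:05 bastion sshd[2206]: Accepted password for root from 203.0.113.5 port 51127 ssh2
Mar  3 10:07:55 bastion sshd[2311]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2`

// authLine captures timestamp, outcome, user and source of each login attempt.
var authLine = regexp.MustCompile(
	`^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port`)

// Event is one parsed login attempt.
type Event struct {
	At     time.Time
	Failed bool
	User   string
	Source string
}

// Parse turns raw log text into events, skipping lines that do not match.
func Parse(log string) []Event {
	var evs []Event
	for _, line := range strings.Split(log, "\n") {
		m := authLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		// Syslog timestamps carry no year; year 0 is fine for relative timing.
		at, err := time.Parse("Jan 2 15:04:05", strings.Join(strings.Fields(m[1]), " "))
		if err != nil {
			continue
		}
		evs = append(evs, Event{At: at, Failed: m[2] == "Failed", User: m[3], Source: m[4]})
	}
	return evs
}

// Alert describes a source that produced a burst of failures.
type Alert struct {
	Source      string
	Failures    int    // total failures from this source
	Compromised string // user whose login succeeded after the burst, if any
}

// Detect flags any source with at least threshold failures inside a sliding
// window, and records a later successful login from the same source.
func Detect(evs []Event, threshold int, window time.Duration) []Alert {
	bySource := map[string][]Event{}
	for _, e := range evs {
		bySource[e.Source] = append(bySource[e.Source], e)
	}
	var alerts []Alert
	for src, list := range bySource {
		a, burst := Alert{Source: src}, false
		var recent []time.Time // failure times still inside the window
		for _, e := range list {
			if !e.Failed {
				if burst {
					a.Compromised = e.User
				}
				continue
			}
			a.Failures++
			recent = append(recent, e.At)
			for e.At.Sub(recent[0]) > window {
				recent = recent[1:]
			}
			if len(recent) >= threshold {
				burst = true
			}
		}
		if burst {
			alerts = append(alerts, a)
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Source < alerts[j].Source })
	return alerts
}

func main() {
	for _, a := range Detect(Parse(sampleLog), 5, time.Minute) {
		fmt.Printf("ALERT brute force from %s: %d failures; account compromised: %q\n",
			a.Source, a.Failures, a.Compromised)
	}
}
```

A burst followed by an Accepted line from the same source is the case to page someone for: the guessing worked. Note that a slow password spray (one attempt per account spread over hours) stays under this window and needs a per-user or per-day count instead.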
Drive-By Download
Drive-by download might get triggered just by visiting a website. After entering a
website, unusual downloads might b

What is an Attack Surface?


An attack surface is the sum of all points where a system could be attacked: the
probable, known or unknown vulnerabilities across the areas of exposure, namely
Software, Hardware, Network, and User.
To reduce risk, the attack surface needs to be reduced.

Attack Surfaces - Software and Hardware


Software Attack Surface

 It consists of the web pages, DLLs, executables, configuration files, services, and
applications exposed to users, authorized or not.
 It points to vulnerabilities whose effects range from a minor annoyance to a full
system crash or compromise.

Software vulnerabilities include code injection and buffer overflows.


Attack Surfaces - Network and User

Network Attack Surface

The network attack surface comprises interfaces, ports, applications, devices,
protocols, and exposure to communication channels.

The network attack surface can be reduced by the following actions:

 Ensuring only required features are enabled
 Closing unnecessary ports
 Implementing intrusion prevention systems
 Implementing firewalls

User Attack Surface

 Users are the weakest link in the user attack surface.
 Attacks on the user attack surface can be traced and blocked by logging and auditing.

Hardware Attack Surface

 Hardware attacks can also be carried out over a network communication connection.
 Hardware can provide the platform for an attack, but physical access to the system is
usually needed.

Hardware vulnerabilities cover items that users attach to the system, such as plug-in
flash drives, or the software that runs on the device.

Cybersecurity Threat
A cybersecurity threat is a scenario that tries to exploit possible vulnerabilities to
breach security, thereby impacting an ongoing business.

Threats are increasingly critical because of growing exposure to the Internet, the growth
of wireless technology, and the evolution of smart devices (Internet of Things).

Example scenario: A hacker or cybercriminal may want to break into bank accounts, collect
personal information, or even lock or encrypt your data and extort you with it.
Classification of Threats
Malicious: A hacker or disgruntled employee who is interested in a specific asset or
piece of information.

Non-Malicious: An incident that happens through neglect or error rather than intent.

 A non-malicious incident can impact a person or business in the following ways:
o Compromised information: information theft, or retrieval of discarded materials.
o Compromised functions: errors in a function, or abuse of access rights.

Intrusion Phases
A malicious attacker works towards an objective,  e.g., data exfiltration, by planning and
performing a set of activities. A network intrusion happens in phases:
 Reconnaissance - Continuous search for and identification of possible targets.
 Weaponize - Pairing malware with a deliverable, e.g., an MS Office document.
 Delivery - Transmitting the weapon to the identified target, e.g., by email or website.
 Exploitation - Exploiting a vulnerable system or application, e.g., triggering the
weapon's code.
 Installation - Installing a backdoor for persistent access.
 Command and control - The channel through which the attacker communicates with the
implant and gains hands-on-keyboard access.
 Actions on objectives - Carrying out the goal, e.g., exfiltration.

Advanced Persistent Threats


An Advanced Persistent Threat (APT) is a network attack in which an unauthorized party
gains access to a network and remains there undetected for a long time. The main
intention of an APT is stealing data rather than damaging the network or organization.
Characteristics of an APT:

 It tends to be highly customized to a specific target.
 Deployment is semi-automated and operates slowly to remain unnoticed.
 It has specific objectives that depend on the source of the attack and may change
over time.
 It follows the pattern: infiltrate, hide, then continue operating.
 It uses command and control to deliver customized malware updates.

Botmaster Threat
 Most cyberattacks are automated or semi-automated by groups of botmasters.
 A cyberattack usually starts from a known URL or host address. The bot then scans the
surrounding LAN or internet address space and exploits every associated vulnerable
system it finds.

Threat Modeling
Threat modeling is a process by which potential vulnerabilities and threats are
recognized, enumerated, and prioritized, all from the point of view of a hypothetical
attacker.

Considerations

 Identify Security Objectives - Security objectives are the goals that have a
significant influence on the confidentiality, integrity, and availability constraints of
data and applications in a system.
 Survey the Application - Analyze and identify assets, data flows, and trust
boundaries (e.g., with a UML component diagram).
 Decompose the Application - Identify the features and modules that make up
the application (e.g., how a module validates and processes data before storing it).
 Identify Threats and Vulnerabilities - Consider threats not only from the cyber
perspective but also across the physical and personnel spectrum.

Assessment and Management


Static analysis
Static (code) analysis dissects the different resources of a binary file without executing
it and studies each component, for example by examining its machine or assembly code.

Dynamic analysis
Dynamic (behavioral) analysis observes the behavior of the malware while it runs and is
usually performed in a sandboxed virtual environment so that the malware cannot infect
production systems.

Threat Management
Threat management is the practice of managing cyber threats so that vulnerabilities are
identified early, using data-driven situational analysis.

 Threat analytics: manual and automated intelligence data collection
 Behavioral modeling: real-time monitoring
 Advanced analytics: to provide situational awareness

Risk Mitigation
Reduce risk by preventing cyberattacks with the security tools, policies, best practices,
and guidelines that current technology provides.
STRIDE - A threat classification model used to reason about and find threats to a
system; by sorting candidate threats into six well-defined types it keeps the analysis
focused and limits false positives.

 Spoofing - Impersonating a valid user's identity.
 Tampering - Unauthorized modification of data or code.
 Repudiation - False denial of having sent or received something.
 Information disclosure - Data or information leak.
 Denial of service - Making resources unavailable to their intended users.
 Elevation of privilege - Exploiting a bug to gain admin access.

Mitigation Steps
i) Classify Assets - Classify information assets based on their business significance.
ii) Stay Informed - IT and security teams need to stay updated on the latest threats and
attacks.
iii) Effective Controls - Controls are critical, and continuous monitoring of them is
required.
iv) Governance and Reporting - Inform senior management of cybersecurity policies
and control mechanisms.

Cyber Threat Hunting - Prediction


Cyber threat hunting is a proactive process for predicting potential risks efficiently,
using the following:

 Big data analytics, to detect long and slow Advanced Persistent Threats.
 Machine learning and UEBA (User and Entity Behavior Analytics).
 Intelligence feeds - threat intelligence feeds, malware analysis, and vulnerability
scans.

Threat Intelligence
Threat intelligence is required at the following levels.

 Strategic level - Research analysis and reports. Example: the Duqu 2.0 report from
Kaspersky, published as a result of malware analysis.
 Tactical level - Information exchange between operating communities. Example:
FS-ISAC is an intelligence-sharing community for the banking industry.
 Operational level - Real-time feeds exchanged in standard formats within a
community. Example: STIX content distributed over the TAXII protocol.

Cybersecurity Architecture
Cybersecurity architecture is about understanding one's business scope and
requirements, and then designing and developing a security architecture to implement
and support them.

Architecture Risk and Controls


Risks
 The security architecture should identify and protect against risks. For effective
management, this should be a continuous operational activity.
 Example: To maintain a minimum 98% SLA, you can set the security control parameter
for the SLA at 98.5%, so that appropriate actions are taken in time to avoid penalty
risk.

Controls
 When defining security architecture controls, you are not advised to rely on one
parameter; define controls at different stages to detect and avoid possible threats.
 Example: For better control, you can define five levels of SLA security controls, from
98.9% down to 98.5%, each with its own action points.

SABSA Framework
 The Sherwood Applied Business Security Architecture (SABSA) framework is an openly
published framework used to create enterprise security architectures.
 It is a risk-driven method based on the analysis of business requirements.
 Its primary objective is to protect the business with the required level of security.
 The SABSA framework is commonly represented as the 6x6 SABSA matrix.

SABSA Matrix
The 6x6 SABSA matrix is divided into four 3x3 matrices for easier presentation.

In the architecture framework part, a business considers its security policies, risks,
processes, controls, attributes, information, and strategies.

SABSA Matrix
 Before designing the security architecture, you should identify and define role-based
privileges for associates working in different locations, according to the required
timeline.

SABSA Matrix
 In the security architecture design phase, you should consider physical and
operational components such as data structures, models, standard practices, product
tools, and the required support services.

SABSA Matrix
Finally, the user interface and applications should provide security platform support for
all identified operational schedules and their corresponding business functions.

Did You Know?


In 2016, a massive debit card breach hit major Indian banks such as SBI, ICICI Bank,
HDFC Bank, Yes Bank, and Axis Bank, compromising as many as 3.2 million debit cards. It
is considered one of the biggest ever breaches of financial data in India.
The breach was traced to malware introduced into the systems of Hitachi Payment
Services, a provider of ATM and point-of-sale services.
Managing Identity
 To manage user identities and access rights, you must map them to the users'
business roles and responsibilities.
 One advanced capability of access management is single sign-on (SSO), which, after
one successful login, automatically signs the user in to other applications for the rest
of the session.
Example: In TCS, for active learners, SSO login happens from iEvolve to the Udemy
website (an external content vendor) for a smooth learning experience.

Monitoring and Prevention


The monitoring part of a security architecture includes detection tools that watch for
malware intrusions and raise alerts, supported by the logging and review of
security-related events.
Preventive mechanisms can exist in the firewall, on mail servers, or on any endpoint
device.

Incident Management
An incident is an event that may lead to disruption of business operations.

Incident management is the set of activities performed to prepare for, identify, analyze,
and resolve incidents, and to prevent future ones.

You will learn more about incidents in this section.

Prepare, Detect, and Analyze


Preparation

 Involves establishing the required tools, processes, and resources and then training
the incident response team.
 Incidents must be prioritized based on business impact.

Detection and Analysis

 A continuous process that often requires as much intuition as intelligence to detect a
malware intrusion and its remote connections.
 Many incidents require further investigation to find the source of and reasons for the
attack, along with containment and eradication on affected and vulnerable systems
before recovery activities.

Incident Response - Life Cycle

 Preparation - Involve the team and define the required procedures for guidance.
 Detection and Analysis - Investigate incidents that need it, to find the source of and
reasons for the attack.
 Containment, Eradication, and Recovery - Take control of the incident before it gets
worse, then remove the threat and recover the affected systems securely.
 Post-Incident Activities - Document the lessons learned along with the required
measures and controls.

 A cybersecurity breach occurred between May and July 2017 at Equifax Inc. in the
U.S.
 Attackers accessed the data of approximately 145.5 million U.S. Equifax consumers,
including full names, Social Security numbers, credit card information, birth dates,
addresses, and driver's license numbers.

Incident Response Maturity Assessment Tool


CREST (UK) has developed a freely available Incident Response Maturity Assessment
tool, a spreadsheet-based tool used to assess an organization's readiness to respond to
a cyber attack.
It follows three phases: Prepare, Respond, and Follow Up.

Incident Response
Preparation

 Conduct a critical assessment of your organization.
 Carry out a security threat analysis based on practical incidents.
 Consider the implications for people, process, technology, and information.
 Create an appropriate control framework.
 Review your state of readiness.

Response

 Identify the cybersecurity incident.
 Define objectives and investigate the situation.
 Take appropriate pre-approved or required actions.
 Recover systems, data, and connectivity.
Post-Incident Activities
Below are the recommended post-incident activities:
Follow-Up

 Investigate the incident more thoroughly.
 Report the incident to relevant stakeholders.
 Carry out a post-incident review.
 Update key information, controls, and processes.
 Perform trend analysis.
 Communicate and share the lessons learned.

Incident Category
 Incident categories can be defined according to business priorities, ranging from
test incidents to unauthorized attacks.
 A precursor is a sign that an incident may occur. Example: a cabin crew alarm would
be a precursor to an airline incident.
 An indicator is a sign that an incident may have occurred. Example: a breach of the
minimum required SLA percentage.

Critical Decision Point


The challenge in responding is to maintain the optimum balance between being
under-responsive (and therefore vulnerable) and over-responsive (risking false alarms).

 Deep packet inspection can be used to give more context to a precursor or indicator.
 Once an indicator has turned into an incident, prioritization is perhaps the most
critical decision point in the incident handling process.

What is User Authentication?


User authentication is a process that allows a device to check the identity and
authenticity of a person who needs to connect to a network resource.

When authenticating to a system, you use one or more of three kinds of factor:

 Something you know: a password (simple and inexpensive)
 Something you have: a smart card or a token
 Something you are: a biometric, such as a fingerprint, iris recognition, or voice
recognition.

Explore more about User Authentication in this section.


Password - The Secret Word!
A password authenticates the user and allows access to the system.
Passwords are a mere sequence of characters and are prone to security issues, so steps
should be taken to create strong ones.
The following are a few ways to create strong passwords:

 Use a length of at least eight characters; longer is better.
 Combine upper- and lowercase letters, numbers, punctuation marks, and symbols.
 Use a passphrase for an even stronger password, for example LetsGototheba!!park.
Length does more for strength than forced character mixes, and a password should never
be one that appears in lists of previously breached passwords.

Smart Card - Shrunken World


A smart card is a small credit-card-sized card with an embedded chip containing
information about the user.
 User information such as credit and buying preferences, loyalty program data, and
even medical information can be stored on the smart card.
 It can also store identification data such as fingerprints and passwords and can be
used as a security token. It contains encryption keys used by data encryption systems.
Smart cards are used for access control, for example as:

 Employee access and ID badges.
 Membership cards for nightclubs.
 VIP access cards.
 Banking cards that enable access to funds.

Smart Card for Multifactor Authentication


Smart cards are generally used as part of a multifactor authentication solution.
Scenario:

A user inserts the card into the smart card reader.

 The card requires a second form of authentication, such as a PIN, password or
biometric identifier, before it will operate.
 The smart card processes the authentication data on the chip itself, so the secret
does not have to be transmitted to another machine. This reduces the risk of the data
being stolen.

Now, you will have a detailed look at Biometric Authentication in the next topic.

Biometric Authentication
Biometrics authenticate a person by using an individual's unique physical attributes or
behavior. It is the most expensive way to prove identity. A biometric system recognizes
an individual by comparing the captured biometric with the template stored in the
system.

Biometrics are divided into two categories:

 Behavioral traits, based on a person's activities such as walking, signature, or voice.
 Physiological biometrics, based on measurements of parts of the body such as the
hand, face, fingerprint, or iris.

Biometrics are used in multifactor authentication systems. For example, you place your
fingerprint on a sensor and then enter your PIN (something you are plus something you
know).

Biometrics - Explained
 Biometric traits generally last for a lifetime, which is convenient, but it also means a
compromised biometric template cannot be changed the way a password can. Biometrics
simplify access control on devices and networks.

Behavioral:

 Gait is a newer biometric. It is the way someone walks, and it can be captured from a
distance.
 Signature - the way someone signs, including the pressure of the stroke and the curves.
 Voice recognition - recognizes who is speaking from the inflection and patterns of their
speech. It is different from speech recognition, which recognizes what is being said.
Physiological:

 Hand geometry is one of the earliest biometrics and measures each finger and the hand as
a whole.
 Facial recognition - a camera scans the face and identifies key indicators such as the
nose, the forehead, and the cheeks.
 Iris recognition - measures the patterns of the iris, the colored portion of the eye,
which are highly distinctive from person to person.

Biometrics will be of more use in the future.

Introducing RADIUS
One of the methods used for access control for remote and external users is Remote
Authentication Dial-In User Service (RADIUS).
RADIUS is used to do the following:

 Authenticate clients and determine who they are.
 Authorize what clients can and cannot do on a network.
 Monitor and record activity on the network with accounting.

A related protocol, Terminal Access Controller Access Control System (TACACS, and its
successor TACACS+), serves a similar purpose. It is not an extension of RADIUS but a
separate protocol: RADIUS runs over UDP and hides only the user password, whereas TACACS+
runs over TCP, encrypts the whole packet body, and separates authentication,
authorization, and accounting into distinct exchanges.

 Both provide access control for routers, network access servers, and other networked
computing devices.

Three Chain Links of RADIUS Security

Authentication, Authorization, and Accounting (AAA) are the foundations of effective
network security. One of the major AAA networking protocols is RADIUS.
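To make the authentication leg concrete, here is an added example (not from the course, and not a vendor's implementation) that builds and checks RADIUS Access-Request and Access-Accept/Reject packets as laid out in RFC 2865: the Type-Length-Value attribute encoding, the User-Password hiding scheme (MD5 of the shared secret and the Request Authenticator, XORed block by block), and the Response Authenticator the client uses to confirm the reply came from a server that knows the secret. The shared secret, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """User-Password hiding (RFC 2865 section 5.2): NUL-pad to 16-byte blocks, XOR each
    block with MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = req_auth, bytearray()
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, run by the server; trailing NUL padding is stripped."""
    prev, out = req_auth, bytearray()
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV encoding; the Length byte counts the two header bytes as well."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(secret, identifier, username, password, req_auth=None):
    """Client (NAS) side: Access-Request with a fresh random Request Authenticator."""
    req_auth = req_auth or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username)
    attrs += attribute(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(secret, code, identifier, req_auth, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = HEADER.pack(code, identifier, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(secret, code, identifier, req_auth, attrs=b""):
    auth = response_authenticator(secret, code, identifier, req_auth, attrs)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(secret, response, req_auth):
    """Client side: reject replies not keyed to our Request Authenticator and the shared secret."""
    if len(response) < 20:
        return False
    code, identifier, length = HEADER.unpack(response[:4])
    if length != len(response):
        return False
    expected = response_authenticator(secret, code, identifier, req_auth, response[20:])
    return hmac.compare_digest(response[4:20], expected)


def serve_access_request(secret, request, users):
    """Server side: parse the request, recover the password, answer Accept or Reject."""
    code, identifier, length = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    req_auth = request[4:20]
    attrs = parse_attributes(request[20:])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    ok = user in users and hmac.compare_digest(users[user], password)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, req_auth)


def demo():
    secret = b"radius-shared-secret"                # constructed shared secret
    users = {b"alice": b"LetsGototheba!!park"}       # constructed user store
    request = build_access_request(secret, 7, b"alice", b"LetsGototheba!!park")
    response = serve_access_request(secret, request, users)
    return response[0], verify_response(secret, response, request[4:20])
```

The hiding step is obfuscation keyed to the shared secret, not strong encryption: anyone who captures the request and guesses a weak secret can recover the password offline. Use long random secrets and protect the transport (IPsec or RADIUS over TLS) rather than relying on this scheme alone.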

Email
Email is among the most commonly used communication tools for personal and
business use.

 Email poses a high security risk.
 Email carries abusive content, including junk mail and spam.
 Sender addresses are forged when email is sent by malware, including viruses and
worms, by spammers, and in phishing attacks.

Most abusive emails carry a fake sender address that hides the sender's real address. Being
anonymous is the key to effectively impersonating an identity to obtain passwords or
personal data.

In this section, you will understand more about Email Security Threats.

Email clients become victims of several malicious activities introduced via email.

Different types of email security threats include:

Spam

 Spam is a term used for unwanted or abusive email.
 It floods an email system with multiple unwanted messages.
 Spam targets email recipients with direct mail messages.
 A spammer's goal is to reach as many recipients as possible with the intention that
some might respond.

Spoofing

 Spoofing is one of the techniques used while sending spam email.
 It hides the real sender. When one looks at an email's From: field, it appears legitimate,
but it generally is not. SMTP itself does not verify the From: header, so receiving servers
rely on SPF, DKIM, and DMARC checks to detect a forged sender domain.

Email Security Threats

Phishing

 Someone spoofs their identity and casts a wide net to many recipients. This act is
known as phishing.
 Recipients are generally redirected to a fake website, where they might be asked to
enter personal information, or a single click might download a virus.
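The spoofing and phishing indicators described above can be checked mechanically. The following is an added example (not part of the course, and not any mail provider's filter) that triages a raw message with Python's standard library: it compares the From: domain with the envelope sender (Return-Path), reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header that the receiving mail server is assumed to have added, and flags HTML links whose visible text names one domain while the href goes somewhere else. Both sample messages, the hostnames and the verdicts are constructed for the example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (not real captures). The first forges a bank's From: address;
# the envelope sender, the SPF/DMARC results and the link target all give it away.
SPOOFED_MESSAGE = b"""Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=none; dmarc=fail header.from=bank.example
From: "Example Bank" <alerts@bank.example>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body><p>Please <a href="http://login.bank.example.attacker.invalid/verify">sign in to bank.example</a> now.</p></body></html>
"""

CLEAN_MESSAGE = b"""Return-Path: <alerts@bank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Example Bank" <alerts@bank.example>
To: customer@example.com
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<html><body><p>Your statement is ready at <a href="https://www.bank.example/statements">bank.example</a>.</p></body></html>
"""

DOMAIN_IN_TEXT = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")


def domain_of(address):
    m = re.search(r"@([\w.-]+)", str(address or ""))
    return m.group(1).lower() if m else None


def same_org(host, domain):
    return host == domain or host.endswith("." + domain)


def auth_results(msg):
    """Collect spf=/dkim=/dmarc= verdicts from Authentication-Results headers added by our MX."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            results[method.lower()] = verdict.lower()
    return results


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    if envelope_domain and from_domain != envelope_domain:
        findings.append(f"From domain {from_domain} differs from envelope sender {envelope_domain}")
    for method, verdict in auth_results(msg).items():
        if verdict != "pass":
            findings.append(f"{method}={verdict}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            host = (urlparse(href).hostname or "").lower()
            for shown in DOMAIN_IN_TEXT.findall(text):
                if not same_org(host, shown.lower()):
                    findings.append(f"link text shows {shown.lower()} but href goes to {host}")
            if host and from_domain and not same_org(host, from_domain):
                findings.append(f"link host {host} is outside sender domain {from_domain}")
    return findings
```

A mismatch between From: and the envelope sender is common for legitimate bulk mailers, so on its own it is only a weak signal; a failed DMARC verdict together with a deceptive link is what turns the message into a confident phishing detection.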

Pharming

 Pharming is related to phishing; however, it relies on malicious code or tampered name
resolution rather than on a lure in the message itself.
 It redirects users to fake websites even when they type the correct address, using a
technique called DNS cache poisoning (or by modifying the victim's hosts file).

Did You Know?

 50% of recipients open emails and click on phishing links within the first hour of the
email being sent.
 Phishing emails include fake notifications from banks, e-payment systems, email
providers, social networks, and online games.
 60% of emails received in an organization are marked as spam every year.
 Emails can carry attachments with a wide variety of extensions. Malware protection
recognizes dangerous extensions as possible threats and quarantines those attachments.
 Scripts embedded within an email can run when a user opens the email and carry out
some malicious act.

Defense Mechanism
What should you do to defend yourself?

 Use caution when opening emails, especially unexpected ones that urge immediate action.
 Check before you click: hover over a link to see where it really goes, and type the site's
address yourself if you are not sure.
 Delete the email if you suspect anything fishy.
 Use anti-virus software with up-to-date virus definitions and real-time protection enabled.
 Do not share your password; a legitimate bank or provider will never ask for it by email.


What is a Firewall?
A firewall plays an essential role in network security.

A firewall is a hardware- or software-based control that filters incoming and outgoing
data traffic based on a set of rules that either permit or deny traffic on a network or
host.

Firewalls should be used in every network: they enforce which traffic is allowed, and
their logs of denied traffic are a primary source for monitoring threats.
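The rule-based permit/deny decision described above, as an added example (not from the course, and not the configuration syntax of any real firewall product): a small stateless packet filter in which the first matching rule wins and a default policy applies otherwise. The rule set and the sample traffic are constructed for a single web server using documentation address ranges; the same traffic is evaluated with a default-permit policy and with default-deny to show why the latter is the one to use.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected host or network
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    direction: str = "any"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: tuple = ()          # empty tuple matches any destination port
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in ("any", pkt.direction)
                and self.proto in ("any", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (not self.dports or pkt.dport in self.dports))


class Firewall:
    """Stateless packet filter: first matching rule wins, otherwise the default policy applies."""

    def __init__(self, rules, default="deny"):
        if default not in ("permit", "deny"):
            raise ValueError("default policy must be permit or deny")
        self.rules, self.default, self.log = list(rules), default, []

    def decide(self, pkt: Packet) -> str:
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                self._log(pkt, rule.action, f"rule {number}: {rule.comment}")
                return rule.action
        self._log(pkt, self.default, "default policy")
        return self.default

    def _log(self, pkt, action, why):
        # Denied traffic is what you monitor: scans and policy violations show up here.
        if action == "deny":
            self.log.append(f"DENY {pkt.direction} {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport} ({why})")


# Constructed rule set for one web server at 192.0.2.10 (documentation addresses).
WEB_SERVER_RULES = [
    Rule("permit", "in", "tcp", dst="192.0.2.10/32", dports=(80, 443), comment="public web"),
    Rule("permit", "in", "tcp", src="198.51.100.0/24", dst="192.0.2.10/32", dports=(22,),
         comment="ssh from office"),
    Rule("permit", "out", "udp", src="192.0.2.10/32", dports=(53,), comment="dns"),
    Rule("permit", "out", "tcp", src="192.0.2.10/32", dports=(80, 443), comment="package updates"),
]

# Constructed traffic: two legitimate flows, an SSH attempt from the internet, an RDP probe,
# a DNS lookup, and an outbound connection on an odd port of the kind a compromised host makes.
SAMPLE_TRAFFIC = [
    Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 443),
    Packet("in", "tcp", "198.51.100.5", "192.0.2.10", 22),
    Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 22),
    Packet("in", "tcp", "203.0.113.7", "192.0.2.10", 3389),
    Packet("out", "udp", "192.0.2.10", "192.0.2.53", 53),
    Packet("out", "tcp", "192.0.2.10", "203.0.113.9", 4444),
]


def evaluate(rules, packets, default="deny"):
    """Return the decision for each packet plus the deny log for the chosen default policy."""
    fw = Firewall(rules, default)
    return [fw.decide(p) for p in packets], fw.log


if __name__ == "__main__":
    for policy in ("permit", "deny"):
        decisions, log = evaluate(WEB_SERVER_RULES, SAMPLE_TRAFFIC, policy)
        print(f"default {policy}: {decisions}")
        for line in log:
            print("  ", line)
```

With default permit, the same four rules let the RDP probe and the outbound port-4444 connection through unlogged; with default deny, both are blocked and both appear in the log, which is exactly the material a monitoring team wants to see.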

Classes of Firewall
 Class 1 - Host-based software firewall used on a laptop or desktop computer.
 Class 2 - Router firewall that generally offers only basic firewall features.
They are not relied on in an enterprise network for security reasons, as they
cannot withstand sustained or sophisticated attacks.
 Class 3 - Low-end hardware firewall. These are suitable for small businesses,
as they offer unified threat management with anti-spyware and anti-
virus capabilities.
 Class 4 - High-end hardware firewalls. They are useful for small and mid-size
businesses and for critical infrastructure environments, as they offer edge
protection without decreasing performance.
 Class 5 - High-end server firewalls used when the stakes are high; they are
developed for high-throughput needs.

Network Access Protection

A network device that does not have an active firewall and up-to-date patches can pose a
high risk to the corporate network.

Network Access Protection (NAP) is a framework that uses a Network Policy Server (NPS).
The Network Policy Server stores the health policies and evaluates the health of
connecting computers. Three kinds of policy are supported:
 Connection request policies determine whether requests from RADIUS clients are
handled by this Network Policy Server or forwarded to another RADIUS server.
 Network policies define whether a connection is rejected or authorized.
 Health policies define the conditions (such as an enabled firewall and current updates)
that must be fulfilled in order to connect to the network.
Microsoft deprecated NAP after Windows Server 2012 R2; the same idea of checking device
health before granting access lives on in current network access control products.

Let's take a look at VLAN in the upcoming cards.

Up Next!
There is a system to protect the real network and to gather evidence of intruders to
learn about attack methodologies.
The next card will talk about a similar system called  Honeypot.

What is a Honeypot?
A honeypot is a system set up to lure an attacker, to learn about attack methodologies
in order to protect the real network better, and to gather evidence of intruders.
The placement of a honeypot depends on your objectives. The options are as follows:

 Inside the LAN
 In the DMZ (demilitarized zone)
 Alternatively, outside the perimeter as a tasty treat for an attacker.

The best place to keep a honeypot is usually the DMZ because, despite being a fake system,
it is essentially part of your network and attracts the same attackers as your real
servers. Wherever it sits, isolate it so that a compromised honeypot cannot be used to
pivot into production systems.
You must put enticing data on the system so that it appears to be a valuable target. This
aspect is crucial: since no legitimate user has any reason to touch the honeypot, any
interaction with it is suspicious by definition, which is what makes it useful as part of
an intrusion detection system. However, the main focus is on gathering information.
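A minimal low-interaction honeypot, as an added example (not from the course, and not one of the established honeypot projects): a TCP listener that presents a fake mail-server banner, records who connected and what they sent, answers with a generic error, and never interprets or executes anything it receives. Every connection is an alert, because nothing legitimate should know the decoy exists. For the demo it binds to loopback on a free port and a `probe` function plays the attacker; a real deployment would bind a decoy address in the DMZ and forward the events to the syslog collector. The banner hostname is made up.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone


class DecoyHandler(socketserver.BaseRequestHandler):
    """Send a fake banner, record the client's first bytes, reply with an error, close."""

    BANNER = b"220 mail.corp.example ESMTP Postfix\r\n"   # made-up hostname for the example

    def handle(self):
        self.request.settimeout(2.0)
        try:
            self.request.sendall(self.BANNER)
            data = self.request.recv(1024)
        except OSError:
            data = b""
        self.server.events.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src": self.client_address[0],
            "src_port": self.client_address[1],
            "decoy_port": self.server.server_address[1],
            "first_bytes": data[:64].decode("latin-1"),
        })
        try:
            # Nothing the client sent is parsed or acted upon; the reply is always the same.
            self.request.sendall(b"500 5.5.2 Error: command not recognized\r\n")
        except OSError:
            pass


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address):
        super().__init__(address, DecoyHandler)
        self.events = []   # in production, ship these to the syslog/SIEM collector


def start_honeypot(host="127.0.0.1", port=0):
    """Bind (port 0 picks a free port, for the demo) and serve in a background thread."""
    server = Honeypot((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, payload):
    """Stand-in for an attacker's scanner, used here to exercise the decoy locally."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        reply = s.recv(1024)
    return banner, reply


def wait_for_events(server, count, timeout=3.0):
    """Block until the decoy has recorded `count` connections or the timeout passes."""
    deadline = time.monotonic() + timeout
    while len(server.events) < count and time.monotonic() < deadline:
        time.sleep(0.02)
    return list(server.events)


if __name__ == "__main__":
    hp = start_honeypot()
    print(probe("127.0.0.1", hp.server_address[1], b"EHLO scanner\r\n"))
    for event in wait_for_events(hp, 1):
        print("ALERT", event)
    hp.shutdown()
    hp.server_close()
```

The recorded event (source address, port, timestamp, first bytes) is the evidence the section talks about; the deliberately dumb reply is what keeps the decoy low-risk even if the attacker sends an exploit payload.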

Network Monitoring Tools

Wireshark is an interactive network protocol analyzer and capture utility. It is used to
examine traffic at various levels, from connection-level details down to the individual
fields that make up a single packet.

Tcpdump is an open source command-line tool for monitoring network traffic. It captures
packets and displays their headers, selecting only the packets that match a filter
expression (for example, traffic to a given host or port).

Syslog
Syslog is a standard protocol used to send event messages or system logs to a
specific server (the syslog server). Syslog stands for System Logging Protocol.

 It is used primarily to gather device logs from various machines in a central
location for review and monitoring.
 The protocol is supported by the majority of network equipment, such as firewalls,
switches, routers, and even some scanners and printers.
 Each message carries a priority value that encodes the facility (the subsystem that
produced it) and the severity (emergency through debug), which the collector uses for
routing and alerting. Traditional syslog over UDP port 514 is neither authenticated nor
encrypted, so messages can be spoofed or read in transit; use syslog over TLS (RFC 5425)
or an IPsec tunnel across untrusted networks.
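What a syslog collector actually does with those messages, as an added example (not from the course, and not the code of any syslog server): parse both the traditional BSD format (RFC 3164) and the newer RFC 5424 format, decode the priority into facility and severity, and run a few simple detections over the stream: firewall denies, repeated failed logins from one source, and anything at critical severity or above. The sample lines, host names and addresses are constructed for the example; the `filterlog` application name is assumed to be what the firewall uses.

```python
import re
from collections import Counter
from dataclasses import dataclass

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert "
              "clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG   (RFC 3164, the classic BSD format)
RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")
# <PRI>1 TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG   (RFC 5424)
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) "
                     r"(?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$")


@dataclass
class Record:
    facility: str
    severity: str
    timestamp: str
    host: str
    app: str
    msg: str


def parse_line(line):
    """Return a Record, or None if the line is not syslog. PRI = facility * 8 + severity."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 facilities * 8 + 7 is the highest legal value
        return None
    return Record(FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group("ts"),
                  m.group("host"), m.group("app"), m.group("msg"))


FAILED_LOGIN = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def triage(lines, failed_login_threshold=3):
    """Parse every line and return (records, alerts)."""
    alerts, failures, records = [], Counter(), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.append(f"unparseable line: {line[:40]}")
            continue
        records.append(rec)
        if SEVERITIES.index(rec.severity) <= SEVERITIES.index("crit"):
            alerts.append(f"{rec.host} {rec.app}: {rec.severity} - {rec.msg}")
        if rec.app == "filterlog" and rec.msg.startswith("Deny"):
            alerts.append(f"{rec.host}: firewall deny - {rec.msg}")
        m = FAILED_LOGIN.search(rec.msg)
        if m:
            failures[(rec.host, m.group(2))] += 1
            if failures[(rec.host, m.group(2))] == failed_login_threshold:
                alerts.append(f"{rec.host}: {failed_login_threshold} failed logins from {m.group(2)}")
    return records, alerts


# Constructed sample stream from a firewall, a switch, a printer and one non-syslog line.
SAMPLE_LINES = [
    "<134>1 2024-05-01T12:00:00Z fw01 filterlog - - - Deny TCP 203.0.113.7:51234 -> 192.0.2.10:3389",
    "<85>May  1 12:00:01 core-sw1 sshd[4242]: Failed password for admin from 198.51.100.23 port 50001 ssh2",
    "<85>May  1 12:00:02 core-sw1 sshd[4243]: Failed password for admin from 198.51.100.23 port 50002 ssh2",
    "<85>May  1 12:00:03 core-sw1 sshd[4244]: Failed password for invalid user root from 198.51.100.23 port 50003 ssh2",
    "<37>May  1 12:00:04 core-sw1 sshd[4245]: Accepted publickey for ops from 10.0.0.5 port 50100 ssh2",
    "<14>1 2024-05-01T12:00:05Z printer7 lpd - - - job 12 complete",
    "<2>1 2024-05-01T12:00:06Z fw01 kernel - - - out of memory: killing process",
    "this is not syslog",
]

if __name__ == "__main__":
    records, alerts = triage(SAMPLE_LINES)
    for r in records:
        print(f"{r.facility}.{r.severity:<7} {r.host:<9} {r.app:<9} {r.msg}")
    for a in alerts:
        print("ALERT:", a)
```

Unparseable lines are reported rather than dropped: a device that suddenly starts sending garbage, or an attacker injecting fake messages over unauthenticated UDP, is itself something the collector should surface.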
