PAPER DSE
603(B) :CYBER SECURITY
UNIT-I: INTRODUCTION
TO CYBER SECURITY, CYBER SECURITY VULNERABILITIES AND CYBER SECURITY
SAFEGUARDS: INTRODUCTION TO CYBER SECURITY: OVERVIEW OF CYBERSECURITY, INTERNET GOVERNANCE – CHALLENGES AND CONSTRAINTS, CYBERTHREATS:- CYBER WARFARE-CYBER CRIME-CYBER TERRORISM-CYBER ESPIONAGE, NEED FORA COMPREHENSIVE CYBER SECURITY POLICY, NEED FOR A NODAL AUTHORITY, NEEDFOR AN INTERNATIONAL CONVENTION ON CYBERSPACE. CYBER SECURITYVULNERABILITIES: OVERVIEW, VULNERABILITIES IN SOFTWARE, SYSTEM ADMINISTRATION,COMPLEX NETWORK ARCHITECTURES, OPEN ACCESS TO ORGANIZATIONAL DATA, WEAKAUTHENTICATION, UNPROTECTED BROADBAND COMMUNICATIONS, POOR CYBER SECURITYAWARENESS. CYBER SECURITY SAFEGUARDS: OVERVIEW, ACCESS CONTROL, AUDIT,AUTHENTICATION, BIOMETRICS, CRYPTOGRAPHY, DECEPTION, DENIAL OF SERVICEFILTERS, ETHICAL HACKING, FIREWALLS, INTRUSION DETECTION SYSTEMS,RESPONSE, SCANNING, SECURITY POLICY, THREAT MANAGEMENT.
UNIT-II: SECURING
WEB APPLICATION, SERVICES AND SERVERS: INTRODUCTION, BASICSECURITY FOR HTTP APPLICATIONS AND SERVICES, BASIC SECURITY FOR SOAPSERVICES, IDENTITY MANAGEMENT AND WEB SERVICES, AUTHORIZATION PATTERNS,SECURITY CONSIDERATIONS, CHALLENGES.
UNIT-III: INTRUSION
DETECTION AND PREVENTION: INTRUSION, PHYSICAL THEFT, ABUSE OF PRIVILEGES, UNAUTHORIZEDACCESS BY OUTSIDER, MALWARE INFECTION, INTRUSION DETECTION AND PREVENTIONTECHNIQUES, ANTI-MALWARE SOFTWARE, NETWORK BASED INTRUSION DETECTIONSYSTEMS, NETWORK BASED INTRUSION PREVENTION SYSTEMS, HOST BASED INTRUSIONPREVENTION SYSTEMS, SECURITY INFORMATION MANAGEMENT, NETWORK SESSIONANALYSIS, SYSTEM INTEGRITY VALIDATION.
UNIT-I
INTRODUCTION TO CYBER SECURITY, CYBER SECURITY VULNERABILITIES AND CYBER SECURITY SAFEGUARDS
Overview of
Cyber Security
Cyber
security is the most concerned matter as cyber threats and attacks are
overgrowing. Attackers are now using more sophisticated techniques to target
the systems. Individuals, small scale businesses or large organization, are all
being impacted.
So, all these firms whether IT or
non IT firms have understood the importance of Cyber Security and focusing on adopting
all possible measures to deal with cyber threats.
Cyber Security
Cyber
security is the application of technologies, processes and controls to protect
systems, networks, programs, devices and data from cyber attacks.
It
aims to reduce the risk of cyber attacks and protect against the unauthorised
exploitation of systems, networks and technologies.
OR
Cyber
security is the protection of Internet-connected systems, including hardware,
software, and data from cyber attacks.
It is
made up of two words one is cyber and other is security.
Cyber
is related to the technology which contains systems, network and programs or
data.
Whereas
Security related to the
protection which includes systems security, network security and application
and information security.
Internet
Governance
Internet
governance is the development and application of shared principles, norms,
rules, decision: making procedures, and programs that shape the evolution and
use of the Internet.
It
describes how the Internet was and is currently governed, some of the
controversies that occurred along the way, and the ongoing debates about how
the Internet should or should not be governed in the future.
Internet governance involves translation of ip address through the Domain Name System and into domain
name
The
term “Internet governance” first started to be used in connection with the
governance of Internet identifiers such as domain names and IP addresses, which
led to the formation of ICANN (Internet
Corporation for Assigned Names and Numbers). Since then, the economic,
political, social and military implications of Internet governance have
expanded to embrace a number of other areas of policy.
Challenges in
Cyber Security
Challenges
of the cyber security industry are as dynamic as the field itself. The
cybersecurity landscape is ever changing as new technologies emerge and
transform businesses' measures to secure their networks.
Listing
out some of the most common types of cyber attacks:
Ransomware attacks:
ü Ransomware is a type of malware in which the data on a victim's
computer is locked, and payment is demanded before the ransomed data is
unlocked. After successful payment, access rights returned to the victim.
ü Ransomware attacks are critical for individual users but more so
for businesses who can’t access the data for running their daily operations.
IoT attacks:
ü IoT stands for Internet of Things. It is a system of interrelated
physical devices which can be accessible through the internet.
ü The connected physical devices have a unique identifier (UID) and
have the ability to transfer data over a network without any requirements of
the human:to:human or human:to:computer interaction.
Phishing attacks:
ü Phishing is a type of social engineering attack often used to
steal user data, including login
credentials and credit card numbers
ü . It occurs when an attacker, masquerading as a trusted entity,
dupes a victim into opening an email, instant message, or text message
Software vulnerabilities:
ü A software vulnerability is a defect in software that could allow
an attacker to gain control of a system.
ü These defects can be because of the way the software is designed,
or because of a flaw in the way that it’s coded.
ü An attacker can exploit a software vulnerability to steal or
manipulate sensitive data, join a system to a botnet, install a backdoor, or
plant other types of malware
Machine learning and AI attacks:
ü Machine Learning and Artificial Intelligence technologies have
proven highly beneficial for massive development in various sectors, it has its
vulnerabilities as well.
ü These technologies can be exploited
by unlawful individuals to carry out cyberattacks and pose threats to
businesses.
BYOD policies:
- Most organizations have a Bring:Your:Own:Device policy for their
employees.
- Having such systems poses multiple challenges in Cyber Security.
- Firstly, if the device is running an outdated or pirated version
of the software, it is already an excellent medium for hackers to access. Since
the method is being used for personal and professional reasons, hackers can
easily access confidential business data.
- Secondly, these devices make it easier to access your private
network if their security is compromised.
- Thus, organizations should let go of BYOD policies and provide
secure devices to the employees, as such systems possess enormous challenges of
Computer Security and network compromise.
Insider attacks:
- Employees with malicious intent can leak or export confidential
data to competitors or other individuals. This can lead to huge financial and
reputational losses for the business.
- These challenges of Computer Security can be negated by monitoring
the data and the inbound and outbound network traffic.
- Installing firewall devices for routing data through a centralized
server or limiting access to files based on job roles can help minimize the
risk of insider attacks.
Outdated hardware:
- New updates might not be compatible with the hardware of the device.
This is what leads to outdated hardware, wherein the hardware isn’t advanced
enough to run the latest software versions.
- This leaves such devices on an older version of the software,
making them highly susceptible to cyber attacks.
Constraints in Cyber
Security
Creating
an effective cyber security program has three constraints: quality, budget, and resources.
With these constraints, there’s a variety of
choices you can take:
- You can adapt a program that is of high quality and low cost but it will take many internal resources.
- You can adapt a program that is of low internal resources and high quality but will be costly.
- You can adapt a program that is of low cost and low internal resources but it will have low quality.
Cyber
Threats: Cyber Warfare:Cyber Crime:Cyber
terrorism:Cyber Espionage
Cyber Threats: A cyber threat refers to any
possible malicious attack that seeks to unlawfully access data, disturb digital
operations or damage information.
Following
are some Cyber Threats:
Cyber warfare:
Cyber
warfare encompasses all the actions and processes that aim to attack a nation
in order to cause harm that is comparable to the traditional warfare.
Some
experts claim that in today’s world, warfare has evolved in a way that allows
the use of technology to create destructive results.
Some experts, on the other hand, believe that the term cyber warfare is not suitable for the government level, aggressive cyber attacks since it does not cause physical damage and follow a similar structure as a traditional ‘war.’
Cyber Crime:
Cyber
crime or computer:oriented crime is a crime that includes a computer and a
network.
Cyber
crime is the use of a computer as a weapon for committing crimes such as
committing fraud, identities theft or breaching privacy.
Cyber
crime, especially through the Internet, has grown in importance as the computer
has become central to every field like commerce, entertainment and government.
Cyber crime may danger a person or a nation’s
security and financial health.
Cyber terrorism:
Cyber
terrorism is the use of the computer and internet to perform violent acts that
result in loss of life. This may include different type of activities either by
software or hardware for threatening life of citizens.
In
general, Cyber terrorism can be defined as an act of terrorism committed
through the use of cyberspace or computer resources.
Cyber Espionage:
Cyber espionage is a form of
cyber attack that steals classified, sensitive data or intellectual property to
gain an advantage over a competitive company or government entity.
Need for a
Comprehensive Cyber Security Policy
Security
policies are a formal set of rules which is issued by an organization to ensure
that the user who are authorized to access company technology and information
assets comply with rules and guidelines related to the security of information.
A security policy also considered to be a
"living document" which means that the document is never finished,
but it is continuously updated as requirements of the technology and employee
changes.
We
use security policies to manage our network security. Most types of security
policies are automatically created during the installation. We can also
customize policies to suit our specific environment.
Need of Security
policies:
1) It increases
efficiency.
2) It upholds
discipline and accountability
3) It can make or break a business deal
4) It helps to
educate employees on security literacy
There are some important cyber
security policies recommendations describe below:
Virus
and Spyware Protection policy:
It helps to detect
threads in files, to detect applications that exhibits suspicious behavior.
Removes, and
repairs the side effects of viruses and security risks by using signatures.
Firewall
Policy:
It blocks the unauthorized
users from accessing the systems and networks that connect to the Internet.
It detects the attacks by cybercriminals and removes the
unwanted sources of network traffic.
Intrusion
Prevention policy:
This policy
automatically detects and blocks the network attacks and browser attacks.
It also protects applications from vulnerabilities and
checks the contents of one or more data packages and detects malware which is
coming through legal ways.
Application and Device Control:
This policy protects a system's resources from
applications and manages the peripheral devices that can attach to a system.
The device control policy applies to both Windows and Mac computers whereas application control policy can be applied only to Windows clients.
Need for a Nodal
Authority
CERT-In( Indian
Computer Emergency Response Team ) is the national nodal agency for
responding to computer security incidents as and when they occur. CERT-In is
operational since January 2004.
CERT-In has been designated to serve as the national agency
to perform the following functions in the area of cyber security:
- Collection,
analysis and dissemination of information on cyber incidents.
- Forecast
and alerts of cyber security incidents.
- Emergency
measures for handling cyber security incidents.
- Coordination
of cyber incident response activities.
·
Issue
guidelines, advisories, vulnerability notes and whitepapers relating to
information security practices, procedures, prevention, response and reporting
of cyber incidents.
·
Such
other functions relating to cyber security may be prescribed.
Need for an
International convention on Cyberspace
The Convention is the first international treaty on crimes
committed via the Internet and other computer networks, dealing particularly
with infringements of copyright, computer-related fraud, child pornography,
hate crimes, and violations of network security.
Its main objective, set out in the preamble (preface), is to pursue a common criminal policy aimed at the protection of society against cybercrime, especially by adopting appropriate legislation and fostering international cooperation.
The Convention aims
principally at:
·
Harmonizing
the domestic criminal substantive law elements of offenses(crime) and connected
provisions in the area of cyber-crime
·
Providing
for domestic criminal procedural law powers necessary for the investigation and
prosecution of such offenses as well as other offenses committed by means of a
computer system or evidence in relation to which is in electronic form
· Setting
up a fast and effective regime of international cooperation
The following offenses are defined by the Convention:
- illegal access
- illegal interception
- data interference
- system interference
- misuse of devices
- computer-related forgery
- computer-related fraud
- offenses related to copyright and neighboring rights.
It also sets out such procedural law issues as expedited
preservation of stored data, expedited preservation and partial disclosure of
traffic data, production order, search and seizure of computer data, real-time
collection of traffic data, and interception of content data.
The Electronic
Privacy Information Center said:
The Convention includes a list of crimes that each signatory
state must transpose into their own law.
It requires the criminalization of such activities as
hacking (including the production, sale, or distribution of hacking tools) and
offenses relating to child pornography, and expands criminal liability for
intellectual property violations.
It also requires each
signatory state to implement certain procedural mechanisms within their laws.
For example, law
enforcement authorities must be granted the power to compel an Internet service
provider to monitor a person's activities online in real time.
Finally, the Convention requires signatory states to provide
international cooperation to the widest extent possible for investigations and
proceedings concerning criminal offenses related to computer systems and data,
or for the collection of evidence in electronic form of a criminal offense.
Law enforcement
agencies will have to assist police from other participating countries to
cooperate with their mutual assistance requests.
In response to the rejection, the U.S. Congress enacted the PROTECT Act to amend the provision, limiting the ban to any visual depiction "that is, or is indistinguishable from, that of a minor engaging in sexually explicit conduct"
Cyber Security Vulnerabilities
Vulnerabilities
are weaknesses in a system that gives threats the opportunity to compromise
assets.
All
systems have vulnerabilities. Even though the technologies are improving but
the number of vulnerabilities are increasing such as tens of millions of lines
of code, many developers, human weaknesses, etc.
Vulnerabilities mostly happened because of
Hardware, Software, Network and Procedural vulnerabilities.
Vulnerabilities
in software
Software vulnerability is a defect
in software that could allow an attacker to gain control of a system. These
defects can be because of the way the software is designed, or because of a
flaw in the way that it’s coded.
Software Vulnerability Work
- An attacker first finds out if a system
has software vulnerability by scanning it. The scan can tell the attacker
what types of software are on the system, are they up to date, and whether any
of the software packages are vulnerable.
- When the attacker finds that out, he or
she will have a better idea of what types of attacks to launch against the
system. A successful attack would result in the attacker being able to
run malicious commands on the target system.
- An attacker can exploit a software
vulnerability to steal or manipulate sensitive data, join a system to a botnet,
install a backdoor, or plant other types of malware.
- Also, after penetrating into one network
host, the attacker could use that host to break into other hosts on the same
network.
There
are two main things that can cause a software
vulnerability.
- A flaw in the program’s
design, such as in the login function, could introduce a vulnerability.
- But, even if the design
is perfect, there could still be a vulnerability if there’s a mistake in the
program source code.
Coding errors could introduce several types of
vulnerabilities, which include the following:
Buffer overflows – These allow someone to put more
data into an input field than what the field is supposed to allow. An
attacker can take advantage of this by placing malicious commands into the
overflow portion of the data field, which would then execute.
SQL Injection – This could allow an attacker to inject
malicious commands into the database of a web application. The attacker
can do this by entering specially-crafted Structured Query Language commands
into either a data field of a web application form, or into the URL of the web
application. If the attack is successful, the unauthorized and
unauthenticated attacker would be able to retrieve or manipulate data from the
database.
Third-party libraries – Many programmers use third-party
code libraries, rather than try to write all software from scratch. This
can be a real time-saver, but it can also be dangerous if the library has any
vulnerabilities. Before using any of these libraries, developers need to
verify that they don’t have vulnerabilities.
Application Programming Interfaces – An
API, which allows software programs to communicate with each other, could also
introduce a software vulnerability. Many APIs are not set up with strict
security policies, which could allow an unauthenticated attacker to gain entry
into a system.
Deal with a Software Vulnerability
The
best way to deal with a software vulnerability is to prevent it from happening
in the first place. Software developers need to learn secure coding
practices, and automatic security testing must be built into the entire
software development process.
Makers are responsible to continually monitor for
publications of new vulnerabilities that affect software they sold. Once such a
vulnerability is discovered they must patch it as quickly as possible and send
an update to the users.
End users have the responsibility of keeping their
systems up-to-date, especially with installing security-related software
patches.
System
administration
A
security systems administrator is someone who gives expert advice to companies
regarding their internal security procedures and can also help to detect any
weaknesses in a company's computer network that may make them vulnerable to
cyber attacks.
Computers
hold a lot of valuable information that hackers would love to steal or destroy.
A security systems administrator handles all aspects of information security
and protects the virtual data resources of a company.
Systems
administrator is responsible installing, administering and troubleshooting an
organization’s security solutions.
Security
systems administrators train staff on proper protocols, monitor network traffic
for any suspicious activity, perform risk assessment, audit machines and their
software, update software on the latest security patches.
A security systems
administrator's responsibilities may include the following:
- Defending systems against unauthorized access
- Performing vulnerability and penetration tests
- Monitoring traffic for suspicious activity
- Configuring and supporting security tools (firewalls, antivirus,
and IDS/IPS software)
- Implementing network security policies
- Identifying threats and working on steps to defend against them
- Training employees in security awareness/procedures
- Developing and updating disaster recovery protocols
- Conducting security audits
- Providing technical security advice
- Consulting with staff, managers and executives on best security practices
Complex Network
Architectures
- Cyber security architecture,
also known as “network security
architecture”, is a framework that specifies the organizational structure,
standards, policies and functional behavior of a computer network, including
both security and network features.
- Cyber security architecture is
also the manner in which various components of computer system are organized,
synced and integrated.
- A cyber security architecture
framework is one component of a system’s overall architecture. It’s designed
and built to provide guidance during the design of an entire product/system.
- Security architecture main
purpose is to maintain your critical system’s quality attributes such as
confidentiality, integrity and availability.
- It’s also the cooperation
between hardware and software knowledge with programming proficiency, research
skills and policy development.
- A security architect is an
individual who anticipates potential cyber:threats and is quick to design
structures and systems to preempt them.
- Most organizations are exposed
to cyber security threats but a cyber security architecture plan helps you to
implement and monitor your company’s network security systems.
- A cyber security architecture
framework positions all your security controls against any form of malicious
actors and how they relate to your overall systems architecture.
- Various elements of cyber
security strategies like firewalls, antivirus programs and intrusion detection
systems play a huge role in protecting your organization against external
threats.
- This framework unifies various
methods, processes and tools in order to protect an organization’s resources,
data and other vital information.
- The success of cyber security
architecture relies heavily on the continuous flow of information throughout
the entire organization.
- Everyone must work according
to the framework and processes of your company’s security architecture.
Open Access to
Organizational Data
Access controls
authenticate and authorize individuals to access the information they are
allowed to see and use.
Access control is a method of guaranteeing that users are who they say
they are and that they have the appropriate access to company data.
At a high level, access control is a selective restriction of access to
data. It consists of two main components: authentication and authorization.
Authentication is a
technique used to verify that someone is who they claim to be. Authentication
isn’t sufficient by itself to protect data, Crowley notes. What’s needed is an
additional layer.
Authorization, which
determines whether a user should be allowed to access the data or make the
transaction they’re attempting.
There are 4 Types of access control:
Discretionary access control (DAC)
With DAC models, the data owner decides on
access. DAC is a means of assigning access rights based on rules that users
specify.
Mandatory access control (MAC)
MAC was developed using a nondiscretionary
model, in which people are granted access based on an information clearance.
MAC is a policy in which access rights are assigned based on regulations from a
central authority.
Role
Based Access Control (RBAC)
RBAC grants access based on a user’s role and
implements key security principles, such as “least privilege” and “separation
of privilege.” Thus, someone attempting to access information can only access
data that’s deemed necessary for their role.
Attribute Based Access Control (ABAC)
In ABAC, each resource and user are assigned a
series of attributes, In this dynamic method, a comparative assessment of the
user’s attributes, including time of day, position and location, are used to
make a decision on access to a resource.
Weak Authentication
Weak
Authentication describes any scenario in which the strength of the
authentication mechanism is relatively weak compared to the value of the assets
being protected. It also describes
scenarios in which the authentication mechanism is flawed or vulnerable.
Password Strength
The
“strength” of a password is related to the potential set of combinations that would
need to be searched in order to guess it.
For example, a password scheme with a length
of two characters and consisting only of digits would represent a a search
space of 100 possible passwords (10 x 10), whereas a 12 digit password would
represent 1012 possible combinations.
The larger the set of possible combinations, the harder it is to guess
and the stronger the password.
Thus,
the following factors influence password strength:
• Length: The number of characters in the
password. The greater the length, the
greater the strength.
• Character Set: The range of possible
characters that can be used in the password.
The broader the range of
characters, the greater the strength. It
is typical for strong password schemes to require upper and lower case letters,
digits, and punctuation characters.
Unprotected
Broadband communications
An unsecured network most often refers to a free Wi-Fi
(wireless) network, like at a coffeehouse or retail store. It means there’s no
special login or screening process to get on the network, which means you and
anyone else can use it.
Poor Cyber
Security Awareness
1. Opening Emails from Unknown People
2. Having Weak Login
Credentials
3. Leaving Passwords
on Sticky Notes
4. Having Access to
Everything
5. Lacking Effective
Employee Training
6. Not Updating
Antivirus Software
7. Using Unsecured Mobile Devices
Cyber Security Safeguards
- ·
Cybersecurity
safeguards are the fundamental part of a cybersecurity investment. They are the
expected outcomes of a cybersecurity investment and must be understood
sufficiently so that they can be analyzed and evaluated within a systematic
decision making process.
- ·
From the functional
perspective, there are administrative and technical safeguards.
- ·
This perspective will
be taken into account when it shall be clarified if technical means are
necessary to support or enable the safeguards.
- ·
The perspective of
time allows a distinction between preventive, detective and corrective
safeguards. This considers the time when a safeguard becomes effective, in
particular before, while or after an event.
- ·
Based on these
perspectives, a structure of safeguards is presented, which helps to specify
safeguards concurrently regarding function and time.
Access control
Access
control is a security technique that regulates who or what can view or use
resources in a computing environment. It is a fundamental concept in security
that minimizes risk to the business or organization.
There are two types of access
control: physical and logical.
Physical access control limits access to
campuses, buildings, rooms and physical IT assets.
Logical access control limits
connections to computer networks, system files and data.
To secure a facility, organizations use electronic access
control systems that rely on user credentials, access card readers, auditing
and reports to track employee access to restricted business locations and
proprietary areas, such as data centers.
Access control systems perform identification
authentication and authorization of users and entities by evaluating required
login credentials that can include passwords, personal identification numbers
(PINs), biometric scans, security tokens or other authentication factors.
Multifactor
authentication (MFA), which requires two or more authentication factors, is
often an important part of a layered defense to protect access control systems
Audit
- A cyber security audit is a systematic and independent examination
of an organization’s cyber security. An audit ensures that the proper security
controls, policies, and procedures are in place and working effectively.
- The objective of a cyber security audit is to provide an
organization’s management, vendors, and customers, with an assessment of an
organization’s security position.
- Audits play a critical role in helping organizations avoid cyber
threats. They identify and test your security in order to highlight any
weaknesses or vulnerabilities that could be exploited by a potential bad actor.
Specifically, an audit
evaluates:
Operational Security (a review of
policies, procedures, and security controls)
Data Security (a review of encryption use,
network access control, data security during transmission and storage)
System Security (a review of
patching processes, hardening processes, role:based access, management of
privileged accounts, etc.)
Network Security (a review of network and security controls, anti:virus
configurations, SOC, security monitoring capabilities)
Physical Security (a review of
role:based access controls, disk encryption, multifactor authentication,
biometric data, etc.)
Benefits of a cyber security
audit
A cyber security
audit is the highest level of assurance service that an independent cyber
security company offers.
It provides an
organization, as well as their business partners and customers, with confidence
in the effectiveness of their cyber security controls
An audit adds an
independent line of sight that is uniquely equipped to evaluate as well as
improve your security.
Specfically the following are
some benefits of performing an audit:
- Identifying gaps in security
- Highlight weaknesses
- Reputational value
- Testing controls
- Improving security posture
- Staying ahead of bad actors
- Assurance to vendors, employees,
and clients
- Confidence in your security
controls
- Increased performance of your technology and security
Authentication
The process of authentication in the context of computer
systems means assurance and confirmation of a user's identity.
Before a user
attempts to access information stored on a network, he or she must prove their
identity and permission to access the data.
When logging onto a network , a user must provide unique
log:in information including a user name and password, a practice which was
designed to protect a network from enter by hackers.
Authentication has further expanded in recent years to
require more personal information of the user, for example, biometrics, to
ensure the security of the account and network from those with the technical
skills to take advantage of vulnerabilities.
Authentication leads to
Authorization
Authentication now gives allowed users access to systems
and applications.
Once the system knows who users are, policies can be
applied that control where the users can go, what the users can do, and what
resources they can access. This is called authorization.
Authorization is important as it ensures that users cannot
have more access to systems and resources then they need.
This also makes it
possible to identify when someone is trying to access something they should
not.
For example only giving medical personnel and not
administrative personnel access to patient records, ensuring patient
confidentiality.
Biometrics
This method of authentication is based on the unique
biological characteristics of each user such as finger prints, voice or face
recognition, signatures and eyes.
Biometric devices often
consist of:
·
A scanner or other devices to gather the necessary data about
user.
·
Software to convert the data into a form that can be compared and
stored.
·
A database that stores information for all authorized users.
A number of different types of
physical characteristics are:
Facial Characteristics: Humans are differentiated on
the basis of facial characteristics such as eyes, nose, lips, eyebrows and chin
shape.
Fingerprints: Fingerprints are believed to
he unique across the entire human population.
Hand Geometry: Hand geometry systems
identify features of hand that includes shape, length and width of fingers.
Retinal pattern: It is concerned with the
detailed structure of the eye.
Signature: Every individual has a
unique style of handwriting, and this feature is reflected in the signatures of
a person.
Voice: This method records the frequency pattern of the voice of an individual speaker.
Cryptography
Cryptography is technique of securing information and
communications through use of codes so that only those people for whom the
information is intended can understand it and process it.
In Cryptography the techniques which are use to protect
information are obtained from mathematical concepts and a set of rule based
calculations known as algorithms to convert messages in ways that make it hard
to decode it.
These algorithms are used for cryptographic key generation, digital signing, and verification to protect data privacy, web browsing on internet and to protect confidential transactions such as credit card and debit card transactions.
Features Of Cryptography are
as follows:
Confidentiality:
Information can only be accessed by the person for whom it
is intended and no other person except him can access it.
Integrity:
Information cannot be modified in storage or transition
between sender and intended receiver without any addition to information being
detected.
Non:repudiation:
The creator/sender of information cannot deny his or her
intention to send information at later stage.
Authentication:
The identities of sender and receiver are confirmed. As
well as destination/origin of information is confirmed.
Types Of Cryptography:
Symmetric Key Cryptography:
It is an encryption system where the sender and receiver
of message use a single common key to encrypt and decrypt messages. Symmetric
Key Systems are faster and simpler but the problem is that sender and receiver
have to same exchange key in a secure manner.
Asymmetric Key Cryptography:
Under this system a pair of keys is used to encrypt and
decrypt information. A public key is used for encryption and a private key is
used for decryption. Public key and Private Key are different. Even if the
public key is known by everyone the intended receiver can only decode it
because he alone knows the private key.
Hash Functions:
There is no usage
of any key in this algorithm. A hash
function is a mathematical function that converts a numerical input value into
another compressed numerical value. The input to the hash function is of
arbitrary length but output is always of fixed length.
Many operating systems use hash functions to encrypt
passwords.
Deception
Deception enables a more proactive security act. Deception
aims to avoid a cybercriminal that has managed to penetrate a network from
doing any huge damage.
It offers a more accurate and quicker detection of
attackers. It creates no false positives.
Honeypots were the first simple form of deception.
It is intended to detect existing intrusions (an illegal
act of entering) and return that breach(break) intelligence directly to the
network’s security team.
Any other cyber
security sends a huge amount of alerts for being attacked each alert need to
solve specifically but a maximum of them are false positives this is too
time:consuming and required more and more employees.
So all we need to reduce the false positives
alerts but that increases the possibility of false negatives. The potential for
false negatives is more effective than false positives, to detect this kind of
threads we need to use the Deception Technology.
There are two types
of Deception Technology described below.
Active Deception: Active Deception will provide
inaccurate information intentionally to the subjects (intruders or hackers) to
fall for the trap.
Passive Deception: Passive Deception will
provide incomplete information, o the other half of information. Intruders will
try to gain all the information and the fall for the trap.
Denial of Service
Filters
Denial of service (DOS) is a network security attack, in
which, the hacker makes the system or data unavailable to someone who needs it.
Denial of service is of
various type :
Browser Redirection
This happens when you are trying to reach a webpage;
however, another page with a different URL opens. You can view only the
directed page and are unable to view the contents of the original page. This is
because the hacker has redirected the original page to a different page.
Closing Connections
After closing the connection, there can be no
communication between the sender (server) and the receiver (client). The hacker
closes the open connection and prevents the user from accessing resources.
Data Destruction
This is when the hacker destroys the resource so that it
becomes unavailable. He might delete the resources, erase, wipe, overwrite or
drop tables for data destruction.
Resource Exhaustion
This is when the hacker repeatedly requests access for a
resource and eventually overloads the web application. The application slows
down and finally crashes. In this case the user is unable to get access to the
webpage.
Ethical Hacking
To crack passwords or to steal data ? No, it is much more
than that.
Ethical hacking is authorized
practice to scan vulnerabilities and to find potential threats on a
computer or networks. An ethical hacker finds the weak points or loopholes in a
computer, web applications or network and reports them to the organization.
Ethical hackers aim to investigate the system or network
for weak points that malicious hackers can exploit or destroy.
They
collect and analyze the information to figure out ways to strengthen the
security of the system/network/applications. By doing so, they can improve the security footprint so
that it can better withstand attacks or divert them.
Ethical
hackers are hired by organizations to look into the vulnerabilities of their
systems and networks and develop solutions to prevent data breaches. Consider
it a high:tech permutation of the old saying “It takes a thief to catch a
thief.”
They check for key
vulnerabilities include but are not limited to:
- Injection attacks
- Changes in security settings
- Exposure of sensitive data
- Breach in authentication protocols
- Components used in the system or network that may be used as access points
These are various types of
hackers:
(1) White Hat Hackers (Cyber:Security Hacker)
(2) Black Hat Hackers (Cracker)
(3) Gray Hat Hackers (Both)
White Hat Hackers:
We look for bugs and ethically report it to the
organization. We are authorized as a user to test for bugs in a website or
network and report it to them. White hat hackers generally get all the needed
information about the application or network to test for, from the organization
itself. They use their skills to test it before the website goes live or
attacked by malicious hackers.
Black Hat Hackers:
The organization doesn’t allow the user to test it. They unethically enter inside the website and steal data from the admin panel or manipulate the data. They only focus on themselves and the advantages they will get from the personal data for personal financial gain. They can cause major damage to the company by altering the functions which lead to the loss of the company at a much higher extent. This can even lead you to extreme consequences.
Grey Hat Hackers:
They sometimes access to the data and violate the law. But
never have the same intention as Black hat hackers; they often operate for the
common good. The main difference is that they exploit vulnerability publicly
whereas white hat hackers do it privately for the company.
Firewalls
Accept:
allow the traffic
Reject: block the
traffic but reply with an “unreachable error”
Drop: block the traffic with no reply
A firewall
establishes a barrier between secured internal networks
and outside
untrusted network, such as the Internet.
How Firewall Works:
Firewall match the network traffic against the rule set
defined in its table. Once the rule is matched, associate action is applied to
the network traffic.
For example, Rules
are defined as any employee from HR department cannot access the data from code
server and at the same time another rule is defined like system administrator
can access the data from both HR and technical department. Rules can be defined
on the firewall based on the necessity and security policies of the
organization.
From the perspective of a server, network traffic can be
either outgoing or incoming. Firewall maintains a distinct set of rules for
both the cases. Mostly the outgoing traffic, originated from the server itself,
allowed to pass..
Incoming traffic is treated differently. Most traffic which reaches on the firewall is one of these three major Transport Layer protocols: TCP, UDP or ICMP. All these types have a source address and destination address. Also, TCP and UDP have port numbers. ICMP uses type code instead of port number which identifies purpose of that packet.
Default policy: It is very difficult to explicitly cover
every possible rule on the firewall. For this reason, the firewall must always
have a default policy. Default policy only consists of action (accept, reject
or drop).
Suppose no rule is defined about SSH connection to the
server on the firewall. So, it will follow the default policy. If default
policy on the firewall is set to accept, then any computer outside of your
office can establish an SSH connection to the server. Therefore, setting
default policy as drop (or reject) is always a good practice
Intrusion Detection Systems
An Intrusion Detection System (IDS) is a system that
monitors network traffic for suspicious activity and issues alerts when such
activity is discovered.
It is a software
application that scans a network or a system for the harmful activity or policy
breaching.
Any malicious venture or violation is normally reported
either to an administrator or collected centrally using a security information
and event management (SIEM) system.
A SIEM system integrates outputs from multiple sources and
uses alarm filtering techniques to differentiate malicious activity from false
alarms.
Although intrusion detection systems monitor networks for
potentially malicious activity, they are also disposed to false alarms.
Hence, organizations need to find:tune their IDS products
when they first install them. It means properly setting up the intrusion
detection systems to recognize what normal traffic on the network looks like as
compared to malicious activity.
Intrusion prevention systems also monitor network packets
inbound the system to check the malicious activities involved in it and at once
send the warning notifications.
Classification of Intrusion
Detection System:
IDS are classified into 5
types:
Network Intrusion Detection
System (NIDS):
Network intrusion detection systems (NIDS) are set up at a
planned point within the network to examine traffic from all devices on the
network.
It performs an
observation of passing traffic on the entire subnet and matches the traffic
that is passed on the subnets to the collection of known attacks.
Once an attack is identified or abnormal behavior is
observed, the alert can be sent to the administrator.
An example of a
NIDS is installing it on the subnet where firewalls are located in order to see
if someone is trying to crack the firewall.
Host Intrusion Detection
System (HIDS):
Host intrusion detection systems (HIDS) run on independent
hosts or devices on the network.
A HIDS monitors the incoming and outgoing packets from the
device only and will alert the administrator if suspicious or malicious
activity is detected.
It takes a snapshot
of existing system files and compares it with the previous snapshot.
If the analytical
system files were edited or deleted, an alert is sent to the administrator to
investigate.
An example of HIDS usage can be seen on mission:critical
machines, which are not expected to change their layout.
Protocol:based Intrusion
Detection System (PIDS):
Protocol:based intrusion detection system (PIDS) comprises
a system or agent that would consistently resides at the front end of a server,
controlling and interpreting the protocol between a user/device and the server.
It is trying to
secure the web server by regularly monitoring the HTTPS protocol stream and
accept the related HTTP protocol.
As HTTPS is un:encrypted and before instantly entering its
web presentation layer then this system would need to reside in this interface,
between to use the HTTPS.
Application Protocol:based
Intrusion Detection System (APIDS):
Application Protocol:based Intrusion Detection System
(APIDS) is a system or agent that generally resides within a group of servers.
It identifies the
intrusions by monitoring and interpreting the communication on
application:specific protocols.
For example, this
would monitor the SQL protocol explicit to the middleware as it transacts with
the database in the web server.
Response
Response
is a term used to describe the process by which an organization handles a data
breach(break) or cyber attack, including the way the organization attempts to
manage the consequences(result or effect) of the attack or breach (the
“incident”).
Ultimately,
the goal is to effectively manage the incident so that the damage is limited
and recovery time and costs, as well as collateral (additional) damage such as brand
reputation, are kept at a minimum.
Organizations
should, at minimum, have a clear incident response plan in place. This plan
should define what constitutes an incident for the company and provide a clear,
guided process to be followed when an incident occurs.
Additionally, it’s advisable to specify the
teams, employees, or leaders responsible for both managing the overall incident
response initiative and those tasked with taking each action specified in the
incident response plan.
Who Handles
Incident Responses?
Typically,
incident response is conducted by an organization’s computer incident response
team (CIRT), also known as a cyber incident response team. CIRTs usually are
comprised of security and general IT staff, along with members of the legal,
human resources, and public relations departments.
A
CIRT is a group that “is responsible for responding to security breaches,
viruses, and other potentially catastrophic (destruction) incidents in
enterprises that face significant security risks. In addition to technical
specialists capable of dealing with specific threats, it should include experts
who can guide enterprise executives on appropriate communication in the wake of
such incidents.”
Six Steps For Effective Incident Response
Preparation:
The most important phase of
incident response is preparing for an inevitable (unavoidable) security breach.
Preparation
helps organizations determine how well their CIRT will be able to respond to an
incident and should involve policy, response plan/strategy, communication,
documentation, determining the CIRT members, access control, tools, and
training.
Identification: Identification is the process through which incidents are
detected, ideally promptly to enable rapid response and therefore reduce costs
and damages.
For this step of effective incident response,
IT staff gathers events from log files, monitoring tools, error messages,
intrusion detection systems, and firewalls to detect and determine incidents
and their scope.
Containment:
Once an incident is detected
or identified, containing it is a top priority. The main purpose of containment
is to contain the damage and prevent further damage from occurring.
It’s important to note that all of SANS’
recommended steps within the containment phase should be taken, especially to
“prevent the destruction of any evidence that may be needed later for
prosecution.” These steps include short:term containment, system back-up, and
long-term containment.
Eradication:
Eradication is the phase of
effective incident response that entails removing the threat and restoring
affected systems to their previous state, ideally while minimizing data loss.
Ensuring
that the proper steps have been taken to this point, including measures that
not only remove the malicious content but also ensure that the affected systems
are completely clean, are the main actions associated with eradication.
Recovery: Testing, monitoring, and validating systems while putting them
back into production in order to verify that they are not re-infected or
compromised are the main tasks associated with this step of incident response.
This phase also includes decision making in
terms of the time and date to restore operations, testing and verifying the
compromised systems, monitoring for abnormal behaviors, and using tools for
testing, monitoring, and validating system behavior.
Lessons Learned:
Lessons learned are a critical
phase of incident response because it helps to educate and improve future
incident response efforts.
This is the step that gives organizations the
opportunity to update their incident response plans with information that may
have been missed during the incident, plus complete documentation to provide
information for future incidents.
Lessons
learned reports give a clear review of the entire incident and may be used
during recap meetings, training materials for new CIRT members, or as
benchmarks for comparison.
Proper preparation and planning
are the key to effective incident response. Without a clear-cut plan and course
of action, it’s often too late to coordinate effective response efforts after a
breach or attack has occurred. Taking the time to create a comprehensive incident
response plan can save your company substantial time and money by enabling you
to regain control over your systems and data promptly when an inevitable breach
occurs.
Scanning
- Scanning is the second phase of hacking.
- Scanning can be considered a logical extension (and overlap) of active reconnaissance that helps attackers identify specific vulnerabilities.
- It's often that attackers use automated tools such as network
scanners and war dialers to locate systems and attempt to discover vulnerabilities.
- An attacker follows a particular sequence of steps in order to
scan a network. The scanning methods may differ based on the attack objectives,
which are set up before the attackers actually begin this process.
How Scanning Tools Help
Hackers:
- The most commonly used tools are vulnerability scanners that can
search for several known vulnerabilities on a target network and potentially
detect thousands of vulnerabilities.
- Organizations that deploy intrusion detection systems still have
reason to worry because attackers can use evasion techniques at both the
application and network levels.
- Attackers can gather critical network information, such as the mapping of systems, routers, and
firewalls, with simple tools like traceroute,
Cheops, a network management tool,
to add sweeping functionality.
- Port scanners can be used to detect
listening ports to find information about the nature of services running on the
target machine.
- The primary defense technique against port scanners is to shut
down unnecessary services. Appropriate filtering may also be adopted as a
defense mechanism, but attackers can still use tools to determine filtering
rules.
Security policy
Security policies
are a formal set of rules which is issued by an organization to ensure that the
user who are authorized to access company technology and information assets
comply with rules and guidelines related to the security of information.
A security policy also considered to be a
"living document" which means that the document is never finished,
but it is continuously updated as requirements of the technology and employee
changes.
We use security
policies to manage our network security. Most types of security policies are
automatically created during the installation. We can also customize policies
to suit our specific environment.
There are some important cybersecurity
policies recommendations describe below-
1.
Virus and Spyware Protection policy
- It helps to detect, removes, and
repairs the side effects of viruses and security risks by using
signatures.
- It helps to detect the threats in the
files which the users try to download by using reputation data from
Download Insight.
- It helps to detect the applications
that exhibit suspicious behaviour by using SONAR heuristics and reputation
data.
2.
Firewall Policy
- It blocks the unauthorized users from
accessing the systems and networks that connect to the Internet.
- It detects the attacks by
cybercriminals.
- It removes the unwanted sources of
network traffic.
3.
Intrusion Prevention policy
o
This policy automatically detects and
blocks the network attacks and browser attacks.
o It also protects applications from
vulnerabilities.
o
It checks the contents of one or more data
packages and detects malware which is coming through legal ways.
4.
Live Update
policy
o
This policy can be categorized into two
types one is Live Update Content policy, and another is Live Update Setting
Policy.
o
The Live Update policy contains the setting
which determines when and how client computers download the content updates
from Live Update.
o
We can define the computer that clients
contact to check for updates and schedule when and how often clients computer
check for updates.
5.
Application and Device Control
o
This policy protects a system's resources
from applications and manages the peripheral devices that can attach to a
system.
o
The device control policy applies to both
Windows and Mac computers whereas application control policy can be applied
only to Windows clients.
6.
Exceptions policy
o
This policy provides the ability to exclude
applications and processes from detection by the virus and spyware scans.
7.
Host Integrity policy
o
This policy provides the
ability to define, enforce, and restore the security of client computers to
keep enterprise networks and data secure.
o
We use this policy to
ensure that the client's computers who access our network are protected and
compliant with companies? securities policies.
o This policy requires that the client system must have installed antivirus.
Threat
Management
Threat
management is a process used by cybersecurity professionals to prevent cyber
attacks, detect cyber threats and respond to security incidents.
Following are Threat
management Types:
Identify
Cybersecurity
teams need a thorough understanding of the organization's most important assets
and resources. The identify function includes categories, such as asset
management, business environment, governance, risk assessment, risk management
strategy and supply chain risk management.
Protect
The
protect function covers much of the technical and physical security controls
for developing and implementing appropriate safeguards and protecting critical
infrastructure. These categories are identity management and access control,
awareness and training, data security, information protection processes and
procedures, maintenance and protective technology.
Detect
The
detect function implements measures that alert an organization to cyberattacks.
Detect categories include anomalies and events, continuous security monitoring
and early detection processes.
Respond
The
respond function ensures an appropriate response to cyberattacks and other
cybersecurity events. Categories include response planning, communications,
analysis, mitigation and improvements.
Recover
Recovery activities implement plans for cyber resilience and ensure business continuity in the event of a cyberattack, security breach or another cybersecurity event. The recovery functions are recovery planning improvements and communications
No comments:
Post a Comment