Cybersecurity 2 Midterm

Last updated 3:34 AM on 10/24/24
169 Terms

1

/etc/passwd

Stores plaintext user information (user ID, group ID, home directory, default shell).

2

/etc/shadow

Stores encrypted passwords for users; only root can access it.

3

/etc/group

Stores basic information about groups.

4

chown

Change owner of a file or directory.

5

chmod

Change read, write, and execute permissions.

6

chgrp

Change group ownership of a file or directory.

7

Reconnaissance Attack

Attackers gather information about a target system or network before launching more advanced attacks.

8

Sniffing Attack

An attacker intercepts and analyzes network traffic to steal sensitive information such as passwords or data.

9

Man-in-the-Middle Attack

Attackers secretly intercept and alter the communication between two parties.

10

Password Attack

Unauthorized access using techniques like brute force, dictionary attacks, or credential stuffing to crack passwords.

11

Privilege Escalation Attack

Attackers gain elevated privileges on a system, such as root or admin access.

12

DNS Poisoning Attack

Attackers corrupt DNS data to redirect users to malicious sites or systems.

13

ARP Poisoning Attack

Attackers send fake ARP messages to associate their MAC address with the IP address of another device, enabling eavesdropping or packet interception.

14

DHCP Starvation Attack

An attacker exhausts the available IP addresses by flooding the DHCP server with bogus requests, preventing legitimate users from obtaining an IP address.

15

DHCP Spoofing Attack

Attackers set up a rogue DHCP server to assign malicious IP settings to users.

16

MAC Spoofing Attack

Attackers alter their device's MAC address to impersonate another device on the network.

17

Network-based Denial of Service Attack

An attack that floods a network with excessive traffic, making it unavailable for legitimate users.

18

Distributed Denial of Service Attack (DDoS)

Attackers use multiple systems to flood a network or service, overwhelming it and causing downtime.

19

Malware Attack

Attackers install malicious software, such as viruses, trojans, or ransomware, to damage or gain unauthorized access to a system.

20

Advanced Persistent Threat (APT)

A sophisticated and continuous hacking process where attackers gain access to a system and remain undetected for a long period to steal sensitive information.

21

SQL Injection Attack

Attackers exploit vulnerabilities in web applications by injecting malicious SQL code into queries, allowing unauthorized access to databases.

22

Cross-Site Scripting (XSS) Attack

Attackers inject malicious scripts into web pages viewed by users, which can steal session cookies or other sensitive information.

23

Parameter Tampering Attack

Attackers manipulate parameters exchanged between the client and server to modify data or gain unauthorized privileges.

24

Directory Traversal Attack

Attackers access restricted directories and execute commands outside the web server’s root directory.

25

Cross-Site Request Forgery Attack (CSRF)

Attackers trick users into executing unwanted actions on a web application in which they are authenticated.

26

Application-Level DoS Attack

A denial of service attack targeting the application layer, disrupting services by overloading application resources.

27

Session Hijacking Attack

Attackers take control of a user session by stealing or predicting session tokens, allowing unauthorized access.

28

Bluesnarfing

Attackers steal data from a Bluetooth-enabled device without the user's permission.

29

Bluebugging

Attackers exploit Bluetooth vulnerabilities to take control of a device and remotely execute commands.

30

War Driving

Attackers drive around with Wi-Fi-enabled laptops to detect open wireless networks.

31

Client Misassociation

An attacker sets up a rogue access point (AP) outside the corporate perimeter and tricks employees into connecting to it.

32

Unauthorized Association

Attackers infect a victim machine and activate rogue access points to provide an unauthorized connection to the enterprise network.

33

Honeypot Access Point Attack

Attackers use fake access points to trap unsuspecting users and steal sensitive information.

34

Rogue Access Point Attack

Rogue wireless access points placed in an 802.11 network can hijack the connections of legitimate network users.

35

Misconfigured Access Point Attack

Poorly configured access points allow intruders to steal the SSID and gain access to the network.

36

Ad Hoc Connection Attack

Wi-Fi clients communicate directly in ad hoc mode, bypassing access points and exposing the network to unauthorized access.

37

AP MAC Spoofing

A hacker spoofs the MAC address of a WLAN client’s equipment to act as an authorized client, eavesdropping on the traffic.

38

Denial-of-Service Attack

Wireless DoS attacks disrupt network connections by sending broadcast "de-authenticate" commands.

39

WPA-PSK Cracking

Attackers sniff and capture authentication packets and brute force the WPA-PSK key.

40

RADIUS Replay

Attackers replay valid RADIUS server responses, authenticating without valid credentials.

41

MAC Spoofing Attack

An attacker spoofs the MAC of a client and attempts to authenticate to the AP, leading to unauthorized network access.

42

WEP Cracking

Attackers sniff and capture packets, running a WEP cracking program to obtain the WEP key.

43

Fragmentation Attack

Attackers obtain 1500 bytes of a pseudo-random generation algorithm (PRGA) to forge WEP packets used for injection attacks.

44

Jamming Signal Attack

Attackers use high-gain amplifiers to flood an area with signal interference, disrupting the legitimate AP.

45

Supply Chain Attack

Attackers compromise a system by exploiting weaknesses in third-party hardware, software, or services.

46

Prevent Supply Chain Attacks

Vendor assessment, secure communication, code review, digitally signed updates, privileged access management, and adopting zero-trust architectures.

47

Ultimate Goal of Network Defense

To protect an organization’s information, systems, and network infrastructure from unauthorized access, misuse, modification, service denial, or any form of degradation and disruption.

48

Information Assurance (IA)

Ensures defense-in-depth security. Its principles guide an organization’s security activities, safeguarding the network against attacks.

49

Benefits of Network Defense

- Protect information assets.

- Comply with government and industry-specific regulations.

- Ensure secure communication with clients and suppliers.

- Reduce the risk of being attacked.

- Gain a competitive edge by offering more secure services.

50

Challenges of Network Defense

- Distributed Computing Environments: Modern networks are vast and complex, potentially leading to serious security vulnerabilities, which attackers exploit.

- Emerging Threats: Threats are evolving daily, with network attacks becoming more technically sophisticated and organized.

- Lack of Network Security Skills: Organizations struggle to defend themselves due to a shortage of skilled security professionals.

51

Approaches to Network Defense

- Preventive Approaches: Techniques to avoid threats or attacks on the target network.

- Reactive Approaches: Methods used to detect attacks when they occur.

- Retrospective Approaches: Techniques to investigate the causes of attacks and contain, remediate, and recover from damage.

- Proactive Approaches: Measures that help anticipate and make informed decisions about potential future attacks.

52

Administrative Security Control

Policies, procedures, and practices that manage and regulate an organization’s security.

53

Physical Security Control

Protection of physical infrastructure, such as buildings, servers, and other hardware.

54

Technical Security Control

Security measures implemented via technology, such as firewalls, encryption, and antivirus software.

55

Multilayered Security Order

1. Policies

Organizational rules and regulations that dictate how security is managed.

2. Physical

Physical barriers and security mechanisms to prevent unauthorized access to critical infrastructure.

3. Perimeter

Defenses at the boundary of the network, such as firewalls and intrusion detection systems (IDS).

4. Internal Network

Protection mechanisms within the internal infrastructure to prevent insider threats or lateral movement of attacks.

5. Host

Security measures on individual machines or devices, such as antivirus software and patch management.

6. Application

Security practices at the application level, including secure coding and vulnerability patching.

7. Data

Protection of the data itself, through encryption, access control, and backups.

56

PCI-DSS

Ensures that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

57

HIPAA

Establishes data privacy and security provisions to safeguard medical information.

58

GDPR

A legal framework that sets guidelines for the collection and processing of personal data of individuals within the European Union.

59

SOX

U.S. legislation enacted to improve the accuracy and reliability of corporate disclosures and to protect investors from fraudulent accounting activities.

60

GLBA

Requires financial institutions to explain how they share and protect their customers' private information.

61

DMCA

Protects copyrighted material by criminalizing circumvention of copyright-protection systems.

62

FISMA

Mandates that federal agencies develop, document, and implement an information security program to protect their data.

63

GIRSA

Designed to provide a legal framework for the protection of government information on the Internet.

64

Regulatory Frameworks & Compliance (Top-Down in Importance)

1. Regulatory Frameworks (e.g., PCI-DSS)

2. Policies (e.g., Encryption Policy)

3. Standards (e.g., Encryption Standards like AES or RSA)

4. Procedures, Practices, & Guidelines (e.g., Data Encryption Procedures, Practices, & Guidelines)

65

Steps to Create & Implement a Security Policy

1. Risk Assessment

2. Learn from Standard Guidelines

3. Include Senior Management & Key Staff

4. Define Clear Penalties and Enforce Them

5. Publish the Policy

6. Ensure All Employees Read, Sign, and Understand the Policy

7. Deploy Tools to Enforce the Policy

8. Train Employees on the Policy

9. Regularly Review and Update the Policy

66

Enterprise Information Security Policy (EISP)

High-level policy establishing the organization's overall security strategy.

67

Issue-Specific Security Policy (ISSP)

Focuses on specific areas of security, such as email or internet usage.

68

System-Specific Security Policy (SSSP)

Details the security requirements for individual systems or devices.

69

Promiscuous Policy

No restrictions on internet or remote access. Everything is allowed.

70

Permissive Policy

Starts with open access but blocks known dangerous services or threats.

71

Paranoid Policy

Extremely restrictive, allowing little or no internet access.

72

Prudent Policy

Balances security with functionality, blocking all but essential services.

73

Steps to Implement Security Awareness Training

1. Explain Benefits to Upper Management

2. Perform Gap Assessment

3. Schedule Regular Training Sessions

4. Review Training Performance Regularly

5. Simulate Phishing Attacks

6. Re-train Employees Who Fail

7. Implement Policy and Training Process

74

IT Asset Management (ITAM)

Involves maintaining a log of all IT infrastructure assets, which include hardware, software, licenses, and organizational information. It ensures assets are properly tracked, compliant, and secured.

75

Physical/Hardware Asset Management

Manages IT hardware, physical inventory, and networking products.

76

Software Asset Management

Oversees software installations and policies.

77

Network Asset Management

Manages network devices, such as routers and firewalls.

78

Digital Asset Management

Manages digital data, including images, videos, and documents.

79

Mobile Device Management

Oversees employee mobile devices connected to the network.

80

Cloud Asset Management

Manages security and functionality of cloud services.

81

Separation of Duties (SoD)

This principle helps mitigate risk by dividing tasks among different individuals to avoid conflicts of interest and reduce the likelihood of malicious activities or security breaches. Some regulations, like GDPR, emphasize the importance of clearly defined roles and responsibilities to enhance security.

82

Need-to-Know

Under this principle, access to information is restricted to only what is necessary to perform specific tasks, ensuring that sensitive data remains secure.

83

Principle of Least Privilege (POLP)

Extends the need-to-know principle by granting users only the minimum access needed to perform their job. This enhances security, system stability, and protects the organization from potential internal threats.

84

DAC (Discretionary Access Control)

Allows users to control access to their own data.

85

MAC (Mandatory Access Control)

A stricter model where access is controlled by the system based on policies set by an administrator.

86

RBAC (Role-Based Access Control)

Grants access based on the roles users hold within the organization.

87

ABAC (Attribute-Based Access Control)

A dynamic model where access is based on user attributes, environment, or resource attributes.

88

Logical Implementation of DAC, MAC, RBAC

Logical implementations are carried out using Access Control Lists (ACLs), group policies, passwords, and account restrictions.

89

Logical Implementation of ABAC

Implemented using a policy-based approach, where multiple attributes (role, time, resource, etc.) define access. It allows for fine-grained access control with tools like XACML (eXtensible Access Control Markup Language), which defines policies for evaluating access requests.

90

Keycloak

An open-source identity and access management system (IAM) that provides authentication, user management, and fine-grained authorization based on user attributes.

91

Bell-LaPadula Model

Focuses on confidentiality:

- No read-up (users cannot read data above their security level)

- No write-down (users cannot write data to lower security levels)

92

Biba Model

Focuses on integrity:

- No read-down (users cannot read data below their integrity level)

- No write-up (users cannot write data to higher integrity levels)

93

Network Segmentation

Involves dividing a network into smaller sub-networks or segments, each isolated from others, which helps improve security by limiting access to critical resources.

94

Best Practices for Network Segmentation

- Least Privilege

Limit access to data based on specific roles to strengthen security.

- Limit Third-Party Access

Restrict remote access from third-party vendors to minimize vulnerabilities.

- Audit & Monitor

Regularly audit and monitor network activity to identify and fix gaps in security.

- Design for Ease of Access

Ensure legitimate access paths are easier to use than illegitimate ones.

- Segment Similar Resources

Combine similar resources into common segments to streamline security policy application.

- Avoid Over-Segmentation

Too many segments can lead to complexity and operational difficulties.

- Visualize the Network

Understand how data flows through the network to make informed decisions on segmentation.

95

SSL (Secure Sockets Layer) / TLS (Transport Layer Security)

Cryptographic protocols designed to provide secure communication over the internet.

96

VPN (Virtual Private Network)

Extends a private network across a public network, allowing secure data transmission.

97

HTTPS

A secure version of HTTP, it uses TLS/SSL to encrypt communication between a web server and browser.

98

Firewalls

Enforce policies for incoming and outgoing traffic to protect the network.

99

IDS (Intrusion Detection System)

Monitors for suspicious activity and potential intrusions.

100

IPS (Intrusion Prevention System)

Detects and prevents intrusions in real-time.