Note
Studied by 15 peopleNoteStudied by 22 peopleNoteStudied by 8 peopleNoteStudied by 18 peopleNoteStudied by 21 peopleNoteStudied by 67 people
D315 Network and Security Foundations (trial)
Section 1:
Lesson 1.1: Introduction to Networking Concepts
• What is computer networking?
○ A network consists of two or more computers connected by media with applications to support sharing information
○ Used for sharing files located on servers or other devices
○ Can share other hardware over network
○ Sharing applications
○ Can communicate over a network with email or Iming
○ Can use VoIP for speaking
• The building blocks of networks:
○ Composed of three parts
§ Devices: Computers, servers, printers, drives
§ Applications: file transfer, email, imaging
§ Networks: LANs WANs and TCP/IP
• History of Information Security:
○ Tech has rapidly evolved in the last 50 years
○ 1950's and 1069's
§ Computers were primarily used for corporations
§ Information security doesn’t exist
§ Physical security is the main safeguard
○ 1970's
§ Physical security switched to network security
§ Various potential threats and possible security measures identified
§ ARPANET - The Advanced Research Projects Agency was created
○ 1980:
§ The rise of networking brought out viruses and hackers
○ 1990s:
§ Rise of IA (information Assurance)
§ Non-repudiation - aimed to ensure data could not be denied by sender or recipient
□ Achieved through digital signatures and other cryptographic techniques
§ Firewalls also became prevalent
§ Authentication began to gain prominence
○ 2000s:
§ NISS unveiled 5 objectives
□ Availability
□ Integrity
□ Confidentiality
□ Accountability
□ Assurance
§ Crackdowns on cybercrime became more common
○ 2010s:
§ A number of data breaches happened
○ InfoSec Today:
§ Common callouts from infosec today
□ Ransomware
□ Cryptojacking
□ State-sponsored attacks
□ Phishing
□ IoT attacks
□ Smart Medical devices
• Establish Network Connections:
○ Home networks usually consist of:
§ A modem
§ An ISP provided router that also acts as a gateway
§ And other devices that are connected to the network whether through wifi or wired
□ Wired and wireless connections select from specific pools of IP addresses
○ Corp networks usually contain a lot more:
§ Internal network:
□ Desktop clients
□ File servers
□ Mobile clients
□ Communication servers
□ Infrastructure and Management servers
□ Application Servers
§ Perimeter:
□ Application servers
□ Access servers
□ Proxy servers
□ Security
§ External:
□ Could services
□ internet
□ Branch offices or partners
Network Devices:
• Routers:
○ Layer 3 device
○ Used to forward data packets to other networks based on the IP addresses of the networks
§ Gateway devices since it sits on the "border" of the network
○ Connects at least two layers
§ LAN/WAN
§ LAN/LAN
§ LAN/ISP
○ Can contain
§ CPU
§ Memory
§ I/O interfaces
○ Special purpose device
§ Doesn’t require a keyboard or display
○ Types of Routers
§ Broadband
□ Connects both computers together and to the internet
§ Wireless router
□ Creates a wireless signal in a home or office environment
§ Other types
□ Edge router
® On the edge of ISP
□ Subscriber edge router
® Implemented in an organization
□ Inter-provider border router
® ISP to ISP - core of the internet
□ Core router
® On inside and doesn’t touch the internet
® Networks within organizations will use these
• Cable and DSL modems:
○ Hardware devices that connects to a remote network or the internet
○ Stands for "modulate" and "demodulate"
§ Sends and receives data
□ Telephone line
□ Cable line
○ Dial-Up Modems
§ Internet connection established using a modem and telephone line
§ Dial into ISP to establish connection
§ Slow speeds
□ Max of 56 kbps
○ DSL (Digital Subscriber Line)
§ Popular for transferring digital signals over standard telephone lines
§ DSL modems are used to connect to a DSL ISP
□ Has superseded dial-up
§ Some came with wifi capabilities
○ Cable modems:
§ Hardware device using coax cable tv-lines to provide fast internet
□ always on
□ Fast data transfer rates
• Wireless Access Points (WAPs):
○ Special purpose for WLAN
○ Access points are used to provide a hotspot for wireless clients close by
○ Acts as a bridge between wired and wireless networks
○ Often multifunctional
○ Can be used to
§ Strengthen security
§ Extend wireless range
○ SSID is essentially a name for the network
§ Usually is broadcasted so users can connect to it
○ For security reasons the SSID can be hidden
§ Software can unveil hidden SSIDs though
○ Rogue Access Points and Evil Twin:
§ A rogue access point is an unauthorized access point connected to a network
§ An evil twin poses as a legitimate access point, possibly using a portable hotspot, and harvests data
• Wireless Range Extenders:
○ Extends radio frequency range
○ Functions at layer 1 of OSI model
§ Extend ethernet network segment
○ Lacks intelligence
§ Simply passes data traffic across itself
○ Distances
§ Depends on
□ Transmit power of AP
□ Gain of antenna
§ Clients
□ Also a transmitter and receiver
○ Connectivity
§ Allows PCs and other devices to connect to a WLAN
□ Outside of the WAPs normal range
○ Effective communication requires that
§ Transmitter and receiver can hear each other
• Transmission Media:
○ Voltage defines 1s and 0s
§ A cable or transmission medium is needed to transmit this information
○ Low bit error rate is essential to supporting high data transmissions like
§ Voice
§ Video
§ Live gaming
○ The four most common types of transmission media are:
§ Copper:
□ Used in unshielded twisted-pair (UTP) and shielded twisted-pair (STP)
□ Depending on application UTP or STP can be used for low-, medium-, and high-speed transmissions and data networking
□ Most common in office buildings and wired network environments
□ Typically used for voice and data communications to the dektop location
§ Coaxial:
□ Rugged indoor or outdoor cable
□ Coaxial has outside insulation sheath supported by a metal inner conductor and metallic braided sheath
□ The braided sheath surrounds the metal inner conductor
□ Coax cables use radio frequency (RF) to support greater bandwidth and transmissions at further distances
§ The cable TV infrastructure is supported by coaxial cable to the residence, with types like:
□ RG-6: Typically used for audio, video, and tv transmission equipment
□ RG-58: Used for RF transmissions and antennae cabling to radio equipment
□ RG-58/U: 10Base2 Ethernet, also known as Thinnet
□ RG-59/U: Closed circuit television (CCTV) transmission to monitors
□ RG-*u: 10Base5 Ethernet, also known as thicknet
□ RG-60U: High definition television (HDTV) and high-speed cable modems
§ Glass/fiber:
□ Contain a glass core surrounded by glass cladding
□ Light travels through the glass core
□ There is a primary buffer as a protective cover and an outer sheath that acts as a jacket to protect the fiber cable
□ Supports large amounts of data transmission over far distances
□ Used for long haul data transmission
□ typically have multiple strands in the same cable that allow multiple devices to be connected to each end
□ Single mode optical equipment and transceivers can operate in bidirectional mode supporting full duplex
□ A technique called wavelength division multiplexing (WDM) allows multiple waves of light to travel through a single strand
• Structured Wiring Systems:
○ A modular cabling solution that is flexible including both outside and indoor cabling
○ These have the following benefits:
§ Modular and flexible for supporting end-to-end connectivity
§ Support rapid moves, adds, and changes
§ Have a lifespan of more than 10 years of operation
§ Support high-speed bandwidth and connectivity to the desktop
○ A structured wiring system has the following parts
§ Workstation outlet and RJ-45 connections: The termination point at the desktop location where the twisted-pair cabling is connected to an 8-pin modular RJ-45 connector
§ Intermediate distribution frame (IDK) or wiring closet: The location or room or room where building backbone cabling terminates to provide connectivity to desktop locations
§ Intrabuilding distribution: Cabling that emanates from a main distribution frame (MDF) or data center facility to an intermediate distribution frame (IDF) or wiring closet
§ Main distribution frame (MDF) or data center: The location or room where backbone cabling terminates to provide connectivity to the data center facility
§ Campus or building backbone distribution: Interbuilding cabling that consists of fiber optic backbone cabling and twisted-pair bundled cabling to support 10-20 years or more of connectivity for a campus or building
• STP vs UTP:
○ Shielded Twisted Pair vs Unshielded Twisted Pair:
§ All forms of ethernet cables use twisted pair cabling
§ Shielded twisted pair uses a foil or mesh shield to reduce noise and cross talk
□ Also requires electrical ground
○ Data rates and installation
§ UTP
□ easier to install
□ Flexible
□ Smaller
□ Lighter
□ Slower data rates
§ STP
□ Can be more challenging to install
□ Provides higher data rates
○ Direct Burial STP
§ Under ground installation
§ Direct burial rated shielding cabling is ideal for outdoor implementations or installs directly in the ground
□ With or without a conduit
○ UTP Implementations
§ Home or office environments where crosstalk isnt a concern
§ Used for telephone connections
○ STP implementations
§ Environments susceptible to EMI
□ Airports
□ Industrial
□ Hospitals
• Optical Fiber Cabling:
○ Data transmitted using pulses of light
○ Transmits over great distances
○ Highly secure data transmission
○ Not effected by EMI
○ Single-mode and multi-mode fiber
○ Fiber Connectors:
Network Topology:
• The following are examples of network-attachable devices:
○ Computers
○ Printers
○ Mobile devices and tablets
○ Servers (application, web, email, network-attached storage, etc)
○ LAN switches
○ Routers
• Devices can connect to networks through wired or wireless connections
§ The layout of how devices connect to a network is the network topology
□ The map of the network that shows how devices connect to one another and how they communicate via a connection media
○ There are two considerations for topology:
§ Physical topology is the picture of the actual network devices and the medium used to connect to the network
□ Each device connects to a network using at least one connection medium
□ The medium can be wires, radio waves, or even light waves
§ Logical topography is how the actual network works and how data is transferred
□ This view focuses more on how the network operates and is not concerned with certain physical properties of the network
□ Shows how the network logically connects at the Data Link layer where the MAC and LLC sublayers reside
§ Most topology refers to shapes describing the general organization of the network
□ Each type of network topology has both advantages and disadvantages
® Ring- A shared ring connecting multiple devices together
® Bus - a shared network transmission medium allowing only one device to communicate at a time
® Star - A star-wired connection aggregation point, typically from a wiring closet
® Point-to-point - A direct link or connection between two devices
® Mesh - multipoint connections and direct links between network devices
® Hybrid/star wired bus - also known as a tree topology; a shared, star-wired connection aggregation point to a LAN switch
○ Point-to-Point networks:
§ Called point-to-point when computers or devices are connected directly to one another
□ These communications are based on time slots and polling where communication controllers poll each dumb terminal one at a time to provide a time slot for data transmission
§ Legacy computer systems tended to be host-based meaning it consists of a central computer such as a mainframe with many users connecting directly to it
□ Terminals were used to access the central computer and typically has a keyboard and monitor that can input data to the central computer
® These had not much other purpose and were called dumb terminals
® These terminals connected to central computers using a serial communications connection that would send or receive one character at a time in a serial fashion
® The standard for serial connectivity was based on the 25-pin connector defined by the EIA as the RS-232 serial communications standard
◊ Defines how data terminal equipment (DTE) devices communicate with data circuit-terminating equipment (DCE)
◊ Include terminals, printers, and any devices that can connect to a pc
○ Bus:
§ Most common type of topology
§ Originated by the first LAN vendors such as
□ IBM PC Network
□ ARCNET
□ and eventually the first IEEE 802.3a CSMA/CD standard for 10Base5 coaxial cable-based topologies
§ Delivers a linear network throughout a computer room, wiring closet, and external workstations and devices
§ A bus topology starts with coaxial cable supporting high-speed networking, but has physical limitations on distance and a max number of device connections
§ They are simple to construct but require transceivers to transmit and receive communications
§ Communications signaling goes in both directions so devices need to go one at a time, causing a collision if they transmit at the same time
○ Ring:
§ Token ring was a common topology deployed in the 1980's and 1990's
§ Made popular by IBM as its LAN architecture of choice
§ IBM led the IEEE 802.5 Token Ring standard, which competed with IEEE 802.3 CSMA/CD
§ Within token ring, all stations are connected in a logical ring while being star wired from a central location
§ Attached devices must have permission to transmit on the network, being granted via a token that circulates the ring
□ Token ring-attached devices can transmit only when they have an available token, eliminating collisions
○ Star:
§ Ring networks have a physical path length - the length of transmission media
§ The star-wired topology has all nodes directly connected to a common central computer, or hub
• Wireless Topologies:
○ Wireless Ad Hoc:
§ LAN that is built as devices are added/connected
§ Each device can connect to each other
§ Advantages:
□ Bypasses need for a router
® Devices connect to other devices on the network to access files
® Often more affordable
□ Speed
® Quickly connect multiple computers
◊ no additional hardware needed
○ Infrastructure Networks
§ Devices connect to a wired network
□ Using an access point
□ WLAN doesn’t replace wired LAN
® used to extend functionality to wireless network
§ Advantages
□ Scalable
® Using multiple APs can reduce congestion and increase overall coverage
® Roam between interlocking points without losing a connection to the network
§ Drawbacks
□ More complicated to set up
□ More expensive to set up since it requires an AP
Network Deployments:
• On-Premise vs Cloud Deployments
○ On-premise:
§ Exists within enterprise infrastructure
§ Workers will have physical access
§ Biggest drawback is cost for acquiring hardware and software for functions
○ Cloud deployments:
§ Has the potential for no infrastructure, but hosted third party services allows cloud access from personal devices
§ Off-site servers
§ Software as a Service
○ Hybrid Deployments:
§ Provides means for on-premise to transfer to cloud deployments
• Hybrid-Cloud Overview:
○ Combo of public cloud infrastructure and private cloud infrastructure
○ Key Features:
§ Sharing data and applications
§ Scalable services
§ Improved cost
§ Reduced capital expenditure
§ Critical data remains behind firewall
• Multi and Hybrid Cloud Deployments:
○ Multi-Cloud:
§ Private cloud, alongside multiple cloud vendors
□ Multiple vendors are used for redundancy in case of total service outages
○ Benefits of Hybrid and Multi
§ Elasticity
§ Automation
§ Flexibility
Application Architectures:
• Architecture Types and Examples:
○ The main architectures still in use today are:
§ Host-based:
□ Software applications all began as host-based architectures
□ Everything ran on the central host; all storage, data access software (DBMS), user interface processing
□ Most business software started as host-based applications
® These were almost always closed systems with strict access controls
® Security was easy compared to todays requirements
§ Client-based Client/server:
□ Client-based:
® Organizations used "diskless computers" connected to the corporate network
® Data was stored on the central server while everything ran on the client
® Speeds reached 10 mbps so as soon as a few systems were connected the network was saturated and slowed
□ Client/Server applications:
® Splits the data and processing tasks into two main partitions; Servers handle data while clients handle the processing
® Works better than pure client based model
® Still popular for many enterprise class applications
§ Cloud computing/N-Tier:
□ To remedy performance and utilization problems, architects introduced the application server (appServer)
® A program that runs on a central server that handles processing logic
® appServer can read vast amounts of data from the DBMS using a high-speed network connection and process data on a high-powered server
® Sends only the results over the network to the client
® Pushing processing logic up to a new server was originally called a 3-tier architecture (client, appServer, and database each represent a separate tier)
□ N-tier:
® Used to exist only in an in-house data center
® Today organizations of any size can lease data center infrastructure to implement an N-Tier architecture
® A web based model allows end-users to run browser software as the UI
§ Peer-to-peer (P2P):
□ Peers share data and processing with each other
□ Works well for situations in which contention for data is low
□ Clients rely primarily on local resources and only share what they need
□ Work well in collaborative environments
○ Examining where core processing functions occur can help classify an architecture
○ There are four main processing functions:
§ Data-storage: Where the application data is stored; Is your data stored on a central server or copied to each client(or in between)?
§ Data access: How do clients access application data? Is your data stored in files or in a repository like a database, that requires a database management system (DBMS) to control access to data? If your application has a DBMS where is it located?
§ Processing logic: AKA business logic, this is the software that carries out most of the computations on your application data. Processing logic is normally identified by anmy code that handles data that is stored in your repository. Where should functions be run?
§ User Interface: User interface functions generally focus on getting data from, and presenting data to, end users. End users don’t have to be humans- output files, printers, and remote processes can all be classified as end users. (Data consumers). Does a function interact with an end user? Is it a user interface function.
• Using Windows Commands:
○ "ipconfig" returns network info like IP addresses, gateways, and subnet mask
§ IPv4 Ips use dots to separate octets
§ IPv6 uses colons to separate octets - Will start with "fe80" a local link prefix that’s used whenever IPv6 is activated
○ ipconfig/all gives even more detail like:
§ Host name
§ DNS
§ Adapter settings
○ nslookup - queries DNS server
○ "arp -a" reveals mapping of ip addresses to physical MAC addresses
○ netstat - provides network statistics and can display active connections, listening ports, and associated addresses - also available in linux
• Linux commands:
○ "ip a" (stands for ip address)
§ Lists IP and network info
○ "/etc/netplan/FILE"
§ can be used to configure IP addressing with a YAML config file
○ "/etc/resolve.conf"
§ Gives info on dns servers
○ "ifconfig" - interface config, similar to ipconfig
Networking Standards and Models:
• Standards:
○ 802.11:
§ 802.11a:
□ Extension to 802.11 and supports
® Up to 54 Mbps bandwidth
® Frequency spectrum around 5 GHz
◊ This shortens the range of 802.11a networks
◊ Causes penetration of obstacles more difficult at longer range
□ Pros:
® Speed
® Regulated frequency prevents signal interference
□ Cons:
® Higher cost
® Shorter range and easily obstructed
§ 802.11b:
□ Bandwidth up to 11 Mbps
® Comparable to traditional ethernet
□ Unregulated 2.4 GHz signaling frequency
® Often used by vendors due to lower production costs
® Can incur interference from devices on same range
◊ Microwaves
◊ Cordless Phones
◊ Other appliances
□ Pros:
® Cost effective
® Good signal and not easily obstructed
□ Cons:
® Slowest max speed
® Interference possible
§ 802.11g:
□ Emerged in 2002 and 2003
® Combines best of both "a" and "b"
® Bandwidth up to 54 Mbps
® Uses 2.4 GHz for greater range
® Backward compatible with 802.11b adapters
□ Pros:
® Fast max speed
® Good signal range that isnt easily obstructed
□ Cons:
® More expensive
® May incur interference
§ 802.11n:
□ Referred to as Wireless N
□ Improves on 802.11g
® Greater bandwidth
® Support for multiple wireless signals and antennas
◊ MIMO technology
□ Supports up to 300Mbps bandwidth
® Better range
® Increased signal intensity
□ Pros:
® Fastest max speed
® Best range
® Most resistant to interference
® Backward compatible
□ Cons:
® Standard not finalized
® More expensive than "g"
§ 802.11ac:
□ Newest generation
□ Utilizes dual band and supports simultaneous connections
® 2.4 GHz
® 5 GHz
□ Backward compatible with 802.11b/g/n
□ Bandwidth rated up to 1300 Mbps on 5GHz
□ 450 Mbps on 2.4 GHz
○ Ethernet:
§ 10Base-T
□ The "10" represents speed
□ The "Base" stands for base-band signaling
□ The "T" part can mean different things but here its for twisted-pair cabling
§ 100Base-TX:
□ 100 Mbps
□ Base-band
□ The "TX" is for twisted-pair cabling and full-duplex
§ 1000Base-SX"
□ 1000 Mbps
□ Base-Band
□ SX is short wavelength over fiber full duplex
§ 10GBase-SR:
□ 10 Gbps speed over fiber
□ Baseband
□ SR: Short wavelength extended range
□ CAT-6a can support
§ 40GBase-SR4:
□ 40 Gbps
□ base-band- usually in a data center
□ SR4 - identifies range and cabling
§ 100GBase-SR10:
□ 100 Gbps speed
□ Base-band
□ SR10 identifies cabling and range
TCP/IP Model:
• Transmission Control Protocol/Internet Protocol (TCP/IP) Reference Model
○ Defines 4 layers as opposed to OSIs 7 layers
○ Represents the same functionality as OSI model but several of the OSI layers are combined to streamline the model
○ Each layer is responsible for a different phase of communication where the layer logically communicates with the corresponding node layer
○ Summary of TCP/IP Reference Model layers
§ Application Layer :
□ Top of the reference model which maps to layers 5, 6, and 7 of OSI
□ Interacts with applications that need to gain access to network services
□ Includes most of the high-level protocols application software uses for network comms.
□ Common protocols include
® Dynamic Host Config Protocol (DHCP)
® Hypertext Transfer Protocol (HTTP)
® Internet Message Access Protocol (IMAP)
® File Transfer Protocol (FTP)
® Post Office Protocol (POP)
® Session Initiation Protocol (SIP)
□ Application Layer protocols are the most visible protocols in internet applications
□ Lower layer protocols are hidden from view and are accessed as calls from within the OSs network stack
□ Application layer protocols arent usually concerned with the specific details of how a message arrives
□ All the Application Layer protocols must do is pass a message to the lower-layer protocols, along with the destination address
§ Transport to Host-to-Host Layer:
□ Provides end-to-end delivery which maps to OSI layer 4 (The Transport Layer)
□ Segments the data and adds a checksum to properly validate data to ensure that it isnt corrupted
□ The transport layer takes care of all the details ensuring a message makes it to its destination
□ Some responsibilities include:
® Data arrives in same state it was sent (error correction)
® Missing data is retransmitted
® Data is presented to the Application Layer in the correct order
® Duplicate data is dropped
® Network path problems are handled (congestion or failed links)
□ The most common TCP/IP transport layer protocols are:
® Transmission Control Protocol (TCP) : Data pieces are encapsulated with a header making a TCP segment
® User Datagram Protocol (UDP) : Encapsulates each data piece in a header to create a datagram
□ The Application and Transport layer Protocols generally connect to remote nodes using specific ports to communicate
® Communication is made easier using well-known default port numbers
§ Network or Internet Layer:
□ Maps to OSI layer 3 (the Network Layer)
□ Handles the routing of packets as they move around the network
□ This layer examines each packet, determines destination, and makes the necessary routing decision to get it to its destination
□ Primarily made up of the Internet Protocol and other protocols that support IP
® Other supporting protocols include (ICMP and IPSec)
□ Provides transparency to the upper layer protocols
§ Physical or Network Access Layer:
□ Corresponds to OSI layers 1 and 2
□ Lowest layer and is the point at which the higher-layer protocols interface with network transport media
□ Takes packets from the internet Layer and places them on physical media for transmission to the next node
□ Common protocols include:
® Address Resolution Protocol (ARP)
® Layer 2 Tunneling Protocol (L2TP)
® Point-to-Point Protocol (PPP)
® Media Access Control (Ethernet, Digital Subscriber Line [DSL], Fiber Distributed Data interface [FDDI], etc)
• Open Systems Interconnection Reference Model (OSI):
○ A template for building and using a network and resources
○ Was created in 1970s with a goal of creating a new communication standard for networking
○ Still in use today as both a reference and a mean of teaching network communications
○ Technology can be designed for any one layer without worrying about how the other layers work, the layers just need to be able to talk to each other
§ Only the services required are needed for development
○ Layer 7 - Responsible for interacting with end users, applications must interact through network to be considered a part of this layer
§ Sends or receives network requests
§ Example: Browser/web browser
§ UI responsible for received information
§ End of data transfer
§ Examples
□ HTTP/HTTPS, FTP, SMTP, DNS, DHCP
○ Layer 6 - Responsible for coding of data, including file formats and character representations. From a security viewpoint encryption happens at the presentation layer
§ Formal Data
□ Represent
□ Format
□ Structure
□ Encapsulation
§ Compression/encryption
§ Compatibility with host OS
○ Layer 5 - Maintains communication sessions between computers. Creates, maintains, and disconnects communications between processes over the network
§ Manages and monitors sessions between devices
○ Layer 4 - Breaks data into packets and properly transmits them over the network. Flow control and error checking take place here
§ Ensures transport reliability
§ Handles transport issues between hosts
§ Virtual Circuits:
□ Establish
□ Maintain
□ Terminate
§ Fault detection/ recovery information flow control
○ Layer 3 - Responsible for logical implementation of a network. One important feature being logical addressing (like IP addresses)
§ Routes packets based on IP addresses
§ Logical addressing - IPv4, IPv6, IPX, Appletalk
§ Devices include things like routers
○ Layer 2 - Responsible for transmitting information on computers within the same LAN. Uses MAC addresses for identification
§ Prepares information for the physical layer
§ Access to media = frame
§ Ethernet = main data link layer in use
§ Sub-layers:
□ Logical link layer - error checking
□ Media Access Control Layer - access to media
○ Layer 1 - Responsible for physical operation of the network. Must translate binary into the language of the transport medium
§ Any component that works with an electrical signal
□ Cabling
□ Interface cards
□ Jacks
• OSI Model vs the TCP/IP stack:
Virtualization:
• Refers to the abstraction of some physical component into a logical object
○ A VM can virtualize hardware resources like memory, storage, processors, and network connectivity
○ A hypervisor (VMM) is the software in which VMs operate
○ A VMM needs to exhibit these three properties to correctly satisfy their condition:
§ Fidelity: The environment for the VM is essentially identical to the original physical hardware
§ Isolation or Safety: The VMM must have complete control of system resources
§ Performance: There should be little to no difference in performance between the VM and physical equivalent
○ Between the 70's and 80's there were more than 70 different PC Oss
○ Consolidation ratio: The number of VMs to physical machine
§ Drives down cost saving companies millions of dollars
○ Containment: Virtualizing processes from hardware that has expired maintenance license and wont be replaced
Hypervisors:
• Describing a hypervisor:
○ At the highest level, a hypervisor is an arbiter of resources
○ Software that sits between physical resources and virtual machines on a server
○ Provide a virtual environment for workloads, enable virtual networks, and offer clustering for high availability
• Type 1 Hypervisor:
○ Runs directly on the server hardware without an OS beneath it, making it a bare-metal implementation
○ This hypervisor can directly communicate with the hardware resources in the stack below it, making it more efficient than a type 2 hypervisor
○ Also considered to be more secure than type 2
○ Less processing is needed for a Type 1 hypervisor so more VMs can run on each hose
• Type 2 Hypervisor:
○ An application that runs in a traditional OS
§ Examples: Vmware Fusion, Vmware Workstation, Parallels, VirtualBox
○ Less reliable due to more points of failure:
§ Anything that affects the availability of the underlying OS can impact the hypervisor and its guests
○ Uses more physical resources than Type 1 since the underlying OS utilizes resources along with the hypervisor
○ Typically used for single developer development environments
§ Acts more like another application since it runs on top of OS
○ The Role Of A Hypervisor:
§ The host has to see and have access to various hardware resources needed to function
□ Provide functionality to any operating system its supporting with the host hardware
§ The hypervisor not only has to abstract hardware from each of the virtual guests, but also needs to balance workload
□ In a sense a hypervisor is an operating system of its own for hardware, but services entire (virtual) servers
○ I/O Processing:
§ On top of storage I/O requests, the hypervisor handles Network I/O, memory processing, and CPU work also
Cloud Computing:
• The Cloud Value Proposition
○ Allows for online resource management
○ Access anywhere anytime
○ Cost can be more efficient with tremendous resources available
○ Higher security than an on premise environment
• The Risks of Cloud Computing:
○ Security and privacy:
§ Data stored in the cloud has a location not known to the owner of the data
§ Control account can be compromised giving vulnerability to data
§ Migration can be an issue if legacy tools arent supported by new changes
§ Multi-platform management can cause complications and confusion, as well as a loss of control for users
§ No guarantee that services or tools can be compatible with your current cloud service
§ Downtime is dependent on the service being used since youre only utilizing the space, not managing the hardware
§ Can result in vendor lock-in and insecure APIs
Cloud Service Models:
• Three Service Models:
○ Infrastructure as a service (IaaS):
§ On demand access to data infrastructure resources
□ Hard drives, servers, network equipment
□ No up front purchase required
□ Includes VMs, storage, virtual networks, devices or appliances
§ Characteristics:
□ Resources are available as a service
□ Pay-as-you-go pricing
□ Highly scalable
□ Platform virtualization
□ IaaS provider manages the infrastructure
§ Advantages:
□ Most flexible model
□ Reduces cost and IT expenditures
□ Improves availability and continuity
□ Managed and updated by provider
§ Disadvantages:
□ Security threats
□ Legacy apps may not be an option depending on the service
□ Increase in internal training
□ Multitenancy security
○ Platform as a service (PaaS):
§ Dev tools and services made to make coding and deploying apps quick and efficient
□ Infrastructure with software services
□ Vendor provided hardware and software tools
□ Delivered over internet
□ Framework delivery for application development
§ Characteristics:
□ Uses virtualization technology
□ Scalable
□ Services for app dev, testing, and deployment
□ Accessible to multiple users
§ Advantages:
□ Cost effective app dev and deployment
□ Almost unlimited scalability
□ Provider maintains resources
□ Easy migration
□ Rapid release
§ Disadvantages:
□ Integration complexity
□ Data security
□ Legacy systems may not be compatible
□ Runtime and operational issues
○ Software as a service (SaaS:
§ Software designed for end users that is deployed, delivered, and accessed over the internet
□ Cloud based software and applications
□ Internet based access
□ No downloads or installations
§ Characteristics:
□ Vender hosted on remote server
□ Multi-platform support
□ Vendor handles management and updates
§ Advantages:
□ Vendor managed completely
□ Reduces time and cost
□ Frees company technical staff
§ Disadvantages:
□ Interoperability and integration issues
□ Data security concerns
□ Customizations and features may be limited
□ Performance and downtime issues
Introduction to Network Security:
• What is Information Security?:
○ Security = free from danger or risk
§ Since there is always some amount of risk present, achieving security is aspirational
○ Information systems security is the collection of activities that protect the information system and data in it
○ Privacy data of individuals:
§ Name, address, date of birth
§ Social security number
§ Bank and account number
§ Credit card number
§ Utility account info
§ Mortgage account info
§ Insurance
§ Securities and brokerage account numbers
○ Corporate Intellectual property:
§ Trade secrets
§ Product development
§ Sales and marketing strategies
§ Financial records
§ Copyrights, patents, etc
○ Online B2C and B2B transactions:
§ Online banking
§ Online healthcare and insurance
§ E-commerce, E-government services
§ Online education and transcripts
○ Government intellectual property:
§ National security
§ Military and DoD strategies
• The purpose of Network Security:
○ Protects data, network, hardware, and software
○ Prevent and monitor unauthorized access to network resources
§ Shared folders
§ Shared applications
○ Prevent malicious activities like:
§ misuse
§ Modification
§ Disruption
§ Destruction
○ Protects data during transaction and rest
○ Protects network assets
• Why implement network security?:
○ Ensure availability of resources
○ Provide authentication and authorization on network resources
○ Protect resources while allowing access to legit users
• Network Security Coverage:
○ Networks
○ Network apps
○ Network devices and systems
○ Protocols
○ Services
○ Data
• Cybersecurity Approaches:
○ Compliance Based
§ Also uses risk based approach
§ Known as standards based security
§ Implements controls based on a standard even if they're not needed
§ Uses a checklist-based attitude
○ Risk Based
§ Focuses security implementation based on one or more risks
§ Addresses risks that may be beyond an organizations tolerance and security needs
○ Ad hoc based
§ Cannot be implemented with other frameworks
§ Implements security without rationale
§ Can be driven by a vendor
• Assets and Risks:
○ Several key terms for cybersecurity
§ Asset
□ Anything of value to an organization(information, users, etc)
□ Can be tangible or intangible
□ Types of assets:
® information - databases, files, archives
® Software - operating systems, software licenses
® Physical assets - systems, building, furniture
® Services - voice, data
§ Risk
□ The potential or probability that a loss may occur
□ Is focused on the potential of future events
□ Cannot always be eliminated
§ Threat
§ Vulnerability
• Myths and Misconceptions:
○ Overly restrictive
○ Security teams not only work with servers, they are also responsible for best practices, policies, and processes
○ Not all security teams are hackers
○ Many believe that only larger organizations get targeted, but in reality all businesses are targeted
• Security vs Usability
○ Low usability has high security
○ High security has lower usability
• Risks Threats and Vulnerabilities:
○ Risk management is a formal approach to how organizations address risk
§ Risks and threats affect businesses, individuals, and governments
§ Criminals who attempt to compromise your IT infrastructure often go unidentified and unpunished
○ Risk Management and Information Security:
§ Risk Management is a central focus of information security
□ Every action (or inaction) involves some degree of risks
§ Two key risk management principles:
□ Do not spend more to protect an asset than it is worth:
® Risk impact can extend beyond recovery costs, i.e. loss of customer confidence leading to low sales
□ Every countermeasure requires resources to implement and therefore should be aligned with a specific risk
® A countermeasure that doesn’t mitigate a specific identified risk is a solution seeking a problem; the cost is difficult to justify
□ The steps in planning to manage information security risk is to:
® Conduct a business impact analysis (BIA)
◊ This identifies an organizations most important business functions and how risks could impact each one
® Once the BIA is created a business continuity plan (BCP) needs to be in place for a company to operate in the face of a disruption caused by a realized risk
® A disaster recovery plan (DCP) must be developed and maintained to help address situations that damage or destroy necessary parts of the supporting IT infrastructure
• Risk Terminology:
○ Risk:
§ The likelihood that something bad will happen
§ The extent of damage (or positive effect) from a threat determines the level of risk
○ Threat:
§ Something bad that might happen to an organization
§ Anything that is a threat to a company from a tornado close to a data center, to an attacker exfiltrating and leaking sensitive data
○ Vulnerability:
§ Any exposure that could allow a threat to be realized
§ Involves weaknesses like a software bug, or side effects of employees using personal devices to access corporate email or network
○ Impact:
§ Refers to the amount of risk or harm caused by a threat or vulnerability that is exploited by a perpetrator
§ For example malware infecting a system and encrypting or corrupting data
○ Events:
§ A measurable occurrence that has an impact on the business, whether having little effect or escalating to an incident
○ Incidents:
§ Any event that either violates or threatens to violate a company's security policy and that’s justifies a countermeasure
○ Safeguards:
§ Address gaps or weaknesses in the controls that could otherwise lead to a realized threat
○ Countermeasures:
§ Mitigate or address a specific threat
• Elements of Risk:
○ Threats of risk include assets, vulnerabilities, and threats
○ Existing vulnerabilities and new threats emerge daily and be identified and addressed with proactive procedures
• Purpose of Risk Management:
○ To identify possible problems before something bad happens
○ Risks should be identified:
§ Before they lead to an incident
§ In time to enable a plan and begin risk-handling activities (controls and countermeasures)
§ On a continuous basis across the life of the product, system, or project
○ Risk can never be reduced to zero
§ Contingency planning focuses on building the plans to anticipate and respond to risk without interrupting functionality
• The Risk Management Process:
○ Identify Risks:
§ Brainstorming: Involved getting unstructured input from members of the organization in a group meeting
§ Surveys: Organizations will send lists of prepared questions to a variety of people from different areas of the organization for input
§ Interviews: Can be an effective approach to gather details on risks from the interviewees perspective
§ Working groups: Focuses on soliciting feedback from a group of individuals selected from a specific work area to help identify risks
§ Checklists: Can help ensure the breadth of risks are covered
§ Historical information: Can be valuable for risk identification
○ Assess and Prioritize Risks:
§ Good risk assessment explains the company's risk environment to managers in terms they clearly understand, and what risks can halt productivity
§ Risk assessment can be approached in two ways:
□ Quantitative risk assessment: Cost or value of the identified risk is determined and its financial impact is examined
® Financial business decisions can be made in alignment with a risk transfer strategy
® This type of assessment is easier to automate
® More objective than a qualitative analysis by attempting to describe a risk in financial terms and put a dollar value on each risk
□ Qualitative Risk Assessment: Risk impact is examined by assigning a rating for each identified risk
® Assessor must examine both the risk impact and the likelihood of occurrence
® Requires diverse input by people in other departments
§ Quantitative Risk Assessment:
□ The assets value and probability that a loss will be encountered must be assessed
□ Calculating an events loss expectancy is a multistep process:
1. Calculate the Asset Value (AV):
◊ An asset is anything of value to an organization.
◊ Can be tangible or intangible
◊ Asset value should consider the replacement value of equipment or systems
◊ Includes factors such as lost productivity and loss of reputation or customer confidence
2. Calculate the Exposure Factor (EF):
◊ The exposure factor represents the percentage of the asset value that would be lost if an incident occurs
3. Calculate the Single Loss Expectancy (SLE):
◊ A single loss can be calculated using the two preceding factors: The AV times the EF
4. Determine how often a loss is likely to occur every year:
◊ Called the annualized rate of occurrence (ARO), or risk likelihood
◊ Difficult since historical data cant necessarily predict the future
5. Determine annualized loss expectancy(ALE):
◊ The SLE times the ARO
◊ Helps an organization identify overall impact of a risk
◊ For infrequent events the ALE will be much less than the SLE
§ Qualitative Risk Assessment:
□ Every risk can be judged on two scales:
® Probability or likelihood:
◊ How often an event is anticipated to occur
® Impact:
◊ How much the event will affect production
○ Plan a Risk Response Strategy:
§ Some of the most common responses to negative risks when developing risk management strategies:
□ Reduce (reduction/mitigation):
® Uses various administrative, technical, or physical controls to mitigate or reduce identified risks, like antivirus software
□ Transfer (transference/assignment):
® Allows an organization to transfer the risk to another entity, such as insurance
® Risks can also be transferred to insulate an organization from excessive liability
□ Accept (acceptance):
® Allows an organization to accept risk and is dependent on the risk appetite of senior management
□ Avoid (avoidance):
® Just as described, not taking a risk
® Loss exceeds potential value gained
§ There are some positive risks as well:
□ Exploit (exploitation):
® Take advantage of an opportunity that arises when responding to a risk
□ Share (sharing):
® Sharing a positive risk involves using a third party to capture the opportunity associated with that risk
□ Enhance (enhancement):
® Increasing the positive impact probability of a risk associated impact
□ Accept(acceptance):
® Taking no steps due to the potential effects of the risk being positive
○ Acceptable Range Of Risk/Residual Risk:
§ The acceptable range of risk determines how activities and countermeasures are defined.
○ Implement the Risk Response Plan:
§ Security controls are the safeguards or countermeasures that an organization uses to avoid, counteract or minimize loss or system unavailability
□ Some controls manage different phases of people processes, called administration controls
§ Administrative controls develop and ensure compliance with policy and procedures
§ Controls carried out by a computer system are called technical controls
§ Activity phase controls can be administrative or technical:
□ Detective Controls:
® Identify that a threat has landed in a system
® An intrusion detection system (IDS) is an example of detective control
® Can detect system attacks like port scans and logs it
□ Preventative Controls:
® Stop threats from coming in contact with a vulnerability
® Intrusion Prevention Systems (IPS) are examples of this
® Configured to actively block an attack
□ Corrective Controls:
® Reduce the effects of a threat
® Reloading a malware infected machines OS is an example of corrective control
□ Deterrent Control:
® Deter actions that can result in violations
® Not quite preventative, deterrent can be something like a confirmation box after making a system change
□ Compensating Controls:
® Controls that are implemented to address a threat in place that doesn’t have a straightforward risk mitigating solution
○ Selecting Safeguards and Countermeasures:
§ Specific purposes of countermeasures:
□ Fix known exploitable software flaws
□ Develop and enforce operational procedures and access controls (data and system)
□ Provide encryption capability
□ Improve physical security
□ Disconnect unreliable networks
§ Examples of specific security responsibilities individuals may hold
□ Delete redundant/guest accounts
□ Train system admins
□ Train everyone
□ Install virus-scanning software
□ Install IDS/IPS and network scanning tool
○ Pricing/Costing a Countermeasure:
§ Factors include:
□ Product costs:
® Includes base price, price of additional features, and costs associated with the SLA or annual maintenance
□ Implementation Costs:
® Refers to changes in the infrastructure, construction, design, and training
□ Compatibility costs:
® The countermeasure must be compatible with overall infrastructure
□ Environmental costs:
® If a countermeasure uses a lot of energy, consideration must be given to whether the electrical system would be able to provide that energy and to offset the excess heat generated
□ Testing costs:
® Testing takes time and money and causes disruptions
□ Productivity impact;
® Many controls affect productivity such as generating more calls to help desk or slowing response times for users
• Monitor and Control Risk Response:
○ When evaluating countermeasures there are a few points to consider:
§ The countermeasure might pose a new risk to an organization:
□ Might create a false sense of security, or even become another point of failure
□ Continuous monitoring, checking compliance and design, and regular maintenance are necessary
§ Perform certification and accreditation of countermeasure programs:
□ Systems, controls, and applications should go through a change control process before hitting production
□ Also applies to making changes to existing production systems
§ Follow best practices and due diligence:
□ Exercised by frequently evaluating whether countermeasures are performing as expected
IT and Network Infrastructure:
• Intellectual Property:
○ The central asset of many organizations
§ Can involve data or unique business processes
§ More data equals more value to the company, and if that data has metadata then its even more valuable
○ Data breaches and data loss occurs every day in every aspect of life
§ Can include identity, business, or intellectual property theft
• Finances and Financial Data:
○ Financial assets are among the highest value assets in any organization
§ Can be real assets like bank or trading accounts, purchasing accounts, corp credit cards, and other sources of cash
§ Financial data can include customer info, personal financial info, usernames and passwords, and other access types to personal finance info
§ Financial asset loss from malicious attacks is a worst-case scenario for all organizations
• Service Availability and Productivity:
○ Downtime is the time during which a service is not available due to maintenance or failure
○ Often downtime is scheduled by administrators to perform things like patches or upgrades
§ This downtime is typically scheduled when it will have the least business impact
○ Unintentional downtime is usually from a technical failure, human error, or an attach
§ Downtime due to malicious attacks is growing rapidly
○ Opportunity Cost: Or true downtime cost is the amount of money a company loses due to either intentional or unintentional downtime
• Reputation:
○ When companies experience data breaches or attacks it will also put their image on the line and can damage reputations
• Who are the Perpetrators?
○ Hackers:
§ Someone who breaks into a system without authorization
○ Ethical Hackers:
§ Hackers that have been hired by an organization to attempt to find security vulnerabilities in a network
○ Black-hat hackers:
§ Try to break IT security and gain access to systems with no authorization
○ White-hat hackers:
§ Ethical hackers
§ Professionals who have authorization to identify vulnerabilities and perform penetration testing
○ Gray-hat hackers:
§ Hackers with average ability that may or may not become white or black hat hackers
Risks, Threats, and Vulnerabilities in an IT Infrastructure:
• Risks threats and vulnerabilities all go together
○ Risk is the probability that something will happen
○ Threat is anything that can damage or compromise an asset
○ Vulnerability is a weakness in the design or software code itself
• Threat Targets:
• Threat Types:
○ The following three major threat types directly threaten each of the CIA tenets:
§ Disclosure threats
§ Alteration threats
§ Denial or destruction threats
○ Disclosure Threats:
§ Disclosure occurs any time unauthorized users access confidential info and can happen with these two techniques:
□ Sabotage: Destruction of property or obstruction of operations
® Technically attacks the availability property of information security
□ Espionage: The act of spying to obtain secret information
○ Alteration Threats:
§ A threat that violates information integrity
§ Compromises systems by making unauthorized changes to data
§ Can occur while data is on server or while its in transit
§ Enabling tracking of these systems can help identify any alterations made to systems
○ Denial or Destruction Threats:
§ Makes assets or resources unavailable or unusable
§ Violates the Availability tenet of information security
What is a Malicious Attack?:
• A threat on IT infrastructure as an attack on some system or network that succeeds by exploiting a vulnerability or weakness within
• Can consist of all or a combination of:
○ Fabrications: Involve the creation of some deception in order to trick unsuspecting users
○ Interceptions: Eavesdropping on transmissions and redirecting for unauthorized use
○ Interruptions: Cause a break in a communication channel, blocking the transmission of data
○ Modifications: The alteration of data contained in transmissions or files
• Some active threats include:
○ Birthday attacks
○ Brute-forcing
○ Credential stuffing
○ Dictionary password attacks
○ IP spoofing
○ Hijacking
○ Replay attacks
○ Man-in-the-middle attacks
○ Masquerading
○ Social engineering
○ Phreaking
○ Phishing
○ Pharming
Identifying Network Vulnerabilities:
• Protocol Vulnerabilities:
○ Outdated or insecure by default
• Insecure Protocols:
○ Telnet
○ FTP - passwords sent over plain text
○ HTTP - everything over plain text, can be modified
○ POP3 or IMAP
○ Ciphers and hashing algorithms that are out of data
• Secure Variants:
○ SSH - secure shell
○ SFTP - Secure File Transfer
○ HTTPS - Secure connections
○ POP3S and IMAPS - secure socket layer equivalent
○ TLS 1.3 and SHA-3
• Empty or Weak Passwords:
○ Strong password enforcement along with best practices can help protect guessed passwords
• Firewalls:
○ Control by IP address if possible
○ Incoming and outgoing are equally important
○ Logging is important
Attacker Types:
• Anatomy of an Attack:
○ What motivates attackers?:
§ Money
§ Fame
§ Imposing political beliefs or systems onto others
§ Anger/Revenge
§ Nation state worker carrying out state-level cyberwarfare or economic espionage
○ What is the purpose of an attack?:
§ Denial of Availability: DoS, DDoS, or ransomware attacks prevent legitimate users from accessing systems or data
§ Data modification: Issues commands to access a file on a local or network drive and change it or remove it
□ Can also modify security settings
§ Data Export (exfiltration): Information theft that gets forwarded over internet or email to an attacker
§ Launch Point: The target computer for use as a launch for infection on other computers
○ Types of attacks:
§ Unstructured Attacks:
□ Intent of attacker may just be for the challenge or prestige
§ Structured Attacks:
□ Complex tools and focused efforts are utilized
□ Sophisticated hacking techniques are used to identify, probe, penetrate, and carry out malicious activities
□ Motivated by politics, money, anger, or just wanting to cause destruction
§ Direct Attacks:
□ Attacks on specific targets
§ Indirect Attacks:
□ Occur as a result of a preprogrammed hostile code exploit
□ Indiscriminate attacks
○ Phases of an attack:
§ Reconnaissance and Probing:
□ Tools can include:
® DNS and ICMP tools within the TCP/IP suite
® Standard and custom SNMP tools
® Port scanners and port mappers
® Security probes
CIA Triad:
• Confidentiality:
○ Networks must secure data transmissions by limiting access, encrypting the payload, and enduring the data is secure at rest
○ Confidentiality is a driver for enabling security controls
• Integrity:
○ Data must be accurate and not altered
○ Ethernet frames have a built-in data integrity check (CRC)
§ CRC is an error code function and is used to detect single or double digit errors during transmission, storage, and retrieval
• Availability:
○ Ensures that the network, systems, applications, and data are accessible
○ The following elements must be available:
§ Authorized user with valid workstation or laptop device
§ Network Time Protocol (NTP) and DNS servers
§ Physical wired or wireless LAN
§ Identification, authorization, and authentication
§ Role based access
§ Auditing, monitoring, and logging of user sessions
• Network Security Scope:
○ The seven domains of IT infrastructure:
§ User:
□ Includes humans, which are the weakest link in the entire security chain
§ Workstation:
□ The point of entry for the user into the network and IT infrastructure
§ LAN:
□ The physical Data Link Layer network and logical access control to the network
□ Requires network access control (NAC), identification, authorization, authentication, and log monitoring
§ LAN to WAN:
□ The Internet ingress/egress, where the organizations private network connects to the public internet
□ Dematerialized zone (DMZ) virtual LAN (VLAN), Internet Protocol Security (IPSec), VPN, terminations, and threat monitoring
§ WAN:
□ The network connectivity solution or link that interconnects an organizations facilities
□ Network performance monitoring, encryption in transit, and use of secure communications protocols
§ Remote Access:
□ Mobile users must remotely access the network; this domain requires audit and monitoring enabled
□ Secure remote access with IPSec VPNs, multifactor authentication, and audit and monitoring enabled
§ System/Application:
□ Where applications and data are hosted (datacenter or cloud)
○ Transport Layer Security (TLS) and Encryption:
§ The successor to Secure Sockets Layer (SSH)
§ 1.0 in 1999
§ 1.1 in 2006
§ 1.2 in 2008
§ 1.3 in 2018
§ TLS 1.3 is secure because it uses symmetric cryptography to encrypt data being transmitted
§ The TLS handshake is a secret negotiation that happens to create a random key
Network Risks, Threats and Vulnerabilities:
• A risk is the probability of something bad happening:
○ Loss of availability, slow performance, unauthorized access, or data breach
• A threat is something bad that can happen to a network:
○ DoS attack, brute force attack, man-in-the-middle etc.
• A vulnerability is a weakness in design:
○ Network security architecture design, network software OS vulnerability, bug in software code
• There are three categories of network security controls:
○ Administrative
○ Physical
○ Technical
• Network risks impact CIA negatively as followed:
○ Availability to production application data is impacted
○ Integrity of data is compromised
○ Confidentiality is compromised
○ Access controls are compromised
○ Core switch is down with no redundancy
○ Departmental switch is down with no redundancy
○ Metro Ethernet fiber link is cut with no redundancy
○ Critical network systems are down
○ Network outage turns into disaster scenario
○ Network performance is degraded
○ VLAN hopping taking place:
§ Takes place when a misconfigured Layer 2 VLAN or ACL permits a host computer to see and hop onto another VLAN
§ A properly configured ACL will deny access to that Layer 2 VLAN, eliminating the threat of packet sniffing
• Network threats that negatively impact CIA:
○ Compromised Access Controls:
§ User login credentials can be compromised if stringent passwords with frequent changes aren't supported
○ De-authentication:
§ A Wi-Fi DoS attack that impacts a wireless endpoint:
○ DoS/DDoS attack with reflection and amplification:
§ Unlimited ping packets or half open TCP SYN packets are sent to a targeted IP host device
§ Flooding of IP or TCP packets will impact the CPU resources of the targeted host unless blocked
§ Reflection occurs when an attacker spoofs the source IP address of request packets pretending to be the host
○ Evil twin:
§ Fake or bogus Wi-Fi network mimics a production one with the intent to capture user keystrokes
○ Hacker Attack:
§ A malicious attempt to gain unauthorized access to a system, application, and sensitive data
§ Can be performed at the Network Layer or the Application Layer
○ Insider threat:
§ Pertains to a disgruntled employee or an employee who may be extorted to provide sensitive information
○ Logic bomb:
§ A hidden application that unleashes malicious software or performs a malicious malware task
○ Malware Attack:
§ Attackers try to get users to click on an attachment or embedded URL link to unleash malware
§ Trojans, worms, spyware, botnet software, and rootkits are examples of malware
○ Man in the Middle (MitM) attack:
§ Requires the attacker to have physical connectivity to the network
§ Can be a layer 2 or 3 switch, WLAN, or some other point on the network
○ No visibility into the network
○ Password brute force attacks
○ Personal computer or mobile device is used
○ Phishing email
○ Ransomware
○ Rogue IP host device
○ Sensitive data not put in proper place
○ Social engineering
○ Spoofing
○ Unauthorized access attempts
○ Unaware users
○ Vishing
○ Web app attack
○ Workstations with sysadmin enabled
• Network vulnerabilities summarized:
○ OS software vulnerabilities and bugs
○ Application software vulnerabilities and software bugs
○ Weak layered security design
Conducting a Network Security Risk Assessment:
• Compliance laws and standards for each vertical industry have specific requirements for network security and privacy:
○ FERPA:
§ The Family Educational Rights and Privacy Act has a data security checklist for educational delivery organiations
○ FISMA:
§ The Federal Information Security Modernization Act of 2014 has several; requirements for network security, access controls, remote access, and security assessments for US federal agencies and contractors
○ GDPR:
§ The General Data Protection Regulation defines requirements for security of personally identifiable information (PII) data, security assessments, and data privacy assessments
○ GLBA:
§ The Gramm-Leech-Bliley Act has a Safeguards Rule definition requiring organizations to build a security program and conduct periodic risk assessments for banking and financial institutions
○ HIPAA:
§ The Healthcare Insurance Portability and Accountability Act has control requirements for healthcare organizations
§ PCI DSS:
□ The Payment Card Industry Data Security Standard has rules in place for merchants and service providers for accepting and processing gift cards
• Common risk management terms:
○ Risk acceptance
○ Risk avoidance
○ Risk mitigation
○ Risk transfer
• Best practices for performing a network security risk assessment:
○ Pick a framework to use:
§ Can be regulatory compliance framework, technical standard, or NIST approved standard
○ Define scope:
§ Can be entire framework or a subset of the framework
○ Identify assets
○ Identify risks, threats, and vulnerabilities
○ Assess the gap, risk, threat, or vulnerability
○ Evaluate the risk exposure and likelihood of occurrence
○ Assign ownership for risk managing the outcomes
Layered Network Security Architectures:
○ Layer 1:
§ People security addresses HR onboarding/offboarding employees, annual security awareness training, and IT security policies and procedures
○ Layer 2:
§ Physical security policies and procedures
○ Layer 3:
§ Perimeter security addresses where the private IP data network connects to the public internet
○ Layer 4:
§ Network security addresses access controls, network segmentation, audit and monitoring, and data encryption
○ Layer 5:
§ Endpoint security addresses workstations, laptops, home computers, and mobile device
○ Layer 6:
§ Application Security addresses the actual hardware code, app delivery, and hosting
○ Layer 7:
§ Data security addresses confidentiality of sensitive data at rest and in transmission
Network Security Controls:
• Mitigates risk
• Security controls are safeguards to avoid, detect, counteract, or minimize security risks, threats, and vulnerabilities
• Three different kinds of security controls or safeguards:
○ Administrative:
§ Pertains to HR and people
○ Physical:
§ Pertains to the data center, hosting facility, or wiring closets housing sensitive equipment or cabling
○ Technical:
§ Pertains to the hardware and software solutions that are implemented to address gaps or weaknesses
Network Security Operations:
• Common Security Policies:
○ Data handling:
§ Determines if a corps data is restricted to only specific internal roles or made public
§ Should identify any legal or regulatory restrictions
§ Includes naming and labeling schema
§ Outlines data ownership, custodianship, and stewardship
○ Password Policies:
§ Stringent policies must be in place when applicable
§ Represents leadership of security governance
§ Fine line between strong long passwords and unrememberable passwords
○ Acceptable Use Policy:
§ An agreement between parties that outlines the appropriate use of access to a corporate network or the internet
§ Describes what users may and may not do on the network
§ Deemed to be one of the most important aspects of a written security policy
§ Useful for business that offer services to employees or services
§ Terms must be accepted to use
§ Common AUP elements:
□ Data access and disclosure
□ Data retention
□ Asset custodianship
□ Passwords
□ System access
□ Clean desk policy
□ Removable device policy
□ Web surfing
□ AR
○ Bring your own device policy
§ Employees are permitted to use their personal devices to access data and systems
§ Four basic options:
□ Unlimited access for personal devices
□ Access only to non-sensitive systems and data
□ Access with IT control over personal device apps and stored data
□ Access while preventing local storage of data
○ Privacy Policy:
§ Main goal:
□ Protect IP for a corporation
□ Personal Identifiable Information
□ PHI personal health information
• Human centered design principles:
○ Four major principles:
§ Ensure root issue is solved
§ People are the main focus
§ Focus on system interactions and not just one part
§ Perform prototyping and testing iteratively and quickly
○ Root problem Identification:
§ Focus on that cause and not the symptoms
§ Needs to be an integral part of the design process
○ People Centered Approach:
§ Design should be focused on people not technology
§ The history, culture, and beliefs of the group
○ Focus of the Entire System:
§ All parts are equally important
§ Improvement on a part shouldn’t weaken the system
○ Prototyping and Testing:
§ An iterative process needs to be used to manage development
§ Should be used to quickly elicit feedback
§ Testing should be with real users
• Least Privilege:
○ Based on providing the lowest amount of rights possible for a user to complete tasks
§ Limits exposure and access
§ Varied security levels
□ Based on task
□ Lowest level required
• Fail Safe:
○ States when a system failure occurs it should fail to a safe sate
○ Exceptions:
§ Not errors
§ Event outside natural process flow
§ Not necessarily an error
§ Has specific handling requirements
○ Errors:
§ Mistakes or faults
§ Can be human error
§ Have specific handling requirements
○ Error/Exception Handling:
§ Handled in a predictable and acceptable way
§ System fails safely
§ System returns to normal operation
○ Explicit Deny:
§ Deny by default
§ Authorization should be denied by default
○ Think Error Codes Not Error Messages:
• Economy of Mechanism:
○ Keep things as simple as possible
§ Complex software can be difficult to protect and is prone to problems
○ Use Existing Trusted Components:
§ Trusted libraries
§ Trusted infrastructure
§ Trusted Utilities
○ Only the essentials:
§ Services:
□ Eliminate non-essential services
§ Protocols:
□ Eliminate non-essential protocols
○ Determine Essentials:
§ Start with minimal services and protocols and activate them as required
• Complete Mediation:
○ Refers to when a subject requests access and its verification
○ Authorization is never bypassed
○ Operating systems:
§ Security kernel - can never be circumvented
○ Prevention of bypass:
§ During design potential bypasses are considered and prevented
○ Session management:
§ Cookies
§ Cached credentials
§ Tokens
§ Certificates
• Open Design:
○ Security of system must be independent of its design
§ The algorithm must be open and accessible and not related to design
○ Security through obscurity:
§ Keys and passwords in source code
○ Code open to review:
§ Peer review can uncover missed issues and standards compliance
• Separation of Duties:
○ Given a specific task multiple parties are invoke to complete it
§ Some tasks may need to be split
§ No single person can complete task
○ Rationale:
§ No single individual is responsible for a task
○ Implementation:
§ System design
§ Multiple conditions
§ Enforces all checks and balances required by system
○ Secret sharing and splitting:
§ Very sensitive data involved
§ Defined as a method of distributing a secret to a group
§ Participants allocated a share
§ Individual shares are useless
• Least Common Mechanism:
○ Prevent unintentional sharing of information
○ Eliminates potential pathways for secret sharing
Firewalls:
• A firewall controls flow of traffic
○ Prevents unauthorized network traffic from entering or leaving a particular segment of the network
○ Can be placed between internal network and outside world or within internal subnetworks
○ Do not solve all network security problems
○ Firewalls can provide the following filtering features:
§ Flood guard: Rules can limit traffic bandwidth from hosts reducing the chances of flooding
§ Loop protection: Firewalls can look at message addresses to determine whether a message is being sent in an unending loop. which can be another form of flooding
§ Network segmentation: Filtering rules enforce divisions, or separations, between networks, thus keeping traffic from moving from one network to another
• Firewall types:
○ A firewall contains rules that a packet must contain to be able to pass through
○ Beyond its basic functionality, firewall technology includes three main types:
§ Packet Filtering:
□ Very basic
□ Compares received traffic with rules that define which traffic will permit to pass through the firewall
□ Makes its decision for each packet that passes through but has no memory of packets it encountered before
§ Stateful Inspection:
□ This firewall remembers information about the status of a network communication
□ Once the first packet in a communication is received its communication session is remembered until its closed
□ Needs to check rules only when a new communication session starts
§ Application proxy:
□ This type of firewall doesn’t allow packets to travel directly between systems on opposite sides of the firewall
□ Instead it opens separate communications with each system and then acts as proxy between them
• Firewall Deployment Techniques:
○ Border Firewall:
§ Most basic approach
§ Simply separate the protected network from the internet
§ Normally sit behind the router and receive all communications passing from the private network to the internet
§ Usually use either packet sniffing or stateful inspection
○ Screened Subnet:
§ Used for when it is not possible to block all traffic into a network, like a public website or an email server
§ Has three network interfaces
§ Two set up identically to a border firewall with one connecting to internet and the other connecting to the internal network
§ The third interface connects to a special network known as the screened subnet, or demilitarized zone (DMZ)
○ Multilayered Firewalls:
§ Useful for when networks have different security levels
○ Unified Threat Management:
§ UTM
§ Provide filtering as well as many other security services:
□ URL filter:
® Examines URL as opposed to IP address
□ Content Inspection:
® Looks at some or all network packets to determine if it should be allowed to pass
□ Malware inspection:
® Looks at packet content for signs of malware
• IDS/IPS
○ Intrusion Detection Systems
○ Intrusion Protection Systems
○ Can be broken down into deployments
§ If deployed on network:
□ Network: NIDS/NIPS
§ If deployed on a system will be called:
□ Host: HIDS/HIPS
§ Active:
□ IPS: NIPS/HIPS
§ Passive:
□ IDS: NIDS/HIDS
§ Work through a combo of Signature and heuristics
○ Placement Issues:
§ Can only see their own segments
□ Will need deployments or sensers in each segments, or forwarding to it
□ DMZ deployment will cause a first line of warning
§ Host critical servers should have IDS
○ Common components:
§ Sensors:
□ Software that collects traffic (packet sniffer)
§ Analyzer:
□ Can come with preconfigured rules and allows you to build your own rules
§ Manager:
□ Interface for people to use the tools
§ Events:
□ Anything an IDS deems something important
• Intrusion Detection and Prevention:
○ Data ingestion and analysis:
§ Network traffic
§ Host and app logs
○ Filter out noise:
§ Reduce false positives
○ Seeks out indicators of compromise:
§ Normal baseline comparison
○ Intrusion detection types:
§ Host based:
□ Phishing/malware
□ Removable media
□ Physical access
□ Software vulnerabilities
§ Network based:
□ Unauthorized network access
□ Scanning
□ Rogue wireless Aps
○ IDS:
§ Has host based and network based tools to perform functions to monitor detect and notify of threats
○ IPS:
§ Same capabilities as HIDS and NIDS
§ Takes steps to block attacks
§ Blocks Ips, DNS and other
• Encryption Techniques and Methods:
○ Scrambles data
○ Key is needed to unscramble
○ Data at rest or in transit
○ Symmetric vs Asymmetric
• Encryption:
○ TLS for application data
○ VPNs for management data
○ Disk encryption for stored data:
§ Encrypt before sending to cloud using traditional file or disk encryption
§ Encrypt using dedicated cloud encryption services
○ Certificate Management (PKI/CAs)
○ Key Management
• Symmetric Encryption:
○ Fast, reliable, used for bulk data
○ Same key is used to cipher and decipher, with length being determinant on algorithm
○ Examples:
§ AES
§ DES/3DES
§ IDEA
§ RC4
§ Blowfish
§ Twofish
• Asymmetric Encryption:
○ Known as public key cryptography
○ Solved key delivery problem
○ Slower but less data involved
○ Uses a key pair (encryption and decryption keys)
○ Examples:
§ RSA
§ Diffie-hellman
§ DSA
§ ElGamal
§ Elliptic Curve
• Using Encryption:
○ Process of encoding data with encryption keys
§ Allows information to be kept secret
□ Converts plaintext into ciphertext
Device Hardware: Why and How:
• Network Device Hardening:
○ Risk management means making decisions on how to handle each type of risk
○ Risk mitigation requires a countermeasure to reduce risks
○ Management and mitigation are often referred to as securing or hardening the network
○ Two main approaches:
§ Removing network connectivity to sensitive resources
§ Adding countermeasures to protect the network and any sensitive resources
○ Availability must be considered so unplugging a device is not always an option
○ Attacks of greater concern should be identified during the risk analysis process
○ Most approaches fall into one or more of the following categories:
§ A centralized device to protect the entire network:
□ Network traffic flows through a single device that examines every packet
§ A dedicated countermeasure for each device or resource:
□ Each resource connected to the network has an embedded security device or a security device between it and the network
§ A countermeasure for each typer of threat:
□ A compromise between the previous approaches
□ Several security devices attach to a network and filter traffic associated with a particular type of attack
§ Strict least privilege policy:
□ Minimum access needed to keep operations moving
§ Multilayered defense:
□ Involved multiple countermeasures that an attacker must compromise to reach any protected source
Layered Network Security Architectures:
• Defense in Depth - DiD, an approach in which several security controls are layered to protect sensitive data
○ Each layer in the DiD architecture must be assessed and include:
§ Design
§ Procurement
§ Implementation maturity
§ Layer 1:
□ People security addresses HR onboarding/offboarding and annual security
§ Layer 2:
□ Physical security addresses access to where data is held
□ Also where network equipment is housed with environmental controls
§ Layer 3:
□ Perimeter security addresses where the private IP data network connects to the public internet
§ Layer 4:
□ Network security addresses access control, network segmentation, audit and monitoring, and data encryption at rest and in transit throughout
§ Layer 5:
□ Endpoint security addresses workstations, laptops, home computers, and mobile devices
§ Layer 6:
□ Application security addresses the actual software code, application delivery, and hosting
□ Back-end databases need data at rest encryption or have additional security controls enabled such as continuous monitoring and log collection
§ Layer 7:
□ Data security addresses the confidentiality of sensitive data at rest and in transmission
• How defense in depth works:
○ Uses several defensive security controls to protect data, applications, and network
○ Applies security at all levels of the network:
§ Data and apps
§ Host
§ Network
§ Physical Environment
○ Is designed to slow down an attack - uses military approach
○ Works by leap frogging - when one defense fails another one is there to take over
○ Uses admin, physical, and technical controls
• IT Security Policy Framework:
○ Consists of policies, standards, procedures, and guidelines that reduce risks and threats
○ An IT security policy framework contains four main components:
§ Policy:
□ A short written statement that sets a course of action or direction
□ Comes from upper management and applies to the entire organization
§ Standard:
□ A detailed written definition for hardware and software and how they are to be used
□ Ensures that consistent security controls are used throughout the IT system
§ Procedures:
□ Written instructions for how to use policies and standards
□ May include a plan of action for installation, testing, and auditing of security controls
§ Guidelines:
□ A suggested course of action for using the framework
□ Guidelines can be specific or flexible regarding use
• Basic IT security policies include:
○ Acceptable Use Policy (AUP):
§ Defines actions that are and aren't allowed regarding the use of organization IT assets
§ Specific to the User Domain and mitigates risk between an organization and its employees
○ Security Awareness policy:
§ Defines how to ensure that all personnel are aware of the importance of security and behavioral expectations under the security policy
○ Asset Classification Policy:
§ Defines an organizations data classification standard
§ Designates the IT assets that are critical to the organizations mission as well as defining the organizations systems, uses, and data priorities and identifying assets that can threaten an orgs ability to continue operating
○ Asset management Policy:
§ Includes the security operation and management of all IT assets within the seven domains of a typical IT infrastructure
○ Vulnerability Assessment and Management:
§ Defines a vulnerability window for production operating systems and application software
○ Threat Assessment and Monitoring:
§ Org wide threat assessment and monitoring authority
• Threats Vulnerabilities and Mitigation:
Risk Mitigation Strategies:
• The goal is to reduce the likelihood or impact of the threat
• If the cost of mitigation is greater than expected loss, risk may be considered acceptable based on risk appetite/tolerance
• Risk:
○ The potential or probability of a loss that may occur
○ Focused on potential of future events, not current
○ Not always avoidable
• Risk-based methodology:
○ Decides what assets are of importance
○ Determines protection of assets
○ Identifies approach for protection
○ Monitors and improves controls
• Risk profile:
○ Defines an orgs willingness to take risks
○ Based on quantitative analysis - assigns numbers to each threat and their risks
○ Based on non-subjective evaluation
○ Identifies the level of risks that can be taken
○ Defines the cost and potential damage, if risk is exploited
• Risk appetite:
○ The organizations willingness to accept risk
○ Different from risk tolerance
○ Should sync with org goals
○ Helps organization understand its risk exposure
○ Helps to make risk-based decisions
• Risk Appetite Types:
○ Averse
○ Minimal
○ Cautious
○ Open
○ Hungry
• Different Risk Frameworks:
○ ISO 31000:2009
○ ENISA
○ NIST
Security Risk Identification:
• Security Risk Assessments:
○ Helpful to ID, assess, and implement security measures
○ Focus on preventing security vulnerabilities and exploits
○ Are integral to an organizations risk management process
• Cost justification:
○ Risk assessments can provide senior management with a snapshot of potential vulnerabilities
○ All organizations can be vulnerable
○ Assessments help with budgets and plans for additional resources that may be needed for protection
• Likelihood of Risk:
○ When is an organization susceptible?
○ Why would a risk occur to a specific organization?
○ Where could the risk occur?
○ How is the risk likely to take place?
• Origin of Risk:
○ External or internal
§ Both types have mitigation techniques
• Potential Impact:
○ Potential consequences are considered
○ Determine who is affected: customers or the organization
• Threat evaluation:
○ Identify potential threats that are hard to plan for and to limit
○ Put preventative measures in place even when threats may be outside an organizations control
Data Classification standards:
• Private Data:
○ Data about people that must stay private
○ Proper security controls must be in compliance
• Confidential:
○ Organization owned data
○ IP, customer lists, pricing info, and other data types
• Internal use only:
○ Information or data shared internally by an organization
• Public-domain data:
○ Info or data shared with the public
• Data States:
○ Data in transit: Data being transmitted between two end-points
○ Data at rest: Data being stored in some type of persistent media
○ Data in use: Data actively being processed or stored in memory
Access Control Models:
• Discretionary access control (DAC)
○ Each owner of a resource manages their own access control policy
• Role-based access control (RBAC)
○ Group users into categories that get specific permissions (roles)
• Attribute-based access control (ABAC)
○ Cutting edge
○ Includes role and attributes, like location or time based
○ Requires very fine tuned access controls
• Rule-based access control (RuBAC):
○ Access control in firewalls
○ Compares data to ruleset to determine access
• Context-based access control (CBAC):
○ Seen in deep packet inspection firewalls
Protection Tools:
• Antivirus
• Firewalls
• Anti-spyware
• Intrusion Detection
Encryption: Data at Rest and Data in Transit:
• Cryptography:
○ The art of transforming a readable message into a form that is readable only by authorized users:
§ Unencrypted information: Information in an understandable form; called plaintext or cleartext
§ Encrypted information: Information in a scrambled form; called ciphertext
• Securing Data at Rest and in Transit:
○ Data state:
§ Passive - not being used
§ In process - being altered in some way
§ In transit - being transferred
○ Objective:
§ Protect data:
□ Open, read, write, sharing
□ Integrity, safety
□ Upload, download, synchronization, backup, restore
○ Methodologies:
§ Access Control Lists (ACLs)
§ Database object permission
§ Implement authentication and key management methodologies
§ Storage encryption
§ Backup/restore
§ Auditing
§ Transport level encryption
§ Firewalls
§ Server hardening
§ Physical security
§ Physical hardware failover topologies at data centers
Security Operations and Administration:
• Security Administration:
○ Refers to the group of individuals responsible for planning, designing, implementing, and monitoring a security plan
○ The security operations center (SOC) is the physical location where they work
○ SEIM - Security Information and Event Management
§ A toolset that collects, assesses, and visualize a network environments state
○ SOAR - Security, orchestration, automation, and response system
§ Gives SOC teams an integrated set of tools to determine the security level of a networked environment, identify anomalies, and respond to issues in a structured manner
• Controlling Access:
○ There are four aspects to access control;
§ Identification:
□ Assertions made by users about who they are
§ Authentication:
□ The proving of that assertion
§ Authorization:
□ The permissions a legitimate user or process has on the system
§ Accountability:
□ Tracking or logging what authenticated and unauthenticated users do while accessing the system
• Documentation, Procedures, and Guidelines:
○ Several types of documentation are necessary to provide the input the security administration team needs:
§ Sensitive assets list:
□ Things sensitive to the organization like devices and computers, network components, databases, documents, and anything else that can be vulnerable to attack
§ The organizations security process:
□ How it all works
§ The authority of the persons responsible for security:
□ Which administrator is responsible or authorized for what assets and actions
§ The policies, procedures, and guidelines adopted by the organization:
□ What information needs to be communicated, how, and when its communicated
○ An organization must comply with rules on two levels:
§ Regulatory compliance:
□ Laws, government regulations, and contractual requirements must be complied with
§ Organizational compliance:
□ The organization must comply with its own policies, audits, culture, and standards
• Disaster Assessment and Recovery:
○ All systems are subject to failure or attack
○ Being able to respond and act quickly is essential to ensure an event is handled accordingly
• Security Outsourcing:
○ Firms can handle security monitoring for an organization
○ Advantages:
§ External security management firms have a high level of expertise since it focuses on security only
○ Disadvantages:
§ Firm might not know the organization well or possess enough internal knowledge necessary to protect assets
§ The organization doesn’t have its own in house capability and will need to continue using services
• Outsourcing Considerations:
○ Privacy:
§ Does the third party agree to uphold the organizations privacy policy
§ how does it plan to control how data is collected, stored, handled, and destroyed
○ Risk:
§ What additional risks exist by transferring data over a trust boundary
§ How are new risks addressed
§ Who is responsible for outsourcing risks
○ Data security:
§ How is data confidentiality and integrity protected
§ Are access controls consistent with internal controls
§ Is data availability considered
§ How is downtime handled
§ How are backups and redundant copies protected
○ Ownership:
§ Who owns the data, the infrastructure, and the media
§ Who is responsible for each component
○ Adherence to policy:
§ Does the third party commit to upholding the organizations security policies and procedures
• Several types of agreements help formalize answers to these considerations:
○ SLA - Service Level Agreement:
§ Legally binding contract between an organization and a third-party organization detailing services provided
§ Some examples of security related services detailed:
□ How and when potential security breaches are identified and communicated
□ How logs and events are reported
□ How confidential data is handled
□ What the security system uptime requirements are
○ BPA - Blanket purchase agreement:
§ Creates preapproved accounts with qualified suppliers to fulfill recurring orders for products or services
○ MOU - Memorandum of understanding:
§ Also called a letter of intent
§ An agreement between two or more parties that expresses areas of common interest that result in shared actions
§ Generally less enforceable than a formal agreement but still more formal than an oral agreement
○ ISA - Interconnection security agreement:
§ Often an extension of an MOU
§ Documents the technical requirements of interconnected assets
• Compliance:
○ Compliance can be monitored by using the following:
§ Event logs
§ Compliance Liaison
§ Remediation
• Professional Ethics:
○ Set the example
○ Encourage adopting ethical guidelines and standards
○ Inform users through security awareness training
• Code of Ethics:
○ Ensures professionalism
○ Several published codes apply to security
○ An example is the Internet Architecture Board (IAB) which provides a list of unethical and unacceptable online practices like:
§ Seeking to gain unauthorized access to the resources of the internet
§ Disrupts the intended use of the internet
§ Wastes resources through such actions
§ Destroys the integrity of computer based information
§ Compromises the privacy of users
§ Involves negligence in the conduct of internet wide experiments
• Professional Requirements:
○ Laws and regulations keep organizations operating with ethical behavior
• Personnel Security Principles:
○ The human element is a great challenge no matter how many technical solutions you implement
○ Raising awareness can go a long way in an organization where risks are present
○ Well defined job descriptions, job roles, and responsibilities can help identify exactly what users should and should not do
○ Limiting Access:
§ The least privilege core principle means limiting access to users based on levels of permissions needed for their duties
§ This keeps unauthorized users from accessing sensitive information they shouldn’t be
□ For example: weak access controls allows a salesclerk to access employee salaries
§ The need-to-know requirement states that people should only have access to the information that is absolutely necessary to fulfill their job requirements
□ Even users that have access to top secret information shouldn’t have access to all information
○ Separation of duties:
§ The principle of separation of duties breaks tasks into subtasks for different users to carry out
□ If a user is planning to harm a system, they will have to conspire or get help from other users, so it wont stay secret for long
○ Job Rotation:
§ The job rotation principle rotates employees among various subsystems to prevent collusion
§ This also provides backup if something does happen, since multiple employees will be trained on multiple subsystems
○ Mandatory Vacations:
§ Mandatory vacations can provide a chance to detect fraud
§ Users access should be suspended when they are on vacation so they cannot access systems from home and cover their tracks
○ Security Training:
§ A strong security training and awareness program is one of the best controls you can develop
§ This helps gain support of all employees and makes them into security advocates for the organization
§ Repeated training should be implemented to keep information fresh and remind employees of the importance of security
○ Security Awareness:
§ A security awareness program addresses the requirements and expectations of an organizations security policy
§ This differs from formal training in that it uses tools like posters, emails, and newsletters can do the following:
□ Teach users about security objectives
□ Inform users about trends and threats in security
□ Motivates users to comply with security policies
○ Social Engineering:
§ One of the most popular types of attacks on systems and one of the most critical areas of security
§ The most common social engineering attacks involve:
□ Intimidation
□ Name dropping
□ Appeals for help
□ Phishing
• The Infrastructure for an IT Security Policy:
• Policies:
○ Explains a company's security needs and its commitment to meeting those needs
○ Allows organizations to state different goals at very high levels that may be intended for their own employees, temporary personnel, business partners, customers, or all of these
• Standards:
○ Mandated requirements for hardware and software solutions used to address security risk throughout an organization
○ The main disadvantage of standards is vulnerability, if a product is flawed the whole organization is at risk after installing it
• Procedures:
○ Step by step systematic actions taken to accomplish security requirements or objectives
○ Provides documentation on how things are done so employees don’t try to shortcut or do things from memory
○ Procedures can do the following:
§ Reduce mistakes in a crisis
§ Ensure important steps are not missed
§ Provide for places within the process to conduct assurance checks
§ Become mandatory requirements like policies and standards
• Baselines:
○ Basic configurations for devices and services should be documented to make it easy to ensure all workstations and devices operate the same way
○ Security minimums
○ Organizations will create baselines for each system used
• Guidelines:
○ Simply actions that the organization recommends to help provide structure to a security system
○ Wording is important in a guideline, depending on how something is stated it might be seen as a "standard"
• Data Classification Standards:
○ MAC - Mandatory Access Control
§ Assigns each object a specific classification relying on the regulations that apply to specific types of data
□ Examples: protection of personal information, financial information, and health information
§ Classifying data is the duty of the data owner
§ There are three criteria for classifying data:
□ Value
□ Sensitivity
□ Criticality
• Information Classification Objectives:
○ Identify information protection requirements
§ Based on the risk the business faces if the information is disclosed or corrupted
○ Identify data value in accordance with organization policy
○ Ensure that sensitive/critical information if appropriately protected
○ Lower costs by protecting only sensitive information
○ Standardize classification labeling throughout the organization
○ Alert employees and other authorized personnel to protection requirements
○ Comply with privacy laws and regulations
• Classification Procedures:
○ Critical to effective data classification
○ Classification scope determines how to handle classified data
○ Data value is determined according to the following:
§ Exclusive possession
§ Utility
§ Cost to create or recreate the data
§ Liability
§ Convertibility
§ Operational Impact
§ Threats to the information
§ Risks
○ Assurance:
§ Auditors should review the organizations information-classification status to ensure that all parts of the organization adhere to the process
○ Configuration Management:
§ Change is always happening in information system environments
§ Configuration management is controlling configuration of systems through a controlled process
○ Hardware Inventory and Configuration Chart:
• The Change Management Process:
○ Configuration Controls:
§ Management of the baseline settings for a system so that it meets security requirements
§ Must be implemented carefully and only with prior approval
○ Change control:
§ The management of changes to the configuration
§ Ensures that changes to a production system are tested, documented, and approved
• Application Software Security:
○ System Life Cycle - SLC
○ System Development Life Cycle - SDLC
○ The System Life Cycle:
§ Steps used
□ Project initiation and Planning
□ Functional requirements and definition
□ System design specification
□ Build and document
□ Acceptance Testing
□ implementation (transition to production)
□ Operations and Maintenance
□ Disposal
• Testing application software:
○ Tests on software should be thorough enough to test for all expected and unexpected events
• Systems procurement:
○ Evaluation of new software and hardware before implementation is important due to the fact the new problems may appear with new systems
○ The following should be done:
§ Evaluate various solutions that are available
§ Evaluate vendors in terms of maintenance, support, and training
§ Use the Common Criteria to ensure that you simplify the evaluation process
§ Monitor vendor contracts and SLAs
§ Correctly install equipment and formally accept it at the end of the project
§ Follow procurement procedures to ensure a fair purchasing process
§ Monitor systems and equipment to identify those that are reaching end of life so replacement can be scheduled
○ Data Policies:
§ All data reaches an end of usefulness at some point
§ Overwriting the data or destroying it are two options as well as:
□ Degaussing: Applying a strong magnetic force
□ Physical destruction
□ Overwriting data
• Access Controls:
○ Access control is the process of protecting resources so they are used only by those with access
○ Four part access control:
§ Identification
§ Authentication
§ Authorization
§ Accountability
○ Four parts are divided into two phases:
§ Policy definition:
□ The authorization definition operates in this phase to determine access to systems
§ Policy enforcement:
□ The identification, authentication, authorization execution, and accountability processes operate in this phase to grant or reject requests for access
○ Two types of access control:
§ Physical access controls:
□ Buildings, parking lots, and other protected areas that provide physical access
□ Facilities managers are typically responsible here
§ Logical Access:
□ Control access to a computer system or network
® Username and password for example
□ Security admins use logical access controls to decide who gets access to a system and the tasks they can perform
□ The Security Kernel:
® The central part of a computing environments hardware, software, and firmware that enforces control for a computer system
□ Steps the security kernel takes enforcing access control:
® Kernel intercepts users access request
® Kernel refers to rules to determine rights
® Kernel allows or denies access based on access rules
○ Access Control Policies:
§ Four central components:
□ Users
□ Resources
□ Actions
□ Relationships
○ Authorization Policies:
§ Authorization is the process of deciding who gets access to what systems
□ Most of the time based on job roles
§ Decided primarily by a group membership policy or an authority-level policy
○ Identification Methods:
§ Usernames
§ ID cards
§ Smart cards
§ Biometrics
○ Identification guidelines:
§ Specific users will need their own unique identification
§ The guarantee that every action is associated with a unique identity is called nonrepudiation
§ An account policy should prohibit generic accounts and user account sharing
○ Processes and Requirements for Authentication:
§ Authentication is the part of access control that validates the identity someone claims in a system
§ Authentication Types:
□ Knowledge:
® Passwords, passphrases, and PINs
® Common targets of cyber attacks due to popularity and simplicity
□ Ownership:
® Things you have like smart card, key, badge, or token
□ Characteristics:
® An attribute unique to the user like biometrics or a signature
® Sometimes defined as something you are
□ Action/performance:
® Sometimes defined as something you can do
® Such as reproducing a signature
□ Behavior:
® An observable trait or behavior unique to you
® Sometimes defined as something you exhibit
□ Location:
® Somewhere you are when accessing a resource
□ Relationship:
A trusted individual with whom you have a relationship
NoteStudied by 15 peopleNoteStudied by 22 peopleNoteStudied by 8 peopleNoteStudied by 18 peopleNoteStudied by 21 peopleNoteStudied by 67 people