Foundations of Cybersecurity Study Guide: Introduction to Cybersecurity

Introduction to Cybersecurity: Course Foundations

  • Definition of Cybersecurity: Cybersecurity is the study of how digital systems fail under intentional attack rather than accidental errors.

  • Core Focus of the Course:     * Reasoning about systems, assumptions, and failures.     * Treating security as a design and analysis problem rather than a checklist.

  • Rationale for Starting with Foundations:     * Design Origins: Most security failures originate from early design decisions.     * Stability of Principles: While tools evolve quickly, security principles remain stable over time.     * Value of Failure Analysis: Understanding why systems fail is considered more valuable than simply learning specific attacks.     * Avoiding False Confidence: Foundational thinking prevents misplaced confidence in a system's security.     * Intuition Building: The ultimate aim is to build long-term security intuition.

Evolution of Computing Systems: Then vs. Now

  • Historical Systems (The 1970s):     * Isolation: Systems like university mainframes were accessed only from terminals inside a controlled building.     * Trusted Users: Users were registered students or staff.     * Physical Control: Security relied on physical access to the building.     * Low Complexity: There was little need for strong digital authentication or protection against malicious behavior.

  • Modern Systems:     * Interconnectivity: Systems like a Learning Management System (LMS) are accessible 24/724/7 via the internet by thousands of users globally.     * Continuous Exposure: Risks are continuous, global, and unavoidable due to automated scanners probing for misconfigurations.     * External Dependencies: Software relies heavily on open-source libraries, third-party payment APIs, and cloud storage. A vulnerability in code the developer did not write can compromise the entire application.     * Expanded Attack Surfaces: Cloud and mobile computing expose APIs, management dashboards, storage buckets, and virtual machines. Each new interface is a potential entry point.     * Violated Assumptions: Modern systems often still rely on old assumptions (e.g., users will only use a web form), but attackers bypass interfaces to send crafted requests directly to backend APIs.

The Necessity of Cybersecurity

  • Interdependence: Integration removes isolation barriers, making the security of different systems dependent on one another.

  • Attack Automation: AI and automated bots allow for massive-scale threats. Reports indicate that half of system traffic is now an automated threat.

  • Asymmetrical Defense: Defenders must secure everything, while attackers only need to find one weakness.

  • Decreased Cost of Attacking:     * Basic DDoS-for-hire ("booter/stresser"): $5$15\$5 - \$15 per hour (Short-duration attacks using rented botnets).     * Hourly botnet rental: Approximately $8$9\$8 - \$9 per hour (approx. $67\$67 per 24hours24\,hours).     * Small-medium botnet rental: $30$4800\$30 - \$4800 per month.     * Large IoT botnet rental: $4600$7500\$4600 - \$7500 per week.     * Botnet purchase (one-time access): $99$10000+\$99 - \$10000+ for long-term control of compromised hosts.     * Botnet malware source code (leaked/older): $10$50\$10 - \$50.     * Historical bulk bot sales: Approximately $20\$20 for 10001000 bots.

Accidents vs. Attacks

  • Bugs: Unintentional failures arising from mistakes or oversights in design or implementation.

  • Attacks: Intentional actions carried out by adversaries seeking to exploit system weaknesses.

  • Adaptive Adversaries: Attackers change their behavior in response to defensive measures.

  • Insufficiency of Bug-Fixing: Simply fixing bugs is not enough because attackers actively seek new ways to break the system.

Case Study: Evolving Systems and Assumptions

  • Example 1: The SIS Evolution:     * A Student Information System (SIS) was originally designed for internal staff in a controlled environment.     * Over time, it was connected to an LMS for remote access and automated features.     * A vulnerability in the LMS allowed unauthorized access to SIS records and grade modification.     * Detection was difficult because the access appeared as legitimate system behavior.

  • Example 2: The Fallacy of Compliance and HTTPS:     * A company deploys an internal web app with HTTPS and passes a compliance audit.     * Critical Questions: HTTPS does not protect against logic flaws or authenticated misuse. Compliance does not guarantee the absence of vulnerabilities.

  • Example 3: "We’ll Secure It Later":     * Teams often prioritize functionality and deadlines, planning to add security incrementally.     * Architectural Consequences: Decisions made early that are hard to change later include Trust Boundaries (which components are safe), Identity Models (user roles), and Data Flows.     * Dependent Controls: Access control, isolation/containment, and auditing must be architectural choices made at the start.

  • Example 4: The Misuse of Strong Encryption:     * A system uses strong encryption for data but utilizes a single shared administrative account with credentials reused across services.     * An attacker phishes the credentials.     * Result: The strong encryption becomes irrelevant because the attacker has the keys to the kingdom via the weak administrative account.

Core Principles of Security

  • What Security is NOT: It is not a feature, a single tool, encryption alone, compliance, or optional.

  • Security as a System Property: Security emerges from the interaction of software, hardware, data, networks, and users. A secure component in an insecure system remains insecure.

  • The Weakest-Link Principle: System security is determined by its weakest dependency. Attackers target the easiest point of entry early on.

  • Trade-offs: Design requires balancing Security, Performance, Usability, and Availability.

  • Complexity as a Vulnerability: Utilizing too many tools (firewalls, IDS, SIEMs, etc.) leads to misconfigurations and rule conflicts, creating new gaps.

Assets, Threats, and Risk

  • Assets: Items of value whose loss causes harm. Value is context-dependent (e.g., an exam paper is highly valuable before the exam, less so after).     * Exercise Ranking: Exam questions (highest) > Student email accounts > Course schedules > Public website content > Archived lecture slides (lowest).

  • Threats: Potential causes of harm that exist even if no attack is active. They cannot be eliminated, only mitigated or managed.

  • Vulnerabilities: Exploitable weaknesses originating from design, implementation, or configuration. A vulnerability only becomes a security issue if it is exposed and reachable.

  • Exposure: Connectivity and access paths that make a vulnerability reachable.

  • Risk: The potential for harm emerging only when a Threat exploits a Vulnerability in an Exposed Asset.

  • Attacks: Intentional attempts to cause harm, driven by adversarial goals.

Murphy’s General Laws in Cybersecurity

  • The Cyber Edition: "If it can be hacked, it will be."

  • Law of Damage: If several things can go wrong, the one causing the most damage will occur. If there is a worse time for it to happen, it will occur then.

  • Law of Inevitability: If anything simply cannot go wrong, it will anyway.

  • Law of Hidden Complexity: If you circumvent four known ways a procedure can go wrong, a fifth, unprepared-for way will develop.

  • Law of Entropy: Things left to themselves tend to go from bad to worse (e.g., unpatched systems lead to full compromise).

  • Law of Oversight: If everything seems to be going well, you have overlooked something.

  • Law of Precedence: Whenever you set out to do something, something else must be done first (e.g., you must fix outdated dependencies before addressing a firewall rule).

  • Impact on Security: Systems must be designed assuming failure and misuse are inevitable; the goal is resilience and graceful handling of failure.

Case Study: Silent Security Failure

  • Scenario: A university registration system verifies if a user is logged in but not if they own the record they are requesting. A student modifies request parameters to change another student's grades.

  • Analysis:     * Assets: Grades, academic integrity, trust.     * Flaw: Authentication check exists, but authorization (ownership) check is missing.     * Action: Intentional parameter tampering.     * Result: Harm occurred without a system crash or error logs, making it silent and difficult to detect.

Security Objectives

  • NIST Definition of Cybersecurity: ‘‘Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.’’

  • Core Objectives (The CIA Triad and Beyond):     1. Confidentiality: Ensuring info is not disclosed to unauthorized entities. (Examples: protecting exam questions, internal emails).     2. Integrity: Ensuring data and system states are not altered improperly. This includes both Data Integrity (accuracy of info) and System Integrity (the system behaves as intended).     3. Availability: Ensuring systems are accessible by legitimate users when needed (e.g., the platform must work during exam time).     4. Authentication & Authenticity: Verifying the identity of users and the origin of data.     5. Accountability: Requiring the actions of an entity to be traced uniquely to that entity to support non-repudiation and legal action.

Data Collection and Privacy

  • Confidentiality vs. Privacy: Confidentiality is a technical protection against unauthorized access. Privacy is the right to protect personal data and involves legal and ethical considerations.

  • Personally Identifiable Information (PII): SSN, Credit card numbers, medical records, biometric data, passport numbers.

  • Linkable Information: Date of birth, ZIP code, gender, race, education.     * Statistic: The combination of gender, birth date, and postal code is sufficient to identify 87%87\% of individuals in the United States.

  • Categories of Collected Data:     * Online Behavior: Sites visited, content viewed, purchases made.     * Location Data: GPS, Wi-Fi signals, IP addresses, geo-tagged photos.     * Communication Data: Text messages, emails, phone call metadata.     * Biometric Data: Fingerprints, voiceprints, face-prints.     * Financial Data: Transaction history, investment, income.     * Health Data: Fitness/wellness apps, electronic health records.

  • Data Collectors: Mobile/Internet service providers (for billing/marketing), Social Media, App providers, Government agencies, and Hackers.

Security Objective Trade-offs

  • Confidentiality vs. Availability: Strict multi-factor authentication in a hospital emergency may delay life-saving care.

  • Availability vs. Integrity: An exam platform prioritizing uptime might disable validation checks, leading to data inconsistencies.

  • Integrity vs. Confidentiality: Publishing accurate public audit logs for transparency can accidentally expose sensitive user identifiers.

  • Authentication vs. Availability: Overloaded MFA servers during peak registration can prevent legitimate students from logging in.

  • Accountability vs. Privacy: Continuous employee monitoring improves accountability but reduces individual privacy and morale.

  • Confidentiality vs. Usability: End-to-end encryption where the user is solely responsible for keys ensures confidentiality but leads to total data loss if a password is forgotten.