Hello, and welcome to this guide. Although this is a roleplaying forum, I've taken to making random guides for subjects that I study for my course - it might help you create more depth in your roleplay, but honestly, I don't care. I just want to pass my exams.
In this guide I will go over the brief principles of Cyber and Information Security. It might help those of us with a less than basic understanding of the concepts of security on and offline, and get them to understand terms like CIA Triad model, DOS attack, and MFA authentication techniques.
What is cyber and information security? What is the difference?
Cyber security is the use of various technologies and processes to defend and secure networks, computers, programs and data from attack, damage or unauthorized access.
Information security is described as protecting information and information systems from unauthorized access, use, disclosure, disrupton, modification or destruction.
As you can see they seem very similar - that is because they are and they are heavily interlinked to the point where without information security, all your efforts in cyber security are more or less moot and vice versa. Imagine you have a computer and you have some valuable files on that (ex: photo's of your vacation with your grandfather and mother). You don't want someone to access this computer and files (ex: your deadbeat dad that can't stand your happiness because he broke up with your mother. Get over it Harry. He wants to delete your files).
Applying information security would mean you need to protect your files against your deadbeat dad and his unauthorized access, but how are you gonna do that? Information security would mean something like an identification process that is not necessarily based on cyberspace. For instance, you lock your room so he cannot access the information system physically.
But that isn't enough. Some people have learned to access systems from afar, and when you understand some concepts about internet and cyberspace among others, 'hacking' isn't nearly as hard as it's made out to be. Some files that are meant to be government-level top secret are accessible, freely floating on the internet, because nobody bothered to run a check on where the files were. So even if someone can't access the physical location of your info, they can still access it digitally.
So apply cybersecurity. There are numerous systems available for that - think passwords, firewalls, authentication sequences or something as simple as 'access levels.' Although the latter two are perhaps out of reach for a private user, they are possibilities for users as part of a corporation.
Using both physical security and digital security, you should be able to protect your files. Take that Harry.
Footnote: primary reason for files being accessed by unauthorized people is human error. Placing a file in a location that is open-access to everyone is not the fault of the security system, it's human error. Having a password is a tool, not a solution - it's up to the user not to disclose the password and take good care of it. In the end, you are the sole responsible for not disclosing information. The system is there to help, not to do the work.
CIA Triad Model
Some data is worth more than others - unlike the farm animals in animal farm, certain documents have a higher importance, and thus worth, than other documents. (Ex: your bank details have a higher value than your 3rd grade science report) In order to determine the worth of a document you need to consider the following factors of the CIA triad model.
C - Confidentiality
Who is supposed to access this? Confidentiality discussion talks about protecting sensitive information from unauthorized disclosure. Determining the level of confidentiality determines also who should be able to access documents. Confidentiality controls who has a need to know and who does not. Note; right to know =/= need to know. Even if you have a right to know, you are not guaranteed access. Without confidentiality, a file is worthless, because the wrong people have the file already.
I - Integrity
What are the files? Integrity harbors not the integrity of the user but of the files. It can be determined to be the practice of safeguarding the completeness, accuracy an timeliness of a file. A file with destroyed integrity is inaccessible, does not contain the right information, is inaccurate, or arrived too late to be meaningful, and therefore is worthless.
A - Availability
How to access the files? Availability is simply put the infrastructure that your files are on - if your IT services are not functioning properly, and I cannot access the files I need, then the files have no value to me because I cannot use them. The information and the vitalIT services need to be functional when required.
As you can see the value of a file is determined not by the presence of some of these criteria but by all of them. A file can have a low level of confidentiality, but there needs to be a determination of that low level. A file that is intended as a low confidentiality file (ex: a code of conduct for employees will likely not contain sensitive information and can be freely shared) still has a label of some confidentiality.
A file needs a description of confidentiality to be of any value. If a file is integer (the file is in working state and has not been changed) and available (the file can be retrieved) but no confidentiality, then the worth is instantly 0, because unauthorized users can retrieve the data and utilize it.
Similarly, a file needs to have integrity to be of any value. If a file is confidential (the right people only can access it) and available (the file can be retrieved) but is not integer, then the worth is instantly 0, because the file can not be used.
Once more, a file needs to be available to be of any value. If a file is confidential (the right people only can access it) and integer (it's in working state and has not been changed) but it is not available, then the worth is instantly 0, because the file cannot be retrieved.
Maintaining the CIA triad model therefore means that your file will always be worth what it's supposed to be worth.
Types of Attacks
Attacks are more common place than one thinks, but they have different purposes and therefore different types. Not all attacks are meant to deny service, for example. For the different purposes you need a different approach. These types of attacks typically target one or more elements of the CIA triad model.
Interruption
Interruption attacks are typically among the lines of DOS attacks. They interrupt the infrastructure and cause files to become unusable or unavailable. They are meant to disrupt the work of the target. They often affect availability but they can potentially affect integrity of the files as well.
Modification
Modification attacks are typically among the lines of unauthorized access. These attacks tamper with the assets of a target, such as editing files or processes. They almost always harm the integrity of assets, but also have the potential to represent an availability attack.
Interception
Interception attacks are typically among the lines of unauthorized access. These attacks similarly to modification access the assets of a target but do not modify assets. Instead they simply observe, allowing them access to assets, processes, or environments. They always harm the confidentiality of the accessed assets.
Fabrication
Fabrication attacks are typically among the lines of unauthorized access. These attacks also flow forth from unauthorized access but rather then observing or editing, generate new information. They generate data, processes or communications or other activities using the accessed system. These attacks typically threaten the integrity of data, but can also harm the availability of assets.
Risk Management
Threats use vulnerabilities, which results in exposure of assets, which translates to risk, which is mitigated by security controls, which protects assets that are endangered by threats. Using security controls therefore enables you to defend against threats.
The process for risk management dictates that you must first dictate what the risks are, which is called a risk analysis;
- Identify your assets
You must know what you want to protect before you can begin protecting it. Protecting everything is economically unviable, which is why we determine assets to only be things of importance, whether it is economical or for the functioning of your company/private person. An asset is whatever is of importance to the core purpose of your organization. - Identify your threats
You must also know who or what can endanger your assets. This can be human (corporate espionage, human error, disgruntled employees) or natural (fire, flooding, earthquakes). Any asset is always at risk from something and there are infinite threats. For more detailed information, see; risk assessment. A threat is anything that can damage or harm your assets in such a way that they sustain damage, permanent or temporary, that can potentially harm the core purpose of an organization. - Assess vulnerabilities
Vulnerabilities exist in any process and consist of things that can be exploited by your threats to access or damage your assets. For example, a building that has an unsound structural integrity has a vulnerability (unsound structural integrity) to earthquakes (threat). A police station with inadequate oversight over the area in front of the police station has a vulnerability (inadequate oversight) to disgruntled civilians (threat) firebombing the police station. A vulnerability is a weakness in the system and/or process that can be exploited by a threat to access and damage your assets. - Assess risks
Assessing the risks means that you must assess the risk level of a threat taking action. Risk is calculated by a formulate that goes as follows: risk = impact x probability (probability = threat x vulnerability). Most often levels are used for this, from low (1) to critical(4) with the steps in between being medium (2) and high (3). If the impact is critical (loss of life) and the probability is medium, then the score would be 4x2 = 8. Following that, a matrix is made that determines the meaning of these scores (which is dependent on the wishes of the company, as some companies are more accepting of high risks than others). Risk is the assessment of an impact multiplied by the probability of the event occurring. - Mitigate risks
Once you have determined what risks are important and which ones are not you can begin mitigating them. Typically this is done with security control measures. These can be physical, mechanical or organizational.
However, there is not just 1 method of risk management (mitigation). Different actions can be taken dependent on your wishes.
- Avoid
Avoiding the risk by not taking a certain action or using a certain tool - Accept
Accepting the risk, not taking any further action against the risk and hoping the risk doesn't manifest - Mitigate
Mitigating the risk by building security measures against the risk - Transfer
Transfering the risk management to someone else (ex: writing software code, there is a risk that there will be an error in the code. Contracting another company to write the code for you, and you make them responsible for any errors in the code, transfering risk and responsibility to them) - Exploit (not part of course material but I list it anyway)
Positive risks exist, such as having so much use of an application or product that your servers/sales people cannot deal with the sheer amount of requests. This is a possible thing and you should exploit this risk as much as you can.
Risk Mitigation Controls
So, you are ready to mitigate the risks you've assessed. Good. There are three forms of risk mitigation control (also called security control) that you can use.
Physical, logical/technical and organizational/administrative.
Physical security is the use of physical objects to secure your assets, such as fences, doors, locks, camera's and guards. Although not directly linked to information and cyber security, these can be used to limit access to areas that have assets that can be used to access other assets (like protecting a server room).
Logical/technical security is the use of more digital measures to secure your assets, such as passwords, firewalls, and the encryption of your data.
Organizational/administrative security is the creation and usage of administrative policy to help secure assets. These can include standard policies for security, routines, background checks, creating security awareness, and having set procedures.
All of these are required, just like the CIA triad model. Removing one of these will endanger your assets because threats can use a variety of ways to access your assets.
For example, you have a location with a server room that contains highly important information, like the location of your favorite strip club. A threat (your spouse) wishes to access it to find out where the hell you're going when you say you're visiting your parents.
If physical security and logical/technical security are both present, but there is no organizational/administrative security, then your spouse can exploit this weakness by, for instance, using the lack of guard routines and standard operating procedures to circumvent physical detection (guards have no routines -> she can sneak around the defenses unnoticed) and the mechanical/logical security (lack of security awareness -> ICT personnel leaves keycard laying around -> she can access the server room and bypass the firewall with her access on the keycard).
If there is logical/technical and organizational/administrative security but no physical security, then your spouse can exploit the weakness by, for instance, using the lack of guards to take a ICT expert at gunpoint and force them to access the server for you. As there are no locks or anything present to stop you, and nobody to raise alarm, like a guard, you can freely access the server room, get the information, and leave.
If there is physical security and organizational/administrative security, but no logical/mechanical security, then you don't need to access the room at all and you can access the server online or through hacking the server. Because there is a lack of control methods and alerting systems (IDS, intrusion detection system) or a prevention system (IPS, intrusion prevention system), you won't even be notified that someone accessed your servers.
Identification, authentication, authorization
Although often used in a sequence, these three concepts are different. They form a process when used successfully, and most workplaces (yes, yours too!) will use these even if you don't directly notice. The sequence follows these steps:
- Identification
The user confesses (claims) their identification. EX: 'I'm Odin.' - Authentication
The program runs a set of methods to determine the truth of my claim of identification. EX: login credentials are correct. Low-security websites as RPG with no real valuable data require only small proofs of authentication, and assume that only the owner of an account knows the login credentials. As always, you are responsible for maintaining that information as confidential. Additional methods can be bio metrics, visual confirmation, face detection, a secret question that only that person knows the answer too, a codeword or sentence. - Authorization
The user claimed their identity and confirmed it's truth, authorization then determines the privileges of that person i.e. none, read, write, read/write.
Methods of Authentication: passwords
Passwords are currently the most used authentication method in the world. It is also the weakest form. Passwords are difficult to guess and easy to remember, but they put the responsibility entirely in the users' hands. Vulnerabilities of the password are;
- Having a weak password
(password123) - Sharing and/or reusing your password
('Sure you can use my password? It's password123. Oh, I also use it on my bank account, and work related email! What do you mean I got hacked?') - Insecure transmission and/or storage
(Somewhere between you and the receiver there was an interception of your password, or your password was stored insecurely either on your end or the server end.)
So how do passwords get compromised?
- Guessing
Guessing is a standard technique and pretty low-tech but it does happen, especially with users who use low-security passwords (no numbers, predictable words, no upper and lower case letters) - Social engineering attacks
- Impersonation
Impersonating a user to gain access to their accounts, by for instance pretending to have lost your credentials - Shoulder surfing
Looking over someone's shoulder as they enter their password - Dumpster diving
Looking through someone's trash (or perhaps their desk or notebook) to find their credentials
- Impersonation
- Technical attacks
- Keylogger
Program that is based on hardware/software that logs the keys a user enters and then either stores it for retrieval by hand or forwards it to the users' computer - Sniffing
- Stealing and cracking ('recovering') stored passwords
Using password hashes to 'brute force' (attempt all combinations) or dictionary attack (using common words/password combinations) to crack a password
- Keylogger
So what are recommended practices, for users and providers?
For users:
- Use strong passwords
- Don't re-use the same password for different systems
- Change passwords periodically
- Don't share passwords with others
- Use password managers (can also provide risk with inadequate usage..)
For providers:
- Use more complex hashing algorithms
- Salt the passwords/hashes
- Secure passwords at rest, and when they are in transit
Methods of Authentication: authentication factors
When looking at authentication factors, there are 3 classes of authentication.
- Something you know
- Password
- PIN
- Codephrase/word
- Something you have
- Smartcard
Creditcard-sized cards that contain integrated circuit cards and store private keys and certificates (overlap with hard tokens) - Hard token
Hard tokens are hardware based 'tokens' such as a keycard that give you access to areas of a building or allow you to login - Soft token
Soft tokens are software based 'tokens' that are generated using software, providing a one-time PIN to use for logging in, typically used through smartphone apps
- Smartcard
- Something you are
- Biometrics
Biometrics are your person, so these can include your fingerprint, retina/eye scan, facial recognition...
- Biometrics
Applying authentication factors: MFA/2FA
MFA (multi factor authentication) and/or 2FA (two factor authentication) is what is considered to be a best practice in authentication security. It means that you combine two of the authentication sequences, such as;
- password + token code
- smartcard + PIN
- fingerprint scan and token code
Authorization
Authorization is what determines that the action or process you are trying to perform is possible according to your privileges and rights that are assigned to your authenticated identity. So, you need to have an identity and need to be authenticated. So, when you are logged in, you will have more privileges than when you are not logged in.
Authorization typically operates on the 'Principle of Least Privilege' which means that a process, user, or program should only have the privileges that they need at a bare minimum to fulfill their duties. EX: a program that creates backups of your C:// drive only needs access to privileges relevant to backing up data, and does not need to install new programs. As such they only get access to privileges related to backing up data, and not for installing new programs.
This typically occurs through ACL's (access control lists) which is a list of users, programs and processes on a network. Each of these then has the privileges attached to it, for example, read, write, read/write, or full access. For more complex processes additional privileges can be made, for example in a bank, a bank-teller doesn't need access to the vault, but the bank director might need access to it. On that principle, the bank-teller won't receive the access to the vault, but the bank director will, on the principle of least privilege.
Access control methods
Alright, so you wanna limit the access of some users on the principle of least access (or, you're just a cunt and want people to not have any power). There are multiple ways you can accomplish this with different settings for the respective processes.
- Discretionary Access Control (DAC)
Access is determined by resource owner i.e. the owner of a folder can assign access to users, processes and programs - Mandatory Access Control (MAC)
Access is controlled by the person that has the authority to do so (team leaders, etc) and whose privilege gives them that right - Role and Rule based access control (RBAC)
- Attribute-based access control
Are there multiple levels of importance? Then apply these:
- Bell-La Padula model
Focuses on confidentiality, meaning you can't read upwards in the chain, and can't write downwards. - Biba model
Focused on integrity, meaning you can't write upwards and can't read downwards. - Clark-Wilson model
Commercial model of the integrity-based model - Brewer-Nash model (also called Chinese Wall)
Focused on preventing conflict of interest
Accountability
What is accountability? Accountability in cybersecurity means that you can trace activities in the environment back to the source. The benefits of accountability rest in non-repudiation (inability to contest a claim because of evidence), deterrence, intrusion detection & prevention, admissibility of records. This is accomplished by logging events. Logging events is the process of recording data about events to a log file or a database - what happened, where did it happen.. It is largely reactive and typically these files only get opened when something goes wrong.
If logging is the action of recording events to a log, then monitoring is the action of reviewing and analyzing the logs. This way, you combine reactive with pro-active. It can be done manually (sifting through it yourself) or automatically (with a bot).
Compliancy
Compliancy is also important for cybersecurity, which is the act of conforming or adhering to laws, rules, regulations, but also industrial standards. The USA has a lot more acts that are to do with the standards of cybersecurity, although the European laws are more centralized and contain most of the USA's standards in singular laws.
USA:
- CFAA
Computer Fraud and Abuse Act - HIPPA
Health Insurance Portability Act - FISMA
Federal inf. Sec. mgt. Act - DMCA
Digital millenium copyright act
EU:
- NIS directive
EU directive on network and information security - GDPR directive
New EU General Data Protection Regulation
International:
- ISO 2700x family
ISO standards for general safety and security - ISO 27001
Requirements for ISMS - 27005
Information Security Risk Management Standards
Encryption, decryption, ciphers, keys...
When talking about encryption we typically focus on one thing: how to beat encryption. The study of beating encryption is called cryptoanalysis - the study of defeating codes and ciphers. Encryption is it's opposite, and is the act of giving data and info a certain kind of protection so that people that aren't allowed to open it don't have access.
Decryption itself is not bad, in fact it is simply opening the encrypted message with a cipher or key - so, if you have the key given to you by the one sending the message, then you're all good.
Keys are the pieces of information (parameters) that determines a functional output of a cryptographic algorithm. For encryption algorithms, a key specifies the translation of plaintext (your text) into ciphertext (the encrypted text) and then translates it back during decryption from ciphertext to plaintext.
This encryption typically happens in one of two ways: symmetric and asymmetrical. Symmetric encryption only uses 1 key for both encryption and decryption. This key must then be shared by the sender to the receiver. Symmetric encryption..
- Is faster than asymmetric encryption
- Can't cover nonrepudiaton
- Has the issue of handing over the key
- Has two types of cyphers - block (64 bits) and stream (1 bit)
- Has well known algorithms: DES, 3DES, AES, CBC, OFB, CTR, TCB
Asymmetrical encryption uses two keys; a public one and a private one on the end of the receiver. Asymmetrical encryptions...
- are easy to commute in one direction
- Extremely difficult to reverse
- Advantage is that you no longer need to share your key over the phone or in person
- Well known algorithms are: RSA ECC SSL, ECC, ECDSA, PGP, VoIP (voice over IP), DSS
A third encryption method is the use of hashing, which you can envision as 'keyless cryptography'. Hashing generates a string of 'hashcode' that is largely unique to the message. Hashes cannot be used to discover the contents of a message, but can be used to verify that the message has not changed - as such, it is used to maintain integrity, but can not guarantee the confidentiality of the message (i.e. anyone can read the message as long as they don't alter it, and the hashcode will never alert you to it).
So why use hash functions if everyone can read it?
- Integrity Verification
Because the hashcode will change if you alter the message within, you can compare the original hashcode vs. the new hashcode and see if it has changed. That way you can verify that the sent message and receive message are the same. - File downloading
You can use it to verify that the file you downloaded is the same as the file that someone sent you, for example when downloading a videogame, to verify that the contents are not broken or unusable (or at least are meant to be functional). - Forensic evidence
Useful for verifying that forensic evidence hasn't been altered or changed - Anti-malware
Used for anti-malware purposes by reporting when a hashcode is different from what it is meant to be, which means that a malware program can be attached to a legitimate program
Digital Signatures and Certificates
Digital signatures allows us to sign messages and such, to enable detection of changes to the message, to ensure that the message was legitimately sent by the expected sender, and to prevent the sender from denying that he/she sent the message (nonrepudiation.. can't deny that you sent it if your signature is on it).
Certificates are related to keys, and tie a publickey to a person. Typically these are used to identify particular people. As such, a CA is a certificate authority.
Basic Network Security Threats
This is basically the cool stuff that we all wanna know about. When you think about 'hackers' like anonymous this is basically what they do (and it's far less complex and complicated.. kinda like 'even a monkey can do it' levels of uncomplicated).
When looking at the internet, it is not 1 giant machine that generates 'internet' out of thin air. Rather, it's a system that consists of large amounts of systems and sub-systems. Most devices nowadays are tapped into one network, but are capable of communicating with large amounts of other networks. It works as follows:
- You connect to your ethernet connection
- Your ethernet connection connects to the ISP (internet service provider)
- The ISP then connects you to billions of other devices and servers
To facilitate this your device has an IP network - comparable to a home address for yourself. Typically they look like this in the IPv4 system - xxx.xxx.xx.xxx, where the first few numbers indicate regions or countries, although nowadays they more often represent networks and sub-networks. The hierarchy of the entire string is like so:
- Country/network
- Region/network
- Subnetwork
- Individual device
However, we are currently transitioning to IPv6, which is a much longer string, comprised of 128 bits of information compared to the original 32... this is because the IPv4 system only allowed for 4 billion individual IP addresses - compared to the 340 undecillion addresses in IPv6 - yes that is a real number.
However, it is impossible for your home address to know every other IP address in the world - that's where DNS servers come in. DNS servers translate the string of an IP address (000.000.00.000 for example) into a domain name and vice versa, and allowed you to search the internet. If you enter the website google.com then the DNS server translates that to whatever IP address that website might be using, and then take you to that IP address.
That's where the first risk comes in; spoofing.
Spoofing is when someone tags into a DNS server and changes the IP address that corresponds to a website. For example, if he finds the website 'google.com' he can change the IP from 000.000.00.000 to 111.111.11.111 which is his own website. If he sets this site up in a believable way he could convince people to log in on that website.. and spread their information to him. Or he could use it to install malware, or other kinds of tricks.
Other network threats: (D)DOS
(D)DOS or (Distributed) Denial of Service attacks are relatively simple attacks that are often carried out on a large scale, using botnets or large amounts of people participating. The attacks can be carried out relatively simply, manually by typing a ping request by hand over and over (very inefficient, however, and likely not to result in anything) or by using ready-for-use programs such as LoIC or HoIC.
DDOS attacks target the accessibility of whatever network you are targeting and can 'hit people off' of their internet, if you target a specific IP. When playing a videogame, for example, you can find out the IP address of some player and then 'hit them off' the internet to have an easier time in the game.
DDOS attacks can also target networks - a year or two ago, some teenagers used a botnet to DDOS the DNS servers of Ziggo, a ISP in the Netherlands, and on their own managed to DDOS the entire ISP's servers into nothing, cutting hundreds of thousands of Ziggo users off of their internet and causing millions worth of damage.
Naturally, DDOSing is illegal.
Other network threats: (Active) reconnaissance
Reconnaissance is typically used in the military fashion for gathering information preliminary to an operation. In cyber security, it means much the same, except it implies that a user scouts for weaknesses in a system or network. In most cases that translated as 'port scanning' which is using a port scanner to find open ports. This type of attack is typically seen as a passive attack, as they are not exactly 'causing trouble' more so than that they are just looking for information.
The way to deal with them is simply put to close your ports well enough and use an IPS (intrusion prevention system).
Other network threats: Sniffing
Sniffing is the interception of internet packages, whole or partial amounts of it, in order to look through the data and find passwords or login info, or other info that can be used or is interesting enough. If you send a package from your computer to the server, such as when logging into RPG, you're sending a package to RPG with the info and the server then responds with 'okay that checks out, logging in' and lets you log in.
If your packages are 'being sniffed' then that means that they are being intercepted mid-way through and sought through by malicious people, seeking to find your login data.
Other network threats: Man in the Middle
A man in the middle attack is similar to the prior, sniffing, however differs in the fact that a communication occurs between two people but, unbeknownst to them, a third parties computer is between theirs. They intercept, read and can edit the communication if they wish, before the message ends at the receiving end. This way you can unintentionally spread confidential information, but the man in the middle could also send information that can endanger the two other parties.
Other network threats: Spreading Malware
Malware are malicious types of software that gather private information, access private networks, or cause problems on the receiving end. However this is simply a gathering name for other malicious software, examples of which are:
- Trojan horses
Presents itself as a real piece of software while doing damage - Computervirus
Infects files and does a lot of damage - Computerworm
Spreads itself through the network without having to infect files and does a lot of damage, a better version of the virus - Backdoors
Allows people to enter software through a backdoor - Bootsectorvirus
Infects the boot drives of your computer and disables them, preventing you from booting up - Rootkit
Allows the sender complete control over the computer - Keylogger
Logs the keys that are being hit
How to prevent attacks
A first line of defense is often the firewall. A firewall is a mechanism for controlling the entry of data packets into and out of your network. It's often just placed in a place where we see the trust change - the level of trust in an internal network is different than when a network communicates with the internet itself. There are a few types of firewalls, some 'better' than others, depending on your needs.
- Packet filtering firewalls
Looks at the contents of a package at a glance, then makes a large assumption whether it will be allowed to pass based on;- Source
- Destination IP address
- Port number
- Protocol being used
- Stateful packet inspection firewall
Operates at the same principle level of the packet filtering firewall, where they inspect packets. However, rather than only checking packages out of context, the stateful packet inspection firewall can check firewalls on a granular level - inspecting them at all times no matter where they are in the network - Deep packet inspection firewalls
These add another layer of intelligence to our firewalls - the first two can only look at the structure of the data, while the deep packet inspection firewall can inspect the contents and then reassemble it, so that it can look at what is being sent and where. - Proxy servers
A highly specialized form of firewall, it is more commonly known for it's other purposes, namely circumventing access restrictions through a proxy, or to circumvent IP-related bans. Proxies generate a new IP address that can be used to choke traffic, allowing us to filter it for unwanted messages (spam) or attacks. Similarly, it's purposes can also be nefarious - such as circumventing an IP ban. However, these purposes are usually done through unrefined 3rd party websites that are clumsy to use and can spread malware, because the users are not skilled enough to set up their own proxy server. - DMZ (Demilitarized zone)
A network design that puts two firewalls in place and then places parts of a network in between. Although it's not technically a firewall, it incorporates the firewalls into it's design. Imagine it like so:
| Email server |
Firewall A Email server Firewall B
This way, outsiders can reach the email server through the initial firewall, but the email server itself is separated from the internal network, preventing bad stuff that got through the first firewall from passing through to the internal network.
Other measures you can take against intrusions and risks are these:
- IDS (Intrusion detection system)
Imagine it as a program that is constantly attempting to detect intrusions into the system. These can be based on the host or network; HIDS and NIDS respectively. - IPS (Intrusion prevention system)
- Signature based IPS
Intrusion detection that scans based on signatures - it has a database with known signatures of intrusions that it scans for. When it detects such a signature, the alarms go off. Typically it'll quarantine the detected intrusion, and wait for user input on what to do (typically, deleting the file). It's a good system but needs to be updated frequently, as new viruses use new signatures! - Anomaly based IPS
Rather than use a database of signatures, this IDS establishes a baseline of 'normal' network usage and establishes what the norm is. Once it's done that, it'll look out for any deviations from that norm, and report it and quarantine whatever is causing the deviation.
- Signature based IPS
- HTTPS
A more secure web communication protocol consisting of encrypted HTTP communications. This on top of SSL/TLS: secure sockets layer/transport layer security. This is what RPG uses. - VPN networks
Networks that tunnel directly to an internal network through a VPN, functioning almost identical to a proxy although a VPN is secured in a tunnel. It provides us with a solution for sending sensitive information over public networks, for example someone working from home. - Honeypot
Setting a trap for hackers, trapping them in a network, or for tracking hacking methods. If you use multiple ot honeypots on one network you make a honeynet. This strategy actively engages, and deceives, hackers.
Wifi, open, IOT
If you're at home, chances are you're on either ethernet or WiFi. Despite ethernet offering speed advantages, WiFi is popular because of it's mobility. However, there are risks involved in WiFi that cannot be prevented by programs - human error will be the prime reason of falling victim to these risks.
WiFi uses either an open, WEP, WPA, or WPA2 security system. Only the last, WPA2, is considered 'safe' as the others are outdated or compromised. Common risks of using public WiFi are:
- Sniffing
- Evil Twin
Public networks that have the same name and setup as 'official' public wifi which they then use to look at your traffic - Man in the Middle
- Unauthorized access to shared files
Sharing files on your 'shared files' can result in people accessing them without you intending for them to do so
So, how to protect against these? Simple:
- Use HTTPS, or VPN
- Don't share files on your device
- Caution and awareness, use common sense. If it feels bad, it's probably bad!
Understanding vulnerabilities
There are three types of vulnerabilities;
- OS (Operating System) vulnerabilities
Vulnerabilities coming forth from OS, typically 'zero day' vulnerabilities though not always. - Browser vulnerabilities
Vulnerabilities in your web browser - Application weakness
Vulnerabilities in programs and applications that you are running. Can be crossed with browser vulnerabilities if an app/program runs in the browser. Usually, this comes from bad coding - not designed with security in mind. Common abuses of vulnerabilities are:- SQL Injections
Web-based applications often use SQL, which stores information about users. By entering data in a SQL command, such asselect * from list where information = 'a' or 'b' = 'b'
. Because 'b' is always 'b' the SQL application will return all the information in the list, which can include personal details, like names, phone numbers, credit card details, and so forth. - XSS (Cross Site Scripting)
A type of attack where the user can insert malicious scripts into a trusted website, typically web applications, which will then return that script to unsuspecting visitors. The script will then play out.
- SQL Injections
Malicious software
According to Europol, Malware (short for malicious software) is designed to infiltrate a computer system or mobile device without the knowledge or consent of the owner, to gain control over the device, steal valuable info, or damage the data.
There are three categorizations in malware;
- Viruses
Attaches itself to legitimate communications or software - Worms
Exists on it's own, and is able to self-replicate - Trojans
Poses as a legitimate software, but is really a malicious one
These are common malware;
- Ransomware
Software that takes your computer/device hostage and forces you to pay money to unlock the device again - Scareware
Software that replicates the above with false threats and scare techniques in an attempt to get the target to buy fake softwares to get rid of the scareware - Adware
Software that constantly plays ads and popups, usually coming from malicious and shady websites - Spyware
Software that simply spies on the target - Backdoors
- Rootkits
- Bot malware
Software that adds the target to a botnetwork
What to do? Hardening OS
Hardening your OS means that you minimize the functions of your OS to limit the surface of vulnerability - the less programs an OS is using and/or running, the less vulnerabilities there are for malware to use. There are six steps to hardening an OS.
- Remove all unnecessary software
- Remove/disable unnecessary services
- Change default accounts
- Apply principle of least privilege
- Apply software updates timely
- Make use of logging and auditing
Data security
The basics of data security for a company/organization are as follow:
- Encryption
You must encrypt, when data is at rest or in motion, always encrypt - Physical security
You must also always have physical security as mentioned before - you need all 3 forms of security - Backups
If you have backups you can always restore your work - Have a BCP (Business Continuity Plan)
A plan that sets up how to continue your business when you are infected so that loss of money is minimized - DR (Disaster Recovery)
Know how to recover from disaster - be capable of resetting. First you should apply BCP - if that fails, use DR.
Other risks that aren't malware
- Social engineering
Social engineering is a type of attack where an attacker uses human interaction (social skills) to obtain or compromise information about an organization or it's computer systems. - Phishing
Typically uses email or other communications to pose as a legitimate website to retrieve information about users, like login details. Has numerous 'sub methods'.- Spear phishing
Targets specific people or organizations - Whaling
Targets high profile people like a CEO - Vishing
Uses voice instead of e-mail (scam calls)
- Spear phishing
- Other online scams and fraud schemes, i.e. Nigerian prince scam
- Pretexting
When a person lies to obtain information about one person, in order to commit identity fraud and use that to access systems - Baiting
Just grab a USB or floppy disk, infect it with a virus, and label it something interesting then leave it where someone will find it. Someone, somewhere will use it - Tailgating
Following someone into an area they don't have access to by following someone that does have access directly behind them, to get through doors
Types of hackers
7 types of (malicious) hackers:
- Professional cyber criminals
- Spammers and adware spreaders
- Advanced persistent threat agents
- Corporate spies
- Hacktivists
- Cyber warriors (more advanced version of keyboard warriors)
- Rogue hackers
However, there are also three other types of hackers;
- Black hat hacker
Highly skilled hacker with malicious intentions - White hat hacker
Highly skilled hacker with good intentions, such as hacking corporations and alerting them to the vulnerabilities - Script kiddie
Typically younger teens that use ready-made programs that require no actual hacking skills. Very low skilled, usually bad intentions
Other ways the internet/devices can be used in malicious ways
- Cyberbullying
Bullying someone online - Cyberstalking
Stalking someone online, tracking their movements - Cyber harassment
Harassing people online - Cyber extortion and sextortion
Extorting people for money or sex online - ''Revenge porn''/nonconsensual pornography
Posting videos/pictures of someone who hasn't consented to it online, as a result of revenge or other reasons