Uploaded by tkhockenberry

Format-Security-plus-Study-Guide

advertisement
SYO-601: CompTIA Security+
Study Guide with Practice Questions & Labs
Third Edition
www.ipspecialist.net
1
Document Control
Proposal Name
:
CompTIA Security+
Document Edition
:
Third Edition
Document Release Date
:
27th September 2021
Reference
:
SYO-601
Copyright © 2021 IPSpecialist LTD.
Registered in England and Wales
Company Registration No: 10883539
Registration Office at: Office 32, 19-21 Crawford Street, London W1H 1PJ, United Kingdom
www.ipspecialist.net
All rights reserved. No part of this book may be reproduced or transmitted in any form or by any
means, electronic or mechanical, including photocopying, recording, or by any information
storage and retrieval system, without the written permission from IPSpecialist LTD, except for the
inclusion of brief quotations in a review.
Feedback:
If you have any comments regarding the quality of this book, or otherwise alter it to better suit
your needs, you can contact us through email at info@ipspecialist.net
Please make sure to include the book’s title and ISBN in your message.
2
About IPSpecialist
IPSPECIALIST LTD. IS COMMITTED TO EXCELLENCE AND DEDICATED TO YOUR
SUCCESS.
Our philosophy is to treat our customers like family. We want you to succeed, and we are
willing to do everything possible to help you make it happen. We have the proof to back
up our claims. We strive to accelerate billions of careers with great courses, accessibility,
and affordability. We believe that continuous learning and knowledge evolution are the
most important things to keep re-skilling and up-skilling the world.
Planning and creating a specific goal is where IPSpecialist helps. We can create a career
track that suits your visions as well as develop the competencies you need to become a
professional Network Engineer. We can also assist you with the execution and evaluation
of your proficiency level, based on the career track you choose, as they are customized to
fit your specific goals.
We help you STAND OUT from the crowd through our detailed IP training content
packages.
Course Features:
 Self-Paced Learning
 Learn at your own pace and in your own time
 Covers Complete Exam Blueprint
 Prep-up for the exam with confidence
 Case Study Based Learning
 Relate the content with real-life scenarios
 Subscriptions that Suits You
 Get more and pay less with IPS subscriptions
 Career Advisory Services
 Let the industry experts plan your career journey
 Virtual Labs to test your skills
 With IPS vRacks, you can evaluate your exam preparations
 Practice Questions
 Practice questions to measure your preparation standards
 On Request Digital Certification
 On request digital certification from IPSpecialist LTD.
3
About the Authors:
This book has been compiled with the help of multiple professional engineers who
specialize in different fields, e.g., Networking, Security, Cloud, Big Data, IoT, etc. Each
engineer develops content in his/her own specialized field, which is then compiled to form
a comprehensive certification guide.
About the Technical Reviewers:
Nouman Ahmed Khan
AWS-Architect, CCDE, CCIEX5 (R&S, SP, Security, DC, Wireless), CISSP, CISA, CISM,
Nouman Ahmed Khan is a Solution Architect working with a major telecommunication
provider in Qatar. He works with enterprises, mega-projects, and service providers to help
them select the best-fit technology solutions. He also works as a consultant to understand
customer business processes and helps select an appropriate technology strategy to
support business goals. He has more than fourteen years of experience working in
Pakistan/Middle-East & the UK. He holds a Bachelor of Engineering Degree from NED
University, Pakistan, and an M.Sc. in Computer Networks from the UK.
Abubakar Saeed
Abubakar Saeed has more than twenty-five years of experience managing, consulting,
designing, and implementing large-scale technology projects, extensive experience
heading ISP operations, solutions integration, heading Product Development, Pre-sales,
and Solution Design. Emphasizing adhering to Project timelines and delivering as per
customer expectations, he always leads the project in the right direction with his
innovative ideas and excellent management skills.
Dr. Fahad Abdali
Dr. Fahad Abdali is a seasoned leader with extensive experience managing and growing
software development teams in high-growth start-ups. He is a business entrepreneur with
more than 18 years of experience in management and marketing. He holds a Bachelor's
Degree from NED University of Engineering and Technology and a Doctor of Philosophy
(Ph.D.) from the University of Karachi.
Mehwish Jawed
Mehwish Jawed is working as a Senior Research Analyst. She holds a Master's and
Bachelors of Engineering degree in Telecommunication Engineering from NED University
of Engineering and Technology. She also worked under the supervision of HEC Approved
supervisor. She has more than three published papers, including both conference and
4
journal papers. She has a great knowledge of TWDM Passive Optical Network (PON). She
also worked as a Project Engineer, Robotic Trainer in a private institute and has research
skills in the field of communication networks. She has both technical knowledge and
industry-sounding information, which she utilizes effectively when needed. She also has
expertise in cloud platforms, as in AWS, GCP, Oracle, and Microsoft Azure.
Ayesha Sheikh
Ayesha Sheikh is a professional technical content writer. She holds a Bachelor’s Degree in
Computer Engineering from Sir Syed University of Engineering & Technology. She has
hands-on experience on SDN (Software Defined Network), Java, .NET development,
machine learning, PHP, Artificial Intelligence, Python, and other programming and
development platforms as well as Database Management Systems like SQL, Oracle, and so
on. She is an excellent research analyst and is capable of performing all her tasks in a fast
and efficient way.
5
Free Resources:
For Free Resources: Please visit our website and register to access your desired Resources
Or contact us at: info@ipspecialist.net
Career Report: This report is a step-by-step guide for a novice who wants to develop
his/her career in the field of computer networks. It answers the following queries:






What are the current scenarios and future prospects?
Is this industry moving towards saturation, or are new opportunities knocking at the
door?
What will the monetary benefits be?
Why get certified?
How to plan, and when will I complete the certifications if I start today?
Is there any career track that I can follow to accomplish the specialization level?
Furthermore, this guide provides a comprehensive career path towards being a specialist
in networking and highlights the tracks needed to obtain certification.
IPS Personalized Technical Support for Customers: Good customer service means
helping customers efficiently, in a friendly manner. It is essential to be able to handle issues
for customers and do your best to ensure they are satisfied. Providing good service is one
of the most important things that can set our business apart from the others of its kind.
Excellent customer service will result in attracting more customers and attain maximum
customer retention.
IPS offers personalized TECH support to its customers to provide better value for money.
If you have any queries related to technology and labs, you can simply ask our technical
team for assistance via Live Chat or Email.
6
Our Products
Study Guides
IPSpecialist Study Guides are the ideal guides to developing the hands-on skills necessary
to pass the exam. Our Study Guides cover the official exam blueprint and explain the
technology with real-life case study-based labs. The content covered in each Study Guide
consists of individually focused technology topics presented in an easy-to-follow, goaloriented, step-by-step approach. Every scenario features detailed breakdowns and
thorough verifications to help you completely understand the task and associated
technology.
We extensively used mind maps in our Study Guides to visually explain the technology.
Our Study Guides have become a widely used tool to learn and remember information
effectively.
vRacks
Our highly scalable and innovative virtualized lab platforms let you practice the
IPSpecialist Study Guide at your own time and your own place as per your convenience.
Exam Cram
Our Exam Crams notes are a concise bundling of condensed notes of the complete exam
blueprint. It is an ideal and handy document to help you remember the most important
technology concepts related to the certification exam.
Practice Questions
IP Specialists' Practice Questions are dedicatedly designed from a certification exam
perspective. The collection of these questions from our Study Guides is prepared keeping
the exam blueprint in mind, covering not only important but necessary topics as well. It is
an ideal document to practice and revise your certification.
7
Content at a glance
Chapter 01: Threats, Attacks, and Vulnerabilities ............................ 29
Chapter 02: Architecture and Design ............................................... 147
Chapter 03: Implementation ............................................................. 252
Chapter 04: Operations and Incident Response ............................. 344
Chapter 05: Governance, Risk, and Compliance ............................. 446
Answers .............................................................................................. 522
Acronyms ...........................................................................................536
References ......................................................................................... 548
About Our Products.......................................................................... 560
8
Table of Contents
Chapter 01: Threats, Attacks, and Vulnerabilities ............................ 29
Technology Brief................................................................................................................ 29
An Overview of Social Engineering Techniques .............................................................. 29
Spam ................................................................................................................................30
Credential Harvesting .................................................................................................... 33
Mind Map........................................................................................................................ 35
Malware Concepts .............................................................................................................. 35
Ransomware....................................................................................................................36
Trojan ..............................................................................................................................36
Command and Control...................................................................................................38
Lab 1-01: HTTP RAT Trojan ........................................................................................... 42
Cryptography Attacks ....................................................................................................... 56
Mind Map........................................................................................................................58
Web Application Attacks ...............................................................................................58
Privilege Escalation.........................................................................................................58
Injections........................................................................................................................ 60
Structured Query Language (SQL) ............................................................................... 60
Session Replay Attack .................................................................................................... 66
Resource Exhaustion ..................................................................................................... 66
Pass the Hash ................................................................................................................. 67
Mind Map....................................................................................................................... 67
Network Attacks ................................................................................................................ 67
Wireless Network Concepts.............................................................................................. 68
Evil Twin ........................................................................................................................ 69
Layer 2 attacks .................................................................................................................... 73
Address Resolution Protocol (ARP) Poisoning ............................................................. 73
Media Access Control (MAC) Flooding ......................................................................... 73
9
Domain Name System (DNS) ........................................................................................74
Domain hijacking ...............................................................................................................74
Distributed Denial-of-Service (DDoS) .......................................................................... 75
How Distributed Denial-of-Service Attacks Work ...................................................... 76
Operational Technology (OT) .......................................................................................... 76
Malicious Code or script execution ............................................................................... 77
Macros and Visual Basic for Application (VBA) .............................................................. 78
Mind Map....................................................................................................................... 78
Threat Actors ..................................................................................................................... 79
Insider Threat ................................................................................................................. 81
Hacktivists ...................................................................................................................... 81
Script Kiddies ................................................................................................................. 82
Hacker ............................................................................................................................ 82
Threat Actor Attributes ......................................................................................................83
Internal/External ............................................................................................................83
Level of Sophistication .................................................................................................. 84
Resources/Funding ........................................................................................................ 84
Intent/Motivation .......................................................................................................... 84
Vectors ............................................................................................................................... 84
Wireless.............................................................................................................................. 84
Email ...................................................................................................................................85
Social Media ....................................................................................................................85
Mind Map....................................................................................................................... 92
Vulnerability Assessment .................................................................................................. 92
Weak Configurations..................................................................................................... 94
Improper or Weak Patch Management............................................................................ 96
Operating System (OS) ................................................................................................. 96
Data Exfiltration ............................................................................................................ 99
Mind Map...................................................................................................................... 100
Threat Hunting ................................................................................................................. 100
10
Vulnerability Scanning ...................................................................................................... 101
Lab 1-01: Installing and Using Vulnerability Assessment Tool ........................................ 101
Web 2.0 ......................................................................................................................... 128
Web App Threats .......................................................................................................... 128
SIEM (Security Information and Event Management) ............................................... 130
Review Reports .............................................................................................................. 131
User Behavior Analysis .................................................................................................. 131
Log Aggregation.............................................................................................................132
Mind Map....................................................................................................................... 133
Penetration Testing ....................................................................................................... 133
Rules of Engagement .................................................................................................... 136
Lateral Movement .........................................................................................................137
Privilege Escalation........................................................................................................137
Persistence .....................................................................................................................137
Cleanup ......................................................................................................................... 138
Pivoting ......................................................................................................................... 138
Exercise Types ............................................................................................................... 140
White Team ................................................................................................................... 141
Purple Team ................................................................................................................... 141
Mind Map...................................................................................................................... 142
Practice Question ............................................................................................................. 143
Chapter 02: Architecture and Design ............................................... 147
Technology Brief............................................................................................................... 147
The Significance of Security Ideas in a Business Setting ................................................ 148
Security Overview ......................................................................................................... 148
Configuration Management ......................................................................................... 148
Internet Protocol Schema ............................................................................................ 149
Data Sovereignty .............................................................................................................. 150
Data Protection ................................................................................................................ 150
Data Loss Prevention .................................................................................................... 150
11
Masking ......................................................................................................................... 150
Encryption..................................................................................................................... 150
At Rest ........................................................................................................................... 150
In Transit/Motion .......................................................................................................... 151
In Processing .................................................................................................................. 151
Tokenization .................................................................................................................. 151
Rights Management ...................................................................................................... 151
Hardware Security Module (HSM) ...................................................................................152
Geographical Considerations ............................................................................................153
Cloud Access Security Broker (CASB) ..............................................................................153
Response and Recovery Controls......................................................................................155
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection ....................... 156
Hashing ............................................................................................................................. 156
API Considerations ............................................................................................................157
Site Resiliency ................................................................................................................... 158
Hot Site ......................................................................................................................... 158
Cold Site ........................................................................................................................ 158
Warm site ...................................................................................................................... 158
Deception and Disruption ............................................................................................... 158
Honeypots ..................................................................................................................... 159
Honeyfiles ..................................................................................................................... 159
Honeynets ..................................................................................................................... 159
Lab 2-01: Configuring Honeypot on Windows Server 2016 ....................................... 159
DNS Sinkhole ................................................................................................................ 163
Mind Map...................................................................................................................... 164
Virtualization and Cloud Computing Concepts ............................................................. 164
What is Cloud Computing, and how does it work? .................................................... 164
Cloud Service Providers ............................................................................................... 170
On-Premises vs. Off-Premises ..................................................................................... 170
Fog Computing ............................................................................................................. 170
12
Edge Computing ........................................................................................................... 170
Thin Client ..................................................................................................................... 171
Containers ...................................................................................................................... 171
Microservices/API ........................................................................................................ 172
Infrastructure as Code .................................................................................................. 172
Serverless architecture ................................................................................................. 174
Services Integration ...................................................................................................... 174
Resource Policies ...........................................................................................................175
Transit Gateway .............................................................................................................175
Virtualization .................................................................................................................175
VM Escape Protection ...................................................................................................175
Mind Map...................................................................................................................... 176
Secure Application Development, Deployment, and Automation Concepts ............... 176
Environment ................................................................................................................. 176
Provisioning and De-Provisioning ............................................................................... 178
Integrity Measurement ................................................................................................. 179
Secure Coding Techniques ........................................................................................... 179
Open Web Application Security Project (OWASP).................................................... 180
Software Diversity.......................................................................................................... 181
Automation/Scripting ................................................................................................... 181
Elasticity ........................................................................................................................ 182
Scalability ...................................................................................................................... 182
Version Control ............................................................................................................ 182
Mind Map...................................................................................................................... 183
Summarize Authentication and Authorization Design Concepts ................................. 183
Authentication Methods .............................................................................................. 185
Technologies ................................................................................................................. 186
Authentication Applications ........................................................................................ 189
AAA (Authentication, Authorization, and Accounting) Framework ........................ 193
Multi-Factor Authentication ........................................................................................ 194
13
Gaining Access .................................................................................................................. 197
Cloud vs. On-Premises Requirements ......................................................................... 198
Mind Map...................................................................................................................... 199
Implementation of Cybersecurity Resilience .................................................................. 199
Redundancy .................................................................................................................. 199
Disk ............................................................................................................................... 199
Network......................................................................................................................... 201
Replication .................................................................................................................... 203
Backup Types ............................................................................................................... 204
Non-Persistence ............................................................................................................ 205
High Availability .......................................................................................................... 206
Restoration Order ........................................................................................................ 206
Diversity ....................................................................................................................... 206
Mind Map......................................................................................................................207
The Security Implications of Embedded and Specialized Systems ............................... 208
Embedded Systems ...................................................................................................... 208
Supervisory Control and Data Acquisition (SCADA)/Industrial Control System (ICS)
Facilities ....................................................................................................................... 208
Internet of Things (IoT) .............................................................................................. 208
IoT Communication Models ......................................................................................... 211
Specialized .................................................................................................................... 214
Voice over IP ..................................................................................................................215
Heating, Ventilation, Air Conditioning ........................................................................215
Drones/AVs ................................................................................................................... 216
Multifunction Printer ................................................................................................... 216
Real-Time Operating System ....................................................................................... 216
Surveillance Systems .................................................................................................... 216
System on Chip ............................................................................................................. 216
Communication Considerations .................................................................................. 217
Mind Map...................................................................................................................... 218
14
The Importance of Physical Security Controls ............................................................... 218
Bollards/Barricades....................................................................................................... 219
Mantraps ....................................................................................................................... 219
Badges ...........................................................................................................................220
Alarms ...........................................................................................................................220
Signage ..........................................................................................................................220
Cameras .........................................................................................................................220
Industrial Camouflage .................................................................................................. 221
Personnel ...................................................................................................................... 221
Locks ............................................................................................................................. 222
USB Data Blocker ......................................................................................................... 222
Lighting ......................................................................................................................... 222
Fencing .......................................................................................................................... 222
Fire Suppression ........................................................................................................... 222
Sensors .......................................................................................................................... 222
Visitor Logs ................................................................................................................... 223
Faraday Cages ............................................................................................................... 223
Air Gap .......................................................................................................................... 223
The Demilitarized Zone (DMZ) ................................................................................... 223
Protected Cable Distribution ....................................................................................... 224
Secure Areas .................................................................................................................. 224
Secure Data Destruction ..............................................................................................226
Mind Map...................................................................................................................... 227
The Basics of Cryptographic Concepts ............................................................................228
Cryptography ................................................................................................................228
Types of Cryptography .................................................................................................228
Digital Signatures .........................................................................................................229
Key Length .................................................................................................................... 230
Key Stretching............................................................................................................... 230
Salting............................................................................................................................ 230
15
Hashing ..........................................................................................................................231
Key Exchange ................................................................................................................ 232
Elliptic-Curve Cryptography ........................................................................................ 233
Perfect Forward Secrecy ............................................................................................... 234
Quantum ....................................................................................................................... 234
Blockchain..................................................................................................................... 234
Cipher Suites ................................................................................................................. 235
Symmetric vs. Asymmetric........................................................................................... 235
Lightweight Cryptography ........................................................................................... 239
Steganography .............................................................................................................. 239
Mind Map...................................................................................................................... 241
Homomorphic Encryption ........................................................................................... 247
Common Use Cases ...................................................................................................... 247
Limitations .................................................................................................................... 247
Mind Map..................................................................................................................... 248
Practice Question ............................................................................................................ 249
Chapter 03: Implementation ............................................................. 252
Implement Secure Protocols ............................................................................................ 252
Protocols ........................................................................................................................... 252
Secure Real-time Protocol (SRTP) ............................................................................... 252
NTP................................................................................................................................ 252
S/MIME ......................................................................................................................... 253
SSL/TLS ......................................................................................................................... 253
FTPS .............................................................................................................................. 253
LDAP ............................................................................................................................. 253
SSH ................................................................................................................................ 253
DHCP ............................................................................................................................ 253
Secure File Transfer Protocol (SFTP) .......................................................................... 254
Secure Post Office Protocol (POP)/ Internet Message Access Protocol (IMAP) ..... 266
Mind Map......................................................................................................................267
16
Implement Host or Application Security Solutions .......................................................267
Endpoint Protection .....................................................................................................267
Boot Integrity ............................................................................................................... 269
Application Security .....................................................................................................270
Hardening ..................................................................................................................... 271
Self-Encrypting Drive (SED)/ Full-Disk Encryption (FDE) ........................................ 273
Hardware Root of Trust ............................................................................................... 273
Trusted Platform Module (TPM) ................................................................................. 273
Sandboxing ................................................................................................................... 273
Mind Map...................................................................................................................... 274
Implement Secure Network Designs ............................................................................... 274
Load Balancing ............................................................................................................. 274
Network Segmentation ................................................................................................ 275
Network-based Intrusion Detection System (NIDS)/Network-based Intrusion
Prevention System (NIPS) ............................................................................................279
Firewall .......................................................................................................................... 283
Firewall Architecture ................................................................................................... 286
Types of Firewall .......................................................................................................... 290
Access control list (ACL) .............................................................................................. 293
Route security Quality of service (QoS) ...................................................................... 293
Implications of IPv6 ..................................................................................................... 293
Port Spanning/Port Mirroring .................................................................................... 294
Monitoring Services ..................................................................................................... 294
File Integrity Monitors ................................................................................................ 294
Mind Map......................................................................................................................295
Wireless Security Settings ................................................................................................295
Cryptographic Protocols ..............................................................................................295
Authentication Protocols ............................................................................................ 296
Methods ........................................................................................................................297
Installation Considerations ......................................................................................... 298
17
Mind Map..................................................................................................................... 299
Implement Secure Mobile Solutions .............................................................................. 299
Connection Methods and Receivers ........................................................................... 299
Mobile Device Management (MDM) .......................................................................... 301
Mobile Devices.............................................................................................................. 305
Enforcement and Monitoring ...................................................................................... 305
Deployment Models .....................................................................................................308
Mind Map..................................................................................................................... 309
Cybersecurity Solutions to the Cloud............................................................................. 309
Cloud Security Controls .............................................................................................. 309
Network..........................................................................................................................312
Compute........................................................................................................................ 314
Solutions ........................................................................................................................315
Cloud-native controls vs. third-party solutions .......................................................... 316
Mind Map...................................................................................................................... 318
Implement Identity and Account Management Controls .............................................. 318
Identity .......................................................................................................................... 318
Account Types .............................................................................................................. 319
Account Policies ........................................................................................................... 320
Mind Map...................................................................................................................... 322
Implement Authentication and Authorization Solutions .............................................. 322
Authentication Management ....................................................................................... 322
Authentication .............................................................................................................. 324
Access Control Schemes ............................................................................................... 328
Mind Map...................................................................................................................... 330
Implement Public Key Infrastructure.............................................................................. 330
Public Key Infrastructure (PKI) ................................................................................... 330
Types of certificates ...................................................................................................... 335
Certificate Formats ....................................................................................................... 337
Concepts........................................................................................................................ 338
18
Mind Map......................................................................................................................340
Practice Questions............................................................................................................ 341
Chapter 04: Operations and Incident Response ............................. 344
Introduction......................................................................................................................344
Appropriate Tools to Assess Organization Security .......................................................344
Network Reconnaissance and Discovery .....................................................................344
File Manipulation ......................................................................................................... 355
Shell and Script Environments .................................................................................... 357
Packet Capture and Replay .......................................................................................... 358
Lab 4-01: Introduction to Wireshark ........................................................................... 359
Forensics ....................................................................................................................... 362
Mind Map......................................................................................................................364
Importance of Policies, Processes, and Procedures for Incident Response .................. 365
Incident Response Plans .............................................................................................. 365
Incident Response Process ........................................................................................... 365
Exercises ........................................................................................................................ 367
Attack Frameworks.......................................................................................................368
Stakeholder Management ............................................................................................ 375
Communication Plan.................................................................................................... 375
Continuity of Operations Planning (COOP)............................................................... 375
Incident Response Team .............................................................................................. 376
Retention Policies ......................................................................................................... 376
Mind Map...................................................................................................................... 377
Appropriate Data Source to Support an Incident Investigation .................................... 377
Vulnerability Analysis .................................................................................................. 377
Lab 4-02: Installing and Using a Vulnerability Assessment Tool ..............................386
Lab 4-03: Vulnerability Scanning using the Nessus Vulnerability Scanning Tool ... 405
Analyze Vulnerability Scan Results ............................................................................. 417
Appropriate Solutions/Recommendations to Remediate the Discovered
Vulnerabilities............................................................................................................... 419
19
SIEM DashBoard .......................................................................................................... 420
Log Files ........................................................................................................................ 422
syslog/rsyslogs/syslog-ng ............................................................................................. 425
Journalctl ....................................................................................................................... 425
nxlog .............................................................................................................................. 425
Bandwidth monitors .................................................................................................... 426
Metadata ...................................................................................................................... 426
Netflow .......................................................................................................................... 427
Protocol Analyzer Output ........................................................................................... 428
Mind Map..................................................................................................................... 429
Use of Mitigation Techniques or Controls to Secure an Environment ........................ 429
Reconfigure Endpoint Security Solution .................................................................... 429
Configuration Changes.................................................................................................430
Isolation ........................................................................................................................ 431
Containment ................................................................................................................. 431
Segmentation ................................................................................................................ 432
SOAR ............................................................................................................................. 432
Mind Map...................................................................................................................... 433
The Key Aspect of Digital Forensics ................................................................................ 433
Documentation/Evidence ............................................................................................ 433
Acquisition .................................................................................................................... 435
On-Premises vs. Cloud .................................................................................................438
Integrity........................................................................................................................ 440
Preservation ................................................................................................................. 440
E-discovery ................................................................................................................... 440
Data recovery ................................................................................................................ 441
Non-repudiation ........................................................................................................... 441
Strategic Intelligence/ CounterIntelligence (CI) ........................................................ 441
Mind Map..................................................................................................................... 442
Practice Questions............................................................................................................443
20
Chapter 05: Governance, Risk, and Compliance ............................. 446
Introduction..................................................................................................................... 446
GRC Concepts .............................................................................................................. 446
Why GRC? .................................................................................................................... 446
Functions Supported by GRC...................................................................................... 447
Analyze Risks Associated with Cloud Infrastructure .................................................... 448
Risk Assessment/Analysis ........................................................................................... 448
Cloud Attack Vectors .................................................................................................. 448
Virtualization Rısks ..................................................................................................... 450
Counter-Measure Strategies........................................................................................ 450
Security Controls .............................................................................................................. 451
Physical and Environmental Protection ...................................................................... 451
System and Communication Protection ..................................................................... 452
Category of Security Control ........................................................................................ 452
Types of Security Control ............................................................................................. 453
Mind Map..................................................................................................................... 454
Importance of Applicable Regulations, Standards, or Frameworks that Impact
Organizational Security Posture. .................................................................................... 454
Regulations, Standards, and Legislation .................................................................... 454
Benchmarks/Secure Configuration Guides ................................................................ 466
Mind Map..................................................................................................................... 470
Importance of Policies to Organizational Security ........................................................ 470
Policies ......................................................................................................................... 470
Personnel Security ........................................................................................................ 471
Diversity of Training Techniques ............................................................................... 479
Third-Party Risk Management.................................................................................... 479
Data ...............................................................................................................................483
Credential Management System ................................................................................. 487
Credential Policies ....................................................................................................... 488
Organizational Policies ............................................................................................... 489
21
Mind Map......................................................................................................................493
Risk Management Processes and Concepts ....................................................................493
Threat Assessment....................................................................................................... 494
Risk Types .................................................................................................................... 494
Risk Management Strategies ....................................................................................... 495
Risk Monitoring ........................................................................................................... 496
Analyze Risks Associated with Cloud Infrastructure................................................. 496
Disaster ......................................................................................................................... 502
Business Impact Analysis ............................................................................................. 502
MindMap....................................................................................................................... 505
Privacy and Sensitive Data Concepts in Relation to Security ........................................ 505
Organizational consequences of privacy breaches ..................................................... 505
Notifications of Breaches ............................................................................................ 506
Data Types .................................................................................................................... 507
Privacy Enhancing Technologies ................................................................................ 508
Roles and Resposnibilities ............................................................................................. 511
Information Lifecycle ....................................................................................................512
Privacy Impact Assessment ...........................................................................................513
Terms of Agreement ......................................................................................................513
Privacy Notice/ Privacy Policy ......................................................................................513
Mind Map...................................................................................................................... 514
Data Security and Privacy Practices ................................................................................ 514
Data Destruction and Media Sanitization ................................................................... 514
Data Sensitivity Labelling and Handling ..................................................................... 516
Data Retention ...............................................................................................................517
Legal and Compliance ...................................................................................................517
Mind Map...................................................................................................................... 518
Practice Questions............................................................................................................ 519
Answers .............................................................................................. 522
Chapter 01: Threats, Attacks, and Vulnerabilities .......................................................... 522
22
Chapter 02: Architecture and Design .............................................................................. 525
Chapter 03: Implementation ............................................................................................ 528
Chapter 04: Operations and Incident Response ............................................................. 530
Chapter 05: Governance, Risk, and Compliance ............................................................. 533
Acronyms ...........................................................................................536
References ......................................................................................... 548
About Our Products.......................................................................... 560
23
CompTIA Certification: Security +
About this Certifications
This certification covers all the information you need to pass the CompTIA Security+ Exam
that is SY0-601. The workbook is designed to take a practical approach to learn with reallife examples and case studies.







Covers complete CompTIA Security+ SY0-601 blueprint
Summarized content
Case Study based approach
Downloadable vRacks
Practice Questions
100% pass guarantee
Mind maps
CompTIA Certifications
CompTIA certification helps to establish and build your IT career. It benefits you in various
ways, either seeking certification to have a job in IT or want to upgrade your IT career with
a leading certification, that is, CompTIA certification.
Figure 1. CompTIA Certifications Pathway
24
CompTIA Certification: Security +
About Security+ Certification
The purpose of this certification is to make you a better IT Security Tech. All the essential
principles for network security are covered in this Security+ certification.
The skills or techniques you will learn when you obtain the Security+ certificate:






Configuring a secure network for protection against threats, malware, etc.
Identification of vulnerabilities in a network and provision of proper mitigation
techniques.
Knowledge of the latest threats that harm your system intelligently.
Implementation of secure protocols and appropriate security checks and the
establishment of end-to-end host security.
Implementation of access and identity management controls to have your data in
legal hands.
Ability to use encryption, configuring wireless security for information safety
purposes.
Figure 2. CompTIA Security Certifications Pathway
About the CompTIA Security+ Exam





Exam Number: SY0-601 CompTIA Security+
Duration: 90 minutes
Number of Questions: Maximum 90
Types of Questions: Multiple choice & performance-based
Passing Marks: 750
The CompTIA Security+ Exam (SY0-601) is a 90-minute qualifying exam with a maximum
of 90 questions for the CompTIA certification. The CompTIA Security+ Exam certifies the
25
CompTIA Certification: Security +
successful applicants with the awareness and skills needed to configure and install the
systems to secure the networks, devices, & applications.
This exam measures your ability to accomplish the following technical tasks:





Attacks, Threats, and Vulnerabilities (24%)
Architecture and Design (21%)
Implementation (25%)
Operation and Incident Response (16%)
Governance, Risk, and Compliance (14%)
How to become Security+ certified?
Step 1: Choose a certification: Explore what is available and choose an IT certification
that will benefit you in accomplishing your career target.
To study various IT career tracks and to choose the best certification for yourself, you can
use the “CompTIA Career Roadmap.”
CompTIA has four core IT certifications: IT Fundamental, A+, Network+, and Security+
that examine your knowledge from entry to the expert level.
If you have the skills to secure a network & deter hackers and want to become a highly
efficient IT Security Tech, CompTIA Security+ is the right type of certification.
Step 2: Learning & Training: Exam preparation can be done through self-study with
textbooks, practice exams, and online classroom programs. However, this course provides
you with all the information and offers complete assessments in one place to help you pass
the CompTIA Security+ Exam.
IPSpecialist provides full support to the candidates in order for them to pass the exam.
Step 3: Familiarization with Exam: A great suggestion is to first understand what you
are training for. For that, we are providing you not only the exam objectives but practice
questions too, in order to give you a thorough idea about your final exam of certification.
Step 4: Register & Take Exam for Certification: After all the learning process, the next
step is to take your test. Certification exams are offered at different locations all over the
world. To register for an exam, contact the authorized test delivery partner of CompTIA,
contact Pearson VUE.
The following are the steps for registration and scheduling an exam:
1. Buy the exam voucher from here, “Buy a certification exam voucher.”
2. Find and visit a testing center, “testing center.”
3. Create a Pearson VUE account & Schedule your exam. Here is a link for that “Create
a Pearson VUE testing account and schedule your exam.”
26
CompTIA Certification: Security +
4. You will receive a confirmation email having testing information after the
registration process.
5. You are ready for the test.
Step 5: Results: After you complete an exam at an authorized testing center, you will get
immediate, online notification of your pass or fail status. If you have passed the exam, a
congratulatory email will be forwarded to you with guidelines to access your record.
Make sure to keep a record of the email address you used for the registration and score
report with an exam registration number. This information is required to log in to your
certification account.
The CompTIA Security+ certification exam will verify the successful candidate has the
knowledge and skills required to:




Assess the security posture of an enterprise environment and recommend and
implement appropriate security solutions
Monitor and secure hybrid environments, including cloud, mobile, and IoT
Operate with an awareness of applicable laws and policies, including principles of
governance, risk, and compliance
Identify, analyze, and respond to security events and incidents
This is equivalent to two years of hands-on experience working in a security/systems
administrator job role.
Recommended Knowledge















Compare and contrast different types of social engineering techniques.
Analyze potential indicators to determine the type of attack.
Analyze potential indicators, associated with application attacks.
Analyze potential indicators, associated with network attacks.
Explain different threat actors, vectors, and intelligence sources.
The security concerns associated with various types of vulnerabilities.
Summarize the techniques used in security assessments.
The techniques used in penetration testing.
The importance of security concepts in an enterprise environment.
Summarize virtualization and cloud computing concepts.
Summarize secure application development, deployment, and automation concepts.
Summarize authentication and authorization design concepts.
Implement cybersecurity resilience.
The security implications of embedded and specialized systems.
The importance of physical security controls.
27
CompTIA Certification: Security +




















The basics of cryptographic concepts.
Implement secure protocols.
Implement host or application security solutions.
Implement secure network designs.
Install and configure wireless security settings.
Implement secure mobile solutions.
Apply cybersecurity solutions to the cloud.
Implement identity and account management controls
Implement authentication and authorization solutions.
Implement public key infrastructure.
Use the appropriate tool to assess organizational security.
The importance of policies, processes, and procedures for incident response.
Given an incident, utilize appropriate data sources to support an investigation.
Given an incident, apply mitigation techniques or controls to secure an environment.
Explain the key aspects of digital forensics.
Compare and contrast various types of controls.
The importance of applicable regulations, standards, or frameworks that impact
organizational security posture.
The importance of policies to organizational security.
Summarize risk management processes and concepts.
Explain privacy and sensitive data concepts in relation to security.
All the required information is included in this course.
Domain
Percentage
Domain 1
Attacks, Threats, and Vulnerabilities
24%
Domain 2
Architecture and Design
21%
Domain 3
Implementation
25%
Domain 4
Operation and Incident Response
16%
Domain 5
Governance, Risk, and Compliance
14%
28
Chapter 01: Threats, Attacks, and Vulnerabilities
Chapter 01: Threats, Attacks, and Vulnerabilities
Technology Brief
In this chapter, we will discuss the basic concepts of social engineering and how it
works. This technique is different from other information-stealing techniques that have
been discussed. All the tools and techniques used for hacking a system looked at so far
are technical and require a deep understanding of Networking, Operating Systems, and
other domains. Social Engineering is a non-technical technique for obtaining
information. It is one of the best common techniques because it is easy to use. This is
because humans are very careless and are prone to making mistakes.
There are several components to security, but humans are the most important
component. All security measures depend upon the human being. If a user is careless
about securing his/her login credentials, all security architectures will fail. Spreading
awareness, training, and briefing users about social engineering, social engineering
attacks, and the impact of their carelessness will help to strengthen security from
endpoints.
This chapter will provide an overview of social engineering concepts and types of social
engineering attacks. Here, you will learn how different social engineering techniques
work, what insider threats are, how an attacker impersonates someone on social
networking sites, and how all of these threats can be mitigated. Let's start with social
engineering concepts. This chapter will discuss the concept of wireless networks,
threats and vulnerabilities, attacks on wireless technologies, and some defense
techniques.
An Overview of Social Engineering Techniques
Social Engineering is the art of extracting sensitive information from people. Social
Engineers play with human psychology and trick people into sharing their valuable
information. In Information Security, footprinting through social engineering is done
for gathering information such as:







Credit card information
Usernames and passwords
Security devices and technology information
Operating System information
Software information
Network information
IP address and name server’s information
29
Chapter 01: Threats, Attacks, and Vulnerabilities
There are different ways to perform social engineering. The different types of social
engineering techniques are as follows:
Phishing
In the process of Phishing, emails sent to a targeted group contain messages that look
legitimate. The recipient clicks the link as provided in the email, assuming that it is a
legitimate link. Once the reader clicks the link, it redirects the user to a fake webpage
that looks like an official website. For example, the recipient may be redirected to a fake
bank webpage that then asks for sensitive information. Similarly, clicking on the link
may download a malicious script onto the recipient’s system to fetch information.
Smishing
Smishing is an alternative type of phishing attack that tricks unsuspecting victims into
handing over sensitive data via fraudulent SMS messages. This form of phishing is less
common in the corporate world than spear phishing and vishing but could become
more of a threat as we see an increase in the use of bring-your-own-device (BYOD) in
work environments.
Vishing
Vishing is an attack-type related to phishing since it attempts to trick and persuade
victims to reveal sensitive data over a social engineering attack. A victim may receive a
pre-recorded message on their phone which specifies that there has been suspicious
activity on their credit card, financial account, or other bank accounts. The victim is
told to call a definite telephone number, where he must key in identification
information. The identification information is commonly the connected PIN, account
number, or/and password value. The victim thinks this information is being sent to a
trusted source, as in their bank. However, it is being recorded by an attacker who
intends to use it for fraudulent purposes. When calls are made using VoIP, authorities
find it difficult to track because packets might pass through many different switches
around the world instead of the circuit switching employed by traditional telephone
lines.
Spam
Spamming is usually against the law, so the spammers do not want the traffic to appear
as if it came from their equipment. They will look for mail servers on the Internet or
within enterprise DMZs that have loosely configured relaying systems and utilize them
to deliver spam. If a mail server's relays are set to "wide open," the mail server can receive
any message and send it to any intended recipient. Antispam features, which are
complete layer features, must be activated on mail servers. A company's mail server
should only receive mail intended for its domain and should not forward
communications to other dubious mail servers or domains.
30
Chapter 01: Threats, Attacks, and Vulnerabilities
Spam over Internet Messaging (SPIM)
Instant messaging spam (SPIM) or Spam over Internet Messaging is a type of spamming
that practices instant messengers for this malicious action. Though this kind of
spamming is not as common as e-mail spamming, it is certainly increasing over time.
The fact that firewalls are incapable of blocking SPIM has made it more attractive for
spammers. One technique to prevent SPIM is to enable the option of receiving
immediate messages only from a known list of users.
Spear Phishing
A spear-phishing attack is a phishing attack that is crafted to trick a specific target and
not a large generic group of people. Spear phishing targets individuals. If somebody
distinguishes your particular likes, political motives, shopping habits, etc., the attacker
can craft an attack directed only at you. If an attacker sends a spoofed e-mail that seems
to have come from the mother with the subject line of “Emily’s Birthday Pictures” and
an e-mail attachment, that will most likely think it came from the mother and open the
file which will then infect the system. These generalized attacks take more time for the
hacker to craft as unique information has to be assembled about the target, but they are
more successful because they are more convincing.
Dumpster Diving
The process of looking for treasure in the trash is known as Dumpster Diving. This
technique is old but quite effective. It consists of accessing the target's trash such as
trash, printer, user desk, company trash to find phone bills, contact information,
financial information, source codes, and other helpful material.
Shoulder Surfing
In Shoulder Surfing, information is collected by standing behind a target when he is
dealing with sensitive information. Using this technique, passwords, account numbers,
or other secret information can be gathered, depending upon the carelessness of the
target.
Pharming
It is a form of cyber-attack in which a user is forwarded to a malicious website created
by the attacker. Usually, this type of redirection happens without users’ acceptance or
knowledge.
31
Chapter 01: Threats, Attacks, and Vulnerabilities
Figure 1-01: Software Pharming Has Become Increasingly Popular in Recent Years
Tailgating
Tailgating is a technique in which an unauthorized person gains access to a restricted
area by following the authorized person. Tailgating is easy when using Fake IDs and
following the target closely while crossing checkpoints
Whaling
In a whaling attack, an attacker selects some "big fish" in a company (CEO, CFO, COO,
CSO) and targets them because they have access to some of the firm's most sensitive
data. The attack has been fine-tuned to maximize the chances of success.
Identity Fraud
Stealing information about the identity of another person is known as Identity fraud.
Anyone with malicious intent may steal your identity by gathering documents such as
utility bills and personal and other significant information and creating a new ID card
to impersonate someone. This information may also be used to confirm the fake identity
and then take advantage of it.
32
Chapter 01: Threats, Attacks, and Vulnerabilities
Figure 1-02: Processes of Identity Theft
Credential Harvesting
Credential Harvesting is also known as password harvesting. The attacker sends the
victim a captivating message, typically an email containing a tenable subject and a
hyperlink or maybe an attachment, leading to a sign-in page associated with a legitimate
service that the victim is known to use. The most common are Google Drive, Office 365,
and Dropbox. Once the victim logs in, their credentials are hijacked. The attacker uses
those credentials to access another system aligned with their objectives.
Reconnaissance
Reconnaissance is a primary preparation phase for the attacker to prepare for an attack
by gathering data or information about the target before launching an attack by using
33
Chapter 01: Threats, Attacks, and Vulnerabilities
different techniques and tools. Gathering information about the target creates it easier
for an attacker. It helps to identify the target range for large-scale attacks.
In passive Reconnaissance, a hacker obtains information about the target without
directly interacting with the target. An example of passive reconnaissance includes
searching social media to obtain the target’s information.
Active Reconnaissance is obtaining knowledge by connecting directly with the target.
Interacting with the target via emails, calls, the help desk, or technical departments are
examples of active reconnaissance.
Hoax
This type of threat is where an organization is warned of a particular problem and then
asked for money to solve or remove it. These types of threats can be sent through email,
through Facebook posts, or tweets; the aim is to make money by fooling others.
Impersonation
Impersonation is a social engineering approach that uses people. Impersonation is the
act of impersonating someone or something. Impersonation, here, implies pretending
to be a legitimate user or pretending to be an authorized person. This impersonation
may be either face-to-face or through a communication channel such as email or
telephone communication, etc.
Personal impersonation is identity theft carried out by an attacker when he/she has
enough personal information about an authorized person. An attacker impersonates a
legitimate user by providing the legitimate user’s personal information (either collected
or stolen). Impersonating a technical support agent and asking for credentials is another
method of impersonation for gathering information.
34
Chapter 01: Threats, Attacks, and Vulnerabilities
Mind Map
Figure 1-03: Mind Map of Social Engineering Techniques
Malware Concepts
The term malware is an umbrella term that describes a wide variety of potentially risky
software. This malicious software is particularly designed to gain access to target
machines, steal information, and harm the target system. Any software designed with
the malicious intention that allows damaging, disabling, or limiting the control of the
authorized owner and passing control of a target system to a malware developer or
attacker, or allows any other malicious intent, can be considered malware. Viruses,
Worms, Keyloggers, Spywares, Trojans, Ransomware, and other harmful software are
among the many varieties of malware. Malware is now the most hazardous threat on
the planet. Typical viruses and worms use outdated methodologies, whereas modern
malware is designed to attack cutting-edge equipment, making it more deadly.
How can Malware enter into your system?
Malware takes advantage of the weaknesses and vulnerabilities in the operating system
or the vulnerabilities introduced by accidentally clicking on the malicious links. A
malware program starts running before the malware deploys itself on the system.
How to keep malware away?



Make sure to keep Operating Systems up to date.
Update all the Applications.
Avoid clicking unnecessary or malicious links.
35
Chapter 01: Threats, Attacks, and Vulnerabilities

Use Anti-Virus / Anti-Malware software.
Ransomware
Ransomware is a malware program that restricts access to system files and folders by
encrypting them. Some types of ransomware may lock the system as well. Once the
system is encrypted, it requires a decryption key to unlock it and its files. An attacker
then demands a ransom payment before providing the decryption key to remove
restrictions. Online payments using digital currencies that are difficult to trace, like
Ukash and Bitcoin, are used for ransoms. Ransomware is usually deployed by using
Trojans. One of the finest examples of ransomware is the WannaCry Ransomware
attack.
Following are the most common and widely known types of ransomware:





Cryptobit Ransomware
CryptoLocker Ransomware
CryptoDefense Ransomware
CryptoWall Ransomware
Police-themed Ransomware
Examples of Ransomware:

Crypto-Locker
Trojan
Any Malicious Program misleading the user about its actual intention is classified as a
Trojan. Social Engineering normally spreads Trojans. The determination or most
common use of Trojan programs are:









Creating a Backdoor
Gaining Unauthorized Access
Stealing Information
Infecting Connected Devices
Ransomware Attacks
Using Victims for Spamming
Using Victims as Botnet
Downloading other Malicious Software
Disabling Firewalls
Trojans Types

Command Shell Trojans
Command Shell Trojans are proficient as long as remote control of the command shell
of a victim. The trojan server of command shell Trojan such as Netcat is installed on the
target machine. The trojan server will open the port for command shell connection to
36
Chapter 01: Threats, Attacks, and Vulnerabilities
its client application, installed on the attacker's machine. This Client-Server based
Trojan delivers access to the Command line.

Defacement Trojans
An attacker can access, change, and extract information from any Windows program
using the Defacement Trojan. To leave their imprint, the attacker frequently replaces
the string, graphics, and logos using this information. The attacker defaces applications
using User-Styled Custom Application (UCA). Website defacement is very popularly
known; it is similar to the concept of applications running on the target machine.

HTTP/HTTPS Trojans
HTTP and HTTPS Trojans get across the firewall and execute on the target computer.
After execution, they construct an HTTP/ HTTPS tunnel to interact with the attacker
from the victim's PC.

Botnet Trojans
The amount of hacked systems is referred to as a botnet (zombies). These infected
systems are not restricted to a single LAN; they could be found all around the world.
The Command and Control Center is in charge of these botnets. These botnets are used
to carry out attacks like Denial of Service (DoS), spamming, and so on.

Proxy Server Trojans
Trojan-Proxy Server is a stand-alone virus program that can transform your computer
into a proxy server. The Proxy Server Trojan allows the attacker to utilize the victim's
computer as a proxy by enabling the proxy server on the victim's PC. This method is
used to launch further attacks while keeping the true source of the attack hidden.

Remote Access Trojans (RAT)
RAT (Remote Access Trojan) permits the attacker to get remote desktop access to a
victim's machine by permitting a Port that allows the GUI access to the remote system.
RAT consist of a back door for maintaining administrative access and control over the
victim. Using RAT, an attacker can monitor a user's activity, access confidential data
and information, take screenshots, record audio and video by a webcam, alter files and
format drives, etc.
How to prevent this malware?



You must examine the software before installing it. Install only what is trusted.
You must have a backup of your data.
You must update the antivirus software and operating system.
Trojan Construction Kit
Trojan Construction Kit permits attackers to create their specific Trojans. These
customized Trojans can be more dangerous for the target and the attacker if it backfires
37
Chapter 01: Threats, Attacks, and Vulnerabilities
or is not executed appropriately. These modified Trojans created by using construction
kits can avoid detection from viruses and Trojan scanning software.
Some Trojan Construction Kits are:

Dark Horse Trojan Virus Maker

Senna Spy Generator

Trojan Horse Construction Kit

Pyrogenic mail Trojan Construction Kit

Pandora's Box
Worms
Different Viruses, Worms are capable of replicating themselves. This ability of worms
makes them spread on a resident system very rapidly. Worms are propagating in many
different forms since the 1980s. Some kinds of evolving worms are very destructive and
responsible for devastating DoS attacks. It can move without human action or
interference inside the computer or network. They spread and take over the system
speedily. A well-known virus can be filtered over a next-generation intrusion prevention
system or firewall.
Example of worm:




Sobig worm of 2003
SQL Slammer worm of 2003
2001 attacks of Code Red and Nimba
2005 Zotob worm
Command and Control
The adversary establishes a two-way communication or command channel with its C2
server during the Command and Control (C2) phase. The adversary owns and manages
this C2 server, which is used to relay commands to compromised machines. Adversaries
can change the victim's searches and commands from afar. C2 channels have the
following characteristics:



Victim opens two-way communication channel towards C2
Mostly, the C2 channel is on the web, DNS, or email
C2 queries encoded commands
Security defenders have one last chance in this kill chain to detect and stop the assault
by blocking the C2 channel. An adversary cannot issue orders to the victim if the C2
channel is immediately disabled. Some strategies for security teams to guard against C2
communication are as follows:


Collect and block C2 IoC via Threat Intelligence or Malware analysis
Need proxies for all types of traffic (HTTP, DNS)
38
Chapter 01: Threats, Attacks, and Vulnerabilities


DNS Sink Holing and Name Server Poisoning
Monitoring network sessions
Bots
A bot is a piece of software that allows you to control a target remotely and perform
predetermined activities. It has the ability to run automatic scripts via the internet. Bots
are sometimes known as Web Robots or Internet Bots. Chatterbots and live chats are
examples of bots that can be used for social purposes. Furthermore, they can also be
used for malicious purposes in the form of malware. Hackers use malware bots to gain
complete authority over a computer.
Logic Bomb
A Logic Bomb virus is aimed to persist in a sleep mode or waiting for the state until the
end of a pre-determined period, or an event or action occurs. When the condition is
met, it triggers the virus to exploit and perform the intentional task. These logic bombs
are difficult to detect, as they cannot be detected in sleep mode, and once they are
detected, it is too late.
Spyware
Spyware is software designed for gathering information about a user’s interaction by a
system, such as login credentials, email address, and other details, without informing
the user of the target system. Mostly, spyware is used for tracking a user’s internet
interactions. The information obtained is sent to a remote destination. Spyware hides
its processes and files to avoid detection. The most common types of spyware are:
 Adware
 System Monitors
 Tracking Cookies
 Trojans
Features of Spyware
There are several spyware tools available on the internet providing several advanced
features such as:









Tracking users such as keylogging
Monitoring user’s activity such as websites visited
Recording conversations
Blocking applications and services
Remote delivery of logs
Tracking email communication
Recording removable media communication like USB
Voice recording
Video recording
39
Chapter 01: Threats, Attacks, and Vulnerabilities


Tracking location (GPS)
Mobile tracking
Keyloggers
Keystroke logging, keylogging, or keyboard capturing is monitoring or recording actions
performed by any user. For example, consider a PC with a keylogger for any purpose,
such as monitoring a user. Each key pressed by the user will be logged by this tool.
Keyloggers can be either hardware or software. The major purpose of using keyloggers
is monitoring: copying data to the clipboard, capturing screenshots by the user, and
screen logging by capturing a screenshot at every action.
Figure 1-04: Different Types of Keyloggers
Types of Keystroke Loggers
 Software Keyloggers
Software-based Keyloggers perform their function by logging actions to steal
information from the target machine. Software-based keyloggers are either remotely
installed or sent by an attacker to a user, and the user may then accidentally execute
the application. Software keyloggers include:




Application Keyloggers
Kernel Keyloggers
Hypervisor-based Keyloggers
Form Grabbing-based Keyloggers
 Hardware Keyloggers
Hardware-based Keyloggers are physical hardware or keyloggers that are installed
on hardware by physically accessing the device. Firmware-based keyloggers require
physical access to the machine to load the software into BIOS or keyboard hardware
40
Chapter 01: Threats, Attacks, and Vulnerabilities
such as a key grabber. A USB is a physical device that needs to be installed in line
with the keyboard. Hardware keyloggers are further classified into the following
types:



PC/BIOS Embedded Keyloggers
Keyloggers Keyboard
External Keyloggers
Hardware Keyloggers
Hardware Keyloggers
Website
KeyGrabber USB
http://www.keydemon.com/
KeyGrabber PS/2
http://www.keydemon.com/
VideoGhost
http://www.keydemon.com/
KeyGrabber Nano Wi-Fi
http://www.keydemon.com/
KeyGrabber Wi-Fi Premium
http://www.keydemon.com/
KeyGrabber TimeKeeper
http://www.keydemon.com/
KeyGrabber Module
http://www.keydemon.com/
KeyGhost USB Keylogger
http://www.keyghost.com/
KeyCobra Hardware Keylogger (USB and http://www.keycobra.com/
PS2)
Table 1-01: Keylogging Hardware Devices
Anti-Keyloggers
Anti-Keyloggers are application software that guarantees protection against keylogging.
This software excludes the threat of keylogging by providing SSL protection, keylogging
protection, clipboard logging protection, and screen logging protection. Some AntiKeylogger software is listed below:



Zemana Anti-Keylogger ( https://www.zemana.com )
Spyshelter Anti-Keylogger ( https://www.spyshelter.com )
Anti-Keylogger ( http://anti-keyloggers.com )
How to prevent this malware?



Update anti-virus software
Use the exfiltration process
Set up firewall rules for the file transfer from a system
41
Chapter 01: Threats, Attacks, and Vulnerabilities

Use keylogger scanner
Remote access Trojans (RATs)
Remote Access Trojans (RATs) are malicious programs running on systems and allowing
intruders to remotely access and use a system. They mimic legitimate remote control
programs used for remote administration but are used for sinister purposes instead of
helpful activities. Several RAT programs are available to the hacker (Back Orifice,
SubSeven, Netbus, and others). Once the RAT is loaded on the victim’s system, the
attacker can download or upload files, send commands, monitor user behaviors, install
zombie software, activate the webcam, take screenshots, alter files, and use the
compromised system as he pleases.
Lab 1-01: HTTP RAT Trojan
Case Study: Using HTTP RAT Trojan, create an HTTP Remote Access Trojan (RAT)
server on a Windows 7 machine (10.10.50.202). When a Trojan file is executed on the
remote machine (in our case, Windows Server 2016 with the IP address 10.10.50.211), it
will create remote access to Windows Server 2016 on Windows 7.
Configuration and Procedure:
Go to a Windows 7 machine and run the HTTP RAT Trojan.
1. Uncheck “send a notification with IP address to mail.”
2. Configure Port.
3. Click “Create.”
42
Chapter 01: Threats, Attacks, and Vulnerabilities
In the default directory where the application is installed, see a new executable file.
Forward this file to the victim’s machine.
4. Log in to the victim’s machine (in our case, Windows Server 2016) and run the file.
5. Check the task manager for a running process; you will see an HTTP Server task is
in process.
43
Chapter 01: Threats, Attacks, and Vulnerabilities
6. Go back to Windows 7.
7. Open a Web browser.
8. Go to the IP address of the victim’s machine; in our case, 10.10.50.211.
The HTTP connection is open from the victim’s machine. You can check running
processes and browse drives. You can also check the computer information of the victim
by using this tool.
9. Click “Running Processes.”
44
Chapter 01: Threats, Attacks, and Vulnerabilities
In the above output, the “running process” of the victim’s machine is shown.
10. Click “Browse.”
The output shows drives.
11. Click “Drive C.”
45
Chapter 01: Threats, Attacks, and Vulnerabilities
Output showing C drive.
12. Click “Computer Information.”
The output shows computer information.
13. To terminate the connection, click “Stop_httpRat.”
46
Chapter 01: Threats, Attacks, and Vulnerabilities
14. Refresh the browser.
The connection is successfully terminated.
15. Go to Windows Server 2016 and check the running processes.
47
Chapter 01: Threats, Attacks, and Vulnerabilities
The HTTP server process is terminated.
Rootkits
A collection of software designed to distribute privileged access to a remote user over
the targeted system is referred to as RootKits. Typically, rootkits are the group of
malicious software deployed after an attack. Once an attacker has administrative access
to the target system and can maintain privileged access for the future, it creates a
backdoor for the attacker. Rootkits frequently mask the existence of its software that
helps to avoid detection.
Rootkits Types

Application Level Rootkits
48
Chapter 01: Threats, Attacks, and Vulnerabilities
Application Level of Rootkits accomplishes manipulation of standard application
files and change of the behavior of the current application with an injection of
codes.

Kernel-Level Rootkits

The kernel is the core of an OS. Kernel-Level Rootkits are created by adding
additional codes (malicious) or replacing the original Operating System kernel
sections.
Hardware/Firmware Level Rootkits
Hardware/Firmware Level Rootkits are the type of rootkits that hide in hardware
such as the hard drive, network interface card, system BIOS that are not
inspected for integrity. These rootkits are built into chipsets and are used to
recover stolen computers, delete data, or render them useless. Furthermore,
rootkits raise privacy and security concerns due to undetectable spying.

Hypervisor Level Rootkits

Hypervisor Level Rootkits exploit hardware features like AMD-V (Hardwareassisted virtualization technologies) or Intel VT, which hosts the target OS as a
virtual machine.
Boot Loader Level Rootkits
Bootloader Level Rootkits (Bootkits) replace a legitimate boot loader with a
malicious one, enabling the Bootkits to activate before an OS run. Rootkits are a
serious threat to system security as they can infect startup codes such as the
Master Boot Record (MBR), Volume Boot Record (VBR), or boot sector. They can
be used to attack full disk encryption systems and hack encryption keys and
passwords.
Rootkit Tools




Avatar
Necurs
Azazel
ZeroAccess
Backdoor
It involves deploying a Backdoor on an organization’s computer to gain unauthorized
access to the private network.
Some other types of IoT attacks include:


Eavesdropping
Sybil Attack
49
Chapter 01: Threats, Attacks, and Vulnerabilities






Exploit Kits
Man-in-the-Middle Attack
Replay Attack
Forged Malicious Devices
Side-Channel Attack
Ransomware Attack
Password attacks
Passwords should never be sent or stored in plaintext. Most operating systems and
applications run passwords through hashing algorithms, which generate hash values,
also known as message digest values. The following practices should be followed to
properly protect an environment against password attacks:
• Passwords should not be sent in cleartext.
• Encryption algorithms or hashing functions should be used to encrypt the passwords.
• One-time password tokens should be used.
• Difficult-to-guess passwords should be used.
• Change passwords regularly.
• An Intrusion Detection System (IDS) to detect suspicious behavior should be used.
• Dictionary-cracking tools should be used to find weak passwords that users have
chosen.
• Make use of special characters, numbers, and upper- and lowercase letters.
Password Attacks Types
Password attacks are classified as one of three types:
1.
2.
3.
4.
Spraying
Dictionary
Brute force
Rainbow tables
5. Plaintext/unencrypted
Dictionary Attack
In a Dictionary Attack, a password-cracking application is used along with a dictionary
file. This dictionary file contains the entire dictionary or a list of known and common
words that can be used to try to recover a password. It is the most basic type of password
cracking, and systems that use strong, unique, and alphanumeric passwords are usually
not vulnerable to dictionary attacks.
50
Chapter 01: Threats, Attacks, and Vulnerabilities
Exam Tip:
L0phtCrack is a password recovery and auditing application. It is used to test the
strength of passwords and, on occasion, to recover lost Microsoft Windows passwords
using a dictionary, brute-force, hybrid attacks, and rainbow tables.
Brute Force Attack
A Brute Force Attack attempts to recover a password by trying every possible
combination of characters. Each combination pattern is tried until the password is
accepted. Brute forcing is the most common and basic technique for uncovering
passwords.
Online:
The usage of proxy servers to provide internet anonymity has grown in popularity over
time. Some people use it to keep their surfing habits hidden from others, allowing them
to have more personal freedom and privacy. The same functionality is used by attackers
to ensure that their activities cannot be traced back to their local computers.
The following are some of the most popular online services:





Google Earth
Google Map
Bing Map
Wikimapia
Yahoo Map
Offline:
It is common for hackers to first determine whether an intrusion detection system (IDS)
is present on the network they intend to attack. If one exists, the attacker may use a
denial-of-service attack to bring it down. These activities aim to either disable the IDS
or distract network and security personnel so that they are busy chasing the wrong
packets while the real attack occurs.
Rainbow Table
The Rainbow Table is a table that contains every possible password and has performed
all of the calculations. It is also known as a "pre-built set of hashes." The password can
be determined in a few seconds by matching up the hashes, but it does not work with
salted hashes.
Using a rainbow table to compare passwords is an example of an offline attack. Every
possibility To generate a rainbow table, every possible combination of characters is
computed for the hash. The attacker captures the target's password hash and compares
it to the rainbow table when a rainbow table contains all possible precomputed hashes.
51
Chapter 01: Threats, Attacks, and Vulnerabilities
The Rainbow table has the advantage of having all hashes precomputed. As a result, it
only takes a few moments to compare and reveal the password. A rainbow table's
limitation is that it takes a long time to generate a rainbow table by computing all
hashes.
The utilities you can use to generate rainbow tables are winrtgen, GUI-based generator,
rtgen, and command-line tool. The following hashing formats are supported:

MD2

MD4

MD5

SHA1

SHA-256

SHA-384

SHA-512 and more hashing types
Exercise
Open Winrtgen application, Click Add table button
table.
to add a new Rainbow
As needed, choose Hash, Minimum length, Maximum length, and another property.
52
Chapter 01: Threats, Attacks, and Vulnerabilities
Choose a Charset value; possibilities include Alphabets, Alphanumeric, and various
character combinations, as indicated in the diagram below.
Click Benchmark Button
to Estimate Hash Speed, Step Speed, Table PreComputation time, and other parameters.
Click Ok
to proceed.
53
Chapter 01: Threats, Attacks, and Vulnerabilities
Click Start to Compute.
Compiling all hashes will take a long time.
54
Chapter 01: Threats, Attacks, and Vulnerabilities
Once completed, the Window Table can be found in the directory.
Plaintext/Unencrypted
The attacker has encrypted data as well as plain text in this type of attack. The plain text
assists an attacker in breaking the cryptography, and it is referred to as a "crib."
Physical attacks
Physical attacks involve breaching the physical security that protects information
systems. It can be as simple as walking into a building and sitting down at a computer
system in a facility with low physical security or public access. Here is a list of some of
the different types of physical assaults:





Malicious universal
Serial Bus (USB) cable
Malicious flash drive
Card cloning
Skimming
55
Chapter 01: Threats, Attacks, and Vulnerabilities
Supply Chain Attacks
A supply chain attack is a cyber-attack that seeks to harm an organization by focusing
on less secure supply chain elements. Supply chain testing is typically directed at
companies and organizations that the client organization wishes to examine to
determine whether suppliers have adequate security controls in place. It is common
practice to request audit and assessment documentation from suppliers.
Cloud-based vs. On-premises Attacks
Cloud-based
Cloud-based DLP is used by many organizations, which is between the users and the
internet. Every bit that goes through the DLP tool means it watches every bit of network
traffic. Everything takes place in the cloud, and no hardware or software is required for
this purpose.
Cloud-based systems Cloud Computing is an advancement in architecture where
computing devices are outsourced to a third party. By renting a virtual machine hosted
by a trusted third party, cloud computing eliminates the need for on-premises devices.
This type of remote computing improves efficiency, performance, scalability, and
security. There are three types of cloud computing models. Cloud Computing Service
Types The three types of cloud computing services are as follows:
● Infrastructure-as-a-Service (IaaS)
● Platform-as-a-Service (PaaS)
● Software-as-a-Service (SaaS)
On-premises
It is a type of model that uses the same legacy IT infrastructure and runs cloud resources
within its own data center. It is also called the private cloud to provide dedicated
resources while maintaining total control and ownership of the environment.
Cryptography Attacks
Cryptography attacks are intended to recover an encryption key. Once an attacker
obtains the encryption key, they can decrypt all messages. Weak encryption algorithms
are vulnerable to cryptographic attacks. Cryptanalysis is the process of identifying flaws
in a code, encryption algorithm, or key management scheme. It can be used to either
strengthen or decrypt a cryptographic algorithm.
Birthday
A type of cryptographic attack that takes its function and exploits it through the
birthday problem in probability theory states that there is a 50% chance that two people
56
Chapter 01: Threats, Attacks, and Vulnerabilities
share the same birthday in a class of 23 students. The following equation can be used in
mathematics:
1.25
k
1/2
k = the size of the set of possible values
Collisions
Collision refers to the hash collision that means two different plaintexts have the same
hash value. This is a rare condition that should not exist in a hash algorithm. The
hashing process accepts an infinite number of inputs and produces a finite number of
outputs. Consider the following scenario: an attacker discovers a hash collision between
a legitimate and an altered document. The attacker can now easily fool the target while
remaining undetected.
Figure 1-05: Hash Collision
Downgrade
The use of some weak cryptographic algorithm instead of a strong algorithm may result
in a downgrade attack. For example, a downgrade attack was used in 1995 with web
servers.
57
Chapter 01: Threats, Attacks, and Vulnerabilities
Mind Map
Figure 1-06: Mind Map of Potential Indicators
Web Application Attacks
Other web application related attacks include:







Cookie Tampering
DoS Attack
SQL Injection
Session Hijacking
Cross-Site Request Forgery (CSRF) Attack
Cross-Site Scripting (XSS) Attack
Buffer Overflow
Privilege Escalation
This network intrusion assault takes use of programming faults or design defects to give
the attacker enhanced access to the network and its data and applications. A design
flaw, bug, or configuration oversight in a software application or operating system is
exploited with privilege escalation to access applications or user-protected resources.
An unauthorized user will not always be provided full access to a targeted system. The
privilege escalation is essential in these circumstances. The privilege escalation is of two
types: vertical and horizontal.
Privilege Escalation is further more classified into two types:
1.
Horizontal Privileges Escalation
58
Chapter 01: Threats, Attacks, and Vulnerabilities
2.
Vertical Privileges Escalation
Horizontal Privileges Escalation
In Horizontal Privileges Escalation, an attacker tries to take command of the privileges
of another user with the same set of privileges on their account. Horizontal privileges
escalation occurs when attackers attempt to access the same set of resources allowed
for a particular user.
Consider an example of horizontal privileges escalation where you have an Operating
System with multiple users, including an Administrator having full privileges, User A
and User B, and so on, with limited privileges for running applications only (so not
allowed to install or uninstall any application). Each user is given the same level of
access. User A gains access to User B by exploiting any weakness or vulnerability. User
A can now control and access User B's account.
Escalation of Vertical Privileges
In order to escalate privileges to a higher level, an attacker must first get access to the
system in Vertical Privileges Escalation. Vertical privilege escalation occurs when an
attacker tries to gain access, most commonly to the administrator account. Higher
privileges grant the attacker access to sensitive information and install, modify, and
delete files and programs such as viruses and Trojans.
Privilege Escalation Using DLL Hijacking
Applications need Dynamic Link Libraries (DLL) to run executable files. Most
applications search for DLL in directories in the Windows Operating System rather than
using a fully qualified path. Taking advantage of this legitimate DLL replaces malicious
DLL. Malicious DLLs are renamed legitimate DLLs. These malicious DLLs replace
legitimate DLLs in the directory; the executable file will load malicious DLL from the
application directory instead of the real DLL.
59
Chapter 01: Threats, Attacks, and Vulnerabilities
Figure 1-07: Vertical Privilege Escalation
Cross-site Scripting
The acronym for Cross-site scripting is XSS. A cross-site scripting attacker conducts a
scripting attack by sending a crafted link containing a malicious script. The script will
be executed when the user clicks on this malicious link. This script could be
programmed to extract Session IDs and send them to the attacker. An attacker performs
a Cross-site Scripting Attack by sending a crafted link with a malicious script. When the
user clicks the malicious link, the script is executed. This script might be coded to
extract and send the session IDs to the attacker.
Cross-site Request Forgery Attack
A Cross-site Request Forgery (CSRF) attack is the process of obtaining a legitimate user’s
session ID and exploiting the active session with the trusted website to perform
malicious activities.
Injections
In an Injection Attack, the system accepts data from a user without any validation.
Untrusted input is supplied to a program. An interpreter processes it as part of a
command that alters the execution of the program.
Injection attacks are of four types:




Structured Query Language (SQL)
Dynamic-Link Library (DLL)
Lightweight Directory Access Protocol (LDAP)
Extensible Markup Language (XML)
Structured Query Language (SQL)
SQL Injection Attacks use SQL websites or web applications. They rely on the strategic
injection of malicious code or script into existing queries. This malicious code is drafted
to reveal or manipulate data stored in the tables within the database. It is a powerful
and dangerous attack that finds vulnerabilities in a website or application. The concept
of SQL injection is to inject commands to reveal sensitive information from the
database, which results in a high-profile attack. It is used to add, modify, and delete
data in the database.
Dynamic Link Library (DDL)
DLL (Dynamic Link Library) injection is the process of inserting a library into a program
that contains a specific vulnerability. DLL injection also provides a point of entry for
60
Chapter 01: Threats, Attacks, and Vulnerabilities
threat actors. Applications need Dynamic Link Libraries (DLL) to run executable files.
Most applications search for DLL in directories in the Windows Operating System
rather than using a fully qualified path. Taking advantage of this legitimate DLL replaces
malicious DLL. Malicious DLLs are renamed legitimate DLLs. These malicious DLLs
replace legitimate DLLs in the directory; the executable file will load malicious DLL
from the application directory instead of the real DLL.
Figure 1-08: Dynamic-Link Library Injection
Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) acronym for Lightweight Directory
Access Protocol LDAP is a free and open internet protocol. The LDAP is a protocol for
accessing and maintaining hierarchical and logical distributed directory information
services. A directory service is useful because it allows users, systems, networks, and
service information to be shared across the network. LDAP provides a centralized
location for storing usernames and passwords. To validate users, applications and
services connect to the LDAP server. THE CLIENT STARTED an LDAP session sending
an operation request to the Directory System Agent (DSA) via TCP port 389. The
communication between client and server uses Basic Encoding Rules (BER). Directory
services using LDAP include:





Active Directory
Open Directory
Oracle iPlanet
Novell eDirectory
OpenLDAP
Pointer/Object Dereference
Dereferencing a pointer is the process of inquiring about the value stored in the memory
addressable by the pointer. The program may dereference a null pointer, resulting in a
61
Chapter 01: Threats, Attacks, and Vulnerabilities
Null Pointer Exception. Null pointer errors are typically caused by a breach of one or
more programmer assumptions. The attacker may use the resulting exception to
circumvent security logic or cause the application to reveal debugging information
useful in planning future attacks.
Directory Traversal
Directory Traversal Attack is a type of attack in which an attacker attempts using a trial
and error method to access restricted directories by applying dots and slash sequences.
Through accessing the directories outside the root directory, the attacker can reveal
sensitive information about the system. Access to web content should be controlled
properly for running a secure web server. Directory traversal is an HTTP attack in which
restricted directories are allowed, and the commands are executed outside the root
directory of the web server’s commands.
This vulnerability can also exist in the web application code or the web server software
itself.
A directory traversal attack is simple to carry out if you know where to look for any
default files and folders on the system and have access to a web browser.
The main levels of security mechanisms for web servers are:


Access Control Lists (ACLs)
Root directory
Access Control Lists
These are used in the authorization process. A web server’s administrator uses this list
of users or groups authorized to access, execute, or modify particular files on the server
and other access rights.
Root Directory
It is a directory on the server file system to which users are confined: they can access
nothing above this root.
For example, if the default root directory were C:\Inetpub\wwwroot, access
to C:\Windows is not possible, but access to any other directories under the root
directory is possible. Users are prevented from accessing any files on the server through
the root directory. The prevented file may include the /etc/passwdfile on Linux/UNIX
platforms and C:\WINDOWS/system32/win.ini on Windows platforms.
Opening an Opportunity to an Attacker
This vulnerability allows stepping out of the root directory. Also, other parts of the file
system can be accessed. The attacker can view the restricted files, which could help
provide more information to further compromise the system.
62
Chapter 01: Threats, Attacks, and Vulnerabilities
An attacker can use a system vulnerable to directory traversal to exit the root directory
and access other parts of the file system. It may allow the attacker to view restricted
files, which may provide him/her with additional information to further compromise
the system. Access depends on what the user has been permitted to access in the system.
Directory Traversal Vulnerabilities Check
A Web Vulnerability Scanner is used to check whether a website and web applications
are vulnerable to directory traversal attacks. In this scan, the entire website is
automatically checked for directory traversal vulnerabilities. Further, a report on
existing vulnerabilities and how to fix them is generated. As well as directory traversal
vulnerabilities, SQL injection, cross-site scripting, and other web vulnerabilities are also
checked.
Preventing Directory Traversal Attacks
The first step is to ensure that the latest version of your web server software is installed
and all patches have been applied.
Secondly, user input is filtered effectively, which includes the data that is known to the
user. Only the data entered in the field will be submitted to the server.
Buffer Overflow
One of the most common types of operating system attacks is a buffer overflow. It has
something to do with software exploitation attacks. A buffer overflow occurs when a
program or application lacks well-defined boundaries, such as restrictions or predefined functional areas regarding the amount of data it can handle or the type of data
inputted. It causes Denial-of-Service (DoS) problems, rebooting, gaining unrestricted
access, and freezing.
What causes it to happen?



Owing to an overabundance of data in the buffer memory
When a program or process attempts to write more data to a fixed-length block
of memory (a buffer)
Coding errors
The impact of buffer overflow is that it provides an entry point for threat actors as well
as causing the system to crash or abort the program.
How to prevent it?
Open Web Application Security Project (OWASP) defines some general techniques to
prevent buffer overflows include:
63
Chapter 01: Threats, Attacks, and Vulnerabilities





Code auditing (manual or automated) Developer training – bounds checking, use
of unsafe functions, and group standards
Non-executable stacks – many operating systems support this in some way
Compiler tools – StackShield, StackGuard, and Libsafe, among others
Safe functions -Use strncat instead of strcat, strncpy instead of strcpy, and so on.
Patches – Keep your web and application servers fully patched, and keep an eye
out for bug reports relating to applications on which your code depends.
Scan your application regularly with one or more widely available scanners that
look for buffer overflow flaws in your server products and custom web
applications.
Race Conditions
When a computing system is forced to perform two or more operations simultaneously,
the condition is called a race condition. The system was designed to handle tasks in a
specific sequence. A time gap between the moment a service is initiated and the
moment a security control takes effect is beneficial for the technique.
The race condition comes either with untrusted processes causing interference or a
trusted process causing interference; the attack depends on multithreaded applications.
In a race condition, different processes can interfere with each other without having
proper control. This vulnerability is also referred to as Time of Check/Time of Use or
TOC/TOU attacks.
How a Race Condition Attack Takes Place
Race condition attack shows the vulnerability when dealing with web applications,
networking environments, and file systems. Its target list includes an access control list,
financial ledger, payroll or human resources database, transactional system, or another
data repository. In this attack, there is a very small window of opportunity available for
attackers to exploit. This attack offers some unintended consequences, but still, they
are difficult to be detected.
Anatomy of a Race Condition Flaw
An application or database updating, i.e., numbers, names, and the most current state
of information, may result in a race condition attack because, during the update process,
the database is not completely rewritten. The update then results in a gap that can last
less than a second or up to a few minutes and makes the system unprotected. This gap
period allows an attacker to send queries for compromising the system, and a race
condition attack result.
64
Chapter 01: Threats, Attacks, and Vulnerabilities
Impact of a Race Condition Attack
After compromising the system with a race condition attack, it becomes possible to steal
data, alter, manipulate, and insert malicious code, make changes to privileges, and
deactivate security controls.
Error Handling
Encountering errors and exceptions in an application is common and needs to be
handled securely. One attack methodology forces an error to move applications from
normal to exceptional handling. If the exception handling is incorrect, it can lead to a
wide range of disclosures. For example, SQL errors disclose data elements and
structures. RPC (Remote Procedure Call) errors can disclose sensitive information such
as server, filename, path, and programmatic errors, such as stack element or line
number on which an exception occurred.
Lack of Error Handling
The error message includes sensitive information about its users, environment, and
associated data. The error information provided by the server may be used to launch a
more focused attack. For example, a path traversal weakness exploitation in any
application produces the complete pathname of the installed application, which may
provide a way to find the proper number of and sequences to navigate to the targeted
file. The query logic and even passwords or other sensitive information used within the
query are revealed with an error message, which may be used for a later attack or private
information stored in the server. The implementation of an architectural security tactic
causes this weakness.
Example of Error Handling
The function “Get User Bank Account” retrieves a bank account object from a database
using the specified username and account number to query the database. An error
message is generated and written to a log file when a SQL Exception occurs while
querying the database. Sensitive information about the database query is included in
the error message that exposes the table name and column names used in the database.
This information simplifies other attacks, such as SQL injection, to access the database
directly.
Error Handling Implementation
Ensure that error messages only contain information relevant to the intended audience
and no one else. The messages must strike a balance between being too cryptic and
being insufficiently cryptic. They are not required to reveal the methods used to
determine the error. Such detailed information can be used to improve the original
attack's chances of success.
65
Chapter 01: Threats, Attacks, and Vulnerabilities
If errors must be tracked in some detail, capture them in log messages, but consider
what might happen if attackers can view them. Passwords, for example, should never be
recorded in any form. Avoid inconsistent messaging that could accidentally reveal
internal states to an attacker, such as whether a username is valid or not.
Exceptions should be handled internally, and errors containing potentially sensitive
information should not be displayed to the user.
Overly Verbose Error Handling
The risk may also be presented with overly verbose error handling routines. The detailed
explanation of the inner workings of code invites an attacker to exploit the code. For
example, an error message appearing on a website may contain details of the SQL query
by which the table structure is determined and assist in carrying out an attack.
Improper Input Handling
As we move toward web-based applications, errors have shifted from buffer overflow to
input handling issues. Improper Input Handling is the primary cause of an injection
attack, memory overflow, or structure error. Allowing invalid inputs can be disastrous.
When handling input, trust no one and handle all of it properly. The impact of improper
input handling is the increase of the attacker’s privilege level.
Replay Attack
In a Replay Attack, an attacker captures packets using a packet sniffer tool. After
capturing packets, relevant information such as passwords is extracted. An attacker
gains access to the system by generating replay traffic with the injection of extracted
information.
Session Replay Attack
Another technique for session hijacking is the Session Replay Attack. Attackers steal the
authentication token intended for the server from users and use it to replay the request
to the server, resulting in unauthorized access to the server.
Resource Exhaustion
When the system lacks all of the resources required for the function to function, this is
referred to as resource exhaustion. A system failure is the result of this type of
vulnerability.
Memory Leak
When memory is allocated during program execution and never unassigned after use,
it eventually consumes all available memory, causing the system or application to crash.
66
Chapter 01: Threats, Attacks, and Vulnerabilities
Secure sockets layer (SSL) stripping
Secure Sockets Layer (SSL) is a newer VPN technology that operates at a higher layer in
the OSI model than the VPN protocols previously discussed. It protects HTTP traffic by
working at the transport and session layers of the network stack. Because most online
browsers already have SSL capability, deployment and compatibility difficulties are low.
• Works at the transport layer and protects mainly web-based traffic
• Granular access control and configuration are available
• Easy deployment since SSL is already embedded into web browsers
• Can only protect a small number of protocol types, thus is not an infrastructure-level
VPN solution
Pass the Hash
A Pass the Hash (PtH) attack is an exploit in which an attacker captures a hashed
username and password or other credentials and uses the hash directly without cracking
it. This attack bypasses the standard authentication layers that require a clear text
password and directly enters the portion of authentication that uses the hash password.
Mind Map
Figure 1-09: Mind Map of Application Attacks
Network Attacks
The Cisco NGIPS Solution offers comprehensive network visibility, automation, security
intelligence, and next-generation protection. To detect emerging sophisticated network
67
Chapter 01: Threats, Attacks, and Vulnerabilities
attacks, it employs the most advanced and effective intrusion prevention capabilities. It
continuously collects network information, such as operating system information, file,
and application information, device and user information. This data assists NGIPS in
determining network maps and host profiles, providing context for making better
decisions about intrusive events.
A replay attack is a type of network attack in which legitimate data transmission is
maliciously or fraudulently repeated to gain unauthorized access.
Wireless
Wireless networks are a very common and popular technology. Because of the ease and
mobility of the wireless network, it has been replacing the installation of wired
networks. Using wireless networks increases not only mobility but also flexibility for
end-users. One more advantage of wireless technology is that it helps connect remote
areas where wired technology is difficult to implement. In the early days of wireless
technology, the network was not secure enough to protect information. However, many
encryption techniques are used nowadays to secure wireless communication channels.
Wireless Network Concepts
A wireless network is a type of computer network that can send and receive data over a
wireless medium such as radio waves. The primary benefit of this type of network is the
lower cost of wires and devices and the ease of installation compared to the complexity
of wired networks. Wireless communication is typically based on radio communication.
Depending on the requirements, different frequency ranges are used for various types
of wireless technology. Cell phone networks, satellite communications, microwave
communications, and other wireless networks are the most common examples.
Personal, Local, and Wide Area Networks are common applications for these wireless
networks.
The most common types of Wireless networks are:
 Evil Twin
 Rogue Access Point
 Bluesnarfing
 Bluejacking
 Disassociation
 Jamming
 Radio Frequency Identifier (RFID)
 Near-Field Communication (NFC)
 An Initialization Vector (IV)
68
Chapter 01: Threats, Attacks, and Vulnerabilities
Evil Twin
In an Evil Twin attack, an attacker facilitates a fraudulent Wi-Fi access point or any
other radio device that appears legitimate but is set up to compromise wireless
communication. An evil twin attack may be used to steal passwords and other
credentials without user knowledge. An attacker creates an evil twin with internet
devices and smartphones or some open source software by creating an easy access
hotspot and placing the device near the target with a strong signal.
Rogue Access Point
A Rogue Access Point Attack is a technique whereby a legitimate wireless network is
replaced with a rogue access point, usually with the same SSID. The user assumes the
rogue access point as the legitimate access point and connects to it. Once a user is
connected to the rogue access point, all traffic will direct through it, and the attacker
can sniff the packet to monitor activity.
Bluesnarfing
Bluesnarfing is another technique in which attackers steal information from Bluetoothenabled devices. In Bluesnarfing, attackers exploit the security vulnerabilities of
Bluetooth software, access Bluetooth-enabled devices, and steal information such as
contact lists, text messages, email, etc.
Bluejacking
In a Bluejacking attack, someone sends an unsolicited message to a Bluetooth-enabled
device. Bluejackers search for a receiving device (phone, PDA, tablet PC, or laptop) and
then send data to the ISP. Often, the Bluejacker attempts to send someone else their
business card, which will be added to the victim's address book contact list. Someone
sends an unsolicited message to a Bluetooth-enabled device in a Bluejacking attack.
Bluejackers look for a receiving device (PDA phone, tablet PC, or laptop) before sending
data to the ISP. Often, the Bluejacker will try to send their business card to someone
else, which will be added to the victim's address book contact list.
Note:
Bluesnarfing is unauthorized access from a wireless device through a Bluetooth
connection. It permits access to a calendar, contact list, e-mails, and text messages, and
on some phones, users can copy pictures and private videos.
Jamming
A Jamming Attack uses signals to prevent devices from communicating with each other
as well as with the server.
69
Chapter 01: Threats, Attacks, and Vulnerabilities
Radio Frequency Identifier (RFID)
Radio-Frequency Identification (RFID) uses the electromagnetic field and refers to a
technology whereby a reader reads digital data encoded in labels or tags via radio waves.
It is used to automatically classify and track tags attached to objects or to gain access to
a secured area.
Radio-Frequency Identification (RFID) is a data communication technology that uses
radio waves. An electronic tag is embedded in an object and can be identified and
communicated using a reader. The tag includes an integrated circuit for storing and
processing data, modulating and demodulating an RF signal, and performing other
specialized functions. The reader includes an antenna for receiving and transmitting
signals. For access control purposes, this technology can be integrated into smart cards
or other mobile transport mechanisms. Theft is a common RFID security issue.
RFID (Radio Frequency Identification) attacks include a variety of techniques such as:




Data Capture
Spoof the Reader
Denial of Service
Decryption of Communication
Near Field Communication (NFC)



It is commonly used when the communication is between the mobile device and
a device that is nearby.
They are commonly used in the payment system.
Also used to help with other wireless technologies like, it is used to help the
pairing process for Bluetooth, also used as an identity system where one can
identify themselves using the phone.
Some of the security concerns with NFC are as follows:




It is a wireless network (although short-range), but someone with an antenna
can capture and listen to the conversation.
Someone could jam the frequency and attack through denial of service.
There is also a concern about replay attacks.
If an NFC device is lost, it could be a major security issue because the person who
stole the device will use that NFC instead of the legitimate user.
Initialization Vectors (IV)
Vectors of Initiation Initialization vectors (IVs) are random values used with algorithms
to prevent patterns from forming during the encryption process. They are used in
70
Chapter 01: Threats, Attacks, and Vulnerabilities
conjunction with keys and do not need to be encrypted before being sent to their
destination. If no IVs are used, two identical plaintext values encrypted with the same
key will produce the same ciphertext. Giving attackers these types of patterns can make
it easier for them to break the encryption method and discover the key. For example, if
we have the plaintext value “See Spot run” twice in our message, we must ensure that,
despite the presence of a pattern in the plaintext message, no pattern is created in the
resulting ciphertext. As a result, the algorithm employs both the IV and the key to
increase the randomness of the encryption process. In the below figure, as shown, the
sender and receiver must have the same key to generate the same keystream.
Figure 1-10: Initialization Vectors (IV)
Note: Fig: The sender and receiver must have the same key to generate the same
keystream.
Man-in-the-Middle Attack
A Man-in-the-Middle Attack is the form of attack in which an attacker involves
himself in the communication between other nodes. A MITM attack is defined
as an attacker inserting himself/herself into a conversation between a user and
another user or server by sniffing packets and generating MITM or Replay traffic.
Some utilities for attempting Man-in-the-Middle (MITM) attacks are as follows:



SSL Strip
Burp Suite
Browser Exploitation Framework (BeEF)
71
Chapter 01: Threats, Attacks, and Vulnerabilities
Figure 1-11: MITM Attack
Man-in-the-Browser
In Man-in-the-Browser, the attacker first infects the victim's machine using a Trojan.
The Trojan installs malicious code on the victim’s machine in an extension that modifies
the browser's configuration upon boot. Once a user logs in to a website, the URL is
checked against a known list of the targeted websites. The event handler registers the
event upon detection. Using a DOM interface, an attacker can extract and modify the
values when the user clicks the button. The browser will send the form to the webserver
with the modified entries. Because the browser displays the original transaction details,
the user is unable to identify any interception.
Figure 1-12: Man-in-the-Browser
72
Chapter 01: Threats, Attacks, and Vulnerabilities
Layer 2 attacks
Layer 2 uses the concept of VLANs or Private VLANs (PVLAN) to separate the traffic of
two or more networks. The common layer 2 addresses Resolution Protocol (ARP)
poisoning, Media Access Control (MAC) Flooding, MAC cloning, and so on.
Address Resolution Protocol (ARP) Poisoning
ARP is a stateless protocol that ensures communication within a broadcast domain by
resolving the IP address to MAC address mapping. It is in charge of mapping L3 to L2
addresses. The ARP protocol ensures that IP addresses and MAC addresses are bound
together. The switch can study the associated MAC address information from the reply
of the specific host by broadcasting the ARP request with an IP address. If there is no
map or the map is unknown, the source will be broadcast to all nodes. Only the node
with a coordinating MAC address for that IP will respond to the demand with the MAC
address mapping packet. The switch will feed the MAC address and its connection port
information into its fixed length CAM table.
Figure 1-13: Address Resolution Protocol (ARP) Poisoning Operation
As shown in Figure 1-13, the source generates an ARP query by broadcasting the ARP
packet. A node with the MAC address that the query is destined for will reply only to
the packet. If CAM table entries are full, the frame is flooded out of all ports (other than
the port on which the frame was received). This also occurs when the frame's
destination MAC address is the broadcast address. The MAC flooding technique is used
to turn a switch into a hub, in which the switch starts broadcasting every packet. In this
scenario, each user can catch the packets, even those not intended.
Media Access Control (MAC) Flooding
73
Chapter 01: Threats, Attacks, and Vulnerabilities
MAC flooding is a technique in which an attacker sends random MAC addresses
mapped with random IP to overflow the storage capacity of a CAM table. A switch then
acts as a hub because a CAM table has a fixed length. It will now broadcast the packet
on all ports, which helps an attacker sniff the packet with ease. A Unix/Linux utility,
known as “macof,” offers MAC flooding. Using macof, a random source MAC and IP
can be sent to an interface.
Domain Name System (DNS)
Domain Name System (DNS) includes DNS Poisoning, Cybersquatting, Domain
Hijacking, and Domain Snipping. An attacker may try to spoof by poisoning the DNS
server or cache. The credentials of internal users.
The common Domain Name System (DNS) attack includes:
 Domain hijacking
 DNS poisoning
 Universal resource locator (URL) redirection
 Domain reputation
Domain hijacking
Theft of a cloud service domain name is referred to as domain hijacking. Similarly,
Phishing scams can redirect users to a bogus website. DNS hijacking is a type of attack
in which the threat actor gains access to the Domain registration and controls the traffic
flow.
Poisoning by DNS
DNS poisoning is also referred to as DNS spoofing. In a DNS Poisoning attack, the threat
actor modifies the DNS server so that when a user visits a website, it directs them to the
incorrect site (a malicious site) that they did not intend to visit (or to the site, they were
not going). DNS poisoning is accomplished by replacing the DNS configuration from a
target's web browser. All web queries are directed to a malicious proxy server controlled
by the attacker, redirecting traffic to malicious sites.
There is a distinction to be made between Hijacking and Poisoning. Spoofing involves
poisoning the DNS server's cache, whereas Hijacking involves hacking the router's DNS
settings or planting malware.
A DNS server updates its database if it receives a false entry. DNS servers maintain a
cache in which this entry is updated to provide quick query resolution to improve
performance. This poisonous false entry in DNS translation continues until the cache
expires. Attackers use DNS poisoning to direct traffic to servers and computers owned
or controlled by the attackers.
74
Chapter 01: Threats, Attacks, and Vulnerabilities
How to prevent it?




Do not go to every website you come across.
Create a password that is as strong as possible.
Make use of anti-malware software.
Being proactive can also keep you safe from cyber-attacks.
Universal Resource Locator (URL) redirection
Redirects are the exploitable vulnerabilities to steal user sessions. Destination URLs are
passed by the web applications and then redirected at the end of their operation.
Distributed Denial-of-Service (DDoS)
DDoS is similar to Denial-of-Service in that an attacker generates fake traffic. In a
Distributed DoS attack, multiple compromised systems attack a target to cause a denial
of service. Botnets are used for carrying out a DDoS attack.
A Denial-of-Service (DoS) attack on a system or network results in either denial of
service or services, a reduction in functions and operation of that system, prevention of
legitimate users accessing the resources. In short, a DoS attack on a service or network
makes it unavailable for legitimate users. The DoS attack technique is to generates huge
traffic to the target system requesting a specific service. This unexpected amount of
traffic overloads the system’s capacity and either result in a system crash or
unavailability.
Figure 1-14: Denial-of-Service Attack
75
Chapter 01: Threats, Attacks, and Vulnerabilities
Common symptoms of DoS attacks are as follows:
•
•
•
•
•
Slow performance
Increase in spam emails
Unavailability of a resource
Loss of access to a website
Disconnection of a wireless or wired internet connection
How Distributed Denial-of-Service Attacks Work
Usually, establishing a connection consists of a few steps in which a user sends a request
to a server to authenticate it. The server returns with authentication approval, and the
user acknowledges that approval. Then, the connection is established and allowed onto
the server.
During a denial-of-service attack process, an attacker sends several authentication
requests to the server. These requests have fake return addresses, meaning the server
cannot find a user to send authentication approval. The server usually waits more than
a minute before closing the session. By continuously sending requests, the attacker
causes many open connections on the server, resulting in the denial of service.
Application
A Distributed-Denial-of-Service Attack, as defined earlier, is intended to make the
target’s services unavailable. Using a Distributed-DOS attack, all IoT devices, IoT
gateways, and application servers can be targeted, and flooding requests toward them
can result in a denial of service.
Operational Technology (OT)
Operational Technology is a broad term that covers the operational network of an
organization, usually based on Industrial Control Systems (ICS). ICS refers to a control
system based on devices, systems, and controls used for the operation or function of an
automated industrial process. Different nature of industries utilizes different types of
industrial controls having different functions with different protocols. ICS is used in
almost every industrial sector, such as manufacturing, transportation, energy, aviation,
and many more. The most common ICSs are Supervisory Control and Data Acquisition
(SCADA) systems and Distributed Control Systems (DCS).
Operational technology is defined by the National Institute of Standards and
Technology as "programmable systems" or “devices that interact with the physical
environment." These systems/devices detect or cause a direct change through
monitoring and/or controlling equipment, processes, and events. Industrial control
76
Chapter 01: Threats, Attacks, and Vulnerabilities
systems, building management systems, fire control systems, and physical access
control mechanisms are examples of such systems.
Figure 1-15: Overview of OT Environment
Malicious Code or script execution
Malicious Code is the most common attack in which a file containing malicious code
stored in a USB runs when the user clicks on it. It then activates and installs some viruses
such as a logic bomb or downloads other malware from the internet.
The common Malicious Code or script execution are as follows:





PowerShell
Python
Bash
Macros
Virtual Basic for Applications (VBA)
PowerShell
PowerShell is a command-line shell and related scripting language that gives adversaries
access to almost everything in Windows.
Python
Python is cross-platform, meaning it is run on Linux/Windows as long as it is installed
on the operating system. It is an easily readable scripting language that uses .py file
extensions. It uses block identification (tabs or white spaces) for group statements, and
its second and third version is not backward compatible.
bash
A bash script is created as, place #! /bin/bash at the top of the file. From the current
directory, execute the script as, /script name, and any parameters of anyone’s choice
77
Chapter 01: Threats, Attacks, and Vulnerabilities
could be passed. The #! /path/to/interpreter is found while the shell is executing a
script.
Macros and Visual Basic for Application (VBA)
Macros are programs that are typically used with Microsoft Office products and are
written in Word Basic, Visual Basic, or VBScript. Macros help users automate actions
that they would otherwise have to do manually. Instead of performing each action
separately, users can create a series of activities and common tasks to perform when a
button is clicked. A macro virus is a platform-independent virus built in one of these
macro languages. They infect and proliferate in documents and templates. Macro
viruses are common because they are simple to create, and widely used software such
as Microsoft Office makes heavy use of macros.
A Macro Virus is a kind of virus specially designed for Microsoft Word, Excel, and other
applications using Visual Basic for Application (VBA). Macro languages help automate
and create a new process used abusively by running on a victim's system.
Mind Map
Figure 1-16: Mind Map of Potential Indicators in Network Attacks
78
Chapter 01: Threats, Attacks, and Vulnerabilities
Threat Actors
One of the roles of information security professionals is to proactively define their
organization’s systems and data. It, like any defensive strategy, necessitates knowledge
of the adversary's tactics and motivations. CompTIA's Security+ Exam is intended to
assess candidates' knowledge of the various types of threat actors and their
characteristics.
Adversary Tier
When a company performs a black-box penetration test, one of the first questions it
asks is, "Who would attack us and why?" Answering that question can assist
management in making decisions about how a penetration test will be conducted, what
techniques will be considered in the engagement, the scope of the test, and who will
conduct
it.
Threat actors are frequently rated based on their capabilities. For example, script kiddies
and casual hackers use pre-built tools to conduct their attacks, and most organizations
consider their attacks to be nuisance-level threats. However, as you continue down the
threat actors' adversary tiers as shown below Figure. The likelihood of a successful
attack and compromise increases as professional hackers organized crime. The nationstate–level attackers such as Advanced Persistent Threats (APTs) enter your threat
radar, which means that you should prepare for a breach and plan consequently.
Each of these potential adversaries is likely to have a different goal in mind: hacktivists
may want to make a political or social statement, whereas black hats and organized
crime are more likely to be profit-driven. APT actors are typically focused on the goals
of a nation-state, with other attacks motivated by different objectives.
Figure 1-17: Adversary Tier
79
Chapter 01: Threats, Attacks, and Vulnerabilities
Advance Persistent Threats (APT)
Advance Persistent Threats are the most sophisticated threats for an organization.
These threats require significant expertise and resources along with the combination of
multiple attack vectors. They further require extended foothold and adoption of security
controls placed in the target organization to evade and continually exfiltrate the
information or achieve motives. Moreover, these threats pursue their objective over an
extended period.
Figure 1-18: Advance Persistent Threats
NIST defines advanced persistent threat characteristics as:
Consisting of Multi-Attack-Stage
APT tactics, including pre-requisites and post-conditions
Pursuing its objectives repeatedly over an extended period of time
Stealth between the individual attack steps
Adapting to defenders’ efforts to resist it
Grouped set of adversarial behaviors and resources with common properties
believed to be orchestrated by a single threat actor
7. Determined to maintain the level of interaction desirable to execute its objectives
8. Concerned with what data are exfiltrated and how
1.
2.
3.
4.
5.
6.
A successful APT attack can be extremely beneficial for threat actors because of its
sophistication and targeted nature. There could be extreme political objectives targeting
80
Chapter 01: Threats, Attacks, and Vulnerabilities
military, defense, and other sensitive government bodies if state-sponsored. In smaller
scope, APTs can be significant for competitive outcomes.
Insider Threat
One of the greatest dangers that associations face is insider threats. These incorporate
the accidental loss of information of on-screen characters who take data or bargain
frameworks. In a large number of these cases, the loss of information could have been
relieved or anticipated with powerful penetration testing. However, very few
associations know about the advantages of penetration testing and are making
themselves open to ruptures.
An insider can also misuse a system within a corporate network. Users are termed
“Insiders” and have different privileges and authorization power to access and grant the
network resources.
Figure 1-19: Insider Threat
Hacktivists
Hacktivists draw attention to the target to deliver a message or promoting an agenda.
The expression hacktivism, which joins hack and activism, refers to the utilization of
PCs and some other IT framework or system to discuss and continue a political issue,
advance free speech, and support human rights. Hacktivism is fundamentally
deciphered by society as the transposition of a challenge and the common noncompliance into the internet. Hacktivism is the utilization of innovation to express
dispute. From a security point of view, there are two schools of thought: One considers
hacktivists cybercriminals to be arraigned; the other, despite being aware of the hazard
81
Chapter 01: Threats, Attacks, and Vulnerabilities
they speak up for, is a voice to listen to. It has definite effects on society with web clients'
propensities, business security, and government strategies.
Script Kiddies
A Script Kiddie, or "skiddie," is somebody who needs to have software understanding
and uses existing programs to dispatch an attacker. They are most likely to only use prebuilt attack tools and techniques. More advanced attackers will customize existing tools
or even build new tools and techniques to compromise a target. Frequently, a script
kiddie will utilize these projects without knowing how they work or what they do. For
instance, imagine a youngster getting their first PC. The kid watches a motion picture
about hacking and, after that, downloads a duplicate of Kali Linux. They start playing
with different projects while hunting down online instructional exercises. They might
think of it as just a web troll because of their absence of experience.
Note: Script kids lack the necessary skills to carry out specific attacks without their tools
on the Internet and through friends. Because these people do not necessarily
understand how the attacks are carried out, they are likely unaware of the extent of
damage they can cause.
Criminal Syndicates
A Criminal investigation deals with an allegation of criminal misconduct and violation
of federal, state, or local criminal codes. A criminal investigation occurs when a crime
has been committed, and you work with a law enforcement agency to convict the alleged
committer. It is common to gather evidence for a court of law and share the defense
evidence in such a case. As strong evidence is a key feature of this type of investigation,
using this method to gather information is useful for presenting in a court of law.
Hacker
A hacker can steal information or data such as financial information, business data,
personal data, credit card information, username, and password from a system to which
they do not have authorized access. An attacker gains access by gaining unauthorized
control of the system through various techniques and tools. They have exceptional skills
and abilities in developing software and the exploration of both software and hardware.
Hacking can be done for various reasons, the most common of which are for fun, money,
thrills, or a personal vendetta.
82
Chapter 01: Threats, Attacks, and Vulnerabilities
Figure 1-20: Different Types of Hackers
Google Play Hack
Ibrahim Balic, a Turkish hacker, hacked Google Play twice. He accepted responsibility
for the Google Play attack and claimed to be the mastermind behind the Apple
Developer site attack. He discovered a flaw in the Android operating system while
testing vulnerabilities in Google's Developer Console. He tested the flaw twice to ensure
that it truly existed and then used the results of his vulnerability testing to create an
Android application that exploited the flaw. Users were unable to download
applications, and developers could not upload their applications when the developer's
console crashed.
Competitors
The competitors in the organization are significant threat actors. They may attack with
multiple goals in mind, such as corrupting or stealing data or bringing someone's system
down. Competitive intelligence gathering is a method of gathering information,
analyzing it, and compiling statistics on competitors. The process of gathering
competitive intelligence is non-interfering because it gathers information through
resources such as the internet, the target organization's website, advertisements, press
releases, Annual Reports, Product Catalogues, analyst reports, and agents and
distributors.
Threat Actor Attributes
Internal/External
83
Chapter 01: Threats, Attacks, and Vulnerabilities
Internal threat actors have a significant advantage over external threat actors. They have
a limited approach to the system compared to the user, but this gives them the strength
to continue their attack. On the other hand, external threat actors must go through an
additional step to first gain access to the targeted system.
Level of Sophistication
The higher a threat actor's skill level, the better he or she will lead and plan attacks.
Strong skills result in using the simplest methods, which is directly related to the level
of sophistication.
Resources/Funding
A criminal organization has a large team and budget to continue operations for an
extended period. Advanced Persistence Threats necessitate significant resources to
engage in these types of actions, so long-term resources that large organizations or
states can manage are desired.
Intent/Motivation
The motivation or intention behind any attack can be simple or complex. For example,
the threat actor may simply wish to carry out a technique or steal something valuable.
Vectors
Vectors can be categorized as follows:







Direct access
Wireless
Email
Supply chain
Social media
Removable media
Cloud
Wireless
Wireless networks are a very common and popular technology. Because of the ease and
mobility of the wireless network, it has been replacing the installation of wired
networks. Using wireless networks increases not only mobility but also flexibility for
end-users. One more advantage of wireless technology is that it helps connect remote
areas where wired technology is difficult to implement. In the early days of wireless
technology, the network was not secure enough to protect information. However, many
encryption techniques are used nowadays to secure wireless communication channels.
84
Chapter 01: Threats, Attacks, and Vulnerabilities
Email
A major risk factor is the email system. Therefore, the DLP appliance is used by many
organizations that monitor, track and filter all the inbound and outbound emails.
Supply Chain
In September 2015, the researchers found that many Cisco routers are infected by a
malicious firmware called “SYNful Knock.” This malicious firmware allows the threat
actor to gain backdoor access to the infrastructure devices, creating trust issues. End
users realized that they require vendors in the supply chain who they can rely on to
know where this hardware is coming from. They must also ensure that these critical
devices are not connected to the Internet before security is implemented. It is always
useful to verify in some way that the hardware and the firmware inside of that hardware
are secure.
Social Media
Social media is indeed a blessing, but it easily applies some questions to the system
regarding security. Valuable information must be kept secure from the public sphere as
much as possible. Every company should have some secure boundaries for the
marketing strategies they follow.
Removable Media
In a high-security organization, users should minimize or eliminate the use of
removable media, including any removable storage devices that rely on USB or other
connection methods. It can minimize malicious files coming into the network from the
outside and data leaving the company on tiny storage mechanisms.
Cloud
Cloud-based DLP (Data Loss Prevention) is used by many organizations between users
and the internet. Every bit that goes through the DLP tool means it watches every bit of
network traffic. Everything takes place in the cloud, and no hardware or software is
required for this purpose.
Real-World Scenario
Background
Scams involving executive impersonation are on the rise, costing firms billions of dollars
each year. These crimes can target and victimize organizations of all sizes.
Challenge
A company’s email is compromised or spoofed by using social engineering to assume
the identity of the CEO, company attorney, executive, or a trusted vendor or customer.
85
Chapter 01: Threats, Attacks, and Vulnerabilities
Criminals greatly understand the victim’s normal business practices as a part of their
homework.
The executive impersonation scams are categorized as variations of the FBI's Business
Email Compromise (BEC) scam. BEC is defined to be a sophisticated scam targeting
businesses that work with foreign suppliers and/or businesses that regularly perform
wire transfer payments. The legitimate business email accounts are compromised to
carry out the scam. The unauthorized funds are transferred through social engineering
or computer intrusion techniques. This being said, what are the challenges we face, and
how to resolve the issue?
To resolve this issue, we may consider two scenarios:
Scenario #01
Data Theft:
One or more of the victim company’s executives’ email addresses are compromised in a
data theft scenario. An associate employee responsible for handling payroll or another
company employee’s Personal Identifiable Information (PII) is connected using the
executive’s email address.
Employees in Human Resources, Finance, Payroll, or Audit are the targeted individuals.
The executive’s request often expresses an urgent need for payroll or other PII data. The
crime has recently ramped up due to tax season and the associated urgency to get tax
returns completed.
Scenario #02
Executive EFT and Wire Transfer Request
What appears to be the executive as the initiator of the request is involved in this
scenario. A hacked or spoofed email address is involved in requesting if the executive's
email account is compromised. In many of the cases that took place, the criminals
hacked into the email system, and the normal business process for EFT transfer is
determined. The criminals then send the fraudulent executive email to the company’s
employees. The respective employee is responsible for handling the EFT process and
requests that the EFT be made to a customer, vendor, or financial institution.
The executive is targeted with an email in a variation of the executive wire transfer scam
that appears to be from a trusted party; vendor, customer, or foreign supplier. The prior
successful EFTs that have been completed in the past are matched with the email. Also,
86
Chapter 01: Threats, Attacks, and Vulnerabilities
the faxes or phone calls corresponding to past legitimate requests are involved in many
cases.
Figure 1-21: Typical Scenarios in Executive Impersonation Scams
Solution
How to Protect a Company?
The security awareness training, called the Executive Impersonation Fraud, is a crime
that can help to reduce risk. A fundamental part of security awareness training is
awareness of new crimes and scams in the news. The likelihood that your company will
be victimized is greatly reduced by ensuring that the employees know about this scam.
Following are some key points that are used to head off these types of scams:
* Strong internal prevention processes and procedures should be required for every
company while dealing with all EFT requests. These crimes could be prevented from
occurring by a simple, direct confirmation phone call
* All EFT requests should be held with strict external verification procedures for some
time
* Any request for sensitive data or EFT transfers involving secrecy or quick action should
be viewed as suspect.
* On the suspect’s email messages, use the “Forward” option instead of “Reply” or “Reply
All.” The likelihood of using the legitimate email address from the address book is
increased by forwarding the message to the sender. A spoofed address from the original
email is not used in this case
* Information posted on the company’s websites and social media’s sites should be
restricted and reviewed, and the details of individuals’ job duties and the organizational
structure of the company should be provided
87
Chapter 01: Threats, Attacks, and Vulnerabilities
*Always be aware of the account changes for suppliers while establishing the
relationship. A backup authentication method should be arranged that is separate from
email to avoid interception by the hacker
* An alternative backup method is utilized to authenticate and verify a request before
sending funds or data
*Ongoing security awareness training should be provided for employees to keep them
updated on the latest security scams
Mail services are configured with SPF and DMARC.3 to block spoofed emails from being
allowed into an organization
Conclusion:
The growth of innovative technology and its evolving threats needs to be monitored as
impersonation scams are increasing. The banking Trojan targets need to be analyzed.
The possibility for an organization to be a victim can be reduced by understanding how
these crimes are committed and the various variations and vectors of attacks.
Threat Intelligence sources
Open-source intelligence can also be referred to as open-source threat intelligence. The
term "OPSIT" refers to intelligence data gathered from open or public sources and is
primarily used in law enforcement, national security, and business intelligence.
One of the most important decisions is where to apply one's resources in the complex
environment of cybersecurity defenses. Threat intelligence collects information from
multiple sources that allows a system to focus on its defenses against potential threat
actors.
Open Source Intelligence (OSINT)
Open Source Intelligence (OSINT) uses open-source tools to gather statistics from
widely accessible sources and then analyze them to decide or take some action. OSINT
may be damaging when hackers use it to get knowledge about an organization. Data
from sources that are publicly available are included in OSINT. Information outside a
technology-centric organization is also included in it.
Closed/Proprietary
‘Proprietary’ is something that is owned and controlled by an individual or organization.
Therefore, proprietary data is something that is confined to a business for competitive
use.
Proprietary labeled data can be shared with a group of users other than a competitor.
The label of proprietary alerts the group not to further share that proprietary data. For
protecting proprietary data, the laws of secrecy, copyright, patent are used.
88
Chapter 01: Threats, Attacks, and Vulnerabilities
Vulnerability databases
The U.S. National Vulnerability Database (NVD) was launched by the National Institute
of Standards and Technology (NIST). The CVE entities are input to the NVD, which
automates vulnerability management, security, and compliance management using
CVE entries to provide enhanced information for each entity, for example, fixing
information, severity scores, and impact ratings. Apart from its enhanced information,
the NVD also provides advanced search features such as using an Operating System,
vendor’s name, product name, version number, and vulnerability type, severity, related
exploit range, and impact.
Dark web
Cyber attackers sell credit and debit card details on the Dark Web – their motive is clear
profit. Financial motivations are among the greatest reasons for targeting individuals
and organizations. It is no surprise that, according to Juniper Networks, cybercrime is
estimated to become $2.1 trillion by 2019.
Indicators of compromise
IOCs known as Indicators of compromise are “pieces of forensic data, such as data or
information found in system log entries or files, that identify potentially malicious
activity on a system or network.” Compromise indicators assist information security,
and IT professionals detect data breaches, malware infections, and other threat actors.
Organizations can detect attacks and act rapidly to prevent breaches or limit the
damage by stopping attacks in the early stages by monitoring for indicators of
compromise.
Automated Indicator Sharing (AIS)
The Automated Indicator Sharing (AIS) capability of the Cybersecurity and
Infrastructure Security Agency (CISA) enables the real-time exchange of machinereadable cyber threat indicators and defensive measures to help protect AIS community
members and, ultimately, reduce the prevalence of cyberattacks.
Trusted Automated eXchange of Indicator Information (STIX)/Structured Threat
Information eXpression (STIX) (TAXII)
TAXII (Trusted Automated eXchange of Indicator Information) is the core transport
mechanism for cyber threat information represented in STIX. Through TAXII services,
organizations can share cyber threat information in a secure and automated manner.
The STIX and TAXII communities work closely to ensure that they continue to provide
a full stack for sharing threat intelligence.
89
Chapter 01: Threats, Attacks, and Vulnerabilities
Predictive Analysis
Predictive analytics software applications employ variables that can be measured and
analyzed to forecast the likely behavior of people, machines, and other entities.
Predictive analytics has a wide range of applications. For example, when pricing and
issuing auto insurance policies, an insurance company is likely to consider potential
driving safety variables such as age, gender, location, type of vehicle, and driving record.
Threat Maps
Threat Mapping is another term for Vulnerability Mapping. It entails identifying
weaknesses in an environment, design flaws, and other security concerns that can
misuse an operating system, application, or website. Misconfigurations, default
configurations, buffer overflows, operating system flaws, open services, and so on are
examples of vulnerabilities. To scan a network for vulnerabilities, network
administrators and pen testers can use a variety of tools. Vulnerabilities are classified
into three categories based on their threat level: low, medium, and high. Furthermore,
they can be classified as either local or remote exploit ranges.
File/Code Repositories
Code repositories serve primarily as a central storage location for developers' source
code. Code repositories such as GitHub, Bitbucket, and SourceForge also provide
version control, bug tracking, web hosting, release management, and communications
functions that support software development. Code repositories are wonderful
collaborative tools that facilitate software development, but they also have security risks
of their own. To overcome this, developers must carefully design access controls only to
allow read and/or write access to authorized users.
Research Sources
The Research phase includes collecting information about a target organization. It may
be collected through dumpster diving, scanning an organization’s website, finding
information on the internet, gathering information from employees, etc.
Vendor Websites
Third-party users, such as vendors, consultants, and contractors, require access to
information and related systems in order to perform their job functions. Information
security begins with screening, confidentiality, and non-disclosure agreements.
Academic Journals
The term "vulnerability" is commonly used in the social sciences and policy-making,
health and social care services, and social work to refer to a wide range of groups or
individuals, but it has rarely been ideally defined or analyzed. The aim is to analyze and
clarify the concept for social work research critically. It is also important to recognize
the temporal, situational, relational, and structural nature of vulnerability.
90
Chapter 01: Threats, Attacks, and Vulnerabilities
Vulnerability Feed
Vulnerability management solutions, like any technology product, require care and
feeding. Regular maintenance of the vulnerability scanner should be conducted to
ensure the vulnerability feeds and the scanning software remain up to date.
Request for Comments (RFC)
A Request for Comments (RFC) is a formal document drafted by the Internet
Engineering Task Force (IETF) that describes the specifications for a particular
technology. Once an RFC is ratified, it becomes a formal standards document.
Conferences
To maximize the effectiveness of disaster recovery procedures, a training and awareness
campaign is beneficial. Occasionally, technical teams will gain disaster recovery
knowledge while attending training classes or conferences on the technology. But it is
also essential to train in disaster recovery procedures and policies for the organization.
Adversary Tactics, Techniques, and Procedures (TTP)
Tactics, Techniques, and Procedures (TTP) describe a method of analyzing an APT's
operation or can be used to profile a specific threat actor. Tactics refer to how an
adversary chooses to carry out his attack from start to finish. Finally, the organizational
approach of the attack is defined by the threat actor's procedures. To understand and
fight the enemy, one must first understand the attacker's Tactics, Techniques, and
Procedures (TTP). Knowing an adversary's tactics can help predict upcoming attacks
and detect those in the early stages. Understanding the Techniques used during the
campaign allows the organization to identify its blind spots and implement
countermeasures ahead of time. Finally, analyzing the adversary's procedures can help
to understand what the adversary is looking for within the target's infrastructure.
TTP described within this research is meant to show the complexity of the life-cycle
rather than provide an exhaustive list. Furthermore, it is demonstrated that attackers
can use readily available tools to carry out certain stages of the attack, allowing them to
focus on the tactical aspect rather than developing tools.
91
Chapter 01: Threats, Attacks, and Vulnerabilities
Mind Map
Figure 1-22: Mind Map of Threat actors
Vulnerability Assessment
Vulnerability is a weak point or loophole in any system or network that attackers can
exploit to gain access to the system. Any vulnerability can be used as an entry point to
their target.
Vulnerability assessment is the process of examining, identifying, and analyzing a
system's or application's ability to withstand any threat, including security processes
running on the system. Vulnerability assessment allows you to identify system flaws,
prioritize vulnerabilities, and estimate the need for and effectiveness of any additional
security layer.
Types of Vulnerability Assessment
Following are the types of vulnerability assessment:
92
Chapter 01: Threats, Attacks, and Vulnerabilities
1.
2.
3.
4.
5.
6.
7.
8.
Active Assessment
Passive Assessment
Host-based Assessment
Internal Assessment
External Assessment
Network Assessment
Wireless Network Assessment
Application Assessment Network
Vulnerability Assessment Methodology
A network vulnerability assessment examines the potential for an attack and
vulnerabilities in a network. The phases of a Network Vulnerability Assessment are as
follows:
Figure 1-23: Network Vulnerability Assessment Methodology
Acquisition
The Acquisition phase compares and reviews previously identified laws, vulnerabilities,
and procedures related to network vulnerability assessment.
Identification
Interaction with customers, employees, administration, or other people involved in
network architecture design during the Identification phase to gather technical
information.
93
Chapter 01: Threats, Attacks, and Vulnerabilities
Analysis
The information gathered is reviewed in the Analysis phase. It entails the following
steps:
• Reviewing information
• Analyzing the results of earlier recognized vulnerabilities
• Risk assessment
• Vulnerability and risk analysis
• Evaluating the effectiveness of existing security policies
Evaluation
The Evaluation phase includes:
• Inspection of identified vulnerabilities
• Identification of flaws, gaps in an existing network, and required security
considerations in a network design
• Determination of security controls required to resolve issues and vulnerabilities
• Identification of the required modification and upgrades
Generating Reports
Reports are written during the Reporting phase to document the security event and to
present to higher authorities such as a security manager, board of directors, or others.
This documentation will also come in handy for future inspections. These previously
gathered reports are also required for auditing and penetration testing. When changes
to the security mechanism are required, these reports aid in designing the security
infrastructure. These reports are typically stored in central databases. Reports include
the following information:
•
•
•
•
•
Tasks completed by each member of the team
Methods and tools used
Findings
Recommendations
Gathered information
Zero-day Attacks
There are flaws in many operating systems and applications. People are working hard
to find those flaws before the hacker does. In a zero-day attack, the attacker discovers
previously unknown vulnerabilities and exploits them before security patches are
available. It means that a zero-day attack takes advantage of vulnerabilities that are
unknown to everyone except the attacker.
Weak Configurations
94
Chapter 01: Threats, Attacks, and Vulnerabilities
Weak configuration is a vulnerability that prevents the system from meeting all of its
security objectives. The type of vulnerability allows attackers to gain access and raises
their privilege level.
Unsecure protocols
Examples of insecure protocols are Telnet and the early versions of SNMP (v1 and
v2c). Insecure protocols allow attackers and hackers to easily have access to your data
and even to remote controls.
Open permissions
Another most common mistake over the internet is the permission issue; it happens
when a file is shared over the internet, and it is not protected with the righteous
permissions, and anyone can access that file and use it in a way that is not protected
supported. Therefore, permission and permission logs should be audited actively for
such behavior in order to keep the network secure.
Error
Error and Exception encounter in an application is common, and it needs to be handled
in a secure manner. One of the attack methodologies forces an error to move
applications from normal to exceptional handling. If the exception handling is
improper, it can lead to a wide range of disclosure. For example, SQL errors disclose
data elements and data structure. Sensitive information like server, filename, and path
can be disclosed by RPC (Remote Procedure Call) error, and programmatic error can
disclose information like stack element or line number on which exception occurred.
Weak encryptions
Weak encryptions may be used during the data transmission between the server and
other systems. It can be either weak encryption or no encryption at all.
Default Setting
As no security against default settings can make the system vulnerable, default settings
must be secured from the start. This type of vulnerability, like weak configuration,
allows attackers to enter and advance their privilege level.
Open Ports and Services
The Metasploit Framework allows you to automate the discovery and exploitation
process while also providing you with the tools you need to perform the manual testing
phase of a penetration test. Metasploit Pro can be used to scan for open ports and
services, exploit vulnerabilities, pivot deeper into a network, collect evidence, and
generate test results reports. A honeypot, for example, is a computer set up on the
network as a sacrificial lamb. The system is not locked down, and all ports and services
are open. This is done to divert a potential attacker to this computer rather than
95
Chapter 01: Threats, Attacks, and Vulnerabilities
attacking legitimate production systems on a network. Because the honeypot contains
no real company information, it will not be compromised if and when it is attacked.
Improper or Weak Patch Management
Patch management is the process of software and application patch up-gradation,
including installing patches, acquiring, and testing. All Operating Systems require an
update and have different methods for the users to keep their systems up to date.
“The process of discovering, purchasing, installing, and verifying fixes for systems and
products is known as patch management. Patches are used to resolve bugs in software
and firmware that affect security and functionality.”
Firmware
Software instructions are stored in Read-Only Memory (ROM) or a Programmable
Read-Only Memory (PROM) chip.
Operating System (OS)
An Operating System is an interface (system software) to make hardware functional. It
is an intermediary between applications and computer hardware. Windows, macOS,
ChromeOS, BlackBerry, Linux are the common and popular operating systems.
Figure 1-24: Working of an Operating System
Types of Operating System
Some types of Operating systems are discussed below:

Network Operating System:
96
Chapter 01: Threats, Attacks, and Vulnerabilities
The network components use the network Operating System to provide computation and
configuration portions for networking. Every networking equipment vendor has its own
operating system like Cisco has IOS, Juniper has Junos, etc.

Server Operating System:
The “Server Operating System bridges the gap between a running application on the
server and server hardware.” Windows Operating system and Linux Operating System
are two examples of Server operating systems. Windows Operating System has a
commanding lead in the market due to its Active Directory Technology and built-in
Hyper-V capability.

Workstation Operating System:
The Workstation Operating System provides functional working space and the
graphical interface for a user to interact with the system and its different applications.
Windows are commonly seen in the role of Workstation Operating System due to the
reason of a high level of user interaction with the workstations.

Appliance Operating System:
Special-purpose appliances typically have their own operating systems. These are the
special-purpose operating systems for usual vendor-specific appliances designed to
perform specific functions only considering economics portability and functionality.

Kiosk:
Kiosks are machines that are usually set up with auto-login in a browser. The OS in
Kiosk is locked down to minimal functionality to prevent users from making any
configuration changes.

Mobile Operating System:
A type of Operating system that is optimized for mobile hardware. The Mobile
Operating System is categorized into two main types; Google’s Android OS and Apple’s
iOS. These Operating Systems are optimized to both Device capability and Desired
functionality.
Application
Application management is a challenge. Not all applications are secure, and some are
malicious, which is a rapidly growing security concern is.
How do Web Applications Work?
A web application functions in two steps;
- front-end
- back-end.
97
Chapter 01: Threats, Attacks, and Vulnerabilities
Users’ requests are handled by the front-end, where the user interacts with the web
pages. Services are communicated to the user from the server through buttons and other
controls on the web page. All processing is controlled and processed on the back-end.
Server-side languages include:






Ruby on Rails
PHP
C#
Java
Python
JavaScript
Client-side languages include:



CSS
JavaScript
HTML
Web applications work on the following layers:



Presentation Layer: This is responsible for displaying and presenting information
to the user on the client end.
Logic Layer: This is used to transform, query, edit, and otherwise manipulate
information to and from forms.
Data Layer: This is responsible for holding data and information for the
application as a whole.
Legacy Platforms
Virtual machines do a good job of serving legacy applications. A legacy application may
simply be incompatible with newer hardware and/or operating systems. Even if it does,
it may underutilize the server, so consolidating several applications makes sense.
Without virtualization, this may be difficult because such applications are not typically
written to coexist within a single execution environment.
Impacts
When an incident or risk occurs, it creates an impact on an organization. The impact
can be a financial gain or instability, reputational rise and fall, Data loss, data breaches,
Data exfiltration, Identity theft, Availability loss, and much more.
Data Loss
One of the most common potential threats that makes cloud security vulnerable is data
loss. Data loss can occur through either intentional or unintentional means. Massive
data loss, whether on a large or small scale, is disastrous and costly.
Breach of Data
98
Chapter 01: Threats, Attacks, and Vulnerabilities
Data Breaches are the most common threats to every platform. Improper encryption or
loss of encryption keys may result in data modification, erasing, theft, or misuse.
Data Exfiltration
It is the process when data from a network is taken in an unauthorized way and used
against the law. It is a security threat when someone can easily copy or retrieve data
from inside of a network and take it outside as their own.
Identity Theft
Personal impersonation is identity theft when an attacker has enough personal
information about an authorized person. An attacker impersonates a legitimate user by
providing the legitimate user’s personal information (either collected or stolen).
Impersonating a technical support agent and asking for credentials is another way to
impersonate and gather information.
Financial
The final arbiter of all work is ‘Finance' that helps us to manage a score. The gain can be
measured by profit and loss through unmitigated threats. When impacts overreach the
predicted costs linked with the planned residual risks, it turns into an issue and impacts
profit.
Reputation
One of the essential values in marketing is Reputation. Junky history or shoddy record
ruins the company’s reputation and costs the company in client base and revenue. For
example, nobody wants to give up personal information or contract with a bank with a
junky history
Availability Loss
Availability loss includes flooding and denial-of-service attacks that prevent legitimate
users from connecting or accessing the wireless network. Availability loss can be carried
out by authentication flooding, ARP poisoning, de-authentication attacks,
disassociation attack, etc.
99
Chapter 01: Threats, Attacks, and Vulnerabilities
Mind Map
Figure 1-25: Mind Map of Types of Vulnerabilities
Threat Hunting
Threat hunting is closely interconnected to penetration testing but serves a different
and distinct purpose. Threat hunters, like penetration testers, try to put themselves in
the attacker's shoes and imagine how hackers might try to circumvent an organization's
security controls. What these two disciplines do with this information differs.
While penetration testers try to evaluate an organization's security controls by testing
them in the same way that an attacker would, threat hunters use the attacker mindset
to search the organization's technology infrastructure for artifacts of a successful attack.
They consider what a hacker might do and what type of evidence they might leave
behind before going in search of that evidence.
Threat hunting is based on the “presumption of compromise,” a cybersecurity
philosophy. This approach assumes that attackers have already successfully breached
an organization and searched for evidence of successful attacks. When threat hunters
identify a potential compromise, they enter incident-handling mode, attempting to
contain, eliminate, and recover from the compromise. In order to correct deficiencies,
they also conduct a post-mortem analysis of the factors that contributed to the
100
Chapter 01: Threats, Attacks, and Vulnerabilities
compromise. Another similarity between penetration testing and threat hunting is postevent remediation: organizations use the output of both processes in similar ways.
Intelligence Fusion
Threat actors are very clever and intelligent; they stalk their targets and use various
methods of identity theft such as email phishing and eavesdropping. Once they have
obtained the identity, they attempt to gain access to the system or network in order to
do whatever they want.
Threat Feeds
Thread management solutions, like any technology product, require care and feeding.
Regular maintenance of the vulnerability scanner should be conducted in order to
ensure the vulnerability feeds and the scanning software remain up to date.
Vulnerability Scanning
Various tools have made finding vulnerabilities in an existing environment very easy in
this age of modern technology and advancement. Different tools, automated as well as
manual, are available to help find vulnerabilities. Vulnerability Scanners are automated
utilities specially developed to detect vulnerabilities, weaknesses, problems, and
loopholes in operating systems, networks, software, and applications. These scanning
tools thoroughly inspect scripts, open ports, banners, running services, configuration
errors, and other areas.
These vulnerability scanning tools include:






Nessus
OpenVAS
Nexpose
Retina
GFI LanGuard
Qualys FreeScan, etc.
These tools are used by security experts to inspect running software and applications to
find risks and vulnerabilities and by attackers to find out loopholes in an organization's
operating environment.
Lab 1-01: Installing and Using Vulnerability Assessment Tool
Main Objective: In this lab, you will learn how to set up and operate a vulnerability
assessment tool. Vulnerability scanning can be done with a variety of tools. The one I
am going to install and use is “Nessus.”
101
Chapter 01: Threats, Attacks, and Vulnerabilities
Go to the browser and type ‘Nessus Home.’ Click on the Nessus home link that has been
marked below.
This is going to take you to the Nessus registration page. You need to register in order
to get the activation code, which you are going to need to activate Nessus.
102
Chapter 01: Threats, Attacks, and Vulnerabilities
For registration, you need to put in your first name, last name, email address. Check the
checkbox and click on register.
Now to download Nessus, click on the download link.
103
Chapter 01: Threats, Attacks, and Vulnerabilities
Select the Operating system on which you are going to install Nessus. Here, we will be
installing it on Windows 8 machine (64 bit). Therefore, we will download the first link,
which is for the 64-bit version of Windows.
Now read the agreement and click on “I Agree.” Save the file to a computer.
104
Chapter 01: Threats, Attacks, and Vulnerabilities
Download and install the software.
105
Chapter 01: Threats, Attacks, and Vulnerabilities
Click "Next" after selecting "I agree."
Now, if you want to change the file destination, you can change it by clicking on the
‘change’ button or else just click “Next.”
106
Chapter 01: Threats, Attacks, and Vulnerabilities
Now, click on the “Install” button.
107
Chapter 01: Threats, Attacks, and Vulnerabilities
Once you click ‘install,’ the installation process will start.
108
Chapter 01: Threats, Attacks, and Vulnerabilities
The installation is complete. Click ‘Finish.’
109
Chapter 01: Threats, Attacks, and Vulnerabilities
It is installed now, and you are going to see this window. Just click on ‘Connect via SSL.’
110
Chapter 01: Threats, Attacks, and Vulnerabilities
Click on the ‘Advanced’ option.
111
Chapter 01: Threats, Attacks, and Vulnerabilities
Now, click on ‘Proceed to localhost.’
112
Chapter 01: Threats, Attacks, and Vulnerabilities
You now have to create an account for the Nessus server. Here, you are going to choose
a login name and password and make sure you remember it because this is what you
are going to use to log in to Nessus from now on. After inserting the username and
password, click on the ‘Continue’ button.
113
Chapter 01: Threats, Attacks, and Vulnerabilities
Now choose the scanner type that you want. Here, we have selected the first one, which
is ‘Home, professional or manager.’
114
Chapter 01: Threats, Attacks, and Vulnerabilities
Now, go to the email, copy the activation code that was forwarded to you and paste it
here. Click ‘Continue.’
After that, you are going to see this ‘Initializing’ window. It is basically fetching all the
plugins for Nessus, and this can take about 15 to 20 minutes.
Once all the plugins are installed, this Window will appear, and this is what Nessus
looks like. The first thing you have to do now is to create a policy. So, click on ‘Policies.’
115
Chapter 01: Threats, Attacks, and Vulnerabilities
Then, click on ‘Create new policy.’
You have a variety of scanner options here. We are going to perform a 'Basic Network
Scan.' To do so, select Basic network scan from the drop-down menu.
This window will now be visible to you. You must name the policy here. You can call it
whatever you like; for example, we can call it 'Basic Scan.'
116
Chapter 01: Threats, Attacks, and Vulnerabilities
In the basic setting, you have another setting option that is the ‘Permission’ setting.
Here, you have two options, one is ‘No Access,’ and the other is ‘Can Use.’ Leave it as
default and click on the ‘Discovery’ option.
Here, you have to choose the Scan Type. Either you want to scan common ports, all
ports, or you want to customize it. After selecting your desired option, click on
‘Assessment.’
117
Chapter 01: Threats, Attacks, and Vulnerabilities
Here, you are going to see three scanning options; choose whatever you want and then
click on ‘Report.’
118
Chapter 01: Threats, Attacks, and Vulnerabilities
In this window, you have multiple options, and you can see that some of them are
marked as ‘checked’ by default. For now, you can leave it as default, but if you want to
change some settings, you can change it according to your need.
In the ‘advanced’ setting option, you have three options to choose from. Select any of
them and click on the ‘Credentials’ button.
Here, we are going to choose ‘Windows' if using Windows or ‘SSH’ if using Mac or Linux.
119
Chapter 01: Threats, Attacks, and Vulnerabilities
Go ahead and insert your credentials and authentication method. If you have a domain,
you can insert that; in this case, we do not, so we are going to leave it blank. Check the
below boxes and click on the ‘Save’ button at the bottom.
And that is it. The policy has been created. Now in order to scan, you have to click on
the ‘Scan’ button up on top.
Click on the ‘Create a new scan’ option.
Go to the ‘User Defined’ option. Click on ‘Basic Scan.’
120
Chapter 01: Threats, Attacks, and Vulnerabilities
To name this Scan, we are going to label it as ‘Basic Scan,’ the same as the policy name.
You can also add a description if you want.
Select the folder where you want to save a scan and, at last, insert the IP address of the
target.
You can insert the target in different ways. Example: 192.168.1.1, 192.168.1.1/24, & test.com
121
Chapter 01: Threats, Attacks, and Vulnerabilities
You can also schedule your scan. For this, click on ‘Enabled,’ select the frequency, start
time, and time zone.
122
Chapter 01: Threats, Attacks, and Vulnerabilities
If you want to get a notification, you can add your email address. After doing all the
settings, click on the ‘Save’ button.
Here, you can see that the scanning process has started. Once the process is completed,
you can see the result by clicking on the section that is marked below.
Here is the scan result. The result is shown in multiple colors. The red represents Critical
Vulnerability. The Orange one is for High, Yellow is for Medium, Green is for Low, and
Blue is for Info.
123
Chapter 01: Threats, Attacks, and Vulnerabilities
Now, click on ‘Vulnerability’ next to the ‘Host’ option. And here, you are going to see
the vulnerabilities that have been found. Click any of that.
You can see the description of a particular vulnerability as well as a solution for it.
124
Chapter 01: Threats, Attacks, and Vulnerabilities
Here are some other vulnerabilities that were found.
125
Chapter 01: Threats, Attacks, and Vulnerabilities
False Positives
In vulnerability scanning, False Positives occur when the scanner can access only a
subset of the required information, preventing it from accurately determining whether
a vulnerability exists. False positives use more than one type of scan and cross-reference.
The most common false positives occur on static web pages.
A false positive is when the system incorrectly receives a biometric sample as being a
match. Biometric sensors can sometimes make mistakes for several reasons. The
identification process looks for a match by comparing a biometric, such as a fingerprint
or iris scan, that is presented to the system to all entries in a database. This is known as
a one-to-many search. Live biometrics change as a result of climate, age, or a possible
finger injury. These threshold settings are known as False Acceptance Rates (FARs) and
False Rejection Rates (FRRs) by vendors (FRRs).
False Negatives
False negatives tend to be produced by security systems that rely exclusively on a
negative security model. Under this approach, the system allows all traffic access unless
the traffic matches a threat signature or is otherwise identified as hostile. This means
that attackers can be successful if they can conduct their attacks to not match common
threat patterns or signatures.
Log Review
Logging is an important approach to keeping everything tracked. Typically, logs are
maintained on special devices known as Log Servers. Necessary logging should be
enabled on every device to ensure every critical activity such as logging in, changes,
modifications, and deletions are recorded. Security analysts examine these logs of all
126
Chapter 01: Threats, Attacks, and Vulnerabilities
infrastructure devices and critical server systems for signs of attempted access, both
successful and unsuccessful. The last thing before leaving the system after a compromise
is clear log entries to wipe the evidence.
Credentialed vs. Non-Credentialed
Two kinds of vulnerability assessments are offered in most vulnerability management
solutions. These assessments are credentialed and non-credentialed, also known as
authenticated and unauthenticated scans.
Non-credentialed scanning tools provide a quick view of vulnerabilities by looking at
network services only. The host exposes these services. A deeper understanding of the
application is not provided in these scans, and the network is not exposed by operating
system vulnerabilities or the vulnerabilities potentially covered up by a firewall that sits
between the host and the scanner. The false hope of the system to be safe is provided,
although attackers frequently target vulnerabilities in reality. The attackers have gained
credentialed access, and the security risk is not accurately indicated. In credential
scanning, an administrator provides the scanner with credentials. The target server is
then allowed to be connected for scanning. The existence of vulnerability is then
determined with this information, and the accuracy over non-credentialed alternatives
is improved. For example, a potential issue can be corrected by an operating system
service pack, which was detected by a vulnerability scan. Before reporting a
vulnerability, the service pack installed on the system is checked by the credentialed
scan.
Intrusive vs. Non-Intrusive
A vulnerability scanner can perform an intrusive or non-intrusive test. An intrusive test
attempts to exploit a vulnerability that can cause the remote target to crash or change.
A non-intrusive test attempts to avoid causing any harm to the target. The test typically
consists of verifying the remote service version or determining whether the vulnerable
options are enabled. Intrusive tests are usually much more accurate, but they cannot be
done in a production environment. A non-intrusive test cannot determine whether or
not a service installed is vulnerable; it can only determine whether or not it is
vulnerable.
Web Applications
Observe the functionality and other parameters of Web Applications in order to identify
vulnerabilities, entry points, and server technologies that can be exploited. These
parameters are diagnosed using HTTP requests and HTTP fingerprinting techniques.
A web application works on the following layers:

Presentation Layer: The Presentation Layer is responsible for displaying and
presenting information to the user on the client end
127
Chapter 01: Threats, Attacks, and Vulnerabilities

Logic Layer: The Logic Layer is used to transform, query, edit, and otherwise
manipulate information to and from the forms

Data Layer: The Data Layer is responsible for holding data and information for
the application as a whole
Web 2.0
Web 2.0 is the World Wide Web website generation that provides dynamic and flexible
user interaction. It provides ease of use and interoperability between other products,
systems, and devices. Web 2.0 allows users to interact and collaborate with social
platforms such as social media and social networking sites. The previous generation,
i.e., web 1.0, was limited to the passive viewing of static content. Web 2.0 offers almost
all users the same freedom to contribute. The characteristics of Web 2.0 are rich in user
experience and participation, dynamic content, metadata, web standards, and
scalability.
Web App Threats
Threats to Web Application include:
















Cookie Poisoning
Insecure Storage
Information Leakage
Directory Traversal
Parameter/Form Tampering
DOS Attack
Buffer Overflow
Log Tampering
SQL Injection
Cross-Site (XSS)
Cross-Site Request Forgery
Security Misconfiguration
Broken Session Management
DMZ Attacks
Session Hijacking
Network Access Attacks
Network
A network security assessment is, basically, an audit. It is a review of your network’s
security measures meant to find vulnerabilities in your system.
128
Chapter 01: Threats, Attacks, and Vulnerabilities
Common Vulnerabilities and Exposures (CVE) A standard nomenclature for
describing security-related software flaws is provided in this standard. It is another
platform where you can find information about vulnerabilities. CVE maintains a list of
known vulnerabilities, including an identification number and description of
cybersecurity vulnerabilities.
The U.S. National Vulnerability Database (NVD) was launched by the National Institute
of Standards and Technology (NIST). The CVE entities are input to the NVD, which
automates vulnerability management, security, and compliance management using
CVE entries to provide enhanced information for each entity, for example, fixing
information, severity scores, and impact ratings. Apart from its enhanced information,
the NVD also provides advanced search features such as using an Operating System,
vendor’s name, product name, version number, and vulnerability type, severity, related
exploit range, and impact.
Figure 1-26: Common Vulnerability and Exposures (CVE)
To learn more about CVE, go to the website http://cve.mitre.org.
Common Vulnerability Scoring System (CVSS) A standardized approach for
measuring and describing the severity of flaws related to software security is provided
in this standard. The Common Vulnerability Scoring System (CVSS) assists in
identifying the key characteristics of a vulnerability and assigns a numerical score to
reflect its severity. The numerical score is then converted into a qualitative
129
Chapter 01: Threats, Attacks, and Vulnerabilities
representation (low, medium, high, and critical) to properly assess and prioritize their
vulnerability management processes.
Security
Base Score Rating
None
0.0
Low
0. 1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 10.0
Table 1-02: CVSSv3 Scoring
To learn more about CVSS-SIG, go to the website https://www.first.org.
Review of the Configuration
The review's goal is to ensure that the system is in good working order and that its
security configuration and rule sets are effective. The evaluation will be carried out with
a number of factors in mind, including corporate policies, industry best practices, and
regulatory obligations.
SIEM (Security Information and Event Management)
Security Information and Event Management (SIEM) is an industry-standard term used
to monitor and manage networks. SIEM combines two related technologies; Security
Event Management (SEM) and Security Information Management (SIM).
SEM deals with real-time monitoring and notifying the security events such as
authentication failures and intrusion events generated by the security systems. At the
same time, SIM is responsible for collecting and managing security-related log data
from firewalls, antivirus software, network routers, DNS servers, databases, and other
origins. Therefore, SIEM is referred to as System Information and Event Management,
which strengthens the effect on the whole system, particularly on security.
Some popular SIEM options include:

ArcSight Express

McAfee ESM (Enterprise Security Manager)

IBM Security QRadar

Splunk Enterprise Software or Virtual Machines
130
Chapter 01: Threats, Attacks, and Vulnerabilities

LogRhythm's appliance, Software, and Virtual Machines
Data Inputs
SIEM gathers data from antivirus events, firewall logs, and other locations; it sorts it
into categories such as malware activity and failed and successful logins. Some common
features offered by SIEM are:
Logging Device
SIEM is a centralized logging device.
Common Database
Collects data from all the devices and brings it to a single database.
Security Alerts
It can also provide security alerts as the user is getting real-time information.
Storage
The storage of SIEM is long-term.
Data Correlation
SIEM also includes additional features of data correlation.
How SIEM works
SIEM provides reports on security-related events and incidents like failed and successful
logins, malicious activities, etc. It sends alerts if analysis shows any activity runs against
predetermined rule sets and thus indicates a potential security issue.
Review Reports
SIEM is a useful tool for collecting and evaluating compliance data across an
organization's complete infrastructure. SIEM solutions may create real-time compliance
reports for PCI-DSS, GDPR, HIPPA, SOX, and other compliance requirements, easing
security management and detecting any violations early. Many of the SIEM solutions
come with pre-built, out-of-the-box add-ons that can generate automated reports
designed to meet compliance requirements.
User Behavior Analysis
User Behavior Analytics (UBA) is where the sources are variable often logs feature, but
the analysis is focused on users, user accounts, user identities, and not on, say, IP
addresses or hosts. Some forms of SIEM and DLP post-processing where the primary
source data is SIEM or DLP outputs and enhanced user identity data and algorithms
characterize these tools. So, these tools may collect logs and context data themselves or
from a SIEM and utilize various analytic algorithms to create new insight from that data.
Security Monitoring
131
Chapter 01: Threats, Attacks, and Vulnerabilities
SIEM enables centralized management of on-premise and cloud-based infrastructure.
Solutions can identify all entities of the IT environment. This enables SIEM technology
to monitor for security incidents across all connected users, devices, and applications
and classify abnormal behavior as it is detected in the network. Using customizable,
predefined correlation rules, administrators can immediately notify and take
appropriate action to mitigate the threat before it manifests into more serious security
issues.
Log Aggregation
Log management collects data from a variety of sources, including applications,
databases, networks, security, and servers, and allows you to consolidate monitored
data to avoid missing important events.
Log Collectors
In SIEMs, Log Collectors are good for application log investigations. A collector
contains a log file containing records of events that occurred in an operating system,
application, server, or from various other sources. Security analysts benefit greatly from
log files because they give a documented trail of all communications to and from each
source. When a cyber-attack happens, log files can be used to investigate and assess the
source of the assault as well as its impact on the IT infrastructure.
Security Orchestration, Automation, and Response (SOAR)
132
Chapter 01: Threats, Attacks, and Vulnerabilities
Figure 1-27: Security Orchestration, Automation, and Response (SOAR)
SOAR (Security Orchestration, Automation, and Response) is a set of software solutions
and tools that help businesses optimize security operations in three important areas:

Threat and vulnerability management

Incident response

Security operations automation
SOAR technologies enable organizations to collect inputs that are monitored by the
security operations team. Alerts from the SIEM system and other security technologies,
for example, where incident analysis and triage can be performed by combining human
and machine power, can help define, prioritize, and drive standardized incident
response activities. SOAR tools enable businesses to define incident analysis and
response procedures in a digital workflow format.
Mind Map
Figure 1-28: Mind Map of Security Assessments
Penetration Testing
Penetration testing is the process of hacking a system with the owner's permission to
assess security, Hack Value, Target of Evaluation (TOE), attacks, exploits, zero-day
133
Chapter 01: Threats, Attacks, and Vulnerabilities
vulnerabilities, and other components, including threats, vulnerabilities, and daisychaining. A pentester is an individual authorized by an owner to hack into a system to
perform penetration testing in the context of Ethical Hacking.
The Importance of Penetration testing
In today's fast-paced technological environment, the most common cybercrimes are
denial-of-service, identity theft, service theft, and information theft. System penetration
is used to protect a system from malicious threats by identifying vulnerabilities in the
system. Other significant benefits of penetration testing include:
Identifying and exploiting vulnerabilities in systems and security controls in the same
way that an attacker searches for and exploits vulnerabilities to circumvent security.








Recognizing threats and vulnerabilities in an organization's assets
Conducting a thorough assessment of policies, procedures, design, and architecture;
and
Implementing corrective actions before a hacker identifies and breaches security.
Determining what an attacker can gain access to in order to steal
Determining the value of information
Testing and validating security controls, as well as determining the need for any
additional protection layer
Modifying and upgrading currently deployed security architecture
Reducing IT security costs by improving Return on Security Investment (ROSI)
VAPT is essential because it protects us from damage, keeps our confidential data
private, and keeps our information hidden from prying eyes. To overcome their flaws,
every business management or network administrator must be aware of their own. We
all know networks are vulnerable, but we do not all know where or how; this is where
vulnerability assessment comes in.
It is a comprehensive study of computer and network hardware vulnerabilities. It
evaluates potential hazards and threats and develops mitigation plans for any exposure.
“Prevention is better than cure.”
Another reason for VAPT is to prevent cyber-attacks. We are well aware of hacks that
result in the loss of:
•
•
•
•
Sensitive data
Account numbers
Email addresses
Personal information
These security incidents occur on a daily basis in the world of computer networking.
This is why you should examine your network from the outside, as an attacker would.
Discover its strengths and weaknesses, and then fill the gaps. Your infrastructure may
134
Chapter 01: Threats, Attacks, and Vulnerabilities
be secure, and your servers may have strong firewall policies in place, but what about
the default configuration of peripheral devices like printers, scanners, fax machines, and
so on? They adorn your network, and their vulnerability is frequently overlooked. A
vulnerability assessment and penetration testing would reveal any issues in a matter of
seconds. Any network with users is not as secure as you may believe. Your network's
security should be your top priority. In summary, the following are the reasons for
performing VAPT:
•
•
•
•
•
To protect the network from attacks
To identify its strengths and weaknesses
To protect information from theft
To comply with data security standards
To improve the reliability and value of services
Security Audits
•Security audits are the
evaluation of security
controls. It makes sure
that controls are being
enforced and followed
properly throughout the
organization, without
any concern about the
threats and
vulnerabilities
Vulnerability
Assessments
Penetration
Testing
•Vulnerability
Assessment process is
to identify
vulnerabilities and
threats, which may
exploit and impact an
organization financially
or reputationally
•Penetration is the
process of security
assessment, which
includes security audits
and vulnerability
assessment.
Furthermore, it
demonstrates the
attack, its solution and
required remedial
actions
Figure 1-29: Mi Comparison Chart
Types of Penetration Testing
As a penetration tester may be asked to perform any of the three types of Penetration
Testing, it is critical to understand their distinctions.
The Black Box penetration test is one in which the pentester does blind or double-blind
testing. This indicates that the pentester has no prior knowledge of the system or of the
target.
Gray Box is a type of penetration testing in which the pentester has only a rudimentary
understanding of the organization's network. For example, information about the
operating system or network may be scarce.
135
Chapter 01: Threats, Attacks, and Vulnerabilities
White Box is a type of penetration testing in which the pentester knows everything
there is to know about the system and the target. Internal security teams or security
audit teams perform this type of penetration testing in order to carry out an audit.
Penetration Testing Phases
Penetration testing is a three-step procedure that includes the following steps:
1. Pre-Attack Phase
2. Attack Phase
3. Post-Attack Phase
Figure 1-30: Penetration Testing Phases
Security Testing Methodology
There are some methodological approaches to be adopted for security or penetration
testing. Industry-leading Penetration Testing Methodologies are:




Open Web Application Security Project (OWASP)
Open Source Security Testing Methodology Manual (OSSTMM)
Information Systems Security Assessment Framework (ISAF)
EC-Council Licensed Penetration Tester (LPT) Methodology
Rules of Engagement
Rules of Engagement (RoE) is an archive that documents the rules and regulations
under which a penetration tester is to engage with a client. An RoE document explains
the manner in which the pentest will be conducted. Being a professional pentester, it is
136
Chapter 01: Threats, Attacks, and Vulnerabilities
the primary task before starting any test to spell out the RoE clearly. Before you begin
the penetration test, follow the basic considerations as defined by PCI Security
Standards Council, which are:








The time window to perform and complete the testing process
The preferred method of communicating about scope and issues
The action to take if any sensitive information is disclosed during the test
Ensuring the pentesting equipment and tools do not pose a threat to the
environment
What steps would you take if you detected a previous or active compromise to
the systems being tested?
How would you deal with a legacy system with known issues with automated
scanning?
Who is permitted to engage the pentest team?
What should legal concerns be addressed?
Lateral Movement
Cyber attackers use a technique to move through a network searching for the key data
called a Lateral Movement. Many attacks happen when data is moved laterally over the
network from system to system.
Privilege Escalation
This attack-type of network intrusion takes advantage of programming errors or design
flaws to grant the attacker elevated access to the network and its associated data and
applications. A bug, design flaw, or configuration oversight in a software application or
operating system is exploited with privilege escalation to access applications or userprotected resources.
An unauthorized user will not always be provided full access to a targeted system. The
privilege escalation is essential in these circumstances. The privilege escalation is of two
types: vertical and horizontal.
Vertical Privilege Escalation
In vertical privilege escalation, higher privileges are granted to the attacker. The kernellevel operations typically assist in achieving vertical privilege escalation in which
unauthorized codes are allowed to run.
Horizontal Privilege Escalation
The attackers use the same level of privileges that have been granted.
For example, horizontal privilege escalation will be constituted when anyone’s online
banking account has gained access by some unauthorized person.
Persistence
137
Chapter 01: Threats, Attacks, and Vulnerabilities
The system needs to be continually accessed to gather data and conduct further attacks
that have been more critical to most penetration attacks. Thus, a critical part of a
penetration tester’s efforts is persistence.
Cleanup
Penetration testers use various tools and techniques as they work their way through a
client network. During the engagement, testers should document any changes they
make to the systems, and they should revisit that documentation after the test to ensure
that they have completely removed all traces of their work.
There are three major post-engagement clean-up activities:



Removing shells installed on systems
Removing all backdoors, services, daemons, rootkits, and tester-created accounts
installed during the rest
Removing any tools installed during the penetration test
These three activities serve as a jumping-off point. The basic principle that testers
should follow when performing post-engagement clean-up is to return the system to its
pre-test state.
Bug Bounty
Bug bounty programs allow testing web platforms by simulating attacks to detect and
fix vulnerabilities. It relies on independent hackers paid per vulnerability.
Pivoting
Pivot is a method that allows an attacker or penetration tester to move or flow across a
network. The first step in pivoting is gaining access to a machine, moving tools to that
machine, and remotely control them. The penetration tester then examines the system
or network using the remote machine's IP address.
Active and Passive Reconnaissance
Reconnaissance is the first step in an attacker's preparation for an assault. It involves
obtaining information about the target before launching an attack using various tools
and tactics. An attacker's task is made easier by gathering information about the target.
It aids in determining the target range for large-scale attacks.
In Passive Reconnaissance, a hacker gathers information about a target without directly
interacting with it. Searching social media for the target's information is an example of
passive reconnaissance.
Active Reconnaissance gains information by interacting with the target directly. Active
reconnaissance includes interacting with the target via calls, emails, help desks, or
technical departments.
138
Chapter 01: Threats, Attacks, and Vulnerabilities
War Driving
Kismet is a sniffer, wardriving tool, and wireless intrusion detector. WIDS is the
framework used as a wireless network and device detector.
It operates using Bluetooth interfaces, Wi-Fi interfaces, some Software Defined Radio,
and RTL-SDR (a USB Dongle) hardware.
Footprinting
The collecting of all conceivable information about the target and the targeted network
is known as fingerprinting.
Performing WHOIS Footprinting
1. Go to the URL https://www.whois.com/
Figure 1-31: WHOIS Footprinting Engine
2. A search of Target Domain
139
Chapter 01: Threats, Attacks, and Vulnerabilities
Figure 1-32: WHOIS Footprinting
Exam Tip: Standards Testing Resources
Footprinting and reconnaissance techniques and principles are usually included in
penetration testing standards.
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf;
PenetrationTestingExecutionStandard:http://csrc.nist.gov/publications/nistpubs/800115/SP800-115.pdf;
PenetrationTestingExecutionStandard:http://csrc.nist
The
Penetration Testing Execution Standard includes a list of OSINT targets that might
assist you in compiling a list of possible OSINT targets.
Exercise Types
Security analysts must practice responding to them to respond to security events in the
most organized and efficient manner. There are some tried-and-true approaches to this.
This section will look at how team analysts, both employees, and third-party
contractors, can be organized and some well-known names for these teams.
Security posture is assessed by war game exercises in which one group attacks the
network while another attempts to defend the network. Three teams are involved in
most cybersecurity war games: red, blue, and white teams.
140
Chapter 01: Threats, Attacks, and Vulnerabilities
Red Team
The red team plays the role of attacking the force and uses reconnaissance and
exploitation tools to gain access to the protected network. The red team’s work is similar
to that of the testers during a penetration test.
Blue Team
The blue team takes on the position of Network defense, and the red team's attempted
attack puts the blue team's ability to respond to the attack to the test. Gaining access to
log data, using a SIEM, gathering information, and doing traffic and data flow analysis
are all part of this process.
White Team
The white team is a group of technicians who coordinate the exercise and act as referees,
resolving disagreements between the red and blue teams. Enforcing the rules of
engagement could be one of the white team's responsibilities, along with monitoring
the blue team's responses to the attack and noting specific approaches used by the red
team.
Purple Team
Purple refers to a philosophy in which attackers and defenders work together on the
same team. As a result, rather than a dedicated team, it should be viewed as a function.
Purple teams should not be needed in organizations where the red team / blue team
interaction is healthy and functioning effectively because the primary objective of a red
team is to develop ways to improve the blue team.
Figure 1-33: Exercise Type
141
Chapter 01: Threats, Attacks, and Vulnerabilitie
Mind Map
Figure 1-34: Mind Map of Penetration Testing
142
Chapter 01: Threats, Attacks, and Vulnerabilities
Practice Question
1. An Ethical Hacker needs which of the following to break into a system?
A.
B.
C.
D.
Training
Permission
Planning
Nothing
2. What is Gray Box Pentesting, and how does it work?
A.
B.
C.
D.
Pentesting with no knowledge
Pentesting with partial knowledge
Pentesting with complete knowledge
Pentesting with permission
3. What kind of hacker are you if you have been employed to launch an attack on a
target system in order to uncover and exploit vulnerabilities?
A. Gray Hat
B. Black Hat
C. White Hat
D. Red Hat
4. Which of the following best describes an assailant who seeks out a target in order
to attract attention to a cause?
A. Terrorist
B. Criminal
C. Hacktivist
D. Script Kiddie
5. What is the level of knowledge of a Script Kiddie?
A. Low
B. Average
C. High
D. Advanced
6. What is required for a White Box Test?
A. No knowledge
B. Some knowledge
C. Complete knowledge
D. Permission
143
Chapter 01: Threats, Attacks, and Vulnerabilities
7. Which of the following best describes a hacker who does not care if they are
caught or punished?
A.
B.
C.
D.
Hacktivist
Terrorist
Criminal
Suicide Hacker
8. Which of the following reasons necessitates a penetration test? (Select 2)
A.
B.
C.
D.
Troubleshooting network issues
Finding vulnerabilities
To perform an audit
To monitor performance
9. Hacker using their skills for both benign and malicious goals at different times are
______________.
A. White Hat
B. Gray Hat
C. Black Hat
D. Suicide Hacker
10. Vulnerability analysis is basically ____________.
A. Monitoring for threats
B. Disclosure, scope, & prioritization of vulnerabilities
C. Defending techniques from vulnerabilities
D. Security application
11. What is Black Box Testing?
A. Pentesting with no knowledge
B. Pentesting with complete knowledge
C. Pentesting with partial knowledge
D. Pentesting performed by Black Hat
12. The term “Vulnerability” refers to _______________.
A. A Virus
B. A Malware
C. An Attack
D. A Weakness
13. Using dots and slash sequences, an attacker is attempting a trial and error strategy
to get access to restricted directories. Which form of web server attack is this?
144
Chapter 01: Threats, Attacks, and Vulnerabilities
A.
B.
C.
D.
LDAP Attack
AD Attack
Directory Traversal Attack
SQL Injection
14. An attacker sends a request, allowing him to add a header response; now, he
redirects the user to a malicious website. Which type of attack is this?
A. Web Cache Poisoning
B. HTTP Response Splitting Attack
C. Session Hijacking
D. SQL Injection
15. What are the most common methods for performing Footprinting?
A. Active & Passive Footprinting
B. Pseudonymous & Passive Footprinting
C. Social & Internet Footprinting
D. Active & Social Footprinting
16. Which one of the following is the best meaning of Footprinting?
A. Collection of information about a target
B. Monitoring target
C. Tracing a target
D. Scanning a target
17. What is the purpose of Social Engineering?
A. Reveal information from human beings
B. Extract information from compromised social networking sites
C. Reveal information about social networking sites
D. Compromising social accounts
18. Cracking password with pre-computed hashes is called ___________.
A. Rainbow Table Attack
B. Brute Force Attack
C. Dictionary Attack
D. Password Guessing
19. Which of the following is used for Backdoor installation?
A. Meterpreter
B. Zero-day Exploit
145
Chapter 01: Threats, Attacks, and Vulnerabilities
C. Exploit Kits
D. Persistence
20. How can you mitigate a rainbow table attack?
A. Changing Default Password
B. Configuring Unpredictable Password
C. Password Salting
D. Password Hashing
21. Which of the following assertions is the most accurate description of the term
"malware"?
A.
B.
C.
D.
Malware is Viruses
Malware is Malicious Software
Malware is Trojans
Malware is Infected Files
146
Chapter 02: Architecture and Design
Chapter 02: Architecture and Design
Technology Brief
This chapter describes the concepts of security related to operating in an enterprise
environment. It delves into enterprise security issues such as change and configuration
management, data sovereignty, protection, and loss prevention. You will become
acquainted with hardware security modules, geographical considerations, and cloud
access security brokers.
After that, we will discuss response and recovery controls, SSL/TLS inspection, and site
resiliency. Finally, we will learn how to use honeypots, honey files, honeynets, fake
telemetry, and DNS sinkholes for deception and disruption.
We will discuss the following topics in detail in this chapter:










Define change and configuration management concepts such as diagrams,
baseline configurations, standard naming conventions, and IP schema
documentation
Describe data sovereignty, data conversion and storage in binary digital form,
and how data is governed by the country's laws where it is stored.
Describe data security issues such as data loss prevention, masking, and
encryption
Learn how hardware security modules (HSMs) play a significant role in
delivering hardened, tamper-resistant devices for generating keys, encrypting
and decrypting data, and issuing and verifying digital signatures.
Recognize geographical factors such as jurisdictions, privacy laws, import-export
restrictions, and cryptographic regulations describe the on-premises or cloudbased CASB security policy enforcement points that are established between
cloud service providers and their customers
Contrast response and recovery control as they relate to enterprise business
continuity and disaster recovery.
Describe how next-generation firewalls, WAF solutions, and other cloud-based
techniques perform SSL/TLS inspection
Explain hashing and application programming interfaces, as well as the
significance of digitally signing all API calls
Describe the various types of site resiliency, such as hot site, cold site, and warm
site solutions
Define deception and disruption techniques that use honeypots, honey tokens,
honey files, honeynets, phony telemetry, and DNS sinkholes.
147
Chapter 02: Architecture and Design
The Significance of Security Ideas in a Business Setting
Security Overview
The methods and procedures for preventing unauthorized access, disclosure, use, or
modification of data and information systems are system security. Data security ensures
that information is kept private, secure, and accessible. An organization's confidential
information and data will not be protected if it lacks security policies and suitable
security standards, placing the organization in danger. Security policies and welldefined procedures can help secure an organization's assets from unauthorized access
and disclosure.
Thanks to cutting-edge technology and platforms, millions of individuals communicate
with one another every minute in today's world. Due to various old and new threats that
exist around the world, these sixty seconds can be tremendously vulnerable and costly
to private and public businesses. The public internet is the most common and fastest
way for risks to spread over the planet. Viruses, spam, malware, and malicious routines
and scripts are all waiting to be accessed at any time. This is why security threats to a
network or system can never be entirely eliminated. It is a never-ending challenge to
design a security policy that's effective and efficient rather than a jumble of ineffective
security implementations that waste resources and expose vulnerabilities to attacks.
Configuration Management
When changes occur to a software product during its development life cycle, a
configuration management system can be put into place that allows for change control
processes to occur through automation. Software Configuration Management (SCM) is
a feature of a product that recognizes software attributes at various points in time and
performs methodical change control to maintain software integrity and traceability
throughout the software development life cycle. It establishes the need to keep track of
changes and ensures that the final delivered software contains all of the approved
changes that are supposed to be included in the release.
148
Chapter 02: Architecture and Design
Figure 2-01: Software Configuration Management
Baseline Configuration
A baseline is an agreed-upon description of a product's attributes at a specific point in
time used to define configuration management changes. A baseline is typically a single
work output or a series of work products that may be used as a reasonable comparison
point.
Standard Naming Conventions
Software configuration management is a set of processes, regulations, and technologies
that aid in the organization of developers' work. It preserves the existing state of the
software (referred to as the "baseline") while allowing developers to work on new
versions for new features or adjustments.
Internet Protocol Schema
149
Chapter 02: Architecture and Design
The IP address of the server is one of the most crucial parts of establishing a business IT
system. This data must be kept private, but it must also be accessible to others, such as
compliance officers performing audits. It is difficult to decide which stakeholders or
personnel have access to and can edit CM data.
Data Sovereignty
Data sovereignty is the perception that information has been converted and stored in
binary digital form. It is the idea that data are subject to the laws and governance
structures within the nation it is collected. The conception of data sovereignty is closely
linked with data security, cloud computing, and technological sovereignty.
Data Protection
Throughout its lifecycle, data security refers to the process of securing data from illegal
access and data corruption. Data encryption, hashing, tokenization, and key
management are all data security strategies that safeguard data across all applications
and platforms.
Data Loss Prevention
Data Loss Prevention (DLP) is a term that refers to the prevention of data loss. It
basically puts a stop to data transmission before it reaches the risk actor. The endpoint
DLP program on the computer monitors the data and prevents unauthorized access.
The DLP device monitors any confidential information, such as credit card numbers,
that should not be in clear text across the network connection. The data is monitored
by the server's DLP system, which ensures that it does not come into the hands of the
threat actor.
Masking
Data masking safeguards confidential data such as credit card numbers, Social Security
numbers, names, addresses, and phone numbers from unintended exposure, reducing
the risk of data breaches. Masking of data helps enterprises raise the level of security
and privacy assurance.
Encryption
In order for an application to be secure and usable, it must include encryption. It is
necessary to adopt and utilize a proven algorithm and codebase. For example, we can
make sure that only the sender and receiver can read clear text data using encryption.
At Rest
150
Chapter 02: Architecture and Design
Data at rest is information that is not actively traveling from one device to another or
from one network to another, such as information saved on a hard drive, laptop, flash
drive, or archived/stored in another fashion. The goal of data security at rest is to protect
idle data on any device or network. While data at rest is sometimes thought to be less
vulnerable than data in motion, attackers often regard data at rest as a more desirable
target. The security mechanisms in place to secure data in transit or at rest determine
the risk profile for data in either condition.
In Transit/Motion
Data in transit, also known as data in motion, refers to information that is actively
traveling from one area to another, such as across the internet or a private network.
Data protection in transit refers to the security of data while it is being transported from
one network to another or from a local storage device to a cloud storage device. Effective
data protection solutions for in-transit data are crucial anywhere data is moving, as data
is frequently regarded as less safe while in transit.
Modern businesses must protect sensitive data both in transit and at rest, as hackers
continue to develop new ways to breach networks and steal data.
In Processing
Data security is a set of procedures and policies designed to protect your critical
Information Technology (IT) infrastructure. All types of files, databases, accounts and
networks are examined. Effective data security relies on a combination of controls,
applications, and methods to assess the value of various datasets and implement the
most effective security policies.
Data security that is effective considers the sensitivity of diverse datasets as well as
regulatory compliance needs.
Tokenization
Tokenization is the process of transforming valuable data, such as an account number,
into a useless string of characters called a token. Tokens can be used to refer back to the
source data but not to estimate values.
Rights Management
Right Management assists in the protection of sensitive information or data by
maintaining and enforcing access and usage rights to information throughout its
lifecycle, regardless of where it is distributed.
151
Chapter 02: Architecture and Design
Hardware Security Module (HSM)
A hardware security module is a physical computing device that secures and manages
digital keys while also encrypting and decrypting data for digital signatures, strong
authentication, and other cryptographic operations. Traditionally, these modules take
the form of a plug-in card or an external device that connects directly to a computer or
network server.
Any application that uses digital keys can benefit from the use of a hardware security
module. The keys are usually extremely valuable, implying that the owner would suffer
a significant financial loss if they were compromised.
An HSM performs the following functions:
1.
2.
3.
4.
Secure cryptographic key generation on-board
Secure cryptographic key storage onboard, at least for master keys, which are the
highest level and most sensitive keys
Key management
Using cryptographic and sensitive data material to offload application servers for
comprehensive asymmetric and symmetric cryptography, such as executing
encryption or digital signature operations
HSMs manage transparent data encryption keys for databases, as well as keys for storage
devices like disks and tapes.
Figure 2-02: Hardware Security Modules
152
Chapter 02: Architecture and Design
Geographical Considerations
Prior to cloud computing's broad acceptance, defining the boundary was relatively
simple; it consisted of the computing assets on-premises to the organization and/or at
a colocation datacenter; with the seemingly ubiquitous adoption of cloud services, the
enterprise cybersecurity boundary required to be extended to include leveraged cloud
services rather than geographic locations. For example, a company may have
information assets on-premises at their corporate location but also use AWS or Azure
for additional compute and storage resources. We have heard about AWS S3 buckets
being publicly exposed on the internet, resulting in a data breach for organizations.
Cloud Access Security Broker (CASB)
When users access cloud-based resources, a cloud access security broker sits between
them and the cloud service, enforcing security regulations.
To better understand what CASB is, it is important to note that this is not the same as
the firewalls that businesses employ to monitor and filter their networks. CASBs can
shed light on strange or unusual user activity and provide cloud access control to the
company. They, unlike firewalls, provide deep visibility into cloud environments and
granular control over cloud usage.
CASBs are increasingly being used to mitigate cloud security risks, ensure compliance
with data privacy regulations, and enforce corporate security policies. They are
becoming increasingly important to organizations as employees use personal,
unmanaged devices to access corporate networks from new, dispersed locations, posing
additional cloud security risks. The concept of CASB emerged in response to the
growing need for more consistent security across multiple cloud environments, which
was exacerbated by the rise of cloud computing. CASBs enabled organizations to gain
greater visibility into what was happening in their cloud and Software-as-a-Service
(SaaS) deployments and protect all user and sensitive corporate data in these
environments.
Organizations require solutions that make protecting their data and users easier, given
blended attacks, various exploits, and obfuscation technologies that make detection
more difficult. CASBs are becoming increasingly important in protecting against
malware and phishing attacks, securing access to cloud services, and ensuring the
security of cloud applications.
153
Chapter 02: Architecture and Design
Figure 2-03: Pillars of CASBs
CASB solutions are divided into four pillars or functions that ensure the security of an
organization's cloud services:
Visibility
Organizations need to be able to see what their users are doing across all of their cloud
applications, including sanctioned and unsanctioned applications, also known as
shadow IT. A specific risk of cloud usage is an activity that occurs outside of IT controls
because the organization's data is no longer protected by its compliance, governance,
and risk policies. As a result, CASBs are critical for detecting high-risk behavior that IT
teams may miss.
A CASB solution provides comprehensive visibility of cloud application usage, including
device and location data, to assist organizations in protecting data, intellectual
property, and users. It also offers cloud discovery analysis, which allows businesses to
assess the risk of cloud services and determine whether or not to give users access to
applications.
Compliance
Organizations now have a plethora of cloud supplier options and will almost certainly
use multiple vendors for various solutions. Regardless of whether they outsource or
154
Chapter 02: Architecture and Design
manage services in-house themselves, organizations are still responsible for ensuring
regulatory compliance regarding the privacy and security of their data.
CASBs assist organizations in meeting the increasingly stringent and ever-changing
requirements of data and privacy regulations such as privacy legislation, including the
California Consumer Privacy Act (CCPA), the European Union's General Data
Protection Regulation (GDPR), and the Health Insurance Portability and Accountability
Act (HIPAA). CASBs are also necessary for meeting the security requirements of ISO
27001 and the Payment Card Industry Data Security Standard (PCI DSS).
Data Security
Organizations must ensure that sensitive data is protected even as cloud usage grows
and data loss prevention (DLP) tools are implemented. On-premises DLP solutions are
effective at protecting data, but they cannot protect cloud services.
Threat Protection
Organizations are increasingly vulnerable to outside hackers using stolen credentials
and insider attacks. As a result, businesses must be able to detect and prevent suspicious
behavior, even from authorized users.
Response and Recovery Controls
Figure 2-04: Response and Recovery Control
Response and Recovery services include:
155
Chapter 02: Architecture and Design
1.
2.
Backup and Restore
Incident Response
These services aid in the definition of procedures to be followed in the event of an
incident, including detection, reaction, and recovery activities.
The consequences of a cyber-security event can be mitigated by detecting an incident
early and responding appropriately. Honeywell's Response and Recovery services assist
users in resuming operations following an incident. The services also include backup
solution implementation and consulting to assist users in developing a formal incident
response plan.
Users can use Response and Recovery services to document incident details for future
reference and improve their ability to recover and respond quickly to future attacks.
Furthermore, these services teach employees how to report cyber security incidents.
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection
The process of intercepting SSL/TLS encrypted internet communication between the
client and server is known as SSL/TLS inspection or HTTPS interception. Malicious
content could be hidden in encrypted traffic alongside your legitimate data.
The next version of the Internet Engineering Task Force (IETF) protocol standardized
it and renamed it Transport Layer Security, or TLS, after it was launched in
1999. According to the TLS specification, the differences between this protocol and SSL
3.0 are not dramatic. As a result, it is not really a question of TLS vs. SSL; rather, the two
form a constantly updated series of protocols that are often referred to as SSL/TLS.
The TLS protocol encrypts all internet traffic. Web traffic is the most prevalent if the
URL in your address begins with "HTTPS," and there is a padlock icon suggesting the
connection is secure. TLS, on the other hand, can be utilized by other programs such as
e-mail and Usenet. ad will expire in 27.
Hashing
Hashing is a mathematical process that uses a special cryptographic function to
transform one set of data into another of fixed length. The process entails using a hash
table to map data of any size to a fixed length and then storing the output data in the
digest. It is a method for converting a set of key values into a set of array indexes. To get
a range of key values, we will use the modulo operator. Consider a hash table of size 20
with the following items to be stored. Items are formatted as “(key, value).”
156
Chapter 02: Architecture and Design
Figure 2-05: Encryption and Hashing
API Considerations
API security is the safeguarding of the integrity of APIs, both those you own and those
you use. Like systems and apps, APIs are one of the most common ways for
microservices and containers to communicate. APIs are becoming increasingly
important as integration and interconnectivity become more important.
Figure 2-06: API Process
157
Chapter 02: Architecture and Design
Site Resiliency
Resilience is defined as the ability to withstand and recover from deliberate attacks,
accidents, or naturally occurring dangers or incidents. As with security, organizations
implement physical- and cyber-resilience strategies, such as having a backup power
generator.
Hot Site
A hot site is a near-instant backup of your production site, complete with personnel,
network systems, power grids, and data backups. When switching from the host site to
the backup site, there is almost no downtime. While the idea of having real-time
synchronization is appealing, it is also quite costly. You must first weigh the benefits
and decide whether they are worth the cost.
Cold Site
A chilly site is similar to keeping a spare, run-down automobile in your garage at home.
You must call a buddy to bring your other automobile to you if your car breaks down.
You and your friend may need to work out the details of getting extra keys for the car.
No matter what, it will take a long time for your new ride to arrive, so be prepared to
wait. When a disaster strikes, this translates to a site with little or no hardware set up.
Because the equipment is not set up and running, you are saving a lot of money.
However, getting your site back up and running will take a long time.
Warm site
When you visit a warm site, it is like traveling down the road with your second
automobile following closely behind. However, the car could have stopped at a few
signals and be several miles behind you; As a result, catching up to you may take some
time. Your spare car would not be as fancy as your current one (no heated seats or
satellite radio), but it has gas in the tank, and the engine works, which is all you really
need until you can get your current car repaired and running again. Similarly, a warm
site recovery implies that you have established hardware and network connections from
one site to another, but they are not the same. While you are restoring your data from
a remote backup location, your recovery will still be delayed.
Deception and Disruption
Deception technology is a type of cybersecurity defense practice that aims to deceive
attackers by disseminating a set of traps and decoys throughout a system's
infrastructure to imitate genuine assets. In contrast, disruption is a dangerous threat
caused by intentional or unintentional incidents that result in a security breach, damage
to digital devices and networks, or a network outage.
158
Chapter 02: Architecture and Design
Honeypots
Honeypots are devices or systems deployed to trap attackers attempting to gain
unauthorized access to a system or network. They are placed in a controlled setting and
are constantly watched. Honeypots are often deployed in the DMZ and configured in
the same way as servers. Any type of probe, malware, or infection will be immediately
detected as the honeypot appears to be a legitimate part of the network.
Honeyfiles
Honeyfiles are a deception-based intrusion detection mechanism. A honey file is a bait
file that is designed for hackers to open; when the file is accessed, an alert is set off. A
honey file could be a file called passwords.txt on a workstation, for example. The file's
name will attract hackers who get illegal access to the workstation, and when they open
it, an alarm will go out.
Honeynets
A honeynet is a virtual system that is basically designed to attract threat actors or
attackers and trap them. It is a group or collection of honeypots designed to look like a
real corporate network that, in reality, is fake.
Lab 2-01: Configuring Honeypot on Windows Server 2016
Machines:
--Windows Server 20 16 (VM)
--Windows 7 (VM)
Software used:
--honeypot (https://www.atomicsoftwaresolutions.com)
Procedure:
1.
2.
Open the HoneyBOT application.
Set the parameters or leave them on default.
159
Chapter 02: Architecture and Design
3.
Select Adapters.
4.
Go to a Windows 7 machine.
160
Chapter 02: Architecture and Design
5.
6.
Open Command Prompt.
Generate some traffic, for example, FTP.
7.
Go back to Windows Server 2016 and observe the logs.
8. Select the log by clicking on "Port" > "21."
161
Chapter 02: Architecture and Design
9. Right-click and go to “View Details.”
10. Right-click and go to “Reverse DNS.”
162
Chapter 02: Architecture and Design
DNS Sinkhole
In a postmortem of the WannaCry outbreak, Hutchins wrote, "A sinkhole is a server
that captures malicious traffic and prevents infected devices from being controlled by
the criminals who infected them." Security teams utilize sinkholes to attack, stop, and
collect information on infiltrating adversaries.
163
Chapter 02: Architecture and Design
Mind Map
Figure 2-07: Mind Map of Security Concepts
Virtualization and Cloud Computing Concepts
What is Cloud Computing, and how does it work?
Cloud computing is simply the process of storing data and connecting to computers via
the internet. It is the internet-based delivery of various computer services such as
servers, software, analytics, databases, and storage. Computing resources are delivered
on-demand through a cloud service platform with pay-as-you-go pricing. The
companies that are providing services are termed as “Cloud Providers.” There is a
number of cloud providers like Amazon, Google, and Azure.
Cloud Computing's Advantages
We are all aware that Cloud Computing has resulted in a significant shift in traditional
company thinking about IT resources. There are numerous advantages of using cloud
computing. Here are a few examples:
164
Chapter 02: Architecture and Design
1.
Cost
Cloud computing eliminates the capital cost of buying hardware and software
and of building and running in-house data centers – server racks, 24 hours’
electricity for power and cooling, etc.
2.
Scale Globally
Cloud computing services have the capacity to scale with elasticity. In the cloud,
it means that IT resources are provided more or less computing power, storage,
bandwidth – as per requirement and from the right place.
3.
Improve Agility and Speed
New IT resources are readily available, allowing resources to be scaled up and
down indefinitely to meet demand. This results in a significant boost in
organizational agility.
4.
Reliability
Cloud computing allows data backup, disaster recovery, and business continuity
as data can be replicated in the network of the cloud supplier on multiple
redundant sites.
5.
Security
The protection of their data is one of the main problems for any organization
regardless of its size and industry. Infringements of data and other cyber-crimes
can devastate the revenue, customer loyalty, and positioning of a company.
Cloud provides many advanced security features to strengthen the security of the
overall company. It also helps in protecting your data, application, and
infrastructure.
The Economy of Cloud Computing
In the traditional context of enterprises, where big capital expenditures are required,
the cloud is the most cost-effective solution to transition to a pay-as-you-go model.
Cloud reduces the Capital Expenditure (CapEx) cost and also gives some other benefits.
With Cloud Computing, you should move toward Operational Expenditure (OpEx).
VMs, App Services, and other Azure services are mostly priced on an hourly basis. There
is also consumption-based pricing, which is dependent on the number of times a
function is executed, the number of times a resource is used per second, or both. Azure
Function is an example of consumption-based pricing.
EXAM TIP:
165
Chapter 02: Architecture and Design
Capital Expenditure (CapEx) is the expenditure to maintain or acquiring fixed assets by
spending money. This includes land, equipment, etc.
Operational Expenditure (OpEx) is the cost of a product or a system that is running on
a day-to-day basis like electricity, printer papers, etc.
Technical Terms
To comprehend Cloud Computing, you must first comprehend a few technical phrases.
1. High Availability (HA) - It is the core of cloud computing. In traditional server
environments, companies own a large amount of hardware, and the workload is limited
to this hardware capacity. In case of extra load, capacity cannot be increased whereas,
sometimes this hardware seems extra for the workload. You do not own any of the
hardware in the cloud, and addition in servers is just a click away. By replacing the failed
server with a new one, you can achieve high availability for your servers as soon as it
fails. The number of VMs you set up to eventually cover in case one goes down
determines how well HA works.
2. Fault Tolerance - For resilience in the cloud, fault tolerance is also an important
factor. Fault tolerance gives you zero downtime. Fault tolerance refers to the fact that if
there is a fault on the Azure side, it is promptly mitigated by Azure.
3. Disaster Recovery (DR) – Used in case of any catastrophic disaster like a cyberattack. If such an occurrence occurs, there is a plan in DR to recover your business from
these essential systems or restore regular operations. DR has designated time to recover
and a recovery point.
4. Scalability - In cloud computing, scalability means adding or removing the resources
in an easy and quick way as per demand. It is important in such a situation where you
do not know the actual number of resources that are needed. Auto-scaling is an
approach for scalability depending on your requirement by defining the threshold
1.
2.
Elasticity refers to the ability to dynamically expand or contract network
resources in response to autonomous working load changes and maximizes
resource use. This can contribute to overall cost savings for services.
Agility - The ability to react rapidly and efficiently to changes in the business
environment is known as agility. The ability to quickly design, test, and deploy
business-driven software applications is often called agility. Instead of providing
and managing services, Cloud Agility lets them concentrate on other issues such
as security, monitoring, and analysis.
EXAM TIP:
166
Chapter 02: Architecture and Design
From the exam perspective, one must be familiar with all the terms like HA, Fault
Tolerance, DR, Elasticity, Scalability, and Agility.
Cloud Models
We know that all clouds are not the same, and not every business requirement for cloud
computing is the same. So, in order to meet the requirements, different models, types,
and services have been used. Firstly, you have to decide how the cloud service is being
applied by finding out the cloud deployment type or Architecture. The cloud computing
services are divided into the following basic models: IaaS, PaaS, Xaas, SaaS, public,
community, hybrid, and private. These are also known as a stack in cloud computing
because each of them is built on top of another. Let’s discuss each of them.
Infrastructure as a Service (IaaS)
It gives you a basic IT infrastructure for Cloud IT like VMs, Data Storage, Networks, OS
on a pay-as-you-go model.
Platform as a Service (PaaS)
Cloud computing platforms that provide an on-demand environment to build, test, and
Platform as a Service deliver and manage software applications. PaaS is designed to
facilitate the fast development of web or mobile apps for developers without setting or
maintaining the underlying server, storage, network, and database infrastructure
needed for development.
Software as a Service (SaaS)
Both servers and code are taken over by cloud providers. Cloud providers host and
maintain the applications and underlying infrastructure for SaaS and handle updates
such as software upgrades and security patches. Users link the app over the Internet,
usually through their phones, tablets, or PC’s web browsers.
167
Chapter 02: Architecture and Design
Figure 2-08: IaaS, PaaS, and SaaS Overview
Anything as a Service (XaaS)
Anything as a Service refers to a broad category of cloud computing and remote access
services. It acknowledges the vast number of products, tools, and technologies that are
now delivered as a service to users via the internet.
EXAM TIP:
IaaS – Servers, storage, and networking
PaaS – Servers, storage, networking, and management tools
SaaS – A complete application like Office 365
Serverless - No need for server; there is a single function that is hosted, deployed, and
managed on its own
168
Chapter 02: Architecture and Design
Figure 2-09: Types of Cloud Computing
Figure 2-10: Public, Private and Hybrid Cloud
Community
169
Chapter 02: Architecture and Design
A community cloud is a cloud service paradigm that provides a cloud computing
solution to a small number of people or businesses while being administered and
managed by a single entity and secured collaboratively by all participating organizations
or a third-party managed service provider.
Cloud Service Providers
Cloud service providers host cloud computing-based infrastructure and platform
services for customers using their own data centers and compute resources. Cloud
services are typically priced through a variety of pay-as-you-go subscription models.
MSP/MSSP stands for Managed Service Provider/Managed Security Service
Provider
A managed security service provider provides outsourced monitoring and
administration of security devices and systems. Common services include managed
firewalls, intrusion detection, virtual private networks, vulnerability testing, and antiviral protection. A managed service provider is a company that manages a customer's
IT infrastructure and/or end-user systems remotely, typically on a proactive and
subscription basis. ASPs concrete the way for cloud computing and companies that offer
remote support for customers' IT infrastructure.
On-Premises vs. Off-Premises
Cloud monitoring solutions are classified into two types: off-premise and on-premises
services. Off-premise solutions are typically delivered as a hosted service and are
licensed on a monthly subscription basis. On-premise cloud monitoring solutions rely
on software that is installed on virtual or physical servers that you manage.
Fog Computing
Fog computing is a decentralized computing infrastructure that distributes data,
processing, storage, and applications between the data source and the cloud. Fog
computing, like edge computing, brings the benefits and power of the cloud closer to
the point where data is created and acted upon.
Edge Computing
Edge computing is the computational processing of sensor data away from centralized
nodes and close to the network's logical edge toward individual data sources. It is a
distributed IT network architecture that enables mobile computing for data generated
locally.
170
Chapter 02: Architecture and Design
Figure 2-11: Edge Computing
Thin Client
A thin client is a computer that uses resources from a central server rather than a local
hard drive. Thin clients operate by connecting remotely to a server-based computing
environment, which stores the majority of applications, sensitive data, and memory.
Containers
In cloud computing, a Container is a method of virtualizing an operating system. This
allows the user to interact with a program and its dependencies using isolated resource
procedures. The application's code can be systematically bundled with configurations
and dependencies.
171
Chapter 02: Architecture and Design
Figure 2-12: Container and Hypervisor Architecture
Microservices/API
Microservices are a design approach for building cloud applications. Each application is
built as a collection of services, each of which runs in its own process and communicates
via APIs. Microservices architecture is a method of building applications that has
become a best practice over time.
Figure 2-13: Micro Service Architecture
Infrastructure as Code
Software-Defined Networking (SDN)
172
Chapter 02: Architecture and Design
SDN is a networking approach that uses software-based controllers or application
programming interfaces to communicate with underlying hardware infrastructure and
direct network traffic.
While network virtualization enables organizations to segment different virtual
networks within a single physical network or connects devices on different physical
networks to form a single virtual network, software-defined networking enables a new
method of controlling data packet routing through a centralized server.
Figure 2-14: SDN Architecture
Software-Defined Visibility (SDV)
Software-Defined Visibility is equivalent to Software-Defined Networking in terms of a
visibility infrastructure. SDV combines visibility's broad reach with an automation
173
Chapter 02: Architecture and Design
framework. Network switches and routers form the physical network or Layer 2-3 data
plane in an SDN infrastructure.
Serverless architecture
Serverless computing is a critical component of current cloud computing. It is a PaaS at
its most extreme. The infrastructure required for running code with serverless apps is
automatically offered, scaled, and managed by the cloud service provider. By removing
the requirement for developers to manage infrastructure, the serverless architecture
allows them to build applications faster.
EXAM TIP: It is critical to note that "serverless" does not imply that no virtual
machines are used. It simply means that the VM running your code is not explicitly
allocated to you, which means that you do not manage them. Your code is moved to
the VM, it is executed, and then it is moved off.
Benefits of a Serverless Model
No Infrastructure Management: Use fully managed infrastructure - developers can
avoid administrative tasks and concentrate on the core business logic. You simply
deploy the code with a serverless platform, and it runs with great availability.
Dynamic Scalability: The infrastructure can automatically scale up and down within
seconds to match any workload requirements for serverless computing.
Time to Market is Reduced: Serverless applications reduce the dependencies of
operations on each development cycle, increasing the agility of development teams to
produce more features in less time.
More Efficient Use of Resources: Shifting to serverless technology allows companies
to reduce TCO and resource reallocation to speed up the pace of innovation.
Services Integration
Cloud integration is a set of tools and technologies that connects various applications,
systems, repositories, and IT environments for real-time data and process exchange.
The benefits of service integration are:
1.
2.
3.
4.
5.
6.
7.
Improved operational efficiency
Increased flexibility and scalability
Faster time-to-market
Better internal communication
Improved customer service, support, and retention
Increased competitive edge
Reduced operational costs and increased revenue
174
Chapter 02: Architecture and Design
Resource Policies
Policies and Mechanisms for Cloud Resource Management Allocating resources for
individual instances is referred to as capacity allocation. An instance is a service
activation on behalf of a cloud user. Finding resources that are subject to several global
optimization restrictions needs a broad search.
Transit Gateway
A transit gateway is a network transit hub that connects your Virtual Private Clouds
(VPCs) and on-premises networks. Inter-Region peering connects transit gateways
using the AWS Global Infrastructure as your cloud infrastructure expands globally. Your
information is automatically encrypted and is never sent over the public internet.
Virtualization
Virtualization is a technique for creating a virtual ecosystem of storage devices and the
server operating system. In such cases, virtualization allows users to use multiple
machines that share a single physical instance of any resource.
Virtual Machine (VM)
A virtual machine is a digital representation of a real computer. Virtual machine
software is capable of running programs and operating systems, storing data,
connecting to networks, and performing other computing functions, but it requires
regular maintenance such as updates and system monitoring.
VMsprawl Avoidance
VM sprawl occurs when an administrator can no longer properly supervise and manage
all of the virtual machines on a network. This can happen when many VMs are put up
for use by various departments in quickly growing networks.
VM Escape Protection
A virtual machine escape is a security exploit that allows a hacker/cracker to gain access
to the primary hypervisor and the virtual machines it creates. Virtual machine escape
allows a user to bypass the hypervisor-created, manage guest OS boundary, and gain
access to the top-tier virtualization layer.
175
Chapter 02: Architecture and Design
Mind Map
Figure 2-15: Mind Map of Cloud Computing Concepts
Secure Application Development, Deployment, and Automation Concepts
Environment
Development
Software is created through a series of steps that include obtaining requirements,
planning, designing, coding, testing, and support. These responsibilities are carried out
according to the process model that the team members have defined.
Two of these are addressed in more detail below.
Waterfall Model
The Waterfall Model is one of the application development frameworks, which is a
“sequential design process.” In this process, each step is taken sequentially; that is, the
second step follows the completion of the first, the third step follows the completion of
the second, and so forth. The Waterfall model can be implemented in multiple ways,
but they all follow similar steps.
176
Chapter 02: Architecture and Design
The following are some of the most common pros and cons of the Waterfall model:
Pros
Cons
It is a sequential approach
Developers are unable to make changes to prior
steps; hence, each step is definitive.
Emphasizes methodical A fault in instructions can result in havoc as the
record-keeping
and project depends upon the initial input and
documentation
instruction
Clients know what
expected at every step
is Only at the end of the sequence is the test carried
out
Strong
documentation Change implementation can be a nightmare for
results in less hassle
developers
Table 1-01: Pros and Cons of the Waterfall Model
A common framework for application development:
Figure 2-16: The Waterfall Model
Agile Model
In the Agile Model, no sequential path is followed. Instead, multiple tasks are performed
simultaneously in development. One advantage of the Agile model is that it is simple to
make modifications, i.e., the Agile model's development process is continuous.
The following are the two main types of Agile development:
1.
2.
Scrum
Extreme Programming (XP)
177
Chapter 02: Architecture and Design
Some of the most common advantages and disadvantages of the Agile model are as
follows:
Pros
Cons
It is a team-based approach
Mismanagement could lead toward code
sprints with no ends
It allows us to make changes
The final project could be completely
different from a planned project
Testing can be done at any point It is impossible to identify who is
along the process.
working on what from the outside.
Simultaneous testing helps
launching a project quickly
in
Lack of emphasis on documentation
Table 2-02: Pros and Cons of the Agile Model
Test
Software testing determines if a software product satisfies the expected requirements
and ensures that it is free of defects. It comprises putting software/system components
to the test with manual or automated techniques in order to assess one or more
properties of interest.
Staging
Staging is the final stage of the deployment process before it is released to Production.
Staging is the final dress rehearsal before the project is handed over to Production. For
software testing, a staging environment (stage) is a near-exact replica of a production
environment. Staging environments are created to test codes, builds, and updates in a
production-like environment prior to application deployment.
Production
Production is the last environment in your software development process. The work is
ready to be made public, and only the most thoroughly tested code should be included.
Quality Assurance (QA)
Quality assurance helps identify errors and flaws in software code and design
throughout the development process to save time and money. It ensures that the final
product is competitive, secure, and performs its expected functions smoothly.
Provisioning and De-Provisioning
178
Chapter 02: Architecture and Design
Provisioning is the process of making IT systems available to customers. Depending on
your organization's needs, provisioning can be defined at the network, server,
application, and user levels:
1.
Network provisioning entails creating a network that users, servers, and
devices can access. Network provisioning is used in the telecommunications
industry, for example, to provide wireless solutions to customers.
2.
Server provisioning is the process of configuring a server for use on a network.
This could entail building a new machine. This includes setting up physical gear,
installing and configuring software, and connecting to networks and storage in a
data center.
Application provisioning is a technology that allows you to manage your
infrastructure.
3.
4.
Creating, updating, and removing rights and permissions to a company's apps as
part of the process of managing digital identities, files, networks, systems, and
resources, is known as user provisioning.
Deprovisioning is the process of withdrawing user access to software and network
services. Simply put, it is the inverse of provisioning and occurs when employees change
roles or leave a company.
Both provisioning and de-provisioning are important in securing IT systems and
applications, but effective and automated user provisioning should be at the top of any
organization's priority list if it wants to improve its security posture.
Integrity Measurement
Integrity measurement is a technique to enable a party to query the integrity status of
software running on a platform, e.g., through attestation challenges.
Secure Coding Techniques
The following secure coding techniques are used in the software development process:
Normalization
The process of restructuring data in a database so that it meets two basic standards is
known as normalization. There is no data redundancy; everything is kept in one place.
Data dependencies are understandable.
Stored Procedures
Stored Procedures are programs that are written to perform one or more DML
operations on a database. It is simply a collection of SQL statements that accept input
179
Chapter 02: Architecture and Design
in the form of parameters, perform some task, and may or may not return a value.
Parameters are used to provide information to the Procedure.
Obfuscation/Camouflage
Obfuscation is the process of making something difficult to understand. Programming
code is frequently obfuscated to protect intellectual property or trade secrets and
prevent an attacker from reverse engineering a proprietary software program. One
method of obfuscation is to encrypt some or all of a program's code.
Code Reuse/Dead Code
The practice of reusing existing code for a new function or piece of software is known
as code reuse. However, in order to reuse code, it must be of high quality. That means
it must be safe, secure, and dependable.
A section of a program's source code executed but whose output is never used in another
computation is called dead code. Dead code wastes both computation time and
memory.
Server-Side vs. Client-Side Execution and Validation
Client-side validation is used to validate and display form-level errors, whereas serverside validation is used to validate and display field-level errors. Client-side validation is
dependent on JavaScript and may be disabled in some browsers, resulting in invalid data
being saved, whereas server-side validation is extremely secure.
Memory Management
Software Development Kits (SDKs) and Third-Party Libraries Are Used
A third-party library is one in which the most recent version of the code is not
maintained and hosted by Moodle. "Mustache. PHP" is an example.
There are currently three SDKs available: iOS, Android, and Javascript. The iOS SDK
uses the keychain to secure key material, whereas the Keystore is used by the Android
SDK. This encrypts and safeguards the tokens against unauthorized use. When you use
the ForgeRock SDKs, you get all of these best practices for free.
Data Exposure
Data exposure occurs when information is left exposed in a database or server for
anybody to see. When system and application configuration details are left unprotected
online, sensitive data can be exposed.
Open Web Application Security Project (OWASP)
The Open Web Application Security Project specifies the number of general buffer
overflow prevention strategies. These are some of them:
180
Chapter 02: Architecture and Design
1.
2.
3.
4.
5.
6.
7.
8.
Auditing of code (automated or manual)
Bounds checking, the use of dangerous functions, and group standards are all
covered in developer training.
Non-executable stacks — This is something that many operating systems
support in some fashion.
StackShield, StackGuard, and Libsafe are examples of compiler tools.
Safe functions – Use strncat instead of strcat, strncpy instead of strcpy, etc.
Use strncat instead of strcat, strncpy instead of strcpy, and so on.
Patches — Make sure your web and application servers are adequately patched
and stay on top of bug reports for apps that your code relies on.
Periodically scan your application with one or more of the commonly available
scanners that look for buffer overflow flaws in your server products and your
custom web applications
Software Diversity
Software diversity is a research area concerned with the understanding and engineering
of diversity in the context of software.
Automation/Scripting
Script automation is the process of leveraging existing scripts with automation software
to deliver automation in a managed framework without the need for future custom
script development and maintenance.
Automated Courses of Actions
A scripting system can be assumed as a best friend for all the professionals who believe
in effective technical work as it provides an automated course of action to save time. The
importance of Scripts and Automation can be seen by the fact that it is specified by the
National Institute of Standard and Technology Special publication in the 800-53 series.
Continuous Monitoring
Continuous monitoring is an essential process in automation. A good continuous
monitoring program is adaptable and includes highly reliable, relevant, and effective
controls in dealing with potential threats. A continuous monitoring program's goal is to
determine whether the entire set of planned, required, and deployed security controls
within an information system or inherited by the system remain effective over time in
the face of the inevitable changes that occur.
Continuous Validation
As time changes, the system becomes outdated. We first design and configure the
system in a way that it should perform for what it has been designed for, along with the
validation of configuration against security standards. For the timely up-gradation of
181
Chapter 02: Architecture and Design
configuration, a method called automated testing can be used to resolve issues that may
include multiple configuration management.
Integration that is Ongoing
Continuous Integration (CI) is a development method in which developers integrate
code into a shared repository on a regular basis, preferably many times per day. An
automated build and automated tests can then be used to validate each integration.
Revision control, build automation, and automated testing are a few examples.
Continuous Delivery
Continuous delivery is a software development method that involves automatically
preparing code changes for production deployment. Continuous delivery enables
developers to automate testing beyond unit tests, allowing them to validate application
updates across multiple dimensions before releasing them to customers.
Continuous Deployment
Continuous Deployment (CD) is a software release process that employs automated
testing to determine whether or not changes to a codebase are correct and stable
enough for immediate autonomous deployment to a production environment. Over
time, the software release cycle has evolved.
Elasticity
Increasing the capacity of a system to handle the workload by using additional hardware
to scale up space is called an Elasticity. In other words, Elasticity is the capacity to
dynamically extend or minimize network resources to respond to autonomous working
load adjustments and optimize the use of resources. This can contribute to overall cost
savings for services.
Scalability
Scalability means the addition or removal of the resources in an easy and quick way as
per demand. It is important in such a situation where you do not know the actual
number of resources that are needed. Auto-scaling is an approach for scalability
depending on your requirement by defining the threshold.
Version Control
Version control tracks changes and can also revert back to see what changes have been
made. This version control feature is used in multiple software, as well as in the
Operating System, cloud-based files, and wiki software. It is also significant from the
standpoint of security because it highlights required changes in terms of time.
182
Chapter 02: Architecture and Design
Mind Map
Figure 2-17: Mind Map of Automation Concepts
Summarize Authentication and Authorization Design Concepts
Any technology service with IT applications that control the access of data from illegal
users is very important to provide a secure environment. In addition, it is also very
critical to find which user access which part of the infrastructure. Both authentication
and authorization are two major steps for ensuring network security. Authentication is
a way of finding out whether the user exists in the database or not. Once the user is
found from the database user ID and password, the next step is to ensure how many
services that user has the right to access.
Authentication
Authentication is a process that uses a database user ID and password to identify a user.
For example, if a user wants to use the Yahoo mail service, they cannot just access it
easily by opening the Yahoo mail page. The user must have a valid ID and password to
log in to the Yahoo mail page, and then they will be able to use its services such as view
183
Chapter 02: Architecture and Design
Newsbeat, send an email, etc. In short, Authentication confirms the validity of the user
by using its ID and password for the desired application.
Authorization
After authentication, the authorization procedure is carried out. When the user is
authenticated, then the next step is to find which kind of data access is available for the
authenticated user. For example, an Azure user is restricted to use limited Azure
resources and services such as SQL Database, Virtual Network, or Virtual Machine. If
that Azure user tries to use those resources for which he/she is not authorized, Azure
will not give access to that resources. Likewise, if a diabetes person visits an online
shopping app, the Azure service has the profile of the diabetes person. According to his
profile, he is only allowed to purchase sugar-free items. That’s is, a person is authorized
to buy only sugar-free items.
The process of identity service is clearly shown in the scenario defined in Figure 2-18.
Figure 2-18: Process of Identity Management
Authentication vs. Authorization
Authentication and authorization have very few differences. The summarized table
shows the difference between these two entities.
Authentication
Authorization
The first step toward accessing resources
A person can be authorized only when its
authentication has been done
A way to verify the customer or user’s Authorization allows authenticated users
identity
to access a file, database, mail, etc.
Normally, a user can be authenticated Controls user access
using a user ID and password
184
Chapter 02: Architecture and Design
Factor-based authentication is usually Authorization is the granular part of
preferred for security purposes
identity services
Table 2-03: Authentication vs. Authorization
EXAM TIP:
Authentication is the process of verification of users using user ID and password.
Authorization is the method of providing the rights to authenticated users.
Authentication Methods
Directory Services
Instead of maintaining individual local login accounts, you can use an external
authentication directory service (also known as an enterprise directory or
authentication login domain) to provide a single sign-on for groups of users. Fills in
their user name (typically, the Common-Name attribute, CN). Enters their login
information. The RADIUS (Remote Authentication Dial-In User Service) protocol is a
widely used authentication technique. TACACS+ (Terminal Access Controller Access
Control System Plus) is similar to RADIUS, but it is used on Unix networks. RADIUS
uses UDP (User Datagram Protocol), whereas TACACS+ uses TCP (Transmission
Control Protocol).
Federation
Federation is a system that grants access to other users who may not have local login. It
means a single token is given to the user who is entrusted or authenticated across
various systems, just like in SSO (Single Sign-On). A federated network is created by
third parties so that users can log in with separate credentials, for example, Facebook
credentials, Twitter credentials, etc. Before establishing a federated network, the third
party has to create a trust-based relationship.
185
Chapter 02: Architecture and Design
Figure 2-19: Example of Federation
Attestation
Attestation is an indication that makes something obvious. It means to certify in an
official capacity in the case of security, specifically security programs. Attestations and
certifications are used by the industry to assess your security defenses.
Technologies
Time-Based One-Time Password (TOTP)
A time-based one-time password is generated by a computer algorithm that uses the
current time as a source of uniqueness. A TOTP is a one-time passcode generated by an
algorithm that includes the current time of day as one of its authentication factors.
Time-based one-time passwords are widely used for two-factor authentication and are
gaining popularity among cloud application providers.
186
Chapter 02: Architecture and Design
Figure 2-20: TOTP
HMAC-Based One-Time Password (HOTP)
HOTP is an acronym that stands for Hash-based Message Authentication Code
(HMAC). In layman's terms, the HMAC-based One-time Password Algorithm (HOTP)
is an event-based OTP with a counter as the moving factor in each code. The moving
factor is incremented based on a counter each time the HOTP is requested and
validated. The generated code is valid until you actively request another one, at which
point the authentication server validates it. When the code is validated and the user
gains access, the OTP generator and the server are synced. Yumiko's Yubikey is an
example of a HOTP-based OTP generator.
187
Chapter 02: Architecture and Design
Figure 2-21: HOTP
Short Message Service (SMS)
Mobile devices that support SMS texting can be used for authentication using One Time
Password (OTP) and Challenge/Response (CR or Y/N). Because it is vulnerable to manin-the-middle attacks, it is a less secure form of strong authentication. SMS OTP sends
a one-time password to the user's phone via SMS.

SMS OTP sends a one-time password to the user's phone via SMS. The user is
approved after entering the OTP into their login authentication.

SMS Challenge-Response sends a question to the user's phone via SMS, asking if
the authorization attempt is approved. If the user replies with "Yes,"
authentication is complete, and the user is logged in. If the user responds with
"No," authentication fails, and the user cannot log in.
188
Chapter 02: Architecture and Design
Figure 2-22: SMS
Token Key
A security token (sometimes called an authentication token) is a small hardware device
that allows the owner to access a network service. The device could be in the form of a
smart card or embedded in a commonplace object like a key fob. Security tokens add an
extra layer of assurance by using two-factor authentication: the user has a Personal
Identification Number (PIN) that authorizes them as the owner of that specific device;
the device then displays a number that uniquely identifies the user to the service,
allowing them to log in. Each user's identification number is changed on a regular basis,
usually every five minutes or so.
Static Codes
Static authentication makes use of a single authenticator (e.g., static password). This
type of authentication only protects against attacks where an imposter is unable to
obtain the authenticator.
Authentication Applications
The Application Authentication dialogue allows users to enter their credentials and
store them in the application server password cache, so they are not prompted the next
time they run an application on that application server. Setting up Application
Authentication. Domains in Microsoft Windows.
Push Notifications
Notification via Push Authentication enables user authentication by sending a push
notification directly to a secure application on the user's device, alerting them to an
189
Chapter 02: Architecture and Design
authentication attempt. Users can view authentication details and approve or deny
access with the click of a button.
Phone Call
Mobile or phone call authentication is the process of verifying a user's identity using a
mobile device and one or more authentication methods for secure access. One-time
passwords via phone apps or SMS messages.
Smart Card Authentication
Smart Card Authentication is a method of authenticating users into enterprise resources
such as workstations and applications by utilizing a physical card in conjunction with a
smart card reader and software on the workstation. The smart card stores a user's public
key credentials as well as a personal identification number, which serves as the secret
key for the smart card's authentication. A smart card improves security because it
cannot be used to obtain user information (such as a PIN) by tampering with it.
Biometrics
Biometric authentication is a method of security that uses a person's unique biological
characteristics to verify that they are who they say they are. Biometric authentication
systems compare physical or behavioral characteristics to data in a database that has
been verified and confirmed to be authentic. Numerous biometric factors are used for
controlling access, including fingerprint, voice recognition, retinal scanner, facial
recognition, and iris scanner.
Fingerprint
Fingerprint recognition, the most popular biometric to date, can use a variety of
approaches to classification based on minutiae, which are reproductions of epidermal
friction skin ridges found on the palm side of the fingers and thumbs, the palms, and
soles of the feet. We can use them for authentication because of the following
fundamental principles:



A fingerprint will not change over the course of a person's life.
Fingerprints have general ridge patterns that allow them to be classified
systematically.
A fingerprint is unique because no two fingers have ever been found to have
identical ridge characteristics.
190
Chapter 02: Architecture and Design
Figure 2-23: Fingerprint
Retina
The most secure method of authenticating identity is retina-based identification. By
acquiring an internal body image, the retina/choroid of a willing person who must
cooperate in a way that would be difficult to counterfeit, retinal identification provides
true identification of the person.
Iris
Parts of the human eye are depicted in the image below.
Figure 2-24: Iris
191
Chapter 02: Architecture and Design
The iris is the colored tissue that surrounds the pupil of the eye and is made up of
intricate patterns with numerous furrows and ridges.
Facial
The system uses a digital video camera to capture face images, which are then analyzed
to determine facial characteristics such as the distance between the eyes, nose, mouth,
and jaw edges.
Voice
Voice verification systems are distinct from voice recognition systems. The process of
recognizing what someone says is known as voice recognition, whereas the process of
determining who is saying it is known as voice verification.
Vein
Palm vein authentication is a vein pattern authentication technology that uses the
biometric feature of palm veins. Because palm vein patterns exist beneath human skin,
copying or stealing someone's palm vein pattern is extremely difficult. This means that
forgery is extremely difficult under normal circumstances.
Gait Analysis
One of the most well-known biometrics for secretly recognizing people is gait
recognition-based authentication. It recognizes a person based on a sequence of images
received. Gait is a physiological feature of humans. A video camera that captures videos
of human subjects walking within its field of view serves as the sensor for a gait-based
biometric system. After that, the raw sensor video is processed to extract relevant
features that can be used for recognition.
Efficacy Rates
Even when the data is encrypted, storing biometric data on a device – such as the
iPhone's TouchID or Face ID – is thought to be safer than storing it with a service
provider. This risk is similar to that of a password database, in which hackers can breach
the system and steal data that is not properly secured.
False Acceptance or False Accept Rate
A false acceptance occurs when an illegal subject is accepted as legitimate. Suppose an
organization's biometric control generates a high number of false rejections. In that
case, the overall control may have to reduce the system's accuracy by reducing the
amount of data it collects when authenticating subjects. When data points are reduced,
the organization runs the risk of increasing the False Acceptance Rate (FAR). The
organization is vulnerable to an unauthorized user gaining access. This is also referred
to as a Type II error.
192
Chapter 02: Architecture and Design
The False Rejection or False Reject Rate
When an authorized subject is rejected as unauthorized by the biometric system, this is
referred to as a false rejection. False rejections are also referred to as Type I errors. False
rejections frustrate authorized users, reduce productivity due to poor access conditions,
and necessitate the expenditure of resources to revalidate authorized users.
Crossover Error Rate
The Crossover Error Rate (CER) denotes the point at which the false Reject Rate (FRR)
and false accept rate are both equal. CER is also referred to as the Equal Error Rate
(EER). The crossover error rate describes a biometric system's overall accuracy.
Figure 2-25: CER
Exam Tip: A false accept is more dangerous than a false reject. Most organizations
would rather reject genuine subjects than accept impostors. Type II errors (FARs) are
more harmful than Type I errors (FRRs). Because two is larger than one, you will recall
that FAR errors are more serious than FRRs.
AAA (Authentication, Authorization, and Accounting) Framework
The AAA (Authentication, Authorization, and Accounting) framework is the base of
network security. The process of identifying ourselves by providing ID and password
when we log into some account goes through this AAA framework.
193
Chapter 02: Architecture and Design
Authentication
The part of the framework deals with the authentication of any person who claims to be
authorized. For that, the person generally provides ID and password and usually other
additional authentication data.
Authorization
Once the identification process is completed, the authorization part will figure out what
the person can access or access to the sources.
Accounting
Accounting keeps the record of the following things:




A person who logs in
Login time
What data is delivered and received
Log out time
Multi-Factor Authentication
MFA (Multi-Factor Authentication) is a layer-based authentication method that uses
multiple forms of authentication. This means that attackers will be unable to get access
even if an individual is compromised. MFA is recommended by default. It is a feature of
AAD that allows you to authenticate users in several ways. MFA is needed in
organizations that have a large number of users, devices, and resources. To avoid any
collapse, extra security is required for protection and efficient throughput.
How MFA Works?
MFA is a method of user authentication that involves several processes. The first step is
to use a user ID and password to validate the user. The user's phone will be sent a code
for additional verification in the second phase. Biometric verification is the third step.
This is an optional step.
For example, a user wants to log in to the online booking web app. A large number of
people are already accessing that web application due to its efficient throughput and
fast response. Using MFA, the simplest way to use the application requires the user to
put user ID and password for verification. A user's ID and password have been entered
successfully. The second step of MFA verification is to confirm the user’s credentials
from the database by sending code on the user's phone. A combination of numbers in
the form of code is sent to the user’s phone to confirm the user. When the user gets the
code, they are required to put the code in the given area to confirm the validity. Once
the code is entered, the authentication of the user is complete. Another way to
authenticate the user is Fingerprint verification, but this step is only needed for highly
194
Chapter 02: Architecture and Design
advanced security purposes. The following figure shows the layer-based services offered
by MFA.
Figure 2-26: Multi-Factor Authentication
EXAM TIP
Multi-Factor Authentication provides the combined version of authentication that
results in an advanced level of security and protection.
In a AAA authentication mechanism, a user is asked for multi-factor authentication like
who you are, what you have, what do you know, what do you do, and etc. These additional
items may have a cost combined with them.
Something You Are
Biometric Authentication: Biometric authentication, like a fingerprint, does not
actually keep your real fingerprint. Instead, it keeps a mathematical representation of
your biometrics. The mathematical values used for biometric representation are
complex to modify because these biometric values are unique.
195
Chapter 02: Architecture and Design
Something You Have
Smart Card: These cards are inserted into the computer, and usually, these cards are
combined with a Personal Identification Number or PIN so that if some unauthorized
person may get access to your card, he may have to provide that additional information
or PIN.
USBToken: Another method of authenticating is the use of a USB Token. When
authentication is required, a specific certificate is stored on the USB and used.
Hardware and Software Token: This token generates synchronized pseudo-random
codes for authentication purposes.
Your Phone: Messages or codes are sent to the phone, and then those messages or codes
are used for authentication purposes.
Something You Know
Password: The most common way of authentication is a password. The password is a
secret word, code, or character that is known to the only person who created that
password.
PIN: PIN is abbreviated as Personal Identification Number. These PINs are usually asked
us when we use an ATM that is generally a 4-digit code used for authentication.
Pattern: A pattern is also a type of authentication. These types of patterns are seen on
the mobile phone lock screen nowadays commonly.
Figure 2-27: Password and Pattern Authentication
Somewhere You Are
Your Location: A useful method of authentication that is based on your geographical
location. In this type of authentication, when a person logs in to a system, they have to
provide the details of where they are, and the process of the transaction only completes
if that person is in that particular location.
IP Address: Another way to authenticate where the person is, is through an IP address.
It does not provide accurate geography but can help to some extent.
196
Chapter 02: Architecture and Design
Mobile Device Location: Mobile devices provide accurate geographical location as
compared to others through GPS (Global Positioning System).
Something You Can Do
Handwriting Analysis: Handwriting and signatures are another way to authenticate
who the person is.
Typing Technique: Typing technique is also used to determine the person because
every person has some kind of typing pattern.
Identity and Access Services
Gaining Access:
To gain access to network resources, credentials are needed that are first investigated
by the AAA server. For example, consider a client wants to get access to the resources
of a network, and he is authenticating through a VPN concentrator. The client first
requests the VPN concentrator to get access. This request contains authentication
credentials such as username/password. VPN Concentrator authenticates the
connection request through the AAA server. If the credentials are matched, AAA
approves the authentication. After validating the authentication credentials, the
connection is established.
Figure 2-28: Access Gaining Process
There are many protocols that are used by the AAA server for this authentication
process:
197
Chapter 02: Architecture and Design
RADIUS (Remote Authentication Dial-in User Service)
RADIUS is a popular protocol for authentication. It supports numerous devices or
networks other than dial-in networks. The services of RADIUS can be used to centralize
for a single authentication for various systems like Routers, Switches, Firewall, etc. The
services of RADIUS are almost available for every Operating System.
TACACS (Terminal Access Controller Access Control System)
It is a remote protocol for authentication that is typically needed to control access to
dial-up lines.


XTACACS: It is abbreviated as Extended TACACS. It is created with new features
induced by Cisco. It is only for Cisco devices as it is Cisco proprietary and supports
accounting and auditing too.
TACACS+: It is an authentication protocol developed by Cisco and released as a
standard open beginning in 1993. TACACS+ is an entirely new protocol and is not
compatible with its predecessors. TACACS+ encrypts all the information mentioned
above and therefore does not have the vulnerabilities present in the RADIUS
protocol.
The properties of RADIUS and TACACS+ are summarized and compared in this table.
L4 Protocol
TACACS+
RADIUS
TCP port 49
UDP ports.
1812/1645 for authentication
1813/1646 for accounting
Encryption
Encrypts full payload of Encrypts passwords only
each packet
Observations
Proprietary to Cisco,
very granular control of
authorization, separate
implementation of AAA
Open Standard, robust, great accounting
features, less granular authorization
control.
Another
protocol
named
DIAMETER may replace RADIUS in the
near future with enhanced capabilities
Table 2-04: Comparison of RADIUS and TACACS+
Cloud vs. On-Premises Requirements
On-Premises: A type of model that uses the same legacy IT infrastructure and runs
cloud resources within its own data center. It is also called the private cloud for its ability
to provide dedicated resources while maintaining total control and ownership of the
environment.
198
Chapter 02: Architecture and Design
Cloud: A type of model in which a third party makes computing resources for the public
over the internet. Cloud-based applications are fully deployed and run on the cloud.
There is no need to set up and maintain your own cloud servers in-house.
Mind Map
Figure 2-29: Mind Map of Authentication & Authorization Design Concepts
Implementation of Cybersecurity Resilience
Redundancy
In a cyber-system, redundancy means creating multiple resources that perform the
same function and can be replaced if the primary system resources fail.
Geographic Dispersal
As digital transformation and hyper-convergence open unintended doors to risks,
vulnerabilities, attacks, and failures, a cyber-resilience strategy becomes increasingly
important for your company. A cyber-resilience strategy can assist your company in
reducing risks, financial impact, and reputational damage.
Disk
Redundant Array of Inexpensive Disks (RAID) Levels
RAID stands for Redundant Array Independent Disks. It is used to increase the
reliability of storage disks. It takes data that is commonly stored on a disk and sends it
to many others, keeping the data stored in various places. RAID also increases the speed
of data recovery because multiple disks are busy recovering data rather than a single
disk.
199
Chapter 02: Architecture and Design
The following are some often used terminology in relation to RAID:



Striping: data is spread over several drives.
Mirroring: data is replicated across several disks.
Parity is also known as a checksum. Parity is a determined value that is used to
recreate data mathematically.
Various RAID levels are offered to fulfill the requirements of different applications. The
following table lists the RAID modes available on several StarTech.com products:
RAID Description
mod
e
RAID Striped disks
0
Operation
Advantages
Disadvantage
s
Recover
y
The data is
uniformly
distributed
across two or
more disks
Largest size
and quickest
speed
No
redundancy
RAID Mirrored
1
disks
The
information
on two or
more drives is
the same
Data is
distributed
evenly among
two or more
disks, as well
as a parity
drive
The data is
uniformly
distributed
among three
or more disks.
The parity is
divided
between the
disks
Four or more
drives are
striped to
Data will not
be lost if a
single drive
fails
The slowest
and smallest
disk limits
speed and size
For sequential
read/write
operations,
high speeds
are required
Multiple
simultaneous
instructions
provide poor
performance
Large size,
quick speed,
and
redundancy
are all
advantages
Parity reduces
the entire
array size
Array
failure
occurs
when
one or
more
drives
fail
For
recovery,
only one
drive is
required
A single
drive
failure
will
cause the
system to
rebuild
The
system
will
rebuild if
a single
drive
fails
RAID-2 is
larger and
faster than
RAID-1, and it
There is no
parity
RAID Set of stripes
3
with special
parity
RAID Disks with
5
distributed
parity that
are striped
RAID 1+0; Mirrored
10
Subset with
Stripes
200
In a
mirrored
set, only
Chapter 02: Architecture and Design
create two
mirrors
JBOD Just a Bunch
Of Disks
Big
Clon
e
Concatenatio
n or spanning
RAID 1 +
Spare
The operating
system can
access any
number of
drives
independentl
y.
Data is
written to the
first drive
until it is full,
then to the
next drive(s)
until it or
they are full
Two
drives
contain
identical data,
and one drive
is in use for
rebuilding in
case
of
a
primary array
failure
has more
redundancy
than RAID-0
Software RAID Hardware
modes are
RAID may
available
outperform
software RAID
one drive
can fail
Creates a large
and
straightforwar
d array
No
N/A
When one of
the drives in a
RAID-1 array
fails, the array
continues to
function
normally
The spare
drive is not
accessible to
the user
N/A
redundancy
Only one
drive is
needed
for
recovery
Table 2-05: Available RAID Modes
Multipath
Device-Mapper Multipathing (DM-Multipath) combines multiple I/O paths between
server nodes and storage arrays into a single device. These I/O paths are physical SAN
connections that may consist of multiple cables, switches, and controllers.
Network
Load Balancers
Load Balancer takes the load and distributes it among various resources without the
user being informed. The load balancer is able to provide fault tolerance and has very
fast convergence.
201
Chapter 02: Architecture and Design
A load balancer is something that takes the load of traffic and distributes it among
multiple resources or servers. This process of distributing load is invisible to the user. A
benefit of the load balancer is that it provides fault tolerance.
Scheduling
It is the scheduling algorithm on the basis of which the load balancer determines how
to distribute the traffic load among various internal servers. There are many different
scheduling algorithms; some of them are discussed below.
Affinity
The affinity is the characteristic of a load balancer, which means that for a particular
application or user, the load balancer will use the same server.
Round Robin
Round Robin is the kind of schedule in which every new request is sent over to the next
server in a cycle or rotation, and all these requests are forwarded in equal amounts
despite server load. The modified Round-Robin scheme involves a weight factor that
considers servers load and other principles when forwarding the request to the next
server in turn.
Active-Passive
In an active-passive load balancing scheme, there are two load balancers, one for doing
active balancing, and another load balancer passively observes the system and functions
when the primary load balancer fails.
Active-Active
In the active-active type of load balancing scheme, both the load balancer are active
means both of them are sharing the duty of load balancing.
Network Interface Card Teaming
Network Interface Card (NIC) teaming is a common method of grouping physical
network adapters in order to improve performance and redundancy. The primary
advantages of NIC teaming are load balancing (redistributing traffic across networks)
and failover (ensuring network continuity in the event of system hardware failure)
without the requirement for multiple physical connections.
Power
Uninterruptible Power Supply (UPS)
The ability to remotely monitor the devices, as well as their uninterruptible power
supply, has opened them up to external networks. Naturally, a UPS that lacks a network
card or other means of remote access is not directly vulnerable to a cyber-attack.
202
Chapter 02: Architecture and Design
Generator
The power control system is critical in ensuring that power is available in response to
customer demand. An imbalance in supply and demand can cause system frequency
instability, jeopardizing the power system's operational security. A central control
scheme is commonly used in traditional power systems, with a single control center that
collects information from and sends control commands to all agents. However, such a
central control architecture is no longer appropriate for today's power systems.
Geographically dispersed distributed generators, for example, are increasingly being
integrated into the power grid. Because of the requirement for plug and plug operation,
these are not suitable for coordination by central control. Central control is also
inapplicable in microgrid operations, where distributed generators must supply power
in island mode. Distributed control is preferred over central control because of its
dependability, scalability, and flexibility. Local controllers in distributed control, on the
other hand, have access to both local and neighbor information, making them
vulnerable to cyber-attack. By launching FDI attacks, a malicious entity can disrupt data
exchange between neighboring local controllers.
Managed Power Distribution Units
Advanced power distribution units, or PDUs, give system administrators more control
options, protect circuitry, and optimize energy allocation. Alarm thresholds aid in risk
mitigation by providing real-time warnings of potential circuit overloads. These
metering devices include both floor-mounted power distribution units for converting
raw power into lower-capacity feeds and smaller devices for distributing power within
racks with multiple appliance connections. Some power distribution units have LANnetwork access, allowing administrators to control electrical loads and schedule
shutdowns from afar. Power distribution units assist in balancing costs in order to meet
energy management targets.
Replication
Storage Area Network
A storage area network (SAN) is a specialized high-speed network or subnetwork that
links and presents many servers with shared pools of storage devices. A distinct,
dedicated, highly scalable, high-performance network designed to interface a number
of servers to an array of storage devices is provided by SAN technology, which fulfills
advanced business storage demands. After that, the storage can be arranged and
handled as tiers or pools.
VM
VM is basically a virtual machine. Supported Linux distributions are CentOS, Oracle
Linux, RHEL, Debian, OpenSUSE, SUSE LES, and Ubuntu. There are six types of VMs
203
Chapter 02: Architecture and Design
with 28 families. There is a set amount of Memory, vCPUs, and Temporary Storage. You
can also attach additional data disks to these VMs. Pricing is based on per-minute
billing. Reserved VMs are also available for significant discounts like you can get
discounts up to 72% on a pay-as-you-go model.
Backup Types
Backup utilities help you through unexpected disruptions in the system like the system's
failure, when it gets infected, and at the time of data loss. At Such crucial times, the
backed-up utilities become lifesavers. Having a backup of everything serves as the key
factor in the disaster recovery of any organization. Backup can be made to tape, disk,
optical drive, etc. For database backup, replication (online duplication) can be used.
Full
In order to back up files in an OS, there are various strategies that can be followed. One
of them is a full backup. Every time the backup process is performed, every single file is
copied sequentially in the full backup.
Incremental
In the incremental backup, those files are copied that have been modified since the last
time an incremental backup is performed.
Snapshot
Using snapshots is common to the backup operating system. A snapshot is a replicate
of virtual machines at a definite moment in time. A snapshot is generated by replicating
the files that keep the virtual machine.
Differential
Differential backup only backs up the changes and modifications that are done after the
last backup.
Tape
Tape backup is the practice of copying data from a primary storage device to a tape
cartridge on a regular basis so that it can be recovered in the event of a hard disk crash
or failure. Tape backups can also be used to restore data to storage devices when
necessary.
Disk
Hard disk storage has grown in popularity as it has become more affordable. Hard disks
are typically simple to use, widely available, and easily accessible. On the other hand,
hard disk backups are low-tolerance mechanical devices that can be damaged more
easily than tapes, particularly during transport. External hard disks can be connected
using local interfaces such as SCSI, USB, FireWire, or eSATA, as well as longer-distance
204
Chapter 02: Architecture and Design
technologies such as Ethernet, iSCSI, or Fibre Channel. Some disk-based backup
systems support data deduplication, whether via Virtual Tape Libraries or otherwise,
and can reduce the amount of disk storage capacity consumed by daily and weekly
backup data.
Network-attached storage
Network-Attached Storage (NAS) is a type of dedicated file storage that allows multiple
users and diverse client devices to access data from a centralized disk capacity. NAS
devices provide infrastructure for centralizing storage and supporting tasks such as
archiving and backup and a cloud tier.
Cloud
Cloud backup, also known as online backup or remote backup, is a method of storing a
copy of a physical or virtual file or database in a secondary, off-site location in the event
of equipment failure or disaster. A third-party service provider typically hosts the
secondary server and data storage systems, charging the backup customer a fee based
on storage space or capacity used, data transmission bandwidth, number of users,
number of servers, or number of times data is accessed.
Image
Image Backups are exactly what they sound like: a backup of your entire operating
system, including files, executable programs, and OS configurations. Professional
backup solutions will automatically create full or incremental images of the hard drive.
Online vs. Offline
Online backup storage is typically the most accessible type of data storage, with restores
starting in milliseconds. An example of an online backup is an internal hard disk or a
disk array (possibly connected to a SAN). This type of storage is convenient and quick,
but it is vulnerable to being deleted or overwritten, whether by accident, malicious
intent, or in the aftermath of a data-deleting virus payload.
Off-line storage necessitates some kind of direct action to gain access to the storage
media, such as inserting a tape into a tape drive or plugging in a cable. Because the data
is inaccessible to any computer except during the brief periods when it is written or read
back, it is largely immune to online backup failure modes.
Offsite Storage
Having an off-site backup is one of the best options. Off-site backup means that all the
data is copied and stored on some other site (other than your building). It also mitigates
the risk of backup loss.
Non-Persistence
205
Chapter 02: Architecture and Design
A system is said to be non-persistence when the changes made in it are not permanent.
Making the system non-persistence secures it from certain malware as the files,
applications, or programs installed in it are not permanent because the changes made
in its configuration are not saved.
Revert to a Known State
The capability of an operating system to snapshot any virtual machine is understood as
reverting to a known state. Most of the operating systems have this capability as a builtin program. This option is mainly found in Microsoft office, where the system creates a
restore point by default before the update processes.
Last Known-Good Configuration
The last-known-good configuration to a known configuration can also be defined as
getting back to a known state. For example, you can use this option if you make any
incorrect configuration to your system and you want to get back to the older state.
Live Boot Media
A bootable system known as live boot media is concluded to an optical disk or USB,
which is specially designed to be bootable from the media. This is used to boot the
system from an external operating system.
High Availability
High availability is the ability of a system to maintain a space for data and operational
services regardless of any disrupting events (faults). High availability has the same goal
as fault tolerance along with the availability of data and services.
Scalability
A design that makes a system accommodate more load by using additional hardware or
sources is known as scalability. This term is commonly used in server farms and
database clusters because these two mostly face scaling issues due to workload.
Restoration Order
During the process of application recovery, it is required to consider what applications
have higher priority because all the applications do not have the same priority. Such as
customer-facing applications or the application dealing with the billing process are of
higher priority.
The priority list of application restoration should be well defined by the management
of the corporation. This order of restoration list is changeable, which means the
management can change the order based on its priority.
Diversity
206
Chapter 02: Architecture and Design
Vendors
When you have multiple suppliers, it creates vendor diversity and reduces the risk from
a particular supplier. Relying on a single vendor increases the risk factor. For example,
if you have two firewalls from two different vendors, it reduces risk and adds diversity
because you can turn to the other firewall in case something happens to one firewall or
if the firewall contains flaws.
Controls
Control diversity is also important because it provides layered security that helps in
generating the desired result.
Administrative Control
Administrative control is by all means necessary. Administrative control includes all the
policies and procedures that are required to be followed by everyone in order to
maintain security.
Technical Control
Technical control is also essential to ensure that the hardware and software we use are
hardened or not. Active Directory authentication, firewall, and disk encryption are all
parts of technical control.
Mind Map
Figure 2-30: Mind Map of Cybersecurity Resilience
207
Chapter 02: Architecture and Design
The Security Implications of Embedded and Specialized Systems
Embedded Systems
An embedded system is a system that uses an embedded operating system, and the user
does not have any direct access to that operating system, and it is simply accessed
through the user interface. One of the impacts associated with this embedded system is
that if it is not updated or patched, it can develop hidden vulnerabilities in the system.
Raspberry Pi
The Raspberry Pi is a low-cost, credit-card-sized computer that connects to a computer
monitor or TV and operates with a standard keyboard and mouse. It is a little capable
device that allows people of all ages to experiment with computing and learn to program
in languages such as Scratch and Python.
Field-Programmable Gate Array
A Field-Programmable Gate Array (FPGA) is an integrated circuit that a customer or a
designer can configure after it has been manufactured – hence the term "fieldprogrammable." FPGAs are useful for prototyping ASICs or processors. The FPGA is
reprogrammed until the ASIC or processor design is bug-free, at which point production
of the final ASIC can resume. This FPGA method is used by Intel to prototype new ASIC
chips.
Arduino
An embedded system is a combination of hardware and software that must be in sync
with one another. The Arduino is an open-source computer hardware/software
platform for creating digital devices and interactive objects that can sense and control
the physical world around them.
Supervisory Control and Data Acquisition (SCADA)/Industrial Control System
(ICS) Facilities
SCADA abbreviates as “Supervisory Control and Data Acquisition System.” It is a process
used to control the system that is automated in a cyber-physical environment like a
traffic light, energy networks, water plants, refineries, environmental controls, building
automation manufacturing plants, etc. SCADA contains its own smart components,
each of which is an example of an embedded system.
SCADA is also known by different other names like Industrial Control System (ICS) and
Distributed Control System (DCS); these variations depend on the configuration and
industry.
Internet of Things (IoT)
208
Chapter 02: Architecture and Design
The world is rapidly moving towards automation. The need for automated devices
where we have control of daily tasks at our fingertips is increasing day by day. As we all
know, there is a performance and productivity difference between manual and
automated processes, and moving toward the interconnection of things will process
even faster. The term "things" refers to machines, appliances, vehicles, sensors, and
many other devices. An example of automation through the Internet of Things is a
CCTV camera in a building capturing an intrusion and immediately generating an alert
on client devices at their remote location. Similarly, we can connect devices over the
internet to communicate with other devices.
IoT technology requires a unique identity. IP addresses, especially IPv6 addresses,
provide each device with a unique identity. Planning and deploying IPv4 and IPv6 over
a complex network topology necessitates careful consideration of sophisticated tactics
and methodologies. Each network node in IP version 4 is given a 32-bit address for
identification; however, in IP version 6, each node is given a 128-bit address for unique
identification. IPv6 is an advanced version of IPv4 that can accommodate the emerging
popularity of the internet, the increasing number of users and devices, and
advancements in networking. Advanced IP addresses are required to be taken into
account IP addresses that guarantee efficiency, reliability, and scalability in the overall
network model.
Figure 2-31: IoT Workflow
How does the Internet of Things Work?
IoT devices can use IoT gateways to communicate with the internet or communicate
with the internet directly. The integration of controlled equipment, a logic controller,
209
Chapter 02: Architecture and Design
and advanced programmable electronic circuits make them capable of communicating
and being controlled remotely.
The architecture of IoT depends on five layers, as follows:
1.
2.
3.
4.
5.
Application Layer
Middleware Layer
Internet Layer
Access Gateway Layer
Edge Technology Layer
Figure 2-32: IoT Architecture





The Application Layer is responsible for delivering data to users. This is a user
interface for controlling, managing, and commanding these IoT devices
The Middleware Layer is for device and information management
The Internet Layer is responsible for endpoint connectivity
The Access Gateway Layer is responsible for protocol translation and messaging
The Edge Technology Layer covers IoT capable devices
IoT Technologies and Protocols
Wireless Communication
Wired
Short Range
Medium
Range
Long Range
Bluetooth Low
Energy (BLE)
Ha-Low
Low-Power
Wide Area
210
Operating
System
Communication
Ethernet
RIOT OS
Chapter 02: Architecture and Design
Networking
(LPWAN)
Light-Fidelity
(Li-Fi)
LTEAdvanced
Near Field
Communication
(NFC)
Very Small
Aperture
Terminal
(VSAT)
Multimedia over
Coax Alliance
(MoCA)
ARM
mbed OS
Cellular
Power-Line
Communication
(PLC)
Real Sense
OS X
Radio
Frequency
Identification
(RFID)
Ubuntu
Core
Wi-Fi
Integrity
RTOS
Table 2-06: IoT Technologies and Protocols
IoT Communication Models
IoT devices can communicate with other devices in several ways. The following are some
of the IoT communication models.
Device-to-Device Model
The Device-to-Device Model is a basic IoT communication model in which two devices
communicate with each other without interfering with any other device.
Communication between these two devices is established using communication
mediums such as a wireless network. An example of a device-to-device communication
model can be a mobile phone user and a Wi-Fi printer. The user can connect a Wi-Fi
printer using a Wi-Fi connection and send commands to the printer. These devices are
independent of the vendor. A vendor’s mobile phone can communicate with the
wireless printer of a different manufacturer due to interoperability. Similarly, any home
appliance connected with wireless remote control through a medium, such as Wi-Fi,
Bluetooth, NFC, or RFID, is an example of the device-to-device communication model.
211
Chapter 02: Architecture and Design
Figure 2-33: D2D Communication Model
Device-to-Cloud Model
The Device-to-Cloud Model is another IoT device communication model in which IoT
devices directly communicate with the application server. Consider a real-life scenario
in which a residence has several security sensors installed, such as motion detectors,
cameras, temperature sensors, and so on. The application server, which can be hosted
locally or in the cloud, is directly connected to these sensors. The application server
facilitates communication between various devices.
Similarly, Device-to-Cloud communication scenarios are found in a manufacturing
environment where different sensors communicate with the application server.
Application servers process data, perform predictive maintenance, execute required and
remediation actions to automate processes, and accelerate production.
Figure 2-34: Device to Cloud Communication Model
Device-to-Gateway Model
The Device-to-Gateway model is similar to the device-to-cloud model. IoT gateway
devices collect data from sensors and send it to the remote application server. This
212
Chapter 02: Architecture and Design
gateway can provide security and other functionality, such as data or protocol
translation. In addition, there is a consolidation point where the data being transmitted
can be controlled.
Figure 2-35: Device to Gateway Communication Model
Back-End Data-Sharing Model
The Back-end Data-sharing Model is an advanced model in which devices communicate
with the application servers. This scenario is used in a collective partnership between
different application providers. The Back-end Data sharing model extends the deviceto-cloud model to a scalable scenario where sensors are accessed and controlled by
multiple authorized third parties.
Figure 2-36: Back End Data Sharing Model
213
Chapter 02: Architecture and Design
The devices that are comprised of the Internet of Things or the Smart devices have taken
the world’s market by storm. Anything that contains a microcontroller seems to be
connected to the web so that it can be controlled remotely.
Wearable Technology: The use of smart devices that are wearable has majorly
increased. These wearable technologies include everything from smartwatches to step
counters to health monitors and more. As these devices are connected to the person,
they can track the person's location. The security concern that arises from the usage of
these wearable gadgets is the data/information stored and who can access that
data/information.
Home Automation: The driving factor behind the IoT movement is Home
Automation.
Home automation or smart home is a system in which every device is connected to the
internet and is controlled through the internet like doorbells, lights, fans, AC, TV, Door
Locks, etc.
These IoT devices are smart devices, and they know when we are home and when we
are not. If someone can gain access to this home automation system, it means they have
potentially gained access to the entire house.
Figure 2-37: Home Automation
Specialized
Medical systems
Embedded systems are also used for Medical purposes like heart monitors or insulin
pumps. The security concern related to these medical devices is that how the kernel is
patched in case the vulnerabilities are found because the medical devices are designed
and manufactured for a static system that does not require updating and patching. In
214
Chapter 02: Architecture and Design
case if the changes are made, then it will force towards a lengthy, time-consuming,
expensive requalification process. Therefore, it is recommended by most of the
manufacturers not to connect the medical devices to the outside network (isolate the
device), which in reality is not possible.
Note: In 2017, nearly half a million pacemakers were recalled for a software vulnerability
that allows the hacker to gain access to the device and make changes to the performance
characteristics of these devices. The good news related to this security issue is that
without removing the device, it can be patched, but it requires a doctor's visit to install
the new firmware.
Vehicles
Some current embedded system trends in automobiles include airbags, event data
recorders, anti-lock brake systems, cruise control, rain-sensing wipers, emission
control, traction control, automatic parking, in-vehicle entertainment, backup collision
sensors, navigation systems, and tire-pressure monitors.
Aircraft
The embedded systems are also inside the Aircraft or Unmanned Ariel Vehicles (UAV).
Flight Control System (FCS) and Air Traffic Control (ATC) are two primary control
systems of an airplane consisting of different components and embedded systems. Some
of the security issues arise when somebody performs Denial of Service (D0S) and creates
some interference to disturb the communication. Not only would it damage the aircraft,
but it would also be dangerous for the people on the ground.
Smart meters
A smart meter is an electronic device that records data such as electric energy
consumption, voltage levels, current, and power factor. Smart meters transmit data to
consumers for a better understanding of their consumption habits and electricity
suppliers for system monitoring and customer billing.
Voice over IP
Voice over IP (VoIP) is a method of converting your voice into a digital signal,
compressing it, and transmitting it over the internet. The call is set up between all
participants by a VoIP service provider. The digital data is then decompressed into the
sound you hear through your handset or speakerphone at the receiving end.
Heating, Ventilation, Air Conditioning
Heating, Ventilating, and Air Conditioning (HVAC) is an acronym for heating,
ventilation, and air conditioning. A complex system designed by the HVAC system
expert and installed in large buildings or enterprises. It is not a standalone unit; it is
usually integrated with other components within the infrastructure. A centralized PC is
215
Chapter 02: Architecture and Design
responsible for managing all these HVAC units that include making heating and cooling
decisions for data centers and workspace.
HVAC systems are usually not built keeping security in mind, and this leads to difficulty
in recovering from the infrastructure’s DOS.
Drones/AVs
Autonomous flight and position control are provided by a fully functional integrated
GPS system. The small-footprint drone can fly into small spaces, hover, capture video
images, and transmit real-time data to the user. While drones can be used for a variety
of purposes, including recreation, photography, commercial, and military use, their two
primary functions are flight and navigation. Drones fly thanks to a power source, such
as a battery or fuel, rotors, propellers, and a frame.
Multifunction Printer
An MFP (Multi-Function Product/Printer/Peripheral), All-in-One (AIO), or MultiFunction Device (MFD) is an office machine that combines the functionality of multiple
devices into one, allowing for a smaller footprint in a home or small business setting or
centralized document management/distribution/production in a large-office setting. A
typical MFP can function as one or more of the following devices: email, fax,
photocopier, printer, and scanner.
Real-Time Operating System
Real-Time Operating System (RTOS) is the system in which the processing must occur
in real-time and where the data cannot be queued for significant time-length. The RTOS
is designed for such types of system
RTOS is designed and programmed for a specific purpose. The scheduling algorithm in
RTOS deals with the time collision. However, RTOS generally processes each input as
received or within a specific time, defined as ‘response time.’ Mostly, the multi-tasking
system lacks real-time processing. Therefore, the RTOS, instead of handling multiple
tasks, emphasizes the thread in processing.
Surveillance Systems
Embedded system security is a proactive approach to safeguarding software running on
embedded systems from attack. An embedded system is a hardware component that
can be programmed and has a minimal operating system and software. Embedded
systems are created to carry out specific functions or functions.
Surveillance systems are an important part of keeping your home or business safe.
Wireless home security cameras to sophisticated alarm systems that alert law
enforcement at the first sign of trouble is examples of these systems.
System on Chip
216
Chapter 02: Architecture and Design
System on a Chip, or SoC, is one of the most popular embedded systems these days.
Multiple activities take place on a single piece of a silicon chip. That is, multiple
components run on a single chip. The whole process mainly relies on the chip, including
the functioning of peripheral devices.
For Example: In Raspberry Pi 2, the Broadcom chip is the SoC, then this chip is an
interface that gets you to the network USB interfaces or HDMI video interface.
Low power consumption and efficient designs are why SOCs are very common in the
markets. As far as the implication of security on the SOC-based system is concerned, all
the security issues are handled by the system and not by the specifics of SOC aspects.
Communication Considerations
5G
5G refers to the fifth generation of mobile networks. After 1G, 2G, 3G, and 4G networks,
it is a new global wireless standard. 5G enables a new type of network capable of
connecting virtually everyone and everything, including machines, objects, and devices.
Narrow-Band
Narrowband data communication and telecommunications tools, technologies, and
services use a smaller set or band of frequencies in the communication channel. These
use a channel frequency that is considered flat or a smaller number of frequency sets.
Baseband Radio
A twisted-pair subscriber loop that transmits voltage pulses between the serving central
office or access node and the user is known as a baseband digital loop. The pulses are
shaped for optimal transmission on twisted pairs and represent the values of bits or
groups of bits.
Subscriber Identity Module (SIM) Cards
SIMs (Subscriber Identity Modules) can be valuable evidence in and of themselves. They
contain a large amount of data and should be collected and analyzed.
There are a couple of numbers on the SIM that will be of particular interest. The
International Mobile Subscriber Identity (IMSI) is the first (IMSI). The Integrated
Circuit Card Identifier is the second (ICC-ID). The IMSI identifies a subscriber's account
information and services. The ICC-ID is the serial number found on the SIM card. The
SIM can include the following information:




Subscriber identification (IMSI)
Service provider
Card identity (ICC-ID)
Language preferences
217
Chapter 02: Architecture and Design





Phone location when powered off
User’s stored phone numbers
Numbers dialed by the user
SMS text messages (potentially)
Deleted SMS text messages (potentially)
A processor (CPU), RAM, Flash-based nonvolatile memory, and a crypto-chip are SIM
cards' individual components. They are present in all phones but are more common in
GSM, iDEN, and Blackberry handsets.
Zigbee
Zigbee is a wireless mesh network standard for low-cost, low-power devices in wireless
control and monitoring applications. Low-latency communication is provided by
Zigbee. Zigbee chips are frequently combined with radios and microcontrollers.
A radio transceiver is used by Zigbee smart devices to communicate with one another.
The chip operates on the IEEE 802.15. 4 protocol at 2.4 GHz, which is the same frequency
band as Wi-Fi and Bluetooth. A Zigbee message can also be copied and forwarded from
one device to the next.
Mind Map
Figure 2-38: Mind Map of Security Implications of Embedded Systems
The Importance of Physical Security Controls
When it comes to safeguarding anything, physical security is always the first priority. It
is also regarded as the first layer of protection in the field of information security.
218
Chapter 02: Architecture and Design
Physical security encompasses safeguarding against man-made threats like theft,
damage, and unwanted physical access, as well as natural disasters like rain, dust, power
outages, and fire.
Figure 2-39: Physical Security Measures
Physical security is essential to prevent stealing, tampering, damage, theft, and a variety
of other physical attacks. Fences, guards, CCTV cameras, intruder monitoring systems,
burglar alarms, and deadlocks are used to secure the premises and assets. Authorized
individuals should only access important files and papers. These files should not be left
at an unsecured location, even within an organization. Functional areas must be
separated and biometrically protected. Continuous or frequent monitoring such as
monitoring wiretapping, computer equipment, HVAC, and firefighting systems should
also be done.
Bollards/Barricades
A bollard is a short post that is used to direct traffic and protect against vehicle
intrusions. Bollards can be designed and installed to withstand significant vehicle
impacts, but they can also be used as decorative or aesthetically pleasing barriers. Many
bollards serve as decorative elements in the design of buildings and landscapes.
Mantraps
The implementation of a mantrap is an approach to oppose tailgating. A mantrap
contains two doors closely spaced together. Opening and closing of these doors are set
up in a way that only one door is open at a time. These doors are usually secure with
card/pin authentication. It eliminates the risk of tailgating and piggybacking.
219
Chapter 02: Architecture and Design
Badges
These security badges are intended to identify, validate, and implement the appropriate
security measures and features that govern how a company monitors, controls, restricts,
and protects its resources. At the very least, the security badge will include an
individual's photo and identification number.
Alarms
The function of an alarm is to alert the operator about any abnormal condition or
activity. If a company has too many alarm conditions, then the operator will not react
to the condition as desired. Tuning an alarm will provide accurate, useful, and desired
information.
Signage
Physical security entails the use of multiple layers of interconnected systems, such as
CCTV surveillance, security guards, protective barriers, locks, access control, perimeter
intrusion detection, deterrent systems, fire protection, and other systems designed to
protect people and property.
Cameras
Motion Recognition
For several years, physical security professionals have been drawn to the concept of
video motion detection. Significant advancements in image processing dedicated
hardware, image analysis algorithms, and software have accelerated the successful
application of video motion detection systems to a wide range of physical security
applications. Potential benefits claimed included increased benefits from existing video
surveillance systems, automatic detection, improved performance over human
observers, and cost-effectiveness.
Object Detection
Any security camera with Deep Learning Vision can detect any object you can think of.
The ability of artificial intelligence-powered security cameras to detect fast-moving
objects such as cars is one of their strengths.
Closed-Circuit Television (CCTV)
CCTV serves as a visual deterrent to unauthorized entry, theft, and violence. It can be
used to cover the Site access points, such as internal access to higher security zones and
perimeter access to specific physical assets or work areas.
The advantages of CCTV may include the ability to:

Keep an eye on event-triggered alarms
220
Chapter 02: Architecture and Design


Use it in conjunction with a Security Alarm System (SAS) to assist those
responsible for responding to the alarm
Use it in conjunction with an access control system to aid personal identification
for remote site entry control (suspicious package detection)
A CCTV system, on the other hand, can be an expensive investment. Ongoing
monitoring, maintenance, and support costs may be prohibitively expensive.
Industrial Camouflage
Camouflage is also known as Obfuscation, means “to hide the obvious meaning of
observation.” Camouflage is added to the system so that it becomes hard to be exploited
and understood by any attacker.
The Camouflage works well for data names or other such exposed elements, but it does
not work well for code construction. Camouflage code is not just hard to read but nearly
impossible to read, and an example of such code is the ticking time bomb. The basic
question that arises is that how it functions if someone needs the code to figure out how
it works or in case if any modification is needed if it stops working. These are some of
the reasons which are not considered good for the construction of code.
Figure 2-40: Code Camouflage Example
Personnel
Guards
Access control is the selective restriction of access to a location or other resource in the
fields of physical security and information security. Individuals, computer programs,
and even the computers that process the data must all be authorized.
Robot Sentries
Surveillance literally means "to watch from above," and surveillance robots are used to
monitor people's behavior, activities, and other changing information for the purpose
of managing, directing, or protecting one's assets or position.
221
Chapter 02: Architecture and Design
Two-Person Integrity/Control
The two-man rule is pretty straightforward when it comes to the data center and
information security. It refers to a situation in which two people must work together to
complete a task. The term is said to have military origins, referring to a process
instituted by the United States government decades ago for nuclear weapon launch: two
different people had two different keys, and each had to use their key at the same time
to initiate any kind of action.
Locks
Unauthorized access to information and physical assets can be deterred or delayed by
locks. On the other hand, Locks are only as strong as the fittings and hardware that
surround them. When choosing locks, consider the level of protection you require from
doors and frames.
USB Data Blocker
USB blocking is a data loss prevention technique that aids in data security. Untrusted
devices can be blocked from using USB ports using this method. Companies can use a
USB blocker or USB lockdown software to prevent unauthorized portable storage
devices from accessing endpoints. More information on USB security can be found.
Lighting
Proper lighting is an important aspect of physical security. Intruders can easily execute
illicit operations in dimly lit or unlit areas without risk of being recognized or
monitored. Internal and external lights are both necessary to detect any unwanted
activity and for additional security reasons.
Fencing
Fencing is referred to as a physical barrier around any secure area. It basically prevents
the free movement of unauthorized visitors around secure areas. Multiple types of the
fence like a perimeter fence, chain link fence, the Anti-scale fence is used outside of the
building. A chain-link fence can also be used inside of the building to prevent
networking gear, servers, & sensitive items from unauthorized access.
Fire Suppression
Fire suppression systems devices can detect fire, respond accordingly. They can be
portable, manual, or automatic.
Sensors
The critical spots in a network contain sensors. These sensors gather information from
the network devices. These may be integrated into the router, firewall, and switches,
etc. or might be built-in within the network.
222
Chapter 02: Architecture and Design
The information that the sensor gathers varies from system to system. For instance,
authentication logs information is going to be different from database transaction logs
or web server access logs, etc.
Motion Detection
The most common type of active motion detector employs ultrasonic sensor
technology, in which sound waves are emitted to detect the presence of objects.
Microwave sensors (which emit microwave radiation) and tomographic sensors are also
available (which transmit and receive radio waves).
Noise Detection
When sound waves strike the sound sensor, a thin piece of material called a diaphragm
vibrates (similar to how your eardrum vibrates when hearing sound). The sensor
converts the diaphragm's vibration into an electrical signal sent to the LEGO brick,
which recognizes that a sound has been heard. Noise sensors do not record audio. They
monitor changes in your home's noise level.
Visitor Logs
A visitor logbook is a useful tool for keeping track of who comes and goes from your
office. It is a record book that keeps track of the visitors on site, their identity, the
company they represent, who they came to see, the reason for their visit, contact
information, time in and time out.
Faraday Cages
A faraday cage serves as a protective shield against electromagnetic radiation from the
outside world or prevents electromagnetic energy radiated by the cage's internal
components from escaping.
Air Gap
The logical or physical separation of a network from all other networks is called Air gap,
designed to prevent unauthorized transfer of data to or from the network. However, the
flaw behind this air gap logic is that the data can be moved by other means like a USB
drive, and this unauthorized bypassing of the air gap is called “Sneakernet.”
The Demilitarized Zone (DMZ)
An IOS zone-based firewall is a specific set of rules that may help to mitigate mid-level
security attacks in environments where security is implemented via routers. In Zonebased Firewalls (ZBF), device interfaces are placed in different unique zones (inside,
outside, or DMZ), and then policies are applied to these zones. Naming conventions for
zones must be easy to understand in order to be helpful when it comes to
troubleshooting.
223
Chapter 02: Architecture and Design
ZBFs also use stateful filtering, which means that if the rule is defined to permit
originating traffic from one zone to another zone, for example, DMZ, then return traffic
is automatically allowed. Policies that allow traffic in both directions can be used to
enable traffic from separate zones.
One of the advantages of applying policies on zones rather than interfaces is that
whenever new changes are required at the interface level, policies are applied
automatically simply by removing or adding to an interface in a particular zone.
ZBF may use the following set of features in its implementation:
●
●
●
●
●
Stateful Inspection
Packet Filtering
URL Filtering
Transparent Firewall
Virtual Routing Forwarding (VRF)
The following Figure illustrates the scenario explained above:
Figure 2-41: Cisco IOS Zone-based Firewall Scenario
Protected Cable Distribution
The Protected Distribution or Protected Cabling is needed to protect the cable from
physical damage and avoid communication failure during cable installation. It
safeguards the cable between systems physically from physical hazards like tapping &
interception.
Secure Areas
224
Chapter 02: Architecture and Design
Vault1
A vault provides essential security and maybe your last line of defense against attacks
or unforeseen disasters such as floods, fires, and earthquakes. There is no such thing as
a typical vault. Vaults are created to meet the specific needs of the business owner. Let
suppose a bank vault is safe to keep money, valuables, records, and documents. Like a
safe, it is intended to protect its contents from theft, unauthorized use, fire, natural
disasters, and other threats. Modern vaults can be outfitted with a variety of alarms and
anti-theft devices.
Safe
Safes are physical storage devices that prevent unauthorized access to the content it
contains. Safes are of various shapes, sizes, and costs. They are not considered perfect.
They are rated on the basis of how long they can protect or secure content from fire or
theft, and the cost of the safe is directly proportional to the rating, i.e., better ratinghigh cost.
Hot Aisle
The hot aisle is enclosed by a Hot Aisle Containment System (HACS), allowing the rest
of the data center to function as a large cold-air supply into the servers and floor power
equipment. It is best if we take a step back and take a moment to better understand
what you have got in place and to go over your needs. Between the two, we see that hot
aisle containment is the most popular choice for raised floor Datacenters in new build
situations. In short, hot aisle containment consists of a physical barrier that directs hot
exhaust airflow back to the AC return and utilizes the natural process of ‘warm air rising'
to improve efficiency. By adjusting temperature, the higher the heat returned to the AC
coils, the greater the efficiency.
Figure 2-42: Hot Aisle
225
Chapter 02: Architecture and Design
Cold Aisle
A physical barrier that allows supply air to pool inside the cold aisle is one type of
containment. The cold air in the aisle is encased by a Cold Aisle Containment System
(CACS), allowing the rest of the data center to become a large hot-air return plenum.
This "lid" maintains a consistent and predictable air temperature at the server inlet.
Figure 2-43: Cold Aisle
Exam Tip: It should be noted that if the data center is cold aisle contained, any 3-phase
UPSs and floor PDUs must be considered for room cooling.
Secure Data Destruction
It is important to destroy the data that is no longer in use because that data or
information can be discovered and used by criminals in malicious activities like identity
theft, social engineering, etc. Criminals use dumpster diving for this purpose because
its value is well known to criminals.
For every organization, it is vital to have effective demolition and destruction policies
and associated procedures. The following are some methods of data destruction.
Burning
A method of destruction, which is regarded as a gold method, is referred to as Burning.
The data/media is carried out in a form that the fire can demolish, and then it is burned.
This is the process that is irreversible and makes the data be lost permanently.
226
Chapter 02: Architecture and Design
Shredding
Shredding, also referred to as physical destruction, is the method of splitting things into
small chunks and then mixing, making the reassembling impossible or difficult.
Everything that might be advantageous or useful to a criminal or dumpster diver should
be shredded.
Pulping
A process of recombining a paper into a new paper by suspending the paper fiber in
liquid. Once the paper is shredded, the pulping process erases the ink by bleaching, and
then those shredded pieces are recombined into new paper. This way, the layout of the
old paper is completely destroyed.
Pulverizing
Breaking things by external force into unusable pieces (that cannot be reconstructed) is
known as Pulverizing, also referred to as ‘Physical Process of Destruction.’ It is used for
hard disk drives like items. Encryption is the modern approach to pulverizing. In this
method, the owner encrypts the drive’s data and destroys the key. This process makes
the data non-recoverable depending on the strength of encryption.
Degaussing
The files on a magnetic storage device can be destroyed magnetically, i.e., using a
magnetic field; this method is known as degaussing. This is a safe technique for
degaussing the data or media. In this method, the magnetic particles get realigned by
discarding the organized format that displayed the data.
Third-Party Solutions
Third-party solutions are also known as Service-based Solutions that offer security and
auditing services to a network. These solutions can be hosted either inside or outside
the network. These third-party solutions are allowed to access and monitor the internal
network, so they carry a security risk.
Mind Map
227
Chapter 02: Architecture and Design
Figure 2-44: Mind Map of Importance of Physical Security Control
The Basics of Cryptographic Concepts
Cryptography
Cryptography is a technique of encrypting clear text data into scrambled code. The
encrypted data is then sent over a public or private network toward its destination to
ensure confidentiality. At the destination, the encrypted data, known as "Ciphertext," is
decoded and processed. To prevent key breaking, strong encryption keys are utilized.
Cryptography's goal is to provide not only confidentiality but also integrity,
authenticity, and non-repudiation.
Types of Cryptography
Symmetric Cryptography
Symmetric Key Cryptography is the oldest and most widely used cryptography
technique in the domain of cryptography. Symmetric ciphers use the same secret key
for the encryption and decryption of data. The most widely used symmetric ciphers are
AES and DES.
228
Chapter 02: Architecture and Design
Figure 2-45: Symmetric Cryptography
Asymmetric Cryptography/Public Key Cryptography
Unlike Symmetric Ciphers, in Asymmetric Cryptography, two keys are used. Everyone
publicly knows one key, while the other key is kept secret and is used to encrypt data
by the sender; hence, it is also called Public Key Cryptography. Each sender uses its
secret key (also known as a Private Key) for encrypting its data before sending it. The
receiver uses the respective sender’s public key to decrypt the data. RSA, DSA, and the
Diffie-Hellman Algorithm are popular examples of asymmetric ciphers. Asymmetric key
cryptography delivers confidentiality, integrity, authenticity, and non-repudiation
using public and private key concepts. The private key is only known by the owner itself,
whereas the public key is issued by Public Key Infrastructure (PKI), where a trusted
Certificate Authority (CA) certifies the ownership of key pairs.
Figure 2-46: Asymmetric Cryptography
Digital Signatures
229
Chapter 02: Architecture and Design
A Digital Signature is a technique to evaluate the authenticity of digital documents as
the signature authenticates the authenticity of a document. A digital signature confirms
the author of the document, date, and time of signing and authenticates the content of
the message.
There are two categories of digital signature:
1. Direct Digital Signature
2. Arbitrated Digital Signature
Direct Digital Signature
Direct Digital Signatures involve only the sender and receiver of a message, assuming
that the receiver has the sender's public key. The sender may sign the entire message or
hash it with the private key and send it toward the destination. The receiver decrypts it
using the public key.
Arbitrated Digital Signature
The job of the "Trusted Arbiter" in Arbitrated Digital Signatures is to validate the signed
messages, insert the date, and then send the message to the recipient. It necessitates a
sufficient amount of confidence and can be implemented using public or private keys.
Key Length
The length of a key is equal to the number of bits in the key of an encryption algorithm.
A short key length indicates a lack of security. The key length determines the maximum
number of combinations required to break an encryption algorithm. There are two to
the nth power (2n) possible keys if a key is n bits long.
Key Stretching
Key stretching techniques are used to make a potentially weak key, usually a password
or passphrase, more secure against brute-force attacks by increasing the resources (time
and possibly space) required to test each possible key. Key stretching can be done in a
variety of ways.
Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) are two common key
stretching techniques: Bcrypt, which is based on the Blowfish block cipher, is used to
protect passwords stored in the shadow password file on many Unix and Linux
distributions.
Salting
Salting is the process of adding additional characters to the password to create a oneway function. This addition of characters makes it more difficult for the password to
reverse the hash. A major advantage or primary function of password salting is that it
helps to defeat dictionary and pre-computed attacks.
230
Chapter 02: Architecture and Design
Consider the following example: one of the hashed values is of the password without
salting, while another hashed value is of the same password with salting.
Without Salting:
With Salting:
23d42f5f3f66498b2c8ff4c20b8c5ac826e47 146
87dd36bc4056720bd4c94e9e2bd 165c299446287
Adding a lot of random characters in a password makes it more complex and hard to
reverse.
Hashing
One-way Hashing condenses a message into an irreversible fixed-length value or hash.
A cryptographic hash function takes the Plain text as an input and returns a fixed-size
string. This string is called a hash value, message digest, digital fingerprint, digest, or
checksum.
Hash Algorithm
The Hash Algorithm has various names for one-way encryption, message digest, and
hash function. It is used to compute a fixed-length hash value based on the original
plain text. Using hash value, the original cannot be changed even with the knowledge
of hash function. A hash value is a unique number that is created from a sequence of
text using a mathematical formula. It is usually faster than encryption techniques.
The main purpose of the hash algorithm is to provide a digital fingerprint to any type of
data in order to assure that information has not been changed during the transmission
and provide a measure of information integrity. The hash algorithm is typically used for
two purposes:


Digital certificate
Data integrity check
Some of the hash algorithms that are commonly used are as follows:
Message Digest (MD)



MD2
MD4
Md5
Secure Hash Algorithm (SHA)

SHA1
Message Digest (MD): MD Algorithm is a sequence of byte-oriented cryptographic
hash functions that generates 128 bits (fixed length) hash value from a random length
input.
231
Chapter 02: Architecture and Design
Message Digest 2 (MD2): It was developed in 1989 by Ronald Rivest. It was produced
and enhanced for an 8-bit system having insufficient memory, for example, Smart Card.
The message is augmented initially to assure that its length is divisible by 16, and then
a 16-byte checksum is affixed to the message. The rising value is proceeded to figure out
a hash value.
Message Digest 4 (MD4): Ronald Rivest also developed in 1989 for a 32-bit system or
machine. It was identical to MD2 but specially designed for faster processing in
programs. In MD4, the message is first augmented to assure that its length in bits plus
64 is divisible by 512, and then 64 bit of the original message length is linked in series to
the message.
Message Digest 5 (MD5): It was developed in 1991 by Ronald Rivest as an improved
version of the MD4 algorithm and was specially designed to overcome the weaknesses
in the MD4 algorithm and ensure stronger security. MD5 is continuous to survive in
spite of several weaknesses, but algorithmically it is not highly secure due to analytical
attacks and possible collision that can be found in less than 1 hour.
Secure Hash Algorithm (SHA): SHA is a type of Hash algorithm that produces 160-bit
output. It was developed by National Security Agency (NSA) and declared as U.S govt.
Standard. SHA is more secure than MD5, but its processing is slower than MD5. This
algorithm, also known as SHA0, was published in 1993, and after two years, SHA1 was
introduced.
Secure Hash Algorithm 1 (SHA1): Most generally used algorithm that gives 160-bit
hash value as an output. It is recognized to be the replacement to the MD5 algorithm
and employed broadly in multiple applications and protocols such as TLS, SSL, PGP,
SSH, S/MIME, and IPsec. Four modifications SHA224, SHA256, SHA384, and SHA512,
which are jointly called SHA2, have now been introduced. These modifications are
illustrated in RFC4634 and can produce 224, 256, 384, or 512-bit length hash values. The
cryptographer has noted attacks on both SHA1 and SHA0. However, no attacks have
been noted on SHA 2 yet.
Key Exchange
Key exchange (also known as the key establishment) is a cryptographic method in which
cryptographic keys are exchanged between two parties to allow the use of a
cryptographic algorithm. Diffie Hellman (DH) is the algorithm that was introduced by
Stanford University professor Martin Hellman and a graduate student Whitfield Diffie
in 1976. DH protocol, also known as key exchange protocol, is a public key distributing
system that uses the Asymmetric Key Cryptography method. DH permits two end-users
that have no previous knowledge of each other to create a shared key over an insecure
communication channel, and that secret key can be used to encrypt subsequent
232
Chapter 02: Architecture and Design
messages using a symmetric key algorithm. DH algorithm is only used for secret key
exchange and not for digital signatures and authentication.
Figure 2-47: Key Exchange
Elliptic-Curve Cryptography
Elliptic Curve Cryptography (ECC) is a key-based data encryption technique. For
decryption and encryption of web traffic, ECC relies on pairs of public and private keys.
ECC is frequently mentioned in conjunction with the Rivest–Shamir–Adleman (RSA)
cryptographic algorithm.
Elliptic curves can be used for encryption, digital signatures, pseudo-random number
generators, and other purposes. They are also used in several integer factorization
algorithms with cryptographic applications, such as Lenstra elliptic curve factorization.
233
Chapter 02: Architecture and Design
Perfect Forward Secrecy
Forward Secrecy (FS), also known as Perfect Forward Secrecy (PFS), is a feature of
specific key agreement protocols that gives assurances that session keys will not be
compromised even if long-term secrets are used in the session key exchange are
compromised.
Quantum
Quantum cryptography is a technology that secures the distribution of symmetric
encryption keys by utilizing quantum physics. It is more accurately known as quantum
key distribution (QKD). It works by sending photons, which are light's "quantum
particles," across an optical link.
Communications
Quantum communication is an application of quantum physics closely related to
quantum information processing and teleportation. Its most intriguing application is
the use of quantum cryptography to protect information channels from eavesdropping.
Post-Quantum
The goal of post-quantum cryptography is to prepare for the era of quantum computing
by updating existing mathematical-based algorithms and standards. Terms to be aware
of: Post-quantum cryptography refers to algorithms that are thought to be capable of
defending against a quantum computer attack.
Ephemera
Ephemeral keys are just short-lived keys within a key establishment protocol and not a
specific type of key. They are usually not directly trusted because they are generated on
the fly. To name a single other application, ECIES may employ an ephemeral private
key.
Blockchain
Asymmetric-key algorithms and hash functions are the two types of cryptographic
algorithms used in blockchains. Hash functions are used to provide each participant
with the functionality of a single view of the blockchain. As a hash function, blockchains
typically employ the SHA-256 hashing algorithm.
The blockchain benefits from cryptographic hash functions in the following ways:



The avalanche effect occurs when a small change in the data results in a
significantly different output.
Uniqueness – Each input produces a distinct output.
Deterministic – If any input is passed through the hash function, the output will
always be the same.
234
Chapter 02: Architecture and Design


Rapidity – The output can be generated in a very short period of time.
Reverse engineering is not possible, which means we cannot generate the input
from the output and the hash function.
Public Ledgers
Blockchain is a type of public ledger that consists of a series (or chain) of blocks on
which transaction details are recorded after appropriate authentication and verification
by network participants.
Cipher Suites
A cipher suite is a collection of algorithms that aid in the security of a network
connection. To exchange a key between two devices, the key exchange algorithm is
used. This key is used to encrypt and decrypt messages between two machines. To
encrypt the data being sent, the bulk encryption algorithm is used.
Stream
A stream cipher encrypts plaintext messages by combining an encryption algorithm
with a stream of pseudorandom cipher digits (keystream). Each bit of the message is
encrypted with the corresponding keystream digit one by one. Stream ciphers are
typically used when both speed and simplicity are required.
Block
A block cipher uses a deterministic algorithm and asymmetric key to encrypt data in
blocks. Most encryption methods, like stream ciphers, encrypt bits one by one (stream
ciphers). Block ciphers, on the other hand, use a predetermined length key to encrypt
128-bit blocks.
Symmetric vs. Asymmetric
Symmetric Key Cryptography
Symmetric Key Cryptography is the oldest and most widely used cryptography
technique in the domain of cryptography. Symmetric ciphers use the same secret key
for the encryption and decryption of data. It is also known as a secret key or pre-shared
key algorithm.
Example: A block cipher takes a 128-bit block of plain text and returns a corresponding
128-bit block of ciphertext.
Symmetric Key Cryptography Algorithm: Following are some Symmetric Key
Cryptographic Algorithm:
Data Encryption Algorithm (DES): Most common symmetric algorithm designed by
IBM in the 1970s. DES uses a 56-bit key to encrypt a 64-bit datagram block. It is no
longer considered secure due to the reason that its keys’ size is too small.
235
Chapter 02: Architecture and Design
Triple-DES (3DES): It is an enhanced version of DES. It uses up to three 56 bit keys and
makes three encryption and decryption passes over the same datagram block. It is
mainly derived to enlarge the key length to 168 bits (Three 56-bit keys). In short, it
encrypts a 64-bit datagram block using three 56-bit keys (168-bit key).
Advanced encryption standard (AES): It is also known as ‘Rijndael’ and was
introduced by NIST in 2001. The most important feature of the AES algorithm is that it
can use variable block length and key length. Any combination of key lengths 128, 192,
256 bits and block length 128, 192, 256 bits can be used.
Asymmetric Key Cryptography
Unlike Symmetric Ciphers, two keys are used. One key is publicly known to everyone,
while another key is kept secret and is used to encrypt the data by the sender. Hence, it
is also called Public Key Cryptography. Each sender uses its secret key (also known as a
private key) for encrypting its data before sending it. The receiver uses the respective
public key of the sender to decrypt the data. RSA, DSA, and Diffie-Hellman Algorithm
are popular examples of asymmetric ciphers. Asymmetric Key Cryptography delivers
Confidentiality, Integrity, Authenticity & Non-Repudiation by using the Public and
Private key concepts. The private key is only known by the owner itself. In contrast, the
Public key is issued by using Public Key Infrastructure (PKI), where a trusted
Certification Authority (CA) certifies the ownership of key pairs.
Asymmetric Key Cryptography is also known as a Public-key algorithm and was
announced publically in 1976. It uses a two-key pair; one key is for the encryption of
plain text, and the other is for the decryption of ciphertext. Contrary to the symmetric
algorithm, the asymmetric algorithm requires no secret key sharing to securely
communicate over an insecure channel. It is commonly used in digital certification and
key management.
Asymmetric Key Cryptography Algorithm
Some asymmetric key algorithms are as follows:
RSA Algorithm: RSA is named after the initials of three MIT mathematicians
Ron Rivest, Adi Shamir, and Leonard Adleman, who developed this algorithm and was
publically described in 1976. As it is an asymmetric algorithm, which means it uses two
keys that are public and private. The public key is given to everyone, while the private
key is kept secret.
Example: A user sends its public key to the server and requests for some data. The
server will encrypt the data using the user’s public key and send the encrypted data to
the user. The user will receive the data and decrypt it.
It is the most widely used algorithm for key exchange, digital signature, and message
encryption. There are various standards of the RSA algorithm, and all of them use
236
Chapter 02: Architecture and Design
variable-size block lengths and key lengths. The standards are RC1, RC2, RC3, RC4, RC5,
and RC6.
Diffie Hellman (DH): This algorithm was introduced by Stanford University professor
Martin Hellman and a graduate student Whitfield Diffie in 1976. DH protocol, also
known as key exchange protocol, is a public key distributing system that uses the
Asymmetric Key Cryptography method. DH permits two end-users that have no
previous knowledge of each other to create a shared key over an insecure
communication channel, and that secret key can be used to encrypt subsequent
messages using a symmetric key algorithm. DH algorithm is only used for secret key
exchange and not for digital signatures and authentication.
Digital Signature Algorithm (DSA): Digital Signature Algorithm was introduced by
National Institute for Standards and Technology (NIST) in 1991 for (Digital Signature
Standard) DSS use, and it is also a Federal Information Processing Standards (FIPS)
standard for digital signature. It is mainly used for a digital signature to assure message
authentication.
Public-Key Cryptography Standard (PKCS): It is a collection of interoperable publickey cryptography standards and guidelines. It was developed and published by RSA
Data Security Inc.
PKCS Standards:
Name
Description
PKCS
#1
RSA
Cryptography
Standard
Description of RSA Public and Private key’s properties
and format
PKCS
#2
Withdrawn
Withdrawn and merged into PKCS #1. Covered RSA
Encryption of message digests
PKCS
#3
Diffie-Hellman
Allows two end-users with no previous knowledge of
Key Agreement each other to create a shared secret key over an
Standard
insecure communication path
PKCS
#4
Withdrawn
Withdrawn and merged into PKCS #1. Covered RSA
key syntax
PKCS
#5
Password-based
Encryption
Standard
Defined in RFC 8018 and PBKDF2
237
Chapter 02: Architecture and Design
PKCS
#6
Extended
Describes extensions to the old X.509 v1 certificate
Certificate Syntax specification, obsolete by X.509 v3
Standard
PKCS
#7
Cryptographic
Used to sign or encrypt messages under a PKI and also
Message Syntax used for certificate dissemination
Standard
PKCS
#8
Private-key
Information
Syntax Standard
It is used to carry private certificate key pairs, both
encrypted and unencrypted
PKCS
#9
Selected
Attribute Type
It describes the selected attribute type for use in
PKCS#6 (extended certificates), PKCS#7 (digitally
signed messages), PKCS#8 (private key information),
and PKCS #10 (certificate signing request)
PKCS
#10
Certification
Defines the pattern of messages sent to a Certification
Request Standard Authority to demand certification of a public key
PKCS
#11
Cryptographic
Token Interface
PKCS
#12
Personal
Defines a file format typically used to keep private keys
Information
with leading public-key certificates, protected with a
Exchange Syntax password-based symmetric key
Standard
PKCS
#13
Elliptic
Curve Apparently abandoned
Cryptography
Standard
PKCS
#14
Pseudo-random
Number
Generation
A Pseudorandom Number Generator (PRNG) is an
algorithm that generates a sequence of numbers that
are not truly random
PKCS
#15
Cryptographic
Token
Information
Format Standard
It defines a standard allowing users of cryptographic
tokens to identify themselves to applications,
independent
of
the
application’s
cryptoki
implementation (PKCS #11) or another API
An API is defining a generic interface to cryptographic
tokens. Used in Single Sign-on, Public Key
Cryptography & Disk encryption
Table 2-07: PKCS Standards
Note: A cryptographic key is called ephemeral if it is generated for each execution of a
key establishment process. In some cases, ephemeral keys are used more than once
238
Chapter 02: Architecture and Design
within a single session (e.g., in broadcast applications) where the sender generates only
one ephemeral key pair per message and the private key is combined separately with
each recipient's public key.
Lightweight Cryptography
Lightweight cryptography is an encryption type with a small computational footprint
and/or a low computational complexity. Its goal is to broaden the applications of
cryptography to constrained devices, and it is currently undergoing international
standardization and guidelines compilation.
Steganography
Steganography is a technique for hiding sensitive information in an ordinary message
to ensure confidentiality. A legitimate receiver extracts hidden information at the
destination. To maintain confidentiality and integrity, steganography employs
encryption. It also conceals encrypted data to avoid detection. The purpose of
steganography is to conceal information from a third party. An attacker may use this
technique to conceal information such as source codes, plans, and any other sensitive
information in order to transfer it undetected.
Classification of Steganography
Technical and Linguistic Steganography are the two types of steganography. Technical
Steganography is the concealment of information using methods such as invisible ink,
microdots, and others.
Figure 2-48: Classification of Steganography
239
Chapter 02: Architecture and Design
Types of Steganography
Steganography comes in a variety of forms, some of which are listed below:








Whitespace Steganography
Image Steganography
Image Steganography
Document Steganography
Video Steganography
Audio Steganography
Folder Steganography
Spam/Email Steganography
240
Chapter 02: Architecture and Design
Mind Map
Figure 2-49: Mind Map
White Space Steganography
White Space Steganography is a technique for hiding information in a text file using
extra blank space covering the file that is inserted between words. Using LZW and
Huffman compression methods, the size of the message is decreased.
Lab 2-02: Steganography
In the directory where Snow Tool is installed, create a text file with some data.
Go to “Command Prompt.”
Change the directory to run the “Snow” tool.
241
Chapter 02: Architecture and Design
Type the command:
Snow –C –m “text to be hide” –p “password” <Sourcefile> <Destinationfile>
As shown above, the source file is a Hello.txt file. The destination file will be an exact
copy of the source file containing hidden information.
Go to the directory. You will have a new file, HelloWorld.txt. Open the file.
The new file contains exactly the same text as the original file, with no hidden
information. This file can be sent to the intended recipient.
Recovering Hidden Information
On destination, the receiver can reveal information by using the command:
Snow –C –p “password 123” HelloWorld.txt
242
Chapter 02: Architecture and Design
The file has been decrypted, as shown in the above figure, and it contains hidden
information that was encrypted in the previous section.
Image Steganography
Hidden information in image formats such as PNG, JPG, BMP, and others can be kept
in Image Steganography. The basic idea behind image steganography is that the tool
replaces redundant bits of the image in the message. This replacement is done in such
a way that the human eye cannot detect it. You can perform image steganography by
applying different techniques such as:



Least significant Bit Insertion
Masking and Filtering
Algorithm and Transformation
Tools for Image Steganography


OpenStack
QuickStego
Lab 2-03: Image Steganography using QuickStego
1. Open the QuickStego application.
243
Chapter 02: Architecture and Design
2. Upload an image. This image is termed Cover, as it will hide the text.
3. Enter text or upload a text file.
244
Chapter 02: Architecture and Design
4. Click the “Hide Text” button.
5. Save image.
This saved image containing hidden information is called a Stego Object.
245
Chapter 02: Architecture and Design
Recovering Data from Image Steganography using QuickStego
1. Open “QuickStego.”
2. Click “Get Text.”
3. Open and compare both images.
The left image is without hidden text; the right image is with hidden text.
246
Chapter 02: Architecture and Design
Steganalysis is the use of steganography techniques to discover or retrieve hidden
information from suspected information. Steganalysis inspects any image for encrypted
data. Accuracy, efficiency, and noisy samples are the main challenges faced by
steganalysis for detecting encrypted data.
Figure 2-50: Steganalysis Methods
Homomorphic Encryption
Homomorphic encryption is a type of encryption that enables users to perform
computations on encrypted data without first decrypting it. This enables data to be
encrypted before being sent to commercial cloud environments for processing, all while
remaining encrypted.
Common Use Cases
Data integrity, entity authentication, data origin authentication, and non-repudiation
are now supported by cryptography. The following section delves more into the use of
symmetric algorithms for data confidentiality, authentication, and integrity and Cipher
Block Chaining and Cipher Feedback modes.
Limitations
Speed
The cloud computing environment has dramatically reduced the time and cost of new
IT services, thus increasing the speed at which organizations can access IT resources.
Weak keys
A weak key is a key that causes the cipher to behave in an unfavorable manner when
used with a specific cipher. Nonetheless, it is desirable for a cipher to have no weak keys.
A cipher with a flat, or linear, key space is one that has no weak keys.
247
Chapter 02: Architecture and Design
Mind Map
Figure 2-51: Mind Map
248
Chapter 02: Architecture and Design
Practice Question
1. Symmetric Key Cryptography requires __________________.
A. Same Key for Encryption & Decryption
B. Different Keys for Encryption & Decryption
C. Public Key Cryptography
D. Digital Signatures
2. AES & DES are the examples of _______________________.
A. Symmetric Key Cryptography
B. Asymmetric Key Cryptography
C. Public Key Cryptography
D. Stream Ciphers
3. The cipher that encrypts the plain text one by one is known as ________________.
A. Block Cipher
B. Stream Cipher
C. Mono-alphabetic Ciphers
D. Polyalphabetic Ciphers
4. The process of identifying flaws, design flaws, and security concerns in a network,
Operating System, applications, or website is known as pentesting.
______________.
A.
B.
C.
D.
Enumeration
Vulnerability Analysis
Scanning Networks
Reconnaissance
5. Which of the following is a phase of the Vulnerability Assessment Life Cycle?
A. Creating Baseline
B. Vulnerability Assessment
C. Risk Assessment
D. Remediation
6. Which of the following does not qualify as a Vulnerability Scanning tool?
A. Nessus
B. GFI LanGuard
C. Qualys Scan
D. Wireshark
249
Chapter 02: Architecture and Design
7. Which of the following does not constitute a Non-Electronic / Non-Technical
Password Attack?
A. Shoulder Surfing
B. Social Engineering
C. Dumpster Diving
D. Dictionary Attack
8. Bob attempts to crack a password using a list of known and common phrases until
the password is accepted. What type of attack is this?
A. Brute Force Attack
B. Default Password
C. Dictionary Attack
D. Password Guessing
9. An attacker attempts every possible combination of alphanumeric characters to
crack the password. Which of the following password cracking methods is this?
A. Brute Force Attack
B. Default Password
C. Dictionary Attack
D. Password Guessing
10. The process of adding characters to a password to make it a one-way function is
known as ______________.
A.
B.
C.
D.
Password Encryption
Password Hashing
Password Padding
Password Salting
11. Cracking password with pre-computed hashes is called ___________.
E. Rainbow Table Attack
F. Brute Force Attack
G. Dictionary Attack
H. Password Guessing
12. Which of the following is used for Backdoor installation?
E. Meterpreter
F. Zero-day Exploit
G. Exploit Kits
H. Persistence
250
Chapter 02: Architecture and Design
13. How can you mitigate a rainbow table attack?
E. Changing Default Password
F. Configuring Unpredictable Password
G. Password Salting
H. Password Hashing
14. Which of the following does not constitute an Open Source Web Server
architecture?
A. Apache
B. NGINX
C. Lighttpd
D. IIS Web Server
15. An attacker is attempting to gain access to restricted directories through trial and
error using dots and slash sequences. What kind of web server attack is it?
E. LDAP Attack
F. AD Attack
G. Directory Traversal Attack
H. SQL Injection
16. An attacker sends a request, allowing him to include a header response; now, he
can easily redirect the user to a malicious website. Which type of attack is this?
E. Web Cache Poisoning
F. HTTP Response Splitting Attack
G. Session Hijacking
H. SQL Injection
17. A piece of software created to solve a problem is referred to as _________________.
A.
B.
C.
D.
Hotfix
Patch
Bugs
Update
18. Which of the following is a Patch Management Tool?
A. Microsoft Baseline Security Analyzer
B. Microsoft Network Monitor
C. Syshunt Hybrid
D. SolarWinds SIEM Tool
251
Chapter 03: Implementation
Chapter 03: Implementation
Implement Secure Protocols
Protocols
Secure Real-time Protocol (SRTP)
▪
▪
▪
▪
▪
SRTP stands for Secure Real-Time Transport Protocol (Secure RTP).
It is the secure version of RTP.
The secure version of RTP is seen with other VOIP, but it adds encryption, using
AES to ensure that all the videos and audios are confidential.
It includes authentication integrity and replays protection by having HMACSHA1 (Hash-based message authentication code using SHA1) as a hashing
function.
With this in place, the user knows that they are receiving the original audio and
video. Nobody is sitting in the middle of the path listening to the conversation.
Domain Name System Security Extension (DNSSEC)
DNSSEC stands for Domain Name System Security Extensions; DNS protocol extensions
require cryptographic authentication for authoritative DNS server responses. Its goal is
to protect against techniques used by hackers to direct computers to malicious websites
and servers.
NTP
NTP is a network time protocol used to synchronize the clocks across the hosts and
network devices. The NTP is a vital protocol, as directory services, network devices, and
hosts rely on clock settings for login purposes and logging to record events
synchronizing the time system logs arrive at Syslog servers, NTP aids in event
correlation. NTP uses UDP port number 123, and its whole communication is according
to coordinated universal time (UTC).
The term stratum describes the distance between the NTP server and the device in NTP.
It is just like the TTL number that decreases every hop a packet passes by. Stratum value,
starting from one, increases with every leap. For example, if we see stratum number 10
on the local router, the NTP server is nine hops away. Securing NTP is also an essential
aspect as the attacker may change time in the first place to mislead the forensic teams
who investigate and correlate the events to find the root cause of the attack.
▪
It is used to synchronize all the devices that are connected to the network.
252
Chapter 03: Implementation
▪
It has been around since 1985 but does not have any security feature, and it is
seen that threat actors find a way to use it in denial of service attacks.
▪
NTPsec is a new protocol that is created to make NTP more secure.
▪
This more secure version of the NTP protocol started around June 2015.
▪
In NTPsec, the code base of NTP is updated, and all the vulnerabilities are
patched.
S/MIME
▪
Secure/Multipurpose Internet Mail Extension.
▪
This protocol allows the user to sign and encrypt the information that is being
used digitally.
▪
It has to be initially configured as the PKI is required or at least a way to manage
keys to provide public and private keys to be used in S/MIME communication.
SSL/TLS
▪
SSL stands for Secure Socket Layer, and TLS stands for Transport Layer Security.
▪
TLS is an updated version of SSL.
▪
SSL uses a combination of Symmetric and Asymmetric encryption to provide
confidentiality.
FTPS
▪
It stands for File Transfer Protocol Secure, i.e., FTP over SSL.
▪
It is not SFTP (SSH FTP), where SSH is used instead of SSL.
LDAP
▪
It stands for Lightweight Directory Access Protocol.
▪
It is a protocol for reading and writing directories over an IP network.
▪
It uses an ITU standard that is X.500 and uses TCP/IP.
▪
By enabling LDAPS, it can be made more secure.
▪
It is another way to implement SASL (Simple Authentication and Security Layer).
SSH
▪
It stands for Secure Shell.
▪
It is an encrypted terminal communication.
DHCP
▪
It stands for Dynamic Host Control Protocol.
253
Chapter 03: Implementation
▪
It does not include any built-in security.
▪
There is no secure version of DHCP.
Secure File Transfer Protocol (SFTP)
▪
Secure File Transfer Protocol, also known as SSH File Transfer Protocol, is a
network protocol that allows users to access, transfer, and manage files on
remote systems.
▪
Businesses can use SFTP to securely transfer billing data, funds, and data
recovery files.
Simple Network Management Protocol, version 3 (SNMPv3)
For safe configuration and control activities, secure SNMPv3 management is a vital
enabler technology. SNMPv3 enables authentication and privacy and view-based access
control and remote configuration for security and logical contexts.
Hypertext Transfer Protocol over SSL/TLS (HTTPS)
TLS-enabled HTTP Protocol SSL is commonly referred to as SSL. Still, it uses TLS, which
has improved security, patched vulnerabilities, and added additional hashing, key
exchange, and encryption methods.
IPSec
IPsec stands for IP security. For security and logical contexts, SNMPv3 provides
authentication and privacy and view-based access control and remote configuration.
IPsec's strength comes in its flexibility to support a variety of protocols and algorithms.
It also contains new encryption and hashing protocol advances. The primary goal of
IPsec is to offer CIA (Confidentiality, Integrity, and Authentication) for virtual networks
in today's networks. IPsec makes sure the above purposes are in action when a packet
enters a VPN tunnel and reaches the other end.
● Confidentiality: IPsec uses encryption protocols, namely AES, DES, and 3DES,
to provide confidentiality.
● Integrity: IPsec uses hashing protocols (MD5 and SHA) for providing integrity.
Hashed Message Authentication (HMAC) is also used for checking data integrity
● Authentication Algorithms: RSA digital signatures and Pre-Shared Keys (PSK)
are two methods used for authentication purposes.
Components of IPsec
254
Chapter 03: Implementation
Components of IPsec include:
●
●
●
●
●
IPsec Drivers
Internet Key Exchange (IKE)
Internet Security Association Key Management Protocol
Oakley
IPsec Policy Agent
Note: In the IPSec protocol suite, Internet Key Exchange (IKE) is a protocol that is used
to create Security Associations (SA). It uses X.509 certificate for authentication. The
Diffie–Hellman (DH) key exchange protocol is a secure technique of exchanging
cryptographic keys over a public channel. These keys are further used to encrypt or
decrypt packets.
Figure 3-01: IPSec Architecture
Modes of IPsec
There are two working modes of IPsec; tunnel and transport mode. Each has its features
and implementation procedures.
IPsec Tunnel Mode
Being the default mode set in Cisco devices, tunnel mode protects the entire IP packet
from the originating machine. It means that another packet is generated with a new IP
header for every original packet and is sent to the untrusted network and the VPN peer.
Tunnel mode is commonly used in cases involving Site-to-Site VPNs, where two secure
IPsec gateways are connected over the public internet using an IPsec VPN connection.
Consider the following diagram:
255
Chapter 03: Implementation
This shows IPsec Tunnel Mode with an Encapsulating Security Protocol (ESP) header:
Figure 3-02: IPsec Tunnel Mode with an ESP Header
Similarly, when Authentication Header (AH) is used, the new IP packet format will be:
Figure 3-03: IP IPsec Tunnel Mode with an AH Header
IPsec Transport Mode
In transport mode, the IPsec VPN secures the data field or payload of the originating IP
traffic using encryption, hashing, or both. New IPsec headers encapsulate only the
payload field while the original IP headers remain unchanged. Tunnel mode is used
when original IP packets are the source and destination address of secure IPsec peers.
For example, securing a router's management traffic is a perfect example of IPsec VPN
implementation using transport mode. For configuration, both tunnel and transport
modes are defined in the configuration transform set. These will be covered in the lab
scenario of this section.
This diagram shows IPsec Transport Mode with an ESP header:
Figure 3-04: IPsec Transport Mode with an ESP Header
Similarly, in the case of AH:
256
Chapter 03: Implementation
Figure 3-05: IPsec Transport Mode with an AH Header
Note: IPsec (Internet Protocol Security) is a set of protocols that provide secure private
communication across IP networks. IPsec protocol allows the system to establish a
secure tunnel with a peer security gateway.
Case Study: In this lab, we will learn how to configure IPSEC site-to-Site VPN on
routers. We already know that IPSEC is used to transmit data securely over an
unsecured network. Here, R1 and R2 are participating in IPSEC peers. Therefore, these
two routers are required to be configured to support IPSEC site-to-site VPN for the
traffic transmitting from their LANs. We have used two routers (R1 and R2), two
switches (SW3 and Sw4), and two Virtual PCs (VPC5 and VPC6).
Figure 3-06: Router and Switch Connection
Let's start the lab.
The following are screenshots to help you understand how to configure and verify the
IPsec site-to-site VPN.
Step 1: Configure all the devices in the topology
Assign IP address with Subnet mask and gateway to virtual PCs. The IP assigned to VPC5
is 192.168.1.2/24, and the gateway is 192.168.1.1.
257
Chapter 03: Implementation
The IP address assigned to VPC6 is 192.168.2.2/24, and the gateway is 192.168.2.1.
Now, assign an IP address to all the interfaces of Router 1 and Router 2, as shown on the
next page.
258
Chapter 03: Implementation
259
Chapter 03: Implementation
Step 2: ISAKMP Policy
Configure the parameters that will be used for the IKE phase 1 tunnel.
Step 3: Transform Set
Configure the parameters that will be used for the IKE phase 2 tunnel.
Step 4: ACL-Access Control List
Now, we will create an ACL to define what traffic will be sent over the Virtual Private
Network.
Step 5: Crypto Map
260
Chapter 03: Implementation
Using the previous parameters, configure and define the Crypto map.
Step 6: Crypto Map Implementation
Apply the crypto map to an interface.
Configuring Router 2
Now, repeat the above configuration steps on Router 2
Step 1. ISAKMP Policy
261
Chapter 03: Implementation
Step 2: Transform Set
Step 3: ACL-Access Control List
Step 4: Crypto Map
Step 5: Crypto Map Implementation
Verification (Test and Verify IPSEC Configuration)
Ping VPC6 and gateway from VPC5 to check and verify the connectivity.
262
Chapter 03: Implementation
Now, Ping VPC5 and gateway from VPC6.
263
Chapter 03: Implementation
Now for verification, use the command crypto isakmp policy on both routers. It will
show you the encryption algorithm we have configured and other details, as shown in
the screenshot.
Now, TEST and VERIFY the IPsec configuration on R1 as well.
Also, use the show crypto isakmp sa and show crypto ipsec sa command for
verification.
264
Chapter 03: Implementation
265
Chapter 03: Implementation
Secure Post Office Protocol (POP)/ Internet Message Access Protocol (IMAP)
For safe configuration and control activities, secure SNMPv3 management is a vital
enabler technology. SNMPv3 enables authentication and privacy and view-based access
control and remote configuration for security and logical contexts.
266
Chapter 03: Implementation
IMAP and POP send your username, password, and all message contents in plain text.
As a result, they can be easily intercepted. IMAP and POP, on the other hand, support
SSL encryption, which is similar to that seen on encrypted websites and is potentially
wholly safe.
Use cases
Email and web
A significant risk factor is the email system. Therefore, the DLP appliance is used by
many organizations that monitor, track, and filter all the inbound and outbound emails.
Web servers provide a link between clients and web pages. They are susceptible to
attacks as they are open to the internet. Therefore, the proper setting of external-facing
applications is the key to avoid unnecessary risk. For web servers, several reliable and
prescriptive sources of instruction are available to support administrators to protect and
secure the application properly.
Time Synchronization
Every device has its clock, and if the user wants to synchronize all the devices to a single
watch, then a standard protocol is required: NTP (Network Time Protocol). It allows all
the appliances to synchronize all these clocks to one single clock automatically. It is a
flexible and accurate method.
Mind Map
Figure 3-07: Mind Map of Secure Protocols
Implement Host or Application Security Solutions
Endpoint Protection
267
Chapter 03: Implementation
Endpoint security (also known as endpoint protection) refers to solutions that address
security flaws in network devices and protect them from attacks, unintentional data
leakage caused by human error, or zero-day exploits.
Antivirus
Antivirus software is designed to prevent, detect, and remove malware infections on
individual computing devices, networks, and information technology systems.
Antivirus software, which was initially designed to detect and remove viruses from
computers, can protect against many threats, including keyloggers, browser hijackers,
Trojan horses, worms, rootkits, and spy, adware, botnets, and ransomware.
Anti-malware
One of the most effective tools for protecting the computer and personal information is
an anti-malware program. An anti-malware program guards the computer against
malware such as spyware, adware, and worms. It scans the system for any malicious
software that has managed to infiltrate the system.
Endpoint Detection and Response
Endpoint Detection and Response (EDR), also known as Endpoint Threat Detection and
Response (ETDR), is a comprehensive endpoint security solution that combines
continuous real-time monitoring and data collection with rules-based automated
response and analysis capabilities.
An EDR security system's primary functions are as follows:
▪
▪
▪
▪
Monitor and collect endpoint activity data that could indicate a threat.
Analyze this information to identify threat patterns.
Respond to identified threats automatically to remove or contain them and
notify security personnel.
Forensic and analysis tools are used to investigate identified threats and look for
suspicious activity.
DLP
DLP is an acronym for Data Loss Prevention. It stops the data before the threat actor
receives it. The endpoint DLP tool on the computer observes the data and prevents its
unauthorized access. DLP appliance on the network connection constantly looks at all
the confidential information like credit card numbers that should not be cleartext. The
DLP system on the server watches the data and prevents it from getting into the hands
of the threat actor.
268
Chapter 03: Implementation
Next-Generation Firewall (NGFW)
NGFW is a relatively new term used for the latest firewalls with advanced feature sets.
This kind of firewall provides in-depth security features to mitigate known threats and
malware attacks. An example of next-generation firewalls is the Cisco ASA series with
FirePOWER services. NGFW delivers complete visibility into network traffic users,
mobile devices, Virtual Machines (VM) to VM data communication, etc.
Host-based Intrusion Prevention System (HIPS)
The Host Intrusion Prevention System (HIPS) detects suspicious activity on a single
host by analyzing events on that host. HIPS solutions defend the host against known
and unknown malicious attacks from the network and application layers.
Host-based Intrusion Detection System (HIDS)
A host-based intrusion detection system is an application that monitors a computer or
network for suspicious activity, which can include both external intrusions and internal
misuse of resources or data.
Host-based firewall
A host-based firewall is a type of firewall software that runs on a single computer or
device linked to a network. These types of firewalls provide granular protection for
individual hosts against viruses and malware and control over the spread of these
harmful infections throughout the network.
Boot Integrity
Boot Security/Unified Extensible Firmware Interface (UEFI)
Like the BIOS (Basic Input Output System), the Unified Extensible Firmware Interface
(UEFI) is a piece of firmware that runs when the computer starts up. On the other hand,
UEFI is positioned to replace BIOS because it is a more current solution that solves
many of the latter's restrictions.
UEFI defines a new method for communicating between operating systems and
platform firmware, providing a lightweight BIOS alternative that uses only the
information required to launch the OS boot process. Furthermore, UEFI provides
enhanced computer security features and backward compatibility with most existing
BIOS systems.
Measured Boot
Measured Boot is a method in which each of the software layers in the device's booting
sequence measures the layer above it and extends the value in a designated PCR. e.g.,
BIOS measures various Bootloader components and stores the results in PCRs 0-7.
269
Chapter 03: Implementation
Boot Attestation
Secure Boot is a method that checks that the system boot loader is signed with a
cryptographic key that a database has authorized in the firmware. Secure key storage
and remote attestation are not required for boot path validation.
Application Security
Injection attacks (SQL-Injections), Cross-Site Scripting (XSS), Session Hijacking, and
other web assaults are all protected by a WAF. A company's application security is
considerably improved when using a WAF in conjunction with a network firewall.
Input Validations
Input validation is the process of checking input received by an application for
conformity with a standard set inside the application. It might be as basic as inputting
a parameter or as complicated as using regular expressions or business logic to validate
data.
Hypertext Transfer Protocol (HTTP) Headers
HTTP headers allow the client and server to send additional data with an HTTP request
or response. An HTTP header comprises its case-insensitive name, a colon (: ), and its
value. Whitespace preceding the value is ignored.
Code Signing
Code signing verifies the publisher's identity and ensures that the code has not been
updated since it was signed. Certificates issued with signed software are required for
users to assess whether the software is valid before installing it.
Blacklisting and Whitelisting are the methods for controlling/managing the
applications of the Operating System.
▪
▪
Application Blacklisting: It is a method that determines which application(s)
should not be allowed to run on the machine.
Application Whitelisting: The opposite of blacklisting is whitelisting that
determines which application(s) should be allowed to run on the machine.
Microsoft uses two methods that are part of OS to control the use of applications to
their specified users. These methods are:
▪
Software Restrictive Policies: This is a primary mode used by the machine and
not by the users. It allows significant control over the application, executable
files, and scripts and is employed through group policies.
User Account Level Control: Used by the enterprise to control over who can access
and use installed software. It is enforced through AppLocker and allows which users can
use which application and programs.
270
Chapter 03: Implementation
Secure Coding Practices
Secure coding standards govern the coding practices, techniques, and decisions made
by software developers. They want to make sure that developers write code that
minimizes security flaws. Development tasks are typically solved in a variety of ways,
with varying degrees of complexity.
Static Code Analysis
Static Application Security Testing (SAST), also known as static analysis, is a testing
methodology that analyses source code to identify security flaws that make your
organization's applications vulnerable to attack. SAST inspects an application before it
is compiled. It is also referred to as white box testing.
Manual Code Review
The process of reading source code line by line to identify potential vulnerabilities is
known as manual secure code review. It is a time-consuming process that necessitates
skill, experience, perseverance, and patience.
Dynamic Code Analysis
The study of how the code behaves during execution is the foundation of dynamic code
analysis. While code analysis produces secure code, other issues, such as changes in the
system build, must also be considered to have a closed system.
Fuzzing
Fuzzing, also known as fuzz testing, is an automated software testing technique that
involves feeding a computer program with invalid, unexpected, or random data. The
program is then checked for crashes, failed built-in code assertions, and potential
memory leaks.
Hardening
Application hardening, also known as application shielding, is the process of adding
layers of security to applications to protect them from IP theft, misuse, vulnerability
exploitation, tampering, or even repackaging by malicious individuals.
Open Ports and Services
Applications and services use open ports, and they, like any other piece of code, may
contain vulnerabilities or bugs. The more applications and services that use open ports
for Internet communication, the more likely it is to have a vulnerability that can be
exploited.
Disk Encryption
Data encryption is a security method in which information is encoded and can only be
accessed or decrypted by a user who has the appropriate encryption key. Encrypted
271
Chapter 03: Implementation
data, also known as ciphertext, appears scrambled or unreadable to anyone or entity
who gains unauthorized access.
OS
The operating system serves as the interface between the physical hardware and the
application. Configuration guide from all the significant operating systems
manufacturers is available on the CIS platform.
Patch Management
Patch management is the process of software and application patch up-gradation,
including installing patches, acquiring, and testing. All Operating Systems require an
update and have different methods to keep their systems up to date.
There is a hierarchy that the vendor follows for software updates:
▪
Hotfix: A minor software update usually designed to discover problems
produced and released quickly. For example, buffer overflow.
▪
Patch: Refers to more significant updates as compared to Hotfix. It can address
several problems. Patches not only include enhancement or additional
capabilities, but they can also fix bugs.
▪
Service Pack: An extensive collection of Hotfixes and Patches, rolled in one
single package that makes the system up to date at once, is called Service Pack.
It saves users from downloading further updates.
Patch Management Lifecycle
Figure 3-08: The Lifecycle of Patch Management
272
Chapter 03: Implementation
Self-Encrypting Drive (SED)/ Full-Disk Encryption (FDE)
Full-disk encryption and self-encrypting drives encrypt and decrypt data written to and
read from the disk. FDE is appropriate for laptops, which are highly vulnerable to data
loss or theft. However, FDE is not appropriate for the most common risks encountered
in datacenter and cloud environments.
FDE/SED has the following advantages:
▪
▪
▪
The most straightforward method of deploying encryption
Applications, databases, and users can all see through it.
Hardware-based encryption with high performance
Hardware Root of Trust
A hardware root of trust serves as the foundation for all security operations of a
computing system. It stores the keys used for cryptographic functions and allows for a
secure boot process. It is inherently trustworthy, so it must be secured by design.
Trusted Platform Module (TPM)
TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely
store authentication artifacts, i.e., PC or laptop.
Sandboxing
To execute code in an environment that isolates the target system and the code from
direct contact is called Sandboxing. Sandbox is used for the execution of unverified and
untrusted code. Sandbox works like a virtual machine and can mediate several system
interactions like accessing memory, network access, and another program, device, and
file system. Sandbox offers protection, and its level of protection depends upon isolation
level.
273
Chapter 03: Implementation
Mind Map
Figure 3-09: Mind Map of Host or Application Security Solutions
Implement Secure Network Designs
Load Balancing
Load balancing is the process of distributing network or application traffic among
numerous servers in a server farm in a systematic and effective manner. Each load
balancer lies between clients and backend servers, receiving and distributing requests
to any server that can handle them.
Active/Active
A network of independent processing nodes, each with access to a shared replicated
database, allowing all nodes to participate in a single application, is known as an
active/active system. Two or more processing nodes are connected via a redundant
communications network in the application network.
Active/Passive
An active network has at least one voltage or current source that can continuously
supply energy to the network. An active source is not present in a passive network.
There are no electromotive force sources in passive networks. They are made up of
passive components such as resistors and capacitors.
274
Chapter 03: Implementation
Virtual IP
Virtual IP addresses are those that are not tied to specific machines. As a result, they
can switch between nodes in a Content Gateway cluster. On the same Subnet, it is
common for a single device to represent multiple IP addresses.
Network Segmentation
Virtual Local Area Network (VLAN)
By dividing workstations into different isolated LAN segments, VLANs enable network
administrators to limit access to a specified group of users automatically.
Administrators do not need to reconfigure the network or change VLAN groups when
users relocate their workstations.
DMZ
DMZ stands for Demilitarized Zone. It is the region between a trusted internal network
and an untrusted network.
Figure 3-10: DMZ (Demilitarized Zone)
It functions as a buffer region between the internet and the internal network. The idea
is to secure the internal network and not allow direct access from the internet to the
trusted internal network by directly forcing the user to make at least one hop in the
DMZ before accessing internal network information.
The servers directly accessed from the outside (untrusted zone) should be placed in
DMZ like Remote access server, Web server, External email server, etc. Similarly, all the
other standard servers like a Database server, DNS, File server, Print server, application
server, etc., should be placed in the internal network for security purposes.
275
Chapter 03: Implementation
East-West Traffic
East-West traffic refers to the flow of traffic within a data center. East-West traffic
indicates data flow among devices within a datacenter based on the most commonly
deployed topology of systems within the datacenter.
Extranet
There are some trusted third parties to whom we want to lend access to the resources
inside the internal network. A private DMZ, called 'Extranet,' is created to lend access
to trusted third parties.
The extranet is separate from the internal network and provides access to the outside
of the company. Authentication credentials are required from the user to gain access to
the resources. This additional authentication helps to allow only authorized users to
access the resources.
Intranet
A private network that is only accessible from within it and not from the outside world.
Essential resources or important internal documents are placed on an intranet. Access
is granted only to organizational users (company employees), with no other users
allowed/permitted access to those resources.
Zero Trust
Zero Trust is a strategic initiative that aims to eliminate the concept of trust from an
organization's network architecture to help prevent successful data breaches. The goal
of Zero Trust is not to make a system trustworthy but rather to eliminate trust.
Virtual Private Network (VPN)
A virtual private network, or VPN, is an encrypted Internet connection that connects a
device to the web. The encrypted connection aids in the safe transmission of sensitive
data.
The responsibilities of a VPN include managing the following security network design:
▪ Always-on
▪ Split tunnel vs. full tunnel
▪ Remote access vs. site-to-site
▪ IPSec
▪ SSL/TLS
▪ HTML5
▪ Layer 2 Tunneling Protocol (L2TP)
276
Chapter 03: Implementation
Network Access Control (NAC)
NAC is an acronym for Network Access Control. With NAC, the traffic flow from inside
or outside the network is controlled. Access control is based on different rules like user
type, location, application, etc. One of the advantages of access control is that it can be
enabled or disabled easily.
Agent and Agentless
In agent-based network access control, the code is kept on the host system for
activation, and it runs at the time of connection. Agentless network access control is
integrated with Windows Active Directory. In agentless access control, checks are
performed during login & log out, and it cannot be scheduled.
Out-of-Band Management
Out-of-band management in systems management entails using management
interfaces (or serial ports) to manage and network equipment. Out-of-band
management enables the network operator to set trust boundaries for accessing the
management function and applying it to network resources.
Port Security
Enabling Port Security will also mitigate against these attacks by limiting the port to
learning a maximum number of MAC addresses, configuring violation actions, aging
time, etc.
Broadcast Storm Prevention
Storm control prevents broadcast storms from disrupting LAN interfaces. When
broadcast packets flood the Subnet, they cause excessive traffic and degrade network
performance. Errors in the protocol stack or network configuration can result in a
broadcast storm.
Bridge Protocol Data Unit (BPDU) Guard
A BPDU is a data message sent across a local area network to detect loops in network
topologies. Guard functionality protects edge ports from malicious attacks. When a
malicious attacker sends a BPDU over the edge port, it causes unnecessary STP to occur.
Dynamic Host Configuration Protocol (DHCP) Snooping
DHCP is allocating the IP address dynamically so that these addresses are assigned
automatically and can be reused when hosts do not need them. Round Trip time is the
measurement of time from discovering the DHCP server up to obtaining the leased IP
address. RTT can be used to determine the performance of DHCP. Using UDP
broadcast, a DHCP client sends an initial DHCP-Discover packet because it initially
277
Chapter 03: Implementation
does not have information about the network they are connected to. The DHCP server
replies to the DHCP-Discover packet with a DHCP-Offer Packet offering the
configuration parameters. The DHCP client will send a DHCP-Request packet destined
for the DHCP server requesting configuration parameters. Finally, the DHCP server will
send the DHCP-Acknowledgement packet containing configuration parameters.
DHCPv4 uses two different ports:
•
•
UDP port 67 for server
UDP port 68 for client
Figure 3-11: Mi IPv4 DHCP Requests
A DHCP Relay Agent forwards the DHCP packets from server to client and client to
server. The relay agent helps the communication by forwarding requests and replies
between clients and servers. When receiving a DHCP message, the relay agent generates
a new DHCP request including default gateway information and the Relay-Agent
information option (Option-82) and sends it to a remote DHCP server. When the Relay
Agent gets the reply from the server, it removes Option 82 and forwards it back to the
client.
The working of the relay agent and the DHCPv6 server is the same as the IPv4 relay
agent and DHCPv4 server. The DHCP server receives the request and assigns the IP
address, DNS, lease time, and other necessary information to the client, whereas the
relay server forwards the DHCP messages
Figure 3-12: IPv6 DHCP Requests
278
Chapter 03: Implementation
DHCPv6 uses two different ports:
•
•
UDP port 546 for clients
UDP port 547 for servers
Media Access Control (MAC) Filtering
MAC (Media Access Control) filtering limits access to specific devices on the network.
Typically, it is used to keep neighbors out or ensure that only the people of a company
can connect to the network. The disadvantage of MAC filtering is that it is easy to
circumvent.
Network appliances
The Network Appliance includes the following components in security network design
for managing the network
▪
▪
▪
▪
Jump servers
Proxy servers
Forward
Reverse
Network-based Intrusion Detection System (NIDS)/Network-based Intrusion
Prevention System (NIPS)
Network Intrusion Detection
It is used to track traffic in real-time at specific points on a network. It investigates
protocol actions at the application, transport, and network levels. The study and
identification of network traffic patterns are based on a database of known assaults.
NIDS's behavioral, anomaly, and signature-based monitoring and detection improve
network security.
Functions of NID
▪
▪
▪
▪
The primary function of NID is to filter out the IP Address of the intruder by
configuring the firewall.
It launches a separate program to handle the event.
It can terminate the TCP session by forging a TCP FIN packet to force a
connection to complete.
It sends an entry to the system log file.
Network Intrusion Prevention
It is an "inline" NIDS that can terminate TCP connections and can discard packets.
279
Chapter 03: Implementation
Functions of NIPS
It can identify malicious packets using the following methods:
▪
▪
▪
▪
▪
Pattern Matching
Stateful Matching
Protocol Anomaly
Statistical Anomaly
Traffic Anomaly
It can also provide flow data protection through:
▪
▪
Monitoring full application flow content
Re-assembling whole packets
Difference between NIDS and NIPS
The significant difference between NIDS and NIPS is in their location:
▪
▪
NIPS would be located 'inline' on the firewall to allow NIPS to take action more
quickly against the attack.
NIDS has sensors that monitor traffic entering and leaving the firewall and report
back to the central device for analysis.
It is the basic working of the Intrusion Prevention System (IPS). The placement of the
sensor within a network differentiates the functionality of IPS over the IDS. When the
sensor is placed in line with the network, i.e., the common in/out of a specific network
segment terminates on the hardware or logical interface of the sensor and goes out from
the sensor's second hardware or logical interface. Every packet will be analyzed and pass
through the detector only if it contains anything malicious. By dropping the malicious
traffic, the trusted network or a segment can be protected from known threats and
attacks. However, the inline installation and inspection of traffic may result in a slighter
delay. IPS may also become a single point of failure for the whole network. If 'fail-open
mode is used, the good and malicious traffic will be allowed in case of any failure within
the IPS sensor. Similarly, if 'fail-close' mode is configured, the whole IP traffic will be
dropped in case of the sensor's failure.
280
Chapter 03: Implementation
Figure 3-13: Inline Deployment of IPS Sensor
If a sensor is installed in the position shown below, a copy of every packet will be sent
to the sensor to analyze any malicious activity.
Figure 3-14: Sensor Deployment as IDS
In other means, the sensor, running in promiscuous mode, will perform the detection
and generate an alert if required. As the normal traffic flow is not disturbed, no end-toend delay will be introduced by implementing IDS. The only downside of this
configuration is that IDS will not stop malicious packets from entering the network
because IDS is not controlling the overall traffic path.
This table summarizes and compares various features of IDS and IPS.
Feature
IPS
Positioning
Not in-line with the
In-line with the network. Every packet goes
network. Receives a copy
through it.
of every packet.
Mode
In-line/Tap
Delay
Introduces delay because every packet is Do not introduce delay
analyzed before being forwarded to the because it is not in line
destination.
with the network.
Point
failure
IDS
Promiscuous
Yes. If the sensor is down, it may drop as
well as malicious traffic from entering the No impact on traffic as
of
network, depending on one of the two IDS is not in line with the
modes configured on it, namely fail-open network.
or fail-close.
281
Chapter 03: Implementation
Yes. By dropping the malicious traffic,
Ability
to attacks can be readily reduced on the
mitigate an network. If deployed in TAP mode, then it
attack?
will receive a copy of each packet but
cannot mitigate the attack.
IDS cannot directly stop
an attack. However, it can
assist
some
in-line
devices like IPS to drop
specific traffic to stop an
attack.
Can you do
packet
Yes. Can modify the IP traffic according to
manipulatio a defined set of rules.
n?
No. As IDS receives
mirrored traffic, so it can
only
perform
the
inspection.
Table 3-01: IDS/IPS Comparison
Signature-based
A signature detects an anomaly by looking for some specific string or behavior in a single
packet or stream of packets
Heuristic/Behavior
The Heuristic Intrusion Detection and Prevention System (HIDPS) is a system that can
intelligently check for malicious behavior from a program that is either inside or trying
to access the system. The nature of the program determines whether access is given or
revoked.
HSM
HSM provides facilities for Cryptographic functions like hashing, encryption, etc. It
manages and stores keys in a secure location by keeping the backup of the key. To
restrict access to the key that HSM secures, it has a technique called tamper protection
technique.
It is a peripheral device that is usually "attached through USB or a network connection."
282
Chapter 03: Implementation
Figure 3-15: Hardware Security Module
Sensors and Collectors
The critical spots in a network contain sensors and collectors. These sensors and
collectors gather information from the network devices. They may be integrated into
the router, firewall, switches, etc., or built-in within the network.
The information that the sensor gathers varies from system to system. For instance,
authentication logs information will differ from database transaction logs or web server
access logs, etc.
Difference between Sensor and Collector
When the sensor provides the raw data, the collector converts this raw data into logical
information or the information that makes sense.
Aggregators
In modern networking, an aggregator is a device or service provider that can combine
multiple disparate circuits or carrier services into a single, simple-to-use, easy-tomanage course. To put it another way, an aggregator can make your job as a network
provider/manager easier.
Firewall
The primary function of using a dedicated firewall at the edge of a corporate network in
isolation. A firewall prevents the internal LAN from having a direct connection with the
internet or the outside world. This isolation is carried out by but is not limited to:
● A Layer 3 device using an Access List for restricting the specific type of traffic
on any of its interfaces
● A Layer 2 device using the concept of VLANs or Private VLANs (PVLAN) for
separating the traffic of two or more networks
● A dedicated host device with the installed software. This host device, also
acting as a proxy, filters the desired traffic while allowing the remaining traffic
Although the features above provide isolation in some sense, the following are reasons
for preferring a dedicated firewall appliance (either in hardware or in software) in
production environments:
Risks
Access by
Untrusted
Entities
Protection by firewall
Firewalls try to categorize the network into different portions. One
portion is the trusted portion of internal LAN. Public internet
interfaces are seen as an untrusted portion. Similarly, servers
accessed by untrusted entities are placed in a particular segment
283
Chapter 03: Implementation
known as a Demilitarized Zone (DMZ). By allowing only specific
access to these servers, like port 90 of the web server, firewalls hide
the functionality of a network device, making it difficult for an
attacker to understand the physical topology of the network.
Deep Packet
Inspection
and Protocol
Exploitation
One of the exciting features of a dedicated firewall is its ability to
inspect traffic at more than just IP and port levels. By using digital
certificates, Next-Generation Firewalls that are available today can
check traffic up to layer 7. A firewall can also limit the number of
established as well as half-open TCP/UDP connections to mitigate
DDoS attacks.
Access
Control
By implementing local AAA or by using ACS/ISE servers, the
firewall can permit traffic based on AAA policy.
Anti-virus
and
By integrating IPS/IDP modules with a firewall, malicious data can
Protection
be detected and filtered at the edge of the network to protect endfrom Infected users.
Data
Table 3-02: Firewall Risk Mitigation Features
Although a firewall provides excellent security features, any misconfiguration or bad
network design may have serious consequences, as discussed in the table above.
Another important deciding factor when deploying a firewall in the current network
design is whether the current business objectives can bear the following limitations:
● Misconfiguration and Its Consequences: The primary function of a firewall is to
protect network infrastructure in a more elegant way than a traditional layer 3/2
device. Depending on the vendor and their implementation techniques, many
features need to be configured for a firewall to work correctly. Some of these features
may include Network Address Translation (NAT), Access-Lists (ACL), AAA base
policies, and so on. Misconfiguration of any of these features may result in leakage
of digital assets, which may impact the business financially. In short, complex
devices like firewalls require deep insight and knowledge of equipment and the
general deployment approach.
● Applications and Services Support: Most firewalls use different techniques to
mitigate advanced attacks. For example, NATing, one of the most commonly used
firewalls, reduces reconnaissance attacks. When network infrastructure is used to
support custom-made applications, it may be necessary to re-write the whole
application to work correctly under the new network changes.
284
Chapter 03: Implementation
● Latency: Just as implementing NATing on a route adds some end-to-end delay, a
firewall, along with heavy processing demands, can add a noticeable delay to the
network. Applications like Voice Over IP (VOIP) may require a particular
configuration to deal with this.
Another essential factor to be considered when designing a network infrastructure's
security policies is using the layered approach instead of relying on a single element.
For example, consider the following scenario:
Figure 3-16: Positioning a Firewall in a Production Environment
The previous figure shows a typical Small Office Home Office (SOHO) scenario and
mid-sized corporate environments where several routers and switches support the
whole network infrastructure. If the edge firewall is the focal point of security
implementation, any slight misconfiguration may result in high-scale attacks. In
general, a layered security approach is followed, and packets pass through multiple
security checks before hitting the intended destination.
The position of a firewall varies in different designs. In some scenarios, it is placed on
the corporation's perimeter router, while in other formats, it is placed at the edge of the
network, as shown in figure 141. Apart from the position, it is good practice to
implement layered security. Some features, such as unicast reverse path forwarding,
access-lists, etc., are enabled on the perimeter router. Features such as deep packet
inspection and digital signatures are matched on the firewall. If everything looks good,
the packet is allowed to hit the intended destination address.
Network layer firewalls permit or drop IP traffic based on Layer 3 and 4 information. A
router with an access list configured on its interfaces is a typical example of a network
layer firewall. Although they operate very fast, network layer firewalls do not perform
deep packet inspection techniques or detect malicious activity.
285
Chapter 03: Implementation
Apart from acting as the first line of defense, network layer firewalls are also deployed
within internal LAN segments for enhanced layered security and isolation.
Firewall Architecture
Bastion Host
A Bastion Host is a computer system placed between public and private networks. It is
intended to be a crossing point through which traffic passes. The system is assigned
specific roles and responsibilities. A bastion host has two interfaces, one connected to
the public network and a private network.
Figure 3-17: Posi Bastion Host
Screened Subnet
Screened Subnet can be set up with a firewall with three interfaces. These three
interfaces are connected with the internal Private Network, Public Network, and
Demilitarized Zone (DMZ). In this architecture, each zone is separated by another zone
hence any compromise of one zone will not affect another.
Figure 3-18: Screened Subnet
286
Chapter 03: Implementation
Multi-homed Firewall
A Multi-homed Firewall is two or more networks where each interface is connected to
its network. It increases the efficiency and reliability of a network. A firewall with two
or more interfaces allows further subdivision.
Figure 3-19: Multi-Homed Firewall
Demilitarized Zone (DMZ)
An IOS zone-based firewall is a specific set of rules that may help to mitigate mid-level
security attacks in environments where security is implemented via routers. In ZoneBased Firewalls (ZBF), device interfaces are placed in different unique zones (inside,
outside, or DMZ), and policies are applied to these zones. Naming conventions for zones
must be easy to understand to be helpful when it comes to troubleshooting.
ZBFs also use stateful filtering, which means that if the rule is defined to permit
originating traffic from one zone to another zone, for example, DMZ, then return traffic
is automatically allowed. Traffic from different zones can be authorized using policies
permitting traffic in each direction.
One of the advantages of applying policies on zones rather than interfaces is that
policies are applied automatically simply by removing or adding to an interface in a
particular zone whenever new changes are required at the interface level.
ZBF may use the following set of features in its implementation:
●
●
●
●
●
Stateful Inspection
Packet Filtering
URL Filtering
Transparent Firewall
Virtual Routing Forwarding (VRF)
This figure illustrates the scenario explained above:
287
Chapter 03: Implementation
Figure 3-20: Cisco IOS Zone-based Firewall Scenario
Stateless Firewall
Initially, the firewalls analyze data packets to see if they match the particular rules and
then decide how to forward or drop the packets accordingly. This type of packet filtering
is referred to as stateless filtering. This type of filtering does not care either a packet is
part of an existing data flow or not. Each packet is analyzed individually based solely on
the values of specific parameters in the packet header. It is somehow similar to ACLs
packet filtering.
A stateless firewall monitors network traffic and restricts or blocks packets based on
static values like source and destination addresses. They are not aware of data flows and
traffic patterns.
A stateless firewall filter, sometimes also known as an Access Control List (ACL), does
not state-fully analyze traffic and is unaware of a communication path. The primary
purpose of a stateless firewall filter is to use packet filtering to enhance security. Packet
filtering lets you take the decision and actions based upon the policies you applied.
Stateless firewalls are faster and can perform better under heavier traffic loads.
The stateless firewall works like a packet filter. It does not keep track of the currently
active session. It looks at the traffic going by, and then compare it to a list of access
control and then either allows or restricts traffic to flow.
288
Chapter 03: Implementation
Figure 3-21: Stateless Firewall
Figure 3-22: Stateless Firewall-Traffic Blocking
Stateful Firewall
Stateful firewalls analyze the state of connections in data flows during packet filtering.
They explore whether the packet belongs to an existing flow of data or not. Stateful
firewalls can see traffic streams from one end to another. They know about the
communication paths, applying different IP Security (IPsec) functions such as
encryption and tunneling. Stateful firewalls let you know about other TCP connections
or port states either open, open sent, synchronized, acknowledged, or established.
Stateful firewalls are better at identifying unauthorized access from somewhere.
Operation
A stateful firewall can maintain the state of every connection, either incoming or
outgoing, through the firewall and thus replace long configuration lines. When the
traffic wants to go out through a firewall, the packet will be first matched against a
firewall rules list to check whether the packet is allowed or not. If this packet type is
allowed to go out through the firewall, then the process of stateful filtering will begin.
Usually, a stateful firewall uses the traffic that is using the Transport Control Protocol
(TCP). TCP is stateful, to begin with because TCP maintains a track of its connections
289
Chapter 03: Implementation
by using source and destination address, port number, and IP flags. A three-way
handshake will form an association (SYN, SYN-ACK, ACK), and a two-way exchange
(FIN, ACK) will sum up the connection. This process makes keeping track of the
connection's state easier.
State-full is a bit intelligent firewall. It keeps track of the flow of traffic and remembers
the 'state' of the session. It only allows the good traffic to flow.
Figure 3-23: Stateful Firewall
Difference between Stateless and Stateful Firewall
Stateless Firewall
Stateful Firewall
No session
Session
No login
Login
No basket
Basket
Static Content
Dynamic Content
Table 3-03: Difference between Stateless and Stateful Firewall
Application-Aware Security Device
As the name implies, it filters the traffic based on the application, a modern firewall
technique. It is also named Application Layer Gateway, State-full Multilayer Inspection,
and Deep Packet Inspection.
Types of Firewall
Packet Filtering Firewall
A Packet Filtering Firewall includes access lists to permit or deny traffic based on layer
three and layer four information. Whenever a packet hits an ACL configured layer three
device's interface, it checks for a match in an ACL (starting from the first ACL line).
290
Chapter 03: Implementation
Using an extended ACL in the Cisco device, the following information can be used to
match traffic:
●
●
●
●
●
Source Address
Destination Address
Source Port
Destination Port
Some extra features like TCP established sessions
This table outlines the advantages and disadvantages of using packet filtering
techniques:
Advantages
Disadvantages
Cannot mitigate IP spoofing attacks. An
attacker can compromise the digital
Ease of implementation by using a
assets by spoofing the IP source address
permit and deny statements
to one of the permit statements in the
ACL
Less CPU intensive than deep packet Difficult to maintain when ACL's size
inspection techniques
grows
Configurable on almost every Cisco Cannot implement filtering based on
IOS
session states
In scenarios in which dynamic ports are
Even a mid-range device can perform used, a range of ports will be required
ACL based filtering
to be opened in ACL, which malicious
users may also use
Table 3-04: Advantages and Disadvantages of Packet Filtering Techniques
Circuit-level Gateway Firewall
A Circuit-level Gateway Firewall operates at the session layer of the OSI model. It
captures the packet to monitor the TCP Handshake to validate whether the sessions are
legitimate. Packets forwarded to the remote destination through a circuit-level firewall
appear to be originated from the gateway.
Application-level Firewall
An Application-level Firewall can work at layer three up to layer 7 of the OSI model.
Usually, a specialized or open-source software running on a high-end server acts as an
intermediary between client and destination address. As these firewalls can operate up
to layer 7, it is possible to control moving in and out of more granular packets. Similarly,
291
Chapter 03: Implementation
it becomes challenging for an attacker to get the topology view of a trusted network
because the connection request terminates on Application/Proxy firewalls.
Some of the advantages and disadvantages of using application/proxy firewalls are:
Advantages
Disadvantages
Granular control over traffic is possible As proxy and application, firewalls run
by using information up to layer 7 of the in software. A very high-end machine
OSI model
may be required to fulfill the
computational requirements
The indirect connection between end Just like NAT, not every application
devices make it very difficult to has support for proxy firewalls, and few
generate an attack
amendments may be needed in the
current application architecture
Detailed logging is possible as every Other software may be required for the
session involves the firewall as an logging feature, which takes extra
intermediary
processing power
Any commercially available hardware Along with computational power, high
can be used to install and run proxy storage may be required in different
firewalls on it
scenarios
Table 3-05: Advantages and Disadvantages of Application/Proxy Firewalls
Stateful Multilayer Inspection-based Firewalls
As the name suggests, this saves the state of current sessions in a table known as a
stateful database. Stateful inspection and firewalls using this technique typically deny
any traffic between trusted and untrusted interfaces. Whenever an end-device from a
trusted interface wants to communicate with some destination address attached to the
untrusted interface of the firewall, it will be entered in a stateful database table
containing layer three and layer two information. The following table compares different
features of stateful inspection-based firewalls.
Advantages
Disadvantages
Helps in filtering Unable to mitigate application-layer attacks
unexpected traffic
It
can
be Except for TCP, other protocols do not have wellimplemented on a defined state information to be used by the firewall
broad
range
of
routers and firewalls
292
Chapter 03: Implementation
Can
help
in
mitigating denial of
service
(DDoS)
attacks
Some applications may use more than one port for a
successful operation. An application architecture
review may be needed to work after deploying the
stateful inspection-based firewall.
Table 3-06: Advantages and Disadvantages of Stateful Inspection-based Firewalls
Transparent Firewalls
Most of the firewalls discussed above work on layer three and beyond. Transparent
firewalls work precisely like the techniques mentioned above, but the firewall's
interfaces are layer 2 in nature. IP addresses are not assigned to any interface – think of
it as a switch with ports assigned to some VLAN. The only IP address assigned to the
transparent firewall is for management purposes. Similarly, as there is no extra hop
between end devices, the user will not be aware of any new additions to the network
infrastructure, and custom-made applications may work without any problem.
Next Generation (NGFW) Firewalls
NGFW is a relatively new term used for the latest firewalls with advanced feature sets.
This kind of firewall provides in-depth security features to mitigate known threats and
malware attacks. An example of next-generation firewalls is the Cisco ASA series with
FirePOWER services. NGFW delivers complete visibility into network traffic users,
mobile devices, Virtual Machines (VM) to VM data communication, etc.
Personal Firewalls
A Personal Firewall is also known as a desktop firewall. It helps to protect end-users
personal computers from general attacks from intruders. Such firewalls appear to be a
significant security line of defense for users who are constantly connected to the
internet via DSL or cable modem. Personal firewalls help by providing inbound and
outbound filtering, controlling internet connectivity to and from the computer (both in
a domain-based and workgroup mode), and alerting the user of any intrusion attempts.
Access control list (ACL)
A series of rules through which the firewall determines whether to allow or restrict the
traffic flow. It can also be called the group of variables (tuples) or security policies.
Route security Quality of service (QoS)
Quality of Service (QoS) is a network technology collection that ensures a network can
run high-priority applications and traffic despite limited network capacity reliably. It is
accomplished by QoS technologies, which provide differentiated handling and capacity
allocation to specific flows in network traffic.
Implications of IPv6
293
Chapter 03: Implementation
End-to-end encryption is possible with IPv6. As used in modern VPNs, encryption and
integrity-checking are standard components in IPv6, available for all connections and
supported by compatible devices and systems. As IPv6 becomes more widely used, manin-the-middle attacks will become much more difficult.
IPv6 also allows for more secure name resolution. The Secure Neighbor Discovery
(SEND) protocol can provide cryptographic confirmation that a host is who it claims to
be at the time of connection. Address Resolution Protocol (ARP) poisoning and other
naming-based attacks are made more difficult as a result. An attacker can easily redirect
traffic between two legitimate hosts and manipulate the conversation using IPv4. It is
made difficult by IPv6.
Port Spanning/Port Mirroring
Port mirroring is a straightforward notion. One port is reserved while configuring a
switch. The switch is then configured to "reflect" all traffic passing through that reserved
port. As mentioned earlier, when the switch processes a packet, it is copied and sent to
whatever is linked to the port. On a network switch, port mirroring sends a copy of
network packets seen on one switch port (or an entire VLAN) to a network monitoring
connection on another switch port.
Port Taps
The two most frequent methods for network traffic access used for data monitoring and
security analysis are network TAP (Test Access Point) and SPAN (port mirroring).
Monitoring Services
The collection, analysis, and escalation of indicators and alerts to detect and respond to
breaches on computer networks are known as network security monitoring. Proactive
network searches for security data and "hunting" for suspicious behavior are common
aspects of network security monitoring solutions.
File Integrity Monitors
As a member of the CIA trinity, file integrity refers to the processes and
implementations to protect data from unauthorized alterations, such as cyber-attacks.
The integrity of a file indicates whether it has been tampered with by unauthorized
users after it was generated, while it was being stored, or while it was being retrieved.
294
Chapter 03: Implementation
Mind Map
Figure 3-24: Mind Map of Secure Network Design
Wireless Security Settings
The use of wireless networks has dramatically increased, and therefore, the security of
the protocols used in a wireless network has become a vital determinant to observe
safety. Its security can be ensured through the implementation of encryption.
Cryptographic Protocols
Cryptographic protocols refer to the cryptographic methods and their implementation
to assure various vendors' equipment interoperability.
All can have a secure wireless communication channel by configuring WPA and WPA 2
encryption that permits only people with a password to communicate.
WiFi Protected Access II (WPA2)




Wi-Fi protected access to version 2
It is modern wireless encryption and was introduced in 2004.
It uses AES (Advanced Encryption Standard) for encryption that replaced RC4.
Also, it involves CCMP (Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol) that replaced TKIP.
295
Chapter 03: Implementation
WiFi Protected Access III (WPA3)

The most recent iteration of common wireless network security is WPA3 (Wi-Fi
Protected Access 3).

Even when a simple password is provided, WPA3 provides higher security than
the WPA2 authentication mechanism.
Counter-mode/CBC-MAC Protocol (CCMP)



Uses 128-bit keys and encrypts in 128-bit block size.
Its services include Data confidentiality, Access control, and Authentication.
For data confidentiality, it uses AES.
Simultaneous Authentication of Equals (SAE)


For Mesh Networks, a Secure Password-Based Key Exchange is used.
The technique produces a cryptographically strong shared secret that can secure
other data, such as network communication. Passive, active, and dictionary
attacks are all resistant to SAE.
Authentication Protocols
Extensible Authentication Protocol (EAP)



It stands for Extensible Authentication Protocol.
It also serves as a framework for creating various types of authentication.
WPA and WPA2 also use five various EAP types for authentication on wireless
networks.
Protected Extensible Application Protocol (PEAP)



It stands for Protected Extensible Authentication Protocol.
It was developed by Microsoft, Cisco, and RSA for secure authentication.
In PEAP, EAP is encapsulated into a tunnel (TLS tunnel). The encryption
certificate is on the server-side, and all the EAP communication is sent over this
TLS tunnel.
EAP-FAST



One of the EAP types is EAP-FAST. It stands for EAP Flexible Authentication via
Secure Tunneling.
Cisco proposed it as a replacement of LEAP (Lightweight EAP) protocol that was
used with WEP.
It is a more secure protocol.
296
Chapter 03: Implementation
EAP-TLS



It stands for EAP-Transport Layer Security or EAP over Transport Layer Security.
EAP-TLS is a common way for encrypting web server traffic and authentication
methods, and it is used widely.
Common advantages include Strong security & support for various wireless
network types.
EAP-TTLS


It stands for EAP-Tunneled Transport Layer Security.
It functions almost the same as EAP-TLS, as the server authenticates to the client
with a certificate. Still, the client-side authentication is tunneled in this protocol
that permits the use of legacy authentication protocols such as PAP, CHAP, MSCHAP, etc.
IEEE 802.1x



A standard of authentication is commonly referred to as “Port-based NAC
(Network Access Control).”
Access is not granted until the authentication process is completed.
Over wireless, IEEE 802.1x uses either EAP-based protocol or IEEE 802.11i.
RADIUS Federation


As the name implies, RADIUS Federation simply means using RADIUS with the
federation.
Federation permits a member of one company to authenticate to another
company’s network using standard credentials; no separate credentials are
needed for visiting a distinct network.
Methods
For configuring wireless access points, there are various authentication methods
available.
PSK vs. Enterprise vs. Open System
An open system without any set security means no password is needed for
authentication in an available system. PSK is commonly named WPA-PSK because it
uses WPA2 encryption with a secret key. It stands for Pre-Shared Key. It needs to be
securely shared among users.
There are various security problems in organizations associated with using a shared key,
and WPA Enterprise helps reduce those problems. It authenticates all the users
individually with an authentication server.
297
Chapter 03: Implementation
WPS
It stands for Wi-Fi /Protected setup that was initially called ‘Simple Wi-Fi config.’ Using
WPS, there are various ways of authentication such as; Using an 8-digit PIN that is
configured on the access point (add that PIN to the mobile device), Pushing a button
on the access point, NFC-Near Field Communication (bring mobile near the access
point).
Captive Portal
Another authentication method for wireless networks is a captive portal. A pop-up that
you see when you open a browser and asks you for credentials. It is known as a captive
portal.
Installation Considerations
Site surveys
Site surveys are used to determine the number and location of access points (APs)
required for a facility to achieve full and efficient wireless coverage. Signal interference
and outside access flaws that unauthorized users could access can also be detected
through surveys.
Heat maps
A wireless heat map is a visual representation of the condition of wireless network signal
coverage across a specific area that can assist network engineers in visualizing wireless
network coverage, identifying dead zones, adjusting, and improving range in the
wireless network environment.
WiFi analyzers
The Wi-Fi Analyzer app, which has been named one of the 15 most useful Android apps,
one of The Best Apps for Fixing Your Wifi, and featured in The NY Times Wirecutter –
The Best Wi-Fi Router, allows users to optimize their current Wi-Fi network by
examining surrounding networks, identifying crowded.
Channel overlays
Peer-to-peer networks, IP networks, and virtual Local Area Networks are examples of
overlay networks (VLANs). Because their IP addresses identify endpoints, the Internet,
which employs layer-3 IP addressing, is an overlay network.
Controller and access point security
In 802.11 wireless deployments, the central node is the Access Point (AP). It is the
connection point between the wired and wireless networks, where all wireless clients
connect and exchange data.
298
Chapter 03: Implementation
Mind Map
Figure 3-25: Mind Map of Secure Network Design
Implement Secure Mobile Solutions
Security for mobile devices needs a multi-layered approach as well as a financial
commitment to enterprise solutions. Some of the primary vital elements are described
below:
Connection Methods and Receivers
The following are some ways that one can use to connect portable technology:
Cellular Network
▪
▪
▪
Through this, our cell phones can communicate over a vast network separated
into sectors called cells.
An antenna in mobile phones can communicate to the antenna that may be in
the local areas.
There are various security concerns with this, i.e., Traffic monitoring, Location
tracking, Wide access to mobile devices.
Wi-Fi
▪
▪
Another common way to connect devices is through Wi-Fi.
We have to make sure that every data that is being sent or received is encrypted.
299
Chapter 03: Implementation
▪
If the data is not encrypted, a man-in-the-middle and denial-of-service attack
risk will increase.
Standard
Frequency
Modulation
Speed
802.11a
5 GHz
OFDM
54 Mbps
802.11b
2.4 GHz
DSSs
11 Mbps
802.11g
2.4 GHz
OFDM, DSSS
54 Mbps
802.11n
2.4 - 5 GHz
OFDM
54 Mbps
802.16 (WiMAX)
10 - 66 GHz
OFDM
70-1000 Mbps
Bluetooth
2.4 GHz
1 – 3 Mbps
Table 3-07: Wireless Network Speed Comparison
Near Field Communication (NFC)
▪
▪
▪
It is commonly used when the communication is between the mobile device and
a device that is nearby.
Commonly used in the payment system.
It is also used to help with other wireless technologies, like supporting the
pairing process for Bluetooth. It is also used as an identity system where one can
identify themselves using the phone.
Some of the security concerns with NFC are as follows:
▪
▪
▪
▪
It is a wireless network (although short-range), but someone with an antenna
can capture and listen to the conversation.
Someone could jam the frequency and attack through denial of service.
There is also a concern about replay attacks.
If an NFC device is lost, it could be a significant security issue because the person
who stole the device will use that NFC instead of the legitimate user.
IR (Infrared)
▪
▪
In modern times, it is used in phones, tablets, and smart-watches to control IR
devices.
It could also be used for file transfer.
USB (Universal Serial Bus)
▪
▪
▪
Most standard mobile device connections.
It uses the physical wired connection.
It is more secure than wireless protocol.
300
Chapter 03: Implementation
Bluetooth
▪
▪
▪
Bluetooth allows for an automatic and wireless connection, but it can also expose
data to interception, providing a considerable security concern.
Hackers regularly use Bluetooth to send malicious files and viruses.
The best way to reduce the risk is to turn off the Bluetooth of the device.
Point-to-point
Point-to-point encryption secures (encrypts) payment card data from the time of
capture, such as when a card payment terminal scans the card until it reaches the secure
decryption endpoint. The fundamental characteristic of P2PE Solutions is point-topoint encryption.
Point-to-multipoint
Point-to-multipoint communication is a type of one-to-many communication in which
many paths from a single point to multiple points are available. This technique is
commonly used in wireless communications with a large number of end destinations or
end-users.
Global Positioning System (GPS)
▪
▪
▪
The GPS (Global Positioning System) is a "constellation" of around 30 satellites
that orbit the Earth and allow anyone with a terrestrial receiver to pinpoint their
location. The location precision for most equipment is between 100 and 10
meters.
The Global Positioning System (GPS) was developed to help military and civilian
users pinpoint their exact location.
It is based on the utilization of Earth-orbiting satellites that supply data that
enables the measurement of the distance between the satellites and the user.
RFID
RFID (Radio Frequency Identification) attacks include multiple attacks like:
▪
▪
▪
▪
Data Capture
Spoof the Reader
Denial of Service
Decryption of Communication
Mobile Device Management (MDM)
The primary purpose of implementing Mobile Device Management (MDM) is to deploy,
maintain, and monitor mobile devices that make up the BYOD solution. Devices may
include laptops, smartphones, tablets, notebooks, or any other electronic device that
can be moved outside the corporate office to home or some public place and then gets
connected to the corporate office by some means.
301
Chapter 03: Implementation
Some of the functions provided by MDM are:
▪
▪
▪
▪
▪
Enforcing a device to be locked after certain login failure attempts.
Enforcement of firm password policy for all BYOD devices.
MDM can detect any attempt at hacking BYOD devices and then limit the
network access of these affected devices.
Enforcing confidentiality by using encryption as per the organization's policy.
Administration and implementation of Data Loss Prevention (DLP) for BYOD
devices. It helps to prevent any data loss due to the end user's carelessness.
Application management
Application management is a difficult task. Not all applications are safe, and some are
malicious, which is a rising security issue.
Content management
A management challenge is to check and update the whitelist constantly.
Remote wipe
▪
▪
▪
Remote wipe is the security requirement of the security administrator. It
removes all the data from the mobile device, often managed by Mobile Device
Management.
It secures the data from unauthorized access if the device is lost, so it is essential
to back up some private data.
It needs to be configured ahead of time.
Figure 3-26: Remote Wiping
Geofencing
Geofencing is a location-based approach that allows a physical location to be given
virtual boundaries. These virtual perimeters can be shown on a map and used to initiate
actions or alerts when people enter, exit, or remain in the region.
302
Chapter 03: Implementation
Geolocation
Geolocation is the process of identifying and tracking the location of linked electronic
devices using location technologies such as GPS or IP addresses. Geolocation is widely
used to track and monitor people's movements and locations because these devices are
frequently carried on their person.
Some of the critical points of Geolocation are:
▪
▪
▪
▪
▪
Based on GPS or signals triangulation or other techniques, geo-locate the device.
In case a mobile device is lost, you can easily track where it is.
However, this can also be used for an evil purpose, like someone could know
precisely where you are or be able to track where you happen to be, based on the
mobile device's location.
The mobile device allows you to enable or disable this feature.
It is usually managed through Mobile Device Manager.
Screen locks
▪
▪
▪
A key security feature of any mobile device is to have that device lock its access.
Allows access to the device if the passcode or password is known.
The password can either be Numeric or Alphanumeric. You can set an option
through the mobile device manager and set it as the requirement to access any
data in the device.
▪ You can also decide what to do with the device on which password is entered
wrong too many times.
▪ You get to choose what that lockout policy might be. Like;
Erase the data on the device.
▪
Slow down the process to prevent brute force attacks.
Push notifications
Push notifications are messages delivered directly to a user's mobile device. They can
appear on the lock screen or at the upper part of a mobile device. An app publisher can
only send a push notification if the user has the app installed.
Passwords and pins
The PIN or password is used as the Key to decrypt data stored on an encrypted mobile
device. A Personal Identification Number (PIN) is a numerical code used in many
computerized financial transactions. Payment cards are often allocated unique
identification numbers, which may be required to complete a purchase.
A password is a string of characters used to validate a user's identity during the
authentication process. Passwords are often used in conjunction with a username and
are intended to be known only by the user to access a device, application, or website.
303
Chapter 03: Implementation
Passwords come in many shapes and sizes and can include letters, numbers, and special
characters.
Biometrics
▪
▪
▪
▪
An intelligent way to set security control on the mobile device.
The user can use face or fingerprint to gain access, but this is not the most secure
option.
It is much more secure to use a password or passcode rather than biometric
security.
It is turned on and off through MDM (Mobile Device Management).
Context-aware authentication
Context-aware authentication is a little beyond two-factor authentication. There, the
user can check another type of access to the device that can help to determine if the
device is in the hands of the right person. It may not qualify as the only type of
authentication, but it could be another security check.
The decisions are made upon the following factors:
▪
▪
▪
Where the user logs typically in.
Where the user is typically frequent (GPS).
Another device that may be paired (Bluetooth).
Containerization
▪
▪
▪
▪
Containerization is implemented where it is difficult for the user to maintain
both personal and business data.
Security management is complex for someone who uses a mobile phone for
corporate use at work and after work; it is used as a personal phone.
Containerization helps to separate an organization's data and application from
the user's personal data and application.
It creates a virtual container for company data that can also help wipe all the
organization's data if someone leaves the organization instead of wiping all the
mobile device data, keeping personal data secure.
Storage segmentation
▪
▪
▪
One technique to protect firm data on mobile devices is to use storage
segmentation.
It encrypts data and stores it in a secure region of the user's device. Access to this
segregated region is usually encrypted and requires authentication.
By isolating traffic, segmentation can increase performance, reduce congestion,
compartmentalize communication concerns like broadcast storms, and improve
security.
304
Chapter 03: Implementation
Full device encryption
▪
▪
▪
▪
Full device encryption is a popular method used by people these days.
No one could gain access to the encrypted data in case the device is lost.
It is handled in different ways by different devices and different operating
systems. For example: In Android, the encryption is configured from strong to
most substantial level to the mobile device.
Therefore, it is suggested and advised not to forget the passcode and keep a
backup of all the data and passcode because if the passcode is lost, the user will
not be able to gain access to the mobile data.
Mobile Devices
MicroSD HSM
A hardware security module in the shape of a microSD card is known as a MicroSD
HSM. It offers encryption, key generation and key life cycle management, digital
signature, authentication, and other cryptographic capabilities, all of which are powered
by hardware-based crypto engines.
MDM/Unified Endpoint Management (UEM)
Mobile device management software allows IT managers to regulate, secure, and
enforce policies on smartphones, tablets, and other endpoints. Unified Endpoint
Management (UEM) refers to the use of MDM to control PCs.
Mobile Application Management (MAM)
MAM (Mobile Application Management) is software that secures and allows IT to
handle enterprise applications on end users' corporate and personal cellphones and
tablets. On the same device, it also separates corporate apps and data from confidential
material.
SEAndroid
Security Enhancements for Android (SEAndroid) is a security solution for Android that
finds and fixes significant flaws. SEAndroid improves data isolation between programs
by regulating Inter-Process Communication (IPC) between apps and system services.
Enforcement and Monitoring
Third-party application stores
They are typically installed as application packages over the USB interface on Android
devices or as IPA files on jailbroken iOS devices. By using a computer, these packages
are often downloaded through third-party program stores like Amazon, Getjar,
Mobogenie, Slide, and Appbrain.
305
Chapter 03: Implementation
Rooting/jailbreaking
To "jailbreak" a phone means to give the owner complete access to the operating
system's root and all of its functions. Rooting is a phrase used to describe eliminating
restrictions from an Android phone or tablet, similar to jailbreaking.
Sideloading
Installing an application on a mobile device without utilizing the device's official
application distribution method is known as sideloading. Third-party apps may have
not been scanned for Malware and are therefore pirated.
Custom firmware
Firmware is software that controls and configures the hardware components of a
platform. Many of the protections required to secure the device and operating system
are set up by firmware. Configuring hardware security settings, verifying boot, and
handing over to the operating system are all part of this process.
Carrier unlocking
Unlocking your phone entails removing the carrier lock that prevents many devices
from running on competing for cellular networks. After opening it, you can bring your
phone to a carrier on a suitable network and sign on to their services.
Firmware Over-the-Air (OTA) updates
The method of remotely upgrading the code on an embedded device is known as overthe-air firmware updates. After a device has been deployed in the field, install new
software features to increase functionality over time. A wireless technique of sending
new software or firmware to mobile phones and tablets is known as over-the-air
updating. The OTA update can be done in two ways: automatically or manually.
Camera use
Tracking, bugging, monitoring, eavesdropping, and recording conversations and text
messages on mobile phones are all part of cellphone surveillance (also known as
cellphone spying). It also includes the tracking of people's movements using mobile
phone signals when phones are turned on.
Following are some examples of the camera types:







Box Camera
Dome Camera
PTZ Camera
Bullet Camera
IP Camera
Day/Night Camera
Thermal (FLIR) Camera
306
Chapter 03: Implementation

Camera
USB On-The-Go (USB OTG)
USB On-the-Go (OTG) allows two USB devices to communicate without the need for a
computer. OTG introduces the Dual-Role Device (DRD), which may serve as both a host
and a peripheral. The fact that a host and peripheral can swap roles if necessary is part
of the charm of OTG.
Recording microphone
A microphone is an electronic device that converts sound waves in the air into electronic
signals or records them on a medium. Microphones are used in various audio recording
devices for multiple applications, including communications, music, and voice
recording.
GPS tagging
The location services linked with your computer system, network, or mobile devices
perform geotagging. To track the position of their subscribers, most social networks and
related services employ some type of geotagging. It allows users to add their current
location to their articles and updates.
WiFi direct/ad hoc
Wi-Fi Direct (also known as peer-to-peer or P2P) enables your software to swiftly locate
and interact with neighboring devices over a longer distance than Bluetooth allows. WiFi peer-to-peer APIs would allow applications to connect to adjacent devices without a
network or hotspot requirement.
Tethering
Tethering uses a mobile device (such as a smartphone) as a modem to link another
device to the Internet, such as a laptop or another mobile phone. To do this, the phone
must be capable of using mobile data. Tethering is one way to make a mobile hotspot
(an ad hoc wireless access point).
Hotspot
A hotspot is a physical site where individuals can connect to the Internet via a Wireless
Local Area Network (WLAN) using a router connected to an Internet service provider,
generally utilizing Wi-Fi. These locations are commonly called "Wi-Fi hotspots" or "WiFi connections." Hotspots are physical locations where users may connect their mobile
devices to the Internet wirelessly, such as smartphones and tablets. A hotspot can be
found in private or public venues, such as a coffee shop, hotel, airport, or even an airline.
While many public hotspots provide free wireless connectivity through an open
307
Chapter 03: Implementation
network, others charge a fee. You will discover how to connect a mobile device to a WiFi hotspot later in the tutorial.
Payment methods
Mobile payment is a cash payment made with a portable electronic device such as a
tablet or cell phone for a product or service. Mobile payment systems, such as PayPal
and Venmo, can also be used to send money to friends and family members.
Deployment Models
Bring Your Device (BYOD)
▪
▪
▪
▪
BYOD stands for Bring Your Device or Bring Your Own Technology.
One of the most common ways for Mobile Device Deployment.
Employees own the device, bring their phones into the workplace, and use them
simultaneously for corporate and personal use.
The device needs to meet the requirement of the company.
The challenge concerning the security is that it is difficult to manage these devices
because it contains both corporative and personal information/data.
Corporate-Owned Personally Enabled (COPE)
▪
▪
▪
▪
It stands for Corporate Own, Personally Enabled.
The company purchases the device, and it is used for both personal and corporate
use.
The organization usually keeps control of the device through a centralized
mobile device, and it is managed similarly as the company manages laptops and
desktop computers.
Everything stored is under the preview of the company.
Choose Your Device (CYOD)
CYOD is an employee provisioning model in which an employer lets employees choose
their own mobile devices from a limited set of possibilities. With this strategy, it is also
easier to protect its data from both external and internal dangers.
Corporate-Owned - Virtual Desktop Infrastructure (VDI)
▪
▪
▪
▪
▪
▪
It is the most popular mobile deployment model.
It stands for Virtual Desktop Infrastructure/Virtual Mobile Infrastructure.
Applications are separated from the mobile devices that the employees use.
Data and applications are running on the remote server, and the employees are
simply using their mobile device as a window into that application.
Data is securely stored in the centralized area and not on the mobile device.
No data will be lost if the device is lost.
308
Chapter 03: Implementation
▪
▪
The application is written once for the VMI platform, and everyone can access it
through that platform.
The application is managed centrally, and no need to update all devices.
Mind Map
Figure 3-27: Mind Map of a Secure Network Design
Cybersecurity Solutions to the Cloud
Cloud Security Controls
Cloud Security
Cloud Computing Security refers to the security implementation and deployment of a
system to prevent security threats. Cloud security includes control policies, deployment
of security devices such as application firewalls and Next-Generation IPS devices, and
strengthening the cloud computing infrastructure. It also has actions at the service
provider end as well as the user end.
Cloud Security Control Layers
Application Layer
Several security mechanisms, devices, and policies provide support at different cloud
security control layers. At the application layer, web application firewalls are deployed
to filter traffic and observe its behavior. Similarly, Systems Development Life Cycle
(SDLC), Binary Code Analysis, and Transactional Security provide security for online
transactions, script analysis, etc.
Information
309
Chapter 03: Implementation
Different policies are configured to monitor data loss to provide confidentiality and
integrity of information communicated between Client and server. These policies
include Data Loss Prevention (DLP) and Content Management Framework (CMF). Data
Loss Prevention (DLP) is a feature that prevents information from leaking from the
network. Traditionally information may include a company or organization's
confidential, proprietary, financial, and other sensitive information. The Data Loss
Prevention feature also ensures compliance with rules and regulations using Data Loss
Prevention policies to prevent users from intentionally or unintentionally sending out
confidential information.
Management
Security regarding cloud computing management is performed through different
approaches such as Governance, Risk Management, Compliance (GRC), Identity and
Access Management (IAM), and Patch and Configuration management. These
approaches help to control and manage secure access to resources.
Network Layer
There are solutions available to secure the network layer in cloud computing, such as
deploying Next Generation IDS/IPS devices, Next-Generation Firewalls, DNSSec, AntiDDoS, OAuth, and Deep Packet Inspection (DPI). The Next Generation Intrusion
Prevention System, known as NGIPS, is one of the most efficient and proactive
components in the Integrated Threat Security Solution. NGIPS secures a network's
complex infrastructure by providing a solid security layer with deep visibility, increased
security intelligence, and advanced protection against emerging threats.
Cisco's NGIPS provides deep network visibility, automation, security intelligence, and
next-level protection. It uses the most advanced and effective intrusion prevention
capabilities to catch emerging sophisticated network attacks. It continuously collects
information regarding the network, including Operating System information, file and
application information, device and user information, etc. This information helps
NGIPS map the network maps and host profiles, providing contextual information to
make better decisions about intrusive events.
Trusted Computing
Validating each hardware and software component from the end entity to the root
certificate establishes the Root of Trust (RoT). Its goal is to ensure that only trustworthy
software and hardware may be utilized while still allowing for flexibility.
Computer and Storage
Cloud computing and storage can be secured by implementing Host-based Intrusion
Detection or Prevention Systems HIDS/HIPS. Examples of these are Configuring
Integrity Check, File System Monitoring and Log File Analysis, Connection Analysis,
310
Chapter 03: Implementation
Kernel Level Detection, Encrypting the Storage, etc. Host-based IPS/IDS is typically
deployed to protect a specific host machine, and it works strictly with the machine's
Operating System Kernel. It creates a filtering layer to filter out any malicious
application call to the OS.
Physical Security
Physical security is always a priority for securing anything. As it is also the first layer
OSI model, any security configuration will not be effective if a device is not physically
secure. Physical security includes protection against artificial attacks such as theft,
damage, and unauthorized physical access and the environmental impact such as rain,
dust, power failure, fire, etc.
High Availability Across Zones
High Availability (HA) refers to systems that are reliable enough to operate without
interruption. They've been thoroughly tested and may include redundant components.
The term "high availability" refers to systems that provide high operational performance
and quality over a long period.
The ability of computing infrastructure to continue to function even if some of its
components fail is referred to as high availability. The number "nine" is often used to
indicate a high level of Availability. "Five nines," for example, denotes a system that is
operational 99.999 percent of the time.
Resource policies
A cybersecurity policy offers guidelines for activities, including email attachment
encryption and social media usage restrictions. Cyberattacks and data breaches can be
expensive; thus, cybersecurity standards are crucial.
Secrets management
Secrets management refers to the tools and processes used to manage digital
authentication credentials (secrets) such as passwords, keys, APIs, and tokens for usage
in applications, services, privileged accounts, and other sensitive parts of the IT
ecosystem.
Integration and auditing
A security audit is a method of evaluating the security of a company's information
system by analyzing how well it meets a set of criteria. These audits are the three
fundamental types of security diagnostics, together with vulnerability assessments and
penetration testing.
311
Chapter 03: Implementation
Storage
The Storage Security Audit is a professional, methodical assessment and verification of
storage infrastructure security and information management procedures. A third party
or an internal audit function performs it.
Permissions
Permissions to read, write, and delete files on a computer are granted to a user or an
application. Access permissions can be assigned to a specific client or server and
directories within that system, programs, and data files.
Encryption
The use of encryption for data in transit and on storage media is referred to as storage
encryption. Data is encrypted as it travels to storage devices like hard disks, tape drives,
and the libraries and arrays that house them.
Replication
The process of transferring data from one location to another is known as data
replication. In a disaster, the technology allows an organization to have up-to-date
copies of its data. Reproduction can occur on a storage area network, a local area
network, or a vast area network, and in the cloud.
High Availability
High Availability refers to an architecture in which one or more servers run parallel with
the main one. The other servers are operational in this situation and share the burden
with the primary server. A continuously operating storage system is known as HighAvailability Storage (HA storage). Redundancy is a key element of high-availability
storage because it allows data to be stored in multiple locations and removes Single
Points of Failure (SPOF).
Network
Virtual networks
A virtual network uses software to connect virtual machines and devices, regardless of
their location. In addition, network adapters and physical Network Interface Cards
(NICs) are used to link computers and servers to the network. These and other tasks are
shifted to software by virtual networking.
Public and private subnets
"Send all outgoing traffic (anything to the CIDR block 0.0. 0.0/0) via this internet
gateway," says a routing table for a public subnet. A private subnet either does not allow
outward traffic to the Internet or includes a route that says, "All outbound traffic must
go via this NAT gateway."
312
Chapter 03: Implementation
Let consider the major components of the configuration for public and private subnets
as depicted in the diagram below.
Figure 3-28: Public and Private Subnets
This scenario's configuration contains the following:
1. A VPC had an IPv4 CIDR block size of /16 (for example, 10.0.0.0/16). There are
65,536 private IPv4 addresses available as a result of this.
2. A public subnet with an IPv4 CIDR block size of /24 (for example, 10.0.0.0/24).
It gives you 256 unique IPv4 addresses. A public subnet has a route to an
internet gateway and is coupled with a routing table.
3. A private subnet with an IPv4 CIDR block size of /24 (for example, 10.0.1.0/24).
It gives you 256 unique IPv4 addresses.
4. A doorway to the Internet. It establishes a connection between the VPC and the
Internet as well as other AWS services.
5. Instances in the subnet range with private IPv4 addresses (examples: 10.0.0.5,
10.0.1.5). It allows them to communicate with one other as well as other VPC
instances.
6. Elastic IPv4 addresses, which are public IPv4 addresses that allow them to be
reached via the Internet, are assigned to instances in the public subnet. Instead
313
Chapter 03: Implementation
of Elastic IP addresses, public IP addresses can be assigned to the cases at
launch.
7. A NAT gateway with an Elastic IPv4 address of its own. Through the NAT
gateway, instances on the private subnet can transmit IPv4 queries to the
Internet (for example, for software updates).
8. The public subnet is coupled with a custom route table. This route table
includes an entry that allows instances in the subnet to communicate over IPv4
with some other cases in the VPC and an admission that enables subnet-models
to communicate directly with the Internet.
9. It is the main route table for the private subnet. The route table includes an
entry that allows instances in the subnet to communicate over IPv4 with some
other cases in the VPC and an admission that will enable models in the subnet
to connect over IPv4 with the Internet via the NAT gateway.
Segmentation
Reasons for segmentation are as follows:
Security: The user should not communicate directly to the database server.
Performance: High bandwidth application.
Compliance: Mandated segmentation (PCI compliance).
Physical Segmentation
In physical segmentation, the devices are physically divided.
Logical Segmentation
In logical segmentation, the devices are logically divided into different segments, such
as configuring VLANs.
API inspection and integration
API security is a broad phrase that refers to procedures and technologies that protect
application program interfaces from malicious attacks or misuse (API). APIs, or
application programming interfaces, make software development and innovation easier
by allowing apps to communicate data and functionality securely. APIs have become a
target for hackers since they are essential for designing web-based interactions.
Compute
Security groups
User accounts, computer accounts, and other groups are grouped into security groups.
Various built-in accounts and security groups in the Windows Server operating system
are set up with the proper rights and permissions to execute specific activities.
314
Chapter 03: Implementation
Dynamic resource allocation
Dynamic resources, like a forklift, travel along with a predetermined path network and
can deliver entities between locations. They may also be required to process entities in
many places, such as an operator executing multiple jobs.
Instance awareness
A virtual server instance from a public or private cloud network is referred to as a "cloud
instance." In cloud instance computing, a single piece of hardware is turned into
software that runs on several computers. A cloud server can easily be relocated from
one physical machine to another without causing any downtime.
Virtual Private Cloud (VPC) Endpoint
A VPC endpoint enables private connections between your VPC and AWS services that
are supported, as well as VPC endpoint services offered by AWS PrivateLink. To
communicate with resources in the service, instances in your VPC do not require public
IP addresses. Virtual devices are VPC endpoints.
Container security
Container security refers to using security tools and rules to protect a container, its
application, and its performance against cyber security threats, such as those posed by
infrastructure, software supply chain, system tools, system libraries, and runtime.
Solutions
Cloud Access Security Broker (CASB)
By integrating CASB, you can make security policies work in the cloud. It can be
implemented as client software, local security appliances, or a cloud-based security
solution. CASB provides Visibility, Compliance, threat prevention, and data security.
Application security
OWASP stands for Open Web Application Security Project. OWASP provides unbiased
and practical information about computer and internet applications. According to
OWASP, the top 10 mobile threats are:
OWASP Top 10 Mobile Risks (2016)
OWASP Top 10 Mobile Risks
(2014)
Improper Platform Usage
Weak Server-Side Controls
Insecure Data Storage
Insecure Data Storage
Insecure Communication
Insufficient
Protection
315
Transport
Layer
Chapter 03: Implementation
Insecure Authentication
Unintended Data Leakage
Insufficient Cryptography
Poor
Authorization
Authentication
Insecure Authorization
Broken Cryptography
Client Code Quality
Client-Side Injection
Code Tampering
Security Decisions Via Untrusted
Inputs
Reverse Engineering
Improper Session Handling
Extraneous Functionality
Lack of Binary Protections
and
Table 3-08: OWASP Top 10 Mobile Risks
Next-generation Secure Web Gateway (SWG)
A Next-Generation Secure Web Gateway (NG SWG) is a new cloud-native solution for
protecting businesses against sophisticated cloud-based threats and data dangers. It is
the natural next step after the secure web gateway, commonly known as a web proxy or
filter.
Firewall considerations in a cloud environment
Like a regular firewall, a cloud firewall is a security solution that filters out potentially
dangerous network traffic. Cloud firewalls, unlike traditional firewalls, are hosted in the
cloud. This cloud-based firewall delivery paradigm is also known as firewall-as-a-service
(FWaaS).
Traditional firewalls build a virtual barrier around an organization's internal network,
while cloud-based firewalls form a barrier surrounding cloud platforms, infrastructure,
and applications. Cloud firewalls can also protect On-premise infrastructure.
Cloud-native controls vs. third-party solutions
Customers frequently inquire about whether they should utilize cloud-native security
measures or third-party solutions. Of course, the answer is not simple. When asked
what "third-party security solutions" means, most people say they want to use their
existing on-premise security measures. After all, using current tools gives you a sense of
security.
Who is in charge of cloud security?
Customers regularly ask if they should use third-party security solutions or cloud-native
security measures. Of course, the Key is not straightforward. Most people answer they
wish to use their existing on-premise security measures when asked what "third-party
security solutions" entails. Using modern tools, after all, provides you a sense of security.
316
Chapter 03: Implementation
The following are the obligations of the cloud provider:
▪
▪
▪
▪
The cloud provider's physical facilities, software, network, and hardware are all
protected
Security at the server level, i.e., protection against attacks that affect the entire
cloud server
Assuring that their systems are always up to date and that they have all of the
essential updates installed
Providing services and contingencies for company continuity in the event of an
accident or system breakdown
Table 3-09: Comparison between the Native Security Tools Offered by the Cloud Service Providers and
Cloud Control
317
Chapter 03: Implementation
Mind Map
Figure 3-29: Mind Map of Cybersecurity Solutions to the Cloud
Implement Identity and Account Management Controls
Identity
Identity management and access control are controlling access to organizational
resources to keep systems and data secure. As a vital component of your security
architecture, it can help validate your users' identities before granting them proper
access to workplace systems and information.
Identity Provider (IdP)
A service that saves and manages digital identities is known as an Identity Provider
(IdP). These services are used by businesses to link their staff or users to the resources
they require. They allow you to manage access by adding or deleting rights while
maintaining strict security.
Certificates
The purpose of an Identity Certificate is similar to a root certificate except that it
provides the public Key and identity of a client's computer or device. An excellent
example of this is a client router or web server that wishes to make SSL connections
with other peers.
318
Chapter 03: Implementation
Signed Certificate vs. Self-signed Certificate
Self-signed Certificates and Signed Certificates from a Certificate Authority (CA)
provide security in the same way. Communication using these types of certificates is
protected and encrypted by high-level security. The presence of a Certificate Authority
implies that a trusted source has certified the transmission. Signed Security Certificates
are purchased, whereas Self-signed Certificates can be configured to optimize cost. A
third-party Certificate Authority (CA) requires domain ownership verification and other
verification to issue a certificate.
Tokens
The token generator generates pseudorandom tokens that are used along with various
authentication methods.
SSH keys
An SSH key is a network protocol access credential for the SSH (secure shell). This
authenticated and encrypted secure network protocol is employed for remote
communication between machines on an unsecured open network. Remote file
transmission, network administration, and remote operating system access are all
possible with SSH.
Smart cards
These cards are inserted into the computer. Usually, these cards are combined with a
Personal Identification Number or PIN. If some unauthorized person may access your
card, he may have to provide that additional information or PIN.
Account Types
User account
It is a type of account that is most common among users and associated with a single
person. It allows limited access to the operating system. The user account assigns each
user a particular identification number. Multi-users can use the same computer to
access their resources only by using a User Account, which keeps each user's data secure
from another unauthorized user. By using the User Account, multi-user can log in to
the same computer and but they can only access their resources.
Shared and generic accounts/credentials
As the name suggests, this account can be used by more than one person. For example,
some operating systems allow users to log in to a guest account (Guest Login). The
shared understanding is difficult to manage because it is hard to identify the person
logging in. If the shared account password is changed, then everyone needs to be
notified that the password is changed, which brings complexity to the management of
319
Chapter 03: Implementation
the password. It is recommended to use a User account on the system rather than
Shared Account.
Guest accounts
User accounts are necessary for any system. The operating system includes several
different users' accounts. These users are assigned additional privileges. The system
administrator may have to enable or disable default user account such as guest accounts
and modify the credentials of root accounts.
If you disable a guest account, it means you have created a limit on people accessing
your system. By disabling interactive login for the account used as a service, the only
actual user can log in interactively to the operating system.
Service accounts
The operating system or services of the operating system using an internal account is
referred to as Service Account. It is used to run a database or web server and used only
on the local computer; no user can log in interactively. Different types of access
permission can be set up for various services when using Service Account, meaning
database and web server rights may vary. Some of the services accounts require a
username and password, and some do not.
Account Policies
Password complexity
To make the solid and unrecognizable password, one must use a combination of
uppercase letters and lowercase letters, numbers, and symbols and must belong (that
can easily be remembered). The organizations can set rules for password requirements
like the password must be of a 12-character length and must contain uppercase and
lowercase letters plus at least one number and symbol.
Password history
The number of unique new passwords that must be connected with a user account
before an old password can be reused is determined by the Enforce password history
policy setting. Users can change their password as many times as they need to reuse
their original password if you do not specify a minimum password age.
Password reuse
Password reuse is a big security problem in every organization. Many users want to keep
their account passwords the same as long as they can. The longer a password is used for
a given account, the more likely it is that an attacker will be able to brute force it out.
320
Chapter 03: Implementation
Network location
A network location is a profile with a set of network and sharing options applied to the
network to which you are connected. Features like file and printer sharing, network
discovery, and others may be enabled or blocked depending on the network location
allocated to your active network connection.
Geotagging
Geotagging is used in the Accounting Policies image result. Users can utilize geotagging
to find a range of location-specific information from their devices. For example, by
inputting latitude and longitude coordinates into a proper image search engine,
someone can see images taken near a specific location.
Time-based logins
Period-based authentication is a standard method of granting access to an area by
recognizing a person at an entrance and opening the barrier at a predetermined time.
It has no bearing on the person's ability to remain in the admitted area after going over
the barrier
Access policies
Different permission levels are associated with the Publisher and Advertiser accounts
that users have access to. These are the permissions: Owner - Has full write access to
the history and can manage Users with various access levels.
Account permissions
Different permission levels are associated with the Publisher and Advertiser accounts
that users have access to. These are the permissions: Owner - Has full write access to
the history and can manage Users with various access levels.
Account audits
Internal audit accounting is a procedure that focuses on reducing risk and identifying
cost-cutting opportunities. Audit accountants can also be independent specialists that
conduct external audits of a company's financial statements.
Impossible travel time/risky login
A risky login is a calculation that determines the likelihood of an identity being stolen.
Administrators can use this risk score signal to decide whether or not to enforce
administrative regulations. Users must have previously registered for a self-service
password reset before triggering the user risk policy.
Lockout
Account lockout means that the account is temporarily blocked due to incorrect
password entry too many times. Automatic Lockout is very common on most systems.
321
Chapter 03: Implementation
Disablement
Account disablement policies specify what happens to accounts when employees leave
permanently or for a while. Most regulations require administrators to disable the
report as quickly as possible to prevent ex-employees from accessing it.
Mind Map
Figure 3-30: Mind Map of Account Management Controls
Implement Authentication and Authorization Solutions
Authentication Management
In addition to the standard authentication techniques of login/password,
authentication management enables the development of connection processes utilizing
authentication mechanisms using physical tokens (smart cards, USB keys, RFID
badges), biometrics, or mobile phones.
Password keys
A key is a piece of information that may be used to lock and unlock cryptographic
functions like encryption, authentication, and authorization. An interactive technique
for two or more parties to establish cryptographic keys based on one or more parties'
knowledge of a password is called a password-authenticated key agreement method.
Password vaults
A password vault, often known as a password manager, is a tool that securely saves and
encrypts usernames and passwords for various applications. A single login and password
322
Chapter 03: Implementation
are required to access the password vault. Google or Apple may store your password
information in certain instances.
Trusted Platform Module (TPM)
Replacing and formatting the existing hard drive will not be enough to provide security
to it. It is better to take advantage of the built-in Trusted Platform Module (TPM), an
embedded security chip that stores encrypted keys, passwords, and digital certificates.
Different services can use the TPM chip even without the cost of this service. When you
use the TPM with a BIOS-level Administrator password and a User password required
at power-on, the system becomes virtually useless to a thief.
A piece of hardware that is in charge of handling all the cryptographic functions. TPM
contains persistent memory that comes with unique keys. It also has versatile memory
that stores configuration information, storage keys, or other different types of data. TPM
is password protected (requires authentication for gaining access), and there is no
chance of dictionary attack on TPM.
Figure 3-31: Internal components of TPM
323
Chapter 03: Implementation
Hardware Security Module (HSM)
It manages and stores keys in a secure location by keeping the backup of the Key. HSM
provides facilities for Cryptographic functions like hashing, encryption, etc. To restrict
access to the Key that HSM secures, it has a technique called the tamper protection
technique.
It is a peripheral device that is usually "attached through USB or a network connection."
Figure 3-32: Hardware Security Module
Knowledge-based authentication
Knowledge-based authentication, or KBA, is a type of authentication that aims to
establish the identity of someone using a service like a financial institution or a website.
It is a type of authentication that aims to verify that the individual giving identifying
information is, in fact, that person. KBA, as the name implies, is based on the
individual's knowledge.
Authentication
The part of the framework deals with the authentication of any person who claims to be
authorized. For that, the person generally provides ID and password and usually other
additional authentication data.
EAP
▪
▪
▪
It stands for Extensible Authentication Protocol.
It also serves as a framework for creating various types of authentication.
WPA and WPA2 also use five various EAP types for authentication on wireless
networks.
324
Chapter 03: Implementation
Challenge Handshake Authentication Protocol (CHAP)
CHAP is the abbreviated form of Challenge Authentication Protocol. For delivering
credentials over the network, it uses an encrypted challenge. A three-way arrangement
is used by CHAP for authentication that is:
1. The Client sends credentials to the server, and in response, the server sends an
encrypted challenge to the Client.
2. The Client responds to the challenge with a hash by combining the password and
the challenge.
3. The server compares its database information (it is hash) with the soup it has
received. If both matches, the user's authentication is correct and authorized to
communicate over the network.
Figure 3-33: CHAP Authentication Process
The challenge and response mechanism happens multiple times during the connection
without the user being aware of it.
CHAP Authentication Commands
Configuring Hostname
Router(config)#hostname R1
Configuring
remote
router R1(config)# username
hostname for incoming requests
password <password>
<remote_username>
PPP Encapsulation Command
R1(config-if)#encapsulation ppp
PPP Authentication with PAP
R1(config-if)#ppp authentication chap
PPP Debugging Command
R1#debug PPP authentication
Table 3-10: CHAP Authentication Commands
Password Authentication Protocol (PAP)
PAP is abbreviated as Password Authentication Protocol. Used in old systems (mostly
legacy systems) and not popular these days. PAP is a weak authentication method
because no encryption method is used, which means all the information delivered is in
cleartext. Analog dial-up lines do not need encryption because it is impossible for
someone to sit somewhere between the communication path to seize data.
325
Chapter 03: Implementation
Figure 3-34: PAP Authentication Process
Basic Commands for PAP authentication
Configuring Hostname
Router(config)#hostname R1
Configuring remote router hostname R1(config)# username
for incoming request
password <password>
<remote_username>
PPP Encapsulation Command
Router(config-if)#encapsulation PPP
PPP Authentication with PAP
Router(config-if)#ppp authentication pap
PPP Debugging Command
Router#debug PPP authentication
Table 3-11: PAP Authentication Commands
802.1X
▪
▪
▪
A standard of authentication is commonly referred to as "Port-based NAC
(Network Access Control)."
Access is not granted until the authentication process is completed.
Over wireless, IEEE 802.1x uses either EAP-based protocol or IEEE 802.11i.
RADIUS (Remote Authentication Dial-in User Service)
RADIUS is a popular protocol for authentication. It supports numerous devices or
networks other than dial-in networks. The services of RADIUS can be used to centralize
for a single authentication for various systems like Routers, Switches, Firewall, etc. The
benefits of RADIUS are almost available for every Operating System.
Single sign-on (SSO)
It is a feature that allows one-time authentication. Users do not have to type ID and
Password every time they want to access a device or account or connect to a service. It
saves a lot of time for the users. In Windows, there is Kerberos to accomplish Single
sign-on.
326
Chapter 03: Implementation
Security Assertions Markup Language (SAML)
SAML is an authentication and authorization method that is an open standard. The user
is authenticated through a third party for achieving entry to local sources. Shibboleth
software is an example of SAML. Modern mobile networks do not have SAML because
it was not created for mobile devices that are its major weakness.
Terminal Access Controller Access Control System Plus (TACACS+)
It is an authentication protocol developed by Cisco and released as a standard open
beginning in 1993. TACACS+ is an entirely new protocol and is not compatible with its
predecessors. TACACS+ encrypts all the information mentioned above and therefore
does not have the vulnerabilities present in the RADIUS protocol.
This table summarizes and compares the unique features of RADIUS and TACACS+.
TACACS+
RADIUS
UDP ports
L4 Protocol
TCP port 49.
1812/1645 for authentication
1813/1646 for accounting
Encryption
Encrypts full payload of
Encrypts only passwords
each packet
Observations
Open Standard, robust, great accounting
Proprietary to Cisco,
features, less granular authorization
very granular control of
control. Another protocol named
authorization, separate
DIAMETER may replace RADIUS soon
implementation of AAA.
with enhanced capabilities.
Table 3-12: Comparison of RADIUS and TACACS+
OAuth
OAuth was introduced by Google, Twitter, and other parties. It serves as an
authorization to
what resources a user can gain.
OAuth
is usually observed to
be used by Facebook, Google, etc. It is not a protocol for authentication and just
provides authorization between applications. OAuth is combined with OpenID
Connect (handles SSO), and then OAuth decides what resources a user may gain.
OpenID
OpenID Connect is a cross-platform authentication protocol based on the OAuth 2.0
family of standards. It enables clients of various types to conduct sign-in processes and
receive verifiable assertions about the identity of signed-in users, including browserbased JavaScript and native mobile apps.
327
Chapter 03: Implementation
Kerberos
The latest and the most trusted method of authentication is Kerberos. In Kerberos, you
only need to authenticate once, which means it is an SSO (no need to re-authenticate
every time for access gaining) method. It also prevents man-in-the-middle or replays
attacks by allowing mutual authentication between the server and the Client. Kerberos
was first introduced in 1980 by MIT. Microsoft started using this in Windows 2000, and
now it has been made compatible with all Windows systems.
For protecting Kerberos, use extensive cryptography.
How Kerberos Works
The Client provides a Ticket Granting Ticket to a Ticket Granting Service. The Ticket
Granting Service then provides Service Ticket to the Client. All the services on the
network are then authenticated through the Service Ticket. It means the user gains
access by simply showing the ticket behind the scene, and he does not have to be reauthenticated by putting ID and password again and again.
Figure 3-35: Kerberos Working Mechanism
Only the devices that are compatible with the Kerberos can use Kerberos
authentication. Other types of systems that are not Kerberos friendly can use LDAP,
RADIUS, or TACACS for authentication purposes.
Access Control Schemes
Attribute-Based Access Control (ABAC)
In the ABAC model, accessing the resources is allotted to the user depending upon the
policies collectively with the attributes. It is also considered the Next Generation
Model of authorization because many different attributes determine a user's type of
328
Chapter 03: Implementation
access. These attributes may include who is accessing (Role), from where is accessing
(Location), what is being accessed (Resource), and when is it being accessed (Time).
Role-based access control
The role-based access control model offers access based on the role of users in the
organization like CEO, manager, director, team leader, etc. The kind of access depends
on the user's part.
The administrator is responsible for allowing access to the users according to their
designated roles. The RBAC will enable users to gain access implicitly. For example,
if some type of access is provided to the team leader, then by becoming part of the team
leader group, a group member can also enjoy the rights of the team leader. Windows
group is used in Windows Operating System for providing role-based access control.
Rule-based access control
In a rule-based access control model, the administrator creates a set of rules. These rules
describe the limits and restrictions to access. A firewall is one of the rule-based access
control models we are familiar with. Example of management is: "Only the people in
Pakistan can gain access to the web page," "the web form can only be accessed through
explorer browser," "the web form can only be accessed between 4 to 8 pm", etc.
MAC
The operating system describes the limit on how much a user can access the resources
based on security clearance level. Each object that somebody requires to access is
assigned a label (confidential label, private label, etc.). Then users are provided with
some rights decided by the administrator, which the users cannot change. Through
these rights, a user can determine what they can access. Some users may access
confidential resources; some may access personal resources, and so on.
Discretionary Access Control (DAC)
Commonly used in most operating systems. It is a type of model in which the owner
decides who can access the object or what access the user can gain. The owner can also
modify access at any time.
The advantage of DAC: Flexible Model. The owner can quickly determine who can
gain access and modify the access control whenever he wants to.
The disadvantage of DAC: Security is weak. The whole system's security depends upon
the security settings made by the owner. For example, suppose you create a spreadsheet,
and as an owner, you decide who can access the objects of the file and what objects of
the file. You can modify the settings when required.
329
Chapter 03: Implementation
Conditional access
When you utilize Conditional Access rules, you can apply the proper access controls
when they're needed while staying out of your users' way when they are not. After the
first-factor authentication is complete, Conditional Access restrictions are
implemented.
Privilege access management
Privileged Access Management (PAM) is an information security (infosec) system that
protects identities with particular access or capabilities. Like all other information
security solutions, PAM relies on a mix of people, processes, and technology.
Filesystem permissions
Permissions on files determine which users are allowed to execute certain operations
on a file. Permissions on files are an essential aspect of any resistance plan. Only a
portion of public systems is open to the public. At the very least, attackers must be
prevented from modifying system files without permission. Furthermore, file
permissions on internal systems promote the best practices of least privilege and least
access, reducing the damage caused by insider attacks.
Mind Map
Figure 3-36: Mind Map of Authorization and Authentication Solutions
Implement Public Key Infrastructure
Public Key Infrastructure (PKI)
Key management is one of the most challenging aspects of cryptography. Traditional
cryptography approaches employ symmetric-key cryptography, in which the same key
is used for encryption and decryption. The secure transmission of the Key from one user
330
Chapter 03: Implementation
to another is complex. If an unauthorized person has access to the Key, they can read,
decrypt, and alter all data.
In 1976, PKI was introduced by Whitfield Diffie and Martin Hellman to solve key
management issues. Every user obtains two keys in public-key cryptography, i.e.
▪
▪
Public – Can be published to see or use by the user
Private – Always kept secret
In public-key cryptography, no secret or private Key is shared or transmitted, and all
the communication involves is only through the public Key. Hence, the sharing of the
secret fundamental problem in Symmetric Key Cryptography was solved using Public
Key cryptography.
In Public Key Cryptography, the initial message is encrypted by the sender using the
receiver's Public Key, and then they decrypt that message using their own private key.
Figure 3-37: Public Key Cryptography
The following are the features of Public Key Cryptography:
▪
▪
▪
It is efficient.
It is secure.
It is scalable for a large number of users.
PKI Components
It describes all the procedures, policies, & people that are required to manage Digital
certificates. It encapsulates the process to create, manage to revoke, and distribute these
certificates.
A PKI is a set of hardware, software, people, policies, and procedures needed to create,
manage, distribute, use, store, and revoke digital certificates and manage public-key
encryption. It permits users of an unsecured network to securely money and exchange
data over the use of a private and a public cryptographic key pair that has been obtained
through a trusted authority. The public key infrastructure delivers for a digital
certificate that can detect an individual or an enterprise and directory services that can
store and, when necessary, revoke the certificates.
331
Chapter 03: Implementation
PKI ties public keys with the characters of individuals, applications, and associations.
This "binding" is kept up by issuing and administering digital certificates by a Certificate
Authority (CA).
▪
▪
▪
▪
PKI Certificate Authority (CA): The CA is a secure third party that issues PKI
certificates to substances and individuals after checking their identity. It signs
these certificates are utilizing its private key.
Certificate database: The certificate database stores all certificates endorsed by
the CA.
PKI certificate: Certificates contain a substance's or individual's public key, its
motivation, the CA that approved and issued the certificate, the date extends
amid which the certificate can view as valid, and the algorithm utilized to create
the signature.
Certificate store: The certificate store resides on a local PC and stores issued
certificates and private keys.
Use of PKI
The use of PKI is server identification certificates. SSL requires a PKI certificate on the
server to prove its identity confidentially to the Client. Every HTTPS web server
connection uses SSL and, as such, uses PKI. This web page focuses on client-side PKI
applications that employ end-user PKI certificates rather than server certificates. Clientside applications of PKI consist of categories are:
▪
▪
▪
Authentication
Digital signatures
Encryption
332
Chapter 03: Implementation
Operations of PKI:
Figure 3-38: PKI Operation
▪
▪
▪
Alex initially requests a certificate from the CA. The CA authenticates Alex and
stores Alex's PKI certificate in the certificate database.
Alex communicates with Bob using his PKI certificate.
Bob communicates with the trusted CA using the CA's Public Key. The CA refers
to the certificate database to validate Alex's PKI certificate.
Key management
The creation of a key is the first step in Key Management. The management of keys
starts with the generation of a key. By using the proper cipher, keys with the requested
strength are generated. After that, the certificate is generated where a public key is
333
Chapter 03: Implementation
allocated to a user or device. Sequentially, it is distributed to the particular user and
stored to prevent it from any unauthorized access. In case unauthorized gain access to
the certificate, then these certificates are revoked or replaced. If the credentials are not
withdrawn, there is an expiry date, so the essential management process begins when
the certificate expires.
The Certificate Authority (CA)
Certificate authority initiates with a single CA, and all the certificates are generated from
that single authority. In some organizations, the Hierarchical structure is used that
consists of Root CA and Intermediate CA.
Intermediate CA
The SSL Certificate's signer/issuer is the Intermediate Certificate. The Intermediate
Certificate's signer/issuer is the Root CA Certificate. Once the Intermediate CA runs,
and the load is distributed, the Root certificate gets offline for protection.
Registration Authority (RA)
A Registration Authority is a firm or organization that receives and validates digital
certificates and public/private key pair requests. The key public infrastructure includes
a Registration Authority (RA) PKI.
Certificate Revocation List (CRL)
A certificate revocation list lists digital certificates that have had their issuing certificate
authority revoke them before their actual or assigned expiration date. To avoid
tampering, the CA signs the CRL file.
Certificate attributes
The use of a Digital Certificate to identify a user, machine, or device before giving access
to a resource, network, application, or other resource is known as certificate-based
authentication. It is common to use it in conjunction with more traditional techniques
like username and password when it comes to user authentication.
Online Certificate Status Protocol (OCSP)
Using the Online certificate status protocol, the browser can check certificate
revocation or the certificate's status. The message is usually sent to the OCSP Responder
through HTTP (HyperText Markup Language). Not all applications or browsers support
the OCSP protocol.
Certificate Signing Request (CSR)
It is easy to have a digital signature by the certification authority. The process starts
with the pair of key creations. One is a private key that is kept on the website, and the
other is a public key that is sent to the certification authority to be digitally signed. This
334
Chapter 03: Implementation
process is called Certificate Signing Request (CSR). The certification authority performs
some checks, and after that sign, the certificate and sometimes provides additional
features.
CN
The Distinguished Name's characteristic value, also known as the Fully Qualified
Domain Name (FQDN), is the Common Name (CN) DN. It usually consists of the Host
Domain Name and looks like "www.digicert.com" or "digicert.com."
Subject alternative name
It is a certificate that supports various domains in the same certificate. It is an X.509
standard extension and permits you to put a subject alternative name extension and list
out all the DNS names (additional identification information) linked with the
certificate.
Expiration
Using the same password for a long time opens paths for hackers to hack passwords
through brute force attacks. For this reason, many organizations force users to change
their passwords after a certain amount of time. In case of password loss, the password
recovery method helps to reset the password. There is a formal procedure for recovering
the password to ensure that the authentic person is recovering the password.
Types of certificates
Various kinds of certificates are used for different purposes. Some of them are as follows:
Wildcard
A Wildcard Domain Certificate can be applied to any domain and all the names
associated with it. So, the name of the server is not a piece of matter. The main aim is
the replacement of the asterisk (*).
Example: There are an asterisk and a period that a wildcard notation contains the
domain name.
*.domainname.com
* replacement – ftp.domainname.com, vpn.domainname.com, IPS.domainname.com.
Subject alternative name
A certificate that supports various domains in the same certificate. It is an X.509
standard extension and permits you to put a subject alternative name extension and list
out all the DNS names (additional identification information) linked with the
certificate.
335
Chapter 03: Implementation
Code signing
Code Signing Certificates are used by software developers to digitally sign apps, drivers,
and software programs as a way for end-users to verify that the code they receive has
not been altered or compromised by a third party. They include your signature, your
company's name, and, if desired, a timestamp.
Self-signed
The certificate is not required to be signed by the Certificate Authority (Public). This
internal certificate is signed by the same person bearing the certificate. For this, the
person creates their certificate authority that issues digitally signed certificates.
This certificate is used for the webserver that is only for an internal network of the
company. In this way, the person does not have to pay for any external certification
authority. These certificates are then installed on every device or web server within a
network. Then, every person who connects to the webserver will see the Internal
Certification Authority signature certificate.
Machine/computer
The certificate is used to allow and manage devices for communication on the network.
The purpose of this certificate is the authentication of devices. It means that only
authenticated devices can communicate over the web.
For that, certificates signed by the certification authority are placed on the devices, so
if any unauthorized person tries to connect to the network using a VPN, they will not
be allowed to communicate over the web because that particular person will not be
certified.
Email
The type of certificate that is usually attached with the email. The email certificate
permits us to send the email securely by encrypting the information to the other user.
To encrypt the data, it uses a recipient's Key (public) and allows only the receiver to
decrypt the information in the email.
This certificate can also be used as a Digital signature. If you do not want to encrypt the
information, you can digitally sign it through an Email Certificate.
User
It is a type of certificate usually assigned to a single user or an individual. Generally, it
is integrated into a smart card or digital access card.
Example: ID card
336
Chapter 03: Implementation
Root
A public certificate is assigned to the Root CA, and its purpose is to identify the Root
CA. Everything initiates with a Root certificate in PKI infrastructure. It is a Root
certificate that issues an intermediate certificate or another certificate.
In public key infrastructure, the root certificate is the most essential. If somebody gains
access to this root certificate private key, it will generate its certificate for any interest.
Domain validation
The person having a DV certificate has some control over the DNS domain associated
with the SSL.
Extended validation
The certificate receiving person is passed through some additional checks by the
certificate authority. If a person dies all the reviews, then that person gets an EV
certificate. The web owner's organization name appears in green color on the address
bar of the web, which is certified with an EV certificate.
Figure 3-39: Extended Validation Certificate
Certificate Formats
Distinguished Encoding Rules (DER)
The DER format is a binary representation of the ASCII PEM Certificate Format. This
format allows for storing a single certificate (it does not include the Certificate Chain's
Private Key). They are files in binary format.
Privacy Enhanced Mail (PEM)
PEM (privacy-enhanced mail) is specified through a series of RFCs (Request for
Comments) that establish methods and formats for ensuring email authenticity and
confidentiality. The term "privacy-enhanced mail" is frequently used interchangeably
with the term "secure email."
Personal information exchange (PFX)
A PFX file is a PKCS#12 certificate that contains the certificate, the intermediate
authority certificate required for the certificate's trustworthiness, and the certificate's
Private Key. Consider it a repository for everything you will need to deploy a certificate.
337
Chapter 03: Implementation
.cer
A CER file is a security file that confirms the validity of a website and is issued by a thirdparty Certificate Authority such as VeriSign or Thwate. It is placed on a webserver to
verify the legitimacy of a specific website hosted there.
P12
A digital certificate using PKCS#12 (Public Key Cryptography Standard #12) encryption
is stored in a p12 file. It is used to transfer personal private keys and other sensitive
information in a portable format. Various security and encryption programs employ P12
files.
P7B
P7B is a web service authentication security certificate file. There is no private key in
P7B files, only a basic certificate in ASCII Base64 format. Files in the P7B format can be
converted to PEM or PFX formats. Users and devices are identified and authenticated
using P7B papers.
Concepts
Online vs. offline CA
The infrastructure of a public key relies on trust, and typically this trust is provided by
the Certification Authority (CA). However, a compromised CA is a bad thing, and this
also creates trust issues with the Certificate Authority.
The Intermediate Certificate is the signer/issuer of the SSL Certificate. The Root CA
Certificate is the signer/issuer of the Intermediate Certificate. Once the Intermediate
CA runs and the load is distributed, the Root certificate gets offline for protection.
Stapling
As discussed above, the OCSP depends upon CA. It is the responsibility of CA to respond
to all the OCSP requests of the clients. In addition, if the numbers of devices that the
CA has to check are large, this creates scalability. In this case, OCSP Stapling is
implemented. In OCSP Stapling, the device that holds certificate can verify their status
and provide revocation status. This information is received from the appliance directly
rather than CA, and the knowledge of the group is stored on the server of the certificate
holder.
The OCSP status or the revocation is stapled into the TSL or SSL handshake, and a
digitally signed note by the certification authority is present with the OCSP stapled
information.
338
Chapter 03: Implementation
Pinning
The purpose of the Certificate pinning is to prevent the man-in-the-middle attack.
Certificate pinning is used when the server's certificate has been hard-coded into the
application by the application itself. In this case, the application communicates to the
server and receives a copy of the certificate to compare them. If both of them match,
then it means that the person is directly corresponding to the server. If the certificate
does not match, then a decision is made by the application accordingly. It shows an
error message that the certificate does not check, or it may shut it down.
Trust model
A trust model is a set of criteria that ensures the validity of digital certificates used by
CEF eDelivery components. Many trust models based on various trust anchor types and
regulations are available to produce, administer, distribute, store, and revoke digital
certificates.
Key escrow
Key escrow means a third party may have access to your Private Key or the decryption
key along with the backup of that Key. It can be employed by some organizations or
businesses where the employee's information or partner's data needs to be accessed or
decrypted.
Certificate chaining
As mentioned above, a single certificate authority is not a good idea. However,
hierarchical structures, having multiple levels within them, are preferable. All the
connections between different certificate authorities are known as Chain of Trust. The
certificates between Root CA and other Intermediate CA are listed in the Chain of Trust.
The chain of trust initiates with an SSL certificate (part of the webserver) and ends with
the Root certificate. In between, there is a certification authority that assigns the
certificate. The certificates between SSL certificate and Root CA are called "Intermediate
Certificate or Chain Certificate."
339
Chapter 03: Implementation
Figure 3-40: Certificate Chaining
The web server requires the configuration with an appropriate chain. It is common to
configure an SSL certificate and add an Intermediate certificate between Root CA and
SSL certificate.
Mind Map
Figure 3-41: Mind Map of Data Destruction & Disposal Methods
340
Chapter 03: Implementation
Practice Questions
1. Which of the following is not a type of Open Source Web Server architecture?
A. Apache
B. NGINX
C. Lighttpd
D. IIS Web Server
2. An attacker is attempting a trial and error method to access restricted directories
using dots and slash sequences. Which type of web server attack is this?
A. LDAP Attack
B. AD Attack
C. Directory Traversal Attack
D. SQL Injection
3. An attacker sends a request, which allows him to add a header response; now, he
redirects the user to a malicious website. Which type of attack is this?
A. Web Cache Poisoning
B. HTTP Response Splitting Attack
C. Session Hijacking
D. SQL Injection
4. Update that is specially designed to fix the issue for a live production environment
is called __________________.
A. Hotfix
B. Patch
C. Bugs
D. Patch Management
5. A piece of software developed to fix an issue is called _________________.
A. Hotfix
B. Patch
C. Bugs
D. Update
6. Jailbreaking refers to _________________________.
A. Root access to a device
B. Safe mode of a device
C. Compromising a device
D. Exploiting a device
341
Chapter 03: Implementation
7. When an iOS device is rebooted, it will no longer have a patched kernel and may
stick in a partially started state. Which type of Jailbreaking is performed on it?
A. Tethered Jailbreaking
B. Semi-Tethered Jailbreaking
C. Untethered Jailbreaking
D. Userland Exploit
8. Official Application store for Blackberry platform is ________________.
A. App Store
B. App World
C. Play Store
D. Play World
9. Which of the following is the most appropriate solution if an administrator is
required to monitor and control mobile devices running on a corporate network?
A. MDM
B. BYOD
C. WLAN Controller
D. WAP
10. An attack, which denies the services, and resources become unavailable for
legitimate users is known as _________.
A. DoS Attack
B. Application Layer Attack
C. SQL Injection
D. Network Layer Attack
11. DoS attack in which flooding of the request overloads web application or web server
is known as _______________.
A. SYN Attack / Flooding
B. Service Request Flood
C. ICMP Flood Attack
D. Peer-to-Peer Attack
12. DoS Attack focused on hardware sabotage is known as ________________.
A. DoS Attack
B. DDoS Attack
C. PDoS Attack
D. DRDoS Attack
342
Chapter 03: Implementation
13. DoS Attack, in which intermediary and secondary victims are also involved in the
process of launching a DoS attack, is known as _____________.
A. DRDoS
B. PDoS
C. DDoS
D. Botnets
343
Chapter 04: Operation and Incident Response
Chapter 04: Operations and Incident Response
Introduction
Incident Response (IR) development and review services ensure that you have a welldefined strategy for responding to an incident that potentially impacts your
organization.
We use your existing toolsets, data sources, and supplemental solutions introduced as
part of the engagement to achieve the essential environmental visibility during IR
engagements. Our team can receive current and historical situational awareness by
having full access across network, endpoint, logs, and other data sources, ensuring a
holistic view of any potential threat acting within the environment.
We then devise a complete remediation strategy based on a thorough understanding of
the identified dangers and their associated actions. This comprises tactical and strategic
recommendations for removing threat actors from your environment successfully, as
well as the formation of a baseline for future threat-related operations.
Appropriate Tools to Assess Organization Security
For many enterprise organizations, administering risk assessments requires building an
efficient cyber threat management system. The visibility gained from these assessments
provides insight that helps guide high-level cybersecurity decisions, creating them a
valuable plus for organizations of all sizes.
Network Reconnaissance and Discovery
Security experts use command-line tools every day for network discovery and
reconnaissance. As a result, you must be familiar with them in order to pass the
Security+ exam.
Tracert/Traceroute
The “Tracert/Traceroute” command allows mapping an entire path between two devices
to know what routes may be between point A and point B. This uses the tracert
command for Windows and the traceroute command for Linux/Unix/macOS. The
information displayed by the traceroute command is received by the router on the
network via ICMP “Time to Live Exceeded” error message.
You can easily send the packet out to the network, and those packets will cause the
routers to create an error message and send that back. The traceroute command uses
those error messages to build the route.
344
Chapter 04: Operation and Incident Response
Tracert options are available in all Operating Systems as a command line feature. Visual
traceroute, graphical, and other GUI-based traceroute applications are also available.
Traceroute or Tracert command traces the path information from source to destination
in the hop by hop manner. The result includes all hops between source and destination.
The development also provides latency between these hops.
Traceroute Analysis
Consider an example in which an attacker is trying to get network information by using
Tracert. After observing the following result, you can identify the network map.
10.0.0. 1 is the first hop, which means it is the gateway. The Tracert result of 200. 100.50.3
shows 200. 100.50.3, which is another interface of the first hop device, whereas
connected IP includes 200. 100.50.2 and 200. 100.50. 1.
192. 168.0.254 is the next to last hop 10.0.0. 1. It can either be connected to 200. 100.50.
1 or 200. 100.50.2 to verify and trace the following route.
345
Chapter 04: Operation and Incident Response
192.168.0.254 is another interface of the network device, i.e., 200.100.50.1 is connected
next to 10.0.0.1.
192.168.0.1, 192.168.0.2 and 192.168.0.3 are connected directly to 192.168.0.254.
346
Chapter 04: Operation and Incident Response
192.168.10.254 is another interface of the network device, i.e., 200. 100.50.2 connected
next to 10.0.0.1 192.168.10.1, 192.168.10.2, and 192.168.10.3 are connected directly to
192.168.10.254.
Traceroute Tools
Traceroute tools have been listed below:
Traceroute Tools
Path Analyzer Pro
Visual Route
Troute
3D Traceroute
Website
www.pathanalyzer.com
www.visualroute.com
www.mcafee.com
www.d3tr.de
Table 4-01: Traceroute Tools
nslookup/dig
Nslookup

Lookup information from DNS servers like IP addresses, Cache times, canonical
names, etc.
Dig


It stands for Domain Information Grouper
More advanced domain information
ipconfig/ifconfig
Determines TCP/IP and network adapter information and some additional IP details. In
Windows, the command used is “ipconfig” whereas, in Linux and Mac, the command
used is “ifconfig.”
Tcpdump
Captures packets from the command line.
Nmap
Nmap, in a nutshell, offers Host discovery, Port discovery, Service discovery. Operating
system version information. Hardware (MAC) address information, Service version
detection, Vulnerability & exploit detection can be found using Nmap scripts (NSE).
Using Windows or Linux command prompt, enter the following command:
nmap –sP –v <target IP address>
347
Chapter 04: Operation and Incident Response
Upon successful response from the targeted host, if the command successfully finds a
live host, it returns a message indicating that the IP address of the targeted host is up
along with the Media Access Control (MAC) address and the network card vendor.
Apart from ICMP Echo Request packets and using ping sweep, nmap also offers a quick
scan. Enter the following command for quick scan: nmap –sP –PE –PA<port numbers> <starting IP/ending IP>
For example:
nmap –sP –PE –PA 21,23,80,3389 <192.168.0.1-50>
Figure 4-01: Nmap
ping/pathping
In windows, a command is merged together with the functionality of ping and
traceroute to create a single command called pathping.
Pathping will run a traceroute to a destination IP address to determine what routes may
be in between your local devices and the one you are running as part of pathping.
348
Chapter 04: Operation and Incident Response
Figure 4-02: ping/pathping
hping
hping may be a command-line-minded transmission control protocol/IP packet
assembler/analyzer. The interface is impressed by the ping (8) operating system
command. However, hping is not solely able to send ICMP echo requests.
Hping is accustomed send massive volumes of TCP traffic at a target whereas spoofing
the supply information science address, creating it seem random or perhaps originating
from a particular user-defined source.
netstat
Netstat stands for “Network statistics.” It can be used in many different operating
systems.
349
Chapter 04: Operation and Incident Response
Figure 4-03(a): netstat
350
Chapter 04: Operation and Incident Response
Figure 4-03(b): netstat
netcat

It is used to read or write information to or from the network (open a port and
send or receive some traffic).
Multiple functions



Listens to a port number.
Scans ports and sends data to the port.
Transfers data.
IP scanners
IP scanner is a cmd tool to scan the network for IP addresses. This usually uses a number
of different techniques to identify and then display the devices and port numbers on
your systems.
351
Chapter 04: Operation and Incident Response
ARP
ARP stands for Address Resolution Protocol, which is a stateless protocol used within a
broadcast domain to ensure communication by resolving the IP address to MAC address
mapping. It is in charge of L3 to L2 address mappings. ARP protocol provides the
binding of IP addresses and MAC addresses. By broadcasting the ARP request with an
IP address, the switch can learn the associated MAC address information from the reply
of the specific host. In the event that there is no map or the map is unknown, the source
will send a broadcast to all nodes. Only the node with a coordinating MAC address for
that IP will answer the demand with the MAC address mapping packet. The switch will
feed the MAC address and its connection port information into its fixed length CAM
table.
Figure 4-04: ARP Operations
As shown in Figure 112, the source generates an ARP query by broadcasting the ARP
packet. A node with the MAC address that the query is destined for will reply only to
the packet. The frame is flooded out of all ports (other than the port on which the frame
was received) if CAM table entries are full. This also happens when the destination MAC
address in the frame is the broadcast address. The MAC flooding technique is used to
turn a switch into a hub, in which the switch starts broadcasting each and every packet.
In this scenario, each user can catch the packets, even those not intended.
ARP Spoofing Attack
In ARP spoofing, an attacker sends forged ARP packets over a Local Area Network
(LAN). In this case, the switch will update the attacker's MAC Address with the IP
address of a legitimate user or server. Once an attacker's MAC address is learned,
together with the IP address of an authentic user, the switch will start forwarding the
352
Chapter 04: Operation and Incident Response
packets to the attacker, assuming that it is the MAC of the user. Using an ARP Spoofing
attack, an attacker can steal information by extracting it from the packet intended for a
user over LAN that it received. Apart from stealing information, ARP spoofing can be
used for:









Session Hijacking
Denial-of-Service Attack
Man-in-the-Middle Attack
Packet Sniffing
Data Interception
Connection Hijacking
VoIP Tapping
Connection Resetting
Stealing Passwords
Figure 4-05: ARP Spoofing Attack
Route
The route command is used to view the device’s routing table and help to find the best
possible way in which the packets will go.
353
Chapter 04: Operation and Incident Response
Figure 4-06: Route
Curl
The curl command stands for “Client URL” “Uniform Resource Locator.” This command
refers to a URL that you can use to access the web pages, perform FTP, or receive emails.
This allows you to grab the raw data from different sites and display it on the terminal
screen.
The harvester
There is a fantastic amount of information that can be obtained free from public
websites. Such information is referred to as Open-Source Intelligence or OSINT. There
are many tools available to allow you to gather information from OSINT sites. To do
this, one way is to use the harvester tool. This allows collecting many different kinds of
information from many different kinds of sites. It allows gathering information from
sources like google, bing, or LinkedIn. It also provides DNS brute force to identify DNS
354
Chapter 04: Operation and Incident Response
services that may be publicly available but can find a host that may not be automatically
identified in a DNS server.
For example, you can find a VPN server or email server running some of the brute-force
tasks within a harvester.
Sniper
Sniper is the reconnaissance tool that integrates different reconnaissance tools into one
framework to provide one set of queries and outputs for all different functions. There
are many ways to configure the way sniper runs; some of these are very intrusive, and
others are specifically built to run in a stealth mode.
Scanless
One of the problems you may find when performing a pot scan is that your device is
easily identified as the scan source. To handle this, you can run a scan from a different
host that will act as a proxy for port scanning, and the utility that does this function is
called scanless. It includes support for many different services.
Dnsenum
The dnsenum command will enumerate DNS information from a DNS server. There is
a great deal of information you can gather and many hosts you can identify from that
DNS server. However, there are also hosts that you can find using a number of different
techniques, and dnsenum allows you to do this.
Nessus
The Nessus is one of the most popular vulnerability scanners because of its very large
database. They can easily find many different known vulnerabilities. Nessus is the
scanning tool that has extensive reporting help to identify vulnerabilities. It also helps
to resolve the vulnerabilities on the system.
Cuckoo
Cuckoo is s sandbox that is specifically written to run the programs inside and identify
any malware. This virtualized environment can consist of many different operating
systems, including Windows, Linux, macOS, and Android. It can perform API calls to
identify what the application is sending network traffic
File Manipulation
File management tools are utility package that manages files of the system. Since files
are a vital part of the system, all the info is held on within the files. Therefore, this utility
software facilitates browsing, searching, arranging, noticing information, and quickly
previewing the system files.
355
Chapter 04: Operation and Incident Response
head
The head command is used to see the top part of the file. There are multiple viewing
options available that help to view the file differently. For example, to view the first five
lines of the file, you can run the following command:
head -n 5 syslog
tail
The tail command is used to view the last portion of a file. The syntax of head and tail
commands are similar. For example, to view the last five lines of a file, run the following
command:
tail –n 5 syslog
cat
Cat is short for concatenate. Concatenating a file means that you would either view the
contents of files to the screen or link multiple files together to create a large file.
grep
The grep command allows us to find any bit of text that we require in the file, and we
can also search through multiple files at one time. For example, finding the pattern that
failed within a file called auth.log runs the following command:
grep failed auth.log
chmod
the chmod command allows changing the mode of the file system object. In this context,
the term mode means to change it to either read (r), write (w), or execute (x). You can
do set the mode commonly by setting the binary patterns or octal notation within an
individual file.
#
Permission
rwx
7
Read, Write, and Execute
rwx
6
Read and Write
rw-
5
Read and Execute
r–x
4
Read only
r--
3
Write and Execute
-wx
2
Write only
-w-
1
Execute only
--x
356
Chapter 04: Operation and Incident Response
0
none
--Table 4-02: Permissions
logger
The logger is responsible for adding the additional information into the system log in
that operating system, commonly a file syslog.
Shell and Script Environments
SSH (Secure Shell)
The Secure Shell Protocol, or SSH protocol, is a protocol for establishing secure remote
connections. It is a safe replacement for insecure protocols like Telnet, rlogin, and FTP.
SSH is used for remote login as well as other protocols like FTP and SCP (Secure Copy
Protocol) (SCP). Because it operates through SSH, SFTP (SSH File Transfer Protocol) is
widely used for secure file transfer. The SSH protocol operates on a client-server
architecture, with the SSH client connecting to the SSH server over an insecure network
over a secure SSH channel.
The Secure Shell (SSH) protocol is made up of three main parts:

The Transport Layer Protocol [SSH-TRANS] provides server authentication,
confidentiality, and integrity. It may optionally also provide compression. The
transport layer will typically run over a TCP/IP connection but might also be
used on top of any other reliable data stream.

The User Authentication Protocol [SSH-USERAUTH] establishes a connection
between the client and the server. It uses the transport layer protocol to operate.

The [SSH-CONNECT] Connection Protocol divides the encrypted tunnel into
many logical channels. It uses the user authentication protocol to operate.
PowerShell
For working with Windows, one of the more advanced shells available is called
Windows PowerShell. PowerShell is commonly used by system administrators on
Windows devices to control each and every aspect of the Window operating system.
Running a script inside o PowerShell has .ps1 file extension.
You can also run scripts inside a PowerShell, manipulate everything related to Windows
operating system or run certain scripts in a standalone executable mode as well.
EXAM TIP: PowerShell is a remarkably powerful tool for doing any type of
administration task on a Windows operating system. The system administrator will be
responsible for the applications running inside of Windows.
357
Chapter 04: Operation and Incident Response
Python
Python is a popular scripting language that works across many different operating
systems. The Python files have a .py file extension. Python is available in Linux, macOS,
and Windows. It is well supported across the entire industry primarily because it has
the flexibility to do much more things inside the operating system. Although, the
primary emphasis of Python is based around automation and orchestration of cloudbased systems.
OpenSSL
OpenSSL is a set of utilities and a library that lets you manage SSL and TLS certificates
in your systems. You must create X.509 certificates if you are establishing a Certificate
Authority (CA) within your organization. Users will send the Certificate Signing
Requests (CSRs), and you will be in charge of managing the Certificate Revocation List
(CRLs). This can be accomplished using OpenSSL's utilities.
OpenSSL also includes cryptographic libraries that can be used to conduct hashing
operations on a variety of hashing methods. You can also use OpenSSL's built-in
encryption and decryption features.
Packet Capture and Replay
Full packet capture tools permit security engineers to record and reproduce all the
traffic on the network. This permits the validation of IDS/IPS alerts and the validation
of things that NetFlow or log knowledge is showing.
Tcpreplay
When you have captured the packets, you can quickly look at the information present
inside the protocol docker like Wireshark. You can also reply to this information back
onto the network using a utility called tcpreplay. This allows you to take information
and send it to the network using a network interface card so that other devices on the
network can see the network traffic. It is a great way to test security devices. It checks
the IPS signatures and firewall rules to see if the information you are sending through
the network will be allowed or denied access at the firewall.
Tcpreplay can also send a large amount of information across the network to test for
monitoring tools.
Tcpdump
If you are working on the system at the command prompt, you may have a graphical
front end that you can use with WireShark. Instead of using the Wireshark, you can use
tcpdump to do the same function. It captures packets from the command line, displays
358
Chapter 04: Operation and Incident Response
packets onto the screen, and writes them in the files. This is often included in many
different Linux distributions that help to work with tcpdump capabilities easily.
Wireshark
Wireshark is the most extensively used Network Protocol Analyzer tool in the
commercial, governmental, non-profit, and educational sectors. It is a free, open-source
program that runs natively on Windows, Linux, MAC, BSD, Solaris, and other systems.
TShark, a terminal version of Wireshark, is also available.
Lab 4-01: Introduction to Wireshark
Procedure:
Open Wireshark to capture the packets.
Click Capture > Options to edit capture options.
359
Chapter 04: Operation and Incident Response
Here, you can enable or disable a promiscuous mode on an interface. Configure the
Capture Filter and click the Start button.
Click Capture > Capture Filter to select Defined Filters. You can add the filter by
clicking the Add button.
360
Chapter 04: Operation and Incident Response
Follow the TCP Stream in Wireshark
Working on TCP-based protocols can be very helpful by using the “Follow TCP Stream”
feature.
This helps to examine the data from a TCP stream in the way that the application layer
sees it. Perhaps you are looking for passwords in a Telnet stream.
361
Chapter 04: Operation and Incident Response
Examine the data from the captured packet.
Filters in Wireshark
Following are the Wireshark filters for filtering the output.
Operator Function
Example
==
Equal
ip.addr == 192.168.1.1
eq
Equal
tcp.port eq 23
!=
Not equal
ip.addr != 192.168.1.1
ne
Not equal
ip.src ne 192.168.1.1
contains
Contains specified value
http contains "http://www.ipspecialist.net"
Table 4-03: Wireshark Filters
Forensics
Our forensic investigation identifies pertinent evidence for incident responders,
network engineers, on-site security teams, human resources, and legal teams, allowing
you to successfully negotiate technical, legal, and public relations requirements.
dd
On the IBM mainframe, dd refers to the data definition that was transformed between
ASCII and EBCDIC. You can use dd to make a bit-by-bit copy of anything on a drive or
in a directory. This would be incredibly beneficial if you needed to save the data for
further study.
The command to create a disk image is:
362
Chapter 04: Operation and Incident Response
dd if=/dev/sda of=/tmp/sda-image.img
And, the required command to restore from an image is:
dd if=/tmp/sda-image.img of=/dev/sda
Memdump
The memdump command will send all of the information and system memory to a
specific location on your computer. Because much third-party forensics software can
read memory dump files and readily identify or discover information that may be saved
in the memory file, this is particularly valuable after the fact.
You can commonly store the memory dump files outside the system; memdump can be
used in conjunction with netcat, stunnel, openssl, etc.
WinHex
WinHex is a third-party editor that can display the dump files in their original format.
Hexadecimal mode is used to display all data. This will assist you in retrieving and
editing data from a file, memory, disk, or other location.
WinHex also has disk cloning capabilities, which allow you to copy all of the data from
a file and save it as an image file or copy it to a different storage device. Additionally,
WinHex makes it simple to do secure wipes, ensuring that all data in the file is
completely deleted and cannot be recovered using third-party programs.
FTK Imager
FTK Imager is a Windows executable that can mount a hard drive, image drives and
perform file operations. This is also supported by a large number of additional forensics
tools. This program aids in the capturing of data and the use of image files in other
programs on various operating systems. This program can also read encrypted disks. It
may also convert the files to a standard format like dd, expert witness, etc.
Autopsy
The Autopsy software performs digital forensics on data stored on storage devices or in
picture files. It also allows you to see and restore data from these devices. It can search
through a downloaded file, check the device's internet history, view email messages,
identify databases, and view graphical files, among other things.
Exploitation Frameworks
Exploitation frameworks are tools that may be used to design unique attacks. They allow
you to quickly build attack types and add extra tools for detecting vulnerabilities. These
are widely used frameworks that allow you to add modules to your system and use them.
For instance, metasploit, the social engineer toolkit, and so forth.
363
Chapter 04: Operation and Incident Response
Password crackers
Performing vulnerability tests against the system or going through it with forensics tools
may result in the discovery of password files or information, including password hashes.
You can use a brute force attack to find those passwords if you have that knowledge. A
password cracker can be used to accomplish this. Password crackers is an online
tracking tool that can perform multiple requests to a device.
Data sanitization
Data sanitization eliminates all data and transforms it into a format that contains no
useable information. This is typically done to clean the entire drive in preparation for
future use.
Note: There is no way to restore the drive once it has been removed from the data
sanitization tool unless you have a backup that has been irreversibly erased.
Mind Map
Figure 4-07: Mind Map
364
Chapter 04: Operation and Incident Response
Importance of Policies, Processes, and Procedures for Incident Response
Incident Response Plans
An incident response setup ensures that the correct personnel and procedures should
effectively cope with a threat in the event of a security breach. Having an event response
plan ensures that a structured investigation will occur to supply a targeted response to
contain and correct the threat.
Incident Response Process
As a Security Professional, you will be responsible for responding to security events that
occur in the organizations. Events may include a user clicking an email attachment and
execute malware. The malware then starts communicating with other services and
sending information outside of the organization.
The security incidents that occur in the organization require some type of response by
the security professional in the organization. The incident response team often
responds to the type of incidents. The team is the group of people that have been
specifically trained to deal with these circumstances. The team may include the IT
management for your security department, compliance officers, technical staff to help
troubleshoot, and users in the community for help in these situations.
NIST SP800-61
NIST stands for National Institute of Standard and Technology in the US and has
created a document to help understand handling the security incidents. This document
is NIST special publication 800-61 revision two titled “Computer Security Incident
Handling Guide.” This provides information about the entire lifecycle when you are
handling the security incidents. This includes:








Preparation
Detection
Analysis
Isolation and Containment
Eradication
Recovery
Reconstitution
Lesson Learned
Preparation
The key to handling the security incidents properly is to make preparation. This
includes the communication method, the choice of the right people, and processes,
including hardware and software used when an incident occurs.
365
Chapter 04: Operation and Incident Response
There will also be a need to have documentation of the organization’s network that
defines data location for security reasons. There is also a need to prepare to clean the
operating system and application images for the mitigation process.
The policies and procedures should be prepared that will apply when the security
incident occurs.
Detection
To be able to respond to the security incident, you should know that how the incident
occur. There are different ways to monitor and identify security incidents. This is a big
challenge because the organization receives several different types of attacks. There are
always some security tools available that will prevent the majority of these types of
attacks. Also, the security incidents often include different devices and operating
systems to identify legitimate threats.
Sometimes, the organization may also prefer to use incident precursors that help to
predict where a particular area of the network may receive a security breach.
Isolation and Containment
When you identify some malicious software or some type of breach, the best approach
is to isolate and contain that particular security incident.
Instead of malicious software, you can use a sandbox. The sandbox is an isolated
operating system that is specifically designed to run the software. This environment can
be completely deleted after performing the analysis so that you can easily be assured
that the malware is not present outside the sandbox.
Sometimes, the sandbox does not provide the perfect analysis of malware. Some
malware can recognize when running in a sandbox and perform differently in a
sandbox-like an open network. Some malware recognizes when you lose connectivity to
the internet. Therefore, you can isolate that system; it begins deleting the files or
damaging the operating system.
Eradication
Once you identified that an incident has occurred and identified that where the
malware exists in the system. You should recover that system. The first required step is
to eradicate the malware and remove it from that system to recover the system.
Sometimes, this includes completely deleting assets from the system, recovering all stuff
from known backup, and fixing the vulnerabilities that caused the incident to occur the
first time.
Recovery
After doing the process of eradication, use backup to restore the system’s assets quickly.
After retrieving the system assets, rebuild the entire system from scratch. And, lastly,
366
Chapter 04: Operation and Incident Response
you should lock down the perimeter of networks to stop the attack before it enters the
private network.
Reconstitution
On large networks, the reconstitution process can be very difficult and time-consuming.
A phased-based approach runs very slowly and takes a couple of months for recovery.
The plan of the reconstitution process should be efficient, start with quick, high-value
security changes. The quick changes may include sending patches to the systems,
modify the firewall to prevent a certain type of traffic from entering your network, etc.
Lessons learned
Once the incident is over, you can look at what processes worked and did not work
during an incident. You can also schedule the post-incident meeting where everyone
shares the experience that occurred during the process.
Exercises
Security incidents are usually after the fact that one has already occurred. However,
most of the work should be done before an incident occurs in the environment. You can
do several things before an incident occurring that can help with the planning process.
This required step is to perform exercises. This includes the testing process and
workflow that should be used when an incident occurs. These can be scheduled once or
twice a year to alert everyone about what they will have to do during an incident.
The organization should use the well-defined rules of engagement when performing
these exercises and monitor that nothing is affecting the production network.
In rare cases, some security incidents take a week or a month to resolve. However, to
perform an exercise, you have limited time.
Tabletop
The tabletop exercise entails putting everything together and conducting a full-scale
test of a specific security incident. This performance can be seen from beginning to end.
This disaster exercise will take a long time to complete, as well as a significant amount
of money and resources.
Instead of doing any task, the tabletop exercise refers to discussion with members about
the processes in the organization. You should define where and how the process and
procedure problems should be resolved before an actual incident occurs.
Walkthroughs
The walkthroughs allow you to test all the processes and procedures, not only with the
organization's management but also with the individual that will respond to the
367
Chapter 04: Operation and Incident Response
particular incident. This may include all of the different parts of the organization, and
you should all the available tools.
This exercise process allows us to go through every process and procedure and identify
the actual faults and missing steps by applying the concepts from the tabletop exercise.
Simulations
Many organizations perform ongoing simulations where they will visualize that how a
particular event has occurred. Some examples include phishing attacks, password
requests, and data breaches.
For example, to test the simulated event “Phishing attack,” the following steps are
required:



Going phishing
o Create a phishing email attack
o Send to the actual user community
o See who bites
Test internal security
Test the users
Attack Frameworks
Within an organization, a security professional is responsible for protecting the
network. The professional may find multiple attacks experience by an organization. It
is difficult to keep track of the exact type of attacks that have occurred and how you, as
a professional, can protect yourself against these attacks.
When the attack is occurring, your response must maintain and gather the ongoing
reconnaissance. The main challenge with this is that the attackers use several methods
in multiple ways. You should understand the attacks, determine if you are at risk in the
organization, and then use appropriate mitigation.
MITRE ATT&CK
One place to begin gathering the data information is through the MITRE ATT&CK
framework. This comes from the MITRE Corporation. They primarily support US
governmental agencies.
Using this framework, you can identify broad categories of attacks, identify points of
intrusion, and identify security techniques that can help you block any future attack.
Some tactics of the MITRE ATT&CK for ICS matrix are shown in Figure 4-08.
368
Chapter 04: Operation and Incident Response
Figure 4-08: Tactics of MITRE ATT&CK
The Diamond Model of Intrusion Analysis
The useful framework that is typically used when an intrusion occurs is called Diamond
Model. The intelligence community of the federal US government designed the
Diamond Model of intrusion analysis.
For further detail, you can visit the given URL
369
Chapter 04: Operation and Incident Response
https://apps.dtic.mil/docs/citation/ADA586960
The above-mentioned guide is focused on helping you understand the intrusion that
has been occurred in the environment.
The Diamond Model of intrusion analysis uses scientific principles and applies them
towards intrusion analysis. These may include measurement, repeatability, testability.
These are the focus of this Diamond Model.
Consider a scenario in which an attacker has deployed a capability against a victim via
infrastructure. The diamond model can assist in determining the relationship between
all of those different domains as well as gathering the necessary information and
documents to resolve this intrusion.
Figure 4-09: The Diamond Model of Intrusion Analysis
The adversary in the above diamond model is an attacker, which is what the attacker
uses (this could be malware, hacker tool, etc.). The infrastructure will describe what was
used to gain access (e.g., IP address, domain name, email addresses, etc.). A victim is a
person or asset on the network that is used. The diamond model defines the relationship
between each one.
Cyber Kill Chain
Lockheed Martin developed the Cyber Kill Chain framework. It is an intelligence-driven
defense model for identifying, detecting, and preventing cyber intrusion by
understanding the adversary tactics and techniques during the complete intrusion
cycle. This framework helps to identify and enhance the visibility into a cyber-attack. It
also helps blue teams in understanding the tactics of APT’s. There are seven steps of the
Cyber Kill Chain.
370
Chapter 04: Operation and Incident Response
1.
2.
3.
4.
5.
6.
7.
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command and Control
Actions on Objectives
Figure 4-10: Cyber Kill Chain
Reconnaissance
Reconnaissance is the beginning stage of the cyber kill chain. The adversaries, in this
planning phase, collect information about the target by using different techniques. This
information gathering helps the adversaries profile the target and helps understand
which vulnerability will lead them to meet their objectives. Following are some
reconnaissance techniques:






Information gathering via social networking platforms
Social engineering
Information gathering via search engines
Email address harvesting
Network scanning
WHOIS searches / DNS queries
For security teams, it is very difficult to identify and detect reconnaissance. Adversaries
can collect enough information about the target without any active connection.
However, to discover internet-facing servers, open ports, running services, and other
required information, adversaries need to build an active connection with the target. If
371
Chapter 04: Operation and Incident Response
security teams identify reconnaissance activity, it can help them reveal the intent and
subsequent actions. Organizations should have a strict policy regarding information
disclosure on public and social forums. Security teams should monitor and timely
respond if any confidential or even relevant information that adversaries can misuse is
publicly posted. Following are some behaviors the security team should monitor to
identify reconnaissance activities:




Website visitors log
Internal scanning activities
Port scanning on public-facing servers
Vulnerability scanning on public-facing servers
Weaponization
After the collection of sufficient information about the target, adversaries prepare the
operation in the Weaponization phase. Weaponization may include preparing an
exploit for an identified target's vulnerability or developing a malicious payload.
Following are some preparation techniques used by adversaries to weaponize
themselves:




Preparing a weaponizer or obtaining one from private channels
Preparing decoy documents (file-based exploits) for victims
Command and Control (C2) implantation
Compilation of backdoor
Security defenders cannot detect weaponization as the payload is not yet delivered.
However, it is an essential phase for defenders; they can keep their security controls
harden against advanced tactics and techniques of malware. Mostly, security teams
conduct malware analysis and reverse engineering, which helps them identify different
techniques of malware development and dropping techniques. In this way, security
teams prepare the most durable and resilient defense. Following are some blue team
techniques to counter:




Conducting malware analysis for trending malware
Building detection rules for weaponizers
Intelligence collection about new campaigns, IoCs
Correlation of artifacts with APT campaigns
Delivery
After all the preparation and weaponization, in the delivery phase, adversaries launch
the attack by conveying the malware or weaponized payload prepared specially for the
target. Following are some common methodologies of launching an attack:


Phishing emails
Malware on a USB stick
372
Chapter 04: Operation and Incident Response


Direct exploitation of web servers
Via compromised websites
This is an important phase for security defenders to identify, detect, and block the
delivery operation. Security teams monitor incoming and outgoing traffic, analyze
delivery mediums, and monitor public-facing servers to detect and block delivery.
Following are some actions for security teams to detect delivery of malware:





Monitoring Emails Campaigns
Leverage weaponizer artifacts to detect new malicious payloads at the point of
entry
Monitoring suspicious networks communications
Monitoring alerts, detections on security controls
Building signature-based detection rules
Exploitation
Exploitation is the phase in which an adversary gains access to the victim. To gain
access, the adversary needs to exploit a vulnerability. As the adversary already has
probably collected the information about the vulnerabilities in the reconnaissance
phase and has already been prepared in the weaponization, the adversary can exploit
the victim by using any of the following techniques:






Exploiting any software, hardware, or human vulnerability
Using exploit code
Exploiting operating system vulnerability
Exploiting application vulnerability
Victim triggered exploitation via phishing email
Click Jacking
To counter the exploitation phase, security teams should follow the traditional security
measures, but they also need to understand new tactics and techniques and harden
assets to prevent exploitation. Following are some key measures for security defenders
to counter exploitation:







User Awareness Training
Phishing Drill Exercises for Employees
Periodic Vulnerability assessment
Penetration testing
Endpoint Hardening
Secure coding
Network Hardening
Installation
373
Chapter 04: Operation and Incident Response
After successful exploitation, the adversary moves next to the installation phase. It
establishes persistency at the victim either by installing a backdoor or opening a
connection from the victim towards C2. This way, the adversary can maintain access for
lateral movements. Following are some ways of maintaining the access activities:



Installation of web shell
Installation of backdoor
Adding auto run keys
Security defenders use different security controls such as HIPS, EDR, AV engines to
detect block installation of backdoors. Security teams should monitor the following to
detect installations:






Suspicious application using administrator privileges
Endpoint process auditing
Suspicious file creations
Registry changes
Auto run keys
Security control alerts
Command and Control
The adversary establishes a two-way communication or command channel with its C2
server during the Command and Control (C2) phase. The adversary owns and manages
this C2 server, which is used to send commands to infected hosts. Adversaries can
change the victim's searches and commands from afar. C2 channels have the following
characteristics:



Victim opens two-way communication channel towards C2
Mostly, the C2 channel is on the web, DNS, or email
C2 queries encoded commands
This is the last chance in this death chain for security defenders to notice and block the
assault by blocking the C2 channel. If the C2 channel is blocked immediately, an
adversary cannot issue commands to the victim. Some strategies for security teams to
guard against C2 communication are as follows:




Collect and block C2 IoC via Threat Intelligence or Malware analysis
Require proxies for all types of traffic (HTTP, DNS)
DNS Sink Holing and Name Server Poisoning
Monitoring network sessions
Actions on Objectives
The adversary has a victim with persistent access to the C2 server at this point. The
adversary can now complete the tasks. What will the opponent do? That is contingent
374
Chapter 04: Operation and Incident Response
on his intentions. At this point, the enemy has access to CKC7. The following are some
various adversary intentions or possible next steps in this phase:







Collection of credentials from infected machines
Privilege Escalation
Lateral movement in the network
Data exfiltration
Data corruption
Data modification
Destruction
At this stage, Security defenders must detect the adversary as earliest as possible. Any
delay in detection at this stage can cause a severe impact. Security teams should be wellprepared and ready to respond in this stage to lower the impact. Following are some
preparations for security defenders:




Immediate incident response playbooks
Incident readiness
Incident response team with SMEs
Communication and incident escalation point of contacts
Stakeholder Management
An IT department usually has IT customers with applications, data, and other technical
resources that the IT department manages. These are the stakeholders in the
organizations. When something is not working properly, the stakeholder will identify
and resolve the problem. It is a good way to maintain a satisfactory relationship with
the stakeholder. You can involve them in the planning process for certain types of
security events.
If an event occurs, you can bring the stakeholders and involved them in the resolution
process. Most of this relationship built with them does not occur when an event
happens. It occurs before the event.
Communication Plan
Many of the problems during a high-stress event can be mitigated by simply having
good communication; when you plan for a security event, the first step to get your
contact list together is to inform everyone. In the organization, this could be the
CIO/head of information security/internal response teams.
You are also required to involve people, not in the IT organization, such as human
resources, public affairs, legal department, etc. However, you are also required to get in
touch with external sources such as the owner of data, federal or state authorities, etc.
Continuity of Operations Planning (COOP)
375
Chapter 04: Operation and Incident Response
You must have a plan in place to complete your role in the event of a disaster or security
incident. Continuity of operations planning, or COOP, is frequently required. This is
frequently done ahead of time before a calamity strikes.
Incident Response Team
Inside the organization, you should have some trained professionals to respond to
security incidents. These professionals made the incident response team efficiently deal
with the problem and determine what type of events require a response, such as virus
infection, ransomware, or DDoS.
The incident response team is not a separate department in the organization. Instead,
it contains a group of people that come together in a committee if an incident occurs.
This team is specifically responding to any incidents that occur. They provide the
analysis of what is occurring and what must be done to resolve it and provide the
reporting containing the information to make the network stronger for the next
incident.
Retention Policies
If you are involved in a security incident, the first main step is to identify how much
data is affected. The organization should have backups of the data.
During the security incident, the organization must protect data location and amount
of data. It should have copies of the information both at internal and external places.
Some organizations are also required to store a certain type of information for a certain
amount of time. This regulatory compliance may affect financial organizations or the
organizations that deal with a certain type of data.
The organization may also use some policies to make a backup available for operational
problems—for example, accidental deletion or disaster recovery.
376
Chapter 04: Operation and Incident Response
Mind Map
Figure 4-11: Mind Map
Appropriate Data Source to Support an Incident Investigation
Vulnerability Analysis
The scanning process includes vulnerability analysis. It is a crucial aspect of the hacking
process. This chapter will go through the definition of vulnerability assessment, the
stages of vulnerability assessment, the different types of assessments, the tools, and a
few other key points.
The Concept of Vulnerability Assessment
The discovery of vulnerabilities in an environment is a vital duty for a penetration tester.
Vulnerability assessment includes identifying environmental problems, design faults,
and other security concerns that could lead to the misuse of an operating system,
application, or website.
Misconfigurations, default configurations, buffer overflows, Operating System
weaknesses, Open Services, and other vulnerabilities are among them. Network
administrators and pentesters can use a variety of technologies to scan for
vulnerabilities in a network. The threat level of any discovered vulnerabilities is
377
Chapter 04: Operation and Incident Response
classified into three categories: low, medium, and high. They can also be classified as a
certain exploit range, such as local or remote.
Vulnerability Assessment
Vulnerability Assessment can be defined as examining, discovering, and identifying
weaknesses in systems and applications and evaluating the implemented security
measures. The security measures deployed in systems and applications are evaluated to
identify the effectiveness of the security layer to withstand attacks and exploitations.
Vulnerability assessment also helps to recognize the vulnerabilities that could be
exploited, any need for additional security layers, and information that can be revealed
using scanners.
Types of Vulnerability Assessment

Active Assessment: Active Assessment includes actively sending requests to the
live network and examining the responses. In short, it is a process of assessment
that requires probing the targeted host

Passive Assessment: Packet sniffing is commonly used in passive assessments
to find vulnerabilities, running services, open ports, and other data. The targeted
host, on the other hand, is not involved in the assessment process.

External Assessment: External Assessment is a process of assessment carried
out from a hacker’s point of view to discover vulnerabilities and exploit them
from the outside. Outside of the network refers to how a potential attacker could
cause a threat to a resource. External network vulnerability assessment identifies
how someone could cause a threat to your network or systems from outside of
your network

Internal Assessment: This is another method for spotting flaws. Internal
assessments include scanning the internal network and infrastructure for
vulnerabilities. Internal network vulnerability assessments are typically based on
IT industry best practices and technical implementation instructions from the
Department of Defense (DoD). During the internal assessment, there are
misconfigurations, flaws, policy non-compliance vulnerabilities, patching
difficulties, and other concerns. An internal network assessment is concerned
with securing network infrastructure.
378
Chapter 04: Operation and Incident Response
Figure 4-12: Vulnerability Assessment Types
Vulnerability Assessment Life Cycle
The Vulnerability Assessment life cycle consists of the following phases:
Creating a Baseline
The vulnerability assessment life cycle begins with the creation of a baseline. A pentester
or network administrator conducting an assessment determines the characteristics of
the corporate network, applications, and services at this phase. They compile a list of all
resources and assets, which aids in the management and prioritization of the evaluation.
In addition, the pentester maps the infrastructure and learns about the security
controls, policies, and standards in place at the company. Additionally, the baseline aids
in the efficient planning of the process, scheduling tasks, and managing tasks according
to priority levels.
Vulnerability Assessment
The Vulnerability Assessment phase focuses on the assessment of the target. This phase
includes examining and inspecting security measures such as physical security, security
policies, and controls. This phase evaluates the target for misconfigurations, default
configurations, faults, and other vulnerabilities by probing each component individually
or using assessment tools. Once the scanning is complete, the findings are ranked in
terms of their priority level. At the end of this phase, the vulnerability assessment report
shows all detected vulnerabilities, scope, and priority.
379
Chapter 04: Operation and Incident Response
Figure 4-13: Vulnerability Assessment Life Cycle
Risk Assessment
Risk Assessment includes scoping identified vulnerabilities and their impact on the
corporate network or an organization.
Remediation
The Remediation phase includes remedial action in response to the detected
vulnerabilities. High-priority vulnerabilities are addressed first because they can cause
a huge impact.
Verification
The Verification phase ensures that all vulnerabilities in an environment are eliminated.
Monitor
The Monitoring phase includes monitoring the network traffic and system behaviors for
any further intrusion.
Annualized Loss Expectancy (ALE) is the product of Annual Rate of Occurrence (ARO)
and Single Loss Expectancy (SLE), i.e., mathematically expressed as:
ALE = ARO * SLE
While performing quantitative risk assessment, ALE estimation defines the cost of any
protection or countermeasure to protect an asset. SLE defines the loss value of a single
incident, whereas ARO estimates the frequency – how often a threat successfully
380
Chapter 04: Operation and Incident Response
exploits a vulnerability. Exposure Factor (EF) is the subjective potential percentage of
loss to a specific asset if a specific threat is realized.
SLE = EF * AV
Real-World Scenario: An organization is approximating the cost of replacement and
recovery operations. The maintenance team reported that the hardware costs $300,
which needs to be replaced once every three years. A technician charges $ 10 per hour
for maintenance; it takes 14 hours to completely replace the hardware and install the
software. The EF (Exposure Factor) is one (100 %). Calculating the Single Loss
Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annualized Loss Expectancy
(ALE) is a need for quantitative risk analysis.
Calculation:
Asset Value (AV)
=
$300 + (14 * $ 10) = $440
Single Loss Expectancy (SLE)
=
EF * AV = 1 * $440 = $440
Annual Rate of Occurrence (ARO)
=
1/3 (Once in every three year)
Annual Loss Expectancy (ALE)
=
SLE * ARO = 1/3 * $440 = $ 146.6
Vulnerability Assessment Solutions
Product-based Solution Vs. Service-based Solution
Product-based solutions are deployed within the corporate network of an organization
or a private network. These solutions are usually dedicated to internal (private)
networks.
Third-party solutions that provide security and auditing services to a network are
known as service-based solutions. These solutions can be hosted on-premises or in the
cloud. These third-party solutions provide a security concern since they can access and
monitor the internal network.
Tree-based Assessment Vs. Inference-based Assessment
Tree-based Assessment is an assessment approach in which an auditor follows different
strategies for each component of an environment. For example, consider a scenario of
an organization's network on which different machines are live—the auditor may use a
different approach for Windows-based machines and a different approach for Linuxbased servers.
Inference-based Assessment is another approach to assessing vulnerabilities depending
on the inventory of protocols in an environment. For example, if an auditor finds a
protocol using an inference-based assessment approach, they will look for ports and
services related to that protocol.
381
Chapter 04: Operation and Incident Response
Best Practice for Vulnerability Assessment
To acquire effective results, the following are some recommended stages for
vulnerability assessment. These recommended practices for vulnerability assessment
must be followed by a network administrator or auditor.

Before starting any vulnerability assessment tool on a network, the auditor must
understand the complete functionality of that assessment tool. This will help in
selecting the appropriate tool for extracting the desired information.

Make sure that the assessment tool does not cause any sort of damage or render
services unavailable while running on a network..

Be specific about the scan’s source location to reduce the focus area.

Run a scan frequently for identifying vulnerabilities.
Vulnerability Scanning Tools
Various tools have made detecting vulnerabilities in an existing environment relatively
straightforward in this era of current technology and innovation. There are a variety of
automatic and manual tools available to assist you in finding vulnerabilities.
Vulnerability Scanners are automated utilities specially developed to detect
vulnerabilities, weaknesses, problems, and loopholes in an Operating System, network,
software, and applications. Scripts, open ports, banners, running services, configuration
errors, and other areas are all thoroughly examined by these scanning tools.
The following are some of the vulnerability scanning tools:

Nessus





OpenVAS
Nexpose
Retina
GFI LanGuard
Qualys FreeScan, etc.
Security experts do not only use these tools to find any risks and vulnerabilities in
running software and applications but are also used by attackers to find any loopholes
in an organization's operating environment.
1.
Nessus
Nessus Professional Vulnerability Scanner is the most comprehensive vulnerability
scanner software powered by Tenable Network Security. This scanning product focuses
on vulnerabilities and configuration assessment. By using this tool, you can customize
and schedule scans and extract reports.
382
Chapter 04: Operation and Incident Response
2.
GFI LanGuard
GFI LanGuard is a network security and patch management software that performs
virtual security consultancy. This product offers:






Patch Management for Windows®, Mac OS®, and Linux®
Path Management for third-party applications
Vulnerability scanning for computers and mobile devices
Smart network and software auditing
Web reporting console
Tracking latest vulnerabilities and missing updates
383
Chapter 04: Operation and Incident Response
3.
Qualys FreeScan
Qualys FreeScan tool offers Online Vulnerability scanning. It provides a quick snapshot
of the security and compliance posture of a network and web, along with
recommendations. Qualys FreeScan tool is effective for:
 Network Vulnerability scans for server and App
 Patches
 OWA SP Web Application Audits
 SCAP Compliance Audits
Go to http://www.qualys.com to purchase this vulnerability scanning tool or register for
the trial version and try to perform a scan. Qualys offers a Virtual Scanner to scan the
local network, which can be virtualized on any virtualization hosting environment. The
figure below shows the results of a vulnerability scan performed on a targeted network.
384
Chapter 04: Operation and Incident Response
Vulnerability Scanning Tools for Mobiles
Following is a list of vulnerability scanning tools for mobiles:
Application
Website
Retina CS for Mobile
http://www.byondtrust.com
Security Metrics Mobile Scan
http://www.securitymetrics.com
Nessus Vulnerability Scanner
http://www.tenable.com
Table 4-04: Vulnerability Scanning Tools for Mobiles
385
Chapter 04: Operation and Incident Response
Figure 4-14: Secuirty Metrics Mobile Scan
Lab 4-02: Installing and Using a Vulnerability Assessment Tool
Main Objective: In this lab, you will learn how to install and use a vulnerability
assessment tool. There are many tools available for vulnerability scanning. The one we
will be installing and using is Nessus.
Go to the browser and type Nessus Home. Click on the Nessus home link, as marked
below.
386
Chapter 04: Operation and Incident Response
This will take you to the Nessus registration page. You need to register in order to get
the activation code, which you are going to need to activate Nessus.
For registration, you need to put in your first name, last name, and email address. Check
the checkbox and click on Register.
Now to download Nessus, click on the download link.
387
Chapter 04: Operation and Incident Response
Select the Operating System on which you are going to install Nessus. Here, we will
install it on Windows 8 machine (64 bit); therefore, we will download the first link for
the 64-bit version of Windows.
Now read the agreement, click on I Agree, and save the file to your computer.
388
Chapter 04: Operation and Incident Response
Download and install the software.
Select I Agree and click Next.
389
Chapter 04: Operation and Incident Response
If you want to change the file destination, click on the Change button or just click Next.
Click the Install button.
390
Chapter 04: Operation and Incident Response
The installation process will now start.
The installation is complete. Click Finish.
391
Chapter 04: Operation and Incident Response
When you see this window, click on Connect via SSL.
Click on the Advanced option.
392
Chapter 04: Operation and Incident Response
Now click on Confirm Security Exception to proceed to localhost.
Now you have to create an account for the Nessus server. Here, you will choose a login
name and password – make sure you remember it because this is what you will use to
393
Chapter 04: Operation and Incident Response
log in to Nessus from now on. After inserting your username and password, click the
Continue button.
Now choose the scanner type that you want. Here, we have selected the first one, which
is Home, Professional, or Manager.
Go to the email, copy the activation code that was forwarded to you and paste it here.
Then, click Continue.
394
Chapter 04: Operation and Incident Response
After that, you are going to see the Initializing window. It fetches all the plugins for
Nessus, which can take about 15 to 20 minutes.
Once all the plugins are installed, a window will appear. This is what Nessus looks like.
Now, the first thing you have to do is create a policy. Click on Policies.
Now click on Create a new policy.
Here, you have multiple scanner options available. What we are going to do now is
Basic Network Scan. So for this, click on the Basic Network Scan option.
395
Chapter 04: Operation and Incident Response
When you see this window, you have to name the policy. You may name it anything you
want; for now, we will name it Basic Scan.
In basic settings, you have another setting option that is the Permission setting. In this,
you have two options: one is No Access, and the other is Can Use. Here, we are going
to leave it as default. Now click the Discovery option.
396
Chapter 04: Operation and Incident Response
Here, you have to choose the Scan Type. You can either choose to scan common ports,
all ports, or customize it. After selecting your desired option, click on Assessment.
Here, you will see three scanning options. Choose whichever you want and then click
on Report.
397
Chapter 04: Operation and Incident Response
In this window, you have multiple options, and you can see that some of them are
‘checked’ by default. We will leave it as default, but if you want to change some settings,
you may change them according to your needs.
Here in the Advanced setting option, you have three options to choose from. Select any
of them and click on the Credentials button.
398
Chapter 04: Operation and Incident Response
Here, we are going to select “Windows” as we are using Windows OS. However, if you
have Mac or Linux, then you have to select SSH.
Go ahead and insert your credentials and authentication method. If you have a domain,
you may insert that (optional). Check the boxes and click the Save button.
And that is it; the policy has been created. Now in order to scan, you have to click on
the Scan button at the top of the page.
399
Chapter 04: Operation and Incident Response
Click on the Create a new scan option.
Go to the User Defined option. Click on Basic Scan.
400
Chapter 04: Operation and Incident Response
Now, name this scan. We are going to name it Basic Scan – the same as the policy name.
You can also add a description if you want.
Select the folder where you want to save a scan, and finally, insert the IP address of the
target.
You may insert the target in different ways. For example, 192. 168. 1. 1, 192. 168. 1. 1/24,
and test.com.
401
Chapter 04: Operation and Incident Response
You can also schedule your scan. For this, click on Enabled, then select the frequency,
start time, and Time zone.
If you want to get a notification, you can add your email address. After configuring all
the settings, click on the Save button.
402
Chapter 04: Operation and Incident Response
Here, you can see that the scanning process has started. Once the scanning process is
complete, you can see the results by clicking on the section that is marked below.
Below is the scan result. The result is shown in multiple colors. The red represents the
Critical Vulnerability, the orange is for High, yellow is for Medium, green is for Low,
and blue is for Info.
403
Chapter 04: Operation and Incident Response
Now, click on the Vulnerability next to the Host option. Here you will see the
vulnerabilities that have been found. Click on any one of them.
You can see the description of a particular vulnerability as well as a solution for it.
404
Chapter 04: Operation and Incident Response
Here are some other vulnerabilities that were found.
405
Chapter 04: Operation and Incident Response
Lab 4-03: Vulnerability Scanning using the Nessus Vulnerability Scanning Tool
Case Study: In this case, we will scan a private network of 10.10.10.0/24 for
vulnerabilities using a vulnerability scanning tool. This lab is performed on a Windows
10 virtual machine using the Nessus vulnerability scanning tool. You can download this
tool from Tenable’s website: https://www.tenable.com/products/nessus/nessusprofessional.
Configuration:
1. Download and install the Nessus vulnerability scanning tool.
2. Open a web browser.
3. Go to the URL http://localhost:8834
4. Click on the Advanced button.
406
Chapter 04: Operation and Incident Response
5. Proceed to Add Security Exception.
6. Click Confirm Security Exception.
407
Chapter 04: Operation and Incident Response
7. Enter Username and Password of your Nessus Account (You have to register to
create an account to download the tool from the website).
408
Chapter 04: Operation and Incident Response
8. The following dashboard will appear.
9. Go to the Policies tab and click Create New Policy.
10. In Basic Settings, set the name of the policy.
409
Chapter 04: Operation and Incident Response
11. Go to Settings > Basics > Discovery to configure discovery settings.
12. Configure port scanning settings under the Port Scanning tab.
410
Chapter 04: Operation and Incident Response
13. Under the Report tab, configure settings as per your requirements.
14. Under the Advanced tab, configure parameters.
411
Chapter 04: Operation and Incident Response
15. Now go to the Credentials tab to set credentials.
412
Chapter 04: Operation and Incident Response
16. Enable/disable desired plugins.
17. Check whether the policy is successfully configured or not.
18. Go to Scan > Create New Scan.
413
Chapter 04: Operation and Incident Response
19. Enter the name for a new scan.
20. Enter target address.
414
Chapter 04: Operation and Incident Response
21. Go to My Scan, select your created scan and launch it.
22. Observe the status to check if the scan has successfully started or not.
415
Chapter 04: Operation and Incident Response
23. Upon completion, observe the result.
24. Click on the Vulnerabilities tab to observe the detected vulnerabilities. You can
also check other tabs like Remediation, Notes, and History to get more details
about the history, issues, and remediation actions.
25. Go to the Export tab to export the report and select the required format.
416
Chapter 04: Operation and Incident Response
26. The below figure is displaying a preview of the exported report in PDF format.
417
Chapter 04: Operation and Incident Response
Note: Nessus is a proprietary network vulnerability scanner developed by Tenable that
uses the Common Vulnerabilities and Exposures architecture for easy cross-linking
between compliant security tools. Nessus employs the Nessus Attack Scripting
Language (NASL), a simple language defining individual threats and potential attacks.
Vulnerability Assessment Reports
Vulnerability Assessment reports help security teams in addressing the weaknesses and
discovered vulnerabilities. VA reports outline all discovered vulnerabilities, weaknesses,
security flaws within a network and its connected devices. VA reports should also
contain remediation, recommendations, and countermeasures to address the outlined
security issues. The VA process consists of two phases, vulnerability scanning and VA
reporting. Following are the critical elements of a VA report:





Scope of the Vulnerability Assessment: Scope should define the approved
scanning tools, version information, Hosts, Subnets, and Ports information to be
scanned.
Executive summary of the report
Detailed information about existing vulnerabilities on each target
Severity level of each vulnerability, i.e., High, Medium, Low
Correlation of discovered vulnerabilities with Vulnerability frameworks, such as
CVSS
Analyze Vulnerability Scan Results
Asset Categorization
We use public, private, limited, and secretive analyses to structure the assets. The ability
to classify an organization's assets aids in the identification of its vulnerabilities and
their impact on the broader organizational process. Consider the following example:
Public
There is no risk to the organization with a public analysis if it is disclosed but does
present a risk if it is not modified or accessible.
Private
A private analysis poses some risk to the organization if a competitor has it or it is
modified or unavailable.
Restricted
This is informationally restricted to a small number of users and may cause serious
disruption to business operations.
Confidential
418
Chapter 04: Operation and Incident Response
If the information is made public, it has a tremendous impact on the company and its
clients. Personal Identifiable Information (PII), Protected Health Information (PHI), or
Payment Card Information are examples of this type of data (PCI).
It can also be divided into groups based on individuals, applications, servers, and places.
Adjudication
The goal of the adjudication process after a vulnerability scan is to determine the value
and legitimacy of the scan result. It assesses and ranks vulnerabilities according to the
risk they provide to the organization. The Common Vulnerability Scoring System
(CVSS) is one of the most common methods.
Common Vulnerability Scoring System
The Common Vulnerability Scoring System aids in the diagnosis of a vulnerability's
main characteristics and generates a numerical score indicating the severity of the
vulnerability. To assist organizations in correctly assessing and prioritizing their
vulnerability management process, the numerical score can be translated into a
qualitative representation (low, medium, high, or critical).
Security
Base Score Rating
None
0.0
Low
0.1 - 3.9
Medium
4.0 - 6.9
High
7.0 - 8.9
Critical
9.0 - 10.0
Table 4-05: CVSSv3 Scoring
False Positives
In vulnerability scanning, False Positives occur when the scanner can access only a
subset of the required information, preventing it from accurately determining whether
a vulnerability exists. False positives use more than one type of scan and cross-reference.
The most common false positives occur on static web pages.
A false positive is when the system incorrectly receives a biometric sample as being a
match. Biometric sensors can sometimes make mistakes for several reasons. A
biometric, such as a fingerprint or iris scan, is submitted to the system, and it is
compared to all entries in a database for a match. A one-to-many search is what this is
called. Live biometrics change due to climate, age, or a possible injury on a finger.
419
Chapter 04: Operation and Incident Response
Vendors refer to these threshold settings as False Acceptance Rates (FARs) and False
Rejection Rates (FRRs).
Prioritization of Vulnerabilities
The majority of these vulnerabilities are considered high or critical based on the
industry-standard CVSS. Vulnerability Management strategies allow them to respond
to the growing number of threats of the digital age. We find the Vulnerability
Prioritization within these strategies.
Vulnerability Prioritization represents one of the key reasons for the Vulnerability
Management process.
The Benefits of Vulnerability Prioritization
There are several benefits of Vulnerability Prioritization; Few are as follows:
Faster and more effective responses: Among the enormous volume of vulnerabilities
that affect one organization, there are trivial numbers compared to others. By
prioritizing the most important threats, the security team avoids wasting time on
solving less significant problems.
Better use of resources: Vulnerability prioritization allows organizations to use their
resources more intelligently. Whether referring to security professionals or vulnerability
scanners, companies can invest in useful resources without worrying about wasting time
and money addressing minor threats.
Lack of Best Practices
Each tetwork and running service rtype equires best practices to be followed while
planning, deploying, and functioning. These best practices help the administrator to
control and monitor the network and running services with ease. Best practices for
wired networks may differ from the recommendations suggested for wireless networks.
Similarly, applications and software services running on different operating systems and
servers are recommended with different best practices. Several worldwide standard
organizations manage and govern standards and policies for organizations providing
services across the globe. These best practices are based on past experiences and
consider disclosed vulnerabilities detected threats and industry experts'
recommendations.
Appropriate Solutions/Recommendations
Vulnerabilities
to
Remediate
the
Discovered
The following are five recommendations for implementing controls that will help
organizations maintain a regularly configured environment that is secure against known
vulnerabilities.
420
Chapter 04: Operation and Incident Response
Threat Monitoring Process
Your security staff must stay up to date on these risks. They accomplish this by
examining vendor notifications of threats, patches, and system updates and receiving
information from US CERT, which is always up to current with the most recent
information. Vulnerability remediation management must address any dangers
discovered by the team.
Regularly assess your vulnerability
This is not something you do once and never think about again. Because the evaluation
is merely a snapshot of your position at a certain point in time, it can alter if new
vulnerabilities are discovered. As a result, you must ensure that you create a structured
program with clearly defined roles and duties that focus on developing and maintaining
good performance.
Set up and stick to a set of baseline setups
Using documented configurations and applicable standards, standardize the
configuration of similar technology assets inside your firm. Your security team must
document all baseline configurations in your environment, keep these documents up to
date, and ensure that they are integrated into your system build process and enforced
throughout.
Remediate vulnerabilities
This is the process of assessing the vulnerabilities you have discovered, assigning risk to
them, preparing responses to them, and then logging any activities taken to mitigate
the vulnerabilities you have discovered. Finding flaws and doing nothing about them is
pointless and leaves your company vulnerable to a variety of attacks.
Patch vulnerabilities
Vulnerability and patch management is best handled in the following manner:




You must have processes in place to discover and confirm vulnerabilities utilizing
relevant tools and services that will help you detect suspected or confirmed
threats to your organization.
The next step is to examine your findings in order to comprehend the hazards
fully. How can you put the right measures in place to cope with them if you do
not have a true understanding?
After you have completed your analysis, you will be required to address the
issues.
Once you have put your "repair" in place, you will be required to rescan or retest
it to make sure the effectiveness.
SIEM DashBoard
421
Chapter 04: Operation and Incident Response
SIEM stands for Security Information and Event Management. This is usually a logging
information device from any different resources on the network and consolidating all of
those logs back to one single reporting tool. SIEM allows you to analyze the data to
create security alerts and real-time information about what is happening on the network
right now since you can collect all the information and aggregate it into a single place
and create long-term storage to easily create some extensive reports over a long period
of time.
Figure 4-15: SIEM Dashboard
Sensors
A SIEM can collect data from a variety of sources. You can collect the log files for a
particular operating system, such as Windows or Linux, and have them forwarded to a
central SIEM database. Switches, routers, firewalls, and other devices all have log files.
You can also use third-party sensors that follow the standards, such as NetFlow that
provide information about traffic flows across the network.
Sensitivity
It is almost overwhelming when you consolidate all of the information from so many
different devices into a single database and then read through the database to find the
information that you can use; therefore, it is important to use a SIEM to parse the data
and put the information into different categories (like information, urgent, warning,
etc.).
Trends
As all the gathered information over a very long time, you can see the change that
identifies the change over time. You can also see a spike whenever a particular security
event occurs, or network utilization is less than normal.
422
Chapter 04: Operation and Incident Response
Alerts
SIEM also features intelligence that can interpret the collected data, look for specifics,
and offer you proactive alarms and alerts. You could then use the data in the SIEM to
build reports and view additional information about the occurrence.
Correlation
You can also begin correlating different data types into a standard set of information.
For example, you can view the relationship between source and destination IP
addresses, user, source type, and other information gathered from the log files.
Log Files
Several devices connected to the networking infrastructure can provide you with
feedback about the things that may be occurring on the network. This includes switches,
routers, firewalls, VPN concentrators, and other devices.
An example is shown in Figure 4-15. This is a switch log file that contains information
about the interfaces. The switch's security information is also defined in this file. For 60
seconds, all TCP SYN traffic destined for the local system is immediately blocked. The
receiving logs may provide this type of information.
Figure 4-16: Log Files
Network
The log file may define the routing updates, authentication issues, and network security
issues in terms of networking information.
System
When you see the log files on the operating system, you will see extensive information
and must include the information about the operating system. The files and the
applications are running on that OS.
The information about the program configuration, the system, and forwarded events is
also included in the security events area of Windows. The operating system can keep an
eye out for security or authentication events and log everything. Because these
operating system log files contain so much data, you will need a way to filter it. Massive
events are kept in a log file on the event viewer. Fortunately, Event Viewer includes a
variety of options that allow you to filter the data in a variety of ways.
423
Chapter 04: Operation and Incident Response
Application
Many applications also keep their own log files. You will find the application log
information in the "Event Viewer” under application log-in windows. For Linux/macOS,
it is present under /var/log.
Security
The security log files provide detailed security-related information. You have many
devices that gather the security details to easily see what traffic flows have been allowed
or blocked through the network. You can also view any exploits that may have been
attempted.
You would see if any of the URL categories have been blocked by the firewall or proxy
or DNS sinkhole traffic, telling you what devices attempted to connect to a known
malicious location.
Most of the log and security details are created on the security devices connected to the
network, such as intrusion prevention systems, firewalls, or proxies. This can provide
detailed security information about every single traffic flow going through the network.
Firewall
The firewall logs can give information about traffic flows that may be allowed or
blocked. It also provides information on what IPv6 packets have been blocked on the
network. It also provides information on website access that has been denied.
Web
If you have a web server, you have an extensive log that defines exactly who is connected
to the website server and what pages they can view. It also defines the information
occurring, especially if someone is trying to access non-existent files or files associated
with known vulnerabilities.
DNS
A Domain Name Server can provide information about what queries have been made
against the DNS server. You can view the IP address of the request, and many log files
will store the fully qualified domain name for the request.
Since you have full control of your DNS server, you can block any attempts to resolve a
known malicious site. You can then use that list to identify the potentially infected
device, and then you can clean those devices and remove them to focus your network.
Authentication
The process of validation is called Authentication. TWhen a client requests a resource
request, thewebserver has to verify a user's identity in the authentication process This
way, user credentials are supplied, and the webserver validates them—the
424
Chapter 04: Operation and Incident Response
authentication attack targets and attempts to exploit the authentication process for the
user’s identity. Un-authenticated hackers can gain network access by exploiting these
vulnerabilities. Credentials of the user include name, user ID, and password to verify
the identity of a user. The system determines whether the credentials are rightly used.
The system authenticates user identity via login passwords in public and private
networks. A user’s identity is simply determined by what they know, what they have, or
what they are. The verification of at least two or all the three authentication factors is
essential for security. Authentication has different factors that include:
Single-factor Authentication
The simplest authentication method depends on a simple password. A system such as a
website or a network grants access using the verified credentials’ identity. Login
credentials are the most common examples of single-factor authentication for which
only a password and user name are required.
Two-factor Authentication
A two-step verification process requires a username, password, and something only the
user knows to guarantee tecurity such as an ATM pin. With an additional piece of
confidential information along with a username and password, any attempt to steal
valuable data becomes more difficult.
Multi-Factor Authentication
This authentication method uses two or more levels of security from the independent
categories of authentication to grant access to a system. The factors must be
independent of each other to remove any existing vulnerabilities in the system.
Multiple-factor authentication is used by banks, law enforcement agencies, and
financial organizations to protect their applications and data from threats.
The types of attacks that are considered authentication attacks are as follows:
Attack types
Brute Force
Attack description
Allows an intruder or attacker to predict a person's user name,
credit card number, password, or cryptographic key using an
automatic procedure of trial and error
Insufficient
Authentication
Allows an attacker to access a website comprising content that
is sensitive or functions without having to authenticate with
the website
Weak
Password Permits an intruder or attacker to access a website that offers
Recovery
them the ability to illegally obtain, change, or recover another
Validation
user's password
425
Chapter 04: Operation and Incident Response
Table 4-06: Authentication Attacks
Dump Files
The memory dump files are those that can create on-demand. You can take a single
application using task manager and Windows and create a dump file that will store
everything in memory associated with the application into a single file. This file is
normally created when working with technical support to resolve an application
problem and send that memory dump file to the developer to try to locate and resolve
that issue.
The dump files can be easily created from Windows Task Manager
VoIP and Call Managers
Although, most of the environments you are working in have moved from the
traditional plain old telephone system, running over analog phone lines to voiceover IP
and digital packets.
The call manager log includes the inbound and outbound call information and security
information.
Session Initiation Protocol (SIP) Traffic
Voiceover IP protocols, such as Session Initiation Protocol, can provide detailed log
information (SIP). It sets up the phone call and messages so that you can monitor the
call setup, management, and teardown. You will also be able to see information on
inbound and outbound traffic.
syslog/rsyslogs/syslog-ng
Syslog is a common way for transmitting log files from a single device to a centralized
database. This is built into the SIEM (Security Information and Event Manager). It is a
centralized log server that collects logs from all of the devices and consolidates them.
Journalctl
If you are managing the Linux operating system, there are many different logs available
on that device. Some of them are specific to the operating system itself, and some of the
logs are created by the demons running on the system or application.
There is a standard format for storing system logs on Linux in a special binary format.
This optimizes the storage area and allows to query the information very fast. However,
you are not able to see it with a text editor because of binary formatting.
Fortunately, Linux has a utility called “journalctl.” It allows to query information present
in the system journal and provide output on what may be present there.
nxlog
426
Chapter 04: Operation and Incident Response
nxLog is a multiplatform log collection and centralization solution that includes log
enrichment and forwarding capabilities.
nxLog may be used as a single tool to process all of the different types of logs that your
company generates. Various sources, such as files, databases, Unix domain sockets,
network connections, and other sources, can be used to collect logs.
Bandwidth monitors
One of the first statistics you want to gather from log files is information on the
bandwidth. This is a fundamental network statistic that shows the percentage of the
network that has been used over time. There are different ways to gather these metrics:
Simple Network Management Protocol (SNMP), NetFlow, sFlow, IPFIX, etc. You can
also use a protocol analyzer through the software agent that is running on a particular
device.
EXAM TIP: Bandwidth monitoring is always good to qualify that you have the
bandwidth available to transfer information for the application because if the
bandwidth has been exceeded and you are running out of the available space on the
network, then none of the applications will perform properly.
Metadata
Metadata is data that describe other types of data. It contains within the files that are
using on the device.
Email
If you send and receive an email, there is metadata within the email messages you
normally do not see. The information is present in the email message's header; the
information defines which servers are used to transfer the email from one point to
another.
Mobile
In terms of phones, there is an extensive amount of metadata that could be stored. For
example, if you take a picture or store video on the mobile device, it could be kept in
that metadata, the type of phone used to take a picture ,or the GPS location where the
picture was taken.
Web
If you are using a web browser to connect to the webserver, then metadata will be
transferred back and forth there.
For example, you could send your operating system information, the type of browser
you are using, and the IP address you are sending it from.
427
Chapter 04: Operation and Incident Response
File
You can store files or documents in Microsoft Office; you may find the metadata inside
that document that shows the name, address, contact number, title, and other
identifying information.
Netflow
NetFlow is a standardized way for collecting network information from switches,
routers, and other network devices. NetFlow data is frequently pooled into a single
NetFlow server, from which you may examine data from all of your devices through a
single administration console.
NetFlow is a well-known standard that makes it simple to collect data from devices
made by a variety of different manufacturers. Bring all of the data back to a single central
NetFlow server.
The NetFlow architecture is an architecture that separates the probe from the collector.
The architecture may have a different number of devices, such as individual NetFlow
probes or the NetFlow capability built into the network device that it is using.
These probes are either sitting inline within the network traffic or receiving a copy of
the network traffic, and all the other details are exported to a central NetFlow collector
where you can easily create different reports.
Figure 4-17: NetFlow
428
Chapter 04: Operation and Incident Response
sFlow
One of the difficulties with collecting network traffic and developing metrics based on
the discussions taking place on the network is that it can consume a lot of resources,
especially if you run a very high-speed network. Sampled Flow (sFlow) is used to balance
the available resources with the demand to examine more statistics on the network. This
allows viewing the selected portion of the network traffic to gather metrics.
Because of the lower resources required for sFlow, you can embed this capability in a
number of infrastructure devices.
IPFIX
IPFIX is the industry standard for exporting IP flow data. It is also regarded as a new
NetFlow version. It was made with NetFlow v9 in mind (version 9). This gives us more
freedom in terms of what data we gather and what information is sent to a centralized
server. The functionality is similar to the NetFlow, except you can customize exactly
what kind of data you receive from those collectors.
Protocol Analyzer Output
Protocol analyzers are commonly used to diagnose complex application problems since
they capture every bit of data from the network and explain what is happening across
those specific network channels.
Wireless networks and wide area networks can also benefit from the protocol analyzer.
This analyzer gives you precise information about unknown traffic, packet filtering, and
security control, as well as a plain-language description of the application data.
429
Chapter 04: Operation and Incident Response
Mind Map
Figure 4-18: Mind Map
Use of Mitigation Techniques or Controls to Secure an Environment
Reconfigure Endpoint Security Solution
Endpoints refer to the devices that are using day today to do the jobs. This includes a
desktop computer, laptops, tablets, smartphones, etc.
There are multiple ways available to exploit these devices. The endpoint is a critical
piece of security. These devices should be protected from malware, operating system,
or vulnerabilities. The IT security team is responsible for monitoring all these devices,
and they are constantly watching for alerts and alarms that can let them know when
something usually might be happening on the endpoint.
Application Whitelisting
One security control is to define that what applications are allowed or not allowed on a
particular endpoint. When the user downloads any software from a third-party website
and software has some malware, the IT security team can create a more secure and
stable environment. by providing control of the applications running on the endpoint
430
Chapter 04: Operation and Incident Response
One approach on how to implement this type of control is through the use of an
approved list. That means that the IT security team would create a list of approved
applications and allow them to run only that application on the endpoint.
Application Blacklisting
Another way to implement the control is to have a blocklist or deny list. The blocklist
contains the applications that are specifically be prevented from running on the
particular endpoint. This means that the users are allowed to install the application
unless that application is listed in the deny list. It is very common for anti-virus or antimalware to have their own deny list, and if the user tries to launch that application, the
anti-malware software will prevent that application from running.
Quarantine
If the endpoint security software recognizes an application that seems to have malicious
software, it can remove that from the system and place it into a quarantine area. This
can be a folder on the existing system where no applications are allowed to run.
Configuration Changes
Secure configuration refers to the security precautions taken when developing and
installing computers and network equipment in order to reduce cyber vulnerabilities.
One of the most prevalent security flaws that criminal hackers attempt to exploit is
security misconfigurations more than 96% of the time. Internal penetration tests
frequently meet a network or service misconfiguration, according to recent research
from Rapid 7.
Firewall rules
The latest generation of firewall allows you to allow or deny certain applications from
traversing the network. The firewall allows access to a Microsoft SQL Server application;
however, deny access to a web application. The firewall rules are most commonly used
to manage application flows and block dangerous applications.
Mobile Device Manager (MDM)
The Mobile Device Manager (MDM) can allow or deny access to mobile devices. The
MDM allows the IT security administrator to set policies on all of the mobile devices
and always protect the devices from malicious software.
Data Loss Prevention (DLP)
The DLP’s role is to identify and block the transfer of any personally identifiable
information. When someone is trying to transfer personal records, social security, or
anything that is sensitive, it could be blocked by DLP.
431
Chapter 04: Operation and Incident Response
Content Filter/URL Filter
The Uniform Resource Locator (URL) can be used as a security control. If anyone tries
to visit malicious sites, the URL can block access to that particular location. And, if
anyone is trying to access a known location, the URL will allow access to those sites as
well. Many of the URL filters can also be integrated with third-party blocklists. These
blocklists are constantly updated and can provide a real-time blocking of known
malicious sites.
Update or revoke certificates
A Certificate Revocation List, or CRL, is used to verify that a digital certificate is still
valid. Before connecting VPN tunnels, VPN appliances employ CRLs to check for invalid
certificates. The certificate is validated during phase 1 discussions when using digital
certificates with VPNs.
The appliance tries to retrieve a CRL via LDAP (Lightweight Directory Access Protocol)
or HTTP (Hypertext Transfer Protocol), which is defined inside the CA certificate if no
CRL has been loaded into the VPN. Many VPN appliances additionally let you choose
an address to which the CRL should be sent.
Isolation
The concept of isolation is one where you can move a device into an area with limited
or no access to other resources. Isolation is a key strategy, especially when trying to fight
with malicious software or software constantly trying to communicate back to a
command and control location.
The isolation concept is often used when someone is trying to connect to the network
and does not have the correct security posture on their device. Perhaps, they have not
updated to the latest antivirus signatures. Therefore, the devices will be put on a
separate remediation VLAN that would give them access to update the signature. Once
those signatures are updated, they are then allowed access to the rest of the network.
You can also implement process isolation. If you identify a process running on the
device that seems suspicious, you can disallow any access from that process to the rest
of the network. Therefore, the user will still be able to communicate using the normal
trusted applications.
Containment
Containment inhibits or logs harmful behaviors in an application that is constantly
changing based on containment criteria. Every application is executed in its own
sandbox, with only limited access to the operating system and other processes.
This means that if the computer is compromised with ransomware, the malware could
infect that specific program.
432
Chapter 04: Operation and Incident Response
The containment can be reactive because once some machine identifies ransomware,
you can change the security event, disable administrative shares, remote management,
local account access, and also change the local administrator password.
Segmentation
Network segmentation helps protect against data breaches, ransomware attacks, and
other cybersecurity threats. In a correctly segmented network, groups of end devices
such as servers and workstations have only the connectivity required for legitimate
business use. This limits the potential of ransomware to spread or an attacker pivot from
one system to another.
SOAR
SOAR stands for Security Orchestration, Automation, and Response (SOAR). SOAR
platforms are a set of security software solutions and applications that allow you to
browse and collect data from various sources. SOAR solutions then evaluate this
disparate data using a combination of human and machine learning to comprehend and
prioritize incident response actions.
An administrator can use SOAR to connect numerous third-party products and make
them function together. Runbooks serve as the foundation for the integration.
Runbooks
A runbook contains explicit instructions on how to do a certain task. It also includes
extensive instructions on how to reset a password, create a website certificate, and
backup application data, among other things.
Playbooks
Playbooks can be made by combining the runbooks. A playbook is a more detailed
description of what to do if a specific event occurs.
For example, if you want to recover from ransomware, you will need a playbook that
lays out all of the procedures you will need to do to get rid of the ransomware.
433
Chapter 04: Operation and Incident Response
Mind Map
Figure 4-19: Mind Map
The Key Aspect of Digital Forensics
Digital Forensics describes the process of collecting and protecting information that is
usually related to the same type of security event. This covers many different techniques
for gathering data across many types of digital devices. It also describes different
methods used for protecting that information once you have retrieved it.
Documentation/Evidence
RFC 3227 is the guideline for evidence collection and archiving. It is a great best practice
to get what is involved with the digital forensics process. This RFC describes three
phases for the digital forensics process the acquisition of data, the analysis of that data,
and reporting of that data.
Legal hold
Legal hold is a legal technique to prevent relevant information requested by legal
counsel. It describes what type of data needs to be preserved for later use. The data
434
Chapter 04: Operation and Incident Response
copied for this legal hold is often stored in a separate repository, and it is referred to as
Electronically Stored Information or ESI. These legal holds may ask for many different
kinds of information and many types of applications, and the information is stored for
a certain amount of time or maybe of indefinite hold.
When you receive the legal hold and have the responsibility to gather and maintain the
data, you will preserve all of the information.
Video
Another good source of information to gather is from video. Video can provide
information external to the computer and network.
For example, you can capture the screen information and other details around the
system that normally would not be captured through other means.
Admissibility
Not all data can be used in a legal environment, and the laws are different depending
on where you may be. The important part of the collected data is w set of standards that
aallowthe data to be used in the legal environment.
Legal authorization
If you are authorized to gather the information, the data itself is protected. In other, the
network administrator may complete the access to that data.
Procedures and tools
The correct tools are used the correct way. You should use the best practices for tools
and procedures that you follow.
Laboratories
If the laboratories use the data, the proper scientific principles should be used to analyze
the evidence.
Chain of Custody
To verify that no changes occur to the collected data, you require documentation that
maintains the integrity. This documentation is called a chain of custody.
It is common to have a catalog that labels and documents everything collected into a
central database. You can also use hashes during the collection process to easily verify
the data you are looking at is the same data that was collected.
Timelines of Sequence of Events
As time goes on, the important information is to document the time zone information
associated with the device that you are examining.
Timestamps
435
Chapter 04: Operation and Incident Response
Different file systems store timestamps differently.
FAT: If you are using the File Allocation Table file system, all of the timestamps are
stored in the local time on that file system.
NTFS: If the device was storing the information in a file system using NTFS, the
timestamps are stored in Greenwich Mean Time (GMT).
Time offset
The time offsets can be different depending on the operating system you are using, the
file system in place, or the device
Tags
Reports
When all the data is collected, there is a need to analyze and report exactly what
occurred during that security event. The report should start with a summary providing
a high-level overview of what occurred during the security event.
There should also be detailed documentation describing how the data was collected,
the analysis performed on that data, the inferences, and the conclusion gathered based
on that analysis.
Event Logs
Event logs provide a wealth of information because they store details about the
operating system, the security events, and the applications running in the operating
system.
Interviews
Interviews will allow you to ask questions and get information about what a person saw
when a particular security event occurred.
Acquisition
Order of Volatility
When collecting data from a system, one challenge you have when collecting data from
a system is that some of the data is more volatile than others. Certain data will be stored
on the system for an extended period of time, while other data may only be available for
a few minutes. Therefore, you need to start collecting the data with the information that
is more volatile and less volatile. The order of volatility is shown in Figures 4-20.
436
Chapter 04: Operation and Incident Response
Figure 4-20: Order of Volatility
Disk
There is a great deal of information stored on a system’s hard drive or SSD. If you want
to learn the best way to gather the information for forensics, the first step is to prepare
the drive to be imaged. You can power down the system so that nothing can be written
to that drive, and you can also easily remove the storage drive from the system.
After that, you will connect the drive to a device specifically designed for imaging. These
are the handling systems designed with the right protection so that nothing on that
drive can be altered. You will then copy all of the data on the drive.
Random-Access Memory (RAM)
The important source of data is the information in memory. This can be difficult to
gather, not only because the information changes constantly; however, capturing the
information from memory can change a portion of that memory.
There are also third-party tools available that can provide memory dump. They will take
everything in the system's active memory and copy it to a separate system or a separate
connected device.
You can also gather as much as you can from the memory because some of the
information is never written to a storage drive. The important data like browsing keys,
clipboard information, encryption keys, and command history may be found in
memory; however, they do not display on the storage drive itself.
Swap/pagefile
A swap or pagefile is a temporary storage region in current operating systems. These
pagefiles have slightly different operating systems depending on whatever operating
system you use.
437
Chapter 04: Operation and Incident Response
In many places, the swap drive is a section of the storage device that may be used to
swap data out of random access memory and free up space for other applications to run.
A piece of an application is contained in the swap. You can transfer an application that
is not currently in use to active memory and store it on a local drive temporarily. As a
result, the application should run smoothly.
Note: The swap also collects information from active RAM and contains data
comparable to the RAM dump.
OS
The files and data present on the operating systems can help to understand the security
events. The operating system also contains information like a number of logged-in
users, open ports on devices, currently running processes, and attached devices.
If you investigate the malware infection or ransomware installation, then the attached
devices from the operating system can provide important information during the
analysis.
Device
There are several tools available for collecting the same type of information from a
mobile device. There are capture methods available, that you could either use a backup
file that was previously made from that device, or you cannot directly be connected to
the device, usually over USB, and create a new image from the device.
Inside of the mobile device, you can easily find information about the phone call,
contact, text message, email data, images, movies, etc.
Firmware
With some security events, you may have noticed that the firmware of a device has been
modified. The firmware implementation is specific to the platforms. The attackers gain
access to the device and install the updated and hacked version of the firmware. Getting
access to the firmware may help understand how the device was exploited, the firmware
functionality, and the real-time data sent to and from the device.
Snapshot
When working with virtual machines, you can easily get details from the snapshot. The
snapshot is like an image of the virtual machine.
Taking the snapshots starts with the original image that will act as a full backup of the
system. It is common to then take subsequent snapshots of the virtual machine.
Especially when you change and update the VM due to any reason, you will be required
to take every updated snapshot.
438
Chapter 04: Operation and Incident Response
To restore the virtual machine from the snapshots, you will be required to use the
original snapshot with all the incremental snapshots (updated version).
Cache
The operating system and applications can speed themselves up through the use of a
cache. A cache is a temporary storage area designed to speed up the performance of an
application or an operating system.
There are many different kinds of cache, including CPU cache, disk cache, the cache for
a browser, and cache connected to the network.
The cache often contains very specialized data.
CPU cache – It contains all the data specified on the operation of a single CPU.
Browser cache – It only contains the URLs of the location visiting with some browser
page components, including text, images, etc.
The cache is usually writing information that was queried originally so that if the other
query was made that was identical, you can simply go to the cache instead of performing
the query against the original service.
Network
The network contains a wealth of information. You can see all of the different
connections made over the network.
The networks are useful for the inbound and outbound session with the device's
operating system and application traffic.
In large environments, extensive packet captures occurring, and storage of large
amounts of data is sent across the network. There might also be smaller packet captures
available on the security devices like firewalls, Intrusion Prevention System (IPS), etc.
Artifacts
The artifacts are the things stored in a log. It may be a flash memory, prefetch cache
files, information stored in the recycle bin, and the information that you are storing in
the browser.
Note: Bookmarks and log-in records are also considered artifacts.
On-Premises vs. Cloud
We have discussed the digital forensics process with devices that would be in the
possession. It can be a computer, laptop, mobile device, etc.
To perform digital forensics in the cloud, complexities are added concerning cloud
technologies. The technical challenges become wide as the devices are located in
another facility somewhere in the cloud. It is also very difficult to associate the cloud439
Chapter 04: Operation and Incident Response
based data to one specific user. As many people access the cloud-based service
simultaneously, picking out an individual’s piece of data adds extra complexities to the
forensics process.
The legal issues are also associated with cloud-based data, especially since the rules and
regulations around the data can be of different types due to your location in the world.
Right-to-Audit Clauses
Before you work to get access to cloud-based data for forensics purposes, it would be
valuable to have already created an agreement on how the data could be accessed.
Therefore, working for a cloud provider or a business partner will be very useful to
qualify how the data should be shared, and outsourcing would work.
The right to audit clauses in the agreement will permit knowing where the data is being
held, how the data is being accessed over the internet, and what security features may
be in place to protect the data.
As the initial contract with the cloud provider is being created, the right to clause can
be added to specify how to create a security audit of that data.
Regulatory/Jurisdiction
The technology behind cloud computing is evolving rapidly, and the legal system is
trying to make changes with the technology. That is why forensics professionals need
to work with the legal team. Very different regulations may bind the data in a different
jurisdiction.
In cloud-based applications, the data can be located in a completely different country.
In a particular case, the physical location of the data center may determine the legal
jurisdiction for that data.
Data Breach Notification Laws
Another concern is that notification laws associated with data breaches are called data
breach notification laws. Many states and countries have laws and regulations stating,
“if any consumer data happens to be breached, then the consumer must be informed of
that situation.
These notification laws can be different depending on the location of where the data
would be stored. If there is a cloud-based application, then the data will be storing
information from all countries into a single database, and a breach of that data may have
a broad impact on who gets notified.
The notification requirement varies depending on the geography. There may be rules
and regulations regarding the type of breached data, who needs to be notified if a breach
occurs, how quickly you get notify, etc.
440
Chapter 04: Operation and Incident Response
Integrity
Hashing
When you are collecting data for evidence, you want to be sure that nothing will change
with your collected information. One way to ensure this is to create a hash of that data.
This is a way to cryptographically verify that what you have collected will be exactly the
same as what you will examine later.
Checksums
A relatively simple integrity check can be done with checksum. This is commonly done
with network communication to ensure that the information you have sent from one
side of the network to the other has shown up without any type of corruption. This is
not designed to replace a hash. However, it provides a simple integrity check that may
be useful in certain situations.
Provenance
The source of the data is called provenance. This provides the documentation of where
this data originated. It is also useful to have a chain of custody for data handling. This
also provides an opportunity to take advantage of newer blockchain technologies that
can provide more detailed information tracking.
Preservation
It is very important when working with data as evidence that you can preserve the
information and verify that nothing has changed with the information while it has been
stored.
Additionally, you should manage the collection process from mobile devices. The live
collection of data becomes an important skill. Data is converted into an encrypted form,
making it difficult to collect after powering down.
The gathering of information requires the best practices to ensure the admissibility of
data legally. This will be useful, especially if the data will be used later for some reason.
E-discovery
There is a legal mechanism used to gather information called discovering. When this
mechanism applies to digital technologies, it is referred to as Electronic discovery (Ediscovery). This process gathers the data. Hence there is no need to examine or analyze
the information. For data, you are simply required to search from the list of information
that is being requested.
The process of E-discovery often works in conjunction with digital forensics. For
example, with E-discovery, you will obtain the storage drive and provide that to the
authorities. The authorities will then look for that drive and notice the information on
441
Chapter 04: Operation and Incident Response
that drive is smaller than expected. At that point, you will bring in some digital forensics
experts that can examine the drive and attempt to recover any data that have been
deleted.
Data recovery
Recovering missing processes can be a complex process. There is no single way to
recover the data. The recovery requires extensive training and expertise to find the best
way for data recovery.
The exact process of data recovery may be based on:




Deleted files on the drive
Hidden files
Hardware and software corruption
Damaged storage device
Non-repudiation
Non-repudiation is the process of proving the data integrity and the origin of data. With
this process, you know who sent the data; however, you have high confidence of exactly
who sent that information. This means that the only person who could have sent the
data is the original sender.
There are two ways to providing non-repudiation:
Message Authentication Code (MAC) – With MAC, the two parties that are
communicating back and forth are the two that can verify that non-repudiation.
Digital Signature – Anyone who has access to the public key of the person who wrote
the information can verify that they can use it.
EXAM TIP: With MAC, the two parties can verify non-repudiation. In contrast,
the non-repudiation can be publicly verified in the digital signature.
Strategic Intelligence/ CounterIntelligence (CI)
Gathering evidence can also be done by using strategies intelligence, also known as
counterintelligence. This is when you are focusing on the domain and gathering threat
information about that domain. This is useful when finding out business information,
geographic information, or details about a specific country.
You can also gather much of this information from threat reports that you crate
internally or information gathered from a third party. There might also be some other
data sources, especially with Open Source Intelligence (OSIT), that provide some
additional information as well.
442
Chapter 04: Operation and Incident Response
Strategies intelligence also helps to determine the threat landscape based on the trends.
If you are the subject of someone’s strategy intelligence, you may want to prevent that
intelligence from occurring, and instead, you should perform the strategy
counterintelligence. With CI, you could easily identify someone trying to gather
information and attempt to disrupt that process. CI also helps to gather threat
information on foreign intelligence operations.
Mind Map
Figure 4-21: Mind Map
443
Chapter 04: Operation and Incident Response
Practice Questions
1. Which of the following commands is used to determine the network adapter
information?
A. ipconfig
B. Nmap
C. hping
D. curl
2. Which of the following methods is used to gather the network statistics?
A. Metadata
B. Data Recovery
C. NetFlow
D. None of the above
3. Which of the following is a temporary storage area?
A. Swap
B. Firmware
C. Snapshot
D. Cache
4. Which of the following defines a set of security software solutions and applications to
browse and collect data from different sources?
A. Evidence
B. SOAR
C. E-Discovery
D. File manipulation
5. Which of the following has cryptographic libraries to perform hashing functions?
A. SSH
B. CLI
C. PowerShell
D. OpenSSL
6. Which of the following is the stateless protocol that ensures the binding of IP and MAC
addresses?
A. TCP
B. ARP
C. FTP
D. SMNP
444
Chapter 04: Operation and Incident Response
7. Which of the following allows and denies access to the mobile device?
A. MDM
B. DLP
C. URL Filter
D. All of the above
8. Which of the following is used to troubleshoot complex application problems?
A. Log Files
B. SIEM Dashboard
C. Protocol Analyzer Output
D. Metadata
9. Which of the following store an application that seems to have malicious software?
A. Application Whitelisting
B. Application Blacklisting
C. Cache
D. Quarantine
10. Which of the following is the legal mechanism to gather information from electronic
devices?
A. E-discovery
B. Data recovery
C. Non-repudiation
D. None of the above
11. How many ways are there to provide non-repudiation?
A. Three
B. Two
C. Four
D. Five
12. Which of the following allows to perform analysis of data for security alerts and realtime information?
A. SOAR
B. Acquisition
C. Forensics
D. SIEM
13. How many types of vulnerability assessment are there?
445
Chapter 04: Operation and Incident Response
A. Two
B. Four
C. Three
D. Five
14. Which of the following is a third-party editor tool that provides a raw representation
of dump files?
A. WinHex
B. FTK Imager
C. Autopsy
D. Memdump
15. Which of the following attack framework apply security techniques to block future
attacks?
A. Cyber Kill Chain
B. The Diamond Model of Intrusion
C. MITRE ATT&CK
D. None of the above
446
Chapter 05: Governance, Risk, and Compliance
Chapter 05: Governance, Risk, and Compliance
Introduction
The Governance, Risk, and Compliance (GRC) is a combined collection of potentials
that allows the organizations and companies to reliably achieve ethical management,
minimizing the risk of failures and ensuring the organization is complying with state
requirements.
GRC Concepts
Governance
The governance is about how an organization has to be run in an efficient and
responsible manner, and they report their policy to all stakeholders. Processes and goals
of the organization have to be aligned.
Compliance
Compliance is an integral part of GRC, which demonstrably meets the applicable rules
and regulations.
Risk
Identify all risks through risk management and register the related management
measures and then report on these.
Figure 5-01: GRC Concepts
Why GRC?
The importance of embedding GRC in an organization can have to do with whether the
organization wants to:

Steer performance
447
Chapter 05: Governance, Risk, and Compliance



Improve the quality of products and services
Prevent damage
The controlled and structured environment
Functions Supported by GRC
The different functions supported by the GRC platform are summarized in table 5-01.
Functions
Description
Vendor Management
It includes the vendor selection on a risk
basis with relationship management and
compliance monitoring
Policy Management
Defines the workflow and policy lifecycle
that can help to review, change, and
archive policies to authoritative sources
Risk & Compliance Management
Defines the workflow, reporting, analysis,
and remediation of risks that will help the
organizations to understand and deal with
risks
Business Continuity
Recovery Management
Plan/Disaster Integrate the functionality of Business
Continuity Plan and Disaster Recovery for
an organization to perform a Business
Impact Analysis to minimize the risk of
failures and improve the value of business
processes
The incident, Threat, and Vulnerability These
include
the
consolidate
Management
vulnerabilities and patch information from
the security intelligence providers to better
explore the vulnerability results
Asset Management
Handle the system, databases, applications,
and infrastructure assets to key the
business processes for better compliance,
business continuity, and disaster recovery
tasks
Table 5-01: Functions Supported by GRC
448
Chapter 05: Governance, Risk, and Compliance
Analyze Risks Associated with Cloud Infrastructure
A cloud-based system should be managed and approached as other outsourced
platforms, with the same types of concerns, risks, and audit/governance prerequisites
as an external hosting environment. Eventually, all risks related to a Cloud
infrastructure must be customized for their individual needs. Risks to consider include:





Policy and organization Risks
Loss of governance
Provider lock-in
Compliance challenges
Provider exit
Risk Assessment/Analysis
A major risk in a Cloud environment is the sanitization of data. In a traditional data
center, physical media can be destroyed to guarantee data destruction, which is not
possible in a Cloud environment, so concepts of overwriting and cryptographic erasure
are highly used. Data protection is the security of system images within a Cloud
environment. The images themselves are just files on a file system without any physical
partition of servers, shared with the possibility of malware being injected into an image
even when it is not running; their security becomes essential in a Cloud environment,
where the Cloud provider bears sole duty for assurance.
Cloud service providers have a generally huge innovation scale, which influences risk.
This one result relies upon the circumstance. considerations include:



Larger scale platforms require more technical skills to manage
Shifts control of technical risks toward the cloud service provider
Consolidation of Cloud and IT infrastructure leads to the consolidation of points
of failure.
Cloud Attack Vectors
In Cloud Computing, the following are the most common attacks used by an attacker
to extract sensitive information such as credentials or gain unauthorized access. Cloud
Computing Attacks include:








Service Hijacking using Social Engineering Attacks
Session Hijacking using XSS Attack
Domain Name System (DNS) Attack
SQL Injection Attack
Wrapping Attack
Service Hijacking using Network Sniffing
Session Hijacking using Session Riding
Side Channel Attack or Cross-guest VM Breaches
449
Chapter 05: Governance, Risk, and Compliance


Cryptanalysis
Dos / DDoS Attacks
Service Hijacking using Social Engineering Attacks
The attacker may try to guess the password using Social Engineering tactics.
Unauthorized access to sensitive information is gained as a result of social engineering
assaults, depending on the privilege level of the affected user.
Service Hijacking using Network Sniffing
Using Packet Sniffing tools by placing himself in the network, an attacker can capture
sensitive information such as passwords, session ID, cookies, and other web servicerelated information such as UDDI, SOAP, and WSDL
Session Hijacking using XSS Attack
By launching Cross-Site Scripting (XSS), the attacker can steal cookies by injecting
malicious code into the website.
Session Hijacking using Session Riding
Session hijacking is the goal of session riding. An attacker could take advantage of this
flaw by trying cross-site request forgery. By tracking the user to click on a malicious link,
the attacker exploits presently active sessions to execute requests such as data
alteration, data erasure, online transactions, and password change.
Domain Name System (DNS) Attacks
DNS poisoning, cybersquatting, domain hijacking, and domain snipping are examples
of DNS attacks. An attacker could try to fake by poisoning the DNS server or cache in
order to gain internal user credentials. Theft of the Cloud service domain name is known
as domain hijacking. Phishing scams can also lead to consumers being led to a bogus
website.
Side-Channel Attacks or Cross-Guest VM Breaches
Side-Channel Attacks or Cross-Guest VM Breach is an attack that requires the
deployment of a malicious virtual machine on the same host. For example, deploying a
malicious VM co-resident of the target VM will result in resource sharing. An attacker
can extract cryptographic keys. Similarly, the attacker can also exploit shared high-level
cache memory to launch side-channel attacks. A malicious insider or an attacker can do
the installation by impersonating a legitimate user.
Similarly, other attackers are also vulnerable to Cloud Computing, such as SQL Injection
attacks (injecting malicious SQL statements to extract information), Cryptanalysis
Attacks (weak or obsolete encryption), Wrapping attacks (duplicating the body of a
message), Denial-of-Service (DoS), and Distributed Denial-of-Service (DDoS) Attacks.
450
Chapter 05: Governance, Risk, and Compliance
Virtualization Rısks
Virtualization can expand the security of IT because it is easier to set up the correct
network access controls between machines.
A Layered-based approach in virtualization also raises some risks that are not found in
the traditional server-based model. Compromising the hypervisor layer will also
compromise the hosted virtual machines because the hypervisor is an authoritative
layer over the hosts. As the hypervisor is hosting all the VMs on it, it is a single point of
failure resulting in a denial of services. Any unauthorized access to the hypervisor can
result in operational changes, access restrictions, service hijacking, and much more.
Similarly, installation of obsolete or unpatched, or pre-configured virtual machines can
also increase the risk in a virtual environment. Additionally, some virtual environments
are over-allocated, resulting in an exhaust of resources.
Another risk of server virtualization is called “Resource Abuse,” where one guest (or
tenant) is over-using the physical resources, in this manner keeping alternate guests of
the resources required to run their workloads. This is also called the “noisy neighbor”
issue. The hypervisor may have the capacity to limit the over usage of a guest, but the
administrator must consider restricting a large number of visitors on a single host. Few
guests mean you are not saving money sufficiently.

Numerous guests mean you risk performance issues.
With virtual servers, it becomes easy to clone, replicate, snapshot, and stop images.
However, there are benefits of using virtual servers, with a probability of new risks. It
can prompt enormous sprawl or proliferation of server images that need to be stored
somewhere. This can become difficult to manage, and it represents a security risk.
Counter-Measure Strategies
Cloud computing faces the same difficulties as other networks and infrastructures that
use the internet; there are numerous ways in which counter-measures can avert the
risks and threats that are manageable against cloud security.
There are various counter-measures that can be executed in the cloud infrastructure.
These include:







Access Management
Centralized Directory
Role-based Access Control
Privileged User and Access Management
User Access Certifications
Identity and Access Reporting
Separation of Duties
451
Chapter 05: Governance, Risk, and Compliance
Other counter-measures are conventional in order to prevent the use of attacks that
include better techniques for transforming sensitive data over public cloud
deployments. More significantly, cloud servers need improved data portability and
protection from external threats. This includes creating an identity and access
management guidance. Encryption should be increasingly unique and secure to protect
files and other user data. Better encryptions permit better methods in storage,
provisions for security, acquisitions of data, and information from service providers and
vendors that support regulations, dimensions, and opportunities in the cloud.
Cloud environments are of high availability in nature with redundancy, rapid elasticity,
and auto-scaling. This architectural plan makes the maintenance, patching, and
isolation of hosts in case of a conceivable security breach much easier because they can
be removed from production pools. It also allows for scanning, updating, and making
configuration changes without impacting the customer and users of a system or
application, consequently reducing this risk to availability.
Security Controls
In order to protect a sound security policy and overall governance, the cloud security
professional must concentrate on some different areas, as discussed in this section.
Physical and Environmental Protection
The word physical and environmental security refers to measures taken to ensure the
safety and security of infrastructure against natural disasters, environmental effects,
human attacks. While the access and technologies used with a cloud infrastructure offer
a single set of services to customers, covered it is all is a classic data center model. While
in most cases on a much larger scale. Because a cloud is a system that is accessible over
broad networking, such as the public Internet, physical protection should also extend
to those systems that are used to access the cloud.
The physical assets in the concrete data center include servers, physical racks, power
distribution units, cooling units, as well as real physical facilities and the auxiliary
systems located on the premises, for example, power conduits, battery backups, fuel
tanks, generators. Outside the Datacenter property, there are still further physical
devices and infrastructure that are essential to the cloud security professional. These
include the power and network conduits that the data center depends on, as well as the
endpoints of access for the users and customers, for example, workstation, laptops, and
mobile devices.
Examples of relevant controls based upon one or more regulations:

Procedures and policies recognized for maintaining safe and secure working
environments; including, offices, facilities, rooms, and secure areas
452
Chapter 05: Governance, Risk, and Compliance


Restricted physical access of users and support personnel to information assets
and functions
Physical security perimeters such as fences, guards, barriers, walls, and so on
Protecting Datacenter Facilities
Datacenters are essential to have a redundant, multi-layered way to deal with user
access control. Controls are requisite to be at the facilities level, the computer floor level,
and at the data center/facility staff level to guard against risk.
System and Communication Protection
Cloud computer run on physical systems that use services need protection. A number
of these services are:







Hypervisor
Volume Management
Storage Controller
IP Address Management
Identity Service
VM Image Service
Management Databases
Other factors to consider for system and communication security include:



Detecting and logging of security events
Responsibilities of protecting the Cloud: Cloud provider is responsible for
underlying software and hardware regardless of the cloud service model.
Including knowing where the responsibility among cloud service providers and
cloud customers
Automation of configuration
Category of Security Control
The security controls are categorized at different levels:



Technical
Management
Operational
Technical – This category covers the access control that can authenticate onto different
resources present on the network. Additionally, it defines audit, accountability, system,
and communication protection.
Management – It includes managing different aspects of risk like security assessment,
how you provide authorization to different resources that exist in the network,
planning, risk management, service, system acquisition, program management, etc.
453
Chapter 05: Governance, Risk, and Compliance
Operational – This category is more important in terms of hardware and software
mechanisms that can be used to manage and protect the information and information
systems. It also defines how do you handle the changes that occur in configuration
management, how you can protect the resources physically, etc. In short, these controls
are designed, configured, implemented monitored at the technology level.
Types of Security Control
Deterrent Control
A Deterrent Control serves to inhibit the attacker by reducing the possibility of success
from the viewpoint of the attacker.
Preventive Control
Preventive Control refers to the prevention of specific action from occurring.
For example, Firewall
Detective Control
Detective Control helps to detect a physical security breach. It alerts the operator to
specific conditions and acts during an event.
Corrective Control
Corrective Control is an attempt to reduce the amount of damage and is used after an
event. For example, ‘Backup’ helps the rapid restoration of operation.
Compensating Control
To directly address the threat when there is no control available, one thing needed to
meet the requirement is ‘Compensating Control.’ For example, the ‘Fire suppression
System’ that do not stop fire damage but can limit fire damage.
Technical Control
When some form of technology is used to address the physical security issue, it is
referred to as a ‘Technical Control.’ For example, Biometrics.
Administrative Control
Limiting the security risks through policies and procedures is known as ‘Administrative
Control.’ For example: Giving instructions to a security guard.
Physical Control
Physical Control refers to restricting specific physical activity from occurring. For
example, Mantrap prevents tailgating. It basically restricts the accidental operating and
specific human interaction with a system.
454
Chapter 05: Governance, Risk, and Compliance
Mind Map
Figure 5-02: Mind Map
Importance of Applicable Regulations, Standards, or Frameworks that Impact
Organizational Security Posture.
The regulatory frameworks are the set of policies defined by the platform to meet the
regulatory requirements. These rules should be followed by organizations, businesses,
and companies to strengthen security, improve processes and capabilities.
EXAM TIP: The Language Understanding (LUIS) can work with text as well as with
audio for a single file cohesive result.
Regulations, Standards, and Legislation
455
Chapter 05: Governance, Risk, and Compliance
The regulations defined in the security system refer to the directives with information
that should be followed by the organizations and companies to protect their
information from cyberattacks like Denial of Service (DoS), unauthorized access, etc.
The standards are the things with guidelines and requirements for the product, services,
and system. The legislation is the set of rules defined by the cybersecurity administrative
to do any task. All systems are mandatory to follow them.
Some of the common cybersecurity regulations include:
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the biggest European Union
legislation giving ordinary people and precedented control over how your data is
collected, used, and forced companies to justify everything they do with it. It has a huge
effect on businesses outside the EU, including the US.
As everything moves their future towards the digital domain, the massive collection of
sensitive data requires strict and protected regulations from holding them.
Any type of data that can identify you with your name, contact details, username, IP
address, and location is required by the GDPR. The organizations will have to prove that
they have a lawful reason for holding the particular kind of data
Why is it needed?
Before smartphones, a massive amount of sensitive information was collected from the
sources like Google and Facebook. GDPR gives organizations guidelines on what they
can and cannot do with personal data. It also makes them gives users more clarity over
the kind of data being used and how companies will use it.
National, Territory, State Laws
Information security breaches in the past two decades necessitated the creation of new
legal and regulatory frameworks and changes to current legal and regulatory
frameworks to include security related to compliance needs across several countries.
Due to the worldwide nature of internet services, cross-border information interchange,
and electronic commerce services, the need to comply with regulatory and legislative
frameworks has expanded dynamically. The following are some key legal and legislative
phrases in the field of information security.
Legislative and Regulatory Compliance
The legal system that relies on common law is known as a common law legal system,
and it is based on court rulings. Common law is followed in countries such as the United
Kingdom, the United States, Canada, Australia, South Africa, India, Malaysia, Singapore,
and Hong Kong.
456
Chapter 05: Governance, Risk, and Compliance
In general, the common law establishes three categories:
1. Regulatory law: Administrative law is another name for it. It is concerned with
the rules and regulations of the government's administrative agencies. The
legislative statute, also known as statutory law, is a legal system established by
the legislative part of the government.
2. Criminal law: It is concerned with the breaking of government laws. A legal
system founded on religious beliefs is known as religious law—for example,
Islam, Hindu, and Christian laws.
3. Civil law: It deals with litigation brought by private individuals. Civil laws, in
contrast to common law, are a legal system based on codified law. Civil laws are
followed in countries such as France, Germany, and others.
Privacy Requirements in Compliance
Privacy is the protection of Personally Identifiable Information (PII) or Sensitive
Personal Information (SPI) that can be used to identify a person in context with a group
or individual.
National Institute of Standards and Technology (NIST)
The National Institute of Standards and Technology (NIST) is releasing guidance to
protect the privacy of Personally Identifiable Information (PII). Personally Identifiable
Information (PII) is defined as follows by NIST special publication 800-122:
1. Any information that can be used to find out the individual’s identity, such as his
name, social security number, date, and birthplace, or biometric records.
2. Any information which belongs to an individual, such as medical, educational,
financial, and employment information.
Privacy Laws
Privacy laws deal with protecting and preserving the rights of an individual’s privacy.
Privacy laws in the U.S include the following:



Health Insurance Portability and Accountability Act (HIPAA)
Financial Services Modernization Act (GLB), 15 U.S. Code: 6801-6810
Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal
Regulations, Part 313
In the UK, they include the following:


Data Protection Act 1998 (United Kingdom)
Data Protection Directive (European Union)
457
Chapter 05: Governance, Risk, and Compliance
Legal & Regulatory Issues
Legal and regulatory issues will be bundled together with information compromise that
could result in civil or criminal liability for a company.
The issues listed below may have legal or regulatory ramifications.
Cyber Crime - Cybercrime refers to criminal activities carried out across
communication networks such as the Internet, telephone, radio, satellite, and mobile
networks.
Cyber Terrorism – It is a sort of cybercrime that targets computers and computer
networks, and it is usually premeditated. The main goal of these attacks could be to
injure people on the basis of social, ideological, religious, political, or other factors.
Cyber Stalking Cyber stalking is a sort of cybercrime in which the offender uses the
Internet and other electronic tools to harass or frighten the victim.
Information Warfare - Information warfare is a sort of cybercrime that aims to disrupt
adversaries, such as organizations and institutions, in order to obtain a competitive
advantage. False propaganda, for example, or web page defacement, to name a few
examples.
Denial-Of-Service (DoS) Attack or Distributed Denial-Of-Service (DDoS) - DoS /
DDoS attacks are cybercrimes where websites of any user's computer systems are made
inaccessible using multiple services request to overload the web and application servers.
Payment Card Industry Data Security Standards (PCI DSS)
To determine security controls, a variety of standards are available. PCI-DSS (Payment
Card Industry Data Security Standard) is an industry-specific security standard. Other
standards include OCTAVE®, ISO 17799/27002, and COBIT, which are more widely
used.
The Payment Card Industry Data Security Standard (PCI-DSS) is a multi-layered
security standard that includes requirements for security management, policies,
procedures, network architecture, software design, and other critical protective
measures. This widely adopted standard aims to assist enterprises in protecting
customer account data in a proactive manner. The Payment Card Industry Security
Standards Council produced the PCI-DSS security standard (PCI-SSC). American
Express, Discover, Master Card, Visa, and other credit card companies are represented
on the council. PCI-DSS aims to protect credit cards by forcing merchants who use them
to follow certain security precautions.
The core principles of PCI-DSS are:
458
Chapter 05: Governance, Risk, and Compliance






Build and Maintain a Secure Network and System
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Center for Internet Security (CIS)
The Center for Internet Security (CIS) is a major security control that guides the global
community in securing the internet. It is a non-profit organization that harnesses the
worldwide IT community's capacity to protect private and public enterprises from cyber
threats. Global standards and accepted best practices for safeguarding IT systems and
data from the most ubiquitous assaults are accessible controls and benchmarks. The
volunteer, a global community of IT experts, keeps these tried-and-true principles up to
date.
NIST Risk Management Framework
Managing and controlling the risk is one of the major goals of businesses, particularly
in the information security program. Risk management gives the vehicle for maintaining
the balance between resources, compliance, and security. Organizations should be able
to protect their information assets by establishing and creating an efficient risk
management program, considering the organization’s environment, threats, resources,
and sensitivity of its data.
The NIST Risk Management Framework (RMF) process is defined in NIST 800-37 r2
(Risk Management Framework for Information Systems and Organizations). It provides
a comprehensive, flexible, repeatable, and measurable 7-step process that any
organization can use to manage information security and privacy risk for organizations
and systems, as well as links to a suite of NIST standards and guidelines to aid in the
implementation of risk management programs to meet the Federal Information Security
Modernization Act's (FISMA) requirements
459
Chapter 05: Governance, Risk, and Compliance
Figure 5-03: The 7-Step Process of NIST RMF
The main purpose of each step required in the Risk Management Framework is
summarized in table 5-02.
Step #
Step name
Purpose
1.
Prepare
It holds all the essential activities to help prepare
all the levels that an organization required to
measure its security and privacy risk
2.
Category
The steps find all the disastrous effects in terms of
loss of confidentiality, integrity, availability of the
system, information processes, etc. It is also
responsible for informing the organizational risk
management processes and tasking about these
effects
3.
Select
It selects, documents, and pile up all the necessary
controls to safeguard the corresponding risk faced
by the system and organization
4.
Implement
This step implements all the necessary controls for
security and privacy
5.
Assess
This step is responsible for ensuring that all the
controls are implemented correctly, operating as
planned and create the desired results required to
460
Chapter 05: Governance, Risk, and Compliance
meet the security and privacy requirements for the
system and the organization
6.
Authorize
It provides the responsibility features if the
security and privacy risk based on the operation of
a system is allowed
7.
Monitor
It maintains the current situational information
regarding the security and privacy posture of the
system and organization to accept the risk
management based findings
Table 5-02: Purpose of Steps in RMF
EXAM TIP: The Risk Management Framework process can also be useful to the
new provisioning systems and technologies (e.g., IoT, control systems), etc.
NIST Cybersecurity Framework
Today, data is the most valuable asset, which is the reason why security has become the
highest priority-based agenda. The data breaches and security failures introduce risk
and require national and economic security. Therefore, the US issued an executive to
develop a Cybersecurity Framework to help reduce the cyber risk
Also, the NIST Cybersecurity Framework combines the industry standards with best
practices to help the systems and organizations manage and monitor their cybersecurity
risk (threats, vulnerabilities, and impacts). The designed framework also helps to reduce
the risks by utilizing the customized measures.
The usage of the Cybersecurity Framework is shown in Figure 5-02. According to the
information technology research company, the Cybersecurity Framework is used by
30% of the US organization because of its response and recovery feature against
cybersecurity incidents.
461
Chapter 05: Governance, Risk, and Compliance
Percentage of US Organzations
Cybersecuirty Framework Usage
2012
2015
2020
50
30
2
Years
Figure 5-04: Cybersecurity Framework Usage
Note: The NIST Cybersecurity Framework, which was launched in early 2014, was
created by the private sector and the US government. In the “Cybersecurity
Enhancement Act of 2014,” Congress confirmed this initiative as a NIST obligation.
According to the US Chamber of Commerce,
“The NIST Framework has proved that the designed framework has incorporated into
cybersecurity recommendations including auto manufacturers, the chemical industry,
communication, transportation, and corporate directors.”
Why Cybersecurity Framework (CSF)?
The Cybersecurity Framework will help organizations and systems better understand,
manage, and reduce their cybersecurity risks. It will assist in determining which
activities are most important to assure critical operations and service delivery in turn
that will help in prioritizing investments and maximize the impact of each spend money
on cybersecurity.
It shifts from compliance to action and specifies outcomes by providing a common
language to address cybersecurity risk management. It is especially helpful in
communicating inside, outside the organization that includes improving
communication awareness and among IT planning and operating units as well as senior
executives of organizations.
462
Chapter 05: Governance, Risk, and Compliance
The Cybersecurity Framework allows you to assess where you are now and where you
need to go. It may be adopted in stages or to varying degrees, making it more appealing
to businesses.
Built-in maturity models in the framework eliminate the need for extra maturity models
on top of the Cybersecurity Framework.
CSF Components
The NIST Cybersecurity Framework consists of three main components, namely:



Core implementation tiers
Framework profiles
Framework core
CSF Components
Core
implementation
tiers
Framework profiles
Framework core
Figure 5-05: CSF Components
Core implementation tiers – It explains how an organization manages cybersecurity
risk and the extent to which risk management methods display important features.
Framework profiles – The profiles are an organization's unique arrangements of
organizational requirements and goals, as well as an asset against the framework core's
covered outcomes.
Framework core – Assists organizations in monitoring and reducing their
Cybersecurity risks in a way that complements their existing Cybersecurity and risk
management processes.
International Standard Organization (ISO)
The International Organization for Standardization (ISO) is a global standard-setting
organization made up of representatives from various national standards bodies. The
organization, which was founded on the 23rd of February 1947, develops and publishes
international technical, industrial, and commercial standards.
463
Chapter 05: Governance, Risk, and Compliance
ISO 27001
As the risk associated with cyberattacks and data breaches continues to increase,
information security has become a critical issue for every business. An effective
approach should help defend against both external attacks and common internal threats
such as incidents breaches and human error.
The international standard ISO 27001 specifies the requirements for an Information
Security Management System (ISMS). Through risk management, this systematic
approach of people procedures and technology assists you in protecting and managing
all of your organization's information.
ISO 27002
The information technology security technique ISO 27002 relates to. It outlines
organizational information security standards and an information security management
code of practice for information security controls, including control selection,
implementation, and management while taking into account the organization's
information security risk environment (s).
It is intended for usage by companies that want to:



Select controls within the process of implementing an Information Security
Management System based on ISO 27001
Implement commonly accepted information security controls
Develop their own information security management guidelines
ISO 27701
The International Organization for Standardization (ISO) and International ElectroTechnical Commission (IEC) are organizations that globally develop and maintain their
standards. The ISO/IEC 2700 1:20 13 standard ensures that an information security
management system is implemented, maintained, and improved. This standard is a
revised edition (second) of ISO/ISE 27001:2005, which was first published in 2005. The
following major aspects of information security are covered by ISO/IEC 27001:2013:





Implementing and maintaining security requirements
Information security management processes
Assurance of cost-effective risk management
Status of information security management activities
Compliance with laws
ISO 31000
Organizational risk can have ramifications in terms of financial performance,
professional reputation, and environmental safety. As a result, efficiently managing risk
aids firms in operating smoothly in an uncertain environment.
464
Chapter 05: Governance, Risk, and Compliance
The ISO 31000 standard lays forth general concepts and standards for businesses to
follow when dealing with risks. Any organization, regardless of size, activity, or sector,
can use it. It can also assist organizations in increasing the possibility of meeting goals,
improving the identification of opportunities and threats, and effectively allocating and
using resources for risk management.
SSAE SOC
The teams that analyze the security procedures should be aware of the output and
reporting capabilities for the data. Any information that is of important consideration
must be reported to the management teams immediately so that they are alert of
possible risks or harm. Depending on their roles and responsibilities, the information
sent to management teams may move via several levels.
The kind of reports that must be used depends on the type of auditing that is being
done. A Service Organization Control (SOC) report is required by the American
Statement on Standards for Attestation Engagements (SSAE) 16 audit, for example.
There are two types of SOC1 reports:
SOC 1 Type 1
The findings of an audit, as well as the completeness and correctness of the documented
controls, systems, and facilities, are outlined in this report. Type 1 reports are concerned
with the systems of a service organization. It also includes reporting on the control's
adequacy for achieving the goal.
SOC 1 Type 2
The Type 1 report is included, as well as information on the effectiveness of the
procedures and controls in place for the near future. Type 2 reports are focused on the
systems of service organizations and include a report on whether the control is running
properly to fulfill its goal.
SOC 2
A SOC 2 audit examines a service organization's non-financial reporting controls in
relation to the Trust Services Criteria, which include the system's security, availability,
processing integrity, confidentiality, and privacy.
SOC 2 Type 1
The type 1 audit reports are placed in operation at a specified point in time.
SOC 2 Type 2
This type autotests the effectiveness of the controls over a period of time.
465
Chapter 05: Governance, Risk, and Compliance
SOC 3
This report includes general audit results as well as a certification level for datacenters.
These reports are for users or clients who require control security, process integrity and
confidentiality, and availability assurance. SOC3 reports can be freely exchanged and
publicized.
Cloud Security Alliance
The Cloud Security Alliance is a non-profit organization whose mission is to encourage
the implementation of best practices for providing security assurance in Cloud
Computing and educating people about how Cloud Computing may assist protect other
types of computing.
The Cloud Security Alliance (CSA) was founded in 2008, and its first product was
"Security Guidance for Critical Areas of Focus in Cloud Computing." In 2009, CSA
became a corporation in Nevada and received US Federal 501(c)(6) non-profit status.
Membership
The Cloud Security Alliance has a network of chapters worldwide that are separate legal
entities from the CSA but operate within guidelines set by the CSA.
Note: Individuals who are interested in cloud computing and have the experience to
assist in making it more secure receive a complimentary individual membership based
on a minimum level of participation.
CSA Cloud Controls Matrix (CCM)






Provides a fundamental security principle to guide Cloud vendors and to assist
prospective cloud customers in assessing the entire security risk of a cloud
provider.
The CSA CCM is aligned to the Cloud Security Alliance guidance in 13 domains.
Customized relationship to important industry security standards, guidelines,
and controls frameworks such as the ISACA COBIT, ISO 27001/27002, PCI, NIST,
Jericho Forum, and NERC CIP
CCM provides organizations with the needed structure, in detail and clarity, and
related information security tailored into the Cloud industry.
It provides operational risk management and standardized security and seeks to
normalize security expectations, cloud taxonomy, and terminology.
It has the following versions:
o Cloud Control Matrix v3.0.1
o Cloud Control Matrix v3
o Cloud Control Matrix v1.4
o Cloud Control Matrix v1.3
o Cloud Control Matrix v1.2
466
Chapter 05: Governance, Risk, and Compliance
o Cloud Control Matrix v1.1
o Cloud Control Matrix v1.0
CSA Reference Architecture
The Enterprise design is a technique and a collection of tools that alter security,
enterprise architects, and risk management professionals to leverage a standard set of
solutions that fulfill their common must be ready to assess wherever their internal IT
and cloud suppliers are in terms of security capabilities and to arrange a roadmap to
fulfill the protection wants of their business.
BUSINESS
OPERATION
SUPPORT
SERVICES
(BOSS)
INFORMATION
TECHNOLOGY
OPERATION &
SUPPORT (ITOS)
PRESENTATION
SERVICES
APPLICATION
SERVICES
SECURITY &
RISK
MANAGEMENT
INFORMATION
SERVICES
INFRASTRUCTURE
SERVICES
(SABSA)
(ITIL)
(TOGAF)
(Jericho)
Table 5-03: CSA Reference Architecture
Benchmarks/Secure Configuration Guides
When the operating systems, database servers, web servers, or other technologies are
installed, they are far away from the secure configuration. Systems with a default
configuration are not secure. Some guidelines are needed to keep everything safe and
secure.
Platform-Specific Guide
The platform-specific guide is the finest guide that comes from the manufacturer. This
guide includes all the essential principles regarding installation, configuration, and
sometimes operations as well.
1. Web Server
Web servers provide a link between clients and web pages. They are susceptible to
attacks as they are open to the internet. Therefore, the proper setting of external-facing
applications is the key to avoid unnecessary risk. For web servers, several reliable and
prescriptive sources of instruction are available to support administrators to properly
protect and secure the application.
Web Server Concepts
467
Chapter 05: Governance, Risk, and Compliance
A Web Server is a program that hosts websites based on both hardware and software. It
delivers files and other content on a website over Hypertext Transfer Protocol (HTTP).
As the use of the internet and intranet has increased, web services have become a major
part of the internet. They are used for delivering files, email communication, and other
purposes. Web servers support different types of application extensions, whereas all of
them support HTML for basic content delivery. Web servers can be differentiated by
security model, operating system, and other factors.
Open Source Web Server Architecture
Open source web server architecture is a web server model in which an open-source
web server is hosted on either a web server or a third-party host over the internet. The
most popular and widely used open-source web server are:





Apache HTTP Server
NGINX
Apache Tomcat
Lighttpd
Node
Figure 5-06: Open Source Web Server Architecture
IIS Web Server Architecture
468
Chapter 05: Governance, Risk, and Compliance
The Internet Information Services (IIS) service is a Windows-based request processing
architecture. IIS 7.x is the most recent version. Windows Process Activation Services
(WAS), Web Server Engine, and Integrated Request Processing Pipelines are all part of
the design. IIS contains multiple components that are responsible for several functions
such as listening to the request, managing processes, reading configuration files, etc.
Components of IIS
Components of IIS include:




Protocol Listener: Protocol listeners are responsible for receiving protocolspecific requests. They forward these requests to IIS for processing and then
return responses to requestors.
HTTP.sys: The HTTP protocol stack is a kernel-mode device driver that
implements the HTTP listener (HTTP.sys). HTTP.sys is in charge of listening for
HTTP requests, sending them to IIS for processing, and then providing the
results to client browsers.
World Wide Web Publishing Service (WWW Service)
Windows Process Activation Service (WAS)
In the previous version of IIS, World Wide Web Publishing Service (WWW Service)
handles the functionality, whereas in version 7 and later, WWW Service and WAS
service are used. These services run svchost.exe on the local system and share the same
binaries.
Figure 5-07: IIS Web Server Architecture
2. Operating System
469
Chapter 05: Governance, Risk, and Compliance
The operating system serves as the interface between the physical hardware and the
application. Configuration guide from all the significant operating system
manufacturers is available on the CIS platform.
3. Application Server
The application server resides between the back-end database and the webserver. It is
sometimes called Middleware. A proper configuration guide for application servers is
available at CIS and STIGs.
4. Network Infrastructure Device
Network infrastructure devices include routers, switches, firewalls, concentrators, and
any other devices that are required for the network to function effectively. Configuring
these devices correctly is difficult but vital because any failure can compromise the
security of the data being handled.
General Purpose Guide
CIS control is a first-rate general-purpose guide that comprises 20 common security
control sets. The framework maintained by the Center for Internet Security can be
found on this link: https://www.cisecurity.org/controls/
470
Chapter 05: Governance, Risk, and Compliance
Mind Map
Figure 5-08: Mind Map
Importance of Policies to Organizational Security
Policies
Policies can be documented and articulate in a formal manner the desired or required
systems and operations standards for any IT system or organization. They are crucial
for implementing an effective data security strategy. Typically, they act as the
connectors that hold many parts of the data security together across both technical and
non-technical elements. The failure to implement and utilizes policies in cloud-based
computing or non-cloud-based computing would likely become in different parts or
isolation of activities, efficiently operating as standalone and leading to multiple
duplication and limited standardization.
The policies designed for organizational security consist of several rules and procedures
that can be imposed by operations of an organization to protect and manage critical and
sensitive data.
471
Chapter 05: Governance, Risk, and Compliance
Personnel Security
Personnel security policies apply to those who work for the company, including
employees, contractors, consultants, and users.
The following policies are included in these policies:




Screening processes to validate security requirements
Understanding their security responsibilities
Understanding their suitability to security roles
Reducing the risk of theft, fraud, or the misuse of facilities
General Concepts
Acceptable Use Policies (AUPs)
The Acceptable Use Policies (AUPs) are those policies that describe the right usage of
the organization’s resources (like computers, the Internet, and Network). These policies
are described by the organization, as they should be concerned about any personal use
of these resources that do not serve the organization.
Job Rotation
Job rotation, also known as a rotation of duties or responsibilities, aids an organization
in reducing the risk of a single employee having too many rights. Rotation of
responsibilities simply means that no one individual performs important functions or
obligations for a long period of time. An accountant, for example, might move from
payroll to accounts payable, then accounts receivable. The major purpose of job rotation
is to reduce the amount of time that one individual spends on one task. This reduces
the possibility of mistakes or malevolent actions going undiscovered. Job rotation can
also be used to cross-train team members to reduce the impact of an unplanned
absence.
Mandatory Vacations
Mandatory vacations are a part of employee ship and a requirement in some
organizations. On mandatory vacations, the employees are required to take a vacation
for a certain period of time during the year.
In some organizations, employees are forced to take mandatory vacations, and in case
if they do not want to, the organization becomes cautious of the possibility of them
being involved in any illegal activity or fraud. Therefore, mandatory vacations, in some
way, helps the organization to discover illegal activities of employees. Thus, the policy
may prove to be a security protection mechanism at times.
472
Chapter 05: Governance, Risk, and Compliance
Separation of Duties
Implementing the separation of duties principle ensures that no one person can
complete all required tasks for a business process or function. Separation of duties is
also a part of the business policy. Separation of duties is divided into two types, i.e., Split
Knowledge and Dual Control. Split knowledge refers to the separation of duties in which
no single person has all the information needed to perform a specific task. Rather, it is
split into two arsons. It means that each person has half of a safe combination.
Another type is Dual Control that requires both persons to be present at the same time
for performing a specific task. Both persons have their secret keys. (they do not have to
disclose their secret keys with each other). Secure access will require both keys at a time.
Least Privilege
The least privilege is considered a significant principle in the management of the
account. The principle allows the user to have only the rights and permission that are
necessary for them to perform their task or accomplish their objective, and no extra
rights are given to the user. By limiting the access rights of objects (user, process, or
application), the administrator can also limit the cause of harm and malware.
Clean Desk
As one of the very effective business security policies, the Clean Desk policy enforces
that when an employee leaves their desk, it should be when the person leaves the desk,
it should be clean and clear, i.e., PC should be shut down properly, and no paperwork
should be left on the desk. In short, employees should clean their desks before leaving
the office, so no one can see any of their information. It is an efficient security policy for
the one who deals with sensitive data.
Background Checks
A background check is also called pre-employment screening. A background check is
performed by the organization to check if the person they are hiring is trustworthy and
verify if their provided information is authentic or not. This basically provides all the
necessary information to the HR members so that they can make the right decision.
Exit Interview
In terms of security, an exit interview can be a powerful tool for gathering information
when an employee leaves the organization. This also includes termination of all the
accounts and collection of mobile devices supplied to the employee at the time of hiring.
Non-Disclosure Agreement (NDA)
The purpose of the Non-Disclosure Agreement (NDA) is to protect confidential
information that is disclosed, shared, received, or exchanged with customers, suppliers,
473
Chapter 05: Governance, Risk, and Compliance
and other parties. Therefore, an NDA should be used when individuals or companies
enter:



Consulting Engagements
Service Agreements
Strategic Alliance
A person can either construct a free-standing confidentiality agreement, depending
on the circumstances. An NDA binds a recipient to keep secret information from
being revealed to a third party or the general public. The following are examples of
confidential information:







Business and marketing plans, strategies, and programs
Financial budgets, projections, and results
Employee or contractor list and records
Business methods, operating, and production procedures
Technical, engineering, scientific research, development, methodology, devices,
and processes
Trade secrets and unpublished patent applications
Software development tools and documentation
Social Media Analysis
Social media analytics is the process of tracking, collecting, and analyzing data from
social networks and media channels. With the right tools, you can easily analyze and
track the social performance of the products and companies,
On-Boarding
On-Boarding refers to the hiring of new personnel in the organization. For account
management, the administrator needs to have an agreement and AUC (Acceptable Use
Policy) to be signed by the onboarding member. After the agreement signing step, the
administrator creates an account of the new member and puts him in an appropriate
access control group according to their requirement.
Off-Boarding
Prior to on-boarding, off-boarding refers to the removal of personnel from the
organization or group, or team. When the member is off-boarded, some proper steps
should be followed by the administrator; that is, the off-boarding personnel’s account
should be disabled (not deleted), and they should be removed from the access group.
Perform Routine Audits
Routine Auditing allows the administrator to check or to assure that the account
policies are being followed by everyone. It means that the administrator will check the
validation of all the accounts of the users and ensure if all members are in their
474
Chapter 05: Governance, Risk, and Compliance
respective groups. Routine auditing is necessary because of the timely On-Boarding and
Off-Boarding of the members. Some audits are automatic that automatically generate a
list of alerts.
Auditing
Auditing can be categorized into two main types; one is Permission Auditing, and the
second is Usage Auditing.


Permission Auditing-Type of auditing to ensure that every user has legit
permission or only the permission they need. It also assures that all the users are
in a proper group.
Usage Auditing-Type of auditing to assure that all the resources are being used
correctly and to review how and where the files are being stored and if the system
is secure.
User Training
Users are fundamental elements in the security defense of an organization. Users also
serve as a significant reason behind vulnerabilities. Therefore, it is necessary to have a
strong security defense that can be achieved by enforcing user training programs for
guiding the users to recognize between safe and unsafe computing behavior.
Gamification
Gamification is the use of game mechanics and game thinking to have interactions with
users in finding issues and inspiring them by introducing parts of competition and
reward.
Capture the Flag
A cybersecurity capture the flag may be a team-based competition during which
participants use cybersecurity tools and techniques to search out hidden clues or “flags.”
The team that locates the foremost flags throughout the event wins. These events are
usually beginner-level and open to the public.
Phishing Campaigns
A phishing campaign is an associate email scam designed to steal personal info from
victims. Cybercriminals use phishing, the fallacious plan to acquire sensitive
information comparable to master card details and login credentials, by disguising as a
trustworthy organization or prestigious person in email communication.
Phishing
The Phishing process is a technique in which a fake email that looks like an authentic
email is sent to a target host. When the recipient opens the link, he is enticed to provide
information. Typically, readers are redirected to fake web pages that resemble an official
475
Chapter 05: Governance, Risk, and Compliance
website. Because of the resemblance, the user provides sensitive information to a fake
website believing that it is an official website.
Spear Phishing
Spear Phishing is a type of phishing that focuses on a target. This is a targeted phishing
attack on an individual. Spear phishing generates a higher response rate compared to a
random phishing attack.
SMS Phishing
SMS phishing, also called Smishing, is the act of sending a short message to try to gain
sensitive information or installing malware like Trojan without the user’s knowledge.
The malware captures and transmits all the stored data such as credit card numbers,
bank account details, and other data like username, password, and email account. SMS
phishing occurs when a cell phone receives an SMS from a fake person or entity. Thus,
a user can easily ignore an SMS phishing attack.
Voice Phishing
The words phishing and voice create an attack known as Vishing. Instead of using
traditional attacks, fishers use an internet telephone service (VoIP) where, even if you
do not answer the phone call, the attacker can leave a voice message provoking a
response. A phone call can be from someone pretending to be from a charitable
organization, debt collection department, or healthcare department, or it can be a call
telling you that you have won a prize and demand money to collect it. The attacker's
aim is to collect sensitive information such as bank details, so they can access your
account or steal your identity.
Whaling
Whaling is a targeted attack at the senior management of a company, such as the CFO,
CEO, or other executives who have full access to sensitive data. Attackers use formal
emails and websites to make the communication appear as legitimate as possible.

Phishing Simulation – Phishing simulations guarantee your workers will find
and avoid phishing or social engineering threats. These styles of interactive
phishing tests can be a region of any security awareness training initiative and
permit your organization to check user information with a real-world scenario.
Phishing simulations add a robust dimension to awareness campaigns and
facilitate the method of coaching your legion of cyber experts
Computer-Based Training
Computer-based training is an automated pre-built training that will be doing in the
time that you schedule into your computer. This training generally includes video,
476
Chapter 05: Governance, Risk, and Compliance
audio, Q&A, and some games. Instead of using the proper training room, it gives the
same training environment as other platforms provide.
Role-Based Training
Role-based Access Control (RBAC) governs how information on a system is accessed
based on the subject's role. Role-based or task-based access restrictions describe a
subject's capacity to access an object in terms of his or her role or assigned tasks. Groups
are frequently used to achieve (role-BAC). Users do not have discretion over which
groups of objects they are authorized to access, and they are unable to move objects to
other subjects, making RBAC a sort of non-discretionary access control. RBAC is widely
used in businesses and is considered an industry-standard practice.
A bank, for example, may employ loan officers, tellers, and managers. As illustrated in
Figure 5-09, administrators can create a group called Loan Officers, add the user
accounts of each loan officer to it, and then provide suitable privileges to the group. If
the company recruits a new loan officer, administrators simply add the new loan
officer's account to the Loan Officers group, and the new employee is given the same
permissions as the existing loan officers in the group. Tellers and managers would be
subjected to comparable procedures by administrators.
Figure 5-09: Role-Based Access Control
477
Chapter 05: Governance, Risk, and Compliance
Role-based Awareness Training
Data Owner
One of the roles for which the training is offered is “Data Owner.” This designated post
is of executive level and has the responsibilities of administrating data and application.
System Administrator
The system administrator is the one who administrates the operation of the system.,
The responsibilities of a system administrator include modifying product access
privileges for other members, changing the operational roles of members, and
inviting/removing members to/from an organization. An organization can have more
than one administrator.
System Owner
A system owner is the one who purchases the subscription. A system owner has all the
privileges, including buying, upgrading, downgrading, and canceling subscriptions.
Also, modifying product access privileges and removing/inviting members from/to an
organization comes under his authority.
User
The users are those who have the least privilege access to the applications. As the name
implies, the users are the application users. Users can be categorized into two types
which are as follows:

Privileged User
A user who has a higher level of rights and permission is known as a “Privilege User.”
This may be an area manager or the one who creates a report. Someone has permission
to do a wider range of tasks. A database administrator is also an example of a privileged
user who needs database function access but not to all servers or operating system
options.

Executive User
A user who is holding the responsibility of overall application use and operation. He is
responsible for making a decision related to the usage of data or
applications.
NDA
NDA stands for Non-Disclosure Agreement that is a standard document of a
corporation that sets the boundaries of information and secret material of the company.
This agreement is responsible for controlling the disclosure of any secret or confidential
information to an unauthorized person or party.
478
Chapter 05: Governance, Risk, and Compliance
On-boarding
An important element when on-boarding a workforce is to assure that the workforce
must understand and be aware of its responsibilities related to securing information and
assets of the company.
Continuing Education
Advancement in technology and security is a continuous process. Therefore, proper
training and education are required for retaining skilled personnel in security. To
modify the skill set of the security personnel, the “Continuing Education” programs help
a lot.
Adverse Actions
When employees break the rules or policies, they face disciplinary action. The following
are the two sorts of adverse actions:

Zero Tolerance
When staff breach the rules or do not follow the regulations correctly, they will be
treated with zero tolerance. One of the benefits of this move is that the company
maintains a code of conduct, which leads to improved performance. There is also a
downside to this action, that is, the organization may lose an outstanding long-term
employee due to a single mistake under strict rules.

Discretionary Action
Adverse issues are examined by adopting the rule that is “violation will be punished
through a variety of HR actions including termination.” This is more challenging for the
management of the organization to figure out the correct adverse action. This action
offers flexibility to the valuable workforce member who made uncharacteristic mistakes.
General Security Policies
Social Media Network/Application
In today’s world, where everyone is connected to each other socially, the organization
needs social media policies for security purposes that establish a balance between the
company’s requirements and social media.
These policies represent the company’s requirements and expectations (company’s code
of conduct). It is part of social media policy that the confidential information of the
company should not be shared on social media, and it is the personal responsibility of
each employee to put only the information on social media that the company approves.
Personal Email
The policies that are used for a business email account by the company are known as
Personal Email Policies. Some companies allow their corporate email account for both
479
Chapter 05: Governance, Risk, and Compliance
personal and business use. Typically, business email addresses are for official use only.
All the policies related to the use of a business email account must be documented
properly.
Diversity of Training Techniques
IT security strategies for any organization that involves multiple security technologies
and devices are commonly referred to as Defense in depth. Defense in depth is an
assortment of multiple devices and security technologies in order to strengthen
security.
Vendor Diversity
When you have multiple suppliers, it creates vendor diversity and reduces the risk from
a particular supplier. Relying on a single vendor increases the risk factor. For example,
if you have two firewalls from two different vendors, it reduces risk and adds diversity
because you can turn to the other firewall in case something happens to one firewall or
if the firewall contains flaws.
Control Diversity
Control diversity is also significant since it provides tiered security, which aids in the
production of the desired outcome.
Administrative Control
Administrative control is by all means necessary. Administrative control includes all the
policies and procedures that are required to be followed by everyone in order to
maintain security.
Technical Control
Technical control is also essential to ensure that the hardware and software we use are
hardened or not. Active Directory authentication, firewall, and disk encryption are all
parts of technical control.
Third-Party Risk Management
The risk management framework used by third parties is identical to the risk
management framework used by a business internally. A third-party contract ensures
cost-effective and impartial outcomes. Both the organization and the third party must
be prepared and understand their roles, responsibilities, and restrictions well. Both
sides can assure effective productivity if they work together. Confidential information
should only be shared with identified personnel by third parties.
Key Challenges in Third-Party Risk Management


Increases the complexity of third-party network & it is management
Risk of failure to manage regulatory compliances
480
Chapter 05: Governance, Risk, and Compliance



Additional Cost for monitoring third-parties
Lack of collaboration among parties
Risk of information/data leakage
Minimum security requirements
Before acquiring services, having any agreement, or starting any process with the third
party, the organization must have to evaluate the agreed criteria, capabilities, roles,
responsibilities, limitations, and risks of the third parties.



The third-party assessor must be certified in Information Security Management
System (in accordance with ISO/IEC 27001: 2005).
Third parties should be willing to comply with the organization’s security
policies & procedures.
Third parties should have certified personnel in information security areas
(organizations should check the accuracy of third-party assessor’s
qualifications).
Key Components of Third-Party Risk Management Framework
Following are the key components of the Third-Party Risk Management (TPRM)
Framework.










Planning & Processes Definition
Segmentation & Screening
Qualification
Security & Permissions
Workflows
Risk Mitigation
Continuous Monitoring
Reports & Dashboard
Centralized Repository
Alert & Notification
Vendors
If you are a part of the company, then you are certainly required to connect with thirdparty vendors. These could be people that are providing the payroll for the organization,
customer relationship management, email marketing, etc. In each one of these
relationships, the company’s data will be shared with a third party. You will be required
to use the cloud-based service for sharing purposes.
From the security perspective, the understanding of the risk associated with providing
the data to the third party is very important. For simplification, you can categorize the
481
Chapter 05: Governance, Risk, and Compliance
risk for each individual vendor and then apply the security policies and procedure that
helps to protect against the highest risk vendors.
Supply Chain
In September 2015, the researchers found that many Cisco routers were infected by a
malicious firmware called “SYNful Knock.” This malicious firmware allows the threat
actor to gain backdoor access to the infrastructure devices, which creates trust issues.
End users realized that they need vendors in the supply chain that they can trust, so
they know exactly where this hardware is coming from. They also need to check and
make sure that these very critical devices are not connected to the Internet before
security is in place. It is always useful to verify in some way that the hardware and the
firmware inside of that hardware are secure.
Supply-Chain Management
It is crucial for organizations to consider the implications of non-secure software
beyond their corporate boundaries. The ease with which software components with
uncertain development processes can be combined to produce new applications has
built a complex and highly dynamic software supply chain (API management).
We utilize software that is being developed by a third party or accessed with or through
third-party libraries to enable or create functionality without having a clear
understanding of the origins of the software. This typically leads to a situation where
there is complex and highly dynamic software interaction taking place between and
among more than one service and system within an organization and between
organizations via Cloud.
This supply chain provides agility in the rapid development of applications to meet
customer’s demands. Therefore, it is important to assess all codes and services for
accurate and secure functioning, no matter where they are sourced.
Business Partners
Your organization may have a third party that you have work with very closely as a
business partner. There may be a direct network connection between your corporate
network and the network on the business partner side. Because of this relatively open
path, there could be significant security concerns that have to be addressed.
During communication with business partners, it is often difficult to identify malicious
activity. This monitor this behavior, there are some policies required to use. These
defined policies focus on what best practices are required for the connection between
your organization and business partner. The policies also handle the data between the
organizations and also provide the way to how to deal with Intellectual Property (IP).
482
Chapter 05: Governance, Risk, and Compliance
Service Level Agreement (SLA)
A Service Level Agreement (SLA) is a contract between a company and a third-party
vendor. The SLA outlines performance expectations and, in many cases, contains
consequences if the vendor fails to satisfy them. Many businesses, for example, rent
servers using cloud-based services. A vendor offers access to the servers and ensures
that they are operational. An SLA can be used by the organization to specify availability,
such as with the fewest possible interruptions. Keep in mind that while working with
third parties, a company should have a thorough understanding of its expectations and
ensure that the SLA addresses these criteria.
Interoperability Agreement
To provide products and services, every organization needs to work with a third party.
It is important to make an agreement before handling sensitive data of your
organization to a third party. The question that arises is why an organization would
share its sensitive data with a third party. One reason might be that the organization
may need a third party that provides web hosting, firewall management, or payroll
services to your organization.
ISA
ISA stands for Interconnection Security Agreement. A type of agreement that takes
place between the organization and the interconnected IT system. The requirements of
the security that are associated with the interconnection are documented in the ISA
agreement. The document is detailed with all the legitimate plans of action about how
the connection will be established, maintained, and disconnected by the two parties.
MOU/MOA
A Memorandum of Understanding (MOU) is a contract that can be bilateral or
multilateral, meaning it is between two or more parties. It is a form of agreement
between two or more parties that includes a "series of desired actions" aimed at
achieving a common objective.
Measurement System Analysis (MSA)
Measurement System Analysis (MSA) can be a structured procedure that we have a
tendency to use to assess the flexibility of a measuring system to produce sensible
quality data.
Master Service Agreement (MSA)
The terms that an organization will employ for future work are defined in a Master
Services Agreement (MSA). This simplifies ongoing engagements and SOWs because
the overall MSA is referenced in the SOW, eliminating the need to renegotiate terms.
483
Chapter 05: Governance, Risk, and Compliance
MSAs are common when organizations anticipate working together over a period of
time or when a support contract is created.
Business Partnership Agreement (BPA)
A Partnership Agreement defines as a contract between one or a lot of businesses or
people who are selecting to run a business together. Usually, every member can rouse
the initial business contributions corresponding to capital, intellectual property, real
property, or producing area to secure their valuable assets from cyber-attacks.
Note: Partnership Agreements outline the initial contribution and future contributions
that are expected of the partners.
End of Life (EOL) System
An 'End of Life system' is one that no longer functions or performs as planned. End-oflife systems can be caused by a variety of factors, including a lack of vendor support or
incompatibility with other system features. Because the vendor no longer assists it with
patches and updates, this vulnerability makes the system easy to target for an attacker.
End of Support (EOS)
EOS happens once software system updates, patches, and different styles of support are
no longer offered, leading to software changing into liable to future security
vulnerabilities.
Data
Classification
Data classification aids in the implementation of appropriate and effective security
procedures and controls to effectively secure information assets. The primary goal of
data categorization is to define the level of confidentiality, integrity, and availability
protection that each type of dataset requires. It is not a smart approach to consider
confidentiality as the only part of data security without also classifying the data. Data
classification aids in defining the Confidentiality, Integrity, and Availability
requirements (CIA).
484
Chapter 05: Governance, Risk, and Compliance
Figure 5-10: Security, Functionality, & Usability Triangle
The Level of Security in a System is a measurement of the system's security,
functionality, and usability. The Security, Functionality, and Usability triangle refers to
these three elements. Consider a ball in this triangle; if the ball is centered, it means all
three components are stronger. On the other hand, if the ball is closer to security, it
means the system is consuming more resources for security and feature, function, and
Usability requires attention. A secure system must provide strong protection along with
offering all services, features, and usability to the user.
The simplicity with which a high level of security is implemented has a direct impact on
the level of functionality and usability. With a drop in performance, the system becomes
less user-friendly. When designing an application or deploying security in a system,
security specialists must ensure that the application is functional and easy to use. The
triangle's three components must be balanced.
Data Classification Procedures
The processes required for proper data classification are outlined below:
1. Define classification levels.
2. Identify the criteria that determine the classification of data.
3. Identify data owners who are responsible for classifying data.
4. Identify the data custodians who are responsible for maintaining data and its
security level.
5. Indicate the security controls or protection mechanisms required for each
classification level.
6. Document any exceptions to the previous classification issues.
7. Indicate the methods that can be used to transfer custody of the information to
a different data owner.
485
Chapter 05: Governance, Risk, and Compliance
8. Establish a mechanism for reviewing classification and ownership on a regular
basis. Notify the data custodian of any modifications.
9. Indicate procedures for declassifying the data.
10. Integrate these issues into the security-awareness program so all employees
understand how to handle data at different classification levels.
Classifications Levels
There are no set guidelines for categorizing data levels. Here are a few different levels
of data classification.
1. Data classification for commercial businesses.
2. Data classification for the military.
Each classification should have its own set of handling requirements and procedures for
accessing, using, and destroying data.
Classification
Definition
Public
Disclosure is not welcome, but it
would not cause an adverse
impact on the company or
personnel
Sensitive
It requires higher than the
normal assurance of accuracy
and completeness
Private
The personal information for use
within a company
Confidential
For use within the company
Unclassified
Data is not sensitive or classified
Sensitive but
classified
Secret
Minor secret
Top secret
If disclosed, it could cause
serious damage to national
security
If disclosed, it could be crucial
damage to national security
486
Example
Upcoming
projects
Application
Commercial
business
Financial
information
Commercial
business
Human
resource
information
Trade secrets
Programming
code
Recruiting
information
Medical data
Commercial
business
Commercial
business
Military
Military
Military
Deployment
Military
plans for troops.
Spy
satellite Military
information
Chapter 05: Governance, Risk, and Compliance
Espionage data
Table 5-04: Commercial Business and Military Data Classifications
Governance
Data governance is the capability inside a corporation to assist shield for top-quality
data throughout the lifecycle. Data integrity, data security, availability, and consistency
are all part of this. It also involves people, procedures, and technology that help to
change how information is handled within the organization.
Data in Media
The physical protection of equipment, as well as the security needs relating to the media
where the data is stored, are both addressed by assets retained in the form of digital
media.
Additional security procedures are required for storage media such as hard disks,
backup tapes, and CDs to ensure the security of the data they carry. Controls should
ensure that data is not disclosed or modified by an unauthorized person.
Consider the following controls for media security:

Storage controls are the most common way to secure data on storage mediums,
including hard disks, magnetic tapes, and CDs. Encrypted keys should be used
to protect this consideration. When backup media is stored offshore, further
security precautions are required.
 Maintenance is a process that is carried out on a regular basis to guarantee that
the data stored on the storage medium is not corrupted or damaged. Media
handling methods should be used to assure maintenance.
 Usage instructions should be provided properly to users and operators to
handle the media.
 Media usage should comply with the established policies and procedures.
 Formatting the media is used to destroy data. Formatting may not totally
remove all data in a single session. For total data deletion, some of the standards
recommend formatting the media seven times.
Data in Hardware
Stealing is one of the most common threats that need to be addressed for personal
computers, laptops, or media protection.
To avoid being stolen, the following controls should be considered:

Cable locks are used to physically secure PCs and laptop computers. These locks
prevent the computer or laptop from being detached and stolen.
487
Chapter 05: Governance, Risk, and Compliance

Port protection ensures that unauthorized workers cannot access media
sharing devices such as CD-ROMs, floppy drives, USB, Wi-Fi ports, printers, and
scanners. The goal of port protection is to prevent unauthorized users from
downloading and transferring confidential information on a portable medium.
 Switches are used to prevent a malicious user from powering on/off the systems.
 BIOS checks help in password protection during the boot-up process so that
access to the operating system is controlled.
 Encryption secures folders and data, preventing unauthorized access and
change. Information can also be shared using encryption techniques via an
unsafe communication connection.
Data with Personnel
The information in the minds of people, employees, managers, and other related
individuals should also be secured. It can be secured and protected by training the
individuals about the risk and impact of disclosure of any information on an
organization. Individuals should avoid discussing confidential or personally identifiable
information in public areas, social networking platforms, unofficial organizations, or
exchanging information through publicly available channels as part of their social
engineering awareness and countermeasures.
Credential Management System
When SSO is not available, a credential management system centralizes the handling
of credentials. These solutions often enhance the capability of a standard directory
service's default capabilities. A credential management system, for example, might
maintain account passwords automatically, even if the accounts are in a third-party,
public cloud, or an on-premises directory service. Users can frequently check out
accounts for administrative needs using credential management systems. To prevent
the un-authentication process, the management system encrypts the credentials.
Consider an example of a Credential Manager tool within a Windows system. Users
enter their credentials into the Credential Manager, and the operating system collects
them and submits them automatically as needed. Users enter the URL, login, and
password when utilizing this for a website. When the user visits the website later, the
Credential Manager knows the URL and immediately delivers the credentials.
An organization's risk level rises when it has multiple methods and unmanaged
applications. When a single credential management system is implemented, it usually
improves efficiency and security.
When it comes to credential security, credential management is required. Instead of
being stored on the client, the credential should be stored on the server. Also,
credentials should not be transferred over the network in clear text (they should be
encrypted).
488
Chapter 05: Governance, Risk, and Compliance
Credential Policies
We can use username, password, and other credentials as a critical part of our data
security strategy. Without the proper credential management, the data would be
accessible to anyone. It is remarkable then how often the implementation of passwords
might be on a system. On several occasions, run an application that stores the password
as part of the application. This is unquestionably not a secure method of credential
management. Rather, all of the credentials must be stored on the server.
Personnel
In terms of privacy perspective, everyone wants to log into the system securely with
their personnel accounts. This is an account that is not shared with anyone, and the
only person who could be logging in with this account is the single owner of that
account.
One of the important security policies associated with these user accounts is that the
user does not have privileged access to the operating system.
Third-Party
The third-party accounts use to log into the external system. This is common when
accessing cloud-based systems which do not require the authentication method to
access the database.
This type of account is required when someone is logging into the cloud platform for
payroll, enterprise resource planning, etc. The business partners or vendors that log into
the local computer system usually use this account.
Note: The third-party accounts used by someone outside of the organization and could
be connected to the network from anywhere on the internet. In both of these situations,
it is mandatory to use some additional security features like authentication.
Devices
Sometimes, we need to define some additional credential policies for mobile devices by
deploying device certificates. This will easily identify that the device is a trusted piece
of hardware and the one that has already been validated by the security team. All those
security standards are managed through the Mobile Device Manager (MDM). MDM
provides a uniform set of policies for all mobile devices.
Account Types
User Account - This is a type of account that is most common among users and
associated with a single person. It allows limited access to the operating system. Each
user is assigned a particular identification number by the user account. Multi-users can
use the same computer for accessing their resources only by using a User Account,
which also keeps each user’s data secure from another unauthorized user. This means
489
Chapter 05: Governance, Risk, and Compliance
that by using the User Account, multi-user can log in to the same computer and but
they can only access their own resources.
Shared Account - As the name suggests, this account can be used by more than one
person. For example, some operating systems allow the user to log in to a guest account
(Guest Login). The shared account is difficult to manage because it is hard to identify
the person logging in. If the password of the shared account is changed, then everyone
needs to be notified that the password is changed, and this brings complexity to the
management of the password. It is recommended to use a User account on the system
rather than Shared Account.
Service Account - The operating system or services of the operating system use an
internal account that is referred to as Service Account. It is used to run a database or
web server. Used only on the local computer, and no user can log in interactively.
Different types of access permission can be set up for various services when using
Service Account, which means database and web server rights may vary from each other.
Some of the services accounts require a username and password, and some do not.
Privileged Account - Also known as Root account or an administrator. Generally, these
accounts can access the complete operating system. If you have to install application or
device drivers or have to manage hardware, then you need to log in to Privileged
Account.
Organizational Policies
Change Management
One of the key processes on which to focus in for improvement is change management.
Changes during a product’s life cycle can cause a lot of chaos if not treated properly and
appropriately. Changes can interrupt the development, testing, and release of products.
An organization should have a change control process that includes documenting and
understanding a change before attempting to implement it.
Request Control
The request control provides an organized framework for users to request changes,
managers to do cost-benefit analyses, and developers to prioritize actions.
Change Control
The change control process is used by developers to regenerate the situation
encountered by the user and analyze the appropriate changes to fix the situation. It also
provides an organized framework within which multiple developers can create and test
a solution before moving into a production environment.
As we know, documentation is always needed when we make configuration changes in
the future. Therefore, these documents should be changed with the system changes. In
490
Chapter 05: Governance, Risk, and Compliance
this section, we will discuss documenting the reasons for the change, change requests,
approval processes, maintenance windows, notifications, and final documentation of
the changes.
Document Reason for a Change
Every change in a network should be properly documented. Although, it is not an easy
duty to update the document concerning any changes that occur in the network. For
this, many organizations hire people to perform the responsibility. Some use software
to update the track.
Change Request
A change should start its process as a change request. This request will move through
various stages of the approval process and should include certain parts of information
that will guide those tasked by approving or denying it.
Configuration Procedures
The particular steps required to implement the change and the particular devices
involved should be detailed. Complete documentation must be produced and
submitted with a formal report to the change management board.
Rollback Process
Change is always fraught with risk. Before any changes are made, strategies for reversing
the modifications and recovering from any negative consequences of the changes
should be in place. Before implementing the modifications, those making them must be
fully educated on the rollback methods and demonstrate a thorough grasp of the
changes.
Potential Impact
One of the advantages of going through this procedure is that it can indicate systems
that need to be watched more closely for their reaction to the change as it happens.
Notification
When all systems that may be affected by the change are identified, system owners
should be notified of all changes that could potentially affect them.
Approval Process
The actual approval process will depend on the organization. Some organizations may
approve with a verbal statement of the change, while others may require
documentation. The main factor is that the change should reflect the company's overall
goals regarding network connectivity, disaster recovery, fault tolerance, security, and so
on.
Maintenance Window
491
Chapter 05: Governance, Risk, and Compliance
During the execution of modifications, a maintenance window is the amount of time a
system will be offline or unavailable. All affected systems should be reviewed for their
criticality in supporting mission-critical operations before this window of time is
specified.
Authorized Downtime
When the time required to make the change has been compared to the maximum
allowable downtime, a system may suffer, and the optimum time for the change is
identified, and thus the authorized downtime can be specified. These amounts help
reach a final decision on when the change will be made.
Notification of Change
When the change has been completed and sufficient time has passed for issues to
manifest themselves, all affected members should be notified that the change is
complete. At that time, these affected members can continue to monitor the situation
for any residual problems.
Documentation
The procedure is not finished until all of the paperwork is completed. In this case, the
following items should be updated to reflect the network's current state:



Network configurations
Additions to network
Physical location changes
Release Control
Once the changes are finalized, they must go through the release control procedure to
be approved for release. Before deploying the new software to production, ensure that
any code included as a programming help during the change process, such as debugging
code and backdoors, is deleted.
Asset Management
A general approach to operational information security requires organizations to focus
on systems as well as the people, data, and media. Systems security is another vital
component of operational security, and there are specific controls that can greatly help
system security throughout the system's lifecycle. Asset management can be separated
into two categories, each of which is briefly detailed below:
Configuration Management
Basic configuration management is responsible for activities such as preventing
superfluous services, deleting unwanted programs, enabling security features like
492
Chapter 05: Governance, Risk, and Compliance
firewalls, antivirus, and intrusion detection and prevention systems, and establishing
security and audit logs.
Baselining - The process of obtaining a snapshot of the current system security
configuration is known as security baselining. Baselining is a simple way to capture the
current security configuration of a system, which can be incredibly useful for
responding to a possible security event.
Vulnerability Management - Vulnerability management refers to regularly identifying
vulnerabilities, evaluating vulnerabilities, and taking steps to mitigate risks associated
with vulnerabilities. It is not possible to eliminate all the risks; similarly, it is also not
possible to eliminate all the vulnerabilities. However, an effective vulnerability
management program helps an organization that ensures regular evaluating
vulnerabilities and mitigating the vulnerabilities that represent the greatest risks.
493
Chapter 05: Governance, Risk, and Compliance
Mind Map
Figure 5-11: Mind Map
Risk Management Processes and Concepts
Risk management can also be called the “Decision Making Process.” All the components
like threat assessment, risk assessment, and security implementation approach
arranged within the process of business management describe the risk management
494
Chapter 05: Governance, Risk, and Compliance
Threat Assessment
An organized interpretation of threat that encounters a firm is known as Threat
assessment. Threats cannot be changed; however, the way it affects can be changed.
Therefore, threats are necessary to figure out.
Environment
The Environment is one of the biggest sources of threat to the system. There is a variety
of sources that cause an environmental change like weather, storm, flood, lightning, etc.
These environmental changes disrupt the normal operation of the system and increase
risk. To overcome this situation, make the system resilient so that it mitigates the risk
sources and reduces impacts on the enterprise.
Manmade
As the name implies, manmade threats are those threats caused by the action of a
person. These threats are the result of both the adverse action of the attacker and
accidents by the users. Therefore, appropriate control against intended and unintended
actions is necessary to deal with the risk of the system.
Risk Types
The risk can define the identifiable assets that could be affected by an attack. Several
types of risk can define, identify the threats and expose the disruption of service.
External Threat
The risk can occur from the external side of an organization where a hacker group tries
to access the data or might be a former employee of an organization.
Internal Threat
The risk could also be presented inside the organization. It might be the employees who
are coming to work every day or any partner. Some disgruntled employees have access
to the internals of the network. They can easily use this access to create a security event.
Legacy Systems
If you do not pay attention to the assets of your network, then those assets could be
used against you. The legacy system normally runs the outdated operating systems, and
the manufacturer no longer supports older software that you might find in your
network.
There may be significant security concerns with the software that is running on those
systems. As these devices become older, it becomes more difficult and complex to find
security patches.
495
Chapter 05: Governance, Risk, and Compliance
Multi-party
Sometimes, security breaches may involve more than one entity. It could be your
organization, and many others are involved because all of your networks are connected
in the same way.
In May of this year, the American Medical Collection Agency was a prime illustration of
this. This company handled debt collection for a variety of companies, and they suffered
a data breach that affected 24 million people. This collection agency was in charge of 23
different healthcare groups. As a result, one data breach impacted 23 additional
companies, forcing them to notify their consumers that their information had been
exposed.
Intellectual Property (IP) Theft
IP theft can be significant if an organization has a lot of IPs, such as an idea, inventions,
and creative expressions. Third parties could gain access to the intellectual property
through no fault. It could be that people have a mistake in how they set up permissions
in the cloud, and all of that information is available to the world.
It is also possible that someone is actively hacking your system to find this Intellectual
Property (IP) or someone inside the company who has access.
Software Compliance/Licensing
Another risky area of concern is software compliance in the organization and how you
are handle the application licensing. You should purchase a proper license according to
your organization's requirements. The unneeded license in the organization creates
some hurdles, such as:



The operational risk with too few licenses
The financial risk with budgeting and over-allocated licenses
Legal risk if proper licensing is not followed
Risk Management Strategies
Acceptance
Risk can be accepted. Risk acceptance is the practice of accepting the specific risk,
typically based on an organizational decision that may also weigh the cost versus the
benefits of dealing with the risk in another way.
Avoidance
It is possible to escape danger. Risk avoidance is the process of devising a plan to avoid
the occurrence of the risk in the issue.
496
Chapter 05: Governance, Risk, and Compliance
Transference
It is possible to transfer risk. The activity of passing on risk to another entity, such as an
insurance company, is known as risk transfer.

Cybersecurity Insurance - Cybersecurity insurance is intended to mitigate
losses from a spread of cyber incidents, as well as knowledge breaches, business
interruption, and network damage.
Mitigation
The majority of the development approaches covered in the preceding section include
a way for performing a risk analysis of the current development cycle. When a risk has
been recognized, a strategy for mitigating that risk should be devised. Furthermore, it
can document causes of risk that might be ignored or not addressed during a certain
phase of the development process.
Risk Monitoring
Risk monitoring is a continuous process that tracks and evaluates the levels of risk in an
organization. Along with monitoring itself, the discipline tracks evaluate the
effectiveness of risk management strategies. The findings that are produced by risk
monitoring processes can be used to assist in creating new strategies and updating
previous strategies that may have proved to be ineffective.
The objective of risk monitoring is to constantly track the risks that occur and the
effectiveness of the responses that are implemented by an organization. Monitoring can
help to ascertain whether the suitable policies were adopted, whether new risks can now
be identified, or whether the old strategies to do with these risks are still valid.
Monitoring is most important because the risk is not static.
Analyze Risks Associated with Cloud Infrastructure
A cloud-based system should be managed and approached as other outsourced
platforms, with the same types of concerns, risks, and audit/governance prerequisites
as an external hosting environment. Eventually, all risks related to a Cloud
infrastructure must be customized for their individual needs. Risks to consider include:





Policy and Organization Risks
Loss of Governance
Provider Lock-in
Compliance challenges
Provider Exit
497
Chapter 05: Governance, Risk, and Compliance
Risk Register
The risk register is something that contains the list of all the risks linked with the system
and all the information regarding those risks; for example, their Types to arrange them,
Mitigation factor, Possibility of occurrence, Impact to a business, etc.
Risk Matrix/Heat Map
Risk must communicate in a straightforward and easy-to-understand manner. It may
also be necessary to share risk information with others outside the organization. The
organization must agree on a set of risk management KPIs in order to be successful.
Using a risk scorecard is recommended. The impact and probability of each risk are
assessed separately, and then the outcomes are joined to give an indication of exposure
using a five-level scale in each of these quantities:





Minimal
Low
Moderate
High
Maximum
This enables a clear and simple graphical representation of project risks.
Likelihood
Minimal
Low
Moderate High Critical
1
2
3
4
5
A (almost certain)
H
H
E
E
E
B (likely)
M
H
H
E
E
C (possible)
L
M
H
E
E
D (unlikely)
L
L
M
H
E
E (rare)
L
L
M
H
H
Table 5-05: Risk Scorecard
Note:
E = Extreme Risk: Immediate action required to mitigate the risk or decide if not to
proceed.
H = High Risk: Action must be taken to compensate for the risk.
M= Moderate Risk: Action must be taken to monitor the risk.
L = Low Risk: Routine acceptance of the risk
498
Chapter 05: Governance, Risk, and Compliance
Risk Control Assessment
After detecting and identifying the risk, a risk heat map will be created to identify how
this risk will affect the organization. After that, the cybersecurity requirement will be
created around the identified risk. You can also determine the gaps that may be in the
security posture; this can require a formal audit to have someone in every aspect of the
organization. After identifying the gaps, you can easily build the security control that
would fill in all those risky areas.
The risk control assessment also determines if existing controls are compliant or noncompliant.
Note: Make plans to bring all of the security systems into the compliant domain.
Risk Control Self-Assessment
In a smaller organization, you may be able to do a self-assessment to be able to find the
gaps in the security posture.
Risk Awareness
Risk awareness is like a constantly changing battlefield. There is a constant change with
the type of risk that you have to prepare for, and there is also a new risk that is emerging
all the time. The amount of information on existing and newer threats are almost
overwhelming, and it takes constant study to stay up to date allows you to manage the
defense.
Note: Understanding how to recognize the security risk events and protect against
them is the responsibility of individuals.
Inherent Risk
Inherent risk is the risk that exists in the absence of security control. This means that
when there is no external influence, the system will experience a certain amount of risk.
In some models that describe inherent risk, you would also include your existing
security controls.
Residual Risk
The reason a company implements counter-measures is to reduce its overall risk to an
acceptable level. As no system or environment is 100 percent secure, which means there
is always some risk left over to deal with. This is called residual risk.
The residual risk is the combination of inherent risk that exist and the effectiveness of
security controls. After combining, you can add a firewall to provide additional security
controls that will then allow calculating the residual risk. Some models of residual risk
include some additional security controls that would add on top of what is already
existing.
499
Chapter 05: Governance, Risk, and Compliance
Control Risk
Control risk, also called internal control risk, is when the current internal control cannot
detect or fail to protect against significant error.
Risk Appetite
The type or the amount of risk that an organization is prepared to pursue, take or retain
is called Risk Appetite. An organization's risk appetite is its willingness to tolerate risk
within the environment. If a company is highly risk-averse, it may choose to run scans
more regularly to reduce the period between when a vulnerability is discovered and
when it is discovered by a scan.
Regulations that Affect Risk Posture
There are several constant sets of threats that you have to keep track of. From an IT
perspective, there is an extensive number of regulations affecting cybersecurity. Many
of these regulations are associated with protecting someone’s critical, sensitive, and
financial information.
Several regulations describe the disclosure of information breaches.


HIPAA – Health Insurance Portability and Accountability Act is a board
regulation that covers many different areas. From the risk and security
perspective, it provides the privacy of patient records. The record includes the
information from other sources, storage requirements, network security, and
how to protect the information against threats.
GDPR – General Data Protection Regulation, European Union-based data
protection, and privacy regulation. It ensures that personal data must be
protected and managed for privacy.
Risk Assessment
The process of determining potential risk based on mathematical and statistical design
is called risk assessment. For measuring the risk assessment value, any of the methods
can be adopted by the user. A simple technique is to calculate ALE (Annualized Loss
Expectancy) that generates the financial value of impact, and its calculation starts with
the measurement of SLE (Single Loss Expectancy).
Risk Assessment Types
There are two main types of risk assessment.
Qualitative - To subjectively figure out the impact of an action which affects a business
or program is known as “Qualitative Risk Assessment. Experienced and expert
judgments are needed to perform this assessment.
500
Chapter 05: Governance, Risk, and Compliance
Risk Factor
Impact
Annualized Rate
of Occurrence
Cost of
Controls
Overall Risk
Legacy
Windows
Clients
Medium
Low
Medium
Low
Untrained Staff
High
Medium
High
Medium
No Anti-Virus
Software
Medium
Low
Medium
Low
Table 5-06: Qualitative Risk Assessment
Quantitative - To objectively figure out the impact of an action which affects a business
or program is known as “Quantitative Risk Assessment.” In order to perform this
assessment, the use of models and metrics are involved commonly.
Likelihood of Occurrence
The “Likelihood of Occurrence,” which can be quantitative or qualitative, is the
probability of a specific danger occurring. When qualitatively stated, the likelihood of
recurrence is usually described on an annual basis in order to compare it to other yearly
measurements. It is utilized to generate rank-order results if it is described
quantitatively.
Supply Chain Assessment
All the organizations are required to look at not only the risk linked to a system but the
risk enclosed in a system. The process of exploration and identification of these risks is
known as “Supply Chain Assessment.”
Impact
When an incident or risk occurs, it creates an impact on an organization. The impact
can be a financial gain or instability, reputational rise and fall, and much more.




Financial gain/loss
Variation in reputation
Unavailability
Degradation
Some IT systems are used in the healthcare industry. As a result, any system malfunction
can result in the victim's damage or death. This loss or injury to life is an issue that the
substitute will not be able to remedy. To avoid impact, it is therefore vital to ensure that
the system is very unnecessary.

Property
501
Chapter 05: Governance, Risk, and Compliance
Unmitigated risks result in property damage. Property damage to an organization’s
property or other’s property and environmental damage caused due to the toxic release
in an industrial setting are all those damages that are caused by IT security failure.

Safety
“Protection against risk, danger, or injury” is how safety is defined. Safety concerns (as
a result of failure) increase losses and can cause work interruptions. Because computers
are now involved in every part of business, they can have an impact on safety.

Finance
The final arbiter of all work is 'Finance,' which assists us in keeping track of a score.
Profit can be used to quantify gain, whereas unchecked threats can be used to assess the
loss. When consequences exceed the projected costs associated with the planned
residual risks, it becomes a problem and has a negative impact on earnings.

Reputation
One of the essential values in marketing is Reputation. Junky history or shoddy record
ruins the company’s reputation and costs the company in client base and revenue. For
example, nobody wants to give up personal information or contract with a bank with a
junky history
Asset Value
The amount of money that is required to equate the value of an asset is known as ‘’Asset
Value.’’ The term Asset Value is commonly used with the term exposure factor for the
determination of SLE.
Single Loss Expectancy (SLE)
SLE refers to the loss value that is expected from an event. The mathematical formula
for calculating SLE is as follows:
SLE = asset value × exposure factor
The determination of the amount of loss of a resource is called the Exposure factor, or
we can say it is a measurement of the risk level of an asset (how much it is at risk).
Asset=Resource
Annualized Loss Expectancy (ALE)
ALE is determined by multiplying SLE and ARO after SLE has been calculated; the
mathematical formula is as follows:
ALE= SLE * ARO
Where;
502
Chapter 05: Governance, Risk, and Compliance
ARO stands for Annualized Rate of Occurrence, and it refers to the period of time the
event is supposed to take place in a year.
Annualized Rate of Occurrence (ARO)
The ARO is the amount of time the event takes to occur in a year or less; it can also be
called “events frequency in a standard year.”
For example: If the event is taking place twice in 15 years, then the ARO is 2/15
Disaster
When talking about the risk of an organization, the disaster is also necessary to discuss.
There are different types of disaster can be possible when handling the security risk.
Environmental
The environmental disaster threats could be a tornado, hurricane, earthquake, or severe
weather.
Person-made
There are some person-made threats possible. This may include human intent,
negligence, or error. These types of threats could also include severe disasters like arson,
crime, civil disorder, fires, riots, etc.
Internal and External
The disaster types can also be categorized in terms of internal and external threats.
The internal threats tend to be from the employees present in the organization.
The external threats come from outside of the organization.
Business Impact Analysis
The process of determining the source and relative impact value of a risk element is
known as business impact analysis. It also refers to the document that outlines the
sources of risk as well as the procedures for mitigating them.
Recovery Time Objective (RTO)
RTO stands for Recovery Time Objective, and it is the objective time for resuming
operations after an incident has occurred, as the name implies. More efforts and
coordination are required for a shorter RTO. As a result, the costs are higher. This word
is frequently used in disaster recovery and business continuity activities.
Recovery Point Objective (RPO)
RPO stands for Recovery Point Objective, which is defined as the time period that
represents the maximum period of acceptable data loss. It determines the backup
503
Chapter 05: Governance, Risk, and Compliance
frequency essential for preventing unacceptable data loss. The RPO answers how much
data loss is affordable.
Mean Time to Repair (MTTR)
Mean Time to Repair is the time required to repair a given failure. Mathematically,
MTTR is formulated below:
MTBF = Σ (start of downtime – start of uptime) / number of failures
Availability is defined as the time in which the system performs its intended function.
Its mathematical formula is as follows, and it is defined in terms of percentage.
Availability = MTBF / (MTBF + MTTR)
Mean Time Between Failure (MTBF)
Mean Time Between Failure (MTBF) is a measure of a system's reliability, and its
expression describes the average time between failures. MTBF is defined
mathematically as the arithmetic means of system failures, which is written as:
MTBF = Σ (start of downtime – start of uptime) / number of failures
Functional Recovery Plans
All businesses must prepare processes to develop IT disaster recovery plans within the
event IT systems to ensure the continuity of the business. The recovery procedures
should aim at restoring data, applications, and hardware in time to fulfill the
requirements of the recovery of business functions.
Single Point of Failure
The Single point of failure is defined as any of the system’s components whose
breakdown or flaw could result in the entire system’s breakdown. For example:


Fine for a small firm
A single connection to the internet
Disaster Recovery (DR) and Business Continuity (BC)
Most organizations cannot afford to be unable to perform their business processes for a
very long period. The tolerable downtime can be measured in minutes, hours, or days,
depending on the unique company. In some noncritical sectors, days may be acceptable.
Consequently, the organization needs such a plan that process regardless of what
happens around us. As introduced in the previous chapter, business continuity is the
term used to describe the processes enacted by an organization to ensure that its vital
business processes remain unaffected or can be quickly restored by experiencing a
serious incident.
504
Chapter 05: Governance, Risk, and Compliance
Disaster Recovery Sites
When a disaster strikes, it is usually too late to begin the response method. As a result,
catastrophe recovery sites must be constructed. There are numerous choices for
constructing a disaster recovery site, including a hot site, a warm site, and a cold site.
Disaster Recovery Plan (DRP)
After a human-caused or natural disaster, a Disaster Recovery Plan (DRP) is the process
of regaining access to data, hardware, and software needed to continue crucial business
activities (such as storm, flood, tornado, etc.). DRP's major goal is to quickly restore or
recover essential parts or elements of the business following a disaster or other incident.
DRP is part of a larger process known as business continuity planning.
The below steps can be used to build a disaster recovery plan:




Plan for an unexpected scenario: Form a team, perform a Business Impact
Analysis (BIA) for your technologies, identify a budget and figure out which
business processes are mission-critical.
Review your technologies: Set the recovery time objective and recovery point
objective, develop a technology plan, review vendor support contracts, and
create or review disaster recovery plans.
Build the communication plan: Finalize who needs to be contacted, figure out
primary and alternative contact methods, and ensure that everybody can work,
possibly from a backup location.
Coordinate with external entities: Communicate with external units such as
the police department, government agencies, partner companies, and the
community.
Mission Essential Functions
The security squad can use the important mission function to correctly build up
defenses for securing systems and data in a way that corresponds to the related risk. It
also ensures that service will be restored.
Identification of Critical Systems
The identification of the critical system is used in continuity planning to figure out what
you need to protect as part of the plan. The first step would be to make a list of all the
critical systems and identify the different processes running inside an organization.
After that, list down all of the business processes, including the accountability system,
manufacturing application, VoIP. It is also important to associate the tangible and
intangible assets and resources with the business processes.
505
Chapter 05: Governance, Risk, and Compliance
Site Risk Assessment
Site risk assessments are the chance evaluations that have been adjusted to a particular
location ad as they contain important data for that specific extend. Site-specific risk
assessment takes into consideration the reallocation and sort of extending and address
as it were the important dangers.
MindMap
Figure 5-12: MindMap
Privacy and Sensitive Data Concepts in Relation to Security
This section of the chapter focuses on the data privacy and sensitivity of data in terms
of security.
Organizational consequences of privacy breaches
The organizational consequences of privacy breaches include:
506
Chapter 05: Governance, Risk, and Compliance
Reputation damage
During every step of the information life cycle, there is a potential for a data breach.
One consequence of the data breach is damage to one’s reputation. If the organization
is not trusted to store the data then, it could have a negative impact on how other
organization might view. Additionally, there is also a negative impact on the products
and services.
Identity theft
One of the major concerns is that the data can be used for identity theft and easily taking
advantage of other people’s private information. If the data gets into the hands of a third
party, then it is an organizational responsibility to have a public disclosure. This activity
will create some credit monitoring costs. This will constantly monitor your
organization’s data.
Fines
There are some fines and lawsuits associated with the data breach.


In 2016, the company “Uber” had a data breach and did not disclose it. Instead,
Uber contacted the hackers that originally stole the data and paid them $100,000.
There was a lawsuit settlement from Uber of about $148 million
In 2017, “Equifax” had a data breach when the US government fined them over
$700 million
IP Theft
In the form of Intellectual Property, many organizations contain data that they have
generated themselves (IP). If someone has access to these trade secrets, they may be
able to use them for their own gain, ultimately putting you out of business.
Notifications of Breaches
In many cases, the discovery of these data breaches occurs inside of the organization
initially.
Escalation
Internal Escalation Process


Breaches are often found by a technician
Provide a process for making those finding known
External Escalation Process


Know when to ask for assistance from external resources
Security experts can find and stop an active breach
Breaches
507
Chapter 05: Governance, Risk, and Compliance
A data breach exposes confidential, sensitive, or protected info to an unauthorized
associate person. The files in an information breach are viewed and/or shared without
permission.
Public Notification and Disclosure
Once the initial phase of the escalation process is over, the public of the data breach
needs to be informed. There are a number of security breach notification laws in almost
every geography, all 50 US states, the European Union, Australia, and almost every
country has laws regarding public disclosure. Normally, these disclosures occur
relatively. However, there may be times when criminal investigations are underway, and
it may be more important to keep that information private until the investigation is
over.
Data Types
Classification
The data can be classified into the following categories:









Public
Private
Sensitive
Confidential
Critical
Proprietary
Personally Identifiable Information (PII)
Health and financial information
Government and customer data
Public
Public data refers to the data with no restrictions. The data can be easily viewed from
any source, location, and region across the world.
Private
Private data is used to limit access to public data. This may require a Non-Disclosure
Agreement (NDA). The data are only available for internal use.
Sensitive
Sensitive data is that classified data that has to be protected and is inaccessible to
outsiders unless given specifically granted permission. The information will be in
physical or electronic form; however, sensitive data can be considered as personal
information or data.
Confidential
508
Chapter 05: Governance, Risk, and Compliance
Confidential data is very sensitive data that allow only certain people have approved
access.
Critical
Critical data is the information that organizations hold essential for success or data that
needs to be preserved for regulative purposes. For example, customer data.
Proprietary
Proprietary data is a type of sensitive data and is considered the personal property of an
organization. It can include trade secrets, passwords, or often unique data of an
organization.
Personally Identifiable Information (PII)
This type of data can be used to identify an individual with the name, date of birth,
biometric information, etc.
Health Information
Sensitive health information comes into the category of Protect Health Information
(PHI). It holds the health-related information associated with an individual—for
example, health care records, health status, payment, insurance, etc.
Financial Information
Financial information is the knowledge regarding the monetary transactions of an
individual or business. The information may include the records of a business's financial
situation. They embrace commonplace reports such as the balance sheet, financial gain
or profit, and loss statements, and income statements.
Government Data
The information holds all the records that are done by the government in terms of
policies, agreements, projects, budgets, etc.
Customer Data
Customer data includes the details about the customer with respect to certain activities
that have been done, like the name of the purchased product, pricing, discount,
customer’s biodata, location, etc.
Privacy Enhancing Technologies
The application developers may have techniques that they can use to help keep data
safe and secure. Different ways of enhancing privacy are available in the security
domain.
509
Chapter 05: Governance, Risk, and Compliance
Data minimization
One way to enhance privacy is through the use of data minimization. Whenever you
require data to perform some functions, you can use the data minimization technique.
This is included in many different regulations like HIPAA that has a “Minimum
Necessary” rule and GDPR.
These techniques also minimize some of the information like cell phone numbers or
addresses from the registration process and also limit the internal data required to
perform some organizational tasks.
Data masking
One way to protect data is to simply hide it. This is called data masking. It is a way to
obfuscate data in a way that shows data exists; however, it does not allow you to see any
of the portions of data. This technique is helpful in protecting your Personally
Identifiable Information (PII), financial details, or any other sensitive data.
The data masking process hides the data from the screen and displays only relevant
information. However, it does exist in its complete form in the database. This technique
also allows you to control what exactly you want to display on the screen by defining
certain policies and permissions.
EXAM TIP: There are multiple techniques available for data masking, such as
substituting, shuffling, encryption, masking out, etc.
Figure 5-13: Before Masking
510
Chapter 05: Governance, Risk, and Compliance
Figure 5-14: After Masking
Tokenization
Tokenization is the way of using personal data without using the actual data. This is
when we take sensitive data and replace it with a completely different bit of data (nonsensitive placeholder) that is called a token.
A token provides a way to store the data in the database according to the SSN token
number and display it on the screen with some other number. You can easily use
tokenization many times in a day like it is used in credit card processing.
EXAM TIP: Tokenization is the hashing technique, not an encryption technique.
There is no need to care about the processing, memory, CPU, and any other type of
overhead.
Figure 5-15: Tokenization
511
Chapter 05: Governance, Risk, and Compliance
Anonymization
Anonymization is the process of making it difficult to correlate anything with the
preserved data. You can anonymize data in a variety of ways, including hashing it to
make it unreadable or using masking techniques to replace actual data with asterisks.
You can even anonymize portions of the data while leaving the rest intact. This is
especially important if you wish to conduct some sort of analysis.
The fundamental disadvantage of anonymization is that it is impossible to return to the
original data. After the data has been anonymized, it is stored with the desired hashes
and masking techniques in the data.
Pseudo-anonymization
The Pseudo-anonymization technique replaces personal information with pseudonyms.
This technique can convert the data back to its original shape if you need to provide it
for other processes. There are different replacements available for data protection. You
can display the same names with different alphabets every time. This technique also
helps to maintain consistency. If you need to access some particular record, you might
have a consistent replacement for this.
EXAM TIP: Pseudo-anonymization is a data protection technique used to maintain
statistical relationships.
Roles and Resposnibilities
There are many people in an organization responsible for data. Some of them are a
technician that works at a very low level with the data. However, there are many
responsibilities in the management layer of the organization.
Data owners
At the management level, there is a data owner who is responsible for a certain set of
data. The accountability of the specific data is often handled and managed by the data
owner. The Vice President (VP) of sales owns the customer relationship data, or there
might be a treasure in charge of the financial information of the organization.
Data controllers
Separating the people who process the data from the people who control the data is a
good idea. The data controllers are in charge of the data's processing purposes and
methods.
512
Chapter 05: Governance, Risk, and Compliance
Data processor
The data processors are working on behalf of the data controllers, or sometimes this can
be a third party.
For example, the payroll process within an organization can be utilized by the payroll
department and payroll company. The payroll department would play a role as a data
controller and defines the payroll amount and timeframe whereas, the payroll company
would act as a data processor and processes payroll and stores employee information.
Data custodian/steward
Data custodian/steward is one of the additional data roles. This will be responsible for
the accuracy of the data, for keeping all the data privacy and security associated with
the data that is stored in the system. This may include a user or a group of users that
will identify or set labels associated with data. The user groups will also keep track of all
the laws and regulations associated with data so that the organization complies with all
of those roles. They are also responsible for implementing the security control for the
data and determine who has accessed that information.
Data Protection Officer (DPO)
Data Protection Officer is the higher-level manager who is responsible for the
organization’s overall data privacy policies. DPO will define the exact privacy policies
for the organization and implement the processes and procedures.
Information Lifecycle
The entire life cycle of the information consists of:
Creation and receipt
The life cycle of the information starts with the creation and receipt of the data that is
used inside the organization or received from a third party.
Distribution
After the data has been created or received, it needs to be processed. Commonly, you
would sort the data and store it in the appropriate area.
Use
After setting up and storing the data, the data will be ready to be used. The data will
probably use to make business decisions, create products and services.
Maintenance
With several data source, regular, constant monitoring and maintenance procedure is
required to retrieve the data and transfer it to other location.
513
Chapter 05: Governance, Risk, and Compliance
Disposition
When the data are successfully retrieved and transferred, you need to archive it or find
a secure way to dispose of the data.
Creation and
receipt
Disposition
Distribution
Maintenance
Use
Figure 5-16: Information Life Cycle
Privacy Impact Assessment
Privacy Impact Assessment (PIA) is an organized way of figuring out the gap between
the needed privacy act and the actual privacy act. PIA ensures the compliance of the
process and system with the existing laws and regulations. It analyzes how the PII
(Personally Identifiable Information) is gathered, secured, and used. All this
information is provided to the users in the written privacy statement.
Terms of Agreement
There are several areas where you may learn more about how a company handles data.
One of these is during the agreement's term. This is a legal agreement, and before
utilizing a service, a user must agree to these terms and conditions.
Privacy Notice/ Privacy Policy
Privacy notice or privacy policy is a separate document required on where the
organization happens to do business. This document also defines how the organization
is going to manage the data that you provided to them and also gives you options on
what you can do to help protect data, and you can contact that organization for more
information.
514
Chapter 05: Governance, Risk, and Compliance
Mind Map
Figure 2-17: Mind Map
Data Security and Privacy Practices
Data Destruction and Media Sanitization
It is important to destroy the data that is no longer in use because that data or
information can be discovered and used by criminals in malicious activities like identity
theft, social engineering, etc. Dumpster diving is used by criminals for this purpose
because its value is well known to criminals.
For every organization, it is vital to have effective demolition and destruction policies
and associated procedures. The following are some methods of data destruction and
media sanitization.
515
Chapter 05: Governance, Risk, and Compliance
Burning
A method of destruction, which is regarded as a gold method, is referred to as Burning.
The data/media is carried out in a form that can be demolished by the fire, and then it
is burned. This is the process that is irreversible and makes the data be lost permanently.
Shredding
Shredding, which is also referred to as physical destruction, is the method of splitting
things into small chunks and then mixed making the reassembling impossible or
difficult. Everything that might be advantageous to a criminal or dumpster diver should
be shredded.
Pulping
Puling is the process of recombining a paper into a new paper by suspending a paper
fiber in a liquid. Once the paper is shredded, the pulping process erases the ink by
bleaching, and then those shredded pieces are recombined into new paper. This way,
the layout of the old paper is completely destroyed.
Pulverizing
Breaking things by external force into unusable pieces (that cannot be reconstructed) is
known as Pulverizing, which is also referred to as ‘Physical Process of Destruction.’ Used
for hard disk drives like items. Encryption is the modern approach to pulverizing. In
this method, the owner encrypts the drive’s data and destroys the key. This process
makes the data non-recoverable depending on the strength of encryption.
Degaussing
The files on a magnetic storage device can be destroyed magnetically, i.e., using a
magnetic field; this method is known as degaussing. This is a safe technique for
degaussing the data or media. In this method, the magnetic particles got realigned by
discarding the organized format that displayed the data.
Purging
A process of discarding and erasing data from the storage zone permanently is known
as purging. A key expression that reflects the purging is “removing data,” which is
planned to clear up the storage zone for re-use—for example, Circular Buffer.
Wiping
Wiping is the technique of repeatedly rewriting the media in storage with a 1's and 0's
pattern series to remove all traces of the original data or media. Because it is a nondestructive procedure, it is suitable for the method. Depending on the level of data
protection, several data wiping techniques are available with different passes, such as 3,
7, or 35.
516
Chapter 05: Governance, Risk, and Compliance
Data Sensitivity Labelling and Handling
Confidential
A ‘Confidential’ labeled data on exposure to an illegitimate or unauthorized party leads
to severe harm to the corporation. The data is specified by the policy that covers detail
regarding who possesses the authority to issue the data. Software Codes, Trade Secrets,
and Product Design are all included in confidential data.
Private
A ‘Private’ labeled data on exposure to an illegitimate or unauthorized party leads to
disruption or harm to the corporation. Private data is commonly related to the personal
data that belongs to an individual or less often with the corporation. The damage level
related to the private data is less as compared to the confidential data but still
significant.
Public
A ‘Public’ labeled data can be viewed by the public and carries no protection in regards
to confidentiality. Nevertheless, protection is still required for its integrity. For example,
Press Releases, Public Web Pages, etc., are all examples of public data.
Proprietary
‘Proprietary’ is something that is owned and controlled by an individual or organization.
Therefore, proprietary data is something that is confined to a business for competitive
use.
Proprietary labeled data can be shared with a group of users other than a competitor,
and the label of proprietary is for alerting the group not to further share that proprietary
data. For protecting proprietary data, the laws of secrecy, copyright, patent are used.
PII
Personally Identifiable Information (PII) is a term that refers to data that can be used to
identify a person. It refers to the data needed to distinguish or detect an individual's
identification, such as a person's name in combination with one or more of the
following:



Social security number
Driving License number
Account number or credit card number or other identifying information that is
linked to a specific person
In other words, a set of data elements that leads to the identity of a specific individual.
PII is mostly used in online transactions. There always exists a possibility that it can be
517
Chapter 05: Governance, Risk, and Compliance
misused by any unauthorized person or miscreant. Therefore, it is necessary to protect
that personal information.
PHI
Protected Health Information (PHI) refers to an individual's health information, such
as a health care record, a payment for health treatment, insurance information, and any
other medical-care-related information. The Health Insurance Portability and
Accountability Act (HIPAA) protects personal health information.
Data Retention
Data retention refers to the storage of data logs. Another important characteristic of
data retention is to determine what data needs to be stored and for how long. Data is
retained for multiple purposes like a contractual obligation, accounting, and billing,
warranty history, etc. However, storing data for a long period of time may cause risks if
not maintained properly.
Legal and Compliance
Some of the data security and privacy actions are retained under legal requirements and
regulatory compliance. An organization must have to follow regulations and standards
to meet data security. Following are some general-sector specific regulations:



Federal Information Security Management Act (FISMA), U.S
Security of Network and Information Systems (NIS Directive), Europe
General Data Protection Regulation (GDPR), Europe
518
Chapter 05: Governance, Risk, and Compliance
Mind Map
Figure 5-18: Mind Map
519
Chapter 05: Governance, Risk, and Compliance
Practice Questions
1. What is the purpose of Governance, Risk, and Compliance?
A. Achieve Objectives
B. Address Uncertainty
C. Act with Integrity
D. All of the above
2. Which of the following privacy breaches create credit monitoring costs?
A. Fines
B. Identity Theft
C. Reputation Damage
D. None of the above
3. Which of the following provides the storage for data logs?
A. Data Retention
B. Data Roles
C. Governance
D. All of the above
4. How many roles and responsibilities are there at the management layer of the
organization?
A. Seven
B. Six
C. Five
D. Four
5. Which of the following assessment ensures the compliance of the process and system
with the existing laws and regulations?
A. Risk Assessment
B. Risk Control Assessment
C. Impact Assessment
D. Privacy Impact Assessment
6. How many categories are there for security control?
A. Four
520
Chapter 05: Governance, Risk, and Compliance
B. Three
C. Two
D. Five
7. Which of the following security control type helps to detect physical security breaches?
A. Detective
B. Technical
C. Preventive
D. Corrective
8. The information lifecycle consists of ___________ strategies.
A. Four
B. Three
C. Five
D. Two
9. Which of the following agreement is used to protect confidential information?
A. Non-Disclosure Agreement
B. Service Level Agreement
C. Business Partnership Agreement
D. Interoperability Agreement
10. Which of the following is responsible to rapidly recover the disaster?
A. Disaster Recovery Sites
B. Mission Essential Functions
C. Disaster Recovery Plans
D. Business Continuity
11. Which of the following defines the security policies concern with the people associated
with the organization?
A. Personnel Security
B. Privacy Policies
C. Role and Responsibilities
D. Organizational Policies
12. How many account types can be included in the credential policies?
521
Chapter 05: Governance, Risk, and Compliance
A. Four
B. Three
C. Two
D. Six
13. Which of the following is also called rotation of duties or rotation of responsibilities?
A. Separation of Duties
B. Social Media Analysis
C. Phishing
D. Job Rotation
14. An organized interpretation of threat that encounters a firm is called
_________________.
A. Risk Monitoring
B. Risk Assessment
C. Threat Assessment
D. Supply Chain Assessment
15. How many types of Risk assessment are there?
A. One
B. Two
C. Three
D. Four
522
Appendix A: Answers
Answers
Chapter 01: Threats, Attacks, and Vulnerabilities
1. Answer: B
Ethical Hackers always require legal permission.
2. Answer: B
Gray Box penetration testing is a sort of penetration testing in which the pentester has
very little prior knowledge of the system and no information about the targets.
3. Answer: C
White Hat Hackers always have legal permission to perform penetration testing against
a target system.
4. Answer: C
Hacktivists draw attention to the target to deliver a message or promote an agenda.
5. Answer: A
Script Kiddies have no or very low knowledge about hacking.
6. Answer: C
White Box testing requires complete knowledge of a target.
7. Answer: D
Suicide Hackers are those who aim for destruction without worrying about punishment.
8. Answer: B and C
Penetration testing is required in an environment to perform an audit, find
vulnerabilities, and exploit them to address them before an attacker reaches them.
9. Answer: B
Gray Hats are those who work for both offensively and defensively.
10. Answer: B
523
Appendix A: Answers
The process of finding, quantifying, and prioritizing (or ranking) the vulnerabilities in
a system is known as vulnerability assessment.
11. Answer: A
The Black Box is a sort of penetration testing in which the pentester is blind or doubleblind tested, meaning that the pentester has no prior knowledge of the system or
information about the target.
12. Answer: D
Vulnerability is a weak point or loophole in any system or network, which can be
exploited by an attacker.
13. Answer: C
A Directory Traversal Attack is a sort of attack in which an attacker attempts to enter
restricted directories by applying dots and slash sequences in a trial and error technique.
The attacker can divulge sensitive information about the system by accessing folders
outside the root directory.
14. Answer: B
An attacker sends a response splitting request to the server in an HTTP Response
Splitting Attack. An attacker can add the header response in this manner. As a result,
the response will be split into two parts by the server. The attacker controls the second
response, which is used to redirect the visitor to a malicious website.
15. Answer: A
Active and passive reconnaissance methods are also popular for gaining information
about the target, either directly or indirectly. This phase's ultimate purpose is to
maintain contact with the target in order to obtain information without being
recognized or warned.
16. Answer: A
Footprinting is basically the collection of every possible information regarding the
target and target network.
17. Answer: A
524
Appendix A: Answers
Social engineering is a psychological manipulation approach used in information
security. This approach is used to acquire information from persons who are interfering
with you either directly or indirectly.
18. Answer: A
Every possible combination of characters is computed for the hash to create a rainbow
table. When a rainbow table contains all possible pre-computed hashes, the attacker
captures the password hash of the target and compares it with the rainbow table.
19. Answer: D
Meterpreter is a popular backdoor of the Metasploit framework. It is used to create a
control channel for lateral access after a successful attack.
20. Answer: C
Salting a password is the process of adding an extra character to it to make it a one-way
function. The inclusion of characters makes it more difficult to reverse the hash of the
password. The primary benefit or function of password salting is to protect against
dictionary and pre-computed attacks.
21. Answer: B
Malware stands for Malicious Software and is an abbreviation for it. Malware is a blanket
term that covers a wide range of potentially harmful software. This malicious program
was created with the intent of getting access to target machines, stealing data, and
causing harm to the target system.
525
Appendix A: Answers
Chapter 02: Architecture and Design
1. Answer: A
Being the oldest and most widely used technique in the domain of cryptography,
Symmetric Ciphers use the same secret key for the encryption and decryption of data.
2. Answer: A
Being the oldest and most widely used technique in the domain of cryptography,
Symmetric Ciphers use the same secret key for the encryption and decryption of data.
The most widely used symmetric ciphers are AES and DES.
3. Answer: B
Stream Cipher is a type of symmetric-key cipher that encrypts the plain text one by one.
4. Answer: B
The process of identifying weaknesses in an environment is known as vulnerability
assessment. Among the vulnerabilities are misconfigurations, default configurations,
buffer overflows, operating system flaws, Open Services flaws, and other flaws. To scan
a network for vulnerabilities, network administrators and pentesters can use a variety
of tools.
5. Answer: A
Creating a Baseline is a pre-assessment phase of the vulnerability assessment life-cycle
in which the pentester or network administrator who is performing the assessment
identifies the nature of the corporate network, the applications, and services. The
pentester creates an inventory of all resources and assets, which helps to manage,
prioritize the assessment. Furthermore, they also map the infrastructure, learns about
the security controls, policies, and standards followed by the organization.
6. Answer: D
Wireshark is the most popular Network Protocol Analyzer tool in commercial,
governmental, non-profit, and educational environments. It is a free and open-source
tool that runs natively on Windows, Linux, MAC, BSD, Solaris, and other platforms.
7. Answer: D
526
Appendix A: Answers
Non-Electronic Attacks, also known as Nontechnical Attacks, are attacks that do not
necessitate any technical understanding or knowledge. Shoulder surfing, social
engineering, and dumpster diving can all be used to carry out this type of attack.
8. Answer: B
In Dictionary Attack, to perform password cracking, a password cracking application is
used along with a dictionary file. This dictionary file contains an entire dictionary or list
of known and common words to attempt password recovery. It is the most fundamental
type of password cracking. When systems use strong, unique, and alphanumeric
passwords, they are usually not vulnerable to dictionary attacks.
9. Answer: A
Brute Force Attack tries every possible combination of characters to recover the
password. Until the password is accepted, each combination pattern is tried. Brute
forcing is the most common and basic method for obtaining passwords.
10. Answer: D
Password salting is the process of adding extra characters to a one-way function's
password. The addition of characters makes it more difficult to reverse the hash of the
password. The primary benefit or function of password salting is to defeat dictionary
and pre-computed attacks.
11. Answer: A
Every possible combination of characters is computed for the hash to create a rainbow
table. When a rainbow table contains all possible pre-computed hashes, the attacker
captures the password hash of the target and compares it with the rainbow table.
12. Answer: D
Meterpreter is a popular backdoor of the Metasploit framework. It is used to create a
control channel for lateral access after a successful attack.
13. Answer: C
Password salting is the process of adding an extra character to a password in order to
make it a one-way function. The addition of characters makes it more difficult to reverse
the hash of the password. The major advantage or primary function of password salting
is to defeat dictionary attacks and pre-computed attacks.
527
Appendix A: Answers
14. Answer: D
Microsoft's Internet Information Services is an extensible web server designed for use
with the Windows NT operating system. HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP, and
NNTP are all supported by IIS.
15. Answer: C
Directory Traversal Attack is a type of attack in which an attacker attempts to access
restricted directories through trial and error by using dots and slash sequences. The
attacker can obtain sensitive information about the system by accessing directories
other than the root directory.
16. Answer: B
HTTP Response Splitting Attack is a technique in which an attacker sends a request to
the server for response splitting. An attacker can add the header response in this
manner. As a result, the server will split the response into two responses. The second
response is under the control of the attacker so that the user can be redirected to the
malicious website.
17. Answer: B
Patches are pieces of software that are specially designed for fixing the issue.
18. Answer: A
The Microsoft Baseline Security Analyzer is a Microsoft-powered patch management
tool for Windows. MBSA detects missing security updates as well as common security
misconfigurations.
528
Appendix A: Answers
Chapter 03: Implementation
1. Answer: D
Internet Information Services is an extensible web server created by Microsoft to be
used with the Windows NT family. IIS supports HTTP, HTTP/2, HTTPS, FTP, FTPS,
SMTP and NNTP.
2. Answer: C
Directory Traversal Attack is a type of attack in which an attacker attempts using a trial
and error method to access restricted directories by applying dots and slash sequences.
By accessing the guides outside the root directory, the attacker can reveal sensitive
information about the system.
3. Answer: B
HTTP Response Splitting Attack is the technique in which an attacker sends a response
splitting request to the server. In this way, an attacker can add the header response. As
a result, the server will split the response into two answers. The second response is
under the attacker's control so that the user can be redirected to the malicious website.
4. Answer: A
A hotfix is a hot system specially designed for a live production environment where fixes
have been made outside a normal development and testing to address the issue.
5. Answer: B
Patches are pieces of software that are specially designed for fixing the issue.
6. Answer: A
Jailbreaking allows root access to an iOS device, which permits downloading unofficial
applications. Jailbreaking is famous for removing restrictions, installation of additional
software, malware injection, and software piracy.
7. Answer: A
In Tethered Jailbreaking, when the iOS device is rebooted, it will no longer have a
patched kernel. It may be stuck in a partially started state. With Tethered Jailbreaking,
a computer
must boot the device each time; i.e., the device is re-jailbroken each time. Using
Jailbreaking tool, the device is started with the patched kernel.
529
Appendix A: Answers
8. Answer: B
Blackberry App World is the official application distribution service.
9. Answer: A
The primary purpose of implementing Mobile Device Management (MDM) is to deploy,
maintain, and monitor mobile devices that make up BYOD solutions. Devices may
include laptops, smartphones, tablets, notebooks, or any other electronic device that
can be moved outside the corporate office to home or some public place and then gets
connected to the corporate office by some means.
10. Answer: A
Denial-of-Service (DoS) is an attack in which service offered by a system or a network
is denied. Services may be rejected, reducing the functionality or preventing access to
the resources even to legitimate users.
11. Answer: B
Service Request Flood is a DoS attack in which the attacker floods the request towards
a service such as a Web application or Web server until all the services are overloaded.
12. Answer: C
The Permanent Denial-of-Service Attack is the DoS attack, which instead of focusing on
the denial of services, focuses on hardware sabotage. Affected hardware by PDoS attack
become damaged and requires replacement or reinstallation of hardware. PDoS is
performed by a method known as "Phishing" that causes irreversible damage to the
hardware or "Bricking a system" by sending fraudulent hardware updates.
13. Answer: A
A Distributed-Reflection-Denial-of-Service Attack is the type of DoS attack in which
intermediary and Secondary victims are also involved in the process of launching a DoS
attack. The attacker sends requests to the intermediary victim, which redirects the
traffic towards the secondary victim. The secondary victim redirects the traffic toward
the target. The involvement of intermediary and secondary victims is for spoofing the
attack.
530
Appendix A: Answers
Chapter 04: Operations and Incident Response
1. Answer: A
Explanation: Determines TCP/IP and network adapter information and some
additional IP details. In Windows, the command used is “ipconfig” whereas, in Linux
and Mac, the command used is “ifconfig.”
2. Answer: C
Explanation: NetFlow is one of the standardized methods of gathering network
statistics from switches, routers, and other devices on the network. The NetFlow
information is usually consolidated onto a central NetFlow server, and you can view the
information across all of the devices on a single management console.
3. Answer: D
Explanation: A cache is a temporary storage area designed to speed up the performance
of an application or an operating system.
There are many different kinds of cache, including CPU cache, disk cache, cache for a
browser, and cache connected to the network.
4. Answer:
B
Explanation: SOAR stands for Security Orchestration, Automation, and Response
(SOAR). SOAR platforms are a collection of security tools and programs that let you
search and collect data from a variety of sources. SOAR systems then use a combination
of human and machine learning to understand and prioritize incident response
activities based on this heterogeneous data.
Using SOAR, an administrator can integrate multiple third-party tools and have them
all work together. The integration is based on the runbooks.
5. Answer: D
Explanation: OpenSSL is a library and a series of utilities that allow you to manage SSL
and TLS certificates into the systems. If you are building a Certificate Authority (CA)
inside the company, you must create X.509 certificates. Users will send the Certificate
Signing Requests (CSRs), and you will have to manage the certificates revocation list
(CRLs). This can be done by the utilities available in OpenSSL.
OpenSSL also includes cryptographic libraries that can be used to conduct hashing
operations on a variety of hashing methods. You can also use OpenSSL's built-in
encryption and decryption features.
6. Answer: B
531
Appendix A: Answers
Explanation: ARP stands for Address Resolution Protocol, which is a stateless protocol
used within a broadcast domain to ensure communication by resolving the IP address
to MAC address mapping. It is in charge of L3 to L2 address mappings. ARP protocol
ensures the binding of IP addresses and MAC addresses.
7. Answer: A
Explanation: The Mobile Device Manager (MDM) can allow or deny access to mobile
devices. The MDM allows the IT security administrator to set policies on all mobile
devices and always protect the devices from malicious software.
8. Answer: C
Explanation: Protocol analyzers are generally used to troubleshoot complex
application problems because they collect every bit from the network and provide a
breakdown of exactly what is going across those particular network links.
The protocol analyzer can also be used on wireless networks or wide area networks as
well. This analyzer provides detailed information such as unknown traffic, verifying
packet filtering and security control, and gives the plain-language description of the
application data.
9. Answer: D
Explanation: If the endpoint security software recognizes an application that seems to
have malicious software, it can remove that from the system and place it into a
quarantine area. This can be a folder on the existing system where no applications are
allowed to run.
10. Answer: A
Explanation: There is a legal mechanism used to gather information called discovering.
When this mechanism applies to digital technologies, it is referred to as Electronic
discovery (E-discovery). This process gathers the data. Hence there is no need to
examine or analyze the information. For data, you are simply required to search from
the list of information that is being requested.
11. Answer: B
Explanation: There are two ways to providing non-repudiation:


Message Authentication Code (MAC) – With MAC, the two parties that are
communicating back and forth are the two that can verify that non-repudiation.
Digital Signature – Anyone who has access to the public key of the person who
wrote the information can verify that they can use it.
12. Answer: D
532
Appendix A: Answers
Explanation: SIEM allows you to analyze the data to create security alerts and realtime information about what is happening on the network right now. Since you can
collect all the information and aggregate it into a single place and create long-term
storage to easily create some extensive reports over a long period of time.
13. Answer: B
Explanation: There are four types of vulnerability assessment. These are:




Active Assessment
Passive Assessment
External Assessment
Internal Assessment
14. Answer: A
Explanation: WinHex is the third-party editor tool that can provide the raw
representation of the dump files. All information is displayed in hexadecimal mode. This
will help you pull and edit information located in the file, memory, disk, etc.
WinHex also has disk cloning capabilities, which allow you to copy all of the data from
a file and save it as an image file or copy it to a different storage device. Additionally,
WinHex makes it simple to do secure wipes, ensuring that all data in the file is
completely deleted and cannot be recovered using third-party programs.
15. Answer: C
Explanation: WinHex is the third-party editor tool that can provide the raw
representation of the dump files. All information is displayed in hexadecimal mode. This
will help you pull and edit information located in the file, memory, disk, etc.
There are also disk cloning capabilities built into WinHex that help you copy all the data
from a file and store that data into the image file or copy it to a separate storage device.
Also, you can easily perform secure wipes with WinHex to ensure that all the
information that exists within the file will be completed wiped will not be recoverable
with third-party utilities.
533
Appendix A: Answers
Chapter 05: Governance, Risk, and Compliance
1. Answer: D
Explanation: The Governance, Risk, and Compliance (GRC) is a combined collection
of potentials that allows the organizations and companies to reliably achieve ethical
management, minimizing the risk of failures, and ensuring the organization complying
with state requirements.
2. Answer: B
Explanation: One of the major concerns is that the data can be used for identity theft
and easily taking advantage of other people’s private information. If the data gets into
the hands of a third party, then it is an organizational responsibility to have a public
disclosure. This activity will create some credit monitoring costs. This will constantly
monitor your organization’s data.
3. Answer: A
Explanation: Data retention refers to the storage of data logs. Another important
characteristic of data retention is to determine what data needs to be stored and for how
long. Data is retained for multiple purposes like a contractual obligation, accounting,
and billing, warranty history, etc.
4. Answer:
C
Explanation: There are five roles and responsibilities available at the management
layer of the organization.





Data Owners
Data Controllers
Data Processor
Data Custodian/Steward
Data Protection Officer (DPO)
5. Answer: D
Explanation: The Privacy Impact Assessment (PIA) is a method of determining the gap
between the required and existing privacy legislation. PIA guarantees that the process
and system comply with all applicable rules and regulations. It examines how personally
identifiable information (PII) is collected, stored, and used. The users are given all of
this information in a written privacy statement.
6. Answer: B
Explanation: The security controls are categorized at different levels:

Technical
534
Appendix A: Answers


Management
Operational
7. Answer: A
Explanation: Detective Control helps to detect a physical security breach. It alerts the
operator to specific conditions and acts during an event.
8 Answer: C
Explanation: The entire life cycle of the information consists of:





Creation and Receipt
Distribution
Use
Maintenance
Disposition
9. Answer: A
Explanation: The purpose of a Non-Disclosure Agreement (NDA) is to protect
confidential information that is disclosed, shared, received, or exchanged with
customers, suppliers, and other parties.
10. Answer: C
Explanation: Disaster Recovery Plan (DRP) is the process of recovering access to data,
hardware, and software necessary to continue critical business operations after a
human-induced or natural disaster (such as storm, flood, tornado, etc.). The main
purpose of DRP is to rapidly re-establish or recover critical areas or elements of the
business after a disaster or similar incident.
11. Answer: A
Explanation: Personnel security policies concern people associated with the
organization, such as employees, contractors, consultants, and users.
These policies involve the following:




Screening processes to validate security requirements
Understanding their security responsibilities
Understanding their suitability to security roles
Reducing the risk of theft, fraud, or the misuse of facilities
12. Answer: A
Explanation: There are four account types included in the credential policies.


User Account
Shared Account
535
Appendix A: Answers


Service Account
Privileged Account
13. Answer: D
Explanation: Job rotation, also known as a rotation of duties or rotation of
responsibilities, helps an organization to mitigate the risk associated with any individual
having too many privileges. Rotation of duties simply requires that one person does not
perform critical functions or responsibilities for an extended period of time. For
example, an accountant might move from payroll to accounts payable and then to
accounts receivable. The primary goal of job rotation is to reduce the length of one
person being in a certain job for too long minimizes the chances of errors or malicious
actions going undetected. Job rotation can also be used to cross-train members of teams
to minimize the impact of an unexpected leave of absence.
14. Answer: C
Explanation: Threat assessment is a systematic interpretation of a threat that comes
into contact with a company. Threats cannot be changed, but the way they influence
people can. As a result, threats must be identified.
15. Answer: B
Explanation: There are two main types of risk assessment.


Qualitative - To subjectively figure out the impact of an action which affects a
business or program is known as “Qualitative Risk Assessment.” Experienced and
expert judgments are needed to perform this assessment.
Quantitative - To objectively figure out the impact of an action which affects a
business or program is known as “Quantitative Risk Assessment.” In order to perform
this assessment, the use of models and metrics are involved commonly.
536
Appendix B: Acronyms
Acronyms
3DES
Triple Digital Encryption Algorithm
AAA
Authentication, Authorization, and Accounting
ABAC
Attribute-based Access Control
ACL
Access Control List AD Active Directory
AES
Advanced Encryption Standard
AES256
Advanced Encryption Standards 256bit
AH
Authentication Header AI Artificial Intelligence
AIS
Automated Indicator Sharing
ALE
Annualized Loss Expectancy
AP
Access Point
API
Application Programming Interface
APT
Advanced Persistent Threat
ARO
Annualized Rate of Occurrence
ARP
Address Resolution Protocol
ASLR
Address Space Layout Randomization
ASP
Active Server Pages
ATT&CK
Adversarial Tactics, Techniques, and Common Knowledge
AUP
Acceptable Use Policy
AV
Antivirus
BASH
Bourne Again Shell
BCP
Business Continuity Planning
BGP
Border Gateway Protocol
BIA
Business Impact Analysis
BIOS
Basic Input/Output System
BPA
Business Partnership Agreement
BPDU
Bridge Protocol Data Unit
BSSID
Basic Service Set Identifier
BYOD
Bring Your Own Device
537
Appendix B: Acronyms
CA
Certificate Authority
CAC
Common Access Card
CAPTCHA
Humans Apart
Completely Automated Public Turing Test to Tell Computers and
CAR
Corrective Action Report
CASB
Cloud Access Security Broker
CBC
Cipher Block Chaining
CBT
Computer-based Training
CCMP
Counter-Mode/CBC-MAC Protocol
CCTV
Closed-Circuit Television
CERT
Computer Emergency Response Team
CFB
Cipher Feedback
CHAP
Challenge-Handshake Authentication Protocol
CIO
Chief Information Officer
CIRT
Computer Incident Response Team
CIS
Center for Internet Security
CMS
Content Management System
CN
Common Name
COOP
Continuity of Operations Planning
COPE
Corporate-owned Personally Enabled
CP
Contingency Planning
CRC
Cyclic Redundancy Check
CRL
Certificate Revocation List
CSA
Cloud Security Alliance
CSIRT
Computer Security Incident Response Team
CSO
Chief Security Officer
CSP
Cloud Service Provider
CSR
Certificate Signing Request
CSRF
Cross-Site Request Forgery
CSU
Channel Service Unit
538
Appendix B: Acronyms
CTM
Counter-Mode
CTO
Chief Technology Officer
CVE
Common Vulnerabilities and Exposures
CVSS
Common Vulnerability Scoring System
CYOD
Choose Your Own Device
DAC
Discretionary Access Control
DBA
Database Administrator
DDoS
Distributed Denial-of-Service
DEP
Data Execution Prevention
DER
Distinguished Encoding Rules
DES
Data Encryption Standard
DHCP
Dynamic Host Configuration Protocol
DHE
Diffie-Hellman Ephemeral
DKIM
Domain Keys Identified Mail
DLL
Dynamic Link Library
DLP
Data Loss Prevention
DMARC
Domain Message Authentication Reporting and Conformance
DMZ
Demilitarized Zone
DNAT
Destination Network Address Transaction
DNS
Domain Name System
DNSSEC
Domain Name System Security Extensions
DoS
Denial-of-Service
DPO
Data Protection Officer
DRP
Disaster Recovery Plan
DSA
Digital Signature Algorithm
DSL
Digital Subscriber Line
EAP
Extensible Authentication Protocol
ECB
Electronic Code Book
ECC
Elliptic-curve Cryptography
ECDHE
Elliptic-curve Diffie-Hellman Ephemeral
539
Appendix B: Acronyms
ECDSA
Elliptic-curve Digital Signature Algorithm
EDR
Endpoint Detection and Response
EFS
Encrypted File System
EIP
Extended Instruction Pointer
EOL
End of Life
EOS
End of Service
ERP
Enterprise Resource Planning
ESN
Electronic Serial Number
ESP
Encapsulating Security Payload
ESSID
Extended Service Set Identifier
FACL
File System Access Control List
FDE
Full Disk Encryption
FIM
File Integrity Monitoring
FPGA
Field Programmable Gate Array
FRR
False Rejection Rate
FTP
File Transfer Protocol
FTPS
Secured File Transfer Protocol
GCM
Galois/Counter Mode
GDPR
General Data Protection Regulation
GPG
GNU Privacy Guard
GPO
Group Policy Object
GPS
Global Positioning System
GPU
Graphics Processing Unit
GRE
Generic Routing Encapsulation
HA
High Availability
HDD
Hard Disk Drive
HIDS
Host-based Intrusion Detection System
HIPS
Host-based Intrusion Prevention System
HMAC
Hash-based Message Authentication Code
HOTP
HMAC-based One-time Password
540
Appendix B: Acronyms
HSM
Hardware Security Module
HSMaaS
Hardware Security Module as a Service
HTML
Hypertext Markup Language
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol Secure
HVAC
Heating, Ventilation, Air Conditioning
IaaS
Infrastructure as a Service
IAM
Identity and Access Management
ICMP
Internet Control Message Protocol
ICS
Industrial Control Systems
IDEA
International Data Encryption Algorithm
IDF
Intermediate Distribution Frame
IdP
Identity Provider
IDS
Intrusion Detection System
IEEE
Institute of Electrical and Electronics Engineers
IKE
Internet Key Exchange
IM
Instant Messaging
IMAP4
Internet Message Access Protocol v4
IoC
Indicators of Compromise
IoT
Internet of Things
IP
Internet Protocol
IPS
Intrusion Prevention System
IPSec
Internet Protocol Security
IR
Incident Response
IRC
Internet Relay Chat
IRP
Incident Response Plan
ISA
Interconnection Security Agreement
ISFW
Internal Segmentation Firewall
ISO
International Organization for Standardization
ISP
Internet Service Provider
541
Appendix B: Acronyms
ISSO
Information Systems Security Officer
ITCP IT
Contingency Plan
IV
Initialization Vector
KDC
Key Distribution Center
KEK
Key Encryption Key
L2TP
Layer 2 Tunneling Protocol
LAN
Local Area Network
LDAP
Lightweight Directory Access Protocol
LEAP
Lightweight Extensible Authentication Protocol
MaaS
Monitoring as a Service
MAC
Media Access Control
MAM
Mobile Application Management
MAN
Metropolitan Area Network
MBR
Master Boot Record
MD5
Message Digest 5
MDF
Main Distribution Frame
MDM
Mobile Device Management
MFA
Multifactor Authentication
MFD
Multifunction Device
MFP
Multifunction Printer
MITM
Man-in-the-Middle
ML
Machine Learning
MMS
Multimedia Message Service
MOA
Memorandum of Agreement
MOU
Memorandum of Understanding
MPLS
Multiprotocol Label Switching
MSA
Measurement Systems Analysis
MSCHAP
Microsoft Challenge Handshake Authentication Protocol
MSP
Managed Service Provider
MSSP
Managed Security Service Provider
542
Appendix B: Acronyms
MTBF
Mean Time Between Failures
MTTF
Mean Time to Failure
MTTR
Mean Time to Repair
MTU
Maximum Transmission Unit
NAC
Network Access Control
NAS
Network-attached Storage
NAT
Network Address Translation
NDA
Non-disclosure Agreement
NFC
Near-field Communication
NFV
Network Function Virtualization
NGFW
Next-generation Firewall
NG-SWG
Next-generation Secure Web Gateway
NIC
Network Interface Card
NIDS
Network-based Intrusion Detection System
NIPS
Network-based Intrusion Prevention System
NIST
National Institute of Standards & Technology
NOC
Network Operations Center
NTFS
New Technology File System
NTLM
New Technology LAN Manager
NTP
Network Time Protocol
OAUTH
Open Authentication
OCSP
Online Certificate Status Protocol
OID
Object Identifier
OS
Operating System
OSI
Open Systems Interconnection
OSINT
Open-source Intelligence
OSPF
Open Shortest Path First
OT
Operational Technology
OTA
Over-The-Air
OTG
On-The-Go
543
Appendix B: Acronyms
OVAL
Open Vulnerability and Assessment Language
OWASP
Open Web Application Security Project P12 PKCS #12
P2P
Peer-to-Peer
PaaS
Platform as a Service
PAC
Proxy Auto Configuration
PAM
Privileged Access Management
PAM
Pluggable Authentication Modules
PAP
Password Authentication Protocol
PAT
Port Address Translation
PBKDF2
Password-based Key Derivation Function 2
PBX
Private Branch Exchange
PCAP
Packet Capture
PCI DSS
Payment Card Industry Data Security Standard
PDU
Power Distribution Unit
PE
Portable Executable
PEAP
Protected Extensible Authentication Protocol
PED
Portable Electronic Device
PEM
Privacy Enhanced Mail
PFS
Perfect Forward Secrecy
PGP
Pretty Good Privacy
PHI
Personal Health Information
PII
Personally Identifiable Information
PIN
Personal Identification Number
PIV
Personal Identity Verification
PKCS
Public Key Cryptography Standards
PKI
Public Key Infrastructure
PoC
Proof of Concept
POP
Post Office Protocol
POTS
Plain Old Telephone Service
PPP
Point-to-Point Protocol
544
Appendix B: Acronyms
PPTP
Point-to-Point Tunneling Protocol
PSK
Pre-shared Key
PTZ
Pan-Tilt-Zoom
PUP
Potentially Unwanted Program
QA
Quality Assurance
QoS
Quality of Service
PUP
Potentially Unwanted Program
RA
Registration Authority
RAD
Rapid Application Development
RADIUS
Remote Authentication Dial-in User Service
RAID
Redundant Array of Inexpensive Disks
RAM
Random Access Memory
RAS
Remote Access Server
RAT
Remote Access Trojan
RC4
Rivest Cipher version 4
RCS
Rich Communication Services
RFC
Request for Comments
RFID
Radio Frequency Identifier
RIPEMD
RACE Integrity Primitives Evaluation Message Digest
ROI
Return on Investment
RPO
Recovery Point Objective
RSA
Rivest, Shamir, & Adleman
RTBH
Remotely Triggered Black Hole
RTO
Recovery Time Objective
RTOS
Real-time Operating System
RTP
Real-time Transport Protocol
S/MIME
Secure/Multipurpose Internet Mail Extensions
SaaS
Software as a Service
SAE
Simultaneous Authentication of Equals
SAML
Security Assertions Markup Language
545
Appendix B: Acronyms
SCADA
Supervisory Control and Data Acquisition
SCAP
Security Content Automation Protocol
SCEP
Simple Certificate Enrollment Protocol
SDK
Software Development Kit
SDLC
Software Development Life Cycle
SDLM
Software Development Life-cycle Methodology
SDN
Software-defined Networking
SDP
Service Delivery Platform
SDV
Software-defined Visibility
SED
Self-Encrypting Drives
SEH
Structured Exception Handling
SFTP
SSH File Transfer Protocol
SHA
Secure Hashing Algorithm
S-HTTP
Secure Hypertext Transfer Protocol
SIEM
Security Information and Event Management
SIM
Subscriber Identity Module
SIP
Session Initiation Protocol
SLA
Service-level Agreement
SLE
Single Loss Expectancy
SMB
Server Message Block
S/MIME
Secure/Multipurpose Internet Mail Extensions
SMS
Short Message Service
SMTP
Simple Mail Transfer Protocol
SMTPS
Simple Mail Transfer Protocol Secure
SNMP
Simple Network Management Protocol
SOAP
Simple Object Access Protocol
SOAR
Security Orchestration, Automation, Response
SoC
System on Chip
SOC
Security Operations Center
SPF
Sender Policy Framework
546
Appendix B: Acronyms
SPIM
Spam over Internet Messaging
SQL
Structured Query Language
SQLi
SQL Injection
SRTP
Secure Real-time Transport Protocol
SSD
Solid State Drive
SSH
Secure Shell
SSID
Service Set Identifier
SSL
Secure Sockets Layer
SSO
Single Sign-on
STIX
Structured Threat Information eXpression
STP
Shielded Twisted Pair
SWG
Secure Web Gateway
TACACS+
Terminal Access Controller Access Control System
TAXII
Trusted Automated eXchange of Indicator Information
TCP/IP
Transmission Control Protocol/Internet Protocol
TGT
Ticket Granting Ticket
TKIP
Temporal Key Integrity Protocol
TLS
Transport Layer Security
TOTP
Time-based One Time Password
TPM
Trusted Platform Module
TSIG
Transaction Signature
TTP
Tactics, Techniques, and Procedures
UAT
User Acceptance Testing
UAV
Unmanned Aerial Vehicle
UDP
User Datagram Protocol
UEBA
User and Entity Behavior Analytics
UEFI
Unified Extensible Firmware Interface
UEM
Unified Endpoint Management
UPS
Uninterruptable Power Supply
URI
Uniform Resource Identifier
547
Appendix B: Acronyms
URL
Universal Resource Locator
USB
Universal Serial Bus
USB OTG USB
On-The-Go
UTM
Unified Threat Management
UTP
Unshielded Twisted Pair
VBA
Visual Basic
VDE
Virtual Desktop Environment
VDI
Virtual Desktop Infrastructure
VLAN
Virtual Local Area Network
VLSM
Variable-length Subnet Masking
VM
Virtual Machine
VoIP
Voice over IP
VPC
Virtual Private Cloud
VPN
Virtual Private Network
VTC
Video Teleconferencing
WAF
Web Application Firewall
WAP
Wireless Access Point
WEP
Wired Equivalent Privacy
WIDS
Wireless Intrusion Detection System
WIPS
Wireless Intrusion Prevention System
WORM
Write Once Read Many
WPA
WiFi Protected Access
WPS
WiFi Protected Setup
WTLS
Wireless TLS
XaaS
Anything as a Service
XML
Extensible Markup Language
XOR
Exclusive Or
XSRF
Cross-site Request Forgery
XSS
Cross-site Scripting
548
Appendix C: References
References
https://www.safaribooksonline.com/library/view/mike-meyerscomptia/9781260026559/
https://www.safaribooksonline.com/library/view/comptia-security-all-inone/9781260019292/
https://www.safaribooksonline.com/library/view/comptia-securityreview/9781118922903/
https://trustsds.com/downloads/white-papers/Governance-Risk-Compliance.pdf
file:///C:/Users/ad/Downloads/White%20Paper%20RSA%20Archer%207%20Steps%20
to%20Build%20a%20GRC%20Framework%20H16083%204-2017.pdf
file:///C:/Users/ad/Downloads/White%20Paper%20RSA%20Archer%207%20Steps%20
to%20Build%20a%20GRC%20Framework%20H16083%204-2017.pdf
https://www.zurichna.com/-/media/project/zwp/zna/docs/kh/tech/site-securityassessment-guide.pdf
https://www.sciencedirect.com/topics/computer-science/organizational-security
https://www.osibeyond.com/blog/it-security-policies-every-organization-must-havethem/
https://cybersecurity.att.com/blogs/security-essentials/data-governance.at-the-heartof-security-privacy-andrisk#:~:text=Data%20governance%20is%20the%20capability,security%2C%20availabili
ty%2C%20and%20consistency.
https://www.cisa.gov/cybersecurityinsurance#:~:text=Cybersecurity%20insurance%20is%20designed%20to,business%20i
nterruption%2C%20and%20network%20damage.&text=In%20recent%20years%2C%2
0the%20Cybersecurity,this%20emerging%20cyber%20risk%20area.
https://www.cisecurity.org/blog/end-of-support-software-report-list/
https://www.wwt.com/article/the-risk-of-end-of-support-eos-infrastructure-in-yourdata-center
https://startacybercareer.com/what-is-a-cybersecurity-capture-the-flag/
https://www.mass.gov/files/documents/2016/07/uo/hsn-business-partner-securityagreement.pdf
https://ctf101.org/#:~:text=Capture%20The%20Flags%2C%20or%20CTFs,building%20
nature%20and%20competetive%20aspect.
549
Appendix C: References
https://onlinedegrees.sandiego.edu/bringing-gamification-to-cyber-security-training/
https://www.synthesio.com/glossary/social-media-analysis/
https://www.skillsoft.com/course/comptia-security-analyzing-application-networkattacks-cf202d2d-86a1-4a7f-8d64-6fed4db6997e
https://www.securitymagazine.com/articles/93509-the-importance-of-acybersecurity-framework
https://suppliers.rollsroyce.com/GSPWeb/ShowProperty?nodePath=/BEA%20Repository/Global%20Supplie
r%20Portal/Section%20DocLink%20Lists/SABRe_2/Main/Column%201/Briefs%20and
%20Guidance/B3.7:%20Measurement%20Systems%20Analysis/Documents/MSA%20h
andbook//file
https://hrdqstore.com/blogs/hrdq-blog/effective-diversity-training-methods
https://www.edgepointlearning.com/blog/types-of-diversity-training/
https://terranovasecurity.com/phishing-simulation/
https://www.e-ir.info/2020/03/14/international-law-on-cyber-security-in-the-age-ofdigital-sovereignty/
https://www.upguard.com/blog/third-party-credentials-vendor-risk
https://www.iso.org/standard/54533.html
https://london.ac.uk/about-us/how-university-run/policies/information-security-andacceptable-use-policy
https://it.brown.edu/computing-policies/acceptable-use-policy
https://www.cisecurity.org/
https://cloudsecurityalliance.org/research/cloud-controls-matrix/
https://cloudsecurityalliance.org/blog/2020/10/16/what-is-the-cloud-controls-matrixccm/
https://cloudsecurityalliance.org/
https://ccsk.cloudsecurityalliance.org/en?gclid=EAIaIQobChMIzMP1o9at8QIVibh3Ch1
RDAVrEAAYASAAEgIYCPD_BwE
https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa
https://www.iso.org/iso-31000-risk-management.html
https://www.pluralsight.com/courses/nist-rmfimplementing?aid=7010a000002LUv7AAG&promo=&utm_source=non_branded&utm_
medium=digital_paid_search_google&utm_campaign=XYZ_APAC_Dynamic&utm_con
550
Appendix C: References
tent=&cq_cmp=1576650374&gclid=EAIaIQobChMIxbmv1vGs8QIV5ejtCh0i1QDXEAAY
ASAAEgK3sfD_BwE
https://www.iso.org/standard/71670.html
https://www.nqa.com/en-me/certification/standards/iso-27701
https://www.nist.gov/cyberframework
https://www.nist.gov/industry-impacts/cybersecurity-framework
https://csrc.nist.gov/Projects/risk-management
https://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
http://bok.ahima.org/doc?oid=300244#.WkzPTN-WaM8
http://www.iaps.com/security-overview.html
https://trustsds.com/downloads/white-papers/Governance-Risk-Compliance.pdf
file:///C:/Users/ad/Downloads/White%20Paper%20RSA%20Archer%207%20Steps%20
to%20Build%20a%20GRC%20Framework%20H16083%204-2017.pdf
file:///C:/Users/ad/Downloads/White%20Paper%20RSA%20Archer%207%20Steps%20
to%20Build%20a%20GRC%20Framework%20H16083%204-2017.pdf
https://www.zurichna.com/-/media/project/zwp/zna/docs/kh/tech/site-securityassessment-guide.pdf
https://www.beyondtrust.com/blog/entry/vulnerability-remediation-5-steps-towardbuilding-effective-process
https://www.sciencedirect.com/topics/computer-science/organizational-security
https://www.osibeyond.com/blog/it-security-policies-every-organization-must-havethem/
https://threatresearch.ext.hp.com/application-containment-endpoint-security/
https://www.varonis.com/blog/network-segmentation/
https://www.sciencedirect.com/topics/computer-science/security-configuration
https://www.tripwire.com/state-of-security/security-data-protection/securitycontrols/security-configuration-management/
https://docs.mcafee.com/bundle/endpoint-security-10.6.0-adaptive-threat-protectionclient-product-guide-windows/page/GUID-F8CE8A74-826D-41BB-9D6A9CC70C434070.html
https://www.fireeye.com/products/helix/what-is-soar.html
551
Appendix C: References
https://www.toppr.com/guides/computer-science/computer-fundamentals/utilitysoftware/file-managementtools/#:~:text=File%20management%20tools%20are%20utility,is%20stored%20in%20t
he%20files.&text=Windows%20Explorer%20is%20a%20default%20file%20managemen
t%20tool%20present%20in%20the%20system.
https://logrhythm.com/uk-uws-using-mitre-attack-in-threat-hunting-and-detectionwhite-paper/?utm_source=google&utm_medium=cpc&utm_campaign=LogRhythm__META_-_T1_-_Generics__Mitre_Att&ck&utm_term=mitre%20att%26ck&matchtype=e&utm_region=EMEA&ut
m_language=en&utm_program=EMEAcpc1&gclid=EAIaIQobChMIuYHWs9jh8QIV0IB
QBh3VTALQEAAYASAAEgLmqfD_BwE
risk#:~:text=Data%20governance%20is%20the%20capability,security%2C%20availabili
ty%2C%20and%20consistency.
https://www.varonis.com/blog/incident-response-plan/
https://www.cisa.gov/cybersecurityinsurance#:~:text=Cybersecurity%20insurance%20is%20designed%20to,business%20i
nterruption%2C%20and%20network%20damage.&text=In%20recent%20years%2C%2
0the%20Cybersecurity,this%20emerging%20cyber%20risk%20area.
https://www.cisecurity.org/blog/end-of-support-software-report-list/
https://www.wwt.com/article/the-risk-of-end-of-support-eos-infrastructure-in-yourdata-center
https://startacybercareer.com/what-is-a-cybersecurity-capture-the-flag/
https://www.mass.gov/files/documents/2016/07/uo/hsn-business-partner-securityagreement.pdf
https://ctf101.org/#:~:text=Capture%20The%20Flags%2C%20or%20CTFs,building%20
nature%20and%20competetive%20aspect.
https://onlinedegrees.sandiego.edu/bringing-gamification-to-cyber-security-training/
https://www.synthesio.com/glossary/social-media-analysis/
https://www.skillsoft.com/course/comptia-security-analyzing-application-networkattacks-cf202d2d-86a1-4a7f-8d64-6fed4db6997e
https://www.securitymagazine.com/articles/93509-the-importance-of-acybersecurity-framework
https://suppliers.rollsroyce.com/GSPWeb/ShowProperty?nodePath=/BEA%20Repository/Global%20Supplie
r%20Portal/Section%20DocLink%20Lists/SABRe_2/Main/Column%201/Briefs%20and
552
Appendix C: References
%20Guidance/B3.7:%20Measurement%20Systems%20Analysis/Documents/MSA%20h
andbook//file
https://hrdqstore.com/blogs/hrdq-blog/effective-diversity-training-methods
https://www.edgepointlearning.com/blog/types-of-diversity-training/
https://terranovasecurity.com/phishing-simulation/
https://www.e-ir.info/2020/03/14/international-law-on-cyber-security-in-the-age-ofdigital-sovereignty/
https://www.upguard.com/blog/third-party-credentials-vendor-risk
https://www.iso.org/standard/54533.html
https://london.ac.uk/about-us/how-university-run/policies/information-security-andacceptable-use-policy
https://it.brown.edu/computing-policies/acceptable-use-policy
https://www.cisecurity.org/
https://cloudsecurityalliance.org/research/cloud-controls-matrix/
https://cloudsecurityalliance.org/blog/2020/10/16/what-is-the-cloud-controls-matrixccm/
https://cloudsecurityalliance.org/
https://ccsk.cloudsecurityalliance.org/en?gclid=EAIaIQobChMIzMP1o9at8QIVibh3Ch1
RDAVrEAAYASAAEgIYCPD_BwE
https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa
https://www.iso.org/iso-31000-risk-management.html
https://www.pluralsight.com/courses/nist-rmfimplementing?aid=7010a000002LUv7AAG&promo=&utm_source=non_branded&utm_
medium=digital_paid_search_google&utm_campaign=XYZ_APAC_Dynamic&utm_con
tent=&cq_cmp=1576650374&gclid=EAIaIQobChMIxbmv1vGs8QIV5ejtCh0i1QDXEAAY
ASAAEgK3sfD_BwE
https://www.iso.org/standard/71670.html
https://www.nqa.com/en-me/certification/standards/iso-27701
https://www.nist.gov/cyberframework
https://www.nist.gov/industry-impacts/cybersecurity-framework
https://www.guidepointsecurity.com/incident-response-services/
https://niccs.cisa.gov/workforce-development/cyber-security-workforceframework/digital553
Appendix C: References
forensics#:~:text=Collects%2C%20processes%2C%20preserves%2C%20analyzes,count
erintelligence%2C%20or%20law%20enforcement%20investigations.
https://www.ibm.com/security/intelligentorchestration?p1=Search&p4=43700063537908444&p5=e&gclid=EAIaIQobChMIsYWigJ
T58QIVZRoGAB37AAawEAAYASAAEgKI2_D_BwE&gclsrc=aw.ds
https://info-savvy.com/evidence-collection/
https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk
https://www.imperva.com/learn/application-security/vulnerability-assessment/
http://www.brighthub.com/computing/smb-security/articles/31234.aspx
https://www.kaspersky.com/resource-center/threats/top-seven-mobile-securitythreats-smart-phones-tablets-and-mobile-internet-devices-what-the-future-has-instore
https://www.safaribooksonline.com/library/view/mike-meyerscomptia/9781260026559/
https://www.safaribooksonline.com/library/view/comptia-security-all-inone/9781260019292/
https://www.safaribooksonline.com/library/view/comptia-securityreview/9781118922903/
https://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
http://bok.ahima.org/doc?oid=300244#.WkzPTN-WaM8
http://www.iaps.com/security-overview.html
http://www.brighthub.com/computing/smb-security/articles/31234.aspx
https://www.kaspersky.com/resource-center/threats/top-seven-mobile-securitythreats-smart-phones-tablets-and-mobile-internet-devices-what-the-future-has-instore
https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
https://www.safaribooksonline.com/library/view/improving-webapplication/9780735651128/ch02s07.html
https://msdn.microsoft.com/en-us/library/ff648641.aspx
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur
_c/scfdenl.html
https://www.ietf.org/rfc/rfc3704.txt
554
Appendix C: References
www.cisco.com
https://msdn.microsoft.com
www.intel.com
https://meraki.cisco.com
https://en.wikipedia.org/wiki/Computer_network
http://www.computerhistory.org/timeline/networking-the-web/
http://www.computerhistory.org/timeline/networking-the-web/
http://www.thetechnicalstuff.com/types-of-networks-osi-layersrefernce-table/
http://www.utilizewindows.com/data-encapsulation-in-the-osi-model/
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html
#wp737141
http://www.cisco.com/web/services/downloads/smart-solutions-maximize-federalcapabilities-for-mission-success.pdf
http://www.diffen.com/difference/TCP_vs_UDP
http://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-NMSbestpractice.html
http://www.wi.fh-flensburg.de/fileadmin/dozenten/Riggert/IP-Design-Guide.pdf
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact
=8&ved=0ahUKEwihpKO8lozQAhVDkRQKHeAzA_IQFggnMAA&url=https%3A%2F%
2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsolutions%2FCVD%2
FOct2016%2FCVD-Campus-LAN-WLAN-Design2016OCT.pdf&usg=AFQjCNHwUZXUr3QCKIzXFtBEfVHJ7OiVw&sig2=lSO526GEgDoomeEfiSFolA&bvm=bv.137132246,d.d24
http://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=5
http://www.routeralley.com/guides/static_dynamic_routing.pdf
http://www.comptechdoc.org/independent/networking/guide/netdynamicroute.html
http://www.pearsonitcertification.com/articles/article.aspx?p=2168927&seqNum=7
http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/13/configuration/guide/pi_13_cg/ovr.pdf
http://www.cisco.com/c/en/us/products/security/security-manager/index.html
http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html
https://en.wikipedia.org/wiki/Malware
555
Appendix C: References
https://en.wikipedia.org/wiki/Security_information_and_event_management
https://en.wikipedia.org/wiki/Malware
https://ikrami.net/2014/05/19/siem-soc/
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15s/sec-usr-ssh-15-s-book/sec-secure-copy.html
https://en.wikipedia.org/wiki/IEEE_802.1X
http://www.ciscopress.com/articles/article.asp?p=25477&seqNum=3
https://www.paessler.com/info/snmp_mibs_and_oids_an_overview
http://www.firewall.cx/downloads.html
https://en.wikipedia.org/wiki/Threat_(computer)#Threat_classification
http://www.cisco.com/c/en/us/products/security/ids-4215-sensor/index.html
https://en.wikipedia.org/wiki/Brain_(computer_virus)
Badawi, A.M.: Hand vein biometric verification prototype: A testing performance and
patterns similarity. In: International Conference on Image Processing, Computer Vision,
and Pattern Recognition, pp. 3–9 (2006)Google Scholar
Chen, Q., Defrise, M., Deconinck, F.: Symmetric phase-only matched filtering of fouriermellin transforms for image registration and recognition. IEEE Transactions on Pattern
Analysis and Machine Intelligence 16(12), 1156–1168 (1994)CrossRefGoogle Scholar
https://www.sciencedirect.com/topics/computer-science/false-acceptance-rate
https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
https://www.safaribooksonline.com/library/view/improving-webapplication/9780735651128/ch02s07.html
https://msdn.microsoft.com/en-us/library/ff648641.aspx
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur
_c/scfdenl.html
https://www.ietf.org/rfc/rfc3704.txt
www.cisco.com
https://msdn.microsoft.com
www.intel.com
https://meraki.cisco.com
https://en.wikipedia.org/wiki/Computer_network
http://www.computerhistory.org/timeline/networking-the-web/
556
Appendix C: References
http://www.computerhistory.org/timeline/networking-the-web/
http://www.thetechnicalstuff.com/types-of-networks-osi-layersrefernce-table/
http://www.utilizewindows.com/data-encapsulation-in-the-osi-model/
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html
#wp737141
http://www.cisco.com/web/services/downloads/smart-solutions-maximize-federalcapabilities-for-mission-success.pdf
http://www.diffen.com/difference/TCP_vs_UDP
http://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-NMSbestpractice.html
http://www.wi.fh-flensburg.de/fileadmin/dozenten/Riggert/IP-Design-Guide.pdf
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact
=8&ved=0ahUKEwihpKO8lozQAhVDkRQKHeAzA_IQFggnMAA&url=https%3A%2F%
2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsolutions%2FCVD%2
FOct2016%2FCVD-Campus-LAN-WLAN-Design2016OCT.pdf&usg=AFQjCNHwUZXUr3QCKIzXFtBEfVHJ7OiVw&sig2=lSO526GEgDoomeEfiSFolA&bvm=bv.137132246,d.d24
http://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=5
http://www.routeralley.com/guides/static_dynamic_routing.pdf
http://www.comptechdoc.org/independent/networking/guide/netdynamicroute.html
http://www.pearsonitcertification.com/articles/article.aspx?p=2168927&seqNum=7
http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/13/configuration/guide/pi_13_cg/ovr.pdf
http://www.cisco.com/c/en/us/products/security/security-manager/index.html
http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html
https://en.wikipedia.org/wiki/Malware
https://en.wikipedia.org/wiki/Security_information_and_event_management
https://en.wikipedia.org/wiki/Malware
https://ikrami.net/2014/05/19/siem-soc/
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15s/sec-usr-ssh-15-s-book/sec-secure-copy.html
https://en.wikipedia.org/wiki/IEEE_802.1X
http://www.ciscopress.com/articles/article.asp?p=25477&seqNum=3
557
Appendix C: References
https://www.paessler.com/info/snmp_mibs_and_oids_an_overview
http://www.firewall.cx/downloads.html
https://en.wikipedia.org/wiki/Threat_(computer)#Threat_classification
http://www.cisco.com/c/en/us/products/security/ids-4215-sensor/index.html
https://en.wikipedia.org/wiki/Brain_(computer_virus)
https://www.safaribooksonline.com/library/view/mike-meyerscomptia/9781260026559/
https://www.safaribooksonline.com/library/view/comptia-security-all-inone/9781260019292/
https://www.safaribooksonline.com/library/view/comptia-securityreview/9781118922903/
https://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf
http://bok.ahima.org/doc?oid=300244#.WkzPTN-WaM8
http://www.iaps.com/security-overview.html
http://www.brighthub.com/computing/smb-security/articles/31234.aspx
https://www.kaspersky.com/resource-center/threats/top-seven-mobile-securitythreats-smart-phones-tablets-and-mobile-internet-devices-what-the-future-has-instore
https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
https://www.safaribooksonline.com/library/view/improving-webapplication/9780735651128/ch02s07.html
https://msdn.microsoft.com/en-us/library/ff648641.aspx
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur
_c/scfdenl.html
https://www.ietf.org/rfc/rfc3704.txt
www.cisco.com
https://msdn.microsoft.com
www.intel.com
https://meraki.cisco.com
https://en.wikipedia.org/wiki/Computer_network
http://www.computerhistory.org/timeline/networking-the-web/
558
Appendix C: References
http://www.computerhistory.org/timeline/networking-the-web/
http://www.thetechnicalstuff.com/types-of-networks-osi-layersrefernce-table/
http://www.utilizewindows.com/data-encapsulation-in-the-osi-model/
http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html
#wp737141
http://www.cisco.com/web/services/downloads/smart-solutions-maximize-federalcapabilities-for-mission-success.pdf
http://www.diffen.com/difference/TCP_vs_UDP
http://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-NMSbestpractice.html
http://www.wi.fh-flensburg.de/fileadmin/dozenten/Riggert/IP-Design-Guide.pdf
https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact
=8&ved=0ahUKEwihpKO8lozQAhVDkRQKHeAzA_IQFggnMAA&url=https%3A%2F%
2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsolutions%2FCVD%2
FOct2016%2FCVD-Campus-LAN-WLAN-Design2016OCT.pdf&usg=AFQjCNHwUZXUr3QCKIzXFtBEfVHJ7OiVw&sig2=lSO526GEgDoomeEfiSFolA&bvm=bv.137132246,d.d24
http://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=5
http://www.routeralley.com/guides/static_dynamic_routing.pdf
http://www.comptechdoc.org/independent/networking/guide/netdynamicroute.html
http://www.pearsonitcertification.com/articles/article.aspx?p=2168927&seqNum=7
http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/13/configuration/guide/pi_13_cg/ovr.pdf
http://www.cisco.com/c/en/us/products/security/security-manager/index.html
http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html
https://en.wikipedia.org/wiki/Malware
https://en.wikipedia.org/wiki/Security_information_and_event_management
https://en.wikipedia.org/wiki/Malware
https://ikrami.net/2014/05/19/siem-soc/
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15s/sec-usr-ssh-15-s-book/sec-secure-copy.html
https://en.wikipedia.org/wiki/IEEE_802.1X
http://www.ciscopress.com/articles/article.asp?p=25477&seqNum=3
559
Appendix C: References
https://www.paessler.com/info/snmp_mibs_and_oids_an_overview
http://www.firewall.cx/downloads.html
https://en.wikipedia.org/wiki/Threat_(computer)#Threat_classification
http://www.cisco.com/c/en/us/products/security/ids-4215-sensor/index.html
https://en.wikipedia.org/wiki/Brain_(computer_virus)
560
About Our Products
About Our Products
Other products from IPSpecialist LTD regarding CSP technology are:
AWS Certified Cloud Practitioner Study guide
AWS Certified SysOps Admin - Associate Study guide
AWS Certified Solution Architect - Associate Study guide
AWS Certified Developer Associate Study guide
AWS Certified Advanced Networking – Specialty Study guide
AWS Certified Security – Specialty Study guide
AWS Certified Big Data – Specialty Study guide
Microsoft Certified: Azure Fundamentals
Microsoft Certified: Azure Administrator
561
About Our Products
Microsoft Certified: Azure Solution Architect
Microsoft Certified: Azure DevOps Engineer
Microsoft Certified: Azure Developer Associate
Microsoft Certified: Azure Security Engineer
Microsoft Certified: Azure Data Fundamentals
Microsoft Certified: Azure AI Fundamentals
Microsoft Certified: Azure Data Engineer Associate
Microsoft Certified: Azure Data Scientist
Other Network & Security related products from IPSpecialist LTD are:

CCNA Routing & Switching Study Guide
562
About Our Products















CCNA Security Second Edition Study Guide
CCNA Service Provider Study Guide
CCDA Study Guide
CCDP Study Guide
CCNP Route Study Guide
CCNP Switch Study Guide
CCNP Troubleshoot Study Guide
CCNP Security SENSS Study Guide
CCNP Security SIMOS Study Guide
CCNP Security SITCS Study Guide
CCNP Security SISAS Study Guide
CompTIA Network+ Study Guide
Certified Blockchain Expert (CBEv2) Study Guide
EC-Council CEH v10 Second Edition Study Guide
Certified Blockchain Expert v2 Study Guide
563
Download