Format-Security-plus-Study-Guide

SYO-601: CompTIA Security+ Study Guide with Practice Questions & Labs Third Edition www.ipspecialist.net 1 Document Control Proposal Name : CompTIA Security+ Document Edition : Third Edition Document Release Date : 27th September 2021 Reference : SYO-601 Copyright © 2021 IPSpecialist LTD. Registered in England and Wales Company Registration No: 10883539 Registration Office at: Office 32, 19-21 Crawford Street, London W1H 1PJ, United Kingdom www.ipspecialist.net All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without the written permission from IPSpecialist LTD, except for the inclusion of brief quotations in a review. Feedback: If you have any comments regarding the quality of this book, or otherwise alter it to better suit your needs, you can contact us through email at info@ipspecialist.net Please make sure to include the book’s title and ISBN in your message. 2 About IPSpecialist IPSPECIALIST LTD. IS COMMITTED TO EXCELLENCE AND DEDICATED TO YOUR SUCCESS. Our philosophy is to treat our customers like family. We want you to succeed, and we are willing to do everything possible to help you make it happen. We have the proof to back up our claims. We strive to accelerate billions of careers with great courses, accessibility, and affordability. We believe that continuous learning and knowledge evolution are the most important things to keep re-skilling and up-skilling the world. Planning and creating a specific goal is where IPSpecialist helps. We can create a career track that suits your visions as well as develop the competencies you need to become a professional Network Engineer. We can also assist you with the execution and evaluation of your proficiency level, based on the career track you choose, as they are customized to fit your specific goals. We help you STAND OUT from the crowd through our detailed IP training content packages. Course Features:  Self-Paced Learning  Learn at your own pace and in your own time  Covers Complete Exam Blueprint  Prep-up for the exam with confidence  Case Study Based Learning  Relate the content with real-life scenarios  Subscriptions that Suits You  Get more and pay less with IPS subscriptions  Career Advisory Services  Let the industry experts plan your career journey  Virtual Labs to test your skills  With IPS vRacks, you can evaluate your exam preparations  Practice Questions  Practice questions to measure your preparation standards  On Request Digital Certification  On request digital certification from IPSpecialist LTD. 3 About the Authors: This book has been compiled with the help of multiple professional engineers who specialize in different fields, e.g., Networking, Security, Cloud, Big Data, IoT, etc. Each engineer develops content in his/her own specialized field, which is then compiled to form a comprehensive certification guide. About the Technical Reviewers: Nouman Ahmed Khan AWS-Architect, CCDE, CCIEX5 (R&S, SP, Security, DC, Wireless), CISSP, CISA, CISM, Nouman Ahmed Khan is a Solution Architect working with a major telecommunication provider in Qatar. He works with enterprises, mega-projects, and service providers to help them select the best-fit technology solutions. He also works as a consultant to understand customer business processes and helps select an appropriate technology strategy to support business goals. He has more than fourteen years of experience working in Pakistan/Middle-East & the UK. He holds a Bachelor of Engineering Degree from NED University, Pakistan, and an M.Sc. in Computer Networks from the UK. Abubakar Saeed Abubakar Saeed has more than twenty-five years of experience managing, consulting, designing, and implementing large-scale technology projects, extensive experience heading ISP operations, solutions integration, heading Product Development, Pre-sales, and Solution Design. Emphasizing adhering to Project timelines and delivering as per customer expectations, he always leads the project in the right direction with his innovative ideas and excellent management skills. Dr. Fahad Abdali Dr. Fahad Abdali is a seasoned leader with extensive experience managing and growing software development teams in high-growth start-ups. He is a business entrepreneur with more than 18 years of experience in management and marketing. He holds a Bachelor's Degree from NED University of Engineering and Technology and a Doctor of Philosophy (Ph.D.) from the University of Karachi. Mehwish Jawed Mehwish Jawed is working as a Senior Research Analyst. She holds a Master's and Bachelors of Engineering degree in Telecommunication Engineering from NED University of Engineering and Technology. She also worked under the supervision of HEC Approved supervisor. She has more than three published papers, including both conference and 4 journal papers. She has a great knowledge of TWDM Passive Optical Network (PON). She also worked as a Project Engineer, Robotic Trainer in a private institute and has research skills in the field of communication networks. She has both technical knowledge and industry-sounding information, which she utilizes effectively when needed. She also has expertise in cloud platforms, as in AWS, GCP, Oracle, and Microsoft Azure. Ayesha Sheikh Ayesha Sheikh is a professional technical content writer. She holds a Bachelor’s Degree in Computer Engineering from Sir Syed University of Engineering & Technology. She has hands-on experience on SDN (Software Defined Network), Java, .NET development, machine learning, PHP, Artificial Intelligence, Python, and other programming and development platforms as well as Database Management Systems like SQL, Oracle, and so on. She is an excellent research analyst and is capable of performing all her tasks in a fast and efficient way. 5 Free Resources: For Free Resources: Please visit our website and register to access your desired Resources Or contact us at: info@ipspecialist.net Career Report: This report is a step-by-step guide for a novice who wants to develop his/her career in the field of computer networks. It answers the following queries:       What are the current scenarios and future prospects? Is this industry moving towards saturation, or are new opportunities knocking at the door? What will the monetary benefits be? Why get certified? How to plan, and when will I complete the certifications if I start today? Is there any career track that I can follow to accomplish the specialization level? Furthermore, this guide provides a comprehensive career path towards being a specialist in networking and highlights the tracks needed to obtain certification. IPS Personalized Technical Support for Customers: Good customer service means helping customers efficiently, in a friendly manner. It is essential to be able to handle issues for customers and do your best to ensure they are satisfied. Providing good service is one of the most important things that can set our business apart from the others of its kind. Excellent customer service will result in attracting more customers and attain maximum customer retention. IPS offers personalized TECH support to its customers to provide better value for money. If you have any queries related to technology and labs, you can simply ask our technical team for assistance via Live Chat or Email. 6 Our Products Study Guides IPSpecialist Study Guides are the ideal guides to developing the hands-on skills necessary to pass the exam. Our Study Guides cover the official exam blueprint and explain the technology with real-life case study-based labs. The content covered in each Study Guide consists of individually focused technology topics presented in an easy-to-follow, goaloriented, step-by-step approach. Every scenario features detailed breakdowns and thorough verifications to help you completely understand the task and associated technology. We extensively used mind maps in our Study Guides to visually explain the technology. Our Study Guides have become a widely used tool to learn and remember information effectively. vRacks Our highly scalable and innovative virtualized lab platforms let you practice the IPSpecialist Study Guide at your own time and your own place as per your convenience. Exam Cram Our Exam Crams notes are a concise bundling of condensed notes of the complete exam blueprint. It is an ideal and handy document to help you remember the most important technology concepts related to the certification exam. Practice Questions IP Specialists' Practice Questions are dedicatedly designed from a certification exam perspective. The collection of these questions from our Study Guides is prepared keeping the exam blueprint in mind, covering not only important but necessary topics as well. It is an ideal document to practice and revise your certification. 7 Content at a glance Chapter 01: Threats, Attacks, and Vulnerabilities ............................ 29 Chapter 02: Architecture and Design ............................................... 147 Chapter 03: Implementation ............................................................. 252 Chapter 04: Operations and Incident Response ............................. 344 Chapter 05: Governance, Risk, and Compliance ............................. 446 Answers .............................................................................................. 522 Acronyms ...........................................................................................536 References ......................................................................................... 548 About Our Products.......................................................................... 560 8 Table of Contents Chapter 01: Threats, Attacks, and Vulnerabilities ............................ 29 Technology Brief................................................................................................................ 29 An Overview of Social Engineering Techniques .............................................................. 29 Spam ................................................................................................................................30 Credential Harvesting .................................................................................................... 33 Mind Map........................................................................................................................ 35 Malware Concepts .............................................................................................................. 35 Ransomware....................................................................................................................36 Trojan ..............................................................................................................................36 Command and Control...................................................................................................38 Lab 1-01: HTTP RAT Trojan ........................................................................................... 42 Cryptography Attacks ....................................................................................................... 56 Mind Map........................................................................................................................58 Web Application Attacks ...............................................................................................58 Privilege Escalation.........................................................................................................58 Injections........................................................................................................................ 60 Structured Query Language (SQL) ............................................................................... 60 Session Replay Attack .................................................................................................... 66 Resource Exhaustion ..................................................................................................... 66 Pass the Hash ................................................................................................................. 67 Mind Map....................................................................................................................... 67 Network Attacks ................................................................................................................ 67 Wireless Network Concepts.............................................................................................. 68 Evil Twin ........................................................................................................................ 69 Layer 2 attacks .................................................................................................................... 73 Address Resolution Protocol (ARP) Poisoning ............................................................. 73 Media Access Control (MAC) Flooding ......................................................................... 73 9 Domain Name System (DNS) ........................................................................................74 Domain hijacking ...............................................................................................................74 Distributed Denial-of-Service (DDoS) .......................................................................... 75 How Distributed Denial-of-Service Attacks Work ...................................................... 76 Operational Technology (OT) .......................................................................................... 76 Malicious Code or script execution ............................................................................... 77 Macros and Visual Basic for Application (VBA) .............................................................. 78 Mind Map....................................................................................................................... 78 Threat Actors ..................................................................................................................... 79 Insider Threat ................................................................................................................. 81 Hacktivists ...................................................................................................................... 81 Script Kiddies ................................................................................................................. 82 Hacker ............................................................................................................................ 82 Threat Actor Attributes ......................................................................................................83 Internal/External ............................................................................................................83 Level of Sophistication .................................................................................................. 84 Resources/Funding ........................................................................................................ 84 Intent/Motivation .......................................................................................................... 84 Vectors ............................................................................................................................... 84 Wireless.............................................................................................................................. 84 Email ...................................................................................................................................85 Social Media ....................................................................................................................85 Mind Map....................................................................................................................... 92 Vulnerability Assessment .................................................................................................. 92 Weak Configurations..................................................................................................... 94 Improper or Weak Patch Management............................................................................ 96 Operating System (OS) ................................................................................................. 96 Data Exfiltration ............................................................................................................ 99 Mind Map...................................................................................................................... 100 Threat Hunting ................................................................................................................. 100 10 Vulnerability Scanning ...................................................................................................... 101 Lab 1-01: Installing and Using Vulnerability Assessment Tool ........................................ 101 Web 2.0 ......................................................................................................................... 128 Web App Threats .......................................................................................................... 128 SIEM (Security Information and Event Management) ............................................... 130 Review Reports .............................................................................................................. 131 User Behavior Analysis .................................................................................................. 131 Log Aggregation.............................................................................................................132 Mind Map....................................................................................................................... 133 Penetration Testing ....................................................................................................... 133 Rules of Engagement .................................................................................................... 136 Lateral Movement .........................................................................................................137 Privilege Escalation........................................................................................................137 Persistence .....................................................................................................................137 Cleanup ......................................................................................................................... 138 Pivoting ......................................................................................................................... 138 Exercise Types ............................................................................................................... 140 White Team ................................................................................................................... 141 Purple Team ................................................................................................................... 141 Mind Map...................................................................................................................... 142 Practice Question ............................................................................................................. 143 Chapter 02: Architecture and Design ............................................... 147 Technology Brief............................................................................................................... 147 The Significance of Security Ideas in a Business Setting ................................................ 148 Security Overview ......................................................................................................... 148 Configuration Management ......................................................................................... 148 Internet Protocol Schema ............................................................................................ 149 Data Sovereignty .............................................................................................................. 150 Data Protection ................................................................................................................ 150 Data Loss Prevention .................................................................................................... 150 11 Masking ......................................................................................................................... 150 Encryption..................................................................................................................... 150 At Rest ........................................................................................................................... 150 In Transit/Motion .......................................................................................................... 151 In Processing .................................................................................................................. 151 Tokenization .................................................................................................................. 151 Rights Management ...................................................................................................... 151 Hardware Security Module (HSM) ...................................................................................152 Geographical Considerations ............................................................................................153 Cloud Access Security Broker (CASB) ..............................................................................153 Response and Recovery Controls......................................................................................155 Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection ....................... 156 Hashing ............................................................................................................................. 156 API Considerations ............................................................................................................157 Site Resiliency ................................................................................................................... 158 Hot Site ......................................................................................................................... 158 Cold Site ........................................................................................................................ 158 Warm site ...................................................................................................................... 158 Deception and Disruption ............................................................................................... 158 Honeypots ..................................................................................................................... 159 Honeyfiles ..................................................................................................................... 159 Honeynets ..................................................................................................................... 159 Lab 2-01: Configuring Honeypot on Windows Server 2016 ....................................... 159 DNS Sinkhole ................................................................................................................ 163 Mind Map...................................................................................................................... 164 Virtualization and Cloud Computing Concepts ............................................................. 164 What is Cloud Computing, and how does it work? .................................................... 164 Cloud Service Providers ............................................................................................... 170 On-Premises vs. Off-Premises ..................................................................................... 170 Fog Computing ............................................................................................................. 170 12 Edge Computing ........................................................................................................... 170 Thin Client ..................................................................................................................... 171 Containers ...................................................................................................................... 171 Microservices/API ........................................................................................................ 172 Infrastructure as Code .................................................................................................. 172 Serverless architecture ................................................................................................. 174 Services Integration ...................................................................................................... 174 Resource Policies ...........................................................................................................175 Transit Gateway .............................................................................................................175 Virtualization .................................................................................................................175 VM Escape Protection ...................................................................................................175 Mind Map...................................................................................................................... 176 Secure Application Development, Deployment, and Automation Concepts ............... 176 Environment ................................................................................................................. 176 Provisioning and De-Provisioning ............................................................................... 178 Integrity Measurement ................................................................................................. 179 Secure Coding Techniques ........................................................................................... 179 Open Web Application Security Project (OWASP).................................................... 180 Software Diversity.......................................................................................................... 181 Automation/Scripting ................................................................................................... 181 Elasticity ........................................................................................................................ 182 Scalability ...................................................................................................................... 182 Version Control ............................................................................................................ 182 Mind Map...................................................................................................................... 183 Summarize Authentication and Authorization Design Concepts ................................. 183 Authentication Methods .............................................................................................. 185 Technologies ................................................................................................................. 186 Authentication Applications ........................................................................................ 189 AAA (Authentication, Authorization, and Accounting) Framework ........................ 193 Multi-Factor Authentication ........................................................................................ 194 13 Gaining Access .................................................................................................................. 197 Cloud vs. On-Premises Requirements ......................................................................... 198 Mind Map...................................................................................................................... 199 Implementation of Cybersecurity Resilience .................................................................. 199 Redundancy .................................................................................................................. 199 Disk ............................................................................................................................... 199 Network......................................................................................................................... 201 Replication .................................................................................................................... 203 Backup Types ............................................................................................................... 204 Non-Persistence ............................................................................................................ 205 High Availability .......................................................................................................... 206 Restoration Order ........................................................................................................ 206 Diversity ....................................................................................................................... 206 Mind Map......................................................................................................................207 The Security Implications of Embedded and Specialized Systems ............................... 208 Embedded Systems ...................................................................................................... 208 Supervisory Control and Data Acquisition (SCADA)/Industrial Control System (ICS) Facilities ....................................................................................................................... 208 Internet of Things (IoT) .............................................................................................. 208 IoT Communication Models ......................................................................................... 211 Specialized .................................................................................................................... 214 Voice over IP ..................................................................................................................215 Heating, Ventilation, Air Conditioning ........................................................................215 Drones/AVs ................................................................................................................... 216 Multifunction Printer ................................................................................................... 216 Real-Time Operating System ....................................................................................... 216 Surveillance Systems .................................................................................................... 216 System on Chip ............................................................................................................. 216 Communication Considerations .................................................................................. 217 Mind Map...................................................................................................................... 218 14 The Importance of Physical Security Controls ............................................................... 218 Bollards/Barricades....................................................................................................... 219 Mantraps ....................................................................................................................... 219 Badges ...........................................................................................................................220 Alarms ...........................................................................................................................220 Signage ..........................................................................................................................220 Cameras .........................................................................................................................220 Industrial Camouflage .................................................................................................. 221 Personnel ...................................................................................................................... 221 Locks ............................................................................................................................. 222 USB Data Blocker ......................................................................................................... 222 Lighting ......................................................................................................................... 222 Fencing .......................................................................................................................... 222 Fire Suppression ........................................................................................................... 222 Sensors .......................................................................................................................... 222 Visitor Logs ................................................................................................................... 223 Faraday Cages ............................................................................................................... 223 Air Gap .......................................................................................................................... 223 The Demilitarized Zone (DMZ) ................................................................................... 223 Protected Cable Distribution ....................................................................................... 224 Secure Areas .................................................................................................................. 224 Secure Data Destruction ..............................................................................................226 Mind Map...................................................................................................................... 227 The Basics of Cryptographic Concepts ............................................................................228 Cryptography ................................................................................................................228 Types of Cryptography .................................................................................................228 Digital Signatures .........................................................................................................229 Key Length .................................................................................................................... 230 Key Stretching............................................................................................................... 230 Salting............................................................................................................................ 230 15 Hashing ..........................................................................................................................231 Key Exchange ................................................................................................................ 232 Elliptic-Curve Cryptography ........................................................................................ 233 Perfect Forward Secrecy ............................................................................................... 234 Quantum ....................................................................................................................... 234 Blockchain..................................................................................................................... 234 Cipher Suites ................................................................................................................. 235 Symmetric vs. Asymmetric........................................................................................... 235 Lightweight Cryptography ........................................................................................... 239 Steganography .............................................................................................................. 239 Mind Map...................................................................................................................... 241 Homomorphic Encryption ........................................................................................... 247 Common Use Cases ...................................................................................................... 247 Limitations .................................................................................................................... 247 Mind Map..................................................................................................................... 248 Practice Question ............................................................................................................ 249 Chapter 03: Implementation ............................................................. 252 Implement Secure Protocols ............................................................................................ 252 Protocols ........................................................................................................................... 252 Secure Real-time Protocol (SRTP) ............................................................................... 252 NTP................................................................................................................................ 252 S/MIME ......................................................................................................................... 253 SSL/TLS ......................................................................................................................... 253 FTPS .............................................................................................................................. 253 LDAP ............................................................................................................................. 253 SSH ................................................................................................................................ 253 DHCP ............................................................................................................................ 253 Secure File Transfer Protocol (SFTP) .......................................................................... 254 Secure Post Office Protocol (POP)/ Internet Message Access Protocol (IMAP) ..... 266 Mind Map......................................................................................................................267 16 Implement Host or Application Security Solutions .......................................................267 Endpoint Protection .....................................................................................................267 Boot Integrity ............................................................................................................... 269 Application Security .....................................................................................................270 Hardening ..................................................................................................................... 271 Self-Encrypting Drive (SED)/ Full-Disk Encryption (FDE) ........................................ 273 Hardware Root of Trust ............................................................................................... 273 Trusted Platform Module (TPM) ................................................................................. 273 Sandboxing ................................................................................................................... 273 Mind Map...................................................................................................................... 274 Implement Secure Network Designs ............................................................................... 274 Load Balancing ............................................................................................................. 274 Network Segmentation ................................................................................................ 275 Network-based Intrusion Detection System (NIDS)/Network-based Intrusion Prevention System (NIPS) ............................................................................................279 Firewall .......................................................................................................................... 283 Firewall Architecture ................................................................................................... 286 Types of Firewall .......................................................................................................... 290 Access control list (ACL) .............................................................................................. 293 Route security Quality of service (QoS) ...................................................................... 293 Implications of IPv6 ..................................................................................................... 293 Port Spanning/Port Mirroring .................................................................................... 294 Monitoring Services ..................................................................................................... 294 File Integrity Monitors ................................................................................................ 294 Mind Map......................................................................................................................295 Wireless Security Settings ................................................................................................295 Cryptographic Protocols ..............................................................................................295 Authentication Protocols ............................................................................................ 296 Methods ........................................................................................................................297 Installation Considerations ......................................................................................... 298 17 Mind Map..................................................................................................................... 299 Implement Secure Mobile Solutions .............................................................................. 299 Connection Methods and Receivers ........................................................................... 299 Mobile Device Management (MDM) .......................................................................... 301 Mobile Devices.............................................................................................................. 305 Enforcement and Monitoring ...................................................................................... 305 Deployment Models .....................................................................................................308 Mind Map..................................................................................................................... 309 Cybersecurity Solutions to the Cloud............................................................................. 309 Cloud Security Controls .............................................................................................. 309 Network..........................................................................................................................312 Compute........................................................................................................................ 314 Solutions ........................................................................................................................315 Cloud-native controls vs. third-party solutions .......................................................... 316 Mind Map...................................................................................................................... 318 Implement Identity and Account Management Controls .............................................. 318 Identity .......................................................................................................................... 318 Account Types .............................................................................................................. 319 Account Policies ........................................................................................................... 320 Mind Map...................................................................................................................... 322 Implement Authentication and Authorization Solutions .............................................. 322 Authentication Management ....................................................................................... 322 Authentication .............................................................................................................. 324 Access Control Schemes ............................................................................................... 328 Mind Map...................................................................................................................... 330 Implement Public Key Infrastructure.............................................................................. 330 Public Key Infrastructure (PKI) ................................................................................... 330 Types of certificates ...................................................................................................... 335 Certificate Formats ....................................................................................................... 337 Concepts........................................................................................................................ 338 18 Mind Map......................................................................................................................340 Practice Questions............................................................................................................ 341 Chapter 04: Operations and Incident Response ............................. 344 Introduction......................................................................................................................344 Appropriate Tools to Assess Organization Security .......................................................344 Network Reconnaissance and Discovery .....................................................................344 File Manipulation ......................................................................................................... 355 Shell and Script Environments .................................................................................... 357 Packet Capture and Replay .......................................................................................... 358 Lab 4-01: Introduction to Wireshark ........................................................................... 359 Forensics ....................................................................................................................... 362 Mind Map......................................................................................................................364 Importance of Policies, Processes, and Procedures for Incident Response .................. 365 Incident Response Plans .............................................................................................. 365 Incident Response Process ........................................................................................... 365 Exercises ........................................................................................................................ 367 Attack Frameworks.......................................................................................................368 Stakeholder Management ............................................................................................ 375 Communication Plan.................................................................................................... 375 Continuity of Operations Planning (COOP)............................................................... 375 Incident Response Team .............................................................................................. 376 Retention Policies ......................................................................................................... 376 Mind Map...................................................................................................................... 377 Appropriate Data Source to Support an Incident Investigation .................................... 377 Vulnerability Analysis .................................................................................................. 377 Lab 4-02: Installing and Using a Vulnerability Assessment Tool ..............................386 Lab 4-03: Vulnerability Scanning using the Nessus Vulnerability Scanning Tool ... 405 Analyze Vulnerability Scan Results ............................................................................. 417 Appropriate Solutions/Recommendations to Remediate the Discovered Vulnerabilities............................................................................................................... 419 19 SIEM DashBoard .......................................................................................................... 420 Log Files ........................................................................................................................ 422 syslog/rsyslogs/syslog-ng ............................................................................................. 425 Journalctl ....................................................................................................................... 425 nxlog .............................................................................................................................. 425 Bandwidth monitors .................................................................................................... 426 Metadata ...................................................................................................................... 426 Netflow .......................................................................................................................... 427 Protocol Analyzer Output ........................................................................................... 428 Mind Map..................................................................................................................... 429 Use of Mitigation Techniques or Controls to Secure an Environment ........................ 429 Reconfigure Endpoint Security Solution .................................................................... 429 Configuration Changes.................................................................................................430 Isolation ........................................................................................................................ 431 Containment ................................................................................................................. 431 Segmentation ................................................................................................................ 432 SOAR ............................................................................................................................. 432 Mind Map...................................................................................................................... 433 The Key Aspect of Digital Forensics ................................................................................ 433 Documentation/Evidence ............................................................................................ 433 Acquisition .................................................................................................................... 435 On-Premises vs. Cloud .................................................................................................438 Integrity........................................................................................................................ 440 Preservation ................................................................................................................. 440 E-discovery ................................................................................................................... 440 Data recovery ................................................................................................................ 441 Non-repudiation ........................................................................................................... 441 Strategic Intelligence/ CounterIntelligence (CI) ........................................................ 441 Mind Map..................................................................................................................... 442 Practice Questions............................................................................................................443 20 Chapter 05: Governance, Risk, and Compliance ............................. 446 Introduction..................................................................................................................... 446 GRC Concepts .............................................................................................................. 446 Why GRC? .................................................................................................................... 446 Functions Supported by GRC...................................................................................... 447 Analyze Risks Associated with Cloud Infrastructure .................................................... 448 Risk Assessment/Analysis ........................................................................................... 448 Cloud Attack Vectors .................................................................................................. 448 Virtualization Rısks ..................................................................................................... 450 Counter-Measure Strategies........................................................................................ 450 Security Controls .............................................................................................................. 451 Physical and Environmental Protection ...................................................................... 451 System and Communication Protection ..................................................................... 452 Category of Security Control ........................................................................................ 452 Types of Security Control ............................................................................................. 453 Mind Map..................................................................................................................... 454 Importance of Applicable Regulations, Standards, or Frameworks that Impact Organizational Security Posture. .................................................................................... 454 Regulations, Standards, and Legislation .................................................................... 454 Benchmarks/Secure Configuration Guides ................................................................ 466 Mind Map..................................................................................................................... 470 Importance of Policies to Organizational Security ........................................................ 470 Policies ......................................................................................................................... 470 Personnel Security ........................................................................................................ 471 Diversity of Training Techniques ............................................................................... 479 Third-Party Risk Management.................................................................................... 479 Data ...............................................................................................................................483 Credential Management System ................................................................................. 487 Credential Policies ....................................................................................................... 488 Organizational Policies ............................................................................................... 489 21 Mind Map......................................................................................................................493 Risk Management Processes and Concepts ....................................................................493 Threat Assessment....................................................................................................... 494 Risk Types .................................................................................................................... 494 Risk Management Strategies ....................................................................................... 495 Risk Monitoring ........................................................................................................... 496 Analyze Risks Associated with Cloud Infrastructure................................................. 496 Disaster ......................................................................................................................... 502 Business Impact Analysis ............................................................................................. 502 MindMap....................................................................................................................... 505 Privacy and Sensitive Data Concepts in Relation to Security ........................................ 505 Organizational consequences of privacy breaches ..................................................... 505 Notifications of Breaches ............................................................................................ 506 Data Types .................................................................................................................... 507 Privacy Enhancing Technologies ................................................................................ 508 Roles and Resposnibilities ............................................................................................. 511 Information Lifecycle ....................................................................................................512 Privacy Impact Assessment ...........................................................................................513 Terms of Agreement ......................................................................................................513 Privacy Notice/ Privacy Policy ......................................................................................513 Mind Map...................................................................................................................... 514 Data Security and Privacy Practices ................................................................................ 514 Data Destruction and Media Sanitization ................................................................... 514 Data Sensitivity Labelling and Handling ..................................................................... 516 Data Retention ...............................................................................................................517 Legal and Compliance ...................................................................................................517 Mind Map...................................................................................................................... 518 Practice Questions............................................................................................................ 519 Answers .............................................................................................. 522 Chapter 01: Threats, Attacks, and Vulnerabilities .......................................................... 522 22 Chapter 02: Architecture and Design .............................................................................. 525 Chapter 03: Implementation ............................................................................................ 528 Chapter 04: Operations and Incident Response ............................................................. 530 Chapter 05: Governance, Risk, and Compliance ............................................................. 533 Acronyms ...........................................................................................536 References ......................................................................................... 548 About Our Products.......................................................................... 560 23 CompTIA Certification: Security + About this Certifications This certification covers all the information you need to pass the CompTIA Security+ Exam that is SY0-601. The workbook is designed to take a practical approach to learn with reallife examples and case studies.        Covers complete CompTIA Security+ SY0-601 blueprint Summarized content Case Study based approach Downloadable vRacks Practice Questions 100% pass guarantee Mind maps CompTIA Certifications CompTIA certification helps to establish and build your IT career. It benefits you in various ways, either seeking certification to have a job in IT or want to upgrade your IT career with a leading certification, that is, CompTIA certification. Figure 1. CompTIA Certifications Pathway 24 CompTIA Certification: Security + About Security+ Certification The purpose of this certification is to make you a better IT Security Tech. All the essential principles for network security are covered in this Security+ certification. The skills or techniques you will learn when you obtain the Security+ certificate:       Configuring a secure network for protection against threats, malware, etc. Identification of vulnerabilities in a network and provision of proper mitigation techniques. Knowledge of the latest threats that harm your system intelligently. Implementation of secure protocols and appropriate security checks and the establishment of end-to-end host security. Implementation of access and identity management controls to have your data in legal hands. Ability to use encryption, configuring wireless security for information safety purposes. Figure 2. CompTIA Security Certifications Pathway About the CompTIA Security+ Exam      Exam Number: SY0-601 CompTIA Security+ Duration: 90 minutes Number of Questions: Maximum 90 Types of Questions: Multiple choice & performance-based Passing Marks: 750 The CompTIA Security+ Exam (SY0-601) is a 90-minute qualifying exam with a maximum of 90 questions for the CompTIA certification. The CompTIA Security+ Exam certifies the 25 CompTIA Certification: Security + successful applicants with the awareness and skills needed to configure and install the systems to secure the networks, devices, & applications. This exam measures your ability to accomplish the following technical tasks:      Attacks, Threats, and Vulnerabilities (24%) Architecture and Design (21%) Implementation (25%) Operation and Incident Response (16%) Governance, Risk, and Compliance (14%) How to become Security+ certified? Step 1: Choose a certification: Explore what is available and choose an IT certification that will benefit you in accomplishing your career target. To study various IT career tracks and to choose the best certification for yourself, you can use the “CompTIA Career Roadmap.” CompTIA has four core IT certifications: IT Fundamental, A+, Network+, and Security+ that examine your knowledge from entry to the expert level. If you have the skills to secure a network & deter hackers and want to become a highly efficient IT Security Tech, CompTIA Security+ is the right type of certification. Step 2: Learning & Training: Exam preparation can be done through self-study with textbooks, practice exams, and online classroom programs. However, this course provides you with all the information and offers complete assessments in one place to help you pass the CompTIA Security+ Exam. IPSpecialist provides full support to the candidates in order for them to pass the exam. Step 3: Familiarization with Exam: A great suggestion is to first understand what you are training for. For that, we are providing you not only the exam objectives but practice questions too, in order to give you a thorough idea about your final exam of certification. Step 4: Register & Take Exam for Certification: After all the learning process, the next step is to take your test. Certification exams are offered at different locations all over the world. To register for an exam, contact the authorized test delivery partner of CompTIA, contact Pearson VUE. The following are the steps for registration and scheduling an exam: 1. Buy the exam voucher from here, “Buy a certification exam voucher.” 2. Find and visit a testing center, “testing center.” 3. Create a Pearson VUE account & Schedule your exam. Here is a link for that “Create a Pearson VUE testing account and schedule your exam.” 26 CompTIA Certification: Security + 4. You will receive a confirmation email having testing information after the registration process. 5. You are ready for the test. Step 5: Results: After you complete an exam at an authorized testing center, you will get immediate, online notification of your pass or fail status. If you have passed the exam, a congratulatory email will be forwarded to you with guidelines to access your record. Make sure to keep a record of the email address you used for the registration and score report with an exam registration number. This information is required to log in to your certification account. The CompTIA Security+ certification exam will verify the successful candidate has the knowledge and skills required to:     Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions Monitor and secure hybrid environments, including cloud, mobile, and IoT Operate with an awareness of applicable laws and policies, including principles of governance, risk, and compliance Identify, analyze, and respond to security events and incidents This is equivalent to two years of hands-on experience working in a security/systems administrator job role. Recommended Knowledge                Compare and contrast different types of social engineering techniques. Analyze potential indicators to determine the type of attack. Analyze potential indicators, associated with application attacks. Analyze potential indicators, associated with network attacks. Explain different threat actors, vectors, and intelligence sources. The security concerns associated with various types of vulnerabilities. Summarize the techniques used in security assessments. The techniques used in penetration testing. The importance of security concepts in an enterprise environment. Summarize virtualization and cloud computing concepts. Summarize secure application development, deployment, and automation concepts. Summarize authentication and authorization design concepts. Implement cybersecurity resilience. The security implications of embedded and specialized systems. The importance of physical security controls. 27 CompTIA Certification: Security +                     The basics of cryptographic concepts. Implement secure protocols. Implement host or application security solutions. Implement secure network designs. Install and configure wireless security settings. Implement secure mobile solutions. Apply cybersecurity solutions to the cloud. Implement identity and account management controls Implement authentication and authorization solutions. Implement public key infrastructure. Use the appropriate tool to assess organizational security. The importance of policies, processes, and procedures for incident response. Given an incident, utilize appropriate data sources to support an investigation. Given an incident, apply mitigation techniques or controls to secure an environment. Explain the key aspects of digital forensics. Compare and contrast various types of controls. The importance of applicable regulations, standards, or frameworks that impact organizational security posture. The importance of policies to organizational security. Summarize risk management processes and concepts. Explain privacy and sensitive data concepts in relation to security. All the required information is included in this course. Domain Percentage Domain 1 Attacks, Threats, and Vulnerabilities 24% Domain 2 Architecture and Design 21% Domain 3 Implementation 25% Domain 4 Operation and Incident Response 16% Domain 5 Governance, Risk, and Compliance 14% 28 Chapter 01: Threats, Attacks, and Vulnerabilities Chapter 01: Threats, Attacks, and Vulnerabilities Technology Brief In this chapter, we will discuss the basic concepts of social engineering and how it works. This technique is different from other information-stealing techniques that have been discussed. All the tools and techniques used for hacking a system looked at so far are technical and require a deep understanding of Networking, Operating Systems, and other domains. Social Engineering is a non-technical technique for obtaining information. It is one of the best common techniques because it is easy to use. This is because humans are very careless and are prone to making mistakes. There are several components to security, but humans are the most important component. All security measures depend upon the human being. If a user is careless about securing his/her login credentials, all security architectures will fail. Spreading awareness, training, and briefing users about social engineering, social engineering attacks, and the impact of their carelessness will help to strengthen security from endpoints. This chapter will provide an overview of social engineering concepts and types of social engineering attacks. Here, you will learn how different social engineering techniques work, what insider threats are, how an attacker impersonates someone on social networking sites, and how all of these threats can be mitigated. Let's start with social engineering concepts. This chapter will discuss the concept of wireless networks, threats and vulnerabilities, attacks on wireless technologies, and some defense techniques. An Overview of Social Engineering Techniques Social Engineering is the art of extracting sensitive information from people. Social Engineers play with human psychology and trick people into sharing their valuable information. In Information Security, footprinting through social engineering is done for gathering information such as:        Credit card information Usernames and passwords Security devices and technology information Operating System information Software information Network information IP address and name server’s information 29 Chapter 01: Threats, Attacks, and Vulnerabilities There are different ways to perform social engineering. The different types of social engineering techniques are as follows: Phishing In the process of Phishing, emails sent to a targeted group contain messages that look legitimate. The recipient clicks the link as provided in the email, assuming that it is a legitimate link. Once the reader clicks the link, it redirects the user to a fake webpage that looks like an official website. For example, the recipient may be redirected to a fake bank webpage that then asks for sensitive information. Similarly, clicking on the link may download a malicious script onto the recipient’s system to fetch information. Smishing Smishing is an alternative type of phishing attack that tricks unsuspecting victims into handing over sensitive data via fraudulent SMS messages. This form of phishing is less common in the corporate world than spear phishing and vishing but could become more of a threat as we see an increase in the use of bring-your-own-device (BYOD) in work environments. Vishing Vishing is an attack-type related to phishing since it attempts to trick and persuade victims to reveal sensitive data over a social engineering attack. A victim may receive a pre-recorded message on their phone which specifies that there has been suspicious activity on their credit card, financial account, or other bank accounts. The victim is told to call a definite telephone number, where he must key in identification information. The identification information is commonly the connected PIN, account number, or/and password value. The victim thinks this information is being sent to a trusted source, as in their bank. However, it is being recorded by an attacker who intends to use it for fraudulent purposes. When calls are made using VoIP, authorities find it difficult to track because packets might pass through many different switches around the world instead of the circuit switching employed by traditional telephone lines. Spam Spamming is usually against the law, so the spammers do not want the traffic to appear as if it came from their equipment. They will look for mail servers on the Internet or within enterprise DMZs that have loosely configured relaying systems and utilize them to deliver spam. If a mail server's relays are set to "wide open," the mail server can receive any message and send it to any intended recipient. Antispam features, which are complete layer features, must be activated on mail servers. A company's mail server should only receive mail intended for its domain and should not forward communications to other dubious mail servers or domains. 30 Chapter 01: Threats, Attacks, and Vulnerabilities Spam over Internet Messaging (SPIM) Instant messaging spam (SPIM) or Spam over Internet Messaging is a type of spamming that practices instant messengers for this malicious action. Though this kind of spamming is not as common as e-mail spamming, it is certainly increasing over time. The fact that firewalls are incapable of blocking SPIM has made it more attractive for spammers. One technique to prevent SPIM is to enable the option of receiving immediate messages only from a known list of users. Spear Phishing A spear-phishing attack is a phishing attack that is crafted to trick a specific target and not a large generic group of people. Spear phishing targets individuals. If somebody distinguishes your particular likes, political motives, shopping habits, etc., the attacker can craft an attack directed only at you. If an attacker sends a spoofed e-mail that seems to have come from the mother with the subject line of “Emily’s Birthday Pictures” and an e-mail attachment, that will most likely think it came from the mother and open the file which will then infect the system. These generalized attacks take more time for the hacker to craft as unique information has to be assembled about the target, but they are more successful because they are more convincing. Dumpster Diving The process of looking for treasure in the trash is known as Dumpster Diving. This technique is old but quite effective. It consists of accessing the target's trash such as trash, printer, user desk, company trash to find phone bills, contact information, financial information, source codes, and other helpful material. Shoulder Surfing In Shoulder Surfing, information is collected by standing behind a target when he is dealing with sensitive information. Using this technique, passwords, account numbers, or other secret information can be gathered, depending upon the carelessness of the target. Pharming It is a form of cyber-attack in which a user is forwarded to a malicious website created by the attacker. Usually, this type of redirection happens without users’ acceptance or knowledge. 31 Chapter 01: Threats, Attacks, and Vulnerabilities Figure 1-01: Software Pharming Has Become Increasingly Popular in Recent Years Tailgating Tailgating is a technique in which an unauthorized person gains access to a restricted area by following the authorized person. Tailgating is easy when using Fake IDs and following the target closely while crossing checkpoints Whaling In a whaling attack, an attacker selects some "big fish" in a company (CEO, CFO, COO, CSO) and targets them because they have access to some of the firm's most sensitive data. The attack has been fine-tuned to maximize the chances of success. Identity Fraud Stealing information about the identity of another person is known as Identity fraud. Anyone with malicious intent may steal your identity by gathering documents such as utility bills and personal and other significant information and creating a new ID card to impersonate someone. This information may also be used to confirm the fake identity and then take advantage of it. 32 Chapter 01: Threats, Attacks, and Vulnerabilities Figure 1-02: Processes of Identity Theft Credential Harvesting Credential Harvesting is also known as password harvesting. The attacker sends the victim a captivating message, typically an email containing a tenable subject and a hyperlink or maybe an attachment, leading to a sign-in page associated with a legitimate service that the victim is known to use. The most common are Google Drive, Office 365, and Dropbox. Once the victim logs in, their credentials are hijacked. The attacker uses those credentials to access another system aligned with their objectives. Reconnaissance Reconnaissance is a primary preparation phase for the attacker to prepare for an attack by gathering data or information about the target before launching an attack by using 33 Chapter 01: Threats, Attacks, and Vulnerabilities different techniques and tools. Gathering information about the target creates it easier for an attacker. It helps to identify the target range for large-scale attacks. In passive Reconnaissance, a hacker obtains information about the target without directly interacting with the target. An example of passive reconnaissance includes searching social media to obtain the target’s information. Active Reconnaissance is obtaining knowledge by connecting directly with the target. Interacting with the target via emails, calls, the help desk, or technical departments are examples of active reconnaissance. Hoax This type of threat is where an organization is warned of a particular problem and then asked for money to solve or remove it. These types of threats can be sent through email, through Facebook posts, or tweets; the aim is to make money by fooling others. Impersonation Impersonation is a social engineering approach that uses people. Impersonation is the act of impersonating someone or something. Impersonation, here, implies pretending to be a legitimate user or pretending to be an authorized person. This impersonation may be either face-to-face or through a communication channel such as email or telephone communication, etc. Personal impersonation is identity theft carried out by an attacker when he/she has enough personal information about an authorized person. An attacker impersonates a legitimate user by providing the legitimate user’s personal information (either collected or stolen). Impersonating a technical support agent and asking for credentials is another method of impersonation for gathering information. 34 Chapter 01: Threats, Attacks, and Vulnerabilities Mind Map Figure 1-03: Mind Map of Social Engineering Techniques Malware Concepts The term malware is an umbrella term that describes a wide variety of potentially risky software. This malicious software is particularly designed to gain access to target machines, steal information, and harm the target system. Any software designed with the malicious intention that allows damaging, disabling, or limiting the control of the authorized owner and passing control of a target system to a malware developer or attacker, or allows any other malicious intent, can be considered malware. Viruses, Worms, Keyloggers, Spywares, Trojans, Ransomware, and other harmful software are among the many varieties of malware. Malware is now the most hazardous threat on the planet. Typical viruses and worms use outdated methodologies, whereas modern malware is designed to attack cutting-edge equipment, making it more deadly. How can Malware enter into your system? Malware takes advantage of the weaknesses and vulnerabilities in the operating system or the vulnerabilities introduced by accidentally clicking on the malicious links. A malware program starts running before the malware deploys itself on the system. How to keep malware away?    Make sure to keep Operating Systems up to date. Update all the Applications. Avoid clicking unnecessary or malicious links. 35 Chapter 01: Threats, Attacks, and Vulnerabilities  Use Anti-Virus / Anti-Malware software. Ransomware Ransomware is a malware program that restricts access to system files and folders by encrypting them. Some types of ransomware may lock the system as well. Once the system is encrypted, it requires a decryption key to unlock it and its files. An attacker then demands a ransom payment before providing the decryption key to remove restrictions. Online payments using digital currencies that are difficult to trace, like Ukash and Bitcoin, are used for ransoms. Ransomware is usually deployed by using Trojans. One of the finest examples of ransomware is the WannaCry Ransomware attack. Following are the most common and widely known types of ransomware:      Cryptobit Ransomware CryptoLocker Ransomware CryptoDefense Ransomware CryptoWall Ransomware Police-themed Ransomware Examples of Ransomware:  Crypto-Locker Trojan Any Malicious Program misleading the user about its actual intention is classified as a Trojan. Social Engineering normally spreads Trojans. The determination or most common use of Trojan programs are:          Creating a Backdoor Gaining Unauthorized Access Stealing Information Infecting Connected Devices Ransomware Attacks Using Victims for Spamming Using Victims as Botnet Downloading other Malicious Software Disabling Firewalls Trojans Types  Command Shell Trojans Command Shell Trojans are proficient as long as remote control of the command shell of a victim. The trojan server of command shell Trojan such as Netcat is installed on the target machine. The trojan server will open the port for command shell connection to 36 Chapter 01: Threats, Attacks, and Vulnerabilities its client application, installed on the attacker's machine. This Client-Server based Trojan delivers access to the Command line.  Defacement Trojans An attacker can access, change, and extract information from any Windows program using the Defacement Trojan. To leave their imprint, the attacker frequently replaces the string, graphics, and logos using this information. The attacker defaces applications using User-Styled Custom Application (UCA). Website defacement is very popularly known; it is similar to the concept of applications running on the target machine.  HTTP/HTTPS Trojans HTTP and HTTPS Trojans get across the firewall and execute on the target computer. After execution, they construct an HTTP/ HTTPS tunnel to interact with the attacker from the victim's PC.  Botnet Trojans The amount of hacked systems is referred to as a botnet (zombies). These infected systems are not restricted to a single LAN; they could be found all around the world. The Command and Control Center is in charge of these botnets. These botnets are used to carry out attacks like Denial of Service (DoS), spamming, and so on.  Proxy Server Trojans Trojan-Proxy Server is a stand-alone virus program that can transform your computer into a proxy server. The Proxy Server Trojan allows the attacker to utilize the victim's computer as a proxy by enabling the proxy server on the victim's PC. This method is used to launch further attacks while keeping the true source of the attack hidden.  Remote Access Trojans (RAT) RAT (Remote Access Trojan) permits the attacker to get remote desktop access to a victim's machine by permitting a Port that allows the GUI access to the remote system. RAT consist of a back door for maintaining administrative access and control over the victim. Using RAT, an attacker can monitor a user's activity, access confidential data and information, take screenshots, record audio and video by a webcam, alter files and format drives, etc. How to prevent this malware?    You must examine the software before installing it. Install only what is trusted. You must have a backup of your data. You must update the antivirus software and operating system. Trojan Construction Kit Trojan Construction Kit permits attackers to create their specific Trojans. These customized Trojans can be more dangerous for the target and the attacker if it backfires 37 Chapter 01: Threats, Attacks, and Vulnerabilities or is not executed appropriately. These modified Trojans created by using construction kits can avoid detection from viruses and Trojan scanning software. Some Trojan Construction Kits are:  Dark Horse Trojan Virus Maker  Senna Spy Generator  Trojan Horse Construction Kit  Pyrogenic mail Trojan Construction Kit  Pandora's Box Worms Different Viruses, Worms are capable of replicating themselves. This ability of worms makes them spread on a resident system very rapidly. Worms are propagating in many different forms since the 1980s. Some kinds of evolving worms are very destructive and responsible for devastating DoS attacks. It can move without human action or interference inside the computer or network. They spread and take over the system speedily. A well-known virus can be filtered over a next-generation intrusion prevention system or firewall. Example of worm:     Sobig worm of 2003 SQL Slammer worm of 2003 2001 attacks of Code Red and Nimba 2005 Zotob worm Command and Control The adversary establishes a two-way communication or command channel with its C2 server during the Command and Control (C2) phase. The adversary owns and manages this C2 server, which is used to relay commands to compromised machines. Adversaries can change the victim's searches and commands from afar. C2 channels have the following characteristics:    Victim opens two-way communication channel towards C2 Mostly, the C2 channel is on the web, DNS, or email C2 queries encoded commands Security defenders have one last chance in this kill chain to detect and stop the assault by blocking the C2 channel. An adversary cannot issue orders to the victim if the C2 channel is immediately disabled. Some strategies for security teams to guard against C2 communication are as follows:   Collect and block C2 IoC via Threat Intelligence or Malware analysis Need proxies for all types of traffic (HTTP, DNS) 38 Chapter 01: Threats, Attacks, and Vulnerabilities   DNS Sink Holing and Name Server Poisoning Monitoring network sessions Bots A bot is a piece of software that allows you to control a target remotely and perform predetermined activities. It has the ability to run automatic scripts via the internet. Bots are sometimes known as Web Robots or Internet Bots. Chatterbots and live chats are examples of bots that can be used for social purposes. Furthermore, they can also be used for malicious purposes in the form of malware. Hackers use malware bots to gain complete authority over a computer. Logic Bomb A Logic Bomb virus is aimed to persist in a sleep mode or waiting for the state until the end of a pre-determined period, or an event or action occurs. When the condition is met, it triggers the virus to exploit and perform the intentional task. These logic bombs are difficult to detect, as they cannot be detected in sleep mode, and once they are detected, it is too late. Spyware Spyware is software designed for gathering information about a user’s interaction by a system, such as login credentials, email address, and other details, without informing the user of the target system. Mostly, spyware is used for tracking a user’s internet interactions. The information obtained is sent to a remote destination. Spyware hides its processes and files to avoid detection. The most common types of spyware are:  Adware  System Monitors  Tracking Cookies  Trojans Features of Spyware There are several spyware tools available on the internet providing several advanced features such as:          Tracking users such as keylogging Monitoring user’s activity such as websites visited Recording conversations Blocking applications and services Remote delivery of logs Tracking email communication Recording removable media communication like USB Voice recording Video recording 39 Chapter 01: Threats, Attacks, and Vulnerabilities   Tracking location (GPS) Mobile tracking Keyloggers Keystroke logging, keylogging, or keyboard capturing is monitoring or recording actions performed by any user. For example, consider a PC with a keylogger for any purpose, such as monitoring a user. Each key pressed by the user will be logged by this tool. Keyloggers can be either hardware or software. The major purpose of using keyloggers is monitoring: copying data to the clipboard, capturing screenshots by the user, and screen logging by capturing a screenshot at every action. Figure 1-04: Different Types of Keyloggers Types of Keystroke Loggers  Software Keyloggers Software-based Keyloggers perform their function by logging actions to steal information from the target machine. Software-based keyloggers are either remotely installed or sent by an attacker to a user, and the user may then accidentally execute the application. Software keyloggers include:     Application Keyloggers Kernel Keyloggers Hypervisor-based Keyloggers Form Grabbing-based Keyloggers  Hardware Keyloggers Hardware-based Keyloggers are physical hardware or keyloggers that are installed on hardware by physically accessing the device. Firmware-based keyloggers require physical access to the machine to load the software into BIOS or keyboard hardware 40 Chapter 01: Threats, Attacks, and Vulnerabilities such as a key grabber. A USB is a physical device that needs to be installed in line with the keyboard. Hardware keyloggers are further classified into the following types:    PC/BIOS Embedded Keyloggers Keyloggers Keyboard External Keyloggers Hardware Keyloggers Hardware Keyloggers Website KeyGrabber USB http://www.keydemon.com/ KeyGrabber PS/2 http://www.keydemon.com/ VideoGhost http://www.keydemon.com/ KeyGrabber Nano Wi-Fi http://www.keydemon.com/ KeyGrabber Wi-Fi Premium http://www.keydemon.com/ KeyGrabber TimeKeeper http://www.keydemon.com/ KeyGrabber Module http://www.keydemon.com/ KeyGhost USB Keylogger http://www.keyghost.com/ KeyCobra Hardware Keylogger (USB and http://www.keycobra.com/ PS2) Table 1-01: Keylogging Hardware Devices Anti-Keyloggers Anti-Keyloggers are application software that guarantees protection against keylogging. This software excludes the threat of keylogging by providing SSL protection, keylogging protection, clipboard logging protection, and screen logging protection. Some AntiKeylogger software is listed below:    Zemana Anti-Keylogger ( https://www.zemana.com ) Spyshelter Anti-Keylogger ( https://www.spyshelter.com ) Anti-Keylogger ( http://anti-keyloggers.com ) How to prevent this malware?    Update anti-virus software Use the exfiltration process Set up firewall rules for the file transfer from a system 41 Chapter 01: Threats, Attacks, and Vulnerabilities  Use keylogger scanner Remote access Trojans (RATs) Remote Access Trojans (RATs) are malicious programs running on systems and allowing intruders to remotely access and use a system. They mimic legitimate remote control programs used for remote administration but are used for sinister purposes instead of helpful activities. Several RAT programs are available to the hacker (Back Orifice, SubSeven, Netbus, and others). Once the RAT is loaded on the victim’s system, the attacker can download or upload files, send commands, monitor user behaviors, install zombie software, activate the webcam, take screenshots, alter files, and use the compromised system as he pleases. Lab 1-01: HTTP RAT Trojan Case Study: Using HTTP RAT Trojan, create an HTTP Remote Access Trojan (RAT) server on a Windows 7 machine (10.10.50.202). When a Trojan file is executed on the remote machine (in our case, Windows Server 2016 with the IP address 10.10.50.211), it will create remote access to Windows Server 2016 on Windows 7. Configuration and Procedure: Go to a Windows 7 machine and run the HTTP RAT Trojan. 1. Uncheck “send a notification with IP address to mail.” 2. Configure Port. 3. Click “Create.” 42 Chapter 01: Threats, Attacks, and Vulnerabilities In the default directory where the application is installed, see a new executable file. Forward this file to the victim’s machine. 4. Log in to the victim’s machine (in our case, Windows Server 2016) and run the file. 5. Check the task manager for a running process; you will see an HTTP Server task is in process. 43 Chapter 01: Threats, Attacks, and Vulnerabilities 6. Go back to Windows 7. 7. Open a Web browser. 8. Go to the IP address of the victim’s machine; in our case, 10.10.50.211. The HTTP connection is open from the victim’s machine. You can check running processes and browse drives. You can also check the computer information of the victim by using this tool. 9. Click “Running Processes.” 44 Chapter 01: Threats, Attacks, and Vulnerabilities In the above output, the “running process” of the victim’s machine is shown. 10. Click “Browse.” The output shows drives. 11. Click “Drive C.” 45 Chapter 01: Threats, Attacks, and Vulnerabilities Output showing C drive. 12. Click “Computer Information.” The output shows computer information. 13. To terminate the connection, click “Stop_httpRat.” 46 Chapter 01: Threats, Attacks, and Vulnerabilities 14. Refresh the browser. The connection is successfully terminated. 15. Go to Windows Server 2016 and check the running processes. 47 Chapter 01: Threats, Attacks, and Vulnerabilities The HTTP server process is terminated. Rootkits A collection of software designed to distribute privileged access to a remote user over the targeted system is referred to as RootKits. Typically, rootkits are the group of malicious software deployed after an attack. Once an attacker has administrative access to the target system and can maintain privileged access for the future, it creates a backdoor for the attacker. Rootkits frequently mask the existence of its software that helps to avoid detection. Rootkits Types  Application Level Rootkits 48 Chapter 01: Threats, Attacks, and Vulnerabilities Application Level of Rootkits accomplishes manipulation of standard application files and change of the behavior of the current application with an injection of codes.  Kernel-Level Rootkits  The kernel is the core of an OS. Kernel-Level Rootkits are created by adding additional codes (malicious) or replacing the original Operating System kernel sections. Hardware/Firmware Level Rootkits Hardware/Firmware Level Rootkits are the type of rootkits that hide in hardware such as the hard drive, network interface card, system BIOS that are not inspected for integrity. These rootkits are built into chipsets and are used to recover stolen computers, delete data, or render them useless. Furthermore, rootkits raise privacy and security concerns due to undetectable spying.  Hypervisor Level Rootkits  Hypervisor Level Rootkits exploit hardware features like AMD-V (Hardwareassisted virtualization technologies) or Intel VT, which hosts the target OS as a virtual machine. Boot Loader Level Rootkits Bootloader Level Rootkits (Bootkits) replace a legitimate boot loader with a malicious one, enabling the Bootkits to activate before an OS run. Rootkits are a serious threat to system security as they can infect startup codes such as the Master Boot Record (MBR), Volume Boot Record (VBR), or boot sector. They can be used to attack full disk encryption systems and hack encryption keys and passwords. Rootkit Tools     Avatar Necurs Azazel ZeroAccess Backdoor It involves deploying a Backdoor on an organization’s computer to gain unauthorized access to the private network. Some other types of IoT attacks include:   Eavesdropping Sybil Attack 49 Chapter 01: Threats, Attacks, and Vulnerabilities       Exploit Kits Man-in-the-Middle Attack Replay Attack Forged Malicious Devices Side-Channel Attack Ransomware Attack Password attacks Passwords should never be sent or stored in plaintext. Most operating systems and applications run passwords through hashing algorithms, which generate hash values, also known as message digest values. The following practices should be followed to properly protect an environment against password attacks: • Passwords should not be sent in cleartext. • Encryption algorithms or hashing functions should be used to encrypt the passwords. • One-time password tokens should be used. • Difficult-to-guess passwords should be used. • Change passwords regularly. • An Intrusion Detection System (IDS) to detect suspicious behavior should be used. • Dictionary-cracking tools should be used to find weak passwords that users have chosen. • Make use of special characters, numbers, and upper- and lowercase letters. Password Attacks Types Password attacks are classified as one of three types: 1. 2. 3. 4. Spraying Dictionary Brute force Rainbow tables 5. Plaintext/unencrypted Dictionary Attack In a Dictionary Attack, a password-cracking application is used along with a dictionary file. This dictionary file contains the entire dictionary or a list of known and common words that can be used to try to recover a password. It is the most basic type of password cracking, and systems that use strong, unique, and alphanumeric passwords are usually not vulnerable to dictionary attacks. 50 Chapter 01: Threats, Attacks, and Vulnerabilities Exam Tip: L0phtCrack is a password recovery and auditing application. It is used to test the strength of passwords and, on occasion, to recover lost Microsoft Windows passwords using a dictionary, brute-force, hybrid attacks, and rainbow tables. Brute Force Attack A Brute Force Attack attempts to recover a password by trying every possible combination of characters. Each combination pattern is tried until the password is accepted. Brute forcing is the most common and basic technique for uncovering passwords. Online: The usage of proxy servers to provide internet anonymity has grown in popularity over time. Some people use it to keep their surfing habits hidden from others, allowing them to have more personal freedom and privacy. The same functionality is used by attackers to ensure that their activities cannot be traced back to their local computers. The following are some of the most popular online services:      Google Earth Google Map Bing Map Wikimapia Yahoo Map Offline: It is common for hackers to first determine whether an intrusion detection system (IDS) is present on the network they intend to attack. If one exists, the attacker may use a denial-of-service attack to bring it down. These activities aim to either disable the IDS or distract network and security personnel so that they are busy chasing the wrong packets while the real attack occurs. Rainbow Table The Rainbow Table is a table that contains every possible password and has performed all of the calculations. It is also known as a "pre-built set of hashes." The password can be determined in a few seconds by matching up the hashes, but it does not work with salted hashes. Using a rainbow table to compare passwords is an example of an offline attack. Every possibility To generate a rainbow table, every possible combination of characters is computed for the hash. The attacker captures the target's password hash and compares it to the rainbow table when a rainbow table contains all possible precomputed hashes. 51 Chapter 01: Threats, Attacks, and Vulnerabilities The Rainbow table has the advantage of having all hashes precomputed. As a result, it only takes a few moments to compare and reveal the password. A rainbow table's limitation is that it takes a long time to generate a rainbow table by computing all hashes. The utilities you can use to generate rainbow tables are winrtgen, GUI-based generator, rtgen, and command-line tool. The following hashing formats are supported:  MD2  MD4  MD5  SHA1  SHA-256  SHA-384  SHA-512 and more hashing types Exercise Open Winrtgen application, Click Add table button table. to add a new Rainbow As needed, choose Hash, Minimum length, Maximum length, and another property. 52 Chapter 01: Threats, Attacks, and Vulnerabilities Choose a Charset value; possibilities include Alphabets, Alphanumeric, and various character combinations, as indicated in the diagram below. Click Benchmark Button to Estimate Hash Speed, Step Speed, Table PreComputation time, and other parameters. Click Ok to proceed. 53 Chapter 01: Threats, Attacks, and Vulnerabilities Click Start to Compute. Compiling all hashes will take a long time. 54 Chapter 01: Threats, Attacks, and Vulnerabilities Once completed, the Window Table can be found in the directory. Plaintext/Unencrypted The attacker has encrypted data as well as plain text in this type of attack. The plain text assists an attacker in breaking the cryptography, and it is referred to as a "crib." Physical attacks Physical attacks involve breaching the physical security that protects information systems. It can be as simple as walking into a building and sitting down at a computer system in a facility with low physical security or public access. Here is a list of some of the different types of physical assaults:      Malicious universal Serial Bus (USB) cable Malicious flash drive Card cloning Skimming 55 Chapter 01: Threats, Attacks, and Vulnerabilities Supply Chain Attacks A supply chain attack is a cyber-attack that seeks to harm an organization by focusing on less secure supply chain elements. Supply chain testing is typically directed at companies and organizations that the client organization wishes to examine to determine whether suppliers have adequate security controls in place. It is common practice to request audit and assessment documentation from suppliers. Cloud-based vs. On-premises Attacks Cloud-based Cloud-based DLP is used by many organizations, which is between the users and the internet. Every bit that goes through the DLP tool means it watches every bit of network traffic. Everything takes place in the cloud, and no hardware or software is required for this purpose. Cloud-based systems Cloud Computing is an advancement in architecture where computing devices are outsourced to a third party. By renting a virtual machine hosted by a trusted third party, cloud computing eliminates the need for on-premises devices. This type of remote computing improves efficiency, performance, scalability, and security. There are three types of cloud computing models. Cloud Computing Service Types The three types of cloud computing services are as follows: ● Infrastructure-as-a-Service (IaaS) ● Platform-as-a-Service (PaaS) ● Software-as-a-Service (SaaS) On-premises It is a type of model that uses the same legacy IT infrastructure and runs cloud resources within its own data center. It is also called the private cloud to provide dedicated resources while maintaining total control and ownership of the environment. Cryptography Attacks Cryptography attacks are intended to recover an encryption key. Once an attacker obtains the encryption key, they can decrypt all messages. Weak encryption algorithms are vulnerable to cryptographic attacks. Cryptanalysis is the process of identifying flaws in a code, encryption algorithm, or key management scheme. It can be used to either strengthen or decrypt a cryptographic algorithm. Birthday A type of cryptographic attack that takes its function and exploits it through the birthday problem in probability theory states that there is a 50% chance that two people 56 Chapter 01: Threats, Attacks, and Vulnerabilities share the same birthday in a class of 23 students. The following equation can be used in mathematics: 1.25 k 1/2 k = the size of the set of possible values Collisions Collision refers to the hash collision that means two different plaintexts have the same hash value. This is a rare condition that should not exist in a hash algorithm. The hashing process accepts an infinite number of inputs and produces a finite number of outputs. Consider the following scenario: an attacker discovers a hash collision between a legitimate and an altered document. The attacker can now easily fool the target while remaining undetected. Figure 1-05: Hash Collision Downgrade The use of some weak cryptographic algorithm instead of a strong algorithm may result in a downgrade attack. For example, a downgrade attack was used in 1995 with web servers. 57 Chapter 01: Threats, Attacks, and Vulnerabilities Mind Map Figure 1-06: Mind Map of Potential Indicators Web Application Attacks Other web application related attacks include:        Cookie Tampering DoS Attack SQL Injection Session Hijacking Cross-Site Request Forgery (CSRF) Attack Cross-Site Scripting (XSS) Attack Buffer Overflow Privilege Escalation This network intrusion assault takes use of programming faults or design defects to give the attacker enhanced access to the network and its data and applications. A design flaw, bug, or configuration oversight in a software application or operating system is exploited with privilege escalation to access applications or user-protected resources. An unauthorized user will not always be provided full access to a targeted system. The privilege escalation is essential in these circumstances. The privilege escalation is of two types: vertical and horizontal. Privilege Escalation is further more classified into two types: 1. Horizontal Privileges Escalation 58 Chapter 01: Threats, Attacks, and Vulnerabilities 2. Vertical Privileges Escalation Horizontal Privileges Escalation In Horizontal Privileges Escalation, an attacker tries to take command of the privileges of another user with the same set of privileges on their account. Horizontal privileges escalation occurs when attackers attempt to access the same set of resources allowed for a particular user. Consider an example of horizontal privileges escalation where you have an Operating System with multiple users, including an Administrator having full privileges, User A and User B, and so on, with limited privileges for running applications only (so not allowed to install or uninstall any application). Each user is given the same level of access. User A gains access to User B by exploiting any weakness or vulnerability. User A can now control and access User B's account. Escalation of Vertical Privileges In order to escalate privileges to a higher level, an attacker must first get access to the system in Vertical Privileges Escalation. Vertical privilege escalation occurs when an attacker tries to gain access, most commonly to the administrator account. Higher privileges grant the attacker access to sensitive information and install, modify, and delete files and programs such as viruses and Trojans. Privilege Escalation Using DLL Hijacking Applications need Dynamic Link Libraries (DLL) to run executable files. Most applications search for DLL in directories in the Windows Operating System rather than using a fully qualified path. Taking advantage of this legitimate DLL replaces malicious DLL. Malicious DLLs are renamed legitimate DLLs. These malicious DLLs replace legitimate DLLs in the directory; the executable file will load malicious DLL from the application directory instead of the real DLL. 59 Chapter 01: Threats, Attacks, and Vulnerabilities Figure 1-07: Vertical Privilege Escalation Cross-site Scripting The acronym for Cross-site scripting is XSS. A cross-site scripting attacker conducts a scripting attack by sending a crafted link containing a malicious script. The script will be executed when the user clicks on this malicious link. This script could be programmed to extract Session IDs and send them to the attacker. An attacker performs a Cross-site Scripting Attack by sending a crafted link with a malicious script. When the user clicks the malicious link, the script is executed. This script might be coded to extract and send the session IDs to the attacker. Cross-site Request Forgery Attack A Cross-site Request Forgery (CSRF) attack is the process of obtaining a legitimate user’s session ID and exploiting the active session with the trusted website to perform malicious activities. Injections In an Injection Attack, the system accepts data from a user without any validation. Untrusted input is supplied to a program. An interpreter processes it as part of a command that alters the execution of the program. Injection attacks are of four types:     Structured Query Language (SQL) Dynamic-Link Library (DLL) Lightweight Directory Access Protocol (LDAP) Extensible Markup Language (XML) Structured Query Language (SQL) SQL Injection Attacks use SQL websites or web applications. They rely on the strategic injection of malicious code or script into existing queries. This malicious code is drafted to reveal or manipulate data stored in the tables within the database. It is a powerful and dangerous attack that finds vulnerabilities in a website or application. The concept of SQL injection is to inject commands to reveal sensitive information from the database, which results in a high-profile attack. It is used to add, modify, and delete data in the database. Dynamic Link Library (DDL) DLL (Dynamic Link Library) injection is the process of inserting a library into a program that contains a specific vulnerability. DLL injection also provides a point of entry for 60 Chapter 01: Threats, Attacks, and Vulnerabilities threat actors. Applications need Dynamic Link Libraries (DLL) to run executable files. Most applications search for DLL in directories in the Windows Operating System rather than using a fully qualified path. Taking advantage of this legitimate DLL replaces malicious DLL. Malicious DLLs are renamed legitimate DLLs. These malicious DLLs replace legitimate DLLs in the directory; the executable file will load malicious DLL from the application directory instead of the real DLL. Figure 1-08: Dynamic-Link Library Injection Lightweight Directory Access Protocol (LDAP) The Lightweight Directory Access Protocol (LDAP) acronym for Lightweight Directory Access Protocol LDAP is a free and open internet protocol. The LDAP is a protocol for accessing and maintaining hierarchical and logical distributed directory information services. A directory service is useful because it allows users, systems, networks, and service information to be shared across the network. LDAP provides a centralized location for storing usernames and passwords. To validate users, applications and services connect to the LDAP server. THE CLIENT STARTED an LDAP session sending an operation request to the Directory System Agent (DSA) via TCP port 389. The communication between client and server uses Basic Encoding Rules (BER). Directory services using LDAP include:      Active Directory Open Directory Oracle iPlanet Novell eDirectory OpenLDAP Pointer/Object Dereference Dereferencing a pointer is the process of inquiring about the value stored in the memory addressable by the pointer. The program may dereference a null pointer, resulting in a 61 Chapter 01: Threats, Attacks, and Vulnerabilities Null Pointer Exception. Null pointer errors are typically caused by a breach of one or more programmer assumptions. The attacker may use the resulting exception to circumvent security logic or cause the application to reveal debugging information useful in planning future attacks. Directory Traversal Directory Traversal Attack is a type of attack in which an attacker attempts using a trial and error method to access restricted directories by applying dots and slash sequences. Through accessing the directories outside the root directory, the attacker can reveal sensitive information about the system. Access to web content should be controlled properly for running a secure web server. Directory traversal is an HTTP attack in which restricted directories are allowed, and the commands are executed outside the root directory of the web server’s commands. This vulnerability can also exist in the web application code or the web server software itself. A directory traversal attack is simple to carry out if you know where to look for any default files and folders on the system and have access to a web browser. The main levels of security mechanisms for web servers are:   Access Control Lists (ACLs) Root directory Access Control Lists These are used in the authorization process. A web server’s administrator uses this list of users or groups authorized to access, execute, or modify particular files on the server and other access rights. Root Directory It is a directory on the server file system to which users are confined: they can access nothing above this root. For example, if the default root directory were C:\Inetpub\wwwroot, access to C:\Windows is not possible, but access to any other directories under the root directory is possible. Users are prevented from accessing any files on the server through the root directory. The prevented file may include the /etc/passwdfile on Linux/UNIX platforms and C:\WINDOWS/system32/win.ini on Windows platforms. Opening an Opportunity to an Attacker This vulnerability allows stepping out of the root directory. Also, other parts of the file system can be accessed. The attacker can view the restricted files, which could help provide more information to further compromise the system. 62 Chapter 01: Threats, Attacks, and Vulnerabilities An attacker can use a system vulnerable to directory traversal to exit the root directory and access other parts of the file system. It may allow the attacker to view restricted files, which may provide him/her with additional information to further compromise the system. Access depends on what the user has been permitted to access in the system. Directory Traversal Vulnerabilities Check A Web Vulnerability Scanner is used to check whether a website and web applications are vulnerable to directory traversal attacks. In this scan, the entire website is automatically checked for directory traversal vulnerabilities. Further, a report on existing vulnerabilities and how to fix them is generated. As well as directory traversal vulnerabilities, SQL injection, cross-site scripting, and other web vulnerabilities are also checked. Preventing Directory Traversal Attacks The first step is to ensure that the latest version of your web server software is installed and all patches have been applied. Secondly, user input is filtered effectively, which includes the data that is known to the user. Only the data entered in the field will be submitted to the server. Buffer Overflow One of the most common types of operating system attacks is a buffer overflow. It has something to do with software exploitation attacks. A buffer overflow occurs when a program or application lacks well-defined boundaries, such as restrictions or predefined functional areas regarding the amount of data it can handle or the type of data inputted. It causes Denial-of-Service (DoS) problems, rebooting, gaining unrestricted access, and freezing. What causes it to happen?    Owing to an overabundance of data in the buffer memory When a program or process attempts to write more data to a fixed-length block of memory (a buffer) Coding errors The impact of buffer overflow is that it provides an entry point for threat actors as well as causing the system to crash or abort the program. How to prevent it? Open Web Application Security Project (OWASP) defines some general techniques to prevent buffer overflows include: 63 Chapter 01: Threats, Attacks, and Vulnerabilities      Code auditing (manual or automated) Developer training – bounds checking, use of unsafe functions, and group standards Non-executable stacks – many operating systems support this in some way Compiler tools – StackShield, StackGuard, and Libsafe, among others Safe functions -Use strncat instead of strcat, strncpy instead of strcpy, and so on. Patches – Keep your web and application servers fully patched, and keep an eye out for bug reports relating to applications on which your code depends. Scan your application regularly with one or more widely available scanners that look for buffer overflow flaws in your server products and custom web applications. Race Conditions When a computing system is forced to perform two or more operations simultaneously, the condition is called a race condition. The system was designed to handle tasks in a specific sequence. A time gap between the moment a service is initiated and the moment a security control takes effect is beneficial for the technique. The race condition comes either with untrusted processes causing interference or a trusted process causing interference; the attack depends on multithreaded applications. In a race condition, different processes can interfere with each other without having proper control. This vulnerability is also referred to as Time of Check/Time of Use or TOC/TOU attacks. How a Race Condition Attack Takes Place Race condition attack shows the vulnerability when dealing with web applications, networking environments, and file systems. Its target list includes an access control list, financial ledger, payroll or human resources database, transactional system, or another data repository. In this attack, there is a very small window of opportunity available for attackers to exploit. This attack offers some unintended consequences, but still, they are difficult to be detected. Anatomy of a Race Condition Flaw An application or database updating, i.e., numbers, names, and the most current state of information, may result in a race condition attack because, during the update process, the database is not completely rewritten. The update then results in a gap that can last less than a second or up to a few minutes and makes the system unprotected. This gap period allows an attacker to send queries for compromising the system, and a race condition attack result. 64 Chapter 01: Threats, Attacks, and Vulnerabilities Impact of a Race Condition Attack After compromising the system with a race condition attack, it becomes possible to steal data, alter, manipulate, and insert malicious code, make changes to privileges, and deactivate security controls. Error Handling Encountering errors and exceptions in an application is common and needs to be handled securely. One attack methodology forces an error to move applications from normal to exceptional handling. If the exception handling is incorrect, it can lead to a wide range of disclosures. For example, SQL errors disclose data elements and structures. RPC (Remote Procedure Call) errors can disclose sensitive information such as server, filename, path, and programmatic errors, such as stack element or line number on which an exception occurred. Lack of Error Handling The error message includes sensitive information about its users, environment, and associated data. The error information provided by the server may be used to launch a more focused attack. For example, a path traversal weakness exploitation in any application produces the complete pathname of the installed application, which may provide a way to find the proper number of and sequences to navigate to the targeted file. The query logic and even passwords or other sensitive information used within the query are revealed with an error message, which may be used for a later attack or private information stored in the server. The implementation of an architectural security tactic causes this weakness. Example of Error Handling The function “Get User Bank Account” retrieves a bank account object from a database using the specified username and account number to query the database. An error message is generated and written to a log file when a SQL Exception occurs while querying the database. Sensitive information about the database query is included in the error message that exposes the table name and column names used in the database. This information simplifies other attacks, such as SQL injection, to access the database directly. Error Handling Implementation Ensure that error messages only contain information relevant to the intended audience and no one else. The messages must strike a balance between being too cryptic and being insufficiently cryptic. They are not required to reveal the methods used to determine the error. Such detailed information can be used to improve the original attack's chances of success. 65 Chapter 01: Threats, Attacks, and Vulnerabilities If errors must be tracked in some detail, capture them in log messages, but consider what might happen if attackers can view them. Passwords, for example, should never be recorded in any form. Avoid inconsistent messaging that could accidentally reveal internal states to an attacker, such as whether a username is valid or not. Exceptions should be handled internally, and errors containing potentially sensitive information should not be displayed to the user. Overly Verbose Error Handling The risk may also be presented with overly verbose error handling routines. The detailed explanation of the inner workings of code invites an attacker to exploit the code. For example, an error message appearing on a website may contain details of the SQL query by which the table structure is determined and assist in carrying out an attack. Improper Input Handling As we move toward web-based applications, errors have shifted from buffer overflow to input handling issues. Improper Input Handling is the primary cause of an injection attack, memory overflow, or structure error. Allowing invalid inputs can be disastrous. When handling input, trust no one and handle all of it properly. The impact of improper input handling is the increase of the attacker’s privilege level. Replay Attack In a Replay Attack, an attacker captures packets using a packet sniffer tool. After capturing packets, relevant information such as passwords is extracted. An attacker gains access to the system by generating replay traffic with the injection of extracted information. Session Replay Attack Another technique for session hijacking is the Session Replay Attack. Attackers steal the authentication token intended for the server from users and use it to replay the request to the server, resulting in unauthorized access to the server. Resource Exhaustion When the system lacks all of the resources required for the function to function, this is referred to as resource exhaustion. A system failure is the result of this type of vulnerability. Memory Leak When memory is allocated during program execution and never unassigned after use, it eventually consumes all available memory, causing the system or application to crash. 66 Chapter 01: Threats, Attacks, and Vulnerabilities Secure sockets layer (SSL) stripping Secure Sockets Layer (SSL) is a newer VPN technology that operates at a higher layer in the OSI model than the VPN protocols previously discussed. It protects HTTP traffic by working at the transport and session layers of the network stack. Because most online browsers already have SSL capability, deployment and compatibility difficulties are low. • Works at the transport layer and protects mainly web-based traffic • Granular access control and configuration are available • Easy deployment since SSL is already embedded into web browsers • Can only protect a small number of protocol types, thus is not an infrastructure-level VPN solution Pass the Hash A Pass the Hash (PtH) attack is an exploit in which an attacker captures a hashed username and password or other credentials and uses the hash directly without cracking it. This attack bypasses the standard authentication layers that require a clear text password and directly enters the portion of authentication that uses the hash password. Mind Map Figure 1-09: Mind Map of Application Attacks Network Attacks The Cisco NGIPS Solution offers comprehensive network visibility, automation, security intelligence, and next-generation protection. To detect emerging sophisticated network 67 Chapter 01: Threats, Attacks, and Vulnerabilities attacks, it employs the most advanced and effective intrusion prevention capabilities. It continuously collects network information, such as operating system information, file, and application information, device and user information. This data assists NGIPS in determining network maps and host profiles, providing context for making better decisions about intrusive events. A replay attack is a type of network attack in which legitimate data transmission is maliciously or fraudulently repeated to gain unauthorized access. Wireless Wireless networks are a very common and popular technology. Because of the ease and mobility of the wireless network, it has been replacing the installation of wired networks. Using wireless networks increases not only mobility but also flexibility for end-users. One more advantage of wireless technology is that it helps connect remote areas where wired technology is difficult to implement. In the early days of wireless technology, the network was not secure enough to protect information. However, many encryption techniques are used nowadays to secure wireless communication channels. Wireless Network Concepts A wireless network is a type of computer network that can send and receive data over a wireless medium such as radio waves. The primary benefit of this type of network is the lower cost of wires and devices and the ease of installation compared to the complexity of wired networks. Wireless communication is typically based on radio communication. Depending on the requirements, different frequency ranges are used for various types of wireless technology. Cell phone networks, satellite communications, microwave communications, and other wireless networks are the most common examples. Personal, Local, and Wide Area Networks are common applications for these wireless networks. The most common types of Wireless networks are:  Evil Twin  Rogue Access Point  Bluesnarfing  Bluejacking  Disassociation  Jamming  Radio Frequency Identifier (RFID)  Near-Field Communication (NFC)  An Initialization Vector (IV) 68 Chapter 01: Threats, Attacks, and Vulnerabilities Evil Twin In an Evil Twin attack, an attacker facilitates a fraudulent Wi-Fi access point or any other radio device that appears legitimate but is set up to compromise wireless communication. An evil twin attack may be used to steal passwords and other credentials without user knowledge. An attacker creates an evil twin with internet devices and smartphones or some open source software by creating an easy access hotspot and placing the device near the target with a strong signal. Rogue Access Point A Rogue Access Point Attack is a technique whereby a legitimate wireless network is replaced with a rogue access point, usually with the same SSID. The user assumes the rogue access point as the legitimate access point and connects to it. Once a user is connected to the rogue access point, all traffic will direct through it, and the attacker can sniff the packet to monitor activity. Bluesnarfing Bluesnarfing is another technique in which attackers steal information from Bluetoothenabled devices. In Bluesnarfing, attackers exploit the security vulnerabilities of Bluetooth software, access Bluetooth-enabled devices, and steal information such as contact lists, text messages, email, etc. Bluejacking In a Bluejacking attack, someone sends an unsolicited message to a Bluetooth-enabled device. Bluejackers search for a receiving device (phone, PDA, tablet PC, or laptop) and then send data to the ISP. Often, the Bluejacker attempts to send someone else their business card, which will be added to the victim's address book contact list. Someone sends an unsolicited message to a Bluetooth-enabled device in a Bluejacking attack. Bluejackers look for a receiving device (PDA phone, tablet PC, or laptop) before sending data to the ISP. Often, the Bluejacker will try to send their business card to someone else, which will be added to the victim's address book contact list. Note: Bluesnarfing is unauthorized access from a wireless device through a Bluetooth connection. It permits access to a calendar, contact list, e-mails, and text messages, and on some phones, users can copy pictures and private videos. Jamming A Jamming Attack uses signals to prevent devices from communicating with each other as well as with the server. 69 Chapter 01: Threats, Attacks, and Vulnerabilities Radio Frequency Identifier (RFID) Radio-Frequency Identification (RFID) uses the electromagnetic field and refers to a technology whereby a reader reads digital data encoded in labels or tags via radio waves. It is used to automatically classify and track tags attached to objects or to gain access to a secured area. Radio-Frequency Identification (RFID) is a data communication technology that uses radio waves. An electronic tag is embedded in an object and can be identified and communicated using a reader. The tag includes an integrated circuit for storing and processing data, modulating and demodulating an RF signal, and performing other specialized functions. The reader includes an antenna for receiving and transmitting signals. For access control purposes, this technology can be integrated into smart cards or other mobile transport mechanisms. Theft is a common RFID security issue. RFID (Radio Frequency Identification) attacks include a variety of techniques such as:     Data Capture Spoof the Reader Denial of Service Decryption of Communication Near Field Communication (NFC)    It is commonly used when the communication is between the mobile device and a device that is nearby. They are commonly used in the payment system. Also used to help with other wireless technologies like, it is used to help the pairing process for Bluetooth, also used as an identity system where one can identify themselves using the phone. Some of the security concerns with NFC are as follows:     It is a wireless network (although short-range), but someone with an antenna can capture and listen to the conversation. Someone could jam the frequency and attack through denial of service. There is also a concern about replay attacks. If an NFC device is lost, it could be a major security issue because the person who stole the device will use that NFC instead of the legitimate user. Initialization Vectors (IV) Vectors of Initiation Initialization vectors (IVs) are random values used with algorithms to prevent patterns from forming during the encryption process. They are used in 70 Chapter 01: Threats, Attacks, and Vulnerabilities conjunction with keys and do not need to be encrypted before being sent to their destination. If no IVs are used, two identical plaintext values encrypted with the same key will produce the same ciphertext. Giving attackers these types of patterns can make it easier for them to break the encryption method and discover the key. For example, if we have the plaintext value “See Spot run” twice in our message, we must ensure that, despite the presence of a pattern in the plaintext message, no pattern is created in the resulting ciphertext. As a result, the algorithm employs both the IV and the key to increase the randomness of the encryption process. In the below figure, as shown, the sender and receiver must have the same key to generate the same keystream. Figure 1-10: Initialization Vectors (IV) Note: Fig: The sender and receiver must have the same key to generate the same keystream. Man-in-the-Middle Attack A Man-in-the-Middle Attack is the form of attack in which an attacker involves himself in the communication between other nodes. A MITM attack is defined as an attacker inserting himself/herself into a conversation between a user and another user or server by sniffing packets and generating MITM or Replay traffic. Some utilities for attempting Man-in-the-Middle (MITM) attacks are as follows:    SSL Strip Burp Suite Browser Exploitation Framework (BeEF) 71 Chapter 01: Threats, Attacks, and Vulnerabilities Figure 1-11: MITM Attack Man-in-the-Browser In Man-in-the-Browser, the attacker first infects the victim's machine using a Trojan. The Trojan installs malicious code on the victim’s machine in an extension that modifies the browser's configuration upon boot. Once a user logs in to a website, the URL is checked against a known list of the targeted websites. The event handler registers the event upon detection. Using a DOM interface, an attacker can extract and modify the values when the user clicks the button. The browser will send the form to the webserver with the modified entries. Because the browser displays the original transaction details, the user is unable to identify any interception. Figure 1-12: Man-in-the-Browser 72 Chapter 01: Threats, Attacks, and Vulnerabilities Layer 2 attacks Layer 2 uses the concept of VLANs or Private VLANs (PVLAN) to separate the traffic of two or more networks. The common layer 2 addresses Resolution Protocol (ARP) poisoning, Media Access Control (MAC) Flooding, MAC cloning, and so on. Address Resolution Protocol (ARP) Poisoning ARP is a stateless protocol that ensures communication within a broadcast domain by resolving the IP address to MAC address mapping. It is in charge of mapping L3 to L2 addresses. The ARP protocol ensures that IP addresses and MAC addresses are bound together. The switch can study the associated MAC address information from the reply of the specific host by broadcasting the ARP request with an IP address. If there is no map or the map is unknown, the source will be broadcast to all nodes. Only the node with a coordinating MAC address for that IP will respond to the demand with the MAC address mapping packet. The switch will feed the MAC address and its connection port information into its fixed length CAM table. Figure 1-13: Address Resolution Protocol (ARP) Poisoning Operation As shown in Figure 1-13, the source generates an ARP query by broadcasting the ARP packet. A node with the MAC address that the query is destined for will reply only to the packet. If CAM table entries are full, the frame is flooded out of all ports (other than the port on which the frame was received). This also occurs when the frame's destination MAC address is the broadcast address. The MAC flooding technique is used to turn a switch into a hub, in which the switch starts broadcasting every packet. In this scenario, each user can catch the packets, even those not intended. Media Access Control (MAC) Flooding 73 Chapter 01: Threats, Attacks, and Vulnerabilities MAC flooding is a technique in which an attacker sends random MAC addresses mapped with random IP to overflow the storage capacity of a CAM table. A switch then acts as a hub because a CAM table has a fixed length. It will now broadcast the packet on all ports, which helps an attacker sniff the packet with ease. A Unix/Linux utility, known as “macof,” offers MAC flooding. Using macof, a random source MAC and IP can be sent to an interface. Domain Name System (DNS) Domain Name System (DNS) includes DNS Poisoning, Cybersquatting, Domain Hijacking, and Domain Snipping. An attacker may try to spoof by poisoning the DNS server or cache. The credentials of internal users. The common Domain Name System (DNS) attack includes:  Domain hijacking  DNS poisoning  Universal resource locator (URL) redirection  Domain reputation Domain hijacking Theft of a cloud service domain name is referred to as domain hijacking. Similarly, Phishing scams can redirect users to a bogus website. DNS hijacking is a type of attack in which the threat actor gains access to the Domain registration and controls the traffic flow. Poisoning by DNS DNS poisoning is also referred to as DNS spoofing. In a DNS Poisoning attack, the threat actor modifies the DNS server so that when a user visits a website, it directs them to the incorrect site (a malicious site) that they did not intend to visit (or to the site, they were not going). DNS poisoning is accomplished by replacing the DNS configuration from a target's web browser. All web queries are directed to a malicious proxy server controlled by the attacker, redirecting traffic to malicious sites. There is a distinction to be made between Hijacking and Poisoning. Spoofing involves poisoning the DNS server's cache, whereas Hijacking involves hacking the router's DNS settings or planting malware. A DNS server updates its database if it receives a false entry. DNS servers maintain a cache in which this entry is updated to provide quick query resolution to improve performance. This poisonous false entry in DNS translation continues until the cache expires. Attackers use DNS poisoning to direct traffic to servers and computers owned or controlled by the attackers. 74 Chapter 01: Threats, Attacks, and Vulnerabilities How to prevent it?     Do not go to every website you come across. Create a password that is as strong as possible. Make use of anti-malware software. Being proactive can also keep you safe from cyber-attacks. Universal Resource Locator (URL) redirection Redirects are the exploitable vulnerabilities to steal user sessions. Destination URLs are passed by the web applications and then redirected at the end of their operation. Distributed Denial-of-Service (DDoS) DDoS is similar to Denial-of-Service in that an attacker generates fake traffic. In a Distributed DoS attack, multiple compromised systems attack a target to cause a denial of service. Botnets are used for carrying out a DDoS attack. A Denial-of-Service (DoS) attack on a system or network results in either denial of service or services, a reduction in functions and operation of that system, prevention of legitimate users accessing the resources. In short, a DoS attack on a service or network makes it unavailable for legitimate users. The DoS attack technique is to generates huge traffic to the target system requesting a specific service. This unexpected amount of traffic overloads the system’s capacity and either result in a system crash or unavailability. Figure 1-14: Denial-of-Service Attack 75 Chapter 01: Threats, Attacks, and Vulnerabilities Common symptoms of DoS attacks are as follows: • • • • • Slow performance Increase in spam emails Unavailability of a resource Loss of access to a website Disconnection of a wireless or wired internet connection How Distributed Denial-of-Service Attacks Work Usually, establishing a connection consists of a few steps in which a user sends a request to a server to authenticate it. The server returns with authentication approval, and the user acknowledges that approval. Then, the connection is established and allowed onto the server. During a denial-of-service attack process, an attacker sends several authentication requests to the server. These requests have fake return addresses, meaning the server cannot find a user to send authentication approval. The server usually waits more than a minute before closing the session. By continuously sending requests, the attacker causes many open connections on the server, resulting in the denial of service. Application A Distributed-Denial-of-Service Attack, as defined earlier, is intended to make the target’s services unavailable. Using a Distributed-DOS attack, all IoT devices, IoT gateways, and application servers can be targeted, and flooding requests toward them can result in a denial of service. Operational Technology (OT) Operational Technology is a broad term that covers the operational network of an organization, usually based on Industrial Control Systems (ICS). ICS refers to a control system based on devices, systems, and controls used for the operation or function of an automated industrial process. Different nature of industries utilizes different types of industrial controls having different functions with different protocols. ICS is used in almost every industrial sector, such as manufacturing, transportation, energy, aviation, and many more. The most common ICSs are Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS). Operational technology is defined by the National Institute of Standards and Technology as "programmable systems" or “devices that interact with the physical environment." These systems/devices detect or cause a direct change through monitoring and/or controlling equipment, processes, and events. Industrial control 76 Chapter 01: Threats, Attacks, and Vulnerabilities systems, building management systems, fire control systems, and physical access control mechanisms are examples of such systems. Figure 1-15: Overview of OT Environment Malicious Code or script execution Malicious Code is the most common attack in which a file containing malicious code stored in a USB runs when the user clicks on it. It then activates and installs some viruses such as a logic bomb or downloads other malware from the internet. The common Malicious Code or script execution are as follows:      PowerShell Python Bash Macros Virtual Basic for Applications (VBA) PowerShell PowerShell is a command-line shell and related scripting language that gives adversaries access to almost everything in Windows. Python Python is cross-platform, meaning it is run on Linux/Windows as long as it is installed on the operating system. It is an easily readable scripting language that uses .py file extensions. It uses block identification (tabs or white spaces) for group statements, and its second and third version is not backward compatible. bash A bash script is created as, place #! /bin/bash at the top of the file. From the current directory, execute the script as, /script name, and any parameters of anyone’s choice 77 Chapter 01: Threats, Attacks, and Vulnerabilities could be passed. The #! /path/to/interpreter is found while the shell is executing a script. Macros and Visual Basic for Application (VBA) Macros are programs that are typically used with Microsoft Office products and are written in Word Basic, Visual Basic, or VBScript. Macros help users automate actions that they would otherwise have to do manually. Instead of performing each action separately, users can create a series of activities and common tasks to perform when a button is clicked. A macro virus is a platform-independent virus built in one of these macro languages. They infect and proliferate in documents and templates. Macro viruses are common because they are simple to create, and widely used software such as Microsoft Office makes heavy use of macros. A Macro Virus is a kind of virus specially designed for Microsoft Word, Excel, and other applications using Visual Basic for Application (VBA). Macro languages help automate and create a new process used abusively by running on a victim's system. Mind Map Figure 1-16: Mind Map of Potential Indicators in Network Attacks 78 Chapter 01: Threats, Attacks, and Vulnerabilities Threat Actors One of the roles of information security professionals is to proactively define their organization’s systems and data. It, like any defensive strategy, necessitates knowledge of the adversary's tactics and motivations. CompTIA's Security+ Exam is intended to assess candidates' knowledge of the various types of threat actors and their characteristics. Adversary Tier When a company performs a black-box penetration test, one of the first questions it asks is, "Who would attack us and why?" Answering that question can assist management in making decisions about how a penetration test will be conducted, what techniques will be considered in the engagement, the scope of the test, and who will conduct it. Threat actors are frequently rated based on their capabilities. For example, script kiddies and casual hackers use pre-built tools to conduct their attacks, and most organizations consider their attacks to be nuisance-level threats. However, as you continue down the threat actors' adversary tiers as shown below Figure. The likelihood of a successful attack and compromise increases as professional hackers organized crime. The nationstate–level attackers such as Advanced Persistent Threats (APTs) enter your threat radar, which means that you should prepare for a breach and plan consequently. Each of these potential adversaries is likely to have a different goal in mind: hacktivists may want to make a political or social statement, whereas black hats and organized crime are more likely to be profit-driven. APT actors are typically focused on the goals of a nation-state, with other attacks motivated by different objectives. Figure 1-17: Adversary Tier 79 Chapter 01: Threats, Attacks, and Vulnerabilities Advance Persistent Threats (APT) Advance Persistent Threats are the most sophisticated threats for an organization. These threats require significant expertise and resources along with the combination of multiple attack vectors. They further require extended foothold and adoption of security controls placed in the target organization to evade and continually exfiltrate the information or achieve motives. Moreover, these threats pursue their objective over an extended period. Figure 1-18: Advance Persistent Threats NIST defines advanced persistent threat characteristics as: Consisting of Multi-Attack-Stage APT tactics, including pre-requisites and post-conditions Pursuing its objectives repeatedly over an extended period of time Stealth between the individual attack steps Adapting to defenders’ efforts to resist it Grouped set of adversarial behaviors and resources with common properties believed to be orchestrated by a single threat actor 7. Determined to maintain the level of interaction desirable to execute its objectives 8. Concerned with what data are exfiltrated and how 1. 2. 3. 4. 5. 6. A successful APT attack can be extremely beneficial for threat actors because of its sophistication and targeted nature. There could be extreme political objectives targeting 80 Chapter 01: Threats, Attacks, and Vulnerabilities military, defense, and other sensitive government bodies if state-sponsored. In smaller scope, APTs can be significant for competitive outcomes. Insider Threat One of the greatest dangers that associations face is insider threats. These incorporate the accidental loss of information of on-screen characters who take data or bargain frameworks. In a large number of these cases, the loss of information could have been relieved or anticipated with powerful penetration testing. However, very few associations know about the advantages of penetration testing and are making themselves open to ruptures. An insider can also misuse a system within a corporate network. Users are termed “Insiders” and have different privileges and authorization power to access and grant the network resources. Figure 1-19: Insider Threat Hacktivists Hacktivists draw attention to the target to deliver a message or promoting an agenda. The expression hacktivism, which joins hack and activism, refers to the utilization of PCs and some other IT framework or system to discuss and continue a political issue, advance free speech, and support human rights. Hacktivism is fundamentally deciphered by society as the transposition of a challenge and the common noncompliance into the internet. Hacktivism is the utilization of innovation to express dispute. From a security point of view, there are two schools of thought: One considers hacktivists cybercriminals to be arraigned; the other, despite being aware of the hazard 81 Chapter 01: Threats, Attacks, and Vulnerabilities they speak up for, is a voice to listen to. It has definite effects on society with web clients' propensities, business security, and government strategies. Script Kiddies A Script Kiddie, or "skiddie," is somebody who needs to have software understanding and uses existing programs to dispatch an attacker. They are most likely to only use prebuilt attack tools and techniques. More advanced attackers will customize existing tools or even build new tools and techniques to compromise a target. Frequently, a script kiddie will utilize these projects without knowing how they work or what they do. For instance, imagine a youngster getting their first PC. The kid watches a motion picture about hacking and, after that, downloads a duplicate of Kali Linux. They start playing with different projects while hunting down online instructional exercises. They might think of it as just a web troll because of their absence of experience. Note: Script kids lack the necessary skills to carry out specific attacks without their tools on the Internet and through friends. Because these people do not necessarily understand how the attacks are carried out, they are likely unaware of the extent of damage they can cause. Criminal Syndicates A Criminal investigation deals with an allegation of criminal misconduct and violation of federal, state, or local criminal codes. A criminal investigation occurs when a crime has been committed, and you work with a law enforcement agency to convict the alleged committer. It is common to gather evidence for a court of law and share the defense evidence in such a case. As strong evidence is a key feature of this type of investigation, using this method to gather information is useful for presenting in a court of law. Hacker A hacker can steal information or data such as financial information, business data, personal data, credit card information, username, and password from a system to which they do not have authorized access. An attacker gains access by gaining unauthorized control of the system through various techniques and tools. They have exceptional skills and abilities in developing software and the exploration of both software and hardware. Hacking can be done for various reasons, the most common of which are for fun, money, thrills, or a personal vendetta. 82 Chapter 01: Threats, Attacks, and Vulnerabilities Figure 1-20: Different Types of Hackers Google Play Hack Ibrahim Balic, a Turkish hacker, hacked Google Play twice. He accepted responsibility for the Google Play attack and claimed to be the mastermind behind the Apple Developer site attack. He discovered a flaw in the Android operating system while testing vulnerabilities in Google's Developer Console. He tested the flaw twice to ensure that it truly existed and then used the results of his vulnerability testing to create an Android application that exploited the flaw. Users were unable to download applications, and developers could not upload their applications when the developer's console crashed. Competitors The competitors in the organization are significant threat actors. They may attack with multiple goals in mind, such as corrupting or stealing data or bringing someone's system down. Competitive intelligence gathering is a method of gathering information, analyzing it, and compiling statistics on competitors. The process of gathering competitive intelligence is non-interfering because it gathers information through resources such as the internet, the target organization's website, advertisements, press releases, Annual Reports, Product Catalogues, analyst reports, and agents and distributors. Threat Actor Attributes Internal/External 83 Chapter 01: Threats, Attacks, and Vulnerabilities Internal threat actors have a significant advantage over external threat actors. They have a limited approach to the system compared to the user, but this gives them the strength to continue their attack. On the other hand, external threat actors must go through an additional step to first gain access to the targeted system. Level of Sophistication The higher a threat actor's skill level, the better he or she will lead and plan attacks. Strong skills result in using the simplest methods, which is directly related to the level of sophistication. Resources/Funding A criminal organization has a large team and budget to continue operations for an extended period. Advanced Persistence Threats necessitate significant resources to engage in these types of actions, so long-term resources that large organizations or states can manage are desired. Intent/Motivation The motivation or intention behind any attack can be simple or complex. For example, the threat actor may simply wish to carry out a technique or steal something valuable. Vectors Vectors can be categorized as follows:        Direct access Wireless Email Supply chain Social media Removable media Cloud Wireless Wireless networks are a very common and popular technology. Because of the ease and mobility of the wireless network, it has been replacing the installation of wired networks. Using wireless networks increases not only mobility but also flexibility for end-users. One more advantage of wireless technology is that it helps connect remote areas where wired technology is difficult to implement. In the early days of wireless technology, the network was not secure enough to protect information. However, many encryption techniques are used nowadays to secure wireless communication channels. 84 Chapter 01: Threats, Attacks, and Vulnerabilities Email A major risk factor is the email system. Therefore, the DLP appliance is used by many organizations that monitor, track and filter all the inbound and outbound emails. Supply Chain In September 2015, the researchers found that many Cisco routers are infected by a malicious firmware called “SYNful Knock.” This malicious firmware allows the threat actor to gain backdoor access to the infrastructure devices, creating trust issues. End users realized that they require vendors in the supply chain who they can rely on to know where this hardware is coming from. They must also ensure that these critical devices are not connected to the Internet before security is implemented. It is always useful to verify in some way that the hardware and the firmware inside of that hardware are secure. Social Media Social media is indeed a blessing, but it easily applies some questions to the system regarding security. Valuable information must be kept secure from the public sphere as much as possible. Every company should have some secure boundaries for the marketing strategies they follow. Removable Media In a high-security organization, users should minimize or eliminate the use of removable media, including any removable storage devices that rely on USB or other connection methods. It can minimize malicious files coming into the network from the outside and data leaving the company on tiny storage mechanisms. Cloud Cloud-based DLP (Data Loss Prevention) is used by many organizations between users and the internet. Every bit that goes through the DLP tool means it watches every bit of network traffic. Everything takes place in the cloud, and no hardware or software is required for this purpose. Real-World Scenario Background Scams involving executive impersonation are on the rise, costing firms billions of dollars each year. These crimes can target and victimize organizations of all sizes. Challenge A company’s email is compromised or spoofed by using social engineering to assume the identity of the CEO, company attorney, executive, or a trusted vendor or customer. 85 Chapter 01: Threats, Attacks, and Vulnerabilities Criminals greatly understand the victim’s normal business practices as a part of their homework. The executive impersonation scams are categorized as variations of the FBI's Business Email Compromise (BEC) scam. BEC is defined to be a sophisticated scam targeting businesses that work with foreign suppliers and/or businesses that regularly perform wire transfer payments. The legitimate business email accounts are compromised to carry out the scam. The unauthorized funds are transferred through social engineering or computer intrusion techniques. This being said, what are the challenges we face, and how to resolve the issue? To resolve this issue, we may consider two scenarios: Scenario #01 Data Theft: One or more of the victim company’s executives’ email addresses are compromised in a data theft scenario. An associate employee responsible for handling payroll or another company employee’s Personal Identifiable Information (PII) is connected using the executive’s email address. Employees in Human Resources, Finance, Payroll, or Audit are the targeted individuals. The executive’s request often expresses an urgent need for payroll or other PII data. The crime has recently ramped up due to tax season and the associated urgency to get tax returns completed. Scenario #02 Executive EFT and Wire Transfer Request What appears to be the executive as the initiator of the request is involved in this scenario. A hacked or spoofed email address is involved in requesting if the executive's email account is compromised. In many of the cases that took place, the criminals hacked into the email system, and the normal business process for EFT transfer is determined. The criminals then send the fraudulent executive email to the company’s employees. The respective employee is responsible for handling the EFT process and requests that the EFT be made to a customer, vendor, or financial institution. The executive is targeted with an email in a variation of the executive wire transfer scam that appears to be from a trusted party; vendor, customer, or foreign supplier. The prior successful EFTs that have been completed in the past are matched with the email. Also, 86 Chapter 01: Threats, Attacks, and Vulnerabilities the faxes or phone calls corresponding to past legitimate requests are involved in many cases. Figure 1-21: Typical Scenarios in Executive Impersonation Scams Solution How to Protect a Company? The security awareness training, called the Executive Impersonation Fraud, is a crime that can help to reduce risk. A fundamental part of security awareness training is awareness of new crimes and scams in the news. The likelihood that your company will be victimized is greatly reduced by ensuring that the employees know about this scam. Following are some key points that are used to head off these types of scams: * Strong internal prevention processes and procedures should be required for every company while dealing with all EFT requests. These crimes could be prevented from occurring by a simple, direct confirmation phone call * All EFT requests should be held with strict external verification procedures for some time * Any request for sensitive data or EFT transfers involving secrecy or quick action should be viewed as suspect. * On the suspect’s email messages, use the “Forward” option instead of “Reply” or “Reply All.” The likelihood of using the legitimate email address from the address book is increased by forwarding the message to the sender. A spoofed address from the original email is not used in this case * Information posted on the company’s websites and social media’s sites should be restricted and reviewed, and the details of individuals’ job duties and the organizational structure of the company should be provided 87 Chapter 01: Threats, Attacks, and Vulnerabilities *Always be aware of the account changes for suppliers while establishing the relationship. A backup authentication method should be arranged that is separate from email to avoid interception by the hacker * An alternative backup method is utilized to authenticate and verify a request before sending funds or data *Ongoing security awareness training should be provided for employees to keep them updated on the latest security scams Mail services are configured with SPF and DMARC.3 to block spoofed emails from being allowed into an organization Conclusion: The growth of innovative technology and its evolving threats needs to be monitored as impersonation scams are increasing. The banking Trojan targets need to be analyzed. The possibility for an organization to be a victim can be reduced by understanding how these crimes are committed and the various variations and vectors of attacks. Threat Intelligence sources Open-source intelligence can also be referred to as open-source threat intelligence. The term "OPSIT" refers to intelligence data gathered from open or public sources and is primarily used in law enforcement, national security, and business intelligence. One of the most important decisions is where to apply one's resources in the complex environment of cybersecurity defenses. Threat intelligence collects information from multiple sources that allows a system to focus on its defenses against potential threat actors. Open Source Intelligence (OSINT) Open Source Intelligence (OSINT) uses open-source tools to gather statistics from widely accessible sources and then analyze them to decide or take some action. OSINT may be damaging when hackers use it to get knowledge about an organization. Data from sources that are publicly available are included in OSINT. Information outside a technology-centric organization is also included in it. Closed/Proprietary ‘Proprietary’ is something that is owned and controlled by an individual or organization. Therefore, proprietary data is something that is confined to a business for competitive use. Proprietary labeled data can be shared with a group of users other than a competitor. The label of proprietary alerts the group not to further share that proprietary data. For protecting proprietary data, the laws of secrecy, copyright, patent are used. 88 Chapter 01: Threats, Attacks, and Vulnerabilities Vulnerability databases The U.S. National Vulnerability Database (NVD) was launched by the National Institute of Standards and Technology (NIST). The CVE entities are input to the NVD, which automates vulnerability management, security, and compliance management using CVE entries to provide enhanced information for each entity, for example, fixing information, severity scores, and impact ratings. Apart from its enhanced information, the NVD also provides advanced search features such as using an Operating System, vendor’s name, product name, version number, and vulnerability type, severity, related exploit range, and impact. Dark web Cyber attackers sell credit and debit card details on the Dark Web – their motive is clear profit. Financial motivations are among the greatest reasons for targeting individuals and organizations. It is no surprise that, according to Juniper Networks, cybercrime is estimated to become $2.1 trillion by 2019. Indicators of compromise IOCs known as Indicators of compromise are “pieces of forensic data, such as data or information found in system log entries or files, that identify potentially malicious activity on a system or network.” Compromise indicators assist information security, and IT professionals detect data breaches, malware infections, and other threat actors. Organizations can detect attacks and act rapidly to prevent breaches or limit the damage by stopping attacks in the early stages by monitoring for indicators of compromise. Automated Indicator Sharing (AIS) The Automated Indicator Sharing (AIS) capability of the Cybersecurity and Infrastructure Security Agency (CISA) enables the real-time exchange of machinereadable cyber threat indicators and defensive measures to help protect AIS community members and, ultimately, reduce the prevalence of cyberattacks. Trusted Automated eXchange of Indicator Information (STIX)/Structured Threat Information eXpression (STIX) (TAXII) TAXII (Trusted Automated eXchange of Indicator Information) is the core transport mechanism for cyber threat information represented in STIX. Through TAXII services, organizations can share cyber threat information in a secure and automated manner. The STIX and TAXII communities work closely to ensure that they continue to provide a full stack for sharing threat intelligence. 89 Chapter 01: Threats, Attacks, and Vulnerabilities Predictive Analysis Predictive analytics software applications employ variables that can be measured and analyzed to forecast the likely behavior of people, machines, and other entities. Predictive analytics has a wide range of applications. For example, when pricing and issuing auto insurance policies, an insurance company is likely to consider potential driving safety variables such as age, gender, location, type of vehicle, and driving record. Threat Maps Threat Mapping is another term for Vulnerability Mapping. It entails identifying weaknesses in an environment, design flaws, and other security concerns that can misuse an operating system, application, or website. Misconfigurations, default configurations, buffer overflows, operating system flaws, open services, and so on are examples of vulnerabilities. To scan a network for vulnerabilities, network administrators and pen testers can use a variety of tools. Vulnerabilities are classified into three categories based on their threat level: low, medium, and high. Furthermore, they can be classified as either local or remote exploit ranges. File/Code Repositories Code repositories serve primarily as a central storage location for developers' source code. Code repositories such as GitHub, Bitbucket, and SourceForge also provide version control, bug tracking, web hosting, release management, and communications functions that support software development. Code repositories are wonderful collaborative tools that facilitate software development, but they also have security risks of their own. To overcome this, developers must carefully design access controls only to allow read and/or write access to authorized users. Research Sources The Research phase includes collecting information about a target organization. It may be collected through dumpster diving, scanning an organization’s website, finding information on the internet, gathering information from employees, etc. Vendor Websites Third-party users, such as vendors, consultants, and contractors, require access to information and related systems in order to perform their job functions. Information security begins with screening, confidentiality, and non-disclosure agreements. Academic Journals The term "vulnerability" is commonly used in the social sciences and policy-making, health and social care services, and social work to refer to a wide range of groups or individuals, but it has rarely been ideally defined or analyzed. The aim is to analyze and clarify the concept for social work research critically. It is also important to recognize the temporal, situational, relational, and structural nature of vulnerability. 90 Chapter 01: Threats, Attacks, and Vulnerabilities Vulnerability Feed Vulnerability management solutions, like any technology product, require care and feeding. Regular maintenance of the vulnerability scanner should be conducted to ensure the vulnerability feeds and the scanning software remain up to date. Request for Comments (RFC) A Request for Comments (RFC) is a formal document drafted by the Internet Engineering Task Force (IETF) that describes the specifications for a particular technology. Once an RFC is ratified, it becomes a formal standards document. Conferences To maximize the effectiveness of disaster recovery procedures, a training and awareness campaign is beneficial. Occasionally, technical teams will gain disaster recovery knowledge while attending training classes or conferences on the technology. But it is also essential to train in disaster recovery procedures and policies for the organization. Adversary Tactics, Techniques, and Procedures (TTP) Tactics, Techniques, and Procedures (TTP) describe a method of analyzing an APT's operation or can be used to profile a specific threat actor. Tactics refer to how an adversary chooses to carry out his attack from start to finish. Finally, the organizational approach of the attack is defined by the threat actor's procedures. To understand and fight the enemy, one must first understand the attacker's Tactics, Techniques, and Procedures (TTP). Knowing an adversary's tactics can help predict upcoming attacks and detect those in the early stages. Understanding the Techniques used during the campaign allows the organization to identify its blind spots and implement countermeasures ahead of time. Finally, analyzing the adversary's procedures can help to understand what the adversary is looking for within the target's infrastructure. TTP described within this research is meant to show the complexity of the life-cycle rather than provide an exhaustive list. Furthermore, it is demonstrated that attackers can use readily available tools to carry out certain stages of the attack, allowing them to focus on the tactical aspect rather than developing tools. 91 Chapter 01: Threats, Attacks, and Vulnerabilities Mind Map Figure 1-22: Mind Map of Threat actors Vulnerability Assessment Vulnerability is a weak point or loophole in any system or network that attackers can exploit to gain access to the system. Any vulnerability can be used as an entry point to their target. Vulnerability assessment is the process of examining, identifying, and analyzing a system's or application's ability to withstand any threat, including security processes running on the system. Vulnerability assessment allows you to identify system flaws, prioritize vulnerabilities, and estimate the need for and effectiveness of any additional security layer. Types of Vulnerability Assessment Following are the types of vulnerability assessment: 92 Chapter 01: Threats, Attacks, and Vulnerabilities 1. 2. 3. 4. 5. 6. 7. 8. Active Assessment Passive Assessment Host-based Assessment Internal Assessment External Assessment Network Assessment Wireless Network Assessment Application Assessment Network Vulnerability Assessment Methodology A network vulnerability assessment examines the potential for an attack and vulnerabilities in a network. The phases of a Network Vulnerability Assessment are as follows: Figure 1-23: Network Vulnerability Assessment Methodology Acquisition The Acquisition phase compares and reviews previously identified laws, vulnerabilities, and procedures related to network vulnerability assessment. Identification Interaction with customers, employees, administration, or other people involved in network architecture design during the Identification phase to gather technical information. 93 Chapter 01: Threats, Attacks, and Vulnerabilities Analysis The information gathered is reviewed in the Analysis phase. It entails the following steps: • Reviewing information • Analyzing the results of earlier recognized vulnerabilities • Risk assessment • Vulnerability and risk analysis • Evaluating the effectiveness of existing security policies Evaluation The Evaluation phase includes: • Inspection of identified vulnerabilities • Identification of flaws, gaps in an existing network, and required security considerations in a network design • Determination of security controls required to resolve issues and vulnerabilities • Identification of the required modification and upgrades Generating Reports Reports are written during the Reporting phase to document the security event and to present to higher authorities such as a security manager, board of directors, or others. This documentation will also come in handy for future inspections. These previously gathered reports are also required for auditing and penetration testing. When changes to the security mechanism are required, these reports aid in designing the security infrastructure. These reports are typically stored in central databases. Reports include the following information: • • • • • Tasks completed by each member of the team Methods and tools used Findings Recommendations Gathered information Zero-day Attacks There are flaws in many operating systems and applications. People are working hard to find those flaws before the hacker does. In a zero-day attack, the attacker discovers previously unknown vulnerabilities and exploits them before security patches are available. It means that a zero-day attack takes advantage of vulnerabilities that are unknown to everyone except the attacker. Weak Configurations 94 Chapter 01: Threats, Attacks, and Vulnerabilities Weak configuration is a vulnerability that prevents the system from meeting all of its security objectives. The type of vulnerability allows attackers to gain access and raises their privilege level. Unsecure protocols Examples of insecure protocols are Telnet and the early versions of SNMP (v1 and v2c). Insecure protocols allow attackers and hackers to easily have access to your data and even to remote controls. Open permissions Another most common mistake over the internet is the permission issue; it happens when a file is shared over the internet, and it is not protected with the righteous permissions, and anyone can access that file and use it in a way that is not protected supported. Therefore, permission and permission logs should be audited actively for such behavior in order to keep the network secure. Error Error and Exception encounter in an application is common, and it needs to be handled in a secure manner. One of the attack methodologies forces an error to move applications from normal to exceptional handling. If the exception handling is improper, it can lead to a wide range of disclosure. For example, SQL errors disclose data elements and data structure. Sensitive information like server, filename, and path can be disclosed by RPC (Remote Procedure Call) error, and programmatic error can disclose information like stack element or line number on which exception occurred. Weak encryptions Weak encryptions may be used during the data transmission between the server and other systems. It can be either weak encryption or no encryption at all. Default Setting As no security against default settings can make the system vulnerable, default settings must be secured from the start. This type of vulnerability, like weak configuration, allows attackers to enter and advance their privilege level. Open Ports and Services The Metasploit Framework allows you to automate the discovery and exploitation process while also providing you with the tools you need to perform the manual testing phase of a penetration test. Metasploit Pro can be used to scan for open ports and services, exploit vulnerabilities, pivot deeper into a network, collect evidence, and generate test results reports. A honeypot, for example, is a computer set up on the network as a sacrificial lamb. The system is not locked down, and all ports and services are open. This is done to divert a potential attacker to this computer rather than 95 Chapter 01: Threats, Attacks, and Vulnerabilities attacking legitimate production systems on a network. Because the honeypot contains no real company information, it will not be compromised if and when it is attacked. Improper or Weak Patch Management Patch management is the process of software and application patch up-gradation, including installing patches, acquiring, and testing. All Operating Systems require an update and have different methods for the users to keep their systems up to date. “The process of discovering, purchasing, installing, and verifying fixes for systems and products is known as patch management. Patches are used to resolve bugs in software and firmware that affect security and functionality.” Firmware Software instructions are stored in Read-Only Memory (ROM) or a Programmable Read-Only Memory (PROM) chip. Operating System (OS) An Operating System is an interface (system software) to make hardware functional. It is an intermediary between applications and computer hardware. Windows, macOS, ChromeOS, BlackBerry, Linux are the common and popular operating systems. Figure 1-24: Working of an Operating System Types of Operating System Some types of Operating systems are discussed below:  Network Operating System: 96 Chapter 01: Threats, Attacks, and Vulnerabilities The network components use the network Operating System to provide computation and configuration portions for networking. Every networking equipment vendor has its own operating system like Cisco has IOS, Juniper has Junos, etc.  Server Operating System: The “Server Operating System bridges the gap between a running application on the server and server hardware.” Windows Operating system and Linux Operating System are two examples of Server operating systems. Windows Operating System has a commanding lead in the market due to its Active Directory Technology and built-in Hyper-V capability.  Workstation Operating System: The Workstation Operating System provides functional working space and the graphical interface for a user to interact with the system and its different applications. Windows are commonly seen in the role of Workstation Operating System due to the reason of a high level of user interaction with the workstations.  Appliance Operating System: Special-purpose appliances typically have their own operating systems. These are the special-purpose operating systems for usual vendor-specific appliances designed to perform specific functions only considering economics portability and functionality.  Kiosk: Kiosks are machines that are usually set up with auto-login in a browser. The OS in Kiosk is locked down to minimal functionality to prevent users from making any configuration changes.  Mobile Operating System: A type of Operating system that is optimized for mobile hardware. The Mobile Operating System is categorized into two main types; Google’s Android OS and Apple’s iOS. These Operating Systems are optimized to both Device capability and Desired functionality. Application Application management is a challenge. Not all applications are secure, and some are malicious, which is a rapidly growing security concern is. How do Web Applications Work? A web application functions in two steps; - front-end - back-end. 97 Chapter 01: Threats, Attacks, and Vulnerabilities Users’ requests are handled by the front-end, where the user interacts with the web pages. Services are communicated to the user from the server through buttons and other controls on the web page. All processing is controlled and processed on the back-end. Server-side languages include:       Ruby on Rails PHP C# Java Python JavaScript Client-side languages include:    CSS JavaScript HTML Web applications work on the following layers:    Presentation Layer: This is responsible for displaying and presenting information to the user on the client end. Logic Layer: This is used to transform, query, edit, and otherwise manipulate information to and from forms. Data Layer: This is responsible for holding data and information for the application as a whole. Legacy Platforms Virtual machines do a good job of serving legacy applications. A legacy application may simply be incompatible with newer hardware and/or operating systems. Even if it does, it may underutilize the server, so consolidating several applications makes sense. Without virtualization, this may be difficult because such applications are not typically written to coexist within a single execution environment. Impacts When an incident or risk occurs, it creates an impact on an organization. The impact can be a financial gain or instability, reputational rise and fall, Data loss, data breaches, Data exfiltration, Identity theft, Availability loss, and much more. Data Loss One of the most common potential threats that makes cloud security vulnerable is data loss. Data loss can occur through either intentional or unintentional means. Massive data loss, whether on a large or small scale, is disastrous and costly. Breach of Data 98 Chapter 01: Threats, Attacks, and Vulnerabilities Data Breaches are the most common threats to every platform. Improper encryption or loss of encryption keys may result in data modification, erasing, theft, or misuse. Data Exfiltration It is the process when data from a network is taken in an unauthorized way and used against the law. It is a security threat when someone can easily copy or retrieve data from inside of a network and take it outside as their own. Identity Theft Personal impersonation is identity theft when an attacker has enough personal information about an authorized person. An attacker impersonates a legitimate user by providing the legitimate user’s personal information (either collected or stolen). Impersonating a technical support agent and asking for credentials is another way to impersonate and gather information. Financial The final arbiter of all work is ‘Finance' that helps us to manage a score. The gain can be measured by profit and loss through unmitigated threats. When impacts overreach the predicted costs linked with the planned residual risks, it turns into an issue and impacts profit. Reputation One of the essential values in marketing is Reputation. Junky history or shoddy record ruins the company’s reputation and costs the company in client base and revenue. For example, nobody wants to give up personal information or contract with a bank with a junky history Availability Loss Availability loss includes flooding and denial-of-service attacks that prevent legitimate users from connecting or accessing the wireless network. Availability loss can be carried out by authentication flooding, ARP poisoning, de-authentication attacks, disassociation attack, etc. 99 Chapter 01: Threats, Attacks, and Vulnerabilities Mind Map Figure 1-25: Mind Map of Types of Vulnerabilities Threat Hunting Threat hunting is closely interconnected to penetration testing but serves a different and distinct purpose. Threat hunters, like penetration testers, try to put themselves in the attacker's shoes and imagine how hackers might try to circumvent an organization's security controls. What these two disciplines do with this information differs. While penetration testers try to evaluate an organization's security controls by testing them in the same way that an attacker would, threat hunters use the attacker mindset to search the organization's technology infrastructure for artifacts of a successful attack. They consider what a hacker might do and what type of evidence they might leave behind before going in search of that evidence. Threat hunting is based on the “presumption of compromise,” a cybersecurity philosophy. This approach assumes that attackers have already successfully breached an organization and searched for evidence of successful attacks. When threat hunters identify a potential compromise, they enter incident-handling mode, attempting to contain, eliminate, and recover from the compromise. In order to correct deficiencies, they also conduct a post-mortem analysis of the factors that contributed to the 100 Chapter 01: Threats, Attacks, and Vulnerabilities compromise. Another similarity between penetration testing and threat hunting is postevent remediation: organizations use the output of both processes in similar ways. Intelligence Fusion Threat actors are very clever and intelligent; they stalk their targets and use various methods of identity theft such as email phishing and eavesdropping. Once they have obtained the identity, they attempt to gain access to the system or network in order to do whatever they want. Threat Feeds Thread management solutions, like any technology product, require care and feeding. Regular maintenance of the vulnerability scanner should be conducted in order to ensure the vulnerability feeds and the scanning software remain up to date. Vulnerability Scanning Various tools have made finding vulnerabilities in an existing environment very easy in this age of modern technology and advancement. Different tools, automated as well as manual, are available to help find vulnerabilities. Vulnerability Scanners are automated utilities specially developed to detect vulnerabilities, weaknesses, problems, and loopholes in operating systems, networks, software, and applications. These scanning tools thoroughly inspect scripts, open ports, banners, running services, configuration errors, and other areas. These vulnerability scanning tools include:       Nessus OpenVAS Nexpose Retina GFI LanGuard Qualys FreeScan, etc. These tools are used by security experts to inspect running software and applications to find risks and vulnerabilities and by attackers to find out loopholes in an organization's operating environment. Lab 1-01: Installing and Using Vulnerability Assessment Tool Main Objective: In this lab, you will learn how to set up and operate a vulnerability assessment tool. Vulnerability scanning can be done with a variety of tools. The one I am going to install and use is “Nessus.” 101 Chapter 01: Threats, Attacks, and Vulnerabilities Go to the browser and type ‘Nessus Home.’ Click on the Nessus home link that has been marked below. This is going to take you to the Nessus registration page. You need to register in order to get the activation code, which you are going to need to activate Nessus. 102 Chapter 01: Threats, Attacks, and Vulnerabilities For registration, you need to put in your first name, last name, email address. Check the checkbox and click on register. Now to download Nessus, click on the download link. 103 Chapter 01: Threats, Attacks, and Vulnerabilities Select the Operating system on which you are going to install Nessus. Here, we will be installing it on Windows 8 machine (64 bit). Therefore, we will download the first link, which is for the 64-bit version of Windows. Now read the agreement and click on “I Agree.” Save the file to a computer. 104 Chapter 01: Threats, Attacks, and Vulnerabilities Download and install the software. 105 Chapter 01: Threats, Attacks, and Vulnerabilities Click "Next" after selecting "I agree." Now, if you want to change the file destination, you can change it by clicking on the ‘change’ button or else just click “Next.” 106 Chapter 01: Threats, Attacks, and Vulnerabilities Now, click on the “Install” button. 107 Chapter 01: Threats, Attacks, and Vulnerabilities Once you click ‘install,’ the installation process will start. 108 Chapter 01: Threats, Attacks, and Vulnerabilities The installation is complete. Click ‘Finish.’ 109 Chapter 01: Threats, Attacks, and Vulnerabilities It is installed now, and you are going to see this window. Just click on ‘Connect via SSL.’ 110 Chapter 01: Threats, Attacks, and Vulnerabilities Click on the ‘Advanced’ option. 111 Chapter 01: Threats, Attacks, and Vulnerabilities Now, click on ‘Proceed to localhost.’ 112 Chapter 01: Threats, Attacks, and Vulnerabilities You now have to create an account for the Nessus server. Here, you are going to choose a login name and password and make sure you remember it because this is what you are going to use to log in to Nessus from now on. After inserting the username and password, click on the ‘Continue’ button. 113 Chapter 01: Threats, Attacks, and Vulnerabilities Now choose the scanner type that you want. Here, we have selected the first one, which is ‘Home, professional or manager.’ 114 Chapter 01: Threats, Attacks, and Vulnerabilities Now, go to the email, copy the activation code that was forwarded to you and paste it here. Click ‘Continue.’ After that, you are going to see this ‘Initializing’ window. It is basically fetching all the plugins for Nessus, and this can take about 15 to 20 minutes. Once all the plugins are installed, this Window will appear, and this is what Nessus looks like. The first thing you have to do now is to create a policy. So, click on ‘Policies.’ 115 Chapter 01: Threats, Attacks, and Vulnerabilities Then, click on ‘Create new policy.’ You have a variety of scanner options here. We are going to perform a 'Basic Network Scan.' To do so, select Basic network scan from the drop-down menu. This window will now be visible to you. You must name the policy here. You can call it whatever you like; for example, we can call it 'Basic Scan.' 116 Chapter 01: Threats, Attacks, and Vulnerabilities In the basic setting, you have another setting option that is the ‘Permission’ setting. Here, you have two options, one is ‘No Access,’ and the other is ‘Can Use.’ Leave it as default and click on the ‘Discovery’ option. Here, you have to choose the Scan Type. Either you want to scan common ports, all ports, or you want to customize it. After selecting your desired option, click on ‘Assessment.’ 117 Chapter 01: Threats, Attacks, and Vulnerabilities Here, you are going to see three scanning options; choose whatever you want and then click on ‘Report.’ 118 Chapter 01: Threats, Attacks, and Vulnerabilities In this window, you have multiple options, and you can see that some of them are marked as ‘checked’ by default. For now, you can leave it as default, but if you want to change some settings, you can change it according to your need. In the ‘advanced’ setting option, you have three options to choose from. Select any of them and click on the ‘Credentials’ button. Here, we are going to choose ‘Windows' if using Windows or ‘SSH’ if using Mac or Linux. 119 Chapter 01: Threats, Attacks, and Vulnerabilities Go ahead and insert your credentials and authentication method. If you have a domain, you can insert that; in this case, we do not, so we are going to leave it blank. Check the below boxes and click on the ‘Save’ button at the bottom. And that is it. The policy has been created. Now in order to scan, you have to click on the ‘Scan’ button up on top. Click on the ‘Create a new scan’ option. Go to the ‘User Defined’ option. Click on ‘Basic Scan.’ 120 Chapter 01: Threats, Attacks, and Vulnerabilities To name this Scan, we are going to label it as ‘Basic Scan,’ the same as the policy name. You can also add a description if you want. Select the folder where you want to save a scan and, at last, insert the IP address of the target. You can insert the target in different ways. Example: 192.168.1.1, 192.168.1.1/24, & test.com 121 Chapter 01: Threats, Attacks, and Vulnerabilities You can also schedule your scan. For this, click on ‘Enabled,’ select the frequency, start time, and time zone. 122 Chapter 01: Threats, Attacks, and Vulnerabilities If you want to get a notification, you can add your email address. After doing all the settings, click on the ‘Save’ button. Here, you can see that the scanning process has started. Once the process is completed, you can see the result by clicking on the section that is marked below. Here is the scan result. The result is shown in multiple colors. The red represents Critical Vulnerability. The Orange one is for High, Yellow is for Medium, Green is for Low, and Blue is for Info. 123 Chapter 01: Threats, Attacks, and Vulnerabilities Now, click on ‘Vulnerability’ next to the ‘Host’ option. And here, you are going to see the vulnerabilities that have been found. Click any of that. You can see the description of a particular vulnerability as well as a solution for it. 124 Chapter 01: Threats, Attacks, and Vulnerabilities Here are some other vulnerabilities that were found. 125 Chapter 01: Threats, Attacks, and Vulnerabilities False Positives In vulnerability scanning, False Positives occur when the scanner can access only a subset of the required information, preventing it from accurately determining whether a vulnerability exists. False positives use more than one type of scan and cross-reference. The most common false positives occur on static web pages. A false positive is when the system incorrectly receives a biometric sample as being a match. Biometric sensors can sometimes make mistakes for several reasons. The identification process looks for a match by comparing a biometric, such as a fingerprint or iris scan, that is presented to the system to all entries in a database. This is known as a one-to-many search. Live biometrics change as a result of climate, age, or a possible finger injury. These threshold settings are known as False Acceptance Rates (FARs) and False Rejection Rates (FRRs) by vendors (FRRs). False Negatives False negatives tend to be produced by security systems that rely exclusively on a negative security model. Under this approach, the system allows all traffic access unless the traffic matches a threat signature or is otherwise identified as hostile. This means that attackers can be successful if they can conduct their attacks to not match common threat patterns or signatures. Log Review Logging is an important approach to keeping everything tracked. Typically, logs are maintained on special devices known as Log Servers. Necessary logging should be enabled on every device to ensure every critical activity such as logging in, changes, modifications, and deletions are recorded. Security analysts examine these logs of all 126 Chapter 01: Threats, Attacks, and Vulnerabilities infrastructure devices and critical server systems for signs of attempted access, both successful and unsuccessful. The last thing before leaving the system after a compromise is clear log entries to wipe the evidence. Credentialed vs. Non-Credentialed Two kinds of vulnerability assessments are offered in most vulnerability management solutions. These assessments are credentialed and non-credentialed, also known as authenticated and unauthenticated scans. Non-credentialed scanning tools provide a quick view of vulnerabilities by looking at network services only. The host exposes these services. A deeper understanding of the application is not provided in these scans, and the network is not exposed by operating system vulnerabilities or the vulnerabilities potentially covered up by a firewall that sits between the host and the scanner. The false hope of the system to be safe is provided, although attackers frequently target vulnerabilities in reality. The attackers have gained credentialed access, and the security risk is not accurately indicated. In credential scanning, an administrator provides the scanner with credentials. The target server is then allowed to be connected for scanning. The existence of vulnerability is then determined with this information, and the accuracy over non-credentialed alternatives is improved. For example, a potential issue can be corrected by an operating system service pack, which was detected by a vulnerability scan. Before reporting a vulnerability, the service pack installed on the system is checked by the credentialed scan. Intrusive vs. Non-Intrusive A vulnerability scanner can perform an intrusive or non-intrusive test. An intrusive test attempts to exploit a vulnerability that can cause the remote target to crash or change. A non-intrusive test attempts to avoid causing any harm to the target. The test typically consists of verifying the remote service version or determining whether the vulnerable options are enabled. Intrusive tests are usually much more accurate, but they cannot be done in a production environment. A non-intrusive test cannot determine whether or not a service installed is vulnerable; it can only determine whether or not it is vulnerable. Web Applications Observe the functionality and other parameters of Web Applications in order to identify vulnerabilities, entry points, and server technologies that can be exploited. These parameters are diagnosed using HTTP requests and HTTP fingerprinting techniques. A web application works on the following layers:  Presentation Layer: The Presentation Layer is responsible for displaying and presenting information to the user on the client end 127 Chapter 01: Threats, Attacks, and Vulnerabilities  Logic Layer: The Logic Layer is used to transform, query, edit, and otherwise manipulate information to and from the forms  Data Layer: The Data Layer is responsible for holding data and information for the application as a whole Web 2.0 Web 2.0 is the World Wide Web website generation that provides dynamic and flexible user interaction. It provides ease of use and interoperability between other products, systems, and devices. Web 2.0 allows users to interact and collaborate with social platforms such as social media and social networking sites. The previous generation, i.e., web 1.0, was limited to the passive viewing of static content. Web 2.0 offers almost all users the same freedom to contribute. The characteristics of Web 2.0 are rich in user experience and participation, dynamic content, metadata, web standards, and scalability. Web App Threats Threats to Web Application include:                 Cookie Poisoning Insecure Storage Information Leakage Directory Traversal Parameter/Form Tampering DOS Attack Buffer Overflow Log Tampering SQL Injection Cross-Site (XSS) Cross-Site Request Forgery Security Misconfiguration Broken Session Management DMZ Attacks Session Hijacking Network Access Attacks Network A network security assessment is, basically, an audit. It is a review of your network’s security measures meant to find vulnerabilities in your system. 128 Chapter 01: Threats, Attacks, and Vulnerabilities Common Vulnerabilities and Exposures (CVE) A standard nomenclature for describing security-related software flaws is provided in this standard. It is another platform where you can find information about vulnerabilities. CVE maintains a list of known vulnerabilities, including an identification number and description of cybersecurity vulnerabilities. The U.S. National Vulnerability Database (NVD) was launched by the National Institute of Standards and Technology (NIST). The CVE entities are input to the NVD, which automates vulnerability management, security, and compliance management using CVE entries to provide enhanced information for each entity, for example, fixing information, severity scores, and impact ratings. Apart from its enhanced information, the NVD also provides advanced search features such as using an Operating System, vendor’s name, product name, version number, and vulnerability type, severity, related exploit range, and impact. Figure 1-26: Common Vulnerability and Exposures (CVE) To learn more about CVE, go to the website http://cve.mitre.org. Common Vulnerability Scoring System (CVSS) A standardized approach for measuring and describing the severity of flaws related to software security is provided in this standard. The Common Vulnerability Scoring System (CVSS) assists in identifying the key characteristics of a vulnerability and assigns a numerical score to reflect its severity. The numerical score is then converted into a qualitative 129 Chapter 01: Threats, Attacks, and Vulnerabilities representation (low, medium, high, and critical) to properly assess and prioritize their vulnerability management processes. Security Base Score Rating None 0.0 Low 0. 1 - 3.9 Medium 4.0 - 6.9 High 7.0 - 8.9 Critical 9.0 - 10.0 Table 1-02: CVSSv3 Scoring To learn more about CVSS-SIG, go to the website https://www.first.org. Review of the Configuration The review's goal is to ensure that the system is in good working order and that its security configuration and rule sets are effective. The evaluation will be carried out with a number of factors in mind, including corporate policies, industry best practices, and regulatory obligations. SIEM (Security Information and Event Management) Security Information and Event Management (SIEM) is an industry-standard term used to monitor and manage networks. SIEM combines two related technologies; Security Event Management (SEM) and Security Information Management (SIM). SEM deals with real-time monitoring and notifying the security events such as authentication failures and intrusion events generated by the security systems. At the same time, SIM is responsible for collecting and managing security-related log data from firewalls, antivirus software, network routers, DNS servers, databases, and other origins. Therefore, SIEM is referred to as System Information and Event Management, which strengthens the effect on the whole system, particularly on security. Some popular SIEM options include:  ArcSight Express  McAfee ESM (Enterprise Security Manager)  IBM Security QRadar  Splunk Enterprise Software or Virtual Machines 130 Chapter 01: Threats, Attacks, and Vulnerabilities  LogRhythm's appliance, Software, and Virtual Machines Data Inputs SIEM gathers data from antivirus events, firewall logs, and other locations; it sorts it into categories such as malware activity and failed and successful logins. Some common features offered by SIEM are: Logging Device SIEM is a centralized logging device. Common Database Collects data from all the devices and brings it to a single database. Security Alerts It can also provide security alerts as the user is getting real-time information. Storage The storage of SIEM is long-term. Data Correlation SIEM also includes additional features of data correlation. How SIEM works SIEM provides reports on security-related events and incidents like failed and successful logins, malicious activities, etc. It sends alerts if analysis shows any activity runs against predetermined rule sets and thus indicates a potential security issue. Review Reports SIEM is a useful tool for collecting and evaluating compliance data across an organization's complete infrastructure. SIEM solutions may create real-time compliance reports for PCI-DSS, GDPR, HIPPA, SOX, and other compliance requirements, easing security management and detecting any violations early. Many of the SIEM solutions come with pre-built, out-of-the-box add-ons that can generate automated reports designed to meet compliance requirements. User Behavior Analysis User Behavior Analytics (UBA) is where the sources are variable often logs feature, but the analysis is focused on users, user accounts, user identities, and not on, say, IP addresses or hosts. Some forms of SIEM and DLP post-processing where the primary source data is SIEM or DLP outputs and enhanced user identity data and algorithms characterize these tools. So, these tools may collect logs and context data themselves or from a SIEM and utilize various analytic algorithms to create new insight from that data. Security Monitoring 131 Chapter 01: Threats, Attacks, and Vulnerabilities SIEM enables centralized management of on-premise and cloud-based infrastructure. Solutions can identify all entities of the IT environment. This enables SIEM technology to monitor for security incidents across all connected users, devices, and applications and classify abnormal behavior as it is detected in the network. Using customizable, predefined correlation rules, administrators can immediately notify and take appropriate action to mitigate the threat before it manifests into more serious security issues. Log Aggregation Log management collects data from a variety of sources, including applications, databases, networks, security, and servers, and allows you to consolidate monitored data to avoid missing important events. Log Collectors In SIEMs, Log Collectors are good for application log investigations. A collector contains a log file containing records of events that occurred in an operating system, application, server, or from various other sources. Security analysts benefit greatly from log files because they give a documented trail of all communications to and from each source. When a cyber-attack happens, log files can be used to investigate and assess the source of the assault as well as its impact on the IT infrastructure. Security Orchestration, Automation, and Response (SOAR) 132 Chapter 01: Threats, Attacks, and Vulnerabilities Figure 1-27: Security Orchestration, Automation, and Response (SOAR) SOAR (Security Orchestration, Automation, and Response) is a set of software solutions and tools that help businesses optimize security operations in three important areas:  Threat and vulnerability management  Incident response  Security operations automation SOAR technologies enable organizations to collect inputs that are monitored by the security operations team. Alerts from the SIEM system and other security technologies, for example, where incident analysis and triage can be performed by combining human and machine power, can help define, prioritize, and drive standardized incident response activities. SOAR tools enable businesses to define incident analysis and response procedures in a digital workflow format. Mind Map Figure 1-28: Mind Map of Security Assessments Penetration Testing Penetration testing is the process of hacking a system with the owner's permission to assess security, Hack Value, Target of Evaluation (TOE), attacks, exploits, zero-day 133 Chapter 01: Threats, Attacks, and Vulnerabilities vulnerabilities, and other components, including threats, vulnerabilities, and daisychaining. A pentester is an individual authorized by an owner to hack into a system to perform penetration testing in the context of Ethical Hacking. The Importance of Penetration testing In today's fast-paced technological environment, the most common cybercrimes are denial-of-service, identity theft, service theft, and information theft. System penetration is used to protect a system from malicious threats by identifying vulnerabilities in the system. Other significant benefits of penetration testing include: Identifying and exploiting vulnerabilities in systems and security controls in the same way that an attacker searches for and exploits vulnerabilities to circumvent security.         Recognizing threats and vulnerabilities in an organization's assets Conducting a thorough assessment of policies, procedures, design, and architecture; and Implementing corrective actions before a hacker identifies and breaches security. Determining what an attacker can gain access to in order to steal Determining the value of information Testing and validating security controls, as well as determining the need for any additional protection layer Modifying and upgrading currently deployed security architecture Reducing IT security costs by improving Return on Security Investment (ROSI) VAPT is essential because it protects us from damage, keeps our confidential data private, and keeps our information hidden from prying eyes. To overcome their flaws, every business management or network administrator must be aware of their own. We all know networks are vulnerable, but we do not all know where or how; this is where vulnerability assessment comes in. It is a comprehensive study of computer and network hardware vulnerabilities. It evaluates potential hazards and threats and develops mitigation plans for any exposure. “Prevention is better than cure.” Another reason for VAPT is to prevent cyber-attacks. We are well aware of hacks that result in the loss of: • • • • Sensitive data Account numbers Email addresses Personal information These security incidents occur on a daily basis in the world of computer networking. This is why you should examine your network from the outside, as an attacker would. Discover its strengths and weaknesses, and then fill the gaps. Your infrastructure may 134 Chapter 01: Threats, Attacks, and Vulnerabilities be secure, and your servers may have strong firewall policies in place, but what about the default configuration of peripheral devices like printers, scanners, fax machines, and so on? They adorn your network, and their vulnerability is frequently overlooked. A vulnerability assessment and penetration testing would reveal any issues in a matter of seconds. Any network with users is not as secure as you may believe. Your network's security should be your top priority. In summary, the following are the reasons for performing VAPT: • • • • • To protect the network from attacks To identify its strengths and weaknesses To protect information from theft To comply with data security standards To improve the reliability and value of services Security Audits •Security audits are the evaluation of security controls. It makes sure that controls are being enforced and followed properly throughout the organization, without any concern about the threats and vulnerabilities Vulnerability Assessments Penetration Testing •Vulnerability Assessment process is to identify vulnerabilities and threats, which may exploit and impact an organization financially or reputationally •Penetration is the process of security assessment, which includes security audits and vulnerability assessment. Furthermore, it demonstrates the attack, its solution and required remedial actions Figure 1-29: Mi Comparison Chart Types of Penetration Testing As a penetration tester may be asked to perform any of the three types of Penetration Testing, it is critical to understand their distinctions. The Black Box penetration test is one in which the pentester does blind or double-blind testing. This indicates that the pentester has no prior knowledge of the system or of the target. Gray Box is a type of penetration testing in which the pentester has only a rudimentary understanding of the organization's network. For example, information about the operating system or network may be scarce. 135 Chapter 01: Threats, Attacks, and Vulnerabilities White Box is a type of penetration testing in which the pentester knows everything there is to know about the system and the target. Internal security teams or security audit teams perform this type of penetration testing in order to carry out an audit. Penetration Testing Phases Penetration testing is a three-step procedure that includes the following steps: 1. Pre-Attack Phase 2. Attack Phase 3. Post-Attack Phase Figure 1-30: Penetration Testing Phases Security Testing Methodology There are some methodological approaches to be adopted for security or penetration testing. Industry-leading Penetration Testing Methodologies are:     Open Web Application Security Project (OWASP) Open Source Security Testing Methodology Manual (OSSTMM) Information Systems Security Assessment Framework (ISAF) EC-Council Licensed Penetration Tester (LPT) Methodology Rules of Engagement Rules of Engagement (RoE) is an archive that documents the rules and regulations under which a penetration tester is to engage with a client. An RoE document explains the manner in which the pentest will be conducted. Being a professional pentester, it is 136 Chapter 01: Threats, Attacks, and Vulnerabilities the primary task before starting any test to spell out the RoE clearly. Before you begin the penetration test, follow the basic considerations as defined by PCI Security Standards Council, which are:         The time window to perform and complete the testing process The preferred method of communicating about scope and issues The action to take if any sensitive information is disclosed during the test Ensuring the pentesting equipment and tools do not pose a threat to the environment What steps would you take if you detected a previous or active compromise to the systems being tested? How would you deal with a legacy system with known issues with automated scanning? Who is permitted to engage the pentest team? What should legal concerns be addressed? Lateral Movement Cyber attackers use a technique to move through a network searching for the key data called a Lateral Movement. Many attacks happen when data is moved laterally over the network from system to system. Privilege Escalation This attack-type of network intrusion takes advantage of programming errors or design flaws to grant the attacker elevated access to the network and its associated data and applications. A bug, design flaw, or configuration oversight in a software application or operating system is exploited with privilege escalation to access applications or userprotected resources. An unauthorized user will not always be provided full access to a targeted system. The privilege escalation is essential in these circumstances. The privilege escalation is of two types: vertical and horizontal. Vertical Privilege Escalation In vertical privilege escalation, higher privileges are granted to the attacker. The kernellevel operations typically assist in achieving vertical privilege escalation in which unauthorized codes are allowed to run. Horizontal Privilege Escalation The attackers use the same level of privileges that have been granted. For example, horizontal privilege escalation will be constituted when anyone’s online banking account has gained access by some unauthorized person. Persistence 137 Chapter 01: Threats, Attacks, and Vulnerabilities The system needs to be continually accessed to gather data and conduct further attacks that have been more critical to most penetration attacks. Thus, a critical part of a penetration tester’s efforts is persistence. Cleanup Penetration testers use various tools and techniques as they work their way through a client network. During the engagement, testers should document any changes they make to the systems, and they should revisit that documentation after the test to ensure that they have completely removed all traces of their work. There are three major post-engagement clean-up activities:    Removing shells installed on systems Removing all backdoors, services, daemons, rootkits, and tester-created accounts installed during the rest Removing any tools installed during the penetration test These three activities serve as a jumping-off point. The basic principle that testers should follow when performing post-engagement clean-up is to return the system to its pre-test state. Bug Bounty Bug bounty programs allow testing web platforms by simulating attacks to detect and fix vulnerabilities. It relies on independent hackers paid per vulnerability. Pivoting Pivot is a method that allows an attacker or penetration tester to move or flow across a network. The first step in pivoting is gaining access to a machine, moving tools to that machine, and remotely control them. The penetration tester then examines the system or network using the remote machine's IP address. Active and Passive Reconnaissance Reconnaissance is the first step in an attacker's preparation for an assault. It involves obtaining information about the target before launching an attack using various tools and tactics. An attacker's task is made easier by gathering information about the target. It aids in determining the target range for large-scale attacks. In Passive Reconnaissance, a hacker gathers information about a target without directly interacting with it. Searching social media for the target's information is an example of passive reconnaissance. Active Reconnaissance gains information by interacting with the target directly. Active reconnaissance includes interacting with the target via calls, emails, help desks, or technical departments. 138 Chapter 01: Threats, Attacks, and Vulnerabilities War Driving Kismet is a sniffer, wardriving tool, and wireless intrusion detector. WIDS is the framework used as a wireless network and device detector. It operates using Bluetooth interfaces, Wi-Fi interfaces, some Software Defined Radio, and RTL-SDR (a USB Dongle) hardware. Footprinting The collecting of all conceivable information about the target and the targeted network is known as fingerprinting. Performing WHOIS Footprinting 1. Go to the URL https://www.whois.com/ Figure 1-31: WHOIS Footprinting Engine 2. A search of Target Domain 139 Chapter 01: Threats, Attacks, and Vulnerabilities Figure 1-32: WHOIS Footprinting Exam Tip: Standards Testing Resources Footprinting and reconnaissance techniques and principles are usually included in penetration testing standards. http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf; PenetrationTestingExecutionStandard:http://csrc.nist.gov/publications/nistpubs/800115/SP800-115.pdf; PenetrationTestingExecutionStandard:http://csrc.nist The Penetration Testing Execution Standard includes a list of OSINT targets that might assist you in compiling a list of possible OSINT targets. Exercise Types Security analysts must practice responding to them to respond to security events in the most organized and efficient manner. There are some tried-and-true approaches to this. This section will look at how team analysts, both employees, and third-party contractors, can be organized and some well-known names for these teams. Security posture is assessed by war game exercises in which one group attacks the network while another attempts to defend the network. Three teams are involved in most cybersecurity war games: red, blue, and white teams. 140 Chapter 01: Threats, Attacks, and Vulnerabilities Red Team The red team plays the role of attacking the force and uses reconnaissance and exploitation tools to gain access to the protected network. The red team’s work is similar to that of the testers during a penetration test. Blue Team The blue team takes on the position of Network defense, and the red team's attempted attack puts the blue team's ability to respond to the attack to the test. Gaining access to log data, using a SIEM, gathering information, and doing traffic and data flow analysis are all part of this process. White Team The white team is a group of technicians who coordinate the exercise and act as referees, resolving disagreements between the red and blue teams. Enforcing the rules of engagement could be one of the white team's responsibilities, along with monitoring the blue team's responses to the attack and noting specific approaches used by the red team. Purple Team Purple refers to a philosophy in which attackers and defenders work together on the same team. As a result, rather than a dedicated team, it should be viewed as a function. Purple teams should not be needed in organizations where the red team / blue team interaction is healthy and functioning effectively because the primary objective of a red team is to develop ways to improve the blue team. Figure 1-33: Exercise Type 141 Chapter 01: Threats, Attacks, and Vulnerabilitie Mind Map Figure 1-34: Mind Map of Penetration Testing 142 Chapter 01: Threats, Attacks, and Vulnerabilities Practice Question 1. An Ethical Hacker needs which of the following to break into a system? A. B. C. D. Training Permission Planning Nothing 2. What is Gray Box Pentesting, and how does it work? A. B. C. D. Pentesting with no knowledge Pentesting with partial knowledge Pentesting with complete knowledge Pentesting with permission 3. What kind of hacker are you if you have been employed to launch an attack on a target system in order to uncover and exploit vulnerabilities? A. Gray Hat B. Black Hat C. White Hat D. Red Hat 4. Which of the following best describes an assailant who seeks out a target in order to attract attention to a cause? A. Terrorist B. Criminal C. Hacktivist D. Script Kiddie 5. What is the level of knowledge of a Script Kiddie? A. Low B. Average C. High D. Advanced 6. What is required for a White Box Test? A. No knowledge B. Some knowledge C. Complete knowledge D. Permission 143 Chapter 01: Threats, Attacks, and Vulnerabilities 7. Which of the following best describes a hacker who does not care if they are caught or punished? A. B. C. D. Hacktivist Terrorist Criminal Suicide Hacker 8. Which of the following reasons necessitates a penetration test? (Select 2) A. B. C. D. Troubleshooting network issues Finding vulnerabilities To perform an audit To monitor performance 9. Hacker using their skills for both benign and malicious goals at different times are ______________. A. White Hat B. Gray Hat C. Black Hat D. Suicide Hacker 10. Vulnerability analysis is basically ____________. A. Monitoring for threats B. Disclosure, scope, & prioritization of vulnerabilities C. Defending techniques from vulnerabilities D. Security application 11. What is Black Box Testing? A. Pentesting with no knowledge B. Pentesting with complete knowledge C. Pentesting with partial knowledge D. Pentesting performed by Black Hat 12. The term “Vulnerability” refers to _______________. A. A Virus B. A Malware C. An Attack D. A Weakness 13. Using dots and slash sequences, an attacker is attempting a trial and error strategy to get access to restricted directories. Which form of web server attack is this? 144 Chapter 01: Threats, Attacks, and Vulnerabilities A. B. C. D. LDAP Attack AD Attack Directory Traversal Attack SQL Injection 14. An attacker sends a request, allowing him to add a header response; now, he redirects the user to a malicious website. Which type of attack is this? A. Web Cache Poisoning B. HTTP Response Splitting Attack C. Session Hijacking D. SQL Injection 15. What are the most common methods for performing Footprinting? A. Active & Passive Footprinting B. Pseudonymous & Passive Footprinting C. Social & Internet Footprinting D. Active & Social Footprinting 16. Which one of the following is the best meaning of Footprinting? A. Collection of information about a target B. Monitoring target C. Tracing a target D. Scanning a target 17. What is the purpose of Social Engineering? A. Reveal information from human beings B. Extract information from compromised social networking sites C. Reveal information about social networking sites D. Compromising social accounts 18. Cracking password with pre-computed hashes is called ___________. A. Rainbow Table Attack B. Brute Force Attack C. Dictionary Attack D. Password Guessing 19. Which of the following is used for Backdoor installation? A. Meterpreter B. Zero-day Exploit 145 Chapter 01: Threats, Attacks, and Vulnerabilities C. Exploit Kits D. Persistence 20. How can you mitigate a rainbow table attack? A. Changing Default Password B. Configuring Unpredictable Password C. Password Salting D. Password Hashing 21. Which of the following assertions is the most accurate description of the term "malware"? A. B. C. D. Malware is Viruses Malware is Malicious Software Malware is Trojans Malware is Infected Files 146 Chapter 02: Architecture and Design Chapter 02: Architecture and Design Technology Brief This chapter describes the concepts of security related to operating in an enterprise environment. It delves into enterprise security issues such as change and configuration management, data sovereignty, protection, and loss prevention. You will become acquainted with hardware security modules, geographical considerations, and cloud access security brokers. After that, we will discuss response and recovery controls, SSL/TLS inspection, and site resiliency. Finally, we will learn how to use honeypots, honey files, honeynets, fake telemetry, and DNS sinkholes for deception and disruption. We will discuss the following topics in detail in this chapter:           Define change and configuration management concepts such as diagrams, baseline configurations, standard naming conventions, and IP schema documentation Describe data sovereignty, data conversion and storage in binary digital form, and how data is governed by the country's laws where it is stored. Describe data security issues such as data loss prevention, masking, and encryption Learn how hardware security modules (HSMs) play a significant role in delivering hardened, tamper-resistant devices for generating keys, encrypting and decrypting data, and issuing and verifying digital signatures. Recognize geographical factors such as jurisdictions, privacy laws, import-export restrictions, and cryptographic regulations describe the on-premises or cloudbased CASB security policy enforcement points that are established between cloud service providers and their customers Contrast response and recovery control as they relate to enterprise business continuity and disaster recovery. Describe how next-generation firewalls, WAF solutions, and other cloud-based techniques perform SSL/TLS inspection Explain hashing and application programming interfaces, as well as the significance of digitally signing all API calls Describe the various types of site resiliency, such as hot site, cold site, and warm site solutions Define deception and disruption techniques that use honeypots, honey tokens, honey files, honeynets, phony telemetry, and DNS sinkholes. 147 Chapter 02: Architecture and Design The Significance of Security Ideas in a Business Setting Security Overview The methods and procedures for preventing unauthorized access, disclosure, use, or modification of data and information systems are system security. Data security ensures that information is kept private, secure, and accessible. An organization's confidential information and data will not be protected if it lacks security policies and suitable security standards, placing the organization in danger. Security policies and welldefined procedures can help secure an organization's assets from unauthorized access and disclosure. Thanks to cutting-edge technology and platforms, millions of individuals communicate with one another every minute in today's world. Due to various old and new threats that exist around the world, these sixty seconds can be tremendously vulnerable and costly to private and public businesses. The public internet is the most common and fastest way for risks to spread over the planet. Viruses, spam, malware, and malicious routines and scripts are all waiting to be accessed at any time. This is why security threats to a network or system can never be entirely eliminated. It is a never-ending challenge to design a security policy that's effective and efficient rather than a jumble of ineffective security implementations that waste resources and expose vulnerabilities to attacks. Configuration Management When changes occur to a software product during its development life cycle, a configuration management system can be put into place that allows for change control processes to occur through automation. Software Configuration Management (SCM) is a feature of a product that recognizes software attributes at various points in time and performs methodical change control to maintain software integrity and traceability throughout the software development life cycle. It establishes the need to keep track of changes and ensures that the final delivered software contains all of the approved changes that are supposed to be included in the release. 148 Chapter 02: Architecture and Design Figure 2-01: Software Configuration Management Baseline Configuration A baseline is an agreed-upon description of a product's attributes at a specific point in time used to define configuration management changes. A baseline is typically a single work output or a series of work products that may be used as a reasonable comparison point. Standard Naming Conventions Software configuration management is a set of processes, regulations, and technologies that aid in the organization of developers' work. It preserves the existing state of the software (referred to as the "baseline") while allowing developers to work on new versions for new features or adjustments. Internet Protocol Schema 149 Chapter 02: Architecture and Design The IP address of the server is one of the most crucial parts of establishing a business IT system. This data must be kept private, but it must also be accessible to others, such as compliance officers performing audits. It is difficult to decide which stakeholders or personnel have access to and can edit CM data. Data Sovereignty Data sovereignty is the perception that information has been converted and stored in binary digital form. It is the idea that data are subject to the laws and governance structures within the nation it is collected. The conception of data sovereignty is closely linked with data security, cloud computing, and technological sovereignty. Data Protection Throughout its lifecycle, data security refers to the process of securing data from illegal access and data corruption. Data encryption, hashing, tokenization, and key management are all data security strategies that safeguard data across all applications and platforms. Data Loss Prevention Data Loss Prevention (DLP) is a term that refers to the prevention of data loss. It basically puts a stop to data transmission before it reaches the risk actor. The endpoint DLP program on the computer monitors the data and prevents unauthorized access. The DLP device monitors any confidential information, such as credit card numbers, that should not be in clear text across the network connection. The data is monitored by the server's DLP system, which ensures that it does not come into the hands of the threat actor. Masking Data masking safeguards confidential data such as credit card numbers, Social Security numbers, names, addresses, and phone numbers from unintended exposure, reducing the risk of data breaches. Masking of data helps enterprises raise the level of security and privacy assurance. Encryption In order for an application to be secure and usable, it must include encryption. It is necessary to adopt and utilize a proven algorithm and codebase. For example, we can make sure that only the sender and receiver can read clear text data using encryption. At Rest 150 Chapter 02: Architecture and Design Data at rest is information that is not actively traveling from one device to another or from one network to another, such as information saved on a hard drive, laptop, flash drive, or archived/stored in another fashion. The goal of data security at rest is to protect idle data on any device or network. While data at rest is sometimes thought to be less vulnerable than data in motion, attackers often regard data at rest as a more desirable target. The security mechanisms in place to secure data in transit or at rest determine the risk profile for data in either condition. In Transit/Motion Data in transit, also known as data in motion, refers to information that is actively traveling from one area to another, such as across the internet or a private network. Data protection in transit refers to the security of data while it is being transported from one network to another or from a local storage device to a cloud storage device. Effective data protection solutions for in-transit data are crucial anywhere data is moving, as data is frequently regarded as less safe while in transit. Modern businesses must protect sensitive data both in transit and at rest, as hackers continue to develop new ways to breach networks and steal data. In Processing Data security is a set of procedures and policies designed to protect your critical Information Technology (IT) infrastructure. All types of files, databases, accounts and networks are examined. Effective data security relies on a combination of controls, applications, and methods to assess the value of various datasets and implement the most effective security policies. Data security that is effective considers the sensitivity of diverse datasets as well as regulatory compliance needs. Tokenization Tokenization is the process of transforming valuable data, such as an account number, into a useless string of characters called a token. Tokens can be used to refer back to the source data but not to estimate values. Rights Management Right Management assists in the protection of sensitive information or data by maintaining and enforcing access and usage rights to information throughout its lifecycle, regardless of where it is distributed. 151 Chapter 02: Architecture and Design Hardware Security Module (HSM) A hardware security module is a physical computing device that secures and manages digital keys while also encrypting and decrypting data for digital signatures, strong authentication, and other cryptographic operations. Traditionally, these modules take the form of a plug-in card or an external device that connects directly to a computer or network server. Any application that uses digital keys can benefit from the use of a hardware security module. The keys are usually extremely valuable, implying that the owner would suffer a significant financial loss if they were compromised. An HSM performs the following functions: 1. 2. 3. 4. Secure cryptographic key generation on-board Secure cryptographic key storage onboard, at least for master keys, which are the highest level and most sensitive keys Key management Using cryptographic and sensitive data material to offload application servers for comprehensive asymmetric and symmetric cryptography, such as executing encryption or digital signature operations HSMs manage transparent data encryption keys for databases, as well as keys for storage devices like disks and tapes. Figure 2-02: Hardware Security Modules 152 Chapter 02: Architecture and Design Geographical Considerations Prior to cloud computing's broad acceptance, defining the boundary was relatively simple; it consisted of the computing assets on-premises to the organization and/or at a colocation datacenter; with the seemingly ubiquitous adoption of cloud services, the enterprise cybersecurity boundary required to be extended to include leveraged cloud services rather than geographic locations. For example, a company may have information assets on-premises at their corporate location but also use AWS or Azure for additional compute and storage resources. We have heard about AWS S3 buckets being publicly exposed on the internet, resulting in a data breach for organizations. Cloud Access Security Broker (CASB) When users access cloud-based resources, a cloud access security broker sits between them and the cloud service, enforcing security regulations. To better understand what CASB is, it is important to note that this is not the same as the firewalls that businesses employ to monitor and filter their networks. CASBs can shed light on strange or unusual user activity and provide cloud access control to the company. They, unlike firewalls, provide deep visibility into cloud environments and granular control over cloud usage. CASBs are increasingly being used to mitigate cloud security risks, ensure compliance with data privacy regulations, and enforce corporate security policies. They are becoming increasingly important to organizations as employees use personal, unmanaged devices to access corporate networks from new, dispersed locations, posing additional cloud security risks. The concept of CASB emerged in response to the growing need for more consistent security across multiple cloud environments, which was exacerbated by the rise of cloud computing. CASBs enabled organizations to gain greater visibility into what was happening in their cloud and Software-as-a-Service (SaaS) deployments and protect all user and sensitive corporate data in these environments. Organizations require solutions that make protecting their data and users easier, given blended attacks, various exploits, and obfuscation technologies that make detection more difficult. CASBs are becoming increasingly important in protecting against malware and phishing attacks, securing access to cloud services, and ensuring the security of cloud applications. 153 Chapter 02: Architecture and Design Figure 2-03: Pillars of CASBs CASB solutions are divided into four pillars or functions that ensure the security of an organization's cloud services: Visibility Organizations need to be able to see what their users are doing across all of their cloud applications, including sanctioned and unsanctioned applications, also known as shadow IT. A specific risk of cloud usage is an activity that occurs outside of IT controls because the organization's data is no longer protected by its compliance, governance, and risk policies. As a result, CASBs are critical for detecting high-risk behavior that IT teams may miss. A CASB solution provides comprehensive visibility of cloud application usage, including device and location data, to assist organizations in protecting data, intellectual property, and users. It also offers cloud discovery analysis, which allows businesses to assess the risk of cloud services and determine whether or not to give users access to applications. Compliance Organizations now have a plethora of cloud supplier options and will almost certainly use multiple vendors for various solutions. Regardless of whether they outsource or 154 Chapter 02: Architecture and Design manage services in-house themselves, organizations are still responsible for ensuring regulatory compliance regarding the privacy and security of their data. CASBs assist organizations in meeting the increasingly stringent and ever-changing requirements of data and privacy regulations such as privacy legislation, including the California Consumer Privacy Act (CCPA), the European Union's General Data Protection Regulation (GDPR), and the Health Insurance Portability and Accountability Act (HIPAA). CASBs are also necessary for meeting the security requirements of ISO 27001 and the Payment Card Industry Data Security Standard (PCI DSS). Data Security Organizations must ensure that sensitive data is protected even as cloud usage grows and data loss prevention (DLP) tools are implemented. On-premises DLP solutions are effective at protecting data, but they cannot protect cloud services. Threat Protection Organizations are increasingly vulnerable to outside hackers using stolen credentials and insider attacks. As a result, businesses must be able to detect and prevent suspicious behavior, even from authorized users. Response and Recovery Controls Figure 2-04: Response and Recovery Control Response and Recovery services include: 155 Chapter 02: Architecture and Design 1. 2. Backup and Restore Incident Response These services aid in the definition of procedures to be followed in the event of an incident, including detection, reaction, and recovery activities. The consequences of a cyber-security event can be mitigated by detecting an incident early and responding appropriately. Honeywell's Response and Recovery services assist users in resuming operations following an incident. The services also include backup solution implementation and consulting to assist users in developing a formal incident response plan. Users can use Response and Recovery services to document incident details for future reference and improve their ability to recover and respond quickly to future attacks. Furthermore, these services teach employees how to report cyber security incidents. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection The process of intercepting SSL/TLS encrypted internet communication between the client and server is known as SSL/TLS inspection or HTTPS interception. Malicious content could be hidden in encrypted traffic alongside your legitimate data. The next version of the Internet Engineering Task Force (IETF) protocol standardized it and renamed it Transport Layer Security, or TLS, after it was launched in 1999. According to the TLS specification, the differences between this protocol and SSL 3.0 are not dramatic. As a result, it is not really a question of TLS vs. SSL; rather, the two form a constantly updated series of protocols that are often referred to as SSL/TLS. The TLS protocol encrypts all internet traffic. Web traffic is the most prevalent if the URL in your address begins with "HTTPS," and there is a padlock icon suggesting the connection is secure. TLS, on the other hand, can be utilized by other programs such as e-mail and Usenet. ad will expire in 27. Hashing Hashing is a mathematical process that uses a special cryptographic function to transform one set of data into another of fixed length. The process entails using a hash table to map data of any size to a fixed length and then storing the output data in the digest. It is a method for converting a set of key values into a set of array indexes. To get a range of key values, we will use the modulo operator. Consider a hash table of size 20 with the following items to be stored. Items are formatted as “(key, value).” 156 Chapter 02: Architecture and Design Figure 2-05: Encryption and Hashing API Considerations API security is the safeguarding of the integrity of APIs, both those you own and those you use. Like systems and apps, APIs are one of the most common ways for microservices and containers to communicate. APIs are becoming increasingly important as integration and interconnectivity become more important. Figure 2-06: API Process 157 Chapter 02: Architecture and Design Site Resiliency Resilience is defined as the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring dangers or incidents. As with security, organizations implement physical- and cyber-resilience strategies, such as having a backup power generator. Hot Site A hot site is a near-instant backup of your production site, complete with personnel, network systems, power grids, and data backups. When switching from the host site to the backup site, there is almost no downtime. While the idea of having real-time synchronization is appealing, it is also quite costly. You must first weigh the benefits and decide whether they are worth the cost. Cold Site A chilly site is similar to keeping a spare, run-down automobile in your garage at home. You must call a buddy to bring your other automobile to you if your car breaks down. You and your friend may need to work out the details of getting extra keys for the car. No matter what, it will take a long time for your new ride to arrive, so be prepared to wait. When a disaster strikes, this translates to a site with little or no hardware set up. Because the equipment is not set up and running, you are saving a lot of money. However, getting your site back up and running will take a long time. Warm site When you visit a warm site, it is like traveling down the road with your second automobile following closely behind. However, the car could have stopped at a few signals and be several miles behind you; As a result, catching up to you may take some time. Your spare car would not be as fancy as your current one (no heated seats or satellite radio), but it has gas in the tank, and the engine works, which is all you really need until you can get your current car repaired and running again. Similarly, a warm site recovery implies that you have established hardware and network connections from one site to another, but they are not the same. While you are restoring your data from a remote backup location, your recovery will still be delayed. Deception and Disruption Deception technology is a type of cybersecurity defense practice that aims to deceive attackers by disseminating a set of traps and decoys throughout a system's infrastructure to imitate genuine assets. In contrast, disruption is a dangerous threat caused by intentional or unintentional incidents that result in a security breach, damage to digital devices and networks, or a network outage. 158 Chapter 02: Architecture and Design Honeypots Honeypots are devices or systems deployed to trap attackers attempting to gain unauthorized access to a system or network. They are placed in a controlled setting and are constantly watched. Honeypots are often deployed in the DMZ and configured in the same way as servers. Any type of probe, malware, or infection will be immediately detected as the honeypot appears to be a legitimate part of the network. Honeyfiles Honeyfiles are a deception-based intrusion detection mechanism. A honey file is a bait file that is designed for hackers to open; when the file is accessed, an alert is set off. A honey file could be a file called passwords.txt on a workstation, for example. The file's name will attract hackers who get illegal access to the workstation, and when they open it, an alarm will go out. Honeynets A honeynet is a virtual system that is basically designed to attract threat actors or attackers and trap them. It is a group or collection of honeypots designed to look like a real corporate network that, in reality, is fake. Lab 2-01: Configuring Honeypot on Windows Server 2016 Machines: --Windows Server 20 16 (VM) --Windows 7 (VM) Software used: --honeypot (https://www.atomicsoftwaresolutions.com) Procedure: 1. 2. Open the HoneyBOT application. Set the parameters or leave them on default. 159 Chapter 02: Architecture and Design 3. Select Adapters. 4. Go to a Windows 7 machine. 160 Chapter 02: Architecture and Design 5. 6. Open Command Prompt. Generate some traffic, for example, FTP. 7. Go back to Windows Server 2016 and observe the logs. 8. Select the log by clicking on "Port" > "21." 161 Chapter 02: Architecture and Design 9. Right-click and go to “View Details.” 10. Right-click and go to “Reverse DNS.” 162 Chapter 02: Architecture and Design DNS Sinkhole In a postmortem of the WannaCry outbreak, Hutchins wrote, "A sinkhole is a server that captures malicious traffic and prevents infected devices from being controlled by the criminals who infected them." Security teams utilize sinkholes to attack, stop, and collect information on infiltrating adversaries. 163 Chapter 02: Architecture and Design Mind Map Figure 2-07: Mind Map of Security Concepts Virtualization and Cloud Computing Concepts What is Cloud Computing, and how does it work? Cloud computing is simply the process of storing data and connecting to computers via the internet. It is the internet-based delivery of various computer services such as servers, software, analytics, databases, and storage. Computing resources are delivered on-demand through a cloud service platform with pay-as-you-go pricing. The companies that are providing services are termed as “Cloud Providers.” There is a number of cloud providers like Amazon, Google, and Azure. Cloud Computing's Advantages We are all aware that Cloud Computing has resulted in a significant shift in traditional company thinking about IT resources. There are numerous advantages of using cloud computing. Here are a few examples: 164 Chapter 02: Architecture and Design 1. Cost Cloud computing eliminates the capital cost of buying hardware and software and of building and running in-house data centers – server racks, 24 hours’ electricity for power and cooling, etc. 2. Scale Globally Cloud computing services have the capacity to scale with elasticity. In the cloud, it means that IT resources are provided more or less computing power, storage, bandwidth – as per requirement and from the right place. 3. Improve Agility and Speed New IT resources are readily available, allowing resources to be scaled up and down indefinitely to meet demand. This results in a significant boost in organizational agility. 4. Reliability Cloud computing allows data backup, disaster recovery, and business continuity as data can be replicated in the network of the cloud supplier on multiple redundant sites. 5. Security The protection of their data is one of the main problems for any organization regardless of its size and industry. Infringements of data and other cyber-crimes can devastate the revenue, customer loyalty, and positioning of a company. Cloud provides many advanced security features to strengthen the security of the overall company. It also helps in protecting your data, application, and infrastructure. The Economy of Cloud Computing In the traditional context of enterprises, where big capital expenditures are required, the cloud is the most cost-effective solution to transition to a pay-as-you-go model. Cloud reduces the Capital Expenditure (CapEx) cost and also gives some other benefits. With Cloud Computing, you should move toward Operational Expenditure (OpEx). VMs, App Services, and other Azure services are mostly priced on an hourly basis. There is also consumption-based pricing, which is dependent on the number of times a function is executed, the number of times a resource is used per second, or both. Azure Function is an example of consumption-based pricing. EXAM TIP: 165 Chapter 02: Architecture and Design Capital Expenditure (CapEx) is the expenditure to maintain or acquiring fixed assets by spending money. This includes land, equipment, etc. Operational Expenditure (OpEx) is the cost of a product or a system that is running on a day-to-day basis like electricity, printer papers, etc. Technical Terms To comprehend Cloud Computing, you must first comprehend a few technical phrases. 1. High Availability (HA) - It is the core of cloud computing. In traditional server environments, companies own a large amount of hardware, and the workload is limited to this hardware capacity. In case of extra load, capacity cannot be increased whereas, sometimes this hardware seems extra for the workload. You do not own any of the hardware in the cloud, and addition in servers is just a click away. By replacing the failed server with a new one, you can achieve high availability for your servers as soon as it fails. The number of VMs you set up to eventually cover in case one goes down determines how well HA works. 2. Fault Tolerance - For resilience in the cloud, fault tolerance is also an important factor. Fault tolerance gives you zero downtime. Fault tolerance refers to the fact that if there is a fault on the Azure side, it is promptly mitigated by Azure. 3. Disaster Recovery (DR) – Used in case of any catastrophic disaster like a cyberattack. If such an occurrence occurs, there is a plan in DR to recover your business from these essential systems or restore regular operations. DR has designated time to recover and a recovery point. 4. Scalability - In cloud computing, scalability means adding or removing the resources in an easy and quick way as per demand. It is important in such a situation where you do not know the actual number of resources that are needed. Auto-scaling is an approach for scalability depending on your requirement by defining the threshold 1. 2. Elasticity refers to the ability to dynamically expand or contract network resources in response to autonomous working load changes and maximizes resource use. This can contribute to overall cost savings for services. Agility - The ability to react rapidly and efficiently to changes in the business environment is known as agility. The ability to quickly design, test, and deploy business-driven software applications is often called agility. Instead of providing and managing services, Cloud Agility lets them concentrate on other issues such as security, monitoring, and analysis. EXAM TIP: 166 Chapter 02: Architecture and Design From the exam perspective, one must be familiar with all the terms like HA, Fault Tolerance, DR, Elasticity, Scalability, and Agility. Cloud Models We know that all clouds are not the same, and not every business requirement for cloud computing is the same. So, in order to meet the requirements, different models, types, and services have been used. Firstly, you have to decide how the cloud service is being applied by finding out the cloud deployment type or Architecture. The cloud computing services are divided into the following basic models: IaaS, PaaS, Xaas, SaaS, public, community, hybrid, and private. These are also known as a stack in cloud computing because each of them is built on top of another. Let’s discuss each of them. Infrastructure as a Service (IaaS) It gives you a basic IT infrastructure for Cloud IT like VMs, Data Storage, Networks, OS on a pay-as-you-go model. Platform as a Service (PaaS) Cloud computing platforms that provide an on-demand environment to build, test, and Platform as a Service deliver and manage software applications. PaaS is designed to facilitate the fast development of web or mobile apps for developers without setting or maintaining the underlying server, storage, network, and database infrastructure needed for development. Software as a Service (SaaS) Both servers and code are taken over by cloud providers. Cloud providers host and maintain the applications and underlying infrastructure for SaaS and handle updates such as software upgrades and security patches. Users link the app over the Internet, usually through their phones, tablets, or PC’s web browsers. 167 Chapter 02: Architecture and Design Figure 2-08: IaaS, PaaS, and SaaS Overview Anything as a Service (XaaS) Anything as a Service refers to a broad category of cloud computing and remote access services. It acknowledges the vast number of products, tools, and technologies that are now delivered as a service to users via the internet. EXAM TIP: IaaS – Servers, storage, and networking PaaS – Servers, storage, networking, and management tools SaaS – A complete application like Office 365 Serverless - No need for server; there is a single function that is hosted, deployed, and managed on its own 168 Chapter 02: Architecture and Design Figure 2-09: Types of Cloud Computing Figure 2-10: Public, Private and Hybrid Cloud Community 169 Chapter 02: Architecture and Design A community cloud is a cloud service paradigm that provides a cloud computing solution to a small number of people or businesses while being administered and managed by a single entity and secured collaboratively by all participating organizations or a third-party managed service provider. Cloud Service Providers Cloud service providers host cloud computing-based infrastructure and platform services for customers using their own data centers and compute resources. Cloud services are typically priced through a variety of pay-as-you-go subscription models. MSP/MSSP stands for Managed Service Provider/Managed Security Service Provider A managed security service provider provides outsourced monitoring and administration of security devices and systems. Common services include managed firewalls, intrusion detection, virtual private networks, vulnerability testing, and antiviral protection. A managed service provider is a company that manages a customer's IT infrastructure and/or end-user systems remotely, typically on a proactive and subscription basis. ASPs concrete the way for cloud computing and companies that offer remote support for customers' IT infrastructure. On-Premises vs. Off-Premises Cloud monitoring solutions are classified into two types: off-premise and on-premises services. Off-premise solutions are typically delivered as a hosted service and are licensed on a monthly subscription basis. On-premise cloud monitoring solutions rely on software that is installed on virtual or physical servers that you manage. Fog Computing Fog computing is a decentralized computing infrastructure that distributes data, processing, storage, and applications between the data source and the cloud. Fog computing, like edge computing, brings the benefits and power of the cloud closer to the point where data is created and acted upon. Edge Computing Edge computing is the computational processing of sensor data away from centralized nodes and close to the network's logical edge toward individual data sources. It is a distributed IT network architecture that enables mobile computing for data generated locally. 170 Chapter 02: Architecture and Design Figure 2-11: Edge Computing Thin Client A thin client is a computer that uses resources from a central server rather than a local hard drive. Thin clients operate by connecting remotely to a server-based computing environment, which stores the majority of applications, sensitive data, and memory. Containers In cloud computing, a Container is a method of virtualizing an operating system. This allows the user to interact with a program and its dependencies using isolated resource procedures. The application's code can be systematically bundled with configurations and dependencies. 171 Chapter 02: Architecture and Design Figure 2-12: Container and Hypervisor Architecture Microservices/API Microservices are a design approach for building cloud applications. Each application is built as a collection of services, each of which runs in its own process and communicates via APIs. Microservices architecture is a method of building applications that has become a best practice over time. Figure 2-13: Micro Service Architecture Infrastructure as Code Software-Defined Networking (SDN) 172 Chapter 02: Architecture and Design SDN is a networking approach that uses software-based controllers or application programming interfaces to communicate with underlying hardware infrastructure and direct network traffic. While network virtualization enables organizations to segment different virtual networks within a single physical network or connects devices on different physical networks to form a single virtual network, software-defined networking enables a new method of controlling data packet routing through a centralized server. Figure 2-14: SDN Architecture Software-Defined Visibility (SDV) Software-Defined Visibility is equivalent to Software-Defined Networking in terms of a visibility infrastructure. SDV combines visibility's broad reach with an automation 173 Chapter 02: Architecture and Design framework. Network switches and routers form the physical network or Layer 2-3 data plane in an SDN infrastructure. Serverless architecture Serverless computing is a critical component of current cloud computing. It is a PaaS at its most extreme. The infrastructure required for running code with serverless apps is automatically offered, scaled, and managed by the cloud service provider. By removing the requirement for developers to manage infrastructure, the serverless architecture allows them to build applications faster. EXAM TIP: It is critical to note that "serverless" does not imply that no virtual machines are used. It simply means that the VM running your code is not explicitly allocated to you, which means that you do not manage them. Your code is moved to the VM, it is executed, and then it is moved off. Benefits of a Serverless Model No Infrastructure Management: Use fully managed infrastructure - developers can avoid administrative tasks and concentrate on the core business logic. You simply deploy the code with a serverless platform, and it runs with great availability. Dynamic Scalability: The infrastructure can automatically scale up and down within seconds to match any workload requirements for serverless computing. Time to Market is Reduced: Serverless applications reduce the dependencies of operations on each development cycle, increasing the agility of development teams to produce more features in less time. More Efficient Use of Resources: Shifting to serverless technology allows companies to reduce TCO and resource reallocation to speed up the pace of innovation. Services Integration Cloud integration is a set of tools and technologies that connects various applications, systems, repositories, and IT environments for real-time data and process exchange. The benefits of service integration are: 1. 2. 3. 4. 5. 6. 7. Improved operational efficiency Increased flexibility and scalability Faster time-to-market Better internal communication Improved customer service, support, and retention Increased competitive edge Reduced operational costs and increased revenue 174 Chapter 02: Architecture and Design Resource Policies Policies and Mechanisms for Cloud Resource Management Allocating resources for individual instances is referred to as capacity allocation. An instance is a service activation on behalf of a cloud user. Finding resources that are subject to several global optimization restrictions needs a broad search. Transit Gateway A transit gateway is a network transit hub that connects your Virtual Private Clouds (VPCs) and on-premises networks. Inter-Region peering connects transit gateways using the AWS Global Infrastructure as your cloud infrastructure expands globally. Your information is automatically encrypted and is never sent over the public internet. Virtualization Virtualization is a technique for creating a virtual ecosystem of storage devices and the server operating system. In such cases, virtualization allows users to use multiple machines that share a single physical instance of any resource. Virtual Machine (VM) A virtual machine is a digital representation of a real computer. Virtual machine software is capable of running programs and operating systems, storing data, connecting to networks, and performing other computing functions, but it requires regular maintenance such as updates and system monitoring. VMsprawl Avoidance VM sprawl occurs when an administrator can no longer properly supervise and manage all of the virtual machines on a network. This can happen when many VMs are put up for use by various departments in quickly growing networks. VM Escape Protection A virtual machine escape is a security exploit that allows a hacker/cracker to gain access to the primary hypervisor and the virtual machines it creates. Virtual machine escape allows a user to bypass the hypervisor-created, manage guest OS boundary, and gain access to the top-tier virtualization layer. 175 Chapter 02: Architecture and Design Mind Map Figure 2-15: Mind Map of Cloud Computing Concepts Secure Application Development, Deployment, and Automation Concepts Environment Development Software is created through a series of steps that include obtaining requirements, planning, designing, coding, testing, and support. These responsibilities are carried out according to the process model that the team members have defined. Two of these are addressed in more detail below. Waterfall Model The Waterfall Model is one of the application development frameworks, which is a “sequential design process.” In this process, each step is taken sequentially; that is, the second step follows the completion of the first, the third step follows the completion of the second, and so forth. The Waterfall model can be implemented in multiple ways, but they all follow similar steps. 176 Chapter 02: Architecture and Design The following are some of the most common pros and cons of the Waterfall model: Pros Cons It is a sequential approach Developers are unable to make changes to prior steps; hence, each step is definitive. Emphasizes methodical A fault in instructions can result in havoc as the record-keeping and project depends upon the initial input and documentation instruction Clients know what expected at every step is Only at the end of the sequence is the test carried out Strong documentation Change implementation can be a nightmare for results in less hassle developers Table 1-01: Pros and Cons of the Waterfall Model A common framework for application development: Figure 2-16: The Waterfall Model Agile Model In the Agile Model, no sequential path is followed. Instead, multiple tasks are performed simultaneously in development. One advantage of the Agile model is that it is simple to make modifications, i.e., the Agile model's development process is continuous. The following are the two main types of Agile development: 1. 2. Scrum Extreme Programming (XP) 177 Chapter 02: Architecture and Design Some of the most common advantages and disadvantages of the Agile model are as follows: Pros Cons It is a team-based approach Mismanagement could lead toward code sprints with no ends It allows us to make changes The final project could be completely different from a planned project Testing can be done at any point It is impossible to identify who is along the process. working on what from the outside. Simultaneous testing helps launching a project quickly in Lack of emphasis on documentation Table 2-02: Pros and Cons of the Agile Model Test Software testing determines if a software product satisfies the expected requirements and ensures that it is free of defects. It comprises putting software/system components to the test with manual or automated techniques in order to assess one or more properties of interest. Staging Staging is the final stage of the deployment process before it is released to Production. Staging is the final dress rehearsal before the project is handed over to Production. For software testing, a staging environment (stage) is a near-exact replica of a production environment. Staging environments are created to test codes, builds, and updates in a production-like environment prior to application deployment. Production Production is the last environment in your software development process. The work is ready to be made public, and only the most thoroughly tested code should be included. Quality Assurance (QA) Quality assurance helps identify errors and flaws in software code and design throughout the development process to save time and money. It ensures that the final product is competitive, secure, and performs its expected functions smoothly. Provisioning and De-Provisioning 178 Chapter 02: Architecture and Design Provisioning is the process of making IT systems available to customers. Depending on your organization's needs, provisioning can be defined at the network, server, application, and user levels: 1. Network provisioning entails creating a network that users, servers, and devices can access. Network provisioning is used in the telecommunications industry, for example, to provide wireless solutions to customers. 2. Server provisioning is the process of configuring a server for use on a network. This could entail building a new machine. This includes setting up physical gear, installing and configuring software, and connecting to networks and storage in a data center. Application provisioning is a technology that allows you to manage your infrastructure. 3. 4. Creating, updating, and removing rights and permissions to a company's apps as part of the process of managing digital identities, files, networks, systems, and resources, is known as user provisioning. Deprovisioning is the process of withdrawing user access to software and network services. Simply put, it is the inverse of provisioning and occurs when employees change roles or leave a company. Both provisioning and de-provisioning are important in securing IT systems and applications, but effective and automated user provisioning should be at the top of any organization's priority list if it wants to improve its security posture. Integrity Measurement Integrity measurement is a technique to enable a party to query the integrity status of software running on a platform, e.g., through attestation challenges. Secure Coding Techniques The following secure coding techniques are used in the software development process: Normalization The process of restructuring data in a database so that it meets two basic standards is known as normalization. There is no data redundancy; everything is kept in one place. Data dependencies are understandable. Stored Procedures Stored Procedures are programs that are written to perform one or more DML operations on a database. It is simply a collection of SQL statements that accept input 179 Chapter 02: Architecture and Design in the form of parameters, perform some task, and may or may not return a value. Parameters are used to provide information to the Procedure. Obfuscation/Camouflage Obfuscation is the process of making something difficult to understand. Programming code is frequently obfuscated to protect intellectual property or trade secrets and prevent an attacker from reverse engineering a proprietary software program. One method of obfuscation is to encrypt some or all of a program's code. Code Reuse/Dead Code The practice of reusing existing code for a new function or piece of software is known as code reuse. However, in order to reuse code, it must be of high quality. That means it must be safe, secure, and dependable. A section of a program's source code executed but whose output is never used in another computation is called dead code. Dead code wastes both computation time and memory. Server-Side vs. Client-Side Execution and Validation Client-side validation is used to validate and display form-level errors, whereas serverside validation is used to validate and display field-level errors. Client-side validation is dependent on JavaScript and may be disabled in some browsers, resulting in invalid data being saved, whereas server-side validation is extremely secure. Memory Management Software Development Kits (SDKs) and Third-Party Libraries Are Used A third-party library is one in which the most recent version of the code is not maintained and hosted by Moodle. "Mustache. PHP" is an example. There are currently three SDKs available: iOS, Android, and Javascript. The iOS SDK uses the keychain to secure key material, whereas the Keystore is used by the Android SDK. This encrypts and safeguards the tokens against unauthorized use. When you use the ForgeRock SDKs, you get all of these best practices for free. Data Exposure Data exposure occurs when information is left exposed in a database or server for anybody to see. When system and application configuration details are left unprotected online, sensitive data can be exposed. Open Web Application Security Project (OWASP) The Open Web Application Security Project specifies the number of general buffer overflow prevention strategies. These are some of them: 180 Chapter 02: Architecture and Design 1. 2. 3. 4. 5. 6. 7. 8. Auditing of code (automated or manual) Bounds checking, the use of dangerous functions, and group standards are all covered in developer training. Non-executable stacks — This is something that many operating systems support in some fashion. StackShield, StackGuard, and Libsafe are examples of compiler tools. Safe functions – Use strncat instead of strcat, strncpy instead of strcpy, etc. Use strncat instead of strcat, strncpy instead of strcpy, and so on. Patches — Make sure your web and application servers are adequately patched and stay on top of bug reports for apps that your code relies on. Periodically scan your application with one or more of the commonly available scanners that look for buffer overflow flaws in your server products and your custom web applications Software Diversity Software diversity is a research area concerned with the understanding and engineering of diversity in the context of software. Automation/Scripting Script automation is the process of leveraging existing scripts with automation software to deliver automation in a managed framework without the need for future custom script development and maintenance. Automated Courses of Actions A scripting system can be assumed as a best friend for all the professionals who believe in effective technical work as it provides an automated course of action to save time. The importance of Scripts and Automation can be seen by the fact that it is specified by the National Institute of Standard and Technology Special publication in the 800-53 series. Continuous Monitoring Continuous monitoring is an essential process in automation. A good continuous monitoring program is adaptable and includes highly reliable, relevant, and effective controls in dealing with potential threats. A continuous monitoring program's goal is to determine whether the entire set of planned, required, and deployed security controls within an information system or inherited by the system remain effective over time in the face of the inevitable changes that occur. Continuous Validation As time changes, the system becomes outdated. We first design and configure the system in a way that it should perform for what it has been designed for, along with the validation of configuration against security standards. For the timely up-gradation of 181 Chapter 02: Architecture and Design configuration, a method called automated testing can be used to resolve issues that may include multiple configuration management. Integration that is Ongoing Continuous Integration (CI) is a development method in which developers integrate code into a shared repository on a regular basis, preferably many times per day. An automated build and automated tests can then be used to validate each integration. Revision control, build automation, and automated testing are a few examples. Continuous Delivery Continuous delivery is a software development method that involves automatically preparing code changes for production deployment. Continuous delivery enables developers to automate testing beyond unit tests, allowing them to validate application updates across multiple dimensions before releasing them to customers. Continuous Deployment Continuous Deployment (CD) is a software release process that employs automated testing to determine whether or not changes to a codebase are correct and stable enough for immediate autonomous deployment to a production environment. Over time, the software release cycle has evolved. Elasticity Increasing the capacity of a system to handle the workload by using additional hardware to scale up space is called an Elasticity. In other words, Elasticity is the capacity to dynamically extend or minimize network resources to respond to autonomous working load adjustments and optimize the use of resources. This can contribute to overall cost savings for services. Scalability Scalability means the addition or removal of the resources in an easy and quick way as per demand. It is important in such a situation where you do not know the actual number of resources that are needed. Auto-scaling is an approach for scalability depending on your requirement by defining the threshold. Version Control Version control tracks changes and can also revert back to see what changes have been made. This version control feature is used in multiple software, as well as in the Operating System, cloud-based files, and wiki software. It is also significant from the standpoint of security because it highlights required changes in terms of time. 182 Chapter 02: Architecture and Design Mind Map Figure 2-17: Mind Map of Automation Concepts Summarize Authentication and Authorization Design Concepts Any technology service with IT applications that control the access of data from illegal users is very important to provide a secure environment. In addition, it is also very critical to find which user access which part of the infrastructure. Both authentication and authorization are two major steps for ensuring network security. Authentication is a way of finding out whether the user exists in the database or not. Once the user is found from the database user ID and password, the next step is to ensure how many services that user has the right to access. Authentication Authentication is a process that uses a database user ID and password to identify a user. For example, if a user wants to use the Yahoo mail service, they cannot just access it easily by opening the Yahoo mail page. The user must have a valid ID and password to log in to the Yahoo mail page, and then they will be able to use its services such as view 183 Chapter 02: Architecture and Design Newsbeat, send an email, etc. In short, Authentication confirms the validity of the user by using its ID and password for the desired application. Authorization After authentication, the authorization procedure is carried out. When the user is authenticated, then the next step is to find which kind of data access is available for the authenticated user. For example, an Azure user is restricted to use limited Azure resources and services such as SQL Database, Virtual Network, or Virtual Machine. If that Azure user tries to use those resources for which he/she is not authorized, Azure will not give access to that resources. Likewise, if a diabetes person visits an online shopping app, the Azure service has the profile of the diabetes person. According to his profile, he is only allowed to purchase sugar-free items. That’s is, a person is authorized to buy only sugar-free items. The process of identity service is clearly shown in the scenario defined in Figure 2-18. Figure 2-18: Process of Identity Management Authentication vs. Authorization Authentication and authorization have very few differences. The summarized table shows the difference between these two entities. Authentication Authorization The first step toward accessing resources A person can be authorized only when its authentication has been done A way to verify the customer or user’s Authorization allows authenticated users identity to access a file, database, mail, etc. Normally, a user can be authenticated Controls user access using a user ID and password 184 Chapter 02: Architecture and Design Factor-based authentication is usually Authorization is the granular part of preferred for security purposes identity services Table 2-03: Authentication vs. Authorization EXAM TIP: Authentication is the process of verification of users using user ID and password. Authorization is the method of providing the rights to authenticated users. Authentication Methods Directory Services Instead of maintaining individual local login accounts, you can use an external authentication directory service (also known as an enterprise directory or authentication login domain) to provide a single sign-on for groups of users. Fills in their user name (typically, the Common-Name attribute, CN). Enters their login information. The RADIUS (Remote Authentication Dial-In User Service) protocol is a widely used authentication technique. TACACS+ (Terminal Access Controller Access Control System Plus) is similar to RADIUS, but it is used on Unix networks. RADIUS uses UDP (User Datagram Protocol), whereas TACACS+ uses TCP (Transmission Control Protocol). Federation Federation is a system that grants access to other users who may not have local login. It means a single token is given to the user who is entrusted or authenticated across various systems, just like in SSO (Single Sign-On). A federated network is created by third parties so that users can log in with separate credentials, for example, Facebook credentials, Twitter credentials, etc. Before establishing a federated network, the third party has to create a trust-based relationship. 185 Chapter 02: Architecture and Design Figure 2-19: Example of Federation Attestation Attestation is an indication that makes something obvious. It means to certify in an official capacity in the case of security, specifically security programs. Attestations and certifications are used by the industry to assess your security defenses. Technologies Time-Based One-Time Password (TOTP) A time-based one-time password is generated by a computer algorithm that uses the current time as a source of uniqueness. A TOTP is a one-time passcode generated by an algorithm that includes the current time of day as one of its authentication factors. Time-based one-time passwords are widely used for two-factor authentication and are gaining popularity among cloud application providers. 186 Chapter 02: Architecture and Design Figure 2-20: TOTP HMAC-Based One-Time Password (HOTP) HOTP is an acronym that stands for Hash-based Message Authentication Code (HMAC). In layman's terms, the HMAC-based One-time Password Algorithm (HOTP) is an event-based OTP with a counter as the moving factor in each code. The moving factor is incremented based on a counter each time the HOTP is requested and validated. The generated code is valid until you actively request another one, at which point the authentication server validates it. When the code is validated and the user gains access, the OTP generator and the server are synced. Yumiko's Yubikey is an example of a HOTP-based OTP generator. 187 Chapter 02: Architecture and Design Figure 2-21: HOTP Short Message Service (SMS) Mobile devices that support SMS texting can be used for authentication using One Time Password (OTP) and Challenge/Response (CR or Y/N). Because it is vulnerable to manin-the-middle attacks, it is a less secure form of strong authentication. SMS OTP sends a one-time password to the user's phone via SMS.  SMS OTP sends a one-time password to the user's phone via SMS. The user is approved after entering the OTP into their login authentication.  SMS Challenge-Response sends a question to the user's phone via SMS, asking if the authorization attempt is approved. If the user replies with "Yes," authentication is complete, and the user is logged in. If the user responds with "No," authentication fails, and the user cannot log in. 188 Chapter 02: Architecture and Design Figure 2-22: SMS Token Key A security token (sometimes called an authentication token) is a small hardware device that allows the owner to access a network service. The device could be in the form of a smart card or embedded in a commonplace object like a key fob. Security tokens add an extra layer of assurance by using two-factor authentication: the user has a Personal Identification Number (PIN) that authorizes them as the owner of that specific device; the device then displays a number that uniquely identifies the user to the service, allowing them to log in. Each user's identification number is changed on a regular basis, usually every five minutes or so. Static Codes Static authentication makes use of a single authenticator (e.g., static password). This type of authentication only protects against attacks where an imposter is unable to obtain the authenticator. Authentication Applications The Application Authentication dialogue allows users to enter their credentials and store them in the application server password cache, so they are not prompted the next time they run an application on that application server. Setting up Application Authentication. Domains in Microsoft Windows. Push Notifications Notification via Push Authentication enables user authentication by sending a push notification directly to a secure application on the user's device, alerting them to an 189 Chapter 02: Architecture and Design authentication attempt. Users can view authentication details and approve or deny access with the click of a button. Phone Call Mobile or phone call authentication is the process of verifying a user's identity using a mobile device and one or more authentication methods for secure access. One-time passwords via phone apps or SMS messages. Smart Card Authentication Smart Card Authentication is a method of authenticating users into enterprise resources such as workstations and applications by utilizing a physical card in conjunction with a smart card reader and software on the workstation. The smart card stores a user's public key credentials as well as a personal identification number, which serves as the secret key for the smart card's authentication. A smart card improves security because it cannot be used to obtain user information (such as a PIN) by tampering with it. Biometrics Biometric authentication is a method of security that uses a person's unique biological characteristics to verify that they are who they say they are. Biometric authentication systems compare physical or behavioral characteristics to data in a database that has been verified and confirmed to be authentic. Numerous biometric factors are used for controlling access, including fingerprint, voice recognition, retinal scanner, facial recognition, and iris scanner. Fingerprint Fingerprint recognition, the most popular biometric to date, can use a variety of approaches to classification based on minutiae, which are reproductions of epidermal friction skin ridges found on the palm side of the fingers and thumbs, the palms, and soles of the feet. We can use them for authentication because of the following fundamental principles:    A fingerprint will not change over the course of a person's life. Fingerprints have general ridge patterns that allow them to be classified systematically. A fingerprint is unique because no two fingers have ever been found to have identical ridge characteristics. 190 Chapter 02: Architecture and Design Figure 2-23: Fingerprint Retina The most secure method of authenticating identity is retina-based identification. By acquiring an internal body image, the retina/choroid of a willing person who must cooperate in a way that would be difficult to counterfeit, retinal identification provides true identification of the person. Iris Parts of the human eye are depicted in the image below. Figure 2-24: Iris 191 Chapter 02: Architecture and Design The iris is the colored tissue that surrounds the pupil of the eye and is made up of intricate patterns with numerous furrows and ridges. Facial The system uses a digital video camera to capture face images, which are then analyzed to determine facial characteristics such as the distance between the eyes, nose, mouth, and jaw edges. Voice Voice verification systems are distinct from voice recognition systems. The process of recognizing what someone says is known as voice recognition, whereas the process of determining who is saying it is known as voice verification. Vein Palm vein authentication is a vein pattern authentication technology that uses the biometric feature of palm veins. Because palm vein patterns exist beneath human skin, copying or stealing someone's palm vein pattern is extremely difficult. This means that forgery is extremely difficult under normal circumstances. Gait Analysis One of the most well-known biometrics for secretly recognizing people is gait recognition-based authentication. It recognizes a person based on a sequence of images received. Gait is a physiological feature of humans. A video camera that captures videos of human subjects walking within its field of view serves as the sensor for a gait-based biometric system. After that, the raw sensor video is processed to extract relevant features that can be used for recognition. Efficacy Rates Even when the data is encrypted, storing biometric data on a device – such as the iPhone's TouchID or Face ID – is thought to be safer than storing it with a service provider. This risk is similar to that of a password database, in which hackers can breach the system and steal data that is not properly secured. False Acceptance or False Accept Rate A false acceptance occurs when an illegal subject is accepted as legitimate. Suppose an organization's biometric control generates a high number of false rejections. In that case, the overall control may have to reduce the system's accuracy by reducing the amount of data it collects when authenticating subjects. When data points are reduced, the organization runs the risk of increasing the False Acceptance Rate (FAR). The organization is vulnerable to an unauthorized user gaining access. This is also referred to as a Type II error. 192 Chapter 02: Architecture and Design The False Rejection or False Reject Rate When an authorized subject is rejected as unauthorized by the biometric system, this is referred to as a false rejection. False rejections are also referred to as Type I errors. False rejections frustrate authorized users, reduce productivity due to poor access conditions, and necessitate the expenditure of resources to revalidate authorized users. Crossover Error Rate The Crossover Error Rate (CER) denotes the point at which the false Reject Rate (FRR) and false accept rate are both equal. CER is also referred to as the Equal Error Rate (EER). The crossover error rate describes a biometric system's overall accuracy. Figure 2-25: CER Exam Tip: A false accept is more dangerous than a false reject. Most organizations would rather reject genuine subjects than accept impostors. Type II errors (FARs) are more harmful than Type I errors (FRRs). Because two is larger than one, you will recall that FAR errors are more serious than FRRs. AAA (Authentication, Authorization, and Accounting) Framework The AAA (Authentication, Authorization, and Accounting) framework is the base of network security. The process of identifying ourselves by providing ID and password when we log into some account goes through this AAA framework. 193 Chapter 02: Architecture and Design Authentication The part of the framework deals with the authentication of any person who claims to be authorized. For that, the person generally provides ID and password and usually other additional authentication data. Authorization Once the identification process is completed, the authorization part will figure out what the person can access or access to the sources. Accounting Accounting keeps the record of the following things:     A person who logs in Login time What data is delivered and received Log out time Multi-Factor Authentication MFA (Multi-Factor Authentication) is a layer-based authentication method that uses multiple forms of authentication. This means that attackers will be unable to get access even if an individual is compromised. MFA is recommended by default. It is a feature of AAD that allows you to authenticate users in several ways. MFA is needed in organizations that have a large number of users, devices, and resources. To avoid any collapse, extra security is required for protection and efficient throughput. How MFA Works? MFA is a method of user authentication that involves several processes. The first step is to use a user ID and password to validate the user. The user's phone will be sent a code for additional verification in the second phase. Biometric verification is the third step. This is an optional step. For example, a user wants to log in to the online booking web app. A large number of people are already accessing that web application due to its efficient throughput and fast response. Using MFA, the simplest way to use the application requires the user to put user ID and password for verification. A user's ID and password have been entered successfully. The second step of MFA verification is to confirm the user’s credentials from the database by sending code on the user's phone. A combination of numbers in the form of code is sent to the user’s phone to confirm the user. When the user gets the code, they are required to put the code in the given area to confirm the validity. Once the code is entered, the authentication of the user is complete. Another way to authenticate the user is Fingerprint verification, but this step is only needed for highly 194 Chapter 02: Architecture and Design advanced security purposes. The following figure shows the layer-based services offered by MFA. Figure 2-26: Multi-Factor Authentication EXAM TIP Multi-Factor Authentication provides the combined version of authentication that results in an advanced level of security and protection. In a AAA authentication mechanism, a user is asked for multi-factor authentication like who you are, what you have, what do you know, what do you do, and etc. These additional items may have a cost combined with them. Something You Are Biometric Authentication: Biometric authentication, like a fingerprint, does not actually keep your real fingerprint. Instead, it keeps a mathematical representation of your biometrics. The mathematical values used for biometric representation are complex to modify because these biometric values are unique. 195 Chapter 02: Architecture and Design Something You Have Smart Card: These cards are inserted into the computer, and usually, these cards are combined with a Personal Identification Number or PIN so that if some unauthorized person may get access to your card, he may have to provide that additional information or PIN. USBToken: Another method of authenticating is the use of a USB Token. When authentication is required, a specific certificate is stored on the USB and used. Hardware and Software Token: This token generates synchronized pseudo-random codes for authentication purposes. Your Phone: Messages or codes are sent to the phone, and then those messages or codes are used for authentication purposes. Something You Know Password: The most common way of authentication is a password. The password is a secret word, code, or character that is known to the only person who created that password. PIN: PIN is abbreviated as Personal Identification Number. These PINs are usually asked us when we use an ATM that is generally a 4-digit code used for authentication. Pattern: A pattern is also a type of authentication. These types of patterns are seen on the mobile phone lock screen nowadays commonly. Figure 2-27: Password and Pattern Authentication Somewhere You Are Your Location: A useful method of authentication that is based on your geographical location. In this type of authentication, when a person logs in to a system, they have to provide the details of where they are, and the process of the transaction only completes if that person is in that particular location. IP Address: Another way to authenticate where the person is, is through an IP address. It does not provide accurate geography but can help to some extent. 196 Chapter 02: Architecture and Design Mobile Device Location: Mobile devices provide accurate geographical location as compared to others through GPS (Global Positioning System). Something You Can Do Handwriting Analysis: Handwriting and signatures are another way to authenticate who the person is. Typing Technique: Typing technique is also used to determine the person because every person has some kind of typing pattern. Identity and Access Services Gaining Access: To gain access to network resources, credentials are needed that are first investigated by the AAA server. For example, consider a client wants to get access to the resources of a network, and he is authenticating through a VPN concentrator. The client first requests the VPN concentrator to get access. This request contains authentication credentials such as username/password. VPN Concentrator authenticates the connection request through the AAA server. If the credentials are matched, AAA approves the authentication. After validating the authentication credentials, the connection is established. Figure 2-28: Access Gaining Process There are many protocols that are used by the AAA server for this authentication process: 197 Chapter 02: Architecture and Design RADIUS (Remote Authentication Dial-in User Service) RADIUS is a popular protocol for authentication. It supports numerous devices or networks other than dial-in networks. The services of RADIUS can be used to centralize for a single authentication for various systems like Routers, Switches, Firewall, etc. The services of RADIUS are almost available for every Operating System. TACACS (Terminal Access Controller Access Control System) It is a remote protocol for authentication that is typically needed to control access to dial-up lines.   XTACACS: It is abbreviated as Extended TACACS. It is created with new features induced by Cisco. It is only for Cisco devices as it is Cisco proprietary and supports accounting and auditing too. TACACS+: It is an authentication protocol developed by Cisco and released as a standard open beginning in 1993. TACACS+ is an entirely new protocol and is not compatible with its predecessors. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol. The properties of RADIUS and TACACS+ are summarized and compared in this table. L4 Protocol TACACS+ RADIUS TCP port 49 UDP ports. 1812/1645 for authentication 1813/1646 for accounting Encryption Encrypts full payload of Encrypts passwords only each packet Observations Proprietary to Cisco, very granular control of authorization, separate implementation of AAA Open Standard, robust, great accounting features, less granular authorization control. Another protocol named DIAMETER may replace RADIUS in the near future with enhanced capabilities Table 2-04: Comparison of RADIUS and TACACS+ Cloud vs. On-Premises Requirements On-Premises: A type of model that uses the same legacy IT infrastructure and runs cloud resources within its own data center. It is also called the private cloud for its ability to provide dedicated resources while maintaining total control and ownership of the environment. 198 Chapter 02: Architecture and Design Cloud: A type of model in which a third party makes computing resources for the public over the internet. Cloud-based applications are fully deployed and run on the cloud. There is no need to set up and maintain your own cloud servers in-house. Mind Map Figure 2-29: Mind Map of Authentication & Authorization Design Concepts Implementation of Cybersecurity Resilience Redundancy In a cyber-system, redundancy means creating multiple resources that perform the same function and can be replaced if the primary system resources fail. Geographic Dispersal As digital transformation and hyper-convergence open unintended doors to risks, vulnerabilities, attacks, and failures, a cyber-resilience strategy becomes increasingly important for your company. A cyber-resilience strategy can assist your company in reducing risks, financial impact, and reputational damage. Disk Redundant Array of Inexpensive Disks (RAID) Levels RAID stands for Redundant Array Independent Disks. It is used to increase the reliability of storage disks. It takes data that is commonly stored on a disk and sends it to many others, keeping the data stored in various places. RAID also increases the speed of data recovery because multiple disks are busy recovering data rather than a single disk. 199 Chapter 02: Architecture and Design The following are some often used terminology in relation to RAID:    Striping: data is spread over several drives. Mirroring: data is replicated across several disks. Parity is also known as a checksum. Parity is a determined value that is used to recreate data mathematically. Various RAID levels are offered to fulfill the requirements of different applications. The following table lists the RAID modes available on several StarTech.com products: RAID Description mod e RAID Striped disks 0 Operation Advantages Disadvantage s Recover y The data is uniformly distributed across two or more disks Largest size and quickest speed No redundancy RAID Mirrored 1 disks The information on two or more drives is the same Data is distributed evenly among two or more disks, as well as a parity drive The data is uniformly distributed among three or more disks. The parity is divided between the disks Four or more drives are striped to Data will not be lost if a single drive fails The slowest and smallest disk limits speed and size For sequential read/write operations, high speeds are required Multiple simultaneous instructions provide poor performance Large size, quick speed, and redundancy are all advantages Parity reduces the entire array size Array failure occurs when one or more drives fail For recovery, only one drive is required A single drive failure will cause the system to rebuild The system will rebuild if a single drive fails RAID-2 is larger and faster than RAID-1, and it There is no parity RAID Set of stripes 3 with special parity RAID Disks with 5 distributed parity that are striped RAID 1+0; Mirrored 10 Subset with Stripes 200 In a mirrored set, only Chapter 02: Architecture and Design create two mirrors JBOD Just a Bunch Of Disks Big Clon e Concatenatio n or spanning RAID 1 + Spare The operating system can access any number of drives independentl y. Data is written to the first drive until it is full, then to the next drive(s) until it or they are full Two drives contain identical data, and one drive is in use for rebuilding in case of a primary array failure has more redundancy than RAID-0 Software RAID Hardware modes are RAID may available outperform software RAID one drive can fail Creates a large and straightforwar d array No N/A When one of the drives in a RAID-1 array fails, the array continues to function normally The spare drive is not accessible to the user N/A redundancy Only one drive is needed for recovery Table 2-05: Available RAID Modes Multipath Device-Mapper Multipathing (DM-Multipath) combines multiple I/O paths between server nodes and storage arrays into a single device. These I/O paths are physical SAN connections that may consist of multiple cables, switches, and controllers. Network Load Balancers Load Balancer takes the load and distributes it among various resources without the user being informed. The load balancer is able to provide fault tolerance and has very fast convergence. 201 Chapter 02: Architecture and Design A load balancer is something that takes the load of traffic and distributes it among multiple resources or servers. This process of distributing load is invisible to the user. A benefit of the load balancer is that it provides fault tolerance. Scheduling It is the scheduling algorithm on the basis of which the load balancer determines how to distribute the traffic load among various internal servers. There are many different scheduling algorithms; some of them are discussed below. Affinity The affinity is the characteristic of a load balancer, which means that for a particular application or user, the load balancer will use the same server. Round Robin Round Robin is the kind of schedule in which every new request is sent over to the next server in a cycle or rotation, and all these requests are forwarded in equal amounts despite server load. The modified Round-Robin scheme involves a weight factor that considers servers load and other principles when forwarding the request to the next server in turn. Active-Passive In an active-passive load balancing scheme, there are two load balancers, one for doing active balancing, and another load balancer passively observes the system and functions when the primary load balancer fails. Active-Active In the active-active type of load balancing scheme, both the load balancer are active means both of them are sharing the duty of load balancing. Network Interface Card Teaming Network Interface Card (NIC) teaming is a common method of grouping physical network adapters in order to improve performance and redundancy. The primary advantages of NIC teaming are load balancing (redistributing traffic across networks) and failover (ensuring network continuity in the event of system hardware failure) without the requirement for multiple physical connections. Power Uninterruptible Power Supply (UPS) The ability to remotely monitor the devices, as well as their uninterruptible power supply, has opened them up to external networks. Naturally, a UPS that lacks a network card or other means of remote access is not directly vulnerable to a cyber-attack. 202 Chapter 02: Architecture and Design Generator The power control system is critical in ensuring that power is available in response to customer demand. An imbalance in supply and demand can cause system frequency instability, jeopardizing the power system's operational security. A central control scheme is commonly used in traditional power systems, with a single control center that collects information from and sends control commands to all agents. However, such a central control architecture is no longer appropriate for today's power systems. Geographically dispersed distributed generators, for example, are increasingly being integrated into the power grid. Because of the requirement for plug and plug operation, these are not suitable for coordination by central control. Central control is also inapplicable in microgrid operations, where distributed generators must supply power in island mode. Distributed control is preferred over central control because of its dependability, scalability, and flexibility. Local controllers in distributed control, on the other hand, have access to both local and neighbor information, making them vulnerable to cyber-attack. By launching FDI attacks, a malicious entity can disrupt data exchange between neighboring local controllers. Managed Power Distribution Units Advanced power distribution units, or PDUs, give system administrators more control options, protect circuitry, and optimize energy allocation. Alarm thresholds aid in risk mitigation by providing real-time warnings of potential circuit overloads. These metering devices include both floor-mounted power distribution units for converting raw power into lower-capacity feeds and smaller devices for distributing power within racks with multiple appliance connections. Some power distribution units have LANnetwork access, allowing administrators to control electrical loads and schedule shutdowns from afar. Power distribution units assist in balancing costs in order to meet energy management targets. Replication Storage Area Network A storage area network (SAN) is a specialized high-speed network or subnetwork that links and presents many servers with shared pools of storage devices. A distinct, dedicated, highly scalable, high-performance network designed to interface a number of servers to an array of storage devices is provided by SAN technology, which fulfills advanced business storage demands. After that, the storage can be arranged and handled as tiers or pools. VM VM is basically a virtual machine. Supported Linux distributions are CentOS, Oracle Linux, RHEL, Debian, OpenSUSE, SUSE LES, and Ubuntu. There are six types of VMs 203 Chapter 02: Architecture and Design with 28 families. There is a set amount of Memory, vCPUs, and Temporary Storage. You can also attach additional data disks to these VMs. Pricing is based on per-minute billing. Reserved VMs are also available for significant discounts like you can get discounts up to 72% on a pay-as-you-go model. Backup Types Backup utilities help you through unexpected disruptions in the system like the system's failure, when it gets infected, and at the time of data loss. At Such crucial times, the backed-up utilities become lifesavers. Having a backup of everything serves as the key factor in the disaster recovery of any organization. Backup can be made to tape, disk, optical drive, etc. For database backup, replication (online duplication) can be used. Full In order to back up files in an OS, there are various strategies that can be followed. One of them is a full backup. Every time the backup process is performed, every single file is copied sequentially in the full backup. Incremental In the incremental backup, those files are copied that have been modified since the last time an incremental backup is performed. Snapshot Using snapshots is common to the backup operating system. A snapshot is a replicate of virtual machines at a definite moment in time. A snapshot is generated by replicating the files that keep the virtual machine. Differential Differential backup only backs up the changes and modifications that are done after the last backup. Tape Tape backup is the practice of copying data from a primary storage device to a tape cartridge on a regular basis so that it can be recovered in the event of a hard disk crash or failure. Tape backups can also be used to restore data to storage devices when necessary. Disk Hard disk storage has grown in popularity as it has become more affordable. Hard disks are typically simple to use, widely available, and easily accessible. On the other hand, hard disk backups are low-tolerance mechanical devices that can be damaged more easily than tapes, particularly during transport. External hard disks can be connected using local interfaces such as SCSI, USB, FireWire, or eSATA, as well as longer-distance 204 Chapter 02: Architecture and Design technologies such as Ethernet, iSCSI, or Fibre Channel. Some disk-based backup systems support data deduplication, whether via Virtual Tape Libraries or otherwise, and can reduce the amount of disk storage capacity consumed by daily and weekly backup data. Network-attached storage Network-Attached Storage (NAS) is a type of dedicated file storage that allows multiple users and diverse client devices to access data from a centralized disk capacity. NAS devices provide infrastructure for centralizing storage and supporting tasks such as archiving and backup and a cloud tier. Cloud Cloud backup, also known as online backup or remote backup, is a method of storing a copy of a physical or virtual file or database in a secondary, off-site location in the event of equipment failure or disaster. A third-party service provider typically hosts the secondary server and data storage systems, charging the backup customer a fee based on storage space or capacity used, data transmission bandwidth, number of users, number of servers, or number of times data is accessed. Image Image Backups are exactly what they sound like: a backup of your entire operating system, including files, executable programs, and OS configurations. Professional backup solutions will automatically create full or incremental images of the hard drive. Online vs. Offline Online backup storage is typically the most accessible type of data storage, with restores starting in milliseconds. An example of an online backup is an internal hard disk or a disk array (possibly connected to a SAN). This type of storage is convenient and quick, but it is vulnerable to being deleted or overwritten, whether by accident, malicious intent, or in the aftermath of a data-deleting virus payload. Off-line storage necessitates some kind of direct action to gain access to the storage media, such as inserting a tape into a tape drive or plugging in a cable. Because the data is inaccessible to any computer except during the brief periods when it is written or read back, it is largely immune to online backup failure modes. Offsite Storage Having an off-site backup is one of the best options. Off-site backup means that all the data is copied and stored on some other site (other than your building). It also mitigates the risk of backup loss. Non-Persistence 205 Chapter 02: Architecture and Design A system is said to be non-persistence when the changes made in it are not permanent. Making the system non-persistence secures it from certain malware as the files, applications, or programs installed in it are not permanent because the changes made in its configuration are not saved. Revert to a Known State The capability of an operating system to snapshot any virtual machine is understood as reverting to a known state. Most of the operating systems have this capability as a builtin program. This option is mainly found in Microsoft office, where the system creates a restore point by default before the update processes. Last Known-Good Configuration The last-known-good configuration to a known configuration can also be defined as getting back to a known state. For example, you can use this option if you make any incorrect configuration to your system and you want to get back to the older state. Live Boot Media A bootable system known as live boot media is concluded to an optical disk or USB, which is specially designed to be bootable from the media. This is used to boot the system from an external operating system. High Availability High availability is the ability of a system to maintain a space for data and operational services regardless of any disrupting events (faults). High availability has the same goal as fault tolerance along with the availability of data and services. Scalability A design that makes a system accommodate more load by using additional hardware or sources is known as scalability. This term is commonly used in server farms and database clusters because these two mostly face scaling issues due to workload. Restoration Order During the process of application recovery, it is required to consider what applications have higher priority because all the applications do not have the same priority. Such as customer-facing applications or the application dealing with the billing process are of higher priority. The priority list of application restoration should be well defined by the management of the corporation. This order of restoration list is changeable, which means the management can change the order based on its priority. Diversity 206 Chapter 02: Architecture and Design Vendors When you have multiple suppliers, it creates vendor diversity and reduces the risk from a particular supplier. Relying on a single vendor increases the risk factor. For example, if you have two firewalls from two different vendors, it reduces risk and adds diversity because you can turn to the other firewall in case something happens to one firewall or if the firewall contains flaws. Controls Control diversity is also important because it provides layered security that helps in generating the desired result. Administrative Control Administrative control is by all means necessary. Administrative control includes all the policies and procedures that are required to be followed by everyone in order to maintain security. Technical Control Technical control is also essential to ensure that the hardware and software we use are hardened or not. Active Directory authentication, firewall, and disk encryption are all parts of technical control. Mind Map Figure 2-30: Mind Map of Cybersecurity Resilience 207 Chapter 02: Architecture and Design The Security Implications of Embedded and Specialized Systems Embedded Systems An embedded system is a system that uses an embedded operating system, and the user does not have any direct access to that operating system, and it is simply accessed through the user interface. One of the impacts associated with this embedded system is that if it is not updated or patched, it can develop hidden vulnerabilities in the system. Raspberry Pi The Raspberry Pi is a low-cost, credit-card-sized computer that connects to a computer monitor or TV and operates with a standard keyboard and mouse. It is a little capable device that allows people of all ages to experiment with computing and learn to program in languages such as Scratch and Python. Field-Programmable Gate Array A Field-Programmable Gate Array (FPGA) is an integrated circuit that a customer or a designer can configure after it has been manufactured – hence the term "fieldprogrammable." FPGAs are useful for prototyping ASICs or processors. The FPGA is reprogrammed until the ASIC or processor design is bug-free, at which point production of the final ASIC can resume. This FPGA method is used by Intel to prototype new ASIC chips. Arduino An embedded system is a combination of hardware and software that must be in sync with one another. The Arduino is an open-source computer hardware/software platform for creating digital devices and interactive objects that can sense and control the physical world around them. Supervisory Control and Data Acquisition (SCADA)/Industrial Control System (ICS) Facilities SCADA abbreviates as “Supervisory Control and Data Acquisition System.” It is a process used to control the system that is automated in a cyber-physical environment like a traffic light, energy networks, water plants, refineries, environmental controls, building automation manufacturing plants, etc. SCADA contains its own smart components, each of which is an example of an embedded system. SCADA is also known by different other names like Industrial Control System (ICS) and Distributed Control System (DCS); these variations depend on the configuration and industry. Internet of Things (IoT) 208 Chapter 02: Architecture and Design The world is rapidly moving towards automation. The need for automated devices where we have control of daily tasks at our fingertips is increasing day by day. As we all know, there is a performance and productivity difference between manual and automated processes, and moving toward the interconnection of things will process even faster. The term "things" refers to machines, appliances, vehicles, sensors, and many other devices. An example of automation through the Internet of Things is a CCTV camera in a building capturing an intrusion and immediately generating an alert on client devices at their remote location. Similarly, we can connect devices over the internet to communicate with other devices. IoT technology requires a unique identity. IP addresses, especially IPv6 addresses, provide each device with a unique identity. Planning and deploying IPv4 and IPv6 over a complex network topology necessitates careful consideration of sophisticated tactics and methodologies. Each network node in IP version 4 is given a 32-bit address for identification; however, in IP version 6, each node is given a 128-bit address for unique identification. IPv6 is an advanced version of IPv4 that can accommodate the emerging popularity of the internet, the increasing number of users and devices, and advancements in networking. Advanced IP addresses are required to be taken into account IP addresses that guarantee efficiency, reliability, and scalability in the overall network model. Figure 2-31: IoT Workflow How does the Internet of Things Work? IoT devices can use IoT gateways to communicate with the internet or communicate with the internet directly. The integration of controlled equipment, a logic controller, 209 Chapter 02: Architecture and Design and advanced programmable electronic circuits make them capable of communicating and being controlled remotely. The architecture of IoT depends on five layers, as follows: 1. 2. 3. 4. 5. Application Layer Middleware Layer Internet Layer Access Gateway Layer Edge Technology Layer Figure 2-32: IoT Architecture      The Application Layer is responsible for delivering data to users. This is a user interface for controlling, managing, and commanding these IoT devices The Middleware Layer is for device and information management The Internet Layer is responsible for endpoint connectivity The Access Gateway Layer is responsible for protocol translation and messaging The Edge Technology Layer covers IoT capable devices IoT Technologies and Protocols Wireless Communication Wired Short Range Medium Range Long Range Bluetooth Low Energy (BLE) Ha-Low Low-Power Wide Area 210 Operating System Communication Ethernet RIOT OS Chapter 02: Architecture and Design Networking (LPWAN) Light-Fidelity (Li-Fi) LTEAdvanced Near Field Communication (NFC) Very Small Aperture Terminal (VSAT) Multimedia over Coax Alliance (MoCA) ARM mbed OS Cellular Power-Line Communication (PLC) Real Sense OS X Radio Frequency Identification (RFID) Ubuntu Core Wi-Fi Integrity RTOS Table 2-06: IoT Technologies and Protocols IoT Communication Models IoT devices can communicate with other devices in several ways. The following are some of the IoT communication models. Device-to-Device Model The Device-to-Device Model is a basic IoT communication model in which two devices communicate with each other without interfering with any other device. Communication between these two devices is established using communication mediums such as a wireless network. An example of a device-to-device communication model can be a mobile phone user and a Wi-Fi printer. The user can connect a Wi-Fi printer using a Wi-Fi connection and send commands to the printer. These devices are independent of the vendor. A vendor’s mobile phone can communicate with the wireless printer of a different manufacturer due to interoperability. Similarly, any home appliance connected with wireless remote control through a medium, such as Wi-Fi, Bluetooth, NFC, or RFID, is an example of the device-to-device communication model. 211 Chapter 02: Architecture and Design Figure 2-33: D2D Communication Model Device-to-Cloud Model The Device-to-Cloud Model is another IoT device communication model in which IoT devices directly communicate with the application server. Consider a real-life scenario in which a residence has several security sensors installed, such as motion detectors, cameras, temperature sensors, and so on. The application server, which can be hosted locally or in the cloud, is directly connected to these sensors. The application server facilitates communication between various devices. Similarly, Device-to-Cloud communication scenarios are found in a manufacturing environment where different sensors communicate with the application server. Application servers process data, perform predictive maintenance, execute required and remediation actions to automate processes, and accelerate production. Figure 2-34: Device to Cloud Communication Model Device-to-Gateway Model The Device-to-Gateway model is similar to the device-to-cloud model. IoT gateway devices collect data from sensors and send it to the remote application server. This 212 Chapter 02: Architecture and Design gateway can provide security and other functionality, such as data or protocol translation. In addition, there is a consolidation point where the data being transmitted can be controlled. Figure 2-35: Device to Gateway Communication Model Back-End Data-Sharing Model The Back-end Data-sharing Model is an advanced model in which devices communicate with the application servers. This scenario is used in a collective partnership between different application providers. The Back-end Data sharing model extends the deviceto-cloud model to a scalable scenario where sensors are accessed and controlled by multiple authorized third parties. Figure 2-36: Back End Data Sharing Model 213 Chapter 02: Architecture and Design The devices that are comprised of the Internet of Things or the Smart devices have taken the world’s market by storm. Anything that contains a microcontroller seems to be connected to the web so that it can be controlled remotely. Wearable Technology: The use of smart devices that are wearable has majorly increased. These wearable technologies include everything from smartwatches to step counters to health monitors and more. As these devices are connected to the person, they can track the person's location. The security concern that arises from the usage of these wearable gadgets is the data/information stored and who can access that data/information. Home Automation: The driving factor behind the IoT movement is Home Automation. Home automation or smart home is a system in which every device is connected to the internet and is controlled through the internet like doorbells, lights, fans, AC, TV, Door Locks, etc. These IoT devices are smart devices, and they know when we are home and when we are not. If someone can gain access to this home automation system, it means they have potentially gained access to the entire house. Figure 2-37: Home Automation Specialized Medical systems Embedded systems are also used for Medical purposes like heart monitors or insulin pumps. The security concern related to these medical devices is that how the kernel is patched in case the vulnerabilities are found because the medical devices are designed and manufactured for a static system that does not require updating and patching. In 214 Chapter 02: Architecture and Design case if the changes are made, then it will force towards a lengthy, time-consuming, expensive requalification process. Therefore, it is recommended by most of the manufacturers not to connect the medical devices to the outside network (isolate the device), which in reality is not possible. Note: In 2017, nearly half a million pacemakers were recalled for a software vulnerability that allows the hacker to gain access to the device and make changes to the performance characteristics of these devices. The good news related to this security issue is that without removing the device, it can be patched, but it requires a doctor's visit to install the new firmware. Vehicles Some current embedded system trends in automobiles include airbags, event data recorders, anti-lock brake systems, cruise control, rain-sensing wipers, emission control, traction control, automatic parking, in-vehicle entertainment, backup collision sensors, navigation systems, and tire-pressure monitors. Aircraft The embedded systems are also inside the Aircraft or Unmanned Ariel Vehicles (UAV). Flight Control System (FCS) and Air Traffic Control (ATC) are two primary control systems of an airplane consisting of different components and embedded systems. Some of the security issues arise when somebody performs Denial of Service (D0S) and creates some interference to disturb the communication. Not only would it damage the aircraft, but it would also be dangerous for the people on the ground. Smart meters A smart meter is an electronic device that records data such as electric energy consumption, voltage levels, current, and power factor. Smart meters transmit data to consumers for a better understanding of their consumption habits and electricity suppliers for system monitoring and customer billing. Voice over IP Voice over IP (VoIP) is a method of converting your voice into a digital signal, compressing it, and transmitting it over the internet. The call is set up between all participants by a VoIP service provider. The digital data is then decompressed into the sound you hear through your handset or speakerphone at the receiving end. Heating, Ventilation, Air Conditioning Heating, Ventilating, and Air Conditioning (HVAC) is an acronym for heating, ventilation, and air conditioning. A complex system designed by the HVAC system expert and installed in large buildings or enterprises. It is not a standalone unit; it is usually integrated with other components within the infrastructure. A centralized PC is 215 Chapter 02: Architecture and Design responsible for managing all these HVAC units that include making heating and cooling decisions for data centers and workspace. HVAC systems are usually not built keeping security in mind, and this leads to difficulty in recovering from the infrastructure’s DOS. Drones/AVs Autonomous flight and position control are provided by a fully functional integrated GPS system. The small-footprint drone can fly into small spaces, hover, capture video images, and transmit real-time data to the user. While drones can be used for a variety of purposes, including recreation, photography, commercial, and military use, their two primary functions are flight and navigation. Drones fly thanks to a power source, such as a battery or fuel, rotors, propellers, and a frame. Multifunction Printer An MFP (Multi-Function Product/Printer/Peripheral), All-in-One (AIO), or MultiFunction Device (MFD) is an office machine that combines the functionality of multiple devices into one, allowing for a smaller footprint in a home or small business setting or centralized document management/distribution/production in a large-office setting. A typical MFP can function as one or more of the following devices: email, fax, photocopier, printer, and scanner. Real-Time Operating System Real-Time Operating System (RTOS) is the system in which the processing must occur in real-time and where the data cannot be queued for significant time-length. The RTOS is designed for such types of system RTOS is designed and programmed for a specific purpose. The scheduling algorithm in RTOS deals with the time collision. However, RTOS generally processes each input as received or within a specific time, defined as ‘response time.’ Mostly, the multi-tasking system lacks real-time processing. Therefore, the RTOS, instead of handling multiple tasks, emphasizes the thread in processing. Surveillance Systems Embedded system security is a proactive approach to safeguarding software running on embedded systems from attack. An embedded system is a hardware component that can be programmed and has a minimal operating system and software. Embedded systems are created to carry out specific functions or functions. Surveillance systems are an important part of keeping your home or business safe. Wireless home security cameras to sophisticated alarm systems that alert law enforcement at the first sign of trouble is examples of these systems. System on Chip 216 Chapter 02: Architecture and Design System on a Chip, or SoC, is one of the most popular embedded systems these days. Multiple activities take place on a single piece of a silicon chip. That is, multiple components run on a single chip. The whole process mainly relies on the chip, including the functioning of peripheral devices. For Example: In Raspberry Pi 2, the Broadcom chip is the SoC, then this chip is an interface that gets you to the network USB interfaces or HDMI video interface. Low power consumption and efficient designs are why SOCs are very common in the markets. As far as the implication of security on the SOC-based system is concerned, all the security issues are handled by the system and not by the specifics of SOC aspects. Communication Considerations 5G 5G refers to the fifth generation of mobile networks. After 1G, 2G, 3G, and 4G networks, it is a new global wireless standard. 5G enables a new type of network capable of connecting virtually everyone and everything, including machines, objects, and devices. Narrow-Band Narrowband data communication and telecommunications tools, technologies, and services use a smaller set or band of frequencies in the communication channel. These use a channel frequency that is considered flat or a smaller number of frequency sets. Baseband Radio A twisted-pair subscriber loop that transmits voltage pulses between the serving central office or access node and the user is known as a baseband digital loop. The pulses are shaped for optimal transmission on twisted pairs and represent the values of bits or groups of bits. Subscriber Identity Module (SIM) Cards SIMs (Subscriber Identity Modules) can be valuable evidence in and of themselves. They contain a large amount of data and should be collected and analyzed. There are a couple of numbers on the SIM that will be of particular interest. The International Mobile Subscriber Identity (IMSI) is the first (IMSI). The Integrated Circuit Card Identifier is the second (ICC-ID). The IMSI identifies a subscriber's account information and services. The ICC-ID is the serial number found on the SIM card. The SIM can include the following information:     Subscriber identification (IMSI) Service provider Card identity (ICC-ID) Language preferences 217 Chapter 02: Architecture and Design      Phone location when powered off User’s stored phone numbers Numbers dialed by the user SMS text messages (potentially) Deleted SMS text messages (potentially) A processor (CPU), RAM, Flash-based nonvolatile memory, and a crypto-chip are SIM cards' individual components. They are present in all phones but are more common in GSM, iDEN, and Blackberry handsets. Zigbee Zigbee is a wireless mesh network standard for low-cost, low-power devices in wireless control and monitoring applications. Low-latency communication is provided by Zigbee. Zigbee chips are frequently combined with radios and microcontrollers. A radio transceiver is used by Zigbee smart devices to communicate with one another. The chip operates on the IEEE 802.15. 4 protocol at 2.4 GHz, which is the same frequency band as Wi-Fi and Bluetooth. A Zigbee message can also be copied and forwarded from one device to the next. Mind Map Figure 2-38: Mind Map of Security Implications of Embedded Systems The Importance of Physical Security Controls When it comes to safeguarding anything, physical security is always the first priority. It is also regarded as the first layer of protection in the field of information security. 218 Chapter 02: Architecture and Design Physical security encompasses safeguarding against man-made threats like theft, damage, and unwanted physical access, as well as natural disasters like rain, dust, power outages, and fire. Figure 2-39: Physical Security Measures Physical security is essential to prevent stealing, tampering, damage, theft, and a variety of other physical attacks. Fences, guards, CCTV cameras, intruder monitoring systems, burglar alarms, and deadlocks are used to secure the premises and assets. Authorized individuals should only access important files and papers. These files should not be left at an unsecured location, even within an organization. Functional areas must be separated and biometrically protected. Continuous or frequent monitoring such as monitoring wiretapping, computer equipment, HVAC, and firefighting systems should also be done. Bollards/Barricades A bollard is a short post that is used to direct traffic and protect against vehicle intrusions. Bollards can be designed and installed to withstand significant vehicle impacts, but they can also be used as decorative or aesthetically pleasing barriers. Many bollards serve as decorative elements in the design of buildings and landscapes. Mantraps The implementation of a mantrap is an approach to oppose tailgating. A mantrap contains two doors closely spaced together. Opening and closing of these doors are set up in a way that only one door is open at a time. These doors are usually secure with card/pin authentication. It eliminates the risk of tailgating and piggybacking. 219 Chapter 02: Architecture and Design Badges These security badges are intended to identify, validate, and implement the appropriate security measures and features that govern how a company monitors, controls, restricts, and protects its resources. At the very least, the security badge will include an individual's photo and identification number. Alarms The function of an alarm is to alert the operator about any abnormal condition or activity. If a company has too many alarm conditions, then the operator will not react to the condition as desired. Tuning an alarm will provide accurate, useful, and desired information. Signage Physical security entails the use of multiple layers of interconnected systems, such as CCTV surveillance, security guards, protective barriers, locks, access control, perimeter intrusion detection, deterrent systems, fire protection, and other systems designed to protect people and property. Cameras Motion Recognition For several years, physical security professionals have been drawn to the concept of video motion detection. Significant advancements in image processing dedicated hardware, image analysis algorithms, and software have accelerated the successful application of video motion detection systems to a wide range of physical security applications. Potential benefits claimed included increased benefits from existing video surveillance systems, automatic detection, improved performance over human observers, and cost-effectiveness. Object Detection Any security camera with Deep Learning Vision can detect any object you can think of. The ability of artificial intelligence-powered security cameras to detect fast-moving objects such as cars is one of their strengths. Closed-Circuit Television (CCTV) CCTV serves as a visual deterrent to unauthorized entry, theft, and violence. It can be used to cover the Site access points, such as internal access to higher security zones and perimeter access to specific physical assets or work areas. The advantages of CCTV may include the ability to:  Keep an eye on event-triggered alarms 220 Chapter 02: Architecture and Design   Use it in conjunction with a Security Alarm System (SAS) to assist those responsible for responding to the alarm Use it in conjunction with an access control system to aid personal identification for remote site entry control (suspicious package detection) A CCTV system, on the other hand, can be an expensive investment. Ongoing monitoring, maintenance, and support costs may be prohibitively expensive. Industrial Camouflage Camouflage is also known as Obfuscation, means “to hide the obvious meaning of observation.” Camouflage is added to the system so that it becomes hard to be exploited and understood by any attacker. The Camouflage works well for data names or other such exposed elements, but it does not work well for code construction. Camouflage code is not just hard to read but nearly impossible to read, and an example of such code is the ticking time bomb. The basic question that arises is that how it functions if someone needs the code to figure out how it works or in case if any modification is needed if it stops working. These are some of the reasons which are not considered good for the construction of code. Figure 2-40: Code Camouflage Example Personnel Guards Access control is the selective restriction of access to a location or other resource in the fields of physical security and information security. Individuals, computer programs, and even the computers that process the data must all be authorized. Robot Sentries Surveillance literally means "to watch from above," and surveillance robots are used to monitor people's behavior, activities, and other changing information for the purpose of managing, directing, or protecting one's assets or position. 221 Chapter 02: Architecture and Design Two-Person Integrity/Control The two-man rule is pretty straightforward when it comes to the data center and information security. It refers to a situation in which two people must work together to complete a task. The term is said to have military origins, referring to a process instituted by the United States government decades ago for nuclear weapon launch: two different people had two different keys, and each had to use their key at the same time to initiate any kind of action. Locks Unauthorized access to information and physical assets can be deterred or delayed by locks. On the other hand, Locks are only as strong as the fittings and hardware that surround them. When choosing locks, consider the level of protection you require from doors and frames. USB Data Blocker USB blocking is a data loss prevention technique that aids in data security. Untrusted devices can be blocked from using USB ports using this method. Companies can use a USB blocker or USB lockdown software to prevent unauthorized portable storage devices from accessing endpoints. More information on USB security can be found. Lighting Proper lighting is an important aspect of physical security. Intruders can easily execute illicit operations in dimly lit or unlit areas without risk of being recognized or monitored. Internal and external lights are both necessary to detect any unwanted activity and for additional security reasons. Fencing Fencing is referred to as a physical barrier around any secure area. It basically prevents the free movement of unauthorized visitors around secure areas. Multiple types of the fence like a perimeter fence, chain link fence, the Anti-scale fence is used outside of the building. A chain-link fence can also be used inside of the building to prevent networking gear, servers, & sensitive items from unauthorized access. Fire Suppression Fire suppression systems devices can detect fire, respond accordingly. They can be portable, manual, or automatic. Sensors The critical spots in a network contain sensors. These sensors gather information from the network devices. These may be integrated into the router, firewall, and switches, etc. or might be built-in within the network. 222 Chapter 02: Architecture and Design The information that the sensor gathers varies from system to system. For instance, authentication logs information is going to be different from database transaction logs or web server access logs, etc. Motion Detection The most common type of active motion detector employs ultrasonic sensor technology, in which sound waves are emitted to detect the presence of objects. Microwave sensors (which emit microwave radiation) and tomographic sensors are also available (which transmit and receive radio waves). Noise Detection When sound waves strike the sound sensor, a thin piece of material called a diaphragm vibrates (similar to how your eardrum vibrates when hearing sound). The sensor converts the diaphragm's vibration into an electrical signal sent to the LEGO brick, which recognizes that a sound has been heard. Noise sensors do not record audio. They monitor changes in your home's noise level. Visitor Logs A visitor logbook is a useful tool for keeping track of who comes and goes from your office. It is a record book that keeps track of the visitors on site, their identity, the company they represent, who they came to see, the reason for their visit, contact information, time in and time out. Faraday Cages A faraday cage serves as a protective shield against electromagnetic radiation from the outside world or prevents electromagnetic energy radiated by the cage's internal components from escaping. Air Gap The logical or physical separation of a network from all other networks is called Air gap, designed to prevent unauthorized transfer of data to or from the network. However, the flaw behind this air gap logic is that the data can be moved by other means like a USB drive, and this unauthorized bypassing of the air gap is called “Sneakernet.” The Demilitarized Zone (DMZ) An IOS zone-based firewall is a specific set of rules that may help to mitigate mid-level security attacks in environments where security is implemented via routers. In Zonebased Firewalls (ZBF), device interfaces are placed in different unique zones (inside, outside, or DMZ), and then policies are applied to these zones. Naming conventions for zones must be easy to understand in order to be helpful when it comes to troubleshooting. 223 Chapter 02: Architecture and Design ZBFs also use stateful filtering, which means that if the rule is defined to permit originating traffic from one zone to another zone, for example, DMZ, then return traffic is automatically allowed. Policies that allow traffic in both directions can be used to enable traffic from separate zones. One of the advantages of applying policies on zones rather than interfaces is that whenever new changes are required at the interface level, policies are applied automatically simply by removing or adding to an interface in a particular zone. ZBF may use the following set of features in its implementation: ● ● ● ● ● Stateful Inspection Packet Filtering URL Filtering Transparent Firewall Virtual Routing Forwarding (VRF) The following Figure illustrates the scenario explained above: Figure 2-41: Cisco IOS Zone-based Firewall Scenario Protected Cable Distribution The Protected Distribution or Protected Cabling is needed to protect the cable from physical damage and avoid communication failure during cable installation. It safeguards the cable between systems physically from physical hazards like tapping & interception. Secure Areas 224 Chapter 02: Architecture and Design Vault1 A vault provides essential security and maybe your last line of defense against attacks or unforeseen disasters such as floods, fires, and earthquakes. There is no such thing as a typical vault. Vaults are created to meet the specific needs of the business owner. Let suppose a bank vault is safe to keep money, valuables, records, and documents. Like a safe, it is intended to protect its contents from theft, unauthorized use, fire, natural disasters, and other threats. Modern vaults can be outfitted with a variety of alarms and anti-theft devices. Safe Safes are physical storage devices that prevent unauthorized access to the content it contains. Safes are of various shapes, sizes, and costs. They are not considered perfect. They are rated on the basis of how long they can protect or secure content from fire or theft, and the cost of the safe is directly proportional to the rating, i.e., better ratinghigh cost. Hot Aisle The hot aisle is enclosed by a Hot Aisle Containment System (HACS), allowing the rest of the data center to function as a large cold-air supply into the servers and floor power equipment. It is best if we take a step back and take a moment to better understand what you have got in place and to go over your needs. Between the two, we see that hot aisle containment is the most popular choice for raised floor Datacenters in new build situations. In short, hot aisle containment consists of a physical barrier that directs hot exhaust airflow back to the AC return and utilizes the natural process of ‘warm air rising' to improve efficiency. By adjusting temperature, the higher the heat returned to the AC coils, the greater the efficiency. Figure 2-42: Hot Aisle 225 Chapter 02: Architecture and Design Cold Aisle A physical barrier that allows supply air to pool inside the cold aisle is one type of containment. The cold air in the aisle is encased by a Cold Aisle Containment System (CACS), allowing the rest of the data center to become a large hot-air return plenum. This "lid" maintains a consistent and predictable air temperature at the server inlet. Figure 2-43: Cold Aisle Exam Tip: It should be noted that if the data center is cold aisle contained, any 3-phase UPSs and floor PDUs must be considered for room cooling. Secure Data Destruction It is important to destroy the data that is no longer in use because that data or information can be discovered and used by criminals in malicious activities like identity theft, social engineering, etc. Criminals use dumpster diving for this purpose because its value is well known to criminals. For every organization, it is vital to have effective demolition and destruction policies and associated procedures. The following are some methods of data destruction. Burning A method of destruction, which is regarded as a gold method, is referred to as Burning. The data/media is carried out in a form that the fire can demolish, and then it is burned. This is the process that is irreversible and makes the data be lost permanently. 226 Chapter 02: Architecture and Design Shredding Shredding, also referred to as physical destruction, is the method of splitting things into small chunks and then mixing, making the reassembling impossible or difficult. Everything that might be advantageous or useful to a criminal or dumpster diver should be shredded. Pulping A process of recombining a paper into a new paper by suspending the paper fiber in liquid. Once the paper is shredded, the pulping process erases the ink by bleaching, and then those shredded pieces are recombined into new paper. This way, the layout of the old paper is completely destroyed. Pulverizing Breaking things by external force into unusable pieces (that cannot be reconstructed) is known as Pulverizing, also referred to as ‘Physical Process of Destruction.’ It is used for hard disk drives like items. Encryption is the modern approach to pulverizing. In this method, the owner encrypts the drive’s data and destroys the key. This process makes the data non-recoverable depending on the strength of encryption. Degaussing The files on a magnetic storage device can be destroyed magnetically, i.e., using a magnetic field; this method is known as degaussing. This is a safe technique for degaussing the data or media. In this method, the magnetic particles get realigned by discarding the organized format that displayed the data. Third-Party Solutions Third-party solutions are also known as Service-based Solutions that offer security and auditing services to a network. These solutions can be hosted either inside or outside the network. These third-party solutions are allowed to access and monitor the internal network, so they carry a security risk. Mind Map 227 Chapter 02: Architecture and Design Figure 2-44: Mind Map of Importance of Physical Security Control The Basics of Cryptographic Concepts Cryptography Cryptography is a technique of encrypting clear text data into scrambled code. The encrypted data is then sent over a public or private network toward its destination to ensure confidentiality. At the destination, the encrypted data, known as "Ciphertext," is decoded and processed. To prevent key breaking, strong encryption keys are utilized. Cryptography's goal is to provide not only confidentiality but also integrity, authenticity, and non-repudiation. Types of Cryptography Symmetric Cryptography Symmetric Key Cryptography is the oldest and most widely used cryptography technique in the domain of cryptography. Symmetric ciphers use the same secret key for the encryption and decryption of data. The most widely used symmetric ciphers are AES and DES. 228 Chapter 02: Architecture and Design Figure 2-45: Symmetric Cryptography Asymmetric Cryptography/Public Key Cryptography Unlike Symmetric Ciphers, in Asymmetric Cryptography, two keys are used. Everyone publicly knows one key, while the other key is kept secret and is used to encrypt data by the sender; hence, it is also called Public Key Cryptography. Each sender uses its secret key (also known as a Private Key) for encrypting its data before sending it. The receiver uses the respective sender’s public key to decrypt the data. RSA, DSA, and the Diffie-Hellman Algorithm are popular examples of asymmetric ciphers. Asymmetric key cryptography delivers confidentiality, integrity, authenticity, and non-repudiation using public and private key concepts. The private key is only known by the owner itself, whereas the public key is issued by Public Key Infrastructure (PKI), where a trusted Certificate Authority (CA) certifies the ownership of key pairs. Figure 2-46: Asymmetric Cryptography Digital Signatures 229 Chapter 02: Architecture and Design A Digital Signature is a technique to evaluate the authenticity of digital documents as the signature authenticates the authenticity of a document. A digital signature confirms the author of the document, date, and time of signing and authenticates the content of the message. There are two categories of digital signature: 1. Direct Digital Signature 2. Arbitrated Digital Signature Direct Digital Signature Direct Digital Signatures involve only the sender and receiver of a message, assuming that the receiver has the sender's public key. The sender may sign the entire message or hash it with the private key and send it toward the destination. The receiver decrypts it using the public key. Arbitrated Digital Signature The job of the "Trusted Arbiter" in Arbitrated Digital Signatures is to validate the signed messages, insert the date, and then send the message to the recipient. It necessitates a sufficient amount of confidence and can be implemented using public or private keys. Key Length The length of a key is equal to the number of bits in the key of an encryption algorithm. A short key length indicates a lack of security. The key length determines the maximum number of combinations required to break an encryption algorithm. There are two to the nth power (2n) possible keys if a key is n bits long. Key Stretching Key stretching techniques are used to make a potentially weak key, usually a password or passphrase, more secure against brute-force attacks by increasing the resources (time and possibly space) required to test each possible key. Key stretching can be done in a variety of ways. Bcrypt and Password-Based Key Derivation Function 2 (PBKDF2) are two common key stretching techniques: Bcrypt, which is based on the Blowfish block cipher, is used to protect passwords stored in the shadow password file on many Unix and Linux distributions. Salting Salting is the process of adding additional characters to the password to create a oneway function. This addition of characters makes it more difficult for the password to reverse the hash. A major advantage or primary function of password salting is that it helps to defeat dictionary and pre-computed attacks. 230 Chapter 02: Architecture and Design Consider the following example: one of the hashed values is of the password without salting, while another hashed value is of the same password with salting. Without Salting: With Salting: 23d42f5f3f66498b2c8ff4c20b8c5ac826e47 146 87dd36bc4056720bd4c94e9e2bd 165c299446287 Adding a lot of random characters in a password makes it more complex and hard to reverse. Hashing One-way Hashing condenses a message into an irreversible fixed-length value or hash. A cryptographic hash function takes the Plain text as an input and returns a fixed-size string. This string is called a hash value, message digest, digital fingerprint, digest, or checksum. Hash Algorithm The Hash Algorithm has various names for one-way encryption, message digest, and hash function. It is used to compute a fixed-length hash value based on the original plain text. Using hash value, the original cannot be changed even with the knowledge of hash function. A hash value is a unique number that is created from a sequence of text using a mathematical formula. It is usually faster than encryption techniques. The main purpose of the hash algorithm is to provide a digital fingerprint to any type of data in order to assure that information has not been changed during the transmission and provide a measure of information integrity. The hash algorithm is typically used for two purposes:   Digital certificate Data integrity check Some of the hash algorithms that are commonly used are as follows: Message Digest (MD)    MD2 MD4 Md5 Secure Hash Algorithm (SHA)  SHA1 Message Digest (MD): MD Algorithm is a sequence of byte-oriented cryptographic hash functions that generates 128 bits (fixed length) hash value from a random length input. 231 Chapter 02: Architecture and Design Message Digest 2 (MD2): It was developed in 1989 by Ronald Rivest. It was produced and enhanced for an 8-bit system having insufficient memory, for example, Smart Card. The message is augmented initially to assure that its length is divisible by 16, and then a 16-byte checksum is affixed to the message. The rising value is proceeded to figure out a hash value. Message Digest 4 (MD4): Ronald Rivest also developed in 1989 for a 32-bit system or machine. It was identical to MD2 but specially designed for faster processing in programs. In MD4, the message is first augmented to assure that its length in bits plus 64 is divisible by 512, and then 64 bit of the original message length is linked in series to the message. Message Digest 5 (MD5): It was developed in 1991 by Ronald Rivest as an improved version of the MD4 algorithm and was specially designed to overcome the weaknesses in the MD4 algorithm and ensure stronger security. MD5 is continuous to survive in spite of several weaknesses, but algorithmically it is not highly secure due to analytical attacks and possible collision that can be found in less than 1 hour. Secure Hash Algorithm (SHA): SHA is a type of Hash algorithm that produces 160-bit output. It was developed by National Security Agency (NSA) and declared as U.S govt. Standard. SHA is more secure than MD5, but its processing is slower than MD5. This algorithm, also known as SHA0, was published in 1993, and after two years, SHA1 was introduced. Secure Hash Algorithm 1 (SHA1): Most generally used algorithm that gives 160-bit hash value as an output. It is recognized to be the replacement to the MD5 algorithm and employed broadly in multiple applications and protocols such as TLS, SSL, PGP, SSH, S/MIME, and IPsec. Four modifications SHA224, SHA256, SHA384, and SHA512, which are jointly called SHA2, have now been introduced. These modifications are illustrated in RFC4634 and can produce 224, 256, 384, or 512-bit length hash values. The cryptographer has noted attacks on both SHA1 and SHA0. However, no attacks have been noted on SHA 2 yet. Key Exchange Key exchange (also known as the key establishment) is a cryptographic method in which cryptographic keys are exchanged between two parties to allow the use of a cryptographic algorithm. Diffie Hellman (DH) is the algorithm that was introduced by Stanford University professor Martin Hellman and a graduate student Whitfield Diffie in 1976. DH protocol, also known as key exchange protocol, is a public key distributing system that uses the Asymmetric Key Cryptography method. DH permits two end-users that have no previous knowledge of each other to create a shared key over an insecure communication channel, and that secret key can be used to encrypt subsequent 232 Chapter 02: Architecture and Design messages using a symmetric key algorithm. DH algorithm is only used for secret key exchange and not for digital signatures and authentication. Figure 2-47: Key Exchange Elliptic-Curve Cryptography Elliptic Curve Cryptography (ECC) is a key-based data encryption technique. For decryption and encryption of web traffic, ECC relies on pairs of public and private keys. ECC is frequently mentioned in conjunction with the Rivest–Shamir–Adleman (RSA) cryptographic algorithm. Elliptic curves can be used for encryption, digital signatures, pseudo-random number generators, and other purposes. They are also used in several integer factorization algorithms with cryptographic applications, such as Lenstra elliptic curve factorization. 233 Chapter 02: Architecture and Design Perfect Forward Secrecy Forward Secrecy (FS), also known as Perfect Forward Secrecy (PFS), is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets are used in the session key exchange are compromised. Quantum Quantum cryptography is a technology that secures the distribution of symmetric encryption keys by utilizing quantum physics. It is more accurately known as quantum key distribution (QKD). It works by sending photons, which are light's "quantum particles," across an optical link. Communications Quantum communication is an application of quantum physics closely related to quantum information processing and teleportation. Its most intriguing application is the use of quantum cryptography to protect information channels from eavesdropping. Post-Quantum The goal of post-quantum cryptography is to prepare for the era of quantum computing by updating existing mathematical-based algorithms and standards. Terms to be aware of: Post-quantum cryptography refers to algorithms that are thought to be capable of defending against a quantum computer attack. Ephemera Ephemeral keys are just short-lived keys within a key establishment protocol and not a specific type of key. They are usually not directly trusted because they are generated on the fly. To name a single other application, ECIES may employ an ephemeral private key. Blockchain Asymmetric-key algorithms and hash functions are the two types of cryptographic algorithms used in blockchains. Hash functions are used to provide each participant with the functionality of a single view of the blockchain. As a hash function, blockchains typically employ the SHA-256 hashing algorithm. The blockchain benefits from cryptographic hash functions in the following ways:    The avalanche effect occurs when a small change in the data results in a significantly different output. Uniqueness – Each input produces a distinct output. Deterministic – If any input is passed through the hash function, the output will always be the same. 234 Chapter 02: Architecture and Design   Rapidity – The output can be generated in a very short period of time. Reverse engineering is not possible, which means we cannot generate the input from the output and the hash function. Public Ledgers Blockchain is a type of public ledger that consists of a series (or chain) of blocks on which transaction details are recorded after appropriate authentication and verification by network participants. Cipher Suites A cipher suite is a collection of algorithms that aid in the security of a network connection. To exchange a key between two devices, the key exchange algorithm is used. This key is used to encrypt and decrypt messages between two machines. To encrypt the data being sent, the bulk encryption algorithm is used. Stream A stream cipher encrypts plaintext messages by combining an encryption algorithm with a stream of pseudorandom cipher digits (keystream). Each bit of the message is encrypted with the corresponding keystream digit one by one. Stream ciphers are typically used when both speed and simplicity are required. Block A block cipher uses a deterministic algorithm and asymmetric key to encrypt data in blocks. Most encryption methods, like stream ciphers, encrypt bits one by one (stream ciphers). Block ciphers, on the other hand, use a predetermined length key to encrypt 128-bit blocks. Symmetric vs. Asymmetric Symmetric Key Cryptography Symmetric Key Cryptography is the oldest and most widely used cryptography technique in the domain of cryptography. Symmetric ciphers use the same secret key for the encryption and decryption of data. It is also known as a secret key or pre-shared key algorithm. Example: A block cipher takes a 128-bit block of plain text and returns a corresponding 128-bit block of ciphertext. Symmetric Key Cryptography Algorithm: Following are some Symmetric Key Cryptographic Algorithm: Data Encryption Algorithm (DES): Most common symmetric algorithm designed by IBM in the 1970s. DES uses a 56-bit key to encrypt a 64-bit datagram block. It is no longer considered secure due to the reason that its keys’ size is too small. 235 Chapter 02: Architecture and Design Triple-DES (3DES): It is an enhanced version of DES. It uses up to three 56 bit keys and makes three encryption and decryption passes over the same datagram block. It is mainly derived to enlarge the key length to 168 bits (Three 56-bit keys). In short, it encrypts a 64-bit datagram block using three 56-bit keys (168-bit key). Advanced encryption standard (AES): It is also known as ‘Rijndael’ and was introduced by NIST in 2001. The most important feature of the AES algorithm is that it can use variable block length and key length. Any combination of key lengths 128, 192, 256 bits and block length 128, 192, 256 bits can be used. Asymmetric Key Cryptography Unlike Symmetric Ciphers, two keys are used. One key is publicly known to everyone, while another key is kept secret and is used to encrypt the data by the sender. Hence, it is also called Public Key Cryptography. Each sender uses its secret key (also known as a private key) for encrypting its data before sending it. The receiver uses the respective public key of the sender to decrypt the data. RSA, DSA, and Diffie-Hellman Algorithm are popular examples of asymmetric ciphers. Asymmetric Key Cryptography delivers Confidentiality, Integrity, Authenticity & Non-Repudiation by using the Public and Private key concepts. The private key is only known by the owner itself. In contrast, the Public key is issued by using Public Key Infrastructure (PKI), where a trusted Certification Authority (CA) certifies the ownership of key pairs. Asymmetric Key Cryptography is also known as a Public-key algorithm and was announced publically in 1976. It uses a two-key pair; one key is for the encryption of plain text, and the other is for the decryption of ciphertext. Contrary to the symmetric algorithm, the asymmetric algorithm requires no secret key sharing to securely communicate over an insecure channel. It is commonly used in digital certification and key management. Asymmetric Key Cryptography Algorithm Some asymmetric key algorithms are as follows: RSA Algorithm: RSA is named after the initials of three MIT mathematicians Ron Rivest, Adi Shamir, and Leonard Adleman, who developed this algorithm and was publically described in 1976. As it is an asymmetric algorithm, which means it uses two keys that are public and private. The public key is given to everyone, while the private key is kept secret. Example: A user sends its public key to the server and requests for some data. The server will encrypt the data using the user’s public key and send the encrypted data to the user. The user will receive the data and decrypt it. It is the most widely used algorithm for key exchange, digital signature, and message encryption. There are various standards of the RSA algorithm, and all of them use 236 Chapter 02: Architecture and Design variable-size block lengths and key lengths. The standards are RC1, RC2, RC3, RC4, RC5, and RC6. Diffie Hellman (DH): This algorithm was introduced by Stanford University professor Martin Hellman and a graduate student Whitfield Diffie in 1976. DH protocol, also known as key exchange protocol, is a public key distributing system that uses the Asymmetric Key Cryptography method. DH permits two end-users that have no previous knowledge of each other to create a shared key over an insecure communication channel, and that secret key can be used to encrypt subsequent messages using a symmetric key algorithm. DH algorithm is only used for secret key exchange and not for digital signatures and authentication. Digital Signature Algorithm (DSA): Digital Signature Algorithm was introduced by National Institute for Standards and Technology (NIST) in 1991 for (Digital Signature Standard) DSS use, and it is also a Federal Information Processing Standards (FIPS) standard for digital signature. It is mainly used for a digital signature to assure message authentication. Public-Key Cryptography Standard (PKCS): It is a collection of interoperable publickey cryptography standards and guidelines. It was developed and published by RSA Data Security Inc. PKCS Standards: Name Description PKCS #1 RSA Cryptography Standard Description of RSA Public and Private key’s properties and format PKCS #2 Withdrawn Withdrawn and merged into PKCS #1. Covered RSA Encryption of message digests PKCS #3 Diffie-Hellman Allows two end-users with no previous knowledge of Key Agreement each other to create a shared secret key over an Standard insecure communication path PKCS #4 Withdrawn Withdrawn and merged into PKCS #1. Covered RSA key syntax PKCS #5 Password-based Encryption Standard Defined in RFC 8018 and PBKDF2 237 Chapter 02: Architecture and Design PKCS #6 Extended Describes extensions to the old X.509 v1 certificate Certificate Syntax specification, obsolete by X.509 v3 Standard PKCS #7 Cryptographic Used to sign or encrypt messages under a PKI and also Message Syntax used for certificate dissemination Standard PKCS #8 Private-key Information Syntax Standard It is used to carry private certificate key pairs, both encrypted and unencrypted PKCS #9 Selected Attribute Type It describes the selected attribute type for use in PKCS#6 (extended certificates), PKCS#7 (digitally signed messages), PKCS#8 (private key information), and PKCS #10 (certificate signing request) PKCS #10 Certification Defines the pattern of messages sent to a Certification Request Standard Authority to demand certification of a public key PKCS #11 Cryptographic Token Interface PKCS #12 Personal Defines a file format typically used to keep private keys Information with leading public-key certificates, protected with a Exchange Syntax password-based symmetric key Standard PKCS #13 Elliptic Curve Apparently abandoned Cryptography Standard PKCS #14 Pseudo-random Number Generation A Pseudorandom Number Generator (PRNG) is an algorithm that generates a sequence of numbers that are not truly random PKCS #15 Cryptographic Token Information Format Standard It defines a standard allowing users of cryptographic tokens to identify themselves to applications, independent of the application’s cryptoki implementation (PKCS #11) or another API An API is defining a generic interface to cryptographic tokens. Used in Single Sign-on, Public Key Cryptography & Disk encryption Table 2-07: PKCS Standards Note: A cryptographic key is called ephemeral if it is generated for each execution of a key establishment process. In some cases, ephemeral keys are used more than once 238 Chapter 02: Architecture and Design within a single session (e.g., in broadcast applications) where the sender generates only one ephemeral key pair per message and the private key is combined separately with each recipient's public key. Lightweight Cryptography Lightweight cryptography is an encryption type with a small computational footprint and/or a low computational complexity. Its goal is to broaden the applications of cryptography to constrained devices, and it is currently undergoing international standardization and guidelines compilation. Steganography Steganography is a technique for hiding sensitive information in an ordinary message to ensure confidentiality. A legitimate receiver extracts hidden information at the destination. To maintain confidentiality and integrity, steganography employs encryption. It also conceals encrypted data to avoid detection. The purpose of steganography is to conceal information from a third party. An attacker may use this technique to conceal information such as source codes, plans, and any other sensitive information in order to transfer it undetected. Classification of Steganography Technical and Linguistic Steganography are the two types of steganography. Technical Steganography is the concealment of information using methods such as invisible ink, microdots, and others. Figure 2-48: Classification of Steganography 239 Chapter 02: Architecture and Design Types of Steganography Steganography comes in a variety of forms, some of which are listed below:         Whitespace Steganography Image Steganography Image Steganography Document Steganography Video Steganography Audio Steganography Folder Steganography Spam/Email Steganography 240 Chapter 02: Architecture and Design Mind Map Figure 2-49: Mind Map White Space Steganography White Space Steganography is a technique for hiding information in a text file using extra blank space covering the file that is inserted between words. Using LZW and Huffman compression methods, the size of the message is decreased. Lab 2-02: Steganography In the directory where Snow Tool is installed, create a text file with some data. Go to “Command Prompt.” Change the directory to run the “Snow” tool. 241 Chapter 02: Architecture and Design Type the command: Snow –C –m “text to be hide” –p “password” <Sourcefile> <Destinationfile> As shown above, the source file is a Hello.txt file. The destination file will be an exact copy of the source file containing hidden information. Go to the directory. You will have a new file, HelloWorld.txt. Open the file. The new file contains exactly the same text as the original file, with no hidden information. This file can be sent to the intended recipient. Recovering Hidden Information On destination, the receiver can reveal information by using the command: Snow –C –p “password 123” HelloWorld.txt 242 Chapter 02: Architecture and Design The file has been decrypted, as shown in the above figure, and it contains hidden information that was encrypted in the previous section. Image Steganography Hidden information in image formats such as PNG, JPG, BMP, and others can be kept in Image Steganography. The basic idea behind image steganography is that the tool replaces redundant bits of the image in the message. This replacement is done in such a way that the human eye cannot detect it. You can perform image steganography by applying different techniques such as:    Least significant Bit Insertion Masking and Filtering Algorithm and Transformation Tools for Image Steganography   OpenStack QuickStego Lab 2-03: Image Steganography using QuickStego 1. Open the QuickStego application. 243 Chapter 02: Architecture and Design 2. Upload an image. This image is termed Cover, as it will hide the text. 3. Enter text or upload a text file. 244 Chapter 02: Architecture and Design 4. Click the “Hide Text” button. 5. Save image. This saved image containing hidden information is called a Stego Object. 245 Chapter 02: Architecture and Design Recovering Data from Image Steganography using QuickStego 1. Open “QuickStego.” 2. Click “Get Text.” 3. Open and compare both images. The left image is without hidden text; the right image is with hidden text. 246 Chapter 02: Architecture and Design Steganalysis is the use of steganography techniques to discover or retrieve hidden information from suspected information. Steganalysis inspects any image for encrypted data. Accuracy, efficiency, and noisy samples are the main challenges faced by steganalysis for detecting encrypted data. Figure 2-50: Steganalysis Methods Homomorphic Encryption Homomorphic encryption is a type of encryption that enables users to perform computations on encrypted data without first decrypting it. This enables data to be encrypted before being sent to commercial cloud environments for processing, all while remaining encrypted. Common Use Cases Data integrity, entity authentication, data origin authentication, and non-repudiation are now supported by cryptography. The following section delves more into the use of symmetric algorithms for data confidentiality, authentication, and integrity and Cipher Block Chaining and Cipher Feedback modes. Limitations Speed The cloud computing environment has dramatically reduced the time and cost of new IT services, thus increasing the speed at which organizations can access IT resources. Weak keys A weak key is a key that causes the cipher to behave in an unfavorable manner when used with a specific cipher. Nonetheless, it is desirable for a cipher to have no weak keys. A cipher with a flat, or linear, key space is one that has no weak keys. 247 Chapter 02: Architecture and Design Mind Map Figure 2-51: Mind Map 248 Chapter 02: Architecture and Design Practice Question 1. Symmetric Key Cryptography requires __________________. A. Same Key for Encryption & Decryption B. Different Keys for Encryption & Decryption C. Public Key Cryptography D. Digital Signatures 2. AES & DES are the examples of _______________________. A. Symmetric Key Cryptography B. Asymmetric Key Cryptography C. Public Key Cryptography D. Stream Ciphers 3. The cipher that encrypts the plain text one by one is known as ________________. A. Block Cipher B. Stream Cipher C. Mono-alphabetic Ciphers D. Polyalphabetic Ciphers 4. The process of identifying flaws, design flaws, and security concerns in a network, Operating System, applications, or website is known as pentesting. ______________. A. B. C. D. Enumeration Vulnerability Analysis Scanning Networks Reconnaissance 5. Which of the following is a phase of the Vulnerability Assessment Life Cycle? A. Creating Baseline B. Vulnerability Assessment C. Risk Assessment D. Remediation 6. Which of the following does not qualify as a Vulnerability Scanning tool? A. Nessus B. GFI LanGuard C. Qualys Scan D. Wireshark 249 Chapter 02: Architecture and Design 7. Which of the following does not constitute a Non-Electronic / Non-Technical Password Attack? A. Shoulder Surfing B. Social Engineering C. Dumpster Diving D. Dictionary Attack 8. Bob attempts to crack a password using a list of known and common phrases until the password is accepted. What type of attack is this? A. Brute Force Attack B. Default Password C. Dictionary Attack D. Password Guessing 9. An attacker attempts every possible combination of alphanumeric characters to crack the password. Which of the following password cracking methods is this? A. Brute Force Attack B. Default Password C. Dictionary Attack D. Password Guessing 10. The process of adding characters to a password to make it a one-way function is known as ______________. A. B. C. D. Password Encryption Password Hashing Password Padding Password Salting 11. Cracking password with pre-computed hashes is called ___________. E. Rainbow Table Attack F. Brute Force Attack G. Dictionary Attack H. Password Guessing 12. Which of the following is used for Backdoor installation? E. Meterpreter F. Zero-day Exploit G. Exploit Kits H. Persistence 250 Chapter 02: Architecture and Design 13. How can you mitigate a rainbow table attack? E. Changing Default Password F. Configuring Unpredictable Password G. Password Salting H. Password Hashing 14. Which of the following does not constitute an Open Source Web Server architecture? A. Apache B. NGINX C. Lighttpd D. IIS Web Server 15. An attacker is attempting to gain access to restricted directories through trial and error using dots and slash sequences. What kind of web server attack is it? E. LDAP Attack F. AD Attack G. Directory Traversal Attack H. SQL Injection 16. An attacker sends a request, allowing him to include a header response; now, he can easily redirect the user to a malicious website. Which type of attack is this? E. Web Cache Poisoning F. HTTP Response Splitting Attack G. Session Hijacking H. SQL Injection 17. A piece of software created to solve a problem is referred to as _________________. A. B. C. D. Hotfix Patch Bugs Update 18. Which of the following is a Patch Management Tool? A. Microsoft Baseline Security Analyzer B. Microsoft Network Monitor C. Syshunt Hybrid D. SolarWinds SIEM Tool 251 Chapter 03: Implementation Chapter 03: Implementation Implement Secure Protocols Protocols Secure Real-time Protocol (SRTP) ▪ ▪ ▪ ▪ ▪ SRTP stands for Secure Real-Time Transport Protocol (Secure RTP). It is the secure version of RTP. The secure version of RTP is seen with other VOIP, but it adds encryption, using AES to ensure that all the videos and audios are confidential. It includes authentication integrity and replays protection by having HMACSHA1 (Hash-based message authentication code using SHA1) as a hashing function. With this in place, the user knows that they are receiving the original audio and video. Nobody is sitting in the middle of the path listening to the conversation. Domain Name System Security Extension (DNSSEC) DNSSEC stands for Domain Name System Security Extensions; DNS protocol extensions require cryptographic authentication for authoritative DNS server responses. Its goal is to protect against techniques used by hackers to direct computers to malicious websites and servers. NTP NTP is a network time protocol used to synchronize the clocks across the hosts and network devices. The NTP is a vital protocol, as directory services, network devices, and hosts rely on clock settings for login purposes and logging to record events synchronizing the time system logs arrive at Syslog servers, NTP aids in event correlation. NTP uses UDP port number 123, and its whole communication is according to coordinated universal time (UTC). The term stratum describes the distance between the NTP server and the device in NTP. It is just like the TTL number that decreases every hop a packet passes by. Stratum value, starting from one, increases with every leap. For example, if we see stratum number 10 on the local router, the NTP server is nine hops away. Securing NTP is also an essential aspect as the attacker may change time in the first place to mislead the forensic teams who investigate and correlate the events to find the root cause of the attack. ▪ It is used to synchronize all the devices that are connected to the network. 252 Chapter 03: Implementation ▪ It has been around since 1985 but does not have any security feature, and it is seen that threat actors find a way to use it in denial of service attacks. ▪ NTPsec is a new protocol that is created to make NTP more secure. ▪ This more secure version of the NTP protocol started around June 2015. ▪ In NTPsec, the code base of NTP is updated, and all the vulnerabilities are patched. S/MIME ▪ Secure/Multipurpose Internet Mail Extension. ▪ This protocol allows the user to sign and encrypt the information that is being used digitally. ▪ It has to be initially configured as the PKI is required or at least a way to manage keys to provide public and private keys to be used in S/MIME communication. SSL/TLS ▪ SSL stands for Secure Socket Layer, and TLS stands for Transport Layer Security. ▪ TLS is an updated version of SSL. ▪ SSL uses a combination of Symmetric and Asymmetric encryption to provide confidentiality. FTPS ▪ It stands for File Transfer Protocol Secure, i.e., FTP over SSL. ▪ It is not SFTP (SSH FTP), where SSH is used instead of SSL. LDAP ▪ It stands for Lightweight Directory Access Protocol. ▪ It is a protocol for reading and writing directories over an IP network. ▪ It uses an ITU standard that is X.500 and uses TCP/IP. ▪ By enabling LDAPS, it can be made more secure. ▪ It is another way to implement SASL (Simple Authentication and Security Layer). SSH ▪ It stands for Secure Shell. ▪ It is an encrypted terminal communication. DHCP ▪ It stands for Dynamic Host Control Protocol. 253 Chapter 03: Implementation ▪ It does not include any built-in security. ▪ There is no secure version of DHCP. Secure File Transfer Protocol (SFTP) ▪ Secure File Transfer Protocol, also known as SSH File Transfer Protocol, is a network protocol that allows users to access, transfer, and manage files on remote systems. ▪ Businesses can use SFTP to securely transfer billing data, funds, and data recovery files. Simple Network Management Protocol, version 3 (SNMPv3) For safe configuration and control activities, secure SNMPv3 management is a vital enabler technology. SNMPv3 enables authentication and privacy and view-based access control and remote configuration for security and logical contexts. Hypertext Transfer Protocol over SSL/TLS (HTTPS) TLS-enabled HTTP Protocol SSL is commonly referred to as SSL. Still, it uses TLS, which has improved security, patched vulnerabilities, and added additional hashing, key exchange, and encryption methods. IPSec IPsec stands for IP security. For security and logical contexts, SNMPv3 provides authentication and privacy and view-based access control and remote configuration. IPsec's strength comes in its flexibility to support a variety of protocols and algorithms. It also contains new encryption and hashing protocol advances. The primary goal of IPsec is to offer CIA (Confidentiality, Integrity, and Authentication) for virtual networks in today's networks. IPsec makes sure the above purposes are in action when a packet enters a VPN tunnel and reaches the other end. ● Confidentiality: IPsec uses encryption protocols, namely AES, DES, and 3DES, to provide confidentiality. ● Integrity: IPsec uses hashing protocols (MD5 and SHA) for providing integrity. Hashed Message Authentication (HMAC) is also used for checking data integrity ● Authentication Algorithms: RSA digital signatures and Pre-Shared Keys (PSK) are two methods used for authentication purposes. Components of IPsec 254 Chapter 03: Implementation Components of IPsec include: ● ● ● ● ● IPsec Drivers Internet Key Exchange (IKE) Internet Security Association Key Management Protocol Oakley IPsec Policy Agent Note: In the IPSec protocol suite, Internet Key Exchange (IKE) is a protocol that is used to create Security Associations (SA). It uses X.509 certificate for authentication. The Diffie–Hellman (DH) key exchange protocol is a secure technique of exchanging cryptographic keys over a public channel. These keys are further used to encrypt or decrypt packets. Figure 3-01: IPSec Architecture Modes of IPsec There are two working modes of IPsec; tunnel and transport mode. Each has its features and implementation procedures. IPsec Tunnel Mode Being the default mode set in Cisco devices, tunnel mode protects the entire IP packet from the originating machine. It means that another packet is generated with a new IP header for every original packet and is sent to the untrusted network and the VPN peer. Tunnel mode is commonly used in cases involving Site-to-Site VPNs, where two secure IPsec gateways are connected over the public internet using an IPsec VPN connection. Consider the following diagram: 255 Chapter 03: Implementation This shows IPsec Tunnel Mode with an Encapsulating Security Protocol (ESP) header: Figure 3-02: IPsec Tunnel Mode with an ESP Header Similarly, when Authentication Header (AH) is used, the new IP packet format will be: Figure 3-03: IP IPsec Tunnel Mode with an AH Header IPsec Transport Mode In transport mode, the IPsec VPN secures the data field or payload of the originating IP traffic using encryption, hashing, or both. New IPsec headers encapsulate only the payload field while the original IP headers remain unchanged. Tunnel mode is used when original IP packets are the source and destination address of secure IPsec peers. For example, securing a router's management traffic is a perfect example of IPsec VPN implementation using transport mode. For configuration, both tunnel and transport modes are defined in the configuration transform set. These will be covered in the lab scenario of this section. This diagram shows IPsec Transport Mode with an ESP header: Figure 3-04: IPsec Transport Mode with an ESP Header Similarly, in the case of AH: 256 Chapter 03: Implementation Figure 3-05: IPsec Transport Mode with an AH Header Note: IPsec (Internet Protocol Security) is a set of protocols that provide secure private communication across IP networks. IPsec protocol allows the system to establish a secure tunnel with a peer security gateway. Case Study: In this lab, we will learn how to configure IPSEC site-to-Site VPN on routers. We already know that IPSEC is used to transmit data securely over an unsecured network. Here, R1 and R2 are participating in IPSEC peers. Therefore, these two routers are required to be configured to support IPSEC site-to-site VPN for the traffic transmitting from their LANs. We have used two routers (R1 and R2), two switches (SW3 and Sw4), and two Virtual PCs (VPC5 and VPC6). Figure 3-06: Router and Switch Connection Let's start the lab. The following are screenshots to help you understand how to configure and verify the IPsec site-to-site VPN. Step 1: Configure all the devices in the topology Assign IP address with Subnet mask and gateway to virtual PCs. The IP assigned to VPC5 is 192.168.1.2/24, and the gateway is 192.168.1.1. 257 Chapter 03: Implementation The IP address assigned to VPC6 is 192.168.2.2/24, and the gateway is 192.168.2.1. Now, assign an IP address to all the interfaces of Router 1 and Router 2, as shown on the next page. 258 Chapter 03: Implementation 259 Chapter 03: Implementation Step 2: ISAKMP Policy Configure the parameters that will be used for the IKE phase 1 tunnel. Step 3: Transform Set Configure the parameters that will be used for the IKE phase 2 tunnel. Step 4: ACL-Access Control List Now, we will create an ACL to define what traffic will be sent over the Virtual Private Network. Step 5: Crypto Map 260 Chapter 03: Implementation Using the previous parameters, configure and define the Crypto map. Step 6: Crypto Map Implementation Apply the crypto map to an interface. Configuring Router 2 Now, repeat the above configuration steps on Router 2 Step 1. ISAKMP Policy 261 Chapter 03: Implementation Step 2: Transform Set Step 3: ACL-Access Control List Step 4: Crypto Map Step 5: Crypto Map Implementation Verification (Test and Verify IPSEC Configuration) Ping VPC6 and gateway from VPC5 to check and verify the connectivity. 262 Chapter 03: Implementation Now, Ping VPC5 and gateway from VPC6. 263 Chapter 03: Implementation Now for verification, use the command crypto isakmp policy on both routers. It will show you the encryption algorithm we have configured and other details, as shown in the screenshot. Now, TEST and VERIFY the IPsec configuration on R1 as well. Also, use the show crypto isakmp sa and show crypto ipsec sa command for verification. 264 Chapter 03: Implementation 265 Chapter 03: Implementation Secure Post Office Protocol (POP)/ Internet Message Access Protocol (IMAP) For safe configuration and control activities, secure SNMPv3 management is a vital enabler technology. SNMPv3 enables authentication and privacy and view-based access control and remote configuration for security and logical contexts. 266 Chapter 03: Implementation IMAP and POP send your username, password, and all message contents in plain text. As a result, they can be easily intercepted. IMAP and POP, on the other hand, support SSL encryption, which is similar to that seen on encrypted websites and is potentially wholly safe. Use cases Email and web A significant risk factor is the email system. Therefore, the DLP appliance is used by many organizations that monitor, track, and filter all the inbound and outbound emails. Web servers provide a link between clients and web pages. They are susceptible to attacks as they are open to the internet. Therefore, the proper setting of external-facing applications is the key to avoid unnecessary risk. For web servers, several reliable and prescriptive sources of instruction are available to support administrators to protect and secure the application properly. Time Synchronization Every device has its clock, and if the user wants to synchronize all the devices to a single watch, then a standard protocol is required: NTP (Network Time Protocol). It allows all the appliances to synchronize all these clocks to one single clock automatically. It is a flexible and accurate method. Mind Map Figure 3-07: Mind Map of Secure Protocols Implement Host or Application Security Solutions Endpoint Protection 267 Chapter 03: Implementation Endpoint security (also known as endpoint protection) refers to solutions that address security flaws in network devices and protect them from attacks, unintentional data leakage caused by human error, or zero-day exploits. Antivirus Antivirus software is designed to prevent, detect, and remove malware infections on individual computing devices, networks, and information technology systems. Antivirus software, which was initially designed to detect and remove viruses from computers, can protect against many threats, including keyloggers, browser hijackers, Trojan horses, worms, rootkits, and spy, adware, botnets, and ransomware. Anti-malware One of the most effective tools for protecting the computer and personal information is an anti-malware program. An anti-malware program guards the computer against malware such as spyware, adware, and worms. It scans the system for any malicious software that has managed to infiltrate the system. Endpoint Detection and Response Endpoint Detection and Response (EDR), also known as Endpoint Threat Detection and Response (ETDR), is a comprehensive endpoint security solution that combines continuous real-time monitoring and data collection with rules-based automated response and analysis capabilities. An EDR security system's primary functions are as follows: ▪ ▪ ▪ ▪ Monitor and collect endpoint activity data that could indicate a threat. Analyze this information to identify threat patterns. Respond to identified threats automatically to remove or contain them and notify security personnel. Forensic and analysis tools are used to investigate identified threats and look for suspicious activity. DLP DLP is an acronym for Data Loss Prevention. It stops the data before the threat actor receives it. The endpoint DLP tool on the computer observes the data and prevents its unauthorized access. DLP appliance on the network connection constantly looks at all the confidential information like credit card numbers that should not be cleartext. The DLP system on the server watches the data and prevents it from getting into the hands of the threat actor. 268 Chapter 03: Implementation Next-Generation Firewall (NGFW) NGFW is a relatively new term used for the latest firewalls with advanced feature sets. This kind of firewall provides in-depth security features to mitigate known threats and malware attacks. An example of next-generation firewalls is the Cisco ASA series with FirePOWER services. NGFW delivers complete visibility into network traffic users, mobile devices, Virtual Machines (VM) to VM data communication, etc. Host-based Intrusion Prevention System (HIPS) The Host Intrusion Prevention System (HIPS) detects suspicious activity on a single host by analyzing events on that host. HIPS solutions defend the host against known and unknown malicious attacks from the network and application layers. Host-based Intrusion Detection System (HIDS) A host-based intrusion detection system is an application that monitors a computer or network for suspicious activity, which can include both external intrusions and internal misuse of resources or data. Host-based firewall A host-based firewall is a type of firewall software that runs on a single computer or device linked to a network. These types of firewalls provide granular protection for individual hosts against viruses and malware and control over the spread of these harmful infections throughout the network. Boot Integrity Boot Security/Unified Extensible Firmware Interface (UEFI) Like the BIOS (Basic Input Output System), the Unified Extensible Firmware Interface (UEFI) is a piece of firmware that runs when the computer starts up. On the other hand, UEFI is positioned to replace BIOS because it is a more current solution that solves many of the latter's restrictions. UEFI defines a new method for communicating between operating systems and platform firmware, providing a lightweight BIOS alternative that uses only the information required to launch the OS boot process. Furthermore, UEFI provides enhanced computer security features and backward compatibility with most existing BIOS systems. Measured Boot Measured Boot is a method in which each of the software layers in the device's booting sequence measures the layer above it and extends the value in a designated PCR. e.g., BIOS measures various Bootloader components and stores the results in PCRs 0-7. 269 Chapter 03: Implementation Boot Attestation Secure Boot is a method that checks that the system boot loader is signed with a cryptographic key that a database has authorized in the firmware. Secure key storage and remote attestation are not required for boot path validation. Application Security Injection attacks (SQL-Injections), Cross-Site Scripting (XSS), Session Hijacking, and other web assaults are all protected by a WAF. A company's application security is considerably improved when using a WAF in conjunction with a network firewall. Input Validations Input validation is the process of checking input received by an application for conformity with a standard set inside the application. It might be as basic as inputting a parameter or as complicated as using regular expressions or business logic to validate data. Hypertext Transfer Protocol (HTTP) Headers HTTP headers allow the client and server to send additional data with an HTTP request or response. An HTTP header comprises its case-insensitive name, a colon (: ), and its value. Whitespace preceding the value is ignored. Code Signing Code signing verifies the publisher's identity and ensures that the code has not been updated since it was signed. Certificates issued with signed software are required for users to assess whether the software is valid before installing it. Blacklisting and Whitelisting are the methods for controlling/managing the applications of the Operating System. ▪ ▪ Application Blacklisting: It is a method that determines which application(s) should not be allowed to run on the machine. Application Whitelisting: The opposite of blacklisting is whitelisting that determines which application(s) should be allowed to run on the machine. Microsoft uses two methods that are part of OS to control the use of applications to their specified users. These methods are: ▪ Software Restrictive Policies: This is a primary mode used by the machine and not by the users. It allows significant control over the application, executable files, and scripts and is employed through group policies. User Account Level Control: Used by the enterprise to control over who can access and use installed software. It is enforced through AppLocker and allows which users can use which application and programs. 270 Chapter 03: Implementation Secure Coding Practices Secure coding standards govern the coding practices, techniques, and decisions made by software developers. They want to make sure that developers write code that minimizes security flaws. Development tasks are typically solved in a variety of ways, with varying degrees of complexity. Static Code Analysis Static Application Security Testing (SAST), also known as static analysis, is a testing methodology that analyses source code to identify security flaws that make your organization's applications vulnerable to attack. SAST inspects an application before it is compiled. It is also referred to as white box testing. Manual Code Review The process of reading source code line by line to identify potential vulnerabilities is known as manual secure code review. It is a time-consuming process that necessitates skill, experience, perseverance, and patience. Dynamic Code Analysis The study of how the code behaves during execution is the foundation of dynamic code analysis. While code analysis produces secure code, other issues, such as changes in the system build, must also be considered to have a closed system. Fuzzing Fuzzing, also known as fuzz testing, is an automated software testing technique that involves feeding a computer program with invalid, unexpected, or random data. The program is then checked for crashes, failed built-in code assertions, and potential memory leaks. Hardening Application hardening, also known as application shielding, is the process of adding layers of security to applications to protect them from IP theft, misuse, vulnerability exploitation, tampering, or even repackaging by malicious individuals. Open Ports and Services Applications and services use open ports, and they, like any other piece of code, may contain vulnerabilities or bugs. The more applications and services that use open ports for Internet communication, the more likely it is to have a vulnerability that can be exploited. Disk Encryption Data encryption is a security method in which information is encoded and can only be accessed or decrypted by a user who has the appropriate encryption key. Encrypted 271 Chapter 03: Implementation data, also known as ciphertext, appears scrambled or unreadable to anyone or entity who gains unauthorized access. OS The operating system serves as the interface between the physical hardware and the application. Configuration guide from all the significant operating systems manufacturers is available on the CIS platform. Patch Management Patch management is the process of software and application patch up-gradation, including installing patches, acquiring, and testing. All Operating Systems require an update and have different methods to keep their systems up to date. There is a hierarchy that the vendor follows for software updates: ▪ Hotfix: A minor software update usually designed to discover problems produced and released quickly. For example, buffer overflow. ▪ Patch: Refers to more significant updates as compared to Hotfix. It can address several problems. Patches not only include enhancement or additional capabilities, but they can also fix bugs. ▪ Service Pack: An extensive collection of Hotfixes and Patches, rolled in one single package that makes the system up to date at once, is called Service Pack. It saves users from downloading further updates. Patch Management Lifecycle Figure 3-08: The Lifecycle of Patch Management 272 Chapter 03: Implementation Self-Encrypting Drive (SED)/ Full-Disk Encryption (FDE) Full-disk encryption and self-encrypting drives encrypt and decrypt data written to and read from the disk. FDE is appropriate for laptops, which are highly vulnerable to data loss or theft. However, FDE is not appropriate for the most common risks encountered in datacenter and cloud environments. FDE/SED has the following advantages: ▪ ▪ ▪ The most straightforward method of deploying encryption Applications, databases, and users can all see through it. Hardware-based encryption with high performance Hardware Root of Trust A hardware root of trust serves as the foundation for all security operations of a computing system. It stores the keys used for cryptographic functions and allows for a secure boot process. It is inherently trustworthy, so it must be secured by design. Trusted Platform Module (TPM) TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store authentication artifacts, i.e., PC or laptop. Sandboxing To execute code in an environment that isolates the target system and the code from direct contact is called Sandboxing. Sandbox is used for the execution of unverified and untrusted code. Sandbox works like a virtual machine and can mediate several system interactions like accessing memory, network access, and another program, device, and file system. Sandbox offers protection, and its level of protection depends upon isolation level. 273 Chapter 03: Implementation Mind Map Figure 3-09: Mind Map of Host or Application Security Solutions Implement Secure Network Designs Load Balancing Load balancing is the process of distributing network or application traffic among numerous servers in a server farm in a systematic and effective manner. Each load balancer lies between clients and backend servers, receiving and distributing requests to any server that can handle them. Active/Active A network of independent processing nodes, each with access to a shared replicated database, allowing all nodes to participate in a single application, is known as an active/active system. Two or more processing nodes are connected via a redundant communications network in the application network. Active/Passive An active network has at least one voltage or current source that can continuously supply energy to the network. An active source is not present in a passive network. There are no electromotive force sources in passive networks. They are made up of passive components such as resistors and capacitors. 274 Chapter 03: Implementation Virtual IP Virtual IP addresses are those that are not tied to specific machines. As a result, they can switch between nodes in a Content Gateway cluster. On the same Subnet, it is common for a single device to represent multiple IP addresses. Network Segmentation Virtual Local Area Network (VLAN) By dividing workstations into different isolated LAN segments, VLANs enable network administrators to limit access to a specified group of users automatically. Administrators do not need to reconfigure the network or change VLAN groups when users relocate their workstations. DMZ DMZ stands for Demilitarized Zone. It is the region between a trusted internal network and an untrusted network. Figure 3-10: DMZ (Demilitarized Zone) It functions as a buffer region between the internet and the internal network. The idea is to secure the internal network and not allow direct access from the internet to the trusted internal network by directly forcing the user to make at least one hop in the DMZ before accessing internal network information. The servers directly accessed from the outside (untrusted zone) should be placed in DMZ like Remote access server, Web server, External email server, etc. Similarly, all the other standard servers like a Database server, DNS, File server, Print server, application server, etc., should be placed in the internal network for security purposes. 275 Chapter 03: Implementation East-West Traffic East-West traffic refers to the flow of traffic within a data center. East-West traffic indicates data flow among devices within a datacenter based on the most commonly deployed topology of systems within the datacenter. Extranet There are some trusted third parties to whom we want to lend access to the resources inside the internal network. A private DMZ, called 'Extranet,' is created to lend access to trusted third parties. The extranet is separate from the internal network and provides access to the outside of the company. Authentication credentials are required from the user to gain access to the resources. This additional authentication helps to allow only authorized users to access the resources. Intranet A private network that is only accessible from within it and not from the outside world. Essential resources or important internal documents are placed on an intranet. Access is granted only to organizational users (company employees), with no other users allowed/permitted access to those resources. Zero Trust Zero Trust is a strategic initiative that aims to eliminate the concept of trust from an organization's network architecture to help prevent successful data breaches. The goal of Zero Trust is not to make a system trustworthy but rather to eliminate trust. Virtual Private Network (VPN) A virtual private network, or VPN, is an encrypted Internet connection that connects a device to the web. The encrypted connection aids in the safe transmission of sensitive data. The responsibilities of a VPN include managing the following security network design: ▪ Always-on ▪ Split tunnel vs. full tunnel ▪ Remote access vs. site-to-site ▪ IPSec ▪ SSL/TLS ▪ HTML5 ▪ Layer 2 Tunneling Protocol (L2TP) 276 Chapter 03: Implementation Network Access Control (NAC) NAC is an acronym for Network Access Control. With NAC, the traffic flow from inside or outside the network is controlled. Access control is based on different rules like user type, location, application, etc. One of the advantages of access control is that it can be enabled or disabled easily. Agent and Agentless In agent-based network access control, the code is kept on the host system for activation, and it runs at the time of connection. Agentless network access control is integrated with Windows Active Directory. In agentless access control, checks are performed during login & log out, and it cannot be scheduled. Out-of-Band Management Out-of-band management in systems management entails using management interfaces (or serial ports) to manage and network equipment. Out-of-band management enables the network operator to set trust boundaries for accessing the management function and applying it to network resources. Port Security Enabling Port Security will also mitigate against these attacks by limiting the port to learning a maximum number of MAC addresses, configuring violation actions, aging time, etc. Broadcast Storm Prevention Storm control prevents broadcast storms from disrupting LAN interfaces. When broadcast packets flood the Subnet, they cause excessive traffic and degrade network performance. Errors in the protocol stack or network configuration can result in a broadcast storm. Bridge Protocol Data Unit (BPDU) Guard A BPDU is a data message sent across a local area network to detect loops in network topologies. Guard functionality protects edge ports from malicious attacks. When a malicious attacker sends a BPDU over the edge port, it causes unnecessary STP to occur. Dynamic Host Configuration Protocol (DHCP) Snooping DHCP is allocating the IP address dynamically so that these addresses are assigned automatically and can be reused when hosts do not need them. Round Trip time is the measurement of time from discovering the DHCP server up to obtaining the leased IP address. RTT can be used to determine the performance of DHCP. Using UDP broadcast, a DHCP client sends an initial DHCP-Discover packet because it initially 277 Chapter 03: Implementation does not have information about the network they are connected to. The DHCP server replies to the DHCP-Discover packet with a DHCP-Offer Packet offering the configuration parameters. The DHCP client will send a DHCP-Request packet destined for the DHCP server requesting configuration parameters. Finally, the DHCP server will send the DHCP-Acknowledgement packet containing configuration parameters. DHCPv4 uses two different ports: • • UDP port 67 for server UDP port 68 for client Figure 3-11: Mi IPv4 DHCP Requests A DHCP Relay Agent forwards the DHCP packets from server to client and client to server. The relay agent helps the communication by forwarding requests and replies between clients and servers. When receiving a DHCP message, the relay agent generates a new DHCP request including default gateway information and the Relay-Agent information option (Option-82) and sends it to a remote DHCP server. When the Relay Agent gets the reply from the server, it removes Option 82 and forwards it back to the client. The working of the relay agent and the DHCPv6 server is the same as the IPv4 relay agent and DHCPv4 server. The DHCP server receives the request and assigns the IP address, DNS, lease time, and other necessary information to the client, whereas the relay server forwards the DHCP messages Figure 3-12: IPv6 DHCP Requests 278 Chapter 03: Implementation DHCPv6 uses two different ports: • • UDP port 546 for clients UDP port 547 for servers Media Access Control (MAC) Filtering MAC (Media Access Control) filtering limits access to specific devices on the network. Typically, it is used to keep neighbors out or ensure that only the people of a company can connect to the network. The disadvantage of MAC filtering is that it is easy to circumvent. Network appliances The Network Appliance includes the following components in security network design for managing the network ▪ ▪ ▪ ▪ Jump servers Proxy servers Forward Reverse Network-based Intrusion Detection System (NIDS)/Network-based Intrusion Prevention System (NIPS) Network Intrusion Detection It is used to track traffic in real-time at specific points on a network. It investigates protocol actions at the application, transport, and network levels. The study and identification of network traffic patterns are based on a database of known assaults. NIDS's behavioral, anomaly, and signature-based monitoring and detection improve network security. Functions of NID ▪ ▪ ▪ ▪ The primary function of NID is to filter out the IP Address of the intruder by configuring the firewall. It launches a separate program to handle the event. It can terminate the TCP session by forging a TCP FIN packet to force a connection to complete. It sends an entry to the system log file. Network Intrusion Prevention It is an "inline" NIDS that can terminate TCP connections and can discard packets. 279 Chapter 03: Implementation Functions of NIPS It can identify malicious packets using the following methods: ▪ ▪ ▪ ▪ ▪ Pattern Matching Stateful Matching Protocol Anomaly Statistical Anomaly Traffic Anomaly It can also provide flow data protection through: ▪ ▪ Monitoring full application flow content Re-assembling whole packets Difference between NIDS and NIPS The significant difference between NIDS and NIPS is in their location: ▪ ▪ NIPS would be located 'inline' on the firewall to allow NIPS to take action more quickly against the attack. NIDS has sensors that monitor traffic entering and leaving the firewall and report back to the central device for analysis. It is the basic working of the Intrusion Prevention System (IPS). The placement of the sensor within a network differentiates the functionality of IPS over the IDS. When the sensor is placed in line with the network, i.e., the common in/out of a specific network segment terminates on the hardware or logical interface of the sensor and goes out from the sensor's second hardware or logical interface. Every packet will be analyzed and pass through the detector only if it contains anything malicious. By dropping the malicious traffic, the trusted network or a segment can be protected from known threats and attacks. However, the inline installation and inspection of traffic may result in a slighter delay. IPS may also become a single point of failure for the whole network. If 'fail-open mode is used, the good and malicious traffic will be allowed in case of any failure within the IPS sensor. Similarly, if 'fail-close' mode is configured, the whole IP traffic will be dropped in case of the sensor's failure. 280 Chapter 03: Implementation Figure 3-13: Inline Deployment of IPS Sensor If a sensor is installed in the position shown below, a copy of every packet will be sent to the sensor to analyze any malicious activity. Figure 3-14: Sensor Deployment as IDS In other means, the sensor, running in promiscuous mode, will perform the detection and generate an alert if required. As the normal traffic flow is not disturbed, no end-toend delay will be introduced by implementing IDS. The only downside of this configuration is that IDS will not stop malicious packets from entering the network because IDS is not controlling the overall traffic path. This table summarizes and compares various features of IDS and IPS. Feature IPS Positioning Not in-line with the In-line with the network. Every packet goes network. Receives a copy through it. of every packet. Mode In-line/Tap Delay Introduces delay because every packet is Do not introduce delay analyzed before being forwarded to the because it is not in line destination. with the network. Point failure IDS Promiscuous Yes. If the sensor is down, it may drop as well as malicious traffic from entering the No impact on traffic as of network, depending on one of the two IDS is not in line with the modes configured on it, namely fail-open network. or fail-close. 281 Chapter 03: Implementation Yes. By dropping the malicious traffic, Ability to attacks can be readily reduced on the mitigate an network. If deployed in TAP mode, then it attack? will receive a copy of each packet but cannot mitigate the attack. IDS cannot directly stop an attack. However, it can assist some in-line devices like IPS to drop specific traffic to stop an attack. Can you do packet Yes. Can modify the IP traffic according to manipulatio a defined set of rules. n? No. As IDS receives mirrored traffic, so it can only perform the inspection. Table 3-01: IDS/IPS Comparison Signature-based A signature detects an anomaly by looking for some specific string or behavior in a single packet or stream of packets Heuristic/Behavior The Heuristic Intrusion Detection and Prevention System (HIDPS) is a system that can intelligently check for malicious behavior from a program that is either inside or trying to access the system. The nature of the program determines whether access is given or revoked. HSM HSM provides facilities for Cryptographic functions like hashing, encryption, etc. It manages and stores keys in a secure location by keeping the backup of the key. To restrict access to the key that HSM secures, it has a technique called tamper protection technique. It is a peripheral device that is usually "attached through USB or a network connection." 282 Chapter 03: Implementation Figure 3-15: Hardware Security Module Sensors and Collectors The critical spots in a network contain sensors and collectors. These sensors and collectors gather information from the network devices. They may be integrated into the router, firewall, switches, etc., or built-in within the network. The information that the sensor gathers varies from system to system. For instance, authentication logs information will differ from database transaction logs or web server access logs, etc. Difference between Sensor and Collector When the sensor provides the raw data, the collector converts this raw data into logical information or the information that makes sense. Aggregators In modern networking, an aggregator is a device or service provider that can combine multiple disparate circuits or carrier services into a single, simple-to-use, easy-tomanage course. To put it another way, an aggregator can make your job as a network provider/manager easier. Firewall The primary function of using a dedicated firewall at the edge of a corporate network in isolation. A firewall prevents the internal LAN from having a direct connection with the internet or the outside world. This isolation is carried out by but is not limited to: ● A Layer 3 device using an Access List for restricting the specific type of traffic on any of its interfaces ● A Layer 2 device using the concept of VLANs or Private VLANs (PVLAN) for separating the traffic of two or more networks ● A dedicated host device with the installed software. This host device, also acting as a proxy, filters the desired traffic while allowing the remaining traffic Although the features above provide isolation in some sense, the following are reasons for preferring a dedicated firewall appliance (either in hardware or in software) in production environments: Risks Access by Untrusted Entities Protection by firewall Firewalls try to categorize the network into different portions. One portion is the trusted portion of internal LAN. Public internet interfaces are seen as an untrusted portion. Similarly, servers accessed by untrusted entities are placed in a particular segment 283 Chapter 03: Implementation known as a Demilitarized Zone (DMZ). By allowing only specific access to these servers, like port 90 of the web server, firewalls hide the functionality of a network device, making it difficult for an attacker to understand the physical topology of the network. Deep Packet Inspection and Protocol Exploitation One of the exciting features of a dedicated firewall is its ability to inspect traffic at more than just IP and port levels. By using digital certificates, Next-Generation Firewalls that are available today can check traffic up to layer 7. A firewall can also limit the number of established as well as half-open TCP/UDP connections to mitigate DDoS attacks. Access Control By implementing local AAA or by using ACS/ISE servers, the firewall can permit traffic based on AAA policy. Anti-virus and By integrating IPS/IDP modules with a firewall, malicious data can Protection be detected and filtered at the edge of the network to protect endfrom Infected users. Data Table 3-02: Firewall Risk Mitigation Features Although a firewall provides excellent security features, any misconfiguration or bad network design may have serious consequences, as discussed in the table above. Another important deciding factor when deploying a firewall in the current network design is whether the current business objectives can bear the following limitations: ● Misconfiguration and Its Consequences: The primary function of a firewall is to protect network infrastructure in a more elegant way than a traditional layer 3/2 device. Depending on the vendor and their implementation techniques, many features need to be configured for a firewall to work correctly. Some of these features may include Network Address Translation (NAT), Access-Lists (ACL), AAA base policies, and so on. Misconfiguration of any of these features may result in leakage of digital assets, which may impact the business financially. In short, complex devices like firewalls require deep insight and knowledge of equipment and the general deployment approach. ● Applications and Services Support: Most firewalls use different techniques to mitigate advanced attacks. For example, NATing, one of the most commonly used firewalls, reduces reconnaissance attacks. When network infrastructure is used to support custom-made applications, it may be necessary to re-write the whole application to work correctly under the new network changes. 284 Chapter 03: Implementation ● Latency: Just as implementing NATing on a route adds some end-to-end delay, a firewall, along with heavy processing demands, can add a noticeable delay to the network. Applications like Voice Over IP (VOIP) may require a particular configuration to deal with this. Another essential factor to be considered when designing a network infrastructure's security policies is using the layered approach instead of relying on a single element. For example, consider the following scenario: Figure 3-16: Positioning a Firewall in a Production Environment The previous figure shows a typical Small Office Home Office (SOHO) scenario and mid-sized corporate environments where several routers and switches support the whole network infrastructure. If the edge firewall is the focal point of security implementation, any slight misconfiguration may result in high-scale attacks. In general, a layered security approach is followed, and packets pass through multiple security checks before hitting the intended destination. The position of a firewall varies in different designs. In some scenarios, it is placed on the corporation's perimeter router, while in other formats, it is placed at the edge of the network, as shown in figure 141. Apart from the position, it is good practice to implement layered security. Some features, such as unicast reverse path forwarding, access-lists, etc., are enabled on the perimeter router. Features such as deep packet inspection and digital signatures are matched on the firewall. If everything looks good, the packet is allowed to hit the intended destination address. Network layer firewalls permit or drop IP traffic based on Layer 3 and 4 information. A router with an access list configured on its interfaces is a typical example of a network layer firewall. Although they operate very fast, network layer firewalls do not perform deep packet inspection techniques or detect malicious activity. 285 Chapter 03: Implementation Apart from acting as the first line of defense, network layer firewalls are also deployed within internal LAN segments for enhanced layered security and isolation. Firewall Architecture Bastion Host A Bastion Host is a computer system placed between public and private networks. It is intended to be a crossing point through which traffic passes. The system is assigned specific roles and responsibilities. A bastion host has two interfaces, one connected to the public network and a private network. Figure 3-17: Posi Bastion Host Screened Subnet Screened Subnet can be set up with a firewall with three interfaces. These three interfaces are connected with the internal Private Network, Public Network, and Demilitarized Zone (DMZ). In this architecture, each zone is separated by another zone hence any compromise of one zone will not affect another. Figure 3-18: Screened Subnet 286 Chapter 03: Implementation Multi-homed Firewall A Multi-homed Firewall is two or more networks where each interface is connected to its network. It increases the efficiency and reliability of a network. A firewall with two or more interfaces allows further subdivision. Figure 3-19: Multi-Homed Firewall Demilitarized Zone (DMZ) An IOS zone-based firewall is a specific set of rules that may help to mitigate mid-level security attacks in environments where security is implemented via routers. In ZoneBased Firewalls (ZBF), device interfaces are placed in different unique zones (inside, outside, or DMZ), and policies are applied to these zones. Naming conventions for zones must be easy to understand to be helpful when it comes to troubleshooting. ZBFs also use stateful filtering, which means that if the rule is defined to permit originating traffic from one zone to another zone, for example, DMZ, then return traffic is automatically allowed. Traffic from different zones can be authorized using policies permitting traffic in each direction. One of the advantages of applying policies on zones rather than interfaces is that policies are applied automatically simply by removing or adding to an interface in a particular zone whenever new changes are required at the interface level. ZBF may use the following set of features in its implementation: ● ● ● ● ● Stateful Inspection Packet Filtering URL Filtering Transparent Firewall Virtual Routing Forwarding (VRF) This figure illustrates the scenario explained above: 287 Chapter 03: Implementation Figure 3-20: Cisco IOS Zone-based Firewall Scenario Stateless Firewall Initially, the firewalls analyze data packets to see if they match the particular rules and then decide how to forward or drop the packets accordingly. This type of packet filtering is referred to as stateless filtering. This type of filtering does not care either a packet is part of an existing data flow or not. Each packet is analyzed individually based solely on the values of specific parameters in the packet header. It is somehow similar to ACLs packet filtering. A stateless firewall monitors network traffic and restricts or blocks packets based on static values like source and destination addresses. They are not aware of data flows and traffic patterns. A stateless firewall filter, sometimes also known as an Access Control List (ACL), does not state-fully analyze traffic and is unaware of a communication path. The primary purpose of a stateless firewall filter is to use packet filtering to enhance security. Packet filtering lets you take the decision and actions based upon the policies you applied. Stateless firewalls are faster and can perform better under heavier traffic loads. The stateless firewall works like a packet filter. It does not keep track of the currently active session. It looks at the traffic going by, and then compare it to a list of access control and then either allows or restricts traffic to flow. 288 Chapter 03: Implementation Figure 3-21: Stateless Firewall Figure 3-22: Stateless Firewall-Traffic Blocking Stateful Firewall Stateful firewalls analyze the state of connections in data flows during packet filtering. They explore whether the packet belongs to an existing flow of data or not. Stateful firewalls can see traffic streams from one end to another. They know about the communication paths, applying different IP Security (IPsec) functions such as encryption and tunneling. Stateful firewalls let you know about other TCP connections or port states either open, open sent, synchronized, acknowledged, or established. Stateful firewalls are better at identifying unauthorized access from somewhere. Operation A stateful firewall can maintain the state of every connection, either incoming or outgoing, through the firewall and thus replace long configuration lines. When the traffic wants to go out through a firewall, the packet will be first matched against a firewall rules list to check whether the packet is allowed or not. If this packet type is allowed to go out through the firewall, then the process of stateful filtering will begin. Usually, a stateful firewall uses the traffic that is using the Transport Control Protocol (TCP). TCP is stateful, to begin with because TCP maintains a track of its connections 289 Chapter 03: Implementation by using source and destination address, port number, and IP flags. A three-way handshake will form an association (SYN, SYN-ACK, ACK), and a two-way exchange (FIN, ACK) will sum up the connection. This process makes keeping track of the connection's state easier. State-full is a bit intelligent firewall. It keeps track of the flow of traffic and remembers the 'state' of the session. It only allows the good traffic to flow. Figure 3-23: Stateful Firewall Difference between Stateless and Stateful Firewall Stateless Firewall Stateful Firewall No session Session No login Login No basket Basket Static Content Dynamic Content Table 3-03: Difference between Stateless and Stateful Firewall Application-Aware Security Device As the name implies, it filters the traffic based on the application, a modern firewall technique. It is also named Application Layer Gateway, State-full Multilayer Inspection, and Deep Packet Inspection. Types of Firewall Packet Filtering Firewall A Packet Filtering Firewall includes access lists to permit or deny traffic based on layer three and layer four information. Whenever a packet hits an ACL configured layer three device's interface, it checks for a match in an ACL (starting from the first ACL line). 290 Chapter 03: Implementation Using an extended ACL in the Cisco device, the following information can be used to match traffic: ● ● ● ● ● Source Address Destination Address Source Port Destination Port Some extra features like TCP established sessions This table outlines the advantages and disadvantages of using packet filtering techniques: Advantages Disadvantages Cannot mitigate IP spoofing attacks. An attacker can compromise the digital Ease of implementation by using a assets by spoofing the IP source address permit and deny statements to one of the permit statements in the ACL Less CPU intensive than deep packet Difficult to maintain when ACL's size inspection techniques grows Configurable on almost every Cisco Cannot implement filtering based on IOS session states In scenarios in which dynamic ports are Even a mid-range device can perform used, a range of ports will be required ACL based filtering to be opened in ACL, which malicious users may also use Table 3-04: Advantages and Disadvantages of Packet Filtering Techniques Circuit-level Gateway Firewall A Circuit-level Gateway Firewall operates at the session layer of the OSI model. It captures the packet to monitor the TCP Handshake to validate whether the sessions are legitimate. Packets forwarded to the remote destination through a circuit-level firewall appear to be originated from the gateway. Application-level Firewall An Application-level Firewall can work at layer three up to layer 7 of the OSI model. Usually, a specialized or open-source software running on a high-end server acts as an intermediary between client and destination address. As these firewalls can operate up to layer 7, it is possible to control moving in and out of more granular packets. Similarly, 291 Chapter 03: Implementation it becomes challenging for an attacker to get the topology view of a trusted network because the connection request terminates on Application/Proxy firewalls. Some of the advantages and disadvantages of using application/proxy firewalls are: Advantages Disadvantages Granular control over traffic is possible As proxy and application, firewalls run by using information up to layer 7 of the in software. A very high-end machine OSI model may be required to fulfill the computational requirements The indirect connection between end Just like NAT, not every application devices make it very difficult to has support for proxy firewalls, and few generate an attack amendments may be needed in the current application architecture Detailed logging is possible as every Other software may be required for the session involves the firewall as an logging feature, which takes extra intermediary processing power Any commercially available hardware Along with computational power, high can be used to install and run proxy storage may be required in different firewalls on it scenarios Table 3-05: Advantages and Disadvantages of Application/Proxy Firewalls Stateful Multilayer Inspection-based Firewalls As the name suggests, this saves the state of current sessions in a table known as a stateful database. Stateful inspection and firewalls using this technique typically deny any traffic between trusted and untrusted interfaces. Whenever an end-device from a trusted interface wants to communicate with some destination address attached to the untrusted interface of the firewall, it will be entered in a stateful database table containing layer three and layer two information. The following table compares different features of stateful inspection-based firewalls. Advantages Disadvantages Helps in filtering Unable to mitigate application-layer attacks unexpected traffic It can be Except for TCP, other protocols do not have wellimplemented on a defined state information to be used by the firewall broad range of routers and firewalls 292 Chapter 03: Implementation Can help in mitigating denial of service (DDoS) attacks Some applications may use more than one port for a successful operation. An application architecture review may be needed to work after deploying the stateful inspection-based firewall. Table 3-06: Advantages and Disadvantages of Stateful Inspection-based Firewalls Transparent Firewalls Most of the firewalls discussed above work on layer three and beyond. Transparent firewalls work precisely like the techniques mentioned above, but the firewall's interfaces are layer 2 in nature. IP addresses are not assigned to any interface – think of it as a switch with ports assigned to some VLAN. The only IP address assigned to the transparent firewall is for management purposes. Similarly, as there is no extra hop between end devices, the user will not be aware of any new additions to the network infrastructure, and custom-made applications may work without any problem. Next Generation (NGFW) Firewalls NGFW is a relatively new term used for the latest firewalls with advanced feature sets. This kind of firewall provides in-depth security features to mitigate known threats and malware attacks. An example of next-generation firewalls is the Cisco ASA series with FirePOWER services. NGFW delivers complete visibility into network traffic users, mobile devices, Virtual Machines (VM) to VM data communication, etc. Personal Firewalls A Personal Firewall is also known as a desktop firewall. It helps to protect end-users personal computers from general attacks from intruders. Such firewalls appear to be a significant security line of defense for users who are constantly connected to the internet via DSL or cable modem. Personal firewalls help by providing inbound and outbound filtering, controlling internet connectivity to and from the computer (both in a domain-based and workgroup mode), and alerting the user of any intrusion attempts. Access control list (ACL) A series of rules through which the firewall determines whether to allow or restrict the traffic flow. It can also be called the group of variables (tuples) or security policies. Route security Quality of service (QoS) Quality of Service (QoS) is a network technology collection that ensures a network can run high-priority applications and traffic despite limited network capacity reliably. It is accomplished by QoS technologies, which provide differentiated handling and capacity allocation to specific flows in network traffic. Implications of IPv6 293 Chapter 03: Implementation End-to-end encryption is possible with IPv6. As used in modern VPNs, encryption and integrity-checking are standard components in IPv6, available for all connections and supported by compatible devices and systems. As IPv6 becomes more widely used, manin-the-middle attacks will become much more difficult. IPv6 also allows for more secure name resolution. The Secure Neighbor Discovery (SEND) protocol can provide cryptographic confirmation that a host is who it claims to be at the time of connection. Address Resolution Protocol (ARP) poisoning and other naming-based attacks are made more difficult as a result. An attacker can easily redirect traffic between two legitimate hosts and manipulate the conversation using IPv4. It is made difficult by IPv6. Port Spanning/Port Mirroring Port mirroring is a straightforward notion. One port is reserved while configuring a switch. The switch is then configured to "reflect" all traffic passing through that reserved port. As mentioned earlier, when the switch processes a packet, it is copied and sent to whatever is linked to the port. On a network switch, port mirroring sends a copy of network packets seen on one switch port (or an entire VLAN) to a network monitoring connection on another switch port. Port Taps The two most frequent methods for network traffic access used for data monitoring and security analysis are network TAP (Test Access Point) and SPAN (port mirroring). Monitoring Services The collection, analysis, and escalation of indicators and alerts to detect and respond to breaches on computer networks are known as network security monitoring. Proactive network searches for security data and "hunting" for suspicious behavior are common aspects of network security monitoring solutions. File Integrity Monitors As a member of the CIA trinity, file integrity refers to the processes and implementations to protect data from unauthorized alterations, such as cyber-attacks. The integrity of a file indicates whether it has been tampered with by unauthorized users after it was generated, while it was being stored, or while it was being retrieved. 294 Chapter 03: Implementation Mind Map Figure 3-24: Mind Map of Secure Network Design Wireless Security Settings The use of wireless networks has dramatically increased, and therefore, the security of the protocols used in a wireless network has become a vital determinant to observe safety. Its security can be ensured through the implementation of encryption. Cryptographic Protocols Cryptographic protocols refer to the cryptographic methods and their implementation to assure various vendors' equipment interoperability. All can have a secure wireless communication channel by configuring WPA and WPA 2 encryption that permits only people with a password to communicate. WiFi Protected Access II (WPA2)     Wi-Fi protected access to version 2 It is modern wireless encryption and was introduced in 2004. It uses AES (Advanced Encryption Standard) for encryption that replaced RC4. Also, it involves CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) that replaced TKIP. 295 Chapter 03: Implementation WiFi Protected Access III (WPA3)  The most recent iteration of common wireless network security is WPA3 (Wi-Fi Protected Access 3).  Even when a simple password is provided, WPA3 provides higher security than the WPA2 authentication mechanism. Counter-mode/CBC-MAC Protocol (CCMP)    Uses 128-bit keys and encrypts in 128-bit block size. Its services include Data confidentiality, Access control, and Authentication. For data confidentiality, it uses AES. Simultaneous Authentication of Equals (SAE)   For Mesh Networks, a Secure Password-Based Key Exchange is used. The technique produces a cryptographically strong shared secret that can secure other data, such as network communication. Passive, active, and dictionary attacks are all resistant to SAE. Authentication Protocols Extensible Authentication Protocol (EAP)    It stands for Extensible Authentication Protocol. It also serves as a framework for creating various types of authentication. WPA and WPA2 also use five various EAP types for authentication on wireless networks. Protected Extensible Application Protocol (PEAP)    It stands for Protected Extensible Authentication Protocol. It was developed by Microsoft, Cisco, and RSA for secure authentication. In PEAP, EAP is encapsulated into a tunnel (TLS tunnel). The encryption certificate is on the server-side, and all the EAP communication is sent over this TLS tunnel. EAP-FAST    One of the EAP types is EAP-FAST. It stands for EAP Flexible Authentication via Secure Tunneling. Cisco proposed it as a replacement of LEAP (Lightweight EAP) protocol that was used with WEP. It is a more secure protocol. 296 Chapter 03: Implementation EAP-TLS    It stands for EAP-Transport Layer Security or EAP over Transport Layer Security. EAP-TLS is a common way for encrypting web server traffic and authentication methods, and it is used widely. Common advantages include Strong security & support for various wireless network types. EAP-TTLS   It stands for EAP-Tunneled Transport Layer Security. It functions almost the same as EAP-TLS, as the server authenticates to the client with a certificate. Still, the client-side authentication is tunneled in this protocol that permits the use of legacy authentication protocols such as PAP, CHAP, MSCHAP, etc. IEEE 802.1x    A standard of authentication is commonly referred to as “Port-based NAC (Network Access Control).” Access is not granted until the authentication process is completed. Over wireless, IEEE 802.1x uses either EAP-based protocol or IEEE 802.11i. RADIUS Federation   As the name implies, RADIUS Federation simply means using RADIUS with the federation. Federation permits a member of one company to authenticate to another company’s network using standard credentials; no separate credentials are needed for visiting a distinct network. Methods For configuring wireless access points, there are various authentication methods available. PSK vs. Enterprise vs. Open System An open system without any set security means no password is needed for authentication in an available system. PSK is commonly named WPA-PSK because it uses WPA2 encryption with a secret key. It stands for Pre-Shared Key. It needs to be securely shared among users. There are various security problems in organizations associated with using a shared key, and WPA Enterprise helps reduce those problems. It authenticates all the users individually with an authentication server. 297 Chapter 03: Implementation WPS It stands for Wi-Fi /Protected setup that was initially called ‘Simple Wi-Fi config.’ Using WPS, there are various ways of authentication such as; Using an 8-digit PIN that is configured on the access point (add that PIN to the mobile device), Pushing a button on the access point, NFC-Near Field Communication (bring mobile near the access point). Captive Portal Another authentication method for wireless networks is a captive portal. A pop-up that you see when you open a browser and asks you for credentials. It is known as a captive portal. Installation Considerations Site surveys Site surveys are used to determine the number and location of access points (APs) required for a facility to achieve full and efficient wireless coverage. Signal interference and outside access flaws that unauthorized users could access can also be detected through surveys. Heat maps A wireless heat map is a visual representation of the condition of wireless network signal coverage across a specific area that can assist network engineers in visualizing wireless network coverage, identifying dead zones, adjusting, and improving range in the wireless network environment. WiFi analyzers The Wi-Fi Analyzer app, which has been named one of the 15 most useful Android apps, one of The Best Apps for Fixing Your Wifi, and featured in The NY Times Wirecutter – The Best Wi-Fi Router, allows users to optimize their current Wi-Fi network by examining surrounding networks, identifying crowded. Channel overlays Peer-to-peer networks, IP networks, and virtual Local Area Networks are examples of overlay networks (VLANs). Because their IP addresses identify endpoints, the Internet, which employs layer-3 IP addressing, is an overlay network. Controller and access point security In 802.11 wireless deployments, the central node is the Access Point (AP). It is the connection point between the wired and wireless networks, where all wireless clients connect and exchange data. 298 Chapter 03: Implementation Mind Map Figure 3-25: Mind Map of Secure Network Design Implement Secure Mobile Solutions Security for mobile devices needs a multi-layered approach as well as a financial commitment to enterprise solutions. Some of the primary vital elements are described below: Connection Methods and Receivers The following are some ways that one can use to connect portable technology: Cellular Network ▪ ▪ ▪ Through this, our cell phones can communicate over a vast network separated into sectors called cells. An antenna in mobile phones can communicate to the antenna that may be in the local areas. There are various security concerns with this, i.e., Traffic monitoring, Location tracking, Wide access to mobile devices. Wi-Fi ▪ ▪ Another common way to connect devices is through Wi-Fi. We have to make sure that every data that is being sent or received is encrypted. 299 Chapter 03: Implementation ▪ If the data is not encrypted, a man-in-the-middle and denial-of-service attack risk will increase. Standard Frequency Modulation Speed 802.11a 5 GHz OFDM 54 Mbps 802.11b 2.4 GHz DSSs 11 Mbps 802.11g 2.4 GHz OFDM, DSSS 54 Mbps 802.11n 2.4 - 5 GHz OFDM 54 Mbps 802.16 (WiMAX) 10 - 66 GHz OFDM 70-1000 Mbps Bluetooth 2.4 GHz 1 – 3 Mbps Table 3-07: Wireless Network Speed Comparison Near Field Communication (NFC) ▪ ▪ ▪ It is commonly used when the communication is between the mobile device and a device that is nearby. Commonly used in the payment system. It is also used to help with other wireless technologies, like supporting the pairing process for Bluetooth. It is also used as an identity system where one can identify themselves using the phone. Some of the security concerns with NFC are as follows: ▪ ▪ ▪ ▪ It is a wireless network (although short-range), but someone with an antenna can capture and listen to the conversation. Someone could jam the frequency and attack through denial of service. There is also a concern about replay attacks. If an NFC device is lost, it could be a significant security issue because the person who stole the device will use that NFC instead of the legitimate user. IR (Infrared) ▪ ▪ In modern times, it is used in phones, tablets, and smart-watches to control IR devices. It could also be used for file transfer. USB (Universal Serial Bus) ▪ ▪ ▪ Most standard mobile device connections. It uses the physical wired connection. It is more secure than wireless protocol. 300 Chapter 03: Implementation Bluetooth ▪ ▪ ▪ Bluetooth allows for an automatic and wireless connection, but it can also expose data to interception, providing a considerable security concern. Hackers regularly use Bluetooth to send malicious files and viruses. The best way to reduce the risk is to turn off the Bluetooth of the device. Point-to-point Point-to-point encryption secures (encrypts) payment card data from the time of capture, such as when a card payment terminal scans the card until it reaches the secure decryption endpoint. The fundamental characteristic of P2PE Solutions is point-topoint encryption. Point-to-multipoint Point-to-multipoint communication is a type of one-to-many communication in which many paths from a single point to multiple points are available. This technique is commonly used in wireless communications with a large number of end destinations or end-users. Global Positioning System (GPS) ▪ ▪ ▪ The GPS (Global Positioning System) is a "constellation" of around 30 satellites that orbit the Earth and allow anyone with a terrestrial receiver to pinpoint their location. The location precision for most equipment is between 100 and 10 meters. The Global Positioning System (GPS) was developed to help military and civilian users pinpoint their exact location. It is based on the utilization of Earth-orbiting satellites that supply data that enables the measurement of the distance between the satellites and the user. RFID RFID (Radio Frequency Identification) attacks include multiple attacks like: ▪ ▪ ▪ ▪ Data Capture Spoof the Reader Denial of Service Decryption of Communication Mobile Device Management (MDM) The primary purpose of implementing Mobile Device Management (MDM) is to deploy, maintain, and monitor mobile devices that make up the BYOD solution. Devices may include laptops, smartphones, tablets, notebooks, or any other electronic device that can be moved outside the corporate office to home or some public place and then gets connected to the corporate office by some means. 301 Chapter 03: Implementation Some of the functions provided by MDM are: ▪ ▪ ▪ ▪ ▪ Enforcing a device to be locked after certain login failure attempts. Enforcement of firm password policy for all BYOD devices. MDM can detect any attempt at hacking BYOD devices and then limit the network access of these affected devices. Enforcing confidentiality by using encryption as per the organization's policy. Administration and implementation of Data Loss Prevention (DLP) for BYOD devices. It helps to prevent any data loss due to the end user's carelessness. Application management Application management is a difficult task. Not all applications are safe, and some are malicious, which is a rising security issue. Content management A management challenge is to check and update the whitelist constantly. Remote wipe ▪ ▪ ▪ Remote wipe is the security requirement of the security administrator. It removes all the data from the mobile device, often managed by Mobile Device Management. It secures the data from unauthorized access if the device is lost, so it is essential to back up some private data. It needs to be configured ahead of time. Figure 3-26: Remote Wiping Geofencing Geofencing is a location-based approach that allows a physical location to be given virtual boundaries. These virtual perimeters can be shown on a map and used to initiate actions or alerts when people enter, exit, or remain in the region. 302 Chapter 03: Implementation Geolocation Geolocation is the process of identifying and tracking the location of linked electronic devices using location technologies such as GPS or IP addresses. Geolocation is widely used to track and monitor people's movements and locations because these devices are frequently carried on their person. Some of the critical points of Geolocation are: ▪ ▪ ▪ ▪ ▪ Based on GPS or signals triangulation or other techniques, geo-locate the device. In case a mobile device is lost, you can easily track where it is. However, this can also be used for an evil purpose, like someone could know precisely where you are or be able to track where you happen to be, based on the mobile device's location. The mobile device allows you to enable or disable this feature. It is usually managed through Mobile Device Manager. Screen locks ▪ ▪ ▪ A key security feature of any mobile device is to have that device lock its access. Allows access to the device if the passcode or password is known. The password can either be Numeric or Alphanumeric. You can set an option through the mobile device manager and set it as the requirement to access any data in the device. ▪ You can also decide what to do with the device on which password is entered wrong too many times. ▪ You get to choose what that lockout policy might be. Like; Erase the data on the device. ▪ Slow down the process to prevent brute force attacks. Push notifications Push notifications are messages delivered directly to a user's mobile device. They can appear on the lock screen or at the upper part of a mobile device. An app publisher can only send a push notification if the user has the app installed. Passwords and pins The PIN or password is used as the Key to decrypt data stored on an encrypted mobile device. A Personal Identification Number (PIN) is a numerical code used in many computerized financial transactions. Payment cards are often allocated unique identification numbers, which may be required to complete a purchase. A password is a string of characters used to validate a user's identity during the authentication process. Passwords are often used in conjunction with a username and are intended to be known only by the user to access a device, application, or website. 303 Chapter 03: Implementation Passwords come in many shapes and sizes and can include letters, numbers, and special characters. Biometrics ▪ ▪ ▪ ▪ An intelligent way to set security control on the mobile device. The user can use face or fingerprint to gain access, but this is not the most secure option. It is much more secure to use a password or passcode rather than biometric security. It is turned on and off through MDM (Mobile Device Management). Context-aware authentication Context-aware authentication is a little beyond two-factor authentication. There, the user can check another type of access to the device that can help to determine if the device is in the hands of the right person. It may not qualify as the only type of authentication, but it could be another security check. The decisions are made upon the following factors: ▪ ▪ ▪ Where the user logs typically in. Where the user is typically frequent (GPS). Another device that may be paired (Bluetooth). Containerization ▪ ▪ ▪ ▪ Containerization is implemented where it is difficult for the user to maintain both personal and business data. Security management is complex for someone who uses a mobile phone for corporate use at work and after work; it is used as a personal phone. Containerization helps to separate an organization's data and application from the user's personal data and application. It creates a virtual container for company data that can also help wipe all the organization's data if someone leaves the organization instead of wiping all the mobile device data, keeping personal data secure. Storage segmentation ▪ ▪ ▪ One technique to protect firm data on mobile devices is to use storage segmentation. It encrypts data and stores it in a secure region of the user's device. Access to this segregated region is usually encrypted and requires authentication. By isolating traffic, segmentation can increase performance, reduce congestion, compartmentalize communication concerns like broadcast storms, and improve security. 304 Chapter 03: Implementation Full device encryption ▪ ▪ ▪ ▪ Full device encryption is a popular method used by people these days. No one could gain access to the encrypted data in case the device is lost. It is handled in different ways by different devices and different operating systems. For example: In Android, the encryption is configured from strong to most substantial level to the mobile device. Therefore, it is suggested and advised not to forget the passcode and keep a backup of all the data and passcode because if the passcode is lost, the user will not be able to gain access to the mobile data. Mobile Devices MicroSD HSM A hardware security module in the shape of a microSD card is known as a MicroSD HSM. It offers encryption, key generation and key life cycle management, digital signature, authentication, and other cryptographic capabilities, all of which are powered by hardware-based crypto engines. MDM/Unified Endpoint Management (UEM) Mobile device management software allows IT managers to regulate, secure, and enforce policies on smartphones, tablets, and other endpoints. Unified Endpoint Management (UEM) refers to the use of MDM to control PCs. Mobile Application Management (MAM) MAM (Mobile Application Management) is software that secures and allows IT to handle enterprise applications on end users' corporate and personal cellphones and tablets. On the same device, it also separates corporate apps and data from confidential material. SEAndroid Security Enhancements for Android (SEAndroid) is a security solution for Android that finds and fixes significant flaws. SEAndroid improves data isolation between programs by regulating Inter-Process Communication (IPC) between apps and system services. Enforcement and Monitoring Third-party application stores They are typically installed as application packages over the USB interface on Android devices or as IPA files on jailbroken iOS devices. By using a computer, these packages are often downloaded through third-party program stores like Amazon, Getjar, Mobogenie, Slide, and Appbrain. 305 Chapter 03: Implementation Rooting/jailbreaking To "jailbreak" a phone means to give the owner complete access to the operating system's root and all of its functions. Rooting is a phrase used to describe eliminating restrictions from an Android phone or tablet, similar to jailbreaking. Sideloading Installing an application on a mobile device without utilizing the device's official application distribution method is known as sideloading. Third-party apps may have not been scanned for Malware and are therefore pirated. Custom firmware Firmware is software that controls and configures the hardware components of a platform. Many of the protections required to secure the device and operating system are set up by firmware. Configuring hardware security settings, verifying boot, and handing over to the operating system are all part of this process. Carrier unlocking Unlocking your phone entails removing the carrier lock that prevents many devices from running on competing for cellular networks. After opening it, you can bring your phone to a carrier on a suitable network and sign on to their services. Firmware Over-the-Air (OTA) updates The method of remotely upgrading the code on an embedded device is known as overthe-air firmware updates. After a device has been deployed in the field, install new software features to increase functionality over time. A wireless technique of sending new software or firmware to mobile phones and tablets is known as over-the-air updating. The OTA update can be done in two ways: automatically or manually. Camera use Tracking, bugging, monitoring, eavesdropping, and recording conversations and text messages on mobile phones are all part of cellphone surveillance (also known as cellphone spying). It also includes the tracking of people's movements using mobile phone signals when phones are turned on. Following are some examples of the camera types:        Box Camera Dome Camera PTZ Camera Bullet Camera IP Camera Day/Night Camera Thermal (FLIR) Camera 306 Chapter 03: Implementation  Camera USB On-The-Go (USB OTG) USB On-the-Go (OTG) allows two USB devices to communicate without the need for a computer. OTG introduces the Dual-Role Device (DRD), which may serve as both a host and a peripheral. The fact that a host and peripheral can swap roles if necessary is part of the charm of OTG. Recording microphone A microphone is an electronic device that converts sound waves in the air into electronic signals or records them on a medium. Microphones are used in various audio recording devices for multiple applications, including communications, music, and voice recording. GPS tagging The location services linked with your computer system, network, or mobile devices perform geotagging. To track the position of their subscribers, most social networks and related services employ some type of geotagging. It allows users to add their current location to their articles and updates. WiFi direct/ad hoc Wi-Fi Direct (also known as peer-to-peer or P2P) enables your software to swiftly locate and interact with neighboring devices over a longer distance than Bluetooth allows. WiFi peer-to-peer APIs would allow applications to connect to adjacent devices without a network or hotspot requirement. Tethering Tethering uses a mobile device (such as a smartphone) as a modem to link another device to the Internet, such as a laptop or another mobile phone. To do this, the phone must be capable of using mobile data. Tethering is one way to make a mobile hotspot (an ad hoc wireless access point). Hotspot A hotspot is a physical site where individuals can connect to the Internet via a Wireless Local Area Network (WLAN) using a router connected to an Internet service provider, generally utilizing Wi-Fi. These locations are commonly called "Wi-Fi hotspots" or "WiFi connections." Hotspots are physical locations where users may connect their mobile devices to the Internet wirelessly, such as smartphones and tablets. A hotspot can be found in private or public venues, such as a coffee shop, hotel, airport, or even an airline. While many public hotspots provide free wireless connectivity through an open 307 Chapter 03: Implementation network, others charge a fee. You will discover how to connect a mobile device to a WiFi hotspot later in the tutorial. Payment methods Mobile payment is a cash payment made with a portable electronic device such as a tablet or cell phone for a product or service. Mobile payment systems, such as PayPal and Venmo, can also be used to send money to friends and family members. Deployment Models Bring Your Device (BYOD) ▪ ▪ ▪ ▪ BYOD stands for Bring Your Device or Bring Your Own Technology. One of the most common ways for Mobile Device Deployment. Employees own the device, bring their phones into the workplace, and use them simultaneously for corporate and personal use. The device needs to meet the requirement of the company. The challenge concerning the security is that it is difficult to manage these devices because it contains both corporative and personal information/data. Corporate-Owned Personally Enabled (COPE) ▪ ▪ ▪ ▪ It stands for Corporate Own, Personally Enabled. The company purchases the device, and it is used for both personal and corporate use. The organization usually keeps control of the device through a centralized mobile device, and it is managed similarly as the company manages laptops and desktop computers. Everything stored is under the preview of the company. Choose Your Device (CYOD) CYOD is an employee provisioning model in which an employer lets employees choose their own mobile devices from a limited set of possibilities. With this strategy, it is also easier to protect its data from both external and internal dangers. Corporate-Owned - Virtual Desktop Infrastructure (VDI) ▪ ▪ ▪ ▪ ▪ ▪ It is the most popular mobile deployment model. It stands for Virtual Desktop Infrastructure/Virtual Mobile Infrastructure. Applications are separated from the mobile devices that the employees use. Data and applications are running on the remote server, and the employees are simply using their mobile device as a window into that application. Data is securely stored in the centralized area and not on the mobile device. No data will be lost if the device is lost. 308 Chapter 03: Implementation ▪ ▪ The application is written once for the VMI platform, and everyone can access it through that platform. The application is managed centrally, and no need to update all devices. Mind Map Figure 3-27: Mind Map of a Secure Network Design Cybersecurity Solutions to the Cloud Cloud Security Controls Cloud Security Cloud Computing Security refers to the security implementation and deployment of a system to prevent security threats. Cloud security includes control policies, deployment of security devices such as application firewalls and Next-Generation IPS devices, and strengthening the cloud computing infrastructure. It also has actions at the service provider end as well as the user end. Cloud Security Control Layers Application Layer Several security mechanisms, devices, and policies provide support at different cloud security control layers. At the application layer, web application firewalls are deployed to filter traffic and observe its behavior. Similarly, Systems Development Life Cycle (SDLC), Binary Code Analysis, and Transactional Security provide security for online transactions, script analysis, etc. Information 309 Chapter 03: Implementation Different policies are configured to monitor data loss to provide confidentiality and integrity of information communicated between Client and server. These policies include Data Loss Prevention (DLP) and Content Management Framework (CMF). Data Loss Prevention (DLP) is a feature that prevents information from leaking from the network. Traditionally information may include a company or organization's confidential, proprietary, financial, and other sensitive information. The Data Loss Prevention feature also ensures compliance with rules and regulations using Data Loss Prevention policies to prevent users from intentionally or unintentionally sending out confidential information. Management Security regarding cloud computing management is performed through different approaches such as Governance, Risk Management, Compliance (GRC), Identity and Access Management (IAM), and Patch and Configuration management. These approaches help to control and manage secure access to resources. Network Layer There are solutions available to secure the network layer in cloud computing, such as deploying Next Generation IDS/IPS devices, Next-Generation Firewalls, DNSSec, AntiDDoS, OAuth, and Deep Packet Inspection (DPI). The Next Generation Intrusion Prevention System, known as NGIPS, is one of the most efficient and proactive components in the Integrated Threat Security Solution. NGIPS secures a network's complex infrastructure by providing a solid security layer with deep visibility, increased security intelligence, and advanced protection against emerging threats. Cisco's NGIPS provides deep network visibility, automation, security intelligence, and next-level protection. It uses the most advanced and effective intrusion prevention capabilities to catch emerging sophisticated network attacks. It continuously collects information regarding the network, including Operating System information, file and application information, device and user information, etc. This information helps NGIPS map the network maps and host profiles, providing contextual information to make better decisions about intrusive events. Trusted Computing Validating each hardware and software component from the end entity to the root certificate establishes the Root of Trust (RoT). Its goal is to ensure that only trustworthy software and hardware may be utilized while still allowing for flexibility. Computer and Storage Cloud computing and storage can be secured by implementing Host-based Intrusion Detection or Prevention Systems HIDS/HIPS. Examples of these are Configuring Integrity Check, File System Monitoring and Log File Analysis, Connection Analysis, 310 Chapter 03: Implementation Kernel Level Detection, Encrypting the Storage, etc. Host-based IPS/IDS is typically deployed to protect a specific host machine, and it works strictly with the machine's Operating System Kernel. It creates a filtering layer to filter out any malicious application call to the OS. Physical Security Physical security is always a priority for securing anything. As it is also the first layer OSI model, any security configuration will not be effective if a device is not physically secure. Physical security includes protection against artificial attacks such as theft, damage, and unauthorized physical access and the environmental impact such as rain, dust, power failure, fire, etc. High Availability Across Zones High Availability (HA) refers to systems that are reliable enough to operate without interruption. They've been thoroughly tested and may include redundant components. The term "high availability" refers to systems that provide high operational performance and quality over a long period. The ability of computing infrastructure to continue to function even if some of its components fail is referred to as high availability. The number "nine" is often used to indicate a high level of Availability. "Five nines," for example, denotes a system that is operational 99.999 percent of the time. Resource policies A cybersecurity policy offers guidelines for activities, including email attachment encryption and social media usage restrictions. Cyberattacks and data breaches can be expensive; thus, cybersecurity standards are crucial. Secrets management Secrets management refers to the tools and processes used to manage digital authentication credentials (secrets) such as passwords, keys, APIs, and tokens for usage in applications, services, privileged accounts, and other sensitive parts of the IT ecosystem. Integration and auditing A security audit is a method of evaluating the security of a company's information system by analyzing how well it meets a set of criteria. These audits are the three fundamental types of security diagnostics, together with vulnerability assessments and penetration testing. 311 Chapter 03: Implementation Storage The Storage Security Audit is a professional, methodical assessment and verification of storage infrastructure security and information management procedures. A third party or an internal audit function performs it. Permissions Permissions to read, write, and delete files on a computer are granted to a user or an application. Access permissions can be assigned to a specific client or server and directories within that system, programs, and data files. Encryption The use of encryption for data in transit and on storage media is referred to as storage encryption. Data is encrypted as it travels to storage devices like hard disks, tape drives, and the libraries and arrays that house them. Replication The process of transferring data from one location to another is known as data replication. In a disaster, the technology allows an organization to have up-to-date copies of its data. Reproduction can occur on a storage area network, a local area network, or a vast area network, and in the cloud. High Availability High Availability refers to an architecture in which one or more servers run parallel with the main one. The other servers are operational in this situation and share the burden with the primary server. A continuously operating storage system is known as HighAvailability Storage (HA storage). Redundancy is a key element of high-availability storage because it allows data to be stored in multiple locations and removes Single Points of Failure (SPOF). Network Virtual networks A virtual network uses software to connect virtual machines and devices, regardless of their location. In addition, network adapters and physical Network Interface Cards (NICs) are used to link computers and servers to the network. These and other tasks are shifted to software by virtual networking. Public and private subnets "Send all outgoing traffic (anything to the CIDR block 0.0. 0.0/0) via this internet gateway," says a routing table for a public subnet. A private subnet either does not allow outward traffic to the Internet or includes a route that says, "All outbound traffic must go via this NAT gateway." 312 Chapter 03: Implementation Let consider the major components of the configuration for public and private subnets as depicted in the diagram below. Figure 3-28: Public and Private Subnets This scenario's configuration contains the following: 1. A VPC had an IPv4 CIDR block size of /16 (for example, 10.0.0.0/16). There are 65,536 private IPv4 addresses available as a result of this. 2. A public subnet with an IPv4 CIDR block size of /24 (for example, 10.0.0.0/24). It gives you 256 unique IPv4 addresses. A public subnet has a route to an internet gateway and is coupled with a routing table. 3. A private subnet with an IPv4 CIDR block size of /24 (for example, 10.0.1.0/24). It gives you 256 unique IPv4 addresses. 4. A doorway to the Internet. It establishes a connection between the VPC and the Internet as well as other AWS services. 5. Instances in the subnet range with private IPv4 addresses (examples: 10.0.0.5, 10.0.1.5). It allows them to communicate with one other as well as other VPC instances. 6. Elastic IPv4 addresses, which are public IPv4 addresses that allow them to be reached via the Internet, are assigned to instances in the public subnet. Instead 313 Chapter 03: Implementation of Elastic IP addresses, public IP addresses can be assigned to the cases at launch. 7. A NAT gateway with an Elastic IPv4 address of its own. Through the NAT gateway, instances on the private subnet can transmit IPv4 queries to the Internet (for example, for software updates). 8. The public subnet is coupled with a custom route table. This route table includes an entry that allows instances in the subnet to communicate over IPv4 with some other cases in the VPC and an admission that enables subnet-models to communicate directly with the Internet. 9. It is the main route table for the private subnet. The route table includes an entry that allows instances in the subnet to communicate over IPv4 with some other cases in the VPC and an admission that will enable models in the subnet to connect over IPv4 with the Internet via the NAT gateway. Segmentation Reasons for segmentation are as follows: Security: The user should not communicate directly to the database server. Performance: High bandwidth application. Compliance: Mandated segmentation (PCI compliance). Physical Segmentation In physical segmentation, the devices are physically divided. Logical Segmentation In logical segmentation, the devices are logically divided into different segments, such as configuring VLANs. API inspection and integration API security is a broad phrase that refers to procedures and technologies that protect application program interfaces from malicious attacks or misuse (API). APIs, or application programming interfaces, make software development and innovation easier by allowing apps to communicate data and functionality securely. APIs have become a target for hackers since they are essential for designing web-based interactions. Compute Security groups User accounts, computer accounts, and other groups are grouped into security groups. Various built-in accounts and security groups in the Windows Server operating system are set up with the proper rights and permissions to execute specific activities. 314 Chapter 03: Implementation Dynamic resource allocation Dynamic resources, like a forklift, travel along with a predetermined path network and can deliver entities between locations. They may also be required to process entities in many places, such as an operator executing multiple jobs. Instance awareness A virtual server instance from a public or private cloud network is referred to as a "cloud instance." In cloud instance computing, a single piece of hardware is turned into software that runs on several computers. A cloud server can easily be relocated from one physical machine to another without causing any downtime. Virtual Private Cloud (VPC) Endpoint A VPC endpoint enables private connections between your VPC and AWS services that are supported, as well as VPC endpoint services offered by AWS PrivateLink. To communicate with resources in the service, instances in your VPC do not require public IP addresses. Virtual devices are VPC endpoints. Container security Container security refers to using security tools and rules to protect a container, its application, and its performance against cyber security threats, such as those posed by infrastructure, software supply chain, system tools, system libraries, and runtime. Solutions Cloud Access Security Broker (CASB) By integrating CASB, you can make security policies work in the cloud. It can be implemented as client software, local security appliances, or a cloud-based security solution. CASB provides Visibility, Compliance, threat prevention, and data security. Application security OWASP stands for Open Web Application Security Project. OWASP provides unbiased and practical information about computer and internet applications. According to OWASP, the top 10 mobile threats are: OWASP Top 10 Mobile Risks (2016) OWASP Top 10 Mobile Risks (2014) Improper Platform Usage Weak Server-Side Controls Insecure Data Storage Insecure Data Storage Insecure Communication Insufficient Protection 315 Transport Layer Chapter 03: Implementation Insecure Authentication Unintended Data Leakage Insufficient Cryptography Poor Authorization Authentication Insecure Authorization Broken Cryptography Client Code Quality Client-Side Injection Code Tampering Security Decisions Via Untrusted Inputs Reverse Engineering Improper Session Handling Extraneous Functionality Lack of Binary Protections and Table 3-08: OWASP Top 10 Mobile Risks Next-generation Secure Web Gateway (SWG) A Next-Generation Secure Web Gateway (NG SWG) is a new cloud-native solution for protecting businesses against sophisticated cloud-based threats and data dangers. It is the natural next step after the secure web gateway, commonly known as a web proxy or filter. Firewall considerations in a cloud environment Like a regular firewall, a cloud firewall is a security solution that filters out potentially dangerous network traffic. Cloud firewalls, unlike traditional firewalls, are hosted in the cloud. This cloud-based firewall delivery paradigm is also known as firewall-as-a-service (FWaaS). Traditional firewalls build a virtual barrier around an organization's internal network, while cloud-based firewalls form a barrier surrounding cloud platforms, infrastructure, and applications. Cloud firewalls can also protect On-premise infrastructure. Cloud-native controls vs. third-party solutions Customers frequently inquire about whether they should utilize cloud-native security measures or third-party solutions. Of course, the answer is not simple. When asked what "third-party security solutions" means, most people say they want to use their existing on-premise security measures. After all, using current tools gives you a sense of security. Who is in charge of cloud security? Customers regularly ask if they should use third-party security solutions or cloud-native security measures. Of course, the Key is not straightforward. Most people answer they wish to use their existing on-premise security measures when asked what "third-party security solutions" entails. Using modern tools, after all, provides you a sense of security. 316 Chapter 03: Implementation The following are the obligations of the cloud provider: ▪ ▪ ▪ ▪ The cloud provider's physical facilities, software, network, and hardware are all protected Security at the server level, i.e., protection against attacks that affect the entire cloud server Assuring that their systems are always up to date and that they have all of the essential updates installed Providing services and contingencies for company continuity in the event of an accident or system breakdown Table 3-09: Comparison between the Native Security Tools Offered by the Cloud Service Providers and Cloud Control 317 Chapter 03: Implementation Mind Map Figure 3-29: Mind Map of Cybersecurity Solutions to the Cloud Implement Identity and Account Management Controls Identity Identity management and access control are controlling access to organizational resources to keep systems and data secure. As a vital component of your security architecture, it can help validate your users' identities before granting them proper access to workplace systems and information. Identity Provider (IdP) A service that saves and manages digital identities is known as an Identity Provider (IdP). These services are used by businesses to link their staff or users to the resources they require. They allow you to manage access by adding or deleting rights while maintaining strict security. Certificates The purpose of an Identity Certificate is similar to a root certificate except that it provides the public Key and identity of a client's computer or device. An excellent example of this is a client router or web server that wishes to make SSL connections with other peers. 318 Chapter 03: Implementation Signed Certificate vs. Self-signed Certificate Self-signed Certificates and Signed Certificates from a Certificate Authority (CA) provide security in the same way. Communication using these types of certificates is protected and encrypted by high-level security. The presence of a Certificate Authority implies that a trusted source has certified the transmission. Signed Security Certificates are purchased, whereas Self-signed Certificates can be configured to optimize cost. A third-party Certificate Authority (CA) requires domain ownership verification and other verification to issue a certificate. Tokens The token generator generates pseudorandom tokens that are used along with various authentication methods. SSH keys An SSH key is a network protocol access credential for the SSH (secure shell). This authenticated and encrypted secure network protocol is employed for remote communication between machines on an unsecured open network. Remote file transmission, network administration, and remote operating system access are all possible with SSH. Smart cards These cards are inserted into the computer. Usually, these cards are combined with a Personal Identification Number or PIN. If some unauthorized person may access your card, he may have to provide that additional information or PIN. Account Types User account It is a type of account that is most common among users and associated with a single person. It allows limited access to the operating system. The user account assigns each user a particular identification number. Multi-users can use the same computer to access their resources only by using a User Account, which keeps each user's data secure from another unauthorized user. By using the User Account, multi-user can log in to the same computer and but they can only access their resources. Shared and generic accounts/credentials As the name suggests, this account can be used by more than one person. For example, some operating systems allow users to log in to a guest account (Guest Login). The shared understanding is difficult to manage because it is hard to identify the person logging in. If the shared account password is changed, then everyone needs to be notified that the password is changed, which brings complexity to the management of 319 Chapter 03: Implementation the password. It is recommended to use a User account on the system rather than Shared Account. Guest accounts User accounts are necessary for any system. The operating system includes several different users' accounts. These users are assigned additional privileges. The system administrator may have to enable or disable default user account such as guest accounts and modify the credentials of root accounts. If you disable a guest account, it means you have created a limit on people accessing your system. By disabling interactive login for the account used as a service, the only actual user can log in interactively to the operating system. Service accounts The operating system or services of the operating system using an internal account is referred to as Service Account. It is used to run a database or web server and used only on the local computer; no user can log in interactively. Different types of access permission can be set up for various services when using Service Account, meaning database and web server rights may vary. Some of the services accounts require a username and password, and some do not. Account Policies Password complexity To make the solid and unrecognizable password, one must use a combination of uppercase letters and lowercase letters, numbers, and symbols and must belong (that can easily be remembered). The organizations can set rules for password requirements like the password must be of a 12-character length and must contain uppercase and lowercase letters plus at least one number and symbol. Password history The number of unique new passwords that must be connected with a user account before an old password can be reused is determined by the Enforce password history policy setting. Users can change their password as many times as they need to reuse their original password if you do not specify a minimum password age. Password reuse Password reuse is a big security problem in every organization. Many users want to keep their account passwords the same as long as they can. The longer a password is used for a given account, the more likely it is that an attacker will be able to brute force it out. 320 Chapter 03: Implementation Network location A network location is a profile with a set of network and sharing options applied to the network to which you are connected. Features like file and printer sharing, network discovery, and others may be enabled or blocked depending on the network location allocated to your active network connection. Geotagging Geotagging is used in the Accounting Policies image result. Users can utilize geotagging to find a range of location-specific information from their devices. For example, by inputting latitude and longitude coordinates into a proper image search engine, someone can see images taken near a specific location. Time-based logins Period-based authentication is a standard method of granting access to an area by recognizing a person at an entrance and opening the barrier at a predetermined time. It has no bearing on the person's ability to remain in the admitted area after going over the barrier Access policies Different permission levels are associated with the Publisher and Advertiser accounts that users have access to. These are the permissions: Owner - Has full write access to the history and can manage Users with various access levels. Account permissions Different permission levels are associated with the Publisher and Advertiser accounts that users have access to. These are the permissions: Owner - Has full write access to the history and can manage Users with various access levels. Account audits Internal audit accounting is a procedure that focuses on reducing risk and identifying cost-cutting opportunities. Audit accountants can also be independent specialists that conduct external audits of a company's financial statements. Impossible travel time/risky login A risky login is a calculation that determines the likelihood of an identity being stolen. Administrators can use this risk score signal to decide whether or not to enforce administrative regulations. Users must have previously registered for a self-service password reset before triggering the user risk policy. Lockout Account lockout means that the account is temporarily blocked due to incorrect password entry too many times. Automatic Lockout is very common on most systems. 321 Chapter 03: Implementation Disablement Account disablement policies specify what happens to accounts when employees leave permanently or for a while. Most regulations require administrators to disable the report as quickly as possible to prevent ex-employees from accessing it. Mind Map Figure 3-30: Mind Map of Account Management Controls Implement Authentication and Authorization Solutions Authentication Management In addition to the standard authentication techniques of login/password, authentication management enables the development of connection processes utilizing authentication mechanisms using physical tokens (smart cards, USB keys, RFID badges), biometrics, or mobile phones. Password keys A key is a piece of information that may be used to lock and unlock cryptographic functions like encryption, authentication, and authorization. An interactive technique for two or more parties to establish cryptographic keys based on one or more parties' knowledge of a password is called a password-authenticated key agreement method. Password vaults A password vault, often known as a password manager, is a tool that securely saves and encrypts usernames and passwords for various applications. A single login and password 322 Chapter 03: Implementation are required to access the password vault. Google or Apple may store your password information in certain instances. Trusted Platform Module (TPM) Replacing and formatting the existing hard drive will not be enough to provide security to it. It is better to take advantage of the built-in Trusted Platform Module (TPM), an embedded security chip that stores encrypted keys, passwords, and digital certificates. Different services can use the TPM chip even without the cost of this service. When you use the TPM with a BIOS-level Administrator password and a User password required at power-on, the system becomes virtually useless to a thief. A piece of hardware that is in charge of handling all the cryptographic functions. TPM contains persistent memory that comes with unique keys. It also has versatile memory that stores configuration information, storage keys, or other different types of data. TPM is password protected (requires authentication for gaining access), and there is no chance of dictionary attack on TPM. Figure 3-31: Internal components of TPM 323 Chapter 03: Implementation Hardware Security Module (HSM) It manages and stores keys in a secure location by keeping the backup of the Key. HSM provides facilities for Cryptographic functions like hashing, encryption, etc. To restrict access to the Key that HSM secures, it has a technique called the tamper protection technique. It is a peripheral device that is usually "attached through USB or a network connection." Figure 3-32: Hardware Security Module Knowledge-based authentication Knowledge-based authentication, or KBA, is a type of authentication that aims to establish the identity of someone using a service like a financial institution or a website. It is a type of authentication that aims to verify that the individual giving identifying information is, in fact, that person. KBA, as the name implies, is based on the individual's knowledge. Authentication The part of the framework deals with the authentication of any person who claims to be authorized. For that, the person generally provides ID and password and usually other additional authentication data. EAP ▪ ▪ ▪ It stands for Extensible Authentication Protocol. It also serves as a framework for creating various types of authentication. WPA and WPA2 also use five various EAP types for authentication on wireless networks. 324 Chapter 03: Implementation Challenge Handshake Authentication Protocol (CHAP) CHAP is the abbreviated form of Challenge Authentication Protocol. For delivering credentials over the network, it uses an encrypted challenge. A three-way arrangement is used by CHAP for authentication that is: 1. The Client sends credentials to the server, and in response, the server sends an encrypted challenge to the Client. 2. The Client responds to the challenge with a hash by combining the password and the challenge. 3. The server compares its database information (it is hash) with the soup it has received. If both matches, the user's authentication is correct and authorized to communicate over the network. Figure 3-33: CHAP Authentication Process The challenge and response mechanism happens multiple times during the connection without the user being aware of it. CHAP Authentication Commands Configuring Hostname Router(config)#hostname R1 Configuring remote router R1(config)# username hostname for incoming requests password <password> <remote_username> PPP Encapsulation Command R1(config-if)#encapsulation ppp PPP Authentication with PAP R1(config-if)#ppp authentication chap PPP Debugging Command R1#debug PPP authentication Table 3-10: CHAP Authentication Commands Password Authentication Protocol (PAP) PAP is abbreviated as Password Authentication Protocol. Used in old systems (mostly legacy systems) and not popular these days. PAP is a weak authentication method because no encryption method is used, which means all the information delivered is in cleartext. Analog dial-up lines do not need encryption because it is impossible for someone to sit somewhere between the communication path to seize data. 325 Chapter 03: Implementation Figure 3-34: PAP Authentication Process Basic Commands for PAP authentication Configuring Hostname Router(config)#hostname R1 Configuring remote router hostname R1(config)# username for incoming request password <password> <remote_username> PPP Encapsulation Command Router(config-if)#encapsulation PPP PPP Authentication with PAP Router(config-if)#ppp authentication pap PPP Debugging Command Router#debug PPP authentication Table 3-11: PAP Authentication Commands 802.1X ▪ ▪ ▪ A standard of authentication is commonly referred to as "Port-based NAC (Network Access Control)." Access is not granted until the authentication process is completed. Over wireless, IEEE 802.1x uses either EAP-based protocol or IEEE 802.11i. RADIUS (Remote Authentication Dial-in User Service) RADIUS is a popular protocol for authentication. It supports numerous devices or networks other than dial-in networks. The services of RADIUS can be used to centralize for a single authentication for various systems like Routers, Switches, Firewall, etc. The benefits of RADIUS are almost available for every Operating System. Single sign-on (SSO) It is a feature that allows one-time authentication. Users do not have to type ID and Password every time they want to access a device or account or connect to a service. It saves a lot of time for the users. In Windows, there is Kerberos to accomplish Single sign-on. 326 Chapter 03: Implementation Security Assertions Markup Language (SAML) SAML is an authentication and authorization method that is an open standard. The user is authenticated through a third party for achieving entry to local sources. Shibboleth software is an example of SAML. Modern mobile networks do not have SAML because it was not created for mobile devices that are its major weakness. Terminal Access Controller Access Control System Plus (TACACS+) It is an authentication protocol developed by Cisco and released as a standard open beginning in 1993. TACACS+ is an entirely new protocol and is not compatible with its predecessors. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol. This table summarizes and compares the unique features of RADIUS and TACACS+. TACACS+ RADIUS UDP ports L4 Protocol TCP port 49. 1812/1645 for authentication 1813/1646 for accounting Encryption Encrypts full payload of Encrypts only passwords each packet Observations Open Standard, robust, great accounting Proprietary to Cisco, features, less granular authorization very granular control of control. Another protocol named authorization, separate DIAMETER may replace RADIUS soon implementation of AAA. with enhanced capabilities. Table 3-12: Comparison of RADIUS and TACACS+ OAuth OAuth was introduced by Google, Twitter, and other parties. It serves as an authorization to what resources a user can gain. OAuth is usually observed to be used by Facebook, Google, etc. It is not a protocol for authentication and just provides authorization between applications. OAuth is combined with OpenID Connect (handles SSO), and then OAuth decides what resources a user may gain. OpenID OpenID Connect is a cross-platform authentication protocol based on the OAuth 2.0 family of standards. It enables clients of various types to conduct sign-in processes and receive verifiable assertions about the identity of signed-in users, including browserbased JavaScript and native mobile apps. 327 Chapter 03: Implementation Kerberos The latest and the most trusted method of authentication is Kerberos. In Kerberos, you only need to authenticate once, which means it is an SSO (no need to re-authenticate every time for access gaining) method. It also prevents man-in-the-middle or replays attacks by allowing mutual authentication between the server and the Client. Kerberos was first introduced in 1980 by MIT. Microsoft started using this in Windows 2000, and now it has been made compatible with all Windows systems. For protecting Kerberos, use extensive cryptography. How Kerberos Works The Client provides a Ticket Granting Ticket to a Ticket Granting Service. The Ticket Granting Service then provides Service Ticket to the Client. All the services on the network are then authenticated through the Service Ticket. It means the user gains access by simply showing the ticket behind the scene, and he does not have to be reauthenticated by putting ID and password again and again. Figure 3-35: Kerberos Working Mechanism Only the devices that are compatible with the Kerberos can use Kerberos authentication. Other types of systems that are not Kerberos friendly can use LDAP, RADIUS, or TACACS for authentication purposes. Access Control Schemes Attribute-Based Access Control (ABAC) In the ABAC model, accessing the resources is allotted to the user depending upon the policies collectively with the attributes. It is also considered the Next Generation Model of authorization because many different attributes determine a user's type of 328 Chapter 03: Implementation access. These attributes may include who is accessing (Role), from where is accessing (Location), what is being accessed (Resource), and when is it being accessed (Time). Role-based access control The role-based access control model offers access based on the role of users in the organization like CEO, manager, director, team leader, etc. The kind of access depends on the user's part. The administrator is responsible for allowing access to the users according to their designated roles. The RBAC will enable users to gain access implicitly. For example, if some type of access is provided to the team leader, then by becoming part of the team leader group, a group member can also enjoy the rights of the team leader. Windows group is used in Windows Operating System for providing role-based access control. Rule-based access control In a rule-based access control model, the administrator creates a set of rules. These rules describe the limits and restrictions to access. A firewall is one of the rule-based access control models we are familiar with. Example of management is: "Only the people in Pakistan can gain access to the web page," "the web form can only be accessed through explorer browser," "the web form can only be accessed between 4 to 8 pm", etc. MAC The operating system describes the limit on how much a user can access the resources based on security clearance level. Each object that somebody requires to access is assigned a label (confidential label, private label, etc.). Then users are provided with some rights decided by the administrator, which the users cannot change. Through these rights, a user can determine what they can access. Some users may access confidential resources; some may access personal resources, and so on. Discretionary Access Control (DAC) Commonly used in most operating systems. It is a type of model in which the owner decides who can access the object or what access the user can gain. The owner can also modify access at any time. The advantage of DAC: Flexible Model. The owner can quickly determine who can gain access and modify the access control whenever he wants to. The disadvantage of DAC: Security is weak. The whole system's security depends upon the security settings made by the owner. For example, suppose you create a spreadsheet, and as an owner, you decide who can access the objects of the file and what objects of the file. You can modify the settings when required. 329 Chapter 03: Implementation Conditional access When you utilize Conditional Access rules, you can apply the proper access controls when they're needed while staying out of your users' way when they are not. After the first-factor authentication is complete, Conditional Access restrictions are implemented. Privilege access management Privileged Access Management (PAM) is an information security (infosec) system that protects identities with particular access or capabilities. Like all other information security solutions, PAM relies on a mix of people, processes, and technology. Filesystem permissions Permissions on files determine which users are allowed to execute certain operations on a file. Permissions on files are an essential aspect of any resistance plan. Only a portion of public systems is open to the public. At the very least, attackers must be prevented from modifying system files without permission. Furthermore, file permissions on internal systems promote the best practices of least privilege and least access, reducing the damage caused by insider attacks. Mind Map Figure 3-36: Mind Map of Authorization and Authentication Solutions Implement Public Key Infrastructure Public Key Infrastructure (PKI) Key management is one of the most challenging aspects of cryptography. Traditional cryptography approaches employ symmetric-key cryptography, in which the same key is used for encryption and decryption. The secure transmission of the Key from one user 330 Chapter 03: Implementation to another is complex. If an unauthorized person has access to the Key, they can read, decrypt, and alter all data. In 1976, PKI was introduced by Whitfield Diffie and Martin Hellman to solve key management issues. Every user obtains two keys in public-key cryptography, i.e. ▪ ▪ Public – Can be published to see or use by the user Private – Always kept secret In public-key cryptography, no secret or private Key is shared or transmitted, and all the communication involves is only through the public Key. Hence, the sharing of the secret fundamental problem in Symmetric Key Cryptography was solved using Public Key cryptography. In Public Key Cryptography, the initial message is encrypted by the sender using the receiver's Public Key, and then they decrypt that message using their own private key. Figure 3-37: Public Key Cryptography The following are the features of Public Key Cryptography: ▪ ▪ ▪ It is efficient. It is secure. It is scalable for a large number of users. PKI Components It describes all the procedures, policies, & people that are required to manage Digital certificates. It encapsulates the process to create, manage to revoke, and distribute these certificates. A PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. It permits users of an unsecured network to securely money and exchange data over the use of a private and a public cryptographic key pair that has been obtained through a trusted authority. The public key infrastructure delivers for a digital certificate that can detect an individual or an enterprise and directory services that can store and, when necessary, revoke the certificates. 331 Chapter 03: Implementation PKI ties public keys with the characters of individuals, applications, and associations. This "binding" is kept up by issuing and administering digital certificates by a Certificate Authority (CA). ▪ ▪ ▪ ▪ PKI Certificate Authority (CA): The CA is a secure third party that issues PKI certificates to substances and individuals after checking their identity. It signs these certificates are utilizing its private key. Certificate database: The certificate database stores all certificates endorsed by the CA. PKI certificate: Certificates contain a substance's or individual's public key, its motivation, the CA that approved and issued the certificate, the date extends amid which the certificate can view as valid, and the algorithm utilized to create the signature. Certificate store: The certificate store resides on a local PC and stores issued certificates and private keys. Use of PKI The use of PKI is server identification certificates. SSL requires a PKI certificate on the server to prove its identity confidentially to the Client. Every HTTPS web server connection uses SSL and, as such, uses PKI. This web page focuses on client-side PKI applications that employ end-user PKI certificates rather than server certificates. Clientside applications of PKI consist of categories are: ▪ ▪ ▪ Authentication Digital signatures Encryption 332 Chapter 03: Implementation Operations of PKI: Figure 3-38: PKI Operation ▪ ▪ ▪ Alex initially requests a certificate from the CA. The CA authenticates Alex and stores Alex's PKI certificate in the certificate database. Alex communicates with Bob using his PKI certificate. Bob communicates with the trusted CA using the CA's Public Key. The CA refers to the certificate database to validate Alex's PKI certificate. Key management The creation of a key is the first step in Key Management. The management of keys starts with the generation of a key. By using the proper cipher, keys with the requested strength are generated. After that, the certificate is generated where a public key is 333 Chapter 03: Implementation allocated to a user or device. Sequentially, it is distributed to the particular user and stored to prevent it from any unauthorized access. In case unauthorized gain access to the certificate, then these certificates are revoked or replaced. If the credentials are not withdrawn, there is an expiry date, so the essential management process begins when the certificate expires. The Certificate Authority (CA) Certificate authority initiates with a single CA, and all the certificates are generated from that single authority. In some organizations, the Hierarchical structure is used that consists of Root CA and Intermediate CA. Intermediate CA The SSL Certificate's signer/issuer is the Intermediate Certificate. The Intermediate Certificate's signer/issuer is the Root CA Certificate. Once the Intermediate CA runs, and the load is distributed, the Root certificate gets offline for protection. Registration Authority (RA) A Registration Authority is a firm or organization that receives and validates digital certificates and public/private key pair requests. The key public infrastructure includes a Registration Authority (RA) PKI. Certificate Revocation List (CRL) A certificate revocation list lists digital certificates that have had their issuing certificate authority revoke them before their actual or assigned expiration date. To avoid tampering, the CA signs the CRL file. Certificate attributes The use of a Digital Certificate to identify a user, machine, or device before giving access to a resource, network, application, or other resource is known as certificate-based authentication. It is common to use it in conjunction with more traditional techniques like username and password when it comes to user authentication. Online Certificate Status Protocol (OCSP) Using the Online certificate status protocol, the browser can check certificate revocation or the certificate's status. The message is usually sent to the OCSP Responder through HTTP (HyperText Markup Language). Not all applications or browsers support the OCSP protocol. Certificate Signing Request (CSR) It is easy to have a digital signature by the certification authority. The process starts with the pair of key creations. One is a private key that is kept on the website, and the other is a public key that is sent to the certification authority to be digitally signed. This 334 Chapter 03: Implementation process is called Certificate Signing Request (CSR). The certification authority performs some checks, and after that sign, the certificate and sometimes provides additional features. CN The Distinguished Name's characteristic value, also known as the Fully Qualified Domain Name (FQDN), is the Common Name (CN) DN. It usually consists of the Host Domain Name and looks like "www.digicert.com" or "digicert.com." Subject alternative name It is a certificate that supports various domains in the same certificate. It is an X.509 standard extension and permits you to put a subject alternative name extension and list out all the DNS names (additional identification information) linked with the certificate. Expiration Using the same password for a long time opens paths for hackers to hack passwords through brute force attacks. For this reason, many organizations force users to change their passwords after a certain amount of time. In case of password loss, the password recovery method helps to reset the password. There is a formal procedure for recovering the password to ensure that the authentic person is recovering the password. Types of certificates Various kinds of certificates are used for different purposes. Some of them are as follows: Wildcard A Wildcard Domain Certificate can be applied to any domain and all the names associated with it. So, the name of the server is not a piece of matter. The main aim is the replacement of the asterisk (*). Example: There are an asterisk and a period that a wildcard notation contains the domain name. *.domainname.com * replacement – ftp.domainname.com, vpn.domainname.com, IPS.domainname.com. Subject alternative name A certificate that supports various domains in the same certificate. It is an X.509 standard extension and permits you to put a subject alternative name extension and list out all the DNS names (additional identification information) linked with the certificate. 335 Chapter 03: Implementation Code signing Code Signing Certificates are used by software developers to digitally sign apps, drivers, and software programs as a way for end-users to verify that the code they receive has not been altered or compromised by a third party. They include your signature, your company's name, and, if desired, a timestamp. Self-signed The certificate is not required to be signed by the Certificate Authority (Public). This internal certificate is signed by the same person bearing the certificate. For this, the person creates their certificate authority that issues digitally signed certificates. This certificate is used for the webserver that is only for an internal network of the company. In this way, the person does not have to pay for any external certification authority. These certificates are then installed on every device or web server within a network. Then, every person who connects to the webserver will see the Internal Certification Authority signature certificate. Machine/computer The certificate is used to allow and manage devices for communication on the network. The purpose of this certificate is the authentication of devices. It means that only authenticated devices can communicate over the web. For that, certificates signed by the certification authority are placed on the devices, so if any unauthorized person tries to connect to the network using a VPN, they will not be allowed to communicate over the web because that particular person will not be certified. Email The type of certificate that is usually attached with the email. The email certificate permits us to send the email securely by encrypting the information to the other user. To encrypt the data, it uses a recipient's Key (public) and allows only the receiver to decrypt the information in the email. This certificate can also be used as a Digital signature. If you do not want to encrypt the information, you can digitally sign it through an Email Certificate. User It is a type of certificate usually assigned to a single user or an individual. Generally, it is integrated into a smart card or digital access card. Example: ID card 336 Chapter 03: Implementation Root A public certificate is assigned to the Root CA, and its purpose is to identify the Root CA. Everything initiates with a Root certificate in PKI infrastructure. It is a Root certificate that issues an intermediate certificate or another certificate. In public key infrastructure, the root certificate is the most essential. If somebody gains access to this root certificate private key, it will generate its certificate for any interest. Domain validation The person having a DV certificate has some control over the DNS domain associated with the SSL. Extended validation The certificate receiving person is passed through some additional checks by the certificate authority. If a person dies all the reviews, then that person gets an EV certificate. The web owner's organization name appears in green color on the address bar of the web, which is certified with an EV certificate. Figure 3-39: Extended Validation Certificate Certificate Formats Distinguished Encoding Rules (DER) The DER format is a binary representation of the ASCII PEM Certificate Format. This format allows for storing a single certificate (it does not include the Certificate Chain's Private Key). They are files in binary format. Privacy Enhanced Mail (PEM) PEM (privacy-enhanced mail) is specified through a series of RFCs (Request for Comments) that establish methods and formats for ensuring email authenticity and confidentiality. The term "privacy-enhanced mail" is frequently used interchangeably with the term "secure email." Personal information exchange (PFX) A PFX file is a PKCS#12 certificate that contains the certificate, the intermediate authority certificate required for the certificate's trustworthiness, and the certificate's Private Key. Consider it a repository for everything you will need to deploy a certificate. 337 Chapter 03: Implementation .cer A CER file is a security file that confirms the validity of a website and is issued by a thirdparty Certificate Authority such as VeriSign or Thwate. It is placed on a webserver to verify the legitimacy of a specific website hosted there. P12 A digital certificate using PKCS#12 (Public Key Cryptography Standard #12) encryption is stored in a p12 file. It is used to transfer personal private keys and other sensitive information in a portable format. Various security and encryption programs employ P12 files. P7B P7B is a web service authentication security certificate file. There is no private key in P7B files, only a basic certificate in ASCII Base64 format. Files in the P7B format can be converted to PEM or PFX formats. Users and devices are identified and authenticated using P7B papers. Concepts Online vs. offline CA The infrastructure of a public key relies on trust, and typically this trust is provided by the Certification Authority (CA). However, a compromised CA is a bad thing, and this also creates trust issues with the Certificate Authority. The Intermediate Certificate is the signer/issuer of the SSL Certificate. The Root CA Certificate is the signer/issuer of the Intermediate Certificate. Once the Intermediate CA runs and the load is distributed, the Root certificate gets offline for protection. Stapling As discussed above, the OCSP depends upon CA. It is the responsibility of CA to respond to all the OCSP requests of the clients. In addition, if the numbers of devices that the CA has to check are large, this creates scalability. In this case, OCSP Stapling is implemented. In OCSP Stapling, the device that holds certificate can verify their status and provide revocation status. This information is received from the appliance directly rather than CA, and the knowledge of the group is stored on the server of the certificate holder. The OCSP status or the revocation is stapled into the TSL or SSL handshake, and a digitally signed note by the certification authority is present with the OCSP stapled information. 338 Chapter 03: Implementation Pinning The purpose of the Certificate pinning is to prevent the man-in-the-middle attack. Certificate pinning is used when the server's certificate has been hard-coded into the application by the application itself. In this case, the application communicates to the server and receives a copy of the certificate to compare them. If both of them match, then it means that the person is directly corresponding to the server. If the certificate does not match, then a decision is made by the application accordingly. It shows an error message that the certificate does not check, or it may shut it down. Trust model A trust model is a set of criteria that ensures the validity of digital certificates used by CEF eDelivery components. Many trust models based on various trust anchor types and regulations are available to produce, administer, distribute, store, and revoke digital certificates. Key escrow Key escrow means a third party may have access to your Private Key or the decryption key along with the backup of that Key. It can be employed by some organizations or businesses where the employee's information or partner's data needs to be accessed or decrypted. Certificate chaining As mentioned above, a single certificate authority is not a good idea. However, hierarchical structures, having multiple levels within them, are preferable. All the connections between different certificate authorities are known as Chain of Trust. The certificates between Root CA and other Intermediate CA are listed in the Chain of Trust. The chain of trust initiates with an SSL certificate (part of the webserver) and ends with the Root certificate. In between, there is a certification authority that assigns the certificate. The certificates between SSL certificate and Root CA are called "Intermediate Certificate or Chain Certificate." 339 Chapter 03: Implementation Figure 3-40: Certificate Chaining The web server requires the configuration with an appropriate chain. It is common to configure an SSL certificate and add an Intermediate certificate between Root CA and SSL certificate. Mind Map Figure 3-41: Mind Map of Data Destruction & Disposal Methods 340 Chapter 03: Implementation Practice Questions 1. Which of the following is not a type of Open Source Web Server architecture? A. Apache B. NGINX C. Lighttpd D. IIS Web Server 2. An attacker is attempting a trial and error method to access restricted directories using dots and slash sequences. Which type of web server attack is this? A. LDAP Attack B. AD Attack C. Directory Traversal Attack D. SQL Injection 3. An attacker sends a request, which allows him to add a header response; now, he redirects the user to a malicious website. Which type of attack is this? A. Web Cache Poisoning B. HTTP Response Splitting Attack C. Session Hijacking D. SQL Injection 4. Update that is specially designed to fix the issue for a live production environment is called __________________. A. Hotfix B. Patch C. Bugs D. Patch Management 5. A piece of software developed to fix an issue is called _________________. A. Hotfix B. Patch C. Bugs D. Update 6. Jailbreaking refers to _________________________. A. Root access to a device B. Safe mode of a device C. Compromising a device D. Exploiting a device 341 Chapter 03: Implementation 7. When an iOS device is rebooted, it will no longer have a patched kernel and may stick in a partially started state. Which type of Jailbreaking is performed on it? A. Tethered Jailbreaking B. Semi-Tethered Jailbreaking C. Untethered Jailbreaking D. Userland Exploit 8. Official Application store for Blackberry platform is ________________. A. App Store B. App World C. Play Store D. Play World 9. Which of the following is the most appropriate solution if an administrator is required to monitor and control mobile devices running on a corporate network? A. MDM B. BYOD C. WLAN Controller D. WAP 10. An attack, which denies the services, and resources become unavailable for legitimate users is known as _________. A. DoS Attack B. Application Layer Attack C. SQL Injection D. Network Layer Attack 11. DoS attack in which flooding of the request overloads web application or web server is known as _______________. A. SYN Attack / Flooding B. Service Request Flood C. ICMP Flood Attack D. Peer-to-Peer Attack 12. DoS Attack focused on hardware sabotage is known as ________________. A. DoS Attack B. DDoS Attack C. PDoS Attack D. DRDoS Attack 342 Chapter 03: Implementation 13. DoS Attack, in which intermediary and secondary victims are also involved in the process of launching a DoS attack, is known as _____________. A. DRDoS B. PDoS C. DDoS D. Botnets 343 Chapter 04: Operation and Incident Response Chapter 04: Operations and Incident Response Introduction Incident Response (IR) development and review services ensure that you have a welldefined strategy for responding to an incident that potentially impacts your organization. We use your existing toolsets, data sources, and supplemental solutions introduced as part of the engagement to achieve the essential environmental visibility during IR engagements. Our team can receive current and historical situational awareness by having full access across network, endpoint, logs, and other data sources, ensuring a holistic view of any potential threat acting within the environment. We then devise a complete remediation strategy based on a thorough understanding of the identified dangers and their associated actions. This comprises tactical and strategic recommendations for removing threat actors from your environment successfully, as well as the formation of a baseline for future threat-related operations. Appropriate Tools to Assess Organization Security For many enterprise organizations, administering risk assessments requires building an efficient cyber threat management system. The visibility gained from these assessments provides insight that helps guide high-level cybersecurity decisions, creating them a valuable plus for organizations of all sizes. Network Reconnaissance and Discovery Security experts use command-line tools every day for network discovery and reconnaissance. As a result, you must be familiar with them in order to pass the Security+ exam. Tracert/Traceroute The “Tracert/Traceroute” command allows mapping an entire path between two devices to know what routes may be between point A and point B. This uses the tracert command for Windows and the traceroute command for Linux/Unix/macOS. The information displayed by the traceroute command is received by the router on the network via ICMP “Time to Live Exceeded” error message. You can easily send the packet out to the network, and those packets will cause the routers to create an error message and send that back. The traceroute command uses those error messages to build the route. 344 Chapter 04: Operation and Incident Response Tracert options are available in all Operating Systems as a command line feature. Visual traceroute, graphical, and other GUI-based traceroute applications are also available. Traceroute or Tracert command traces the path information from source to destination in the hop by hop manner. The result includes all hops between source and destination. The development also provides latency between these hops. Traceroute Analysis Consider an example in which an attacker is trying to get network information by using Tracert. After observing the following result, you can identify the network map. 10.0.0. 1 is the first hop, which means it is the gateway. The Tracert result of 200. 100.50.3 shows 200. 100.50.3, which is another interface of the first hop device, whereas connected IP includes 200. 100.50.2 and 200. 100.50. 1. 192. 168.0.254 is the next to last hop 10.0.0. 1. It can either be connected to 200. 100.50. 1 or 200. 100.50.2 to verify and trace the following route. 345 Chapter 04: Operation and Incident Response 192.168.0.254 is another interface of the network device, i.e., 200.100.50.1 is connected next to 10.0.0.1. 192.168.0.1, 192.168.0.2 and 192.168.0.3 are connected directly to 192.168.0.254. 346 Chapter 04: Operation and Incident Response 192.168.10.254 is another interface of the network device, i.e., 200. 100.50.2 connected next to 10.0.0.1 192.168.10.1, 192.168.10.2, and 192.168.10.3 are connected directly to 192.168.10.254. Traceroute Tools Traceroute tools have been listed below: Traceroute Tools Path Analyzer Pro Visual Route Troute 3D Traceroute Website www.pathanalyzer.com www.visualroute.com www.mcafee.com www.d3tr.de Table 4-01: Traceroute Tools nslookup/dig Nslookup  Lookup information from DNS servers like IP addresses, Cache times, canonical names, etc. Dig   It stands for Domain Information Grouper More advanced domain information ipconfig/ifconfig Determines TCP/IP and network adapter information and some additional IP details. In Windows, the command used is “ipconfig” whereas, in Linux and Mac, the command used is “ifconfig.” Tcpdump Captures packets from the command line. Nmap Nmap, in a nutshell, offers Host discovery, Port discovery, Service discovery. Operating system version information. Hardware (MAC) address information, Service version detection, Vulnerability & exploit detection can be found using Nmap scripts (NSE). Using Windows or Linux command prompt, enter the following command: nmap –sP –v <target IP address> 347 Chapter 04: Operation and Incident Response Upon successful response from the targeted host, if the command successfully finds a live host, it returns a message indicating that the IP address of the targeted host is up along with the Media Access Control (MAC) address and the network card vendor. Apart from ICMP Echo Request packets and using ping sweep, nmap also offers a quick scan. Enter the following command for quick scan: nmap –sP –PE –PA<port numbers> <starting IP/ending IP> For example: nmap –sP –PE –PA 21,23,80,3389 <192.168.0.1-50> Figure 4-01: Nmap ping/pathping In windows, a command is merged together with the functionality of ping and traceroute to create a single command called pathping. Pathping will run a traceroute to a destination IP address to determine what routes may be in between your local devices and the one you are running as part of pathping. 348 Chapter 04: Operation and Incident Response Figure 4-02: ping/pathping hping hping may be a command-line-minded transmission control protocol/IP packet assembler/analyzer. The interface is impressed by the ping (8) operating system command. However, hping is not solely able to send ICMP echo requests. Hping is accustomed send massive volumes of TCP traffic at a target whereas spoofing the supply information science address, creating it seem random or perhaps originating from a particular user-defined source. netstat Netstat stands for “Network statistics.” It can be used in many different operating systems. 349 Chapter 04: Operation and Incident Response Figure 4-03(a): netstat 350 Chapter 04: Operation and Incident Response Figure 4-03(b): netstat netcat  It is used to read or write information to or from the network (open a port and send or receive some traffic). Multiple functions    Listens to a port number. Scans ports and sends data to the port. Transfers data. IP scanners IP scanner is a cmd tool to scan the network for IP addresses. This usually uses a number of different techniques to identify and then display the devices and port numbers on your systems. 351 Chapter 04: Operation and Incident Response ARP ARP stands for Address Resolution Protocol, which is a stateless protocol used within a broadcast domain to ensure communication by resolving the IP address to MAC address mapping. It is in charge of L3 to L2 address mappings. ARP protocol provides the binding of IP addresses and MAC addresses. By broadcasting the ARP request with an IP address, the switch can learn the associated MAC address information from the reply of the specific host. In the event that there is no map or the map is unknown, the source will send a broadcast to all nodes. Only the node with a coordinating MAC address for that IP will answer the demand with the MAC address mapping packet. The switch will feed the MAC address and its connection port information into its fixed length CAM table. Figure 4-04: ARP Operations As shown in Figure 112, the source generates an ARP query by broadcasting the ARP packet. A node with the MAC address that the query is destined for will reply only to the packet. The frame is flooded out of all ports (other than the port on which the frame was received) if CAM table entries are full. This also happens when the destination MAC address in the frame is the broadcast address. The MAC flooding technique is used to turn a switch into a hub, in which the switch starts broadcasting each and every packet. In this scenario, each user can catch the packets, even those not intended. ARP Spoofing Attack In ARP spoofing, an attacker sends forged ARP packets over a Local Area Network (LAN). In this case, the switch will update the attacker's MAC Address with the IP address of a legitimate user or server. Once an attacker's MAC address is learned, together with the IP address of an authentic user, the switch will start forwarding the 352 Chapter 04: Operation and Incident Response packets to the attacker, assuming that it is the MAC of the user. Using an ARP Spoofing attack, an attacker can steal information by extracting it from the packet intended for a user over LAN that it received. Apart from stealing information, ARP spoofing can be used for:          Session Hijacking Denial-of-Service Attack Man-in-the-Middle Attack Packet Sniffing Data Interception Connection Hijacking VoIP Tapping Connection Resetting Stealing Passwords Figure 4-05: ARP Spoofing Attack Route The route command is used to view the device’s routing table and help to find the best possible way in which the packets will go. 353 Chapter 04: Operation and Incident Response Figure 4-06: Route Curl The curl command stands for “Client URL” “Uniform Resource Locator.” This command refers to a URL that you can use to access the web pages, perform FTP, or receive emails. This allows you to grab the raw data from different sites and display it on the terminal screen. The harvester There is a fantastic amount of information that can be obtained free from public websites. Such information is referred to as Open-Source Intelligence or OSINT. There are many tools available to allow you to gather information from OSINT sites. To do this, one way is to use the harvester tool. This allows collecting many different kinds of information from many different kinds of sites. It allows gathering information from sources like google, bing, or LinkedIn. It also provides DNS brute force to identify DNS 354 Chapter 04: Operation and Incident Response services that may be publicly available but can find a host that may not be automatically identified in a DNS server. For example, you can find a VPN server or email server running some of the brute-force tasks within a harvester. Sniper Sniper is the reconnaissance tool that integrates different reconnaissance tools into one framework to provide one set of queries and outputs for all different functions. There are many ways to configure the way sniper runs; some of these are very intrusive, and others are specifically built to run in a stealth mode. Scanless One of the problems you may find when performing a pot scan is that your device is easily identified as the scan source. To handle this, you can run a scan from a different host that will act as a proxy for port scanning, and the utility that does this function is called scanless. It includes support for many different services. Dnsenum The dnsenum command will enumerate DNS information from a DNS server. There is a great deal of information you can gather and many hosts you can identify from that DNS server. However, there are also hosts that you can find using a number of different techniques, and dnsenum allows you to do this. Nessus The Nessus is one of the most popular vulnerability scanners because of its very large database. They can easily find many different known vulnerabilities. Nessus is the scanning tool that has extensive reporting help to identify vulnerabilities. It also helps to resolve the vulnerabilities on the system. Cuckoo Cuckoo is s sandbox that is specifically written to run the programs inside and identify any malware. This virtualized environment can consist of many different operating systems, including Windows, Linux, macOS, and Android. It can perform API calls to identify what the application is sending network traffic File Manipulation File management tools are utility package that manages files of the system. Since files are a vital part of the system, all the info is held on within the files. Therefore, this utility software facilitates browsing, searching, arranging, noticing information, and quickly previewing the system files. 355 Chapter 04: Operation and Incident Response head The head command is used to see the top part of the file. There are multiple viewing options available that help to view the file differently. For example, to view the first five lines of the file, you can run the following command: head -n 5 syslog tail The tail command is used to view the last portion of a file. The syntax of head and tail commands are similar. For example, to view the last five lines of a file, run the following command: tail –n 5 syslog cat Cat is short for concatenate. Concatenating a file means that you would either view the contents of files to the screen or link multiple files together to create a large file. grep The grep command allows us to find any bit of text that we require in the file, and we can also search through multiple files at one time. For example, finding the pattern that failed within a file called auth.log runs the following command: grep failed auth.log chmod the chmod command allows changing the mode of the file system object. In this context, the term mode means to change it to either read (r), write (w), or execute (x). You can do set the mode commonly by setting the binary patterns or octal notation within an individual file. # Permission rwx 7 Read, Write, and Execute rwx 6 Read and Write rw- 5 Read and Execute r–x 4 Read only r-- 3 Write and Execute -wx 2 Write only -w- 1 Execute only --x 356 Chapter 04: Operation and Incident Response 0 none --Table 4-02: Permissions logger The logger is responsible for adding the additional information into the system log in that operating system, commonly a file syslog. Shell and Script Environments SSH (Secure Shell) The Secure Shell Protocol, or SSH protocol, is a protocol for establishing secure remote connections. It is a safe replacement for insecure protocols like Telnet, rlogin, and FTP. SSH is used for remote login as well as other protocols like FTP and SCP (Secure Copy Protocol) (SCP). Because it operates through SSH, SFTP (SSH File Transfer Protocol) is widely used for secure file transfer. The SSH protocol operates on a client-server architecture, with the SSH client connecting to the SSH server over an insecure network over a secure SSH channel. The Secure Shell (SSH) protocol is made up of three main parts:  The Transport Layer Protocol [SSH-TRANS] provides server authentication, confidentiality, and integrity. It may optionally also provide compression. The transport layer will typically run over a TCP/IP connection but might also be used on top of any other reliable data stream.  The User Authentication Protocol [SSH-USERAUTH] establishes a connection between the client and the server. It uses the transport layer protocol to operate.  The [SSH-CONNECT] Connection Protocol divides the encrypted tunnel into many logical channels. It uses the user authentication protocol to operate. PowerShell For working with Windows, one of the more advanced shells available is called Windows PowerShell. PowerShell is commonly used by system administrators on Windows devices to control each and every aspect of the Window operating system. Running a script inside o PowerShell has .ps1 file extension. You can also run scripts inside a PowerShell, manipulate everything related to Windows operating system or run certain scripts in a standalone executable mode as well. EXAM TIP: PowerShell is a remarkably powerful tool for doing any type of administration task on a Windows operating system. The system administrator will be responsible for the applications running inside of Windows. 357 Chapter 04: Operation and Incident Response Python Python is a popular scripting language that works across many different operating systems. The Python files have a .py file extension. Python is available in Linux, macOS, and Windows. It is well supported across the entire industry primarily because it has the flexibility to do much more things inside the operating system. Although, the primary emphasis of Python is based around automation and orchestration of cloudbased systems. OpenSSL OpenSSL is a set of utilities and a library that lets you manage SSL and TLS certificates in your systems. You must create X.509 certificates if you are establishing a Certificate Authority (CA) within your organization. Users will send the Certificate Signing Requests (CSRs), and you will be in charge of managing the Certificate Revocation List (CRLs). This can be accomplished using OpenSSL's utilities. OpenSSL also includes cryptographic libraries that can be used to conduct hashing operations on a variety of hashing methods. You can also use OpenSSL's built-in encryption and decryption features. Packet Capture and Replay Full packet capture tools permit security engineers to record and reproduce all the traffic on the network. This permits the validation of IDS/IPS alerts and the validation of things that NetFlow or log knowledge is showing. Tcpreplay When you have captured the packets, you can quickly look at the information present inside the protocol docker like Wireshark. You can also reply to this information back onto the network using a utility called tcpreplay. This allows you to take information and send it to the network using a network interface card so that other devices on the network can see the network traffic. It is a great way to test security devices. It checks the IPS signatures and firewall rules to see if the information you are sending through the network will be allowed or denied access at the firewall. Tcpreplay can also send a large amount of information across the network to test for monitoring tools. Tcpdump If you are working on the system at the command prompt, you may have a graphical front end that you can use with WireShark. Instead of using the Wireshark, you can use tcpdump to do the same function. It captures packets from the command line, displays 358 Chapter 04: Operation and Incident Response packets onto the screen, and writes them in the files. This is often included in many different Linux distributions that help to work with tcpdump capabilities easily. Wireshark Wireshark is the most extensively used Network Protocol Analyzer tool in the commercial, governmental, non-profit, and educational sectors. It is a free, open-source program that runs natively on Windows, Linux, MAC, BSD, Solaris, and other systems. TShark, a terminal version of Wireshark, is also available. Lab 4-01: Introduction to Wireshark Procedure: Open Wireshark to capture the packets. Click Capture > Options to edit capture options. 359 Chapter 04: Operation and Incident Response Here, you can enable or disable a promiscuous mode on an interface. Configure the Capture Filter and click the Start button. Click Capture > Capture Filter to select Defined Filters. You can add the filter by clicking the Add button. 360 Chapter 04: Operation and Incident Response Follow the TCP Stream in Wireshark Working on TCP-based protocols can be very helpful by using the “Follow TCP Stream” feature. This helps to examine the data from a TCP stream in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream. 361 Chapter 04: Operation and Incident Response Examine the data from the captured packet. Filters in Wireshark Following are the Wireshark filters for filtering the output. Operator Function Example == Equal ip.addr == 192.168.1.1 eq Equal tcp.port eq 23 != Not equal ip.addr != 192.168.1.1 ne Not equal ip.src ne 192.168.1.1 contains Contains specified value http contains "http://www.ipspecialist.net" Table 4-03: Wireshark Filters Forensics Our forensic investigation identifies pertinent evidence for incident responders, network engineers, on-site security teams, human resources, and legal teams, allowing you to successfully negotiate technical, legal, and public relations requirements. dd On the IBM mainframe, dd refers to the data definition that was transformed between ASCII and EBCDIC. You can use dd to make a bit-by-bit copy of anything on a drive or in a directory. This would be incredibly beneficial if you needed to save the data for further study. The command to create a disk image is: 362 Chapter 04: Operation and Incident Response dd if=/dev/sda of=/tmp/sda-image.img And, the required command to restore from an image is: dd if=/tmp/sda-image.img of=/dev/sda Memdump The memdump command will send all of the information and system memory to a specific location on your computer. Because much third-party forensics software can read memory dump files and readily identify or discover information that may be saved in the memory file, this is particularly valuable after the fact. You can commonly store the memory dump files outside the system; memdump can be used in conjunction with netcat, stunnel, openssl, etc. WinHex WinHex is a third-party editor that can display the dump files in their original format. Hexadecimal mode is used to display all data. This will assist you in retrieving and editing data from a file, memory, disk, or other location. WinHex also has disk cloning capabilities, which allow you to copy all of the data from a file and save it as an image file or copy it to a different storage device. Additionally, WinHex makes it simple to do secure wipes, ensuring that all data in the file is completely deleted and cannot be recovered using third-party programs. FTK Imager FTK Imager is a Windows executable that can mount a hard drive, image drives and perform file operations. This is also supported by a large number of additional forensics tools. This program aids in the capturing of data and the use of image files in other programs on various operating systems. This program can also read encrypted disks. It may also convert the files to a standard format like dd, expert witness, etc. Autopsy The Autopsy software performs digital forensics on data stored on storage devices or in picture files. It also allows you to see and restore data from these devices. It can search through a downloaded file, check the device's internet history, view email messages, identify databases, and view graphical files, among other things. Exploitation Frameworks Exploitation frameworks are tools that may be used to design unique attacks. They allow you to quickly build attack types and add extra tools for detecting vulnerabilities. These are widely used frameworks that allow you to add modules to your system and use them. For instance, metasploit, the social engineer toolkit, and so forth. 363 Chapter 04: Operation and Incident Response Password crackers Performing vulnerability tests against the system or going through it with forensics tools may result in the discovery of password files or information, including password hashes. You can use a brute force attack to find those passwords if you have that knowledge. A password cracker can be used to accomplish this. Password crackers is an online tracking tool that can perform multiple requests to a device. Data sanitization Data sanitization eliminates all data and transforms it into a format that contains no useable information. This is typically done to clean the entire drive in preparation for future use. Note: There is no way to restore the drive once it has been removed from the data sanitization tool unless you have a backup that has been irreversibly erased. Mind Map Figure 4-07: Mind Map 364 Chapter 04: Operation and Incident Response Importance of Policies, Processes, and Procedures for Incident Response Incident Response Plans An incident response setup ensures that the correct personnel and procedures should effectively cope with a threat in the event of a security breach. Having an event response plan ensures that a structured investigation will occur to supply a targeted response to contain and correct the threat. Incident Response Process As a Security Professional, you will be responsible for responding to security events that occur in the organizations. Events may include a user clicking an email attachment and execute malware. The malware then starts communicating with other services and sending information outside of the organization. The security incidents that occur in the organization require some type of response by the security professional in the organization. The incident response team often responds to the type of incidents. The team is the group of people that have been specifically trained to deal with these circumstances. The team may include the IT management for your security department, compliance officers, technical staff to help troubleshoot, and users in the community for help in these situations. NIST SP800-61 NIST stands for National Institute of Standard and Technology in the US and has created a document to help understand handling the security incidents. This document is NIST special publication 800-61 revision two titled “Computer Security Incident Handling Guide.” This provides information about the entire lifecycle when you are handling the security incidents. This includes:         Preparation Detection Analysis Isolation and Containment Eradication Recovery Reconstitution Lesson Learned Preparation The key to handling the security incidents properly is to make preparation. This includes the communication method, the choice of the right people, and processes, including hardware and software used when an incident occurs. 365 Chapter 04: Operation and Incident Response There will also be a need to have documentation of the organization’s network that defines data location for security reasons. There is also a need to prepare to clean the operating system and application images for the mitigation process. The policies and procedures should be prepared that will apply when the security incident occurs. Detection To be able to respond to the security incident, you should know that how the incident occur. There are different ways to monitor and identify security incidents. This is a big challenge because the organization receives several different types of attacks. There are always some security tools available that will prevent the majority of these types of attacks. Also, the security incidents often include different devices and operating systems to identify legitimate threats. Sometimes, the organization may also prefer to use incident precursors that help to predict where a particular area of the network may receive a security breach. Isolation and Containment When you identify some malicious software or some type of breach, the best approach is to isolate and contain that particular security incident. Instead of malicious software, you can use a sandbox. The sandbox is an isolated operating system that is specifically designed to run the software. This environment can be completely deleted after performing the analysis so that you can easily be assured that the malware is not present outside the sandbox. Sometimes, the sandbox does not provide the perfect analysis of malware. Some malware can recognize when running in a sandbox and perform differently in a sandbox-like an open network. Some malware recognizes when you lose connectivity to the internet. Therefore, you can isolate that system; it begins deleting the files or damaging the operating system. Eradication Once you identified that an incident has occurred and identified that where the malware exists in the system. You should recover that system. The first required step is to eradicate the malware and remove it from that system to recover the system. Sometimes, this includes completely deleting assets from the system, recovering all stuff from known backup, and fixing the vulnerabilities that caused the incident to occur the first time. Recovery After doing the process of eradication, use backup to restore the system’s assets quickly. After retrieving the system assets, rebuild the entire system from scratch. And, lastly, 366 Chapter 04: Operation and Incident Response you should lock down the perimeter of networks to stop the attack before it enters the private network. Reconstitution On large networks, the reconstitution process can be very difficult and time-consuming. A phased-based approach runs very slowly and takes a couple of months for recovery. The plan of the reconstitution process should be efficient, start with quick, high-value security changes. The quick changes may include sending patches to the systems, modify the firewall to prevent a certain type of traffic from entering your network, etc. Lessons learned Once the incident is over, you can look at what processes worked and did not work during an incident. You can also schedule the post-incident meeting where everyone shares the experience that occurred during the process. Exercises Security incidents are usually after the fact that one has already occurred. However, most of the work should be done before an incident occurs in the environment. You can do several things before an incident occurring that can help with the planning process. This required step is to perform exercises. This includes the testing process and workflow that should be used when an incident occurs. These can be scheduled once or twice a year to alert everyone about what they will have to do during an incident. The organization should use the well-defined rules of engagement when performing these exercises and monitor that nothing is affecting the production network. In rare cases, some security incidents take a week or a month to resolve. However, to perform an exercise, you have limited time. Tabletop The tabletop exercise entails putting everything together and conducting a full-scale test of a specific security incident. This performance can be seen from beginning to end. This disaster exercise will take a long time to complete, as well as a significant amount of money and resources. Instead of doing any task, the tabletop exercise refers to discussion with members about the processes in the organization. You should define where and how the process and procedure problems should be resolved before an actual incident occurs. Walkthroughs The walkthroughs allow you to test all the processes and procedures, not only with the organization's management but also with the individual that will respond to the 367 Chapter 04: Operation and Incident Response particular incident. This may include all of the different parts of the organization, and you should all the available tools. This exercise process allows us to go through every process and procedure and identify the actual faults and missing steps by applying the concepts from the tabletop exercise. Simulations Many organizations perform ongoing simulations where they will visualize that how a particular event has occurred. Some examples include phishing attacks, password requests, and data breaches. For example, to test the simulated event “Phishing attack,” the following steps are required:    Going phishing o Create a phishing email attack o Send to the actual user community o See who bites Test internal security Test the users Attack Frameworks Within an organization, a security professional is responsible for protecting the network. The professional may find multiple attacks experience by an organization. It is difficult to keep track of the exact type of attacks that have occurred and how you, as a professional, can protect yourself against these attacks. When the attack is occurring, your response must maintain and gather the ongoing reconnaissance. The main challenge with this is that the attackers use several methods in multiple ways. You should understand the attacks, determine if you are at risk in the organization, and then use appropriate mitigation. MITRE ATT&CK One place to begin gathering the data information is through the MITRE ATT&CK framework. This comes from the MITRE Corporation. They primarily support US governmental agencies. Using this framework, you can identify broad categories of attacks, identify points of intrusion, and identify security techniques that can help you block any future attack. Some tactics of the MITRE ATT&CK for ICS matrix are shown in Figure 4-08. 368 Chapter 04: Operation and Incident Response Figure 4-08: Tactics of MITRE ATT&CK The Diamond Model of Intrusion Analysis The useful framework that is typically used when an intrusion occurs is called Diamond Model. The intelligence community of the federal US government designed the Diamond Model of intrusion analysis. For further detail, you can visit the given URL 369 Chapter 04: Operation and Incident Response https://apps.dtic.mil/docs/citation/ADA586960 The above-mentioned guide is focused on helping you understand the intrusion that has been occurred in the environment. The Diamond Model of intrusion analysis uses scientific principles and applies them towards intrusion analysis. These may include measurement, repeatability, testability. These are the focus of this Diamond Model. Consider a scenario in which an attacker has deployed a capability against a victim via infrastructure. The diamond model can assist in determining the relationship between all of those different domains as well as gathering the necessary information and documents to resolve this intrusion. Figure 4-09: The Diamond Model of Intrusion Analysis The adversary in the above diamond model is an attacker, which is what the attacker uses (this could be malware, hacker tool, etc.). The infrastructure will describe what was used to gain access (e.g., IP address, domain name, email addresses, etc.). A victim is a person or asset on the network that is used. The diamond model defines the relationship between each one. Cyber Kill Chain Lockheed Martin developed the Cyber Kill Chain framework. It is an intelligence-driven defense model for identifying, detecting, and preventing cyber intrusion by understanding the adversary tactics and techniques during the complete intrusion cycle. This framework helps to identify and enhance the visibility into a cyber-attack. It also helps blue teams in understanding the tactics of APT’s. There are seven steps of the Cyber Kill Chain. 370 Chapter 04: Operation and Incident Response 1. 2. 3. 4. 5. 6. 7. Reconnaissance Weaponization Delivery Exploitation Installation Command and Control Actions on Objectives Figure 4-10: Cyber Kill Chain Reconnaissance Reconnaissance is the beginning stage of the cyber kill chain. The adversaries, in this planning phase, collect information about the target by using different techniques. This information gathering helps the adversaries profile the target and helps understand which vulnerability will lead them to meet their objectives. Following are some reconnaissance techniques:       Information gathering via social networking platforms Social engineering Information gathering via search engines Email address harvesting Network scanning WHOIS searches / DNS queries For security teams, it is very difficult to identify and detect reconnaissance. Adversaries can collect enough information about the target without any active connection. However, to discover internet-facing servers, open ports, running services, and other required information, adversaries need to build an active connection with the target. If 371 Chapter 04: Operation and Incident Response security teams identify reconnaissance activity, it can help them reveal the intent and subsequent actions. Organizations should have a strict policy regarding information disclosure on public and social forums. Security teams should monitor and timely respond if any confidential or even relevant information that adversaries can misuse is publicly posted. Following are some behaviors the security team should monitor to identify reconnaissance activities:     Website visitors log Internal scanning activities Port scanning on public-facing servers Vulnerability scanning on public-facing servers Weaponization After the collection of sufficient information about the target, adversaries prepare the operation in the Weaponization phase. Weaponization may include preparing an exploit for an identified target's vulnerability or developing a malicious payload. Following are some preparation techniques used by adversaries to weaponize themselves:     Preparing a weaponizer or obtaining one from private channels Preparing decoy documents (file-based exploits) for victims Command and Control (C2) implantation Compilation of backdoor Security defenders cannot detect weaponization as the payload is not yet delivered. However, it is an essential phase for defenders; they can keep their security controls harden against advanced tactics and techniques of malware. Mostly, security teams conduct malware analysis and reverse engineering, which helps them identify different techniques of malware development and dropping techniques. In this way, security teams prepare the most durable and resilient defense. Following are some blue team techniques to counter:     Conducting malware analysis for trending malware Building detection rules for weaponizers Intelligence collection about new campaigns, IoCs Correlation of artifacts with APT campaigns Delivery After all the preparation and weaponization, in the delivery phase, adversaries launch the attack by conveying the malware or weaponized payload prepared specially for the target. Following are some common methodologies of launching an attack:   Phishing emails Malware on a USB stick 372 Chapter 04: Operation and Incident Response   Direct exploitation of web servers Via compromised websites This is an important phase for security defenders to identify, detect, and block the delivery operation. Security teams monitor incoming and outgoing traffic, analyze delivery mediums, and monitor public-facing servers to detect and block delivery. Following are some actions for security teams to detect delivery of malware:      Monitoring Emails Campaigns Leverage weaponizer artifacts to detect new malicious payloads at the point of entry Monitoring suspicious networks communications Monitoring alerts, detections on security controls Building signature-based detection rules Exploitation Exploitation is the phase in which an adversary gains access to the victim. To gain access, the adversary needs to exploit a vulnerability. As the adversary already has probably collected the information about the vulnerabilities in the reconnaissance phase and has already been prepared in the weaponization, the adversary can exploit the victim by using any of the following techniques:       Exploiting any software, hardware, or human vulnerability Using exploit code Exploiting operating system vulnerability Exploiting application vulnerability Victim triggered exploitation via phishing email Click Jacking To counter the exploitation phase, security teams should follow the traditional security measures, but they also need to understand new tactics and techniques and harden assets to prevent exploitation. Following are some key measures for security defenders to counter exploitation:        User Awareness Training Phishing Drill Exercises for Employees Periodic Vulnerability assessment Penetration testing Endpoint Hardening Secure coding Network Hardening Installation 373 Chapter 04: Operation and Incident Response After successful exploitation, the adversary moves next to the installation phase. It establishes persistency at the victim either by installing a backdoor or opening a connection from the victim towards C2. This way, the adversary can maintain access for lateral movements. Following are some ways of maintaining the access activities:    Installation of web shell Installation of backdoor Adding auto run keys Security defenders use different security controls such as HIPS, EDR, AV engines to detect block installation of backdoors. Security teams should monitor the following to detect installations:       Suspicious application using administrator privileges Endpoint process auditing Suspicious file creations Registry changes Auto run keys Security control alerts Command and Control The adversary establishes a two-way communication or command channel with its C2 server during the Command and Control (C2) phase. The adversary owns and manages this C2 server, which is used to send commands to infected hosts. Adversaries can change the victim's searches and commands from afar. C2 channels have the following characteristics:    Victim opens two-way communication channel towards C2 Mostly, the C2 channel is on the web, DNS, or email C2 queries encoded commands This is the last chance in this death chain for security defenders to notice and block the assault by blocking the C2 channel. If the C2 channel is blocked immediately, an adversary cannot issue commands to the victim. Some strategies for security teams to guard against C2 communication are as follows:     Collect and block C2 IoC via Threat Intelligence or Malware analysis Require proxies for all types of traffic (HTTP, DNS) DNS Sink Holing and Name Server Poisoning Monitoring network sessions Actions on Objectives The adversary has a victim with persistent access to the C2 server at this point. The adversary can now complete the tasks. What will the opponent do? That is contingent 374 Chapter 04: Operation and Incident Response on his intentions. At this point, the enemy has access to CKC7. The following are some various adversary intentions or possible next steps in this phase:        Collection of credentials from infected machines Privilege Escalation Lateral movement in the network Data exfiltration Data corruption Data modification Destruction At this stage, Security defenders must detect the adversary as earliest as possible. Any delay in detection at this stage can cause a severe impact. Security teams should be wellprepared and ready to respond in this stage to lower the impact. Following are some preparations for security defenders:     Immediate incident response playbooks Incident readiness Incident response team with SMEs Communication and incident escalation point of contacts Stakeholder Management An IT department usually has IT customers with applications, data, and other technical resources that the IT department manages. These are the stakeholders in the organizations. When something is not working properly, the stakeholder will identify and resolve the problem. It is a good way to maintain a satisfactory relationship with the stakeholder. You can involve them in the planning process for certain types of security events. If an event occurs, you can bring the stakeholders and involved them in the resolution process. Most of this relationship built with them does not occur when an event happens. It occurs before the event. Communication Plan Many of the problems during a high-stress event can be mitigated by simply having good communication; when you plan for a security event, the first step to get your contact list together is to inform everyone. In the organization, this could be the CIO/head of information security/internal response teams. You are also required to involve people, not in the IT organization, such as human resources, public affairs, legal department, etc. However, you are also required to get in touch with external sources such as the owner of data, federal or state authorities, etc. Continuity of Operations Planning (COOP) 375 Chapter 04: Operation and Incident Response You must have a plan in place to complete your role in the event of a disaster or security incident. Continuity of operations planning, or COOP, is frequently required. This is frequently done ahead of time before a calamity strikes. Incident Response Team Inside the organization, you should have some trained professionals to respond to security incidents. These professionals made the incident response team efficiently deal with the problem and determine what type of events require a response, such as virus infection, ransomware, or DDoS. The incident response team is not a separate department in the organization. Instead, it contains a group of people that come together in a committee if an incident occurs. This team is specifically responding to any incidents that occur. They provide the analysis of what is occurring and what must be done to resolve it and provide the reporting containing the information to make the network stronger for the next incident. Retention Policies If you are involved in a security incident, the first main step is to identify how much data is affected. The organization should have backups of the data. During the security incident, the organization must protect data location and amount of data. It should have copies of the information both at internal and external places. Some organizations are also required to store a certain type of information for a certain amount of time. This regulatory compliance may affect financial organizations or the organizations that deal with a certain type of data. The organization may also use some policies to make a backup available for operational problems—for example, accidental deletion or disaster recovery. 376 Chapter 04: Operation and Incident Response Mind Map Figure 4-11: Mind Map Appropriate Data Source to Support an Incident Investigation Vulnerability Analysis The scanning process includes vulnerability analysis. It is a crucial aspect of the hacking process. This chapter will go through the definition of vulnerability assessment, the stages of vulnerability assessment, the different types of assessments, the tools, and a few other key points. The Concept of Vulnerability Assessment The discovery of vulnerabilities in an environment is a vital duty for a penetration tester. Vulnerability assessment includes identifying environmental problems, design faults, and other security concerns that could lead to the misuse of an operating system, application, or website. Misconfigurations, default configurations, buffer overflows, Operating System weaknesses, Open Services, and other vulnerabilities are among them. Network administrators and pentesters can use a variety of technologies to scan for vulnerabilities in a network. The threat level of any discovered vulnerabilities is 377 Chapter 04: Operation and Incident Response classified into three categories: low, medium, and high. They can also be classified as a certain exploit range, such as local or remote. Vulnerability Assessment Vulnerability Assessment can be defined as examining, discovering, and identifying weaknesses in systems and applications and evaluating the implemented security measures. The security measures deployed in systems and applications are evaluated to identify the effectiveness of the security layer to withstand attacks and exploitations. Vulnerability assessment also helps to recognize the vulnerabilities that could be exploited, any need for additional security layers, and information that can be revealed using scanners. Types of Vulnerability Assessment  Active Assessment: Active Assessment includes actively sending requests to the live network and examining the responses. In short, it is a process of assessment that requires probing the targeted host  Passive Assessment: Packet sniffing is commonly used in passive assessments to find vulnerabilities, running services, open ports, and other data. The targeted host, on the other hand, is not involved in the assessment process.  External Assessment: External Assessment is a process of assessment carried out from a hacker’s point of view to discover vulnerabilities and exploit them from the outside. Outside of the network refers to how a potential attacker could cause a threat to a resource. External network vulnerability assessment identifies how someone could cause a threat to your network or systems from outside of your network  Internal Assessment: This is another method for spotting flaws. Internal assessments include scanning the internal network and infrastructure for vulnerabilities. Internal network vulnerability assessments are typically based on IT industry best practices and technical implementation instructions from the Department of Defense (DoD). During the internal assessment, there are misconfigurations, flaws, policy non-compliance vulnerabilities, patching difficulties, and other concerns. An internal network assessment is concerned with securing network infrastructure. 378 Chapter 04: Operation and Incident Response Figure 4-12: Vulnerability Assessment Types Vulnerability Assessment Life Cycle The Vulnerability Assessment life cycle consists of the following phases: Creating a Baseline The vulnerability assessment life cycle begins with the creation of a baseline. A pentester or network administrator conducting an assessment determines the characteristics of the corporate network, applications, and services at this phase. They compile a list of all resources and assets, which aids in the management and prioritization of the evaluation. In addition, the pentester maps the infrastructure and learns about the security controls, policies, and standards in place at the company. Additionally, the baseline aids in the efficient planning of the process, scheduling tasks, and managing tasks according to priority levels. Vulnerability Assessment The Vulnerability Assessment phase focuses on the assessment of the target. This phase includes examining and inspecting security measures such as physical security, security policies, and controls. This phase evaluates the target for misconfigurations, default configurations, faults, and other vulnerabilities by probing each component individually or using assessment tools. Once the scanning is complete, the findings are ranked in terms of their priority level. At the end of this phase, the vulnerability assessment report shows all detected vulnerabilities, scope, and priority. 379 Chapter 04: Operation and Incident Response Figure 4-13: Vulnerability Assessment Life Cycle Risk Assessment Risk Assessment includes scoping identified vulnerabilities and their impact on the corporate network or an organization. Remediation The Remediation phase includes remedial action in response to the detected vulnerabilities. High-priority vulnerabilities are addressed first because they can cause a huge impact. Verification The Verification phase ensures that all vulnerabilities in an environment are eliminated. Monitor The Monitoring phase includes monitoring the network traffic and system behaviors for any further intrusion. Annualized Loss Expectancy (ALE) is the product of Annual Rate of Occurrence (ARO) and Single Loss Expectancy (SLE), i.e., mathematically expressed as: ALE = ARO * SLE While performing quantitative risk assessment, ALE estimation defines the cost of any protection or countermeasure to protect an asset. SLE defines the loss value of a single incident, whereas ARO estimates the frequency – how often a threat successfully 380 Chapter 04: Operation and Incident Response exploits a vulnerability. Exposure Factor (EF) is the subjective potential percentage of loss to a specific asset if a specific threat is realized. SLE = EF * AV Real-World Scenario: An organization is approximating the cost of replacement and recovery operations. The maintenance team reported that the hardware costs $300, which needs to be replaced once every three years. A technician charges $ 10 per hour for maintenance; it takes 14 hours to completely replace the hardware and install the software. The EF (Exposure Factor) is one (100 %). Calculating the Single Loss Expectancy (SLE), Annual Rate of Occurrence (ARO), and Annualized Loss Expectancy (ALE) is a need for quantitative risk analysis. Calculation: Asset Value (AV) = $300 + (14 * $ 10) = $440 Single Loss Expectancy (SLE) = EF * AV = 1 * $440 = $440 Annual Rate of Occurrence (ARO) = 1/3 (Once in every three year) Annual Loss Expectancy (ALE) = SLE * ARO = 1/3 * $440 = $ 146.6 Vulnerability Assessment Solutions Product-based Solution Vs. Service-based Solution Product-based solutions are deployed within the corporate network of an organization or a private network. These solutions are usually dedicated to internal (private) networks. Third-party solutions that provide security and auditing services to a network are known as service-based solutions. These solutions can be hosted on-premises or in the cloud. These third-party solutions provide a security concern since they can access and monitor the internal network. Tree-based Assessment Vs. Inference-based Assessment Tree-based Assessment is an assessment approach in which an auditor follows different strategies for each component of an environment. For example, consider a scenario of an organization's network on which different machines are live—the auditor may use a different approach for Windows-based machines and a different approach for Linuxbased servers. Inference-based Assessment is another approach to assessing vulnerabilities depending on the inventory of protocols in an environment. For example, if an auditor finds a protocol using an inference-based assessment approach, they will look for ports and services related to that protocol. 381 Chapter 04: Operation and Incident Response Best Practice for Vulnerability Assessment To acquire effective results, the following are some recommended stages for vulnerability assessment. These recommended practices for vulnerability assessment must be followed by a network administrator or auditor.  Before starting any vulnerability assessment tool on a network, the auditor must understand the complete functionality of that assessment tool. This will help in selecting the appropriate tool for extracting the desired information.  Make sure that the assessment tool does not cause any sort of damage or render services unavailable while running on a network..  Be specific about the scan’s source location to reduce the focus area.  Run a scan frequently for identifying vulnerabilities. Vulnerability Scanning Tools Various tools have made detecting vulnerabilities in an existing environment relatively straightforward in this era of current technology and innovation. There are a variety of automatic and manual tools available to assist you in finding vulnerabilities. Vulnerability Scanners are automated utilities specially developed to detect vulnerabilities, weaknesses, problems, and loopholes in an Operating System, network, software, and applications. Scripts, open ports, banners, running services, configuration errors, and other areas are all thoroughly examined by these scanning tools. The following are some of the vulnerability scanning tools:  Nessus      OpenVAS Nexpose Retina GFI LanGuard Qualys FreeScan, etc. Security experts do not only use these tools to find any risks and vulnerabilities in running software and applications but are also used by attackers to find any loopholes in an organization's operating environment. 1. Nessus Nessus Professional Vulnerability Scanner is the most comprehensive vulnerability scanner software powered by Tenable Network Security. This scanning product focuses on vulnerabilities and configuration assessment. By using this tool, you can customize and schedule scans and extract reports. 382 Chapter 04: Operation and Incident Response 2. GFI LanGuard GFI LanGuard is a network security and patch management software that performs virtual security consultancy. This product offers:       Patch Management for Windows®, Mac OS®, and Linux® Path Management for third-party applications Vulnerability scanning for computers and mobile devices Smart network and software auditing Web reporting console Tracking latest vulnerabilities and missing updates 383 Chapter 04: Operation and Incident Response 3. Qualys FreeScan Qualys FreeScan tool offers Online Vulnerability scanning. It provides a quick snapshot of the security and compliance posture of a network and web, along with recommendations. Qualys FreeScan tool is effective for:  Network Vulnerability scans for server and App  Patches  OWA SP Web Application Audits  SCAP Compliance Audits Go to http://www.qualys.com to purchase this vulnerability scanning tool or register for the trial version and try to perform a scan. Qualys offers a Virtual Scanner to scan the local network, which can be virtualized on any virtualization hosting environment. The figure below shows the results of a vulnerability scan performed on a targeted network. 384 Chapter 04: Operation and Incident Response Vulnerability Scanning Tools for Mobiles Following is a list of vulnerability scanning tools for mobiles: Application Website Retina CS for Mobile http://www.byondtrust.com Security Metrics Mobile Scan http://www.securitymetrics.com Nessus Vulnerability Scanner http://www.tenable.com Table 4-04: Vulnerability Scanning Tools for Mobiles 385 Chapter 04: Operation and Incident Response Figure 4-14: Secuirty Metrics Mobile Scan Lab 4-02: Installing and Using a Vulnerability Assessment Tool Main Objective: In this lab, you will learn how to install and use a vulnerability assessment tool. There are many tools available for vulnerability scanning. The one we will be installing and using is Nessus. Go to the browser and type Nessus Home. Click on the Nessus home link, as marked below. 386 Chapter 04: Operation and Incident Response This will take you to the Nessus registration page. You need to register in order to get the activation code, which you are going to need to activate Nessus. For registration, you need to put in your first name, last name, and email address. Check the checkbox and click on Register. Now to download Nessus, click on the download link. 387 Chapter 04: Operation and Incident Response Select the Operating System on which you are going to install Nessus. Here, we will install it on Windows 8 machine (64 bit); therefore, we will download the first link for the 64-bit version of Windows. Now read the agreement, click on I Agree, and save the file to your computer. 388 Chapter 04: Operation and Incident Response Download and install the software. Select I Agree and click Next. 389 Chapter 04: Operation and Incident Response If you want to change the file destination, click on the Change button or just click Next. Click the Install button. 390 Chapter 04: Operation and Incident Response The installation process will now start. The installation is complete. Click Finish. 391 Chapter 04: Operation and Incident Response When you see this window, click on Connect via SSL. Click on the Advanced option. 392 Chapter 04: Operation and Incident Response Now click on Confirm Security Exception to proceed to localhost. Now you have to create an account for the Nessus server. Here, you will choose a login name and password – make sure you remember it because this is what you will use to 393 Chapter 04: Operation and Incident Response log in to Nessus from now on. After inserting your username and password, click the Continue button. Now choose the scanner type that you want. Here, we have selected the first one, which is Home, Professional, or Manager. Go to the email, copy the activation code that was forwarded to you and paste it here. Then, click Continue. 394 Chapter 04: Operation and Incident Response After that, you are going to see the Initializing window. It fetches all the plugins for Nessus, which can take about 15 to 20 minutes. Once all the plugins are installed, a window will appear. This is what Nessus looks like. Now, the first thing you have to do is create a policy. Click on Policies. Now click on Create a new policy. Here, you have multiple scanner options available. What we are going to do now is Basic Network Scan. So for this, click on the Basic Network Scan option. 395 Chapter 04: Operation and Incident Response When you see this window, you have to name the policy. You may name it anything you want; for now, we will name it Basic Scan. In basic settings, you have another setting option that is the Permission setting. In this, you have two options: one is No Access, and the other is Can Use. Here, we are going to leave it as default. Now click the Discovery option. 396 Chapter 04: Operation and Incident Response Here, you have to choose the Scan Type. You can either choose to scan common ports, all ports, or customize it. After selecting your desired option, click on Assessment. Here, you will see three scanning options. Choose whichever you want and then click on Report. 397 Chapter 04: Operation and Incident Response In this window, you have multiple options, and you can see that some of them are ‘checked’ by default. We will leave it as default, but if you want to change some settings, you may change them according to your needs. Here in the Advanced setting option, you have three options to choose from. Select any of them and click on the Credentials button. 398 Chapter 04: Operation and Incident Response Here, we are going to select “Windows” as we are using Windows OS. However, if you have Mac or Linux, then you have to select SSH. Go ahead and insert your credentials and authentication method. If you have a domain, you may insert that (optional). Check the boxes and click the Save button. And that is it; the policy has been created. Now in order to scan, you have to click on the Scan button at the top of the page. 399 Chapter 04: Operation and Incident Response Click on the Create a new scan option. Go to the User Defined option. Click on Basic Scan. 400 Chapter 04: Operation and Incident Response Now, name this scan. We are going to name it Basic Scan – the same as the policy name. You can also add a description if you want. Select the folder where you want to save a scan, and finally, insert the IP address of the target. You may insert the target in different ways. For example, 192. 168. 1. 1, 192. 168. 1. 1/24, and test.com. 401 Chapter 04: Operation and Incident Response You can also schedule your scan. For this, click on Enabled, then select the frequency, start time, and Time zone. If you want to get a notification, you can add your email address. After configuring all the settings, click on the Save button. 402 Chapter 04: Operation and Incident Response Here, you can see that the scanning process has started. Once the scanning process is complete, you can see the results by clicking on the section that is marked below. Below is the scan result. The result is shown in multiple colors. The red represents the Critical Vulnerability, the orange is for High, yellow is for Medium, green is for Low, and blue is for Info. 403 Chapter 04: Operation and Incident Response Now, click on the Vulnerability next to the Host option. Here you will see the vulnerabilities that have been found. Click on any one of them. You can see the description of a particular vulnerability as well as a solution for it. 404 Chapter 04: Operation and Incident Response Here are some other vulnerabilities that were found. 405 Chapter 04: Operation and Incident Response Lab 4-03: Vulnerability Scanning using the Nessus Vulnerability Scanning Tool Case Study: In this case, we will scan a private network of 10.10.10.0/24 for vulnerabilities using a vulnerability scanning tool. This lab is performed on a Windows 10 virtual machine using the Nessus vulnerability scanning tool. You can download this tool from Tenable’s website: https://www.tenable.com/products/nessus/nessusprofessional. Configuration: 1. Download and install the Nessus vulnerability scanning tool. 2. Open a web browser. 3. Go to the URL http://localhost:8834 4. Click on the Advanced button. 406 Chapter 04: Operation and Incident Response 5. Proceed to Add Security Exception. 6. Click Confirm Security Exception. 407 Chapter 04: Operation and Incident Response 7. Enter Username and Password of your Nessus Account (You have to register to create an account to download the tool from the website). 408 Chapter 04: Operation and Incident Response 8. The following dashboard will appear. 9. Go to the Policies tab and click Create New Policy. 10. In Basic Settings, set the name of the policy. 409 Chapter 04: Operation and Incident Response 11. Go to Settings > Basics > Discovery to configure discovery settings. 12. Configure port scanning settings under the Port Scanning tab. 410 Chapter 04: Operation and Incident Response 13. Under the Report tab, configure settings as per your requirements. 14. Under the Advanced tab, configure parameters. 411 Chapter 04: Operation and Incident Response 15. Now go to the Credentials tab to set credentials. 412 Chapter 04: Operation and Incident Response 16. Enable/disable desired plugins. 17. Check whether the policy is successfully configured or not. 18. Go to Scan > Create New Scan. 413 Chapter 04: Operation and Incident Response 19. Enter the name for a new scan. 20. Enter target address. 414 Chapter 04: Operation and Incident Response 21. Go to My Scan, select your created scan and launch it. 22. Observe the status to check if the scan has successfully started or not. 415 Chapter 04: Operation and Incident Response 23. Upon completion, observe the result. 24. Click on the Vulnerabilities tab to observe the detected vulnerabilities. You can also check other tabs like Remediation, Notes, and History to get more details about the history, issues, and remediation actions. 25. Go to the Export tab to export the report and select the required format. 416 Chapter 04: Operation and Incident Response 26. The below figure is displaying a preview of the exported report in PDF format. 417 Chapter 04: Operation and Incident Response Note: Nessus is a proprietary network vulnerability scanner developed by Tenable that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools. Nessus employs the Nessus Attack Scripting Language (NASL), a simple language defining individual threats and potential attacks. Vulnerability Assessment Reports Vulnerability Assessment reports help security teams in addressing the weaknesses and discovered vulnerabilities. VA reports outline all discovered vulnerabilities, weaknesses, security flaws within a network and its connected devices. VA reports should also contain remediation, recommendations, and countermeasures to address the outlined security issues. The VA process consists of two phases, vulnerability scanning and VA reporting. Following are the critical elements of a VA report:      Scope of the Vulnerability Assessment: Scope should define the approved scanning tools, version information, Hosts, Subnets, and Ports information to be scanned. Executive summary of the report Detailed information about existing vulnerabilities on each target Severity level of each vulnerability, i.e., High, Medium, Low Correlation of discovered vulnerabilities with Vulnerability frameworks, such as CVSS Analyze Vulnerability Scan Results Asset Categorization We use public, private, limited, and secretive analyses to structure the assets. The ability to classify an organization's assets aids in the identification of its vulnerabilities and their impact on the broader organizational process. Consider the following example: Public There is no risk to the organization with a public analysis if it is disclosed but does present a risk if it is not modified or accessible. Private A private analysis poses some risk to the organization if a competitor has it or it is modified or unavailable. Restricted This is informationally restricted to a small number of users and may cause serious disruption to business operations. Confidential 418 Chapter 04: Operation and Incident Response If the information is made public, it has a tremendous impact on the company and its clients. Personal Identifiable Information (PII), Protected Health Information (PHI), or Payment Card Information are examples of this type of data (PCI). It can also be divided into groups based on individuals, applications, servers, and places. Adjudication The goal of the adjudication process after a vulnerability scan is to determine the value and legitimacy of the scan result. It assesses and ranks vulnerabilities according to the risk they provide to the organization. The Common Vulnerability Scoring System (CVSS) is one of the most common methods. Common Vulnerability Scoring System The Common Vulnerability Scoring System aids in the diagnosis of a vulnerability's main characteristics and generates a numerical score indicating the severity of the vulnerability. To assist organizations in correctly assessing and prioritizing their vulnerability management process, the numerical score can be translated into a qualitative representation (low, medium, high, or critical). Security Base Score Rating None 0.0 Low 0.1 - 3.9 Medium 4.0 - 6.9 High 7.0 - 8.9 Critical 9.0 - 10.0 Table 4-05: CVSSv3 Scoring False Positives In vulnerability scanning, False Positives occur when the scanner can access only a subset of the required information, preventing it from accurately determining whether a vulnerability exists. False positives use more than one type of scan and cross-reference. The most common false positives occur on static web pages. A false positive is when the system incorrectly receives a biometric sample as being a match. Biometric sensors can sometimes make mistakes for several reasons. A biometric, such as a fingerprint or iris scan, is submitted to the system, and it is compared to all entries in a database for a match. A one-to-many search is what this is called. Live biometrics change due to climate, age, or a possible injury on a finger. 419 Chapter 04: Operation and Incident Response Vendors refer to these threshold settings as False Acceptance Rates (FARs) and False Rejection Rates (FRRs). Prioritization of Vulnerabilities The majority of these vulnerabilities are considered high or critical based on the industry-standard CVSS. Vulnerability Management strategies allow them to respond to the growing number of threats of the digital age. We find the Vulnerability Prioritization within these strategies. Vulnerability Prioritization represents one of the key reasons for the Vulnerability Management process. The Benefits of Vulnerability Prioritization There are several benefits of Vulnerability Prioritization; Few are as follows: Faster and more effective responses: Among the enormous volume of vulnerabilities that affect one organization, there are trivial numbers compared to others. By prioritizing the most important threats, the security team avoids wasting time on solving less significant problems. Better use of resources: Vulnerability prioritization allows organizations to use their resources more intelligently. Whether referring to security professionals or vulnerability scanners, companies can invest in useful resources without worrying about wasting time and money addressing minor threats. Lack of Best Practices Each tetwork and running service rtype equires best practices to be followed while planning, deploying, and functioning. These best practices help the administrator to control and monitor the network and running services with ease. Best practices for wired networks may differ from the recommendations suggested for wireless networks. Similarly, applications and software services running on different operating systems and servers are recommended with different best practices. Several worldwide standard organizations manage and govern standards and policies for organizations providing services across the globe. These best practices are based on past experiences and consider disclosed vulnerabilities detected threats and industry experts' recommendations. Appropriate Solutions/Recommendations Vulnerabilities to Remediate the Discovered The following are five recommendations for implementing controls that will help organizations maintain a regularly configured environment that is secure against known vulnerabilities. 420 Chapter 04: Operation and Incident Response Threat Monitoring Process Your security staff must stay up to date on these risks. They accomplish this by examining vendor notifications of threats, patches, and system updates and receiving information from US CERT, which is always up to current with the most recent information. Vulnerability remediation management must address any dangers discovered by the team. Regularly assess your vulnerability This is not something you do once and never think about again. Because the evaluation is merely a snapshot of your position at a certain point in time, it can alter if new vulnerabilities are discovered. As a result, you must ensure that you create a structured program with clearly defined roles and duties that focus on developing and maintaining good performance. Set up and stick to a set of baseline setups Using documented configurations and applicable standards, standardize the configuration of similar technology assets inside your firm. Your security team must document all baseline configurations in your environment, keep these documents up to date, and ensure that they are integrated into your system build process and enforced throughout. Remediate vulnerabilities This is the process of assessing the vulnerabilities you have discovered, assigning risk to them, preparing responses to them, and then logging any activities taken to mitigate the vulnerabilities you have discovered. Finding flaws and doing nothing about them is pointless and leaves your company vulnerable to a variety of attacks. Patch vulnerabilities Vulnerability and patch management is best handled in the following manner:     You must have processes in place to discover and confirm vulnerabilities utilizing relevant tools and services that will help you detect suspected or confirmed threats to your organization. The next step is to examine your findings in order to comprehend the hazards fully. How can you put the right measures in place to cope with them if you do not have a true understanding? After you have completed your analysis, you will be required to address the issues. Once you have put your "repair" in place, you will be required to rescan or retest it to make sure the effectiveness. SIEM DashBoard 421 Chapter 04: Operation and Incident Response SIEM stands for Security Information and Event Management. This is usually a logging information device from any different resources on the network and consolidating all of those logs back to one single reporting tool. SIEM allows you to analyze the data to create security alerts and real-time information about what is happening on the network right now since you can collect all the information and aggregate it into a single place and create long-term storage to easily create some extensive reports over a long period of time. Figure 4-15: SIEM Dashboard Sensors A SIEM can collect data from a variety of sources. You can collect the log files for a particular operating system, such as Windows or Linux, and have them forwarded to a central SIEM database. Switches, routers, firewalls, and other devices all have log files. You can also use third-party sensors that follow the standards, such as NetFlow that provide information about traffic flows across the network. Sensitivity It is almost overwhelming when you consolidate all of the information from so many different devices into a single database and then read through the database to find the information that you can use; therefore, it is important to use a SIEM to parse the data and put the information into different categories (like information, urgent, warning, etc.). Trends As all the gathered information over a very long time, you can see the change that identifies the change over time. You can also see a spike whenever a particular security event occurs, or network utilization is less than normal. 422 Chapter 04: Operation and Incident Response Alerts SIEM also features intelligence that can interpret the collected data, look for specifics, and offer you proactive alarms and alerts. You could then use the data in the SIEM to build reports and view additional information about the occurrence. Correlation You can also begin correlating different data types into a standard set of information. For example, you can view the relationship between source and destination IP addresses, user, source type, and other information gathered from the log files. Log Files Several devices connected to the networking infrastructure can provide you with feedback about the things that may be occurring on the network. This includes switches, routers, firewalls, VPN concentrators, and other devices. An example is shown in Figure 4-15. This is a switch log file that contains information about the interfaces. The switch's security information is also defined in this file. For 60 seconds, all TCP SYN traffic destined for the local system is immediately blocked. The receiving logs may provide this type of information. Figure 4-16: Log Files Network The log file may define the routing updates, authentication issues, and network security issues in terms of networking information. System When you see the log files on the operating system, you will see extensive information and must include the information about the operating system. The files and the applications are running on that OS. The information about the program configuration, the system, and forwarded events is also included in the security events area of Windows. The operating system can keep an eye out for security or authentication events and log everything. Because these operating system log files contain so much data, you will need a way to filter it. Massive events are kept in a log file on the event viewer. Fortunately, Event Viewer includes a variety of options that allow you to filter the data in a variety of ways. 423 Chapter 04: Operation and Incident Response Application Many applications also keep their own log files. You will find the application log information in the "Event Viewer” under application log-in windows. For Linux/macOS, it is present under /var/log. Security The security log files provide detailed security-related information. You have many devices that gather the security details to easily see what traffic flows have been allowed or blocked through the network. You can also view any exploits that may have been attempted. You would see if any of the URL categories have been blocked by the firewall or proxy or DNS sinkhole traffic, telling you what devices attempted to connect to a known malicious location. Most of the log and security details are created on the security devices connected to the network, such as intrusion prevention systems, firewalls, or proxies. This can provide detailed security information about every single traffic flow going through the network. Firewall The firewall logs can give information about traffic flows that may be allowed or blocked. It also provides information on what IPv6 packets have been blocked on the network. It also provides information on website access that has been denied. Web If you have a web server, you have an extensive log that defines exactly who is connected to the website server and what pages they can view. It also defines the information occurring, especially if someone is trying to access non-existent files or files associated with known vulnerabilities. DNS A Domain Name Server can provide information about what queries have been made against the DNS server. You can view the IP address of the request, and many log files will store the fully qualified domain name for the request. Since you have full control of your DNS server, you can block any attempts to resolve a known malicious site. You can then use that list to identify the potentially infected device, and then you can clean those devices and remove them to focus your network. Authentication The process of validation is called Authentication. TWhen a client requests a resource request, thewebserver has to verify a user's identity in the authentication process This way, user credentials are supplied, and the webserver validates them—the 424 Chapter 04: Operation and Incident Response authentication attack targets and attempts to exploit the authentication process for the user’s identity. Un-authenticated hackers can gain network access by exploiting these vulnerabilities. Credentials of the user include name, user ID, and password to verify the identity of a user. The system determines whether the credentials are rightly used. The system authenticates user identity via login passwords in public and private networks. A user’s identity is simply determined by what they know, what they have, or what they are. The verification of at least two or all the three authentication factors is essential for security. Authentication has different factors that include: Single-factor Authentication The simplest authentication method depends on a simple password. A system such as a website or a network grants access using the verified credentials’ identity. Login credentials are the most common examples of single-factor authentication for which only a password and user name are required. Two-factor Authentication A two-step verification process requires a username, password, and something only the user knows to guarantee tecurity such as an ATM pin. With an additional piece of confidential information along with a username and password, any attempt to steal valuable data becomes more difficult. Multi-Factor Authentication This authentication method uses two or more levels of security from the independent categories of authentication to grant access to a system. The factors must be independent of each other to remove any existing vulnerabilities in the system. Multiple-factor authentication is used by banks, law enforcement agencies, and financial organizations to protect their applications and data from threats. The types of attacks that are considered authentication attacks are as follows: Attack types Brute Force Attack description Allows an intruder or attacker to predict a person's user name, credit card number, password, or cryptographic key using an automatic procedure of trial and error Insufficient Authentication Allows an attacker to access a website comprising content that is sensitive or functions without having to authenticate with the website Weak Password Permits an intruder or attacker to access a website that offers Recovery them the ability to illegally obtain, change, or recover another Validation user's password 425 Chapter 04: Operation and Incident Response Table 4-06: Authentication Attacks Dump Files The memory dump files are those that can create on-demand. You can take a single application using task manager and Windows and create a dump file that will store everything in memory associated with the application into a single file. This file is normally created when working with technical support to resolve an application problem and send that memory dump file to the developer to try to locate and resolve that issue. The dump files can be easily created from Windows Task Manager VoIP and Call Managers Although, most of the environments you are working in have moved from the traditional plain old telephone system, running over analog phone lines to voiceover IP and digital packets. The call manager log includes the inbound and outbound call information and security information. Session Initiation Protocol (SIP) Traffic Voiceover IP protocols, such as Session Initiation Protocol, can provide detailed log information (SIP). It sets up the phone call and messages so that you can monitor the call setup, management, and teardown. You will also be able to see information on inbound and outbound traffic. syslog/rsyslogs/syslog-ng Syslog is a common way for transmitting log files from a single device to a centralized database. This is built into the SIEM (Security Information and Event Manager). It is a centralized log server that collects logs from all of the devices and consolidates them. Journalctl If you are managing the Linux operating system, there are many different logs available on that device. Some of them are specific to the operating system itself, and some of the logs are created by the demons running on the system or application. There is a standard format for storing system logs on Linux in a special binary format. This optimizes the storage area and allows to query the information very fast. However, you are not able to see it with a text editor because of binary formatting. Fortunately, Linux has a utility called “journalctl.” It allows to query information present in the system journal and provide output on what may be present there. nxlog 426 Chapter 04: Operation and Incident Response nxLog is a multiplatform log collection and centralization solution that includes log enrichment and forwarding capabilities. nxLog may be used as a single tool to process all of the different types of logs that your company generates. Various sources, such as files, databases, Unix domain sockets, network connections, and other sources, can be used to collect logs. Bandwidth monitors One of the first statistics you want to gather from log files is information on the bandwidth. This is a fundamental network statistic that shows the percentage of the network that has been used over time. There are different ways to gather these metrics: Simple Network Management Protocol (SNMP), NetFlow, sFlow, IPFIX, etc. You can also use a protocol analyzer through the software agent that is running on a particular device. EXAM TIP: Bandwidth monitoring is always good to qualify that you have the bandwidth available to transfer information for the application because if the bandwidth has been exceeded and you are running out of the available space on the network, then none of the applications will perform properly. Metadata Metadata is data that describe other types of data. It contains within the files that are using on the device. Email If you send and receive an email, there is metadata within the email messages you normally do not see. The information is present in the email message's header; the information defines which servers are used to transfer the email from one point to another. Mobile In terms of phones, there is an extensive amount of metadata that could be stored. For example, if you take a picture or store video on the mobile device, it could be kept in that metadata, the type of phone used to take a picture ,or the GPS location where the picture was taken. Web If you are using a web browser to connect to the webserver, then metadata will be transferred back and forth there. For example, you could send your operating system information, the type of browser you are using, and the IP address you are sending it from. 427 Chapter 04: Operation and Incident Response File You can store files or documents in Microsoft Office; you may find the metadata inside that document that shows the name, address, contact number, title, and other identifying information. Netflow NetFlow is a standardized way for collecting network information from switches, routers, and other network devices. NetFlow data is frequently pooled into a single NetFlow server, from which you may examine data from all of your devices through a single administration console. NetFlow is a well-known standard that makes it simple to collect data from devices made by a variety of different manufacturers. Bring all of the data back to a single central NetFlow server. The NetFlow architecture is an architecture that separates the probe from the collector. The architecture may have a different number of devices, such as individual NetFlow probes or the NetFlow capability built into the network device that it is using. These probes are either sitting inline within the network traffic or receiving a copy of the network traffic, and all the other details are exported to a central NetFlow collector where you can easily create different reports. Figure 4-17: NetFlow 428 Chapter 04: Operation and Incident Response sFlow One of the difficulties with collecting network traffic and developing metrics based on the discussions taking place on the network is that it can consume a lot of resources, especially if you run a very high-speed network. Sampled Flow (sFlow) is used to balance the available resources with the demand to examine more statistics on the network. This allows viewing the selected portion of the network traffic to gather metrics. Because of the lower resources required for sFlow, you can embed this capability in a number of infrastructure devices. IPFIX IPFIX is the industry standard for exporting IP flow data. It is also regarded as a new NetFlow version. It was made with NetFlow v9 in mind (version 9). This gives us more freedom in terms of what data we gather and what information is sent to a centralized server. The functionality is similar to the NetFlow, except you can customize exactly what kind of data you receive from those collectors. Protocol Analyzer Output Protocol analyzers are commonly used to diagnose complex application problems since they capture every bit of data from the network and explain what is happening across those specific network channels. Wireless networks and wide area networks can also benefit from the protocol analyzer. This analyzer gives you precise information about unknown traffic, packet filtering, and security control, as well as a plain-language description of the application data. 429 Chapter 04: Operation and Incident Response Mind Map Figure 4-18: Mind Map Use of Mitigation Techniques or Controls to Secure an Environment Reconfigure Endpoint Security Solution Endpoints refer to the devices that are using day today to do the jobs. This includes a desktop computer, laptops, tablets, smartphones, etc. There are multiple ways available to exploit these devices. The endpoint is a critical piece of security. These devices should be protected from malware, operating system, or vulnerabilities. The IT security team is responsible for monitoring all these devices, and they are constantly watching for alerts and alarms that can let them know when something usually might be happening on the endpoint. Application Whitelisting One security control is to define that what applications are allowed or not allowed on a particular endpoint. When the user downloads any software from a third-party website and software has some malware, the IT security team can create a more secure and stable environment. by providing control of the applications running on the endpoint 430 Chapter 04: Operation and Incident Response One approach on how to implement this type of control is through the use of an approved list. That means that the IT security team would create a list of approved applications and allow them to run only that application on the endpoint. Application Blacklisting Another way to implement the control is to have a blocklist or deny list. The blocklist contains the applications that are specifically be prevented from running on the particular endpoint. This means that the users are allowed to install the application unless that application is listed in the deny list. It is very common for anti-virus or antimalware to have their own deny list, and if the user tries to launch that application, the anti-malware software will prevent that application from running. Quarantine If the endpoint security software recognizes an application that seems to have malicious software, it can remove that from the system and place it into a quarantine area. This can be a folder on the existing system where no applications are allowed to run. Configuration Changes Secure configuration refers to the security precautions taken when developing and installing computers and network equipment in order to reduce cyber vulnerabilities. One of the most prevalent security flaws that criminal hackers attempt to exploit is security misconfigurations more than 96% of the time. Internal penetration tests frequently meet a network or service misconfiguration, according to recent research from Rapid 7. Firewall rules The latest generation of firewall allows you to allow or deny certain applications from traversing the network. The firewall allows access to a Microsoft SQL Server application; however, deny access to a web application. The firewall rules are most commonly used to manage application flows and block dangerous applications. Mobile Device Manager (MDM) The Mobile Device Manager (MDM) can allow or deny access to mobile devices. The MDM allows the IT security administrator to set policies on all of the mobile devices and always protect the devices from malicious software. Data Loss Prevention (DLP) The DLP’s role is to identify and block the transfer of any personally identifiable information. When someone is trying to transfer personal records, social security, or anything that is sensitive, it could be blocked by DLP. 431 Chapter 04: Operation and Incident Response Content Filter/URL Filter The Uniform Resource Locator (URL) can be used as a security control. If anyone tries to visit malicious sites, the URL can block access to that particular location. And, if anyone is trying to access a known location, the URL will allow access to those sites as well. Many of the URL filters can also be integrated with third-party blocklists. These blocklists are constantly updated and can provide a real-time blocking of known malicious sites. Update or revoke certificates A Certificate Revocation List, or CRL, is used to verify that a digital certificate is still valid. Before connecting VPN tunnels, VPN appliances employ CRLs to check for invalid certificates. The certificate is validated during phase 1 discussions when using digital certificates with VPNs. The appliance tries to retrieve a CRL via LDAP (Lightweight Directory Access Protocol) or HTTP (Hypertext Transfer Protocol), which is defined inside the CA certificate if no CRL has been loaded into the VPN. Many VPN appliances additionally let you choose an address to which the CRL should be sent. Isolation The concept of isolation is one where you can move a device into an area with limited or no access to other resources. Isolation is a key strategy, especially when trying to fight with malicious software or software constantly trying to communicate back to a command and control location. The isolation concept is often used when someone is trying to connect to the network and does not have the correct security posture on their device. Perhaps, they have not updated to the latest antivirus signatures. Therefore, the devices will be put on a separate remediation VLAN that would give them access to update the signature. Once those signatures are updated, they are then allowed access to the rest of the network. You can also implement process isolation. If you identify a process running on the device that seems suspicious, you can disallow any access from that process to the rest of the network. Therefore, the user will still be able to communicate using the normal trusted applications. Containment Containment inhibits or logs harmful behaviors in an application that is constantly changing based on containment criteria. Every application is executed in its own sandbox, with only limited access to the operating system and other processes. This means that if the computer is compromised with ransomware, the malware could infect that specific program. 432 Chapter 04: Operation and Incident Response The containment can be reactive because once some machine identifies ransomware, you can change the security event, disable administrative shares, remote management, local account access, and also change the local administrator password. Segmentation Network segmentation helps protect against data breaches, ransomware attacks, and other cybersecurity threats. In a correctly segmented network, groups of end devices such as servers and workstations have only the connectivity required for legitimate business use. This limits the potential of ransomware to spread or an attacker pivot from one system to another. SOAR SOAR stands for Security Orchestration, Automation, and Response (SOAR). SOAR platforms are a set of security software solutions and applications that allow you to browse and collect data from various sources. SOAR solutions then evaluate this disparate data using a combination of human and machine learning to comprehend and prioritize incident response actions. An administrator can use SOAR to connect numerous third-party products and make them function together. Runbooks serve as the foundation for the integration. Runbooks A runbook contains explicit instructions on how to do a certain task. It also includes extensive instructions on how to reset a password, create a website certificate, and backup application data, among other things. Playbooks Playbooks can be made by combining the runbooks. A playbook is a more detailed description of what to do if a specific event occurs. For example, if you want to recover from ransomware, you will need a playbook that lays out all of the procedures you will need to do to get rid of the ransomware. 433 Chapter 04: Operation and Incident Response Mind Map Figure 4-19: Mind Map The Key Aspect of Digital Forensics Digital Forensics describes the process of collecting and protecting information that is usually related to the same type of security event. This covers many different techniques for gathering data across many types of digital devices. It also describes different methods used for protecting that information once you have retrieved it. Documentation/Evidence RFC 3227 is the guideline for evidence collection and archiving. It is a great best practice to get what is involved with the digital forensics process. This RFC describes three phases for the digital forensics process the acquisition of data, the analysis of that data, and reporting of that data. Legal hold Legal hold is a legal technique to prevent relevant information requested by legal counsel. It describes what type of data needs to be preserved for later use. The data 434 Chapter 04: Operation and Incident Response copied for this legal hold is often stored in a separate repository, and it is referred to as Electronically Stored Information or ESI. These legal holds may ask for many different kinds of information and many types of applications, and the information is stored for a certain amount of time or maybe of indefinite hold. When you receive the legal hold and have the responsibility to gather and maintain the data, you will preserve all of the information. Video Another good source of information to gather is from video. Video can provide information external to the computer and network. For example, you can capture the screen information and other details around the system that normally would not be captured through other means. Admissibility Not all data can be used in a legal environment, and the laws are different depending on where you may be. The important part of the collected data is w set of standards that aallowthe data to be used in the legal environment. Legal authorization If you are authorized to gather the information, the data itself is protected. In other, the network administrator may complete the access to that data. Procedures and tools The correct tools are used the correct way. You should use the best practices for tools and procedures that you follow. Laboratories If the laboratories use the data, the proper scientific principles should be used to analyze the evidence. Chain of Custody To verify that no changes occur to the collected data, you require documentation that maintains the integrity. This documentation is called a chain of custody. It is common to have a catalog that labels and documents everything collected into a central database. You can also use hashes during the collection process to easily verify the data you are looking at is the same data that was collected. Timelines of Sequence of Events As time goes on, the important information is to document the time zone information associated with the device that you are examining. Timestamps 435 Chapter 04: Operation and Incident Response Different file systems store timestamps differently. FAT: If you are using the File Allocation Table file system, all of the timestamps are stored in the local time on that file system. NTFS: If the device was storing the information in a file system using NTFS, the timestamps are stored in Greenwich Mean Time (GMT). Time offset The time offsets can be different depending on the operating system you are using, the file system in place, or the device Tags Reports When all the data is collected, there is a need to analyze and report exactly what occurred during that security event. The report should start with a summary providing a high-level overview of what occurred during the security event. There should also be detailed documentation describing how the data was collected, the analysis performed on that data, the inferences, and the conclusion gathered based on that analysis. Event Logs Event logs provide a wealth of information because they store details about the operating system, the security events, and the applications running in the operating system. Interviews Interviews will allow you to ask questions and get information about what a person saw when a particular security event occurred. Acquisition Order of Volatility When collecting data from a system, one challenge you have when collecting data from a system is that some of the data is more volatile than others. Certain data will be stored on the system for an extended period of time, while other data may only be available for a few minutes. Therefore, you need to start collecting the data with the information that is more volatile and less volatile. The order of volatility is shown in Figures 4-20. 436 Chapter 04: Operation and Incident Response Figure 4-20: Order of Volatility Disk There is a great deal of information stored on a system’s hard drive or SSD. If you want to learn the best way to gather the information for forensics, the first step is to prepare the drive to be imaged. You can power down the system so that nothing can be written to that drive, and you can also easily remove the storage drive from the system. After that, you will connect the drive to a device specifically designed for imaging. These are the handling systems designed with the right protection so that nothing on that drive can be altered. You will then copy all of the data on the drive. Random-Access Memory (RAM) The important source of data is the information in memory. This can be difficult to gather, not only because the information changes constantly; however, capturing the information from memory can change a portion of that memory. There are also third-party tools available that can provide memory dump. They will take everything in the system's active memory and copy it to a separate system or a separate connected device. You can also gather as much as you can from the memory because some of the information is never written to a storage drive. The important data like browsing keys, clipboard information, encryption keys, and command history may be found in memory; however, they do not display on the storage drive itself. Swap/pagefile A swap or pagefile is a temporary storage region in current operating systems. These pagefiles have slightly different operating systems depending on whatever operating system you use. 437 Chapter 04: Operation and Incident Response In many places, the swap drive is a section of the storage device that may be used to swap data out of random access memory and free up space for other applications to run. A piece of an application is contained in the swap. You can transfer an application that is not currently in use to active memory and store it on a local drive temporarily. As a result, the application should run smoothly. Note: The swap also collects information from active RAM and contains data comparable to the RAM dump. OS The files and data present on the operating systems can help to understand the security events. The operating system also contains information like a number of logged-in users, open ports on devices, currently running processes, and attached devices. If you investigate the malware infection or ransomware installation, then the attached devices from the operating system can provide important information during the analysis. Device There are several tools available for collecting the same type of information from a mobile device. There are capture methods available, that you could either use a backup file that was previously made from that device, or you cannot directly be connected to the device, usually over USB, and create a new image from the device. Inside of the mobile device, you can easily find information about the phone call, contact, text message, email data, images, movies, etc. Firmware With some security events, you may have noticed that the firmware of a device has been modified. The firmware implementation is specific to the platforms. The attackers gain access to the device and install the updated and hacked version of the firmware. Getting access to the firmware may help understand how the device was exploited, the firmware functionality, and the real-time data sent to and from the device. Snapshot When working with virtual machines, you can easily get details from the snapshot. The snapshot is like an image of the virtual machine. Taking the snapshots starts with the original image that will act as a full backup of the system. It is common to then take subsequent snapshots of the virtual machine. Especially when you change and update the VM due to any reason, you will be required to take every updated snapshot. 438 Chapter 04: Operation and Incident Response To restore the virtual machine from the snapshots, you will be required to use the original snapshot with all the incremental snapshots (updated version). Cache The operating system and applications can speed themselves up through the use of a cache. A cache is a temporary storage area designed to speed up the performance of an application or an operating system. There are many different kinds of cache, including CPU cache, disk cache, the cache for a browser, and cache connected to the network. The cache often contains very specialized data. CPU cache – It contains all the data specified on the operation of a single CPU. Browser cache – It only contains the URLs of the location visiting with some browser page components, including text, images, etc. The cache is usually writing information that was queried originally so that if the other query was made that was identical, you can simply go to the cache instead of performing the query against the original service. Network The network contains a wealth of information. You can see all of the different connections made over the network. The networks are useful for the inbound and outbound session with the device's operating system and application traffic. In large environments, extensive packet captures occurring, and storage of large amounts of data is sent across the network. There might also be smaller packet captures available on the security devices like firewalls, Intrusion Prevention System (IPS), etc. Artifacts The artifacts are the things stored in a log. It may be a flash memory, prefetch cache files, information stored in the recycle bin, and the information that you are storing in the browser. Note: Bookmarks and log-in records are also considered artifacts. On-Premises vs. Cloud We have discussed the digital forensics process with devices that would be in the possession. It can be a computer, laptop, mobile device, etc. To perform digital forensics in the cloud, complexities are added concerning cloud technologies. The technical challenges become wide as the devices are located in another facility somewhere in the cloud. It is also very difficult to associate the cloud439 Chapter 04: Operation and Incident Response based data to one specific user. As many people access the cloud-based service simultaneously, picking out an individual’s piece of data adds extra complexities to the forensics process. The legal issues are also associated with cloud-based data, especially since the rules and regulations around the data can be of different types due to your location in the world. Right-to-Audit Clauses Before you work to get access to cloud-based data for forensics purposes, it would be valuable to have already created an agreement on how the data could be accessed. Therefore, working for a cloud provider or a business partner will be very useful to qualify how the data should be shared, and outsourcing would work. The right to audit clauses in the agreement will permit knowing where the data is being held, how the data is being accessed over the internet, and what security features may be in place to protect the data. As the initial contract with the cloud provider is being created, the right to clause can be added to specify how to create a security audit of that data. Regulatory/Jurisdiction The technology behind cloud computing is evolving rapidly, and the legal system is trying to make changes with the technology. That is why forensics professionals need to work with the legal team. Very different regulations may bind the data in a different jurisdiction. In cloud-based applications, the data can be located in a completely different country. In a particular case, the physical location of the data center may determine the legal jurisdiction for that data. Data Breach Notification Laws Another concern is that notification laws associated with data breaches are called data breach notification laws. Many states and countries have laws and regulations stating, “if any consumer data happens to be breached, then the consumer must be informed of that situation. These notification laws can be different depending on the location of where the data would be stored. If there is a cloud-based application, then the data will be storing information from all countries into a single database, and a breach of that data may have a broad impact on who gets notified. The notification requirement varies depending on the geography. There may be rules and regulations regarding the type of breached data, who needs to be notified if a breach occurs, how quickly you get notify, etc. 440 Chapter 04: Operation and Incident Response Integrity Hashing When you are collecting data for evidence, you want to be sure that nothing will change with your collected information. One way to ensure this is to create a hash of that data. This is a way to cryptographically verify that what you have collected will be exactly the same as what you will examine later. Checksums A relatively simple integrity check can be done with checksum. This is commonly done with network communication to ensure that the information you have sent from one side of the network to the other has shown up without any type of corruption. This is not designed to replace a hash. However, it provides a simple integrity check that may be useful in certain situations. Provenance The source of the data is called provenance. This provides the documentation of where this data originated. It is also useful to have a chain of custody for data handling. This also provides an opportunity to take advantage of newer blockchain technologies that can provide more detailed information tracking. Preservation It is very important when working with data as evidence that you can preserve the information and verify that nothing has changed with the information while it has been stored. Additionally, you should manage the collection process from mobile devices. The live collection of data becomes an important skill. Data is converted into an encrypted form, making it difficult to collect after powering down. The gathering of information requires the best practices to ensure the admissibility of data legally. This will be useful, especially if the data will be used later for some reason. E-discovery There is a legal mechanism used to gather information called discovering. When this mechanism applies to digital technologies, it is referred to as Electronic discovery (Ediscovery). This process gathers the data. Hence there is no need to examine or analyze the information. For data, you are simply required to search from the list of information that is being requested. The process of E-discovery often works in conjunction with digital forensics. For example, with E-discovery, you will obtain the storage drive and provide that to the authorities. The authorities will then look for that drive and notice the information on 441 Chapter 04: Operation and Incident Response that drive is smaller than expected. At that point, you will bring in some digital forensics experts that can examine the drive and attempt to recover any data that have been deleted. Data recovery Recovering missing processes can be a complex process. There is no single way to recover the data. The recovery requires extensive training and expertise to find the best way for data recovery. The exact process of data recovery may be based on:     Deleted files on the drive Hidden files Hardware and software corruption Damaged storage device Non-repudiation Non-repudiation is the process of proving the data integrity and the origin of data. With this process, you know who sent the data; however, you have high confidence of exactly who sent that information. This means that the only person who could have sent the data is the original sender. There are two ways to providing non-repudiation: Message Authentication Code (MAC) – With MAC, the two parties that are communicating back and forth are the two that can verify that non-repudiation. Digital Signature – Anyone who has access to the public key of the person who wrote the information can verify that they can use it. EXAM TIP: With MAC, the two parties can verify non-repudiation. In contrast, the non-repudiation can be publicly verified in the digital signature. Strategic Intelligence/ CounterIntelligence (CI) Gathering evidence can also be done by using strategies intelligence, also known as counterintelligence. This is when you are focusing on the domain and gathering threat information about that domain. This is useful when finding out business information, geographic information, or details about a specific country. You can also gather much of this information from threat reports that you crate internally or information gathered from a third party. There might also be some other data sources, especially with Open Source Intelligence (OSIT), that provide some additional information as well. 442 Chapter 04: Operation and Incident Response Strategies intelligence also helps to determine the threat landscape based on the trends. If you are the subject of someone’s strategy intelligence, you may want to prevent that intelligence from occurring, and instead, you should perform the strategy counterintelligence. With CI, you could easily identify someone trying to gather information and attempt to disrupt that process. CI also helps to gather threat information on foreign intelligence operations. Mind Map Figure 4-21: Mind Map 443 Chapter 04: Operation and Incident Response Practice Questions 1. Which of the following commands is used to determine the network adapter information? A. ipconfig B. Nmap C. hping D. curl 2. Which of the following methods is used to gather the network statistics? A. Metadata B. Data Recovery C. NetFlow D. None of the above 3. Which of the following is a temporary storage area? A. Swap B. Firmware C. Snapshot D. Cache 4. Which of the following defines a set of security software solutions and applications to browse and collect data from different sources? A. Evidence B. SOAR C. E-Discovery D. File manipulation 5. Which of the following has cryptographic libraries to perform hashing functions? A. SSH B. CLI C. PowerShell D. OpenSSL 6. Which of the following is the stateless protocol that ensures the binding of IP and MAC addresses? A. TCP B. ARP C. FTP D. SMNP 444 Chapter 04: Operation and Incident Response 7. Which of the following allows and denies access to the mobile device? A. MDM B. DLP C. URL Filter D. All of the above 8. Which of the following is used to troubleshoot complex application problems? A. Log Files B. SIEM Dashboard C. Protocol Analyzer Output D. Metadata 9. Which of the following store an application that seems to have malicious software? A. Application Whitelisting B. Application Blacklisting C. Cache D. Quarantine 10. Which of the following is the legal mechanism to gather information from electronic devices? A. E-discovery B. Data recovery C. Non-repudiation D. None of the above 11. How many ways are there to provide non-repudiation? A. Three B. Two C. Four D. Five 12. Which of the following allows to perform analysis of data for security alerts and realtime information? A. SOAR B. Acquisition C. Forensics D. SIEM 13. How many types of vulnerability assessment are there? 445 Chapter 04: Operation and Incident Response A. Two B. Four C. Three D. Five 14. Which of the following is a third-party editor tool that provides a raw representation of dump files? A. WinHex B. FTK Imager C. Autopsy D. Memdump 15. Which of the following attack framework apply security techniques to block future attacks? A. Cyber Kill Chain B. The Diamond Model of Intrusion C. MITRE ATT&CK D. None of the above 446 Chapter 05: Governance, Risk, and Compliance Chapter 05: Governance, Risk, and Compliance Introduction The Governance, Risk, and Compliance (GRC) is a combined collection of potentials that allows the organizations and companies to reliably achieve ethical management, minimizing the risk of failures and ensuring the organization is complying with state requirements. GRC Concepts Governance The governance is about how an organization has to be run in an efficient and responsible manner, and they report their policy to all stakeholders. Processes and goals of the organization have to be aligned. Compliance Compliance is an integral part of GRC, which demonstrably meets the applicable rules and regulations. Risk Identify all risks through risk management and register the related management measures and then report on these. Figure 5-01: GRC Concepts Why GRC? The importance of embedding GRC in an organization can have to do with whether the organization wants to:  Steer performance 447 Chapter 05: Governance, Risk, and Compliance    Improve the quality of products and services Prevent damage The controlled and structured environment Functions Supported by GRC The different functions supported by the GRC platform are summarized in table 5-01. Functions Description Vendor Management It includes the vendor selection on a risk basis with relationship management and compliance monitoring Policy Management Defines the workflow and policy lifecycle that can help to review, change, and archive policies to authoritative sources Risk & Compliance Management Defines the workflow, reporting, analysis, and remediation of risks that will help the organizations to understand and deal with risks Business Continuity Recovery Management Plan/Disaster Integrate the functionality of Business Continuity Plan and Disaster Recovery for an organization to perform a Business Impact Analysis to minimize the risk of failures and improve the value of business processes The incident, Threat, and Vulnerability These include the consolidate Management vulnerabilities and patch information from the security intelligence providers to better explore the vulnerability results Asset Management Handle the system, databases, applications, and infrastructure assets to key the business processes for better compliance, business continuity, and disaster recovery tasks Table 5-01: Functions Supported by GRC 448 Chapter 05: Governance, Risk, and Compliance Analyze Risks Associated with Cloud Infrastructure A cloud-based system should be managed and approached as other outsourced platforms, with the same types of concerns, risks, and audit/governance prerequisites as an external hosting environment. Eventually, all risks related to a Cloud infrastructure must be customized for their individual needs. Risks to consider include:      Policy and organization Risks Loss of governance Provider lock-in Compliance challenges Provider exit Risk Assessment/Analysis A major risk in a Cloud environment is the sanitization of data. In a traditional data center, physical media can be destroyed to guarantee data destruction, which is not possible in a Cloud environment, so concepts of overwriting and cryptographic erasure are highly used. Data protection is the security of system images within a Cloud environment. The images themselves are just files on a file system without any physical partition of servers, shared with the possibility of malware being injected into an image even when it is not running; their security becomes essential in a Cloud environment, where the Cloud provider bears sole duty for assurance. Cloud service providers have a generally huge innovation scale, which influences risk. This one result relies upon the circumstance. considerations include:    Larger scale platforms require more technical skills to manage Shifts control of technical risks toward the cloud service provider Consolidation of Cloud and IT infrastructure leads to the consolidation of points of failure. Cloud Attack Vectors In Cloud Computing, the following are the most common attacks used by an attacker to extract sensitive information such as credentials or gain unauthorized access. Cloud Computing Attacks include:         Service Hijacking using Social Engineering Attacks Session Hijacking using XSS Attack Domain Name System (DNS) Attack SQL Injection Attack Wrapping Attack Service Hijacking using Network Sniffing Session Hijacking using Session Riding Side Channel Attack or Cross-guest VM Breaches 449 Chapter 05: Governance, Risk, and Compliance   Cryptanalysis Dos / DDoS Attacks Service Hijacking using Social Engineering Attacks The attacker may try to guess the password using Social Engineering tactics. Unauthorized access to sensitive information is gained as a result of social engineering assaults, depending on the privilege level of the affected user. Service Hijacking using Network Sniffing Using Packet Sniffing tools by placing himself in the network, an attacker can capture sensitive information such as passwords, session ID, cookies, and other web servicerelated information such as UDDI, SOAP, and WSDL Session Hijacking using XSS Attack By launching Cross-Site Scripting (XSS), the attacker can steal cookies by injecting malicious code into the website. Session Hijacking using Session Riding Session hijacking is the goal of session riding. An attacker could take advantage of this flaw by trying cross-site request forgery. By tracking the user to click on a malicious link, the attacker exploits presently active sessions to execute requests such as data alteration, data erasure, online transactions, and password change. Domain Name System (DNS) Attacks DNS poisoning, cybersquatting, domain hijacking, and domain snipping are examples of DNS attacks. An attacker could try to fake by poisoning the DNS server or cache in order to gain internal user credentials. Theft of the Cloud service domain name is known as domain hijacking. Phishing scams can also lead to consumers being led to a bogus website. Side-Channel Attacks or Cross-Guest VM Breaches Side-Channel Attacks or Cross-Guest VM Breach is an attack that requires the deployment of a malicious virtual machine on the same host. For example, deploying a malicious VM co-resident of the target VM will result in resource sharing. An attacker can extract cryptographic keys. Similarly, the attacker can also exploit shared high-level cache memory to launch side-channel attacks. A malicious insider or an attacker can do the installation by impersonating a legitimate user. Similarly, other attackers are also vulnerable to Cloud Computing, such as SQL Injection attacks (injecting malicious SQL statements to extract information), Cryptanalysis Attacks (weak or obsolete encryption), Wrapping attacks (duplicating the body of a message), Denial-of-Service (DoS), and Distributed Denial-of-Service (DDoS) Attacks. 450 Chapter 05: Governance, Risk, and Compliance Virtualization Rısks Virtualization can expand the security of IT because it is easier to set up the correct network access controls between machines. A Layered-based approach in virtualization also raises some risks that are not found in the traditional server-based model. Compromising the hypervisor layer will also compromise the hosted virtual machines because the hypervisor is an authoritative layer over the hosts. As the hypervisor is hosting all the VMs on it, it is a single point of failure resulting in a denial of services. Any unauthorized access to the hypervisor can result in operational changes, access restrictions, service hijacking, and much more. Similarly, installation of obsolete or unpatched, or pre-configured virtual machines can also increase the risk in a virtual environment. Additionally, some virtual environments are over-allocated, resulting in an exhaust of resources. Another risk of server virtualization is called “Resource Abuse,” where one guest (or tenant) is over-using the physical resources, in this manner keeping alternate guests of the resources required to run their workloads. This is also called the “noisy neighbor” issue. The hypervisor may have the capacity to limit the over usage of a guest, but the administrator must consider restricting a large number of visitors on a single host. Few guests mean you are not saving money sufficiently.  Numerous guests mean you risk performance issues. With virtual servers, it becomes easy to clone, replicate, snapshot, and stop images. However, there are benefits of using virtual servers, with a probability of new risks. It can prompt enormous sprawl or proliferation of server images that need to be stored somewhere. This can become difficult to manage, and it represents a security risk. Counter-Measure Strategies Cloud computing faces the same difficulties as other networks and infrastructures that use the internet; there are numerous ways in which counter-measures can avert the risks and threats that are manageable against cloud security. There are various counter-measures that can be executed in the cloud infrastructure. These include:        Access Management Centralized Directory Role-based Access Control Privileged User and Access Management User Access Certifications Identity and Access Reporting Separation of Duties 451 Chapter 05: Governance, Risk, and Compliance Other counter-measures are conventional in order to prevent the use of attacks that include better techniques for transforming sensitive data over public cloud deployments. More significantly, cloud servers need improved data portability and protection from external threats. This includes creating an identity and access management guidance. Encryption should be increasingly unique and secure to protect files and other user data. Better encryptions permit better methods in storage, provisions for security, acquisitions of data, and information from service providers and vendors that support regulations, dimensions, and opportunities in the cloud. Cloud environments are of high availability in nature with redundancy, rapid elasticity, and auto-scaling. This architectural plan makes the maintenance, patching, and isolation of hosts in case of a conceivable security breach much easier because they can be removed from production pools. It also allows for scanning, updating, and making configuration changes without impacting the customer and users of a system or application, consequently reducing this risk to availability. Security Controls In order to protect a sound security policy and overall governance, the cloud security professional must concentrate on some different areas, as discussed in this section. Physical and Environmental Protection The word physical and environmental security refers to measures taken to ensure the safety and security of infrastructure against natural disasters, environmental effects, human attacks. While the access and technologies used with a cloud infrastructure offer a single set of services to customers, covered it is all is a classic data center model. While in most cases on a much larger scale. Because a cloud is a system that is accessible over broad networking, such as the public Internet, physical protection should also extend to those systems that are used to access the cloud. The physical assets in the concrete data center include servers, physical racks, power distribution units, cooling units, as well as real physical facilities and the auxiliary systems located on the premises, for example, power conduits, battery backups, fuel tanks, generators. Outside the Datacenter property, there are still further physical devices and infrastructure that are essential to the cloud security professional. These include the power and network conduits that the data center depends on, as well as the endpoints of access for the users and customers, for example, workstation, laptops, and mobile devices. Examples of relevant controls based upon one or more regulations:  Procedures and policies recognized for maintaining safe and secure working environments; including, offices, facilities, rooms, and secure areas 452 Chapter 05: Governance, Risk, and Compliance   Restricted physical access of users and support personnel to information assets and functions Physical security perimeters such as fences, guards, barriers, walls, and so on Protecting Datacenter Facilities Datacenters are essential to have a redundant, multi-layered way to deal with user access control. Controls are requisite to be at the facilities level, the computer floor level, and at the data center/facility staff level to guard against risk. System and Communication Protection Cloud computer run on physical systems that use services need protection. A number of these services are:        Hypervisor Volume Management Storage Controller IP Address Management Identity Service VM Image Service Management Databases Other factors to consider for system and communication security include:    Detecting and logging of security events Responsibilities of protecting the Cloud: Cloud provider is responsible for underlying software and hardware regardless of the cloud service model. Including knowing where the responsibility among cloud service providers and cloud customers Automation of configuration Category of Security Control The security controls are categorized at different levels:    Technical Management Operational Technical – This category covers the access control that can authenticate onto different resources present on the network. Additionally, it defines audit, accountability, system, and communication protection. Management – It includes managing different aspects of risk like security assessment, how you provide authorization to different resources that exist in the network, planning, risk management, service, system acquisition, program management, etc. 453 Chapter 05: Governance, Risk, and Compliance Operational – This category is more important in terms of hardware and software mechanisms that can be used to manage and protect the information and information systems. It also defines how do you handle the changes that occur in configuration management, how you can protect the resources physically, etc. In short, these controls are designed, configured, implemented monitored at the technology level. Types of Security Control Deterrent Control A Deterrent Control serves to inhibit the attacker by reducing the possibility of success from the viewpoint of the attacker. Preventive Control Preventive Control refers to the prevention of specific action from occurring. For example, Firewall Detective Control Detective Control helps to detect a physical security breach. It alerts the operator to specific conditions and acts during an event. Corrective Control Corrective Control is an attempt to reduce the amount of damage and is used after an event. For example, ‘Backup’ helps the rapid restoration of operation. Compensating Control To directly address the threat when there is no control available, one thing needed to meet the requirement is ‘Compensating Control.’ For example, the ‘Fire suppression System’ that do not stop fire damage but can limit fire damage. Technical Control When some form of technology is used to address the physical security issue, it is referred to as a ‘Technical Control.’ For example, Biometrics. Administrative Control Limiting the security risks through policies and procedures is known as ‘Administrative Control.’ For example: Giving instructions to a security guard. Physical Control Physical Control refers to restricting specific physical activity from occurring. For example, Mantrap prevents tailgating. It basically restricts the accidental operating and specific human interaction with a system. 454 Chapter 05: Governance, Risk, and Compliance Mind Map Figure 5-02: Mind Map Importance of Applicable Regulations, Standards, or Frameworks that Impact Organizational Security Posture. The regulatory frameworks are the set of policies defined by the platform to meet the regulatory requirements. These rules should be followed by organizations, businesses, and companies to strengthen security, improve processes and capabilities. EXAM TIP: The Language Understanding (LUIS) can work with text as well as with audio for a single file cohesive result. Regulations, Standards, and Legislation 455 Chapter 05: Governance, Risk, and Compliance The regulations defined in the security system refer to the directives with information that should be followed by the organizations and companies to protect their information from cyberattacks like Denial of Service (DoS), unauthorized access, etc. The standards are the things with guidelines and requirements for the product, services, and system. The legislation is the set of rules defined by the cybersecurity administrative to do any task. All systems are mandatory to follow them. Some of the common cybersecurity regulations include: General Data Protection Regulation (GDPR) The General Data Protection Regulation (GDPR) is the biggest European Union legislation giving ordinary people and precedented control over how your data is collected, used, and forced companies to justify everything they do with it. It has a huge effect on businesses outside the EU, including the US. As everything moves their future towards the digital domain, the massive collection of sensitive data requires strict and protected regulations from holding them. Any type of data that can identify you with your name, contact details, username, IP address, and location is required by the GDPR. The organizations will have to prove that they have a lawful reason for holding the particular kind of data Why is it needed? Before smartphones, a massive amount of sensitive information was collected from the sources like Google and Facebook. GDPR gives organizations guidelines on what they can and cannot do with personal data. It also makes them gives users more clarity over the kind of data being used and how companies will use it. National, Territory, State Laws Information security breaches in the past two decades necessitated the creation of new legal and regulatory frameworks and changes to current legal and regulatory frameworks to include security related to compliance needs across several countries. Due to the worldwide nature of internet services, cross-border information interchange, and electronic commerce services, the need to comply with regulatory and legislative frameworks has expanded dynamically. The following are some key legal and legislative phrases in the field of information security. Legislative and Regulatory Compliance The legal system that relies on common law is known as a common law legal system, and it is based on court rulings. Common law is followed in countries such as the United Kingdom, the United States, Canada, Australia, South Africa, India, Malaysia, Singapore, and Hong Kong. 456 Chapter 05: Governance, Risk, and Compliance In general, the common law establishes three categories: 1. Regulatory law: Administrative law is another name for it. It is concerned with the rules and regulations of the government's administrative agencies. The legislative statute, also known as statutory law, is a legal system established by the legislative part of the government. 2. Criminal law: It is concerned with the breaking of government laws. A legal system founded on religious beliefs is known as religious law—for example, Islam, Hindu, and Christian laws. 3. Civil law: It deals with litigation brought by private individuals. Civil laws, in contrast to common law, are a legal system based on codified law. Civil laws are followed in countries such as France, Germany, and others. Privacy Requirements in Compliance Privacy is the protection of Personally Identifiable Information (PII) or Sensitive Personal Information (SPI) that can be used to identify a person in context with a group or individual. National Institute of Standards and Technology (NIST) The National Institute of Standards and Technology (NIST) is releasing guidance to protect the privacy of Personally Identifiable Information (PII). Personally Identifiable Information (PII) is defined as follows by NIST special publication 800-122: 1. Any information that can be used to find out the individual’s identity, such as his name, social security number, date, and birthplace, or biometric records. 2. Any information which belongs to an individual, such as medical, educational, financial, and employment information. Privacy Laws Privacy laws deal with protecting and preserving the rights of an individual’s privacy. Privacy laws in the U.S include the following:    Health Insurance Portability and Accountability Act (HIPAA) Financial Services Modernization Act (GLB), 15 U.S. Code: 6801-6810 Final Rule on Privacy of Consumer Financial Information, 16 Code of Federal Regulations, Part 313 In the UK, they include the following:   Data Protection Act 1998 (United Kingdom) Data Protection Directive (European Union) 457 Chapter 05: Governance, Risk, and Compliance Legal & Regulatory Issues Legal and regulatory issues will be bundled together with information compromise that could result in civil or criminal liability for a company. The issues listed below may have legal or regulatory ramifications. Cyber Crime - Cybercrime refers to criminal activities carried out across communication networks such as the Internet, telephone, radio, satellite, and mobile networks. Cyber Terrorism – It is a sort of cybercrime that targets computers and computer networks, and it is usually premeditated. The main goal of these attacks could be to injure people on the basis of social, ideological, religious, political, or other factors. Cyber Stalking Cyber stalking is a sort of cybercrime in which the offender uses the Internet and other electronic tools to harass or frighten the victim. Information Warfare - Information warfare is a sort of cybercrime that aims to disrupt adversaries, such as organizations and institutions, in order to obtain a competitive advantage. False propaganda, for example, or web page defacement, to name a few examples. Denial-Of-Service (DoS) Attack or Distributed Denial-Of-Service (DDoS) - DoS / DDoS attacks are cybercrimes where websites of any user's computer systems are made inaccessible using multiple services request to overload the web and application servers. Payment Card Industry Data Security Standards (PCI DSS) To determine security controls, a variety of standards are available. PCI-DSS (Payment Card Industry Data Security Standard) is an industry-specific security standard. Other standards include OCTAVE®, ISO 17799/27002, and COBIT, which are more widely used. The Payment Card Industry Data Security Standard (PCI-DSS) is a multi-layered security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This widely adopted standard aims to assist enterprises in protecting customer account data in a proactive manner. The Payment Card Industry Security Standards Council produced the PCI-DSS security standard (PCI-SSC). American Express, Discover, Master Card, Visa, and other credit card companies are represented on the council. PCI-DSS aims to protect credit cards by forcing merchants who use them to follow certain security precautions. The core principles of PCI-DSS are: 458 Chapter 05: Governance, Risk, and Compliance       Build and Maintain a Secure Network and System Protect Cardholder Data Maintain a Vulnerability Management Program Implement Strong Access Control Measures Regularly Monitor and Test Networks Maintain an Information Security Policy Center for Internet Security (CIS) The Center for Internet Security (CIS) is a major security control that guides the global community in securing the internet. It is a non-profit organization that harnesses the worldwide IT community's capacity to protect private and public enterprises from cyber threats. Global standards and accepted best practices for safeguarding IT systems and data from the most ubiquitous assaults are accessible controls and benchmarks. The volunteer, a global community of IT experts, keeps these tried-and-true principles up to date. NIST Risk Management Framework Managing and controlling the risk is one of the major goals of businesses, particularly in the information security program. Risk management gives the vehicle for maintaining the balance between resources, compliance, and security. Organizations should be able to protect their information assets by establishing and creating an efficient risk management program, considering the organization’s environment, threats, resources, and sensitivity of its data. The NIST Risk Management Framework (RMF) process is defined in NIST 800-37 r2 (Risk Management Framework for Information Systems and Organizations). It provides a comprehensive, flexible, repeatable, and measurable 7-step process that any organization can use to manage information security and privacy risk for organizations and systems, as well as links to a suite of NIST standards and guidelines to aid in the implementation of risk management programs to meet the Federal Information Security Modernization Act's (FISMA) requirements 459 Chapter 05: Governance, Risk, and Compliance Figure 5-03: The 7-Step Process of NIST RMF The main purpose of each step required in the Risk Management Framework is summarized in table 5-02. Step # Step name Purpose 1. Prepare It holds all the essential activities to help prepare all the levels that an organization required to measure its security and privacy risk 2. Category The steps find all the disastrous effects in terms of loss of confidentiality, integrity, availability of the system, information processes, etc. It is also responsible for informing the organizational risk management processes and tasking about these effects 3. Select It selects, documents, and pile up all the necessary controls to safeguard the corresponding risk faced by the system and organization 4. Implement This step implements all the necessary controls for security and privacy 5. Assess This step is responsible for ensuring that all the controls are implemented correctly, operating as planned and create the desired results required to 460 Chapter 05: Governance, Risk, and Compliance meet the security and privacy requirements for the system and the organization 6. Authorize It provides the responsibility features if the security and privacy risk based on the operation of a system is allowed 7. Monitor It maintains the current situational information regarding the security and privacy posture of the system and organization to accept the risk management based findings Table 5-02: Purpose of Steps in RMF EXAM TIP: The Risk Management Framework process can also be useful to the new provisioning systems and technologies (e.g., IoT, control systems), etc. NIST Cybersecurity Framework Today, data is the most valuable asset, which is the reason why security has become the highest priority-based agenda. The data breaches and security failures introduce risk and require national and economic security. Therefore, the US issued an executive to develop a Cybersecurity Framework to help reduce the cyber risk Also, the NIST Cybersecurity Framework combines the industry standards with best practices to help the systems and organizations manage and monitor their cybersecurity risk (threats, vulnerabilities, and impacts). The designed framework also helps to reduce the risks by utilizing the customized measures. The usage of the Cybersecurity Framework is shown in Figure 5-02. According to the information technology research company, the Cybersecurity Framework is used by 30% of the US organization because of its response and recovery feature against cybersecurity incidents. 461 Chapter 05: Governance, Risk, and Compliance Percentage of US Organzations Cybersecuirty Framework Usage 2012 2015 2020 50 30 2 Years Figure 5-04: Cybersecurity Framework Usage Note: The NIST Cybersecurity Framework, which was launched in early 2014, was created by the private sector and the US government. In the “Cybersecurity Enhancement Act of 2014,” Congress confirmed this initiative as a NIST obligation. According to the US Chamber of Commerce, “The NIST Framework has proved that the designed framework has incorporated into cybersecurity recommendations including auto manufacturers, the chemical industry, communication, transportation, and corporate directors.” Why Cybersecurity Framework (CSF)? The Cybersecurity Framework will help organizations and systems better understand, manage, and reduce their cybersecurity risks. It will assist in determining which activities are most important to assure critical operations and service delivery in turn that will help in prioritizing investments and maximize the impact of each spend money on cybersecurity. It shifts from compliance to action and specifies outcomes by providing a common language to address cybersecurity risk management. It is especially helpful in communicating inside, outside the organization that includes improving communication awareness and among IT planning and operating units as well as senior executives of organizations. 462 Chapter 05: Governance, Risk, and Compliance The Cybersecurity Framework allows you to assess where you are now and where you need to go. It may be adopted in stages or to varying degrees, making it more appealing to businesses. Built-in maturity models in the framework eliminate the need for extra maturity models on top of the Cybersecurity Framework. CSF Components The NIST Cybersecurity Framework consists of three main components, namely:    Core implementation tiers Framework profiles Framework core CSF Components Core implementation tiers Framework profiles Framework core Figure 5-05: CSF Components Core implementation tiers – It explains how an organization manages cybersecurity risk and the extent to which risk management methods display important features. Framework profiles – The profiles are an organization's unique arrangements of organizational requirements and goals, as well as an asset against the framework core's covered outcomes. Framework core – Assists organizations in monitoring and reducing their Cybersecurity risks in a way that complements their existing Cybersecurity and risk management processes. International Standard Organization (ISO) The International Organization for Standardization (ISO) is a global standard-setting organization made up of representatives from various national standards bodies. The organization, which was founded on the 23rd of February 1947, develops and publishes international technical, industrial, and commercial standards. 463 Chapter 05: Governance, Risk, and Compliance ISO 27001 As the risk associated with cyberattacks and data breaches continues to increase, information security has become a critical issue for every business. An effective approach should help defend against both external attacks and common internal threats such as incidents breaches and human error. The international standard ISO 27001 specifies the requirements for an Information Security Management System (ISMS). Through risk management, this systematic approach of people procedures and technology assists you in protecting and managing all of your organization's information. ISO 27002 The information technology security technique ISO 27002 relates to. It outlines organizational information security standards and an information security management code of practice for information security controls, including control selection, implementation, and management while taking into account the organization's information security risk environment (s). It is intended for usage by companies that want to:    Select controls within the process of implementing an Information Security Management System based on ISO 27001 Implement commonly accepted information security controls Develop their own information security management guidelines ISO 27701 The International Organization for Standardization (ISO) and International ElectroTechnical Commission (IEC) are organizations that globally develop and maintain their standards. The ISO/IEC 2700 1:20 13 standard ensures that an information security management system is implemented, maintained, and improved. This standard is a revised edition (second) of ISO/ISE 27001:2005, which was first published in 2005. The following major aspects of information security are covered by ISO/IEC 27001:2013:      Implementing and maintaining security requirements Information security management processes Assurance of cost-effective risk management Status of information security management activities Compliance with laws ISO 31000 Organizational risk can have ramifications in terms of financial performance, professional reputation, and environmental safety. As a result, efficiently managing risk aids firms in operating smoothly in an uncertain environment. 464 Chapter 05: Governance, Risk, and Compliance The ISO 31000 standard lays forth general concepts and standards for businesses to follow when dealing with risks. Any organization, regardless of size, activity, or sector, can use it. It can also assist organizations in increasing the possibility of meeting goals, improving the identification of opportunities and threats, and effectively allocating and using resources for risk management. SSAE SOC The teams that analyze the security procedures should be aware of the output and reporting capabilities for the data. Any information that is of important consideration must be reported to the management teams immediately so that they are alert of possible risks or harm. Depending on their roles and responsibilities, the information sent to management teams may move via several levels. The kind of reports that must be used depends on the type of auditing that is being done. A Service Organization Control (SOC) report is required by the American Statement on Standards for Attestation Engagements (SSAE) 16 audit, for example. There are two types of SOC1 reports: SOC 1 Type 1 The findings of an audit, as well as the completeness and correctness of the documented controls, systems, and facilities, are outlined in this report. Type 1 reports are concerned with the systems of a service organization. It also includes reporting on the control's adequacy for achieving the goal. SOC 1 Type 2 The Type 1 report is included, as well as information on the effectiveness of the procedures and controls in place for the near future. Type 2 reports are focused on the systems of service organizations and include a report on whether the control is running properly to fulfill its goal. SOC 2 A SOC 2 audit examines a service organization's non-financial reporting controls in relation to the Trust Services Criteria, which include the system's security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type 1 The type 1 audit reports are placed in operation at a specified point in time. SOC 2 Type 2 This type autotests the effectiveness of the controls over a period of time. 465 Chapter 05: Governance, Risk, and Compliance SOC 3 This report includes general audit results as well as a certification level for datacenters. These reports are for users or clients who require control security, process integrity and confidentiality, and availability assurance. SOC3 reports can be freely exchanged and publicized. Cloud Security Alliance The Cloud Security Alliance is a non-profit organization whose mission is to encourage the implementation of best practices for providing security assurance in Cloud Computing and educating people about how Cloud Computing may assist protect other types of computing. The Cloud Security Alliance (CSA) was founded in 2008, and its first product was "Security Guidance for Critical Areas of Focus in Cloud Computing." In 2009, CSA became a corporation in Nevada and received US Federal 501(c)(6) non-profit status. Membership The Cloud Security Alliance has a network of chapters worldwide that are separate legal entities from the CSA but operate within guidelines set by the CSA. Note: Individuals who are interested in cloud computing and have the experience to assist in making it more secure receive a complimentary individual membership based on a minimum level of participation. CSA Cloud Controls Matrix (CCM)       Provides a fundamental security principle to guide Cloud vendors and to assist prospective cloud customers in assessing the entire security risk of a cloud provider. The CSA CCM is aligned to the Cloud Security Alliance guidance in 13 domains. Customized relationship to important industry security standards, guidelines, and controls frameworks such as the ISACA COBIT, ISO 27001/27002, PCI, NIST, Jericho Forum, and NERC CIP CCM provides organizations with the needed structure, in detail and clarity, and related information security tailored into the Cloud industry. It provides operational risk management and standardized security and seeks to normalize security expectations, cloud taxonomy, and terminology. It has the following versions: o Cloud Control Matrix v3.0.1 o Cloud Control Matrix v3 o Cloud Control Matrix v1.4 o Cloud Control Matrix v1.3 o Cloud Control Matrix v1.2 466 Chapter 05: Governance, Risk, and Compliance o Cloud Control Matrix v1.1 o Cloud Control Matrix v1.0 CSA Reference Architecture The Enterprise design is a technique and a collection of tools that alter security, enterprise architects, and risk management professionals to leverage a standard set of solutions that fulfill their common must be ready to assess wherever their internal IT and cloud suppliers are in terms of security capabilities and to arrange a roadmap to fulfill the protection wants of their business. BUSINESS OPERATION SUPPORT SERVICES (BOSS) INFORMATION TECHNOLOGY OPERATION & SUPPORT (ITOS) PRESENTATION SERVICES APPLICATION SERVICES SECURITY & RISK MANAGEMENT INFORMATION SERVICES INFRASTRUCTURE SERVICES (SABSA) (ITIL) (TOGAF) (Jericho) Table 5-03: CSA Reference Architecture Benchmarks/Secure Configuration Guides When the operating systems, database servers, web servers, or other technologies are installed, they are far away from the secure configuration. Systems with a default configuration are not secure. Some guidelines are needed to keep everything safe and secure. Platform-Specific Guide The platform-specific guide is the finest guide that comes from the manufacturer. This guide includes all the essential principles regarding installation, configuration, and sometimes operations as well. 1. Web Server Web servers provide a link between clients and web pages. They are susceptible to attacks as they are open to the internet. Therefore, the proper setting of external-facing applications is the key to avoid unnecessary risk. For web servers, several reliable and prescriptive sources of instruction are available to support administrators to properly protect and secure the application. Web Server Concepts 467 Chapter 05: Governance, Risk, and Compliance A Web Server is a program that hosts websites based on both hardware and software. It delivers files and other content on a website over Hypertext Transfer Protocol (HTTP). As the use of the internet and intranet has increased, web services have become a major part of the internet. They are used for delivering files, email communication, and other purposes. Web servers support different types of application extensions, whereas all of them support HTML for basic content delivery. Web servers can be differentiated by security model, operating system, and other factors. Open Source Web Server Architecture Open source web server architecture is a web server model in which an open-source web server is hosted on either a web server or a third-party host over the internet. The most popular and widely used open-source web server are:      Apache HTTP Server NGINX Apache Tomcat Lighttpd Node Figure 5-06: Open Source Web Server Architecture IIS Web Server Architecture 468 Chapter 05: Governance, Risk, and Compliance The Internet Information Services (IIS) service is a Windows-based request processing architecture. IIS 7.x is the most recent version. Windows Process Activation Services (WAS), Web Server Engine, and Integrated Request Processing Pipelines are all part of the design. IIS contains multiple components that are responsible for several functions such as listening to the request, managing processes, reading configuration files, etc. Components of IIS Components of IIS include:     Protocol Listener: Protocol listeners are responsible for receiving protocolspecific requests. They forward these requests to IIS for processing and then return responses to requestors. HTTP.sys: The HTTP protocol stack is a kernel-mode device driver that implements the HTTP listener (HTTP.sys). HTTP.sys is in charge of listening for HTTP requests, sending them to IIS for processing, and then providing the results to client browsers. World Wide Web Publishing Service (WWW Service) Windows Process Activation Service (WAS) In the previous version of IIS, World Wide Web Publishing Service (WWW Service) handles the functionality, whereas in version 7 and later, WWW Service and WAS service are used. These services run svchost.exe on the local system and share the same binaries. Figure 5-07: IIS Web Server Architecture 2. Operating System 469 Chapter 05: Governance, Risk, and Compliance The operating system serves as the interface between the physical hardware and the application. Configuration guide from all the significant operating system manufacturers is available on the CIS platform. 3. Application Server The application server resides between the back-end database and the webserver. It is sometimes called Middleware. A proper configuration guide for application servers is available at CIS and STIGs. 4. Network Infrastructure Device Network infrastructure devices include routers, switches, firewalls, concentrators, and any other devices that are required for the network to function effectively. Configuring these devices correctly is difficult but vital because any failure can compromise the security of the data being handled. General Purpose Guide CIS control is a first-rate general-purpose guide that comprises 20 common security control sets. The framework maintained by the Center for Internet Security can be found on this link: https://www.cisecurity.org/controls/ 470 Chapter 05: Governance, Risk, and Compliance Mind Map Figure 5-08: Mind Map Importance of Policies to Organizational Security Policies Policies can be documented and articulate in a formal manner the desired or required systems and operations standards for any IT system or organization. They are crucial for implementing an effective data security strategy. Typically, they act as the connectors that hold many parts of the data security together across both technical and non-technical elements. The failure to implement and utilizes policies in cloud-based computing or non-cloud-based computing would likely become in different parts or isolation of activities, efficiently operating as standalone and leading to multiple duplication and limited standardization. The policies designed for organizational security consist of several rules and procedures that can be imposed by operations of an organization to protect and manage critical and sensitive data. 471 Chapter 05: Governance, Risk, and Compliance Personnel Security Personnel security policies apply to those who work for the company, including employees, contractors, consultants, and users. The following policies are included in these policies:     Screening processes to validate security requirements Understanding their security responsibilities Understanding their suitability to security roles Reducing the risk of theft, fraud, or the misuse of facilities General Concepts Acceptable Use Policies (AUPs) The Acceptable Use Policies (AUPs) are those policies that describe the right usage of the organization’s resources (like computers, the Internet, and Network). These policies are described by the organization, as they should be concerned about any personal use of these resources that do not serve the organization. Job Rotation Job rotation, also known as a rotation of duties or responsibilities, aids an organization in reducing the risk of a single employee having too many rights. Rotation of responsibilities simply means that no one individual performs important functions or obligations for a long period of time. An accountant, for example, might move from payroll to accounts payable, then accounts receivable. The major purpose of job rotation is to reduce the amount of time that one individual spends on one task. This reduces the possibility of mistakes or malevolent actions going undiscovered. Job rotation can also be used to cross-train team members to reduce the impact of an unplanned absence. Mandatory Vacations Mandatory vacations are a part of employee ship and a requirement in some organizations. On mandatory vacations, the employees are required to take a vacation for a certain period of time during the year. In some organizations, employees are forced to take mandatory vacations, and in case if they do not want to, the organization becomes cautious of the possibility of them being involved in any illegal activity or fraud. Therefore, mandatory vacations, in some way, helps the organization to discover illegal activities of employees. Thus, the policy may prove to be a security protection mechanism at times. 472 Chapter 05: Governance, Risk, and Compliance Separation of Duties Implementing the separation of duties principle ensures that no one person can complete all required tasks for a business process or function. Separation of duties is also a part of the business policy. Separation of duties is divided into two types, i.e., Split Knowledge and Dual Control. Split knowledge refers to the separation of duties in which no single person has all the information needed to perform a specific task. Rather, it is split into two arsons. It means that each person has half of a safe combination. Another type is Dual Control that requires both persons to be present at the same time for performing a specific task. Both persons have their secret keys. (they do not have to disclose their secret keys with each other). Secure access will require both keys at a time. Least Privilege The least privilege is considered a significant principle in the management of the account. The principle allows the user to have only the rights and permission that are necessary for them to perform their task or accomplish their objective, and no extra rights are given to the user. By limiting the access rights of objects (user, process, or application), the administrator can also limit the cause of harm and malware. Clean Desk As one of the very effective business security policies, the Clean Desk policy enforces that when an employee leaves their desk, it should be when the person leaves the desk, it should be clean and clear, i.e., PC should be shut down properly, and no paperwork should be left on the desk. In short, employees should clean their desks before leaving the office, so no one can see any of their information. It is an efficient security policy for the one who deals with sensitive data. Background Checks A background check is also called pre-employment screening. A background check is performed by the organization to check if the person they are hiring is trustworthy and verify if their provided information is authentic or not. This basically provides all the necessary information to the HR members so that they can make the right decision. Exit Interview In terms of security, an exit interview can be a powerful tool for gathering information when an employee leaves the organization. This also includes termination of all the accounts and collection of mobile devices supplied to the employee at the time of hiring. Non-Disclosure Agreement (NDA) The purpose of the Non-Disclosure Agreement (NDA) is to protect confidential information that is disclosed, shared, received, or exchanged with customers, suppliers, 473 Chapter 05: Governance, Risk, and Compliance and other parties. Therefore, an NDA should be used when individuals or companies enter:    Consulting Engagements Service Agreements Strategic Alliance A person can either construct a free-standing confidentiality agreement, depending on the circumstances. An NDA binds a recipient to keep secret information from being revealed to a third party or the general public. The following are examples of confidential information:        Business and marketing plans, strategies, and programs Financial budgets, projections, and results Employee or contractor list and records Business methods, operating, and production procedures Technical, engineering, scientific research, development, methodology, devices, and processes Trade secrets and unpublished patent applications Software development tools and documentation Social Media Analysis Social media analytics is the process of tracking, collecting, and analyzing data from social networks and media channels. With the right tools, you can easily analyze and track the social performance of the products and companies, On-Boarding On-Boarding refers to the hiring of new personnel in the organization. For account management, the administrator needs to have an agreement and AUC (Acceptable Use Policy) to be signed by the onboarding member. After the agreement signing step, the administrator creates an account of the new member and puts him in an appropriate access control group according to their requirement. Off-Boarding Prior to on-boarding, off-boarding refers to the removal of personnel from the organization or group, or team. When the member is off-boarded, some proper steps should be followed by the administrator; that is, the off-boarding personnel’s account should be disabled (not deleted), and they should be removed from the access group. Perform Routine Audits Routine Auditing allows the administrator to check or to assure that the account policies are being followed by everyone. It means that the administrator will check the validation of all the accounts of the users and ensure if all members are in their 474 Chapter 05: Governance, Risk, and Compliance respective groups. Routine auditing is necessary because of the timely On-Boarding and Off-Boarding of the members. Some audits are automatic that automatically generate a list of alerts. Auditing Auditing can be categorized into two main types; one is Permission Auditing, and the second is Usage Auditing.   Permission Auditing-Type of auditing to ensure that every user has legit permission or only the permission they need. It also assures that all the users are in a proper group. Usage Auditing-Type of auditing to assure that all the resources are being used correctly and to review how and where the files are being stored and if the system is secure. User Training Users are fundamental elements in the security defense of an organization. Users also serve as a significant reason behind vulnerabilities. Therefore, it is necessary to have a strong security defense that can be achieved by enforcing user training programs for guiding the users to recognize between safe and unsafe computing behavior. Gamification Gamification is the use of game mechanics and game thinking to have interactions with users in finding issues and inspiring them by introducing parts of competition and reward. Capture the Flag A cybersecurity capture the flag may be a team-based competition during which participants use cybersecurity tools and techniques to search out hidden clues or “flags.” The team that locates the foremost flags throughout the event wins. These events are usually beginner-level and open to the public. Phishing Campaigns A phishing campaign is an associate email scam designed to steal personal info from victims. Cybercriminals use phishing, the fallacious plan to acquire sensitive information comparable to master card details and login credentials, by disguising as a trustworthy organization or prestigious person in email communication. Phishing The Phishing process is a technique in which a fake email that looks like an authentic email is sent to a target host. When the recipient opens the link, he is enticed to provide information. Typically, readers are redirected to fake web pages that resemble an official 475 Chapter 05: Governance, Risk, and Compliance website. Because of the resemblance, the user provides sensitive information to a fake website believing that it is an official website. Spear Phishing Spear Phishing is a type of phishing that focuses on a target. This is a targeted phishing attack on an individual. Spear phishing generates a higher response rate compared to a random phishing attack. SMS Phishing SMS phishing, also called Smishing, is the act of sending a short message to try to gain sensitive information or installing malware like Trojan without the user’s knowledge. The malware captures and transmits all the stored data such as credit card numbers, bank account details, and other data like username, password, and email account. SMS phishing occurs when a cell phone receives an SMS from a fake person or entity. Thus, a user can easily ignore an SMS phishing attack. Voice Phishing The words phishing and voice create an attack known as Vishing. Instead of using traditional attacks, fishers use an internet telephone service (VoIP) where, even if you do not answer the phone call, the attacker can leave a voice message provoking a response. A phone call can be from someone pretending to be from a charitable organization, debt collection department, or healthcare department, or it can be a call telling you that you have won a prize and demand money to collect it. The attacker's aim is to collect sensitive information such as bank details, so they can access your account or steal your identity. Whaling Whaling is a targeted attack at the senior management of a company, such as the CFO, CEO, or other executives who have full access to sensitive data. Attackers use formal emails and websites to make the communication appear as legitimate as possible.  Phishing Simulation – Phishing simulations guarantee your workers will find and avoid phishing or social engineering threats. These styles of interactive phishing tests can be a region of any security awareness training initiative and permit your organization to check user information with a real-world scenario. Phishing simulations add a robust dimension to awareness campaigns and facilitate the method of coaching your legion of cyber experts Computer-Based Training Computer-based training is an automated pre-built training that will be doing in the time that you schedule into your computer. This training generally includes video, 476 Chapter 05: Governance, Risk, and Compliance audio, Q&A, and some games. Instead of using the proper training room, it gives the same training environment as other platforms provide. Role-Based Training Role-based Access Control (RBAC) governs how information on a system is accessed based on the subject's role. Role-based or task-based access restrictions describe a subject's capacity to access an object in terms of his or her role or assigned tasks. Groups are frequently used to achieve (role-BAC). Users do not have discretion over which groups of objects they are authorized to access, and they are unable to move objects to other subjects, making RBAC a sort of non-discretionary access control. RBAC is widely used in businesses and is considered an industry-standard practice. A bank, for example, may employ loan officers, tellers, and managers. As illustrated in Figure 5-09, administrators can create a group called Loan Officers, add the user accounts of each loan officer to it, and then provide suitable privileges to the group. If the company recruits a new loan officer, administrators simply add the new loan officer's account to the Loan Officers group, and the new employee is given the same permissions as the existing loan officers in the group. Tellers and managers would be subjected to comparable procedures by administrators. Figure 5-09: Role-Based Access Control 477 Chapter 05: Governance, Risk, and Compliance Role-based Awareness Training Data Owner One of the roles for which the training is offered is “Data Owner.” This designated post is of executive level and has the responsibilities of administrating data and application. System Administrator The system administrator is the one who administrates the operation of the system., The responsibilities of a system administrator include modifying product access privileges for other members, changing the operational roles of members, and inviting/removing members to/from an organization. An organization can have more than one administrator. System Owner A system owner is the one who purchases the subscription. A system owner has all the privileges, including buying, upgrading, downgrading, and canceling subscriptions. Also, modifying product access privileges and removing/inviting members from/to an organization comes under his authority. User The users are those who have the least privilege access to the applications. As the name implies, the users are the application users. Users can be categorized into two types which are as follows:  Privileged User A user who has a higher level of rights and permission is known as a “Privilege User.” This may be an area manager or the one who creates a report. Someone has permission to do a wider range of tasks. A database administrator is also an example of a privileged user who needs database function access but not to all servers or operating system options.  Executive User A user who is holding the responsibility of overall application use and operation. He is responsible for making a decision related to the usage of data or applications. NDA NDA stands for Non-Disclosure Agreement that is a standard document of a corporation that sets the boundaries of information and secret material of the company. This agreement is responsible for controlling the disclosure of any secret or confidential information to an unauthorized person or party. 478 Chapter 05: Governance, Risk, and Compliance On-boarding An important element when on-boarding a workforce is to assure that the workforce must understand and be aware of its responsibilities related to securing information and assets of the company. Continuing Education Advancement in technology and security is a continuous process. Therefore, proper training and education are required for retaining skilled personnel in security. To modify the skill set of the security personnel, the “Continuing Education” programs help a lot. Adverse Actions When employees break the rules or policies, they face disciplinary action. The following are the two sorts of adverse actions:  Zero Tolerance When staff breach the rules or do not follow the regulations correctly, they will be treated with zero tolerance. One of the benefits of this move is that the company maintains a code of conduct, which leads to improved performance. There is also a downside to this action, that is, the organization may lose an outstanding long-term employee due to a single mistake under strict rules.  Discretionary Action Adverse issues are examined by adopting the rule that is “violation will be punished through a variety of HR actions including termination.” This is more challenging for the management of the organization to figure out the correct adverse action. This action offers flexibility to the valuable workforce member who made uncharacteristic mistakes. General Security Policies Social Media Network/Application In today’s world, where everyone is connected to each other socially, the organization needs social media policies for security purposes that establish a balance between the company’s requirements and social media. These policies represent the company’s requirements and expectations (company’s code of conduct). It is part of social media policy that the confidential information of the company should not be shared on social media, and it is the personal responsibility of each employee to put only the information on social media that the company approves. Personal Email The policies that are used for a business email account by the company are known as Personal Email Policies. Some companies allow their corporate email account for both 479 Chapter 05: Governance, Risk, and Compliance personal and business use. Typically, business email addresses are for official use only. All the policies related to the use of a business email account must be documented properly. Diversity of Training Techniques IT security strategies for any organization that involves multiple security technologies and devices are commonly referred to as Defense in depth. Defense in depth is an assortment of multiple devices and security technologies in order to strengthen security. Vendor Diversity When you have multiple suppliers, it creates vendor diversity and reduces the risk from a particular supplier. Relying on a single vendor increases the risk factor. For example, if you have two firewalls from two different vendors, it reduces risk and adds diversity because you can turn to the other firewall in case something happens to one firewall or if the firewall contains flaws. Control Diversity Control diversity is also significant since it provides tiered security, which aids in the production of the desired outcome. Administrative Control Administrative control is by all means necessary. Administrative control includes all the policies and procedures that are required to be followed by everyone in order to maintain security. Technical Control Technical control is also essential to ensure that the hardware and software we use are hardened or not. Active Directory authentication, firewall, and disk encryption are all parts of technical control. Third-Party Risk Management The risk management framework used by third parties is identical to the risk management framework used by a business internally. A third-party contract ensures cost-effective and impartial outcomes. Both the organization and the third party must be prepared and understand their roles, responsibilities, and restrictions well. Both sides can assure effective productivity if they work together. Confidential information should only be shared with identified personnel by third parties. Key Challenges in Third-Party Risk Management   Increases the complexity of third-party network & it is management Risk of failure to manage regulatory compliances 480 Chapter 05: Governance, Risk, and Compliance    Additional Cost for monitoring third-parties Lack of collaboration among parties Risk of information/data leakage Minimum security requirements Before acquiring services, having any agreement, or starting any process with the third party, the organization must have to evaluate the agreed criteria, capabilities, roles, responsibilities, limitations, and risks of the third parties.    The third-party assessor must be certified in Information Security Management System (in accordance with ISO/IEC 27001: 2005). Third parties should be willing to comply with the organization’s security policies & procedures. Third parties should have certified personnel in information security areas (organizations should check the accuracy of third-party assessor’s qualifications). Key Components of Third-Party Risk Management Framework Following are the key components of the Third-Party Risk Management (TPRM) Framework.           Planning & Processes Definition Segmentation & Screening Qualification Security & Permissions Workflows Risk Mitigation Continuous Monitoring Reports & Dashboard Centralized Repository Alert & Notification Vendors If you are a part of the company, then you are certainly required to connect with thirdparty vendors. These could be people that are providing the payroll for the organization, customer relationship management, email marketing, etc. In each one of these relationships, the company’s data will be shared with a third party. You will be required to use the cloud-based service for sharing purposes. From the security perspective, the understanding of the risk associated with providing the data to the third party is very important. For simplification, you can categorize the 481 Chapter 05: Governance, Risk, and Compliance risk for each individual vendor and then apply the security policies and procedure that helps to protect against the highest risk vendors. Supply Chain In September 2015, the researchers found that many Cisco routers were infected by a malicious firmware called “SYNful Knock.” This malicious firmware allows the threat actor to gain backdoor access to the infrastructure devices, which creates trust issues. End users realized that they need vendors in the supply chain that they can trust, so they know exactly where this hardware is coming from. They also need to check and make sure that these very critical devices are not connected to the Internet before security is in place. It is always useful to verify in some way that the hardware and the firmware inside of that hardware are secure. Supply-Chain Management It is crucial for organizations to consider the implications of non-secure software beyond their corporate boundaries. The ease with which software components with uncertain development processes can be combined to produce new applications has built a complex and highly dynamic software supply chain (API management). We utilize software that is being developed by a third party or accessed with or through third-party libraries to enable or create functionality without having a clear understanding of the origins of the software. This typically leads to a situation where there is complex and highly dynamic software interaction taking place between and among more than one service and system within an organization and between organizations via Cloud. This supply chain provides agility in the rapid development of applications to meet customer’s demands. Therefore, it is important to assess all codes and services for accurate and secure functioning, no matter where they are sourced. Business Partners Your organization may have a third party that you have work with very closely as a business partner. There may be a direct network connection between your corporate network and the network on the business partner side. Because of this relatively open path, there could be significant security concerns that have to be addressed. During communication with business partners, it is often difficult to identify malicious activity. This monitor this behavior, there are some policies required to use. These defined policies focus on what best practices are required for the connection between your organization and business partner. The policies also handle the data between the organizations and also provide the way to how to deal with Intellectual Property (IP). 482 Chapter 05: Governance, Risk, and Compliance Service Level Agreement (SLA) A Service Level Agreement (SLA) is a contract between a company and a third-party vendor. The SLA outlines performance expectations and, in many cases, contains consequences if the vendor fails to satisfy them. Many businesses, for example, rent servers using cloud-based services. A vendor offers access to the servers and ensures that they are operational. An SLA can be used by the organization to specify availability, such as with the fewest possible interruptions. Keep in mind that while working with third parties, a company should have a thorough understanding of its expectations and ensure that the SLA addresses these criteria. Interoperability Agreement To provide products and services, every organization needs to work with a third party. It is important to make an agreement before handling sensitive data of your organization to a third party. The question that arises is why an organization would share its sensitive data with a third party. One reason might be that the organization may need a third party that provides web hosting, firewall management, or payroll services to your organization. ISA ISA stands for Interconnection Security Agreement. A type of agreement that takes place between the organization and the interconnected IT system. The requirements of the security that are associated with the interconnection are documented in the ISA agreement. The document is detailed with all the legitimate plans of action about how the connection will be established, maintained, and disconnected by the two parties. MOU/MOA A Memorandum of Understanding (MOU) is a contract that can be bilateral or multilateral, meaning it is between two or more parties. It is a form of agreement between two or more parties that includes a "series of desired actions" aimed at achieving a common objective. Measurement System Analysis (MSA) Measurement System Analysis (MSA) can be a structured procedure that we have a tendency to use to assess the flexibility of a measuring system to produce sensible quality data. Master Service Agreement (MSA) The terms that an organization will employ for future work are defined in a Master Services Agreement (MSA). This simplifies ongoing engagements and SOWs because the overall MSA is referenced in the SOW, eliminating the need to renegotiate terms. 483 Chapter 05: Governance, Risk, and Compliance MSAs are common when organizations anticipate working together over a period of time or when a support contract is created. Business Partnership Agreement (BPA) A Partnership Agreement defines as a contract between one or a lot of businesses or people who are selecting to run a business together. Usually, every member can rouse the initial business contributions corresponding to capital, intellectual property, real property, or producing area to secure their valuable assets from cyber-attacks. Note: Partnership Agreements outline the initial contribution and future contributions that are expected of the partners. End of Life (EOL) System An 'End of Life system' is one that no longer functions or performs as planned. End-oflife systems can be caused by a variety of factors, including a lack of vendor support or incompatibility with other system features. Because the vendor no longer assists it with patches and updates, this vulnerability makes the system easy to target for an attacker. End of Support (EOS) EOS happens once software system updates, patches, and different styles of support are no longer offered, leading to software changing into liable to future security vulnerabilities. Data Classification Data classification aids in the implementation of appropriate and effective security procedures and controls to effectively secure information assets. The primary goal of data categorization is to define the level of confidentiality, integrity, and availability protection that each type of dataset requires. It is not a smart approach to consider confidentiality as the only part of data security without also classifying the data. Data classification aids in defining the Confidentiality, Integrity, and Availability requirements (CIA). 484 Chapter 05: Governance, Risk, and Compliance Figure 5-10: Security, Functionality, & Usability Triangle The Level of Security in a System is a measurement of the system's security, functionality, and usability. The Security, Functionality, and Usability triangle refers to these three elements. Consider a ball in this triangle; if the ball is centered, it means all three components are stronger. On the other hand, if the ball is closer to security, it means the system is consuming more resources for security and feature, function, and Usability requires attention. A secure system must provide strong protection along with offering all services, features, and usability to the user. The simplicity with which a high level of security is implemented has a direct impact on the level of functionality and usability. With a drop in performance, the system becomes less user-friendly. When designing an application or deploying security in a system, security specialists must ensure that the application is functional and easy to use. The triangle's three components must be balanced. Data Classification Procedures The processes required for proper data classification are outlined below: 1. Define classification levels. 2. Identify the criteria that determine the classification of data. 3. Identify data owners who are responsible for classifying data. 4. Identify the data custodians who are responsible for maintaining data and its security level. 5. Indicate the security controls or protection mechanisms required for each classification level. 6. Document any exceptions to the previous classification issues. 7. Indicate the methods that can be used to transfer custody of the information to a different data owner. 485 Chapter 05: Governance, Risk, and Compliance 8. Establish a mechanism for reviewing classification and ownership on a regular basis. Notify the data custodian of any modifications. 9. Indicate procedures for declassifying the data. 10. Integrate these issues into the security-awareness program so all employees understand how to handle data at different classification levels. Classifications Levels There are no set guidelines for categorizing data levels. Here are a few different levels of data classification. 1. Data classification for commercial businesses. 2. Data classification for the military. Each classification should have its own set of handling requirements and procedures for accessing, using, and destroying data. Classification Definition Public Disclosure is not welcome, but it would not cause an adverse impact on the company or personnel Sensitive It requires higher than the normal assurance of accuracy and completeness Private The personal information for use within a company Confidential For use within the company Unclassified Data is not sensitive or classified Sensitive but classified Secret Minor secret Top secret If disclosed, it could cause serious damage to national security If disclosed, it could be crucial damage to national security 486 Example Upcoming projects Application Commercial business Financial information Commercial business Human resource information Trade secrets Programming code Recruiting information Medical data Commercial business Commercial business Military Military Military Deployment Military plans for troops. Spy satellite Military information Chapter 05: Governance, Risk, and Compliance Espionage data Table 5-04: Commercial Business and Military Data Classifications Governance Data governance is the capability inside a corporation to assist shield for top-quality data throughout the lifecycle. Data integrity, data security, availability, and consistency are all part of this. It also involves people, procedures, and technology that help to change how information is handled within the organization. Data in Media The physical protection of equipment, as well as the security needs relating to the media where the data is stored, are both addressed by assets retained in the form of digital media. Additional security procedures are required for storage media such as hard disks, backup tapes, and CDs to ensure the security of the data they carry. Controls should ensure that data is not disclosed or modified by an unauthorized person. Consider the following controls for media security:  Storage controls are the most common way to secure data on storage mediums, including hard disks, magnetic tapes, and CDs. Encrypted keys should be used to protect this consideration. When backup media is stored offshore, further security precautions are required.  Maintenance is a process that is carried out on a regular basis to guarantee that the data stored on the storage medium is not corrupted or damaged. Media handling methods should be used to assure maintenance.  Usage instructions should be provided properly to users and operators to handle the media.  Media usage should comply with the established policies and procedures.  Formatting the media is used to destroy data. Formatting may not totally remove all data in a single session. For total data deletion, some of the standards recommend formatting the media seven times. Data in Hardware Stealing is one of the most common threats that need to be addressed for personal computers, laptops, or media protection. To avoid being stolen, the following controls should be considered:  Cable locks are used to physically secure PCs and laptop computers. These locks prevent the computer or laptop from being detached and stolen. 487 Chapter 05: Governance, Risk, and Compliance  Port protection ensures that unauthorized workers cannot access media sharing devices such as CD-ROMs, floppy drives, USB, Wi-Fi ports, printers, and scanners. The goal of port protection is to prevent unauthorized users from downloading and transferring confidential information on a portable medium.  Switches are used to prevent a malicious user from powering on/off the systems.  BIOS checks help in password protection during the boot-up process so that access to the operating system is controlled.  Encryption secures folders and data, preventing unauthorized access and change. Information can also be shared using encryption techniques via an unsafe communication connection. Data with Personnel The information in the minds of people, employees, managers, and other related individuals should also be secured. It can be secured and protected by training the individuals about the risk and impact of disclosure of any information on an organization. Individuals should avoid discussing confidential or personally identifiable information in public areas, social networking platforms, unofficial organizations, or exchanging information through publicly available channels as part of their social engineering awareness and countermeasures. Credential Management System When SSO is not available, a credential management system centralizes the handling of credentials. These solutions often enhance the capability of a standard directory service's default capabilities. A credential management system, for example, might maintain account passwords automatically, even if the accounts are in a third-party, public cloud, or an on-premises directory service. Users can frequently check out accounts for administrative needs using credential management systems. To prevent the un-authentication process, the management system encrypts the credentials. Consider an example of a Credential Manager tool within a Windows system. Users enter their credentials into the Credential Manager, and the operating system collects them and submits them automatically as needed. Users enter the URL, login, and password when utilizing this for a website. When the user visits the website later, the Credential Manager knows the URL and immediately delivers the credentials. An organization's risk level rises when it has multiple methods and unmanaged applications. When a single credential management system is implemented, it usually improves efficiency and security. When it comes to credential security, credential management is required. Instead of being stored on the client, the credential should be stored on the server. Also, credentials should not be transferred over the network in clear text (they should be encrypted). 488 Chapter 05: Governance, Risk, and Compliance Credential Policies We can use username, password, and other credentials as a critical part of our data security strategy. Without the proper credential management, the data would be accessible to anyone. It is remarkable then how often the implementation of passwords might be on a system. On several occasions, run an application that stores the password as part of the application. This is unquestionably not a secure method of credential management. Rather, all of the credentials must be stored on the server. Personnel In terms of privacy perspective, everyone wants to log into the system securely with their personnel accounts. This is an account that is not shared with anyone, and the only person who could be logging in with this account is the single owner of that account. One of the important security policies associated with these user accounts is that the user does not have privileged access to the operating system. Third-Party The third-party accounts use to log into the external system. This is common when accessing cloud-based systems which do not require the authentication method to access the database. This type of account is required when someone is logging into the cloud platform for payroll, enterprise resource planning, etc. The business partners or vendors that log into the local computer system usually use this account. Note: The third-party accounts used by someone outside of the organization and could be connected to the network from anywhere on the internet. In both of these situations, it is mandatory to use some additional security features like authentication. Devices Sometimes, we need to define some additional credential policies for mobile devices by deploying device certificates. This will easily identify that the device is a trusted piece of hardware and the one that has already been validated by the security team. All those security standards are managed through the Mobile Device Manager (MDM). MDM provides a uniform set of policies for all mobile devices. Account Types User Account - This is a type of account that is most common among users and associated with a single person. It allows limited access to the operating system. Each user is assigned a particular identification number by the user account. Multi-users can use the same computer for accessing their resources only by using a User Account, which also keeps each user’s data secure from another unauthorized user. This means 489 Chapter 05: Governance, Risk, and Compliance that by using the User Account, multi-user can log in to the same computer and but they can only access their own resources. Shared Account - As the name suggests, this account can be used by more than one person. For example, some operating systems allow the user to log in to a guest account (Guest Login). The shared account is difficult to manage because it is hard to identify the person logging in. If the password of the shared account is changed, then everyone needs to be notified that the password is changed, and this brings complexity to the management of the password. It is recommended to use a User account on the system rather than Shared Account. Service Account - The operating system or services of the operating system use an internal account that is referred to as Service Account. It is used to run a database or web server. Used only on the local computer, and no user can log in interactively. Different types of access permission can be set up for various services when using Service Account, which means database and web server rights may vary from each other. Some of the services accounts require a username and password, and some do not. Privileged Account - Also known as Root account or an administrator. Generally, these accounts can access the complete operating system. If you have to install application or device drivers or have to manage hardware, then you need to log in to Privileged Account. Organizational Policies Change Management One of the key processes on which to focus in for improvement is change management. Changes during a product’s life cycle can cause a lot of chaos if not treated properly and appropriately. Changes can interrupt the development, testing, and release of products. An organization should have a change control process that includes documenting and understanding a change before attempting to implement it. Request Control The request control provides an organized framework for users to request changes, managers to do cost-benefit analyses, and developers to prioritize actions. Change Control The change control process is used by developers to regenerate the situation encountered by the user and analyze the appropriate changes to fix the situation. It also provides an organized framework within which multiple developers can create and test a solution before moving into a production environment. As we know, documentation is always needed when we make configuration changes in the future. Therefore, these documents should be changed with the system changes. In 490 Chapter 05: Governance, Risk, and Compliance this section, we will discuss documenting the reasons for the change, change requests, approval processes, maintenance windows, notifications, and final documentation of the changes. Document Reason for a Change Every change in a network should be properly documented. Although, it is not an easy duty to update the document concerning any changes that occur in the network. For this, many organizations hire people to perform the responsibility. Some use software to update the track. Change Request A change should start its process as a change request. This request will move through various stages of the approval process and should include certain parts of information that will guide those tasked by approving or denying it. Configuration Procedures The particular steps required to implement the change and the particular devices involved should be detailed. Complete documentation must be produced and submitted with a formal report to the change management board. Rollback Process Change is always fraught with risk. Before any changes are made, strategies for reversing the modifications and recovering from any negative consequences of the changes should be in place. Before implementing the modifications, those making them must be fully educated on the rollback methods and demonstrate a thorough grasp of the changes. Potential Impact One of the advantages of going through this procedure is that it can indicate systems that need to be watched more closely for their reaction to the change as it happens. Notification When all systems that may be affected by the change are identified, system owners should be notified of all changes that could potentially affect them. Approval Process The actual approval process will depend on the organization. Some organizations may approve with a verbal statement of the change, while others may require documentation. The main factor is that the change should reflect the company's overall goals regarding network connectivity, disaster recovery, fault tolerance, security, and so on. Maintenance Window 491 Chapter 05: Governance, Risk, and Compliance During the execution of modifications, a maintenance window is the amount of time a system will be offline or unavailable. All affected systems should be reviewed for their criticality in supporting mission-critical operations before this window of time is specified. Authorized Downtime When the time required to make the change has been compared to the maximum allowable downtime, a system may suffer, and the optimum time for the change is identified, and thus the authorized downtime can be specified. These amounts help reach a final decision on when the change will be made. Notification of Change When the change has been completed and sufficient time has passed for issues to manifest themselves, all affected members should be notified that the change is complete. At that time, these affected members can continue to monitor the situation for any residual problems. Documentation The procedure is not finished until all of the paperwork is completed. In this case, the following items should be updated to reflect the network's current state:    Network configurations Additions to network Physical location changes Release Control Once the changes are finalized, they must go through the release control procedure to be approved for release. Before deploying the new software to production, ensure that any code included as a programming help during the change process, such as debugging code and backdoors, is deleted. Asset Management A general approach to operational information security requires organizations to focus on systems as well as the people, data, and media. Systems security is another vital component of operational security, and there are specific controls that can greatly help system security throughout the system's lifecycle. Asset management can be separated into two categories, each of which is briefly detailed below: Configuration Management Basic configuration management is responsible for activities such as preventing superfluous services, deleting unwanted programs, enabling security features like 492 Chapter 05: Governance, Risk, and Compliance firewalls, antivirus, and intrusion detection and prevention systems, and establishing security and audit logs. Baselining - The process of obtaining a snapshot of the current system security configuration is known as security baselining. Baselining is a simple way to capture the current security configuration of a system, which can be incredibly useful for responding to a possible security event. Vulnerability Management - Vulnerability management refers to regularly identifying vulnerabilities, evaluating vulnerabilities, and taking steps to mitigate risks associated with vulnerabilities. It is not possible to eliminate all the risks; similarly, it is also not possible to eliminate all the vulnerabilities. However, an effective vulnerability management program helps an organization that ensures regular evaluating vulnerabilities and mitigating the vulnerabilities that represent the greatest risks. 493 Chapter 05: Governance, Risk, and Compliance Mind Map Figure 5-11: Mind Map Risk Management Processes and Concepts Risk management can also be called the “Decision Making Process.” All the components like threat assessment, risk assessment, and security implementation approach arranged within the process of business management describe the risk management 494 Chapter 05: Governance, Risk, and Compliance Threat Assessment An organized interpretation of threat that encounters a firm is known as Threat assessment. Threats cannot be changed; however, the way it affects can be changed. Therefore, threats are necessary to figure out. Environment The Environment is one of the biggest sources of threat to the system. There is a variety of sources that cause an environmental change like weather, storm, flood, lightning, etc. These environmental changes disrupt the normal operation of the system and increase risk. To overcome this situation, make the system resilient so that it mitigates the risk sources and reduces impacts on the enterprise. Manmade As the name implies, manmade threats are those threats caused by the action of a person. These threats are the result of both the adverse action of the attacker and accidents by the users. Therefore, appropriate control against intended and unintended actions is necessary to deal with the risk of the system. Risk Types The risk can define the identifiable assets that could be affected by an attack. Several types of risk can define, identify the threats and expose the disruption of service. External Threat The risk can occur from the external side of an organization where a hacker group tries to access the data or might be a former employee of an organization. Internal Threat The risk could also be presented inside the organization. It might be the employees who are coming to work every day or any partner. Some disgruntled employees have access to the internals of the network. They can easily use this access to create a security event. Legacy Systems If you do not pay attention to the assets of your network, then those assets could be used against you. The legacy system normally runs the outdated operating systems, and the manufacturer no longer supports older software that you might find in your network. There may be significant security concerns with the software that is running on those systems. As these devices become older, it becomes more difficult and complex to find security patches. 495 Chapter 05: Governance, Risk, and Compliance Multi-party Sometimes, security breaches may involve more than one entity. It could be your organization, and many others are involved because all of your networks are connected in the same way. In May of this year, the American Medical Collection Agency was a prime illustration of this. This company handled debt collection for a variety of companies, and they suffered a data breach that affected 24 million people. This collection agency was in charge of 23 different healthcare groups. As a result, one data breach impacted 23 additional companies, forcing them to notify their consumers that their information had been exposed. Intellectual Property (IP) Theft IP theft can be significant if an organization has a lot of IPs, such as an idea, inventions, and creative expressions. Third parties could gain access to the intellectual property through no fault. It could be that people have a mistake in how they set up permissions in the cloud, and all of that information is available to the world. It is also possible that someone is actively hacking your system to find this Intellectual Property (IP) or someone inside the company who has access. Software Compliance/Licensing Another risky area of concern is software compliance in the organization and how you are handle the application licensing. You should purchase a proper license according to your organization's requirements. The unneeded license in the organization creates some hurdles, such as:    The operational risk with too few licenses The financial risk with budgeting and over-allocated licenses Legal risk if proper licensing is not followed Risk Management Strategies Acceptance Risk can be accepted. Risk acceptance is the practice of accepting the specific risk, typically based on an organizational decision that may also weigh the cost versus the benefits of dealing with the risk in another way. Avoidance It is possible to escape danger. Risk avoidance is the process of devising a plan to avoid the occurrence of the risk in the issue. 496 Chapter 05: Governance, Risk, and Compliance Transference It is possible to transfer risk. The activity of passing on risk to another entity, such as an insurance company, is known as risk transfer.  Cybersecurity Insurance - Cybersecurity insurance is intended to mitigate losses from a spread of cyber incidents, as well as knowledge breaches, business interruption, and network damage. Mitigation The majority of the development approaches covered in the preceding section include a way for performing a risk analysis of the current development cycle. When a risk has been recognized, a strategy for mitigating that risk should be devised. Furthermore, it can document causes of risk that might be ignored or not addressed during a certain phase of the development process. Risk Monitoring Risk monitoring is a continuous process that tracks and evaluates the levels of risk in an organization. Along with monitoring itself, the discipline tracks evaluate the effectiveness of risk management strategies. The findings that are produced by risk monitoring processes can be used to assist in creating new strategies and updating previous strategies that may have proved to be ineffective. The objective of risk monitoring is to constantly track the risks that occur and the effectiveness of the responses that are implemented by an organization. Monitoring can help to ascertain whether the suitable policies were adopted, whether new risks can now be identified, or whether the old strategies to do with these risks are still valid. Monitoring is most important because the risk is not static. Analyze Risks Associated with Cloud Infrastructure A cloud-based system should be managed and approached as other outsourced platforms, with the same types of concerns, risks, and audit/governance prerequisites as an external hosting environment. Eventually, all risks related to a Cloud infrastructure must be customized for their individual needs. Risks to consider include:      Policy and Organization Risks Loss of Governance Provider Lock-in Compliance challenges Provider Exit 497 Chapter 05: Governance, Risk, and Compliance Risk Register The risk register is something that contains the list of all the risks linked with the system and all the information regarding those risks; for example, their Types to arrange them, Mitigation factor, Possibility of occurrence, Impact to a business, etc. Risk Matrix/Heat Map Risk must communicate in a straightforward and easy-to-understand manner. It may also be necessary to share risk information with others outside the organization. The organization must agree on a set of risk management KPIs in order to be successful. Using a risk scorecard is recommended. The impact and probability of each risk are assessed separately, and then the outcomes are joined to give an indication of exposure using a five-level scale in each of these quantities:      Minimal Low Moderate High Maximum This enables a clear and simple graphical representation of project risks. Likelihood Minimal Low Moderate High Critical 1 2 3 4 5 A (almost certain) H H E E E B (likely) M H H E E C (possible) L M H E E D (unlikely) L L M H E E (rare) L L M H H Table 5-05: Risk Scorecard Note: E = Extreme Risk: Immediate action required to mitigate the risk or decide if not to proceed. H = High Risk: Action must be taken to compensate for the risk. M= Moderate Risk: Action must be taken to monitor the risk. L = Low Risk: Routine acceptance of the risk 498 Chapter 05: Governance, Risk, and Compliance Risk Control Assessment After detecting and identifying the risk, a risk heat map will be created to identify how this risk will affect the organization. After that, the cybersecurity requirement will be created around the identified risk. You can also determine the gaps that may be in the security posture; this can require a formal audit to have someone in every aspect of the organization. After identifying the gaps, you can easily build the security control that would fill in all those risky areas. The risk control assessment also determines if existing controls are compliant or noncompliant. Note: Make plans to bring all of the security systems into the compliant domain. Risk Control Self-Assessment In a smaller organization, you may be able to do a self-assessment to be able to find the gaps in the security posture. Risk Awareness Risk awareness is like a constantly changing battlefield. There is a constant change with the type of risk that you have to prepare for, and there is also a new risk that is emerging all the time. The amount of information on existing and newer threats are almost overwhelming, and it takes constant study to stay up to date allows you to manage the defense. Note: Understanding how to recognize the security risk events and protect against them is the responsibility of individuals. Inherent Risk Inherent risk is the risk that exists in the absence of security control. This means that when there is no external influence, the system will experience a certain amount of risk. In some models that describe inherent risk, you would also include your existing security controls. Residual Risk The reason a company implements counter-measures is to reduce its overall risk to an acceptable level. As no system or environment is 100 percent secure, which means there is always some risk left over to deal with. This is called residual risk. The residual risk is the combination of inherent risk that exist and the effectiveness of security controls. After combining, you can add a firewall to provide additional security controls that will then allow calculating the residual risk. Some models of residual risk include some additional security controls that would add on top of what is already existing. 499 Chapter 05: Governance, Risk, and Compliance Control Risk Control risk, also called internal control risk, is when the current internal control cannot detect or fail to protect against significant error. Risk Appetite The type or the amount of risk that an organization is prepared to pursue, take or retain is called Risk Appetite. An organization's risk appetite is its willingness to tolerate risk within the environment. If a company is highly risk-averse, it may choose to run scans more regularly to reduce the period between when a vulnerability is discovered and when it is discovered by a scan. Regulations that Affect Risk Posture There are several constant sets of threats that you have to keep track of. From an IT perspective, there is an extensive number of regulations affecting cybersecurity. Many of these regulations are associated with protecting someone’s critical, sensitive, and financial information. Several regulations describe the disclosure of information breaches.   HIPAA – Health Insurance Portability and Accountability Act is a board regulation that covers many different areas. From the risk and security perspective, it provides the privacy of patient records. The record includes the information from other sources, storage requirements, network security, and how to protect the information against threats. GDPR – General Data Protection Regulation, European Union-based data protection, and privacy regulation. It ensures that personal data must be protected and managed for privacy. Risk Assessment The process of determining potential risk based on mathematical and statistical design is called risk assessment. For measuring the risk assessment value, any of the methods can be adopted by the user. A simple technique is to calculate ALE (Annualized Loss Expectancy) that generates the financial value of impact, and its calculation starts with the measurement of SLE (Single Loss Expectancy). Risk Assessment Types There are two main types of risk assessment. Qualitative - To subjectively figure out the impact of an action which affects a business or program is known as “Qualitative Risk Assessment. Experienced and expert judgments are needed to perform this assessment. 500 Chapter 05: Governance, Risk, and Compliance Risk Factor Impact Annualized Rate of Occurrence Cost of Controls Overall Risk Legacy Windows Clients Medium Low Medium Low Untrained Staff High Medium High Medium No Anti-Virus Software Medium Low Medium Low Table 5-06: Qualitative Risk Assessment Quantitative - To objectively figure out the impact of an action which affects a business or program is known as “Quantitative Risk Assessment.” In order to perform this assessment, the use of models and metrics are involved commonly. Likelihood of Occurrence The “Likelihood of Occurrence,” which can be quantitative or qualitative, is the probability of a specific danger occurring. When qualitatively stated, the likelihood of recurrence is usually described on an annual basis in order to compare it to other yearly measurements. It is utilized to generate rank-order results if it is described quantitatively. Supply Chain Assessment All the organizations are required to look at not only the risk linked to a system but the risk enclosed in a system. The process of exploration and identification of these risks is known as “Supply Chain Assessment.” Impact When an incident or risk occurs, it creates an impact on an organization. The impact can be a financial gain or instability, reputational rise and fall, and much more.     Financial gain/loss Variation in reputation Unavailability Degradation Some IT systems are used in the healthcare industry. As a result, any system malfunction can result in the victim's damage or death. This loss or injury to life is an issue that the substitute will not be able to remedy. To avoid impact, it is therefore vital to ensure that the system is very unnecessary.  Property 501 Chapter 05: Governance, Risk, and Compliance Unmitigated risks result in property damage. Property damage to an organization’s property or other’s property and environmental damage caused due to the toxic release in an industrial setting are all those damages that are caused by IT security failure.  Safety “Protection against risk, danger, or injury” is how safety is defined. Safety concerns (as a result of failure) increase losses and can cause work interruptions. Because computers are now involved in every part of business, they can have an impact on safety.  Finance The final arbiter of all work is 'Finance,' which assists us in keeping track of a score. Profit can be used to quantify gain, whereas unchecked threats can be used to assess the loss. When consequences exceed the projected costs associated with the planned residual risks, it becomes a problem and has a negative impact on earnings.  Reputation One of the essential values in marketing is Reputation. Junky history or shoddy record ruins the company’s reputation and costs the company in client base and revenue. For example, nobody wants to give up personal information or contract with a bank with a junky history Asset Value The amount of money that is required to equate the value of an asset is known as ‘’Asset Value.’’ The term Asset Value is commonly used with the term exposure factor for the determination of SLE. Single Loss Expectancy (SLE) SLE refers to the loss value that is expected from an event. The mathematical formula for calculating SLE is as follows: SLE = asset value × exposure factor The determination of the amount of loss of a resource is called the Exposure factor, or we can say it is a measurement of the risk level of an asset (how much it is at risk). Asset=Resource Annualized Loss Expectancy (ALE) ALE is determined by multiplying SLE and ARO after SLE has been calculated; the mathematical formula is as follows: ALE= SLE * ARO Where; 502 Chapter 05: Governance, Risk, and Compliance ARO stands for Annualized Rate of Occurrence, and it refers to the period of time the event is supposed to take place in a year. Annualized Rate of Occurrence (ARO) The ARO is the amount of time the event takes to occur in a year or less; it can also be called “events frequency in a standard year.” For example: If the event is taking place twice in 15 years, then the ARO is 2/15 Disaster When talking about the risk of an organization, the disaster is also necessary to discuss. There are different types of disaster can be possible when handling the security risk. Environmental The environmental disaster threats could be a tornado, hurricane, earthquake, or severe weather. Person-made There are some person-made threats possible. This may include human intent, negligence, or error. These types of threats could also include severe disasters like arson, crime, civil disorder, fires, riots, etc. Internal and External The disaster types can also be categorized in terms of internal and external threats. The internal threats tend to be from the employees present in the organization. The external threats come from outside of the organization. Business Impact Analysis The process of determining the source and relative impact value of a risk element is known as business impact analysis. It also refers to the document that outlines the sources of risk as well as the procedures for mitigating them. Recovery Time Objective (RTO) RTO stands for Recovery Time Objective, and it is the objective time for resuming operations after an incident has occurred, as the name implies. More efforts and coordination are required for a shorter RTO. As a result, the costs are higher. This word is frequently used in disaster recovery and business continuity activities. Recovery Point Objective (RPO) RPO stands for Recovery Point Objective, which is defined as the time period that represents the maximum period of acceptable data loss. It determines the backup 503 Chapter 05: Governance, Risk, and Compliance frequency essential for preventing unacceptable data loss. The RPO answers how much data loss is affordable. Mean Time to Repair (MTTR) Mean Time to Repair is the time required to repair a given failure. Mathematically, MTTR is formulated below: MTBF = Σ (start of downtime – start of uptime) / number of failures Availability is defined as the time in which the system performs its intended function. Its mathematical formula is as follows, and it is defined in terms of percentage. Availability = MTBF / (MTBF + MTTR) Mean Time Between Failure (MTBF) Mean Time Between Failure (MTBF) is a measure of a system's reliability, and its expression describes the average time between failures. MTBF is defined mathematically as the arithmetic means of system failures, which is written as: MTBF = Σ (start of downtime – start of uptime) / number of failures Functional Recovery Plans All businesses must prepare processes to develop IT disaster recovery plans within the event IT systems to ensure the continuity of the business. The recovery procedures should aim at restoring data, applications, and hardware in time to fulfill the requirements of the recovery of business functions. Single Point of Failure The Single point of failure is defined as any of the system’s components whose breakdown or flaw could result in the entire system’s breakdown. For example:   Fine for a small firm A single connection to the internet Disaster Recovery (DR) and Business Continuity (BC) Most organizations cannot afford to be unable to perform their business processes for a very long period. The tolerable downtime can be measured in minutes, hours, or days, depending on the unique company. In some noncritical sectors, days may be acceptable. Consequently, the organization needs such a plan that process regardless of what happens around us. As introduced in the previous chapter, business continuity is the term used to describe the processes enacted by an organization to ensure that its vital business processes remain unaffected or can be quickly restored by experiencing a serious incident. 504 Chapter 05: Governance, Risk, and Compliance Disaster Recovery Sites When a disaster strikes, it is usually too late to begin the response method. As a result, catastrophe recovery sites must be constructed. There are numerous choices for constructing a disaster recovery site, including a hot site, a warm site, and a cold site. Disaster Recovery Plan (DRP) After a human-caused or natural disaster, a Disaster Recovery Plan (DRP) is the process of regaining access to data, hardware, and software needed to continue crucial business activities (such as storm, flood, tornado, etc.). DRP's major goal is to quickly restore or recover essential parts or elements of the business following a disaster or other incident. DRP is part of a larger process known as business continuity planning. The below steps can be used to build a disaster recovery plan:     Plan for an unexpected scenario: Form a team, perform a Business Impact Analysis (BIA) for your technologies, identify a budget and figure out which business processes are mission-critical. Review your technologies: Set the recovery time objective and recovery point objective, develop a technology plan, review vendor support contracts, and create or review disaster recovery plans. Build the communication plan: Finalize who needs to be contacted, figure out primary and alternative contact methods, and ensure that everybody can work, possibly from a backup location. Coordinate with external entities: Communicate with external units such as the police department, government agencies, partner companies, and the community. Mission Essential Functions The security squad can use the important mission function to correctly build up defenses for securing systems and data in a way that corresponds to the related risk. It also ensures that service will be restored. Identification of Critical Systems The identification of the critical system is used in continuity planning to figure out what you need to protect as part of the plan. The first step would be to make a list of all the critical systems and identify the different processes running inside an organization. After that, list down all of the business processes, including the accountability system, manufacturing application, VoIP. It is also important to associate the tangible and intangible assets and resources with the business processes. 505 Chapter 05: Governance, Risk, and Compliance Site Risk Assessment Site risk assessments are the chance evaluations that have been adjusted to a particular location ad as they contain important data for that specific extend. Site-specific risk assessment takes into consideration the reallocation and sort of extending and address as it were the important dangers. MindMap Figure 5-12: MindMap Privacy and Sensitive Data Concepts in Relation to Security This section of the chapter focuses on the data privacy and sensitivity of data in terms of security. Organizational consequences of privacy breaches The organizational consequences of privacy breaches include: 506 Chapter 05: Governance, Risk, and Compliance Reputation damage During every step of the information life cycle, there is a potential for a data breach. One consequence of the data breach is damage to one’s reputation. If the organization is not trusted to store the data then, it could have a negative impact on how other organization might view. Additionally, there is also a negative impact on the products and services. Identity theft One of the major concerns is that the data can be used for identity theft and easily taking advantage of other people’s private information. If the data gets into the hands of a third party, then it is an organizational responsibility to have a public disclosure. This activity will create some credit monitoring costs. This will constantly monitor your organization’s data. Fines There are some fines and lawsuits associated with the data breach.   In 2016, the company “Uber” had a data breach and did not disclose it. Instead, Uber contacted the hackers that originally stole the data and paid them $100,000. There was a lawsuit settlement from Uber of about $148 million In 2017, “Equifax” had a data breach when the US government fined them over $700 million IP Theft In the form of Intellectual Property, many organizations contain data that they have generated themselves (IP). If someone has access to these trade secrets, they may be able to use them for their own gain, ultimately putting you out of business. Notifications of Breaches In many cases, the discovery of these data breaches occurs inside of the organization initially. Escalation Internal Escalation Process   Breaches are often found by a technician Provide a process for making those finding known External Escalation Process   Know when to ask for assistance from external resources Security experts can find and stop an active breach Breaches 507 Chapter 05: Governance, Risk, and Compliance A data breach exposes confidential, sensitive, or protected info to an unauthorized associate person. The files in an information breach are viewed and/or shared without permission. Public Notification and Disclosure Once the initial phase of the escalation process is over, the public of the data breach needs to be informed. There are a number of security breach notification laws in almost every geography, all 50 US states, the European Union, Australia, and almost every country has laws regarding public disclosure. Normally, these disclosures occur relatively. However, there may be times when criminal investigations are underway, and it may be more important to keep that information private until the investigation is over. Data Types Classification The data can be classified into the following categories:          Public Private Sensitive Confidential Critical Proprietary Personally Identifiable Information (PII) Health and financial information Government and customer data Public Public data refers to the data with no restrictions. The data can be easily viewed from any source, location, and region across the world. Private Private data is used to limit access to public data. This may require a Non-Disclosure Agreement (NDA). The data are only available for internal use. Sensitive Sensitive data is that classified data that has to be protected and is inaccessible to outsiders unless given specifically granted permission. The information will be in physical or electronic form; however, sensitive data can be considered as personal information or data. Confidential 508 Chapter 05: Governance, Risk, and Compliance Confidential data is very sensitive data that allow only certain people have approved access. Critical Critical data is the information that organizations hold essential for success or data that needs to be preserved for regulative purposes. For example, customer data. Proprietary Proprietary data is a type of sensitive data and is considered the personal property of an organization. It can include trade secrets, passwords, or often unique data of an organization. Personally Identifiable Information (PII) This type of data can be used to identify an individual with the name, date of birth, biometric information, etc. Health Information Sensitive health information comes into the category of Protect Health Information (PHI). It holds the health-related information associated with an individual—for example, health care records, health status, payment, insurance, etc. Financial Information Financial information is the knowledge regarding the monetary transactions of an individual or business. The information may include the records of a business's financial situation. They embrace commonplace reports such as the balance sheet, financial gain or profit, and loss statements, and income statements. Government Data The information holds all the records that are done by the government in terms of policies, agreements, projects, budgets, etc. Customer Data Customer data includes the details about the customer with respect to certain activities that have been done, like the name of the purchased product, pricing, discount, customer’s biodata, location, etc. Privacy Enhancing Technologies The application developers may have techniques that they can use to help keep data safe and secure. Different ways of enhancing privacy are available in the security domain. 509 Chapter 05: Governance, Risk, and Compliance Data minimization One way to enhance privacy is through the use of data minimization. Whenever you require data to perform some functions, you can use the data minimization technique. This is included in many different regulations like HIPAA that has a “Minimum Necessary” rule and GDPR. These techniques also minimize some of the information like cell phone numbers or addresses from the registration process and also limit the internal data required to perform some organizational tasks. Data masking One way to protect data is to simply hide it. This is called data masking. It is a way to obfuscate data in a way that shows data exists; however, it does not allow you to see any of the portions of data. This technique is helpful in protecting your Personally Identifiable Information (PII), financial details, or any other sensitive data. The data masking process hides the data from the screen and displays only relevant information. However, it does exist in its complete form in the database. This technique also allows you to control what exactly you want to display on the screen by defining certain policies and permissions. EXAM TIP: There are multiple techniques available for data masking, such as substituting, shuffling, encryption, masking out, etc. Figure 5-13: Before Masking 510 Chapter 05: Governance, Risk, and Compliance Figure 5-14: After Masking Tokenization Tokenization is the way of using personal data without using the actual data. This is when we take sensitive data and replace it with a completely different bit of data (nonsensitive placeholder) that is called a token. A token provides a way to store the data in the database according to the SSN token number and display it on the screen with some other number. You can easily use tokenization many times in a day like it is used in credit card processing. EXAM TIP: Tokenization is the hashing technique, not an encryption technique. There is no need to care about the processing, memory, CPU, and any other type of overhead. Figure 5-15: Tokenization 511 Chapter 05: Governance, Risk, and Compliance Anonymization Anonymization is the process of making it difficult to correlate anything with the preserved data. You can anonymize data in a variety of ways, including hashing it to make it unreadable or using masking techniques to replace actual data with asterisks. You can even anonymize portions of the data while leaving the rest intact. This is especially important if you wish to conduct some sort of analysis. The fundamental disadvantage of anonymization is that it is impossible to return to the original data. After the data has been anonymized, it is stored with the desired hashes and masking techniques in the data. Pseudo-anonymization The Pseudo-anonymization technique replaces personal information with pseudonyms. This technique can convert the data back to its original shape if you need to provide it for other processes. There are different replacements available for data protection. You can display the same names with different alphabets every time. This technique also helps to maintain consistency. If you need to access some particular record, you might have a consistent replacement for this. EXAM TIP: Pseudo-anonymization is a data protection technique used to maintain statistical relationships. Roles and Resposnibilities There are many people in an organization responsible for data. Some of them are a technician that works at a very low level with the data. However, there are many responsibilities in the management layer of the organization. Data owners At the management level, there is a data owner who is responsible for a certain set of data. The accountability of the specific data is often handled and managed by the data owner. The Vice President (VP) of sales owns the customer relationship data, or there might be a treasure in charge of the financial information of the organization. Data controllers Separating the people who process the data from the people who control the data is a good idea. The data controllers are in charge of the data's processing purposes and methods. 512 Chapter 05: Governance, Risk, and Compliance Data processor The data processors are working on behalf of the data controllers, or sometimes this can be a third party. For example, the payroll process within an organization can be utilized by the payroll department and payroll company. The payroll department would play a role as a data controller and defines the payroll amount and timeframe whereas, the payroll company would act as a data processor and processes payroll and stores employee information. Data custodian/steward Data custodian/steward is one of the additional data roles. This will be responsible for the accuracy of the data, for keeping all the data privacy and security associated with the data that is stored in the system. This may include a user or a group of users that will identify or set labels associated with data. The user groups will also keep track of all the laws and regulations associated with data so that the organization complies with all of those roles. They are also responsible for implementing the security control for the data and determine who has accessed that information. Data Protection Officer (DPO) Data Protection Officer is the higher-level manager who is responsible for the organization’s overall data privacy policies. DPO will define the exact privacy policies for the organization and implement the processes and procedures. Information Lifecycle The entire life cycle of the information consists of: Creation and receipt The life cycle of the information starts with the creation and receipt of the data that is used inside the organization or received from a third party. Distribution After the data has been created or received, it needs to be processed. Commonly, you would sort the data and store it in the appropriate area. Use After setting up and storing the data, the data will be ready to be used. The data will probably use to make business decisions, create products and services. Maintenance With several data source, regular, constant monitoring and maintenance procedure is required to retrieve the data and transfer it to other location. 513 Chapter 05: Governance, Risk, and Compliance Disposition When the data are successfully retrieved and transferred, you need to archive it or find a secure way to dispose of the data. Creation and receipt Disposition Distribution Maintenance Use Figure 5-16: Information Life Cycle Privacy Impact Assessment Privacy Impact Assessment (PIA) is an organized way of figuring out the gap between the needed privacy act and the actual privacy act. PIA ensures the compliance of the process and system with the existing laws and regulations. It analyzes how the PII (Personally Identifiable Information) is gathered, secured, and used. All this information is provided to the users in the written privacy statement. Terms of Agreement There are several areas where you may learn more about how a company handles data. One of these is during the agreement's term. This is a legal agreement, and before utilizing a service, a user must agree to these terms and conditions. Privacy Notice/ Privacy Policy Privacy notice or privacy policy is a separate document required on where the organization happens to do business. This document also defines how the organization is going to manage the data that you provided to them and also gives you options on what you can do to help protect data, and you can contact that organization for more information. 514 Chapter 05: Governance, Risk, and Compliance Mind Map Figure 2-17: Mind Map Data Security and Privacy Practices Data Destruction and Media Sanitization It is important to destroy the data that is no longer in use because that data or information can be discovered and used by criminals in malicious activities like identity theft, social engineering, etc. Dumpster diving is used by criminals for this purpose because its value is well known to criminals. For every organization, it is vital to have effective demolition and destruction policies and associated procedures. The following are some methods of data destruction and media sanitization. 515 Chapter 05: Governance, Risk, and Compliance Burning A method of destruction, which is regarded as a gold method, is referred to as Burning. The data/media is carried out in a form that can be demolished by the fire, and then it is burned. This is the process that is irreversible and makes the data be lost permanently. Shredding Shredding, which is also referred to as physical destruction, is the method of splitting things into small chunks and then mixed making the reassembling impossible or difficult. Everything that might be advantageous to a criminal or dumpster diver should be shredded. Pulping Puling is the process of recombining a paper into a new paper by suspending a paper fiber in a liquid. Once the paper is shredded, the pulping process erases the ink by bleaching, and then those shredded pieces are recombined into new paper. This way, the layout of the old paper is completely destroyed. Pulverizing Breaking things by external force into unusable pieces (that cannot be reconstructed) is known as Pulverizing, which is also referred to as ‘Physical Process of Destruction.’ Used for hard disk drives like items. Encryption is the modern approach to pulverizing. In this method, the owner encrypts the drive’s data and destroys the key. This process makes the data non-recoverable depending on the strength of encryption. Degaussing The files on a magnetic storage device can be destroyed magnetically, i.e., using a magnetic field; this method is known as degaussing. This is a safe technique for degaussing the data or media. In this method, the magnetic particles got realigned by discarding the organized format that displayed the data. Purging A process of discarding and erasing data from the storage zone permanently is known as purging. A key expression that reflects the purging is “removing data,” which is planned to clear up the storage zone for re-use—for example, Circular Buffer. Wiping Wiping is the technique of repeatedly rewriting the media in storage with a 1's and 0's pattern series to remove all traces of the original data or media. Because it is a nondestructive procedure, it is suitable for the method. Depending on the level of data protection, several data wiping techniques are available with different passes, such as 3, 7, or 35. 516 Chapter 05: Governance, Risk, and Compliance Data Sensitivity Labelling and Handling Confidential A ‘Confidential’ labeled data on exposure to an illegitimate or unauthorized party leads to severe harm to the corporation. The data is specified by the policy that covers detail regarding who possesses the authority to issue the data. Software Codes, Trade Secrets, and Product Design are all included in confidential data. Private A ‘Private’ labeled data on exposure to an illegitimate or unauthorized party leads to disruption or harm to the corporation. Private data is commonly related to the personal data that belongs to an individual or less often with the corporation. The damage level related to the private data is less as compared to the confidential data but still significant. Public A ‘Public’ labeled data can be viewed by the public and carries no protection in regards to confidentiality. Nevertheless, protection is still required for its integrity. For example, Press Releases, Public Web Pages, etc., are all examples of public data. Proprietary ‘Proprietary’ is something that is owned and controlled by an individual or organization. Therefore, proprietary data is something that is confined to a business for competitive use. Proprietary labeled data can be shared with a group of users other than a competitor, and the label of proprietary is for alerting the group not to further share that proprietary data. For protecting proprietary data, the laws of secrecy, copyright, patent are used. PII Personally Identifiable Information (PII) is a term that refers to data that can be used to identify a person. It refers to the data needed to distinguish or detect an individual's identification, such as a person's name in combination with one or more of the following:    Social security number Driving License number Account number or credit card number or other identifying information that is linked to a specific person In other words, a set of data elements that leads to the identity of a specific individual. PII is mostly used in online transactions. There always exists a possibility that it can be 517 Chapter 05: Governance, Risk, and Compliance misused by any unauthorized person or miscreant. Therefore, it is necessary to protect that personal information. PHI Protected Health Information (PHI) refers to an individual's health information, such as a health care record, a payment for health treatment, insurance information, and any other medical-care-related information. The Health Insurance Portability and Accountability Act (HIPAA) protects personal health information. Data Retention Data retention refers to the storage of data logs. Another important characteristic of data retention is to determine what data needs to be stored and for how long. Data is retained for multiple purposes like a contractual obligation, accounting, and billing, warranty history, etc. However, storing data for a long period of time may cause risks if not maintained properly. Legal and Compliance Some of the data security and privacy actions are retained under legal requirements and regulatory compliance. An organization must have to follow regulations and standards to meet data security. Following are some general-sector specific regulations:    Federal Information Security Management Act (FISMA), U.S Security of Network and Information Systems (NIS Directive), Europe General Data Protection Regulation (GDPR), Europe 518 Chapter 05: Governance, Risk, and Compliance Mind Map Figure 5-18: Mind Map 519 Chapter 05: Governance, Risk, and Compliance Practice Questions 1. What is the purpose of Governance, Risk, and Compliance? A. Achieve Objectives B. Address Uncertainty C. Act with Integrity D. All of the above 2. Which of the following privacy breaches create credit monitoring costs? A. Fines B. Identity Theft C. Reputation Damage D. None of the above 3. Which of the following provides the storage for data logs? A. Data Retention B. Data Roles C. Governance D. All of the above 4. How many roles and responsibilities are there at the management layer of the organization? A. Seven B. Six C. Five D. Four 5. Which of the following assessment ensures the compliance of the process and system with the existing laws and regulations? A. Risk Assessment B. Risk Control Assessment C. Impact Assessment D. Privacy Impact Assessment 6. How many categories are there for security control? A. Four 520 Chapter 05: Governance, Risk, and Compliance B. Three C. Two D. Five 7. Which of the following security control type helps to detect physical security breaches? A. Detective B. Technical C. Preventive D. Corrective 8. The information lifecycle consists of ___________ strategies. A. Four B. Three C. Five D. Two 9. Which of the following agreement is used to protect confidential information? A. Non-Disclosure Agreement B. Service Level Agreement C. Business Partnership Agreement D. Interoperability Agreement 10. Which of the following is responsible to rapidly recover the disaster? A. Disaster Recovery Sites B. Mission Essential Functions C. Disaster Recovery Plans D. Business Continuity 11. Which of the following defines the security policies concern with the people associated with the organization? A. Personnel Security B. Privacy Policies C. Role and Responsibilities D. Organizational Policies 12. How many account types can be included in the credential policies? 521 Chapter 05: Governance, Risk, and Compliance A. Four B. Three C. Two D. Six 13. Which of the following is also called rotation of duties or rotation of responsibilities? A. Separation of Duties B. Social Media Analysis C. Phishing D. Job Rotation 14. An organized interpretation of threat that encounters a firm is called _________________. A. Risk Monitoring B. Risk Assessment C. Threat Assessment D. Supply Chain Assessment 15. How many types of Risk assessment are there? A. One B. Two C. Three D. Four 522 Appendix A: Answers Answers Chapter 01: Threats, Attacks, and Vulnerabilities 1. Answer: B Ethical Hackers always require legal permission. 2. Answer: B Gray Box penetration testing is a sort of penetration testing in which the pentester has very little prior knowledge of the system and no information about the targets. 3. Answer: C White Hat Hackers always have legal permission to perform penetration testing against a target system. 4. Answer: C Hacktivists draw attention to the target to deliver a message or promote an agenda. 5. Answer: A Script Kiddies have no or very low knowledge about hacking. 6. Answer: C White Box testing requires complete knowledge of a target. 7. Answer: D Suicide Hackers are those who aim for destruction without worrying about punishment. 8. Answer: B and C Penetration testing is required in an environment to perform an audit, find vulnerabilities, and exploit them to address them before an attacker reaches them. 9. Answer: B Gray Hats are those who work for both offensively and defensively. 10. Answer: B 523 Appendix A: Answers The process of finding, quantifying, and prioritizing (or ranking) the vulnerabilities in a system is known as vulnerability assessment. 11. Answer: A The Black Box is a sort of penetration testing in which the pentester is blind or doubleblind tested, meaning that the pentester has no prior knowledge of the system or information about the target. 12. Answer: D Vulnerability is a weak point or loophole in any system or network, which can be exploited by an attacker. 13. Answer: C A Directory Traversal Attack is a sort of attack in which an attacker attempts to enter restricted directories by applying dots and slash sequences in a trial and error technique. The attacker can divulge sensitive information about the system by accessing folders outside the root directory. 14. Answer: B An attacker sends a response splitting request to the server in an HTTP Response Splitting Attack. An attacker can add the header response in this manner. As a result, the response will be split into two parts by the server. The attacker controls the second response, which is used to redirect the visitor to a malicious website. 15. Answer: A Active and passive reconnaissance methods are also popular for gaining information about the target, either directly or indirectly. This phase's ultimate purpose is to maintain contact with the target in order to obtain information without being recognized or warned. 16. Answer: A Footprinting is basically the collection of every possible information regarding the target and target network. 17. Answer: A 524 Appendix A: Answers Social engineering is a psychological manipulation approach used in information security. This approach is used to acquire information from persons who are interfering with you either directly or indirectly. 18. Answer: A Every possible combination of characters is computed for the hash to create a rainbow table. When a rainbow table contains all possible pre-computed hashes, the attacker captures the password hash of the target and compares it with the rainbow table. 19. Answer: D Meterpreter is a popular backdoor of the Metasploit framework. It is used to create a control channel for lateral access after a successful attack. 20. Answer: C Salting a password is the process of adding an extra character to it to make it a one-way function. The inclusion of characters makes it more difficult to reverse the hash of the password. The primary benefit or function of password salting is to protect against dictionary and pre-computed attacks. 21. Answer: B Malware stands for Malicious Software and is an abbreviation for it. Malware is a blanket term that covers a wide range of potentially harmful software. This malicious program was created with the intent of getting access to target machines, stealing data, and causing harm to the target system. 525 Appendix A: Answers Chapter 02: Architecture and Design 1. Answer: A Being the oldest and most widely used technique in the domain of cryptography, Symmetric Ciphers use the same secret key for the encryption and decryption of data. 2. Answer: A Being the oldest and most widely used technique in the domain of cryptography, Symmetric Ciphers use the same secret key for the encryption and decryption of data. The most widely used symmetric ciphers are AES and DES. 3. Answer: B Stream Cipher is a type of symmetric-key cipher that encrypts the plain text one by one. 4. Answer: B The process of identifying weaknesses in an environment is known as vulnerability assessment. Among the vulnerabilities are misconfigurations, default configurations, buffer overflows, operating system flaws, Open Services flaws, and other flaws. To scan a network for vulnerabilities, network administrators and pentesters can use a variety of tools. 5. Answer: A Creating a Baseline is a pre-assessment phase of the vulnerability assessment life-cycle in which the pentester or network administrator who is performing the assessment identifies the nature of the corporate network, the applications, and services. The pentester creates an inventory of all resources and assets, which helps to manage, prioritize the assessment. Furthermore, they also map the infrastructure, learns about the security controls, policies, and standards followed by the organization. 6. Answer: D Wireshark is the most popular Network Protocol Analyzer tool in commercial, governmental, non-profit, and educational environments. It is a free and open-source tool that runs natively on Windows, Linux, MAC, BSD, Solaris, and other platforms. 7. Answer: D 526 Appendix A: Answers Non-Electronic Attacks, also known as Nontechnical Attacks, are attacks that do not necessitate any technical understanding or knowledge. Shoulder surfing, social engineering, and dumpster diving can all be used to carry out this type of attack. 8. Answer: B In Dictionary Attack, to perform password cracking, a password cracking application is used along with a dictionary file. This dictionary file contains an entire dictionary or list of known and common words to attempt password recovery. It is the most fundamental type of password cracking. When systems use strong, unique, and alphanumeric passwords, they are usually not vulnerable to dictionary attacks. 9. Answer: A Brute Force Attack tries every possible combination of characters to recover the password. Until the password is accepted, each combination pattern is tried. Brute forcing is the most common and basic method for obtaining passwords. 10. Answer: D Password salting is the process of adding extra characters to a one-way function's password. The addition of characters makes it more difficult to reverse the hash of the password. The primary benefit or function of password salting is to defeat dictionary and pre-computed attacks. 11. Answer: A Every possible combination of characters is computed for the hash to create a rainbow table. When a rainbow table contains all possible pre-computed hashes, the attacker captures the password hash of the target and compares it with the rainbow table. 12. Answer: D Meterpreter is a popular backdoor of the Metasploit framework. It is used to create a control channel for lateral access after a successful attack. 13. Answer: C Password salting is the process of adding an extra character to a password in order to make it a one-way function. The addition of characters makes it more difficult to reverse the hash of the password. The major advantage or primary function of password salting is to defeat dictionary attacks and pre-computed attacks. 527 Appendix A: Answers 14. Answer: D Microsoft's Internet Information Services is an extensible web server designed for use with the Windows NT operating system. HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP, and NNTP are all supported by IIS. 15. Answer: C Directory Traversal Attack is a type of attack in which an attacker attempts to access restricted directories through trial and error by using dots and slash sequences. The attacker can obtain sensitive information about the system by accessing directories other than the root directory. 16. Answer: B HTTP Response Splitting Attack is a technique in which an attacker sends a request to the server for response splitting. An attacker can add the header response in this manner. As a result, the server will split the response into two responses. The second response is under the control of the attacker so that the user can be redirected to the malicious website. 17. Answer: B Patches are pieces of software that are specially designed for fixing the issue. 18. Answer: A The Microsoft Baseline Security Analyzer is a Microsoft-powered patch management tool for Windows. MBSA detects missing security updates as well as common security misconfigurations. 528 Appendix A: Answers Chapter 03: Implementation 1. Answer: D Internet Information Services is an extensible web server created by Microsoft to be used with the Windows NT family. IIS supports HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP and NNTP. 2. Answer: C Directory Traversal Attack is a type of attack in which an attacker attempts using a trial and error method to access restricted directories by applying dots and slash sequences. By accessing the guides outside the root directory, the attacker can reveal sensitive information about the system. 3. Answer: B HTTP Response Splitting Attack is the technique in which an attacker sends a response splitting request to the server. In this way, an attacker can add the header response. As a result, the server will split the response into two answers. The second response is under the attacker's control so that the user can be redirected to the malicious website. 4. Answer: A A hotfix is a hot system specially designed for a live production environment where fixes have been made outside a normal development and testing to address the issue. 5. Answer: B Patches are pieces of software that are specially designed for fixing the issue. 6. Answer: A Jailbreaking allows root access to an iOS device, which permits downloading unofficial applications. Jailbreaking is famous for removing restrictions, installation of additional software, malware injection, and software piracy. 7. Answer: A In Tethered Jailbreaking, when the iOS device is rebooted, it will no longer have a patched kernel. It may be stuck in a partially started state. With Tethered Jailbreaking, a computer must boot the device each time; i.e., the device is re-jailbroken each time. Using Jailbreaking tool, the device is started with the patched kernel. 529 Appendix A: Answers 8. Answer: B Blackberry App World is the official application distribution service. 9. Answer: A The primary purpose of implementing Mobile Device Management (MDM) is to deploy, maintain, and monitor mobile devices that make up BYOD solutions. Devices may include laptops, smartphones, tablets, notebooks, or any other electronic device that can be moved outside the corporate office to home or some public place and then gets connected to the corporate office by some means. 10. Answer: A Denial-of-Service (DoS) is an attack in which service offered by a system or a network is denied. Services may be rejected, reducing the functionality or preventing access to the resources even to legitimate users. 11. Answer: B Service Request Flood is a DoS attack in which the attacker floods the request towards a service such as a Web application or Web server until all the services are overloaded. 12. Answer: C The Permanent Denial-of-Service Attack is the DoS attack, which instead of focusing on the denial of services, focuses on hardware sabotage. Affected hardware by PDoS attack become damaged and requires replacement or reinstallation of hardware. PDoS is performed by a method known as "Phishing" that causes irreversible damage to the hardware or "Bricking a system" by sending fraudulent hardware updates. 13. Answer: A A Distributed-Reflection-Denial-of-Service Attack is the type of DoS attack in which intermediary and Secondary victims are also involved in the process of launching a DoS attack. The attacker sends requests to the intermediary victim, which redirects the traffic towards the secondary victim. The secondary victim redirects the traffic toward the target. The involvement of intermediary and secondary victims is for spoofing the attack. 530 Appendix A: Answers Chapter 04: Operations and Incident Response 1. Answer: A Explanation: Determines TCP/IP and network adapter information and some additional IP details. In Windows, the command used is “ipconfig” whereas, in Linux and Mac, the command used is “ifconfig.” 2. Answer: C Explanation: NetFlow is one of the standardized methods of gathering network statistics from switches, routers, and other devices on the network. The NetFlow information is usually consolidated onto a central NetFlow server, and you can view the information across all of the devices on a single management console. 3. Answer: D Explanation: A cache is a temporary storage area designed to speed up the performance of an application or an operating system. There are many different kinds of cache, including CPU cache, disk cache, cache for a browser, and cache connected to the network. 4. Answer: B Explanation: SOAR stands for Security Orchestration, Automation, and Response (SOAR). SOAR platforms are a collection of security tools and programs that let you search and collect data from a variety of sources. SOAR systems then use a combination of human and machine learning to understand and prioritize incident response activities based on this heterogeneous data. Using SOAR, an administrator can integrate multiple third-party tools and have them all work together. The integration is based on the runbooks. 5. Answer: D Explanation: OpenSSL is a library and a series of utilities that allow you to manage SSL and TLS certificates into the systems. If you are building a Certificate Authority (CA) inside the company, you must create X.509 certificates. Users will send the Certificate Signing Requests (CSRs), and you will have to manage the certificates revocation list (CRLs). This can be done by the utilities available in OpenSSL. OpenSSL also includes cryptographic libraries that can be used to conduct hashing operations on a variety of hashing methods. You can also use OpenSSL's built-in encryption and decryption features. 6. Answer: B 531 Appendix A: Answers Explanation: ARP stands for Address Resolution Protocol, which is a stateless protocol used within a broadcast domain to ensure communication by resolving the IP address to MAC address mapping. It is in charge of L3 to L2 address mappings. ARP protocol ensures the binding of IP addresses and MAC addresses. 7. Answer: A Explanation: The Mobile Device Manager (MDM) can allow or deny access to mobile devices. The MDM allows the IT security administrator to set policies on all mobile devices and always protect the devices from malicious software. 8. Answer: C Explanation: Protocol analyzers are generally used to troubleshoot complex application problems because they collect every bit from the network and provide a breakdown of exactly what is going across those particular network links. The protocol analyzer can also be used on wireless networks or wide area networks as well. This analyzer provides detailed information such as unknown traffic, verifying packet filtering and security control, and gives the plain-language description of the application data. 9. Answer: D Explanation: If the endpoint security software recognizes an application that seems to have malicious software, it can remove that from the system and place it into a quarantine area. This can be a folder on the existing system where no applications are allowed to run. 10. Answer: A Explanation: There is a legal mechanism used to gather information called discovering. When this mechanism applies to digital technologies, it is referred to as Electronic discovery (E-discovery). This process gathers the data. Hence there is no need to examine or analyze the information. For data, you are simply required to search from the list of information that is being requested. 11. Answer: B Explanation: There are two ways to providing non-repudiation:   Message Authentication Code (MAC) – With MAC, the two parties that are communicating back and forth are the two that can verify that non-repudiation. Digital Signature – Anyone who has access to the public key of the person who wrote the information can verify that they can use it. 12. Answer: D 532 Appendix A: Answers Explanation: SIEM allows you to analyze the data to create security alerts and realtime information about what is happening on the network right now. Since you can collect all the information and aggregate it into a single place and create long-term storage to easily create some extensive reports over a long period of time. 13. Answer: B Explanation: There are four types of vulnerability assessment. These are:     Active Assessment Passive Assessment External Assessment Internal Assessment 14. Answer: A Explanation: WinHex is the third-party editor tool that can provide the raw representation of the dump files. All information is displayed in hexadecimal mode. This will help you pull and edit information located in the file, memory, disk, etc. WinHex also has disk cloning capabilities, which allow you to copy all of the data from a file and save it as an image file or copy it to a different storage device. Additionally, WinHex makes it simple to do secure wipes, ensuring that all data in the file is completely deleted and cannot be recovered using third-party programs. 15. Answer: C Explanation: WinHex is the third-party editor tool that can provide the raw representation of the dump files. All information is displayed in hexadecimal mode. This will help you pull and edit information located in the file, memory, disk, etc. There are also disk cloning capabilities built into WinHex that help you copy all the data from a file and store that data into the image file or copy it to a separate storage device. Also, you can easily perform secure wipes with WinHex to ensure that all the information that exists within the file will be completed wiped will not be recoverable with third-party utilities. 533 Appendix A: Answers Chapter 05: Governance, Risk, and Compliance 1. Answer: D Explanation: The Governance, Risk, and Compliance (GRC) is a combined collection of potentials that allows the organizations and companies to reliably achieve ethical management, minimizing the risk of failures, and ensuring the organization complying with state requirements. 2. Answer: B Explanation: One of the major concerns is that the data can be used for identity theft and easily taking advantage of other people’s private information. If the data gets into the hands of a third party, then it is an organizational responsibility to have a public disclosure. This activity will create some credit monitoring costs. This will constantly monitor your organization’s data. 3. Answer: A Explanation: Data retention refers to the storage of data logs. Another important characteristic of data retention is to determine what data needs to be stored and for how long. Data is retained for multiple purposes like a contractual obligation, accounting, and billing, warranty history, etc. 4. Answer: C Explanation: There are five roles and responsibilities available at the management layer of the organization.      Data Owners Data Controllers Data Processor Data Custodian/Steward Data Protection Officer (DPO) 5. Answer: D Explanation: The Privacy Impact Assessment (PIA) is a method of determining the gap between the required and existing privacy legislation. PIA guarantees that the process and system comply with all applicable rules and regulations. It examines how personally identifiable information (PII) is collected, stored, and used. The users are given all of this information in a written privacy statement. 6. Answer: B Explanation: The security controls are categorized at different levels:  Technical 534 Appendix A: Answers   Management Operational 7. Answer: A Explanation: Detective Control helps to detect a physical security breach. It alerts the operator to specific conditions and acts during an event. 8 Answer: C Explanation: The entire life cycle of the information consists of:      Creation and Receipt Distribution Use Maintenance Disposition 9. Answer: A Explanation: The purpose of a Non-Disclosure Agreement (NDA) is to protect confidential information that is disclosed, shared, received, or exchanged with customers, suppliers, and other parties. 10. Answer: C Explanation: Disaster Recovery Plan (DRP) is the process of recovering access to data, hardware, and software necessary to continue critical business operations after a human-induced or natural disaster (such as storm, flood, tornado, etc.). The main purpose of DRP is to rapidly re-establish or recover critical areas or elements of the business after a disaster or similar incident. 11. Answer: A Explanation: Personnel security policies concern people associated with the organization, such as employees, contractors, consultants, and users. These policies involve the following:     Screening processes to validate security requirements Understanding their security responsibilities Understanding their suitability to security roles Reducing the risk of theft, fraud, or the misuse of facilities 12. Answer: A Explanation: There are four account types included in the credential policies.   User Account Shared Account 535 Appendix A: Answers   Service Account Privileged Account 13. Answer: D Explanation: Job rotation, also known as a rotation of duties or rotation of responsibilities, helps an organization to mitigate the risk associated with any individual having too many privileges. Rotation of duties simply requires that one person does not perform critical functions or responsibilities for an extended period of time. For example, an accountant might move from payroll to accounts payable and then to accounts receivable. The primary goal of job rotation is to reduce the length of one person being in a certain job for too long minimizes the chances of errors or malicious actions going undetected. Job rotation can also be used to cross-train members of teams to minimize the impact of an unexpected leave of absence. 14. Answer: C Explanation: Threat assessment is a systematic interpretation of a threat that comes into contact with a company. Threats cannot be changed, but the way they influence people can. As a result, threats must be identified. 15. Answer: B Explanation: There are two main types of risk assessment.   Qualitative - To subjectively figure out the impact of an action which affects a business or program is known as “Qualitative Risk Assessment.” Experienced and expert judgments are needed to perform this assessment. Quantitative - To objectively figure out the impact of an action which affects a business or program is known as “Quantitative Risk Assessment.” In order to perform this assessment, the use of models and metrics are involved commonly. 536 Appendix B: Acronyms Acronyms 3DES Triple Digital Encryption Algorithm AAA Authentication, Authorization, and Accounting ABAC Attribute-based Access Control ACL Access Control List AD Active Directory AES Advanced Encryption Standard AES256 Advanced Encryption Standards 256bit AH Authentication Header AI Artificial Intelligence AIS Automated Indicator Sharing ALE Annualized Loss Expectancy AP Access Point API Application Programming Interface APT Advanced Persistent Threat ARO Annualized Rate of Occurrence ARP Address Resolution Protocol ASLR Address Space Layout Randomization ASP Active Server Pages ATT&CK Adversarial Tactics, Techniques, and Common Knowledge AUP Acceptable Use Policy AV Antivirus BASH Bourne Again Shell BCP Business Continuity Planning BGP Border Gateway Protocol BIA Business Impact Analysis BIOS Basic Input/Output System BPA Business Partnership Agreement BPDU Bridge Protocol Data Unit BSSID Basic Service Set Identifier BYOD Bring Your Own Device 537 Appendix B: Acronyms CA Certificate Authority CAC Common Access Card CAPTCHA Humans Apart Completely Automated Public Turing Test to Tell Computers and CAR Corrective Action Report CASB Cloud Access Security Broker CBC Cipher Block Chaining CBT Computer-based Training CCMP Counter-Mode/CBC-MAC Protocol CCTV Closed-Circuit Television CERT Computer Emergency Response Team CFB Cipher Feedback CHAP Challenge-Handshake Authentication Protocol CIO Chief Information Officer CIRT Computer Incident Response Team CIS Center for Internet Security CMS Content Management System CN Common Name COOP Continuity of Operations Planning COPE Corporate-owned Personally Enabled CP Contingency Planning CRC Cyclic Redundancy Check CRL Certificate Revocation List CSA Cloud Security Alliance CSIRT Computer Security Incident Response Team CSO Chief Security Officer CSP Cloud Service Provider CSR Certificate Signing Request CSRF Cross-Site Request Forgery CSU Channel Service Unit 538 Appendix B: Acronyms CTM Counter-Mode CTO Chief Technology Officer CVE Common Vulnerabilities and Exposures CVSS Common Vulnerability Scoring System CYOD Choose Your Own Device DAC Discretionary Access Control DBA Database Administrator DDoS Distributed Denial-of-Service DEP Data Execution Prevention DER Distinguished Encoding Rules DES Data Encryption Standard DHCP Dynamic Host Configuration Protocol DHE Diffie-Hellman Ephemeral DKIM Domain Keys Identified Mail DLL Dynamic Link Library DLP Data Loss Prevention DMARC Domain Message Authentication Reporting and Conformance DMZ Demilitarized Zone DNAT Destination Network Address Transaction DNS Domain Name System DNSSEC Domain Name System Security Extensions DoS Denial-of-Service DPO Data Protection Officer DRP Disaster Recovery Plan DSA Digital Signature Algorithm DSL Digital Subscriber Line EAP Extensible Authentication Protocol ECB Electronic Code Book ECC Elliptic-curve Cryptography ECDHE Elliptic-curve Diffie-Hellman Ephemeral 539 Appendix B: Acronyms ECDSA Elliptic-curve Digital Signature Algorithm EDR Endpoint Detection and Response EFS Encrypted File System EIP Extended Instruction Pointer EOL End of Life EOS End of Service ERP Enterprise Resource Planning ESN Electronic Serial Number ESP Encapsulating Security Payload ESSID Extended Service Set Identifier FACL File System Access Control List FDE Full Disk Encryption FIM File Integrity Monitoring FPGA Field Programmable Gate Array FRR False Rejection Rate FTP File Transfer Protocol FTPS Secured File Transfer Protocol GCM Galois/Counter Mode GDPR General Data Protection Regulation GPG GNU Privacy Guard GPO Group Policy Object GPS Global Positioning System GPU Graphics Processing Unit GRE Generic Routing Encapsulation HA High Availability HDD Hard Disk Drive HIDS Host-based Intrusion Detection System HIPS Host-based Intrusion Prevention System HMAC Hash-based Message Authentication Code HOTP HMAC-based One-time Password 540 Appendix B: Acronyms HSM Hardware Security Module HSMaaS Hardware Security Module as a Service HTML Hypertext Markup Language HTTP Hypertext Transfer Protocol HTTPS Hypertext Transfer Protocol Secure HVAC Heating, Ventilation, Air Conditioning IaaS Infrastructure as a Service IAM Identity and Access Management ICMP Internet Control Message Protocol ICS Industrial Control Systems IDEA International Data Encryption Algorithm IDF Intermediate Distribution Frame IdP Identity Provider IDS Intrusion Detection System IEEE Institute of Electrical and Electronics Engineers IKE Internet Key Exchange IM Instant Messaging IMAP4 Internet Message Access Protocol v4 IoC Indicators of Compromise IoT Internet of Things IP Internet Protocol IPS Intrusion Prevention System IPSec Internet Protocol Security IR Incident Response IRC Internet Relay Chat IRP Incident Response Plan ISA Interconnection Security Agreement ISFW Internal Segmentation Firewall ISO International Organization for Standardization ISP Internet Service Provider 541 Appendix B: Acronyms ISSO Information Systems Security Officer ITCP IT Contingency Plan IV Initialization Vector KDC Key Distribution Center KEK Key Encryption Key L2TP Layer 2 Tunneling Protocol LAN Local Area Network LDAP Lightweight Directory Access Protocol LEAP Lightweight Extensible Authentication Protocol MaaS Monitoring as a Service MAC Media Access Control MAM Mobile Application Management MAN Metropolitan Area Network MBR Master Boot Record MD5 Message Digest 5 MDF Main Distribution Frame MDM Mobile Device Management MFA Multifactor Authentication MFD Multifunction Device MFP Multifunction Printer MITM Man-in-the-Middle ML Machine Learning MMS Multimedia Message Service MOA Memorandum of Agreement MOU Memorandum of Understanding MPLS Multiprotocol Label Switching MSA Measurement Systems Analysis MSCHAP Microsoft Challenge Handshake Authentication Protocol MSP Managed Service Provider MSSP Managed Security Service Provider 542 Appendix B: Acronyms MTBF Mean Time Between Failures MTTF Mean Time to Failure MTTR Mean Time to Repair MTU Maximum Transmission Unit NAC Network Access Control NAS Network-attached Storage NAT Network Address Translation NDA Non-disclosure Agreement NFC Near-field Communication NFV Network Function Virtualization NGFW Next-generation Firewall NG-SWG Next-generation Secure Web Gateway NIC Network Interface Card NIDS Network-based Intrusion Detection System NIPS Network-based Intrusion Prevention System NIST National Institute of Standards & Technology NOC Network Operations Center NTFS New Technology File System NTLM New Technology LAN Manager NTP Network Time Protocol OAUTH Open Authentication OCSP Online Certificate Status Protocol OID Object Identifier OS Operating System OSI Open Systems Interconnection OSINT Open-source Intelligence OSPF Open Shortest Path First OT Operational Technology OTA Over-The-Air OTG On-The-Go 543 Appendix B: Acronyms OVAL Open Vulnerability and Assessment Language OWASP Open Web Application Security Project P12 PKCS #12 P2P Peer-to-Peer PaaS Platform as a Service PAC Proxy Auto Configuration PAM Privileged Access Management PAM Pluggable Authentication Modules PAP Password Authentication Protocol PAT Port Address Translation PBKDF2 Password-based Key Derivation Function 2 PBX Private Branch Exchange PCAP Packet Capture PCI DSS Payment Card Industry Data Security Standard PDU Power Distribution Unit PE Portable Executable PEAP Protected Extensible Authentication Protocol PED Portable Electronic Device PEM Privacy Enhanced Mail PFS Perfect Forward Secrecy PGP Pretty Good Privacy PHI Personal Health Information PII Personally Identifiable Information PIN Personal Identification Number PIV Personal Identity Verification PKCS Public Key Cryptography Standards PKI Public Key Infrastructure PoC Proof of Concept POP Post Office Protocol POTS Plain Old Telephone Service PPP Point-to-Point Protocol 544 Appendix B: Acronyms PPTP Point-to-Point Tunneling Protocol PSK Pre-shared Key PTZ Pan-Tilt-Zoom PUP Potentially Unwanted Program QA Quality Assurance QoS Quality of Service PUP Potentially Unwanted Program RA Registration Authority RAD Rapid Application Development RADIUS Remote Authentication Dial-in User Service RAID Redundant Array of Inexpensive Disks RAM Random Access Memory RAS Remote Access Server RAT Remote Access Trojan RC4 Rivest Cipher version 4 RCS Rich Communication Services RFC Request for Comments RFID Radio Frequency Identifier RIPEMD RACE Integrity Primitives Evaluation Message Digest ROI Return on Investment RPO Recovery Point Objective RSA Rivest, Shamir, & Adleman RTBH Remotely Triggered Black Hole RTO Recovery Time Objective RTOS Real-time Operating System RTP Real-time Transport Protocol S/MIME Secure/Multipurpose Internet Mail Extensions SaaS Software as a Service SAE Simultaneous Authentication of Equals SAML Security Assertions Markup Language 545 Appendix B: Acronyms SCADA Supervisory Control and Data Acquisition SCAP Security Content Automation Protocol SCEP Simple Certificate Enrollment Protocol SDK Software Development Kit SDLC Software Development Life Cycle SDLM Software Development Life-cycle Methodology SDN Software-defined Networking SDP Service Delivery Platform SDV Software-defined Visibility SED Self-Encrypting Drives SEH Structured Exception Handling SFTP SSH File Transfer Protocol SHA Secure Hashing Algorithm S-HTTP Secure Hypertext Transfer Protocol SIEM Security Information and Event Management SIM Subscriber Identity Module SIP Session Initiation Protocol SLA Service-level Agreement SLE Single Loss Expectancy SMB Server Message Block S/MIME Secure/Multipurpose Internet Mail Extensions SMS Short Message Service SMTP Simple Mail Transfer Protocol SMTPS Simple Mail Transfer Protocol Secure SNMP Simple Network Management Protocol SOAP Simple Object Access Protocol SOAR Security Orchestration, Automation, Response SoC System on Chip SOC Security Operations Center SPF Sender Policy Framework 546 Appendix B: Acronyms SPIM Spam over Internet Messaging SQL Structured Query Language SQLi SQL Injection SRTP Secure Real-time Transport Protocol SSD Solid State Drive SSH Secure Shell SSID Service Set Identifier SSL Secure Sockets Layer SSO Single Sign-on STIX Structured Threat Information eXpression STP Shielded Twisted Pair SWG Secure Web Gateway TACACS+ Terminal Access Controller Access Control System TAXII Trusted Automated eXchange of Indicator Information TCP/IP Transmission Control Protocol/Internet Protocol TGT Ticket Granting Ticket TKIP Temporal Key Integrity Protocol TLS Transport Layer Security TOTP Time-based One Time Password TPM Trusted Platform Module TSIG Transaction Signature TTP Tactics, Techniques, and Procedures UAT User Acceptance Testing UAV Unmanned Aerial Vehicle UDP User Datagram Protocol UEBA User and Entity Behavior Analytics UEFI Unified Extensible Firmware Interface UEM Unified Endpoint Management UPS Uninterruptable Power Supply URI Uniform Resource Identifier 547 Appendix B: Acronyms URL Universal Resource Locator USB Universal Serial Bus USB OTG USB On-The-Go UTM Unified Threat Management UTP Unshielded Twisted Pair VBA Visual Basic VDE Virtual Desktop Environment VDI Virtual Desktop Infrastructure VLAN Virtual Local Area Network VLSM Variable-length Subnet Masking VM Virtual Machine VoIP Voice over IP VPC Virtual Private Cloud VPN Virtual Private Network VTC Video Teleconferencing WAF Web Application Firewall WAP Wireless Access Point WEP Wired Equivalent Privacy WIDS Wireless Intrusion Detection System WIPS Wireless Intrusion Prevention System WORM Write Once Read Many WPA WiFi Protected Access WPS WiFi Protected Setup WTLS Wireless TLS XaaS Anything as a Service XML Extensible Markup Language XOR Exclusive Or XSRF Cross-site Request Forgery XSS Cross-site Scripting 548 Appendix C: References References https://www.safaribooksonline.com/library/view/mike-meyerscomptia/9781260026559/ https://www.safaribooksonline.com/library/view/comptia-security-all-inone/9781260019292/ https://www.safaribooksonline.com/library/view/comptia-securityreview/9781118922903/ https://trustsds.com/downloads/white-papers/Governance-Risk-Compliance.pdf file:///C:/Users/ad/Downloads/White%20Paper%20RSA%20Archer%207%20Steps%20 to%20Build%20a%20GRC%20Framework%20H16083%204-2017.pdf file:///C:/Users/ad/Downloads/White%20Paper%20RSA%20Archer%207%20Steps%20 to%20Build%20a%20GRC%20Framework%20H16083%204-2017.pdf https://www.zurichna.com/-/media/project/zwp/zna/docs/kh/tech/site-securityassessment-guide.pdf https://www.sciencedirect.com/topics/computer-science/organizational-security https://www.osibeyond.com/blog/it-security-policies-every-organization-must-havethem/ https://cybersecurity.att.com/blogs/security-essentials/data-governance.at-the-heartof-security-privacy-andrisk#:~:text=Data%20governance%20is%20the%20capability,security%2C%20availabili ty%2C%20and%20consistency. https://www.cisa.gov/cybersecurityinsurance#:~:text=Cybersecurity%20insurance%20is%20designed%20to,business%20i nterruption%2C%20and%20network%20damage.&text=In%20recent%20years%2C%2 0the%20Cybersecurity,this%20emerging%20cyber%20risk%20area. https://www.cisecurity.org/blog/end-of-support-software-report-list/ https://www.wwt.com/article/the-risk-of-end-of-support-eos-infrastructure-in-yourdata-center https://startacybercareer.com/what-is-a-cybersecurity-capture-the-flag/ https://www.mass.gov/files/documents/2016/07/uo/hsn-business-partner-securityagreement.pdf https://ctf101.org/#:~:text=Capture%20The%20Flags%2C%20or%20CTFs,building%20 nature%20and%20competetive%20aspect. 549 Appendix C: References https://onlinedegrees.sandiego.edu/bringing-gamification-to-cyber-security-training/ https://www.synthesio.com/glossary/social-media-analysis/ https://www.skillsoft.com/course/comptia-security-analyzing-application-networkattacks-cf202d2d-86a1-4a7f-8d64-6fed4db6997e https://www.securitymagazine.com/articles/93509-the-importance-of-acybersecurity-framework https://suppliers.rollsroyce.com/GSPWeb/ShowProperty?nodePath=/BEA%20Repository/Global%20Supplie r%20Portal/Section%20DocLink%20Lists/SABRe_2/Main/Column%201/Briefs%20and %20Guidance/B3.7:%20Measurement%20Systems%20Analysis/Documents/MSA%20h andbook//file https://hrdqstore.com/blogs/hrdq-blog/effective-diversity-training-methods https://www.edgepointlearning.com/blog/types-of-diversity-training/ https://terranovasecurity.com/phishing-simulation/ https://www.e-ir.info/2020/03/14/international-law-on-cyber-security-in-the-age-ofdigital-sovereignty/ https://www.upguard.com/blog/third-party-credentials-vendor-risk https://www.iso.org/standard/54533.html https://london.ac.uk/about-us/how-university-run/policies/information-security-andacceptable-use-policy https://it.brown.edu/computing-policies/acceptable-use-policy https://www.cisecurity.org/ https://cloudsecurityalliance.org/research/cloud-controls-matrix/ https://cloudsecurityalliance.org/blog/2020/10/16/what-is-the-cloud-controls-matrixccm/ https://cloudsecurityalliance.org/ https://ccsk.cloudsecurityalliance.org/en?gclid=EAIaIQobChMIzMP1o9at8QIVibh3Ch1 RDAVrEAAYASAAEgIYCPD_BwE https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa https://www.iso.org/iso-31000-risk-management.html https://www.pluralsight.com/courses/nist-rmfimplementing?aid=7010a000002LUv7AAG&promo=&utm_source=non_branded&utm_ medium=digital_paid_search_google&utm_campaign=XYZ_APAC_Dynamic&utm_con 550 Appendix C: References tent=&cq_cmp=1576650374&gclid=EAIaIQobChMIxbmv1vGs8QIV5ejtCh0i1QDXEAAY ASAAEgK3sfD_BwE https://www.iso.org/standard/71670.html https://www.nqa.com/en-me/certification/standards/iso-27701 https://www.nist.gov/cyberframework https://www.nist.gov/industry-impacts/cybersecurity-framework https://csrc.nist.gov/Projects/risk-management https://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf http://bok.ahima.org/doc?oid=300244#.WkzPTN-WaM8 http://www.iaps.com/security-overview.html https://trustsds.com/downloads/white-papers/Governance-Risk-Compliance.pdf file:///C:/Users/ad/Downloads/White%20Paper%20RSA%20Archer%207%20Steps%20 to%20Build%20a%20GRC%20Framework%20H16083%204-2017.pdf file:///C:/Users/ad/Downloads/White%20Paper%20RSA%20Archer%207%20Steps%20 to%20Build%20a%20GRC%20Framework%20H16083%204-2017.pdf https://www.zurichna.com/-/media/project/zwp/zna/docs/kh/tech/site-securityassessment-guide.pdf https://www.beyondtrust.com/blog/entry/vulnerability-remediation-5-steps-towardbuilding-effective-process https://www.sciencedirect.com/topics/computer-science/organizational-security https://www.osibeyond.com/blog/it-security-policies-every-organization-must-havethem/ https://threatresearch.ext.hp.com/application-containment-endpoint-security/ https://www.varonis.com/blog/network-segmentation/ https://www.sciencedirect.com/topics/computer-science/security-configuration https://www.tripwire.com/state-of-security/security-data-protection/securitycontrols/security-configuration-management/ https://docs.mcafee.com/bundle/endpoint-security-10.6.0-adaptive-threat-protectionclient-product-guide-windows/page/GUID-F8CE8A74-826D-41BB-9D6A9CC70C434070.html https://www.fireeye.com/products/helix/what-is-soar.html 551 Appendix C: References https://www.toppr.com/guides/computer-science/computer-fundamentals/utilitysoftware/file-managementtools/#:~:text=File%20management%20tools%20are%20utility,is%20stored%20in%20t he%20files.&text=Windows%20Explorer%20is%20a%20default%20file%20managemen t%20tool%20present%20in%20the%20system. https://logrhythm.com/uk-uws-using-mitre-attack-in-threat-hunting-and-detectionwhite-paper/?utm_source=google&utm_medium=cpc&utm_campaign=LogRhythm__META_-_T1_-_Generics__Mitre_Att&ck&utm_term=mitre%20att%26ck&matchtype=e&utm_region=EMEA&ut m_language=en&utm_program=EMEAcpc1&gclid=EAIaIQobChMIuYHWs9jh8QIV0IB QBh3VTALQEAAYASAAEgLmqfD_BwE risk#:~:text=Data%20governance%20is%20the%20capability,security%2C%20availabili ty%2C%20and%20consistency. https://www.varonis.com/blog/incident-response-plan/ https://www.cisa.gov/cybersecurityinsurance#:~:text=Cybersecurity%20insurance%20is%20designed%20to,business%20i nterruption%2C%20and%20network%20damage.&text=In%20recent%20years%2C%2 0the%20Cybersecurity,this%20emerging%20cyber%20risk%20area. https://www.cisecurity.org/blog/end-of-support-software-report-list/ https://www.wwt.com/article/the-risk-of-end-of-support-eos-infrastructure-in-yourdata-center https://startacybercareer.com/what-is-a-cybersecurity-capture-the-flag/ https://www.mass.gov/files/documents/2016/07/uo/hsn-business-partner-securityagreement.pdf https://ctf101.org/#:~:text=Capture%20The%20Flags%2C%20or%20CTFs,building%20 nature%20and%20competetive%20aspect. https://onlinedegrees.sandiego.edu/bringing-gamification-to-cyber-security-training/ https://www.synthesio.com/glossary/social-media-analysis/ https://www.skillsoft.com/course/comptia-security-analyzing-application-networkattacks-cf202d2d-86a1-4a7f-8d64-6fed4db6997e https://www.securitymagazine.com/articles/93509-the-importance-of-acybersecurity-framework https://suppliers.rollsroyce.com/GSPWeb/ShowProperty?nodePath=/BEA%20Repository/Global%20Supplie r%20Portal/Section%20DocLink%20Lists/SABRe_2/Main/Column%201/Briefs%20and 552 Appendix C: References %20Guidance/B3.7:%20Measurement%20Systems%20Analysis/Documents/MSA%20h andbook//file https://hrdqstore.com/blogs/hrdq-blog/effective-diversity-training-methods https://www.edgepointlearning.com/blog/types-of-diversity-training/ https://terranovasecurity.com/phishing-simulation/ https://www.e-ir.info/2020/03/14/international-law-on-cyber-security-in-the-age-ofdigital-sovereignty/ https://www.upguard.com/blog/third-party-credentials-vendor-risk https://www.iso.org/standard/54533.html https://london.ac.uk/about-us/how-university-run/policies/information-security-andacceptable-use-policy https://it.brown.edu/computing-policies/acceptable-use-policy https://www.cisecurity.org/ https://cloudsecurityalliance.org/research/cloud-controls-matrix/ https://cloudsecurityalliance.org/blog/2020/10/16/what-is-the-cloud-controls-matrixccm/ https://cloudsecurityalliance.org/ https://ccsk.cloudsecurityalliance.org/en?gclid=EAIaIQobChMIzMP1o9at8QIVibh3Ch1 RDAVrEAAYASAAEgIYCPD_BwE https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/usa https://www.iso.org/iso-31000-risk-management.html https://www.pluralsight.com/courses/nist-rmfimplementing?aid=7010a000002LUv7AAG&promo=&utm_source=non_branded&utm_ medium=digital_paid_search_google&utm_campaign=XYZ_APAC_Dynamic&utm_con tent=&cq_cmp=1576650374&gclid=EAIaIQobChMIxbmv1vGs8QIV5ejtCh0i1QDXEAAY ASAAEgK3sfD_BwE https://www.iso.org/standard/71670.html https://www.nqa.com/en-me/certification/standards/iso-27701 https://www.nist.gov/cyberframework https://www.nist.gov/industry-impacts/cybersecurity-framework https://www.guidepointsecurity.com/incident-response-services/ https://niccs.cisa.gov/workforce-development/cyber-security-workforceframework/digital553 Appendix C: References forensics#:~:text=Collects%2C%20processes%2C%20preserves%2C%20analyzes,count erintelligence%2C%20or%20law%20enforcement%20investigations. https://www.ibm.com/security/intelligentorchestration?p1=Search&p4=43700063537908444&p5=e&gclid=EAIaIQobChMIsYWigJ T58QIVZRoGAB37AAawEAAYASAAEgKI2_D_BwE&gclsrc=aw.ds https://info-savvy.com/evidence-collection/ https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk https://www.imperva.com/learn/application-security/vulnerability-assessment/ http://www.brighthub.com/computing/smb-security/articles/31234.aspx https://www.kaspersky.com/resource-center/threats/top-seven-mobile-securitythreats-smart-phones-tablets-and-mobile-internet-devices-what-the-future-has-instore https://www.safaribooksonline.com/library/view/mike-meyerscomptia/9781260026559/ https://www.safaribooksonline.com/library/view/comptia-security-all-inone/9781260019292/ https://www.safaribooksonline.com/library/view/comptia-securityreview/9781118922903/ https://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf http://bok.ahima.org/doc?oid=300244#.WkzPTN-WaM8 http://www.iaps.com/security-overview.html http://www.brighthub.com/computing/smb-security/articles/31234.aspx https://www.kaspersky.com/resource-center/threats/top-seven-mobile-securitythreats-smart-phones-tablets-and-mobile-internet-devices-what-the-future-has-instore https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html https://www.safaribooksonline.com/library/view/improving-webapplication/9780735651128/ch02s07.html https://msdn.microsoft.com/en-us/library/ff648641.aspx https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur _c/scfdenl.html https://www.ietf.org/rfc/rfc3704.txt 554 Appendix C: References www.cisco.com https://msdn.microsoft.com www.intel.com https://meraki.cisco.com https://en.wikipedia.org/wiki/Computer_network http://www.computerhistory.org/timeline/networking-the-web/ http://www.computerhistory.org/timeline/networking-the-web/ http://www.thetechnicalstuff.com/types-of-networks-osi-layersrefernce-table/ http://www.utilizewindows.com/data-encapsulation-in-the-osi-model/ http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html #wp737141 http://www.cisco.com/web/services/downloads/smart-solutions-maximize-federalcapabilities-for-mission-success.pdf http://www.diffen.com/difference/TCP_vs_UDP http://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-NMSbestpractice.html http://www.wi.fh-flensburg.de/fileadmin/dozenten/Riggert/IP-Design-Guide.pdf https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact =8&ved=0ahUKEwihpKO8lozQAhVDkRQKHeAzA_IQFggnMAA&url=https%3A%2F% 2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsolutions%2FCVD%2 FOct2016%2FCVD-Campus-LAN-WLAN-Design2016OCT.pdf&usg=AFQjCNHwUZXUr3QCKIzXFtBEfVHJ7OiVw&sig2=lSO526GEgDoomeEfiSFolA&bvm=bv.137132246,d.d24 http://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=5 http://www.routeralley.com/guides/static_dynamic_routing.pdf http://www.comptechdoc.org/independent/networking/guide/netdynamicroute.html http://www.pearsonitcertification.com/articles/article.aspx?p=2168927&seqNum=7 http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/13/configuration/guide/pi_13_cg/ovr.pdf http://www.cisco.com/c/en/us/products/security/security-manager/index.html http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html https://en.wikipedia.org/wiki/Malware 555 Appendix C: References https://en.wikipedia.org/wiki/Security_information_and_event_management https://en.wikipedia.org/wiki/Malware https://ikrami.net/2014/05/19/siem-soc/ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15s/sec-usr-ssh-15-s-book/sec-secure-copy.html https://en.wikipedia.org/wiki/IEEE_802.1X http://www.ciscopress.com/articles/article.asp?p=25477&seqNum=3 https://www.paessler.com/info/snmp_mibs_and_oids_an_overview http://www.firewall.cx/downloads.html https://en.wikipedia.org/wiki/Threat_(computer)#Threat_classification http://www.cisco.com/c/en/us/products/security/ids-4215-sensor/index.html https://en.wikipedia.org/wiki/Brain_(computer_virus) Badawi, A.M.: Hand vein biometric verification prototype: A testing performance and patterns similarity. In: International Conference on Image Processing, Computer Vision, and Pattern Recognition, pp. 3–9 (2006)Google Scholar Chen, Q., Defrise, M., Deconinck, F.: Symmetric phase-only matched filtering of fouriermellin transforms for image registration and recognition. IEEE Transactions on Pattern Analysis and Machine Intelligence 16(12), 1156–1168 (1994)CrossRefGoogle Scholar https://www.sciencedirect.com/topics/computer-science/false-acceptance-rate https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html https://www.safaribooksonline.com/library/view/improving-webapplication/9780735651128/ch02s07.html https://msdn.microsoft.com/en-us/library/ff648641.aspx https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur _c/scfdenl.html https://www.ietf.org/rfc/rfc3704.txt www.cisco.com https://msdn.microsoft.com www.intel.com https://meraki.cisco.com https://en.wikipedia.org/wiki/Computer_network http://www.computerhistory.org/timeline/networking-the-web/ 556 Appendix C: References http://www.computerhistory.org/timeline/networking-the-web/ http://www.thetechnicalstuff.com/types-of-networks-osi-layersrefernce-table/ http://www.utilizewindows.com/data-encapsulation-in-the-osi-model/ http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html #wp737141 http://www.cisco.com/web/services/downloads/smart-solutions-maximize-federalcapabilities-for-mission-success.pdf http://www.diffen.com/difference/TCP_vs_UDP http://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-NMSbestpractice.html http://www.wi.fh-flensburg.de/fileadmin/dozenten/Riggert/IP-Design-Guide.pdf https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact =8&ved=0ahUKEwihpKO8lozQAhVDkRQKHeAzA_IQFggnMAA&url=https%3A%2F% 2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsolutions%2FCVD%2 FOct2016%2FCVD-Campus-LAN-WLAN-Design2016OCT.pdf&usg=AFQjCNHwUZXUr3QCKIzXFtBEfVHJ7OiVw&sig2=lSO526GEgDoomeEfiSFolA&bvm=bv.137132246,d.d24 http://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=5 http://www.routeralley.com/guides/static_dynamic_routing.pdf http://www.comptechdoc.org/independent/networking/guide/netdynamicroute.html http://www.pearsonitcertification.com/articles/article.aspx?p=2168927&seqNum=7 http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/13/configuration/guide/pi_13_cg/ovr.pdf http://www.cisco.com/c/en/us/products/security/security-manager/index.html http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html https://en.wikipedia.org/wiki/Malware https://en.wikipedia.org/wiki/Security_information_and_event_management https://en.wikipedia.org/wiki/Malware https://ikrami.net/2014/05/19/siem-soc/ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15s/sec-usr-ssh-15-s-book/sec-secure-copy.html https://en.wikipedia.org/wiki/IEEE_802.1X http://www.ciscopress.com/articles/article.asp?p=25477&seqNum=3 557 Appendix C: References https://www.paessler.com/info/snmp_mibs_and_oids_an_overview http://www.firewall.cx/downloads.html https://en.wikipedia.org/wiki/Threat_(computer)#Threat_classification http://www.cisco.com/c/en/us/products/security/ids-4215-sensor/index.html https://en.wikipedia.org/wiki/Brain_(computer_virus) https://www.safaribooksonline.com/library/view/mike-meyerscomptia/9781260026559/ https://www.safaribooksonline.com/library/view/comptia-security-all-inone/9781260019292/ https://www.safaribooksonline.com/library/view/comptia-securityreview/9781118922903/ https://www.cengage.com/resource_uploads/downloads/1111138214_259146.pdf http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-12r1.pdf http://bok.ahima.org/doc?oid=300244#.WkzPTN-WaM8 http://www.iaps.com/security-overview.html http://www.brighthub.com/computing/smb-security/articles/31234.aspx https://www.kaspersky.com/resource-center/threats/top-seven-mobile-securitythreats-smart-phones-tablets-and-mobile-internet-devices-what-the-future-has-instore https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html https://www.safaribooksonline.com/library/view/improving-webapplication/9780735651128/ch02s07.html https://msdn.microsoft.com/en-us/library/ff648641.aspx https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/configuration/guide/fsecur _c/scfdenl.html https://www.ietf.org/rfc/rfc3704.txt www.cisco.com https://msdn.microsoft.com www.intel.com https://meraki.cisco.com https://en.wikipedia.org/wiki/Computer_network http://www.computerhistory.org/timeline/networking-the-web/ 558 Appendix C: References http://www.computerhistory.org/timeline/networking-the-web/ http://www.thetechnicalstuff.com/types-of-networks-osi-layersrefernce-table/ http://www.utilizewindows.com/data-encapsulation-in-the-osi-model/ http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Campus/campover.html #wp737141 http://www.cisco.com/web/services/downloads/smart-solutions-maximize-federalcapabilities-for-mission-success.pdf http://www.diffen.com/difference/TCP_vs_UDP http://www.cisco.com/c/en/us/support/docs/availability/high-availability/15114-NMSbestpractice.html http://www.wi.fh-flensburg.de/fileadmin/dozenten/Riggert/IP-Design-Guide.pdf https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact =8&ved=0ahUKEwihpKO8lozQAhVDkRQKHeAzA_IQFggnMAA&url=https%3A%2F% 2Fwww.cisco.com%2Fc%2Fdam%2Fen%2Fus%2Ftd%2Fdocs%2Fsolutions%2FCVD%2 FOct2016%2FCVD-Campus-LAN-WLAN-Design2016OCT.pdf&usg=AFQjCNHwUZXUr3QCKIzXFtBEfVHJ7OiVw&sig2=lSO526GEgDoomeEfiSFolA&bvm=bv.137132246,d.d24 http://www.ciscopress.com/articles/article.asp?p=2180210&seqNum=5 http://www.routeralley.com/guides/static_dynamic_routing.pdf http://www.comptechdoc.org/independent/networking/guide/netdynamicroute.html http://www.pearsonitcertification.com/articles/article.aspx?p=2168927&seqNum=7 http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/13/configuration/guide/pi_13_cg/ovr.pdf http://www.cisco.com/c/en/us/products/security/security-manager/index.html http://www.cisco.com/c/en/us/about/security-center/dnssec-best-practices.html https://en.wikipedia.org/wiki/Malware https://en.wikipedia.org/wiki/Security_information_and_event_management https://en.wikipedia.org/wiki/Malware https://ikrami.net/2014/05/19/siem-soc/ http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15s/sec-usr-ssh-15-s-book/sec-secure-copy.html https://en.wikipedia.org/wiki/IEEE_802.1X http://www.ciscopress.com/articles/article.asp?p=25477&seqNum=3 559 Appendix C: References https://www.paessler.com/info/snmp_mibs_and_oids_an_overview http://www.firewall.cx/downloads.html https://en.wikipedia.org/wiki/Threat_(computer)#Threat_classification http://www.cisco.com/c/en/us/products/security/ids-4215-sensor/index.html https://en.wikipedia.org/wiki/Brain_(computer_virus) 560 About Our Products About Our Products Other products from IPSpecialist LTD regarding CSP technology are: AWS Certified Cloud Practitioner Study guide AWS Certified SysOps Admin - Associate Study guide AWS Certified Solution Architect - Associate Study guide AWS Certified Developer Associate Study guide AWS Certified Advanced Networking – Specialty Study guide AWS Certified Security – Specialty Study guide AWS Certified Big Data – Specialty Study guide Microsoft Certified: Azure Fundamentals Microsoft Certified: Azure Administrator 561 About Our Products Microsoft Certified: Azure Solution Architect Microsoft Certified: Azure DevOps Engineer Microsoft Certified: Azure Developer Associate Microsoft Certified: Azure Security Engineer Microsoft Certified: Azure Data Fundamentals Microsoft Certified: Azure AI Fundamentals Microsoft Certified: Azure Data Engineer Associate Microsoft Certified: Azure Data Scientist Other Network & Security related products from IPSpecialist LTD are:  CCNA Routing & Switching Study Guide 562 About Our Products                CCNA Security Second Edition Study Guide CCNA Service Provider Study Guide CCDA Study Guide CCDP Study Guide CCNP Route Study Guide CCNP Switch Study Guide CCNP Troubleshoot Study Guide CCNP Security SENSS Study Guide CCNP Security SIMOS Study Guide CCNP Security SITCS Study Guide CCNP Security SISAS Study Guide CompTIA Network+ Study Guide Certified Blockchain Expert (CBEv2) Study Guide EC-Council CEH v10 Second Edition Study Guide Certified Blockchain Expert v2 Study Guide 563

Format-Security-plus-Study-Guide

Related documents

Add this document to collection(s)

Add this document to saved

Suggest us how to improve StudyLib