Chapter 3: Discovering Security Concepts

As you dive further into the world of cybersecurity, you will learn about various security concepts and strategies that many organizations implement to secure their assets from both internal and external cyber threats and attacks. Having a solid understanding of the importance of information security is vital, and in this chapter, you will be exposed to the three pillars that are used to keep organizations and their assets safe from cyber attacks.

Throughout this chapter, you will learn about these three pillars and how they are used within any organization, whether small or large, to create a secure network designed to protect its users, devices, and data. Furthermore, you will learn about various security deployments, key security terminologies, and access control models. These key topics will help you understand what is needed and expected of a cybersecurity professional and an information security professional in the industry. Hackers are not waiting for cybersecurity professionals to get ahead of the game; it is our responsibility to stay up to date and ahead of the bad guys.

In this chapter, we will cover the following topics:

  • Introducing the principles of defense in depth
  • Exploring security terminologies
  • Exploring access control models
  • Understanding security deployment

Without further ado, let's dive into the chapter!

Introducing the principles of defense in depth

Simply by connecting a device to a network and the internet, organizations are opening up a doorway for hackers to infiltrate their network and wreak havoc. There are many organizations that have a firewall on their network and so think that both their internal network and users are protected from threats on the internet. A firewall as the only network appliance deployed between the internal network and the internet is simply a single layer of security for the entire organization. Many people will ask the question, Isn't the firewall designed to filter malicious inbound and outbound traffic?

Many years ago, the answer would have been simply a solid yes. However, as hackers are always looking for new strategies to infiltrate a network, we cannot just rely on a single layer of security to safeguard our assets. The answer to the question is not an easy yes anymore simply because there are many traffic types that use insecure network protocols to exchange messages between a source and a destination.

The following are just a few of the many questions that should be asked by a cybersecurity professional:

  • Is the organization actively monitoring Domain Name System (DNS) messages for threats?
  • Does the organization have any security solutions protecting the company's inbound and outbound email messages?
  • If there's an outbreak of a cyber attack on the network, are there systems implemented to proactively block and alert the Information Technology (IT) team?
  • Is there a dedicated security team or person within the organization for managing the overall security of the entire organization?
  • Are there any security policies and technical controls implemented to safeguard the internal network?

Many security vendors use a lot of marketing strategies and throw out many buzzwords to influence potential customers to purchase their all-in-one security appliances. The key point that many unknowing customers miss is how the security solution or product is going to protect all users and all traffic types, safeguard them when using insecure protocols, and so on. An example is using endpoint protection; you can think of this solution as anti-malware software with centralized management for the administrator. While many anti-malware and endpoint protection solutions offer amazing features, this is still a single layer of security that simply protects the host only. Not all endpoint protection or anti-malware solutions safeguard from email-based threats or even social engineering attacks. To put it simply, an organization cannot rely on a single approach only to safeguard its assets; it needs a multi-layered approach known as Defense in Depth (DiD).

The DiD strategy simply implies that a single layer of security should not be used as the only countermeasure against cyber attacks. Should that one layer fail to protect the network, then everything (assets) is exposed for hackers to compromise. In DiD, a multi-layered approach is implemented to protect all assets from various types of cyber attacks, where if one layer fails to safeguard an asset, another layer is already in place to keep the asset secure. You can think of the multi-layered approach as like having multiple defense mechanisms protecting a king in his castle. Should an invasion occur, the invaders will need to pass multiple layers of defense, including knights and other barriers, before they can reach the king (the asset).

To further understand the importance of DiD, let's dive into exploring the three pillars of information security:

  • Confidentiality
  • Integrity
  • Availability

These three pillars are commonly referred to as the CIA triad. Each pillar plays a vital role in providing information security to any organization. In the following sub-sections, you will learn about the characteristics of confidentiality, integrity, and availability and how they are used in the industry to ensure that our networks are safe.

Confidentiality

As more people are connecting to and sharing information over networks, whether it's their private network at home, the corporate network at the office, or even the internet, privacy is a major concern. Every day, organizations are generating new data as they send and receive messages between devices. Imagine an organization that uses email as their only messaging platform; each person creates an email message, which is data, and this data uses some amount of storage space on the local system. When the destination receives the email, the email is stored on the recipient's computer if they are using a host-based email application such as Microsoft Outlook. Another example is data being transmitted across a network: Is the connection secure? Is the communication protocol secure? Is the network secure? These are just some simple questions we may ask when thinking about the security of our data.

Confidentiality simply ensures that messages and other data are kept private from unauthorized persons or devices. In the field of IT, confidentiality is implemented in the form of data encryption. People use devices to perform tasks, whether to send an email, download a file, or even send a message using a smartphone. It's important to protect these messages at all times.

Data usually exists in the following states:

  • Data at rest
  • Data in motion (transit)
  • Data in use

Data at rest is data that is not in use by either an application or a system. It is currently stored in storage media such as a Hard Disk Drive (HDD) on a local or remote system. When data is at rest, it's vulnerable to attackers attempting to either steal or modify it. Security professionals implement both authentication methods and encryption algorithms to protect any data at rest. An example is using BitLocker on the Microsoft Windows 10 operating system, which allows the device administrator to create an encrypted container; the user can then place files in this special area of storage and lock it. Once the BitLocker contents are locked (closed) by the user, both the container and its contents are encrypted. Therefore, access is only granted if a user provides the correct credentials to open and decrypt the contents. If an attacker steals the encrypted container, they will not be able to view the contents due to data encryption.

Tip

To learn more about BitLocker on Windows 10, please visit the following URL: https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.

Data in motion is defined as data that is in transit between a source and a destination. Imagine there are employees who are telecommuters or who are working at a remote location away from the office. These people may need to access the corporate network frequently to access network resources, such as when retrieving or working on documents that are on the file server. As cybersecurity professionals, we need to be concerned about what types of protection or security mechanisms are in place to protect the data that is being transmitted between the user's device and the file server. Furthermore, devices send and receive messages almost every second, and some of these messages are exchanged using insecure protocols, which allows an attacker to intercept the messages (data) as they are sent across the network. If the data is sent across the network in an unencrypted format, the attacker can see all the content in plaintext and will be able to gather sensitive information, such as usernames and passwords. These are just a couple of possible situations that can occur when data is in motion. Some recommended actions are to always use secure network protocols whenever possible and to ensure that employees who access the corporate network while working remotely use a Virtual Private Network (VPN) to encrypt the traffic between the user's device and the corporate network.

To get a better understanding of the need for a VPN, imagine that an organization has multiple branches and wants to extend the resources from the head office location to a remote branch office. Using the internet is unsafe, especially for transferring corporate data between branch offices. One solution could be to use a Wide Area Network (WAN) that is provided by an Internet Service Provider (ISP). If the organization decides to use a WAN, this means there is a charge for this service, and for some companies, this solution may be beyond the budget. As an alternative, if the organization has an internet connection and firewalls are at each office location, then a security professional can configure a VPN between the two firewall appliances; this type of VPN is known as a site-to-site VPN.

The following diagram shows a visual representation of a site-to-site VPN:

Figure 3.1 – Site-to-site VPN


As shown in the preceding figure, a site-to-site VPN establishes a secure, encrypted connection between the head office and remote branch office locations over the internet. Therefore, any messages that are between office locations are encrypted and sent through the VPN tunnel while protecting the messages from unauthorized users.

Furthermore, a remote access VPN allows a user to establish a VPN tunnel between their end device, such as a laptop, and their organization's firewall appliance. This type of VPN allows employees who are either working from home or working on the go to securely connect to the organization's network and access the network resources. Keep in mind that a VPN client is required to be installed on the employee's device, which is used to establish a secure connection between the computer and the corporate firewall.

The following diagram shows an example of a remote access VPN:

Figure 3.2 – Remote access VPN


Data in use is data that is currently being accessed or used by an application. In this state, data is at its most vulnerable. For an example of data in use, imagine opening a PDF document using a PDF reader application. Before the application can successfully open the PDF file, the document has to be decrypted if the file is password-protected. Once the correct password is provided, the document will be presented to the user in an unencrypted format. It is important to ensure that the system and the applications that are accessing and/or using the data are always kept secure.

As you have learned, confidentiality is all about protecting your assets from unauthorized persons or devices.

Integrity

Integrity plays an important role in our daily lives, particularly in ensuring that things are done as they are intended. The same principle is needed in a network. Imagine you have received a letter from a friend via your local courier service, and upon opening the letter, the content seems to be fine. As the receiver, you would assume that the content of the letter has remained unchanged during the delivery process, but how can you verify whether the content was modified by a person or device along the way? On a network, it's very important to ensure that data or messages are not modified during the transmission process between a source and a destination.

In the world of cybersecurity, professionals use hashing algorithms to help users and devices validate whether a message was modified or not as it was transmitted. Hashing algorithms create a one-way, cryptographic hash (digest), which is a mathematical representation of a message. This means that only that message can produce the same hash value. Because hashing is a one-way function, it is almost impossible for a hacker to reverse the process and determine the contents of the message itself.

The following diagram shows a representation of the hashing process for a message:

Figure 3.3 – Hashing process


As shown in Figure 3.3, the message passes through the cryptographic algorithm, which creates a one-way hash (digest) of the message. When the user or device wants to send the message to a destination, both the message and its hash value are packaged together and sent across the network. When the recipient receives the inbound message, the recipient will run the same hashing algorithm on the message and calculate its hash value.

Next, the recipient will compare the hash value received from the sender with the hash value it has now calculated. If both hash values match, it means the message was not modified during transmission and integrity was maintained. However, if the hashes do not match, this is an indication that the message was tampered with and the recipient will simply discard it.
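
The send-and-verify exchange described above, as an added example that is not code from the book. It goes one step beyond the text by also showing a keyed hash (HMAC): a bare digest that travels with the message can be recomputed by anyone who alters the message in transit, while an HMAC tag cannot be recomputed without the shared key. The message, the key, and all function names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed sample data; the key stands in for a secret agreed out of band.
MESSAGE = b"Transfer 100 USD to account 12345"
SHARED_KEY = b"constructed-demo-key-not-for-production"


def package_plain(message: bytes) -> tuple[bytes, str]:
    """Sender side of the process in the text: the message plus its SHA-256 digest."""
    return message, hashlib.sha256(message).hexdigest()


def verify_plain(message: bytes, received_digest: str) -> bool:
    """Recipient side: recompute the digest and compare it with the one received."""
    calculated = hashlib.sha256(message).hexdigest()
    return hmac.compare_digest(calculated, received_digest)


def package_hmac(message: bytes, key: bytes) -> tuple[bytes, str]:
    """Sender side with a keyed hash: the tag depends on both message and key."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_hmac(message: bytes, received_tag: str, key: bytes) -> bool:
    """Recipient side with a keyed hash: recompute the tag using the shared key."""
    calculated = hmac.new(key, message, hashlib.sha256).hexdigest()
    return hmac.compare_digest(calculated, received_tag)


def demo() -> dict[str, bool]:
    """Run each case and report whether the recipient accepts the message."""
    results = {}

    # 1. Unmodified message: digests match, integrity was maintained.
    msg, digest = package_plain(MESSAGE)
    results["plain_unmodified"] = verify_plain(msg, digest)

    # 2. Message changed in transit, original digest left in place: discarded.
    altered = msg.replace(b"12345", b"99999")
    results["plain_modified_old_digest"] = verify_plain(altered, digest)

    # 3. Message changed and the digest recomputed to match. An unkeyed hash
    #    needs no secret, so the recipient's check passes on altered content.
    _, recomputed = package_plain(altered)
    results["plain_modified_new_digest"] = verify_plain(altered, recomputed)

    # 4. Same exchange with HMAC: the unmodified message verifies.
    msg, tag = package_hmac(MESSAGE, SHARED_KEY)
    results["hmac_unmodified"] = verify_hmac(msg, tag, SHARED_KEY)

    # 5. Altered message with a tag computed under a key that is not the
    #    shared one: the recipient's recomputed tag differs, so it is discarded.
    _, forged = package_hmac(altered, b"not-the-shared-key")
    results["hmac_modified_forged_tag"] = verify_hmac(altered, forged, SHARED_KEY)

    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} accepted={accepted}")
```
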

Availability

Many hackers use various types of cyber attacks to prevent legitimate users from accessing a resource. In other words, they try to disrupt the availability of data and resources. Within the field of cybersecurity, availability simply ensures that data and resources are always available to users and systems that are authorized to access these resources.

A simple example of a cyber attack that can be used to disrupt availability over a network is a Distributed Denial of Service (DDoS) attack. This type of attack is launched from multiple geographic locations and targeted at a system or network. The goal is to make the target system or network unusable or inaccessible by other users.

Cloudflare (www.cloudflare.com) provides unmetered DDoS mitigation to users. This allows a user to migrate their DNS records over to Cloudflare to manage the DNS services. This will allow Cloudflare to sit between your public server and the rest of the internet, so that if any DDoS attack comes from anywhere in the world, it has to pass through Cloudflare's network, which will mitigate the attack.

While you may think network resources and data are always readily available, in reality, there are threat actors whose goal is to ensure that those resources are no longer available to users. Simply imagine the possibility of a threat actor who has the capability to compromise the operating systems for controlling the power grid for your country or community. If a hacker is able to turn off these systems, there will be no power and many consumers and organizations will be affected. In such situations, it's important that professionals implement security controls to protect their critical processes, systems, and networks from being compromised.

Combining the three pillars

Some organizations will value one pillar over others. An example is that a company may focus more on securing their data with many authentication systems and data encryption. This aspect focuses more on confidentiality. Primarily focusing on one pillar, such as confidentiality, leaves less focus for the others (integrity and/or availability). You may be wondering, How can this be a challenge? Imagine an organization implements the strictest security controls to prevent any unauthorized access to their systems and network. For an authorized user to gain access to these resources, the user will need to provide perhaps multiple validations of their identity, such as in Multi-Factor Authentication (MFA), and even passwords to open files. As a result, accessing the resources will be more difficult for anyone, including authorized users; therefore, availability will suffer a bit.

The following diagram shows the CIA triad and the focus point at the center:

Figure 3.4 – The CIA triad


The key point is to always ensure that there is a balance when implementing confidentiality, integrity, and availability on any system and network. It's important to apply equal focus to all pillars simply to ensure that there is no lack of any aspect of information security.

Having completed this section, you have learned about the foundation and the importance of information security. Acquiring this knowledge will prove to be very useful when you are tasked with securing the assets within your organization. In the next section, you will learn about various security terminologies.

Exploring security terminologies

As a soon-to-be cybersecurity professional, you will notice that there are a lot of terminologies that are commonly used in various literature and discussions. It's important that you understand what these terminologies mean before diving further into advanced topics. This section focuses on learning about various security terminologies.

Threats, vulnerabilities, and exploits

A vulnerability is defined as a security weakness or design flaw on a system. Both hackers and cybersecurity professionals are racing against each other to discover design flaws in systems. Hackers are always looking for security weaknesses that allow them to compromise the system or network. Cybersecurity professionals are always on the hunt to discover these design flaws and fix them before hackers are able to find them. Security researchers are constantly working with operating systems and software vendors, application developers, and many other organizations to help keep their products safe from malicious users.

Whenever a new vulnerability is discovered for the first time in the wild, the security researcher usually obtains a unique identifier that is publicly disclosed on a database. This database is known as Common Vulnerabilities and Exposures (CVE). Once a CVE number has been assigned, the vulnerability details are usually shared with the cybersecurity community, as this will include details about a design flaw. The sharing of this information helps other professionals within the field to implement mitigation and/or any remediation to safeguard their systems. Imagine your company has been using an application from Vendor A for many years. One day, a vulnerability is disclosed publicly and the information is shared with your IT team. Your team can use the CVE reference number to gather additional information, such as the vulnerability description, affected applications, and affected operating systems. Therefore, if your organization has that vulnerable application on the specified operating system, your team can implement additional security controls to safeguard systems and users until the application vendor releases a security update to remediate the security weakness.

Tip

CVE is publicly accessible at https://cve.mitre.org/.

An example of a known vulnerability is EternalBlue, which was first discovered on Microsoft Windows operating systems back in 2017. This security weakness allowed a malicious user such as a hacker to execute code remotely on any target system that had Microsoft's Server Message Block (SMB) 1.0, better known as SMBv1. If the attacker was successful, a malicious payload could be delivered and executed on the victim's system.

Tip

To get more details on the EternalBlue vulnerability, please visit https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010 for the official disclosure from Microsoft.

While there are many existing and newly emerging threats, many organizations try to implement a zero-trust policy on their network and systems. Zero trust ensures that everyone, as in all employees and other users, is properly authenticated and authorized to use the system and access corporate resources. There is no exception to any user on the enterprise network, and security policies and configurations are continuously validated and improved to ensure that access is strictly limited to those authenticated and authorized users on the network.

In many instances, an attacker can send across a payload that can allow them to gain remote access to a target without the user's knowledge. The EternalBlue vulnerability was assigned the reference number MS17-010 by the Microsoft security bulletin center.

Hackers use exploits to take advantage of a vulnerability on a system. An exploit is defined as anything, such as malicious code or a tool, that can be used to leverage a security weakness on a target system or network. Exploits can be either local or remote. A local exploit would need to be on the target system, which means the hacker would need to get access to the target, then execute the exploit on the system. A remote exploit allows the hacker to launch the exploit over the network, so the attacker does not require physical access to the victim machine but simply network connectivity.

Tip

The Exploit Database is a repository of exploits that is maintained by Offensive Security, the creators of Kali Linux. It contains many exploits used by security researchers to test their systems to determine whether a vulnerability exists or not. The Exploit Database can be accessed via https://www.exploit-db.com/.

Cybersecurity professionals use both custom-built and commercial tools to assist them in discovering vulnerabilities. Take penetration testers, for example, whose task is to discover and exploit all known and hidden vulnerabilities on their client's target that are within a given scope. A penetration tester may use a tool such as Metasploit, which is an exploitation development framework. It allows the penetration tester to develop and launch exploits and payloads to a target.

Attackers also automate their exploits by using exploit kits. An exploit kit is a pre-packaged exploit that is usually loaded onto a public server, such as a popular web server on the internet. The objective of the exploit kit is to discover any vulnerabilities on users' systems when they visit the infected web server. Once the exploit kit finds a vulnerability, it will attempt to exploit it by simply uploading malicious code on the victim's system and executing it. An example of an exploit kit is Angler.

Another key security term is threat. A threat is defined as anything that has the potential to cause harm or danger to an asset. An example of a threat could be a disgruntled employee who has the intention to disable the organization's network upon their departure from the company. This intent is focused on the disruption of one of the three pillars of the CIA triad: availability.

Threat hunting is becoming a very popular activity within the cybersecurity world. It involves the act of proactively searching through systems and networks, simply to detect and mitigate any type of cyber threats that have evaded the existing security appliances and solutions.

It's important that security professionals secure their internal network with countermeasures just as much as they do for their perimeter network. A countermeasure is a security safeguard that is designed to mitigate (remove) a potential threat. An example of a countermeasure is implementing Layer 2 security controls, such as port security, Dynamic ARP Inspection (DAI), Network Access Control (NAC), DHCP snooping, and so on.

Identifying threat actors

Throughout the course of this book, you will notice the term threat actor being used a lot. A threat actor is usually a person or a group of people with the intent to use their skillset to perform malicious actions on an organization, person, or system. Not all hackers have the same intent when compromising target systems; some hack for fun, while others hack for financial gain.

The following is a list of various types of threat actors and their intent:

  • Script kiddie: A script kiddie is not necessarily a kid but someone who uses pre-built scripts and tools created by real hackers. This person lacks the actual technical security knowledge that real hackers have but has the same intent to cause harm or damage to a system or network. Script kiddies can cause the same amount of damage to a target as real hackers even though they lack the security knowledge or skillset. Simply, they can follow the instructions of a seasoned hacker and achieve the same results without fully understanding the technical details.
  • Hacktivists: A hacktivist is an activist with the skillset of a hacker. This person uses their hacking skills to support either a political or social agenda. Hacktivists use their skills to perform actions such as website defacement, stealing and leaking confidential information on the internet, and so on. This is their way of protesting for a cause.
  • Organized crime: Hackers are not just hacking for fun anymore, though some still do. Nowadays, some hackers are working in groups with the intention of using their skills and resources to benefit financially. Each person within an organized crime group usually has a specialization and plays an important role in a team. There's usually a benefactor who provides the financial resources the group needs to acquire the best tools that money can buy to ensure that their attacks on targets are successful.
  • State-sponsored: This type of hacker is hired by a government to both defend their nation from cyber attacks and perform information gathering (reconnaissance) on other nations. This group of hackers is usually provided with the best tools and equipment money can buy.
  • Insider: While an organization performs a thorough screening of any potential employees during their interviewing process, hackers can also pretend to be an innocent person who is interested in gaining employment within a target organization. The goal is to gain employment as a trusted employee, and then when within the network, the hacker can better learn the network and security systems from the inside, thus making it easier to compromise the organization. This is known as an insider threat.

There are also black hat hackers, who use their skillset for malicious intentions, as well as white hat hackers, who are the good guys within the cybersecurity industry, who use their skills to help secure organizations. However, there are also gray hat hackers, who exist between the black hat and white hat groups. Gray hat hackers can use their skills for both good and bad intentions, for example, if they work as a security professional by day and a malicious hacker at night.

Understanding runbook automation

A Security Operations Center (SOC) is a team of people who are trained and qualified in the field of cybersecurity. The goal of a SOC is to monitor, detect, prevent, and remediate any threats on an organization's network. Within a SOC, there are many processes to follow simply to ensure that each analyst or engineer is able to strategically process all the data that is coming into the SOC from various network and security appliances. These processes help the SOC team to better monitor the incoming data and identify any threats that occur in the organization.

A SOC usually has a set of processes, tools, and workflows that are kept up to date. As new threats and attacks emerge, the processes, tools, and workflows can be modified to ensure that the SOC is well equipped to handle the next generation of cyber threats. A runbook, sometimes known as a playbook, is used within a SOC to help the team better follow the processes involved in day-to-day operations.

The following diagram shows the components of a SOC runbook or playbook:

Figure 3.5 – SOC runbook


Many SOCs will automate their runbooks to improve the time it takes to react when a security incident occurs. This process is known as Runbook Automation (RBA). Many organizations do not immediately detect threats or any form of compromise on their network. Sometimes, it takes an organization many weeks or even months to detect a threat on their network. Between the time of the initial compromise and the time of detection, a threat actor or malware can cause a lot of damage to the victim's systems and networks. By automating the processes within a SOC, RBA reduces the time between detection and remediation.

Chain of custody

A chain of custody is used during a forensic investigation. As a forensic investigator, you will be required to gather evidence of a cybercrime. This evidence may be passed between multiple people who are working on the same case or evidence as you. To ensure that you keep track of the content of the evidence and who has possession of it as it is passed from person to person, a chain of custody is used.

The chain of custody usually contains the following details:

  • Forensic investigator's name
  • Date and time when the evidence was acquired
  • The case and number
  • Exhibit number if there are multiple parts
  • The reason the evidence was collected
  • The location of evidence

If a chain of custody is not maintained properly, the evidence may not be admissible in a court of law. Furthermore, you need to ensure that the evidence is not modified in any way and that it always maintains its original state. Forensic investigators will create a forensically sound copy of the evidence and work only on the copy, simply to preserve the integrity of the original. There are various forensic tools in the industry that allow a forensic investigator to acquire an image of digital evidence. A couple of these tools are the following:

  • EnCase forensic software
  • AccessData Forensic Toolkit (FTK)

Lastly, when transporting any evidence from one location to another, such as from the crime scene to the forensic lab, it is very important that the chain of custody is also maintained properly to ensure that no pieces of evidence are tampered with or mishandled along the way.
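
One way to make the record described in this section tamper-evident, as an added example that is not code from the book or from EnCase or FTK. Each entry carries the fields listed above plus two assumptions of this example: a SHA-256 digest of the evidence image and the hash of the previous entry, so a changed image or a rewritten entry is detected. All names, case identifiers, timestamps, and the image bytes are constructed placeholders.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64  # link value used by the first entry in a log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    # Fields taken from the list in the text.
    investigator: str
    acquired_utc: str
    case_number: str
    exhibit_number: str
    reason: str
    location: str
    # Added for this example: digest of the evidence and link to the prior entry.
    evidence_sha256: str
    prev_entry_hash: str

    def entry_hash(self) -> str:
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLog:
    def __init__(self, case_number: str, exhibit_number: str, original: bytes):
        self.case_number = case_number
        self.exhibit_number = exhibit_number
        self.baseline = sha256_hex(original)  # digest taken at acquisition
        self.entries: list[CustodyEntry] = []

    def record(self, investigator, when_utc, reason, location, evidence: bytes):
        """Add a hand-over entry; refuse if the evidence no longer matches."""
        digest = sha256_hex(evidence)
        if digest != self.baseline:
            raise ValueError("evidence no longer matches its acquisition digest")
        prev = self.entries[-1].entry_hash() if self.entries else GENESIS
        entry = CustodyEntry(investigator, when_utc, self.case_number,
                             self.exhibit_number, reason, location, digest, prev)
        self.entries.append(entry)
        return entry

    def head_hash(self) -> str:
        """Hash of the newest entry; keep a copy outside the log (e.g. on paper)."""
        return self.entries[-1].entry_hash() if self.entries else GENESIS

    def verify(self, expected_head: str) -> list[str]:
        """Return a list of problems; an empty list means the chain is intact."""
        problems, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e.evidence_sha256 != self.baseline:
                problems.append(f"entry {i}: evidence digest mismatch")
            prev = e.entry_hash()
        if prev != expected_head:
            problems.append("head hash differs from the value recorded outside the log")
        return problems


def demo():
    image = b"constructed disk image bytes" * 1024  # stands in for a real image
    log = CustodyLog("CASE-PLACEHOLDER", "EX-1", image)
    log.record("A. Analyst", "2024-01-01T09:00:00Z", "Acquired at scene", "Site A", image)
    log.record("B. Examiner", "2024-01-01T14:30:00Z", "Received for analysis", "Lab", image)
    head = log.head_hash()
    clean = log.verify(head)

    # A working copy that has changed by even one byte is refused at hand-over.
    try:
        log.record("C. Courier", "2024-01-02T08:00:00Z", "Transport", "Van", image + b"\x00")
        rejected = False
    except ValueError:
        rejected = True

    # Rewriting an earlier entry after the fact breaks the link held by the next one.
    log.entries[0] = replace(log.entries[0], investigator="Someone Else")
    tampered = log.verify(head)
    return clean, rejected, tampered


if __name__ == "__main__":
    print(demo())
```
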

Reverse engineering

Reverse engineering is the technique of taking apart an application, piece of software, or object to determine how it actually functions and operates. In the field of cybersecurity, a reverse malware engineer is a professional who uses their skillset to take apart malware to better understand how to detect and protect systems from any future attacks.

Tip

During reverse engineering, the security professional also performs malware analysis to learn about and understand the impact and function of the malware.

In a SOC, there are usually people who specialize in reverse engineering who will take apart malware after it has been detected and contained on the network. The forensic process begins by containing the malware on the network, such as by removing all infected systems from the network and creating a forensic image or clone of the HDDs for analysis by the security analyst and reverse malware engineer.

The reverse malware engineer is responsible for determining the following about the malware:

  • How does the malware function?
  • What is the intent of the malware?
  • How is the malware spreading?

The following is an example of the reverse malware engineering phases:

  1. Isolate the infected systems on the network.
  2. Create a forensic image of the infected computer and place it in an isolated network.
  3. Perform forensic investigation and reverse malware engineering.
  4. Monitor what the malware is trying to do.

Once the malware has been thoroughly investigated, the SOC can then begin implementing new countermeasures to protect against this threat in the future.

It's important to use various tools to assist you during the investigation, such as the following:

  • Registry tools
  • Network forensic tools
  • File modification forensics tools
  • Debugging and disassembler tools

PII and PHI

We live in a world where it's almost impossible to not have our information stored on a system or a network. Whether you are shopping on an e-commerce website, doing an online transaction with your bank, or even paying utility bills online, the systems we use to help provide us with these capabilities store information about us. With online banking, the bank requires personal details about you to create an account, and this information is stored on the bank's system and network. The same is the case with any organization in today's world. There are regulations in various countries that require these systems, networks, and information to be secured and protected by law.

One type of data that is usually stored by companies about their clients is known as Personally Identifiable Information (PII). PII is any information that can be used to identify a person. Imagine you are a frequent shopper on a popular e-commerce shopping website; you will need to create an account and provide some personal information about yourself, such as your name, date of birth, and even your credit card number. This information is categorized as PII. PII should always be protected simply because if a threat actor compromised the systems and/or networks where your data is stored, the attacker could steal your information and leak it onto the dark web or sell it, allowing other syndicate organizations to personally target you. How would you feel about your personal information being leaked online? Not good, I hope.

The following are examples of PII:

  • Name
  • Date of birth
  • Credit card number
  • Driver's permit/license number
  • Any biological characteristics, such as fingerprints, facial geometry, and so on
  • Mother's maiden name
  • Social Security Number (SSN)
  • Bank account details
  • Email address
  • Telephone number
  • Physical residential address

The following are examples of organizations that store PII about you:

  • Employers
  • Health care providers
  • Financial organizations
  • Government agencies

Health care providers always store information about their patients, and this information should always be kept confidential and secure. Protected Health Information (PHI) is any information that a health care provider stores about their patients that can be used to identify them. The Health Insurance Portability and Accountability Act (HIPAA) is a regulation that requires health care providers to be compliant to ensure that their systems, networks, and processes meet the requirements to protect PHI within their organization.

The following are examples of PHI:

  • Patient's name
  • Telephone number
  • Email address
  • Residential address
  • Any dates on medical records, such as date of birth, date of death, date of administration, and date of discharge from the health facility
  • SSN
  • Driver's permit/license number
  • Biometric information about the patient
  • Information about the patient's mental or physical health
  • The health care provider information for the patient

Both PII and PHI are only as secure as the systems, networks, and processes that are used to safeguard the data. Imagine if the systems that are storing the data do not have any security controls to prevent any cyber threats or attacks, or the systems do not have the latest security patches installed; these systems would be vulnerable to attacks.

Understanding risk

As more organizations and people are connecting their systems and private networks to the internet, the risk increases as many of these devices and networks are vulnerable to many cyber attacks. Risk is defined as the potential to cause harm or damage to something or someone. In the field of cybersecurity, it's very challenging to remove all possible risks and threats completely from a network or an entire organization.

Important note

According to the National Institute of Standards and Technology (NIST), Risk = Threat x Vulnerabilities x Impact.

When calculating risk, we define a threat as anything that has the intent to exploit a vulnerability on a target. As you know, a vulnerability is a weakness on a system and the attack surface is the sum of all the weaknesses on a target system, while the impact is the actual damage that will be done to the target if the attack is successful. Within the world of cybersecurity and information security, placing a fixed numerical value on each of these variables is tough; therefore, we understand that risk can exist when there is a loss of any information that has impacted confidentiality, integrity, and/or availability.

The following are various types of risk that organizations face each day in their industry:

  • Business risk: These are potential or existing risks that arise from doing day-to-day business. An example of a business risk is that a competitor may decide to open a new branch close to your organization with the intention of attracting your customers.
  • Data risk: This risk exists when data is stolen or compromised by a threat actor or a cyber attack. An example of a data risk is the potential of being infected with ransomware, which will encrypt all your data and hold it hostage for a ransom.
  • Systems risk: A systems risk is when the systems that are used to ensure daily operations of the business are left vulnerable to cyber attacks and threats, such as malware.
  • Data loss risk: This type of risk exists when the data on a system is lost due to some type of system failure. An example of a data loss risk is the potential of a hard drive that stores important files and records failing.
  • Insider risk: Insider risk is the risk of an employee who intends to compromise the corporate network and cause damage to systems owned by the organization.
  • Application risk: This type of risk is the potential of an important application failing on the corporate network.

As soon-to-be security professionals, we should learn how to minimize the attack surface and reduce the risk of cyber attacks on any assets. To help reduce the likelihood of cyber attacks, it's best to first identify all the assets within the organization. An asset is anything that is valuable to the company.

Assets can be broken down into the following categories:

  • Tangible: Tangible assets are physical objects that are of worth to the organization. Examples of tangible assets are computers, servers, network devices such as routers and switches, security appliances such as firewalls and IPS systems, and furniture.
  • Intangible: Intangible assets are objects that we can't physically touch. Examples of intangible assets are data, intellectual property, processes, procedures, and anything that is in a digital format.
  • People: The employees of an organization, as well as customers' data, should also be protected. If hackers are able to trick your employees in a social engineering attack, this can lead to the entire organization's network becoming compromised.

In the world of cybersecurity, threats exist all around us, and the level of risk increases each day. There are many organizations that believe that all cyber threats and attacks originate from the internet and will perhaps purchase an "expensive" firewall appliance from a trusted provider in the hopes that it will safeguard the corporate network. As you have learned previously, this is a single-layer approach and does not safeguard from all cyber threats or attacks. What many organizations fail to realize or sometimes realize too late is that over 90% of cyber attacks originate from their internal network, behind the perimeter security appliance that was supposed to protect their network.

There could be an insider who is a threat actor pretending to be a trusted employee, a disgruntled employee who wants to take down the company's IT infrastructure for personal reasons, or even an innocent employee who clicks on a malicious link within an email message. Protecting your internal network should always be equally as important as protecting the perimeter.

Managing risk

Risk management entails the processes used to identify the potential and existing risks that may affect an organization, assess each risk, and implement processes and procedures to reduce the risks.

Important note

The NIST Special Publication (SP) 800-39 is designed as a framework to help organizations manage risk. NIST SP 800-39 is the Risk Management Guide for Information Technology Systems. Further information about this framework can be found at https://csrc.nist.gov/publications/detail/sp/800-39/final.

The following are the four strategies used to mitigate risks:

  • Risk acceptance: In risk acceptance, the organization accepts that there are risks present and does not have any type of countermeasures in place to either reduce or remove the risk. This situation particularly occurs when the cost of damage from the risk does not outweigh the cost to implement countermeasures and security controls.
  • Risk avoidance: With risk avoidance, the organization will identify any activities that may be creating the risk and end them to simply avoid the possibility of the risk.
  • Risk transfer: When a risk exists, an organization can choose to transfer the responsibility of managing the risk to another organization, such as a third-party service provider. An example of this is that an organization can outsource to a Managed Service Provider (MSP) that specializes in cybersecurity incident response and can actively monitor systems and respond to any cyber attacks against their clients.
  • Risk limitation: Risk limitation is usually a balance of both acceptance and avoidance.

The following are guidelines to help understand how to reduce risk using a strategic approach:

  1. Identify all the vulnerabilities that are a risk to the organization.
  2. Implement technical security controls to reduce the risk of a threat actor exploiting the vulnerabilities.
  3. Ensure that the technical security control does not cost more than the exposure or the potential financial loss if the system should be compromised.

The following diagram shows a visual representation to help understand the need for security controls:

Figure 3.6 – Understanding the placement of security controls for risk management

When it comes to calculating or measuring the possibility of risk, this concept can be broken down into the following risk assessments:

  • Quantitative risk
  • Qualitative risk

In quantitative risk, an actual numerical value is associated with the risk. For example, if there is a critical application server within the organization that randomly stops working one day, the numerical value will be the financial cost to replace the server. Furthermore, the Single Loss Expectancy (SLE) can be calculated for a one-time event, while the Annual Loss Expectancy (ALE) can also be calculated for the total number of times a failure or incident has occurred over the entire year.
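A worked quantitative assessment, added here as an example and not taken from the book: it uses the standard formulas SLE = asset value × exposure factor and ALE = SLE × annualized rate of occurrence (ARO), then applies the guideline above that a control should not cost more than the exposure it removes. The asset values, rates and control costs are constructed sample figures.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    asset_value: float      # financial cost to replace or restore the asset
    exposure_factor: float  # fraction of that value lost in one incident (0 to 1)
    aro: float              # annualized rate of occurrence (incidents per year)

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: the loss from one occurrence."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annual Loss Expectancy: SLE multiplied by incidents per year."""
        return self.sle * self.aro


@dataclass
class Control:
    name: str
    annual_cost: float
    aro_after: float                               # incident rate once deployed
    exposure_factor_after: Optional[float] = None  # None means unchanged


def evaluate(risk: Risk, control: Control) -> dict:
    """Compare the yearly exposure with and without the control."""
    ef_after = (risk.exposure_factor if control.exposure_factor_after is None
                else control.exposure_factor_after)
    for ef in (risk.exposure_factor, ef_after):
        if not 0.0 <= ef <= 1.0:
            raise ValueError("exposure factor must be between 0 and 1")
    residual = Risk(risk.name, risk.asset_value, ef_after, control.aro_after)
    # Net benefit: loss avoided per year minus what the control costs per year.
    net_benefit = risk.ale - residual.ale - control.annual_cost
    return {
        "risk": risk.name,
        "sle": risk.sle,
        "ale_before": risk.ale,
        "ale_after": residual.ale,
        "net_benefit": net_benefit,
        # A control that costs more than the exposure is not justified,
        # so the risk is accepted instead of limited.
        "strategy": "limit" if net_benefit > 0 else "accept",
    }


def assess_register() -> list:
    """Constructed sample register: (risk, proposed control) pairs."""
    register = [
        (Risk("Critical application server failure", 40000, 0.5, 2.0),
         Control("Redundant server with failover", 10000, aro_after=0.5)),
        (Risk("Lobby kiosk PC failure", 2000, 1.0, 0.25),
         Control("Hot spare kiosk on site", 3000, aro_after=0.0)),
    ]
    return [evaluate(risk, control) for risk, control in register]


if __name__ == "__main__":
    for row in assess_register():
        print(row)
```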

In qualitative risk, the assessment involves assigning various risk levels, such as critical, high, medium, and low, to each risk. In this type of risk assessment, an expert provides their opinion on which factors or risks are significant to the organization.

Important note

ISO 31000 is the Risk management standard that contains the guidelines for managing risk. ISO 27001 is the standard on Identifying Information Risk and Cybersecurity Risk and ISO 27005 is the standard that focuses on Cybersecurity Risk Assessment.

An important technique that many organizations use to help identify vulnerabilities and risks is to perform a penetration test on the systems and networks. A penetration test usually involves a qualified penetration tester who will simulate real-world cyber attacks on the company's systems and networks that are mutually and legally agreed upon in the rules of engagement. The objective of a penetration test is to discover all vulnerabilities on the target and exploit them before a real hacker is able to compromise the organization. If the penetration tester is able to find these security weaknesses and exploit them, so could a real hacker with malicious intent. The organization can use this knowledge to improve the security posture of their systems and networks to safeguard themselves.

Principle of least privilege

To help reduce the risk within a company, there is the concept of applying the principle of least privilege to each employee or user. This concept simply means each employee should only be given the exact privileges they will need to perform their daily duties and nothing more. This concept ensures that a user doesn't have privileges beyond what is needed, such that the user will not be able to perform any actions on the network or system that are out of the scope of their duties.

Another technique is using a rotation of duties within the entire organization. This concept is where each employee is rotated between different duties over a period of time. For example, an employee changes their duties every 4 months. Let's imagine an employee named Bob is doing some fraudulent things in his current position within the company, when a new employee called Alice takes over the duties from Bob. Alice could then notice that Bob has not been a good employee and is doing bad things in the office.

A common issue within many organizations is that a single person usually has the role and function of two or more job positions. A concept known as the separation of duties is where a person who is to make a change to a system, such as modifying the configuration of a firewall, should not be the same person that approves the change. There should always be a separate person who makes the change while another person makes any approvals of the change. This concept prevents a single person from making unauthorized changes and taking over the system or network.

Sometimes, an organization may notice an employee is doing fraudulent activities on the company's systems. The concept of mandatory vacation forces the suspected employee to take a vacation and, during this time, the employee will not have access to the corporate network. If the fraudulent activities stop during the time that the suspected employee is on vacation, then it's obvious who was performing these activities.

Having completed this section, you have learned about the importance of managing risk to reduce the likelihood of a cyber attack within your network or organization. You have also discovered various strategies that organizations use to determine whether an employee is responsible for an attack within a network. In the next section, you will explore various access control models that are used to limit a user's access to a system.

Exploring access control models

To help restrict the access rights of your users, there are various types of access control models that can be used to prevent a user from performing an unauthorized action on a system or network. Each of these models has various characteristics that you will learn about here to understand how they are generally deployed in an organization.

Discretionary access control

When using Discretionary Access Control (DAC), the owner of an object can decide which permissions should be assigned to a user who wants access to it. An example of DAC is if you have created a spreadsheet file on a centralized file server that contains work schedules for certain work-related activities with other staff members. Since you are the creator of the file, you also inherit the title of being the owner as well. This means you can choose which users can perform read, write, and/or execute actions on the file. The owner of the object can assign certain users who can read (open) the file, while some users may also be able to write or edit, and so on. Keep in mind that this is at the sole discretion of the owner of the object.

Mandatory access control

In highly secure environments, such as a government agency, there are many levels of classification for data access. These organizations implement systems that are typically managed by logical security rules and policies that give a user certain access rights based on their security clearance level. This means the user does not have any sort of control over which privileges they acquire; the user may get access to certain systems and data that they do not need access to but still get them anyway because of their security clearance level.

The following are the different security levels that can be applied to an object:

  • Top secret: This is the highest level of classification that can be applied to data. If an unauthorized user gains access to data with this classification, it's considered to cause exceptional damage to the national security of a country.
  • Secret: This is the second-highest level of classification that can be applied to data. If data at this level is compromised, serious damage could occur to the national security of a country.
  • Confidential: This is the lowest level of classification that can be applied to data. If the data is accessed by an unauthorized user, it's expected that there will be some damage to national security.
  • Unclassified: This is data without any classification and can be accessed by anyone without a security clearance.

As an example of a system using these security levels, imagine there's a file that has been assigned the classification of confidential, which means only people who have a security clearance of confidential or higher will be able to view the file. Alice, a user who has a secret clearance level, will be able to view the file simply because the system automatically assigns Alice mandatory access upon logging in to the system and network.

Non-governmental companies will not be able to properly implement Mandatory Access Control (MAC) because regular operating systems such as Windows, Linux, and so on do not support this type of access control model. In non-governmental organizations, DAC will be used, which allows organizations to choose which users can perform certain actions, such as read, write, and execute, on an object.

Rule-based access control

In Rule-Based Access Control (RBAC), user privileges are centrally managed by a system. Users who have a similar job function, such as everyone within a sales department, can be placed in a single group. This will allow administrators to assign a security policy to the group as a whole; the policy will be applied to all users who belong to the group. This allows administrators to centrally manage the policies within an organization simply based on a user's role or job function within the company. An example would be that a domain administrator can create a security group within the Active Directory (AD) server of the company, assign all the users who work in the sales team to the sales group, and then simply create a Group Policy Object (GPO) with all the necessary rules to permit and deny actions. The GPO can be assigned to the sales group, and all user accounts will automatically inherit those rules. Keep in mind that AD is a role within Windows Server that is used to centrally manage users, devices, and policies within a Windows environment.

Time-based access control

Time-based access control is a type of access control that is active on the days and times of day that are specified by the administrator. A typical scenario is that an administrator creates a time-based access control that only allows employees to log in to their work computer during business hours. This type of policy is used to prevent employees from working after hours or performing tasks after business hours on the organization's systems and network.

Role-based access control

Role-based access control is a type of access control policy that is designed to ensure strict system and/or network access for a user of a specific job role. This means if a network administrator logs on to a system, the user should only have the privileges to perform the tasks that are outlined in their job description and nothing more. To put it simply, this access control model is designed based on a job role within the organization.
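The discretionary, mandatory, time-based and role-based models described above, side by side as an added example (not code from the book): each check answers a different question, so the same user can pass one and fail another. The role names, tasks, file name and the 08:00 to 17:00 Monday to Friday window are assumptions made for the illustration.

```python
from datetime import datetime, time
from enum import IntEnum


class Level(IntEnum):
    """Classification levels from the MAC section, lowest to highest."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_can_read(clearance: Level, classification: Level) -> bool:
    """MAC: the system compares labels; neither user nor owner can override."""
    return clearance >= classification


class DacObject:
    """DAC: the owner alone decides who gets read, write or execute."""
    PERMS = {"read", "write", "execute"}

    def __init__(self, name: str, owner: str):
        self.name, self.owner = name, owner
        self.acl = {owner: set(self.PERMS)}  # the creator becomes the owner

    def grant(self, actor: str, user: str, perms: set) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own {self.name}")
        unknown = set(perms) - self.PERMS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        self.acl.setdefault(user, set()).update(perms)

    def allowed(self, user: str, perm: str) -> bool:
        return perm in self.acl.get(user, set())


# Role-based: privileges follow the job role (hypothetical roles and tasks).
ROLE_TASKS = {
    "network-admin": {"configure-switch", "view-device-logs"},
    "sales": {"view-crm"},
}


def role_allows(role: str, task: str) -> bool:
    """Unknown roles and unlisted tasks are denied by default."""
    return task in ROLE_TASKS.get(role, set())


def within_login_window(now: datetime, start: time = time(8, 0),
                        end: time = time(17, 0),
                        weekdays: tuple = (0, 1, 2, 3, 4)) -> bool:
    """Time-based: logins are only accepted on the configured days and hours."""
    return now.weekday() in weekdays and start <= now.time() < end


if __name__ == "__main__":
    # MAC: Alice (secret) may view a confidential file, not a top secret one.
    print(mac_can_read(Level.SECRET, Level.CONFIDENTIAL))   # True
    print(mac_can_read(Level.SECRET, Level.TOP_SECRET))     # False

    # DAC: the owner of the work schedule hands out rights at their discretion.
    sheet = DacObject("work-schedule.xlsx", owner="you")
    sheet.grant("you", "bob", {"read"})
    sheet.grant("you", "carol", {"read", "write"})
    print(sheet.allowed("bob", "write"))                    # False

    # Role-based and time-based checks.
    print(role_allows("sales", "configure-switch"))         # False
    print(within_login_window(datetime(2024, 3, 4, 19, 30)))  # False (after hours)
```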

Authentication, authorization, and accounting

Authentication, Authorization, and Accounting (AAA) is a framework that defines how a user is able to provide their identity to a system and the policies to be applied to that authenticated user, as well as keeping a log of the user's activity while they are logged in to the system or network.

Authentication is simply the processes and techniques used to validate a user's identity to a system. We usually create a user account on our computers to prevent unauthorized access, and even with our smartphones, there are PINs and even biometrics implemented to restrict access. Without enabling authentication on our devices, anyone can gain access to a system and use it freely.

The following are various methods that are used during authentication:

  • Something you know: This is a PIN, password, or passphrase.
  • Something you have: This component could be a security key such as a Yubico YubiKey or a Google Titan Security Key.
  • Something you are: This is biometrics such as fingerprints, voice, or facial recognition. An example of facial recognition technology is Windows Hello on the Windows operating system.

After a user has been authenticated to a system, policies are applied that define the privileges of that user; this is known as authorization. Without the authorization aspect, any authenticated user will be able to perform any actions on a system.

This means a user could perform administrative actions on a computer, server, or even network device and cause critical issues or security incidents on the network. Therefore it is wise to provide the least privileges to a user such that they have just enough access to complete their duties and nothing more.

Accounting entails simply keeping a record of all the actions performed by a user on the system. These records are usually in the form of logs that are generated when the user does something. Imagine one day a disgruntled employee decides to perform some malicious actions on an organization's device while logged on. An AAA server would contain a log with the timestamps and details of the actions performed by the user.

To get a better idea of why there's a need for AAA, let's take a look at a small network with just a few networking and security devices. An IT professional can create individual user accounts on each device for each person who requires administrative access to manage the devices. This is good and workable for a small network infrastructure. However, as the network grows, creating those individual user accounts for each person within the IT department on each device becomes challenging.

Consider that within an ISP network, there are hundreds of devices that engineers require access to in order to configure new roles and services, troubleshoot any issues that may exist, and occasionally perform maintenance. Since each engineer requires access to various devices, it's not efficient to create individual user accounts on each device. What if the user has to change their password or have their privileges adjusted? Such a change would have to be done on all devices. Using AAA, an organization can implement an AAA service that handles each aspect of authentication, authorization, and accounting.

The following diagram shows the AAA process of a user attempting to log in to the network:

Figure 3.7 – AAA in action

As shown in the preceding figure, the user's computer (supplicant) is connected to the network and the switch (authenticator) is prompting the user to provide a username and password to gain network access. When the user provides their credentials, the switch (authenticator) queries the AAA server (authentication server) to validate the user's identity and determine the policies for the user. The AAA server responds to the switch (authenticator). If the credentials provided by the user are valid, the user is authenticated to the network and policies are applied that determine what the user can and cannot do when logged in. Additionally, the AAA server keeps a log of all the user's actions for accountability.

The following are two AAA servers:

  • Remote Access Dial-In User Service (RADIUS): RADIUS is an open source AAA server platform that can be implemented in a multi-vendor environment. RADIUS uses UDP port 1812 for the authentication process and UDP port 1813 for the accounting service. The messages that are exchanged between the AAA client and the AAA server are not fully encrypted, as RADIUS only encrypts passwords in messages, using the MD5 hashing algorithm. Additionally, RADIUS is commonly used to control and authenticate network access for users on both wired and wireless networks.
  • Terminal Access Controller Access-Control System + (TACACS+): TACACS+ is a Cisco proprietary AAA service that is only operable in a Cisco environment. TACACS+ provides additional functionality as compared to RADIUS such that it creates separate encrypted communication channels for each aspect of AAA over TCP port 49. Furthermore, TACACS+ is commonly used for device administration using Cisco Access Control Server (ACS) as an authentication server and it encrypts the entire payload.

    Important note

    The Cisco Identity Services Engine (ISE) provides AAA services using both RADIUS and TACACS+ on both wired and wireless networks. ISE is also a Cisco authentication server that is mainly used in Network Access Control (NAC), for example, to provide authentication to users on a wireless network. ISE 2.0 uses both TACACS+ and RADIUS protocols.

Having completed this section, you have explored the various access control models and how they are used to limit the privileges of users on a system. In the next section, we will be covering the importance of implementing proper security appliances and applications on a network to help detect and block threats in real time.

Understanding security deployment

When implementing security components such as firewalls and anti-malware/anti-virus programs, it's important to understand the various types of deployments and how they affect the monitoring of threats.

A firewall can be deployed either as a network-based firewall or a host-based firewall. A network-based firewall is simply deployed on the network itself and sits in line with inbound and outbound traffic.

The following diagram shows an example of a network-based firewall:

Figure 3.8 – Network-based firewall

The downside of having only a network-based firewall is that if an internal security attack occurs, such as a user inserting a malware-infected USB flash drive into their computer, the malware will most likely attempt to spread to other systems on the network. A network-based firewall will only be able to filter the malicious traffic if it passes through the firewall appliance. To put it simply, a network-based firewall is not able to stop an internal attack or threat if it's not in line with the malicious network traffic.

A host-based firewall is an application that is installed on the host device. The benefit of using a host-based firewall is that it has the capability to filter any malicious traffic that is entering or leaving the host device. Imagine there's an internal outbreak that is affecting the host systems within a corporate network. A host-based firewall would be able to prevent the malicious traffic from entering a non-infected host, and it would also have the capability to prevent an infected host from sending the malicious traffic out over the network.

Tip

Implementing a network-based solution can save an organization lots of money simply because the company will need to purchase a single license for the network-based solution as opposed to individual software licenses for each client device.

The concepts of network-based and host-based deployments apply to anti-virus and anti-malware solutions. Cisco Advanced Malware Protection (AMP) can be implemented both as a network-based solution and as a host-based solution. Some organizations may choose to implement a network-based solution as a service on the Cisco Next-Generation Firewall (NGFW), which will be able to inspect and block both inbound and outbound malware for the corporate network. However, with a host-based deployment, Cisco AMP will have the visibility to inspect and block malware on each individual host device.

Endpoint protection is anti-malware protection that offers organizations a business solution to help administrators manage threats better. With endpoint security solutions, an agent can be installed on each end device, such as computers. The agent will connect to the centralized server, which allows the administrators to centrally manage the threat protection on all connected agents, hence managing all end devices simultaneously.

This allows the administrator to use a centralized dashboard to easily view and manage the entire threat landscape of their organization and determine answers to the following:

  • Which endpoint agents require updates?
  • Is there malware on a system?
  • What has the endpoint protection done to remove the threat?
  • Has the malware spread to other devices on the network?
  • What files were compromised by the malware?

There are some security solutions that do not require an agent; a solution can be agentless and still be able to detect and block threats on an enterprise network. An agentless security solution is one that is not deployed on a host machine but rather on the network itself. An agentless solution uses other methods to monitor for threats, such as monitoring network traffic for any type of malware that may be hidden within packets. Let's imagine a threat actor was able to compromise a file server and locate a spreadsheet containing confidential financial information. The threat actor can attempt to exfiltrate the file from the corporate network. One technique is to convert the file into DNS query messages and send those DNS messages to a DNS server owned by the threat actor. The agentless security solution would then be able to monitor any suspicious network traffic and flag it.
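One way a network-side monitor can flag the DNS pattern described above, as an added example (not from the book or any product): it groups queries by client and parent domain and reports a pair only when it sees many distinct, long, high-entropy subdomains. The log format, addresses, domain names and thresholds are constructed for the illustration, and taking the last two labels as the parent domain is a simplifying assumption.

```python
import math
from collections import Counter, defaultdict

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def constructed_log() -> list:
    """Constructed sample lines: 'timestamp client qtype qname'."""
    lines = [
        "2024-03-04T10:00:01 10.0.0.15 A www.example.com",
        "2024-03-04T10:00:02 10.0.0.15 A mail.example.com",
        "2024-03-04T10:00:03 10.0.0.15 A intranet.corp.example.com",
    ]
    # Many distinct but short names: busy, yet ordinary.
    lines += [f"2024-03-04T10:01:{i:02d} 10.0.0.31 A host{i}.example.org"
              for i in range(6)]
    # Many distinct, long, random-looking labels under one parent domain.
    for i in range(8):
        label = "".join(ALPHABET[(i * 7 + j * 11) % 32] for j in range(40))
        lines.append(f"2024-03-04T10:02:{i:02d} 10.0.0.23 TXT {label}.collector.example")
    return lines


def entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def detect(lines, min_unique: int = 5, min_mean_len: float = 24,
           min_entropy: float = 3.5) -> list:
    """Return one finding per (client, parent domain) that meets all thresholds."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the whole run
        _, client, _, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain part to inspect
        parent = ".".join(labels[-2:])
        seen[(client, parent)].add("".join(labels[:-2]))

    findings = []
    for (client, parent), subs in sorted(seen.items()):
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_entropy = sum(entropy(s) for s in subs) / len(subs)
        # Requiring all three signals keeps short host names and a single
        # long name from raising an alert on their own.
        if (len(subs) >= min_unique and mean_len >= min_mean_len
                and mean_entropy >= min_entropy):
            findings.append({"client": client, "domain": parent,
                             "unique_subdomains": len(subs),
                             "mean_length": mean_len,
                             "mean_entropy": round(mean_entropy, 2)})
    return findings


if __name__ == "__main__":
    for finding in detect(constructed_log()):
        print(finding)
```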

In this section, you learned about various types of security deployments and how they are able to help protect an enterprise network from cyber threats and attacks.

Summary

Having completed this chapter, you have a lot of knowledge that's vital in better understanding the need for implementing a DiD approach in any organization to secure assets. Furthermore, you learned about various key security terminologies, which will help you to better understand what threats are, as well as learning how threat actors use exploits to take advantage of vulnerabilities they discover on a target system. You explored the need to always protect both PII and PHI as threat actors are interested in stealing those types of data and selling it on the dark web. Lastly, we took a deep dive into the need for risk management and access control models within an enterprise organization.

I hope this chapter has been informative for you and is helpful in your journey toward learning the foundations of cybersecurity operations and gaining your Cisco Certified CyberOps Associate certification.

In the next chapter, Chapter 4, Understanding Security Principles, you will learn about the importance of a SOC and data types, looking at various networking technologies and different data types for security and threat monitoring.

Questions

The answers to the questions can be found in the Assessments section at the end of this book.

The following is a short list of review questions to help reinforce your learning and help you identify which areas require some improvement:

  1. If a threat actor is able to intercept network traffic and gather usernames and passwords, which of the following is affected?

    A. Confidentiality

    B. Availability

    C. Integrity

    D. Hashing

  2. How can you protect data at rest?

    A. Save it offline.

    B. With encryption.

    C. Hide it.

    D. Keep it on the cloud.

  3. Which of the following technologies is used to provide integrity?

    A. Anti-malware protection

    B. Firewall

    C. Encryption

    D. Hashing

  4. Which of the following best describes a weakness in a system?

    A. Exploit

    B. Risk

    C. Vulnerability

    D. Threat

  5. Which of the following is a component of a Security Operation Center (SOC) runbook?

    A. Workflow

    B. Tools

    C. Processes

    D. All of the above

  6. Which standard provides risk management guidelines?

    A. ISO 27001

    B. ISO 31000

    C. ISO 27005

    D. ISO 27002

  7. Which of the following access control models is implemented in government agencies?

    A. MAC

    B. DAC

    C. Role-based

    D. Time-based
