1 An Introduction to Cybersecurity

Cybersecurity is a vast and diverse field. Whether you’re setting up a firewall or creating a password policy, your actions impact all levels of an organization, from its technicians and help desk to the CEO. Cybersecurity also affects every piece of technology in an organization: mobile phones, servers, and even devices like industrial control systems. A field this extensive and deep can be a little intimidating when you first enter it. This is especially true if you’re trying to learn about cybersecurity without entering the field. For example, you might be an IT department head who wants to learn more so you can better protect your organization.

This chapter starts slow: we’ll talk about what cybersecurity is and isn’t, as well as the difference between white hat and black hat hackers.

What Is Cybersecurity?

At its core, cybersecurity has one driving purpose: to identify cyber threats in an organization, calculate the risk related to those threats, and handle those threats appropriately. Not every threat that a company experiences is an issue that cybersecurity deals with directly (for example, pandemics or physical damage to a building caused by a tornado or flood). In general, cybersecurity uses the CIA triad model to determine which threats are under its purview.

The CIA triad consists of three categories of security: confidentiality, integrity, and availability. Confidentiality involves how assets and data are exposed to people or processes, and ensures that only the people who are supposed to access a resource can access it. Integrity ensures that assets and data aren’t changed without proper authorization. This covers not only items like entries in a database server but also actions like adding a user to a network. Availability ensures that data or assets are accessible when needed. For work to continue, you must be able to access data when necessary.

Figure 1-1 shows the elements of the CIA triad positioned in a triangle to demonstrate how you might need to balance each of them to maintain the functionality of the others. For example, if you focus too much on confidentiality, you risk significantly locking down your assets so no one else can use that data for their job, creating an availability issue. Similarly, by placing too much emphasis on integrity, you lose confidentiality, because you must be able to read data to ensure that nothing has changed. By balancing the three triad components, you can achieve equilibrium between the core elements that encompass what cybersecurity does on a regular basis.

Figure 1-1: The CIA triad

Some experts debate the merits of adding elements to the traditional triad to contend with new technologies or priorities within cybersecurity. One element often added is non-repudiation, which is the idea that when a person or entity does something, there must be specific evidence tying them to that action so it’s impossible for them to deny they did it.

Cybersecurity and Privacy

In recent years, there has been an emphasis on the relationship between cybersecurity and privacy. In this situation, privacy means the rights and abilities of a person to control how information about them is stored, shared, and used. Although the topic of privacy extends beyond cybersecurity, cybersecurity still plays a huge role in ensuring that an individual’s data is secured against malicious use. Cybersecurity is also responsible for many of the controls that allow a company to audit its data use, ensuring that it follows any necessary rules or regulations. Going forward, the protection of a user’s privacy will likely become an increasingly integral part of the cybersecurity field.

What Cybersecurity Isn’t

In a field as large as cybersecurity, you’re bound to encounter a few distorted ideas about its scope. To mitigate these misconceptions, it’s best to discuss what cybersecurity isn’t. Doing so will help define the field and what it actually means to do cybersecurity.

First, cybersecurity isn’t synonymous with hacking. The media would have you believe that all cybersecurity professionals do is clack away at a keyboard, trying to break into a system. Although penetration testing—the act of attempting to break into a system you’re authorized to attack, such as your own or a client’s, to discover vulnerabilities from an attacker’s perspective—is a part of cybersecurity, it’s but one section of the field. A vulnerability is a flaw in a system, including how it’s set up or how people use it. For example, having an error in a system’s code can cause a vulnerability. Attackers create exploits to take advantage of vulnerabilities. But just because you don’t know how to execute an exploit using a flaw in a computer’s memory doesn’t mean you can’t be an expert in setting up and maintaining firewalls. This means that you don’t need to understand how every hacking tool works or exactly what the latest exploit does to contribute to the cybersecurity industry.

Second, cybersecurity isn’t switch flipping. Some people use the term switch flipping to describe what they think system engineers or other IT professionals do: they just flip switches or configure systems without understanding the underlying processes that make a system work. It’s true that configuring a system to be secure is vitally important to cybersecurity. But securing a system can’t necessarily be done by following a checklist. It requires looking at the entire system, noting how every component interacts not only with the other components, but also with other systems to fully understand how to secure a system. In addition, professionals need deliberation and critical thinking skills to know how to secure a system in situations where it’s impossible to apply best practices.

Third, cybersecurity doesn’t only require technical skills. Just as important as technical knowledge is the ability to translate that information into tips and resources that everyone can understand when professionals give presentations or write reports. Cybersecurity professionals work with every department in an organization, which means their interpersonal communication skills are essential. The only way your organization will become more secure is if everyone understands their role in maintaining security, which means you must communicate that role effectively.

Black Hats vs. White Hats

When you think of the term hacker, you probably think of someone doing something malicious to or with a computer, such as destroying files or unlocking electronic locks on doors so robbers can break in. The reason you think this way is that the media generally uses the word hacker to describe computer criminals. But not all hackers are hoodie-clad teenagers in basements banging on a keyboard while listening to death metal. In fact, people from all different backgrounds and regions participate in computer crime. The term hacker is also used to describe good cybersecurity experts: the label applies to anyone who asks questions and breaks systems, whether they’re computers or physical devices, to learn more about them, not necessarily just to commit crimes. Many specific expressions, such as bad actor, attacker, and state actor, single out cybercriminals. But in this book, I’ll call them black hats (as well as attackers or adversaries).

As just mentioned, attackers come from different backgrounds and places, but they all share the same intent: to use their technical knowledge to commit a crime. These crimes often revolve around financial gain of some sort, either directly by stealing money or demanding ransom payments, or indirectly by stealing important information, such as social security numbers to sell at a later time. It’s important to note that not every adversary is pursuing money. They could be seeking specific information or trying to disrupt a service. There are many arguments about what constitutes a crime when it comes to malicious computer use. For the purposes of this book, I consider any violation of the current United States Computer Fraud and Abuse Act to fit the definition of cybercrime.

On the other side of the spectrum are the white hats. White hats are cybersecurity experts who apply their technical knowledge to making systems more secure. They not only include people who work for a company’s security department, but also independent professionals who conduct security research, such as analyzing malware or discovering zero-day vulnerabilities (brand-new, never-before-seen vulnerabilities in a system or software). These people work tirelessly to try to stay one step ahead of black hats.

In a gray area in the middle are gray hats. The activities of a gray hat aren’t necessarily malicious, but they’re not honorable either. For example, attacking a system without permission to find vulnerabilities that you then disclose to the system’s owner is a gray area, because typically white hats don’t perform any attacks without permission. Which side a gray hat falls on depends on a person’s perspective. If someone uses their skills to get past a government filter on the internet, they might look like an attacker to the government but a white hat to everyone trying to exercise freedom of speech.

Types of Black Hats

Although a wide variety of people fit the role of a black hat, you can still group them into categories. These categories are not meant to be exhaustive but should give you a general idea of the motivations behind black hat activity.

Script Kiddies

Script kiddies are adversaries who have no inherent skill and follow instructions found on the internet to execute their attacks. They generally find prewritten scripts (hence the name script kiddie) built to run a specific type of attack. They then enter their target information and fire off the script. Traditionally, script kiddies pose a low threat to most organizations. The attacks they use aren’t usually sophisticated and often rely on outdated or easily recognized vectors of attack. But script kiddies shouldn’t be taken lightly. Just because they don’t have the skills of more elite black hats doesn’t mean they can’t do damage given the right set of tools.

Organized Criminals

A growing sector of organized crime is turning to black hat activities as government policing cuts off their other sources of revenue. Organized crime is highly effective at recruiting people with expert skills. As a result, these attackers use the latest vulnerabilities, create their own malware, and do extensive research to obtain large financial payoffs for their work. This makes them significant threats. Eastern Europe and Russia are particular hotbeds for this type of activity.

Hacktivists

A hacktivist is a person or group who uses hacking skills for a political purpose. They usually try to deface or disrupt services rather than stealing data or money. For example, a hacktivist group might take possession of the Twitter account of a company they disagree with, using the account to write terrible messages to smear the company’s reputation or promote their own agenda. One of the most legendary hacktivist groups is Anonymous, which generally targets governments or other organizations it believes are authoritative in nature. It has taken down websites and released leaked documents, among a number of other activities (although it’s hard to know exactly what the group has accomplished, because anyone can claim to be a member). Hacktivists can pose a significant threat to organizations and are generally more skilled than script kiddies.

State Actors

A state actor is a black hat who works for a government. To many, these agents operate in the gray area, because the legitimacy of their actions might seem to vary depending on which government they happen to work for. Nevertheless, state actors use the same techniques as other attackers, and their attacks can cause significant damage. State actors are typically interested in either stealing proprietary information to help their nation or disrupting services to hurt a foreign nation. China, North Korea, Iran, and Russia have robust programs connected to several major black hat campaigns, including breaches into Sony to steal sensitive internal documents and disruptions to elections worldwide. State actors pose some of the highest risks because they’re well funded and they operate with the latest technology and training.

Advanced Persistent Threats

A more recent term, an Advanced Persistent Threat (APT) describes an attack that remains hidden for an extended period, slowly digging deeper into its target system until it meets its goals. Originally, state actors were the only types of adversaries with the resources and expertise to perform this type of attack. But in recent years several non-government groups have been able to execute similar operations. APTs are extremely dangerous, because it’s difficult to identify where they are in your organization, what they might have access to, or who they’ve compromised. APTs run the gamut of motivation from targeted data theft to straight ransom.

Types of White Hats

Just like black hats, white hats fill a diverse set of roles needed for a successful cybersecurity program. Cybersecurity isn’t a monolith; it covers a multitude of fields and areas of expertise, and it’s extremely difficult for one person to handle it alone. Organizations that cannot afford a dedicated security team should consider seeking outside help to supplement their own internal IT staff and provide advice where required.

The following sections explain various white hat positions along with a brief description of the typical tasks of each position. This list is by no means exhaustive, nor should it be considered standard, because some organizations might have different needs or differing ideas about where a position fits in their internal structure. That said, this list should provide you with a good idea of the types of positions that exist and the skills a person needs to fill specific roles. Also, note that I don’t mention any educational degrees. The reason is that most roles in cybersecurity don’t require any specific degree; instead, they rely heavily on knowledge and experience (both of which can be accumulated elsewhere). I’ve encountered experts with advanced cybersecurity degrees and others who had master’s degrees in military history. Even so, it might take longer to gather the necessary knowledge and experience without a degree.

Cybersecurity/Security Operations Center Analysts

A cybersecurity analyst is an entry-level role tasked with maintaining and monitoring alerts that come in from various cybersecurity tools or devices. Their primary job is to find anything that looks suspicious and send it up the chain for further analysis if necessary. Often, these roles are tied into a Security Operations Center (SOC), a facility where systems aggregate and monitor alerts from across an organization.

Analysts are the first responders for many security incidents, because they’re the ones getting the alerts or directly contacting end users. These jobs typically require a strong IT background: additional security experience is beneficial, but it’s not always required. To be successful in this position, a person needs a solid understanding of networking or system administration, attention to detail, patience, and problem-solving and task-management skills.

Cybersecurity Consultants

Cybersecurity consultants provide a wide range of services and require an extensive background in security. Essentially, they’re tasked with providing security expertise to an organization for whatever task or problem the organization is currently dealing with. This includes issues such as policy creation, system security controls, incident response, training and awareness, and general security advice. Consultants require a deep understanding of the overarching principles of security and typically have a base knowledge of most operating systems, software, or specific hardware devices. Critical thinking, problem solving, excellent verbal and written skills, and task management skills are essential for this position.

Cybersecurity Architects

We typically think of an architect as someone who designs buildings. A cybersecurity architect has a similar job, but instead of buildings, they design security. They’re tasked with creating security controls for environments rather than implementing or managing existing controls. This means they must have a complete understanding of how security controls work and of the environment they’re working with, as well as how that environment and the controls within it interact during normal workflow. For example, a network security architect would design the security controls that protect a particular network environment, taking into account the security devices needed, how information flows across the network, and any necessary network security controls on individual systems.

If you think this sounds like a sizable and complex job, you’re right. Cybersecurity architects must have a vast amount of experience in their particular area of expertise, such as networking or databases, in addition to a robust security background. Understanding what controls a workflow needs and how those controls might have adverse interactions with other parts of an environment requires high-level critical thinking and problem solving skills. Architects must also work with diverse teams that span every aspect of IT, so they must hone their written and verbal communication skills. Additionally, architects are often working against a production timeline, which means they need to be efficient but diligent in their work.

Chief Information Security Officers

Organizations generally have a group of people tasked with running all operations. These people hold titles such as chief executive officer (CEO), chief financial officer (CFO), or chief information officer (CIO). In the security sector, the comparable position is the chief information security officer (CISO). The CISO oversees all security operations within an organization: they make broad decisions about how the organization should manage its security and what projects or resources the company needs to ensure it maintains an adequate level of security for the threats it faces.

The CISO requires an extensive understanding of security, but what sets them apart from most security professionals is their other skills. To be a CISO, you need excellent project management skills and budgeting experience. You also need to be able to communicate with your team and other executive officers to explain the organization’s goals and mission, as well as how security relates to them. CISOs spend a good amount of their time as managers, whether with respect to personnel, budgets, or risk. Risk management requires you to identify a threat, the impact of that threat on the organization, the likelihood of that threat being realized, and what you can do to mitigate it (Chapter 10 covers risk management in depth). As the head of security for your organization, strong leadership skills are also a must.

Even small organizations need a CISO. Having a person in this role, whether it’s a full-time job or part of other duties they carry out, is integral to building and maintaining security. Smaller organizations might consider finding a consultant to provide CISO-level guidance on a part-time basis.

Incident Responders

An incident is anything bad that happens to an organization: for example, an account is compromised, data is lost or destroyed, or malware has infected a system. Incident responders are the people who react when an incident happens. Their main job is to run an initial investigation, preserve information and evidence, contain the incident from spreading, and restore affected systems as quickly as possible. You can compare an incident responder to a paramedic. Paramedics stabilize an injured person and determine how they were hurt so the doctor can fully treat them. Incident responders are somewhat similar: they don’t perform the full investigation into what happened. That is left up to forensics experts, which we’ll look at shortly.

Instead, incident responders stabilize the systems where the incident occurred to ensure the attack doesn’t spread across the entire environment. For example, they might take a system off the network to stop the spread of malware. Incident responders then gather and preserve evidence of the incident. This means checking logs, copies of systems, backups, and whatever other information they can find. Once they’ve gathered all the data and have the incident contained, they work to restore the environment. This might mean wiping a system to remove any possible trace of malware, for example.

Incident responders must work quickly but methodically. They require a cool head under pressure. They must be critical thinkers capable of reasoning through every action to ensure they don’t make the incident worse or destroy evidence. Incident responders usually have a strong security background but often require additional training in specific incident response techniques. Responders typically work in a large team. Often, they’re called on to provide specific system expertise for that team; for example, they might have an in-depth understanding of Linux operating systems.

Vulnerability Managers and Threat Hunters

Whereas incident response is about reacting to a harmful occurrence, vulnerability management attempts to prevent adverse events before they happen. Vulnerability managers look for security flaws in systems and try to correct them. This is a constant process, because systems continuously change and thus develop new vulnerabilities. A vulnerability manager needs patience and diligence, leaving no stone unturned so that no vulnerability goes undiscovered.

Threat hunters have similar jobs, but they operate on a deeper scale, attempting to correlate events from across an organization to detect possible threats. They often look for advanced black hat activity, such as that carried out by an APT and not normally identified by typical alerts. Threat hunters require deep security knowledge, an eye for details, and excellent critical thinking skills. They also need good verbal and written communication skills to inform everyone in the organization about the threats they’re detecting.

Computer Forensic Analysts

After an incident takes place and incident responders have completed their job, the forensic analysis of the incident begins. Computer forensic analysis is the process of retrieving and analyzing evidence related to an incident.

Computer forensic analysts could be part of the incident response team but are often a separate group that takes over the investigation after the threat has been contained. These analysts do a deep and detailed investigation of the evidence gathered. Not only do they look at items like logs, but they also examine the processes that were running on a system, what was loaded into memory during the incident, and even individual software code. This requires an extremely technical background with an in-depth knowledge of the inner workings of computer code. Computer forensic analysts use a variety of specialty tools that require training and practice to use effectively. They must have an intense attention to detail, as well as good communication skills to relay their findings in language accessible to nontechnical people.

Penetration Testers

The quintessential role for most people with cybersecurity expertise is penetration tester. They try to break into a system as if they were black hats to discover the system’s flaws and vulnerabilities. Penetration testing is actually a minor field that requires a great deal of training to be successful.

Penetration testers must have robust technical skills, because they must understand security concepts and the types of techniques attackers use. This requires constant training and practice. Penetration testers rely on a variety of tools to attack systems, each of which comes with its own set of expertise. It’s also essential that they maintain meticulous documentation to provide evidence of their actions to the client: ultimately, breaking into a system doesn’t matter if you can’t explain how you did it.

Exercise: Learning More About Cybersecurity and Threats

To better understand cybersecurity, it helps to get involved in the community. The best way to do this is to sign up for newsletters and alerts. The following sections provide a list of some of the best feeds available to get you started. As you look through these resources, try to answer these questions: What types of threats are most common? How do various sources categorize these threats? What common advice can you find across different resources to prevent attacks? What sorts of search terms might you use to find more resources?

Government resources

National Institute of Standards and Technology (NIST) Computer Security Resource Center at https://csrc.nist.gov/: a great place to find articles and other information on how to secure your systems at home or work.

Cybersecurity and Infrastructure Security Agency (CISA) at https://www.cisa.gov/: the government agency charged with providing guidance on cybersecurity and infrastructure security. The site contains lots of resources and bulletins on security practices and threats.

National Institute for Cybersecurity Education (NICE) at https://www.nist.gov/itl/applied-cybersecurity/nice/: part of NIST, this group provides educational resources related to cybersecurity, including challenges and training courses for middle and high school students.

Threat feeds

Multi-State Information Sharing and Analysis Center (MS-ISAC) at https://www.cisecurity.org/ms-isac/: this site provides alerts on critical vulnerabilities and other information related to cybersecurity.

InfraGard at https://www.infragard.org/: this program provides national and state organizations with threat intelligence as well as other services, including training.

SANS Internet Storm Center at https://isc.sans.edu/: this site provides updates on security vulnerabilities and blog posts on various security topics.

Cybersecurity blogs

Krebs on Security at https://krebsonsecurity.com/: written by security expert Brian Krebs, this site provides lots of informative articles on current threats and other cybersecurity trends.

Threatpost at https://threatpost.com/: this site provides articles on the latest vulnerabilities and threats being exploited.

FireEye Blogs at https://www.fireeye.com/blog.html: this site contains information on threats, stories from the industry, and other valuable cybersecurity articles.

Cybersecurity podcasts

Security Now at https://twit.tv/shows/security-now/: hosted by Leo Laporte and Steve Gibson, this cast delves deeply into the headlines of the week related to cybersecurity. It’s a great resource to use to keep up with the latest vulnerabilities, exploits, and threats.

Darknet Diaries at https://darknetdiaries.com/: created by Jack Rhysider, this cast investigates real-life stories of hackers and other security events over the years.

Conclusion

Cybersecurity can be an intimidating field to enter. However, faced with a wide variety of attackers and threats, organizations need cybersecurity professionals more than ever if they want to preserve their security. This chapter introduced you to what cybersecurity is and the threats that exist. The rest of the book will guide you through the cybersecurity field and the threats you might encounter, whether you’re a manager, a long-time IT person switching to a new field, or someone just entering the professional world.
