Cisco Cybersecurity Essentials Course

The document describes the evolution of hacker culture from the 1960s to the present. Originally, hackers were hobbyists interested in exploring the limits of emerging computing systems, and they incorporated gaming themes such as paladins and heroes into their culture. Over time, hackers divided into groups with different motivations, from curiosity to financial or political gain. The document also analyzes the main players in the "cyber realm", including large companies that collected

Chapter 1: Cybersecurity, a world of champions, heroes and criminals

Many of the world's original hackers were hobbyists, programmers, and computer
science students during the 1960s. Originally, the term hacker described people with
advanced programming skills. Hackers used these programming skills to test the limits
and capabilities of early systems. These early hackers were also involved in the
development of the first computer games. Many of these games included paladins and
heroes with special skills.

As hacking culture evolved, it incorporated the lexicon of these games into the culture
itself. Even the outside world began to project the image of powerful champions onto this
misunderstood hacking culture. Books like Where Wizards Stay up Late: The Origins of
The Internet, published in 1996, added to the mystique of hacking culture. The image and
the lexicon stuck. Many hacking groups today adopt these images. One of the most
infamous hacking groups is known by the name of the Legion of Doom. Understanding
cyber culture is important to understanding cyber criminals and their motivations.

Sun Tzu was a Chinese philosopher and warrior in the 6th century BC. Sun Tzu wrote
the book called The Art of War, which is a classic work on the strategies available to
defeat the enemy. His book has guided strategists for centuries.

One of Sun Tzu's guiding principles was to know your opponent. Although he was
referring specifically to war, much of his advice translates to other aspects of life,
including the challenges of cybersecurity. This chapter begins by explaining the
structure of the cybersecurity world and why it continues to grow.

This chapter will analyze the role of cybercriminals and their motivations. Finally, the
chapter explains how to become a cybersecurity specialist. These cyber heroes help
defeat cyber criminals who threaten the cyber world.

Kingdoms Overview

There are many groups of data that make up the “cyber world”. When groups can collect
and use enormous amounts of data, they begin to accumulate power and influence. This
data can be in the form of numbers, images, video, audio, or any type of data that can be
digitized. These groups could prove so powerful that they function as if they were
kingdoms. Companies like Google, Facebook and LinkedIn can be considered data
castles in the cyber world kingdom analogy. If we extend the analogy further, the people
who work at these digital companies could be considered cyber champions.

Castles of the cyber world

The cyber champions at Google created one of the first and most powerful castles in the
cyber kingdom. Billions of people use Google to search the web daily. Google has
created what could be considered the largest data collection network in the world.
Google develops Android, the operating system installed on more than 80% of all mobile
devices connected to the Internet. Each device requires users to create Google accounts
that can save bookmarks and account information, save search results, and even locate
the device. Click here to see some of the many services Google currently offers.
Facebook is another powerful castle in the cyber kingdom. Cyber champions at Facebook
recognized that people create personal accounts daily to communicate with friends and
family. By doing so, they provide a lot of personal data. These Facebook champions
formed a massive castle of data to help people connect in ways never before imagined in
the past. Facebook touches the lives of millions of people every day and allows
businesses and organizations to communicate with people in more personal and targeted
ways.

LinkedIn is another data castle in the cyber realm. LinkedIn's cyber champions
recognized that their members would share information in the quest to create a
professional network. LinkedIn users upload this information to create online profiles and
connect with other members. LinkedIn connects employees with employers and
companies with other companies around the world.

A look inside these castles reveals how they are designed. At a fundamental level, these
castles are strong because of the ability to collect user data contributed by users. This
data often includes users' backgrounds, discussions, preferences, locations, trips,
interests, friends and family members, professions, hobbies, and work and personal
schedules. Cyber champions create great value for organizations interested in using this
data to better understand and communicate with their customers and employees.

The growth of cyber kingdoms

The data collected from the cyber world goes beyond the data that users voluntarily
contribute. The cyber realm continues to grow as science and technology evolve,
allowing cyber champions to collect other forms of data. Cyber champions now have the
technology to track global weather trends, monitor the oceans, and track the movement
and behavior of people, animals, and objects in real time.

New technologies emerged, such as Geospatial Information Systems (GIS) and the
Internet of Everything (IoE). These new technologies can track the types of trees in a
neighborhood and provide up-to-date locations of vehicles, devices, people, and
materials. This type of information can save energy, improve efficiency, and reduce
safety risks. Each of these technologies will also exponentially expand the amount of
data collected, analyzed, and used to understand the world. The data collected by GIS
and the IoE constitute a major challenge for cybersecurity professionals in the future.
The type of data generated by these devices has the potential to allow cybercriminals to
gain access to the very intimate aspects of everyday life.

Who are cyber criminals?

In the early years of the cybersecurity world, typical cybercriminals were teenagers or
hobbyists operating from a home PC, and their attacks were limited to pranks and
vandalism. Nowadays, the world of cybercriminals has become more dangerous.
Attackers are individuals or groups who attempt to attack vulnerabilities for personal or
financial gain. Cybercriminals are interested in everything from credit cards to product
designs and anything else of value.

Hobbyists – Hobbyists, or script kiddies, have little or no skills, and typically use existing
tools or instructions found on the Internet to perform attacks. Some are just curious,
while others try to demonstrate their skills and cause damage. They can use basic tools,
but the results can still be devastating.
Hackers – This group of criminals break into computers or networks to gain access for
various reasons. The intent behind their intrusion determines the classification of
these attackers as white, gray or black hat criminals. White hat attackers penetrate
networks or computer systems to discover weaknesses in order to improve the security
of these systems. The system owners grant them permission to perform the intrusion
and receive the test results. On the other hand, black hat attackers exploit
vulnerabilities for illegal personal, financial, or political gain. Gray hat attackers are
somewhere between black and white hat attackers. Gray hat attackers may find a
vulnerability and report it to the system owners if that action suits their purposes. Some
gray hat hackers publish the facts about the vulnerability on the Internet so that other
attackers can take advantage of them.

The figure provides details on the terms white, black, and gray hat hacker.

Organized hackers – These hackers include cybercriminal organizations, hacktivists,
terrorists, and state-sponsored hackers. Cybercriminals are generally groups of
professional criminals focused on control, power, and wealth. Criminals are very
sophisticated and organized, and may even provide cybercrime as a service. Hacktivists
make political statements to raise awareness about issues that are important to them.
Hacktivists publicly post embarrassing information about their victims. State-sponsored
attackers gather intelligence or carry out sabotage on behalf of their government. These attackers
are usually highly trained and well funded. Their attacks focus on specific targets that
are beneficial to their government. Some state-sponsored attackers are even members of
their countries' armed forces.

Click here to see graphical representations of the hackers' profiles.


Motives of cyber criminals

Cybercriminal profiles and motives have changed over the years. Hacking began in the
1960s with “phone freaking” (or “phreaking”), an activity that refers to the use of various
audio frequencies to manipulate telephone systems. In the mid-1980s, criminals used
computer dial-up Internet modems to connect computers to networks and used password
cracking programs to gain access to data. Today, criminals go beyond information theft.
Criminals can now use malware and viruses as high-tech instruments. However, the
biggest motivation for most cybercriminals is financial. Cybercrimes have become more
lucrative than illegal drug transactions.

The general hacker profiles and motives have changed a bit. The figure shows modern
hacking terms and a brief description of each.
Why become a cybersecurity specialist?

The demand for cybersecurity specialists has grown more than the demand for other IT
jobs. All the technology that transforms the kingdom and improves people's way of life
can also make them more vulnerable to attack. Technology itself cannot prevent, detect,
respond to, or recover from cybersecurity incidents. Consider the following:

 The skill level required by an efficient cybersecurity specialist and the shortage of
qualified cybersecurity professionals translate into the possibility of higher
income.

 Information technology is constantly changing. This is also true for cybersecurity.
The highly dynamic nature of the cybersecurity field can be difficult and fascinating.

 The career of a cybersecurity specialist is also highly transferable. Jobs exist in almost
all geographic locations.

 Cybersecurity specialists provide a necessary service to their organizations,
countries and companies, almost like law enforcement authorities or emergency
response teams.

Becoming a cybersecurity specialist is a rewarding career opportunity.

How to thwart cyber criminals

Thwarting cybercriminals is a difficult task and there is no such thing as a “magic
bullet.” However, businesses, government, and international organizations have begun
taking coordinated action to limit or keep cybercriminals at bay. Coordinated actions
include the following:

 Creating comprehensive databases of known signatures of system vulnerabilities
and attacks (a unique arrangement of information used to identify an attacker's
attempt to exploit a known vulnerability). Organizations share these databases
around the world to help prepare for and fend off many common attacks.

 Establishment of early warning sensors and alert networks. Because of the cost and
inability to monitor each network, organizations monitor high-value targets or create
impostors that look like high-value targets. Because these high-value targets are
more likely to experience attacks, they warn others of potential attacks.

 Cyber intelligence information sharing. Companies, government agencies, and
countries are now collaborating to share essential information about serious
attacks on critical targets to prevent similar attacks elsewhere. Many countries
have established cyber intelligence agencies to collaborate around the world in the
fight against major cyber attacks.

 Establishment of information security management standards between national and
international organizations. ISO 27000 is a good example of these international
efforts.

 Enactment of new laws to discourage cyber attacks and data breaches. These laws
have severe fines to penalize cybercriminals who carry out illegal actions.

The figure shows measures to thwart cybercriminals and a brief description of each.

https://www.cvedetails.com/
https://www.honeynet.org/node/960

https://www.infragard.org/
http://www.27000.org/

https://cybersecurity.isaca.org/legislation
Laboratory practice: job search in the cybersecurity area

In this lab, you will use popular job search websites to identify jobs in the cybersecurity
profession and learn the qualifications needed for cybersecurity professionals.

Threats to the people of the kingdom

Cyber champions are innovators and visionaries who create the cyber kingdom. They have
the intelligence and knowledge to recognize the power of data and harness that power to
build great organizations, provide services, and protect people from cyber attacks. Cyber
champions recognize the threat that data presents if it is used against people.

Threats and vulnerabilities are the main concern of cyber champions. A cybersecurity
threat is the possibility of a harmful event, such as an attack, occurring. Vulnerability is
a weakness that makes a target susceptible to attack. For example, data in the wrong
hands can result in loss of privacy for owners, affect their credit, or compromise their
professional or personal relationships. Identity theft is big business. However, Google
and Facebook are not necessarily the ones that present the biggest risk. Schools,
hospitals, financial institutions, government agencies, the workplace, and e-commerce
pose greater risks. Organizations like Google and Facebook have the resources to hire
top cybersecurity talent to protect their castles. As organizations develop data castles,
the need for cybersecurity professionals increases. This leaves smaller companies and
organizations in the competition for the remaining pool of cybersecurity professionals.
Cyber threats are particularly dangerous for some industries and the records they must
maintain.

Types of personal records

The following examples are just some data sources that may come from established
organizations.
Medical records

Going to the doctor's office results in more information being added to an electronic
health record (EHR). A doctor's prescription becomes part of the EHR. An EHR includes
physical and mental status, and other personal information that may not be medically
related. For example, a person goes to therapy as a child because of major changes in
the family. This will appear somewhere in that person's medical record. In addition to medical
history and personal information, the EHR may also include information about that
person's family. Several laws address the protection of patient records.

Medical devices such as fitness bands use the cloud platform to enable wireless
transfer, storage and display of clinical data such as heart rate, blood pressure and blood
sugar. These devices can generate an enormous amount of clinical data that can become
part of your medical records.

Educational records

Educational records include information on grades, test scores, attendance, courses
taken, awards, degrees awarded, and disciplinary reports. This record may also include
contact information, health and immunization records, and special education records,
including individualized educational programs (IEPs).

Employment and financial records

Employment information may include past employment and performance. Employment
records may also include wage and insurance information. Financial records may include
information about income and expenses. Tax records may include pay stubs, credit card
statements, credit scores, and banking information.

Threats to kingdom services

Kingdom services are the same services that a network, and ultimately the Internet, needs
to operate. These services include routing, addressing, naming, and database
management. These services also serve as prime targets for cybercriminals.

Criminals use packet analysis tools to capture data flows on a network. This means that
all sensitive data, such as usernames, passwords, and credit card numbers, are at risk.
Packet protocol analyzers monitor and record all information coming from a network.
Criminals can also use fake devices, such as unsecured Wi-Fi access points. If the
criminal sets up these devices near a public place, such as a coffee shop, unsuspecting
people can connect and the protocol analyzer will copy their personal information.

The Domain Name System (DNS) translates a domain name, for example
www.facebook.com, into its numerical IP address. If a DNS server does not know the IP
address, it will query another DNS server. With DNS spoofing (or DNS cache poisoning),
the criminal introduces false data into the DNS resolver cache. These poisoning attacks
exploit a weakness in DNS software that causes DNS servers to redirect traffic for a
specific domain to the criminal's computer, instead of directing it to the legitimate
owner of the domain.
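A poisoned entry can only redirect traffic once the resolver has accepted a forged answer into its cache, so the defensive point of the paragraph above is what a resolver checks before caching. The following is an added example, not code from the Cisco course: a small model of a stub resolver (the `Resolver` class, its `DnsQuery`/`DnsAnswer` messages, and every name and address in it are constructed for this illustration) that applies the standard acceptance checks: the transaction ID must match an outstanding query, the echoed question must be the one asked, and records for names outside the queried zone (the bailiwick check) are discarded rather than cached.

```python
"""Added example (not from the Cisco course): the checks a resolver applies
before it caches a DNS answer, modelled with constructed sample data."""
import secrets
from dataclasses import dataclass


@dataclass
class DnsQuery:
    txid: int      # 16-bit transaction ID, randomised per query
    qname: str     # name asked for


@dataclass
class DnsAnswer:
    txid: int
    qname: str     # question section echoed back by the server
    records: dict  # name -> IPv4 string (simplified answer/additional sections)


class Resolver:
    """Stub resolver with a cache; an answer is cached only if it passes all checks."""

    def __init__(self):
        self.cache = {}    # name -> IP
        self.pending = {}  # txid -> name we are waiting on

    def send_query(self, qname):
        # A random ID means a spoofer who did not see the query has to guess it.
        txid = secrets.randbelow(1 << 16)
        self.pending[txid] = qname.lower()
        return DnsQuery(txid, qname)

    def receive(self, ans):
        # Check 1: the answer must carry the transaction ID of an outstanding query.
        expected = self.pending.get(ans.txid)
        if expected is None:
            return "rejected: unknown transaction id"
        # Check 2: the question section must be the one we actually sent.
        if ans.qname.lower() != expected:
            return "rejected: question mismatch"
        # Check 3 (bailiwick): only cache records for names within the zone we
        # asked about; a record for an unrelated domain is dropped, not cached.
        zone = expected.split(".", 1)[1] if "." in expected else expected
        for name, ip in ans.records.items():
            name = name.lower()
            if name == expected or name.endswith("." + zone):
                self.cache[name] = ip
        del self.pending[ans.txid]  # a late duplicate or replay is now rejected
        return "accepted"

    def lookup(self, qname):
        return self.cache.get(qname.lower())


if __name__ == "__main__":
    r = Resolver()
    q = r.send_query("www.example.com")
    # Constructed forged answer: wrong transaction ID, never reaches the cache.
    print(r.receive(DnsAnswer((q.txid + 1) % 65536, q.qname,
                              {"www.example.com": "198.51.100.7"})))
    # Constructed legitimate answer carrying one out-of-bailiwick extra record.
    print(r.receive(DnsAnswer(q.txid, q.qname,
                              {"www.example.com": "192.0.2.10",
                               "login.bank.example": "198.51.100.7"})))
    print(r.lookup("www.example.com"), r.lookup("login.bank.example"))
```

Real resolvers add source-port randomisation and DNSSEC validation on top of these checks; the model only shows why a forged packet must match both the ID and the question, and why unsolicited records are not trusted.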

Packets transport data over a network or the Internet. Packet spoofing (or packet
injection) interferes with an established network communication by creating packets to
appear as if they are part of a communication. Packet spoofing allows a criminal to alter
or intercept packets. This process allows criminals to hijack an authorized connection or
deny a person's ability to use certain network services. Cyber professionals call this
activity a man-in-the-middle attack.

The examples given are only general examples of the types of threats that criminals can
launch against kingdom services.

Threats to sectors of the kingdom

The kingdom's sectors include infrastructure systems such as manufacturing, energy,
communication and transportation. For example, the smart grid is an improvement to
the electricity generation and distribution system. The electrical grid carries energy
from central generators to a large number of customers. A smart grid uses information
to create an advanced, automated power distribution network. Global leaders recognize
that protecting infrastructure is critical to protecting their economy.

Over the past decade, cyberattacks like Stuxnet have demonstrated that a cyberattack
can successfully destroy or disrupt critical infrastructure. Specifically, the Stuxnet
attack targeted the supervisory control and data acquisition (SCADA) system used to
control and monitor industrial processes. SCADA can be part of various industrial
processes in manufacturing, production, energy and communication systems. Click here
to see more information about the Stuxnet attack.

A cyber attack could nullify or interrupt industrial sectors such as telecommunications,
transportation, or electricity generation and distribution systems. It may also disrupt the
financial services sector. One of the problems with environments that incorporate a
SCADA is that the designers did not connect the SCADA to the traditional IT environment
and the Internet. Therefore, they did not adequately consider cybersecurity during the
development phase of these systems. Like other industries, organizations using SCADA
systems recognize the value of data collection to improve operations and lower costs.
The resulting trend is to connect SCADA systems to traditional IT systems. However, this
increases the vulnerability of sectors that use SCADA systems.

The advanced threat potential that exists in the realms today demands a special
generation of cybersecurity specialists.

Threats to the kingdom's way of life

Cybersecurity is the constant effort to protect network systems and data from
unauthorized access. On a personal level, everyone needs to protect their identity, their
data and their computing devices. At the corporate level, it is the responsibility of
employees to protect the organization's reputation, data, and customers. At the state
level, national security and the safety and well-being of citizens are at stake.
Cybersecurity professionals are often involved in working with government agencies in
identifying and collecting data.

In the US, the National Security Agency (NSA) is responsible for intelligence gathering
and surveillance activities. The NSA created a new data center to process the increasing
volume of information. In 2015, the US Congress passed the USA Freedom Act which
ended the practice of mass collecting the phone records of US citizens. The program
provided the metadata and gave the NSA information about communications sent and
received.

Efforts to protect people's way of life often conflict with their right to privacy. It will be
interesting to see what happens with the balance between these rights and the security
of the kingdom.

Lab: Threat Identification

In this lab, you will examine the threats that cybercriminals pose and identify the traits
and requirements necessary to become a cybersecurity specialist.
Internal and external threats

Internal security threats

Attacks can originate within an organization or outside it, as shown in the figure. An
internal user, such as an employee or contracted partner, may accidentally or
intentionally:

 Mishandle sensitive data

 Threaten the operations of internal servers or network infrastructure devices

 Facilitate external attacks by connecting infected USB media to the corporate
computer system

 Accidentally invite malware onto the network through malicious emails or web pages

Internal threats have the potential to cause greater damage than external threats
because internal users have direct access to the building and its infrastructure devices.
Insider attackers typically have knowledge of the corporate network, its resources, and
its sensitive data. They may also be aware of security countermeasures, policies, and
higher levels of administrative privileges.

External security threats

External threats from amateurs or expert attackers can exploit vulnerabilities in devices
connected to the network or can use social engineering, such as tricks, to gain access.
External attacks exploit weaknesses or vulnerabilities to gain access to internal
resources.

Traditional data

Corporate data includes personnel information, intellectual property and financial data.
Personnel information includes application materials, payroll, offer letter, employee
agreements, and any information used to make employment decisions. Intellectual
property, such as patents, trademarks, and new product plans, allows a company to gain
an economic advantage over its competitors. Consider this intellectual property a trade
secret; Losing this information can be disastrous for the future of the company. Financial
data such as income statements, balance sheets, and cash flow statements provide
information about the health of the company.

Vulnerabilities of mobile devices

In the past, employees typically used company computers connected to a corporate LAN.
Administrators continually monitor and update these computers to meet security
requirements. Today, mobile devices such as iPhones, smartphones, tablets and
thousands of other devices are powerful substitutes or additions to traditional
computers. People are increasingly using these devices to access company information.
Bring Your Own Device (BYOD) is a growing trend. The inability to centrally manage and
update mobile devices presents a growing threat to organizations that allow employee
mobile device use on their networks.

The emergence of the internet of things

The Internet of Things (IoT) is the set of technologies that allow the connection of
various devices to the Internet. The technological evolution associated with the advent
of the IoT is changing business and consumer environments. IoT technologies allow
people to connect billions of devices to the Internet. These devices include locks,
motors, and entertainment devices, just to name a few examples. This technology
affects the amount of data that needs protection. Users access these devices remotely,
increasing the number of networks that require protection.

With the rise of the IoT, there is much more data that needs to be managed and
protected. All of these connections, plus the expanded storage capacity and services
offered through the cloud and virtualization, have driven exponential data growth. This
expansion of data has created a new area of interest in technology and business called
“big data.”

The impact of big data

Big data is the result of data sets that are large and complex, making traditional data
processing applications inadequate. Big data presents challenges and opportunities
according to three dimensions:

 The volume or amount of data

 Data speed

 The variety or range of data types and sources

There are many examples of major threats in the news. Companies like Target, Home
Depot, and PayPal are targets of highly promoted attacks. As a result, enterprise
systems must make dramatic changes to security product designs and major upgrades to
technologies and practices. Additionally, governments and industries are introducing
more regulations and obligations that require better data protection and security
controls to help protect big data.

Use of advanced instruments

Software vulnerabilities are currently based on programming errors, protocol
vulnerabilities or system misconfigurations. The cybercriminal only has to take
advantage of one of these. For example, a common attack was constructing an input to a
program to sabotage it, causing it to malfunction. This malfunction provided a way into
the program or caused it to leak information.
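To make the "crafted input causes a leak" idea concrete, here is an added example that is not part of the Cisco course: a parser for a constructed length-prefixed record format (2-byte big-endian length, then payload, records concatenated), written once trusting the sender's length field and once validating it. The functions `parse_naive`, `parse_checked` and `safe_parse` and the sample buffers `LEGIT` and `CRAFTED` are all constructed for this illustration; the crafted buffer declares a 20-byte record that carries only 5 bytes, so the naive parser returns the neighbouring record's contents as part of the first one.

```python
"""Added example (not from the Cisco course): a length-prefixed record parser
that trusts the sender's length field, beside a hardened version. The wire
format is constructed for this example."""
import struct


def encode(payloads):
    """Build a well-formed buffer from a list of byte strings."""
    return b"".join(struct.pack(">H", len(p)) + p for p in payloads)


def parse_naive(buf):
    """Vulnerable: uses the declared length without checking it against the data."""
    out, i = [], 0
    while i + 2 <= len(buf):
        (n,) = struct.unpack(">H", buf[i:i + 2])
        out.append(buf[i + 2:i + 2 + n])  # may run past this record into the next one
        i += 2 + n
    return out


def parse_checked(buf, max_len=1024):
    """Hardened: every length is validated before a single payload byte is used."""
    out, i = [], 0
    while i < len(buf):
        if len(buf) - i < 2:
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">H", buf[i:i + 2])
        if n > max_len:
            raise ValueError("declared length %d exceeds policy limit" % n)
        if len(buf) - (i + 2) < n:
            raise ValueError("declared length %d exceeds remaining data" % n)
        out.append(buf[i + 2:i + 2 + n])
        i += 2 + n
    return out


def safe_parse(buf):
    """Returns the records, or None when the input is rejected as malformed."""
    try:
        return parse_checked(buf)
    except ValueError:
        return None


# Constructed inputs: a well-formed buffer, and one whose first record claims
# 20 bytes but only carries 5, so the following record "leaks" into it.
LEGIT = encode([b"hello", b"secret"])
CRAFTED = struct.pack(">H", 20) + b"hello" + encode([b"secret"])

if __name__ == "__main__":
    print("naive, legit:  ", parse_naive(LEGIT))
    print("naive, crafted:", parse_naive(CRAFTED))   # second record exposed
    print("checked, crafted:", safe_parse(CRAFTED))  # None: rejected
```

In a memory-unsafe language the same mistake reads past the buffer rather than into the next record, which is why the hardened parser checks the declared length against both a policy limit and the bytes actually available before using it.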

Currently, there is growing sophistication in cyberattacks. An advanced persistent threat
(APT) is a continuous attack that proceeds under the radar against a specific target. Criminals
generally choose an APT for political or business reasons. An APT occurs over a long
period of time with a high level of secrecy, using sophisticated malware.

Algorithm attacks can track a system's self-reporting data, such as how much power a
computer uses, and use that information to select targets or trigger false alerts.
Algorithmic attacks can also disable a computer by forcing it to use memory or overwork
its central processing unit. Algorithm attacks are sneakier because they attack the
designs used to improve energy savings, reduce system failures, and improve
efficiencies.

Finally, the new generation of attacks involves intelligent victim selection. In the past,
attacks selected the easiest options or the most vulnerable victims. However, with more
attention to detecting and isolating cyberattacks, cybercriminals must be more careful.
They can't risk early detection or cybersecurity specialists will close the castle doors.
As a result, many of the most sophisticated attacks will only be launched if the attacker
can match the target's signature.

A wider reach and the cascade effect

Federated identity management refers to multiple companies allowing users to use the
same identification credentials to gain access to the networks of all companies in the
group. This extends the reach and increases the chances of a cascading effect if an
attack occurs.

A federated identity connects a subject's electronic identity across separate identity
management systems. For example, a subject may log in to Yahoo! with Google or
Facebook credentials. This is an example of a social login.

The goal of federated identity management is to share identity information automatically
across castle boundaries. From the perspective of the individual user, this means a
single login to the network.

It is imperative that organizations scrutinize identifying information shared with partners.
Social security numbers, names, and addresses can give identity thieves the
opportunity to steal this partner information to perpetrate fraud. The most common way
to protect federated identity is to link the login capability to an authorized device.

Security implications

Emergency call centers in the US are vulnerable to cyberattacks that could shut
down 911 networks, compromising public safety. A telephone denial of service (TDoS)
attack floods a target telephone network with calls, overwhelming the system and
preventing legitimate calls from getting through. Next-generation 911 call centers are
vulnerable because they use voice over IP (VoIP) systems instead of traditional landlines.
In addition to TDoS attacks, these call centers can also be at the mercy of distributed
denial of service (DDoS) attacks that use many systems to overwhelm the target's
resources, making them unavailable to legitimate users. Today, there are many ways to
request 911 help, from using an app on a smartphone to a home security system.

Improved recognition of cybersecurity threats

Defenses against cyberattacks at the beginning of the cyber age were low. A smart high
school student or script kiddie could have access to the systems. Countries around the
world are becoming more aware of the threats of cyber attacks. The threat posed by
cyberattacks now tops the list of the biggest threats to national and economic security
in most countries.

How to address the shortage of cybersecurity specialists

In the US, the National Institute of Standards and Technology (NIST) created a
framework for companies and organizations that need professionals in the area of
cybersecurity. The framework allows companies to identify the main types of
responsibilities, positions and workforce skills needed. The National Cybersecurity
Workforce Framework classifies and describes cybersecurity work. It provides a common
language that defines cybersecurity work along with a common set of tasks and skills
required to become a cybersecurity specialist. The framework helps define cybersecurity
professional requirements.

Seven categories of champions in the area of cybersecurity

The workforce framework categorizes cybersecurity work into seven categories.

Operate and maintain includes providing technical support, administration, and
maintenance necessary to ensure the performance and security of IT systems.

Protect and defend includes identifying, analyzing and mitigating threats to internal
systems and internal networks.

Investigate includes the investigation of cyber events or computer crimes involving IT
resources.

Collect and operate includes specialized attack and deception operations, and the
collection of cybersecurity information.

Analyze includes the highly specialized review and evaluation of incoming cybersecurity
information to determine whether it is useful for intelligence.

Supervision and development establishes the leadership, management and direction to
carry out cybersecurity work effectively.

Deploying securely includes conceptualizing, designing, and building secure IT systems.

Within each category, there are several areas of specialty. The specialty areas then
define common types of cybersecurity work.

The figure shows each of the categories and a brief description of each one.

Professional organizations

Cybersecurity specialists must often collaborate with professional colleagues.
International technology organizations often sponsor workshops and conferences. These
organizations generally keep cybersecurity professionals inspired and motivated.

Click on the logos in the figure to learn more about some important security
organizations.

Cybersecurity student competitions and organizations

Cybersecurity specialists must have the same skills as hackers, especially black hat
hackers, to offer protection against attacks. How can a person build and practice the
skills necessary to become a cybersecurity specialist? Student skills competitions are a
great way to develop cybersecurity knowledge, skills and capabilities. There are many
national cybersecurity skills competitions available to cybersecurity students.

Click on the logos above to learn more about student cybersecurity competitions,
organizations, and clubs.
https://www.uscyberpatriot.org/

https://www.skillsusa.org/

https://www.uscyberchallenge.org/

https://www.nationalcyberleague.org/index.shtml

Industry certifications

In a world of cybersecurity threats, there is a great need for expert and qualified
information security professionals. The IT industry established standards for
cybersecurity specialists to obtain professional certifications that provide proof of skills
and level of knowledge.

CompTIA Security+

Security+ is a CompTIA-sponsored testing program that certifies IT administrators'
competency in information security. The Security+ test covers the most important
principles for protecting a network and managing risk, including concerns related to
cloud computing.

EC-Council Certified Ethical Hacker (CEH)

This intermediate-level certification from the International Council of E-Commerce
Consultants (EC-Council) affirms that cybersecurity specialists who hold it possess the
skills and knowledge for various hacking practices. These cybersecurity specialists use
the same skills and techniques that cybercriminals use to identify system vulnerabilities
and access points in systems.

SANS GIAC Security Essentials (GSEC)

The GSEC certification is a good choice as an entry-level credential for cybersecurity
specialists who can demonstrate that they understand security terminology and
concepts, and have the skills and experience necessary for “hands-on” security
positions. The SANS GIAC program offers several additional certifications in the fields of
security management, computer forensics, and auditing.

(ISC)² Certified Information Systems Security Professional (CISSP)

The CISSP certification is a vendor-neutral certification for cybersecurity specialists with
extensive technical and administrative experience. It is also formally approved by the US
Department of Defense (DoD), and it is a certification with global recognition in the
security sector.

ISACA Certified Information Security Manager (CISM)

Cyber heroes responsible for managing, developing and monitoring enterprise-level
information security systems, or those who develop security best practices, can earn
CISM certification. Holders of this credential possess advanced skills in security risk
management.

Company Sponsored Certifications

Other important credentials for cybersecurity specialists are company-sponsored
certifications. These certifications measure knowledge and proficiency in installing,
configuring, and maintaining vendors' products. Cisco and Microsoft are examples of
companies with certifications that prove knowledge of their products. Click here to
explore the matrix of Cisco certifications shown in the figure.

Cisco Certified Network Associate Security (CCNA Security)

The CCNA Security certification confirms that a cybersecurity specialist has the
knowledge and skills necessary to protect Cisco networks.

Click here to learn more about CCNA Security certification.


How to become a cyber hero

To become a successful cybersecurity specialist, the potential candidate must take into
account some of the unique requirements. Heroes must be able to respond to threats as
soon as they occur. This means that work hours can be unconventional.

Cyber Heroes also analyze policies, trends and intelligence to understand how cyber
criminals think. Many times, this can include a lot of discovery work.

The following recommendations will help aspiring cybersecurity specialists achieve their
goals:

 Study – Learn the basics by completing courses in IT. Be a lifelong student.
Cybersecurity is an ever-changing field and cybersecurity specialists must stay up
to date.

 Earn certifications – Company- and industry-sponsored certifications from
organizations such as Microsoft and Cisco demonstrate that one possesses the
knowledge necessary to seek employment as a cybersecurity specialist.

 Look for internships – Pursuing a security internship as a student can translate into
opportunities down the road.

 Join professional organizations – Join cybersecurity organizations, attend meetups
and conferences, and participate in forums and blogs to gain knowledge from
experts.

Laboratory practice: exploring the world of professionals in the area of cybersecurity

In this lab, you will examine the daily responsibilities of a cybersecurity professional and
identify the types of controls and security precautions that large organizations must take
to protect their information and information systems.

Packet Tracer: creating a cyber world

In this Packet Tracer activity, you will accomplish the following objectives:

 Configure the FTP server

 Configure the web server

 Set up email server

 Configure DNS server

 Configure the NTP server

 Configure AAA Server

1.5.3.5 Packet Tracer: Creating a Cyber World.pdf

1.5.3.5 Packet Tracer: Creating a Cyber World.pka

Packet Tracer: communication in a cyber world

In this Packet Tracer activity, you will accomplish the following objectives:

 Send email between users

 Upload and download files using FTP

 Remotely access a company router using Telnet

 Remotely access a company router using SSH

1.5.3.6 Packet Tracer: Creating a Cyber World.pdf

1.5.3.6 Packet Tracer: Creating a Cyber World.pka


Chapter 2: The Cybersecurity Skills Cube

The term "sorcerer" is a label that describes cybersecurity professionals who protect the
cyber world. Like sorcerers of the mystical world, cybernetic sorcerers are interested in
promoting good and protecting others. John McCumber is one of the first cybersecurity
wizards. He developed a framework called McCumber's Cube that cybersecurity wizards
use to protect the cyber world. McCumber's Cube resembles the Rubik's Cube.

The first dimension of the cybersecurity skills cube includes the three principles of
cybersecurity. Cybersecurity professionals refer to the three principles as the CIA triad.
The second dimension identifies the three states of information or data. The third
dimension of the cube identifies the powers that sorcerers draw on to provide protection.
These powers are the three categories of cybersecurity safeguards.

The chapter also analyzes the ISO cybersecurity model. The model represents an
international framework to standardize the administration of information systems.

The security principles

The first dimension of the cybersecurity skills cube identifies the objectives to protect
the cyber world. The objectives identified in the first dimension are the basic principles
of the world of cybersecurity. These three principles are confidentiality, integrity and
availability. The principles provide focus and allow the cyber sorcerer to prioritize
actions in protecting the cyber world.

Confidentiality prevents the disclosure of information to unauthorized persons,
resources, or processes. Integrity refers to the accuracy, consistency, and reliability of
data. Finally, availability ensures that users can access information when needed. Use
the acronym CIA to remember these three principles.

Data states

The cyber world is a world of data; therefore, cyber wizards focus on data protection.
The second dimension of the cybersecurity skills cube focuses on the problems of
protecting all states of data in the cyber world. Data has three possible states:

 Data in transit

 Stored data

 Data in process

Protecting the cyber world requires cybersecurity professionals to account for data
protection in all three states.

Cybersecurity measures
The third dimension of the cybersecurity skills cube defines the types of powers that a
cybersecurity wizard draws on to protect the cyber world. Cybersecurity professionals
must use all available powers at their disposal to protect data from the cyber world.

The Cybersecurity Skills Cube identifies the three types of powers and instruments used
to provide protection. The first type of power includes technologies, devices, and
products available to protect information systems and keep cybercriminals out.
Cybersecurity professionals have a reputation for mastering the technological tools at
their disposal. However, McCumber reminds us that technological tools are not enough
to defeat computer criminals. Cybersecurity professionals must also create a strong
defense by establishing the policies, procedures and guidelines that allow citizens of the
cyber world to stay safe and follow proper practices. Lastly, like the world of sorcerers,
citizens of the cyber world must strive to gain more knowledge about their world and the
dangers that threaten their world. They must continually seek greater knowledge and
establish a culture of learning and awareness.

The principle of confidentiality

Confidentiality prevents the disclosure of information to unauthorized persons,
resources, and processes. Another term for confidentiality is privacy. Organizations
restrict access to ensure that only authorized operators can use data or other network
resources. For example, a programmer should not have access to the personal
information of all employees.
Organizations need to train employees on best practices in protecting sensitive
information to protect themselves and the organization from attacks. Methods used to
ensure confidentiality include data encryption, authentication, and access control.

Data privacy protection

Organizations collect large amounts of data. Most of this data is not confidential because
it is publicly available, such as names and phone numbers. Other data collected,
however, is confidential. Sensitive information refers to data protected from
unauthorized access to protect a person or organization. There are three types of
confidential information:

 Personal information is personally identifiable information (PII), data that traces
back to an individual. Figure 2 lists this category of data.

 Business information is information that would pose a risk to the organization if
discovered by the public or competitors. Figure 3 lists this category of data.

 Classified information is information that belongs to a government entity and is
classified by its level of sensitivity. Figure 4 lists this category of data.

Access control

Access control defines various protection schemes that prevent unauthorized access to
a computer, network, database, or other data resources. The AAA concept involves three
security services: authentication, authorization and accounting. These services provide
the primary framework for controlling access.

The first “A” in AAA represents authentication. Authentication verifies a user's identity
to prevent unauthorized access. Users claim their identity with a username or ID.
Additionally, users must prove their identity in one of the following ways, as shown in
Figure 1:

 Something they know (for example, a password)

 Something they have (for example, a token or card)

 Something they are (for example, a fingerprint)

For example, if you go to an ATM to get cash, you need your bank card (something you
have) and you need to know the PIN. This is also an example of multi-factor
authentication. Multi-factor authentication requires more than one type of
authentication. The most popular form of authentication is the use of passwords.

Authorization services determine which resources users can access, along with the
operations that users can perform, as shown in Figure 2. Some systems accomplish this
with an access control list, or ACL. An ACL determines whether a user has certain
access privileges once the user has authenticated. Just because you can log in to the
company network doesn't mean you're allowed to use the high-speed color printer.
Authorization can also control when a user has access to a specific resource. For
example, employees may have access to a sales database during work hours, but the
system locks them out after hours.

Accounting tracks user activities, including the sites they access, the amount of time
they spend on resources, and the changes they make. For example, a bank keeps track
of each customer account. An audit of that system can reveal the timing and quantity of
all transactions and the employee or system that executed the transactions.
Cybersecurity accounting services work the same way. The system tracks each data
transaction and provides audit results. An administrator can configure computer policies,
as shown in Figure 3, to enable system auditing.

The concept of AAA is similar to using a credit card, as indicated in Figure 4. The credit
card identifies who may use it, limits how much the user can spend, and records which
items or services the user purchased.
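
The three services as working code, as an added example for this section rather than course material: the users, roles, ACL entries and token seeds are constructed, and the one-time code is a simplified HMAC-of-a-counter stand-in for a real token, not an HOTP/TOTP implementation. Authentication checks two factors, authorization consults the ACL only after authentication succeeds, and accounting records every decision, including denials.

```python
"""AAA in miniature: authentication, authorization and accounting.

Added example for this section, not code from the Cisco course. The users,
roles, ACL entries and token seeds are constructed sample data.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone

ITERATIONS = 100_000  # PBKDF2 work factor; passwords are never stored in clear


def _make_user(password: str, token_seed: str, role: str) -> dict:
    salt = os.urandom(16)
    return {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS),
        "token_seed": token_seed,  # "something you have": the seed inside a token
        "role": role,
    }


# Constructed users (the passwords here are placeholders for a demo only).
USERS = {
    "alice": _make_user("correct horse battery staple", "ALICE-TOKEN-SEED", "sales"),
    "bob": _make_user("bob-demo-password", "BOB-TOKEN-SEED", "developer"),
}

# Access control list: role -> {resource: permitted operations}.
ACL = {
    "sales": {"sales_db": {"read", "write"}, "color_printer": {"print"}},
    "developer": {"source_repo": {"read", "write"}},
}

# Accounting: every decision is appended here (in-memory stand-in for an audit log).
AUDIT_LOG = []


def _record(user: str, action: str, resource: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "resource": resource, "outcome": outcome,
    })


def token_code(seed: str, counter: int) -> str:
    """Six-digit code derived from the token seed and a moving counter.
    A simplified stand-in for HOTP/TOTP, not an implementation of either."""
    digest = hmac.new(seed.encode(), str(counter).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def authenticate(user: str, password: str, code: str, counter: int) -> bool:
    """Two factors: something you know (password) and something you have (token)."""
    rec = USERS.get(user)
    if rec is None:
        _record(user, "login", "-", "denied: unknown user")
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], ITERATIONS)
    password_ok = hmac.compare_digest(candidate, rec["hash"])
    token_ok = hmac.compare_digest(code, token_code(rec["token_seed"], counter))
    ok = password_ok and token_ok
    _record(user, "login", "-", "success" if ok else "denied: bad credential")
    return ok


def authorize(user: str, resource: str, operation: str) -> bool:
    """Consult the ACL for the user's role; being logged in grants nothing by itself."""
    role = USERS[user]["role"]
    allowed = operation in ACL.get(role, {}).get(resource, set())
    _record(user, operation, resource, "allowed" if allowed else "denied")
    return allowed


def access(user: str, password: str, code: str, counter: int,
           resource: str, operation: str) -> bool:
    """Full AAA path: authenticate, then authorize, with every step accounted for."""
    if not authenticate(user, password, code, counter):
        return False
    return authorize(user, resource, operation)


if __name__ == "__main__":
    code = token_code("ALICE-TOKEN-SEED", 42)  # what Alice's token would display
    print(access("alice", "correct horse battery staple", code, 42, "sales_db", "read"))
    print(access("alice", "correct horse battery staple", code, 42, "source_repo", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that the second call is denied even though the login succeeded: Alice's role has no entry for the source repository, which is the "logged in does not mean allowed to print" point above. Both the success and the denial end up in the audit log.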

Cybersecurity accounting tracks and monitors in real time. Websites, such as Norse,
display attacks in real time based on data collected as part of an audit or tracking
system.

Laws and responsibilities

Confidentiality and privacy seem interchangeable, but from a legal point of view, they
have different meanings. Most privacy data is sensitive, but not all sensitive data is
private. Access to confidential information occurs after confirming appropriate
authorization. Financial institutions, hospitals, medical professionals, law firms, and
corporations manage confidential information. Sensitive information has private status.
Maintaining confidentiality is more than an ethical duty.

Privacy is the appropriate use of data. When organizations collect information provided
by customers or employees, they may only use that data for its intended purpose. Most
organizations require a customer or employee to sign an authorization form giving the
organization permission to use the data.

All of the laws listed in the figures include a provision to address privacy, beginning with
the US laws in Figure 1. Figure 2 lists a sample of international efforts. Most of these laws
are a response to the massive growth in data collection.

The growing number of privacy-related statutes creates an enormous burden on
organizations that collect and analyze data. Policies are the best way for an organization
to comply with the growing number of privacy-related laws. Policies allow organizations
to apply specific rules, procedures, and processes when collecting, storing, and sharing
data.

Data integrity principle

Integrity is the accuracy, consistency, and reliability of data throughout its lifecycle.
Another term for integrity is quality. Data undergoes operations such as capture,
storage, retrieval, update and transfer. Data must remain unaltered by unauthorized
entities during all of these operations.

Methods used to ensure data integrity include hashing, data validation checks, data
consistency checks, and access controls. Data integrity systems may include one or
more of the methods mentioned above.

The need for data integrity

Data integrity is a fundamental component of cybersecurity. The need for data integrity
varies depending on how an organization uses data. For example, Facebook does not
verify the data that a user posts on a profile. A bank or financial organization places a
higher importance on data integrity than Facebook. Customer transactions and accounts
must be accurate. In a healthcare organization, data integrity can be a matter of life and
death. Prescription information must be accurate.

Protecting data integrity is a constant challenge for most organizations. Loss of data
integrity can make all data resources corrupt or unusable.

Integrity checks

An integrity check is a way to measure the consistency of a collection of data (a file, an
image, a record). Integrity verification performs a process called a hash function to take
a snapshot of the data at a point in time. Integrity checking uses the snapshot to ensure
that the data remains unchanged.

A checksum is an example of a hash function. A checksum verifies the integrity of files
or strings before and after they are transferred from one device to another over a local
network or the Internet. A checksum converts each piece of information to a numeric
value and adds the values up to a total. To check the integrity of the data, the receiving
system simply repeats the process. If the two sums are equal, the data is valid (Figure 1).
If they are not equal, a change occurred somewhere on the line (Figure 2).

Common hash functions include MD5, SHA-1, SHA-256, and SHA-512. These hash
functions use complex mathematical algorithms. The hash value is simply there for
comparison. For example, after downloading a file, the user can verify the integrity of the
file by comparing hash values from the source with that generated by any hash
calculator.
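
The two kinds of check side by side, as an added example for this section (not course code; the message bytes are constructed). It repeats the sender's computation on the receiving side for a corrupted copy and for a copy whose bytes were merely reordered, and also shows the "compare against the published hash" step described above.

```python
"""Integrity checks: a simple additive checksum beside a cryptographic hash.

Added example for this section, not from the Cisco course. The message bytes
below are constructed sample input.
"""
import hashlib
import hmac


def additive_checksum(data: bytes) -> int:
    """Course-style checksum: treat each byte as a number, add them up, and keep
    the low 16 bits so the result fits a fixed-width field."""
    return sum(data) & 0xFFFF


def sha256_hex(data: bytes) -> str:
    """Cryptographic hash of the data, as the hex string a download page would publish."""
    return hashlib.sha256(data).hexdigest()


def verify(original: bytes, received: bytes) -> dict:
    """Receiver repeats both computations; True means 'no change detected'."""
    return {
        "checksum_ok": additive_checksum(original) == additive_checksum(received),
        "sha256_ok": sha256_hex(original) == sha256_hex(received),
    }


def matches_published(data: bytes, published_hex: str) -> bool:
    """Compare a freshly computed hash with a published value, ignoring case and
    surrounding whitespace, using a constant-time comparison."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


# Constructed sample: a transfer instruction sent from one device to another.
ORIGINAL = b"PAY 100 TO ACCOUNT 12345678"

# Case 1: one byte corrupted on the line ('1' became '9'). Both methods notice.
CORRUPTED = b"PAY 900 TO ACCOUNT 12345678"

# Case 2: two bytes swapped (account 12345678 became 21345678). The bytes are the
# same, only reordered, so their sum is unchanged and the additive checksum
# passes; SHA-256 still detects the change.
SWAPPED = b"PAY 100 TO ACCOUNT 21345678"


def demo() -> dict:
    return {
        "corrupted": verify(ORIGINAL, CORRUPTED),
        "swapped": verify(ORIGINAL, SWAPPED),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The swapped case is the practical caveat: an additive checksum catches random line noise but not every change, which is why file distributions publish SHA-256 values rather than simple sums.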

Organizations use version control to prevent accidental changes made by authorized
users. Two users cannot update the same object. Objects can be files, database records,
or transactions. For example, the first user to open a document has permission to
change that document; the second person has a read-only version.

Accurate backups help maintain data integrity if data becomes corrupted. A company
needs to verify the backup process to ensure the integrity of the backup before data loss
occurs.

Authorization determines who has access to an organization's resources based on the
need to know. For example, file permissions and user access controls ensure that
only certain users can modify data. An administrator can set read-only permissions for a
file. As a result, a user with access to that file cannot make any changes.

The principle of availability

Data availability is the principle used to describe the need to maintain the availability of
information systems and services at all times. Cyberattacks and system failures can
prevent access to information systems and services. For example, taking a competitor's
website offline can give the rival an advantage. These denial of service (DoS) attacks
threaten system availability and prevent legitimate users from accessing and using
information systems when necessary.

Methods used to ensure availability include system redundancy, system backups,
increased system recoverability, equipment maintenance, updated operating systems
and software, and plans to recover quickly from unplanned disasters.

The five nines

People use different information systems in their daily lives. Computers and information
systems control communications, transportation, and product manufacturing. The
continuous availability of information systems is essential for modern life. The term "high
availability" describes systems designed to avoid downtime. High availability ensures a
level of performance for a period longer than normal. High availability systems typically
include three design principles (Figure 1):

 Eliminate single points of failure

 Provide reliable crossover

 Detect failures as they occur

The goal is the ability to continue functioning under extreme conditions, such as during
an attack. One of the most popular high availability practices is the five nines practice.
The five nines refer to 99.999%. This means downtime is less than 5.26 minutes per year.
Figure 2 provides three approaches to the five nines.
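
The arithmetic behind the five nines, as an added example for this section (not from the course): it converts an availability figure into minutes of downtime per year, and then shows why eliminating single points of failure matters by combining constructed component availabilities in series (everything must be up) and in parallel (any one copy suffices). Failures are assumed independent.

```python
"""Availability arithmetic: what "five nines" allows in downtime, and how
eliminating single points of failure changes the figure.

Added example for this section, not from the Cisco course. The component
availabilities are constructed; failures are assumed independent.
"""
MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes in a non-leap year


def downtime_minutes_per_year(availability: float) -> float:
    """Unavailable fraction of the year, expressed in minutes."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def series(*parts: float) -> float:
    """Components that must all be up (each one is a single point of failure)."""
    total = 1.0
    for a in parts:
        total *= a
    return total


def parallel(*parts: float) -> float:
    """Redundant components where any one being up is enough."""
    all_down = 1.0
    for a in parts:
        all_down *= (1.0 - a)
    return 1.0 - all_down


def meets_five_nines(availability: float) -> bool:
    return availability >= 0.99999


def example() -> dict:
    """A web tier, a database and a WAN link, first as a plain chain, then with
    each element duplicated. Values are constructed for illustration."""
    web, db, link = 0.9999, 0.9999, 0.999
    chain = series(web, db, link)
    redundant = series(parallel(web, web), parallel(db, db), parallel(link, link))
    return {
        "five_nines_downtime_min": round(downtime_minutes_per_year(0.99999), 2),
        "chain": chain,
        "chain_downtime_min": round(downtime_minutes_per_year(chain), 1),
        "redundant": redundant,
        "redundant_downtime_min": round(downtime_minutes_per_year(redundant), 2),
        "chain_meets_five_nines": meets_five_nines(chain),
        "redundant_meets_five_nines": meets_five_nines(redundant),
    }


if __name__ == "__main__":
    for k, v in example().items():
        print(f"{k}: {v}")
```

The chain of three "four nines" and "three nines" components is dragged down to the weakest link and falls well short of five nines; duplicating each element lifts the whole system above the 5.26 minutes per year threshold, which is the quantitative reason behind the "eliminate single points of failure" principle.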
Ensure availability

Organizations can ensure availability by implementing the following:

 Perform equipment maintenance

 Perform OS and system updates

 Perform backup tests

 Plan to avoid disasters

 Carry out implementations of new technologies

 Monitor unusual activities

 Perform the availability test


Types of data storage

Stored data refers to saved data. Stored data means that a type of storage device retains
data when no user or process uses it. A storage device can be local (on a computing
device) or centralized (on the network). There are several options for storing data.

Direct Attached Storage (DAS) provides storage attached to a computer. A hard drive or
USB flash drive is an example of direct-attached storage. By default, systems are not
configured to share direct-attached storage.

Redundant Array of Independent Disks (RAID) uses multiple hard drives in an array,
which is a method of combining multiple disks so that the operating system sees them
as a single disk. RAID provides better performance and fault tolerance.

A network attached storage (NAS) device is a storage device attached to a network that
enables storage and retrieval of data from a centralized location by authorized users of
the network. NAS devices are flexible and scalable, meaning administrators can increase
capacity as needed.

A storage area network (SAN) architecture is a network-based storage system. SAN
systems connect to the network using high-speed interfaces that allow for better
performance and the ability to connect multiple servers to a centralized disk storage
repository.

Cloud storage is a remote storage option that uses space at a data center provider and is
accessible from any computer with Internet access. Google Drive, iCloud, and Dropbox
are examples of cloud storage providers.

Challenges in protecting stored data


Organizations have a difficult task when trying to protect stored data. To improve data
storage, companies can automate and centralize data backups.

Direct-attached storage can be one of the most difficult types of data storage to manage
and control. Direct attached storage is vulnerable to malicious attacks on the local host.
Stored data may also include backup data. Backups can be manual or automatic.
Organizations should limit the types of data stored in direct-attached storage. In
particular, an organization would not store critical data on direct-attached storage
devices.

Network storage systems offer a more secure alternative. Network storage systems
including RAID, SAN, and NAS provide increased performance and redundancy. However,
network storage systems are more complicated to configure and manage. They also
handle more data, which presents a greater risk to the organization if the device fails.
The particular challenges of network storage systems include system configuration,
testing, and monitoring.

Data transmission methods

Data transmission involves sending information from one device to another. There are
several methods to transmit information between devices, including the following:

 Sneakernet (a "transfer network") – uses removable media to physically move data
from one computer to another

 Wired networks – use cables to transmit data

 Wireless networks – use radio waves to transmit data

Organizations will never be able to eliminate the use of sneakernet entirely.

Wired networks include copper and fiber optic cabling networks. Wired networks can
serve a local geographic area (local area network) or can span large distances (wide
area networks).

Wireless networks are replacing wired networks. Wireless networks are becoming faster
and capable of handling more bandwidth. Wireless networks extend the number of guest
users with mobile devices in small office, home office (SOHO) and enterprise networks.

Wired and wireless networks use packets, or units of data. The term packet refers to a
unit of data that moves between a source and a destination on the network. Standard
protocols such as Internet Protocol (IP) and Hypertext Transfer Protocol (HTTP) define
the structure and formation of data packets. These standards are open and available to
the public. Protecting the confidentiality, integrity and availability of transmitted data is
one of the most important responsibilities of a cybersecurity professional.

Challenges in protecting data in transit


Protecting transmitted data is one of the most challenging jobs for a cybersecurity
professional. With the growth of mobile and wireless devices, cybersecurity
professionals are responsible for protecting massive amounts of data that cross the
network daily. Cybersecurity professionals must face several challenges when protecting
this data:

 Protecting data confidentiality – Cybercriminals can capture, store and steal data in
transit. Cyber professionals must take steps to counter these actions.

 Protecting data integrity – Cybercriminals can intercept and alter data in transit.
Cybersecurity professionals implement data integrity systems that evaluate the
integrity and authenticity of transmitted data to respond to these actions.

 Protecting data availability – Cybercriminals can use fake or unauthorized devices
to disrupt data availability. A simple mobile device can present itself as a local
wireless access point and trick unsuspecting users into associating with the fake
device. Cybercriminals can hijack an authorized connection to a service or a
protected device. Network security professionals can implement mutual
authentication systems to respond to these actions. Mutual authentication systems
require the user to authenticate the server and request that the server authenticate
the user.
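
What "each side authenticates the other" looks like on the wire, as an added example for this section (not course material and not a real protocol such as 802.1X/EAP): a simplified challenge-response exchange over a constructed pre-shared key, with a second constructed key standing in for a device that does not hold the secret. The client verifies the server's proof before it sends its own, so an impostor access point never gets anything it could replay.

```python
"""Mutual authentication over a shared secret: each side proves it knows the key
before the other trusts it.

Added example for this section, not from the Cisco course. It is a simplified
challenge-response exchange (not 802.1X/EAP or any real protocol); the
pre-shared key and the rogue device's key are constructed.
"""
import hashlib
import hmac
import os

KEY = b"constructed-pre-shared-key"        # known to the real client and real server
ROGUE = b"rogue-access-point-has-no-key"   # what an impostor device would hold


def _prove(key: bytes, role: bytes, challenge: bytes, own_nonce: bytes) -> bytes:
    """HMAC over a role label, the peer's challenge and our own nonce.
    Distinct labels stop a response from being replayed in the other direction."""
    return hmac.new(key, role + challenge + own_nonce, hashlib.sha256).digest()


# Message 1 (client -> server): a fresh client nonce for this session.
def client_hello() -> bytes:
    return os.urandom(16)


# Message 2 (server -> client): server nonce plus proof over the client's nonce.
def server_reply(server_key: bytes, client_nonce: bytes):
    server_nonce = os.urandom(16)
    return server_nonce, _prove(server_key, b"server", client_nonce, server_nonce)


# Client side: verify the server's proof against the key the client holds.
def client_checks_server(client_key, client_nonce, server_nonce, proof) -> bool:
    expected = _prove(client_key, b"server", client_nonce, server_nonce)
    return hmac.compare_digest(proof, expected)


# Message 3 (client -> server): client's proof over the server's nonce.
def client_reply(client_key, server_nonce, client_nonce) -> bytes:
    return _prove(client_key, b"client", server_nonce, client_nonce)


# Server side: verify the client's proof.
def server_checks_client(server_key, server_nonce, client_nonce, proof) -> bool:
    expected = _prove(server_key, b"client", server_nonce, client_nonce)
    return hmac.compare_digest(proof, expected)


def handshake(client_key: bytes, server_key: bytes) -> dict:
    """Run the exchange end to end; both flags must be True before data flows."""
    cn = client_hello()
    sn, s_proof = server_reply(server_key, cn)
    server_ok = client_checks_server(client_key, cn, sn, s_proof)
    if not server_ok:
        # Client refuses to continue, so a fake access point never sees a client proof.
        return {"server_authenticated": False, "client_authenticated": False}
    c_proof = client_reply(client_key, sn, cn)
    client_ok = server_checks_client(server_key, sn, cn, c_proof)
    return {"server_authenticated": True, "client_authenticated": client_ok}


if __name__ == "__main__":
    print("genuine server:", handshake(KEY, KEY))
    print("rogue access point:", handshake(KEY, ROGUE))
```

Fresh nonces on both sides keep an old proof from being replayed in a later session, and the role labels keep a server proof from being reused as a client proof; real deployments add certificate-based identities on top, but the ordering of the checks is the same.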

Forms of data processing and computing


The third state of the data is data in process. This refers to data during input,
modification, computation, or output.

Protecting data integrity begins with initial data entry. Organizations use various
methods to collect data, such as manual data entry, scanned forms, file uploads, and
data collected from sensors. Each of these methods poses potential threats to data
integrity. Examples of data corruption during the capture process include data entry
errors and system sensors that are disconnected, malfunctioning, or inoperable. Other
examples include misidentified, incorrect, or mismatched data formats.

Data modification refers to any change to the original data, such as a user's manual
modification of data, a program that processes and changes data, and equipment failure
that results in modified data. Processes such as encoding and decoding, compression
and decompression, and encryption and decryption are examples of data modification.
Malicious code also causes data corruption.

Data corruption also occurs during the data output process. Data output refers to data
output from printers, electronic displays, or directly to other devices. The accuracy of
the output data is critical as the result provides information and affects decision making.
Examples of data corruption include incorrect use of data delimiters, incorrect
communication settings, and incorrectly configured printers.
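
A validation step at the point of capture, as an added example for the data entry and output passages above (not course code): the sensor rows are constructed and deliberately include a wrong delimiter, an empty reading from a disconnected sensor, an implausible value from a malfunctioning one, a mismatched date format and a row with too many fields. Each is rejected with a reason instead of being stored.

```python
"""Validating data at the point of capture, so that bad input is rejected
instead of being stored and processed.

Added example for this section, not from the Cisco course. The sensor log rows
are constructed and deliberately include each kind of capture error the text
describes.
"""
from datetime import datetime
from typing import List, Optional, Tuple

FIELD_COUNT = 3                 # timestamp,sensor_id,temperature_c
TEMP_RANGE = (-40.0, 85.0)      # plausible range for the constructed sensor
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"

SAMPLE_ROWS = [
    "2024-01-15T08:00:00,sensor-01,21.5",
    "2024-01-15T08:01:00,sensor-01,21.7",
    "2024-01-15T08:02:00;sensor-01;21.6",        # wrong delimiter
    "2024-01-15T08:03:00,sensor-01,",            # disconnected sensor: empty reading
    "2024-01-15T08:04:00,sensor-01,999.0",       # malfunctioning sensor: out of range
    "15/01/2024 08:05,sensor-01,21.8",           # mismatched date format
    "2024-01-15T08:06:00,sensor-01,21.9,extra",  # too many fields
]


def validate_row(row: str) -> Tuple[Optional[dict], Optional[str]]:
    """Return (record, None) for a valid row or (None, reason) for a rejected one."""
    parts = row.split(",")
    if len(parts) != FIELD_COUNT:
        return None, f"expected {FIELD_COUNT} comma-separated fields, got {len(parts)}"
    stamp, sensor_id, reading = (p.strip() for p in parts)
    try:
        when = datetime.strptime(stamp, TIME_FORMAT)
    except ValueError:
        return None, f"timestamp {stamp!r} does not match {TIME_FORMAT}"
    if not sensor_id.startswith("sensor-"):
        return None, f"unrecognised sensor id {sensor_id!r}"
    if reading == "":
        return None, "empty reading (sensor disconnected?)"
    try:
        value = float(reading)
    except ValueError:
        return None, f"non-numeric reading {reading!r}"
    low, high = TEMP_RANGE
    if not low <= value <= high:
        return None, f"reading {value} outside plausible range {TEMP_RANGE}"
    return {"time": when, "sensor": sensor_id, "temp_c": value}, None


def ingest(rows: List[str]) -> Tuple[List[dict], List[Tuple[int, str]]]:
    """Split rows into accepted records and (row number, reason) rejections."""
    accepted, rejected = [], []
    for number, row in enumerate(rows, start=1):
        record, reason = validate_row(row)
        if record is not None:
            accepted.append(record)
        else:
            rejected.append((number, reason))
    return accepted, rejected


if __name__ == "__main__":
    good, bad = ingest(SAMPLE_ROWS)
    print(f"accepted {len(good)} rows")
    for number, reason in bad:
        print(f"row {number} rejected: {reason}")
```

The rejection reasons are what an operator would want in a log: they distinguish a broken sensor from a broken export format, which is the difference between a hardware ticket and a configuration fix.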

Challenges in data protection in process

Failing to protect data against invalid modification during processing can have an
adverse effect. Software errors are the reason for many misfortunes and disasters. For
example, just two weeks before Christmas, some of Amazon's third-party retailers saw
the posted price on their items change to just one cent. The problem lasted an hour. The
mistake caused thousands of shoppers to get the discount of a lifetime and the company
lost revenue. In 2016, Nest's thermostat malfunctioned, leaving users without heat. The
Nest thermostat is a smart technology owned by Google. A software glitch left users
literally out in the cold. A software update was the problem: the device's batteries
died, preventing it from controlling the temperature. As a result, customers were unable
to heat their homes or get hot water on one of the coldest weekends of the year.

Protecting data during processing requires well-designed systems. Cybersecurity
professionals design policies and procedures that require testing, maintenance, and
updating of systems to keep them up and running with the fewest errors.

Software-based technological protection measures

Software protection measures include programs and services that protect operating
systems, databases, and other services that operate on workstations, portable devices,
and servers. Administrators install software-based countermeasures or protections on
individual hosts or servers. There are several software-based technologies used to
protect organizational assets:

 Software firewalls control remote access to a system. Operating systems typically
include a firewall, or a user can purchase or download third-party software.

 Network and port scanners detect and monitor open ports on a host or server.

 Protocol analyzers, or signature analyzers, are devices that collect and analyze
network traffic. They identify performance problems, detect incorrect
configurations, identify applications that are performing incorrectly, establish
baseline and normal traffic patterns, and debug communication problems.

 Vulnerability scanners are computer programs designed to assess weaknesses in
computers or networks.

 Host-based intrusion detection systems (IDS) examine activity on host systems. An
IDS generates log files and alarm messages when it detects unusual activity. A
system that stores sensitive data or provides critical services is a candidate for
host-based IDS.

Hardware-based technological protection measures

There are several hardware-based technologies used to protect organizational assets:

 Firewall devices block unwanted traffic. Firewalls contain rules that define the
traffic allowed in and out of the network.

 Dedicated intrusion detection systems (IDS) detect signs of attacks or unusual
traffic on a network and send an alert.

 Intrusion prevention systems (IPS) detect signs of attacks or unusual traffic on a
network, generate an alert, and take corrective action.

 Content filtering services control access to and transmission of unacceptable or
offensive content.

Network-based technological protection measures

There are several network-based technologies used to protect organizational assets:

 Virtual Private Network (VPN) is a secure virtual network that uses the public
network (i.e., Internet). The security of a VPN lies in the encryption of the content of
packets between the terminals that define the VPN.

 Network Access Control (NAC) requires a set of verifications before allowing a
device to connect to a network. Some common checks include installing antivirus
software or operating system updates.

 Wireless access point security includes the implementation of authentication and
encryption.

Cloud-based technological protection measures

Cloud-based technologies shift the technology component from the organization to the
cloud provider. The three main cloud computing services include the following:

 Software as a Service (SaaS) allows users to access application software and
databases. Cloud providers manage the infrastructure. Users store data on the
cloud provider's servers.

 Infrastructure as a Service (IaaS) provides virtualized computing resources over the
Internet. The provider is the host of the hardware, software, servers, and storage
components.

 Platform as a Service (PaaS) provides access to the development tools and services
used to provide the applications.

Cloud service providers have expanded these options to include IT as a service (ITaaS),
which provides IT support for IaaS, PaaS, and SaaS service models. In the ITaaS model,
an organization has a contract with the cloud provider for individual or bundled services.

Cloud service providers use virtual security appliances that run in a virtual environment
with a prepackaged and hardened operating system running on virtualized hardware.

How to implement cybersecurity training and education

Investing heavily in technology makes no difference if the people within the
organization are the weakest link in cybersecurity. A security awareness
program is extremely important for an organization. An employee may not be
intentionally malicious, but may not know what the proper procedures are. There are many
ways to implement a formal training program:

 Make security awareness training a part of the employee onboarding process

 Link security knowledge to requirements or performance assessments

 Conduct in-person training sessions

 Complete online courses

Security awareness should be an ongoing process as new threats and techniques are
always on the horizon.

Establishing a culture of cybersecurity knowledge

Members of an organization must be aware of security policies and have the knowledge
to make security a part of their daily activities.

A security awareness program depends on:

 The organization's environment

 The threat level

Creating a culture of cybersecurity awareness is an ongoing effort that requires
leadership from senior management and commitment from all users and employees.
Changing an organization's cybersecurity culture begins with management establishing
policies and procedures. For example, many organizations have cybersecurity awareness
days. Organizations can also post messages and signage to increase general
cybersecurity awareness. Creating cybersecurity guidance workshops and seminars
helps increase awareness.

Policies

A security policy is a set of security objectives for an enterprise that includes rules of
behavior for users and administrators and specifies system requirements. Together, these
objectives, rules and requirements ensure the security of an organization's network, data
and computer systems.

A complete security policy accomplishes several tasks:

 Demonstrates an organization's commitment to security.

 Sets the rules for expected behavior.

 Ensures consistency in system operations, software and hardware acquisition and
use, and maintenance.

 Defines the legal consequences of violations.

 Provides security personnel with management support.

Security policies inform users, staff, and managers of an organization's requirements for
protecting technology and information assets. A security policy also specifies the
mechanisms necessary to meet security requirements.

As shown in the figure, a security policy generally includes:

 Authentication and identification policies: Determine which authorized persons can
access network resources and describe verification procedures.

 Password policies: Ensure that passwords meet minimum requirements and are
changed periodically.

 Acceptable use policies: Identify resources and network usage that are acceptable
to the organization. They can also identify the consequences of policy violations.

 Remote access policies: Identify how remote users can access the network and
what is accessible remotely.

 Network maintenance policies: Specify the operating systems of network devices
and update procedures for end-user applications.

 Incident handling policies: Describe how security incidents are handled.

One of the most common components of security policy is an acceptable use policy
(AUP). This component defines what users can and cannot do in the different
components of the system. The AUP should be as explicit as possible to avoid
misinterpretation. For example, an AUP lists specific web pages, newsgroups, or
bandwidth-intensive applications that users cannot access using the company's
computers or network.

Standards

Standards help IT staff maintain consistency in network operation. Standards documents
provide the technologies that specific users or programs need, as well as the program
requirements or criteria that an organization must follow. This allows IT staff to improve
efficiency and simplicity in design, maintenance and troubleshooting.

One of the most important security principles is uniformity. For this reason, it is
necessary for organizations to establish standards. Each organization develops
standards to support the unique operating environment. For example, an organization
establishes a password policy. The standard is that passwords require a minimum of
eight alphanumeric characters of upper and lower case letters, with at least one special
character. A user must change a password every 30 days, and a password history of 12
previous passwords ensures that the user creates unique passwords for one year.

Guidelines

The guidelines consist of a list of suggestions on how to do things more efficiently and
safely. They are similar to standards, but are more flexible and generally not mandatory.
The guidelines define how standards are developed and ensure compliance with overall
security policies.

Some of the most useful guidelines make up an organization's best practices. In addition
to best practices that define an organization, guidelines are also available from the
following:

 National Institute of Standards and Technology (NIST), Computer Security Resource
Center (Figure 1)

 Department of Homeland Security (NSA), Security Configuration Guidelines (Figure
2)

 The Common Criteria Standard (Figure 3)

Using the password policies example, a guideline is a suggestion in which the user takes a
phrase like “I have a dream” and turns it into a strong password, Ihv@dr3@m. The user
can create other passwords from this phrase by changing the number, moving the
symbol, or changing the punctuation mark.

Procedures

Procedure documents are more detailed than standards and guidelines. Procedure
documents include implementation details that typically contain step-by-step
instructions and graphics.

The figure shows an example of a procedure used to change a password.
Large organizations should use procedure documents to maintain the consistency of
implementation that is needed for a secure environment.

Model Overview

Security professionals need to protect information comprehensively across the
organization. This is a monumental task and it is unreasonable to expect one person to
have all the necessary knowledge. The International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC) developed a global
framework to guide information security management. The ISO cybersecurity model is to
cybersecurity professionals what the OSI network model is to network engineers. Both
provide a framework for understanding and addressing complex tasks.

Cybersecurity domains

The ISO/IEC 27000 standard is a computer security standard published in 2005 and
revised in 2013. ISO publishes the ISO 27000 standards. While the standards are not
mandatory, most countries use them as a de facto framework for implementing
cybersecurity.

ISO 27000 standards describe the implementation of a comprehensive information
security management system (ISMS). An ISMS includes all administrative, technical and
operational controls to keep information secure within an organization. Twelve
independent domains represent the components of the ISO 27000 standard. These
twelve domains serve to organize, at a high level, the vast areas of information under the
general term of computer security.

The structure of the ISO cybersecurity model is different from the OSI model as it uses
domains instead of layers to describe security categories. The reason is that the ISO
cybersecurity model is not a hierarchical relationship. It is a peer model in which each
domain has a direct relationship with the other domains. The ISO 27000 cybersecurity
model is very similar to the OSI model in that it is critical for cybersecurity wizards to
understand both models to be successful.

The twelve domains serve as a common foundation for developing organizational
security standards and effective security management practices. They also facilitate
communication between organizations.

Control objectives

The twelve domains consist of control objectives defined in part 27001 of the standard.
Control objectives define the high-level requirements for implementing a complete ISMS.
An organization's management team uses ISO 27001 control objectives to define and
publish the organization's security policies. Control objectives provide a checklist to use
during security management audits. Many organizations must pass an ISMS audit to
obtain a designation of compliance with the ISO 27001 standard.

Certification and compliance provide confidence between two organizations that must
entrust each other with sensitive data and operations. Compliance and security audits show
that organizations are continually improving their cybersecurity management system.

The following is an example of a control objective:

Control access to networks through appropriate authentication mechanisms for users
and computers.

Controls

The ISO/IEC 27002 standard defines computer security management system controls.
Controls are more detailed than objectives. Control objectives tell the organization what
it should do. Controls define how to achieve the objective.

According to the control objective, to control access to networks through the
appropriate authentication mechanisms for users and computers, the control would be
as follows:

Use strong passwords. A strong password consists of at least eight characters that are a
combination of letters, numbers, and symbols (@, #, $, %, etc.) if allowed. Passwords are
case-sensitive, so a strong password contains both upper and lower case letters.
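The password standard given in the Standards section above (eight characters, mixed case, at least one special character, a change every 30 days, and a history of the 12 previous passwords) and the ISO 27002 control just stated can be enforced in code. The following Python is an added example written for this summary, not code from the Cisco course or from ISO; the digit requirement comes from the control's "letters, numbers, and symbols", while the PBKDF2 iteration count, the salt size and the in-memory history layout are the example's own choices.

```python
"""Password standard checker.

Added example, not code from the Cisco course. It enforces the standard in the
text: at least eight characters with upper- and lower-case letters, a digit and
a special character, a 30-day maximum age, and a history of the 12 previous
passwords so a user cannot reuse one for a year. Previous passwords are kept as
salted PBKDF2 hashes, never in plaintext.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 8
MAX_AGE_DAYS = 30
HISTORY_DEPTH = 12
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")
ITERATIONS = 20_000  # kept low for a demo; use a much higher count in production


def complexity_errors(password: str) -> list:
    """Return the list of rule violations; an empty list means the password complies."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        errors.append("no upper-case letter")
    if not any(c in string.ascii_lowercase for c in password):
        errors.append("no lower-case letter")
    if not any(c in string.digits for c in password):
        errors.append("no digit")
    if not any(c in SPECIALS for c in password):
        errors.append("no special character")
    return errors


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Per-user record of past passwords, used to enforce rotation and the history rule."""

    def __init__(self):
        self.entries = []  # (salt, digest, date_set), oldest first

    def was_used_recently(self, password: str) -> bool:
        # Only the last HISTORY_DEPTH entries count, so a password becomes
        # reusable after twelve further changes (one year at 30-day rotation).
        for salt, digest, _ in self.entries[-HISTORY_DEPTH:]:
            if hmac.compare_digest(_digest(password, salt), digest):
                return True
        return False

    def set_password(self, password: str, today: date) -> list:
        """Apply the standard; return [] on success or the reasons for refusal."""
        errors = complexity_errors(password)
        if errors:
            return errors
        if self.was_used_recently(password):
            return [f"matches one of the last {HISTORY_DEPTH} passwords"]
        salt = os.urandom(16)
        self.entries.append((salt, _digest(password, salt), today))
        return []

    def is_expired(self, today: date) -> bool:
        """True when no password is set or the current one is older than MAX_AGE_DAYS."""
        if not self.entries:
            return True
        return today - self.entries[-1][2] > timedelta(days=MAX_AGE_DAYS)


def demo() -> dict:
    """Walk one user through first setting, immediate reuse, expiry and reuse after a year."""
    history = PasswordHistory()
    start = date(2024, 1, 1)  # constructed date
    results = {
        "first_set": history.set_password("Ihv@dr3@m", start),
        "immediate_reuse": history.set_password("Ihv@dr3@m", start),
        "expired_after_31_days": history.is_expired(start + timedelta(days=31)),
    }
    # Twelve further rotations push the original out of the history window.
    for i in range(HISTORY_DEPTH):
        history.set_password(f"Rot@t10n{i}x", start + timedelta(days=30 * (i + 1)))
    results["reuse_after_one_year"] = history.set_password(
        "Ihv@dr3@m", start + timedelta(days=390))
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The history check hashes the candidate against each stored salt, which is why the iteration count matters for interactive latency; a directory service would normally hold this record per account rather than in a Python object.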

Cybersecurity professionals recognize the following:

 The controls are not mandatory, but are widely accepted and adopted.

 Controls should maintain supplier neutrality to avoid the appearance of endorsing a
specific product or company.

 Controls are like guidelines. This means that there may be more than one way to
meet the goal.

The ISO Cybersecurity Model and the CIA Triad

The ISO 27000 standard is a universal framework for each type of organization. To use
the framework effectively, an organization must narrow the domains, control objectives,
and controls that apply to its environment and operations.

The ISO 27001 control objectives function as a checklist. The first step that an
organization takes is to determine whether these control objectives apply to the
organization. Most organizations generate a document called a Statement of
Applicability (SOA). The SOA defines the control objectives that the organization needs
to use.

Different organizations give higher priority to confidentiality, integrity and availability
depending on the type of industry. For example, Google places the highest value on the
confidentiality and availability of user data and the lowest on integrity. Google does not
verify user data. Amazon places a big emphasis on availability. If the site is not available,
Amazon does not make the sale. This doesn't mean Amazon ignores confidentiality in
favor of availability. Amazon just puts a higher priority on availability. Therefore, Amazon
can dedicate more resources and ensure that more servers are available to handle
customer purchases.

An organization adapts its use of control objectives and available controls to best meet
its priorities regarding confidentiality, integrity, and availability.

The ISO cybersecurity model and data states

Different groups in an organization can be responsible for data in each of the different
states. For example, the network security group is responsible for data during
transmission. Programmers and data entry persons are responsible for the data during
processing. Hardware and server support specialists are responsible for the data stored.
ISO controls specifically address the data security objectives of each of the three states.

In this example, representatives from each of the three groups help identify which
controls are applicable and the priority of each control in their area. The network
security group representative identifies controls that ensure the confidentiality, integrity,
and availability of all transmitted data.

The ISO cybersecurity protection model and mechanisms

The control objectives of ISO 27001 relate directly to the organization's cybersecurity
policies, procedures and guidelines that are determined by senior management. ISO
27002 controls provide technical direction. For example, senior management establishes
a policy that specifies the protection of all data entering or leaving the organization.
Implementing technology to meet policy objectives would not involve senior
management. It is the responsibility of IT professionals to properly deploy and configure
the equipment used to satisfy policy directives established by senior management.

Lab - Installing a Virtual Machine on a Personal Computer

A virtual machine image file has been created so you can install it on your computer. In
this lab, you will download and import this image file by using your desktop virtualization
application, such as VirtualBox.

Lab - Installing a virtual machine on a personal computer

VM image (2.5 GB)

Lab: Exploring Authentication, Authorization, and Auditing

In this activity, you will examine, identify, and configure the appropriate authentication,
authorization, or access controls. You will also install and configure security controls.

Lab: Authentication, Authorization, and Auditing

Packet Tracer: How to explore file and data encryption

In this Packet Tracer activity, you will accomplish the following objectives:

 Locate the FTP account credentials for Mary's laptop

 Upload sensitive data using FTP

 Locate the FTP account credentials for Bob's computer

 Download sensitive data using FTP

 Decrypt the contents of the clientinfo.txt file

Packet Tracer: How to explore file and data encryption. Instructions

Packet Tracer: How to explore file and data encryption. Activity

Packet Tracer: How to use file and data integrity checks

In this Packet Tracer activity, you will accomplish the following objectives:

 Download the client files to Mike's computer

 Download the client files from the backup file server to Mike's computer

 Verify the integrity of client files using a hash

 Verify the integrity of essential files using HMAC

Packet Tracer: How to use file and data integrity checks. Instructions

Packet Tracer: How to use file and data integrity checks. Activity
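The last two objectives of this activity, verifying files with a hash and with an HMAC, are shown below in Python as an added example; it is not part of the Packet Tracer activity, and the client file contents and the shared key are constructed for the demonstration. It also shows why the activity uses both: a plain hash can be recomputed by whoever altered the file, an HMAC cannot be forged without the key.

```python
"""Hash and HMAC integrity checks.

Added example, not part of the Packet Tracer activity. A plain SHA-256 digest
detects accidental corruption or casual modification, but anyone who can alter
the file can recompute the digest to match. An HMAC binds the digest to a
secret key, so a modified file cannot be paired with a valid tag unless the key
is also known. The client file and the key below are constructed.
"""
import hashlib
import hmac

# Constructed sample standing in for the client files in the activity
CLIENT_FILE = b"client,balance\nacme,1200\nglobex,450\n"
# Constructed key; in practice it is shared out of band between sender and receiver
INTEGRITY_KEY = b"demo-shared-secret-key"


def sha256_hex(data: bytes) -> str:
    """Plain hash of the data, as a publisher would post beside a download."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    """Keyed tag over the data; only holders of the key can produce or verify it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hash(data: bytes, expected_hex: str) -> bool:
    # compare_digest avoids timing differences that depend on where the strings diverge
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def verify_hmac(key: bytes, data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hmac_sha256_hex(key, data), expected_hex)


def integrity_report(received: bytes, published_hash: str, published_tag: str,
                     key: bytes = INTEGRITY_KEY) -> dict:
    """Run both checks on a received copy and report each verdict separately."""
    return {
        "hash_ok": verify_hash(received, published_hash),
        "hmac_ok": verify_hmac(key, received, published_tag),
    }


def demo() -> dict:
    """Three scenarios: intact copy, tampered copy, tampered copy with a recomputed hash."""
    published_hash = sha256_hex(CLIENT_FILE)
    published_tag = hmac_sha256_hex(INTEGRITY_KEY, CLIENT_FILE)
    tampered = CLIENT_FILE.replace(b"450", b"9999")
    return {
        "intact": integrity_report(CLIENT_FILE, published_hash, published_tag),
        "tampered": integrity_report(tampered, published_hash, published_tag),
        # Someone who changes the file and republishes the plain hash passes the
        # hash check, but cannot produce a matching tag without the key.
        "tampered_rehashed": integrity_report(tampered, sha256_hex(tampered), published_tag),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:18} hash_ok={verdict['hash_ok']} hmac_ok={verdict['hmac_ok']}")
```

The test values below include the published SHA-256 of the empty string and RFC 4231 test case 2 for HMAC-SHA-256, so the helpers are checked against known answers, not only against themselves.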

Chapter 3: Cybersecurity threats, vulnerabilities and attacks

Threats, vulnerabilities and attacks are the central focus of cybersecurity champions. A
cybersecurity threat is the possibility of a harmful event, such as an attack, occurring. A
vulnerability is a weakness that makes a target susceptible to an attack. An attack is a
deliberate exploitation of a detected weakness in computer information systems, either
as specific targets or simply as targets of opportunity. Cybercriminals may have different
motivations for selecting an attack target. Cybercriminals succeed by continually
searching for and identifying systems with obvious vulnerabilities. Common victims
include unpatched systems or systems that do not have virus and spam detection.

This chapter examines the most common cybersecurity attacks. Cyber sorcerers must
know how each attack works, what it takes advantage of, and how it affects the victim.
The chapter begins by explaining the threat of malware and malicious code, and then
explains the types of tricks involved in social engineering. A cyber attack is a type of
offensive maneuver used by cyber criminals to attack computer information systems,
computer networks, or other computer devices, through a malicious act. Cybercriminals
launch offensive maneuvers against wired and wireless networks.

What is malware?

Malicious software, or malware, is a term used to describe software designed to disrupt
computer operations or gain access to computer systems, without the user's knowledge
or permission. Malware has become a general term used to describe all hostile or
intrusive software. The term malware includes viruses, worms, Trojan horses,
ransomware, spyware, adware, scareware and other malicious programs. Malware can
be obvious and simple to identify or it can be very stealthy and almost impossible to
detect.

Viruses, worms and trojans

Cybercriminals target user endpoints by installing malware. The three most common
types of malware are described below.

Virus

A virus is malicious executable code attached to another executable file, such as a
legitimate program. Most viruses require initiation by the end user and can activate
at a specific time or date. Computer viruses generally spread in one of three ways: from
removable media, from Internet downloads, and from email attachments. Viruses can be
harmless and simply display an image, or they can be destructive, such as those that
modify or delete data. To avoid detection, a virus mutates. The simple act of
opening a file can activate a virus. A boot sector or file system virus infects USB flash
drives and can spread to the system's hard drive. Running a specific program can
activate a program virus. Once the program virus is active, it will usually infect other
programs on the computer or other computers on the network. The Melissa virus is an
example of a virus that spreads via email. Melissa affected tens of thousands of users
and caused an estimated $1.2 billion in damages.

Worms

Worms are malicious code that replicates itself by independently exploiting
vulnerabilities in networks. Worms generally slow down networks. While a virus requires
the execution of a host program, worms can execute themselves. Except for the initial
infection, worms no longer require user participation. After a worm affects a host, it can
spread very quickly on the network. Worms share similar patterns. They all have an
activation vulnerability, a way to spread, and contain a payload.

Worms are responsible for some of the most devastating attacks on the Internet. For
example, in 2001, the Code Red worm infected 658 servers. Within 19 hours, the worm
infected more than 300,000 servers.

Trojan

A Trojan is malware that carries out malicious operations under the guise of a desired
operation. This malicious code exploits the privileges of the user who runs it. A Trojan
differs from a virus because the Trojan binds itself to non-executable files, such as image
files, audio files, or games.

Logic bomb

A logic bomb is a malicious program that uses a trigger to activate malicious code.
For example, triggers can be dates, times, other programs running, or deletion of a user
account. The logic bomb remains inactive until the triggering event occurs. Once
activated, a logic bomb deploys malicious code that causes damage to a computer. A
logic bomb can sabotage database logs, delete files, and attack operating systems or
applications. Cyber champions recently discovered logic bombs that attack and destroy
the hardware components of a workstation or server, such as cooling fans, CPUs,
memory, hard drives, and power supplies. The logic bomb overwhelms these devices
until they overheat or fail.

Ransomware

Ransomware holds a computer system or the data it contains captive until the target
makes a payment. Ransomware generally works by encrypting computer data with a key
unknown to the user. The user must pay a ransom to the criminals to remove the
restriction.

Some other versions of ransomware can exploit specific vulnerabilities in the system to
lock it down. Ransomware spreads like a Trojan horse and is the result of a downloaded
file or some weakness in the software.

Payment through an untraceable payment system is always the objective of the criminal.
Once the victim pays, the criminals provide a program that decrypts the files or send an
unlock code.

Backdoors and rootkits

A backdoor or rootkit refers to the program or code introduced by a criminal who has
compromised a system. The backdoor bypasses the normal authentication used to
access a system. Some common backdoor programs are Netbus and Back Orifice, which
allow remote access to unauthorized users of the system. The purpose of the backdoor is
to grant cybercriminals future access to the system, even if the organization fixes the
original vulnerability used to attack the system. Typically, criminals get authorized users
to unknowingly run a Trojan program on their machine to install the backdoor.

A rootkit modifies the operating system to create a backdoor. The attackers then use the
backdoor to access the computer remotely. Most rootkits exploit software vulnerabilities
to perform privilege escalation and modify system files. Privilege escalation takes
advantage of programming errors or design flaws to grant the criminal elevated access
to network resources and data. It is also common for rootkits to modify system forensics
and monitoring tools, making them very difficult to detect. Often, the user must clean
and reinstall the operating system of a computer infected by a rootkit.

Defense against malware

A few simple steps can help protect against all forms of malware.

 Antivirus program – Most antivirus suites catch the most widespread forms of
malware. However, cybercriminals develop and deploy new threats daily. Therefore,
the key to an effective antivirus solution is to keep signatures up to date. A
signature is like a fingerprint: it identifies the characteristics of malicious code.

 Updating software – Many forms of malware achieve their goals by exploiting
vulnerabilities in software, both in the operating system and in applications. Although
operating system vulnerabilities were once the primary source of problems, today
application-level vulnerabilities represent the greatest risk. Unfortunately, while
operating system manufacturers are increasingly responsive with patches, most
application vendors are not.
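To make the signature point concrete, the following Python is an added example (not from the course or from any antivirus vendor) of the two simplest signature kinds, a whole-file hash and a byte pattern, run over a constructed set of files. The "malicious" sample, its signature names and the marker string are all invented for the demonstration; the example also shows why a hash signature alone misses a slightly altered copy, which is the reason signature databases need daily updates.

```python
"""Minimal signature-based malware scanner.

Added example, not from the course or any antivirus product. It shows the two
commonest signature types: a whole-file SHA-256 hash, which matches only an
exact copy, and a byte pattern, which still matches when the rest of the file
changes. The "malicious" sample, its signatures and the scanned files are all
constructed here; no real malware is involved.
"""
import hashlib
import os
import tempfile

# Constructed sample standing in for a known malicious file
SAMPLE_MALICIOUS = b"MZ\x90\x00" + b"DEMO-MALICIOUS-MARKER-1" + b"\x00" * 16

# Constructed signature database. A real product ships millions of entries and
# updates them daily, which is why out-of-date signatures leave gaps.
HASH_SIGNATURES = {
    hashlib.sha256(SAMPLE_MALICIOUS).hexdigest(): "Demo.Dropper.A.exact",
}
PATTERN_SIGNATURES = {
    "Demo.Dropper.A": b"DEMO-MALICIOUS-MARKER-1",
}


def scan_bytes(data: bytes):
    """Return the name of the first matching signature, or None if the data is clean."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern in data:
            return name
    return None


def scan_directory(root_dir: str) -> dict:
    """Map each flagged file (path relative to root_dir) to its signature name."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for filename in filenames:
            full_path = os.path.join(dirpath, filename)
            with open(full_path, "rb") as fh:
                verdict = scan_bytes(fh.read())
            if verdict is not None:
                findings[os.path.relpath(full_path, root_dir)] = verdict
    return findings


def demo() -> dict:
    """Scan a temporary directory holding a clean file, an exact copy and a variant."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "report.txt": b"quarterly sales figures",
            "exact.bin": SAMPLE_MALICIOUS,
            # Same marker plus extra bytes: the hash no longer matches, the pattern does
            "variant.bin": SAMPLE_MALICIOUS + b"extra-padding",
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return scan_directory(tmp)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{path}: {verdict}")
```

Real scanners add emulation and behavioural rules on top of these two kinds because a pattern can be defeated by trivial encoding; the example is only meant to show what a signature is and what a stale one misses.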

Unwanted email

Email is a universal service used by billions of people around the world. As one of the
most popular services, email has become a major vulnerability for users and
organizations. Spam, also known as junk mail, is unsolicited email. In most cases, spam is
an advertising method. However, spam can be used to send harmful links, malware, or
deceptive content. The ultimate goal is to obtain sensitive information, such as social
security number or bank account information. Most spam comes from multiple computers
on networks infected by a virus or worm. These compromised computers send out as
much mass email as possible.

Even with security measures in place, some spam emails may still
reach your inbox. Some of the most common indicators of spam are:

 The email has no subject.

 The email requests an account update.

 The email text has misspelled words or strange punctuation.

 The links in the email are long or cryptic.

 An email looks like correspondence from a legitimate company.

 The email requests that the user open an attachment.

If a user receives an email that contains one or more of these flags, they should not open
the email or any attachments. It is very common for an organization's email policy to
require a user who receives this type of email to report it to cybersecurity personnel.
Almost all email providers filter spam email. Unfortunately, spam email still consumes
bandwidth and the recipient's server must still process the message.
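The indicators listed above can be turned into a first-pass filter. The Python below is an added example, not from the course; its brand-to-domain table, misspelling list and both sample messages are constructed, and a real mail filter would combine such heuristics with a trained classifier rather than rely on a fixed threshold.

```python
"""Heuristic spam indicator check.

Added example, not from the course. It scores a raw email message against the
indicators listed in the text (missing subject, account-update request,
misspellings, long or cryptic links, a sender posing as a known company, and a
request to open an attachment). The brand list, misspelling list and both
sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://[^\s<>\"']+")
ACCOUNT_RE = re.compile(r"\b(update|verify|confirm)\b[^.\n]{0,30}?\baccount\b", re.IGNORECASE)
ATTACH_RE = re.compile(r"\b(open|see|view)\b[^.\n]{0,20}?\battach(ed|ment)\b", re.IGNORECASE)
MISSPELLINGS = {"recieve", "acount", "immediatly", "adress", "verfy"}
# Constructed mapping of brand names to the domains they legitimately send from
BRAND_DOMAINS = {"paypal": "paypal.com", "example bank": "examplebank.com"}


def link_is_cryptic(url: str) -> bool:
    """Long URLs and bare IP-address hosts are the 'long or cryptic' links from the list."""
    host = url.split("://", 1)[1].split("/", 1)[0]
    is_ip_literal = re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None
    return len(url) > 60 or is_ip_literal


def spam_indicators(raw_message: str) -> list:
    """Return the names of the indicators present in the message, in a fixed order."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()  # samples are single-part plain text
    found = []
    if not (msg.get("Subject") or "").strip():
        found.append("no subject")
    if ACCOUNT_RE.search(body):
        found.append("requests account update")
    words = {w.lower() for w in re.findall(r"[A-Za-z]+", body)}
    if words & MISSPELLINGS:
        found.append("misspelled words")
    if any(link_is_cryptic(url) for url in URL_RE.findall(body)):
        found.append("long or cryptic link")
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower()
    for brand, legit_domain in BRAND_DOMAINS.items():
        claims_brand = brand in display_name.lower()
        from_legit = sender_domain == legit_domain or sender_domain.endswith("." + legit_domain)
        if claims_brand and not from_legit:
            found.append("impersonates a known company")
            break
    if ATTACH_RE.search(body):
        found.append("asks to open an attachment")
    return found


def is_spam(raw_message: str, threshold: int = 2) -> bool:
    """Flag a message when two or more indicators coincide; one alone is weak evidence."""
    return len(spam_indicators(raw_message)) >= threshold


# Constructed sample messages (no Subject header in the first one)
SPAM_SAMPLE = """From: "PayPal Support" <security@paypa1-login.example>
To: user@example.com

Please verify your account immediatly. We could not recieve your last payment.
Log in at http://192.0.2.10/xk9/login?session=abc123def456ghi789jkl012mno345pqr678
See the attached invoice for details.
"""

HAM_SAMPLE = """From: "Alice Jones" <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?

Are you free for lunch on Thursday? The new place on Main Street opens at noon.
Menu: https://example.com/menu
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        print(label, is_spam(sample), spam_indicators(sample))
```

The threshold of two is deliberate: a legitimate message can easily trip one indicator (a forgotten subject line, a long tracking URL), and the policy in the text asks users to report a message with one or more flags, not to have it silently discarded.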

Spyware, adware and scareware

Spyware is software that allows a criminal to obtain information about a user's
computing activities. Spyware often includes activity trackers, keystroke collection, and
data capture. In an attempt to bypass security measures, spyware often modifies
security settings. Spyware is often bundled with legitimate software or Trojans. Many
shareware websites are full of spyware.

Adware usually displays annoying pop-ups to generate revenue for its authors. Adware
can analyze user interests by tracking the websites visited. It can then display pop-up
advertising related to those sites. Some software versions automatically install
adware. Some adware only delivers ads, but it is also common for adware to include
spyware.

Scareware convinces the user to take specific actions based on fear. Scareware
fakes pop-up windows that resemble operating system dialog windows. These windows
carry forged messages stating that the system is at risk or requires the execution of a
specific program to return to normal operation. In reality, there are no problems, and if
the user accepts and allows the mentioned program to run, the malware will infect their
system.

Phishing

Phishing is a form of fraud. Cybercriminals use email, instant messaging, or other
social media to attempt to collect information such as login credentials or account
information by disguising themselves as a trusted entity or person. Phishing occurs when
a malicious party sends a fraudulent email disguised as a legitimate and trusted source.
The goal of this message is to trick the recipient into installing malware on their device
or sharing personal or financial information. An example of phishing is a spoofed email
that appears to come from a retail business, asking the user to click a link to claim a
prize. The link may go to a fake site that asks for personal information or may install a
virus.

Spear phishing is a highly targeted phishing attack. While phishing and spear
phishing both use emails to reach victims, spear phishing sends personalized emails to a
specific person. The criminal researches the interests of the target before sending the
email. For example, the criminal discovers that the target is interested in cars and is
interested in purchasing a specific model of car. The criminal joins the same car
discussion forum where the target is a member, creates an offer to sell the car, and
sends an email to the target. The email contains a link to images of the car. When the
target clicks the link, it unknowingly installs malware on the computer.

"Vishing", "Smishing", "Pharming" and "Whaling"

Vishing is the practice of phishing through the use of voice communication
technology. Criminals can make spoofed calls that appear to come from legitimate sources
using voice over IP (VoIP) technology. Victims may also receive a recorded message that
appears legitimate. Criminals want to obtain credit card numbers or other information to
steal the victim's identity. Vishing takes advantage of the fact that people depend on the
telephone network.

Smishing (SMS phishing) is phishing using text messaging on
mobile phones. Criminals pose as a legitimate source in an attempt to gain the victim's
trust. For example, a smishing attack may send the victim a website link. When the
victim visits the website, malware is installed on the mobile phone.

Pharming is the impersonation of a legitimate website in an effort to trick users into
entering their credentials. Pharming misdirects users to a fake website that
appears to be official. Victims then enter their personal information thinking they
connected to a legitimate site.

Whaling is a phishing attack that targets high-level targets within an organization, such
as senior executives. Additional targets include politicians or celebrities.

Plugins and browser poisoning

Security breaches can affect web browsers by displaying pop-up advertisements,
collecting personally identifiable information, or installing adware, viruses, or spyware. A
criminal can hack a browser executable file, browser components, or browser plug-ins.

Plugins

Adobe's Flash and Shockwave plugins allow the development of interesting graphics and
cartoon animations that greatly enhance the appearance of a web page. Plugins display
content developed using the appropriate software.

Until recently, plugins had a remarkable security record. As Flash-based content grew
and became more popular, criminals examined Flash plugins and software, found
vulnerabilities, and attacked Flash Player. A successful attack can cause a system to
crash or allow a criminal to take control of the affected system. Expect data losses to
increase as criminals continue to investigate vulnerabilities in popular plugins and
protocols.

SEO Poisoning

Search engines, such as Google, work by ranking pages and presenting relevant results
according to users' search queries. Depending on the importance of the website's
content, it may appear higher or lower in the list of search results. SEO (Search Engine
Optimization) is a set of techniques used to improve the ranking of a website by a search
engine. Although many legitimate companies specialize in website optimization to
improve their rankings, SEO poisoning uses SEO to make a malicious website appear
higher in search results.

The most common goal of SEO poisoning is to increase traffic to malicious sites that may
host malware or perpetrate social engineering. To force a malicious site to rank higher in
search results, attackers take advantage of popular search terms.

Browser hijacker

A browser hijacker is malware that alters a computer's browser settings to redirect the
user to websites that are paid for by cybercriminals' clients. Browser hijackers install
without user permission and are usually part of a drive-by download. A drive-by download
is a program that is automatically downloaded to the computer when a user visits a
website or views an HTML email message. Always read user agreements carefully when
downloading programs to avoid this type of malware.

How to defend against email and browser attacks

Methods for dealing with spam include email filtering, user training on precautions
against unknown emails, and the use of host and server filters.

It's hard to stop spam email, but there are ways to reduce its effects. For example, most
ISPs filter spam before it reaches the user's inbox. Many antivirus and email software
programs automatically perform email filtering. This means they detect and remove
spam from your email inbox.

Organizations also warn employees about the dangers of opening email attachments that
may contain a virus or worm. Don't assume email attachments are safe, even if they
come from a trusted contact. A virus may try to spread by using the sender's computer.
Always examine email attachments before opening them.

The Anti-Phishing Working Group (APWG) is an industry association dedicated to
eliminating identity theft and fraud caused by phishing and email spoofing.

Keeping all software up to date ensures that your system has all the latest security
patches applied to remove known vulnerabilities.

Social engineering

Social engineering is a completely non-technical means by which the criminal gathers
information about a target. Social engineering is an attack that attempts to manipulate
people into taking actions or disclosing sensitive information.

Social engineers often rely on people's willingness to be helpful, but they also take
advantage of people's weaknesses. For example, an attacker may call an authorized
employee with an urgent problem that requires immediate access to the network. The
attacker can appeal to the employee's vanity or greed, or invoke authority by using
name-dropping techniques.

These are some types of social engineering attacks:

Pretexting: This is when an attacker calls a person and lies in an attempt to gain access
to privileged data. One example involves an attacker claiming to need personal or
financial data to confirm the recipient's identity.

Something for something (quid pro quo): This is when an attacker requests personal
information from a party in exchange for something, for example, a gift.

Social engineering tactics

Social engineers use several tactics, including the following:

 Authority: People are more likely to comply when they receive instructions from "an
authority."

 Intimidation: Criminals bully a victim into taking action.

 Consensus/social proof: People will take action if they believe that other people
like it too.

 Scarcity: People will take action when they believe there is a limited supply.

 Urgency: People will take action when they believe there is limited time.

 Familiarity/liking: Criminals build a good relationship with the victim to establish
rapport and trust.

 Trust: Criminals build a trust relationship with a victim, which may take longer to
establish.

Click on each tactic in the figure to see an example.

Cybersecurity professionals are responsible for training other people in the organization
regarding the tactics of social engineers. Click here to learn more about social
engineering tactics.

Shoulder surfing and dumpster diving

A criminal watches, or looks over a person's shoulder, to collect PINs, access codes, or
credit card numbers. An attacker may be close to the victim or may use binoculars or
closed-circuit cameras to shoulder surf. That is one reason an ATM screen can only be
read at certain angles. These types of security measures make shoulder surfing much
more difficult.

"One man's trash is another man's treasure." This phrase can be especially true in the
activity of dumpster diving, which is the process of going through a target's trash to see
what information an organization discards. Consider securing the trash receptacle. Any
confidential information should be disposed of properly by shredding or by using burn
bags, containers that hold confidential documents for later destruction by incineration.

Impersonation and hoaxes

Impersonation is the act of pretending to be someone else. For example, a recent
telephone scam targeted taxpayers. A criminal, posing as an IRS employee, told victims
that they owed money to the IRS and had to pay immediately by bank transfer. The
impersonator threatened that failing to pay would lead to an arrest. Criminals also use
impersonation to attack other people. They can undermine people's credibility by using
website or social media posts.

A hoax is an act intended to deceive or trick. A cyber hoax can cause as much
disruption as an actual breach can. A hoax elicits a reaction from the user, and that
reaction can cause unnecessary fear and irrational behavior. Users transmit hoaxes
through email and social media. Click here to visit a website that offers a list of hoax
messages.

"Piggybacking" and "Tailgating"

Piggybacking occurs when a criminal follows an authorized person to gain physical entry
into a secure location or a restricted area. Criminals use several methods to carry out
piggybacking:

 They give the appearance of being escorted by the authorized person.

 They join a large crowd and pretend to be a member.

 They target a victim who is careless about the facility's rules.

Tailgating is another term that describes the same practice.

A mantrap prevents piggybacking by using two sets of doors. After people enter the outer
door, that door must close before they can enter the inner door.

Online and email hoaxes

Forwarding hoax emails and other non-work-related jokes, funny movies, and emails in
the workplace may violate the company's acceptable use policy and can result in
disciplinary action. Click here to visit a website that publishes and monitors rumors.

How to defend against deception

Organizations should promote awareness of social engineering tactics and properly
educate employees on prevention measures, such as:

 Never provide confidential information or credentials via email, chat sessions, in
person, or over the phone to unknown parties.

 Resist the urge to click on enticing emails and website links.

 Watch for uninitiated or automatic downloads.

 Establish policies and educate employees about those policies.

 When it comes to security, give employees a sense of ownership.

 Do not feel pressured by unknown people.

Click here to learn more about cybersecurity awareness.

Denial of service

Denial of service (DoS) attacks are a type of network attack. A DoS attack results in
some sort of interruption of network services to users, devices, or applications. There are
two main types of DoS attacks:

 Overwhelming quantity of traffic: The attacker sends an enormous quantity of data at
a rate that the network, host, or application cannot handle. This causes a slowdown in
transmission or response, or a crash of a device or service.

 Maliciously formatted packets: The attacker sends a maliciously formatted packet to a
host or application and the receiver is unable to handle it. For example, an application
cannot identify packets containing errors or improperly formatted packets forwarded by
the attacker. This causes the receiving device to run very slowly or crash.

DoS attacks are a major risk because they can easily disrupt communication and cause
significant loss of time and money. These attacks are relatively simple to carry out, even
by an inexperienced attacker.

The goal of a denial of service attack is to deny access to authorized users by making
the network unavailable (remember the three basic security principles: confidentiality,
integrity, and availability). Click Play on Figure 1 to see animations of a DoS attack.

A distributed DoS (DDoS) attack is similar to a DoS attack but comes from multiple
coordinated sources. For example, a DDoS attack could occur as follows:

An attacker builds a network of infected hosts, called a botnet, composed of zombies.
Zombies are the infected hosts. The attacker uses handler systems to control the
zombies. The zombie computers constantly scan and infect more hosts, creating more
zombies. When ready, the attacker instructs the handler systems to make the botnet of
zombies carry out the DDoS attack.

Click Play on Figure 2 to see animations of a DDoS attack. A distributed denial of service
(DDoS) attack uses many zombies to overwhelm a target.
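
The difference between the two attacks described above is visible in traffic logs: a DoS flood arrives from one or a few addresses, a DDoS flood from many. As an added example (not from the course or any product), the Python code below runs a sliding-window request counter over a constructed event log and labels a burst as "dos" or "ddos" by the number of distinct sources behind it. The addresses, rates, window length and thresholds are assumptions chosen for the demonstration; real detectors tune them per service.

```python
from collections import defaultdict, deque

# Constructed event log of (timestamp_seconds, source_ip, destination_ip); invented, not captured.
SAMPLE_EVENTS = (
    [(float(t), "198.51.100.10", "192.0.2.80") for t in range(10)]                       # one normal client, 1 req/s
    + [(t * 0.01, "203.0.113.7", "192.0.2.80") for t in range(500)]                       # one source, 100 req/s
    + [(20 + t * 0.01, f"203.0.113.{t % 200 + 1}", "192.0.2.80") for t in range(400)]    # 200 sources, 100 req/s in total
)


class FloodDetector:
    """Sliding-window request counter per destination.

    When the request count in the last `window` seconds exceeds `max_requests`,
    the burst is classified as 'dos' (few sources) or 'ddos' (many sources).
    """

    def __init__(self, window=1.0, max_requests=100, distributed_sources=50):
        self.window = window
        self.max_requests = max_requests
        self.distributed_sources = distributed_sources
        self.recent = defaultdict(deque)  # destination -> deque of (timestamp, source)
        self.last_alert = {}              # (kind, destination) -> timestamp of last alert
        self.alerts = []                  # (kind, destination, timestamp, requests, sources)

    def observe(self, ts, src, dst):
        """Feed one event in time order; returns the alert raised, if any."""
        q = self.recent[dst]
        q.append((ts, src))
        while q and ts - q[0][0] > self.window:
            q.popleft()  # drop events that fell out of the window
        if len(q) <= self.max_requests:
            return None
        sources = {s for _, s in q}
        kind = "ddos" if len(sources) >= self.distributed_sources else "dos"
        key = (kind, dst)
        last = self.last_alert.get(key)
        if last is not None and ts - last <= self.window:
            return None  # already reported for this window
        self.last_alert[key] = ts
        alert = (kind, dst, round(ts, 2), len(q), len(sources))
        self.alerts.append(alert)
        return alert


def run_detector(events, **kwargs):
    """Replay the events through a FloodDetector in time order and return the alerts raised."""
    detector = FloodDetector(**kwargs)
    for ts, src, dst in sorted(events):
        detector.observe(ts, src, dst)
    return detector.alerts


if __name__ == "__main__":
    for kind, dst, ts, n, sources in run_detector(SAMPLE_EVENTS):
        print(f"{kind.upper():4} against {dst} at t={ts:6.2f}s: {n} requests from {sources} source(s)")
```

The single-source burst can be answered with a per-source rate limit or a block at the border; the distributed burst cannot, because each zombie individually stays under any sensible per-source limit, which is why the mitigations later in this chapter (patching, spreading load across servers, filtering at the border) are aimed at the target rather than the sources.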

Sniffing

Sniffing is similar to eavesdropping on someone. It occurs when attackers examine all
network traffic as it passes through their network interface card (NIC), regardless of
whether the traffic is addressed to them or not. Criminals sniff the network using a
software application, a hardware device, or a combination of the two. As shown in the
figure, sniffing can view all network traffic or can target a specific protocol, service, or
even a string of characters such as a login or password. Some network sniffers observe
all traffic and modify some or all of the traffic as well.

Sniffing also has its benefits. Network administrators can use sniffers to analyze
network traffic, identify bandwidth problems, and troubleshoot other network problems.

Physical security is important to prevent the introduction of sniffers into the internal
network.

Spoofing

Spoofing is an impersonation attack that takes advantage of a trusted relationship
between two systems. If two systems accept the authentication performed by each other,
an individual logged on to one system may not have to go through an authentication
process again to access the other system. An attacker can take advantage of this
arrangement by sending a packet to one system that appears to have come from a
trusted system. Because the trust relationship is in place, the targeted system may
perform the requested task without authenticating.

There are several types of spoofing attacks:

 MAC address spoofing occurs when one computer accepts data packets based on
the MAC address of another computer.

 IP address spoofing sends IP packets from a spoofed source address in order to
disguise itself.

 Address Resolution Protocol (ARP) is a protocol that resolves IP addresses to MAC
addresses for transmitting data. ARP spoofing sends spoofed ARP messages across
a LAN to link the criminal's MAC address with the IP address of an authorized
member of the network.

 The Domain Name System (DNS) maps domain names to IP addresses. DNS server
spoofing modifies the DNS server to redirect a specific domain name to a different
IP address controlled by the criminal.

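
Two of the spoofing types above can be checked for from the defender's side with very little code. As an added example (not from the course), the Python below implements an anti-spoofing ingress rule, which rejects a packet that arrives on the outside interface yet carries an inside source address, and a small ARP watcher that learns each IP-to-MAC binding from ARP replies and raises an alert when a binding changes or one MAC starts answering for several IPs, the pattern ARP spoofing produces. The address plan, interface name and ARP replies are constructed for the demonstration.

```python
import ipaddress

# Constructed address plan and ARP replies (invented for this example).
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway announces itself
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # a workstation
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway again, unchanged
    ("192.168.1.1", "de:ad:be:ef:00:02"),   # gateway's IP now claimed by a different MAC
    ("192.168.1.20", "de:ad:be:ef:00:02"),  # the same MAC also claims the workstation's IP
]


def is_spoofed_ingress(src_ip, arriving_interface, internal_networks=INTERNAL_NETWORKS):
    """Anti-spoofing ingress rule: a packet from the outside must not carry an inside source address."""
    if arriving_interface != "outside":
        return False
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in internal_networks)


class ArpWatch:
    """Learns IP-to-MAC bindings from ARP replies and flags bindings that change."""

    def __init__(self):
        self.table = {}    # ip -> mac first learned for it
        self.claims = {}   # mac -> set of IPs it has answered for
        self.alerts = []

    def observe(self, ip, mac):
        """Record one ARP reply; returns the alerts it produced (possibly none)."""
        mac = mac.lower()
        raised = []
        known = self.table.get(ip)
        if known is None:
            self.table[ip] = mac
        elif known != mac:
            raised.append(("binding-changed", ip, known, mac))
        ips = self.claims.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            raised.append(("mac-claims-multiple-ips", mac, tuple(sorted(ips))))
        self.alerts.extend(raised)
        return raised


def audit_arp(replies):
    """Run a sequence of (ip, mac) ARP replies through ArpWatch and return all alerts."""
    watch = ArpWatch()
    for ip, mac in replies:
        watch.observe(ip, mac)
    return watch.alerts


if __name__ == "__main__":
    print("10.1.2.3 from outside spoofed:", is_spoofed_ingress("10.1.2.3", "outside"))
    print("198.51.100.4 from outside spoofed:", is_spoofed_ingress("198.51.100.4", "outside"))
    for alert in audit_arp(SAMPLE_ARP_REPLIES):
        print("ARP alert:", alert)
```

A binding change on its own can be legitimate (a replaced gateway, DHCP churn), so the second signal, one MAC answering for both the gateway and a host, is the one worth paging on. Switch features such as dynamic ARP inspection apply the same idea at the port level.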
Man-in-the-middle attack

A criminal performs a man-in-the-middle (MitM) attack by intercepting communications
between computers to steal information crossing the network. The criminal can also
choose to manipulate messages and relay false information between hosts, since the
hosts are unaware that a modification to the messages has occurred. A MitM attack
allows the criminal to take control over a device without the user's knowledge.

Click the steps in the figure to learn the basics of a MitM attack.

Man-in-the-mobile (MitMo) is a variation of man-in-the-middle. MitMo takes control of a
mobile device. The infected mobile device sends sensitive user information to the
attackers. ZeuS, an example of malware with MitMo capabilities, allows attackers to
silently capture the two-step verification SMS messages sent to users. For example, when
a user sets up an Apple ID, the user must provide an SMS-enabled phone number to
receive a temporary verification code by text message to prove the user's identity. The
malware spies on this type of communication and relays the information to the criminals.

A replay attack occurs when an attacker captures a portion of a communication between
two hosts and then retransmits the captured message later. Replay attacks circumvent
authentication mechanisms.

Zero-day attacks

A zero-day attack, sometimes referred to as a zero-day threat, is a computer attack that
attempts to exploit software vulnerabilities that are unknown or undisclosed by the
software vendor. The term zero hour describes the moment when the exploit is
discovered. During the time it takes the software vendor to develop and release a patch,
the network is vulnerable to these exploits, as shown in the figure. Defending against
these fast-moving attacks requires network security professionals to adopt a more
sophisticated view of the network architecture. It is no longer possible to contain
intrusions at a few points in the network.

Keyboard logging

A keylogger is a software program that records the keystrokes of the system's users.
Criminals can implement keyloggers through software installed on a computer system or
through hardware physically attached to a computer. The criminal configures the
keylogger software to email the log file. The keystrokes captured in the log file can
reveal usernames, passwords, websites visited, and other sensitive information.

Keyloggers can be legitimate, commercial software. Parents often purchase keylogger
software to track the websites and Internet behavior of their children. Many anti-spyware
applications can detect and remove unauthorized keyloggers. Although keylogger
software is legal, criminals use it for illegal purposes.

How to defend against attacks

An organization can take several steps to defend against various attacks. Configure
firewalls to discard any packets arriving from outside the network that have source
addresses indicating they originated inside the network. This situation does not normally
occur, and it indicates that a cybercriminal attempted a spoofing attack.

To prevent DoS and DDoS attacks, ensure patches and upgrades are current, distribute
the workload across server systems, and block Internet Control Message Protocol (ICMP)
packets at the border. Network devices use ICMP packets to send error messages. For
example, the ping command uses ICMP packets to verify that one device can communicate
with another device on the network.

Systems can prevent falling victim to a replay attack by encrypting traffic, providing
cryptographic authentication, and including a timestamp with each part of the message.
Click here to learn more about ways to prevent cyber attacks.
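
The replay defense in the last paragraph (cryptographic authentication plus a timestamp on each message), and the replay attack described in the man-in-the-middle section earlier, can be shown end to end in a few lines. As an added example (not from the course or any library's protocol), the Python below authenticates each message with HMAC-SHA256 over the payload, a timestamp and a one-time nonce; the receiver rejects a bad tag, a stale timestamp, or a nonce it has already seen, so a captured message retransmitted later is refused. The shared key, freshness window and message contents are constructed for the demonstration; encryption of the payload is left out to keep the authentication logic visible.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed shared secret for the demo; a real deployment provisions a key per peer.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_SKEW_SECONDS = 30


def sign_message(key, payload, now=None, nonce=None):
    """Authenticate a payload with HMAC-SHA256 over the payload, a timestamp and a one-time nonce."""
    ts = int(time.time() if now is None else now)
    nonce = nonce or secrets.token_hex(8)
    body = json.dumps({"payload": payload, "ts": ts, "nonce": nonce}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class Receiver:
    """Accepts a message only if its tag verifies, its timestamp is fresh and its nonce is unseen."""

    def __init__(self, key, max_skew=MAX_SKEW_SECONDS):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> timestamp; pruned once the timestamp check would reject it anyway

    def accept(self, message, now=None):
        """Return (accepted, reason) for one received message."""
        now = time.time() if now is None else now
        expected = hmac.new(self.key, message["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return False, "authentication tag mismatch (tampered or wrong key)"
        fields = json.loads(message["body"])
        if abs(now - fields["ts"]) > self.max_skew:
            return False, "timestamp outside freshness window"
        # Forget nonces whose messages could no longer pass the timestamp check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.max_skew}
        if fields["nonce"] in self.seen:
            return False, "nonce already used (replay)"
        self.seen[fields["nonce"]] = fields["ts"]
        return True, "accepted"


if __name__ == "__main__":
    t0 = 1_700_000_000
    receiver = Receiver(SHARED_KEY)
    original = sign_message(SHARED_KEY, "pay 42 to alice", now=t0, nonce="n1")
    print("first delivery:", receiver.accept(original, now=t0 + 5))
    print("replayed copy: ", receiver.accept(original, now=t0 + 10))
    print("replayed late: ", receiver.accept(original, now=t0 + 100))
    tampered = {"body": original["body"].replace("42", "4200"), "tag": original["tag"]}
    print("tampered copy: ", receiver.accept(tampered, now=t0 + 5))
```

The timestamp bounds how long the nonce cache must be kept, and the nonce closes the gap the timestamp leaves open (a replay within the freshness window). Neither check helps without the tag, because an attacker who can modify the message could simply update the timestamp.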

Lab Test: Threat and Vulnerability Detection

This lab test will introduce tools that can detect threats and eliminate vulnerabilities
from a host.

Lab Test: Threat and Vulnerability Detection


Grayware and SMiShing

Grayware is becoming a problem area in mobile security with the popularity of
smartphones. Grayware includes applications that behave in an annoying or undesirable
manner. Grayware may not contain recognizable malware, but it can still pose a risk to
the user. For example, grayware can track the user's location. The creators of grayware
usually maintain legitimacy by including an application's capabilities in the fine print of
the software license agreement. Users install many mobile applications without really
considering their capabilities.

SMiShing is short for SMS phishing. It uses the Short Message Service (SMS) to send
fake text messages. Criminals trick the user into visiting a website or calling a phone
number. Unsuspecting victims may then provide sensitive information such as credit card
details. Visiting the website can result in the user unknowingly downloading malware that
infects the device.

Rogue access points

A rogue access point is a wireless access point installed on a secure network without
explicit authorization. A rogue access point can be set up in two ways. The first is when
a well-intentioned employee tries to be helpful by making it easier to connect mobile
devices. The second is when a criminal gains physical access to an organization by
sneaking in and installing the rogue access point. Since both are unauthorized, they
present risks to the organization.

A rogue access point can also refer to a criminal's access point. In this case, the
criminal configures the access point as a MitM device to capture login information from
users.

An evil twin access point attack uses the criminal's access point, improved with higher
power and higher-gain antennas, to look like a better connection option for users. Once
users connect to the rogue access point, the criminals can sniff the traffic and execute
MitM attacks.

RF jamming

Wireless signals are susceptible to electromagnetic interference (EMI) and radio
frequency interference (RFI), and may even be vulnerable to lightning strikes or noise
from fluorescent lights. Wireless signals are also susceptible to deliberate jamming.
Radio frequency (RF) jamming disrupts the transmission of a radio or satellite station so
that the signal does not reach the receiving station.

The frequency, modulation, and power of the RF jammer must match those of the device
the criminal wants to disrupt in order to jam the wireless signal successfully.

"Bluejacking" and "Bluesnarfing"

Bluetooth is a low-power, short-range protocol. Bluetooth transmits data over a personal
area network (PAN) and can include devices such as mobile phones, laptops, and printers.
Bluetooth has gone through several version revisions. Easy setup is a feature of
Bluetooth, so there is no need to use network addresses. Bluetooth uses pairing to
establish the relationship between devices. When establishing the pairing, both devices
use the same passkey.

Bluetooth vulnerabilities have emerged, but because of the limited range of Bluetooth,
the victim and the attacker must be within range of each other.

 Bluejacking is the term used for sending unauthorized messages to another
Bluetooth device. A variation of this is to send a shocking image to the other device.

 Bluesnarfing occurs when the attacker copies the victim's information from their
device. This information can include emails and contact lists.

Attacks on WEP and WPA protocols

Wired Equivalent Privacy (WEP) is a security protocol that attempted to provide a
wireless local area network (WLAN) with the same level of security as a wired LAN.
Since physical security measures help protect a wired LAN, WEP seeks to provide similar
protection for data transmitted over the WLAN with encryption.

WEP uses a key for encryption. There is no provision for key management with WEP, so
the number of people sharing the key will continually grow. Since everyone is using the
same key, the criminal has access to a large amount of traffic for analytic attacks.

WEP also has several problems with its initialization vector (IV), which is one of the
components of the cryptographic system:

 It is a 24-bit field, which is too small.

 It is cleartext, which means it is readable.

 It is static, so identical key streams will repeat on a busy network.

Wi-Fi Protected Access (WPA) and then WPA2 came out as improved protocols to replace
WEP. WPA2 does not have the same encryption problems because an attacker cannot
recover the key by observing traffic. WPA2 is susceptible to attack because
cybercriminals can capture the packets exchanged between the access point and a
legitimate user. Cybercriminals use a packet sniffer and then run attacks offline on the
passphrase.

Defense against attacks on mobile and wireless devices

There are several steps to take to defend against attacks on mobile and wireless
devices. Most WLAN products use default settings. Take advantage of basic wireless
security features such as authentication and encryption by changing the default
configuration settings.

Restrict access point placement within the network by placing these devices outside
the firewall or within a demilitarized zone (DMZ) that contains other untrusted devices,
such as email and web servers.

WLAN tools such as NetStumbler can discover rogue access points or unauthorized
workstations. Develop a guest policy to address the need for legitimate guests to connect
to the Internet while visiting. For authorized employees, use a remote access virtual
private network (VPN) for WLAN access.
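
Tools such as NetStumbler only produce a list of what is on the air; deciding which entries are rogue, or the evil twins described in the rogue access point section above, means comparing that list against an inventory of the access points the organization actually owns. As an added example (not from the course or from NetStumbler), the Python below classifies constructed survey results against a constructed inventory: a known BSSID is authorized (or misconfigured if its SSID or security mode differs from the inventory), an unknown BSSID broadcasting a corporate SSID is an evil twin, an unknown BSSID with a strong signal is a possible rogue inside the facility, and a weak unknown one is treated as a neighbor. The BSSIDs, SSIDs, signal levels and the -60 dBm "inside the building" cut-off are assumptions for the demonstration.

```python
# Constructed inventory of authorized access points: BSSID -> (SSID, expected security mode).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("CorpWiFi", "WPA2"),
    "00:11:22:33:44:02": ("CorpWiFi", "WPA2"),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED_APS.values()}

# Constructed site-survey results (invented, not a real scan).
SCAN_RESULTS = [
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:01", "security": "WPA2", "signal_dbm": -45},
    {"ssid": "CorpWiFi", "bssid": "00:11:22:33:44:02", "security": "OPEN", "signal_dbm": -50},
    {"ssid": "CorpWiFi", "bssid": "DE:AD:BE:EF:00:99", "security": "OPEN", "signal_dbm": -30},
    {"ssid": "Free_Lobby_WiFi", "bssid": "aa:bb:cc:dd:ee:01", "security": "OPEN", "signal_dbm": -38},
    {"ssid": "NeighborNet", "bssid": "aa:bb:cc:dd:ee:02", "security": "WPA2", "signal_dbm": -82},
]


def classify_access_point(ap, authorized=AUTHORIZED_APS, corporate_ssids=CORPORATE_SSIDS,
                          strong_signal_dbm=-60):
    """Label one scanned access point by comparing it with the authorized inventory."""
    bssid = ap["bssid"].lower()
    if bssid in authorized:
        expected_ssid, expected_security = authorized[bssid]
        if ap["ssid"] != expected_ssid or ap["security"] != expected_security:
            return "authorized-misconfigured"  # our hardware, but not the configuration we expect
        return "authorized"
    if ap["ssid"] in corporate_ssids:
        return "evil-twin"          # our SSID from a radio we do not own
    if ap["signal_dbm"] >= strong_signal_dbm:
        return "possible-rogue"     # strong enough to be inside the facility; go and find it
    return "neighbor"               # weak signal, most likely an adjacent tenant


def survey(scan, **kwargs):
    """Return (ssid, bssid, verdict) for every entry in the scan."""
    return [(ap["ssid"], ap["bssid"], classify_access_point(ap, **kwargs)) for ap in scan]


if __name__ == "__main__":
    for ssid, bssid, verdict in survey(SCAN_RESULTS):
        print(f"{verdict:24} {bssid}  {ssid}")
```

The signal threshold is a crude stand-in for physical location; a proper survey triangulates from several sensors. The evil-twin rule is the important one: it needs no signal estimate at all, only the list of BSSIDs the organization owns.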

Packet Tracer: How to configure WEP/WPA2 PSK/WPA2 RADIUS protocols

This Packet Tracer lab will introduce security measures used to prevent attacks on
mobile and wireless devices.

 Configure WEP protocol for Healthcare at Home

 Configure WPA2 PSK protocol for Gotham Healthcare Branch

 Configure WPA2 RADIUS protocol for Metropolis Bank HQ

Packet Tracer: WEP/WPA2 PSK/WPA2 RADIUS protocols. Instructions

Packet Tracer: WEP/WPA2 PSK/WPA2 RADIUS protocols. Activity

Cross-site scripting

Cross-site scripting (XSS) is a vulnerability found in web applications. XSS allows
criminals to inject scripts into the web pages that users view. This script can contain
malicious code.

Cross-site scripting has three participants: the criminal, the victim, and the website. The
cybercriminal does not target a victim directly. The criminal exploits the vulnerability in
a website or web application. Criminals insert client scripts into websites that are
viewed by users, the victims. The malicious script is unknowingly transferred to the
user's browser. Such a malicious script can access cookies, session tokens, or other
sensitive information. If criminals obtain the victim's session cookie, they can
impersonate that user.
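
The defect behind the scenario above is that user-supplied text is written into the page as markup instead of as text. As an added example (not from the course), the Python below shows a comment-rendering function that inserts the comment verbatim beside the corrected version that encodes it with the standard library's html.escape, plus the attribute-context variant, where the quote characters must be encoded as well. The comments and page fragments are constructed for the demonstration; the script payload is the harmless textbook alert.

```python
import html

# Constructed user comments (invented); the second carries a script tag, the third tries to break out
# of an attribute value.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "<script>alert('xss')</script>",
    'nice" onmouseover="alert(1)',
]


def render_comment_unsafe(comment):
    """Vulnerable: the comment is inserted verbatim, so any markup in it becomes live HTML."""
    return f'<li class="comment">{comment}</li>'


def render_comment_safe(comment):
    """Fixed: html.escape turns <, >, &, quote and apostrophe into entities, so the browser shows text."""
    return f'<li class="comment">{html.escape(comment, quote=True)}</li>'


def render_attribute_unsafe(value):
    """Vulnerable attribute context: a quote in the value closes the attribute and starts a new one."""
    return f'<input name="q" value="{value}">'


def render_attribute_safe(value):
    """Escaping is context specific: inside an attribute the quotes must be encoded too."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def contains_live_markup(rendered):
    """Crude check used by the demo: is there still an unescaped script tag or attribute break-out?"""
    return "<script" in rendered.lower() or '" onmouseover="' in rendered


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print("unsafe :", render_comment_unsafe(comment))
        print("safe   :", render_comment_safe(comment))
    print("attr unsafe:", render_attribute_unsafe(SAMPLE_COMMENTS[2]))
    print("attr safe  :", render_attribute_safe(SAMPLE_COMMENTS[2]))
```

Output encoding at the point where data meets markup is the fix; input filtering alone is fragile because the same string is safe in one context and dangerous in another. Marking the session cookie HttpOnly is a separate, complementary control: it stops a script that does run from reading document.cookie, which limits the session-theft outcome the paragraph above describes.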

Code injection

One way to store data on a website is to use a database. There are different types of
databases, such as a Structured Query Language (SQL) database or an Extensible
Markup Language (XML) database. XML and SQL injection attacks take advantage of
program weaknesses, such as not validating database queries correctly.

XML injection

When using an XML database, an XML injection is an attack that can corrupt data. Once
the user provides input, the system accesses the necessary data through a query. The
issue occurs when the system does not properly inspect the input request provided by
the user. Criminals can manipulate the query by programming it to suit their needs and
gain access to information in the database.

All sensitive data stored in the database is accessible to criminals and they can make
any number of changes to the website. An XML injection attack threatens website
security.

SQL injection

The cybercriminal exploits a vulnerability by inserting a malicious SQL statement into an
input field. Again, the system does not properly filter the user input for characters that
are meaningful in an SQL statement. Criminals use SQL injection on websites or any SQL
database.

Criminals can spoof identities, modify existing data, destroy data, or become
administrators of the database server.
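
The paragraph above says the system "does not properly filter the user input" for an SQL statement. The reliable fix is not filtering but parameterized queries, which fix the statement's structure before the input is bound as data. As an added example (not from the course), the Python below builds an in-memory SQLite table of constructed users and runs the same login check two ways: the vulnerable version concatenates the input into the query text, so the textbook tautology in the password field returns a row without the password; the parameterized version treats the same input as an ordinary string and returns nothing. Usernames, passwords and the table layout are invented for the demonstration.

```python
import sqlite3


def build_database():
    """In-memory database with constructed users (not real credentials).

    Passwords are stored in plaintext only to keep the demo short; real systems store
    salted password hashes and compare those.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("alice", "correct horse battery staple", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: the input is spliced into the statement text, so it can change the query's logic."""
    query = (
        f"SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()


def login_parameterized(conn, username, password):
    """Fixed: placeholders bind the input as data; the SQL structure cannot be altered by it."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()


if __name__ == "__main__":
    conn = build_database()
    tautology = "' OR '1'='1"
    print("vulnerable, bad password     :", login_vulnerable(conn, "alice", tautology))
    print("parameterized, bad password  :", login_parameterized(conn, "alice", tautology))
    print("parameterized, real password :", login_parameterized(conn, "alice", "correct horse battery staple"))
```

In the vulnerable function the WHERE clause becomes `username = 'alice' AND password = '' OR '1'='1'`, which is true for every row, so the first row comes back. Least privilege on the database account is the second layer: a web application's account that can only read and write its own tables cannot be turned into a "database server administrator" even when a query is injected.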

Buffer overflow

A buffer overflow occurs when data goes beyond the limits of a buffer. Buffers are areas
of memory allocated to an application. By changing data beyond the boundaries of a
buffer, the application accesses memory allocated to other processes. This can lead to a
system crash, data compromise, or escalation of privileges.

Carnegie Mellon University's CERT/CC estimates that nearly half of all computer program
attacks historically arise from some form of buffer overflow. The generic classification of
buffer overflows includes many variants, such as static buffer overflows, indexing errors,
format string errors, ANSI and Unicode buffer size incompatibilities, and stack overflows.

Remote code execution

Remote code execution vulnerabilities allow a cybercriminal to execute malicious code
and take control of a system with the privileges of the user running the application.
Remote code execution allows a criminal to execute any command on a target machine.

Consider, for example, Metasploit. Metasploit is a tool for developing and executing
exploit code against a remote target. Meterpreter is an exploit module within Metasploit
that provides advanced features. Meterpreter allows criminals to write their own
extensions as a shared object. The criminals upload and inject these files into a running
process on the target. Meterpreter loads and runs these extensions entirely from memory,
so they never touch the hard drive. This also means that these files stay under the radar
of antivirus detection. Meterpreter has a module to control the webcam of a remote
system. Once the criminal installs Meterpreter on the victim's system, the criminal can
view and capture images from the victim's webcam.

ActiveX and Java controls

When browsing the web, some pages may not work properly unless the user installs an
ActiveX control. ActiveX and Java controls provide plug-in functionality for Internet
Explorer. ActiveX controls are pieces of software installed by users to provide extended
capabilities. Some ActiveX controls are written by third parties and may be malicious.
They can monitor browsing habits, install malware, or log keystrokes. ActiveX controls
also work in other Microsoft applications.

Java operates through an interpreter, the Java Virtual Machine (JVM). The JVM enables
the functionality of the Java program. The JVM isolates untrusted code from the rest of
the operating system. Vulnerabilities exist that allow untrusted code to bypass
restrictions imposed by the sandbox. There are also vulnerabilities in the Java class
library, which an application uses for security. Java is the second largest security
vulnerability next to Adobe's Flash plugin.

Defense against application attacks

The first line of defense against an application attack is to write solid code. Regardless
of the language used or the source of outside input, prudent programming practice is to
treat all input from outside a function as hostile. Validate all input as if it were hostile.

Keep all software, including operating systems and applications, up to date, and don't
ignore update indicators. Not all programs update automatically. At a minimum, select
the manual update option. Manual updates allow users to see exactly what updates are
being made.
