Chapter 2

The document outlines fundamental security concepts, focusing on the CIA Triad (Confidentiality, Integrity, Availability) and non-repudiation principles that ensure data protection and accountability in digital transactions. It also discusses access control mechanisms, the AAA framework for authentication, authorization, and accounting, and the importance of gap analysis and zero-trust models in enhancing cybersecurity. Additionally, it covers physical security measures, deception technologies like honeypots, and the role of various sensors in threat detection.

Uploaded by

freeproton9038

2. Summarize fundamental security concepts

Confidentiality, Integrity and Availability
➢ CIA Triad represents a bedrock of protection in which three vital principles join forces
to fortify our digital landscapes. These principles are as follows:
Confidentiality:

➢ It ensures that sensitive information remains shielded from prying (interfering) eyes
and that access is granted solely to those with the appropriate authorization.
➢ Confidentiality safeguards trade secrets, personal data, and any confidential
information that requires a digital lock and key.

Integrity:

➢ It ensures that your data remains unaltered and trustworthy. It prevents unauthorized
changes or manipulations to your information, maintaining its accuracy and
reliability.
➢ Hashing algorithms such as SHA1 or MD5 provide data integrity.

Availability:

➢ This principle guarantees that your digital assets and services are accessible when
needed.
➢ Availability ensures that your systems are up and running, that your data can be
accessed promptly, and that your online services remain accessible.
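The integrity bullet above names hashing as the mechanism. The following is an added example, not code from the notes: it checks a constructed record against a stored SHA-256 digest and, separately, against an HMAC tag under a constructed shared key. SHA-256 is used rather than the MD5 or SHA-1 named in the notes because both of those have practical collision attacks; the structure of the check is the same. The HMAC variant shows why a keyed tag is needed once an attacker could rewrite the digest along with the data, and its comment notes that even HMAC does not give non-repudiation, because both parties hold the same key.

```python
import hashlib
import hmac

# Constructed sample record and a tampered copy (not from the original notes).
ORIGINAL = b"invoice 1042: pay 100.00 EUR to account DE00 0000 0000"
TAMPERED = b"invoice 1042: pay 900.00 EUR to account DE00 0000 0000"


def digest(data: bytes) -> str:
    """Plain integrity check. Anyone can recompute this, so it detects
    accidental corruption but not an attacker who also rewrites the digest."""
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, expected_hex: str) -> bool:
    # constant-time comparison so the check itself leaks nothing
    return hmac.compare_digest(digest(data), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """Keyed integrity (HMAC-SHA256): only a holder of the key can produce a
    valid tag. Both sides share the key, so either of them could have made it;
    that is why HMAC gives integrity and authentication but not non-repudiation,
    which needs a signature made with a private key only the signer holds."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(tag(data, key), expected_hex)


def demo() -> dict:
    """Run every check once; each value should be True."""
    key = b"constructed-shared-key"          # constructed for the example
    d = digest(ORIGINAL)
    t = tag(ORIGINAL, key)
    return {
        "digest_ok": verify_digest(ORIGINAL, d),
        "digest_detects_tamper": not verify_digest(TAMPERED, d),
        "tag_ok": verify_tag(ORIGINAL, key, t),
        "tag_detects_tamper": not verify_tag(TAMPERED, key, t),
        "tag_needs_key": not verify_tag(ORIGINAL, b"other-key", t),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In practice the stored digest or tag must live somewhere the attacker cannot also modify (a signed manifest, a separate integrity database), otherwise the check proves nothing.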

Non-Repudiation
➢ It prevents denial of actions, ensuring accountability and reliability in electronic
transactions and communications.
➢ Through authentication, digital signatures, and audit trails, it safeguards electronic
interactions.
➢ The key aspects of non-repudiation are as follows:
Digital signatures:
➢ Utilizing cryptographic identifiers to confirm the sender’s identity and ensure the
integrity of the content.
Audit trails:
➢ Maintaining chronological (sequential) records of actions, which are crucial for
tracing events and assigning accountability to the parties involved.
➢ Within e-commerce, non-repudiation establishes trust by effectively thwarting any
potential denial of online transactions, thereby fostering a secure environment for
electronic trade.
➢ This can be done by using a digital signature.
Access controls:
➢ The three main parts of access controls are identifying an individual, authenticating
them when they insert a password or PIN, and authorizing them by granting
permission to the different forms of data.
➢ These parts are further defined as follows:
Identification:
➢ Identification in a secure environment may involve having a user account, a
smart card, or providing some sort of biometrics via fingerprint or facial scan
as these are unique to each individual.
➢ Each person has their own Security Identifier (SID) for their account, which is
like an account serial number.
Authentication:
➢ After inputting their chosen identification method, individuals must undergo a
verification process, such as entering a password or PIN, or using biometric
credentials.

Authorization:
➢ This is the level of access or permissions that you must apply to selected data
according to the group to which you belong.
➢ For example, a sales manager could access data from the sales group, and then
access data from the managers’ group.
Authentication, Authorization, and Accounting
➢ An AAA server is responsible for three important tasks: authentication, authorization, and
accounting.
➢ Let’s explore what AAA servers do and how they help keep our digital interactions safe
and reliable:
Authenticating people:
➢ It ensures that only authorized users are granted access privileges, effectively reducing the
prospect of a security breach.
➢ This process is often facilitated by an AAA server, which collaborates with various
authentication methods, including contacting a domain controller in the context of
Windows-based networks.
➢ When a user initiates an authentication request, the AAA server interfaces with the
domain controller, a specialized server responsible for managing user accounts and
authentication within a Windows domain environment.
Authenticating systems:
➢ The partnership between the AAA framework and the 802.1X protocol strengthens network
security by integrating a robust authentication process.
➢ 802.1X takes the lead in authenticating devices seeking access to a network, and each
device must have a valid certificate on its endpoint.
Authorization models:
➢ Authorization models define the scope of permissible activities, creating a controlled
environment that mitigates the risks associated with unauthorized actions.
Accounting:
➢ This process involves capturing essential details such as usernames, timestamps, IP
addresses, accessed resources, and actions performed.
➢ This data is then stored securely, ensuring its integrity and confidentiality.
➢ The accounting information can be used for real-time monitoring, historical analysis,
and generating reports for compliance or troubleshooting purposes.
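The access-control and AAA sections above describe identification, authentication, authorization and accounting as four separate steps. The following is an added example, not code from the notes, that walks one request through all four against a constructed in-memory directory: the username is the identification, a salted PBKDF2 password check is the authentication, group-to-resource mappings are the authorization model (the sales manager case from the notes, who can read both the sales and the managers' data), and every outcome, including denials, goes into an accounting log with the fields the notes list. The user names, passwords, groups and resource names are all constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen directory does not yield passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password: str, groups) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "pw": _hash_password(password, salt), "groups": set(groups)}


# Constructed directory: identity -> credential material and group membership.
USERS = {
    "alice": make_user("correct horse battery staple", ["sales", "managers"]),
    "bob": make_user("hunter2", ["sales"]),
}

# Constructed authorization model: group -> data sets that group may read.
PERMISSIONS = {
    "sales": {"sales_data"},
    "managers": {"managers_data"},
}

# Accounting records; in memory here, a write-once store in a real deployment.
ACCOUNTING_LOG = []


def record(username: str, src_ip: str, resource: str, action: str, outcome: str) -> None:
    ACCOUNTING_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": username, "ip": src_ip,
        "resource": resource, "action": action, "outcome": outcome,
    })


def authenticate(username: str, password: str) -> bool:
    """Identification (look up the claimed identity) then authentication."""
    user = USERS.get(username)
    if user is None:
        # Hash anyway so response time does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw"])


def access(username: str, password: str, src_ip: str, resource: str) -> bool:
    """Full AAA path for a read request; every branch is accounted for."""
    if not authenticate(username, password):
        record(username, src_ip, resource, "read", "denied:authentication")
        return False
    groups = USERS[username]["groups"]
    allowed = set().union(*(PERMISSIONS.get(g, set()) for g in groups))
    if resource not in allowed:
        record(username, src_ip, resource, "read", "denied:authorization")
        return False
    record(username, src_ip, resource, "read", "granted")
    return True


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "10.0.0.5", "managers_data"))
    print(access("bob", "hunter2", "10.0.0.6", "managers_data"))
    print(access("bob", "wrong", "10.0.0.6", "sales_data"))
    for entry in ACCOUNTING_LOG:
        print(entry)
```

The denied entries are the ones a security team reads most often: a burst of `denied:authentication` from one IP is a password-guessing indicator, and `denied:authorization` for a valid account shows someone probing beyond their role.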
AAA protocols:
➢ These protocols carry out the three processes of authentication, authorization, and
accounting, the last of which records the users and devices that log in in a database.
➢ These AAA protocols are defined as follows:
Remote Authentication Dial-In User Service (RADIUS):
➢ RADIUS is a remote access protocol; RADIUS clients include a variety of devices such as
wireless access points, routers, and switches.
➢ As these clients forward authentication requests to a RADIUS server, they require
a shared secret. This secret, known to both the RADIUS client and server,
safeguards the exchange of sensitive data, boosting the integrity of the
authentication process.
Diameter:
➢ Diameter is the successor of RADIUS, extending its capabilities to modern network
technologies.
➢ In this area, network elements such as 4G and 5G infrastructure devices, including
LTE and WiMAX access points, serve as Diameter clients.
➢ The shared secret plays the same central role here, ensuring secure communication
between Diameter clients and servers.
Terminal Access Controller Access Control System Plus (TACACS+):
➢ TACACS+, created by Cisco, is used to grant or deny access to network devices.
TACACS+ clients often include routers, switches, and firewalls.
➢ Just as with RADIUS and Diameter, the shared secret’s role remains pivotal, as it forms
the foundation of secure interactions between TACACS+ clients and servers.
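The RADIUS bullets above say the shared secret "safeguards the exchange of sensitive data" between client and server. The following is an added example, not code from the notes or from any RADIUS implementation, showing concretely what the secret is used for: the User-Password hiding scheme from RFC 2865 section 5.2 (the password is XORed block by block with MD5 of the secret and the previous block, seeded by the 16-byte Request Authenticator) and the Message-Authenticator from RFC 2869 (an HMAC-MD5 over the packet under the secret). Without the secret a device on the path can neither recover the password nor forge a valid request. The secret, authenticator and password values in the test are constructed.

```python
import hashlib
import hmac


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side of RFC 2865 s5.2: pad to 16-octet blocks, then XOR each block
    with MD5(secret + previous block), the first 'previous block' being the
    Request Authenticator. The keystream needs the shared secret."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:                       # RFC requires at least one block
        padded = b"\x00" * 16
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block                     # chain on the hidden block just produced
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: regenerate the same keystream, chaining on the received blocks."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")         # strip the RFC padding


def message_authenticator(packet_with_zeroed_ma: bytes, secret: bytes) -> bytes:
    """RFC 2869 Message-Authenticator: HMAC-MD5 over the packet (with the
    attribute's own 16 octets zeroed) under the shared secret. A client that
    does not hold the secret cannot forge or alter a request, even though
    RADIUS itself runs over plain UDP."""
    return hmac.new(secret, packet_with_zeroed_ma, hashlib.md5).digest()


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))       # would be random per request
    hidden = radius_hide_password(b"correct horse battery", secret, authenticator)
    print(hidden.hex())
    print(radius_reveal_password(hidden, secret, authenticator))
```

The scheme is only as strong as the secret and MD5 allow, which is why current guidance is to carry RADIUS inside TLS (RadSec, RFC 6614) or use EAP methods that never send the password in the User-Password attribute at all; the shared secret remains the thing both ends must protect.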
Gap Analysis
➢ It is a strategic process that evaluates an organization’s security practices against
established security standards, regulations, and industry best practices.
➢ It identifies discrepancies or “gaps” between the current security posture and the desired
state of security.
➢ The process of gap analysis involves several key tasks:

Assessment:

➢ A thorough assessment is conducted to understand the organization’s current security
measures, policies, procedures, and technologies.
Benchmarking:

➢ This involves comparing the existing security practices against established industry
standards, frameworks, and compliance regulations.

Identification:

➢ Gaps are pinpointed by identifying areas where security measures fall short of the
desired or required level.

Prioritization:

➢ Prioritization involves ranking the identified gaps based on their potential impact and
likelihood of exploitation.

Remediation strategy:

➢ This strategy outlines actionable steps to close the identified gaps and enhance the
organization’s security posture.

Zero Trust
➢ The concept of zero-trust cybersecurity aligns with the importance of the data and
control planes in networking.
➢ The data plane and control plane should not be tightly coupled.
➢ In a zero-trust model, the principle of “never trust, always verify” reflects the need to
continually validate the legitimacy of users and devices accessing resources, regardless
of their location.
➢ The data plane ensures the efficient movement of information.
➢ The control plane manages the intelligence behind data routing, network health, and
device coordination.
➢ Zero trust enhances cybersecurity by verifying access at every step.
➢ In both cases, the underlying principle is to minimize assumptions and maximize
validation, leading to stronger overall systems.
➢ Let us look at the data and control planes in more depth:
Fig.: The control plane dictates how users and devices are authorized to access network
resources
➢ The figure above illustrates a cybersecurity framework dividing the Control Plane and
Data Plane. The Control Plane is where user and device authorization are managed by
a Policy Engine and administered by a Policy Administrator, which then communicates
decisions to the Policy Enforcement Point. The data plane is responsible for secure data
transfers and is mediated by the policy enforcement point, with an Implicit Trust Zone
indicating a segment of the network considered secure without needing continuous
verification. Arrows show the directional flow of policy decisions and enforcement
through the system.

Control plane:

➢ It uses the subject/identity with company policies and threat intelligence data to decide
which users or devices can access the network.
➢ By centralizing control this way, organizations can regulate access, monitor activity, and
quickly respond to emerging threats.

Adaptive identity:

➢ It tailors user privileges based on contextual understanding.


➢ By analysing user behaviour, location, and device characteristics, it ensures that access
rights are dynamically adjusted, drastically minimizing the risk of unauthorized activity
while allowing for seamless user experiences.
Threat scope reduction:

➢ This involves strategies such as minimizing exposed services, reducing the attackable code
base, and employing rigorous patch management.
➢ Through such proactive measures, the potential for breaches is significantly reduced.

Policy-driven access control:

➢ It offers a solution by automating the enforcement of policies and guidelines.


➢ Through a systematic approach, organizations can define access rights, permissions, and
responses to specific scenarios.
➢ This not only ensures consistency but also eliminates the risk of human error in the execution
of security protocols.

Policy administrator:

➢ The policy administrator executes the decisions made by the policy engine to control access
to the network.
➢ They issue access tokens and can communicate with the data plane.

Policy engine:

➢ The policy engine determines who gains access to critical network resources on a per-user
basis.
➢ It operates based on policies, written by the organization’s security team, which lay down
the rules for access.
➢ Context is crucial, with data from SIEM, threat intelligence, user attributes, and device
information informing decisions.
➢ Once the policy engine evaluates all the parameters, it communicates its decision to a policy
administrator, who executes it on the ground.
Policy enforcement point:

➢ It’s like a security checkpoint that follows the rules set by the policy administrator and
double-checked by the policy engine.
➢ This checkpoint ensures that only authorized actions get through and prevents potential
breaches.
➢ It’s the ultimate decision maker that verifies everything is safe and trustworthy before letting
it in.
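The control-plane components above (adaptive identity, policy-driven access control, policy engine, policy administrator, policy enforcement point) are easier to see as one small program. The following is an added example, not code from the notes or from any zero-trust product: a policy engine that decides per request from subject, device posture, location and a risk score (standing in for the SIEM and threat-intelligence inputs the notes mention), a policy administrator that turns an allow into a short-lived token, and an enforcement point that admits a request only when a token exists for exactly that subject and resource. The "step-up" outcome is the adaptive-identity case: a sensitive resource under elevated risk demands a stronger factor instead of a flat allow or deny. All resource names, device ids, thresholds and scores are constructed.

```python
from dataclasses import dataclass
import secrets


@dataclass
class Request:
    subject: str
    device_id: str
    resource: str
    location: str          # e.g. "office", "home", "unknown"


@dataclass
class Context:
    device_compliant: dict  # device_id -> bool, from the device inventory
    risk_score: dict        # subject -> 0..100, from SIEM / threat intel
    clearance: dict         # subject -> set of resources policy permits


# Constructed: resources that require extra assurance under any elevated risk.
SENSITIVE = {"payroll-db", "source-repo"}


def policy_engine(req: Request, ctx: Context) -> str:
    """Decide from identity, device and context, never from network position."""
    if req.resource not in ctx.clearance.get(req.subject, set()):
        return "deny"                                   # not entitled at all
    if not ctx.device_compliant.get(req.device_id, False):
        return "deny"                                   # unknown or non-compliant device
    risk = ctx.risk_score.get(req.subject, 100)         # unknown subject = maximum risk
    if risk >= 70:
        return "deny"
    if req.resource in SENSITIVE and (risk >= 30 or req.location == "unknown"):
        return "step-up"                                # adaptive identity: demand stronger factor
    return "allow"


# Policy administrator: executes the engine's decision by issuing a token.
ISSUED = {}                                             # token -> (subject, resource)


def policy_administrator(decision: str, req: Request):
    if decision != "allow":
        return None
    token = secrets.token_hex(16)                       # short-lived in a real system
    ISSUED[token] = (req.subject, req.resource)
    return token


def policy_enforcement_point(token, subject: str, resource: str) -> bool:
    """Admit traffic only with a token issued for exactly this subject and resource."""
    return token is not None and ISSUED.get(token) == (subject, resource)


def request_access(req: Request, ctx: Context):
    decision = policy_engine(req, ctx)
    return decision, policy_administrator(decision, req)


if __name__ == "__main__":
    ctx = Context(
        device_compliant={"lap-1": True, "lap-2": False},
        risk_score={"alice": 10, "bob": 10},
        clearance={"alice": {"wiki", "payroll-db"}, "bob": {"wiki"}},
    )
    print(request_access(Request("alice", "lap-1", "wiki", "office"), ctx))
    print(request_access(Request("alice", "lap-1", "payroll-db", "unknown"), ctx))
    print(request_access(Request("bob", "lap-2", "wiki", "office"), ctx))
```

Note that a token for `wiki` does not open `payroll-db`: the enforcement point checks the pair, which is what keeps access decisions per resource rather than per session.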

The Data Plane


➢ It is the operational core responsible for the actual movement and forwarding of data packets
within a network.
➢ It focuses on executing tasks such as routing, switching, and packet forwarding based on
predefined rules and policies.
➢ It ensures efficient and secure data transmission between devices and across networks,
playing a pivotal role in network communication while adhering to the principles of security
and performance.
Subjects

➢ These are the entities that initiate data communication.

Systems

➢ These represent the collective infrastructure, resources, and devices that are responsible for
processing and forwarding data packets as they traverse the network.
➢ These systems include routers, switches, firewalls, load balancers, and any other network
equipment involved in transmitting and managing data traffic.

Trust zones are used to categorize and manage the security requirements and access controls for
different parts of a system, as defined here:

Implicit trust zone:

➢ This refers to areas within a network or system where certain levels of trust are assumed
without explicit verification.
➢ These zones are designed to simplify and accelerate communication and interactions
between components within those zones.
➢ It is established based on predefined rules, configurations, or assumptions about the security
and integrity of the components involved.
➢ It implies that the components within that zone are considered trustworthy and authorized
to communicate with each other without stringent authentication or verification processes.

Internal network zone:

➢ Devices and resources within the company’s internal network are assumed to be trustworthy
because they are behind the organization’s firewall.
➢ This zone is also known as the local area network, and the domain controller and database
servers reside here.

Demilitarized Zone (DMZ):


➢ It is an area that is neither fully trusted nor fully untrusted.
➢ It’s an intermediate zone that allows controlled access to certain services from the external
network.
➢ Communication between the DMZ and the internal network might be subject to more
stringent controls.
➢ This is also commonly known as a screened subnet, where resources that are accessed by
untrusted and trusted networks reside.
External network zone:

➢ External networks, such as the internet, are typically treated as untrusted zones due to the
inherent risks associated with them.
➢ Communication from the external network into the internal network usually requires strong
security measures.
➢ This is also known as the wide area network—an untrusted network.
Physical Security
➢ It encompasses a range of measures designed to deter, detect, and respond to potential risks.

Bollards:

➢ These sturdy (solidly built) posts, often seen in urban settings, serve as a formidable barrier
against vehicular threats.
➢ Whether placed around high-profile buildings, public spaces, or critical infrastructure,
bollards are engineered to resist impact, preventing unauthorized vehicles from breaching
secure zones.
Access control vestibule:

➢ Access control vestibules establish a controlled environment that enhances security.


➢ An example of this can be found in door entry systems. Someone entering a building opens
one door into a controlled space from which the security guard can confirm their identity
before they are allowed to access the premises via a second door.

Fencing:

➢ Fencing acts as a visible deterrent against unauthorized entry.


➢ Modern fencing solutions incorporate cutting-edge materials, designs, and technologies that
enhance the security of the building.

Video surveillance:

➢ Video surveillance provides real-time visibility and a historical record of events.


➢ This technology helps the security team to identify threats, investigate incidents, and
strengthen overall security management.

Security guard:

➢ A security guard is a dynamic presence that enforces security protocols, conducts patrols,
and responds swiftly to incidents.
➢ Their keen observation skills, combined with training in conflict resolution and emergency
response, make them an essential asset.
Access badges:

➢ These badges, often integrated with RFID or smart technology, grant authorized personnel
seamless entry to secure areas.
➢ Access badges help identify authorized personnel and provide an audit trail of entry events.
These can be coloured differently for guests.

Lighting:

➢ It deters intruders through well-lit areas, enhancing visibility by reducing hiding spots,
discouraging crimes such as theft and damage, and aiding access control and identity
verification.
Visitors logs:

➢ These records meticulously document each entry and exit, providing an invaluable historical
reference for audits and investigations.
➢ Furthermore, when you sign in a visitor, you become responsible for their presence,
underscoring the importance of accurate documentation in upholding accountability.

Sensor technologies:

➢ Sensors serve as the vanguard, detecting anomalies and triggering responses.


➢ Spanning technologies such as infrared, pressure, microwave, and ultrasonic, these sensors
empower real-time threat detection with minimal human intervention.
Type of Sensor   Function and Application
Infrared         These detect heat signature changes, effectively identifying human or animal
                 presence. They find applications in perimeter protection and indoor security.
Pressure         Sensing changes in pressure from touch or step, these provide reliable
                 indicators of movement, both indoors and outdoors.
Microwave        Emitting microwave pulses and detecting frequency alterations caused by moving
                 objects, these sensors excel in diverse security scenarios.
Ultrasonic       Operating with sound waves, ultrasonic sensors “see” around corners or within
                 concealed areas, proving valuable in challenging environments.

Deception and Disruption Technology


➢ This strategic shift empowers organizations to not only defend but also actively deceive
(cheat) and disrupt (disturb) potential threats.
Honeypot:

➢ When security teams are trying to find out the attack methods that hackers are using, they
set up a website similar to a legitimate website with lower security, known as a honeypot.
➢ When the attack commences, the security team monitors the attack methods so that they can
prevent future attacks.
➢ Another reason a honeypot is set up is as a decoy so that the real web server is not attacked.

Honeynet:

➢ Honeynets are a group of honeypots that give the appearance of a network.


➢ These, too, are created as a decoy to draw attackers away from the actual network and can
provide a testing ground through which cybersecurity professionals can study and analyze
malicious activities.
➢ They act as a decoy through which cybersecurity professionals can study and understand
malicious activities while safeguarding their actual networks from harm.

Honeyfile

➢ It may well be a file titled password that is saved onto a desktop.


➢ This is designed to lure an attacker’s curiosity.
➢ Once accessed, it sets off alarms, marking the intrusion and triggering a proactive defense.
➢ This digital bait, seemingly safe, reveals an attacker’s intent and direction, allowing
defenders to anticipate their next move.
Honeytoken:

➢ Crafted with precision, these tokens house deceptive markers—dummy data that presents
itself as a prized possession to potential thieves.
➢ Yet, this trap data holds no genuine value for the organization.
➢ Once this irresistible bait (inducement) is taken, a concealed web is cast, enabling the pursuit
of the infiltrator.
➢ Whether the adversary struck from beyond the organizational walls or emerged from within,
this web of honeytokens remains an unwavering sentinel of security.
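The honeyfile and honeytoken bullets above say that touching the bait "sets off alarms". The following is an added example, not code from the notes, of the detection side: a constructed canary account that has no legitimate use and a constructed tempting file path are registered as deception markers, and a scanner runs over constructed sshd-style and file-audit log lines, raising an alert on any reference to either marker. A failed login to the canary account still alerts, because nobody should know the name at all, and the honeyfile alert fires for an otherwise legitimate user, which is the insider case the notes mention. The log format, regular expressions and marker values are all assumptions for the example.

```python
import re

# Constructed deception markers (not from the notes): an account with no
# legitimate use, and a tempting file that nobody should ever open.
HONEYTOKEN_USERS = {"svc-backup-archive"}
HONEYFILES = {"/home/deploy/passwords.txt"}

# Constructed sample log: sshd-style login lines plus a generic file-audit line.
SAMPLE_LOG = """\
Jan 12 03:14:07 srv1 sshd[2211]: Accepted publickey for deploy from 10.0.0.8 port 51234 ssh2
Jan 12 03:15:22 srv1 sshd[2230]: Failed password for svc-backup-archive from 203.0.113.45 port 40022 ssh2
Jan 12 03:16:01 srv1 fileaudit: user=deploy action=open path=/home/deploy/passwords.txt
Jan 12 03:16:40 srv1 sshd[2251]: Accepted password for alice from 10.0.0.9 port 52100 ssh2
"""

LOGIN_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \S+ for (\S+) from (\S+)")
FILE_RE = re.compile(r"fileaudit: user=(\S+) action=(\S+) path=(\S+)")


def scan(log_text: str) -> list:
    """Return one alert per log line that references a deception marker."""
    alerts = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group(2) in HONEYTOKEN_USERS:
            # Any use of the canary account, even a failed attempt, means the
            # bait was found; the source address is the lead to follow.
            alerts.append({"kind": "honeytoken", "user": m.group(2),
                           "source": m.group(3), "result": m.group(1), "line": line})
            continue
        m = FILE_RE.search(line)
        if m and m.group(3) in HONEYFILES:
            # Legitimate accounts have no reason to open the honeyfile either.
            alerts.append({"kind": "honeyfile", "user": m.group(1),
                           "action": m.group(2), "path": m.group(3), "line": line})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["kind"], alert)
```

Because the markers have zero legitimate traffic, the rule has essentially no false positives, which is what makes deception signals so much cheaper to triage than generic anomaly alerts.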
Fake Information:

➢ A DNS sinkhole, often playfully dubbed the “black hole of the internet,” is a tactic where
DNS queries are deliberately redirected to different IP addresses, typically for security or
control reasons.
➢ Imagine typing a website’s address into your browser and being sent to an empty room
instead of your desired destination.
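The DNS sinkhole bullets above describe queries being redirected to a different address. The following is an added example, not code from the notes or from any resolver: a minimal resolver front-end that answers any name on a constructed blocklist (including its subdomains) with a constructed sinkhole address and records which client asked, and forwards everything else to an upstream lookup. The recording is the part a defender cares about: a host that queries a sinkholed name is a host worth investigating.

```python
# Constructed values (not from the notes): an internal address that serves
# nothing, and a blocklist of names to sinkhole.
SINKHOLE_IP = "10.255.255.1"
BLOCKLIST = {"bad-c2.example", "update-fake.example"}

# Records of who asked for a sinkholed name; this is the detection output.
SINKHOLE_LOG = []


def is_blocked(qname: str) -> bool:
    """True if the name or any parent domain is on the blocklist."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def resolve(qname: str, client_ip: str, upstream) -> str:
    """Answer from the sinkhole for blocked names, else ask the upstream
    resolver (any callable name -> address)."""
    if is_blocked(qname):
        SINKHOLE_LOG.append({"client": client_ip, "qname": qname})
        return SINKHOLE_IP
    return upstream(qname)


def _constructed_upstream(qname: str) -> str:
    # Stand-in for a real recursive resolver, with constructed answers.
    return {"www.example.org": "93.184.216.34"}.get(qname, "0.0.0.0")


if __name__ == "__main__":
    print(resolve("www.example.org", "10.0.0.7", _constructed_upstream))
    print(resolve("cdn.bad-c2.example", "10.0.0.7", _constructed_upstream))
    print(SINKHOLE_LOG)
```

Matching parent domains matters because malware rarely uses the exact name on the list; the client that asked for `cdn.bad-c2.example.` must be caught by the `bad-c2.example` entry.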
