Cyber Security Fundamentals Notes

• Cyber security is the name we give to the study of methods we

can use to reduce the likelihood of cyber-attacks however they
originate and what are their motivations.

• Risk management involves understanding the value of the

assets we wish to protect, and the size of the various threats
these assets face. The process of Cataloguing these risks and
understanding their seriousness is known as risk assessment.

• We need to continuously monitor both the effectiveness of our

security controls in preventing security breaches and the
changing security landscape, and update our risk assessment
and our security controls as appropriate. This monitoring
includes a range of types of auditing, ranging from formal
paper-based audits to penetration tests, where authorized
security experts attempt to breach cyber security using the
methods employed by hackers.

• ISMS = Information Security Management System

• Providing cyber security involves implementing security

controls to prevent damage to information assets.
• There are four main ways to approaching a risk.
1. First and perhaps most obviously we can implement
security controls to try to reduce the level of risk; this is
called risk modification. Ex: Encrypting the database or
both encrypting and security token like 2 factor
authentication.
2. Second, for some risks a decision can be made to live with
the risk in unmodified form; this is known as risk
acceptance.
3. A third possibility is risk sharing, where one or more 3rd
parties bear some of the risk. This could, for example,
involve an insurance policy where an organization pays an
annual fee to an insurance company who will reimburse
the organization if the risk is realized.
4. The final possibility is known as risk avoidance. In this
case it may be decided that the risk is significant, but yet
the value of the asset to the organization is not high. In
such a case, the organization could decide to stop
engaging in the activity that bears the risk. For example, if
the risk relates to a database of personal data and the
legal penalties for security breaches to this database are
high, but yet the value to the organization is small, then
the organization could decide to delete the database
altogether.
• There are two main categories of security control, namely
preventive controls and reactive controls.
1. Preventive controls are probably the ones we think of
first. These are measures designed to prevent cyber
security breaches or at least make them less likely to
occur. For example: using a password manager enables us
to set up a unique, strong password for every website we
engage with, thereby reducing the risk of password
compromise and unauthorized access to our resources;
setting up our phone or tablet so that after a short period
of inactivity it will require unlocking; using a fingerprint
scan or facial recognition reduces the risks arising from a
lost or stolen device; and performing regular backups
protects against the case where data is deliberately or
accidentally corrupted or deleted.
2. Reactive controls are perhaps a little less obvious. There
are many types of reactive controls, such as intrusion
detection systems that are designed to detect
unauthorized activity within a system. A network
intrusion detection system will monitor network traffic to
look for unusual patterns which may indicate an ongoing
attack, and a host intrusion detection system will look for
unusual behaviour within a system.

• Incident management systems enable users to report possible

cyber security breaches and for them to be handled in a timely
and organized way with key actions logged for later auditing
and learning of lessons.

• Incident management systems enable users to report possible

cyber security breaches and for them to be handled in a timely
and organized way with key actions logged for later auditing
and learning of lessons.
• Predefined reporting procedures enable an organization to
make a coherent response to an incident, including notifying
regulatory and law enforcement bodies in a timely and
appropriate way.

• Some security controls are both preventive and reactive. For

example, enhancing the security knowledge and awareness of
staff members should help to reduce the likelihood of security
breaches as well as enhancing the effectiveness of responses to
breaches.

• Access to data can lead to either disclosure or modification or

both. This leads to a possible way of defining cyber security in
terms of preventing three main types of threat: unauthorized
disclosure of data (unauthorized reading), unauthorized
modification of data (unauthorized writing), and loss of
authorized access to data or processing resources.

• We define cyber security as maintaining the confidentiality,

integrity, and availability of information where confidentiality,
integrity, and availability equate to preventing unauthorized
disclosure, preventing unauthorized modification, and
preventing loss of authorized access, respectively. This then
leads to the three-letter abbreviation CIA, which is very widely
used as a shorthand for this simple definition of cyber security.
• Two particularly important examples are ISO/IEC 27002 and
NIST Special Publication 800-53. The internationally
standardized catalog, ISO/IEC 27002, has a long history, and it's
very widely used. The 2013 edition of the standard describes
114 security controls in 14 categories, including security
policies, human resource security, cryptography, and
communication security. The 2022 major revision of the
standard includes slightly fewer controls, 93, arranged in four
broader categories: organizational controls, people controls,
physical controls, and technological controls.

Security Audits

• One type of security audit would involve an internal auditor, i.e.

a member of the organization's own audit team, regularly
reviewing security incident information, including both
automatically generated reports and manually completed
incident report forms.

• Another different type of audit would involve penetration

testers, who could be company employees or external experts,
probing systems using methods deployed by cyber attackers, to
see if the deployed controls effectively prevent cyber-attacks.

• Another type of audit would involve checking the integrity of

stored archived data. This might involve verifying check values
computed as a function of the entire dataset, perhaps
generated using cryptographic methods. The idea behind such
an approach, would be that any changes in the data would
mean that the check value becomes invalid, indicating loss of
integrity.
• Information used in an organization, once it has been
generated, faces two main kinds of threat to its confidentiality
and integrity - threats that apply when the data is at rest, i.e.
stored in a server, desktop computer, laptop, tablet, phone or
standalone storage device, such as a USB drive, and threats
that apply when the data is in motion, i.e. being communicated
across a network of some kind, whether it's wireless such as
Wi-Fi, Bluetooth or a mobile phone network, or wired,
including office LANs, conventional phone cable, or optic fiber
broadband.

• Cryptographic check values can be generated as a function of a

block of data in such a way that (a) any changes to the data will
mean that the check value will no longer be correct and (b)
generating a check value for a modified block of data requires
knowledge of a cryptographic key which should not be
available to unauthorized parties.

Cryptography

• A literal translation of the word cryptography from the Greek

words cryptos, which means hidden, and graphia, means
writing, is probably as old as writing itself.
• This led to the need for methods for encryption or ciphers,
ways of transforming or encrypting a message into a form
which hides its true content, what is usually called the
ciphertext, and which can only be transformed back into its
original form, known as the plaintext, by the intended
recipient. This process is usually called decryption.

• Parallel science of cryptanalysis, that is the study of methods of

breaking ciphers, i.e. finding ways to recover the plaintext from
the ciphertext without being one of the authorized parties. An
individual performing cryptanalysis is known as a cryptanalyst.
• The only thing we can rely on remaining unknown to the
cryptanalyst is the secret key.

• The simplest method of cryptanalysis is known as a brute force

key search. This involves working one-by-one through every
possible key value until the correct one is found. For each key
value, the ciphertext is decrypted using this key. If the result
matches the known plaintext, then the key is assumed to be
correct and the search halts. Otherwise, the next key is tried.

• Most modern ciphers will at least have 10 to the power 38

keys, meaning that brute-force key searches are completely
infeasible.

• The concept of a message authentication code or MAC,

emerged in the 1970s to address the need of verifying the
message.

•
• just as with encryption, using a MAC requires the sender and
receiver to share a secret key. When sending a message, the
sender uses the MAC algorithm and the secret key to compute
the MAC, a fixed length bit string or check value, which is then
sent with the message. The recipient of a message does exactly
the same calculation using the received message, and if the
newly computed MAC agrees with the value sent with the
message, then the recipient knows the message has not been
modified in transit.

• If both integrity and confidentiality protection are required, the

sender can first encrypt the message and then compute a MAC
on the encrypted message using two separate keys. The
receiver can verify the MAC before decrypting the message.

• Finally, in the late 1970s, Diffie and Hellman introduced the

notion of a digital signature.

• If a key for a cipher consists of a string of n bits, for some whole

number n, then the number of possible keys is 2 to the power
n, i.e., 2 multiplied by itself n times. For n=64. A common key
length in the past, this means there are 2^64 keys. That is over
18 million, million, million keys, or using scientific notation, 1.8
x 10^19.
• DES, short for Data Encryption Standard, cipher. This cipher was
published in 1976 by the US National Bureau of Standards,
since replaced by the National Institute of Standards and
Technology, or NIST, and was intended for US Federal
Government use. The DES cipher uses 56-bit keys. Actually, it
uses 64-bit keys, but eight of the key bits are not used in
encryption and so, in effect, it uses a 56-bit key. This means
there are two to the power of 56 possible keys, i.e., just over
72,000 million million.

• A 64-bit key is 256 times more difficult to break. That is, a

brute-force search would take 256 times as long as for a 56-bit
key. However, it still doesn't give a sufficient margin of comfort,
given that hardware continues to become cheaper and more
effective over time. As a result, a typical key length for a
modern cipher is 128 bits.

• The study of trying to break cryptographic algorithms is known

as cryptanalysis.

• There are many ways of distributing keys, ranging from manual

distribution, for example, using trusted couriers, to the use of
complex cryptographic protocols based on a hierarchy of keys
in which key encrypting keys are used to encrypt data
encryption keys.

• Two main types of attack can be conducted against a MAC

algorithm: forgery attacks and key recovery attacks.
• A successful forgery attack would enable a third party to
generate a valid MAC for a message without knowing the secret
key. That is, for a MAC algorithm to be secure it's necessary
that, even if an attacker knows a number of message-MAC
pairs, all generated using the same secret key, the attacker isn't
able to generate a new valid message and MAC pair.

• A key recovery attack would enable an attacker to work out all

or part of the secret key used to generate some observed pairs
of messages and MACs. Obviously, if a complete key is
recovered, this is the most powerful attack, since it would allow
any number of forgeries. That is, for a MAC algorithm to be
secure, it's necessary that, even if an attacker knows a number
of message and MAC pairs all generated using the same secret
key, the attacker isn't able to work out all or part of the key
used to generate the MACs.

• One important practical issue is that using a MAC will obviously

slightly extend the length of the transmitted message. Since the
MAC needs to be sent along with the message it's protecting.