Cisco Cybersecurity Fundamentals Course
This chapter explains what cybersecurity is and why the demand for cybersecurity
professionals is growing. It explains what your online identity and data are, where they are
located and why they are of interest to cybercriminals.
This chapter also discusses what an organization's data is and why it should be
protected. It analyzes who the cyber attackers are and what they want. Cybersecurity
professionals must have the same skills as cyber attackers, but cybersecurity
professionals must work in accordance with local, national and international law.
Cybersecurity professionals must also use their skills ethically.
This chapter also includes content that briefly explains cyber warfare and why nations
and governments need cybersecurity professionals to protect their citizens and
infrastructure.
What is cybersecurity?
The connected electronic information network has become an integral part of our daily
lives. All types of organizations such as medical, financial and educational institutions
use this network to function effectively. They use the network to collect, process, store
and share large amounts of digital information. As more digital information is collected
and shared, protecting this information becomes even more important to our national
security and economic stability.
Cybersecurity is the constant effort to protect these network systems and all data from
unauthorized use or damage. On a personal level, you must protect your identity, your
data, and your computing devices. At the corporate level, it is everyone's responsibility
to protect the organization's reputation, data, and customers. At the state level, national
security, and the safety and well-being of citizens, are at stake.
As you spend more time online, your identity, online and offline, can affect your life. Your
offline identity is the person your friends and family interact with daily at home, school,
or work. They know your personal information, such as your name, age, or where you
live. Your online identity is who you are in cyberspace. Your online identity is how you
present yourself to others online. This online identity should only reveal a limited amount
of information about you.
You should be careful when choosing a username or alias for your online identity. The
username must not contain personal information. It should be something appropriate and
respectful. This username should not lead strangers to think that you are an easy target
for cybercrime or unwanted attention.
Your data
Any information about you can be considered your data. This personal information may
uniquely identify you as an individual. This data includes the images and messages you
exchange with your family and friends online. Other information, such as your name,
social security number, date and place of birth, or your mother's maiden name, is known to
you and is used to identify you. Information such as medical, educational, financial, and
employment information may also be used to identify you online.
Medical record
Every time you go to the doctor's office, more information is added to your medical
history. Your GP's prescription becomes part of your medical history. Your medical
history includes your physical and mental condition, and other personal information that
may not be medically related. For example, if you attended therapy during childhood
when major changes occurred in the family, this will be listed somewhere in your
medical records. In addition to your medical history and personal information, your
medical history may also include information about your family.
Medical devices such as fitness bracelets use cloud platforms to enable wireless
transfer, storage and display of clinical data such as heart rate, blood pressure and blood
sugar. These devices can generate a tremendous amount of clinical data that can
become part of your medical record.
Educational history
As you progress in your education, information about your grades and test scores, your
attendance, courses taken, awards and degrees acquired, as well as any disciplinary
reports may be in your educational record. This history may also include contact
information, health and your immunization history, as well as a history of special
education, including individualized educational programs.
Your financial history may include information about your income and expenses. Tax
history may include pay stubs, credit card statements, your credit score, and other
banking information. Your employment information may include your previous
employment and performance.
All this information is about you. There are different laws that protect privacy and data in
your country. But do you know where your data is?
When you are at the doctor's office, the conversation you have with the doctor is
recorded in your medical record. For billing purposes, this information may be shared
with the insurance company to ensure proper billing and quality. Now, a part of your
medical history from the visit is also with the insurance company.
Store loyalty cards can be a convenient way to save money on your purchases. However,
the store compiles a profile of your purchases and uses that information for its own use.
The profile shows that a shopper buys a certain brand and flavor of toothpaste regularly.
The store uses this information to target the shopper with special offers from the
marketing partner. With the loyalty card, the store and the marketing partner have a
profile of a customer's purchasing behavior.
When you share your images online with your friends, do you know who can have a copy
of the images? The copies of the images are on your own devices. Your friends may have
copies of those images downloaded to their devices. If the images are shared publicly,
strangers may have copies of them as well. They could download said images or take
screenshots of said images. Because the images were posted online, they are also
stored on servers located in different parts of the world. Now images are no longer just
on your computing devices.
Your computing devices don't just store your data. Now these devices have become the
portal to your data and generate information about you.
Unless you have selected to receive paper statements for all of your accounts, you use
your computing devices to access the data. If you want a digital copy of your latest
credit card statement, use your computing devices to access the credit card issuer's
website. If you want to pay your credit card bill online, you access your bank's website
to transfer the funds with your computing devices. In addition to allowing you to access
your information, computing devices may also generate information about you.
With all this information about you available online, your personal data has become
profitable for hackers.
Your online credentials are valuable. These credentials give thieves access to your
accounts. You may think that frequent flyer miles are worthless to
cybercriminals, but think again. After approximately 10,000
American Airlines and United accounts were hacked, cybercriminals were booking free
flights and upgrades with these stolen credentials. Although the frequent flyer miles
were returned to customers by the airlines, this demonstrates the value of login credentials.
A criminal could also take advantage of your relationships. They can access your online
accounts and reputation to trick you into transferring money to your friends or family.
The criminal may send messages stating that your family or friends need you to transfer
money to them so they can return from abroad after losing their wallets.
Criminals are very imaginative when trying to trick you into giving them money. They
don't just steal your money; they can also steal your identity and ruin your life.
As medical costs rise, medical identity theft also increases. Identity thieves can steal
your health insurance and use your health benefits for themselves, and these medical
procedures are now in your medical records.
Annual tax filing procedures may vary from country to country; however, cybercriminals
see this as an opportunity. For example, people in the United States need to file their
taxes by April 15 of each year. The Internal Revenue Service (IRS) does not check tax
returns against employer information until July. An identity thief can file a false tax
return and collect the refund. Legitimate filers will only notice when their own returns are
rejected by the IRS. With the stolen identity, thieves can also open credit card accounts and
rack up debts in your name. This will damage your credit rating and make it
more difficult for you to obtain loans.
Personal credentials can also allow access to corporate and government data.
Traditional data
Corporate data includes personnel information, intellectual property and financial data.
Personnel information includes application materials, payroll, offer letters, employee
agreements, and any information used to make employment decisions. Intellectual
property, such as patents, trademarks, and new product plans, allows a company to gain
an economic advantage over its competitors. This intellectual property may be
considered a trade secret; losing this information can be disastrous for the future of the
company. Financial data such as a company's income statements, balance sheets, and
cash flow statements provide information about the health of the company.
With the rise of the Internet of Things (IoT), there is much more data to manage and
secure. The IoT is a large network of physical objects, such as sensors and equipment,
that extends beyond the traditional computer network. All of these connections, plus the
fact that we have expanded storage capacity and services through the cloud and
virtualization, lead to exponential data growth. This data has created a new area of
interest in technology and business called “big data.” With the speed, volume and variety
of data generated by the IoT and daily business operations, the confidentiality, integrity
and availability of this data is vital to the survival of the organization.
Confidentiality, integrity and availability, known as the CIA triad (Figure 1), are a guide to
an organization's IT security. Confidentiality ensures data privacy by restricting access
through authentication and encryption. Integrity ensures that information is accurate and
reliable. Availability ensures that information is available to authorized people.
Confidentiality
Another term for confidentiality would be privacy. Company policies should restrict
access to information to authorized personnel and ensure that only authorized people
will see this data. Data can be divided into sections based on the level of security or
sensitivity of the information. For example, a Java developer should not have access to
the personal information of all employees. Additionally, employees should be trained to
understand best practices for safeguarding sensitive data to protect themselves and the
company from attacks. Methods to ensure confidentiality include data encryption,
username and password, two-factor authentication, and minimizing exposure of sensitive
information.
Integrity
Integrity is the accuracy, consistency, and reliability of data throughout its lifecycle. The
data must remain unchanged during transfer and must not be modified by unauthorized
entities. File permissions and user access control can prevent unauthorized access.
Version control can be used to prevent accidental changes by authorized users. Backups
must be available to restore corrupted data, and a hash checksum can be used to
verify data integrity during transfer.
The checksum is used to verify the integrity of files, or strings of characters, after they
have been transferred from one device to another over your local network or the Internet.
Checksums are calculated with hash functions. Some of the common checksums are
MD5, SHA-1, SHA-256, and SHA-512. A hash function uses a mathematical algorithm to
transform data into a fixed-length value that represents the data, as shown in Figure 2.
The hash value is only there for comparison. From the hash value, the original data
cannot be recovered directly. For example, if you forgot your password, your password
cannot be recovered from the hash value. The password must be reset.
After downloading a file, you can verify its integrity by comparing the hash values from
the source with the one you generated with any hash calculator. By comparing hash
values, you can ensure that the file has not been altered or damaged during the transfer.
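As an added illustration (not part of the course text), the verification step described above in Python: the file is hashed in chunks with one of the algorithms the text lists, then compared in constant time against the value the publisher posted. The sample file and its "published" hash are constructed inside the block.

```python
import hashlib
import hmac
import os
import tempfile

# Algorithms the text lists as common checksums. MD5 and SHA-1 are kept only
# because some publishers still print them; prefer SHA-256 or SHA-512.
SUPPORTED = {"md5", "sha1", "sha256", "sha512"}


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory byte string (for short strings of characters)."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported checksum algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 16) -> str:
    """Hash a file in fixed-size chunks so a multi-gigabyte download is never
    read into memory at once."""
    if algorithm not in SUPPORTED:
        raise ValueError(f"unsupported checksum algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_hex: str, algorithm: str = "sha256") -> bool:
    """Compare the locally computed digest with the value the publisher posted.

    The published value must come from a source trusted independently of the
    download itself (a signed release note, the vendor's own HTTPS page); a hash
    served next to the file on a tampered mirror proves nothing.
    compare_digest avoids leaking where the two strings first differ.
    """
    actual = file_digest(path, algorithm)
    expected = published_hex.strip().lower()
    return hmac.compare_digest(actual, expected)


def demo() -> tuple:
    """Constructed walk-through: write a sample file, record its SHA-256 as the
    'published' value, verify it, then flip one byte and verify again.
    Returns (verified_before_tampering, verified_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"constructed sample download contents\n" * 1000)
        published = file_digest(path, "sha256")  # stands in for the vendor's value
        before = verify_download(path, published, "sha256")

        # Corrupt a single bit in the middle; the digest changes completely.
        with open(path, "r+b") as f:
            f.seek(5000)
            byte = f.read(1)
            f.seek(5000)
            f.write(bytes([byte[0] ^ 0x01]))
        after = verify_download(path, published, "sha256")
    return before, after


if __name__ == "__main__":
    print(demo())  # (True, False)
```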
Availability
Protecting organizations against every possible cyberattack is not feasible, for several
reasons. The expertise required to set up and maintain a secure network can be
expensive. Attackers will always continue to find new ways to target networks. Over
time, an advanced and targeted cyberattack will succeed. The priority then will be how
quickly your security team can respond to the attack to minimize data loss, downtime
and lost revenue.
You now know that anything posted online can live online forever, even if you managed
to delete all copies in your possession. If your servers were attacked, sensitive staff
information could become public. A hacker (or hacking group) can vandalize the
company's website by posting false information and ruining the reputation of the
company that took years to create. Hackers can also take down a company's website
and cause it to lose revenue. If the website is left inactive for longer periods of time, the
company may appear unreliable and possibly lose credibility. If the company's website or
network has had a security breach, this could lead to the leak of confidential documents,
the disclosure of trade secrets, and the theft of intellectual property. The loss of all this
information can impede the growth and expansion of the company.
The monetary cost of an attack is much greater than simply replacing lost or stolen
devices, investing in existing security, and strengthening the physical security of the
building. The company will be responsible for contacting all customers affected by the
breach and may need to prepare for legal proceedings. With all this confusion, employees
may choose to leave the company. The company may need to focus less on growth and
more on repairing its reputation.
Online password manager LastPass detected unusual activity on its network in July
2015. It turned out that hackers had stolen users' email addresses, password reminders,
and authentication hashes. Fortunately for users, hackers were unable to obtain
anyone's encrypted password repository.
Even though there was a security breach, LastPass was still able to protect users'
account information. LastPass requires email verification or multi-factor authentication
every time there is a new login from an unknown device or IP address. Hackers would
also need the master password to access the account.
LastPass users also have some responsibility for protecting their accounts. Users should
always use complex master passwords and change master passwords periodically.
Users should always be wary of phishing attacks. An example of a phishing attack would
be an attacker sending fake emails on behalf of LastPass. The emails request that users
click on an embedded link and change the password. The link in the email leads to a
fraudulent version of the web page, used to steal the master password. Users should not
click on links embedded in an email. Users should also be careful about the password
reminder. The password reminder should not reveal your passwords. Most importantly,
users should enable two-step authentication when it is available for any website that
offers it.
If users and service providers use appropriate tools and procedures to protect user
information, user data could be protected, even in the event of a security breach.
High-tech children's toy maker Vtech suffered a security breach in its database in
November 2015. This security breach could affect millions of customers around the
world, including children. The data breach exposed sensitive information, including
customer names, email addresses, passwords, images, and chat logs.
Toy tablets had become a new target for hackers. Customers had shared photos and
used chat functions on the toy tablets. The information was not properly secured, and
the company's website did not support secure communication with SSL. Although the
security breach did not expose any credit card information or personally identifiable
data, the company was suspended from the stock exchange due to concerns about the
immensity of the attack.
Vtech did not properly protect customer information and it was exposed during the
security breach. Although the company informed its customers that their passwords had
been encrypted, it was still possible for hackers to crack them. The passwords in the
database were encrypted using the MD5 hash function, but the security questions and
answers were stored in clear text. Unfortunately, the MD5 hash function has known
vulnerabilities. Hackers can determine original passwords by comparing millions of
previously calculated hash values.
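As an added example (not part of the course text), a small Python demonstration of the weakness described above and of its fix: unsalted MD5 gives every user with the same password the same hash, so one precomputed table covers all of them, while a random per-user salt with a slow key derivation (PBKDF2-HMAC-SHA256) makes the table useless. The password list and the two users are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed, tiny stand-in for the "millions of previously calculated hash
# values" the text mentions: common passwords and their MD5 digests.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the breached database relied on."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def precomputed_table(words) -> dict:
    """hash -> password. Built once, it applies to every unsalted MD5 store."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(stored_hex: str, table: dict) -> Optional[str]:
    """Recover a password from an unsalted hash by table lookup (None if absent).
    No cryptanalysis is involved: identical inputs always give identical hashes."""
    return table.get(stored_hex.lower())


def store_salted(password: str, iterations: int = 600_000,
                 salt: Optional[bytes] = None) -> tuple:
    """Salted, deliberately slow hash. The random per-user salt means a
    precomputed table matches nothing, and the iteration count makes each
    guess expensive. Returns (salt, derived_key); both are stored."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, key


def verify_salted(password: str, salt: bytes, key: bytes,
                  iterations: int = 600_000) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)


def demo() -> dict:
    """Two constructed users who chose the same weak password, stored both ways.
    A low iteration count keeps the demo fast; production should use the default."""
    table = precomputed_table(COMMON_PASSWORDS)
    unsalted_a = md5_hex("qwerty")
    unsalted_b = md5_hex("qwerty")
    salt_a, key_a = store_salted("qwerty", iterations=50_000)
    salt_b, key_b = store_salted("qwerty", iterations=50_000)
    return {
        "unsalted_identical": unsalted_a == unsalted_b,   # one lookup cracks both users
        "unsalted_recovered": lookup_unsalted(unsalted_a, table),
        "salted_identical": key_a == key_b,               # False: the salts differ
        "salted_in_table": key_a.hex() in table,          # False: table is useless here
        "salted_verifies": verify_salted("qwerty", salt_a, key_a, iterations=50_000),
    }


if __name__ == "__main__":
    print(demo())
```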
With the information exposed in this data breach, cybercriminals were able to use it to
create email accounts, apply for credit, and commit crimes before children were old
enough to go to school. As for the parents of these children, cybercriminals were able to
take over online accounts because many people reuse passwords across various
websites and accounts.
The security breach not only affected the privacy of customers, but also ruined the
company's reputation, as indicated by the company when its presence on the stock
exchange was suspended.
For parents, it is a wake-up call to be more careful about their children's privacy online
and request better security for children's products. As for manufacturers of network-
connected products, they must be more aggressive in protecting customer data and
privacy now and in the future, as the cyberattack landscape evolves.
Equifax Inc. is one of the United States' national consumer credit reporting agencies.
This company collects information from millions of individual and business customers
around the world. Based on the information collected, credit scores and credit reports
are created about customers. This information could impact customers when applying
for loans and seeking employment.
In September 2017, Equifax publicly announced a data breach event. Attackers exploited
a vulnerability in Apache Struts web application software. The company believes that
cybercriminals had access to millions of sensitive personal data of American consumers
between May and July 2017. Personal data includes customers' full names, social
security numbers, dates of birth, addresses and other personally identifiable information.
There is evidence that the breach could have affected customers in the United Kingdom
and Canada.
As a concerned consumer, you will want to quickly check if your information has been
compromised so you can minimize the impact. In a time of crisis, you can be tricked into
using unauthorized websites. You should be careful when providing personal information
so as not to become a victim again. Additionally, companies are responsible for keeping
our information protected from unauthorized access. Companies should periodically
patch and update their software to mitigate the exploitation of known vulnerabilities.
They should train their employees in the procedures for protecting information and in
what to do in the event of a breach.
Unfortunately, the real victims of this breach are the people whose data has been
compromised. In this case, Equifax has the responsibility to protect the data collected
from the consumer during the credit check, since the customers did not choose to use
the services provided by Equifax. The consumer must trust the company to protect the
information collected. Furthermore, attackers can use this data to assume your identity,
and it is very difficult to prove otherwise, since the attacker and the victim know the
same information. In these situations, the only thing you can do is be alert when
providing personally identifiable information online. Review your credit reports
periodically (once a month or once a quarter). Immediately report any false information,
such as credit applications you didn't initiate or credit card purchases you didn't make.
Types of attackers
Attackers are individuals or groups who attempt to exploit vulnerabilities for personal or
financial gain. Attackers are interested in everything from credit cards to product
designs and anything else of value.
Amateurs – Sometimes called Script Kiddies. These are generally low- or no-skilled
attackers who often use existing tools or instructions found on the Internet to carry out
attacks. Some of them are just curious, while others try to demonstrate their skills and
cause damage. They can use basic tools, but the results can still be devastating.
Hackers – This group of attackers breaks into computers or networks to gain access.
Depending on the intent of the intrusion, these attackers are classified as White, Gray, or
Black Hat. White Hat attackers enter networks or computer systems to discover
weaknesses so they can improve the security of these systems. These intrusions are
carried out with prior permission and the results are reported to the owner. On the other
hand, Black Hat attackers exploit vulnerabilities for illegal personal, financial, or political
gain. Gray Hat attackers are somewhere between the black and white hat attackers.
Gray Hat attackers may find a vulnerability in a system. Gray Hat
hackers may report the vulnerability to the system owners if that action coincides with their
agenda. Some Gray Hat hackers publish the facts about the vulnerability on the Internet
so that other attackers can exploit it.
The figure provides details on the terms white, black, and gray hat hacker.
Attacks can originate within an organization or outside it, as shown in the figure. An
internal user, such as an employee or contracted partner, may accidentally or
intentionally:
Accidentally inviting malware to your network with malicious emails or web pages
Internal threats also have the potential to cause greater damage than external threats,
because internal users have direct access to the building and its infrastructure devices.
Employees also have knowledge of the corporate network, its resources and its sensitive
data, as well as different user levels or administrative privileges.
External threats from amateurs or expert attackers can attack vulnerabilities in the
network or computing devices, or use social engineering to gain access.
Cyberspace has become another important dimension of warfare, where nations can
have conflicts without the clashes of traditional troops and machines. This allows
countries with minimal military presence to be as strong as other nations in cyberspace.
Cyberwarfare is an Internet-based conflict that involves the penetration of other
countries' computer systems and networks. These attackers have the resources and
knowledge to launch massive Internet-based attacks against other countries to cause
damage or to disrupt services, such as shutting down the entire power grid.
The primary purpose of cyber warfare is to gain advantages over adversaries, whether
they are nations or competitors.
A country can constantly invade another country's infrastructure, steal defense secrets,
and gather information on technology to close gaps in its industrial and military sectors.
In addition to industrial and military espionage, cyber warfare can damage other
countries' infrastructure and cost lives in targeted nations. For example, an attack may
affect the power grid of a major city. Traffic may be disrupted. The exchange of goods
and services stops. Patients cannot get necessary care in emergency situations. Internet
access may also be interrupted. By affecting the power grid, the attack can affect the
daily lives of ordinary citizens.
Additionally, compromised sensitive data can give attackers the ability to blackmail
personnel within the government. The information may allow an attacker to impersonate
an authorized user to access sensitive information or the computer.
If the government cannot defend itself from cyber attacks, citizens may lose confidence
in the government's ability to protect them. Cyberwarfare can destabilize a nation,
disrupt commerce, and affect citizens' faith in their government without physically
invading the target country.
This chapter explained the functions and characteristics of cybersecurity. It explained why
the demand for cybersecurity professionals will only continue to increase. The content
explains why your online identity and personal data are vulnerable to cybercriminals.
Suggestions are provided on how you can protect your identity and personal data online.
This chapter also analyzed the organization's data: what it is, where it is, and why it
should be protected. It was explained who the cyber attackers are and what they want.
Cybersecurity professionals must have the same skills as cyber attackers. Cybersecurity
professionals must work within the parameters of local, national and international law.
Cybersecurity professionals must also use their skills ethically.
Finally, this chapter briefly explained cyber warfare and why nations and governments
need cybersecurity professionals to protect their citizens and infrastructure.
If you would like to further explore the concepts in this chapter, see the Additional
Activities and Resources page in Student Resources.
This chapter covers the ways that cybersecurity professionals analyze what happened
after a cyberattack. It explains software and hardware security vulnerabilities and the
different categories of security vulnerabilities.
It discusses the different types of malicious software (known as malware) and malware
symptoms. It covers the different ways attackers can infiltrate a system, as well as
denial of service attacks.
Most modern cyber attacks are considered combined attacks. Combined attacks use
several techniques to infiltrate and attack a system. When an attack cannot be avoided,
it is the job of the cybersecurity professional to reduce the impact of the attack.
Security vulnerabilities are any type of defect in software or hardware. After gaining
knowledge about a vulnerability, malicious users attempt to exploit it. An exploit is the
term used to describe a program written to take advantage of a known vulnerability. The act of
using an exploit against a vulnerability is known as an attack. The goal of the attack is to access a
system, the data it hosts, or specific resources.
Software vulnerabilities
In 2015, a major vulnerability, called SYNful Knock, was discovered in Cisco IOS. This
vulnerability allowed attackers to gain control of enterprise-grade routers, such as the
older Cisco 1841, 2811, and 3825 routers. The attackers were thus able to monitor all
network communications and had the ability to infect other devices on the network. This
vulnerability was introduced into the system when an altered version of IOS was
installed on the routers. To avoid this, always verify the integrity of the downloaded IOS
image and limit physical access to the device to authorized personnel only.
The goal of software updates is to stay up-to-date and prevent vulnerabilities from being
exploited. While some companies have penetration testing teams dedicated to finding
and fixing software vulnerabilities before they can be exploited, there are independent
security researchers who also specialize in finding software vulnerabilities.
Google's Project Zero is an excellent example of this practice. After discovering several
vulnerabilities in the various software programs used by end users, Google formed a
team dedicated to finding software vulnerabilities. Google's security research can be
found here.
Hardware vulnerabilities
Hardware vulnerabilities often arise through hardware design flaws. RAM, for example,
basically consists of capacitors installed very close to each other. It was discovered
that, due to proximity, constant changes applied to one of these capacitors could
influence neighboring capacitors. Due to this design flaw, a vulnerability called
Rowhammer was generated. By repeatedly writing memory to the same addresses, the
Rowhammer attack allows data to be recovered from memory cells at nearby addresses,
even if the cells are protected.
Hardware vulnerabilities are specific to device models and are generally not targeted by
random compromise attempts. While hardware vulnerabilities are more common in highly
targeted attacks, traditional malware protection and physical security are sufficient to
protect the average user.
Most software security vulnerabilities fall into one of the following categories:
Buffer Overflow: This vulnerability occurs when data is written beyond the limits of a
buffer. Buffers are areas of memory allocated to an application. By writing data beyond
the boundaries of a buffer, the application accesses memory allocated to other
processes. This can lead to a system crash, data compromise, or escalation of
privileges.
Unvalidated input: Programs often work with data entry. This data entering the program
may contain malicious content designed to cause the program to behave in unwanted
ways. Consider a program that receives an image for processing. A malicious user could
create an image file with invalid image dimensions. Maliciously created dimensions
could force the program to allocate buffers of incorrect and unexpected sizes.
Race Conditions: This vulnerability occurs when the outcome of an event depends on
ordered or timed results. A race condition becomes a source of vulnerability when the
required ordered or timed events do not occur in the correct order or at the proper time.
Weaknesses in security practices: Sensitive systems and data can be protected with
techniques such as authentication, authorization, and encryption. Developers should not
attempt to create their own security algorithms because they are likely to introduce
vulnerabilities. It is strongly recommended that developers use already created,
approved and verified security libraries.
Access control issues: Access control is the process of controlling who does what, from
managing physical access to computers to determining who has access to a resource,
such as a file, and what they can do with it, such as reading or modifying it. Many security
vulnerabilities are generated by the incorrect use of access controls.
Almost all access controls and security practices can be bypassed if the attacker has
physical access to the targeted computers. For example, no matter whether you have set
permissions on a file, the operating system cannot prevent someone from bypassing the
operating system and reading the data directly from the disk. To protect the equipment
and the data contained therein, physical access must be restricted and encryption
techniques must be used to protect the data from theft or damage.
Types of malware
Malware, short for “Malicious Software,” is any code that can be used to steal
data, bypass access controls, cause damage, or compromise a system. Below are some
common types of malware:
Spyware: This malware is designed to track and spy on the user. Spyware often includes
activity trackers, keystroke collection, and data capture. In an attempt to bypass
security measures, spyware often modifies security settings. Spyware is often grouped
with legitimate software or Trojan horses.
Bot: From the word robot, a bot is malware designed to perform actions automatically,
usually online. While most bots are harmless, an increasingly common use of malicious
bots is botnets. Multiple computers can be infected with bots programmed to silently
wait for commands provided by the attacker.
Scareware: This type of malware is designed to persuade the user to take specific
actions based on fear. Scareware fakes pop-up windows that resemble operating system
dialog windows. These windows display forged messages indicating that the system is at
risk or needs a specific program to be run to return to normal operation. In reality, no
problem was evaluated or detected and if the user accepts and authorizes the execution
of the mentioned program, the system becomes infected with malware.
Rootkit: This malware is designed to modify the operating system to create a backdoor.
The attackers then use the backdoor to access the computer remotely. Most rootkits
exploit software vulnerabilities to perform privilege escalation and modify system files. It
is also common for rootkits to modify forensic system monitoring tools, making them
very difficult to detect. Often, a computer infected by a rootkit must be cleaned and
reinstalled.
Virus: A virus is malicious executable code that is attached to other executable files,
usually legitimate programs. Most viruses require end-user activation and can activate at
a specific date or time. Viruses can be harmless and simply display an image or they can
be destructive, such as those that modify or delete data. Viruses can also be
programmed to mutate to avoid detection. Most viruses now spread via USB drives,
optical disks, network shares, or email.
Trojan: A Trojan is malware that executes malicious operations under the guise of a
desired operation. This malicious code exploits the privileges of the user who runs it.
Trojans are often found in image files, audio files or games. A Trojan differs from a virus
in that it attaches itself to non-executable files.
Worms: Worms are malicious code that replicates itself by independently exploiting
vulnerabilities in networks. Worms generally slow down networks. While a virus requires
the execution of a host program, worms can execute themselves. Except for the initial
infection, they no longer require user participation. Once the host is infected, the worm
can spread rapidly across the network. Worms share similar patterns. They all have an
activation vulnerability, a way to spread, and contain a payload.
Worms are responsible for some of the most devastating attacks on the Internet. As
shown in Figure 1, in 2001 the Code Red worm infected 658 servers. Within 19 hours, the
worm infected more than 300,000 servers, as shown in Figure 2.
Man in the Middle (MitM): MitM allows the attacker to take control of a device without
the user's knowledge. With that level of access, the attacker can intercept and capture
information about the user before relaying it to its destination. MitM attacks are widely
used to steal financial information. Many techniques and malware exist to provide MitM
capabilities to attackers.
Man in the Mobile (MitMo): A variation of the man in the middle, the MitMo is a type of
attack used to take control of a mobile device. When infected, the mobile device can be
ordered to exfiltrate sensitive user information and send it to attackers. ZeuS, an
example of an attack with MitMo capabilities, allows attackers to silently capture 2-step
verification SMS sent to users.
Malware symptoms
Regardless of the type of malware a system has been infected with, these are common
malware symptoms:
Social engineering
Social engineering is an access attack that attempts to manipulate people into taking
actions or disclosing sensitive information. Social engineers often rely on people's
willingness to help, but they also take advantage of their weaknesses. For example, an
attacker may call an authorized employee with an urgent problem that requires
immediate access to the network. The attacker can appeal to the employee's vanity or
greed, or invoke authority through name-dropping techniques.
Pretexting: This is when an attacker calls a person and lies in an attempt to gain
access to privileged data. One example involves an attacker claiming to need
personal or financial data to confirm the target's identity.
Something for something (quid pro quo): This is when an attacker requests personal
information from a party in exchange for something, for example, a gift.
Wi-Fi password cracking is the process of detecting the password used to protect the
wireless network. These are some techniques used in password cracking:
Social engineering: The attacker manipulates a person who knows the password into
giving it to them.
Brute force attacks: The attacker tries several possible passwords in an attempt to
guess the password. If the password is a 4-digit number, for example, the attacker will
have to try each of the 10,000 combinations. Brute force attacks typically involve a word
list file. This is a text file that contains a list of words taken from the dictionary. A
program then tests each word and common combinations. Because brute force attacks
take time, complex passwords take much longer to crack. Some password cracking tools
include Ophcrack, L0phtCrack, THC Hydra, RainbowCrack, and Medusa.
Network monitoring: By listening and capturing packets sent over the network, an
attacker can discover the password, if the password is sent unencrypted (in plain text).
If the password is encrypted, the attacker can still reveal it using a password cracking
tool.
Phishing
Spear phishing is a highly targeted phishing attack. While phishing and spear
phishing both use emails to reach victims, spear phishing emails are personalized to each
specific person. The attacker investigates the target's interests before sending the
email. For example, the attacker discovers that the target is interested in cars and is
interested in purchasing a specific model. The attacker joins the same car discussion
forum where the target is a member, posts an offer to sell the car, and sends an email to
the target. The email contains a link to images of the car. When the target clicks on the
link, the malware is installed on the target's computer.
Exploitation of vulnerabilities
Step 1. Collection of information about the target system. This can be done in many
different ways, such as with a port scanner or through social engineering. The goal is to
learn as much as possible about the target computer.
Step 2. Some of the pertinent information learned in Step 1 may be the operating
system, its version, and a list of the services it runs.
Step 3. Once the target operating system and version is known, the attacker looks for
any known vulnerabilities specific to that OS version or other operating system services.
Step 4. When a vulnerability is found, the attacker seeks to use a previously developed
attack. If no attack has been developed, the attacker may consider developing one.
One way to achieve infiltration is through advanced persistent threats (APT). These
consist of a cautious and advanced multi-phase long-term operation against a specific
target. Due to the complexity and skill level required, APTs are generally well funded.
APTs target organizations or nations for political or commercial reasons.
DoS
Denial of service (DoS) attacks are a type of network attack. A DoS attack results in
some type of interruption of network service to users, devices, or applications. There are
two main types of DoS attacks:
Overwhelming amount of traffic: This occurs when a large amount of data is sent to a
network, host, or application at a speed that it cannot handle. This causes a decrease in
transmission or response speed or a failure of a device or service.
Maliciously formatted packets: This happens when a maliciously formatted packet is sent
to a host or application and the receiver cannot handle it. For example, an attacker
sends packets that contain errors that applications cannot identify, or forwards
incorrectly formatted packets. This causes the receiving device to run very slowly or
stop.
DoS attacks are considered a major risk because they can easily disrupt communication
and cause significant loss of time and money. These attacks are relatively simple to
carry out, even by an inexperienced attacker.
DDoS
A distributed DoS (DDoS) attack is similar to a DoS attack but comes from multiple
coordinated sources. For example, a DDoS attack could occur as follows:
An attacker creates a network of infected hosts, called a botnet. Infected hosts are
called zombies. Zombies are controlled by handler systems.
Zombie computers constantly scan and infect more hosts, creating more zombies. When
ready, the attacker provides instructions to the handler systems for the zombie
botnet to carry out a DDoS attack.
Search engines, such as Google, work by ranking pages and presenting relevant results
according to users' search queries. Depending on the importance of the website's
content, it may appear higher or lower in the list of search results. Search engine
optimization (SEO) is a set of techniques used to improve the ranking of a website by a
search engine. Although many legitimate companies specialize in website optimization
to improve their rankings, a malicious user can use SEO to make a malicious website
appear higher in search results. This technique is called SEO poisoning.
The most common goal of SEO poisoning is to increase traffic to malicious sites that may
host malware or engage in social engineering. To force a malicious site to rank higher in
search results, attackers take advantage of popular search terms.
What is a combined attack?
Combination attacks are attacks that use various techniques to compromise a target. By
using several simultaneous attack techniques, attackers have malware that combines
worms, Trojans, spyware, keyloggers, spam, and phishing schemes. This trend of
combined attacks reveals more complex malware and puts user data at great risk.
The most common types of combined attacks use spam emails, instant messages, or
legitimate websites to distribute links where malware or spyware is secretly downloaded
to the computer. Another common combined attack uses DDoS combined with phishing
emails. First, the DDoS attack is used to take down a popular bank website, and emails
are sent to its customers apologizing for the inconvenience. The email also redirects users
to a fake emergency site where real login information can be stolen.
Many of the most damaging computer worms, such as Nimda, CodeRed, BugBear, Klez,
and Slammer, are best categorized as combined attacks, as shown below:
Other Nimbda variants can modify system guest accounts to provide the attacker or
malicious code with administrative privileges.
The recent Conficker and ZeuS/LICAT worms are also combined attacks. Conficker uses
all traditional distribution methods.
It is important to understand that the impact of a security breach is not only related to
the technical aspect (stolen data, damaged databases or damage to intellectual
property); the damage also extends to the company's reputation. Responding to a data
breach is a very dynamic process.
Below are some important steps a company should take when it identifies a security
breach, according to many security experts:
Communicate the problem. Internally inform employees of the problem and call
them to action. Externally inform customers through direct communication and
official announcements. Communication creates transparency, which is crucial for
this type of situation.
Provide details. Explain why the situation occurred and what was affected. The
company is also expected to cover the costs of identity theft protection services for
affected customers.
Understand what caused and facilitated the security breach. If necessary, hire
computer forensic experts to investigate and find out the details.
Ensure all systems are clean, no backdoors have been installed, and nothing else is
compromised. Attackers will often try leaving a backdoor to facilitate future
breaches. Make sure this doesn't happen.
This chapter covers the ways cybersecurity professionals analyze what happened after a
cyberattack. It explains security vulnerabilities in software and hardware and the different
categories of security vulnerabilities.
It explains the different types of malicious software (known as malware) and the symptoms
of malware. Some of the malware analyzed included viruses, worms, Trojans, spyware,
adware and others.
It covered the different ways attackers can infiltrate a system, including social
engineering, cracking Wi-Fi passwords, phishing, and exploiting vulnerabilities. Different
types of denial of service attacks were also explained.
Combined attacks use several techniques to infiltrate and attack a system. Many of the
most damaging computer worms, such as Nimda, CodeRed, BugBear, Klez, and
Slammer, are best categorized as combined attacks. When an attack cannot be
avoided, it is the job of the cybersecurity professional to reduce the impact of said
attack.
If you would like to further explore the concepts in this chapter, see the Additional
Activities and Resources page in Student Resources.
This chapter focuses on your personal devices and personal data. It includes tips for
securing your devices, creating strong passwords, and using wireless networks safely. It
also discusses keeping your data protected.
Your online data is worth a lot to cyber criminals. This chapter briefly covers
authentication techniques to help you keep your data protected. Additionally, it covers
options for improving the security of your online data with tips on what to do and what
not to do online.
Your computing devices store your data and are the portal to your online life. The
following is a short list of steps to follow to protect your computing devices from
intrusions:
Use antivirus and antispyware: Malicious software such as viruses, trojans, worms,
ransomware, and spyware install on computing devices without your permission to
gain access to your computer and its data. Viruses can destroy your data, slow
down your computer, or take over your computer. One way viruses can take over
your computer is by allowing spammers to send emails from your account. Spyware
may monitor your online activities, collect your personal information, or send
unwanted pop-up ads to your web browser while you are online. A good rule of
thumb is to only download software from trusted websites to avoid getting spyware
in the first place. Antivirus software is designed to scan your computer and
incoming email for viruses and remove them. Sometimes antivirus software also
includes antispyware. Keep your software up to date to protect your computer from
recent malicious software.
Manage your operating system and browser: Hackers are always trying to exploit
vulnerabilities in your operating systems and web browsers. To protect your
computer and data, set the security settings on your computer or browser to
medium or high. Update your computer's operating system, including web browsers,
and periodically download and install software patches and security updates from
vendors.
Protect all your devices: Your computing devices, whether PCs, laptops, tablets or
smartphones, should be password protected to prevent unauthorized access. Stored
information must be encrypted, especially in the case of sensitive or confidential
data. On mobile devices, store only the information you need, in case they are stolen or
lost while you are away from home. If any of your devices are compromised, criminals
can access all your data through your cloud storage service provider, such as iCloud
or Google Drive.
IoT (Internet of Things) devices pose an even greater risk than other electronic devices.
While desktops, laptops, and mobile devices receive frequent software updates, most IoT
devices still have their original firmware. If vulnerabilities are found in the firmware, the
IoT device is likely to remain vulnerable. To make the problem worse, IoT devices are
designed to connect to the provider's servers (call home) and request Internet access.
To access the Internet, most IoT device manufacturers rely on the customer's local
network. The result is that IoT devices are very prone to being compromised and, when
compromised, allow access to the customer's local network and its data. The best way
to protect yourself from this situation is to have IoT devices with an isolated network
shared only with other IoT devices.
Wireless networks allow Wi-Fi enabled devices, such as laptops and tablets, to connect
to the network using a network identifier known as a service set identifier (SSID). To
prevent intruders from entering your home wireless network, the default SSID and default
password for the management interface in the web browser must be changed. Hackers
are aware of this type of default login information. Optionally, the wireless router can
also be configured not to broadcast the SSID, which adds an additional barrier to
network discovery. However, this should not be considered adequate security for a
wireless network. Additionally, you must encrypt wireless communication by enabling
wireless security and the WPA2 encryption function on the wireless router. Even with
WPA2 encryption enabled, the wireless network can still be vulnerable.
In October 2017, a security flaw was discovered in the WPA2 protocol. This flaw allows
an intruder to crack the encryption between the wireless router and the wireless client,
allowing the intruder to access and manipulate network traffic. This vulnerability can be
attacked using the Key Reinstallation Attack (KRACK). It affects all modern, protected
Wi-Fi networks. To mitigate an attack, a user should update all affected products: wireless
routers and any wireless devices, such as laptops and mobile devices, as soon as
security updates are available. For laptops or other devices with a wired NIC, a wired
connection could mitigate this vulnerability. Additionally, a trusted VPN service can also
be used to prevent unauthorized access to data while using the wireless network.
When you're away from home, public wireless hotspots make it easy to access your
online information and surf the Internet. However, it is best not to access or send
sensitive personal information over a public wireless network. Check if your computer is
set up for digital file and media sharing and if it requires user authentication with
encryption. To prevent someone from intercepting your information (known as
“eavesdropping”) while using a public wireless network, use VPN tunnels and encrypted
services. The VPN service provides secure Internet access with an encrypted connection
between the computer and the VPN server of the VPN service provider. With an
encrypted VPN tunnel, even if a data transmission is intercepted, it cannot be decrypted.
Many mobile devices, such as smartphones and tablets, include the Bluetooth wireless
protocol. This functionality allows Bluetooth-enabled devices to connect with each other
and share information. Unfortunately, Bluetooth can be exploited by attackers to spy on
some devices, establish remote access controls, distribute malware, and drain batteries.
To avoid these problems, keep Bluetooth turned off when not in use.
You may have more than one online account, and each account should have a unique
password. That's a lot of passwords to remember. However, the consequence of not
using strong, unique passwords leaves you and your data vulnerable to cybercriminals.
Using the same password for all online accounts is like using the same key for all locked
doors; if an attacker got your password, they would have access to everything you own.
If criminals obtain your password through phishing, for example, they will try to break
into your other online accounts. If you only use one password for all accounts, they can
break into all of your accounts, steal or delete all your data, or impersonate you.
We use so many online accounts that require passwords that it's too much to remember.
One solution to avoid reusing passwords or using weak passwords is to use a password
manager. The password manager stores and encrypts all your complex and different
passwords. The password manager can also log you in to your online accounts automatically.
You only need to remember the master password to access the password manager and
manage all your accounts and passwords.
Avoid common or famous sentences, for example, lyrics from a popular song.
Recently, the United States National Institute of Standards and Technology (NIST)
published enhanced password requirements. NIST standards are intended for
government applications, but can also serve as standards for others. The new guidelines
aim to provide a better user experience and put the onus of user verification on
providers.
Do not use common or easily guessed passwords; for example, password, abc123.
There are no composition rules, such as having to include numbers and upper and
lower case letters.
Improve typing accuracy by allowing the user to see the password as they type it.
No password hints.
Although access to your computers and network devices is secure, it is also important to
protect and preserve your data.
Your data should always be encrypted. You may think that you have no secrets or
anything to hide, so why use encryption? Maybe you think no one wants your data. Most
likely, this is not true.
Are you ready to show all your photos and documents to strangers? Are you ready to
share financial information stored on your computer with your friends? Do you want to
disclose your emails and account passwords to the general public?
This can be even more problematic if a malicious app infects your computer or mobile
device and steals potentially valuable information, such as account numbers, passwords,
and other official documents. This type of information can lead to identity theft, fraud or
ransoms. Criminals may decide to simply encrypt your data and make it unusable until
the extortion is settled.
Software programs are used to encrypt files, folders, and even entire drives.
Encrypting File System (EFS) is a Windows feature that allows you to encrypt data. The
EFS is directly linked to a given user account. Only the user who encrypted the data can
access it once encrypted with EFS. To encrypt data with EFS on all versions of Windows,
follow these steps:
Step 5: Folders and files encrypted with EFS are displayed in green, as shown in the
illustration.
Your hard drive may fail. Your laptop may be lost. They can steal your phone. Maybe you
deleted the original version of an important document. Having a backup can prevent the
loss of irreplaceable data, such as family photos. To successfully back up data, you will
need an additional storage location for the data, and you will need to copy the data to
that location periodically and automatically.
The additional location for the backup files can be on your home network, a secondary
location, or the cloud. By storing data backups locally, you have full control of the data.
You can decide to copy all your data to a network attached storage (NAS) device, a
simple external hard drive, or you can select just a few important folders to back up to
USB flash drives, CD/DVDs, or even tapes. In such a scenario, you are the owner and are
fully responsible for the cost and maintenance of the storage device equipment. If you
hire a cloud storage service, the cost depends on the amount of storage space you need.
With a cloud storage service, such as Amazon Web Services (AWS), you will have access
to your backup data as long as you have access to your account. When you purchase
online storage services, you may need to be more selective about the data you back up
due to the cost of storage and constant online data transfers. One of the benefits of
saving a backup in an alternate location is that it is safe in the event of fire, theft, or
other disaster, unless the storage device fails.
When you move a file to the Recycle Bin and permanently delete it, the file cannot be
accessed from the operating system alone. Anyone with the proper forensic tools can
recover the file due to the magnetic trace it leaves on the hard drive.
To erase data so that it is not recoverable, the data must be overwritten with ones and
zeros multiple times. To prevent recovery of deleted files, you may need to use tools
specifically designed to do so. Microsoft's SDelete program (for Vista and later) claims to
have the ability to delete sensitive files completely. Shred for Linux and Secure Empty
Trash for Mac OSX are some tools that claim to provide a similar service.
The only way to be sure that data or files are not recoverable is to physically destroy the
hard drive or storage device. Many criminals are foolish enough to think that their files
are impenetrable or unrecoverable.
In addition to storing data on local hard drives, your data can also be saved online in the
cloud. Such copies must also be deleted. Take a moment to ask yourself: where is my
data stored? In a backup somewhere? Is it encrypted? When you need to delete your
data or get rid of a hard drive or computer, ask yourself: have I protected the data from
falling into the wrong hands?
Two-factor authentication
Most popular online services, such as Google, Facebook, Twitter, LinkedIn, Apple, and
Microsoft, use two-factor authentication to add an extra layer of security for account
logins. In addition to the username and password, or a pattern or personal identification
number (PIN), two-factor authentication requires a second token, for example:
OAuth 2.0
Open Authorization (OAuth) is an open standard protocol that allows end-user credentials
to access third-party applications without exposing user passwords. OAuth acts as an
intermediary to decide whether end users can access third-party applications. For
example, suppose you want to access web application XYZ and you do not have a user
account to access this web application. However, XYZ has the option to allow you to log
in with ABC social network credentials. So you can access XYZ website with ABC social
network login.
For this to work, app 'XYZ' registers with 'ABC' and is an approved app. When you access
XYZ, you use your user credentials for ABC. XYZ then requests an access token from
ABC on your behalf. You now have access to XYZ. XYZ does not have any information
about you or your user credentials; this interaction is completely transparent to the
user. Using secret tokens prevents a malicious application from obtaining your
information and data.
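The XYZ/ABC exchange above, simulated end to end as an added example (not Cisco's code and not a real OAuth library): 'ABC' is an in-memory authorization server, 'XYZ' the registered client app, and the user names, secrets and URLs are constructed. It shows what the text asserts: XYZ never sees the ABC password, the code it receives is single-use and bound to its client id and redirect URI, and a forged callback is rejected by the 'state' check.

```python
import hashlib
import hmac
import secrets


class AbcAuthServer:
    """ABC's authorization server: the only party that knows user passwords."""

    def __init__(self):
        # Constructed sample data: one user and one pre-registered client app ('XYZ').
        self._users = {"alice": hashlib.sha256(b"alice-password").hexdigest()}
        self._clients = {"xyz-app": {"secret": "xyz-client-secret",
                                     "redirect_uri": "https://xyz.example/callback"}}
        self._codes = {}   # authorization code -> (client_id, username, redirect_uri)
        self._tokens = {}  # access token -> username

    def authorize(self, client_id, redirect_uri, username, password):
        """Login page at ABC. The browser posts credentials here; XYZ only gets a code."""
        client = self._clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, self._users.get(username, "")):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, username, redirect_uri)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: XYZ authenticates with its own secret and redeems the code once."""
        client = self._clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")
        entry = self._codes.pop(code, None)  # pop() makes a replayed code fail
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            raise PermissionError("invalid, already used, or mismatched code")
        access_token = secrets.token_urlsafe(24)
        self._tokens[access_token] = entry[1]
        return access_token

    def userinfo(self, access_token):
        """Resource endpoint: releases only what the token was issued for."""
        username = self._tokens.get(access_token)
        if username is None:
            raise PermissionError("invalid access token")
        return {"username": username}


class XyzApp:
    """The third-party web app. It never stores an ABC password, only codes and tokens."""
    CLIENT_ID = "xyz-app"
    CLIENT_SECRET = "xyz-client-secret"
    REDIRECT_URI = "https://xyz.example/callback"

    def __init__(self, abc):
        self._abc = abc
        self._session_state = None

    def start_login(self):
        """Step 1: XYZ sends the browser to ABC with a random 'state' (anti-forgery value)."""
        self._session_state = secrets.token_urlsafe(8)
        return {"client_id": self.CLIENT_ID, "redirect_uri": self.REDIRECT_URI,
                "state": self._session_state}

    def callback(self, code, state):
        """Step 3: ABC redirects back with the code; XYZ checks state, then swaps code for a token."""
        if self._session_state is None or state != self._session_state:
            raise PermissionError("state mismatch: possible forged callback")
        self._session_state = None
        token = self._abc.token(self.CLIENT_ID, self.CLIENT_SECRET, code, self.REDIRECT_URI)
        return self._abc.userinfo(token)


def login_to_xyz_with_abc(abc, xyz, username, password):
    """Drive the whole exchange as the user's browser would. Returns (userinfo, code)."""
    params = xyz.start_login()
    # Step 2: the browser posts credentials to ABC directly; XYZ is not involved.
    code = abc.authorize(params["client_id"], params["redirect_uri"], username, password)
    return xyz.callback(code, params["state"]), code


def rejected(action):
    """True if 'action' raises PermissionError; used to show the checks actually bite."""
    try:
        action()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    abc, xyz = AbcAuthServer(), XyzApp(abc)
    info, code = login_to_xyz_with_abc(abc, xyz, "alice", "alice-password")
    print(info)  # {'username': 'alice'}
    print(rejected(lambda: abc.token("xyz-app", "xyz-client-secret", code,
                                     "https://xyz.example/callback")))  # True: code is single-use
```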
Even with two-factor authentication, hackers can still gain access to your online
accounts through attacks such as phishing, malware, and social engineering.
Don't share too much on social media
If you want to maintain your privacy on social media, share as little information as
possible. You should not share information such as your date of birth, email address or
phone number on your profile. The person who needs to know your personal information
probably already knows it. Do not fill out your social media profile in its entirety, only
provide the minimum information required. Also, check your social media settings to
allow only people you know to see your activities or participate in your conversations.
The more personal information you share online, the easier it will be for someone to
create a profile about you and take advantage of you offline.
Have you ever forgotten the username and password for an online account? Security
questions such as “What is your mother's name?” or “What city were you born in?” are
supposed to help keep your account protected from intrusions. However, anyone who
wants to access your accounts can search the Internet for the answers. You can answer
these questions with false information, as long as you remember the false answers. If
you have trouble remembering them, you can use your password manager to manage
them.
Every day, millions of email messages are used to communicate with friends and conduct
business. Email is a convenient way to communicate quickly. When you send an email, it
is similar to sending a message using a postcard. The message on the postcard is
conveyed in plain view of anyone who can observe it; the email message is transmitted
in plain text and is readable by anyone who has access. These communications also
pass through different servers on the route to their destination. Even if you delete email
messages, the messages may be archived on mail servers for some time.
Anyone with physical access to your computer or router can see what websites you have
visited using your web browser history, cache, and possibly log files. This problem can
be minimized by enabling private browsing mode in the web browser. Most popular web
browsers have a name for private browsing mode:
When using private mode, cookies and temporary Internet files are disabled and your
browsing history is deleted after you close the window or program.
Keeping your Internet browsing history private can prevent others from collecting
information about your online activities and tempting you to buy something with targeted
advertising. Even with private browsing enabled and cookies disabled, companies
develop different ways to identify users to collect information and track user behavior.
For example, intermediary devices, such as routers, may have information about the
user's web browsing history.
Ultimately, it is your responsibility to protect your data, your identity, and your
computing devices. When you send an email, should you include your medical history?
The next time you search the Internet, will your transmission be secure? Just a few
precautions can save you trouble in the future.
In this lab, you will identify risky online behaviors and explore some tips on how to
increase online safety.
This chapter covers some of the processes and technologies used by cybersecurity
professionals to protect an organization's network, equipment, and data. First, it briefly
explains the types of firewalls, security devices, and software currently in use, including
best practices.
This chapter then explains botnets, the kill chain, behavior-based security, and the use
of NetFlow to monitor a network. It also briefly covers the tools that cybersecurity
professionals use to detect and prevent network attacks.
Firewall types
A firewall is a wall or partition designed to prevent fire from spreading from one part of a
building to another. In computer networks, a firewall is designed to control or filter the
input or output of communications from a device or a network, as shown in the figure. A
firewall can be installed on a single computer for the purpose of protecting that
computer (host-based firewall) or it can be a stand-alone network device that protects an
entire network of computers and all host devices on that network (network-based
firewall).
Over the years, as computer and network attacks have become more sophisticated, new
types of firewalls have been developed that serve different purposes in network
protection. This is a list of common firewall types:
Transport layer firewall: Filtering based on source and destination data ports, and
filtering based on connection states.
Proxy Server: Filtering requests for web content, such as URL, domain, media, etc.
Reverse Proxy Server: Located in front of web servers, reverse proxy servers
protect, hide, offload, and distribute access to web servers.
Network Address Translation (NAT) Firewalls: Hide or mask the private addresses of
network hosts.
Host-based firewall: Port filtering and system service calls in a computer's operating
system.
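To make the transport-layer entry concrete, here is an added example (not from the Cisco course) of a small stateful filter in Python: a static rule on destination port combined with a connection table, so that replies to connections opened from inside are allowed while unsolicited inbound packets are dropped. The private network prefix, the allowed-port policy, and the packets are all constructed for this example.

```python
"""Toy stateful transport-layer packet filter.

Added example, not part of the Cisco course material. It models the two kinds
of filtering the text attributes to a transport-layer firewall: static rules on
destination port, and dynamic decisions based on a connection state table.
Packets are constructed dicts, not real traffic.
"""
from dataclasses import dataclass, field

INSIDE_NET = "10.0.0."          # constructed private network prefix
INBOUND_ALLOWED_PORTS = {443}   # constructed policy: only HTTPS may be opened from outside


@dataclass
class StatefulFilter:
    # Connection table keyed by (client_ip, client_port, server_ip, server_port)
    established: set = field(default_factory=set)

    @staticmethod
    def is_inside(ip: str) -> bool:
        return ip.startswith(INSIDE_NET)

    def decide(self, pkt: dict) -> str:
        """Return 'ALLOW' or 'DROP' for one constructed TCP packet."""
        src, sport = pkt["src"], pkt["sport"]
        dst, dport = pkt["dst"], pkt["dport"]
        flags = pkt.get("flags", set())
        new_conn = "SYN" in flags and "ACK" not in flags

        # 1. Packets belonging to a tracked connection are allowed in either
        #    direction (this is how return traffic for an outbound session gets in).
        if (src, sport, dst, dport) in self.established or \
           (dst, dport, src, sport) in self.established:
            return "ALLOW"

        # 2. A new connection started from inside is allowed and recorded.
        if self.is_inside(src) and new_conn:
            self.established.add((src, sport, dst, dport))
            return "ALLOW"

        # 3. A new connection from outside is only allowed on listed ports.
        if not self.is_inside(src) and new_conn:
            if dport in INBOUND_ALLOWED_PORTS:
                self.established.add((src, sport, dst, dport))
                return "ALLOW"
            return "DROP"

        # 4. Anything else (a stray ACK or a spoofed SYN/ACK that matches no
        #    tracked session) is dropped.
        return "DROP"


def demo() -> list:
    """Run the constructed packet sequence and return the decisions."""
    fw = StatefulFilter()
    packets = [
        # Inside client opens a connection to an external web server.
        {"src": "10.0.0.5", "sport": 51000, "dst": "203.0.113.10", "dport": 80, "flags": {"SYN"}},
        # Server reply: allowed because it matches the state table.
        {"src": "203.0.113.10", "sport": 80, "dst": "10.0.0.5", "dport": 51000, "flags": {"SYN", "ACK"}},
        # Unsolicited inbound SYN to 3389: no rule, no state, so it is dropped.
        {"src": "198.51.100.7", "sport": 40000, "dst": "10.0.0.5", "dport": 3389, "flags": {"SYN"}},
        # Inbound SYN to 443 matches the static allow rule.
        {"src": "198.51.100.7", "sport": 40001, "dst": "10.0.0.9", "dport": 443, "flags": {"SYN"}},
        # Spoofed "reply" that belongs to no tracked session.
        {"src": "198.51.100.7", "sport": 80, "dst": "10.0.0.5", "dport": 52000, "flags": {"SYN", "ACK"}},
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```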
Port scanning
Port scanning is a process of checking a computer, server, or other network host for
open ports. In networking, each application running on a device is assigned an identifier
called a port number. This port number is used at both ends of the transmission to
ensure that the data is reaching the correct application. Port scanning can be used
maliciously as a reconnaissance tool, to identify the operating system and services
running on a computer or host, or used harmlessly by a network administrator to verify
network security policies.
For the purpose of evaluating your computer network firewall and port security, you can
use a port scanning tool, such as Nmap, to find all open ports on your network. Port
scanning can be considered a precursor to a network attack and therefore should not be
performed on public servers on the Internet or a company network without permission.
To run an Nmap port scan of a computer on your local home network, download and run
a program like Zenmap, provide the destination IP address of the computer you want to
scan, choose a default scanning profile, and press Scan. The Nmap scan will report any
services that are running (such as web services, mail services, etc.) and the port
numbers. Port scanning usually causes one of three responses:
Open or accepted: The host responded and indicated that there is an active service
on the port.
Closed, Denied, or Not Listening: The host responded and indicated that
connections on the port will be denied.
To run a port scan from outside the network, you will need to start the scan from outside
the network. This will involve running an Nmap port scan against the public IP address of
the firewall or router. To obtain your public IP address, use a search engine, such as
Google, with the query “what is my IP address.” The search engine will return your public
IP address.
To run a scan of the six most common ports on a home router or firewall, go to Nmap's
online port scanner at https://hackertarget.com/nmap-online-port-scanner/, enter your
public IP address in the form box labeled IP address to scan…, and press Nmap Quick Scan.
If the response is Open for any of the ports 21, 22, 25, 80, 443, or 3389, you most likely
have port forwarding enabled on your router or firewall and are running servers on
your private network, as shown in the figure.
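From the defender's side, a scan such as the one described above leaves a characteristic trace: one source address hitting many distinct destination ports on a host in a short time. The following Python detector is an added example (not from the Cisco course) that finds that pattern in firewall deny logs; the syslog-like log format and every log line are constructed for the example.

```python
"""Port-scan detection over firewall deny logs.

Added example, not part of the Cisco course. Denied connection attempts are
grouped by (source, destination) and an alert is raised when the number of
distinct destination ports seen inside a sliding time window crosses a
threshold. The log format and all log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO time> DENY TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY TCP (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 198.51.100.7 probes twelve ports on 192.0.2.10 within
# twelve seconds, then one more port ninety seconds later; 203.0.113.4 only
# retries a single blocked port, which is ordinary noise and must not alert.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 3389]
SAMPLE_LOG = "\n".join(
    f"2024-05-01T10:00:{i:02d} DENY TCP 198.51.100.7:{40000 + i} -> 192.0.2.10:{p}"
    for i, p in enumerate(SCAN_PORTS)
) + "\n" + "\n".join([
    "2024-05-01T10:00:05 DENY TCP 203.0.113.4:51000 -> 192.0.2.10:3389",
    "2024-05-01T10:00:09 DENY TCP 203.0.113.4:51001 -> 192.0.2.10:3389",
    "2024-05-01T10:01:30 DENY TCP 198.51.100.7:40100 -> 192.0.2.10:8080",
    "malformed line that the parser must skip",
])


def parse(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def detect_scans(log_text, window=timedelta(seconds=60), min_ports=10):
    """Map (src, dst) -> sorted distinct ports for every pair where at least
    `min_ports` different destination ports were denied within `window`."""
    events = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        events[(src, dst)].append((ts, dport))

    alerts = {}
    for key, recs in events.items():
        recs.sort()
        # Slide a window starting at each event; the first window that holds
        # enough distinct ports triggers the alert for this pair.
        for i, (t0, _) in enumerate(recs):
            ports = {p for t, p in recs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts[key] = sorted(ports)
                break
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: ports {ports}")
```

The threshold and window are tuning knobs; a legitimate retry of one blocked port never accumulates distinct ports, which is why the second source stays quiet.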
Security devices
Today there is no one security device or technology that solves all network security
needs on its own. Because there are a variety of security devices and tools that need to
be implemented, it is important that they work together. Security devices are most
effective when they are part of a system.
Security devices can be stand-alone devices, such as a router or firewall, a card that can
be installed in a network device, or a module with its own processor and cache memory.
Security devices can also be software tools that run on a network device. Security devices
are divided into the following general categories:
Routers: Cisco Integrated Services Routers (ISRs), as shown in Figure 1, have many
firewall-like capabilities in addition to routing functions, including traffic filtering, the
ability to run an intrusion prevention system (IPS), encryption, and VPN capabilities for
secure encrypted connections.
Firewalls: Cisco next-generation firewalls have all the capabilities of an ISR router plus
advanced network analysis and management. The Cisco Adaptive Security Appliance
(ASA) with firewall capabilities is shown in Figure 2.
VPN: Cisco security devices feature virtual private network (VPN) technologies for both
client and server. They are designed for securely encrypted connections.
Other Security Devices: This category includes web and email security devices,
decryption devices, client access control servers, and security management systems.
Real-time attack detection
Software is not perfect. When a hacker exploits a software flaw before its creator
can fix it, this is known as a zero-day attack. Given the complexity and scale of the
zero-day attacks encountered today, it is not uncommon for network attacks to succeed,
and the success of a defense is now measured by how quickly a network responds to
an attack. The ability to detect attacks as they happen in real time, and to stop
them immediately or within minutes, is the ideal goal. Unfortunately, many companies
and organizations today cannot detect attacks until days or even months after they
occur.
DDoS attacks and real-time response: A DDoS attack is one of the biggest threats that
requires real-time detection and response. It is extremely difficult to defend against
DDoS attacks because the attacks originate from hundreds or thousands of zombie
hosts and appear as legitimate traffic, as shown in the figure. For many businesses
and organizations, DDoS attacks occur regularly and cripple Internet servers and
network availability. The ability to detect and respond to DDoS attacks in real time
is crucial.
Protection against malware
How do you defend against the constant presence of zero-day attacks and advanced
persistent threats (APTs) that steal data over long periods of time? One solution is to use
an advanced, enterprise-grade malware detection application that offers real-time
malware detection.
Network administrators must constantly monitor the network for signs of malware or
behaviors that reveal the presence of an APT. Cisco has Advanced Malware Protection
(AMP) Threat Grid, which analyzes millions of files and correlates them with hundreds of
millions of other analyzed malware objects. This gives clients a global view of malware
campaigns, distribution and attacks. AMP is client/server software deployed on host
endpoints, as a stand-alone server, or on other network security devices. The figure
shows the benefits of AMP Threat Grid.
Good security practices
Many national and professional organizations have published lists of good security
practices. The following is a list of some good security practices:
Conduct a risk assessment: Knowing the value of what you protect helps justify
security expenses.
Create a security policy: Create a policy that clearly outlines company rules, tasks,
and expectations.
Physical security measures: Restrict access to data centers, server locations, and
fire suppression systems.
Perform and test backups: Perform regular backups and test data recovered from
backups.
Implement access controls: Configure user roles and privilege levels, as well as
strong user authentication.
Periodically review incident response: Use an incident response team and test
emergency response scenarios.
Some of the most useful guidelines are found in organizational repositories, such as the
National Institute of Standards and Technology (NIST) Computer Security Resource
Center, as shown in the figure.
One of the most well-known and respected organizations for cybersecurity training is the
SANS Institute. Click here to learn more about SANS and the types of training and
certifications it offers.
Botnet
A botnet is a group of bots connected over the Internet with the ability to be controlled
by a malicious individual or group. A bot computer is usually infected by visiting a
website, opening an email attachment, or opening an infected media file.
A botnet can have tens of thousands or even hundreds of thousands of bots. These bots
can be activated to distribute malware, launch DDoS attacks, distribute spam email, or
execute brute force password attacks. Botnets are usually controlled through a
command and control server.
Cybercriminals often rent out botnets, for a fee, to other parties for nefarious purposes.
The figure shows how a botnet traffic filter is used to inform the global security
community of botnet locations.
In cybersecurity, the kill chain represents the stages of an attack on information
systems. Developed by Lockheed Martin as a security framework for incident detection
and response, the kill chain consists of the following steps:
Stage 3. Delivery: The attacker sends the attack and malicious payload to the target via
email or other methods.
Stage 6. Command and control: Remote control of the target is obtained through a
command and control server or channel.
Stage 7. Action: The attacker performs malicious actions, such as stealing information,
or launches additional attacks on other devices from inside the network by working
through the stages of the kill chain again.
To defend against the kill chain, there are security actions designed around the stages of
the kill chain. Here are some questions about a company's security defenses based on
the kill chain:
• What are the attack indicators at each stage of the kill chain?
• What security tools are necessary to detect attack indicators in each of the stages?
According to Lockheed Martin, understanding the stages of the kill chain allows you to
put up defensive obstacles, delay the attack, and ultimately prevent data loss. The figure
shows how each stage of the kill chain equates to an increase in the amount of
effort and cost to prevent and remediate attacks.
Behavior-based security
Behavior-based security is a form of threat detection that does not rely on known
malicious signatures, but uses informational context to detect network anomalies.
Behavior-based detection involves capturing and analyzing the communication flow
between a local network user and a local or remote destination. These communications,
when detected and analyzed, reveal context and behavioral patterns that can be used to
detect anomalies. Behavior-based detection can detect the presence of an attack
through a change in normal behavior.
NetFlow technology is used to collect information about data passing through the
network. NetFlow information can be compared to a telephone bill for network traffic.
It shows which users and devices are on the network, as well as how and when users and
devices accessed the network. NetFlow is an important component of behavior-based
detection and analysis. NetFlow-equipped switches, routers, and firewalls can
communicate information about the data entering, exiting, and traveling over the
network. The information is sent to NetFlow collectors that collect, store, and analyze
NetFlow logs.
NetFlow can collect usage information through many different characteristics of how
data is transported across the network, as shown in the figure. By collecting information
about network data flows, NetFlow can establish baseline behaviors on more than 90
different attributes.
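The following Python script is an added example (not from the Cisco course) of the behavior-based idea applied to NetFlow-style records: it learns a per-host baseline of outbound bytes per hour from a learning period and then flags later hours that deviate strongly from that baseline, with no signature involved. The flow records, hosts, and thresholds are all constructed.

```python
"""Behaviour-based anomaly detection over NetFlow-style records.

Added example, not part of the Cisco course. Each flow record is a
constructed (hour, src_ip, dst_ip, dst_port, bytes) tuple standing in for
the summary a NetFlow exporter would send to a collector. A per-host
baseline is learned over the first `learn_hours`, and later hours whose
outbound volume lies more than `z_threshold` standard deviations above the
host's mean are reported as anomalies.
"""
from collections import defaultdict
from statistics import mean, pstdev


def build_flows():
    """Constructed sample traffic for two workstations over 32 hours.

    10.0.0.5 normally sends a few hundred KB per hour; in hour 30 it also
    pushes 50 MB to one external host, a change in behaviour, not a known
    signature. 10.0.0.9 behaves normally throughout.
    """
    flows = []
    for hour in range(32):
        for dst in ("192.0.2.10", "192.0.2.20", "203.0.113.8"):
            flows.append((hour, "10.0.0.5", dst, 443, 120_000 + (hour * 7919) % 40_000))
            flows.append((hour, "10.0.0.9", dst, 443, 300_000 + (hour * 104729) % 90_000))
    flows.append((30, "10.0.0.5", "198.51.100.77", 443, 50_000_000))
    return flows


def hourly_bytes_out(flows):
    """Aggregate bytes sent per (src_ip, hour)."""
    agg = defaultdict(int)
    for hour, src, _dst, _port, nbytes in flows:
        agg[(src, hour)] += nbytes
    return agg


def baseline(agg, learn_hours):
    """Per-host (mean, population std dev) of hourly bytes over the learning period."""
    per_host = defaultdict(list)
    for (src, hour), total in agg.items():
        if hour < learn_hours:
            per_host[src].append(total)
    return {src: (mean(v), pstdev(v)) for src, v in per_host.items()}


def find_anomalies(flows, learn_hours=24, z_threshold=4.0):
    """Return [(src, hour, bytes, z_score)] for hours after the learning
    period that exceed the host's baseline by more than z_threshold sigmas."""
    agg = hourly_bytes_out(flows)
    base = baseline(agg, learn_hours)
    anomalies = []
    for (src, hour), total in sorted(agg.items()):
        if hour < learn_hours or src not in base:
            continue
        mu, sigma = base[src]
        if sigma == 0:                       # guard against a perfectly flat baseline
            sigma = max(mu * 0.1, 1.0)
        z = (total - mu) / sigma
        if z > z_threshold:
            anomalies.append((src, hour, total, round(z, 1)))
    return anomalies


if __name__ == "__main__":
    for src, hour, total, z in find_anomalies(build_flows()):
        print(f"{src} hour {hour}: {total} bytes out, z={z}")
```

A real deployment would baseline many more attributes (destinations, ports, flow counts, timing) and would need to decide how to keep an attacker from slowly poisoning the baseline during the learning period.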
CSIRT
Many large organizations have a Computer Security Incident Response Team (CSIRT) to
receive, review, and respond to computer security incident reports, as shown in Figure 1.
The CSIRT's primary function is to help ensure the preservation of the company, its
systems, and its data by conducting comprehensive investigations of cybersecurity
incidents. To prevent security incidents, Cisco CSIRT provides proactive threat
assessment, mitigation planning, incident trend analysis, and security architecture
review, as shown in Figure 2.
Cisco CSIRT collaborates with the Forum of Incident Response and Security Teams
(FIRST), the National Security Information Exchange (NSIE), the Defense Security
Information Exchange (DSIE), and the DNS Operations, Analysis, and Research Center
(DNS-OARC).
There are national and public CSIRT organizations, such as the CERT Division of the
Software Engineering Institute at Carnegie Mellon University, that are willing to help
organizations, and national CSIRTs, develop, use and improve their incident management
capabilities.
Security Playbook
Technology is constantly changing. This means that cyber attacks are also evolving.
New vulnerabilities and attack methods are continually being discovered. Security has
become a major concern for businesses due to the reputational and financial impact
resulting from security breaches. The attacks target critical networks and sensitive
data. Organizations must have plans to prepare for, address, and recover from security
breaches.
One of the best ways to prepare for a security breach is to prevent it. There should be
guidelines on how to identify cybersecurity risk to systems, assets, data, and
functionality, protect the system by implementing safeguards and staff training, and
detect the cybersecurity event as quickly as possible. When a security breach is
detected, appropriate actions must be taken to minimize the impact and damage. The
response plan should be flexible with multiple options for action during the breach. Once
the breach is contained and compromised systems and services are restored, security
measures and processes must be updated to include lessons learned during the breach.
All of this information should be compiled into a security playbook. A security playbook is
a collection of repeatable queries (reports) against security event data sources that lead
to incident detection and response. Ideally, the security playbook should do the following:
These are some of the tools used to detect and avoid security incidents:
Cisco ISE and TrustSec: Cisco Identity Services Engine (Cisco ISE) and Cisco
TrustSec enforce access to network resources by creating role-based access
control policies that segment network access (guests, mobile users,
employees) without added complexity. Traffic classification is based on the identity
of the user or device. Click Play on the figure to learn more about ISE.
An intrusion detection system (IDS), shown in the figure, is a dedicated network device,
or one of several tools on a server or firewall, that analyzes data against a database of
rules or attack signatures, looking for malicious traffic. If a match is detected, the
IDS will log the detection and create an alert for the network administrator. The intrusion
detection system does not take action when a match is detected, so it does not prevent
attacks from occurring. The job of the IDS is simply to detect, record and report.
The analysis performed by the IDS slows down the network (this is called latency). To
avoid network delay, the IDS is usually configured offline, separate from ordinary
network traffic. Data is copied or mirrored through a switch and then forwarded to IDSs
for offline discovery. There are also IDS tools that can be installed on top of a host
computer operating system, such as Linux or Windows.
An intrusion prevention system (IPS) has the ability to block or deny traffic based on
positive rule or signature matches. One of the most recognized IPS/IDS tools is Snort. The
commercial version of Snort is Cisco's Sourcefire. Sourcefire can perform real-time
traffic and port analysis, logging, and content searching and matching, and it can
detect probes, attacks, and port scans. It also integrates with other third-party tools to
report on and analyze performance and logs.
Chapter 5: Will your future be related to cybersecurity?
This chapter examines the legal and ethical issues that arise when working in
cybersecurity. Educational and professional trajectories in the field of cybersecurity are
also analyzed. There is an educational path for the certifications you want to earn with
Cisco Networking Academy (NetAcad). Some of these certifications are prerequisites for
specialization certificates in many networking areas, including cybersecurity.
Cybersecurity professionals must have the same skills as hackers, especially Black Hat
hackers, to offer protection against attacks. One difference between a hacker and a
cybersecurity professional is that the cybersecurity professional must work within legal
boundaries.
Cybersecurity professionals develop many skills that can be used for good or evil. Those
who use their skills within the legal system, to protect infrastructure, networks and
privacy are always in high demand.
Most countries have some cybersecurity laws. They may be related to critical
infrastructure, networks, and corporate and individual privacy. Companies must comply
with these laws.
In some cases, if you violate cybersecurity laws while doing your job, the company may
be punished and you could lose your job. In other cases, you could be prosecuted, fined
and possibly convicted.
Generally, if you are in doubt about whether an action or behavior may be illegal, assume
that it is illegal and do not do it. Your company may have a legal department or someone
from the Human Resources department who can answer your question before you do
something illegal.
The area of cybersecurity law is much newer than cybersecurity itself. As mentioned
above, most countries have some laws, and there will be more laws to come.
A person can act unethically and not be subject to legal process, fines, or imprisonment.
This is because the action may not have been technically illegal. But that doesn't mean
the behavior is acceptable. Ethical behavior is very easy to determine. It is impossible to
list all the different unethical behaviors that someone with cybersecurity skills can
exhibit. Below we present just two. Ask yourself the following questions:
Would I like to find out that someone hacked my computer and altered the images
on my social networking sites?
If you answer 'no' to any of these questions, then don't do those things to others.
Ethics represents the codes of behavior that are sometimes enforced by laws. There are
many areas in cybersecurity that are not covered by laws. This means that doing
something that is technically legal may still be unethical. Because many areas of
cybersecurity are not (or not yet) covered by law, many professional IT organizations
have created codes of ethics for those in the sector. Below is a list of three
organizations with codes of ethics:
The Cybersecurity Institute (CSI) has issued a code of ethics, which you can read
here.
The Information Systems Security Association (ISSA) has a code of ethics, found
here.
Cisco has a team dedicated exclusively to ethical business behavior. Go here to read
more about this. This site contains an eBook on the Cisco Code of Business Conduct and
a PDF file. In both files there is an “Ethics Decision Tree”, as shown in the figure. Even if
you don't work for Cisco, the questions and answers found in this decision tree can
easily be applied to your workplace. As with legal questions, generally, if you have
doubts about whether an action or behavior might be unethical, assume that it is and don't
do it. There may be someone in your company's Human Resources or Legal department
who can clarify your situation before you do something that would be considered
unethical.
Search online to find other IT-related organizations with codes of ethics. Try to find what
you have in common.
Cybersecurity jobs
Many other businesses and sectors are hiring cybersecurity professionals. There are
several online search engines to help you find the right cybersecurity job:
ITJobMatch: The ITJobMatch search engine specializes in IT jobs of all types, all
over the world.
Monster: Monster is a search engine for all types of jobs. The link provided goes
directly to cybersecurity jobs.
CareerBuilder: CareerBuilder is also a search engine for all types of jobs. The link
provided goes directly to cybersecurity jobs.
These are just three of many different online job search sites. Even if you're just starting
your studies in IT and cybersecurity, using job search engines is a good way to see what
kind of jobs are available, all over the world.
We hope this course has sparked your interest in training in IT and cybersecurity, and in
moving on to an exciting career. Cisco Networking Academy offers many courses so you
can continue your cybersecurity education. We invite you to enroll in the following
course, Cybersecurity Essentials, to continue building a solid foundation of
cybersecurity knowledge. Visit Cisco Networking Academy and see the list of courses
that are available. You can also access the professional resources available at
Cisco Networking Academy.
Just for fun, click here to read a cybersecurity superhero graphic novel.