230 likes | 378 Views
Cybersecurity Threats and Countermeasures. Unit 3: Cyber defense mechanisms. Learning Objectives. Upon the conclusion of this module, the student will be able to:
E N D
Cybersecurity Threats and Countermeasures Unit 3: Cyber defense mechanisms
Learning Objectives • Upon the conclusion of this module, the student will be able to: • Identify common security services, including confidentiality, integrity, availability, authentication, authorization, and access control. • Identify common security components. • Describe common security control types (including preventive, deterrent, detective, and corrective). • Describe the concept of “Defense-in-Depth”, or layered defense, covering security issues associated with hardware, software, and people. • Explain the concept of trusted computing. • Describe cyber defense tools, methods, and components. • Describe important ethical issues to consider in computer security, including ethical issues associated with fixing or not fixing vulnerabilities and disclosing or not disclosing vulnerabilities.
Security Services • Security can be defined as “the quality or state of being secure: such as freedom from danger” and provides an alternative definition as “something that secures: protection.” (Merriam-Webster) • To this end, in order to protect our information assets (information and information systems), we can provide security services, such as confidentiality, integrity, availability, authentication, authorization, and access control, where warranted. • The role of a security officer or system owner is to determine when, and where, these services should be applied to protect data. Not all of these services would be required for all data, as there is always the trade-off between security and usability.
Confidentiality • Confidentiality is concerned with limiting access to data, ensuring that only authorized users have access. • Examples of data that might need confidentiality would be user account data, or electronic medical records. • Security components that provide for confidentiality include encryption technologies, firewalls, and other devices and components that control access to data.
Integrity • Integrity is the assurance that information has not been modified by an unauthorized individual. • Examples of data that must maintain integrity are bank records and electronic health records, both which could have significant negative ramifications if they were modified by an attacker. • Technologies that provide integrity include cryptographic processes called “hashing”, which generate a digital fingerprint, or unique string, for an object.
Availability • Availability is the assurance that the information or system will be accessible to users when it is needed. • Examples of data that needs to be available would be, again, bank records and healthcare systems. • Ensuring that there are redundant system components is important for providing for availability. As an example, multiple hard drives, redundant power supplies in servers, multiple web servers (clustered servers) in the event that one fails or must be taken down. The more critical availability is, the more redundancy that must be built in to the system.
Authentication • Authentication is the verification that something, or someone, is what or who they are. • Authentication of data is synonymous with integrity. We also can desire authentication of origin (knowing that an email was really sent by the person in the From field) or authentication of identity (is that person attempting to log in to the system really that individual?). • Security components that provide for authentication include hashing (integrity), identity credentials, such as passwords and digital signatures, or digitally signing network packets to prove their origin.
Authorization • Once a user is authenticated to the system, he is granted authorization to use its resources. • Authorization allows you in to the network resources. In order to actually access the resources within the network, you need to have permission. Access controls provide that permission.
Access Control • Access controls provides control over what the user can do at the resource. There are different types of access controls: • Mandatory Access Controls (MAC) – They strictly control the operation that can be performed against an object. Considered the most rigid. • Discretionary Access Controls (DAC) – Associated with UNIX and Windows system. The least strict. Object owners can determine the access others have to the object. • Role-Based Access Controls (RBAC) – access is determined by the user’s role. For instance, in a Learning Management System, a student can only see his or her data, but a TA can see everyone and a Teacher can modify the controls.
Security Controls • Security controls are safeguards or protections (countermeasures) that secure information or information systems. There are several types of security controls that can work together to provide a layered defense. Among these, preventive, deterrent, detective, and corrective controls.
Preventive Controls • Preventive controls prevent a risk from happening. An example of a preventive control is an 8’ fence topped with razor wire.
Deterrent Controls • While preventive controls prevent a risk from being actualized, deterrent controls dissuade the attacker from attacker. Using our example of the fence, while an 8’ fence may be a preventive control, a 4’ fence would serve as a deterrent. An individual might step over it, however most will not.
Corrective Controls • Security controls will fail. At that point, we will need to rely on corrective controls. When combined with other controls, corrective controls provide a successful strategy for mitigating risks. • An example of a corrective control are data backups.
Putting it All Together • As a part of a layered defense approach, security controls should be combined. For example when implementing physical security controls to secure a data center you might implement the following:
Defense-in-Depth • The concept of “defense-in-depth” is of military strategy origins, where multiple controls at different layers are implemented to secure the asset, so that when one layer fails, other controls are still in effect to mitigate the risk. These controls are generally implemented in hardware, software, and people. People/Process Software Hardware Data
Trusted Computing • Finally, trusted computing is a broad term that relates to technologies that ensure that computers perform in expected ways, regardless of whether or not it has been compromised, enforced in hardware or software. • The Federal Government requires purchases of its computers and operating systems, such as Microsoft Windows, to include a Trusted Platform Module (TPM) – a standard specifying a secure crypto processor that provides for platform integrity.
Other Cyber Defense Tools, Methods, and Components • In addition to implementing access controls, cryptography, firewalls and intrusion detection systems as discussed, other cyber defense tools include patching O/S and applications, vulnerability scanning, and penetration testing.
Patching • Operating systems and applications contain flaws (“bugs”) that will be present from the point of release through its removal. Based on the severity of the issue, the vendor will issue security patches. • Patches are software designed to fix or improve an issue, most often issues involving security vulnerabilities. • It is important that security patches be reviewed and applied as quickly as possible, as these vulnerabilities are also known to attackers who will quickly develop exploits for them.
Vulnerability Scanning • Vulnerability scanning is an automated inspection of network devices, operating systems, and applications to determine what weaknesses exists. Vulnerabilities can be configuration weaknesses, such as weak or default passwords in use, or missing patches. • Several vulnerability scanning tools exist, including Tenable Nessus and Rapid7, that are widely used. These maintain large lists of known vulnerabilities and configuration “best practices” and assess the devices or applications to these elements.
Penetration Testing • Vulnerability assessments differ from penetration testing in that the former seeks to identify the vulnerabilities so that they can be remediated, penetration testing attempts to exploit those vulnerabilities. • While a seemingly offensive act such as penetration testing, or ethical hacking may seem to be an unusual choice as a defense tool, however attempting to assume the role of the attacker to attack a system through its vulnerabilities serves to ensure that security controls are working as expected. • Many federal agencies have their systems penetration tested once a year as a part of their compliance assessment.
Ethics • Ethics can be defined as the moral principles that guide an individual’s actions. Ethics are developed collectively by communities in which the individual is a member. Failure to adhere to these ethical standards usually results in removal from that community. For instance, most companies have Codes of Ethics that employees must agree to follow. In the event that these are violated, the employee can be terminated.
Ethical Issues in Computer Security • Most organizations that issue certifications to IT security personnel identify a number of ethical issues in their Codes of Ethics. For instance, as a Certified Ethical Hacker (CEH), EC-Council expects the individual to: • Keep information learned in your professional work private, not sharing it without consent. • Protect intellectual property rights. • Provide competent service. • Disclose conflicts of interest. • Not associate with malicious hackers. • Ensure that all penetration testing is legal and authorized. • Failure to follow these standards can result in the loss of certification.