Fundamentals of Cybersecurity


FUNDAMENTALS OF CYBERSECURITY [CSC 203]

From Dr. M.E. Benson-Emenike


DEFINITION
Cybersecurity is a broad field that is mainly concerned with protecting the confidentiality,
integrity, and availability of computing devices and networks, hardware and software, and most
importantly, data and information. Cybersecurity cannot be achieved through technology alone; it
also involves the use of procedures, products and people.
Cyber security is different from information security. Although they are very different, the term
cyber security is often used interchangeably with the term information security in academic
literature. Cyber security transcends the boundaries of information security to include the defence
of information and also of people. The goal and general security objectives of cyber security are the
availability, integrity and confidentiality of an organisation's assets, including networks,
infrastructure, information and personnel.

Internal and External Security Threats


Internal Security Threats
Attacks can originate from within an organization or from outside of the organization. An internal
user, such as an employee or contract partner, can accidentally or intentionally:
• Mishandle confidential data
• Threaten the operations of internal servers or network infrastructure devices
• Facilitate outside attacks by connecting infected USB media to the corporate computer system
• Accidentally invite malware onto the network through malicious email or websites
Internal threats have the potential to cause greater damage than external threats because internal
users have direct access to the building and its infrastructure devices. Internal attackers typically
have knowledge of the corporate network, its resources, and its confidential data. They may also
have knowledge of security countermeasures and policies, and higher levels of administrative
privileges.

External Security Threats


External threats from amateurs or skilled attackers can exploit vulnerabilities in networked
devices, or can use social engineering, such as trickery, to gain access. External attacks exploit
weaknesses or vulnerabilities to gain access to internal resources.

Traditional Data
Corporate data includes
i) Personnel information [such as application materials, payroll, offer letters, employee
agreements, and any information used in making employment decisions],
ii) Intellectual property [such as patents, trademarks and new product plans] allows a business to
gain economic advantage over its competitors. Consider this intellectual property a trade
secret; losing this information can be disastrous for the future of the company.
iii) Financial data [such as income statements, balance sheets, and cash flow statements, gives
insight into the health of the company].

The National Cybersecurity Workforce Framework
The Workforce Framework categorizes cybersecurity work into seven categories.
i. Operate and Maintain includes providing the support, administration, and maintenance
required to ensure IT system performance and security.
ii. Protect and Defend includes the identification, analysis, and mitigation of threats to
internal systems and networks.
iii. Investigate includes the investigation of cyber events and/or cyber crimes involving IT
resources.
iv. Collect and Operate includes specialized denial and deception operations and the
collection of cybersecurity information.
v. Analyze includes highly specialized review and evaluation of incoming cybersecurity
information to determine if it is useful for intelligence.
vi. Oversight and Development provides for leadership, management, and direction to
conduct cybersecurity work effectively.
vii. Securely Provision includes conceptualizing, designing, and building secure IT systems.

The Cybersecurity Cube


Cybersecurity professionals are best described as experts charged with the protection of
cyberspace. John McCumber is one of the early cybersecurity experts; he developed a commonly
used framework called the McCumber Cube or the Cybersecurity Cube. It is used as a tool when
managing the protection of networks, domains and the Internet. The Cybersecurity Cube looks
somewhat like a Rubik's Cube.

The Three categories of Cybersecurity Safeguards


These correspond to the three dimensions of the Cybersecurity Cube.

a) The first dimension of the Cybersecurity Cube: includes the three principles of information
security known as the CIA Triad. This dimension identifies the goals to protect cyberspace. The
goals identified here are the foundational principles. These three principles are confidentiality,
integrity and availability. The principles provide focus and enable the cybersecurity expert to
prioritize actions when protecting any networked system.

CONFIDENTIALITY
Confidentiality prevents the disclosure of information to unauthorized people, resources, or processes.
Cybersecurity requires privacy in data and information. Certain people, devices, or processes
should be permitted or restricted from seeing data, files, and items such as username and password
combinations, medical records, etc. Confidentiality is concerned with who may view data or
information, because if the wrong people see data or information they are not authorized to see, many
problems could arise.

Confidentiality measures protect information from unauthorized access and misuse. Most
information systems house information that has some degree of sensitivity. It might be proprietary
business information that competitors could use to their advantage, or personal information
regarding an organization’s employees, customers or clients.
Confidential information often has value and systems are therefore under frequent attack as
criminals hunt for vulnerabilities to exploit. Threat vectors include direct attacks such as stealing
passwords and capturing network traffic, and more layered attacks such as social engineering and
phishing. Not all confidentiality breaches are intentional. A few types of common accidental
breaches include emailing sensitive information to the wrong recipient, publishing private data to
public web servers, and leaving confidential information displayed on an unattended computer
monitor.
Healthcare is an example of an industry where the obligation to protect client information is very
high. Not only do patients expect and demand that healthcare providers protect their privacy,
there are strict regulations governing how healthcare organizations manage security. The Health
Insurance Portability and Accountability Act (HIPAA) addresses security, including privacy
protection, in the handling of personal health information by insurers, providers and claims
processors. HIPAA rules mandate administrative, physical and technical safeguards, and require
organizations to conduct risk analysis.

There are many countermeasures that organizations put in place to ensure confidentiality.
Passwords, access control lists and authentication procedures use software to control access to
resources. These access control methods are complemented by the use of encryption to protect
information that can be accessed despite the controls, such as emails that are in transit. Additional
confidentiality countermeasures include administrative solutions such as policies and training, as
well as physical controls that prevent people from accessing facilities and equipment.

INTEGRITY
Integrity refers to the accuracy, consistency, and trustworthiness of data. Cybersecurity requires us
to feel safe that data transmitted, processed, and stored has not been changed from its original
form either accidentally or maliciously. For example, if one bit of a message is changed, the whole
message could change. Also, the whole message could be corrupted or unreadable.

Integrity measures protect information from unauthorized alteration. These measures provide
assurance in the accuracy and completeness of data. The need to protect information includes both
data that is stored on systems and data that is transmitted between systems such as email. In
maintaining integrity, it is not only necessary to control access at the system level, but to further
ensure that system users are only able to alter information that they are legitimately authorized to
alter.

As with confidentiality protection, the protection of data integrity extends beyond intentional
breaches. Effective integrity countermeasures must also protect against unintentional alteration,
such as user errors or data loss that is a result of a system malfunction.
While all system owners require confidence in the integrity of their data, the finance industry has a
particularly pointed need to ensure that transactions across its systems are secure from tampering.
One of the most notorious financial data integrity breaches in recent times occurred in February
2016 when cyber thieves generated $1-billion in fraudulent withdrawals from the account of the
central bank of Bangladesh at the Federal Reserve Bank of New York. The hackers executed an
elaborate scheme that included obtaining the necessary credentials to initiate the withdrawals,
along with infecting the banking system with malware that deleted the database records of the
transfers and then suppressed the confirmation messages which would have alerted banking
authorities to the fraud. After the scheme was discovered most of the transfers were either
blocked or the funds recovered, but the thieves were still able to make off with more than $60-
million.
There are many countermeasures that can be put in place to protect integrity. Access control and
rigorous authentication can help prevent authorized users from making unauthorized changes.
Hash verifications and digital signatures can help ensure that transactions are authentic and that
files have not been modified or corrupted. Equally important to protecting data integrity are
administrative controls such as separation of duties and training.
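The hash verification described above can be shown concretely. The following is an added example, not part of these lecture notes: it computes a SHA-256 digest of a constructed transaction record, flips a single bit to show that the digest no longer matches, and then contrasts a plain hash with an HMAC (a keyed hash). The message, the secret key and the helper names are all constructed for the illustration.

```python
import hashlib
import hmac

# Constructed sample record standing in for a stored or transmitted transaction.
MESSAGE = b"transfer 1000.00 from ACCT-001 to ACCT-002"

# Constructed shared secret; a real system loads this from a key store, never from source code.
SECRET_KEY = b"demo-shared-secret"


def digest(data: bytes) -> str:
    """SHA-256 hex digest of data; changing any bit of data changes the digest."""
    return hashlib.sha256(data).hexdigest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with exactly one bit flipped (simulates corruption or tampering)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def verify_digest(data: bytes, expected_hex: str) -> bool:
    """Recompute the digest and compare in constant time."""
    return hmac.compare_digest(digest(data), expected_hex)


def tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: a correct tag proves both integrity and possession of the key."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(data: bytes, key: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(tag(data, key), expected_hex)


def demo() -> dict:
    """Run the checks on the constructed record and report each outcome."""
    original_digest = digest(MESSAGE)
    tampered = flip_bit(MESSAGE, 3)
    return {
        "original_verifies": verify_digest(MESSAGE, original_digest),
        "one_bit_flip_detected": not verify_digest(tampered, original_digest),
        # A plain hash can be recomputed by whoever edits the data, so on its own it
        # detects accidental corruption but not deliberate substitution of data and hash.
        "forged_hash_passes": verify_digest(tampered, digest(tampered)),
        # An HMAC produced with the wrong key is rejected: the tag cannot be forged without the key.
        "forged_tag_fails": not verify_tag(tampered, SECRET_KEY, tag(tampered, b"wrong-key")),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point is the last two entries: a bare hash stored next to the data protects against accidental alteration, while an HMAC (or, where non-repudiation matters, a digital signature) is what protects against an attacker who can rewrite both the data and its hash.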

AVAILABILITY
Availability ensures that information is accessible to authorized users when needed. Availability
guarantees that, with all the cybersecurity measures in place for dealing with hardware, software,
people, processes and more, users who are authorized to do their job are able to do so. It
requires that authorized users are able to access the resources they need to do their job with
ease, while ensuring that the system has full fault tolerance and load balancing in the event of a
cybersecurity incident or disaster.

In order for an information system to be useful it must be available to authorized users.


Availability measures protect timely and uninterrupted access to the system. Some of the most
fundamental threats to availability are non-malicious in nature and include hardware failures,
unscheduled software downtime and network bandwidth issues. Malicious attacks include various
forms of sabotage intended to cause harm to an organization by denying users access to the
information system.

The availability and responsiveness of a website is a high priority for many businesses. Disruption
of website availability for even a short time can lead to loss of revenue, customer dissatisfaction
and reputation damage. The Denial of Service (DoS) attack is a method frequently used by
hackers to disrupt web service. In a DoS attack, hackers flood a server with superfluous requests,
overwhelming the server and degrading service for legitimate users. Over the years, service
providers have developed sophisticated countermeasures for detecting and protecting against DoS
attacks, but hackers also continue to gain in sophistication, and such attacks remain an ongoing
concern.

Availability countermeasures to protect system availability are as far ranging as the threats to
availability. Systems that have a high requirement for continuous uptime should have significant
hardware redundancy with backup servers and data storage immediately available. For large,
enterprise systems it is common to have redundant systems in separate physical locations.
Software tools should be in place to monitor system performance and network traffic.
Countermeasures to protect against DoS attacks include firewalls and routers.

b) The Second dimension of the Cybersecurity Cube


Cyberspace is a domain containing a considerable amount of critically important data. The second
dimension identifies the three states of information or data and focuses on the problems of
protecting all of the states of data in cyberspace. Data has three possible states:
• Data in transit
• Data at rest or in storage
• Data in process
The protection of cyberspace requires cybersecurity professionals to account for the safeguarding
of data in all three states.

c) The Third dimension of the Cybersecurity Cube


The third dimension of the Cybersecurity cube identifies the expertise required to provide
protection. It defines the skills and discipline a cybersecurity professional can call upon to protect
cyberspace. Cybersecurity professionals must use a range of different skills and disciplines
available to them when protecting the data in the cyberspace. They must do this while remaining
on the ‘right side’ of the law.
Three types of skills and disciplines are used here to provide protection.
1. The first skill includes the technologies, devices, and products available to protect information
systems and fend off cyber criminals. However, McCumber reminds professionals that technological
tools alone are not enough to defeat cyber criminals.
2. Cybersecurity professionals must also build a strong defense by establishing policies,
procedures, and guidelines that enable the users of cyberspace to stay safe and follow good
practices.
3. Finally, users of cyberspace must strive to become more knowledgeable about the threats of the
cyberspace and establish a culture of learning and awareness.

Sensitive information
Sensitive information is data protected from unauthorized access to safeguard an individual or an
organization. There are three types of sensitive information:
• Personal information is personally identifiable information (PII) that traces back to an
individual.
• Business information is information that includes anything that poses a risk to the
organization if discovered by the public or a competitor.
• Classified information is information belonging to a government body classified by its
level of sensitivity.

ACCESS CONTROL
Access control defines a number of protection schemes that prevent unauthorized access to a
computer, network, database, or other data resources. This has to do with the concepts of AAA
which involves three security services: Authentication, Authorization and Accounting. The
concept of AAA is similar to using a credit card. The credit card identifies who can use it, how
much that user can spend, and accounts for items or services the user purchased. These services
provide the primary framework to control access.

i) Authentication verifies the identity of a user to prevent unauthorized access. Users claim their
identity with a username or ID. In addition, users need to prove their identity by providing one of
the following:
• Something they know (such as a password)
• Something they have (such as a token or card)
• Something they are (such as a fingerprint)
For example, if you go to an ATM for cash, you need your bank card (something you have) and
you need to know the PIN (something you know). This is also an example of multifactor authentication.
Multifactor authentication requires more than one type of authentication factor. The most popular form of
authentication is the use of passwords.

ii) Authorization services determine which resources users can access, along with the operations
that users can perform. Some systems accomplish this by using an access control list [ACL]. An
ACL determines whether a user has certain access privileges once the user authenticates. Just
because you can log onto the corporate network does not mean that you have permission to use the
high-speed colour printer. Authorization can also control when a user has access to a specific
resource. For example, employees may have access to a sales database during work hours, but the
system locks them out after hours.

iii) Accounting keeps track of what users do, including what they access, the amount of time they
access resources, and any changes made. For example, a bank keeps track of each customer
account. An audit of that system can reveal the time and amount of all transactions and the
employee or system that executed the transactions. Cybersecurity accounting services work the
same way. The system tracks each data transaction and provides auditing results. An administrator
can set up computer policies to enable system auditing. Cybersecurity accounting tracks and
monitors in real time. Websites, like Norse, show attacks in real-time based on data collected as
part of an accounting or tracking system.
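The three AAA services can be seen working together in a small program. The following is an added example, not part of these lecture notes: authentication combines something the user knows (a password, stored as a salted PBKDF2 hash) with something the user has (a time-based one-time code from an authenticator app, computed as in RFC 6238), authorization consults an access control list, and accounting appends every decision to an audit log. The user store, the ACL, the usernames and the secrets are constructed for the illustration; the TOTP secret is the published RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import os
import struct
from datetime import datetime, timezone

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash (something you know is never stored in clear)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


# Constructed user store; a real deployment keeps this in a directory or identity provider.
_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector secret (constructed choice)
    }
}

# Constructed ACL: resource -> usernames permitted to access it.
ACL = {"sales_db": {"alice"}, "payroll": set()}

AUDIT_LOG: list[dict] = []  # accounting: every authentication and authorization decision


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238 with HMAC-SHA1): the 'something you have' factor."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def record(event: str, **fields) -> None:
    """Accounting: append a timestamped entry describing what happened and for whom."""
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields})


def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Multifactor authentication: both the password and the current TOTP code must match."""
    user = USERS.get(username)
    if user is None:
        record("auth_fail", user=username, reason="unknown user")
        return False
    pw_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    # Accept the current 30-second window and the previous one to tolerate clock skew.
    code_ok = any(hmac.compare_digest(totp(user["totp_secret"], now - d), code) for d in (0, 30))
    if pw_ok and code_ok:
        record("auth_ok", user=username)
        return True
    record("auth_fail", user=username, reason="bad password or code")
    return False


def authorize(username: str, resource: str) -> bool:
    """Authorization: an authenticated user still needs an ACL entry for the resource."""
    allowed = username in ACL.get(resource, set())
    record("authz", user=username, resource=resource, allowed=allowed)
    return allowed


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(USERS["alice"]["totp_secret"], now)
    if authenticate("alice", "correct horse battery staple", code, now):
        print("sales_db:", authorize("alice", "sales_db"))
        print("payroll:", authorize("alice", "payroll"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note that a failed password and a failed one-time code produce the same audit reason, so the log does not tell an observer which factor was wrong, and the comparisons use constant-time equality.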

a) Physical Access Controls


Physical access controls are actual barriers deployed to prevent direct contact with systems. The
goal is to prevent unauthorized users from gaining physical access to facilities, equipment, and
other organizational assets.
Physical access control determines who can enter (or exit), where they can enter (or exit), and
when they can enter (or exit).
Examples of physical access controls include the following:
• Guards -- monitor the facility
• Fences -- protect the perimeter
• Motion detectors -- detect moving objects
• Laptop locks -- safeguard portable equipment
• Locked doors -- prevent unauthorized access
• Swipe cards -- allow access to restricted areas
• Guard dogs -- protect the facility
• Video cameras -- monitor a facility by collecting and recording images
• Mantraps -- allow access to the secured area only after door 1 closes
• Alarms -- detect intrusion

b) Logical Access Controls


Logical access controls are the hardware and software solutions used to manage access to
resources and systems. These technology-based solutions include tools and protocols that
computer systems use for identification, authentication, authorization, and accountability.
Logical access controls include the following:
• Encryption is the process of taking plaintext and creating ciphertext
• Smart cards have an embedded microchip
• Passwords are protected strings of characters
• Biometrics are users' physical characteristics
• Access Control Lists (ACLs) define the type of traffic allowed on a network
• Protocols are a set of rules that govern the exchange of data between devices
• Firewalls prevent unwanted network traffic
• Routers connect at least two networks
• Intrusion Detection Systems monitor a network for suspicious activities
• Clipping Levels are allowed thresholds for errors before an alert (a red flag) is triggered

c) Administrative Access Controls


Administrative access controls are the policies and procedures defined by organizations to
implement and enforce all aspects of controlling unauthorized access. Administrative controls
focus on personnel and business practices. Administrative controls include the following:
• Policies are statements of intent
• Procedures are the detailed steps required to perform an activity
• Hiring practices involve the steps an organization takes to find qualified employees
• Background checks are an employment screening that includes past employment
verification, credit history, and criminal history
• Data classification categorizes data based on its sensitivity
• Security training educates employees about the security policies at an organization
• Reviews evaluate an employee's job performance

d) Mandatory Access Control
Mandatory access control (MAC) restricts the actions that a subject can perform on an object. A
subject can be a user or a process. An object can be a file, a port, or an input/output device. An
authorization rule enforces whether or not a subject can access the object.
Organizations use MAC where different levels of security classifications exist. Every object has a
label and every subject has a clearance. A MAC system restricts a subject based on the security
classification of the object and the label attached to the user.
For example, take the military security classifications Secret and Top Secret. If a file (an object) is
considered top secret, it is classified (labelled) Top Secret. The only people (subjects) that may
view the file (object) are those with a Top Secret clearance. It is up to the access control
mechanism to ensure that an individual (subject) with only a Secret clearance never gains access
to a file labelled Top Secret. Similarly, a user (subject) cleared for Top Secret access cannot
change the classification of a file (object) labelled Top Secret to Secret. Additionally, a Top Secret
user cannot send a Top Secret file to a user cleared only to see Secret information.
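The Secret / Top Secret example above can be written as a small MAC reference monitor. The following is an added example, not part of these lecture notes: subjects carry a clearance, objects carry a label, and the mechanism (not the user) decides reads, sends and relabelling. It generalizes the notes slightly by also refusing writes from a higher clearance into a lower-labelled object, the "no write down" rule of the Bell-LaPadula model, which is the classic formalization of the rules the notes describe. The four-level lattice, the user names and the file names are constructed for the illustration.

```python
from dataclasses import dataclass

# Constructed classification lattice, lowest to highest. The notes name only Secret and Top Secret.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str


@dataclass
class Obj:
    name: str
    label: str


def _rank(level: str) -> int:
    """Map a classification name to its position in the lattice; unknown names are rejected."""
    try:
        return LEVELS[level]
    except KeyError:
        raise ValueError(f"unknown classification: {level!r}") from None


def can_read(subject: Subject, obj: Obj) -> bool:
    """No read up: a subject may read only objects at or below its clearance."""
    return _rank(subject.clearance) >= _rank(obj.label)


def can_write(subject: Subject, obj: Obj) -> bool:
    """No write down (Bell-LaPadula *-property): writing into a lower-labelled object could leak data."""
    return _rank(subject.clearance) <= _rank(obj.label)


def can_send(sender: Subject, recipient: Subject, obj: Obj) -> bool:
    """Sending is a read by the sender followed by a read by the recipient; both must be allowed."""
    return can_read(sender, obj) and can_read(recipient, obj)


def relabel(subject: Subject, obj: Obj, new_label: str) -> bool:
    """Users cannot lower a label. Upgrades are allowed for subjects that can read the object."""
    if _rank(new_label) < _rank(obj.label):
        return False  # downgrade refused regardless of clearance
    if not can_read(subject, obj):
        return False
    obj.label = new_label
    return True


def demo() -> dict:
    """Replay the scenarios from the notes and report each decision."""
    top_secret_user = Subject("ada", "Top Secret")
    secret_user = Subject("bob", "Secret")
    ts_file = Obj("plan.doc", "Top Secret")
    secret_memo = Obj("memo.txt", "Secret")
    return {
        "ts_user_reads_ts_file": can_read(top_secret_user, ts_file),
        "secret_user_reads_ts_file": can_read(secret_user, ts_file),
        "ts_user_sends_ts_file_to_secret_user": can_send(top_secret_user, secret_user, ts_file),
        "ts_user_downgrades_ts_file": relabel(top_secret_user, ts_file, "Secret"),
        "label_after_refused_downgrade": ts_file.label,
        "ts_user_writes_into_secret_memo": can_write(top_secret_user, secret_memo),
        "secret_user_upgrades_memo": relabel(secret_user, secret_memo, "Top Secret"),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```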

e) Discretionary Access Control


An object’s owner determines whether to allow access to an object with discretionary access
control (DAC). DAC grants or restricts object access determined by the object’s owner. As the
name implies, controls are discretionary because an object owner with certain access permissions
can pass on those permissions to another subject. In systems that employ discretionary access
controls, the owner of an object can decide which subjects can access that object and what specific
access they may have. One common method to accomplish this is with permissions, as shown in
the figure. The owner of a file can specify what permissions (read/write/execute) other users may
have.
Access control lists are another common mechanism used to implement discretionary access
control. An access control list uses rules to determine what traffic can enter or exit a network.

f) Role-Based Access Control


Role-based access control (RBAC) depends on the role of the subject. Roles are job functions
within an organization. Specific roles require permissions to perform certain operations. Users
acquire permissions through their role. RBAC can work in combination with DAC or MAC by
enforcing the policies of either one. RBAC helps to implement security administration in large
organizations with hundreds of users and thousands of possible permissions. Organizations widely
accept the use of RBAC to manage computer permissions within a system, or application, as a best
practice.

g) Rule-Based Access Control


Rule-based access control uses access control lists (ACLs) to help determine whether to grant
access. A series of rules is contained in the ACL, as shown in the figure. The determination of
whether to grant access depends on these rules. An example of such a rule is one that states that no
employee may have access to the payroll file after hours or on weekends.
As with MAC, users cannot change the access rules. Organizations can combine rule-based access
control with other strategies for implementing access restrictions. For example, MAC methods can
utilize a rule-based approach for implementation.
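The role-based and rule-based models above combine naturally: roles grant permissions, and rules can still refuse access that a role would otherwise allow. The following is an added example, not part of these lecture notes, that implements both layers and uses the notes' own rule that no employee may reach the payroll file after hours or at weekends. The roles, users, resources and business-hours definition (09:00 to 17:00, Monday to Friday) are constructed for the illustration.

```python
from datetime import datetime

# RBAC layer (constructed): permissions are attached to roles, never directly to users.
ROLE_PERMISSIONS = {
    "hr_clerk": {"payroll:read"},
    "hr_manager": {"payroll:read", "payroll:write"},
    "sales": {"sales_db:read", "sales_db:write"},
}
USER_ROLES = {
    "dana": {"hr_clerk"},
    "eve": {"sales"},
    "frank": {"hr_manager", "sales"},
}


def permissions_for(user: str) -> set:
    """A user's effective permissions are the union of the permissions of all their roles."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


# Rule-based layer: rules that users cannot change and that can deny regardless of role.
def business_hours(ts: datetime) -> bool:
    """Constructed definition: weekdays 09:00-16:59."""
    return ts.weekday() < 5 and 9 <= ts.hour < 17


RULES = [
    ("payroll", business_hours),  # the notes' example: no payroll access after hours or on weekends
]


def access_allowed(user: str, resource: str, action: str, ts: datetime) -> tuple:
    """Grant only if a role supplies the permission AND every rule for the resource passes."""
    if f"{resource}:{action}" not in permissions_for(user):
        return False, "no role grants this permission"
    for rule_resource, rule in RULES:
        if rule_resource == resource and not rule(ts):
            return False, "denied by rule"
    return True, "allowed"


def demo() -> dict:
    """Evaluate the scenarios at a constructed Monday 10:00 and Saturday 10:00."""
    monday_10am = datetime(2024, 1, 8, 10, 0)
    saturday_10am = datetime(2024, 1, 6, 10, 0)
    return {
        "clerk_reads_payroll_in_hours": access_allowed("dana", "payroll", "read", monday_10am),
        "clerk_writes_payroll": access_allowed("dana", "payroll", "write", monday_10am),
        "clerk_reads_payroll_weekend": access_allowed("dana", "payroll", "read", saturday_10am),
        "manager_writes_payroll_in_hours": access_allowed("frank", "payroll", "write", monday_10am),
        "sales_writes_sales_db_weekend": access_allowed("eve", "sales_db", "write", saturday_10am),
    }


if __name__ == "__main__":
    for scenario, decision in demo().items():
        print(f"{scenario}: {decision}")
```

The order of the two checks matters for the audit trail: a request that fails the role check is a missing permission, while one that passes it and then fails a rule is a policy-time restriction, and the returned reason lets the accounting layer record which it was.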

CONFIDENTIALITY
Confidentiality versus Privacy
Confidentiality and privacy seem interchangeable, but from a legal standpoint, they mean different
things. Most privacy data is confidential, but not all confidential data is private. Access to
confidential information occurs after confirming proper authorization. Financial institutions,
hospitals, medical professionals, law firms, and businesses handle confidential information.
Confidential information has a non-public status. Maintaining confidentiality is more of an ethical
duty.
Privacy is the appropriate use of data. When organizations collect information provided by
customers or employees, they should only use that data for its intended purpose. Most
organizations will require the customer or employee to sign a release form giving the organization
permission to use the data.
The growing number of privacy related statutes create a tremendous burden on organizations that
collect and analyse data. Policies are the best way for an organization to comply with the growing
number of privacy related laws. Policies enable organizations to enforce specific rules, procedures,
and processes when collecting, storing, and sharing data.

INTEGRITY
Data integrity is a fundamental component of information security. The need for data integrity
varies based on how an organization uses data. For example, Facebook does not verify the data
that a user posts in a profile. A bank or financial organization assigns a higher importance to data
integrity than Facebook does. Transactions and customer accounts must be accurate. In a
healthcare organization, data integrity might be a matter of life or death. Prescription information
must be accurate.
Protecting data integrity is a constant challenge for most organizations. Loss of data integrity can
render entire data resources unreliable or unusable.

Levels of data integrity need, from lowest to highest:

Low level
  Sector: Blogs and personal posting sites
  Verification: Data may not be verified
  Trust: Low level of trust in content
  Examples: public opinion and open contribution

Mid level
  Sector: Online sales and search engines
  Verification: Little verification is performed
  Trust: Data not completely trustworthy
  Examples: data collected with publicly posted forms

High level
  Sector: Ecommerce and analytics
  Verification: All data is validated
  Trust: Data is checked to provide trustworthiness
  Examples: an organisation's databases

Critical level
  Sector: Healthcare and emergency services
  Verification: All data is validated and tested
  Trust: Data is verified to provide trustworthiness
  Examples: healthcare financial records

Entity Integrity
A database is like an electronic filing system. Maintaining proper filing is critical in maintaining
the trustworthiness and usefulness of the data within the database. Tables, records, fields, and data
within each field make up a database. In order to maintain the integrity of the database filing
system, users must follow certain rules. Entity integrity is an integrity rule, which states that every
table must have a primary key and that the column or columns chosen to be the primary key must
be unique and not NULL. Null in a database signifies missing or unknown values. Entity integrity
enables proper organization of data for that record as shown in the figure.

Referential Integrity
Another important concept is the relationship between different filing systems or tables. The basis
of referential integrity is foreign keys. A foreign key in one table references a primary key in a
second table. The primary key for a table uniquely identifies entities (rows) in the table.
Referential integrity maintains the integrity of foreign keys.

Domain Integrity
Domain integrity ensures that all the data items in a column fall within a defined set of valid
values. Each column in a table has a defined set of values, such as the set of all valid credit
card numbers, social security numbers, or email addresses. Limiting the value assigned to an
instance of that column (an attribute) enforces domain integrity. Domain integrity enforcement can
be as simple as choosing the correct data type, length and/or format for a column.
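Entity, referential and domain integrity are all enforced by constraints that the database checks on every write. The following is an added example, not part of these lecture notes: it builds a two-table schema in an in-memory SQLite database using Python's standard sqlite3 module and shows which inserts each rule rejects. The table names, columns and sample rows are constructed for the illustration, and the email format check is a deliberately simple shape test, not a full validator.

```python
import sqlite3

# Constructed schema. Comments mark which integrity rule each constraint enforces.
SCHEMA = """
CREATE TABLE customer (
    customer_id TEXT PRIMARY KEY NOT NULL,           -- entity integrity: unique and not NULL
    email       TEXT NOT NULL UNIQUE
                CHECK (email LIKE '%_@_%.__%')       -- domain integrity: format
);
CREATE TABLE account (
    account_id  TEXT PRIMARY KEY NOT NULL,
    customer_id TEXT NOT NULL
                REFERENCES customer(customer_id),    -- referential integrity: foreign key
    balance     INTEGER NOT NULL CHECK (balance >= 0) -- domain integrity: range
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    # SQLite ignores foreign keys unless this pragma is enabled on the connection.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def try_insert(conn: sqlite3.Connection, sql: str, params: tuple) -> bool:
    """Return True if the row was accepted, False if an integrity rule rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


def demo() -> dict:
    """Attempt a series of constructed inserts and report which ones the database accepts."""
    conn = open_db()
    cust = "INSERT INTO customer (customer_id, email) VALUES (?, ?)"
    acct = "INSERT INTO account (account_id, customer_id, balance) VALUES (?, ?, ?)"
    results = {
        "valid_customer": try_insert(conn, cust, ("C001", "ann@example.com")),
        "duplicate_primary_key": try_insert(conn, cust, ("C001", "other@example.com")),
        "null_primary_key": try_insert(conn, cust, (None, "x@example.com")),
        "malformed_email": try_insert(conn, cust, ("C002", "not-an-email")),
        "account_for_unknown_customer": try_insert(conn, acct, ("A001", "C999", 10)),
        "valid_account": try_insert(conn, acct, ("A001", "C001", 10)),
        "negative_balance": try_insert(conn, acct, ("A002", "C001", -5)),
    }
    results["rows_in_customer"] = conn.execute("SELECT COUNT(*) FROM customer").fetchone()[0]
    results["rows_in_account"] = conn.execute("SELECT COUNT(*) FROM account").fetchone()[0]
    conn.close()
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The foreign-key pragma is the practical caveat: a schema can declare referential integrity and still not enforce it if the connection never turns the check on, so the enforcement should be verified with a rejected insert like the one above rather than assumed from the DDL.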

AVAILABILITY
Data availability is the principle used to describe the need to maintain availability of information
systems and services at all times. Cyber-attacks and system failures can prevent access to
information systems and services. For example, interrupting the availability of the website of a
competitor by bringing it down may provide an advantage to its rival. These denial-of-service
(DoS) attacks threaten system availability and prevent legitimate users from accessing and using
information systems when needed.
Methods used to ensure availability include system redundancy, system backups, increased system
resiliency, equipment maintenance, up-to-date operating systems and software, and plans in place
to recover quickly from unforeseen disasters.

People use various information systems in their day-to-day lives. Computers and information
systems control communications, transportation and the manufacturing of products. The
continuous availability of information systems is imperative to modern life. The term high
availability describes systems designed to avoid downtime. High availability ensures a level of
performance for a longer than normal period. High availability systems typically include three
design principles:
• Eliminate single points of failure
• Provide for reliable crossover
• Detect failures as they occur
The goal is the ability to continue to operate under extreme conditions, such as during an attack.
One of the most popular high availability practices is five nines. The five nines refer to 99.999%.
This means that downtime is less than 5.26 minutes per year.
Ensuring Availability

Organizations can ensure availability by implementing the following:
• Equipment maintenance
• OS and system updates
• Backup testing
• Disaster planning
• New technology implementations
• Unusual activity monitoring
• Availability testing

The Five Nines Concept of Availability


Five nines mean that systems and services are available 99.999% of the time. It also means that
both planned and unplanned downtime is less than 5.26 minutes per year.
High availability refers to a system or component that is continuously operational for a given
length of time. To help ensure high availability:
o Eliminate single points of failure
o Design for reliability
o Detect failures as they occur

Sustaining high availability at the standard of five-nines can increase costs and utilize many
resources. The increased costs are due to the purchase of additional hardware such as servers and
components. As an organization adds components, the result is an increase in configuration
complexity. Unfortunately, increased configuration complexity increases the risk factors. The
more moving parts involved, the higher the likelihood of failed components.

Environments that Require Five Nines


Although the cost of sustaining high availability may be too high for some industries, several
environments require five nines.
• The finance industry needs to maintain high availability for continuous trading,
compliance, and customer trust.
• Healthcare facilities require high availability to provide around-the-clock care for patients.
• The public safety industry includes agencies that provide security and services to a
community, state, or nation.
• The retail industry depends on efficient supply chains and the delivery of products to
customers. Disruption can be devastating, especially during peak demand times such as holidays.
• The public expects that the news media industry communicate information on events as
they happen. The news cycle is now around the clock, 24/7.

Threats to Availability
The following threats pose a high risk to data and information availability:
• An unauthorized user successfully penetrates and compromises an organization's
primary database
• A successful DoS attack significantly affects operations
• An organization suffers a significant loss of confidential data
• A mission-critical application goes down
• A compromise of the Admin or root user occurs
• The detection of a cross-site script or illegal file server share
• The defacement of an organization's website impacts public relations
• A severe storm such as a hurricane or tornado
• A catastrophic event such as a terrorist attack, building bombing, or building fire
• Long-term utility or service provider outage
• Water damage as the result of flooding or sprinkler failure

Categorizing the impact level for each threat helps an organization realize the dollar impact of a
threat.

Designing High Availability System


High availability incorporates three major principles to achieve the goal of uninterrupted access to
data and services:
1. Elimination or reduction of single-points of failure
2. System Resiliency
3. Fault Tolerance

System resiliency refers to the capability to maintain availability of data and operational
processing despite attacks or a disruptive event. Generally, this requires redundant systems, in terms
of both power and processing, so that should one system fail, the other can take over operations
without any break in service. System resiliency is more than hardening devices; it requires that
both data and services be available even when under attack.

Fault tolerance enables a system to continue to operate if one or more components fail. Data
mirroring is one example of fault tolerance. Should a "fault" occur, causing disruption in a device
such as a disk controller, the mirrored system provides the requested data with no apparent
interruption in service to the user.
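The five-nines figure and the three design principles above can be put into numbers. The following is an added example, not part of these lecture notes: it converts an availability percentage into minutes of downtime per year, and goes slightly beyond the notes by applying the standard series and parallel availability formulas to show why a chain of components (a single point of failure at each link) is less available than any one of them, while a mirrored pair is far more available. The component availabilities are constructed, and the parallel formula assumes the components fail independently.

```python
from math import prod

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes in a non-leap year


def downtime_minutes_per_year(availability: float) -> float:
    """Minutes per year a system with the given availability fraction is expected to be down."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def series(*availabilities: float) -> float:
    """Components that must ALL work (e.g. web tier feeding a database): every link is a
    single point of failure, so the overall availability is the product."""
    return prod(availabilities)


def parallel(*availabilities: float) -> float:
    """Redundant components where ANY one suffices (mirroring, failover): the system is
    down only when all of them are down at once. Assumes independent failures."""
    return 1.0 - prod(1.0 - a for a in availabilities)


def demo() -> dict:
    """Constructed scenario: each component is 99.9% available ('three nines')."""
    single = 0.999
    return {
        "five_nines_downtime_min": round(downtime_minutes_per_year(0.99999), 2),
        "single_component_downtime_min": round(downtime_minutes_per_year(single), 2),
        "web_plus_db_series": round(series(single, single), 6),
        "web_plus_db_downtime_min": round(downtime_minutes_per_year(series(single, single)), 2),
        "mirrored_pair_parallel": round(parallel(single, single), 6),
        "mirrored_pair_downtime_min": round(downtime_minutes_per_year(parallel(single, single)), 2),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The practical reading is that adding a dependency multiplies the unavailability while adding a redundant peer multiplies the availability gap, which is the arithmetic behind "eliminate single points of failure"; the independence assumption is also why a mirrored pair sharing one power feed does not achieve the computed figure.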

Asset Identification
An organization needs to know what hardware and software are present as a prerequisite to
knowing what the configuration parameters need to be. Asset management includes a complete
inventory of hardware and software.
This means that the organization needs to know all of the components that can be subject to security
risks, including:
• Every hardware system
• Every operating system
• Every hardware network device
• Every network device operating system
• Every software application
• All firmware
• All language runtime environments
• All individual libraries
An organization may choose an automated solution to keep track of assets. An administrator
should investigate any changed configuration because it may mean that the configuration is not
up-to-date. It can also mean that unauthorized changes are happening.

