Fundamentals of Cybersecurity
Traditional Data
Corporate data includes:
i) Personnel information [such as application materials, payroll, offer letters, employee
agreements, and any information used in making employment decisions].
ii) Intellectual property [such as patents, trademarks and new product plans], which allows a business to
gain economic advantage over its competitors. Consider this intellectual property a trade
secret; losing this information can be disastrous for the future of the company.
iii) Financial data [such as income statements, balance sheets, and cash flow statements], which gives
insight into the health of the company.
The National Cybersecurity Workforce Framework
The Workforce Framework categorizes cybersecurity work into seven categories.
i. Operate and Maintain includes providing the support, administration, and maintenance
required to ensure IT system performance and security.
ii. Protect and Defend includes the identification, analysis, and mitigation of threats to
internal systems and networks.
iii. Investigate includes the investigation of cyber events and/or cyber crimes involving IT
resources.
iv. Collect and Operate includes specialized denial and deception operations and the
collection of cybersecurity information.
v. Analyze includes highly specialized review and evaluation of incoming cybersecurity
information to determine if it is useful for intelligence.
vi. Oversight and Development provides for leadership, management, and direction to
conduct cybersecurity work effectively.
vii. Securely Provision includes conceptualizing, designing, and building secure IT systems.
a) The first dimension of the Cybersecurity Cube includes the three principles of information
security known as the CIA Triad. This dimension identifies the goals to protect cyberspace. The
goals identified here are the foundational principles. These three principles are confidentiality,
integrity and availability. The principles provide focus and enable the cybersecurity expert to
prioritize actions when protecting any networked system.
CONFIDENTIALITY
This prevents the disclosure of information to unauthorized people, resources, or processes.
Cybersecurity requires privacy in data and information. Certain people, devices, or processes
should be permitted or restricted from seeing data, files, and items such as username and password
combinations, medical records, etc. Confidentiality is concerned with the viewing of data or
information, because if the wrong people see data or information they are not authorized to see, many
problems could arise.
Confidentiality measures protect information from unauthorized access and misuse. Most
information systems house information that has some degree of sensitivity. It might be proprietary
business information that competitors could use to their advantage, or personal information
regarding an organization’s employees, customers or clients.
Confidential information often has value and systems are therefore under frequent attack as
criminals hunt for vulnerabilities to exploit. Threat vectors include direct attacks such as stealing
passwords and capturing network traffic, and more layered attacks such as social engineering and
phishing. Not all confidentiality breaches are intentional. A few types of common accidental
breaches include emailing sensitive information to the wrong recipient, publishing private data to
public web servers, and leaving confidential information displayed on an unattended computer
monitor.
Healthcare is an example of an industry where the obligation to protect client information is very
high. Not only do patients expect and demand that healthcare providers protect their privacy,
there are strict regulations governing how healthcare organizations manage security. The Health
Insurance Portability and Accountability Act (HIPAA) addresses security, including privacy
protection, in the handling of personal health information by insurers, providers and claims
processors. HIPAA rules mandate administrative, physical and technical safeguards, and require
organizations to conduct risk analysis.
There are many countermeasures that organizations put in place to ensure confidentiality.
Passwords, access control lists and authentication procedures use software to control access to
resources. These access control methods are complemented by the use of encryption to protect
information that can be accessed despite the controls, such as emails that are in transit. Additional
confidentiality countermeasures include administrative solutions such as policies and training, as
well as physical controls that prevent people from accessing facilities and equipment.
INTEGRITY
Integrity refers to the accuracy, consistency, and trustworthiness of data. Cybersecurity requires us
to feel safe that data transmitted, processed, and stored has not been changed from its original
form either accidentally or maliciously. For example, if one bit of a message is changed, the whole
message could change. Also, the whole message could be corrupted or unreadable.
Integrity measures protect information from unauthorized alteration. These measures provide
assurance in the accuracy and completeness of data. The need to protect information includes both
data that is stored on systems and data that is transmitted between systems such as email. In
maintaining integrity, it is not only necessary to control access at the system level, but to further
ensure that system users are only able to alter information that they are legitimately authorized to
alter.
As with confidentiality protection, the protection of data integrity extends beyond intentional
breaches. Effective integrity countermeasures must also protect against unintentional alteration,
such as user errors or data loss that is a result of a system malfunction.
While all system owners require confidence in the integrity of their data, the finance industry has a
particularly pointed need to ensure that transactions across its systems are secure from tampering.
One of the most notorious financial data integrity breaches in recent times occurred in February
2016 when cyber thieves generated $1 billion in fraudulent withdrawals from the account of the
central bank of Bangladesh at the Federal Reserve Bank of New York. The hackers executed an
elaborate scheme that included obtaining the necessary credentials to initiate the withdrawals,
along with infecting the banking system with malware that deleted the database records of the
transfers and then suppressed the confirmation messages which would have alerted banking
authorities to the fraud. After the scheme was discovered most of the transfers were either
blocked or the funds recovered, but the thieves were still able to make off with more than $60 million.
There are many countermeasures that can be put in place to protect integrity. Access control and
rigorous authentication can help prevent authorized users from making unauthorized changes.
Hash verifications and digital signatures can help ensure that transactions are authentic and that
files have not been modified or corrupted. Equally important to protecting data integrity are
administrative controls such as separation of duties and training.
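The paragraphs above say that a single changed bit alters a message and that hash verification and authentication checks detect such changes. The following added example (not part of the original notes) shows both checks in Python's standard library: a plain SHA-256 hash, which catches accidental corruption, and an HMAC tag over the same data, which also catches deliberate tampering because a valid tag can only be produced by a holder of the key. The record, the key and the flipped bit position are constructed for the demonstration; a digital signature would play the same role as the HMAC with a public/private key pair instead of a shared key.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; stands in for a stored file or a transmitted message.
RECORD = b"transfer;from=ACC-1001;to=ACC-2002;amount=250.00"


def sha256_hex(data: bytes) -> str:
    """Plain hash of the data. Detects accidental corruption, but anyone who can
    alter the data can also recompute the hash, so it proves nothing about origin."""
    return hashlib.sha256(data).hexdigest()


def flip_one_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of `data` with exactly one bit inverted (simulates a one-bit error)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag over the data. Only a holder of `key` can produce a valid
    tag, so a verifier that trusts the key detects deliberate tampering as well
    as corruption."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time, so the comparison does not
    leak how many leading characters matched."""
    return hmac.compare_digest(make_tag(key, data), tag)


def integrity_check(key: bytes, data: bytes, stored_hash: str, stored_tag: str) -> dict:
    """Run both checks on `data` against the values recorded when it was created."""
    return {
        "hash_matches": sha256_hex(data) == stored_hash,
        "tag_valid": verify_tag(key, data, stored_tag),
    }


def demo() -> dict:
    key = secrets.token_bytes(32)       # demo only; real keys come from a key store
    stored_hash = sha256_hex(RECORD)    # "known good" values recorded at creation time
    stored_tag = make_tag(key, RECORD)
    tampered = flip_one_bit(RECORD, 5)  # one bit changed, as in the text's example
    return {
        "original": integrity_check(key, RECORD, stored_hash, stored_tag),
        "one_bit_flipped": integrity_check(key, tampered, stored_hash, stored_tag),
    }


if __name__ == "__main__":
    print(demo())
```

Both checks fail for the one-bit change. The practical difference is who can forge a passing value: the plain hash must be stored somewhere the attacker cannot reach (or be signed), whereas the HMAC tag is safe to store next to the data as long as the key is not.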
AVAILABILITY
Availability ensures that information is accessible by authorized users when needed. Availability
guarantees that, with all the cybersecurity measures in place for hardware, software,
people, processes and more, users who are authorized to do their job are able to do so. It
requires that authorized users can access the resources they need to do their job with
ease, while the system has fault tolerance and load balancing in place in the event of a
cybersecurity incident or disaster.
The availability and responsiveness of a website is a high priority for many businesses. Disruption
of website availability for even a short time can lead to loss of revenue, customer dissatisfaction
and reputation damage. The Denial of Service (DoS) attack is a method frequently used by
hackers to disrupt web service. In a DoS attack, hackers flood a server with superfluous requests,
overwhelming the server and degrading service for legitimate users. Over the years, service
providers have developed sophisticated countermeasures for detecting and protecting against DoS
attacks, but hackers also continue to gain in sophistication, and such attacks remain an ongoing
concern.
Countermeasures to protect system availability are as far-ranging as the threats to
availability. Systems that have a high requirement for continuous uptime should have significant
hardware redundancy, with backup servers and data storage immediately available. For large
enterprise systems it is common to have redundant systems in separate physical locations.
Software tools should be in place to monitor system performance and network traffic.
Countermeasures to protect against DoS attacks include firewalls and routers.
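The text describes a DoS flood as a server being overwhelmed by superfluous requests and lists traffic monitoring among the countermeasures. The added example below (not from the original notes) shows the simplest form of that monitoring: a sliding-window request counter per client over web-server access-log lines. The log lines, the window of 10 seconds and the threshold of 5 requests are constructed for the demonstration; real thresholds depend on the service's normal traffic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access log: one client sends eight requests in eight seconds, two
# others behave normally. Line format: client_ip - - [ISO time] "request" status
LOG_LINES = (
    [f'10.0.0.7 - - [2024-03-01T10:00:{s:02d}] "GET /search HTTP/1.1" 200' for s in range(8)]
    + [f'192.0.2.10 - - [2024-03-01T10:00:{s:02d}] "GET /index.html HTTP/1.1" 200' for s in (0, 15, 30)]
    + [f'198.51.100.4 - - [2024-03-01T10:00:{s:02d}] "GET /api/items HTTP/1.1" 200' for s in (1, 3, 5, 7)]
)


def parse_line(line: str) -> tuple:
    """Extract (timestamp, client_ip) from one access-log line."""
    parts = line.split()
    ip = parts[0]
    ts = datetime.fromisoformat(parts[3].strip("[]"))
    return ts, ip


def peak_rates(lines, window_seconds: int = 10) -> dict:
    """For every client, the largest number of requests seen in any sliding window
    of `window_seconds`. A deque per client holds the timestamps still in the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip in sorted(parse_line(line) for line in lines):  # process in time order
        dq = recent[ip]
        dq.append(ts)
        while ts - dq[0] > window:  # drop requests that fell out of the window
            dq.popleft()
        peak[ip] = max(peak[ip], len(dq))
    return dict(peak)


def find_floods(lines, window_seconds: int = 10, threshold: int = 5) -> dict:
    """Clients whose peak rate reaches `threshold` requests per window, with the
    peak count, which is what a rate limit or firewall block would be based on."""
    return {ip: n for ip, n in peak_rates(lines, window_seconds).items() if n >= threshold}


if __name__ == "__main__":
    print(find_floods(LOG_LINES))
```

A per-client counter like this catches a single noisy source; floods spread across many sources (distributed DoS) keep each client under the threshold, which is why providers combine it with aggregate traffic baselines and upstream filtering rather than relying on one signal.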
Sensitive information
Sensitive information is data protected from unauthorized access to safeguard an individual or an
organization. There are three types of sensitive information:
• Personal information is personally identifiable information (PII) that traces back to an
individual.
• Business information is information that includes anything that poses a risk to the
organization if discovered by the public or a competitor.
• Classified information is information belonging to a government body classified by its
level of sensitivity.
ACCESS CONTROL
Access control defines a number of protection schemes that prevent unauthorized access to a
computer, network, database, or other data resources. This has to do with the concepts of AAA
which involves three security services: Authentication, Authorization and Accounting. The
concept of AAA is similar to using a credit card. The credit card identifies who can use it, how
much that user can spend, and accounts for items or services the user purchased. These services
provide the primary framework to control access.
i) Authentication verifies the identity of a user to prevent unauthorized access. Users claim their
identity with a username or ID. In addition, users need to verify their identity by providing one of
the following:
• Something they know (such as a password)
• Something they have (such as a token or card)
• Something they are (such as a fingerprint)
For example, if you go to an ATM for cash, you need your bankcard (something you have) and
you need to know the PIN (something you know). This is also an example of multifactor authentication. Multifactor
authentication requires more than one type of authentication. The most popular form of
authentication is the use of passwords.
ii) Authorization services determine which resources users can access, along with the operations
that users can perform. Some systems accomplish this by using an access control list [ACL]. An
ACL determines whether a user has certain access privileges once the user authenticates. Just
because you can log onto the corporate network does not mean that you have permission to use the
high-speed colour printer. Authorization can also control when a user has access to a specific
resource. For example, employees may have access to a sales database during work hours, but the
system locks them out after hours.
iii) Accounting keeps track of what users do, including what they access, the amount of time they
access resources, and any changes made. For example, a bank keeps track of each customer
account. An audit of that system can reveal the time and amount of all transactions and the
employee or system that executed the transactions. Cybersecurity accounting services work the
same way. The system tracks each data transaction and provides auditing results. An administrator
can set up computer policies to enable system auditing. Cybersecurity accounting tracks and
monitors in real time. Websites, like Norse, show attacks in real-time based on data collected as
part of an accounting or tracking system.
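The three AAA services above are easiest to see side by side in code. The following added example (not from the original notes) implements them in miniature: authentication against a store of salted password hashes (something the user knows), authorization against an access control list with a work-hours restriction on the sales database, and accounting as an audit log that records every decision, allowed or denied. The users, passwords, ACL entries and the 08:00 to 18:00 window are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash; the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed user store, ACL (resource -> user -> permitted operations) and
# time restriction (resource -> permitted hours on a 24-hour clock, end exclusive).
USERS = {"alice": make_user("alice-demo-pass"), "bob": make_user("bob-demo-pass")}
ACL = {
    "sales_db": {"alice": {"read", "write"}, "bob": {"read"}},
    "colour_printer": {"bob": {"print"}},
}
WORK_HOURS = {"sales_db": (8, 18)}


def authenticate(user: str, password: str) -> bool:
    """Authentication: prove the claimed identity. Unknown users fail; the hash
    comparison is constant-time."""
    record = USERS.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(hash_password(password, salt), stored)


@dataclass
class AuditLog:
    """Accounting: who did what, to which resource, when, and whether it was allowed."""
    entries: list = field(default_factory=list)

    def record(self, user, resource, operation, when, allowed):
        self.entries.append({"when": when.isoformat(), "user": user, "resource": resource,
                             "operation": operation, "allowed": allowed})


def authorize(user: str, resource: str, operation: str, when: datetime, log: AuditLog) -> bool:
    """Authorization: check the ACL entry and, where defined, the permitted hours.
    Every decision is logged, whether it succeeds or not."""
    allowed = operation in ACL.get(resource, {}).get(user, set())
    if allowed and resource in WORK_HOURS:
        start, end = WORK_HOURS[resource]
        allowed = start <= when.hour < end
    log.record(user, resource, operation, when, allowed)
    return allowed


def demo() -> dict:
    log = AuditLog()
    during = datetime(2024, 3, 1, 10, 0)
    after = datetime(2024, 3, 1, 22, 0)
    return {
        "alice_login": authenticate("alice", "alice-demo-pass"),
        "alice_bad_password": authenticate("alice", "wrong"),
        "alice_write_during_hours": authorize("alice", "sales_db", "write", during, log),
        "alice_write_after_hours": authorize("alice", "sales_db", "write", after, log),
        "bob_write": authorize("bob", "sales_db", "write", during, log),
        "bob_print": authorize("bob", "colour_printer", "print", during, log),
        "audit_entries": len(log.entries),
    }


if __name__ == "__main__":
    print(demo())
```

Note that denied requests are logged as well as granted ones: the after-hours attempt and bob's write attempt are exactly the entries an auditor reviewing the accounting data would want to see.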
Laptop locks -- safeguard portable equipment
Locked doors -- prevent unauthorized access
Swipe cards -- allow access to restricted areas
Guard dogs -- protect the facility
Video cameras -- monitor a facility by collecting and recording images
Mantraps -- allow access to the secured area only after door 1 closes
Alarms -- detect intrusion
d) Mandatory Access Control
Mandatory access control (MAC) restricts the actions that a subject can perform on an object. A
subject can be a user or a process. An object can be a file, a port, or an input/output device. An
authorization rule enforces whether or not a subject can access the object.
Organizations use MAC where different levels of security classifications exist. Every object has a
label and every subject has a clearance. A MAC system restricts a subject based on the security
classification of the object and the label attached to the user.
For example, take the military security classifications Secret and Top Secret. If a file (an object) is
considered top secret, it is classified (labelled) Top Secret. The only people (subjects) that may
view the file (object) are those with a Top Secret clearance. It is up to the access control
mechanism to ensure that an individual (subject) with only a Secret clearance, never gains access
to a file labelled as Top Secret. Similarly, a user (subject) cleared for Top Secret access cannot
change the classification of a file (object) labelled Top Secret to Secret. Additionally, a Top Secret
user cannot send a Top Secret file to a user cleared only to see Secret information.
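The Secret / Top Secret rules in the paragraph above can be written as a small decision function. The added example below (not from the original notes) encodes the three statements: a subject may only read objects whose label its clearance dominates, a file may only be sent to a recipient cleared for the file's label, and a label may never be lowered. The ordering of levels is the usual one but is constructed here, and the rule that raising a label requires clearance for the new level is an assumption of the example, not something the text states.

```python
# Constructed ordering of classification levels; a higher number is more sensitive.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def dominates(clearance: str, label: str) -> bool:
    """A clearance dominates a label when it is at the same level or higher."""
    return LEVELS[clearance] >= LEVELS[label]


def can_read(clearance: str, label: str) -> bool:
    """No read up: a Secret clearance never reads a Top Secret object."""
    return dominates(clearance, label)


def can_send(sender_clearance: str, label: str, recipient_clearance: str) -> bool:
    """Sending is a read by the sender followed by a read by the recipient, so the
    recipient's clearance must also dominate the object's label."""
    return can_read(sender_clearance, label) and dominates(recipient_clearance, label)


def can_relabel(clearance: str, old_label: str, new_label: str) -> bool:
    """Assumed rule for this example: a subject may never lower a label, and may
    raise one only to a level it is itself cleared for."""
    if LEVELS[new_label] < LEVELS[old_label]:
        return False
    return dominates(clearance, old_label) and dominates(clearance, new_label)


def decide(clearance: str, action: str, label: str, **kw) -> tuple:
    """Single decision point (reference-monitor style): returns (allowed, reason)."""
    if action == "read":
        ok = can_read(clearance, label)
    elif action == "send":
        ok = can_send(clearance, label, kw["recipient_clearance"])
    elif action == "relabel":
        ok = can_relabel(clearance, label, kw["new_label"])
    else:
        return False, f"unknown action {action!r} denied"
    verb = "permitted" if ok else "denied"
    return ok, f"{action} of {label} object by {clearance} subject {verb}"


if __name__ == "__main__":
    print(decide("Secret", "read", "Top Secret"))
    print(decide("Top Secret", "send", "Top Secret", recipient_clearance="Secret"))
    print(decide("Top Secret", "relabel", "Top Secret", new_label="Secret"))
```

The point of routing every action through one `decide` function is the MAC property itself: the subject cannot bypass or weaken the rule, because the rule lives in the access control mechanism rather than with the object's owner.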
accept the use of RBAC to manage computer permissions within a system, or application, as a best
practice.
CONFIDENTIALITY
Confidentiality versus Privacy
Confidentiality and privacy seem interchangeable, but from a legal standpoint, they mean different
things. Most privacy data is confidential, but not all confidential data is private. Access to
confidential information occurs after confirming proper authorization. Financial institutions,
hospitals, medical professionals, law firms, and businesses handle confidential information.
Confidential information has a non-public status. Maintaining confidentiality is more of an ethical
duty.
Privacy is the appropriate use of data. When organizations collect information provided by
customers or employees, they should only use that data for its intended purpose. Most
organizations will require the customer or employee to sign a release form giving the organization
permission to use the data.
The growing number of privacy related statutes create a tremendous burden on organizations that
collect and analyse data. Policies are the best way for an organization to comply with the growing
number of privacy related laws. Policies enable organizations to enforce specific rules, procedures,
and processes when collecting, storing, and sharing data.
INTEGRITY
Data integrity is a fundamental component of information security. The need for data integrity
varies based on how an organization uses data. For example, Facebook does not verify the data
that a user posts in a profile. A bank or financial organization assigns a higher importance to data
integrity than Facebook does. Transactions and customer accounts must be accurate. In a
healthcare organization, data integrity might be a matter of life or death. Prescription information
must be accurate.
Protecting data integrity is a constant challenge for most organizations. Loss of data integrity can
render entire data resources unreliable or unusable.
Low level: blogs and personal posting sites
• Data may not be verified
• Low level of trust in content
• Examples include public opinion and open contribution
Mid level: online sales and search engines
• Little verification is performed
• Data not completely trustworthy
• Data is collected with publicly posted forms
High level: ecommerce and analytics
• All data is validated
• Data is checked to provide trustworthiness
• Examples include organisation's databases
Critical level: healthcare and emergency services
• All data is validated and tested
• Data is verified to provide trustworthiness
• Examples include healthcare financial records
Entity Integrity
A database is like an electronic filing system. Maintaining proper filing is critical in maintaining
the trustworthiness and usefulness of the data within the database. Tables, records, fields, and data
within each field make up a database. In order to maintain the integrity of the database filing
system, users must follow certain rules. Entity integrity is an integrity rule, which states that every
table must have a primary key and that the column or columns chosen to be the primary key must
be unique and not NULL. Null in a database signifies missing or unknown values. Entity integrity
enables proper organization of data for that record as shown in the figure.
Referential Integrity
Another important concept is the relationship between different filing systems or tables. The basis
of referential integrity is foreign keys. A foreign key in one table references a primary key in a
second table. The primary key for a table uniquely identifies entities (rows) in the table.
Referential integrity maintains the integrity of foreign keys.
Domain Integrity
Domain integrity ensures that all the data items in a column fall within a defined set of valid
values. Each column in a table has a defined set of values, such as the set of all numbers for credit
card numbers, social security numbers, or email addresses. Limiting the value assigned to an
instance of that column (an attribute) enforces domain integrity. Domain integrity enforcement can
be as simple as choosing the correct data type, length and/or format for a column.
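The three database integrity rules above (entity, referential and domain integrity) map directly onto table constraints. The added example below (not from the original notes) builds a two-table schema in an in-memory SQLite database through Python's `sqlite3` module and attempts one insert per rule, reporting which constraint rejected it. The tables, columns and sample rows are constructed for the demonstration; the email format check is deliberately a coarse shape check, not a full validator.

```python
import sqlite3

# Constructed schema: one constraint per integrity rule discussed in the text.
SCHEMA = """
CREATE TABLE customer (
    customer_id TEXT PRIMARY KEY NOT NULL,          -- entity integrity: unique, never NULL
    email       TEXT NOT NULL UNIQUE
                CHECK (email LIKE '%_@_%.__%')      -- domain integrity: must look like an address
);
CREATE TABLE orders (
    order_id     INTEGER PRIMARY KEY,
    customer_id  TEXT NOT NULL REFERENCES customer(customer_id),  -- referential integrity
    amount_cents INTEGER NOT NULL CHECK (amount_cents > 0)        -- domain integrity: type and range
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when this is on
    conn.executescript(SCHEMA)
    return conn


def try_insert(conn: sqlite3.Connection, sql: str, params: tuple) -> str:
    """Run one INSERT and report 'ok' or the kind of constraint that rejected it."""
    try:
        with conn:
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        # Messages look like "UNIQUE constraint failed: customer.customer_id"
        return str(exc).split(" constraint failed")[0]


def demo() -> dict:
    conn = open_db()
    ins_cust = "INSERT INTO customer (customer_id, email) VALUES (?, ?)"
    ins_order = "INSERT INTO orders (customer_id, amount_cents) VALUES (?, ?)"
    return {
        "valid_customer":      try_insert(conn, ins_cust, ("C-1001", "ann@example.com")),
        "duplicate_key":       try_insert(conn, ins_cust, ("C-1001", "other@example.com")),
        "null_key":            try_insert(conn, ins_cust, (None, "nobody@example.com")),
        "malformed_email":     try_insert(conn, ins_cust, ("C-1002", "not-an-email")),
        "valid_order":         try_insert(conn, ins_order, ("C-1001", 2500)),
        "orphan_order":        try_insert(conn, ins_order, ("C-9999", 2500)),
        "non_positive_amount": try_insert(conn, ins_order, ("C-1001", 0)),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20s} {outcome}")
```

The explicit `NOT NULL` on the primary key matters: without it SQLite, for historical reasons, accepts NULL in a non-integer primary key, which is exactly the entity-integrity violation the text warns about. The `PRAGMA foreign_keys = ON` line is the equivalent caveat for referential integrity.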
AVAILABILITY
Data availability is the principle used to describe the need to maintain availability of information
systems and services at all times. Cyber-attacks and system failures can prevent access to
information systems and services. For example, interrupting the availability of the website of a
competitor by bringing it down may provide an advantage to its rival. These denial-of-service
(DoS) attacks threaten system availability and prevent legitimate users from accessing and using
information systems when needed.
Methods used to ensure availability include system redundancy, system backups, increased system
resiliency, equipment maintenance, up-to-date operating systems and software, and plans in place
to recover quickly from unforeseen disasters.
People use various information systems in their day-to-day lives. Computers and information
systems control communications, transportation and the manufacturing of products. The
continuous availability of information systems is imperative to modern life. The term high
availability describes systems designed to avoid downtime. High availability ensures a level of
performance for a longer than normal period. High availability systems typically include three
design principles:
• Eliminate single points of failure
• Provide for reliable crossover
• Detect failures as they occur
The goal is the ability to continue to operate under extreme conditions, such as during an attack.
One of the most popular high availability practices is five nines. The five nines refer to 99.999%
uptime, which means that downtime is less than 5.26 minutes per year.
Ensuring Availability
Organizations can ensure availability by implementing the following:
• Equipment maintenance
• OS and system updates
• Backup testing
• Disaster planning
• New technology implementations
• Unusual activity monitoring
• Availability testing
Sustaining high availability at the standard of five-nines can increase costs and utilize many
resources. The increased costs are due to the purchase of additional hardware such as servers and
components. As an organization adds components, the result is an increase in configuration
complexity. Unfortunately, increased configuration complexity increases the risk factors. The
more moving parts involved, the higher the likelihood of failed components.
Threats to Availability
The following threats pose a high risk to data and information availability:
• An unauthorized user successfully penetrates and compromises an organization’s
primary database
• A successful DoS attack significantly affects operations
• An organization suffers a significant loss of confidential data
• A mission-critical application goes down
• A compromise of the Admin or root user occurs
• The detection of a cross-site script or illegal file server share
• The defacement of an organization’s website impacts public relations
• A severe storm such as a hurricane or tornado
• A catastrophic event such as a terrorist attack, building bombing, or building fire
• Long-term utility or service provider outage
• Water damage as the result of flooding or sprinkler failure
Categorizing the impact level for each threat helps an organization realize the dollar impact of a
threat.
System resiliency refers to the capability to maintain availability of data and operational
processing despite attacks or disruptive events. Generally, this requires redundant systems, in terms
of both power and processing, so that should one system fail, the other can take over operations
without any break in service. System resiliency is more than hardening devices; it requires that
both data and services be available even when under attack.
Fault tolerance enables a system to continue to operate if one or more components fail. Data
mirroring is one example of fault tolerance. Should a "fault" occur, causing disruption in a device
such as a disk controller, the mirrored system provides the requested data with no apparent
interruption in service to the user.
Asset Identification
An organization needs to know what hardware and software are present as a prerequisite to
knowing what the configuration parameters need to be. Asset management includes a complete
inventory of hardware and software.
This means that the organization needs to know all of the components that can be subject to security
risks, including:
• Every hardware system
• Every operating system
• Every hardware network device
• Every network device operating system
• Every software application
• All firmware
• All language runtime environments
• All individual libraries
An organization may choose an automated solution to keep track of assets. An administrator
should investigate any changed configuration because it may mean that the configuration is not
up-to-date. It can also mean that unauthorized changes are happening.