Chapter 8: Becoming a Cybersecurity Specialist

Advances in technology have put a multitude of interconnected devices into daily use around the world. This increased connectivity, though, brings an increased risk of theft, fraud, and abuse throughout the technology infrastructure. This chapter categorizes the information technology infrastructure into seven domains. Each domain requires the proper security controls to meet the requirements of the CIA triad.

The chapter discusses the laws that affect technology and cybersecurity requirements. Many of these laws focus on different types of data found in various industries and contain privacy and information security concepts. Several agencies within the U.S. government regulate an organization’s compliance with these types of laws. The cybersecurity specialist needs to understand how the law and the organization’s interests help to guide ethical decisions. Cyber ethics looks at the effect of the use of computers and technology on individuals and society.

Organizations employ cybersecurity specialists in many different positions, such as penetration testers, security analysts, and other network security professionals. Cybersecurity specialists help protect personal data and the ability to use network based services. The chapter discusses the pathway to becoming a cybersecurity specialist. Finally, this chapter discusses several tools available to cybersecurity specialists.

Common User Threats and Vulnerabilities

The User Domain includes the users who access the organization’s information system. Users can be employees, customers, business contractors and other individuals that need access to data. Users are often the weakest link in the information security systems and pose a significant threat to the confidentiality, integrity, and availability of the organization’s data.

Risky or poor user practices often undermine even the best security system. The following are common user threats found in many organizations:

  • No awareness of security – users must be aware of sensitive data, security policies and procedures, technologies and countermeasures provided to protect information and information systems.
  • Poorly enforced security policies – all users must be aware of security policies and consequences of not complying with the organization’s policies.
  • Data theft – data theft by users can cost organizations financially, damage an organization’s reputation, or create legal liability associated with the disclosure of sensitive information.
  • Unauthorized downloads – many network and workstation infections and attacks trace back to users who download unauthorized emails, photos, music, games, apps, programs and videos to workstations, networks, or storage devices.
  • Unauthorized media – the use of unauthorized media like CDs, USB drives and network storage devices can result in malware infections and attacks.
  • Unauthorized VPNs – VPNs can hide the theft of unauthorized information. The encryption normally used to protect confidentiality blinds the IT security staff to data transmission without proper authority.
  • Unauthorized websites – accessing unauthorized websites can pose a risk to the user’s data, devices and the organization. Many websites prompt the visitors to download scripts or plugins that contain malicious code or adware. Some of these sites can take over devices like cameras and applications.
  • Destruction of systems, applications, or data – accidental or deliberate destruction or sabotage of systems, application and data pose a great risk to all organizations. Activists, disgruntled employees and industry competitors can delete data, destroy devices or misconfigure devices to make data and information systems unavailable.

No technical solution, controls or countermeasures make information systems any more secure than the behaviors and processes of the people who use these systems.

Managing User Threats

Organizations can implement various measures to manage user threats:

  • Conduct security awareness training by displaying security awareness posters, inserting reminders in banner greetings, and sending email reminders to employees.
  • Educate users annually on policies, staff manuals, and handbook updates.
  • Tie security awareness to performance review objectives.
  • Enable content filtering and antivirus scanning for email attachments.
  • Use content filtering to permit or deny specific domain names in accordance with Acceptable Use Policies (AUP).
  • Disable internal CD drives and USB ports.
  • Enable automatic antivirus scans for inserted media drives, files, and email attachments.
  • Restrict access for users to only those systems, applications, and data needed to perform their job.
  • Minimize write/delete permissions to the data owner only.
  • Track and monitor abnormal employee behavior, erratic job performance, and use of IT infrastructure during off-hours.
  • Implement access control lockout procedures based on AUP monitoring and compliance.
  • Enable intrusion detection system/intrusion prevention system (IDS/IPS) monitoring for sensitive employee positions and access.

The table shown in the figure matches up user domain threats with the countermeasures used to manage them.
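Two of the countermeasures above, restricting users to the systems their job requires and monitoring use of the IT infrastructure during off-hours, can be checked mechanically against authentication logs. The following is an added example (not part of the original chapter) that parses constructed login records in a simple key=value format, compares each successful login against a hypothetical entitlement table, and flags logins that fall outside business hours or outside the account's entitled hosts. The log format, the business-hours window, and the entitlement table are all assumptions chosen for the example.

```python
from datetime import datetime

# Assumed business hours: 08:00-17:59 local time, Monday to Friday.
BUSINESS_HOURS = range(8, 18)

# Constructed entitlement table: which systems each account needs for its job
# (the "restrict access to only those systems needed" countermeasure).
ENTITLEMENTS = {
    "jdoe": {"workstation-14"},
    "asmith": {"workstation-22", "fileserver01"},
}

# Constructed sample log lines; the key=value layout is an assumption.
SAMPLE_LOG = """\
2024-03-04T09:12:03 user=jdoe host=workstation-14 action=login result=success
2024-03-04T02:17:44 user=jdoe host=fileserver01 action=login result=success
2024-03-06T11:40:10 user=asmith host=fileserver01 action=login result=success
2024-03-09T14:05:51 user=asmith host=workstation-22 action=login result=success
2024-03-05T10:30:00 user=asmith host=fileserver01 action=login result=failure
"""


def parse_line(line):
    """Split one record into a dict: ISO timestamp first, then key=value fields."""
    ts_text, *fields = line.split()
    record = {"timestamp": datetime.fromisoformat(ts_text)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def is_off_hours(ts):
    """True on weekends (Saturday=5, Sunday=6) or outside the business-hours window."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def analyze(log_text):
    """Return (user, host, timestamp, reasons) for each successful login that
    happened off-hours or on a host the account is not entitled to use."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Failed logins are handled by lockout policy; this check covers
        # successful access that looks abnormal for the account.
        if rec.get("action") != "login" or rec.get("result") != "success":
            continue
        reasons = []
        if is_off_hours(rec["timestamp"]):
            reasons.append("off-hours access")
        if rec["host"] not in ENTITLEMENTS.get(rec["user"], set()):
            reasons.append("host outside job entitlement")
        if reasons:
            findings.append(
                (rec["user"], rec["host"], rec["timestamp"].isoformat(), reasons)
            )
    return findings


if __name__ == "__main__":
    for user, host, when, reasons in analyze(SAMPLE_LOG):
        print(f"{when} {user}@{host}: {', '.join(reasons)}")
```

Run against the constructed log, the check flags the 02:17 login by `jdoe` to `fileserver01` (both off-hours and outside that account's entitlement) and the Saturday login by `asmith`; the failed login is skipped. In practice the entitlement table would be generated from the access-control system rather than hand-written, and the findings would feed the review process described in the bullet list rather than block access on their own.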


Common Threats to Devices

A device is any desktop computer, laptop, tablet, or smartphone that connects to the network.

The following pose a threat to devices:

  • Unattended workstations – workstations left powered on and unattended pose a risk of unauthorized access to network resources
  • User downloads – downloaded files, photos, music, or videos can be a vehicle for malicious code
  • Unpatched software – software security vulnerabilities provide weaknesses that cyber criminals can exploit
  • Malware – new viruses, worms, and other malicious code come to light on a daily basis
  • Unauthorized Media – users that insert USB drives, CDs, or DVDs can either introduce malware or run the risk of compromising data stored on the workstation
  • Acceptable Use Policy Violation – Policies are in place to protect the organization’s IT infrastructure

Managing Device Threats

Organizations can implement various measures to manage threats to devices:
  • Establish policies for password protection and lockout thresholds on all devices.
  • Enable screen lockout during times of inactivity.
  • Disable administrative rights for users.
  • Define access control policies, standards, procedures, and guidelines.
  • Update and patch all operating systems and software applications.
  • Implement automated antivirus solutions that scan the system and update the antivirus software to provide proper protection.
  • Deactivate all CD, DVD, and USB ports.
  • Enable automatic antivirus scans for any CDs, DVDs, or USB drives inserted.
  • Use content filtering.
  • Mandate annual security awareness training or implement security awareness campaigns and programs that run throughout the year.
The table shown in the figure matches up device domain threats with the countermeasures used to manage them.

Common Threats to the LAN

The local area network (LAN) is a collection of devices interconnected using cables or airwaves. The LAN Domain requires strong security and access controls since users can access the organization’s systems, applications, and data from the LAN domain.

The following pose a threat to the LAN:
  • Unauthorized LAN access – wiring closets, data centers, and computer rooms must remain secure
  • Unauthorized access to systems, applications, and data
  • Network operating system software vulnerabilities
  • Network operating system updates
  • Unauthorized access by rogue users on wireless networks
  • Exploits of data in-transit
  • LAN servers with different hardware or operating systems – managing and troubleshooting servers becomes more difficult with varied configurations
  • Unauthorized network probing and port scanning
  • Misconfigured firewall

Managing Threats to the LAN

Organizations can implement various measures to manage threats to the local area network:
  • Secure wiring closets, data centers, and computer rooms. Deny access to anyone without the proper credentials.
  • Define strict access control policies, standards, procedures, and guidelines.
  • Restrict access privileges for specific folders and files based on need.
  • Require passphrases or authentication for wireless networks.
  • Implement encryption between devices and wireless networks to maintain confidentiality.
  • Implement LAN server configuration standards.
  • Conduct post-configuration penetration tests.
  • Disable ping and port scanning.
The table shown in the figure matches up LAN domain threats with the countermeasures used to manage them.

Common Threats to the Private Cloud

The Private Cloud Domain includes private servers, resources, and IT infrastructure available to members of an organization via the Internet.

The following pose a threat to the private cloud:
  • Unauthorized network probing and port scanning
  • Unauthorized access to resources
  • Router, firewall, or network device operating system software vulnerability
  • Router, firewall, or network device configuration error
  • Remote users accessing the organization’s infrastructure and downloading sensitive data

Managing Threats to the Private Cloud

Organizations can implement various measures to manage threats to the private cloud:
  • Disable ping, probing, and port scanning.
  • Implement intrusion detection and prevention systems.
  • Monitor inbound IP traffic anomalies.
  • Update devices with security fixes and patches.
  • Conduct penetration tests post configuration.
  • Test inbound and outbound traffic.
  • Implement a data classification standard.
  • Implement file transfer monitoring and scanning for unknown file type.
The table shown in the figure matches up Private Cloud Domain threats with the countermeasures used to manage them.

Common Threats to the Public Cloud

The Public Cloud Domain includes services hosted by a cloud provider, service provider, or Internet provider. Cloud providers do implement security controls to protect the cloud environment, but organizations are responsible for protecting their resources on the cloud. Three different service models exist from which an organization may choose:
  • Software as a service (SaaS) – a subscription-based model that provides access to software that is centrally hosted and accessed by users via a web browser.
  • Platform as a service (PaaS) – provides a platform that allows an organization to develop, run, and manage its applications on the service’s hardware using tools that the service provides.
  • Infrastructure as a service (IaaS) – provides virtualized computing resources such as hardware, software, servers, storage and other infrastructure components over the Internet.
The following pose a threat to the public cloud:
  • Data breaches
  • Loss or theft of intellectual property
  • Compromised credentials
  • Federated identity repositories are a high-value target
  • Account hijacking
  • Lack of understanding on the part of the organization
  • Social engineering attacks that lure the victim
  • Compliance violation

Managing Threats to the Public Cloud

Organizations can implement various measures to manage threats to the public cloud:
  • Multifactor authentication
  • Use of encryption
  • Implement one-time passwords, phone-based authentication, and smartcards
  • Distributing data and applications across multiple zones
  • Data backup procedures
  • Due diligence
  • Security awareness programs
  • Policies
The table shown in the figure matches up Public Cloud Domain threats with the countermeasures used to manage them.

Common Threats to Physical Facilities

The Physical Facilities Domain includes all of the services used by an organization including HVAC, water, and fire detection. This domain also includes physical security measures employed to safeguard the facility.

The following pose a threat to an organization’s facilities:
  • Natural threats including weather problems and geological hazards
  • Unauthorized access to the facilities
  • Power interruptions
  • Social engineering to learn about security procedures and office policies
  • Breach of electronic perimeter defenses
  • Theft
  • An open lobby that allows a visitor to walk straight through to the inside facilities
  • An unlocked data center
  • Lack of surveillance

Managing Threats to Physical Facilities

Organizations can implement various measures to manage threats to the physical facilities:
  • Implement access control and closed-circuit TV (CCTV) coverage at all entrances.
  • Establish policies and procedures for guests visiting the facility.
  • Test building security using both cyber and physical means to covertly gain access.
  • Implement badge encryption for entry access.
  • Develop a disaster recovery plan.
  • Develop a business continuity plan.
  • Conduct security awareness training regularly.
  • Implement an asset tagging system.
The table shown in the figure matches up Physical Facilities Domain threats with the countermeasures used to manage them.

Common Threats to Applications

The Application Domain includes all of the critical systems, applications, and data. Additionally, it includes the hardware and any logical design required. Organizations are moving applications like email, security monitoring and database management to the public cloud.

The following pose a threat to applications:
  • Unauthorized access to data centers, computer rooms, and wiring closets
  • Server downtime for maintenance purposes
  • Network operating system software vulnerability
  • Unauthorized access to systems
  • Data loss
  • Downtime of IT systems for an extended period
  • Client/server or web application development vulnerabilities

Managing Threats to Applications

Organizations can implement various measures to manage threats to the Application Domain:
  • Implement policies, standards, and procedures for staff and visitors to ensure the facilities are secure.
  • Conduct software testing prior to launch.
  • Implement data classification standards.
  • Develop a policy to address application software and operating system updates.
  • Implement backup procedures.
  • Develop a business continuity plan for critical applications to maintain availability of operations.
  • Develop a disaster recovery plan for critical applications and data.
  • Implement logging.
The table shown in the figure matches up Application Domain threats with the countermeasures used to manage them.


Ethics of a Cybersecurity Specialist

Ethics is the little voice in the background guiding a cybersecurity specialist as to what he should or should not do, regardless of whether it is legal. The organization entrusts the cybersecurity specialist with the most sensitive data and resources. The cybersecurity specialist needs to understand how the law and the organization’s interests help to guide ethical decisions.

Cyber criminals that break into a system, steal credit card numbers, and release a worm are performing unethical actions. How does an organization view the actions of a cybersecurity specialist if they are similar? For example, a cybersecurity specialist may have the opportunity to stop the spread of a worm preemptively by patching it. In effect, the cybersecurity specialist is releasing a worm. This worm is not malicious, though, so does this case get a pass?

The following ethical systems look at ethics from various perspectives.

Utilitarian Ethics

During the 19th century, Jeremy Bentham and John Stuart Mill created Utilitarian Ethics. The guiding principle is that any actions that provide the greatest amount of good over bad or evil are ethical choices.

The Rights Approach

The guiding principle for the Rights Approach is that individuals have the right to make their own choices. This perspective looks at how an action affects the rights of others to judge whether an action is right or wrong. These rights include the right to truth, privacy, safety, and that society applies laws fairly to all members of society.

The Common-Good Approach

The Common-Good Approach proposes that the common good is whatever benefits the community. In this case, a cybersecurity specialist looks at how an action affects the common good of society or the community.

No clear-cut answers provide obvious solutions to the ethical issues that cybersecurity specialists face. The answer as to what is right or wrong can change depending on the situation and the ethical perspective.

Computer Ethics Institute

The Computer Ethics Institute is a resource for identifying, assessing, and responding to ethical issues throughout the information technology industry. CEI was one of the first organizations to recognize the ethical and public policy issues arising from the rapid growth of the information technology field. The figure lists the Ten Commandments of Computer Ethics created by the Computer Ethics Institute.


Cybercrime

Laws prohibit undesired behaviors. Unfortunately, information system technologies advance much faster than the legal system’s processes of compromise and lawmaking. A number of laws and regulations affect cyberspace. Several specific laws guide the policies and procedures developed by an organization to ensure that it is in compliance.

Cybercrime

A computer may be involved in a cybercrime in several different ways: there is computer-assisted crime, computer-targeted crime, and computer-incidental crime. Child pornography is an example of computer-incidental crime; the computer is a storage device and is not the actual tool used to commit the crime.

The growth in cybercrime is due to a number of different reasons. There are many tools widely available on the Internet now, and potential users do not need a great deal of expertise to use these tools.

Organizations Created to Fight Cybercrime

There are a number of agencies and organizations out there to aid the fight against cybercrime. Click each of the links in the figure to visit the websites for these organizations to help keep up with the important issues.

Civil, Criminal, and Regulatory Cyber Laws

In the United States, there are three primary sources of laws and regulations: statutory law, administrative law, and common law. All three sources involve computer security. The U.S. Congress established federal administrative agencies and a regulatory framework that includes both civil and criminal penalties for failing to follow the rules.

Criminal laws enforce a commonly accepted moral code backed by the authority of the government. Regulations establish rules designed to address consequences in a rapidly changing society enforcing penalties for violating those rules. For example, the Computer Fraud and Abuse Act is a statutory law. Administratively, the FCC and Federal Trade Commission have been concerned with issues such as intellectual property theft and fraud. Finally, common law cases work their ways through the judicial system providing precedents and constitutional bases for laws.

The Federal Information Security Management Act (FISMA)

Congress created FISMA in 2002 to change the U.S. government’s approach to information security. Because the federal government is the largest creator and user of information, federal IT systems are high-value targets for cyber criminals. FISMA applies to federal agencies’ IT systems and stipulates that agencies create an information security program that includes the following:
  • Risk assessments
  • Annual inventory of IT systems
  • Policies and procedures to reduce risk
  • Security awareness training
  • Testing and evaluation of all IT system controls
  • Incident response procedure
  • Continuity of operations plan

Industry-Specific Laws

Many industry specific laws have a security and/or a privacy component. The U.S. government requires compliance from organizations within these industries. Cybersecurity specialists must be able to translate the legal requirements into security policies and practices.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act is a piece of legislation that mainly affects the financial industry. A portion of that legislation, though, includes privacy provisions for individuals. The provision provides for opt-out methods so that individuals can control the use of information provided in a business transaction with an organization that is part of the financial institution. The GLBA restricts information sharing with third-party firms.

Sarbanes-Oxley Act (SOX)

Following several high-profile corporate accounting scandals in the U.S., Congress passed the Sarbanes-Oxley Act (SOX). The purpose of SOX was to overhaul financial and corporate accounting standards, and it specifically targeted the standards of publicly traded firms in the United States.

Payment Card Industry Data Security Standard (PCI DSS)

Private industry also recognizes how important uniform and enforceable standards are. A Security Standards Council composed of the top corporations in the payment card industry designed a private sector initiative to improve the confidentiality of network communications.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of contractual rules governing how to protect credit card data as merchants and banks exchange the transaction. The PCI DSS is a voluntary standard (in theory) and merchants/vendors can choose whether they wish to abide by the standard. However, vendor noncompliance may result in significantly higher transaction fees, fines up to $500,000, and possibly even the loss of the ability to process credit cards.

Import/Export Encryption Restrictions

Since World War II, the United States has regulated the export of cryptography due to national security considerations. The Bureau of Industry and Security in the Department of Commerce now controls non-military cryptography exports. There are still export restrictions to rogue states and terrorist organizations.

Countries may decide to restrict the import of cryptography technologies for the following reasons:
  • The technology may contain a backdoor or security vulnerability.
  • Citizens can anonymously communicate and avoid any monitoring.
  • Cryptography may increase levels of privacy above an acceptable level.

Security Breach Notification Laws

Businesses are collecting ever-increasing amounts of personal information about their customers, from account passwords and email addresses to highly sensitive medical and financial information. Companies large and small recognize the value of big data and data analytics. This encourages organizations to collect and store information. Cyber criminals are always looking for ways to obtain such information or access and exploit a company’s most sensitive, confidential data. Organizations that collect sensitive data need to be good data custodians. In response to this growth in data collection, several laws require organizations that collect personal information to notify individuals if a breach of their personal data occurs. To see a list of these laws click here.

Electronic Communications Privacy Act (ECPA)

The Electronic Communications Privacy Act (ECPA) addresses a myriad of legal privacy issues that resulted from the increasing use of computers and other technology specific to telecommunications. Sections of this law address email, cellular communications, workplace privacy, and a host of other issues related to communicating electronically.

Computer Fraud and Abuse Act (1986)

The Computer Fraud and Abuse Act (CFAA) has been in force for over 20 years. The CFAA provides the foundation for U.S. laws criminalizing unauthorized access to computer systems. The CFAA makes it a crime to knowingly access a computer considered either a government computer or a computer used in interstate commerce, without permission. The CFAA also criminalizes the use of a computer in a crime that is interstate in nature.

The Act criminalizes trafficking in passwords or similar access information, and the act makes it a crime to transmit a program, code, or a command knowingly that results in damage.

Protecting Privacy

The following U.S. laws protect privacy.

Privacy Act of 1974

This act establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies.

Freedom of Information Act (FOIA)

FOIA enables public access to U.S. government records. FOIA carries a presumption of disclosure, so the burden is on the government as to why it cannot release the information.

There are nine disclosure exemptions pertaining to FOIA.
  • National security and foreign policy information
  • Internal personnel rules and practices of an agency
  • Information specifically exempted by statute
  • Confidential business information
  • Inter- or intra-agency communication subject to deliberative process, litigation, and other privileges
  • Information that, if disclosed, would constitute a clearly unwarranted invasion of personal privacy
  • Law enforcement records that implicate one of a set of enumerated concerns
  • Agency information from financial institutions
  • Geological and geophysical information concerning wells

Family Educational Rights and Privacy Act (FERPA)

This Federal law gave students access to their education records. FERPA operates on an opt-in basis, as the student must approve the disclosure of information prior to the actual disclosure. When a student turns 18 years old or enters a postsecondary institution at any age, these rights under FERPA transfer from the student’s parents to the student.

U.S. Computer Fraud and Abuse Act (CFAA)

This amendment to the Comprehensive Crime Control Act of 1984 prohibits the unauthorized access of a computer. The CFAA increased the scope of the previous Act to cases of great federal interest. These cases are defined as involving computers belonging to the federal government or some financial institutions or where the crime is interstate in nature.

U.S. Children’s Online Privacy Protection Act (COPPA)

This federal law applies to the online collection of personal information by persons or entities under U.S. jurisdiction from children under 13 years of age. Before information can be collected and used from children (ages 13 and under), parental permission needs to be obtained.

U.S. Children’s Internet Protection Act (CIPA)

The U.S. Congress passed CIPA in 2000 to protect children under the age of 17 from exposure to offensive Internet content and obscene material.

Video Privacy Protection Act (VPPA)

The Video Privacy Protection Act protects an individual from having the video tapes, DVDs, and games they rented disclosed to another party. The statute provides the protections by default, thus requiring a video rental company to obtain the renter’s consent to opt out of the protections if the company wants to disclose personal information about rentals. Many privacy advocates consider VPPA to be the strongest U.S. privacy law.

Health Insurance Portability & Accountability Act (HIPAA)

The standards mandate safeguards for physical storage, maintenance, transmission, and access to individuals’ health information. HIPAA mandates that organizations that use electronic signatures have to meet standards ensuring information integrity, signer authentication, and nonrepudiation.

California Senate Bill 1386 (SB 1386)

California was the first state to pass a law regarding the notification of the unauthorized disclosure of personally identifiable information. Since then, many other states have followed suit. Each of these disclosure notice laws is different, making the case for a unifying federal statute compelling. This act requires that the agencies provide consumers notice of their rights and responsibilities. It mandates that the state notify citizens whenever PII is lost or disclosed. Since the passage of SB 1386, numerous other states have modeled legislation on this bill.

Privacy Policies

Policies are the best way to ensure compliance across an organization, and a privacy policy plays an important role within the organization, especially with the numerous laws enacted to protect privacy. One of the direct outcomes of the legal statutes associated with privacy has been the development of a need for corporate privacy policies associated with data collection.

Privacy Impact Assessment (PIA)

A privacy impact assessment ensures that personally identifiable information (PII) is properly handled throughout an organization.
  • Establish PIA scope.
  • Identify key stakeholders.
  • Document all contact with PII.
  • Review legal and regulatory requirements.
  • Document potential issues found when comparing requirements and practices.
  • Review findings with key stakeholders.

International Laws

With the growth of the Internet and global network connections, unauthorized entry into a computer system, or computer trespass, has emerged as a concern that can have national and international consequences. National laws for computer trespass exist in many countries, but there can always be gaps in how these nations handle this type of crime.

Convention on Cybercrime

The Convention on Cybercrime is the first international treaty on Internet crimes (EU, U.S., Canada, Japan, and others). Common policies handle cybercrime and address the following: copyright infringement, computer-related fraud, child pornography, and violations of network security. Click here to read more about the Convention on Cybercrime.

Electronic Privacy Information Center (EPIC)

EPIC promotes privacy and open government laws and policies globally and focuses on EU-US relations.

National Vulnerability Database

The National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data that uses the Security Content Automation Protocol (SCAP). SCAP is a method for using specific standards to automate vulnerability management, measurement, and policy compliance evaluation. Click here to visit the National Vulnerability Database website.

SCAP uses open standards to enumerate security software flaws and configuration issues. The specifications organize and measure security-related information in standardized ways. The SCAP community is a partnership between the private and public sector to advance the standardization of technical security operations. Click here to visit the Security Content Automation Protocol website.

The NVD uses the Common Vulnerability Scoring System to assess the impact of vulnerabilities. An organization can use the scores to rank the severity of vulnerabilities that it finds within its network. This, in turn, can help determine the mitigation strategy.

The site also contains a number of checklists that provide guidance on configuring operating systems and applications to provide a hardened environment. Click here to visit the National Checklist Program Repository.

CERT

The Software Engineering Institute (SEI) at Carnegie Mellon University helps government and industry organizations to develop, operate, and maintain software systems that are innovative, affordable, and trustworthy. It is a Federally Funded Research and Development Center sponsored by the U.S. Department of Defense.

The CERT Division of SEI studies and solves problems in the cybersecurity arena including security vulnerabilities in software products, changes in networked systems, and training to help improve cybersecurity. CERT provides the following services:
  • Helps to resolve software vulnerabilities
  • Develops tools, products, and methods to conduct forensic examinations
  • Develops tools, products, and methods to analyze vulnerabilities
  • Develops tools, products, and methods to monitor large networks
  • Helps organizations determine how effective their security-related practices are
CERT has an extensive database of information about software vulnerabilities and malicious code to help develop solutions and remediation strategies. Click here to visit the CERT website.

Internet Storm Center

The Internet Storm Center (ISC) provides a free analysis and warning service to Internet users and organizations. It also works with Internet Service Providers to combat cyber criminals. The Internet Storm Center gathers millions of log entries from intrusion detection systems every day using sensors covering 500,000 IP addresses in over 50 countries. The ISC identifies sites used for attacks and provides data on the types of attacks launched against various industries and regions of the world.

Click here to visit the Internet Storm Center. The website offers the following resources:
  • An InfoSec Diary Blog Archive
  • Podcasts which include the Daily Stormcasts, daily 5-10 minute information security threat updates
  • InfoSec Job Postings
  • Information Security News
  • InfoSec Tools
  • InfoSec Reports
  • SANS ISC InfoSec Forums
The SANS Institute supports the Internet Storm Center. SANS is a trusted source for information security training, certification, and research.

The Advanced Cyber Security Center

The Advanced Cyber Security Center (ACSC) is a non-profit organization that brings together industry, academia, and government to address advanced cyber threats. The organization shares information on cyber threats, engages in cybersecurity research and development, and creates education programs to promote the cybersecurity profession.

ACSC defined four challenges that will help shape its priorities:
  • Build resilient systems to recover from attacks and failures.
  • Enhance mobile security.
  • Develop real-time threat sharing.
  • Integrate cyber risks with enterprise risk frameworks.
Click here to visit the Advanced Cyber Security Center.

Vulnerability Scanners

A vulnerability scanner assesses computers, computer systems, networks, or applications for weaknesses. Vulnerability scanners help to automate security auditing by scanning the network for security risks and producing a prioritized list to address weaknesses. A vulnerability scanner looks for the following types of vulnerabilities:
  • Use of default passwords or common passwords
  • Missing patches
  • Open ports
  • Misconfiguration of operating systems and software
  • Active IP addresses (host discovery, used to build the list of targets to scan)
When evaluating a vulnerability scanner, look at how it is rated for accuracy, reliability, scalability, and reporting. There are two types of vulnerability scanners to choose from—software-based or cloud-based.

Vulnerability scanning is critical for organizations with networks that include a large number of network segments, routers, firewalls, servers, and other business devices. Click here to see several available options for both commercial and free versions.

Penetration Testing

Penetration testing (pen testing) is a method of testing a system for weaknesses by using the same techniques an attacker would use. Pen testing is not the same as vulnerability testing. Vulnerability testing only identifies potential problems. Pen testing involves a cybersecurity specialist who, with the organization's permission, attacks a website, network, or server to try to gain access to resources without the knowledge of usernames, passwords, or other normal means. The important differentiation between cyber criminals and cybersecurity specialists is that the cybersecurity specialists have the permission of the organization to conduct the tests, agreed in advance in a written scope.

One of the primary reasons that an organization uses pen testing is to find and fix any vulnerability before the cyber criminals do. Penetration testing is also known as ethical hacking.

Packet Analyzers

Packet analyzers (or packet sniffers) intercept and log network traffic. The packet analyzer captures each packet, shows the values of various fields in the packet, and analyzes its content. A sniffer can capture network traffic on both wired and wireless networks. Packet analyzers perform the following functions:
  • Network problem analysis
  • Detection of network intrusion attempts
  • Isolation of exploited systems
  • Traffic logging
  • Detection of network misuse
Click here to see a comparison of packet analyzers.

Security Tools

There is no one size fits all when it comes to the best security tools. A lot is going to depend on the situation, circumstance, and personal preference. A cybersecurity specialist must know where to go to get sound information.

Kali

Kali is an open source Linux security distribution. IT professionals use Kali Linux to test the security of their networks. Kali Linux incorporates more than 300 penetration testing and security auditing programs on a Linux platform. Click here to visit the website.

Network Situational Awareness

An organization needs the ability to monitor networks, analyze the resulting data, and detect malicious activity. Click here for access to a collection of traffic analysis tools developed by CERT.

Activity - Using the Appropriate Tool


Defining the Roles of Cybersecurity Professionals

The ISO/IEC 27000 family of standards defines the roles of cybersecurity professionals. The ISO 27000 framework requires:
  • A senior manager responsible for IT and ISM (often the audit sponsor)
  • Information security professionals
  • Security administrators
  • Site/physical security manager and facilities contacts
  • HR contact for HR matters such as disciplinary action and training
  • Systems and network managers, security architects and other IT professionals
The types of information security positions can be broken down as follows:
  • Definers provide policies, guidelines, and standards. They include consultants who do risk assessments and develop the product and technical architectures, and senior-level individuals within an organization who have broad knowledge but not a lot of in-depth knowledge.
  • Builders are the real techies who create and install security solutions.
  • Monitors administer the security tools, perform the security monitoring function, and improve the processes.

Job Search Tools

A variety of websites and mobile applications advertise information technology jobs. Each site targets different job applicants and provides different tools for candidates researching their ideal job position. Many sites are job site aggregators: a job search site that gathers listings from other job boards and company career sites and displays them in a single location.

Indeed.com

Advertised as the world's #1 job site, Indeed.com attracts over 180 million unique visitors every month from over 50 different countries. Indeed is truly a worldwide job site. Indeed helps companies of all sizes hire the best talent and offers the best opportunity for job seekers.

CareerBuilder.com

CareerBuilder serves many large and prestigious companies. As a result, this site attracts specific candidates that typically have more education and higher credentials. The employers posting on CareerBuilder commonly get more candidates with college degrees, advanced credentials and industry certifications.

USAJobs.gov

The federal government posts its openings on USAJobs. Click here to learn more about the application process used by the U.S. government.

Ref : [1]

Chapter 7: Protecting a Cybersecurity Domain

Protecting your domain is an on-going process to secure an organization’s network infrastructure. It requires that individuals remain constantly vigilant to threats and take action to prevent any compromises. This chapter discusses the technologies, processes and procedures that cybersecurity professionals use to defend the systems, devices, and data that make up the network infrastructure.

A secure network is only as strong as its weakest link. It is important to secure the end devices that reside on the network. Endpoint security includes securing the network infrastructure devices on the local-area network (LAN) and end systems, such as workstations, servers, IP phones, and access points.

Device hardening is a critical task when securing the network. It involves implementing proven methods of physically securing network devices. Some of these methods involve securing administrative access, maintaining passwords, and implementing secure communications.

Operating System Security

The operating system plays a critical role in the operation of a computer system and is the target of many attacks. The security of the operating system has a cascading effect on the overall security of a computer system.

An administrator hardens an operating system by modifying the default configuration to make it more resistant to outside threats. This process includes the removal of unnecessary programs and services. Another critical requirement of hardening operating systems is the application of security patches and updates. Security patches and updates are fixes which companies release to mitigate vulnerabilities and correct faults in their products.

An organization should have a systematic approach in place for addressing system updates by:

  • Establishing procedures for monitoring security-related information
  • Evaluating updates for applicability
  • Planning the installation of application updates and patches
  • Installing updates using a documented plan

Another critical requirement of securing operating systems is to identify potential vulnerabilities. This can be accomplished by establishing a baseline. Establishing a baseline enables the administrator to do a comparison of how a system is performing versus its baseline expectations.

Microsoft Baseline Security Analyzer (MBSA) assesses missing security updates and security misconfigurations in Microsoft Windows. MBSA checks for blank, simple, or non-existent passwords, firewall settings, guest account status, administrator account details, security event auditing, unnecessary services, network shares, and registry settings. Microsoft no longer maintains MBSA, so on current Windows versions the same checks are done with Windows Update or WSUS compliance reporting and Microsoft's published security baselines. After hardening the operating system, the administrator creates the policies and procedures to maintain a high level of security.


Antimalware

Malware includes viruses, worms, Trojan horses, keyloggers, spyware, and adware. They all invade privacy, steal information, damage the system, or delete and corrupt data.

It is important to protect computers and mobile devices using reputable antimalware software. The following types of antimalware programs are available:

  • Antivirus protection - Program continuously monitors for viruses. When it detects a virus, the program warns the user, and it attempts to quarantine or delete the virus, as shown in Figure 1.
  • Adware protection – Program continuously looks for programs that display advertising on a computer.
  • Phishing protection – Program blocks the IP addresses of known phishing websites and warns the user about suspicious sites.
  • Spyware protection – Program scans for keyloggers and other spyware.
  • Trusted / untrusted sources – Program warns the user about unsafe programs trying to install or unsafe websites before a user visits them.

It may take several different programs and multiple scans to remove all malicious software completely. Run only one malware protection program at a time.

Several reputable security organizations such as McAfee, Symantec, and Kaspersky offer all-inclusive malware protection for computers and mobile devices.

Be cautious of malicious rogue antivirus products that may appear while browsing the Internet. Most of these rogue antivirus products display an ad or pop-up that looks like an actual Windows warning window, as shown in Figure 2. They usually state that malware is infecting the computer and prompt the user to clean it. Clicking anywhere inside the window may actually begin the download and installation of the malware.

Unapproved, or non-compliant, software is not just software that a user unintentionally installs on a computer. It can also come from users that meant to install it. It may not be malicious, but it still may violate security policy. This type of non-compliant system can interfere with company software, or network services. Users must remove unapproved software immediately.


Patch Management

Patches are code updates that vendors release to fix discovered vulnerabilities and faults, closing the holes that a newly discovered virus or worm exploits. From time to time, vendors combine patches and upgrades into a comprehensive update package called a service pack. Many devastating virus attacks could have been much less severe if more users had installed the latest patches and service packs.

Windows routinely checks the Windows Update website for high-priority updates that can help protect a computer from the latest security threats. These updates include security updates, critical updates, and service packs. Depending on the setting configured, Windows automatically downloads and installs any high-priority updates that the computer needs or notifies the user as these updates become available.

Some organizations may want to test a patch before deploying it throughout the organization. The organization would use a service that manages patches locally, such as Windows Server Update Services (WSUS), instead of the vendor's online update service. The benefits of using an automated patch update service include the following:

  • Administrators can approve or decline updates
  • Administrators can force the update of systems for a specific date
  • Administrators can obtain reports on the update needed by each system
  • Each computer does not have to connect to the vendor’s service to download patches; a system gets the update from a local server
  • Users cannot disable or circumvent updates

An automated patch service provides administrators with a more controlled setting.

Host-Based Firewalls and Intrusion Detection Systems

A host-based solution is a software application that runs on a local host computer to protect it. The software works with the operating system to help prevent attacks.

Host-based Firewalls

A software firewall is a program that runs on a computer to allow or deny traffic between the computer and other connected computers. The software firewall applies a set of rules to data transmissions through inspection and filtering of data packets. Windows Firewall is an example of a software firewall. The Windows operating system installs it by default during installation.

The user can control the type of data sent to and from the computer by opening or blocking selected ports. Firewalls block incoming and outgoing network connections, unless exceptions are defined to open and close the ports required by a program.

In Figure 1, the user selects Inbound Rules to configure the types of traffic allowed to pass through to the system. Configuring inbound rules will help protect the system from unwanted traffic.
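
The rule evaluation below is an added example, not code from Windows or from the original course. It models how a host-based firewall such as Windows Defender Firewall decides on a connection: explicit block rules take precedence over allow rules regardless of their order, and a connection no rule matches falls to the profile default (block inbound, allow outbound). The rule names, ports and address ranges are constructed.

```python
"""Host-firewall rule evaluation (added example, not from the original page).

Models how a host-based firewall such as Windows Defender Firewall decides
whether a connection is allowed: explicit block rules win over allow rules
regardless of order, and anything no rule matches falls to the profile's
default action (block inbound, allow outbound).
"""
import ipaddress
from dataclasses import dataclass

ALLOW, BLOCK = "allow", "block"
DEFAULTS = {"in": BLOCK, "out": ALLOW}


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str              # "in" or "out"
    action: str                 # ALLOW or BLOCK
    protocol: str = "any"       # "tcp", "udp" or "any"
    ports: tuple = ()           # local ports the rule covers; empty = any port
    remote: str = "0.0.0.0/0"   # remote address scope the rule applies to


@dataclass(frozen=True)
class Connection:
    direction: str
    protocol: str
    local_port: int
    remote_ip: str


def matches(rule, conn):
    """True if every field of the rule covers this connection attempt."""
    if rule.direction != conn.direction:
        return False
    if rule.protocol != "any" and rule.protocol != conn.protocol:
        return False
    if rule.ports and conn.local_port not in rule.ports:
        return False
    return ipaddress.ip_address(conn.remote_ip) in ipaddress.ip_network(rule.remote)


def evaluate(rules, conn):
    """Return (decision, reason) for a connection attempt."""
    hits = [r for r in rules if matches(r, conn)]
    # Block rules take precedence over allow rules, whatever their order.
    for r in hits:
        if r.action == BLOCK:
            return BLOCK, r.name
    for r in hits:
        if r.action == ALLOW:
            return ALLOW, r.name
    default = DEFAULTS[conn.direction]
    return default, "default-" + default


# Constructed rule set (hypothetical names): web ports open to everyone,
# Remote Desktop only from a management subnet, and an SMB block that is
# scoped too broadly, so the LAN allow rule beneath it never takes effect.
RULES = [
    Rule("Web Server (HTTP/HTTPS)", "in", ALLOW, "tcp", (80, 443)),
    Rule("Remote Desktop (mgmt only)", "in", ALLOW, "tcp", (3389,), "10.0.50.0/24"),
    Rule("Block SMB from outside", "in", BLOCK, "tcp", (445,), "0.0.0.0/0"),
    Rule("Allow SMB from LAN", "in", ALLOW, "tcp", (445,), "10.0.0.0/8"),
]


if __name__ == "__main__":
    attempts = [
        Connection("in", "tcp", 443, "203.0.113.7"),
        Connection("in", "tcp", 3389, "203.0.113.7"),
        Connection("in", "tcp", 3389, "10.0.50.12"),
        Connection("in", "tcp", 445, "10.0.3.9"),
        Connection("out", "tcp", 22, "192.0.2.10"),
    ]
    for c in attempts:
        decision, why = evaluate(RULES, c)
        print("%-3s %s/%-5d from %-13s -> %-5s (%s)"
              % (c.direction, c.protocol, c.local_port, c.remote_ip, decision, why))
```

The SMB pair shows a mistake that is easy to make when adding exceptions: because a block rule wins over any allow rule, the "Allow SMB from LAN" entry is dead, and the fix is to scope the block rule to the outside address ranges rather than to add more allow rules.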

Host Intrusion Detection Systems

A host intrusion detection system (HIDS) is software that runs on a host computer and monitors it for suspicious activity. Each server or desktop system that requires protection will need to have the software installed as shown in Figure 2. HIDS monitors system calls and file system access to ensure that the requests are not the result of malicious activity. It can also monitor system registry settings. The registry maintains configuration information about the computer.


HIDS stores all log data locally. It can also affect system performance because it is resource intensive. A host intrusion detection system cannot monitor any network traffic that does not reach the host system, but it does monitor operating system and critical system processes specific to that host.

Secure Communications

When connecting to the local network and sharing files, the communication between computers remains within that network. It is not exposed to the Internet, although anyone else on the same LAN can still observe it. To communicate and share resources over a network that is not trusted, users employ a Virtual Private Network (VPN).

A VPN is a private network that connects remote sites or users together over a public network, like the Internet. The most common type of VPN accesses a corporate private network. The VPN uses encrypted tunnels, routed through the Internet, between the corporate private network and the remote user. When connected to the corporate private network, users become part of that network and have access to all services and resources as if they were physically connected to the corporate LAN.

Remote-access users must have a VPN client installed on their computers to form a secure connection with the corporate private network. The VPN client software encrypts data before sending it over the Internet to the VPN gateway at the corporate private network. VPN gateways establish, manage, and control VPN connections, also known as VPN tunnels.


Operating systems include a VPN client that the user configures for a VPN connection.

WEP

One of the most important components of modern computing is mobile devices. The majority of devices found on today's networks are laptops, tablets, smart phones and other wireless devices. Mobile devices transmit data using radio signals that any device with a compatible antenna can receive. For this reason the computer industry has developed a suite of wireless or mobile security standards, products and devices. These standards encrypt information transmitted through the airwaves by mobile devices.

Wired Equivalent Privacy (WEP) was one of the first and most widely used Wi-Fi security standards. It became a Wi-Fi security standard in 1999, when wireless communication was just catching on, and provides both authentication and encryption. Despite revisions to the standard and an increased key size, WEP suffers from numerous design weaknesses, and attackers can recover a WEP key in minutes using freely available software. WEP is obsolete, but many devices still support it for backwards compatibility, so any network that still relies on WEP should be upgraded.

WPA/WPA2

The next major improvement to wireless security was the introduction of WPA and WPA2. Wi-Fi Protected Access (WPA) was the computer industry’s response to the weakness of the WEP standard. The most common WPA configuration is WPA-PSK (Pre-Shared Key). The keys used by WPA are 256-bit, a significant increase over the 64-bit and 128-bit keys used in the WEP system.

The WPA standard provided several security improvements. First, WPA provided message integrity checks (MIC) which could detect if an attacker had captured and altered data passed between the wireless access point and a wireless client. Another key security enhancement was Temporal Key Integrity Protocol (TKIP). The TKIP standard provided the ability to better handle, protect and change encryption keys. Advanced Encryption Standard (AES) superseded TKIP for even better key management and encryption protection.

WPA, like its predecessor WEP, included several widely recognized vulnerabilities. As a result, the Wi-Fi Alliance released Wi-Fi Protected Access II (WPA2) in 2004 and made it mandatory for Wi-Fi certified devices in 2006. One of the most significant security improvements from WPA to WPA2 was the mandatory use of AES and the introduction of Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) as a replacement for TKIP.
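
The derivation below is an added example, not code from the course or from any Wi-Fi vendor. It shows where the 256-bit key mentioned above comes from in WPA-PSK and WPA2-PSK: the Pairwise Master Key (PMK) is PBKDF2-HMAC-SHA1 of the passphrase, salted with the SSID, 4096 iterations, 32 bytes of output, as specified in IEEE 802.11i. The "password"/"IEEE" pair is the published test vector from that standard; the small wordlist is constructed.

```python
"""WPA/WPA2-PSK key derivation (added example, not from the original page).

The Pairwise Master Key (PMK) is PBKDF2-HMAC-SHA1 over the passphrase,
salted with the SSID, 4096 iterations, 32 bytes (256 bits) of output.
Because the SSID is public and the derivation is deterministic, anyone who
captures the four-way handshake can test passphrase guesses offline, so the
passphrase, not the 256-bit key length, sets the real security level.
"""
import hashlib
import hmac


def derive_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(target_pmk, ssid, wordlist):
    """Model of the offline check an attacker (or an auditor) runs: derive the
    PMK for each candidate and compare; returns the matching passphrase or None."""
    for candidate in wordlist:
        if not 8 <= len(candidate) <= 63:
            continue                        # cannot be a valid WPA passphrase
        if hmac.compare_digest(derive_pmk(candidate, ssid), target_pmk):
            return candidate
    return None


if __name__ == "__main__":
    # "password" / "IEEE" is the test vector published in IEEE 802.11i Annex H.
    pmk = derive_pmk("password", "IEEE")
    print("PMK:", pmk.hex())
    # Constructed wordlist: a weak passphrase falls within a handful of guesses.
    print("recovered:", offline_guess(pmk, "IEEE", ["12345678", "qwertyui", "password"]))
```

Each guess costs 4096 HMAC-SHA1 operations, which is slow for a single login but fast enough on commodity GPUs that short or dictionary passphrases do not survive; a long random passphrase, or WPA2-Enterprise with per-user credentials, is the practical defence.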

Mutual Authentication

One of the great vulnerabilities of wireless networks is the use of rogue access points. Access points are the devices that communicate with the wireless devices and connect them back to the wired network. Any device that has a wireless transmitter and a hardwired interface to a network can potentially act as a rogue or unauthorized access point. The rogue access point can imitate an authorized access point. The result is that wireless devices on the wireless network establish communication with the rogue access point instead of the authorized access point.

The impostor can receive connection requests, copy the data in the request and forward the data to the authorized network access point. This type of man-in-the-middle attack is very difficult to detect and can result in stolen login credentials and transmitted data. To counter rogue access points, the computer industry developed mutual authentication. Mutual authentication, also called two-way authentication, is a process or technology in which both entities in a communications link authenticate to each other. In a wireless network environment, the client authenticates to the access point and the access point authenticates to the client. This improvement enables clients to detect rogue access points before connecting to the unauthorized device.

Activity – Hardening Wireless and Mobile Devices

File Access Control

Permissions are rules configured to limit folder or file access for an individual or for a group of users. The figure lists the permissions that are available for files and folders.

Principle of Least Privilege

Users should be limited to only the resources they need on a computer system or on a network. For example, they should not be able to access all files on a server if they only need access to a single folder. It may be easier to provide users access to the entire drive, but it is more secure to limit access to only the folder that they need to perform their job. This is the principle of least privilege. Limiting access to resources also prevents malicious programs from accessing those resources if the user’s computer becomes infected.

Restricting User Permissions

If an administrator denies permissions to a network share for an individual or a group, this denial overrides any other permission settings. For example, if the administrator denies someone permission to a network share, the user cannot access that share, even if the user is the administrator or part of the administrator group. The local security policy must outline which resources and the type of access allowed for each user and group.

When a user changes the permissions of a folder, she has the option to apply the same permissions to all sub-folders. This is permission propagation. Permission propagation is an easy way to apply permissions to many files and folders quickly. After parent folder permissions have been set, folders and files created inside the parent folder inherit the permissions of the parent folder.

In addition, the location of the data and the action performed on the data determine the permission propagation:

  • Data moved to the same volume will keep the original permissions
  • Data copied to the same volume will inherit new permissions
  • Data moved to a different volume will inherit new permissions
  • Data copied to a different volume will inherit new permissions
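
The model below is an added example, not code from the course or from Windows. It captures the three rules just described (an explicit deny beats any allow, children inherit the parent folder's permissions, and whether an object keeps its permissions depends on move versus copy and same versus different volume) so they can be checked against concrete cases. The paths, users and groups are hypothetical.

```python
"""File access-control model (added example, not from the original page).

Models the rules described in the text: an explicit deny entry beats any
allow entry, new files and folders inherit the parent's permissions, and a
moved or copied object keeps or re-inherits permissions depending on
whether it stays on the same volume.  Paths, users and groups are hypothetical.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    """One access-control entry: a principal, a set of rights, allow or deny."""
    principal: str
    rights: frozenset
    allow: bool = True


@dataclass
class FsObject:
    path: str
    volume: str                         # drive letter the object lives on
    acl: list = field(default_factory=list)


def effective_access(obj, user, groups=()):
    """Rights 'user' actually has on 'obj' after deny entries are applied."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in obj.acl:
        if ace.principal in principals:
            (allowed if ace.allow else denied).update(ace.rights)
    # A deny overrides every allow, even one granted through Administrators.
    return allowed - denied


def create_child(parent, name):
    """Objects created inside a folder inherit its permissions (propagation)."""
    return FsObject(parent.path + "\\" + name, parent.volume, list(parent.acl))


def _dest_path(obj, dest):
    return dest.path + "\\" + obj.path.rsplit("\\", 1)[-1]


def move(obj, dest):
    """A move within a volume keeps the original ACL; across volumes the
    object is really copied and deleted, so it inherits from 'dest'."""
    acl = obj.acl if obj.volume == dest.volume else dest.acl
    return FsObject(_dest_path(obj, dest), dest.volume, list(acl))


def copy(obj, dest):
    """A copy is a new object, so it always inherits from 'dest'."""
    return FsObject(_dest_path(obj, dest), dest.volume, list(dest.acl))


if __name__ == "__main__":
    finance = FsObject("D:\\Finance", "D", [
        Ace("Finance", frozenset({"read", "write"})),
        Ace("Administrators", frozenset({"read", "write", "full"})),
        Ace("Contractors", frozenset({"read", "write"}), allow=False),
    ])
    report = create_child(finance, "Q3.xlsx")
    archive = FsObject("D:\\Archive", "D", [Ace("Everyone", frozenset({"read"}))])
    public = FsObject("E:\\Public", "E", [Ace("Everyone", frozenset({"read"}))])

    print("alice (Finance) on report:", effective_access(report, "alice", ["Finance"]))
    # bob is an administrator but also a contractor: the deny still wins.
    print("bob (Administrators, Contractors):",
          effective_access(report, "bob", ["Administrators", "Contractors"]))
    print("alice after move on same volume:", effective_access(move(report, archive), "alice", ["Finance"]))
    print("alice after copy on same volume:", effective_access(copy(report, archive), "alice", ["Finance"]))
    print("alice after move to another volume:", effective_access(move(report, public), "alice", ["Finance"]))
```

The "bob" case is the one to remember when auditing shares: a deny entry placed on a group a privileged account happens to belong to silently removes rights from that account as well, which is why deny entries should be rare and documented.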

File Encryption

Encryption is a tool used to protect data. Encryption transforms data using a cryptographic algorithm to make it unreadable without the key. The corresponding key returns the unreadable information back into readable data. Software programs encrypt files, folders, and even entire drives.

Encrypting File System (EFS) is a Windows feature that can encrypt data. The Windows implementation of EFS links it directly to a specific user account. Only the user that encrypted the data will be able to access the encrypted files or folders.

A user can also choose to encrypt an entire hard drive in Windows using a feature called BitLocker. To use BitLocker, at least two volumes must be present on a hard disk.

Before using BitLocker, the user needs to enable Trusted Platform Module (TPM) in the BIOS. The TPM is a specialized chip installed on the motherboard. The TPM stores information specific to the host system, such as encryption keys, digital certificates, and passwords. Applications, like BitLocker, that use encryption can make use of the TPM chip. Click TPM Administration to view the TPM details, as shown in the Figure.

BitLocker To Go encrypts removable drives. BitLocker To Go does not use a TPM chip, but still provides encryption for the data and requires a password.

System and Data Backups

An organization can lose data if cyber criminals steal it, equipment fails, or a disaster occurs. For this reason, it is important to perform a data backup regularly.

A data backup stores a copy of the information from a computer to removable backup media. The operator stores the backup media in a safe place. Backing up data is one of the most effective ways of protecting against data loss. If the computer hardware fails, the user can restore the data from the backup once the system is functional.

The organization’s security policy should include data backups. Users should perform data backups on a regular basis. Data backups are usually stored offsite to protect the backup media if anything happens to the main facility.

These are some considerations for data backups:

  • Frequency - Backups can take a long time. Sometimes it is easier to make a full backup monthly or weekly, and then do frequent partial backups of any data that has changed since the last full backup. However, having many partial backups increases the amount of time needed to restore the data.
  • Storage - For extra security, transport backups to an approved offsite storage location on a daily, weekly, or monthly rotation, as required by the security policy.
  • Security – Encrypt backups and protect them with a strong password or key. The operator then enters the password before restoring the data on the backup media.
  • Validation - Always validate backups to ensure the integrity of the data.
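
The script below is an added example, not a tool from the course. It works through the frequency and validation considerations above in one run: a full backup, a partial backup of only the files changed since it, a manifest of SHA-256 digests for each backup set, a validation pass that re-hashes the stored copies, and a restore that replays the full set and then the partial. The files, their contents and the simulated media corruption are constructed in a temporary directory.

```python
"""Full and partial backups with validation (added example, not from the original page).

Each backup set holds copies of the files plus a manifest of SHA-256 digests.
validate() re-hashes the stored copies against the manifest, which is how
silent media corruption is caught before the backup is needed.
"""
import hashlib
import json
import os
import shutil
import tempfile


def file_digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = file_digest(full)
    return digests


def write_backup(source, dest, kind, since=None):
    """Copy files from source into dest and record a manifest.

    kind="full" copies everything; kind="partial" copies only files whose
    digest differs from the 'since' manifest (new or changed since the full).
    """
    current = snapshot(source)
    base = since["files"] if since else {}
    to_copy = {rel: d for rel, d in current.items() if base.get(rel) != d}
    os.makedirs(dest, exist_ok=True)
    for rel in to_copy:
        target = os.path.join(dest, "data", rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(os.path.join(source, rel), target)
    manifest = {"kind": kind, "files": to_copy}
    with open(os.path.join(dest, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest


def validate(backup_dir):
    """Re-hash every stored copy against the manifest; return the bad files."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    bad = []
    for rel, expected in manifest["files"].items():
        stored = os.path.join(backup_dir, "data", rel)
        if not os.path.exists(stored) or file_digest(stored) != expected:
            bad.append(rel)
    return bad


def restore(backups, target):
    """Replay the full backup, then each partial in order, into target."""
    for backup_dir in backups:
        shutil.copytree(os.path.join(backup_dir, "data"), target, dirs_exist_ok=True)
    return snapshot(target)


def demo():
    """Full backup, edit a file, partial backup, corrupt a copy, validate, restore."""
    work = tempfile.mkdtemp()
    src = os.path.join(work, "src")
    os.makedirs(src)
    with open(os.path.join(src, "ledger.csv"), "w") as f:
        f.write("2024-01-01,100\n")            # constructed sample data
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("original\n")
    full = write_backup(src, os.path.join(work, "b0"), "full")
    with open(os.path.join(src, "notes.txt"), "w") as f:
        f.write("edited\n")
    partial = write_backup(src, os.path.join(work, "b1"), "partial", since=full)
    # Simulate media corruption of the full backup's copy of ledger.csv.
    with open(os.path.join(work, "b0", "data", "ledger.csv"), "ab") as f:
        f.write(b"garbage")
    result = {
        "full_count": len(full["files"]),
        "partial_files": sorted(partial["files"]),
        "full_problems": validate(os.path.join(work, "b0")),
        "partial_problems": validate(os.path.join(work, "b1")),
    }
    restored = restore([os.path.join(work, "b0"), os.path.join(work, "b1")],
                       os.path.join(work, "restore"))
    result["restored_matches_source"] = restored == snapshot(src)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

The run makes the point of the validation item: the restore completes without any error and still hands back a corrupt ledger, and only the digest check run beforehand reveals that the full set is unusable. Partial backups also only record files that changed, so a deleted file would survive a restore unless the manifest tracks deletions as well.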

Content Screening and Blocking

Content control software restricts the content that a user can access using a web browser over the Internet. Content control software can block sites that contain certain types of material such as pornography or controversial religious or political content. A parent may implement content control software on the computer used by a child. Libraries and schools also implement the software to prevent access to content considered objectionable.

An administrator can implement the following types of filters:

  • Browser-based filters through a third-party browser extension
  • Email filters through a client- or server-based filter
  • Client-side filters installed on a specific computer
  • Router-based content filters that block traffic from entering the network
  • Appliance-based content filtering similar to router based
  • Cloud-based content filtering

Search engines such as Google offer the option of turning on a safety filter to exclude inappropriate links from search results.

Click here for a comparison of content-control software providers.

Disk Cloning and Deep Freeze

Many third-party applications are available to restore a system back to a default state. This allows the administrator to protect the operating system and configuration files for a system.

Disk cloning copies the contents of the computer’s hard disk to an image file. For example, an administrator creates the required partitions on a system, formats the partition, and then installs the operating system. She installs all required application software and configures all hardware. The administrator then uses disk-cloning software to create the image file. The administrator can use the cloned image as follows:

  • To automatically wipe a system and restore a clean master image
  • To deploy new computers within the organization
  • To provide a full system backup

Click here for a comparison of disk cloning software.

Deep Freeze “freezes” the hard drive partition. When a user restarts the system, the system reverts to its frozen configuration. The system does not save any changes that the user makes, so any applications installed or files saved are lost when the system restarts.

If the administrator needs to change the system’s configuration, she must first “thaw” the protected partition by disabling Deep Freeze. After making the changes, she must re-enable the program. The administrator can configure Deep Freeze to restart after a user logs out, shuts down after a period of inactivity, or shuts down at a scheduled time.

These products do not offer real-time protection. A system remains vulnerable until the user or a scheduled event restarts the system. A system infected with malicious code though, gets a fresh start as soon as the system restarts.

Security Cables and Locks

There are several methods of physically protecting computer equipment:

  • Use cable locks with equipment.
  • Keep telecommunication rooms locked.
  • Use security cages around equipment.

Many portable devices and expensive computer monitors have a special steel bracket security slot built in to use in conjunction with cable locks.

The most common type of door lock is a standard keyed entry lock. It does not automatically lock when the door closes. Additionally, an individual can wedge a thin plastic card such as a credit card between the lock and the door casing to force the door open. Door locks in commercial buildings are different from residential door locks. For additional security, a deadbolt lock provides extra security. Any lock that requires a key, though, poses a vulnerability if the keys are lost, stolen, or duplicated.

A cipher lock uses buttons that a user presses in a given sequence to open the door. It is possible to program a cipher lock. This means that a user's code may only work during certain days or certain times. For example, a cipher lock may only allow Bob access to the server room between the hours of 7 a.m. and 6 p.m. Monday through Friday. Cipher locks can also keep a record of when the door opened, and the code used to open it.

Logout Timers

An employee gets up and leaves his computer to take a break. If the employee does not take any action to secure his workstation, any information on that system is vulnerable to an unauthorized user. An organization can take the following measures to deter unauthorized access:

Idle Timeout and Screen Lock

Employees may or may not log out of their computer when they leave the workplace. Therefore, it is a security best practice to configure an idle timer that will automatically log the user out and lock the screen after a specified period. The user must log back in to unlock the screen.

Login Times

In some situations, an organization may want employees to log in during specific hours, such as 7 a.m. to 6 p.m. The system blocks logins during the hours that fall outside of the allowed login hours.

GPS Tracking

The Global Positioning System (GPS) uses satellites and computers to determine the location of a device. GPS technology is a standard feature on smartphones that provides real-time position tracking. GPS tracking can pinpoint a location to within 100 meters. This technology is available to track children, senior citizens, pets, and vehicles. Using GPS to locate a cell phone without the user's permission, though, is an invasion of privacy and, in many jurisdictions, illegal.

Many cell phone apps use GPS tracking to track a phone’s location. For example, Facebook allows users to check in to a location, which is then visible to people in their networks.

Inventory and RFID Tags

Radio frequency identification (RFID) uses radio waves to identify and track objects. RFID inventory systems use tags attached to all items that an organization wants to track. The tags contain an integrated circuit that connects to an antenna. Passive RFID tags are small and draw the little power they need from the reader's radio field, so they do not need a battery to store information to exchange with a reader. RFID can help automate asset tracking or wirelessly lock, unlock, or configure electronic devices.

RFID systems operate in different frequency bands. Low-frequency systems have a shorter read range and slower data rates, but are less sensitive to radio interference from nearby liquids and metals. Higher frequencies offer faster data transfer and longer read ranges, but are more sensitive to such interference.

Managing Remote Access

Remote access refers to any combination of hardware and software that enables users to access a local internal network remotely.

With the Windows operating system, technicians can use Remote Desktop and Remote Assistance to repair and upgrade computers. Remote Desktop, as shown in the figure, allows technicians to view and control a computer from a remote location. Remote Assistance allows technicians to assist customers with problems from a remote location. Remote Assistance also allows the customer to view the repair or upgrade in real time on the screen.

The Windows installation process does not enable Remote Desktop by default. Enabling it opens TCP port 3389 to the network; on a system whose user does not need the service, that is an unnecessary exposure, so leave it disabled (or restrict it to trusted addresses with the host firewall) unless it is required.

Telnet, SSH, and SCP

Secure Shell (SSH) is a protocol that provides a secure (encrypted) management connection to a remote device, and it should replace Telnet for management connections. Telnet is an older protocol that transmits both the login credentials (username and password) and all session data in plaintext. SSH encrypts the authentication exchange and the data transmitted between the communicating devices, and its host keys also let the client detect an impersonated server. SSH uses TCP port 22; Telnet uses TCP port 23.

In Figure 1, cyber criminals monitor packets using Wireshark. In Figure 2, cyber criminals capture the username and password of the administrator from the plaintext Telnet session.

Figure 3 shows the Wireshark view of an SSH session. Cyber criminals can still see the IP addresses of the administrator's device and the target, but, as Figure 4 shows, the username, password, and all session data are encrypted.



Secure copy (SCP) transfers files securely between two systems. SCP runs over SSH (including the authentication step), so it provides authenticity and confidentiality for the data in transit.
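The packet captures in Figures 1 through 4 are images, so here is an added Python example (written for this page, not part of the course) that does the same thing on constructed data: it reassembles a hand-built Telnet session from per-segment payloads, strips the IAC option negotiation, and pulls the username and password out of the prompts, then runs a strings-style extraction over a hand-built SSH session. The prompts, credentials (admin / s3cr3t), the OpenSSH banner, and the seeded random bytes standing in for SSH ciphertext are all constructed for the example.

```python
"""Recover credentials from a plaintext Telnet session, then try the same on SSH.

Added example, not from the course. The packet payloads are constructed by
hand to resemble what Wireshark's "Follow TCP Stream" shows; they are not a
real capture.
"""
import random

IAC, SE, SB = 255, 240, 250                   # Telnet command bytes (RFC 854)
WILL, WONT, DO, DONT = 251, 252, 253, 254     # three-byte option negotiation


def strip_telnet_negotiation(payload: bytes) -> bytes:
    """Drop Telnet option negotiation so only the typed/echoed text remains."""
    out, i = bytearray(), 0
    while i < len(payload):
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= len(payload):
            break                                   # truncated command at end of segment
        elif payload[i + 1] == IAC:                 # IAC IAC is an escaped 0xFF data byte
            out.append(IAC)
            i += 2
        elif payload[i + 1] in (WILL, WONT, DO, DONT):
            i += 3
        elif payload[i + 1] == SB:                  # subnegotiation runs until IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = len(payload) if end < 0 else end + 2
        else:
            i += 2                                  # any other two-byte command
    return bytes(out)


# Constructed Telnet session: (direction, TCP payload). Telnet character mode
# sends one keystroke per segment, which is why the credentials arrive split up.
TELNET_SESSION = [
    ("S>C", bytes([IAC, DO, 24, IAC, WILL, 1]) + b"router login: "),
    ("C>S", bytes([IAC, WONT, 24, IAC, DO, 1])),
    *[("C>S", ch.encode()) for ch in "admin"], ("C>S", b"\r\n"),
    ("S>C", b"Password: "),
    *[("C>S", ch.encode()) for ch in "s3cr3t"], ("C>S", b"\r\n"),
    ("S>C", b"\r\nrouter> "),
]

# Constructed SSH session: the version banners are the only readable text. In a
# real capture the binary KEXINIT that follows lists algorithm names in the clear,
# but the authentication request carrying the password is sent only after
# encryption starts. Seeded random bytes stand in for all of that here.
_rng = random.Random(7)


def _opaque(n):
    return bytes(_rng.getrandbits(8) for _ in range(n))


SSH_SESSION = [
    ("C>S", b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("S>C", b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("C>S", _opaque(96)), ("S>C", _opaque(96)), ("C>S", _opaque(64)),
]


def recover_telnet_credentials(packets):
    """Text typed after a login prompt is the username; after a password prompt,
    the password. Works on any plaintext session and yields nothing for SSH."""
    creds, field = {"username": "", "password": ""}, None
    for direction, payload in packets:
        text = strip_telnet_negotiation(payload).decode("ascii", "replace")
        if direction == "S>C":
            low = text.lower()
            if "login:" in low or "username:" in low:
                field = "username"
            elif "password:" in low:
                field = "password"
        elif field is not None:
            creds[field] += text.split("\r")[0].split("\n")[0]
            if "\r" in text or "\n" in text:
                field = None                        # Enter ends the field
    return creds


def printable_strings(packets, min_len=4):
    """What the Unix `strings` tool shows for the raw stream: no protocol knowledge."""
    stream = b"".join(p for _, p in packets)
    runs, cur = [], bytearray()
    for b in stream + b"\x00":                      # sentinel flushes the last run
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            runs.append(cur.decode("ascii"))
        cur = bytearray()
    return runs


if __name__ == "__main__":
    print("Telnet:", recover_telnet_credentials(TELNET_SESSION))
    print("SSH:   ", recover_telnet_credentials(SSH_SESSION))
    print("SSH strings:", printable_strings(SSH_SESSION))
```

Running it prints the recovered Telnet credentials, an empty result for SSH, and an SSH strings list whose only meaningful entries are the two version banners. On a real SSH capture the KEXINIT packets also expose the negotiated algorithm names, which is useful for spotting weak ciphers, but never the password.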

Securing Ports and Services

Cyber criminals exploit the services running on a system because they know that most devices run more services and programs than they need. An administrator should examine every service, verify that it is necessary, evaluate its risk, and remove or disable any that are not needed.

A simple method that many administrators use to help secure the network from unauthorized access is to disable all unused ports on a switch. For example, if a switch has 24 ports and only three Fast Ethernet connections are in use, it is good practice to shut down the 21 unused ports.

The process of enabling and disabling ports can be time-consuming, but it enhances security on the network and is well worth the effort.

Privileged Accounts

Cyber criminals exploit privileged accounts because they are the most powerful accounts in the organization. Privileged accounts have the credentials to gain access to systems and they provide elevated, unrestricted access. Administrators use these accounts to deploy and manage operating systems, applications, and network devices. The figure summarizes the types of privileged accounts.

Organizations should adopt the following best practices for securing privileged accounts:

  • Identify and reduce the number of privileged accounts
  • Enforce the principle of least privilege
  • Establish a process for revocation of rights when employees leave or change jobs
  • Eliminate shared accounts with passwords that do not expire
  • Secure password storage
  • Eliminate shared credentials for multiple administrators
  • Automatically change privileged account passwords every 30 or 60 days
  • Record privileged sessions
  • Implement a process to change embedded passwords for scripts and service accounts
  • Log all user activity
  • Generate alerts for unusual behavior
  • Disable inactive privileged accounts
  • Use multi-factor authentication for all administrative access
  • Implement a gateway between the end-user and sensitive assets to limit network exposure to malware

Locking down privileged accounts is critical to the security of the organization. Securing these accounts needs to be a continuous process. An organization should evaluate this process to make any required adjustments to improve security.

Group Policies

In most networks that use Windows computers, an administrator configures Active Directory domains on a Windows Server, and the Windows computers join a domain. The administrator configures a domain security policy (through Group Policy) that applies to every computer that joins. The account policies take effect automatically when a user logs in to a domain-joined computer.

When a computer is not part of an Active Directory domain, the administrator configures policies through the Windows Local Security Policy tool. In all editions of Windows except Home, enter secpol.msc at the Run prompt to open it.

An administrator configures account policies such as password and lockout policies by expanding Account Policies > Password Policy. With the settings shown in Figure 1, users must change their passwords every 90 days and keep a new password for at least one day. Passwords must contain at least eight characters drawn from three of the following four categories: uppercase letters, lowercase letters, numbers, and symbols. Lastly, a password can be reused only after 24 other unique passwords have been used.

An Account Lockout Policy locks the account for a configured duration when too many incorrect login attempts occur. For example, the policy shown in Figure 2 allows five wrong passwords. On the fifth failed attempt the account locks for 30 minutes; after 30 minutes the counter resets to zero and the user can try again. Note that the lock applies to the account, not the computer, and that an attacker who knows a username can deliberately trigger it to deny the legitimate user access, so pair lockout with monitoring rather than relying on it alone.
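The Figure 1 and Figure 2 settings, written out as an added Python model (not Windows code and not part of the course) so the interaction of the rules can be exercised: minimum age, complexity, the 24-entry history, the five-attempt threshold with a 30-minute lockout, and the 90-day expiry check. The account name and passwords are made up; the SHA-256 digest is a placeholder for whatever hash the real system stores.

```python
"""Model the password and account lockout policies shown in Figures 1 and 2.

Added example, not from the course: the rules a Windows domain enforces
(90-day maximum age, 1-day minimum age, 8-character minimum, 3 of 4 character
classes, 24-password history, 5-attempt threshold, 30-minute lockout) written
out in Python so they can be exercised.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MAX_AGE = timedelta(days=90)
MIN_AGE = timedelta(days=1)
MIN_LENGTH = 8
HISTORY = 24
LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=30)


def _digest(password: str) -> str:
    # Demo only: a real system stores a slow, salted hash (bcrypt, Argon2, or the OS's own).
    return hashlib.sha256(password.encode()).hexdigest()


def meets_complexity(password: str) -> bool:
    """At least MIN_LENGTH characters drawn from three of the four classes."""
    classes = (any(c.isupper() for c in password), any(c.islower() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


@dataclass
class Account:
    name: str
    password_hash: str
    changed_at: datetime
    history: List[str] = field(default_factory=list)   # last HISTORY hashes, current one last
    failures: int = 0
    locked_until: Optional[datetime] = None


def new_account(name: str, password: str, now: datetime) -> Account:
    return Account(name, _digest(password), now, [_digest(password)])


def change_password(acct: Account, new_password: str, now: datetime):
    """Enforce minimum age, complexity and history; return (ok, reason)."""
    if now - acct.changed_at < MIN_AGE:
        return False, "minimum password age not reached"
    if not meets_complexity(new_password):
        return False, "does not meet complexity requirements"
    digest = _digest(new_password)
    if digest in acct.history[-HISTORY:]:
        return False, "password was used within the last %d passwords" % HISTORY
    acct.history = (acct.history + [digest])[-HISTORY:]
    acct.password_hash, acct.changed_at = digest, now
    return True, "changed"


def authenticate(acct: Account, password: str, now: datetime) -> str:
    """Apply the lockout policy; return 'ok', 'expired', 'bad' or 'locked'."""
    if acct.locked_until is not None:
        if now < acct.locked_until:
            return "locked"                           # still inside the 30-minute lockout
        acct.locked_until, acct.failures = None, 0    # lockout elapsed: counter resets
    if _digest(password) != acct.password_hash:
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "bad"
    acct.failures = 0
    if now - acct.changed_at > MAX_AGE:
        return "expired"                              # right password, but it must be changed now
    return "ok"


def demo():
    """Walk one account through the lockout and change rules; returns the outcomes."""
    t0 = datetime(2024, 1, 10, 9, 0)
    bob = new_account("bob", "Winter2024!", t0 - timedelta(days=10))
    outcomes = [authenticate(bob, "guess%d" % i, t0) for i in range(5)]      # 4 x bad, then locked
    outcomes.append(authenticate(bob, "Winter2024!", t0 + timedelta(minutes=10)))  # still locked
    outcomes.append(authenticate(bob, "Winter2024!", t0 + timedelta(minutes=31)))  # lockout over
    outcomes.append(change_password(bob, "Winter2024!", t0 + timedelta(minutes=31))[1])  # reuse
    outcomes.append(change_password(bob, "Spring2024!", t0 + timedelta(minutes=31))[1])  # ok
    outcomes.append(change_password(bob, "Summer2024!", t0 + timedelta(minutes=40))[1])  # too soon
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fourth wrong guess returns "bad" but the fifth returns "locked", and the correct password is refused until the 30 minutes have elapsed; the change attempts then show the history and minimum-age rules rejecting a reused password and an immediate second change.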


More security settings are available by expanding the Local Policies folder. An Audit Policy creates a security log file used to track the events listed in Figure 3.


Enable Logs and Alerts

A log records all events as they occur. Log entries make up a log file, and a log entry contains all of the information related to a specific event. Logs that relate to computer security have grown in importance.

For example, an audit log tracks user authentication attempts, and an access log records every request for specific files on a system. Monitoring system logs can reveal how an attack occurred and whether the deployed defenses worked. That only holds if the logs are forwarded to a system the attacker cannot reach, since an intruder with local administrative rights can edit or delete the local copies.

With the increase in the sheer number of log files generated for computer security purposes, the organization should consider a log management process. Log management determines the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.

Operating System Logs

Operating system logs record events that occur because of operational actions performed by the operating system. System events include the following:

  • Client requests and server responses such as successful user authentications
  • Usage information that contains the number and size of transactions in a given period of time

Security Application Logs

Organizations use network-based or system-based security software to detect malicious activity. This software generates a security log to provide computer security data. Logs are useful for performing auditing analysis and identifying trends and long-term problems. Logs also enable an organization to provide documentation showing that it is in compliance with laws and regulatory requirements.
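As an added example of the monitoring these paragraphs describe (not part of the course): a detector that reads OpenSSH authentication entries in Linux auth.log format and flags a password-guessing burst from one source, plus the event that matters most, a successful login from a source that had been failing. The log lines, host name, addresses and user names are constructed; the regular expression assumes the standard OpenSSH message format.

```python
"""Flag password guessing in an authentication log.

Added example, not from the course. SAMPLE_LOG is constructed in the style
of OpenSSH entries in a Linux auth.log; the detector raises an alert when one
source fails `threshold` times inside the window, and (the signal that
matters) when a source that has been failing suddenly succeeds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$")

SAMPLE_LOG = """\
Mar  4 10:15:01 host1 sshd[2201]: Failed password for invalid user test from 203.0.113.9 port 51022 ssh2
Mar  4 10:15:03 host1 sshd[2203]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
Mar  4 10:15:05 host1 sshd[2205]: Failed password for root from 203.0.113.9 port 51026 ssh2
Mar  4 10:15:07 host1 sshd[2207]: Failed password for root from 203.0.113.9 port 51028 ssh2
Mar  4 10:15:09 host1 sshd[2209]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar  4 10:15:10 host1 sshd[2209]: Connection closed by 203.0.113.9 port 51030 [preauth]
Mar  4 10:15:12 host1 sshd[2211]: Failed password for alice from 198.51.100.4 port 40210 ssh2
Mar  4 10:15:20 host1 sshd[2213]: Accepted password for alice from 198.51.100.4 port 40212 ssh2
Mar  4 10:15:41 host1 sshd[2215]: Failed password for root from 203.0.113.9 port 51032 ssh2
Mar  4 10:15:44 host1 sshd[2217]: Accepted password for root from 203.0.113.9 port 51034 ssh2
"""


def parse_line(line, year=2024):
    """Return the fields of an Accepted/Failed entry, or None for anything else.
    Syslog timestamps carry no year, so the caller supplies it."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, " ".join(m["ts"].split())), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60, min_failures=3):
    """Sliding-window count of failures per source address."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)      # ip -> deque of (ts, user) failures still inside the window
    flagged, alerts = set(), []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                 # connection-closed lines and the like are not auth results
        dq = recent[ev["ip"]]
        while dq and ev["ts"] - dq[0][0] > window:      # slide the window forward
            dq.popleft()
        if ev["result"] == "Failed":
            dq.append((ev["ts"], ev["user"]))
            if len(dq) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])                   # one burst alert per source
                alerts.append({"type": "burst", "ip": ev["ip"], "at": ev["ts"].strftime("%H:%M:%S"),
                               "users": sorted({u for _, u in dq})})
        elif len(dq) >= min_failures:                   # success after repeated failures
            alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                           "at": ev["ts"].strftime("%H:%M:%S"), "user": ev["user"],
                           "failures": len(dq)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, alice's single typo followed by a success produces nothing, while 203.0.113.9 produces a burst alert at the fifth failure (listing the three usernames it tried) and a second, higher-priority alert when its root login finally succeeds.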

Power

Electrical power is a critical issue in protecting information systems. A continuous supply of electricity is essential in today's massive server and data storage facilities. Here are some general rules for building effective electrical supply systems:

  • Data centers should be on a different power supply from the rest of the building
  • Redundant power sources: two or more feeds coming from two or more electrical substations
  • Power conditioning
  • Backup power systems are often required
  • A UPS should be available to gracefully shut down systems

An organization must protect itself from several issues when designing its electrical power supply systems.

Power Excess

  • Spike: momentary high voltage
  • Surge: prolonged high voltage

Power Loss

  • Fault: momentary loss of power
  • Blackout: complete loss of power

Power Degradation

  • Sag/dip: momentary low voltage
  • Brownout: prolonged low voltage
  • Inrush Current: initial surge of power

Heating, Ventilation, and Air Conditioning (HVAC)

HVAC systems are critical to the safety of people and information systems in the organization's facilities, and they play an important role in the overall security of a modern IT facility. HVAC systems control the ambient environment (temperature, humidity, airflow, and air filtering) and must be planned for and operated along with the other data center components: computing hardware, cabling, data storage, fire protection, physical security systems, and power. Almost every piece of computer hardware comes with environmental requirements that include acceptable temperature and humidity ranges; these appear in the product specifications or in a physical planning guide. Maintaining those conditions prevents system failures and extends the life of IT systems. Commercial HVAC systems and other building management systems now connect to the Internet for remote monitoring and control. Recent events have shown that such systems (often called "smart systems") also carry significant security implications.

One of the risks associated with smart systems is that the individuals who access and manage the system often work for a contractor or a third-party vendor. Because HVAC technicians need to find information quickly, crucial data tends to be stored in many different places, making it accessible to even more people. Such a situation allows a wide network of individuals, including associates of contractors, to obtain the credentials for an HVAC system. Interruption of these systems, or an attacker's use of the vendor's network access as a foothold into the corporate network, can pose considerable risk to the organization's information security. Keep building management systems on their own segregated network with no path to business systems.

Hardware Monitoring

Hardware monitoring is often found in large server farms. A server farm is a facility that houses hundreds or thousands of servers for companies. Google has many server farms around the world to provide optimal services. Even smaller companies are building local server farms to house the growing number of servers needed to conduct business. Hardware monitoring systems monitor the health of these systems to minimize server and application downtime. Modern hardware monitoring systems use USB and network ports to report CPU temperature, power supply status, fan speed and temperature, memory status, disk space, and network card status. They enable a technician to monitor hundreds or thousands of systems from a single terminal. As the number of server farms continues to grow, hardware monitoring has become an essential security countermeasure.


Operation Centers

The Network Operation Center (NOC) is one or more locations containing the tools that provide administrators with a detailed status of the organization’s network. The NOC is ground zero for network troubleshooting, performance monitoring, software distribution and updates, communications management, and device management.

The Security Operation Center (SOC) is a dedicated site that monitors, assesses, and defends the organization’s information systems such as websites, applications, databases, data centers, networks, servers, and user systems. A SOC is a team of security analysts who detect, analyze, respond to, report on, and prevent cybersecurity incidents.

Both of these entities use a tiered structure to handle events. Tier 1 handles all incoming events and escalates any it cannot resolve to Tier 2. Tier 2 staff reviews the event in detail and tries to resolve it; if they cannot, they escalate it to Tier 3, the subject matter experts.

To measure the overall effectiveness of an operation center, an organization will conduct realistic drills and exercises. A tabletop exercise is a structured walk-through in which a team talks through a simulated event and evaluates the center's response. A more demanding measure is to simulate a full-fledged intrusion with no warning. This involves using a Red Team, an independent group of individuals who challenge the organization's processes, to evaluate the organization's effectiveness. For example, the Red Team should attack a mission-critical system, including reconnaissance, initial compromise, privilege escalation, and persistent remote access.

Switches, Routers, and Network Appliances

Network devices ship with either no passwords or default passwords. Change the default passwords before connecting any device to the network. Document the changes to network devices and log the changes. Lastly, examine all configuration logs.

The following sections discuss several measures that an administrator can take to protect various network devices.

Switches

Network switches are the heart of the modern data communication network. The main threats to switches are theft, hacking and unauthorized remote access, attacks against network protocols such as ARP and STP, and attacks against performance and availability. Countermeasures include improved physical security, hardened configuration, and timely system updates and patches. An administrator should also secure every switch port (interface) before deploying the switch in production. One effective control for this is port security, which limits the number of valid MAC addresses allowed on a port: the switch forwards traffic from devices with legitimate MAC addresses and denies any other MAC address.

VLANs

VLANs provide a way to group devices within a LAN and on individual switches. VLANs use logical connections instead of physical connections. Individual ports of a switch can be assigned to a specific VLAN. Other ports can be used to physically interconnect switches and allow multiple VLAN traffic between switches. These ports are called trunks.

For example, the HR department may need to protect sensitive data. VLANs allow an administrator to segment networks based on factors such as function, project team, or application, without regard for the physical location of the user or device as shown in Figure 1. Devices within a VLAN act as if they are in their own independent network, even if they share a common infrastructure with other VLANs. A VLAN can separate groups that have sensitive data from the rest of the network, decreasing the chances of confidential information breaches. Trunks allow individuals on the HR VLAN to be physically connected to multiple switches.

There are many types of VLAN vulnerabilities and attacks, including attacks on the VLAN and trunking protocols themselves (for example, VLAN hopping through a port that is allowed to negotiate itself into a trunk). The details of these attacks are beyond the scope of this course. Hackers can also attack VLAN performance and availability. Common countermeasures include monitoring VLAN changes and performance, hardened configurations (disable trunk negotiation on access ports), and regular patching and updates of the switch operating system, such as Cisco IOS.

Firewalls

Firewalls are hardware or software solutions that enforce network security policies. A firewall filters unauthorized or potentially dangerous traffic before it enters the network. A simple firewall provides basic traffic filtering using access control lists (ACLs). Administrators use ACLs to block traffic or to permit only specified traffic on their networks. An ACL is a sequential list of permit or deny statements that apply to addresses or protocols; the device evaluates the list from top to bottom, the first matching statement decides, and traffic that matches no statement is denied. ACLs provide a powerful way to control traffic into and out of a network. Because firewalls keep attacks out of a private network, they are themselves a common target of hackers seeking to defeat those protections. The main threats to firewalls are theft, hacking and unauthorized remote access, attacks against ACLs, and attacks against performance and availability. Countermeasures include improved physical security, hardened configuration, secure remote access and authentication, and timely system updates and patches.
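An added Python model of ACL evaluation (illustrative, not a Cisco or firewall implementation, and not part of the course) that shows the two properties that matter when writing rules: first match wins, and anything not matched is dropped. It also reports rules that can never fire because an earlier, broader rule shadows them, the usual result of placing a permit-any too high in the list. The addresses (a DMZ web server at 203.0.113.10, a management network 198.51.100.0/24, an outside client at 192.0.2.50) and the rules are constructed for the example.

```python
"""Evaluate packets against an ACL the way a router or firewall does.

Added example, not from the course: rules are checked top-down, the first
match decides, and anything that reaches the end is dropped by the implicit
deny. The rule set and packets are constructed (a DMZ web server at
203.0.113.10 and a management network 198.51.100.0/24).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp", or "ip" for any protocol
    src: str                     # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None  # destination port; None means any

    def matches(self, pkt) -> bool:
        return (self.proto in ("ip", pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.get("dport")))

    def covers(self, other) -> bool:
        """True if every packet `other` could match would already match this rule."""
        return (self.proto in ("ip", other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl, pkt):
    """Return (action, index of the deciding rule); index -1 is the implicit deny."""
    for i, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", -1


def shadowed_rules(acl):
    """Indices of rules that can never fire because an earlier rule covers them.
    Conservative: only reports rules fully covered by a single earlier rule."""
    return [j for j, later in enumerate(acl)
            if any(earlier.covers(later) for earlier in acl[:j])]


INBOUND = [                              # applied inbound on the Internet-facing interface
    Rule("deny",   "ip",  "10.0.0.0/8",      "0.0.0.0/0"),             # anti-spoofing: internal source from outside
    Rule("permit", "tcp", "0.0.0.0/0",       "203.0.113.10/32", 443),  # public HTTPS to the DMZ web server
    Rule("permit", "tcp", "198.51.100.0/24", "203.0.113.10/32", 22),   # SSH only from the management network
    Rule("deny",   "tcp", "0.0.0.0/0",       "203.0.113.10/32", 22),   # explicit, so SSH denials can be logged
]

# The same rules with a careless "permit everything" placed first: every rule below it is dead.
MISORDERED = [Rule("permit", "ip", "0.0.0.0/0", "0.0.0.0/0")] + INBOUND

SPOOFED = {"proto": "tcp", "src": "10.1.2.3", "dst": "203.0.113.10", "dport": 443}

if __name__ == "__main__":
    for pkt in (SPOOFED,
                {"proto": "tcp", "src": "192.0.2.50", "dst": "203.0.113.10", "dport": 443},
                {"proto": "tcp", "src": "192.0.2.50", "dst": "203.0.113.10", "dport": 22},
                {"proto": "udp", "src": "192.0.2.50", "dst": "203.0.113.10", "dport": 53}):
        print(pkt, "->", evaluate(INBOUND, pkt))
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

The UDP packet to port 53 matches nothing and is dropped by the implicit deny, which is what makes the explicit deny on rule 4 worth having only when you want it logged; with MISORDERED the spoofed packet is permitted by rule 0 and every rule after it is reported as shadowed.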

Routers

Routers form the backbone of the Internet and of communication between different networks. Routers exchange information with one another to identify the best path for delivering traffic to other networks, using routing protocols to make routing decisions. Routers can also integrate other services such as switching and firewall capabilities. These roles make routers prime targets. The main threats to routers are theft, hacking and unauthorized remote access, attacks against routing protocols such as RIP and OSPF, and attacks against performance and availability. Countermeasures include improved physical security, hardened configuration settings, routing protocols with neighbor authentication enabled, and timely system updates and patches.

Wireless and Mobile Devices

Wireless and mobile devices have become the predominant type of device on most modern networks. They provide mobility and convenience but pose a host of vulnerabilities, including theft, hacking and unauthorized remote access, sniffing, man-in-the-middle attacks, and attacks against performance and availability. The best way to secure a wireless network is to use authentication and encryption. The original wireless standard, 802.11, introduced two types of authentication as shown in the figure:
  • Open system authentication - Any wireless device can connect to the wireless network. Use this method only where security is of no concern.
  • Shared key authentication - Provides mechanisms to authenticate and encrypt data between a wireless client and an AP or wireless router.
The three shared key authentication techniques for WLANs are as follows:
  • Wired Equivalent Privacy (WEP) - The original 802.11 specification for securing WLANs. Its RC4 key never changes from packet to packet, and flaws in how it uses that key make it easy to crack.
  • Wi-Fi Protected Access (WPA) - Kept WEP's RC4 cipher for compatibility with existing hardware but wrapped it in the Temporal Key Integrity Protocol (TKIP), which derives a fresh key for each packet and adds a message integrity check, making it much harder to attack.
  • IEEE 802.11i/WPA2 - IEEE 802.11i is now the industry standard for securing WLANs. 802.11i and WPA2 use the Advanced Encryption Standard (AES) in CCMP mode for encryption, which is far stronger than either WEP or TKIP.
Since 2006, any device that bears the Wi-Fi Certified logo is WPA2 certified. Therefore, modern WLANs should always use at least the 802.11i/WPA2 standard (WPA3, published in 2018, supersedes it where the equipment supports it) with a strong passphrase or, better, 802.1X authentication. Other countermeasures include improved physical security and regular system updates and patching of devices.


Network and Routing Services

Cyber criminals use vulnerable network services to attack a device or to use it as part of an attack. To check for insecure network services, review a device for open ports using a port scanner. A port scanner probes a device by sending a connection attempt or packet to each port and waiting for a response; the response, or its absence, indicates whether the port is open, closed, or filtered, and often which service is listening. Cyber criminals use port scanners for the same reason. Securing network services ensures that only necessary ports are exposed and available.
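The port scan described here and in the Securing Ports and Services section, as an added Python example (not part of the course): a TCP connect scan, the same handshake-based probe that nmap -sT performs, followed by a comparison of the open ports against an allowlist of the services the host is documented to run. To be runnable offline it starts a throwaway listener on 127.0.0.1 to play the forgotten service; the HOST, PORTS and ALLOWED values are assumptions to replace with your own, and you should only scan hosts you are authorized to test.

```python
"""TCP connect scan: the check described above.

Added example, not from the course. It does what `nmap -sT` does, a full
TCP handshake per port, so it needs no raw sockets or root. To run offline
it opens a throwaway listener on 127.0.0.1 as the "unexpected service";
point HOST and PORTS at a machine you are authorized to scan.
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host, port, timeout=0.5):
    """'open' if the handshake completes, 'closed' on an RST (nothing listening),
    'filtered' if nothing comes back before the timeout (a firewall dropping it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def scan(host, ports, workers=32):
    """Probe the ports concurrently; returns {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda p: probe(host, p), ports)
        return dict(zip(ports, states))


def unexpected_open_ports(result, allowed):
    """Open ports that are not on the documented allowlist: review and disable."""
    return sorted(p for p, state in result.items() if state == "open" and p not in allowed)


def start_dummy_listener():
    """Listen on an ephemeral loopback port, accepting and dropping connections
    in the background; returns the port number. Stands in for a forgotten service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """An ephemeral port that nothing listens on (bind it, read it back, release it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    HOST = "127.0.0.1"                     # assumption: scan your own host
    ALLOWED = {22}                         # assumption: what the host is documented to run
    forgotten = start_dummy_listener()
    PORTS = [22, 23, 80, 443, 3389, forgotten, free_port()]
    result = scan(HOST, PORTS)
    for port in PORTS:
        print("%5d %s" % (port, result[port]))
    print("open but not on the allowlist:", unexpected_open_ports(result, ALLOWED))
```

A connect scan is noisy (every probe completes a handshake that the target logs), which is fine for auditing your own hosts and is also why an intrusion detection system can spot the same activity from an attacker.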

Dynamic Host Configuration Protocol (DHCP)

DHCP uses a server to assign an IP address and other configuration information automatically to network devices. In effect, the device is getting a permission slip from the DHCP server to use the network. Attackers can target DHCP servers in order to deny access to devices on the network. Figure 1 provides a security checklist for DHCP.

Domain Name System (DNS)

DNS resolves a domain name, such as the www.cisco.com part of a URL, to the IP address of the site. When users type a web address into the address bar, they depend on DNS servers to resolve the actual IP address of that destination. Attackers can target DNS servers to deny access to network resources or to redirect traffic to rogue websites, for example by poisoning cached answers. Figure 2 provides a security checklist for DNS. Use secure services and authentication between DNS servers (authenticated zone transfers, and DNSSEC-signed zones where possible) to protect them from these attacks.

Internet Control Message Protocol (ICMP)

Network devices use ICMP to send error messages, such as that a requested service is unavailable or that a host could not be reached. The ping command is a network utility that uses ICMP to test the reachability of a host: it sends ICMP echo requests and waits for echo replies. Cyber criminals can misuse ICMP for the purposes listed in Figure 3. Because denial-of-service attacks and reconnaissance use ICMP, many networks filter certain ICMP message types. Filter selectively rather than blocking ICMP entirely, since path MTU discovery and other normal functions depend on it.

Routing Information Protocol (RIP)

The Routing Information Protocol (RIP) is a routing protocol used to exchange information about which networks each router can reach and how far away those networks are. RIP calculates the best route by hop count and limits a path from source to destination to a maximum of fifteen hops. Figure 4 lists RIP vulnerabilities and defenses against RIP attacks. Hackers can target routers and the RIP protocol; attacks on routing services can affect performance and availability, and some can redirect traffic. Use routing protocols with authentication enabled (RIP version 2 supports it; RIP version 1 does not), and implement system patching and updates to protect routing services such as RIP.

Network Time Protocol (NTP)

Having the correct time within networks is important. Correct time stamps accurately track network events such as security violations. Additionally, clock synchronization is critical for the correct interpretation of events within syslog data files as well as for digital certificates.

Network Time Protocol (NTP) is a protocol that synchronizes the clocks of computer systems over data networks. NTP allows network devices to synchronize their time settings with an NTP server. Figure 5 lists the various methods used to provide secure time synchronization for the network. Cyber criminals attack time servers to disrupt secure communication that depends on digital certificates and to hide attack information such as accurate time stamps.

VoIP Equipment

Voice over IP (VoIP) uses networks such as the Internet to make and receive phone calls. The equipment required for VoIP includes an Internet connection plus a phone. Several options are available for the phone set:
  • A traditional phone with an adapter (the adapter acts as a hardware interface between a traditional, analog phone and a digital VoIP line)
  • A VoIP-enabled phone
  • VoIP software installed on a computer
Most consumer VoIP services use the Internet for phone calls. Many organizations, though, use their private networks because they provide stronger security and service quality. VoIP security is only as reliable as the underlying network security. Cyber criminals target these systems in order to gain access to free phone services, eavesdrop on phone calls, or to affect performance and availability.

Implement the following countermeasures to secure VoIP:
  • Encrypt voice message packets to protect against eavesdropping.
  • Use SSH to protect gateways and switches.
  • Change all default passwords.
  • Use an intrusion detection system to detect attacks such as ARP poisoning.
  • Use strong authentication to mitigate registration spoofing (cyber criminals route all incoming calls for the victim to them), proxy impersonating (tricks the victim into communicating with a rogue proxy set up by the cyber criminals), and call hijacking (the call is intercepted and rerouted to a different path before reaching the destination).
  • Implement firewalls that recognize VoIP to monitor streams and filter abnormal signals.
When the network goes down, voice communications will also go down.

Cameras

An Internet camera sends and receives data over a LAN and/or the Internet. A user can remotely view live video using a web browser on a wide range of devices including computer systems, laptops, tablets, and smartphones.

Cameras come in various forms including the traditional security camera. Other options include Internet cameras discreetly hidden in clock radios, books, or DVD players.

Internet cameras transmit digital video over a data connection. The camera connects directly to the network and has everything required for transferring the images over the network. The figure lists best practices for camera systems.

Videoconferencing Equipment

Videoconferencing allows two or more locations to communicate simultaneously using telecommunication technologies. These technologies take advantage of the new high definition video standards. Products like Cisco TelePresence enable a group of people in one location to conference with a group of people from other locations in real time. Videoconferencing is now part of normal day-to-day operations in industries like the medical field. Doctors can review patient symptoms and consult with experts to identify potential treatments.

Many local pharmacies employ physician assistants who can link live to doctors using videoconferencing to schedule visits or emergency responses. Many manufacturing organizations use teleconferencing to help engineers and technicians perform complex operations or maintenance tasks. Videoconferencing equipment can be extremely expensive and is a high-value target for thieves and cyber criminals, who target these systems to eavesdrop on video calls or to affect performance and availability.

Network and IoT Sensors

One of the fastest-growing sectors of information technology is the use of intelligent devices and sensors. The computer industry brands this sector as the Internet of Things (IoT). Businesses and consumers use IoT devices to automate processes, monitor environmental conditions, and alert the user to adverse conditions. Most IoT devices connect to a network via wireless technology and include cameras, door locks, proximity sensors, lights, and other types of sensors used to collect information about an environment or the status of a device. Several appliance manufacturers use IoT to inform users that parts need replacement, components are failing, or supplies are running out.

Businesses use these devices to track inventory, vehicles, and personnel. IoT devices contain geospatial sensors. A user can globally locate, monitor, and control environmental variables such as temperature, humidity, and lighting. The IoT industry poses a tremendous challenge to information security professionals because many IoT devices capture and transmit sensitive information. Cyber criminals target these systems in order to intercept data or to affect performance and availability.

Fencing and Barricades

Physical barriers are the first thing that comes to mind when thinking about physical security. This is the outermost layer of security, and these solutions are the most publicly visible. A perimeter security system typically consists of the following components:
  • Perimeter fence system
  • Security gate system
  • Bollards (a short post used to protect from vehicle intrusions as shown in Figure 2)
  • Vehicle entry barriers
  • Guard shelters
A fence is a barrier that encloses secure areas and designates property boundaries. All barriers should meet specific design requirements and fabric specifications. High-security areas often require a "top guard" such as barbed wire or concertina wire. When designing the perimeter, fencing systems use the following rules:
  • 1 meter (3-4 ft.) will only deter casual trespassers
  • 2 meters (6-7 ft.) are too high to climb by casual trespassers
  • 2.5 meters (8 ft.) will offer limited delay to a determined intruder
Top guards provide an added deterrent and can delay the intruder by severely cutting the intruder; however, attackers can use a blanket or mattress to alleviate this threat. Local regulations may restrict the type of fencing system an organization can use.

Fences require regular maintenance. Animals may burrow under the fence, or the earth may wash out and leave the fence unstable, providing easy access for an intruder. Inspect fencing systems regularly. Do not park vehicles near fences; a parked vehicle can help an intruder climb over or damage the fence.

Biometrics

Biometrics describes the automated methods of recognizing an individual based on a physiological or behavioral characteristic. Biometric authentication systems include measurements of the face, fingerprint, hand geometry, iris, retina, signature, and voice. Biometric technologies can be the foundation of highly secure identification and personal verification solutions. The popularity and use of biometric systems has increased because of the growing number of security breaches and transaction fraud. Biometrics can help protect financial transactions and personal data. For example, Apple uses fingerprint technology on its smartphones: the user's fingerprint unlocks the device and grants access to apps such as online banking or payment apps.

When comparing biometric systems there are several important factors to consider including accuracy, speed or throughput rate, acceptability to users, uniqueness of the biometric organ and action, resistance to counterfeiting, reliability, data storage requirements, enrollment time, and intrusiveness of the scan. The most important factor is accuracy. Accuracy is expressed in error types and rates.

The first error type is the Type I error, or false rejection: the system rejects a person who is enrolled and authorized. In access control, if the requirement is to keep the bad guys out, false rejection is the less important error. However, in many biometric applications, false rejections can have a very negative impact on business. For example, a bank or retail store needs to authenticate a customer's identity before completing a transaction. A false rejection means the transaction or sale is lost and the customer becomes upset. Most bankers and retailers are willing to allow a few false accepts as long as false rejects are minimal.

The false acceptance rate (FAR), stated as a percentage, is the rate at which a system accepts unenrolled individuals or imposters as authentic users. False acceptance is a Type II error. Type II errors let the bad guys in, so they are normally considered the most important error for a biometric access control system.

The most widely used single figure for the accuracy of biometric authentication is the Crossover Error Rate (CER), also called the equal error rate. The CER is the point at which the false rejection rate and the false acceptance rate are equal, as shown in the figure; moving the matching threshold trades one rate for the other.
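The error rates from the three paragraphs above, computed on constructed matcher scores as an added Python example (not part of the course): FAR and FRR at a given threshold, the threshold sweep that finds the CER, and the choice a door-access deployment would make instead, the lowest threshold that keeps FAR under a limit. The score lists are made up; real ones come from the matcher under evaluation.

```python
"""False acceptance, false rejection and the crossover error rate.

Added example, not from the course. The matcher scores below (0-100, higher
means a better match) are constructed; a real evaluation would collect genuine
and impostor scores from the biometric system under test.
"""
# Constructed data: scores for 20 enrolled users matched against their own
# template, and 20 impostors matched against someone else's template.
GENUINE = [55, 62, 68, 70, 72, 75, 78, 80, 82, 84, 85, 87, 88, 90, 91, 92, 94, 95, 97, 99]
IMPOSTOR = [10, 15, 20, 25, 30, 35, 40, 45, 50, 52, 55, 58, 60, 63, 66, 70, 74, 78, 82, 88]


def error_rates(genuine, impostor, threshold):
    """A score >= threshold is accepted.
    Returns (FAR, FRR): FAR (Type II) = impostors accepted / impostors,
    FRR (Type I) = genuine users rejected / genuine users."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (threshold, FAR, FRR)
    at the point where FAR and FRR are closest, i.e. the CER."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR is at most max_far, which also gives the
    lowest FRR achievable under that limit (FAR only falls as the threshold rises).
    This is the setting a server-room door wants; a retail app goes the other way."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    print("CER (threshold, FAR, FRR):", crossover_error_rate(GENUINE, IMPOSTOR))
    print("FAR capped at 5%:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.05))
    print("No false accepts at all:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

With these scores the CER sits at a threshold of 72 with FAR = FRR = 20%; capping FAR at 5% pushes the threshold to 84 and the FRR to 45%, which is exactly the trade-off the text describes between keeping intruders out and not turning away customers.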

Badges and Access Logs

An access badge allows an individual to gain access to an area with automated entry points. An entry point can be a door, a turnstile, a gate, or other barrier. Access badges use various technologies such as a magnetic stripe, barcode, or biometrics.

A card reader reads a number contained on the access badge. The system sends the number to a computer that makes access control decisions based on the credential provided. The system logs the transaction for later retrieval. Reports reveal who entered what entry points at what time.

Guards and Escorts

All physical access controls including deterrent and detection systems ultimately rely on personnel to intervene and stop the actual attack or intrusion. In highly secure information system facilities, guards control access to the organization’s sensitive areas. The benefit of using guards is that they can adapt more than automated systems. Guards can learn and distinguish many different conditions and situations and make decisions on the spot. Security guards are the best solution for access control when the situation requires an instantaneous and appropriate response. However, guards are not always the best solution. There are numerous disadvantages to using security guards including cost and the ability to monitor and record high volume traffic. The use of guards also introduces human error to the mix.

Video and Electronic Surveillance

Video and electronic surveillance supplement or in some cases, replace security guards. The benefit of video and electronic surveillance is the ability to monitor areas even when no guards or personnel are present, the ability to record and log surveillance videos and data for long periods, and the ability to incorporate motion detection and notification.

Video and electronic surveillance can also be more accurate in capturing events even after they occur. Another major advantage is that video and electronic surveillance provide points of view not easily achieved with guards. It can also be far more economical to use cameras to monitor the entire perimeter of a facility. In a highly secure environment, an organization should place video and electronic surveillance at all entrances, exits, loading bays, stairwells and refuse collection areas. In most cases, video and electronic surveillance supplement security guards.

RFID and Wireless Surveillance

Managing and locating important information system assets is a key challenge for most organizations. Growth in the number of mobile devices and IoT devices has made this job even more difficult. Time spent searching for critical equipment can lead to expensive delays or downtime. The use of Radio Frequency Identification (RFID) asset tags can be of great value to the security staff. An organization can place RFID readers in the door frames of secure areas so that they are not visible to individuals.

The benefit of RFID asset tags is that they can track any asset that physically leaves a secure area. New RFID asset tag systems can read multiple tags simultaneously. RFID systems do not require line-of-sight to scan tags. Another advantage of RFID is the ability to read tags that are not visible. Unlike barcodes and human-readable tags, which must be physically located and viewable to read, RFID tags do not need to be visible to scan. For example, a PC tagged underneath a desk would require personnel to crawl under the desk to physically locate and view the tag when using a manual or barcode process. Using an RFID tag would allow personnel to scan the tag without even seeing it.


Ref : [1]