COU3305/CSI3361 Book - Chapter 1,2,3 - Student Copy
FACULTY OF NATURAL SCIENCES
THE DEPARTMENT OF COMPUTER SCIENCE
LEVEL 3
OPEN UNIVERSITY OF SRI LANKA

COU3305 / CSI3361: COMPUTER SECURITY CONCEPTS

Published by The Open University of Sri Lanka
Course team: composed by The Department of Computer Science, Open University of Sri Lanka
Experimental Copy
The Open University of Sri Lanka, Nawala, Nugegoda, Sri Lanka
First published 2022
© 2022 The Open University of Sri Lanka
All rights reserved. No part of this course book may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or stored in any information retrieval system, without permission in writing from the Open University of Sri Lanka.

Introduction to the course

The Internet has improved our lives in many ways. Unfortunately, this large network and its related technologies have also brought an increase in the number of security threats. Being informed about common cybersecurity procedures is the most effective way to protect oneself from these risks and attacks. We all want to keep our computers and personal information private in this digital era, so computer security is essential to protect that information. It is also important to keep our computers secure and healthy by preventing viruses and malware from degrading system performance. Computer security threats are growing more and more inventive. To protect against these complex and rising risks and stay safe online, one must be armed with information and resources.

Welcome to our Computer Security Concepts course. In this course we introduce you to the context of computer security and related ideas.
After completing this course in Computer Security, a student will be able to:

- Articulate the basic ideas of cybersecurity.
- Examine the trade-offs involved in balancing critical security properties.
- Explain the terms "risk", "threat", "vulnerability" and "attack vector".
- Explain what authentication, authorization and access control are.
- Define the terms "trust" and "trustworthiness".
- Become familiar with the ethical behaviour expected of a security specialist.
- Determine how a secure organization operates and apply that knowledge to attain it.
- Use that knowledge to analyse problems and develop security solutions.
- Determine personal responsibility for secure computing, among other things.

As a result, at the end of the course a student will be able to define the various security techniques based on standards while considering both hardware and software elements. We wish you the best of luck!

COU3305/CSI3361 course team

Session 1 Introduction to Computer Security

References:
[1] https://hackr.io/blog/what-is-cybersecurity

Contents
Introduction
1.1 The Foundation of Computer Security
1.2 Types of Computer Security
1.3 Types of Computer Security Threats
1.4 Common Computer Security Practices
1.5 Types of Computer Security Software
1.6 Cloud-Based Computer Security
1.7 Careers in Computer Security
1.8 Zero-Trust Security Policies
Objectives
Review Questions

Introduction

Computer security, often known as "cybersecurity", is the protection of physical computing devices, software, information systems and digital data from unauthorized or hostile access, theft or damage. Basic cybersecurity principles are important for everyone. Computer security is a large and expanding field.
Many professions, fields, methods and technologies are involved beyond this broad definition of computer security. Seminars, certifications and even a degree are all realistic options for learning more about computer security technology.

1.1 The Foundation of Computer Security

The three major areas of computer security are confidentiality (called "privacy" in some texts), integrity and availability (called "accessibility" here). To be more precise:

- Confidentiality (privacy) refers to the ability to keep data that must be protected (such as personally identifiable information) from being disclosed to anyone not authorized to see it.
- Integrity refers to the ability to protect data from being deleted, altered or otherwise mismanaged, so that it can be trusted to be what its owner intended.
- Availability (accessibility) refers to the ability of authorized users to reach the data and systems they need when they need them. Availability is a property to be protected, not a weakness: a system that anyone can reach at will has a confidentiality problem, while a system that authorized users cannot reach (for example during a denial-of-service attack) has an availability problem.

As you can see, data plays an important role in computer security. But that is not the whole story. Computer systems now run much of the world. A cyberattack has the potential to do massive amounts of harm; financial systems, pipelines and even government agencies can all be

- ... access their email and accounts if their phone is not protected. If the phone is lost or stolen, it may be used to get into a secure system.
- Go to work and use a shared password to log into a cloud-based terminal. When a person shares a password with a trusted co-worker, the danger is usually not malicious behaviour by the trusted party; the risk is that the co-worker's devices will be compromised.
- Install an unvetted program on their work computer. Self-service IT is notoriously risky; for example, an employee could download a keylogger or a virus-infected PDF editing tool.
- Respond to an email from "IT" requesting their credentials. The most prevalent risks are social engineering threats; they are hard to defend against because they do not require any technology.
- Gain access to, and delete, files that they should not be able to touch.
It is easy for employees to unwittingly compromise data if a company does not have zero-trust procedures in place. Even with no malicious intent, a security risk exists.

- At the end of the day, they forget to log out of their computer. Even if their accounts are protected, that protection is useless if someone can simply walk up to the computer and start using it.
- Log in on their personal tablet at home. Employees who are "always on" and "always accessible" are more likely to use their personal devices. In this situation the entire family might use the tablet, and a toddler could easily compromise data.

Every day, every employee is exposed to a variety of hazards. When you consider how many people the average company has, the danger increases dramatically. But with the correct policies and technologies almost all of the problems above could have been avoided. According to the source article [1], employee error is still responsible for 88% of all cybersecurity breaches.

1.2 Types of Computer Security

As previously said, computer security is quite broad. There are many different kinds of computer security. Among the most important are:

- Information security. This refers directly to the process of securing and protecting data specifically, both from harm and from compromise.
- Network security. This refers to protecting communications throughout an organization's network, such as when a computer transmits data to a server.
- Application security. This refers to securing data within an application, such as a web application or a mobile app.
- Computer security. This refers to securing computer devices or, more specifically, end-user devices (including tablets, smartphones, etc.).
- Cybersecurity. This refers to securing computing devices that are connected to the Internet.
- Cloud security. This refers to the securing, management and continued security maintenance of private, hybrid and public cloud systems.
So, when someone says "computer security", it is worth digging a little deeper into the definition; it might refer to any one of these disciplines or embrace them all. Certification processes, degree programs and career routes are available for each of these areas.

1.3 Types of Computer Security Threats

There are numerous sorts of threats, just as there are numerous types of computer security. Attackers are constantly devising new ways of circumventing even the most secure systems, which makes computer security look like an arms race. The following are some of the most common threats:

- Viruses. Viruses sneak their way onto a computer system and then attempt a malicious action. Usually a virus is designed to create havoc: it may delete files or brick the device. A virus might also be written for profit.
- Phishing attempts. In a phishing attempt, a malicious attacker simply asks the user for information. They may pretend to be the user's bank, employer or IT department. The data gained is then used to compromise accounts.
- Ransomware. Ransomware blocks access to a device or data until a ransom is paid. The device or data is encrypted with a key that only the ransomware operator knows.
- DDoS attacks. Distributed Denial of Service attacks are designed to block access to a system, service or device by connecting to it repeatedly, from many sources at once, and exhausting its resources.
- Rootkits. Often hidden in other software, a rootkit gives another user control over a device. "Root" refers to administrative control, and a rootkit typically also hides its own presence from the operating system's normal tools.
- Keyloggers. These programs log the keys pressed on a device, seeking to capture passwords and confidential information.

The source article [1] calls ransomware by far the most common computer security threat today. Ransomware has grown since the introduction of Bitcoin, as it is now easier than ever to collect a ransom through a payment channel that is hard to trace.
Regular, tested backups greatly reduce the damage ransomware can do, provided the backup copies are kept offline or otherwise out of reach of the infected systems (ransomware routinely encrypts or deletes any backup it can reach) and provided restoring from them has actually been rehearsed. Backups do not help against attackers who also steal the data and threaten to publish it, so backups are a recovery measure, not a substitute for preventing the intrusion.

1.4 Common Computer Security Practices

Imagine being unable to access your email. What information would you lose? What accounts might be hacked? Everyone is responsible for computer security. While businesses provide the means and the devices, employees are frequently the weak link, and the majority of attacks are the result of employee negligence.

Take a look at some of the most frequent security techniques.

For employers:

- Installing next-generation antivirus solutions, which can use machine-learning algorithms and AI to identify threats that have not been seen before.
- Conducting regular employee training in computer security best practices and providing employees with the right training.
- Using stronger authentication systems such as multi-factor or biometric authentication rather than passwords alone.
- Streamlining and consolidating systems, such as through an identity-as-a-service solution.
- Having written computer security policies and ensuring that these policies are followed at all levels.
- Maintaining separate "work" devices from personal devices, particularly when it comes to phones and laptops.
- Conducting regular audits for potential security threats, security gaps and improvements that can be made.
- Requiring a VPN or otherwise encrypted and secured connection.

For employees:

- Maintaining proper authentication and password hygiene: keeping passwords unique, separate and private.
- Refraining from connecting to systems or downloading data onto platforms that are not secure, such as a home computer rather than an office computer.
- Reporting anything strange that they receive, such as an obvious phishing attempt.
- Never sending confidential information to a source that has not been properly verified. If "IT" sends an email asking for a login, the employee should call IT on a known number to verify that they sent the request, and even then should not hand over the login.
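The last employee practice above (verify before handing over credentials) is the kind of check an email scanner automates. As an added example that is not part of the course book, the Python below applies a few sender-header heuristics to a constructed phishing message: the organisation domain example-corp.com, the two sample messages and the confusable-character table are all assumptions chosen for illustration, not data from the course or from any real organisation.

```python
"""Sender-header checks an email scanner (or a cautious employee) can apply to a
message that asks for credentials: sender outside the organisation, a look-alike
domain, a Reply-To pointing elsewhere, a display name that impersonates another
address, and a body asking for a password.  Added example, not code from the
course book; the organisation domain and the sample messages are constructed."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumed: the organisation's genuine mail domains (illustrative name).
TRUSTED_DOMAINS = {"example-corp.com"}

# Digit/letter swaps and letter pairs commonly used to forge look-alike domains.
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

_CREDENTIAL_WORDS = ("password", "passcode", "login", "credential", "verify your account")


def skeleton(domain: str) -> str:
    """Collapse a domain to the shape a reader perceives, so that
    'examp1e-corp.com' and 'exarnple-corp.com' both map to 'example-corp.com'."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(_CONFUSABLE_CHARS)
    for pair, single in _CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_message(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))

    if not from_dom:
        return ["no parseable sender address"]
    if "xn--" in from_dom or any(ord(ch) > 127 for ch in from_dom):
        findings.append(f"internationalised/punycode sender domain: {from_dom}")
    if from_dom not in TRUSTED_DOMAINS:
        if any(skeleton(from_dom) == skeleton(t) for t in TRUSTED_DOMAINS):
            findings.append(f"look-alike of a trusted domain: {from_dom}")
        else:
            findings.append(f"external sender: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if "@" in display_name and display_name.rsplit("@", 1)[1].lower() != from_dom:
        findings.append(f"display name impersonates another address: {display_name}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if any(w in body.lower() for w in _CREDENTIAL_WORDS):
        findings.append("body asks for credentials")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: IT Support <helpdesk@examp1e-corp.com>
Reply-To: helpdesk@account-reset.example.net
To: staff@example-corp.com
Subject: Action required: confirm your login

Reply with your username and password within 24 hours to keep your account active.
"""

SAMPLE_GENUINE = """From: Alice <alice@example-corp.com>
To: bob@example-corp.com
Subject: Lunch?

See you at noon.
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("genuine", SAMPLE_GENUINE)):
        print(name, check_message(sample))
```

None of these checks is proof on its own; a genuine message from a supplier trips "external sender", and a determined attacker can register a domain the skeleton does not catch. The point is that the decision to hand over a credential should never rest on the message itself, which is exactly why the practice above says to call back on a known number.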
These are best practices that should be audited on a regular basis. Because attackers are continually refining their techniques, businesses must continually improve their security. The source article [1] puts the cost of a cyberattack at up to $200,000 on average for a business, and many enterprises fail as a result of the financial hit.

1.5 Types of Computer Security Software

Most people use antivirus software at home, such as Avast Antivirus, AVG Antivirus or McAfee. These are all-in-one security packages, but there is a wide range of other security software:

- Antivirus suites. Commonly, antivirus suites come with an array of malware protection and detection utilities. A common one is "sandboxing": in a sandbox, an application is run in an isolated environment where it cannot access or manipulate other things on the system.
- Firewalls. A firewall is a component, on the computer or on the network in front of it, that decides whether a connection should be allowed, typically on the basis of addresses, ports and direction.
- AI algorithms. These use machine learning to identify behaviour that could be dangerous to a system. For instance, they might identify an unusual amount of data being transferred and alert security to a possible intrusion.
- Backup systems. Backup systems are instrumental in recovering from attacks such as ransomware. Even if your system is destroyed by a malicious program, you need to be able to bring it back, quickly.
- Email scanners. Email scanners are the front line against phishing attempts, which are largely non-technical in nature. These scanners look for potentially suspicious emails.
- Data management solutions. Modern data management (data loss prevention) solutions can identify when privileged information or documents are about to be sent out and halt the process.
- Authentication services. Most authentication services today support multi-factor or two-factor authentication, ensuring that an individual presents at least two forms of proof of identity (for example a password plus a code from a phone app).
- Mobile device management platforms.
MDM platforms manage mobile devices such as smartphones and tablets when they connect to the network.
- VPNs. A VPN encrypts traffic between the user's device and the VPN endpoint, so the data is protected on a potentially hostile link (such as public Wi-Fi in a coffee shop). This is not end-to-end encryption: traffic leaving the VPN endpoint towards its final destination is protected only if the application itself uses TLS or similar.

To protect their systems, most businesses use a combination of the above. However, security and performance must always be balanced. The more security a company implements, the more resources are spent on it and the slower or less convenient the system may become. As a result, a company must choose the most secure configuration that it can afford to run.

1.6 Cloud-Based Computer Security

Many systems are now hosted in the cloud, which brings new challenges. To begin, there are three different sorts of cloud deployment:

- Private clouds, which operate very much like a cluster of on-premises servers.
- Public clouds, which are accessed online and are usually not under the direct control of the organization.
- Hybrid clouds, which are a mix of the two types above.

Expert cloud-based security services are now available. Because the cloud provides the resources to run next-generation, adaptive machine-learning capabilities, cloud security services can often spot and respond to threats early. At the same time, because the cloud is so widely reachable, it has a larger attack surface, and many employees will use their cloud platform in public places such as coffee shops and on shared computers. When businesses use the cloud, they must exercise greater caution in terms of security.

Individuals who use the cloud must likewise exercise caution. Are your images, videos and documents uploaded to the cloud automatically? How many different devices can access them? Are those devices vulnerable to compromise? For example, you may not realise that if your office computer is signed into your personal Gmail account, anyone with access to that computer has access to all of your images.
1.7 Careers in Computer Security

Computer security is one of the fastest-growing fields. There is a lot of room for professional advancement: the source article [1] quotes a growth rate of 33% for Information Security Analysts alone. As a result, a growing number of people are pursuing careers in computer security. Security roles can be divided into many classifications (such as cybersecurity or network security):

- Admins. Administrators manage a system that has already been developed.
- Analysts. Analysts analyse, optimize and improve upon a system that has been developed.
- Architects. Architects create systems or sometimes perform high-level audits of systems.

Most people choose a cybersecurity path (such as application security) and then follow it. There are several options for gaining relevant experience:

- Working in an adjacent field.
- Acquiring a degree in Computer Security, Computer Science or Computer Engineering.
- Getting certifications or attending a bootcamp.

For those who prefer to learn on the job, there are various entry-level positions in computer security. Because the area changes so quickly, computer security requires a high level of ability, and those who work in it need to continue their education throughout their careers.

MSPs, SaaS and Outsourced Security Services

Understandably, not every company has the financial resources to hire an internal IT security team. Many businesses employ MSPs (managed service providers) or as-a-Service technologies to handle their security needs; the service provider, rather than the firm, operates the as-a-Service technology. Outsourcing security has both advantages and disadvantages. A company will most likely get better resources and technology for less money, but it becomes more dependent on the MSP/SaaS provider and may lose some control over its own systems as a result. The source article [1] reports that approximately 64% of small firms currently manage their own IT requirements.
1.8 Zero-Trust Security Policies

Today's computer security systems frequently include "zero-trust" measures. In the past, systems kept track of which systems they did not trust and blocked those. Likewise, systems had a list of files that they specially secured: unless someone possessed the proper credentials, access to those files was prohibited, but everything not on the list was open. This was a "trust" policy: users could reach devices and information by default, and protection was the exception.

Zero-trust policies are becoming more common. A system with a zero-trust policy instead has a list of systems it trusts and, by default, blocks all connections except those from the specified systems. Instead of a list of protected files, all files are protected by default, with only a list of those who have permission to access each one. Being on the corporate network, or having logged in once, earns no implicit access: every request is authenticated and authorized on its own.

Zero-trust management of documents and computer systems is significantly more effective. It means that if a single account is compromised, the entire network and its data are much less likely to be compromised with it, because data has been compartmentalized and each account can reach only what it was explicitly granted. The best example of trust versus zero trust involves who is allowed to spend money from your bank account. Would you rather it be "everyone, except X, Y and Z"? Or would you rather it be "only me"?

Learning More About Computer Security

Knowing the definition of computer security is not always enough. Even someone who only works with technology sporadically has to understand the fundamentals of computer security. Computers have become ingrained in the way that everyone, especially remote workers, works nowadays. There are numerous resources available to help you learn more about computer security:

- Attend a bootcamp, if you are interested not only in the foundations but potentially in making security a career.
- Go to seminars focused on your industry; every industry is different and maintains different technology.
- Learn more online.
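Returning to section 1.8 above: the difference between a block list ("everyone, except X, Y and Z") and a zero-trust allow list ("only me") is easiest to see by computing what one compromised account can reach under each. The Python below is an added example, not code from the course book; the resources, principals and grants are a constructed inventory, and the two policy classes are a deliberately minimal model of the two approaches, not any product's implementation.

```python
"""Block-list ("trust by default") versus allow-list ("zero trust") access
policies, and the blast radius of one compromised account under each.  Added
example, not code from the course book; the inventory of resources, principals
and grants is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    principal: str   # user, service or device making the request
    resource: str    # file, host:port or service being accessed
    action: str      # "read", "write" or "connect"


class BlocklistPolicy:
    """Legacy model: everything is permitted unless the principal is on a block
    list or the resource is on a short list of specially protected resources."""

    def __init__(self, blocked_principals, protected_resources):
        self.blocked = set(blocked_principals)
        # resource -> set of principals allowed to touch that resource
        self.protected = {r: set(p) for r, p in protected_resources.items()}

    def is_allowed(self, req: Request) -> bool:
        if req.principal in self.blocked:
            return False
        if req.resource in self.protected:
            return req.principal in self.protected[req.resource]
        return True   # unknown principal, unlisted resource: allowed by default


class ZeroTrustPolicy:
    """Default deny: a request is permitted only when an explicit grant names this
    principal, this resource and this action.  Nothing is inferred from where the
    caller is on the network or from any earlier request."""

    def __init__(self, grants):
        self.grants = frozenset((p, r, a) for p, r, a in grants)

    def is_allowed(self, req: Request) -> bool:
        return (req.principal, req.resource, req.action) in self.grants


def blast_radius(policy, principal, resources, actions=("read", "write", "connect")):
    """Resources a single compromised principal could reach under a policy."""
    return sorted({r for r in resources for a in actions
                   if policy.is_allowed(Request(principal, r, a))})


# Constructed inventory.
RESOURCES = ["hr/payroll.xlsx", "eng/source.git", "shared/handbook.pdf",
             "db-prod:5432", "printer:9100"]

LEGACY = BlocklistPolicy(
    blocked_principals=["contractor-old"],
    protected_resources={"hr/payroll.xlsx": ["hr-alice"]},
)

ZERO_TRUST = ZeroTrustPolicy([
    ("hr-alice",   "hr/payroll.xlsx",     "read"),
    ("hr-alice",   "shared/handbook.pdf", "read"),
    ("eng-bob",    "eng/source.git",      "read"),
    ("eng-bob",    "eng/source.git",      "write"),
    ("eng-bob",    "shared/handbook.pdf", "read"),
    ("app-server", "db-prod:5432",        "connect"),
])


def compare(principal: str) -> dict:
    """What one compromised principal can reach under each model."""
    return {
        "blocklist":  blast_radius(LEGACY, principal, RESOURCES),
        "zero_trust": blast_radius(ZERO_TRUST, principal, RESOURCES),
    }


if __name__ == "__main__":
    for who in ("eng-bob", "attacker-laptop", "contractor-old"):
        print(who, compare(who))
```

Under the block list, a stolen engineer account (or a laptop nobody has ever heard of) reaches everything except the one file somebody remembered to protect; under the allow list it reaches only what was granted, and an unknown device reaches nothing. The price of the allow list is that every legitimate access has to be written down, which is why zero trust is as much an inventory and identity exercise as a technical one.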
There is a lot of information available online about new security risks, tools and technologies. The field of computer security is exceedingly vast, yet it affects every sector, every device and every individual. You can protect your personal data and devices by knowing more about computer security.

Objectives

Now you will be able to:

- Understand the definition of computer security and its main areas.
- Understand the foundation, the types and the concept of threats in security.
- Know the core security practices and how they divide between employer and employee responsibilities in an organization.
- Have a general idea of the common types of security software.
- Know how to describe cloud-based security services.
- Identify the career opportunities in the field of cybersecurity.
- Understand the concept of a zero-trust policy.

Review Questions

1. What is information security?
2. Briefly describe two cloud-based services.
3. Briefly explain the zero-trust policy.

Session 2 Computer Security Awareness

References:
[1] Principles of Computer Security, Fourth Edition, by Wm. Arthur Conklin and Greg White, McGraw-Hill Education.
[2] FISMA Compliance Handbook, Second Edition, by Laura P. Taylor, Elsevier.
[3] (ISC)² CISSP Official Study Guide, Eighth Edition.

Contents
Introduction
2.1 Introduction to Computer Security
2.1.1 Security Trends and Concepts
2.2 Security Awareness and Training
2.3 The Importance of Policies and Procedures
2.4 Countermeasures
Objectives
Review Questions

Introduction

Security is one of the highest-demand job categories, growing in importance as the frequency and severity of security threats continue to be a major concern for organizations around the world. Jobs for security administrators are expected to increase by 18%, and the skill set required for these jobs maps to the CompTIA Security+ certification. Network Security Administrators can earn as much as $106,000 per year in the USA.
CompTIA Security+ is the first step in starting a career as a Network Security Administrator or Systems Security Administrator. More than 250,000 individuals worldwide are CompTIA Security+ certified, and the certification is used in organizations such as Hitachi Systems, Fuji Xerox, HP, Dell and a variety of major U.S. government contractors.

Computer security is a difficult term to define, since it involves multiple disciplines. Computers are regarded as secure when they do what they are intended to do, and only what they are intended to do. However, as previously said, the focus of security has shifted from the computer to the information being processed. Information security means that information is safeguarded from unauthorized access or modification while still being accessible to authorized users when needed. When evaluating the various characteristics of information, it is crucial to remember that data is stored, processed and transported across machines (data at rest, in use and in transit), and each of these states needs suitable security measures. Information assurance is a term that refers not only to the security of information but also to a method of determining the amount of protection achieved.

2.1 Introduction to Computer Security

2.1.1 Security Trends and Concepts

New security trends are becoming a more diverse and interesting issue. With the evolution of computer science concepts and procedures, new cybersecurity trends emerge. The examples in this section are taken from McGraw-Hill Education's Principles of Computer Security [1], which draws on patterns over the last three to four decades, with a focus on attack trends, system overviews and various domain mappings.

Software Patches

Keeping all software up to date with vendor-released patches is one of the most effective actions security professionals can take to defend their computer systems and networks against attack.
Many virus and worm outbreaks would have been much less severe if everyone had installed security updates and patches as soon as they were available. As an exercise, search the web for what updates are available for your operating system and for what vulnerabilities or issues those patches were meant to address.

Intruders

Hacking is the act of intentionally accessing computer systems and networks without authority, and hackers are those who carry out this activity. The act of exceeding one's authorization in a system is also sometimes referred to as hacking; this includes authorized users who try to gain access to files they are not supposed to have access to, or who try to obtain permissions they do not have. The act of breaking into systems has been romanticized in the media and entertainment, but it does not live up to the Hollywood hype. Intruders are, if nothing else, incredibly patient, because gaining access to a system requires perseverance and tenacity. Many pre-attack operations (reconnaissance) will be carried out by the attacker to gather the information needed to assess which attack is most likely to succeed. By the time an attack is conducted, the attacker should have obtained enough information to be confident that it will succeed.

Unstructured threats are defined as attacks carried out by a single person or a small group. At this level, attacks are usually carried out over a short period (a few months at most), involve a small number of people, have little financial backing, and are carried out by insiders or outsiders who do not seek coordination with insiders. Intruders, or those attempting to execute an intrusion, come in a wide variety of shapes and sizes, with varied degrees of sophistication (see Figure 2.1).
Script kiddies are those who do not have the technical knowledge to write scripts or find new vulnerabilities in software, but have just enough understanding of computer systems to download and run scripts developed by others. These individuals are not interested in attacking specific targets; instead, they look for any organization that has not patched a recently identified weakness for which an exploit script has been published. It is difficult to say how many of the people probing networks or scanning individual systems belong to this category, but it is clearly the fastest growing, and these people are likely responsible for the great majority of "unfriendly" behaviour on the Internet.

At the next level are those who are capable of writing scripts to exploit known flaws. These people are far more technically capable than script kiddies, and according to [1] they account for about 8% to 12% of all hostile Internet activity. At the top of the range are the highly technical individuals known as elite hackers, who are capable not only of writing scripts to exploit flaws but also of discovering new ones. This is the smallest group, accounting for only 1 to 2 percent of total intrusive activity.

Figure 2.1 Distribution of attacker skill levels (horizontal axis: technical expertise). Adapted from [1].

2.2 Security Awareness and Training

Implementing an effective security solution necessitates changes in user behaviour. Most of these adjustments are changes to typical job tasks to comply with the security policy's standards, rules and procedures. The user must learn something new in order to change their behaviour. All key pieces of knowledge to be transferred must be clearly identified, and programs of presentation, exposure, synergy and execution must be designed to establish and manage security education, training and awareness. Awareness is a precondition for security training.
The purpose of raising awareness is to bring security to the forefront of users' minds and make it a recognized concern. Awareness creates a consistent baseline of security understanding across the whole organization, focusing on the key or basic security subjects and issues that all employees must grasp. Awareness can be developed not only in the classroom but also in the workplace. Posters, notices, newsletter articles, screen savers, T-shirts, rally speeches by managers, announcements, presentations, mouse pads, office supplies and memos, as well as traditional instructor-led training sessions, can all be used to raise awareness.

Awareness establishes a lowest common denominator of security understanding. All employees should understand their security obligations and liabilities; they should be taught what they should and should not do. Avoiding waste, fraud and unlawful activity are among the issues users should be aware of. From senior management to temporary interns, all members of a company require the same level of awareness. An organization's awareness program should be integrated with its security policy, incident response plan, business continuity plan and disaster recovery protocols. An effective awareness program must be fresh, inventive and updated frequently. The program should also be linked to an understanding of how corporate culture affects individual and organizational security. Employees may not feel obliged to follow security policies and standards if they do not see them enforced, especially at the awareness level.

Employees are taught how to do their jobs and follow the security policy through training. An organization usually conducts training for groups of employees who perform comparable job functions. All new employees must receive some amount of training in order to comply with the security policy's standards, guidelines and procedures.
New users must understand how to operate the IT infrastructure, where data is kept, and how and why resources are categorised. Many companies choose to train new employees before giving them network access, while others give new users limited access until training for their specific job position is completed. Training is a continuous process that must be maintained for each employee throughout the organization's lifespan. It is classified as an administrative security control.

To optimize the benefits, the methods and tactics used to present awareness and training should be revised and enhanced over time. This requires the collection and evaluation of training metrics, which could involve post-learning assessment as well as monitoring for work consistency and downtime, security events or mistakes. This can be thought of as a program evaluation.

Awareness and training are frequently provided in-house: the teaching resources are developed and distributed by and within the company. The next level of knowledge distribution, on the other hand, is frequently obtained from a third-party source. Education is a more in-depth endeavour in which students or users learn far more than they require to fulfil their job activities. Education is often associated with users who are obtaining a certification or seeking a promotion, and it is usually a requirement for security professionals looking for work. A security expert requires a wide understanding of security and of the local environment for the entire organization, not just their specialized work tasks.

Periodic content evaluations should be used to update the assessment of the levels of awareness, training and education required within the organization. As the organization evolves, training activities must be updated and fine-tuned. To keep the content current and relevant, new bold and subtle means of awareness should also be introduced.
Materials will get stale if they are not reviewed for content relevance on a regular basis, and staff will be forced to create their own norms and procedures. The security governance team is in charge of establishing security policies as well as providing training and education to help with their implementation.

2.3 The Importance of Policies and Procedures

Security Policies

A security policy is the highest level of formalization. A security policy is a document that outlines the level of security that an organization requires, as well as the assets that must be safeguarded and the lengths to which security solutions should go to provide that protection. The security policy is a summary or generalization of a company's security requirements. It specifies an organization's security structure and defines the primary security objectives. It also defines and clarifies all necessary terminology, as well as identifying the primary functional areas of data processing. It should state why security is vital as well as what the assets are worth. It is a long-term strategy for adopting security. It should provide a general overview of the security objectives and procedures that should be followed to safeguard the organization's essential interests. The document highlights the relevance of security in every area of daily business operations, as well as the importance of top management's support for it. The security policy is employed to assign duties, define roles, specify audit requirements, and explain the required levels of security. This document is frequently used as proof that senior management took reasonable precautions to protect the company from intrusion, attack, and disaster. Security policies must be followed.

To establish or explain their entire security approach, many businesses use a variety of security policies. An organizational security policy addresses concerns that affect every part of the business. A network service, department, function, or other area of the company that is separate from the rest of the organization is the focus of an issue-specific security policy. A system-specific security policy focuses on individual systems or categories of systems, prescribing appropriate hardware and software, describing ways for locking down a system, and even mandating firewall or other specific security controls.

In addition to these specific sorts of security policies, security policies are divided into three broad categories: regulatory, advisory, and instructive. When industry or legal requirements apply to your organization, you'll need a regulatory policy. This policy explains the rules that must be followed and the procedures that must be employed to ensure compliance. An advisory policy discusses appropriate behaviours and actions, as well as the penalties of violations. It explains top management's demand for organizational security and compliance. The majority of policies are advisory. An instructive policy is one that is intended to convey information or expertise about a specific topic, such as the organization's goals, mission statements, or how it interacts with partners and consumers. An instructive policy provides support, research, or background knowledge about the policy's specific components.

Many other documents or sub-elements are derived from security policies for a complete security solution. Standards, baselines, guidelines, and procedures provide more particular, granular information about the actual security solution, whereas policies provide general overviews. After security policies, there exist standards.

Security Procedures

The structured security policy structure concludes with procedures. A procedure, often known as a standard operating procedure (SOP), is a step-by-step document that explains how to apply a certain security mechanism, control, or solution. A procedure could cover the complete system deployment process or focus on a single product or aspect, such as firewall deployment or virus definition updates. Procedures are usually system and software specific. They must be updated as a system's hardware and software evolve. A procedure's objective is to assure the consistency of corporate processes. All activities should be compliant with policies, standards, and guidelines if everything is done according to a thorough procedure. Procedures aid in the uniformity of security across all systems.

Policies, standards, baselines, guidelines, and procedures are frequently formed as an afterthought in response to a consultant's or auditor's request. The management of a secure environment will be unable to use these documents as guidelines if they are not used and updated. And no environment will remain secure or represent sufficient due care and due diligence without the planning, design, structure, and oversight given by these documents. It's also typical to create a single document that incorporates parts of all of these elements. This should not be done. Because each of these structures performs a particular specialized purpose, they must exist as separate entities. There are fewer documents at the top of the formalization security policy documentation stack, since they cover generic, broad discussions of overview and aims. Because they contain specifics relevant to a small number of systems, networks, divisions, and locations, there are more documents deeper down the formalization structure (in other words, guidelines and procedures).

There are various advantages to keeping these documents as separate entities:

• Not all users need to know the security standards, baselines, guidelines, and procedures for all security classification levels.
• When changes occur, it is easier to update and redistribute only the affected material rather than updating a monolithic policy and redistributing it throughout the organization.

It can be difficult to create a comprehensive security policy and its supporting paperwork. Many businesses struggle to identify the fundamental criteria of their security, let alone document every facet of their daily operations. A precise and comprehensive security policy, on the other hand, theoretically supports real-world security in a targeted, efficient, and specialized manner. Once the security policy documentation is relatively detailed, it may be utilized to guide choices, train new users, respond to issues, and forecast future growth trends. A security policy should not be an afterthought, but rather an integral component of forming a company.

There are a few more things to consider when it comes to the documentation that makes up a full security policy. Policies, standards, guidelines, and procedures all have dependencies, as shown in Figure 2.2. The overall structure of organized security documentation is defined by security policies. Standards are then established based on those policies, as well as rules and contracts. The guidelines are drawn from these. Finally, procedures are built around the other three elements. Each of these documents' volume or size is represented by an inverted pyramid. Procedures are often far more numerous than any other component of a comprehensive security policy. In comparison to procedures, there are fewer guidelines, fewer standards, and even fewer overarching or organization-wide security policies.

[Figure 2.2: The comparative relationships of security policy components (inverted pyramid: Policies, Standards/Baselines, Guidelines, Procedures)]

2.4 Countermeasures

Education is the foundation of any security program. Users should be reminded on a regular basis by security personnel of the importance of choosing a safe password and keeping it secret.
Users should be trained when they initially join an organization, and they should be reminded about dangers on a regular basis, even if it's simply an email from the

Give people the information they need to establish safe passwords. Inform them about the methods used by attackers to guess passwords and offer tips on how to construct a strong password. Using a long sentence instead of a short password, such as "My son Richard likes to eat four pies.", is one of the more effective methods. If your system won't let you use long passwords, try using a mnemonic device, such as making a password consisting of the initial letter of each word of a long phrase. "My son Richard likes to eat four pies," for example, would become MsRlte4p, a very strong password. You might also want to consider giving users access to a secure tool for storing these strong passwords; Password Safe and LastPass are two popular options. Users can use these tools to create unique, secure passwords for each service they use without having to remember them all.

Overzealous security administrators make the error of creating a succession of strong passwords and then assigning them to users (who are then prevented from changing their password). This appears to be a decent security policy at first glance. When a person receives a password like Imf{A8F|, the first thing they will do is write it down on a sticky note and place it under their computer keyboard. Whoops! Security has been thrown out the window (or hidden beneath the keyboard)!

Emanation Security

Unauthorized individuals can intercept electrical signals or radiation sent by many electrical devices. These signals may convey sensitive, confidential, or private information. Wireless networking equipment and mobile phones are obvious examples of emanation devices, but many more gadgets are subject to interception. Monitors, modems, and internal or external media drives (hard drives, USB thumb drives, CDs, and so on) are some other examples. Unauthorized users can intercept electromagnetic or radio frequency signals (together referred to as emanations) from these devices and interpret them to extract confidential data with the correct equipment. Clearly, if a gadget sends a signal that can be intercepted by someone outside your business, security protection is required. TEMPEST countermeasures are the sorts of countermeasures and safeguards used to protect against emanation attacks. TEMPEST began as a government research project to safeguard electronic equipment from the electromagnetic pulse (EMP) caused by nuclear explosions. It has since evolved into a broader study of monitoring and preventing the interception of emanations. As a result, TEMPEST has become a formal name for a broad range of operations. TEMPEST countermeasures include Faraday cages, white noise, and control zones.

Faraday Cage

A Faraday cage is a box, transportable room, or entire building with an external metal shell, usually a wire mesh, that completely encloses an area on all sides (in other words, front, back, left, right, top, and bottom). This metal skin functions as an EMI-absorbing capacitor (thus the name, which honours Michael Faraday, a pioneer in the science of electromagnetism) that stops electromagnetic signals (emanations) from leaving or entering the cage's enclosed region. Faraday cages are very good at blocking electromagnetic waves. Mobile phones do not work inside an active Faraday cage, and you cannot receive broadcast radio or television stations.

White Noise

White noise simply refers to the continuous broadcast of bogus communications in order to mask and obscure the presence of real emanations. A real signal from another source that is not confidential, a constant signal at a specific frequency, a randomly variable signal (such as the white noise heard between radio stations or television stations), or even a jam signal that causes interception equipment to fail are all examples of white noise. The most effective use of white noise is to generate it around the periphery of a space and broadcast it outward, to protect the internal area where emanations may be required for normal operations.

Control Zone

A control zone is a third sort of TEMPEST countermeasure that involves using either a Faraday cage or a white noise generator, or both, to safeguard a specified area in an environment while leaving the rest of the environment unaffected. A control zone can be a single room, a floor, or the entire structure. Control zones are places where required equipment, such as wireless networking, mobile phones, radios, and televisions, support and utilise emanation signals. Emanation interception is stopped or prevented outside of the control zones using a variety of TEMPEST countermeasures.

Modification Attacks

Captured packets are altered and then played against a system in modification attacks. The purpose of modified packets is to get around the limitations of enhanced authentication systems and session sequencing. Digital signature verification and packet checksum verification are two countermeasures to modification replay attacks.

Countermeasures and Safeguards against DoS/DDoS Attacks

• Add firewalls, routers, and intrusion detection systems (IDSs) that detect DoS traffic and automatically block the port or filter out packets based on the source or destination address.
• Maintain good contact with your service provider in order to request filtering services when a DoS occurs.
• Disable echo replies on external systems.
• Disable broadcast features on border systems.
• Block spoofed packets from entering or leaving your network.
• Keep all systems patched with the most current security updates from vendors.
• Consider commercial DoS protection/response services like CloudFlare's DDoS mitigation or Prolexic. These can be expensive, but they are often effective.

Preventive Countermeasures

In an ideal world, an organization can totally avoid incidents by employing preventative actions. This section discusses many security rules that can help prevent many attacks, as well as a number of well-known attacks. An organization will wish to discover an event as quickly as feasible if one occurs. One way that businesses identify incidents is through intrusion detection and prevention systems, which are covered in this section, along with some specific actions that organizations can take to detect and prevent successful assaults.

Basic Preventive Measures

While there is no single action you can take to defend yourself from all forms of assaults, there are some fundamental steps you can take to protect yourself from many of them. Many of these processes are discussed in greater detail in other sections of the book, but they are provided here as an overview of this part.

• Keep systems and applications up to date. Patches are constantly released by vendors to fix bugs and security problems, but they only help if they're installed. Patch management keeps systems and apps up to date with the latest fixes.
• Remove or disable unneeded services and protocols. A system should not be running a service or protocol it does not require. A vulnerability in a service or protocol that isn't running on a system can't be exploited by an attacker. Consider the case where a web server is executing every service and protocol available. Any of these services and protocols are subject to potential attacks.
• Use intrusion detection and prevention systems. Intrusion detection and prevention systems keep an eye on what's going on, try to spot threats, and send out notifications. They can frequently stop or block attacks. This chapter goes into greater detail about these systems.
• Update your anti-malware software.
• Use firewalls. Many different forms of attacks can be prevented by using a firewall. Individual systems are protected by network-based firewalls, whereas entire networks are protected by host-based firewalls.
• Implement configuration and system management processes. Configuration and system management techniques assist in ensuring that systems are launched securely and stay secure throughout their lives.

Objectives

Now you will be able to:

• Describe the idea of security trends and concepts.
• Describe security awareness and training.
• Discuss security policies and procedures.
• Identify security countermeasures.

Review Questions

1. Describe the term "security trend" in your own words.
2. Briefly describe security awareness.
3. Differentiate between security policies and procedures.
4. What is called emanation?
5. Describe three preventive countermeasures.

Session 3
Information Security Concepts

References:
[1] Principles of Computer Security, Fourth Edition, by W.M. Arthur Conklin and Greg White, published by McGraw Hill Education

Contents
Introduction
3.1 Security Basics
3.2 Security Approaches
3.3 Security Tenets
3.3.1 Session Management
3.3.2 Exception Management
3.3.3 Configuration Management
3.4 Security Principles
3.4.1 Least Privilege
3.4.2 Separation of Privilege
3.4.3 Fail-Safe Defaults
3.4.4 Economy of Mechanism
3.4.5 Complete Mediation
3.4.6 Open Design
3.4.7 Least Common Mechanism
3.4.8 Psychological Acceptability
3.4.9 Defence in Depth
3.4.10 Diversity of Defence
Objectives
Review Questions

Introduction

You learned about some of the risks that we encounter on a regular basis as security professionals. This chapter introduces you to the area of computer security. The field of computer security is supported by a set of core ideas.
This chapter will begin with an overview of security models and concepts before moving on to how they are used in practice.

3.1 The Idea of Security

Computer security is a broad term with numerous definitions and synonyms. The measures used to ensure that a system is secure are referred to as computer security. In terms of computer security, issues like authentication and access controls must be handled. In today's environment, computers are almost always connected to other computers via networks. The term network security is subsequently introduced to refer to the protection of many computers and other devices that are linked together. Two other phrases related to these two are information security and information assurance, which emphasize the security process on the data processed by the systems rather than on the hardware and software used. Another concept introduced by assurance is the availability of systems and information when we need them. The term cybersecurity has been used by the general public and many professionals to define the topic. Another term in the security sector is COMSEC, which stands for communications security and refers to the protection of telecommunications networks.

With allegations of data breaches, fraud, and a variety of other disasters, cybersecurity has become a regular headline topic these days. The general public has become increasingly aware of its reliance on computers and networks, and as a result, the security of these computers and networks has piqued their attention. Several new terminologies have become widespread in conversations and print as a result of the increasing public awareness. Hacking, virus, TCP/IP, encryption, and firewalls are all terms that are now commonly used in the mainstream press and have crept into everyday discourse. What used to be the domain of scientists and engineers is now commonplace. With our growing reliance on computers and networks for everything from grocery shopping to banking, stock trading, and medical treatment to taking our children to school, ensuring that computers and networks are safe has become critical. Computers and the data they handle have infiltrated almost every area of our lives.

3.2 Security Approaches

A business can take one of many approaches to network security: disregard security concerns, provide host security, provide network-level security, or provide a combination of the two. Host security and network-level security, the middle two, have prevention, detection, and response components. Rather than viewing these two techniques as separate answers, a mature organization employs them in tandem. If a company chooses to disregard security, it will only use the bare minimum of security features available on its workstations, servers, and devices. There will be no additional security measures implemented. Certain security settings can be configured on every "out of the box" system, and they should be. However, protecting an entire network needs labour in addition to the limited protection methods that come standard with systems.

Host Security

Instead of tackling network security as a whole, host security takes a granular approach to security by focusing on safeguarding each computer and device individually. When using host security, each computer is expected to secure itself. There is a substantial risk of introducing or overlooking vulnerabilities if a company decides to deploy only host security and ignore network security. Different operating systems (Windows, UNIX, Linux, OS X), different versions of those operating systems, and different types of installed programs can be found in most contexts. Each operating system has its own security configurations, and even different versions of the same operating system may have slight differences in security setups. Host security is critical and should be addressed at all times.
However, security should not end there, as host security is a complementary procedure that should be used in conjunction with network security. If individual host machines include weaknesses, network security can give an additional layer of defense, hopefully preventing any intruders from getting that far into the environment.

Network Security

In some smaller situations, host security may suffice, but as systems become more interconnected, security should extend to the network itself. Controlling access to internal computers from external entities is emphasized in network security. Devices such as routers, firewalls, authentication hardware and software, encryption, and intrusion detection systems (IDSs) can provide this control. Because no two networks have exactly the same number of machines, installed applications, users, configurations, or available servers, network environments tend to be distinct entities. They will not have the same functionality or architecture. Because networks come in so many shapes and sizes, there are numerous ways to safeguard and configure them. This chapter introduces some basic network and host security concepts. Each technique can be applied in a variety of ways, but for an effective complete security program, both network and host security must be addressed.

3.3 Security Tenets

There are additional tenets that constitute the foundation for system security in addition to the CIA elements. Session management, exception management, and configuration management are the three operational tenets found in secure deployments.

3.3.1 Session Management

Session management is a collection of procedures for establishing a communication channel between two parties and identifying each in such a way that subsequent activity does not need to be authenticated again. Session management allows an application to authenticate only once and then attribute subsequent actions to the authenticated user. Sessions are commonly employed in web applications to keep track of state and user data between normally stateless actions. Sessions are often identifiable by a unique ID that is shared by both parties. This ID can be used to identify the user in the future. If confidentiality is necessary, the channel should be protected using a suitable level of cryptography. Session management encompasses all operations related to the administration of the dialogue, from its inception to its conclusion. Because the session reflects the continuation of a security condition established during authentication, the session ID should be protected to the same level as the level of security first established.

3.3.2 Exception Management

Exceptions are situations that are invoked outside of the normal flow of operations. Exceptions are deviations from normal processes that must be controlled, whether they are caused by human error or malicious intent. Special processing necessitated by conditions outside of usual parameters might lead to errors locally or in subsequent operations in a system. Exception handling, often known as error handling, is an important concern throughout software development. In software development, exception management encompasses more than just exception handling. When a system experiences an exception, whether caused by a person, process, technology, or a mix of these factors, the system must be able to efficiently address the situation. This might signify a variety of things, including working outside of usual policy parameters.
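Before the discussion turns to the nontechnical side of exceptions, here is an added example (not from the course book) of the two tenets above: a small session store whose IDs come from the operating system's random generator, which keeps only a hash of each ID, expires idle sessions, and fails closed when validation hits any error. The 15-minute timeout, the class and function names and the logger name are assumptions of this example.

```python
import hashlib
import logging
import secrets
import time

# Added example, not from the course book: a minimal server-side session store
# applying the session management tenet (3.3.1) and failing closed on errors
# as the exception management tenet (3.3.2) asks. Names and the 15-minute
# idle timeout are assumptions of this example.

log = logging.getLogger("sessions")
DEFAULT_IDLE_TIMEOUT = 15 * 60   # seconds; assumed value


class SessionStore:
    """Maps unguessable session IDs to authenticated users."""

    def __init__(self, idle_timeout=DEFAULT_IDLE_TIMEOUT, clock=time.time):
        self._sessions = {}          # sha256(session_id) -> {"user", "last_seen"}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable so expiry can be tested offline

    @staticmethod
    def _key(session_id):
        # Only the hash of the ID is stored, so a leaked store does not yield
        # usable IDs; the ID itself deserves the same protection as a password.
        if not isinstance(session_id, str) or len(session_id) < 32:
            raise ValueError("malformed session ID")
        return hashlib.sha256(session_id.encode("ascii")).hexdigest()

    def create(self, user):
        """Inception of the dialogue: issue an ID once the user is authenticated."""
        # 32 bytes from the OS CSPRNG (43 URL-safe characters); never a counter
        # or a timestamp, which an attacker could predict.
        session_id = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(session_id)] = {"user": user, "last_seen": now}
        return session_id

    def resolve(self, session_id):
        """Return the user behind a valid ID, or None.

        Every failure path yields None: unknown ID, idle timeout, malformed
        input, or an unexpected error. The system handles the exception and
        keeps running rather than granting access on a fault.
        """
        try:
            key = self._key(session_id)
            entry = self._sessions.get(key)
            if entry is None:
                return None
            now = self._clock()
            if now - entry["last_seen"] > self._idle_timeout:
                # Conclusion of the dialogue by timeout: discard the session.
                del self._sessions[key]
                return None
            entry["last_seen"] = now
            return entry["user"]
        except Exception as exc:        # e.g. non-ASCII or non-string input
            log.warning("session check failed closed: %r", exc)
            return None

    def destroy(self, session_id):
        """Explicit logout: conclusion of the dialogue by the user."""
        try:
            self._sessions.pop(self._key(session_id), None)
        except ValueError:
            pass

    def active_sessions(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("valid ID resolves to:", store.resolve(sid))
    print("tampered ID resolves to:", store.resolve(sid[:-1] + "!"))
    store.destroy(sid)
    print("after logout:", store.resolve(sid))
```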
Exception management can also be nontechnical: systems or environments that do not comply with corporate security policy, for example, must be recorded, exceptions must be approved, and mitigation must be implemented to reduce the risk associated with policy exceptions. The bottom line is straightforward: either the system must manage the situation and recover, or it must fail and be recovered separately. Because exceptions will occur, and how they are handled is the only uncertain consequence, designing in exception handling makes a system more durable.

3.3.3 Configuration Management

Configuration management is essential for IT systems to function properly. First and foremost, IT systems are collections of parts that work together to produce a desired outcome. All of the components in a system must be configured and provisioned properly for the system to function properly. Configuration management is the process of designing and operating the parts that assure a system's correct functional environment.

3.4 Security Principles

Jerome Saltzer and Michael Schroeder, two MIT computer scientists, presented a paper on design principles for a secure computer system in the mid-1970s. The "Protection of Information in Computer Systems" paper by Saltzer and Schroeder has been praised as a fundamental work in computer security, and the eight design principles are as important now as they were in the 1970s. These ideas are useful in the design and operation of secure systems.

3.4.1 Least Privilege

The notion of least privilege is one of the most essential in security. This idea can be applied to a variety of physical locations, as well as network and host security. The term "least privilege" refers to a subject (which could be a user, application, or process) having only the rights and privileges required to complete its work, with no further authorization. Limiting a subject's privileges reduces the amount of damage that can be done, reducing the risk to an organization. Users may have access to files on their workstations and a limited selection of files on a file server, but they do not have access to the database's key data. This rule assists an organization in protecting its most sensitive resources and ensuring that anyone interacting with them has a legitimate reason to do so.

The concept of least privilege applies to more than just giving users specific rights and permissions in terms of network security. When trust relationships are established, they should not be set up in such a way that everyone trusts everyone else only to make things easy. For very particular reasons, one domain should trust another, and implementers should fully comprehend what the trust relationship between two domains enables. Do all users on a domain that trusts another automatically become trusted, allowing them to access any and all resources on the other domain? Is this a viable option? Is there a more secure technique to accomplish the same goal? If a trust relationship is established and users in one group have access to a plotter or printer that is only available on one domain, it may be more cost effective to just acquire another plotter so that other, more important or sensitive resources are not accessible to the entire group.

The security context in which an application runs is another issue that falls under the least privilege idea. On an operating system, all applications, scripts, and batch files execute in the security context of a specific user. As if they were a user, they run with certain rights. The program could be Microsoft Word and run in the context of a regular user, or it could be a diagnostic program that requires access to more sensitive system files and thus must run under an administrative user account, or it could be a backup program that should run in the context of a backup operator. The essence of the problem is that a program should only run in the security context that is required for it to fulfil its tasks properly. Various people in many environments don't truly understand how to make programs operate in multiple security contexts, or it may simply seem easier to run everything under the administrator account. If an attacker can compromise an application or service running under the administrator account, they have essentially increased their access level, giving them far greater power over the system and many more possibilities to wreak damage.

3.4.2 Separation of Privilege

Access can be granted depending on a variety of parameters using protection methods. One of the key ideas is to make decisions based on multiple sources of data. The notion of separation of privilege states that the protection mechanism should be designed to make access decisions based on more than one piece of information. When this notion is applied to the human side of security, the concept of separation of roles emerges. Separation of privilege applies to both physical and virtual environments, as well as network and host security. When it comes to people's actions, separation of roles means that more than one person is required for any given duty. The task is divided into various responsibilities, each of which is handled by a distinct person. No single individual can take advantage of the system by carrying out a task in this manner. For many years, this approach has been applied in the corporate sector, particularly in financial organizations. A basic example is a system in which one person must make an order and a different person must authorize the transaction. While separation of roles provides some checks and balances, it comes with its own set of disadvantages. The most important of these is the cost of doing the work. This expense comes in the form of both time and money. More than one person is necessary where a single person could have completed the activity, potentially raising the task's cost. Furthermore, when more than one person is engaged, a delay is inevitable before the task can be completed in its entirety.

3.4.3 Fail-Safe Defaults

The Internet is no longer the welcoming environment for scholars that it once was. As a result, several practices have emerged that may appear unfriendly at first, but are necessary for security reasons. The concept of fail-safe defaults states that when something fails, it should fail in a safe manner. A protection mechanism could, for example, prohibit access by default and only provide access when specific permission is granted. This is known as default deny, and implicit deny is a popular operational phrase for this method. Administrators make a lot of judgments about network access in the network environment. To determine whether or not to grant access, a set of rules is frequently applied (which is the purpose of a network firewall). If none of the rules apply to a given case, the implicit deny approach states that access should not be permitted. In other words, access should not be provided if no rule would allow it. Implicit deny applies to both permission and access circumstances. Allowing access unless a specified rule prohibits it is an alternative to implicit deny. Programs that monitor and prohibit access to certain web sites are another illustration of these two techniques. One method is to provide a list of sites that a user is not permitted to visit; access to any site that isn't on the list would be implicitly allowed. The implicit deny strategy, on the other hand, would prohibit all access to sites that aren't explicitly listed as approved. As you can expect, depending on the application, one approach will be more appropriate than the other. Which technique you take is determined by your company's security goals and policies.
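An added example (not from the course book) of the two evaluation styles described in this section: a first-match rule evaluator with an explicit default action for the firewall case, beside the block-list and allow-list versions of the web-site filter. The networks, ports and site names are constructed sample data.

```python
from ipaddress import ip_address, ip_network

# Added example, not from the course book: first-match rule evaluation with an
# explicit default action, covering the two cases the text describes (a
# firewall rule set and a web-site filter). Networks, ports and site names
# are constructed sample data.


class Rule:
    """One firewall rule: action applied to traffic from a network/port."""

    def __init__(self, action, src_network, dst_port=None):
        assert action in ("allow", "deny")
        self.action = action
        self.src_network = ip_network(src_network)
        self.dst_port = dst_port        # None matches any port

    def matches(self, src_ip, dst_port):
        return (ip_address(src_ip) in self.src_network
                and (self.dst_port is None or self.dst_port == dst_port))


def evaluate(rules, src_ip, dst_port, default="deny"):
    """Walk the rules in order; the first match wins.

    `default` is what happens when no rule applies: "deny" is implicit deny,
    "allow" is the alternative the text describes. A malformed request is
    denied whatever the default was: that is the fail-safe part.
    """
    try:
        for rule in rules:
            if rule.matches(src_ip, dst_port):
                return rule.action
    except ValueError:          # unparsable address: fail safe, never open
        return "deny"
    return default


def blocklist_filter(blocked_sites, site):
    """Web filter, first style: sites not on the list are implicitly allowed."""
    return "deny" if site in blocked_sites else "allow"


def allowlist_filter(approved_sites, site):
    """Web filter, second style: sites not on the list are implicitly denied."""
    return "allow" if site in approved_sites else "deny"


# Constructed rule set: only HTTPS from the office LAN, anything from the
# admin subnet. Nothing mentions 172.16.0.0/12, so traffic from there is
# decided purely by the default.
RULES = [
    Rule("allow", "10.0.0.0/24", 443),
    Rule("deny", "10.0.0.0/24"),
    Rule("allow", "192.168.1.0/24"),
]


if __name__ == "__main__":
    for src, port in [("10.0.0.5", 443), ("10.0.0.5", 22), ("172.16.0.1", 80)]:
        print(src, port,
              "implicit deny ->", evaluate(RULES, src, port),
              "| implicit allow ->", evaluate(RULES, src, port, default="allow"))
```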
3.4.4 Economy of Mechanism

Security and complexity are frequently at odds: the more complicated something is, the more difficult it is to understand, and you cannot effectively secure anything you do not understand. Complexity is also a security issue because it provides far too many opportunities for something to go wrong. There are far fewer places for buffer overflows in a 4,000-line program than in a two-million-line program, for example. The principle of economy of mechanism says that when simple solutions are available, they should always be used. The number of services your system runs is an example of the principle in practice. When operating systems are installed with default settings, many services are commonly left running. The keep-it-simple approach tells us to remove or disable the services we do not require. This is good security practice because it reduces the number of programs that can be exploited and the number of services the administrator must secure. As a general rule, all non-essential services and protocols should be removed or disabled. Of course, this raises the question of how to decide whether a service or protocol is necessary. If you know what your system or network is used for, you should be able to identify and enable only the features that are necessary; for a variety of reasons this is not as simple as it appears. A stricter strategy is to start from the assumption that no service is required (unrealistic as an end state, but a useful starting point) and to enable services and ports only as the need for each one is demonstrated. Whatever method you use, the battle to strike a balance between providing functionality and ensuring security is never-ending.

3.4.5 Complete Mediation

One of the basic concepts of a security system is that every access request must be checked for authorization.
The authorization must be checked every time a subject requests access to an object; otherwise an attacker could gain unauthorized access to the object. Complete mediation refers to this principle of verifying each and every request. Performance can be improved by validating permissions the first time and caching the result for later use, but this opens the door to permission errors: if a permission changes after the first use, the change will not affect operations performed after the initial check. Complete mediation also means that all operations must pass through the protection mechanism. When security measures are added after the fact, it is critical to ensure that they cover all process flows, including exceptions and out-of-band requests. If an automated procedure is checked one way while a manual, paper-based backup process is checked another way, it is critical to ensure that all the checks are still in place. Complete mediation is also required when a system goes through disaster recovery or business continuity operations, and during backup and restoration processes.

3.4.6 Open Design

The open design principle states that the protection of an object should not rely on the secrecy of the protection mechanism itself. This notion has long been established in cryptographic circles (it is known there as Kerckhoffs's principle), where genuine protection relies on the secrecy of the keys and the difficulty of recovering them, rather than on hiding the algorithm. The principle does not rule out the use of secrets; it asserts that the secrecy of the mechanism is, by itself, insufficient for protection. Another notion worth discussing in this context is security by obscurity. In this approach, security is regarded as effective if the environment and the protective systems are confusing to, or assumed to be unknown to, the attacker. Security by obscurity tries to protect something by hiding it.
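The caching problem described under complete mediation, shown on a small reference monitor. This is an added illustration, not code from the course book; the access control list, the file contents and the user names are constructed. Three stores read the same file: one asks the monitor on every read, one caches the first answer and never asks again, and one caches but invalidates its entry whenever the monitor's revision counter changes. After bob's permission is revoked, only the middle one still lets him read.

```python
"""Complete mediation: authorization is checked on every access, and what
goes wrong when a decision is cached and the permission later changes.
Added illustration, not code from the course book; ACL entries, file
contents and user names are constructed."""
from typing import Dict, Set, Tuple


class ReferenceMonitor:
    """Holds the access control list and answers every access question."""

    def __init__(self) -> None:
        self.acl: Dict[str, Set[Tuple[str, str]]] = {}  # object -> {(subject, op)}
        self.revision = 0  # incremented on every change; used by the safe cache

    def grant(self, subject: str, obj: str, op: str) -> None:
        self.acl.setdefault(obj, set()).add((subject, op))
        self.revision += 1

    def revoke(self, subject: str, obj: str, op: str) -> None:
        self.acl.get(obj, set()).discard((subject, op))
        self.revision += 1

    def is_authorized(self, subject: str, obj: str, op: str) -> bool:
        return (subject, op) in self.acl.get(obj, set())


class FileStore:
    """Every read consults the monitor: complete mediation."""

    def __init__(self, monitor: ReferenceMonitor, files: Dict[str, str]) -> None:
        self.monitor = monitor
        self.files = files

    def read(self, subject: str, name: str) -> str:
        if not self.monitor.is_authorized(subject, name, "read"):
            raise PermissionError(f"{subject} may not read {name}")
        return self.files[name]


class CachingFileStore(FileStore):
    """Checks once per (subject, file) and remembers the answer. Faster,
    but a later revoke never reaches it: mediation is incomplete."""

    def __init__(self, monitor: ReferenceMonitor, files: Dict[str, str]) -> None:
        super().__init__(monitor, files)
        self.cache: Dict[Tuple[str, str], bool] = {}

    def read(self, subject: str, name: str) -> str:
        key = (subject, name)
        if key not in self.cache:
            self.cache[key] = self.monitor.is_authorized(subject, name, "read")
        if not self.cache[key]:
            raise PermissionError(f"{subject} may not read {name}")
        return self.files[name]


class RevisionCachingFileStore(FileStore):
    """Caches too, but tags each entry with the monitor's revision, so any
    ACL change forces a fresh check. Lookups are saved between changes
    without giving up complete mediation."""

    def __init__(self, monitor: ReferenceMonitor, files: Dict[str, str]) -> None:
        super().__init__(monitor, files)
        self.cache: Dict[Tuple[str, str], Tuple[int, bool]] = {}

    def read(self, subject: str, name: str) -> str:
        key = (subject, name)
        cached = self.cache.get(key)
        if cached is None or cached[0] != self.monitor.revision:
            cached = (self.monitor.revision,
                      self.monitor.is_authorized(subject, name, "read"))
            self.cache[key] = cached
        if not cached[1]:
            raise PermissionError(f"{subject} may not read {name}")
        return self.files[name]


def attempt(store: FileStore, subject: str, name: str) -> str:
    """Return 'allowed' or 'denied' so outcomes can be compared."""
    try:
        store.read(subject, name)
        return "allowed"
    except PermissionError:
        return "denied"


def demo() -> Dict[str, str]:
    """Grant bob read access, warm every store, revoke it, then read again."""
    monitor = ReferenceMonitor()
    files = {"payroll.csv": "alice,5000\nbob,4200\n"}  # constructed sample
    monitor.grant("bob", "payroll.csv", "read")
    stores = {
        "strict": FileStore(monitor, files),
        "cached": CachingFileStore(monitor, files),
        "revision_cached": RevisionCachingFileStore(monitor, files),
    }
    for store in stores.values():
        attempt(store, "bob", "payroll.csv")   # all allowed; caches warmed
    monitor.revoke("bob", "payroll.csv", "read")
    return {name: attempt(store, "bob", "payroll.csv")
            for name, store in stores.items()}


if __name__ == "__main__":
    print(demo())
```

The revision counter is the simplest form of cache invalidation; real systems use the same idea with policy version numbers or explicit invalidation messages, and the check that matters is the one at the point of use, not the one that ran when the session started.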
Non-computer instances of this notion include hiding your briefcase or purse when you leave it in the car, hiding a house key under a doormat or in a planter, or pushing your favourite ice cream to the back of the freezer to fool everyone else. According to this theory, if something is out of sight it is out of mind. However, this method does not provide genuine protection of the object. Someone may still steal the purse by breaking into the car, lift the doormat to find the key, or dig through the freezer to find the ice cream. Although obscurity may make someone work a little harder to complete a task, it does not prevent them from succeeding in the end. Similar tactics are used in computer and network security to hide particular items. For example, a network administrator might move a service from its default port to a different port so that others cannot find it as easily, or a firewall might be set up to hide specific information about the internal network so that potential attackers cannot use it in an attack. Security by obscurity is regarded as a poor technique in most security circles, especially when it is the only approach to security. It merely seeks to conceal an object rather than implementing a security control to safeguard it. An organization can use obscurity to hide important assets, but other security measures should also be in place to provide real protection. For example, even if an administrator moves a service from its default port to a less conspicuous one, a port scan will still identify it; therefore a firewall should be used to limit access to the service. Most people are aware that ice cream hidden at the back of the freezer will eventually be discovered.

3.4.7 Least Common Mechanism

The principle of least common mechanism states that access mechanisms should be dedicated rather than shared.
Sharing mechanisms allows for possible channel crossover, resulting in a protection failure mode. If a module allows employees to check their payroll information, for example, a separate module should be used to change that information, lest a user gain the ability to change it when they should only be able to read it. Sharing and reuse are beneficial in one sense, but they can pose a security concern in another. Everyday systems contain several examples of the least common mechanism and its isolation principle. Sandboxing is a technique for isolating an application's operation from the rest of the operating system. Virtual machines do the same between operating systems on a single piece of hardware. Another example is the separate instantiation of shared libraries, so that each process works with its own instance of the library's classes and state rather than one shared with other users. The key is to create a barrier between processes so that data cannot flow between users unless the system is specifically designed to allow it.

3.4.8 Psychological Acceptability

Psychological acceptability refers to users' acceptance of security measures. Users play an important part in the operation of a system, and if security measures are seen as an obstruction to the task a user is responsible for, the user may bypass the control. Although a user may recognize that this could cause a security issue, the feeling that the control makes them perform poorly puts pressure on them to bypass it. Security professionals who are focused on technical difficulties and on how they perceive the threat frequently neglect psychological acceptability. They are focused on the threat, which is their professional obligation, so security is a natural extension of their work. This congruence of security and job responsibilities does not necessarily hold for other positions in a company.
Security experts, particularly those responsible for designing security systems, should not only be aware of this principle but also pay close attention to how security measures will be seen by workers in the context of their job responsibilities, rather than judging them on security grounds alone.

3.4.9 Defence in Depth

Defense in depth is a principle that entails employing a variety of defensive mechanisms in order to improve the defensive response to an attack. Layered security is another term for defense in depth. Single points of failure are exactly that: opportunities to fail. A system becomes stronger when several defenses are used, each with its own independent point of failure. While one defensive mechanism may not be 100 percent effective, applying a second mechanism to whatever gets past the first gives a more robust response. Layered security and diversity of defense are two complementary techniques that can be used in a defense-in-depth approach; together they provide a defense-in-depth system that is more effective than any single layer. A bank does not rely on its vault alone to protect the money it holds. One or more security guards serve as a first line of defense, watching for suspicious activity and securing the facility when the bank is closed. It may have surveillance systems that monitor various activities in the bank, whether they involve customers or personnel. Because the vault is normally in the middle of the building, there are layers of rooms or walls to pass through before reaching it. There is access control, which ensures that anyone accessing the vault must first have permission. And in the event that a determined bank robber penetrates these layers of protection, the alarm systems, including manual switches, are connected directly to the police station. The same layered security architecture should be used in networks.
Because there is no such thing as a 100 percent secure or fool-proof system, no single protective mechanism should ever be relied upon entirely. It is critical for every environment to have multiple layers of protection. Routers, firewalls, network segmentation, intrusion detection systems (IDSs), encryption, authentication software, physical security and traffic control are some of the technologies used in these layers. The layers must work together, so that one does not obstruct the functionality of another and thereby create a security flaw. Consider the steps an attacker would have to take to reach critical information stored in a company's back-end database. The attacker must first get past the firewall, using packets and methods that the IDS will not recognize or detect. The attacker must next get past an internal router that performs packet filtering, as well as a firewall that separates one internal network from another (see Figure 3.1). After that, the attacker must defeat the database's access controls, which requires a dictionary or brute-force attack to gain access to the database software. Even then, the data must still be located within the database, and access control lists that define who may see or edit the data can make that harder still. That is a significant amount of effort.

[Figure 3.1 Layered security. Labels recoverable from the figure: packet-filtering firewall, database.]

This illustration shows the several layers of protection that many environments employ. It is critical to design multiple layers because if attackers succeed at one, you need to be able to stop them at the next. The redundancy of several protection layers means there is no single point of failure in the security design. If a network's assets were protected only by a firewall, an attacker who penetrated that device would find the rest of the network exposed and unprotected.
Firewalls that encounter encrypted network traffic show how different security approaches can work against each other. A business may use encryption to ensure that sensitive data sent between an outside customer and a particular web server is protected. If that data is carried inside Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connections and then passes through a firewall, the firewall cannot read the payload of the individual packets, and so cannot inspect them for attacks. As shown in Figure 3.2, the layers are commonly drawn starting at the top with more generic types of security and proceeding downward with increasing granularity as you approach the actual resource. This is because the top-layer protection mechanism is responsible for inspecting a huge volume of traffic, and inspecting every aspect of every packet there would be overwhelming and cause too much performance degradation. Instead, each layer digs further into the packet in search of specific things. Layers closer to the resource handle a fraction of the traffic that the top-layer mechanism does, so looking deeper and at more granular features of the traffic does not have as large an impact on performance.

[Figure 3.2 Various layers of security. Labels recoverable from the figure: host security, audit logs (detection).]

3.4.10 Diversity of Defence

Diversity of defense is a concept that goes hand in hand with multiple layers of protection. It entails making the layers dissimilar, so that even if attackers figure out how to get through one layer, they may not know how to get through another that uses a different security mechanism. If an environment has two firewalls forming a demilitarized zone (DMZ), one firewall may be placed at the perimeter between the Internet and the DMZ. This firewall examines the traffic that passes through that access point and imposes its own restrictions.
Between the DMZ and the internal network sits the other firewall. Following the diversity-of-defense idea, you should set up the two firewalls to filter for different kinds of traffic and impose different restrictions. For example, the first firewall may block FTP, SNMP and Telnet traffic from entering the network while allowing SMTP, SSH, HTTP and SSL traffic to pass. The second firewall may refuse SSL or SSH traffic and, in addition, inspect SMTP and HTTP traffic to ensure that particular kinds of attacks are not present.

Objectives

Now you will be able to:
• Understand the concept of security approaches.
• Know the different tenets of security.
• Understand the security principles and describe the areas in which each applies.

Review Questions

9. Describe the security approaches.
10. Briefly describe two security tenets.
11. What is meant by separation of privilege?
12. Explain the various layers of security.
13. Explain diversity of defense.
