[CYBER SECURITY]

1 INTRODUCTION
UNIT

INTRODUCTION TO COMPUTER SECURITY

The internet has become an inseparable part of our lives and it has
transformed the way we live positively. But as technology is increasing at a
very high pace, it is also bringing along various computer security threats with
it. To understand what is computer security and how it affects our lives, you
need to keep reading the article so that you can understand the concept and
threats prevailing in this regard.

You cannot avoid the existence of security threats but can sure be aware and
stay alert. Various cyber security standards have been developed to protect
the information and data of the people and it also provides certain measures
through which people can seek redressal when they have been attacked by
any sort of cyber security threat. If you wish to become a cyber security
professional, start by enrolling yourself in IT Security classes and gain insights
about how cyber security works.

What is Computer Security in Cyber Security?

Computer security is also known as cyber security. It is an operational system

that is set up for computers so that it can protect the data and information
that is stored in the particular system. Computer security means the
protection system that is installed in the computer systems so that it can
protect the important data and information that is stored in the computer
from unauthorized access, misuse of information and data, and information

UNIT - I 1
[CYBER SECURITY]

and data theft. Computer security in cyber security protects various

applications and systems from other malicious activities.

The definition of computer security somewhat goes like this: Computer

security or cyber security is a system that protects critical information and
data that are stored in a computer system from unauthorized use, harm, theft,
misuse, etc.

These are generally used for preventing computer software because the
computer hardware is already protected in some sort of locker or safe place.
so the computer software is vulnerable and needs protection which these
computer security systems offer. These complex security tactics and practices
are hard to break and prevent hackers from getting their hands on critical
information. These systems are developed for preventing the vulnerable and
critical information and data that if exposed, will cause huge losses to a single
entity or a company as a whole.

Importance of Computer Security

You may have come across questions like 'what is computer security, explain'
or 'what is the importance of computer security?' Computer security is
important because it makes sure that your information and data are safe. It
may be related to your business, health, or personal information. Computer
security provides the features of availability, integrity, and confidentiality for
the computer system. The following are the reasons why computer security is
considered important:

UNIT - I 2
[CYBER SECURITY]

1. To Protect Personal Information

To prevent yourself from cyber threats, make sure that you protect your
personal information and data. The issue with Information Technology is a big
one that is still prevailing which is responsible for protecting your personal
information and critical data.

You must keep your information and data safe and you can do that by
implementing the below-mentioned steps:

 Implement an anti-virus software.

 Update the operating system of your computer regularly.
 Apply smart password and other locks.
 Always take a backup of your critical data information.
 Use computer locks for safety.
 Do not fall for the traps of phishing emails.
2. To Protect Company Properties

A company involves a lot of sensitive information and assets. It is very

important to protect the organization's important information and sensitive
data so that it can prevent itself from any unauthorized access or misuse. So,
a company does not compromise the security of its computer system because
if the information gets out then the company has to incur huge losses.
Installing a security system in the computers ensures IT protection which
indeed helps the companies to protect their sensitive data and information.

3. To Prevent Data Theft

Data help means stealing any critical and sensitive information such as
account passwords, bank account details, health-related information,
personal information, important documents that are stored in the computer
systems and its servers, and so on.

Data theft can happen for multiple reasons that can be stated as follows:

 Stolen and weak credentials.

 Errors caused by humans.

UNIT - I 3
[CYBER SECURITY]

 Presence of any malicious insiders.

 Some application vulnerabilities.
To protect your system from Data theft you have to make sure that your
system is equipped with endpoint security, use relevant authentication,
identify sensitive data and log down your computer system.

4. To Prevent Malware and Viruses

Computer viruses and malware can be very annoying at times and computer
security can help you to prevent your system from these unwanted visitors. A
computer virus or malware can delete your important data and corrupt the
sensitive information that is stored in your computer system. It can also harm
your hard disk as it can spread from one computer to another with the help of
email programming.

So you must protect your computer system from computer viruses and
malware. You can do so why following these simple steps:

 Keep your software updated.

 Use paid and good professional software for antivirus.
 Apply a strong password to your computer system.
 Do not click irrelevant links on your system.
 Always back up your sensitive computer data.
 Only go through trusted and authorized security websites.
5. To Protect From Unauthorized Access

By installing computer security in your system, you will be able to understand

who is trying to get unauthorized access to your system. You can prevent your
computer system from being authorized to access it by implementing
computer security. It prevents hackers from getting access to your computer
system and controls your critical information. To stop hackers from humming
your sensitive data, you need to install a security system.

Now you know how to explain computer security and what its importance is.

UNIT - I 4
[CYBER SECURITY]

Computer Security Threats, Issues, Vulnerabilities

Threats to computer security are the potential rests that can cause
dysfunctioning of your computer system and can harm the sensitive
information and data that are stored in your computer. As technology is ever-
increasing, Cyber crimes are also increasing with the number of hackers pacing
in the market.

The major types of computer security threats, issues, and vulnerabilities are
stated as follows:

1. Viruses

A computer virus is a program that can cause a malfunction in your computer

system and it is installed without the permission or knowledge of the user. A
computer virus can replicate itself and multiply so that it can affect all the files
and documents in the computer system. It can very well corrupt your sensitive
information as well. These viruses can cause severe harm to the computer
system of the user and can also make it unusable.

2. Computer Worm

A computer worm also has a similar process of replicating itself just like a
computer virus. It does not need human interaction for replicating from one

UNIT - I 5
[CYBER SECURITY]

computer system to another. A computer worm can corrupt the files in your
computer system and can use all the storage space in your hard disc by
continuously replicating itself. It also slows down the speed of the computer
system and can create malfunctioning for the computer resources.

A computer worm also possesses the extra feature of modifying or deleting

the existing files and documents in your computer system. it can give access
to other malicious activities in your system. It is capable of stealing
information so that it can provide access to hackers to get into your system
without your knowledge.

3. Phishing

Phishing is a cyber crime that mainly exists in the form of a text message, e-
mail, telecommunication, or any other form of communication to the user for
that matter. It is an attempt by hackers to gain personal information about the
users by showing their false legitimacy. They try to see personal information
such as account passwords, OTP, bank details, etc. through which they can
trick the user and make them a victim of a phishing attack.

4. Botnet

The presence and functioning of a Botnet are also similar to that of a computer
virus in a way that the hackers install it in the computer system of the user
without their knowledge. It can replicate itself and transfer from one
computer system to another and the affected computers are called 'zombie
computers. The zombie computers are not safe for storing any sensitive
information on data because that can anyway be corrupted or completely
deleted. The infected computer, which has turned out to be a Botnet now,
performs malicious activities with unauthorized access at a large scale like
DDoS.

5. Rootkit

A Rootkit is a software that is designed to gain unauthorized access to

someone else's computer system without their permission. It can gain access
to restricted areas and can also mask its presence and the user will not know

UNIT - I 6
[CYBER SECURITY]

about its existence. Generally, hackers use rootkits for changing the system
configurations so that they can easily execute and go through the files on the
remote computer.

6. Keylogger

A keylogger is also a software that is designed especially for monitoring,

tracking, and recording all keyboard strokes that he does without being aware
of the fact that the system has been corrupted. A keylogger is also called a
keystroke logger and it is generally used by hackers to steal the login
credentials of the user.

Types of Computer Security

You may often think 'what is computer security and its types?' Here are some
of the major types of computer security practices and tactics that are followed
by users and organizations to protect their sensitive data, Software, and
hardware. The different types of computer security are very important to
protect the data stored in electronic systems and networks.

1. Application Security

When security features are introduced in the primary stage of the

development process, that is one it's known as application security. It is very
well capable of protecting your computer system from cyber security threats
such as unauthorized access and data breaches. Furthermore, it can also help

UNIT - I 7
[CYBER SECURITY]

your computer system to fight against SQL breaches and denial of service
attacks.

Some of the major application tools techniques are used for installing the
application security feature, such as software encryption, antivirus, firewall,
etc. and these help your system to build a wall against cyber attacks.

2. Information Security

Information security is a type of cyber security that specially focuses on the

methodology and techniques that are built for ensuring computer security.
Information security, as a Process was developed to protect the availability,
integrity, and confidentiality of computer systems from Data thefts,
unauthorized access, harm, and destruction.

Information security is commonly known as the CIA triad and this model is
used for protecting the integrity, availability, and confidentiality of
organizational data so that productivity is maintained.

3. Network Security

Network security as the name suggests is another type of computer security

that protects your computer system from authorized intrusions and access to
your computer networks. It is similar to information security in a way that it
also protects the integrity, availability, and confidentiality of your computer
networks. Network security is designed in a way with a lot of configurations
that it performs to its best abilities. it includes the safety of both Software and
hardware.

There are various network security methods and components that help
computer networks to be safe and secure. These are stated as follows:

 Application security
 Anti-virus software
 Behavioral analysis
 Firewall

UNIT - I 8
[CYBER SECURITY]

 Email security
 Web security
 Wireless security
 Network access control
 Network segmentation
 Virtual private network
4. Endpoint Security

Any error that is committed by a human can be easily exploited by hackers or

cyber criminals. End users are facing a huge security risk in any organization.
End users become the victims of Cybercrimes because of their lack of
knowledge about IT protection and policies. Because they lack awareness,
they can unknowingly give access to their computer systems to Cyber
criminals.

So it is important to understand the comprehensive security policies and

procedures so that you do not fall into the trap of cyber criminals and always
stay alert. Awareness training programs should be arranged for enhancing
their knowledge about computer security and its threats.

5. Internet Security

Internet security is the most recent type of computer security that has reached
a boom period in recent times. It is a method for creating a perfect set of rules
and actions to prevent any unauthorized use or harm to computer systems
that are directly connected to the internet.

It is the newest branch of computer security that specifically deals with the
risks and threats that comes with the internet which is enumerated as follows:

 Hacking
 Computer viruses
 Malware
 Denial of service attacks
As you can see computer security protects the hardware and software of a
computer system. If you want to know more about computer security in detail

UNIT - I 9
[CYBER SECURITY]

and become a cyber security professional then take the best Ethical Hacking
course online and know all about cyber security threats and protection
measures.

Steps to Ensure Computer Security

Whether you use your computer for your personal work or your professional
job, make sure it is free from security threats. A broad range of threats is
considered when it comes to computer security. As an active user, it is your
responsibility that you take essential measures for ensuring the security of
your computer system.

Here are some of the easy steps by which you can ensure the security of your
computer system:

 Always keep your computer system and software updated to its latest
version.
 If you are suspicious about having any malfunction in your system then do
check it thoroughly.
 Install a protective firewall in your computer system.
 Adjust your browser settings and remove the risks of malware.
 Install good antivirus software in your system.
 Set a password and protection lock to secure your device.
 Make sure that you encrypt your data so that any man cannot get the
hang of the information.
 Use a VPN for additional production of your device.
 Do not click emails or links sent to you by unknown members.
 Ignore the pop-ups and do not click on them.
 Perform regular system backups and scans.
THREATS
Cybersecurity threats are acts performed by individuals with harmful intent,
whose goal is to steal data, cause damage to or disrupt computing systems.
Common categories of cyber threats include malware, social engineering, man
in the middle (MitM) attacks, denial of service (DoS), and injection attacks—we
describe each of these categories in more detail below.

UNIT - I 10
[CYBER SECURITY]

Cyber threats can originate from a variety of sources, from hostile nation states
and terrorist groups, to individual hackers, to trusted individuals like employees
or contractors, who abuse their privileges to perform malicious acts.

Common Sources of Cyber Threats

Here are several common sources of cyber threats against organizations:

 Nation states—hostile countries can launch cyber attacks against local

companies and institutions, aiming to interfere with communications,
cause disorder, and inflict damage.
 Terrorist organizations—terrorists conduct cyber attacks aimed at
destroying or abusing critical infrastructure, threaten national security,
disrupt economies, and cause bodily harm to citizens.
 Criminal groups—organized groups of hackers aim to break into
computing systems for economic benefit. These groups use phishing,
spam, spyware and malware for extortion, theft of private information,
and online scams.
 Hackers—individual hackers target organizations using a variety of attack
techniques. They are usually motivated by personal gain, revenge,
financial gain, or political activity. Hackers often develop new threats, to
advance their criminal ability and improve their personal standing in the
hacker community.
 Malicious insiders—an employee who has legitimate access to company
assets, and abuses their privileges to steal information or damage
computing systems for economic or personal gain. Insiders may be
employees, contractors, suppliers, or partners of the target organization.
They can also be outsiders who have compromised a privileged account
and are impersonating its owner.

Types of Cybersecurity Threats

Malware Attacks

Malware is an abbreviation of “malicious software”, which includes viruses,

worms, trojans, spyware, and ransomware, and is the most common type
of cyberattack. Malware infiltrates a system, usually via a link on an untrusted
website or email or an unwanted software download. It deploys on the target
system, collects sensitive data, manipulates and blocks access to network
components, and may destroy data or shut down the system altogether.
UNIT - I 11
[CYBER SECURITY]

Here are some of the main types of malware attacks:

 Viruses—a piece of code injects itself into an application. When the

application runs, the malicious code executes.
 Worms—malware that exploits software vulnerabilities and backdoors to
gain access to an operating system. Once installed in the network, the
worm can carry out attacks such as distributed denial of service (DDoS).
 Trojans—malicious code or software that poses as an innocent program,
hiding in apps, games or email attachments. An unsuspecting user
downloads the trojan, allowing it to gain control of their device.
 Ransomware—a user or organization is denied access to their own
systems or data via encryption. The attacker typically demands a ransom
be paid in exchange for a decryption key to restore access, but there is no
guarantee that paying the ransom will actually restore full access or
functionality.
 Cryptojacking—attackers deploy software on a victim’s device, and begin
using their computing resources to generate cryptocurrency, without
their knowledge. Affected systems can become slow and cryptojacking
kits can affect system stability.
 Spyware—a malicious actor gains access to an unsuspecting user’s data,
including sensitive information such as passwords and payment details.
Spyware can affect desktop browsers, mobile phones and desktop
applications.
 Adware—a user’s browsing activity is tracked to determine behavior
patterns and interests, allowing advertisers to send the user targeted
advertising. Adware is related to spyware but does not involve installing
software on the user’s device and is not necessarily used for malicious
purposes, but it can be used without the user’s consent and compromise
their privacy.
 Fileless malware—no software is installed on the operating system.
Native files like WMI and PowerShell are edited to enable malicious
functions. This stealthy form of attack is difficult to detect (antivirus can’t
identify it), because the compromised files are recognized as legitimate.
 Rootkits—software is injected into applications, firmware, operating
system kernels or hypervisors, providing remote administrative access to
a computer. The attacker can start the operating system within a
compromised environment, gain complete control of the computer and
deliver additional malware.

UNIT - I 12
[CYBER SECURITY]

Social Engineering Attacks

Social engineering involves tricking users into providing an entry point for
malware. The victim provides sensitive information or unwittingly installs
malware on their device, because the attacker poses as a legitimate actor.

Here are some of the main types of social engineering attacks:

 Baiting—the attacker lures a user into a social engineering trap, usually

with a promise of something attractive like a free gift card. The victim
provides sensitive information such as credentials to the attacker.
 Pretexting—similar to baiting, the attacker pressures the target into
giving up information under false pretenses. This typically involves
impersonating someone with authority, for example an IRS or police
officer, whose position will compel the victim to comply.
 Phishing—the attacker sends emails pretending to come from a trusted
source. Phishing often involves sending fraudulent emails to as many
users as possible, but can also be more targeted. For example, “spear
phishing” personalizes the email to target a specific user, while “whaling”
takes this a step further by targeting high-value individuals such as CEOs.
 Vishing (voice phishing)—the imposter uses the phone to trick the target
into disclosing sensitive data or grant access to the target system. Vishing
typically targets older individuals but can be employed against anyone.
 Smishing (SMS phishing)—the attacker uses text messages as the means
of deceiving the victim.
 Piggybacking—an authorized user provides physical access to another
individual who “piggybacks” off the user’s credentials. For example, an
employee may grant access to someone posing as a new employee who
misplaced their credential card.
 Tailgating—an unauthorized individual follows an authorized user into a
location, for example by quickly slipping in through a protected door after
the authorized user has opened it. This technique is similar to
piggybacking except that the person being tailgated is unaware that they
are being used by another individual.

Supply Chain Attacks

Supply chain attacks are a new type of threat to software developers and
vendors. Its purpose is to infect legitimate applications and distribute malware
via source code, build processes or software update mechanisms.
UNIT - I 13
[CYBER SECURITY]

Attackers are looking for non-secure network protocols, server infrastructure,

and coding techniques, and use them to compromise build and update process,
modify source code and hide malicious content.

Supply chain attacks are especially severe because the applications

being compromised by attackers are signed and certified by trusted vendors. In
a software supply chain attack, the software vendor is not aware that its
applications or updates are infected with malware. Malicious code runs with the
same trust and privileges as the compromised application.

Types of supply chain attacks include:

 Compromise of build tools or development pipelines

 Compromise of code signing procedures or developer accounts
 Malicious code sent as automated updates to hardware or firmware
components
 Malicious code pre-installed on physical devices

Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack involves intercepting the communication

between two endpoints, such as a user and an application. The attacker can
eavesdrop on the communication, steal sensitive data, and impersonate each
party participating in the communication.

Examples of MitM attacks include:

 Wi-Fi eavesdropping—an attacker sets up a Wi-Fi connection, posing as a

legitimate actor, such as a business, that users may connect to. The
fraudulent Wi-Fi allows the attacker to monitor the activity of connected
users and intercept data such as payment card details and login
credentials.
 Email hijacking—an attacker spoofs the email address of a legitimate
organization, such as a bank, and uses it to trick users into giving up
sensitive information or transferring money to the attacker. The user
follows instructions they think come from the bank but are actually from
the attacker.

UNIT - I 14
[CYBER SECURITY]

 DNS spoofing—a Domain Name Server (DNS) is spoofed, directing a user

to a malicious website posing as a legitimate site. The attacker may divert
traffic from the legitimate site or steal the user’s credentials.
 IP spoofing—an internet protocol (IP) address connects users to a specific
website. An attacker can spoof an IP address to pose as a website and
deceive users into thinking they are interacting with that website.
 HTTPS spoofing—HTTPS is generally considered the more secure version
of HTTP, but can also be used to trick the browser into thinking that a
malicious website is safe. The attacker uses “HTTPS” in the URL to conceal
the malicious nature of the website.

Denial-of-Service Attack

A Denial-of-Service (DoS) attack overloads the target system with a large volume
of traffic, hindering the ability of the system to function normally. An attack
involving multiple devices is known as a distributed denial-of-service (DDoS)
attack.

DoS attack techniques include:

 HTTP flood DDoS—the attacker uses HTTP requests that appear

legitimate to overwhelm an application or web server. This technique
does not require high bandwidth or malformed packets, and typically tries
to force a target system to allocate as many resources as possible for each
request.
 SYN flood DDoS—initiating a Transmission Control Protocol (TCP)
connection sequence involves sending a SYN request that the host must
respond to with a SYN-ACK that acknowledges the request, and then the
requester must respond with an ACK. Attackers can exploit this sequence,
tying up server resources, by sending SYN requests but not responding to
the SYN-ACKs from the host.
 UDP flood DDoS—a remote host is flooded with User Datagram Protocol
(UDP) packets sent to random ports. This technique forces the host to
search for applications on the affected ports and respond with
“Destination Unreachable” packets, which uses up the host resources.
 ICMP flood—a barrage of ICMP Echo Request packets overwhelms the
target, consuming both inbound and outgoing bandwidth. The servers
may try to respond to each request with an ICMP Echo Reply packet, but
cannot keep up with the rate of requests, so the system slows down.

UNIT - I 15
[CYBER SECURITY]

 NTP amplification—Network Time Protocol (NTP) servers are accessible

to the public and can be exploited by an attacker to send large volumes
of UDP traffic to a targeted server. This is considered an amplification
attack due to the query-to-response ratio of 1:20 to 1:200, which allows
an attacker to exploit open NTP servers to execute high-volume, high-
bandwidth DDoS attacks.

Injection Attacks

Injection attacks exploit a variety of vulnerabilities to directly insert malicious

input into the code of a web application. Successful attacks may expose sensitive
information, execute a DoS attack or compromise the entire system.

Here are some of the main vectors for injection attacks:

 SQL injection—an attacker enters an SQL query into an end user input
channel, such as a web form or comment field. A vulnerable application
will send the attacker’s data to the database, and will execute any SQL
commands that have been injected into the query. Most web applications
use databases based on Structured Query Language (SQL), making them
vulnerable to SQL injection. A new variant on this attack is NoSQL attacks,
targeted against databases that do not use a relational data structure.
 Code injection—an attacker can inject code into an application if it is
vulnerable. The web server executes the malicious code as if it were part
of the application.
 OS command injection—an attacker can exploit a command injection
vulnerability to input commands for the operating system to execute. This
allows the attack to exfiltrate OS data or take over the system.
 LDAP injection—an attacker inputs characters to alter Lightweight
Directory Access Protocol (LDAP) queries. A system is vulnerable if it uses
unsanitized LDAP queries. These attacks are very severe because LDAP
servers may store user accounts and credentials for an entire
organization.
 XML eXternal Entities (XXE) Injection—an attack is carried out using
specially-constructed XML documents. This differs from other attack
vectors because it exploits inherent vulnerabilities in legacy XML parsers
rather than unvalidated user inputs. XML documents can be used to
traverse paths, execute code remotely and execute server-side request
forgery (SSRF).

UNIT - I 16
[CYBER SECURITY]

 Cross-Site Scripting (XSS)—an attacker inputs a string of text containing

malicious JavaScript. The target’s browser executes the code, enabling the
attacker to redirect users to a malicious website or steal session cookies
to hijack a user’s session. An application is vulnerable to XSS if it doesn’t
sanitize user inputs to remove JavaScript code.

UNIT - I 17
[CYBER SECURITY]

Types of cybersecurity threats

Cyber Security Solutions

Cybersecurity solutions are tools organizations use to help defend against

cybersecurity threats, as well as accidental damage, physical disasters, and other
threats. Here are the main types of security solutions:

 Application security—used to test software application vulnerabilities

during development and testing, and protect applications running in
production, from threats like network attacks, exploits of software
vulnerabilities, and web application attacks.
 Network security—monitors network traffic, identifies potentially
malicious traffic, and enables organizations to block, filter or mitigate
threats.
 Cloud Security—implements security controls in public, private and
hybrid cloud environments, detecting and fixing false security
configurations and vulnerabilities.
 Endpoint security—deployed on endpoint devices such as servers and
employee workstations, which can prevent threats like malware,
unauthorized access, and exploitation of operating system and browser
vulnerabilities.
 Internet of Things (IoT) security—connected devices are often used to
store sensitive data, but are usually not protected by design. IoT security
solutions help gain visibility and improve security for IoT devices.
 Threat intelligence—combines multiple feeds containing data about
attack signatures and threat actors, providing additional context for
security events. Threat intelligence data can help security teams detect
attacks, understand them, and design the most appropriate response.

Imperva Cybersecurity Solutions

Imperva can help you defend your organizations against cybersecurity threats
that affect applications and your sensitive business data.

Imperva Application Security

At the application level, Imperva provides comprehensive protection for

applications, APIs, and microservices:

UNIT - I 18
[CYBER SECURITY]

Web Application Firewall – Prevent attacks with world-class analysis of web

traffic to your applications.

Runtime Application Self-Protection (RASP) – Real-time attack detection and

prevention from your application runtime environment goes wherever your
applications go. Stop external attacks and injections and reduce your
vulnerability backlog.

API Security – Automated API protection ensures your API endpoints are
protected as they are published, shielding your applications from exploitation.

Advanced Bot Protection – Prevent business logic attacks from all access points
– websites, mobile apps and APIs. Gain seamless visibility and control over bot
traffic to stop online fraud through account takeover or competitive price
scraping.

DDoS Protection – Block attack traffic at the edge to ensure business continuity
with guaranteed uptime and no performance impact. Secure your on premises
or cloud-based assets – whether you’re hosted in AWS, Microsoft Azure, or
Google Public Cloud.

Attack Analytics – Ensures complete visibility with machine learning and domain
expertise across the application security stack to reveal patterns in the noise and
detect application attacks, enabling you to isolate and prevent attack
campaigns.

Client-Side Protection – Gain visibility and control over third-party JavaScript

code to reduce the risk of supply chain fraud, prevent data breaches, and client-
side attacks.

Imperva Application Security

At the data level, Imperva protects all cloud-based data stores to ensure
compliance and preserve the agility and cost benefits you get from your cloud
investments:

UNIT - I 19
[CYBER SECURITY]

Cloud Data Security – Simplify securing your cloud databases to catch up and
keep up with DevOps. Imperva’s solution enables cloud-managed services users
to rapidly gain visibility and control of cloud data.

Database Security – Imperva delivers analytics, protection and response across

your data assets, on-premise and in the cloud – giving you the risk visibility to
prevent data breaches and avoid compliance incidents. Integrate with any
database to gain instant visibility, implement universal policies, and speed time
to value.

Data Risk Analysis – Automate the detection of non-compliant, risky, or

malicious data access behavior across all of your databases enterprise-wide to
accelerate remediation.

HARM
The negative consequence of an actualized threat is harm; we protect ourselves
against threats in order to reduce or eliminate harm. We have already described
many examples of computer harm: a stolen computer, modified or lost file,
revealed private letter, or denied access to data. These events cause harm that
we want to avoid.

In our earlier discussion of assets, we noted that value depends on owner or

outsider perception and need. Some aspects of value are immeasurable, such as
the value of the paper you need to submit to your professor tomorrow; if you
lose the paper (that is, if its availability is lost), no amount of money will
compensate you for it. Items on which you place little or no value might be more
valuable to someone else; for example, the group photograph taken at last
night’s party can reveal that your friend was not where he told his wife he would
be. Even though it may be difficult to assign a specific number as the value of an
asset, you can usually assign a value on a generic scale, such as moderate or
minuscule or incredibly high, depending on the degree of harm that loss or
damage to the object would cause. Or you can assign a value relative to other
assets, based on comparable loss: This version of the file is more valuable to you
than that version.

In their 2010 global Internet threat report, security firm Symantec surveyed the
kinds of goods and services offered for sale on underground web pages. The
item most frequently offered in both 2009 and 2008 was credit card numbers,

UNIT - I 20
[CYBER SECURITY]

at prices ranging from $0.85 to $30.00 each. (Compare those prices to an

individual’s effort to deal with the effect of a stolen credit card or the potential
amount lost by the issuing bank.) Second most frequent was bank account
credentials, at $15 to $850; these were offered for sale at 19% of websites in
both years. Email accounts were next at $1 to $20, and lists of email addresses
went for $1.70 to $15.00 per thousand. At position 10 in 2009 were website
administration credentials, costing only $2 to $30. These black market websites
demonstrate that the market price of computer assets can be dramatically
different from their value to rightful owners.

The value of many assets can change over time, so the degree of harm (and
therefore the severity of a threat) can change, too. With unlimited time, money,
and capability, we might try to protect against all kinds of harm. But because our
resources are limited, we must prioritize our protection, safeguarding only
against serious threats and the ones we can control. Choosing the threats we try
to mitigate involves a process called risk management, and it includes weighing
the seriousness of a threat against our ability to protect.

Risk management involves choosing which threats to control and what

resources to devote to protection.

Risk and Common Sense

The number and kinds of threats are practically unlimited because devising an
attack requires an active imagination, determination, persistence, and time (as
well as access and resources). The nature and number of threats in the computer
world reflect life in general: The causes of harm are limitless and largely
unpredictable. Natural disasters like volcanoes and earthquakes happen with
little or no warning, as do auto accidents, heart attacks, influenza, and random
acts of violence. To protect against accidents or the flu, you might decide to stay
indoors, never venturing outside. But by doing so, you trade one set of risks for
another; while you are inside, you are vulnerable to building collapse. There are
too many possible causes of harm for us to protect ourselves—or our
computers—completely against all of them.

In real life we make decisions every day about the best way to provide our
security. For example, although we may choose to live in an area that is not
prone to earthquakes, we cannot entirely eliminate earthquake risk. Some
choices are conscious, such as deciding not to walk down a dark alley in an
unsafe neighborhood; other times our subconscious guides us, from experience

UNIT - I 21
[CYBER SECURITY]

or expertise, to take some precaution. We evaluate the likelihood and severity

of harm, and then consider ways (called countermeasures or controls) to
address threats and determine the controls’ effectiveness.

Computer security is similar. Because we cannot protect against everything, we

prioritize: Only so much time, energy, or money is available for protection, so
we address some risks and let others slide. Or we consider alternative courses
of action, such as transferring risk by purchasing insurance or even doing nothing
if the side effects of the countermeasure could be worse than the possible harm.
The risk that remains uncovered by controls is called residual risk.

A basic model of risk management involves a user’s calculating the value of all
assets, determining the amount of harm from all possible threats, computing
the costs of protection, selecting safeguards (that is, controls or
countermeasures) based on the degree of risk and on limited resources, and
applying the safeguards to optimize harm averted. This approach to risk
management is a logical and sensible approach to protection, but it has
significant drawbacks. In reality, it is difficult to assess the value of each asset;
as we have seen, value can change depending on context, timing, and a host of
other characteristics. Even harder is determining the impact of all possible
threats. The range of possible threats is effectively limitless, and it is difficult (if
not impossible in some situations) to know the short- and long-term impacts of
an action. For instance, Sidebar 1-3 describes a study of the impact of security
breaches over time on corporate finances, showing that a threat must be
evaluated over time, not just at a single instance.

It was long assumed that security breaches would be bad for business: that
customers, fearful of losing their data, would veer away from insecure
businesses and toward more secure ones. But empirical studies suggest that the
picture is more complicated. Early studies of the effects of security breaches,
such as that of Campbell [CAM03], examined the effects of breaches on stock
price. They found that a breach’s impact could depend on the nature of the
breach itself; the effects were higher when the breach involved unauthorized
access to confidential data. Cavusoglu et al. [CAV04] discovered that a breach
affects the value not only of the company experiencing the breach but also of
security enterprises: On average, the breached firms lost 2.1 percent of market
value within two days of the breach’s disclosure, but security
developers’ market value actually increased 1.36 percent.

UNIT - I 22
[CYBER SECURITY]

Myung Ko and Carlos Dorantes [KO06] looked at the longer-term financial

effects of publicly announced breaches. Based on the Campbell et al. study, they
examined data for four quarters following the announcement of unauthorized
access to confidential data. Ko and Dorantes note many types of possible
breach-related costs:

“Examples of short-term costs include cost of repairs, cost of replacement of the

system, lost business due to the disruption of business operations, and lost
productivity of employees. These are also considered tangible costs. On the
other hand, long-term costs include the loss of existing customers due to loss of
trust, failing to attract potential future customers due to negative reputation
from the breach, loss of business partners due to loss of trust, and potential legal
liabilities from the breach. Most of these costs are intangible costs that are
difficult to calculate but extremely important in assessing the overall security
breach costs to the organization.”

Ko and Dorantes compared two groups of companies: one set (the treatment
group) with data breaches, and the other (the control group) without a breach
but matched for size and industry. Their findings were striking. Contrary to what
you might suppose, the breached firms had no decrease in performance for the
quarters following the breach, but their return on assets decreased in the third
quarter. The comparison of treatment with control companies revealed that the
control firms generally outperformed the breached firms. However, the
breached firms outperformed the control firms in the fourth quarter.

These results are consonant with the results of other researchers who conclude
that there is minimal long-term economic impact from a security breach. There
are many reasons why this is so. For example, customers may think that all
competing firms have the same vulnerabilities and threats, so changing to
another vendor does not reduce the risk. Another possible explanation may be
a perception that a breached company has better security since the breach
forces the company to strengthen controls and thus reduce the likelihood of
similar breaches. Yet another explanation may simply be the customers’ short
attention span; as time passes, customers forget about the breach and return to
business as usual.

All these studies have limitations, including small sample sizes and lack of
sufficient data. But they clearly demonstrate the difficulties of quantifying and

UNIT - I 23
[CYBER SECURITY]

verifying the impacts of security risks, and point out a difference between short-
and long-term effects.

Although we should not apply protection haphazardly, we will necessarily

protect against threats we consider most likely or most damaging. For this
reason, it is essential to understand how we perceive threats and evaluate their
likely occurrence and impact. Sidebar 1-4 summarizes some of the relevant
research in risk perception and decision-making. Such research suggests that,
for relatively rare instances such as high-impact security problems, we must take
into account the ways in which people focus more on the impact than on the
actual likelihood of occurrence.

When a type of adverse event happens frequently, we can calculate its

likelihood and impact by examining both frequency and nature of the collective
set of events. For instance, we can calculate the likelihood that it will rain this
week and take an educated guess at the number of inches of precipitation we
will receive; rain is a fairly frequent occurrence. But security problems are often
extreme events: They happen infrequently and under a wide variety of
circumstances, so it is difficult to look at them as a group and draw general
conclusions.

Paul Slovic’s work on risk addresses the particular difficulties with extreme
events. He points out that evaluating risk in such cases can be a political
endeavor as much as a scientific one. He notes that we tend to let values,
process, power, and trust influence our risk analysis [SLO99].

Beginning with Fischoff et al. [FIS78], researchers characterized extreme risk

along two perception-based axes: the dread of the risk and the degree to which
the risk is unknown. These feelings about risk, called affects by psychologists,
enable researchers to discuss relative risks by placing them on a plane defined
by the two perceptions as axes. A study by Loewenstein et al. [LOE01] describes
how risk perceptions are influenced by association (with events already
experienced) and by affect at least as much if not more than by reason. In fact,
if the two influences compete, feelings usually trump reason.

This characteristic of risk analysis is reinforced by prospect theory: studies of

how people make decisions by using reason and feeling. Kahneman and Tversky
[KAH79] showed that people tend to overestimate the likelihood of rare,
unexperienced events because their feelings of dread and the unknown usually
dominate analytical reasoning about the low likelihood of occurrence. By
UNIT - I 24
[CYBER SECURITY]

contrast, if people experience similar outcomes and their likelihood, their feeling
of dread diminishes and they can actually underestimate rare events. In other
words, if the impact of a rare event is high (high dread), then people focus on
the impact, regardless of the likelihood. But if the impact of a rare event is small,
then they pay attention to the likelihood.

Let us look more carefully at the nature of a security threat. We have seen that
one aspect—its potential harm—is the amount of damage it can cause; this
aspect is the impact component of the risk. We also consider the magnitude of
the threat’s likelihood. A likely threat is not just one that someone might want
to pull off but rather one that could actually occur. Some people might
daydream about getting rich by robbing a bank; most, however, would reject
that idea because of its difficulty (if not its immorality or risk). One aspect of
likelihood is feasibility: Is it even possible to accomplish the attack? If the answer
is no, then the likelihood is zero, and therefore so is the risk. So a good place to
start in assessing risk is to look at whether the proposed action is feasible. Three
factors determine feasibility, as we describe next.

Spending for security is based on the impact and likelihood of potential harm—
both of which are nearly impossible to measure precisely.

Method–Opportunity–Motive
A malicious attacker must have three things to ensure success: method,
opportunity, and motive, depicted in Figure 1-11. Roughly speaking, method is
the how; opportunity, the when; and motive, the why of an attack. Deny the
attacker any of those three and the attack will not succeed. Let us examine these
properties individually.

Method
By method we mean the skills, knowledge, tools, and other things with which to
perpetrate the attack. Think of comic figures that want to do something, for
example, to steal valuable jewelry, but the characters are so inept that their
every move is doomed to fail. These people lack the capability or method to
succeed, in part because there are no classes in jewel theft or books on burglary
for dummies.

Anyone can find plenty of courses and books about computing, however.
Knowledge of specific models of computer systems is widely available in
bookstores and on the Internet. Mass-market systems (such as the Microsoft or
Apple or Unix operating systems) are readily available for purchase, as are
UNIT - I 25
[CYBER SECURITY]

common software products, such as word processors or database management

systems, so potential attackers can even get hardware and software on which
to experiment and perfect an attack. Some manufacturers release detailed
specifications on how the system was designed or how it operates, as guides for
users and integrators who want to implement other complementary products.
Various attack tools—scripts, model programs, and tools to test for
weaknesses—are available from hackers’ sites on the Internet, to the degree
that many attacks require only the attacker’s ability to download and run a
program. The term script kiddie describes someone who downloads a complete
attack code package and needs only to enter a few details to identify the target
and let the script perform the attack. Often, only time and inclination limit an
attacker.

Opportunity
Opportunity is the time and access to execute an attack. You hear that a
fabulous apartment has just become available, so you rush to the rental agent,
only to find someone else rented it five minutes earlier. You missed your
opportunity.

Many computer systems present ample opportunity for attack. Systems

available to the public are, by definition, accessible; often their owners take
special care to make them fully available so that if one hardware component
fails, the owner has spares instantly ready to be pressed into service. Other
people are oblivious to the need to protect their computers, so unattended
laptops and unsecured network connections give ample opportunity for attack.
Some systems have private or undocumented entry points for administration or
maintenance, but attackers can also find and use those entry points to attack
the systems.

Motive
Finally, an attacker must have a motive or reason to want to attack. You
probably have ample opportunity and ability to throw a rock through your
neighbor’s window, but you do not. Why not? Because you have no reason to
want to harm your neighbor: You lack motive.

We have already described some of the motives for computer crime: money,
fame, self-esteem, politics, terror. It is often difficult to determine motive for an
attack. Some places are “attractive targets,” meaning they are very appealing to
attackers. Popular targets include law enforcement and defense department

UNIT - I 26
[CYBER SECURITY]

computers, perhaps because they are presumed to be well protected against

attack (so they present a challenge and a successful attack shows the attacker’s
prowess). Other systems are attacked because they are easy to attack. And some
systems are attacked at random simply because they are there.

Method, opportunity, and motive are all necessary for an attack to succeed;
deny any of these and the attack will fail.

By demonstrating feasibility, the factors of method, opportunity, and motive

determine whether an attack can succeed. These factors give the advantage to
the attacker because they are qualities or strengths the attacker must possess.
Another factor, this time giving an advantage to the defender, determines
whether an attack will succeed: The attacker needs a vulnerability, an
undefended place to attack. If the defender removes vulnerabilities, the
attacker cannot attack.

VULNERABILITIES
A vulnerability in security refers to a weakness or opportunity in an information
system that cybercriminals can exploit and gain unauthorized access to a
computer system. Vulnerabilities weaken systems and open the door to
malicious attacks.

More specifically, The International Organization for Standardization (ISO)

defines a vulnerability in security as the weakness of an asset or group of assets
that can be exploited by one or more cyber threats where an asset is anything
that has value to the organization, its business operations, and their continuity,
including information resources that support the organization's mission
Vulnerabilities, Exploits, and Threats at a Glance
In cybersecurity, there are important differences between vulnerabilities,
exploits, and threats.

While a vulnerability refers to weaknesses in hardware, software, or

procedures—the entryway for hackers to access systems—an exploit is the
actual malicious code that cybercriminals use to take advantage of
vulnerabilities and compromise the IT infrastructure.

UNIT - I 27
[CYBER SECURITY]

A threat is a potentially dangerous event that has not occurred but has the
potential to cause damage if it does. Exploits are how threats become attacks,
and vulnerabilities are how exploits gain access to targeted systems.
Examples and Common Types of Vulnerabilities in Security
The four main types of vulnerabilities in information security are network
vulnerabilities, operating system vulnerabilities, process (or
procedural) vulnerabilities, and human vulnerabilities.

1. Network vulnerabilities are weaknesses within an organization’s

hardware or software infrastructure that allow cyberattackers to gain
access and cause harm. These areas of exposure can range
from poorly-protected wireless access all the way to misconfigured
firewalls that don’t guard the network at large.

2. Operating system (OS) vulnerabilities are exposures within an OS that

allow cyberattackers to cause damage on any device where the OS is
installed. An example of an attack that takes advantage of OS
vulnerabilities is a Denial of Service (DoS) attack, where repeated fake
requests clog a system so it becomes overloaded. Unpatched and
outdated software also creates OS vulnerabilities, because the system
running the application is exposed, sometimes endangering the entire
network.

3. Process vulnerabilities are created when procedures that are supposed

to act as security measures are insufficient. One of the most common
process vulnerabilities is an authentication weakness, where users, and
even IT administrators, use weak passwords.

4. Human vulnerabilities are created by user errors that can expose

networks, hardware, and sensitive data to malicious actors. They
arguably pose the most significant threat, particularly because of the
increase in remote and mobile workers. Examples of human
vulnerability in security are opening an email attachment infected with
malware, or not installing software updates on mobile devices.

UNIT - I 28
[CYBER SECURITY]

When Should Known Vulnerabilities Be Publicly Disclosed?

The timeframe for disclosing known vulnerabilities in security can vary between
researchers, vendors, and cybersecurity advocacy organizations.
The Cybersecurity and Infrastructure Security Agency (CISA) provides guidelines
for the remediation and public disclosure of newly identified cybersecurity
vulnerabilities. Their recommendations vary based on variables like whether a
vulnerability is severe, activ exploitation of the vulnerability, or if there are
serious and likely threats.

What Is the Difference Between Vulnerability and Risk?

Vulnerabilities and risks differ in that vulnerabilities are known weaknesses.

They’re the identified gaps that undermine the security efforts of an
organization’s IT systems.

Risks, on the other hand, are potentials for loss or damage when a threat
exploits a vulnerability.

A common equation for calculating it is Risk = Threat x Vulnerability x

Consequence.

When Does a Vulnerability Become Exploitable?

A vulnerability becomes exploitable when there is a definite path to complete

malicious acts. Taking basic security precautions (like keeping security patches
up to date and properly managing user access controls) can help keep
vulnerabilities from becoming more dangerous security breaches.

What Is a Zero-Day Exploit?

Zero-day vulnerabilities are security software flaws that an organization’s IT

security professionals haven’t discovered or patched. A zero-day exploit is one
used to attack a zero-day vulnerability.

UNIT - I 29
[CYBER SECURITY]

What Causes Vulnerabilities?

1. Human error – When end users fall victim to phishing and other social
engineering tactics, they become one of the biggest causes of
vulnerabilities in security.

2. Software bugs – These are flaws in a code that cybercriminals can use
to gain unauthorized access to hardware, software, data, or other
assets in an organization’s network. sensitive data and perform
unauthorized actions, which are considered unethical or illegal.

3. System complexity – When a system is too complex, it causes

vulnerability because there’s an increased likelihood of
misconfigurations, flaws, or unwanted network access.

4. Increased connectivity – Having so many remote devices connected to

a network creates new access points for attacks.

5. Poor access control – improperly managing user roles, like providing

some users more access than they need to data and systems or not
closing accounts for old employees, makes networks vulnerable from
both inside and outside breaches.

What Is Vulnerability Management?

Vulnerability management is a practice that consists of identifying, classifying,

remediating, and mitigating security vulnerabilities. It requires more than
scanning and patching. Rather, vulnerability management requires a 360-degree
view of an organization's systems, processes, and people in order to make
informed decisions about the best course of action for detecting and mitigating
vulnerabilities. From there, IT security teams can remediate through patching
and configuring of the appropriate security settings.

What Is Vulnerability Scanning?

Vulnerability scanning is a process of identifying vulnerabilities within an

organization’s applications and devices. The process is automated by the use

UNIT - I 30
[CYBER SECURITY]

of vulnerability scanners, and takes a snapshot of a network’s vulnerabilities,

allowing security teams to make informed decisions regarding mitigation.

What Is a Cybersecurity Vulnerability and How Is It Different From a

Cybersecurity Threat?

A cybersecurity vulnerability doesn’t actually pose a real or imminent danger to

an organization’s IT networks. Rather, it’s the pathway for malicious actors to
access its target. Cybersecurity threats are the actual means by which cyber
attackers exploit vulnerabilities. Threats can be anything from specifically-
targeted hacker attacks to ransomware that holds systems hostage until
payment is made.

CONTROLS

Cybersecurity controls are mechanisms used to prevent, detect and mitigate

cyber threats and attacks. Mechanisms range from physical controls, such as
security guards and surveillance cameras, to technical controls, including
firewalls and multifactor authentication.

As cyber attacks on enterprises increase in frequency, security teams must

continually reevaluate their security controls continuously. A unilateral approach
to cybersecurity is simply outdated and ineffective. And, because it's impossible
to prevent all attacks in the current threat landscape, organizations should
evaluate their assets based on their importance to the company and set controls
accordingly.

Adding to the challenge is that employees are unlikely to follow compliance

rules if austere controls are implemented across all company assets. The severity
of a control should directly reflect the asset and threat landscape. The
consequences of a hacker exposing thousands of customers' personal data via a
cloud database, for example, may be far greater than if one employee's laptop
is compromised.

UNIT - I 31
[CYBER SECURITY]

"There are many different ways to apply controls based on the nature of what
you're trying to protect," said Joseph MacMillan, author of Infosec Strategies
and Best Practices and cybersecurity global black belt at Microsoft. "What is the
nature of the threat you're trying to protect against? Is it a malicious actor? Or
is it a storm?"

The following excerpt from Chapter 2, "Protecting the Security of Assets,"

of Infosec Strategies and Best Practices explores the different types of
cybersecurity controls, including the varying classes of controls, such as physical
or technical, as well as the order in which to implement them.

Securing information assets

This section is all about implementing the appropriate information security
controls for assets. I've been thinking about this section for a while, trying to
understand how to tackle it best for you.

I know you probably have experience with choosing and implementing controls,
and I don't want this section to end up being half of the entire book, just droning
on and on about different types of controls or all of the great vendors out there
who want to sell you a silver bullet to fix all of your issues. I'm going to go into
many different controls and ideologies in the following chapters, anyway.

Instead, in this chapter, I want to make sure that we focus on heavy-hitting,

effective ideologies to understand in order to select the appropriate controls,
meaning that the asset is considered "secure enough" based on its criticality and
classification.

There are different classes that split up the types of controls:

 Administrative/Managerial Controls are the policies and procedures

I'm always talking about. They aren't as "cool" as a new software
control, but they exist to give structure and guidance to individuals like
you, and other members of your organization, ensuring nobody gets
fined or causes a breach.

UNIT - I 32
[CYBER SECURITY]

 Physical Controls limit the access to systems in a physical way; fences,

CCTV, dogs... and everybody's favorite: fire sprinklers.
 Technical/Logical Controls are those that limit access on a hardware
or software basis, such as encryption, fingerprint readers,
authentication, or Trusted Platform Modules (TPMs). These don't
limit access to the physical systems the way physical controls do, but
rather access to the data or contents.
 Operational Controls are those that involve people conducting
processes on a day-to-day level. Examples could include awareness
training, asset classification, and reviewing log files.

There are so many specific controls, there's just no way we can go into each of
them in this chapter. Beyond the Annex A controls from ISO 27001, further
expansion on controls and the categories of controls can be found in the links
on this page: NIST SP 800-53 Rev 5
(https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final), including
control mappings between the ISO 27001 standard, and NIST SP 800-53.

What I can cover are the types of controls that you'll be able to categorize and
apply as mitigation against risk, depending on the threat and vertical:

 Preventative Controls exist to not allow an action to happen and

include firewalls, fences, and access permissions.
 Detective Controls are only triggered during or after an event, such as
video surveillance, or intrusion detection systems.
 Deterrents discourage threats from attempting to exploit a
vulnerability, such as a "Guard Dog" sign, or dogs.
 Corrective Controls are able to take an action from one state to
another. This is where fail open and fail closed controls are addressed.
 Recovery Controls get something back from a loss, such as the
recovery of a hard drive.

UNIT - I 33
[CYBER SECURITY]

 Compensating Controls are those that attempt to make up for the

shortcomings of other controls, such as reviewing access logs
regularly. This example is also a detective control, but compensating
controls can be of various different types.

Generally, the order in which you would like to place your controls for adequate
defense in depth is the following:

1. Deter actors from attempting to access something that they shouldn't

be.
2. Deny/Prevent Access through a preventative control such as access
permissions or authentication.
3. Detect the risk, making sure to log the detection, such as with
endpoint protection software.
4. Delay the process of the risk from happening again, such as with a "too
many attempts" function for a password entry.
5. Correct the situation by responding to the compromise, such as with
an incident response plan.
6. Recover from the compromised state, such as a backup generator
restoring availability to a server.

Furthermore, in the realm of continual improvement, we should monitor the

value of each asset for any changes. The reason being that we may need to
rethink our controls for protecting those assets if they become more or less
valuable over time, or in certain major events at your organization.

Additionally, as a footnote, when we're looking at controls, we should also be

thinking about recovery. What I mean is that we want to be able to recover from
any adverse situations or changes to assets and their value. Just as examples,
we're talking about backups, redundancy, restoration processes, and the like.

A concept to keep in mind, especially in the era of the cloud, SaaS, PaaS, IaaS,
third-party solutions, and all other forms of "somebody else's computer" is to
UNIT - I 34
[CYBER SECURITY]

ensure that Service-Level Agreements (SLAs) are clearly defined, and have
agreements for maximum allowable downtime, as well as penalties for failing to
deliver on those agreements. This is an example of a compensating control.

As a consumer of third-party solutions, you'll want to fight for SLAs that reflect
your risk appetite. Simultaneously, you'll also want to consider the idea that by
chaining those assets together, you are creating a higher level of risk to
availability. If just one of the services isn't online, and you can't perform a task,
that's a loss of availability. If you're a vendor of cloud services, you need to
consider your availability and what can be offered to your customers
realistically, and what is required from a commercial perspective.

AUTHENTICATION
 Authentication is used by a server when the server needs to know exactly
who is accessing their information or site.
 Authentication is used by a client when the client needs to know that the
server is system it claims to be.
 In authentication, the user or computer has to prove its identity to the
server or client.
 Usually, authentication by a server entails the use of a user name and
password. Other ways to authenticate can be through cards, retina scans,
voice recognition, and fingerprints.
 Authentication by a client usually involves the server giving a certificate
to the client in which a trusted third party such as Verisign or Thawte
states that the server belongs to the entity (such as a bank) that the client
expects it to.
 Authentication does not determine what tasks the individual can do or
what files the individual can see. Authentication merely identifies and
verifies who the person or system is.

ACCESS CONTROL
Access control is a data security process that enables organizations to manage
who is authorized to access corporate data and resources. Secure access control
uses policies that verify users are who they claim to be and ensures appropriate
control access levels are granted to users.

UNIT - I 35
[CYBER SECURITY]

Implementing access control is a crucial component of web application security,

ensuring only the right users have the right level of access to the right resources.
The process is critical to helping organizations avoid data breaches and
fighting attack vectors, such as a buffer overflow attack, KRACK attack, on-path
attack, or phishing attack.
What Are the Components of Access Control?

Access control is managed through several components:

1. Authentication

Authentication is the initial process of establishing the identity of a user. For

example, when a user signs in to their email service or online banking account
with a username and password combination, their identity has been
authenticated. However, authentication alone is not sufficient to protect
organizations’ data.
2. Authorization

Authorization adds an extra layer of security to the authentication process. It

specifies access rights and privileges to resources to determine whether the user
should be granted access to data or make a specific transaction.

For example, an email service or online bank account can require users to
provide two-factor authentication (2FA), which is typically a combination of
something they know (such as a password), something they possess (such as a
token), or something they are (like a biometric verification). This information
can also be verified through a 2FA mobile app or a thumbprint scan on a
smartphone.
3. Access

Once a user has completed the authentication and authorization steps, their
identity will be verified. This grants them access to the resource they are
attempting to log in to.
4. Manage

Organizations can manage their access control system by adding and removing
the authentication and authorization of their users and systems. Managing
these systems can become complex in modern IT environments that comprise
cloud services and on-premises systems.
5. Audit

UNIT - I 36
[CYBER SECURITY]

Organizations can enforce the principle of least privilege through the access
control audit process. This enables them to gather data around user activity and
analyze that information to discover potential access violations.
How Does Access Control Work?
Access control is used to verify the identity of users attempting to log in to digital
resources. But it is also used to grant access to physical buildings and physical
devices.
Physical Access Control

Common examples of physical access controllers include:

Barroom Bouncers
Bouncers can establish an access control list to verify IDs and ensure people
entering bars are of legal age.
Subway Turnstiles
Access control is used at subway turnstiles to only allow verified people to use
subway systems. Subway users scan cards that immediately recognize the user
and verify they have enough credit to use the service.
Keycard or Badge Scanners in Corporate Offices
Organizations can protect their offices by using scanners that provide
mandatory access control. Employees need to scan a keycard or badge to verify
their identity before they can access the building.
Logical/Information Access Control
Logical access control involves tools and protocols being used to identify,
authenticate, and authorize users in computer systems. The access controller
system enforces measures for data, processes, programs, and systems.
Signing Into a Laptop Using a Password
A common form of data loss is through devices being lost or stolen. Users can
keep their personal and corporate data secure by using a password.
Unlocking a Smartphone With a Thumbprint Scan
Smartphones can also be protected with access controls that allow only the user
to open the device. Users can secure their smartphones by using biometrics,
such as a thumbprint scan, to prevent unauthorized access to their devices.
Remotely Accessing an Employer’s Internal Network Using a VPN
Smartphones can also be protected with access controls that allow only the user
to open the device. Users can secure their smartphones by using biometrics,
such as a thumbprint scan, to prevent unauthorized access to their devices.
What Is the Difference Between Authentication and Authorization?
Authentication and authorization are crucial to access control in security.
Authentication is the process of logging in to a system, such as an email address,
online banking service, or social media account. Authorization is the process of
UNIT - I 37
[CYBER SECURITY]

verifying the user’s identity to provide an extra layer of security that the user is
who they claim to be.
Importance of Access Control in Regulatory Compliance

Access control is crucial to helping organizations comply with various data

privacy regulations. These include:
PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a security
standard that protects the payment card ecosystem. An access control system
is crucial to permitting or denying transactions and ensuring the identity of
users.
HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was created to
protect patient health data from being disclosed without their consent. Access
control is vital to limiting access to authorized users, ensuring people cannot
access data that is beyond their privilege level, and preventing data breaches.
SOC 2

Service Organization Control 2 (SOC 2) is an auditing procedure designed for

service providers that store customer data in the cloud. It ensures that providers
protect the privacy of their customers and requires organizations to implement
and follow strict policies and procedures around customer data. Access control
systems are crucial to enforcing these strict data security processes.
ISO 27001

The International Organization for Standardization (ISO) defines security

standards that organizations across all industries need to comply with and
demonstrate to their customers that they take security seriously. ISO 27001 is
the ISO’s gold standard of information security and compliance certification.
Implementing access controls is crucial to complying with this security standard.
What Are the Different Types of Access Controls?
There are various types of access controls that organizations can implement to
safeguard their data and users. These include:
1. Attribute-based Access Control (ABAC)

ABAC is a dynamic, context-based policy that defines access based on policies

granted to users. The system is used in identity and access management
(IAM) frameworks.
2. Discretionary Access Control (DAC)
UNIT - I 38
[CYBER SECURITY]

DAC models allow the data owner to decide access control by assigning access
rights to rules that users specify. When a user is granted access to a system, they
can then provide access to other users as they see fit.
3. Mandatory Access Control (MAC)

MAC places strict policies on individual users and the data, resources, and
systems they want to access. The policies are managed by an organization’s
administrator. Users are not able to alter, revoke, or set permissions.
4. Role-Based Access Control (RBAC)

RBAC creates permissions based on groups of users, roles that users hold, and
actions that users take. Users are able to perform any action enabled to their
role and cannot change the access control level they are assigned.
5. Break-glass Access Control

Break-glass access control involves the creation of an emergency account that

bypasses regular permissions. In the event of a critical emergency, the user is
given immediate access to a system or account they would not usually be
authorized to use.
6. Rule-based Access Control

A rule-based approach sees a system admin define rules that govern access to
corporate resources. These rules are typically built around conditions, such as
the location or time of day that users access resources.
What Are Some Methods for Implementing Access Control?
One of the most common methods for implementing access controls is to use
VPNs. This enables users to securely access resources remotely, which is crucial
when people work away from the physical office. Companies can use VPNs to
provide secure access to their networks when employees are based in various
locations around the world. While this is ideal for security reasons, it can result
in some performance issues, such as latency.

Other access control methods include identity repositories, monitoring and

reporting applications, password management tools, provisioning tools,
and security policy enforcement services.

CRYPTOGRAPHY
Cryptography refers to the technique or practice of securing data and
communications. While today it’s used almost exclusively in a technological
context, the practice of cryptography dates back well before the digital age. The

UNIT - I 39
[CYBER SECURITY]

Navajo code talkers developed a code using the Navajo language to send secret
messages during World War II. Today, cryptography is used to keep sensitive
material, such as private passwords, secure online. Cybersecurity experts use
cryptography to design algorithms, ciphers, and other security measures that
codify and protect company and customer data.

To work in cryptography, individuals must possess the following:

 Programming skills. Cryptography requires professionals to work with

various operating systems as well as coding languages like C++, Java, and
Python. Programming makes up the primary task of a cryptographer’s job.
 Advanced mathematics knowledge. Designing security programs
requires strong math skills. Aspiring cryptographers should complete
coursework in linear algebra, matrix algebra, discrete mathematics, and
number theory, among other areas.
 Education. When companies look for prospective cybersecurity hires,
they look for individuals who’ve completed at least a bachelor’s in
mathematics, computer science, or engineering. A master’s degree is
considered a considerable advantage.

PROGRAMS AND PROGRAMMING

Simply put, it makes you better at your job. Understanding programming helps
cybersecurity experts examine software and discover security vulnerabilities,
detect malicious codes, and execute tasks that involve analytical skills in
cybersecurity.

The choice of which programming language to learn, however, isn’t so simply

put.

The language to learn depends on your concentration, which could be in

computer forensics, security for web applications, information security,
malware analysis, or application security. Though the importance of any given
language varies by role, programming experience offers a higher competitive
edge for cybersecurity experts over others.

And although not all cybersecurity positions require a programming

background, it’s an important skill to have for mid-level and upper-level cyber
positions. A strong understanding of programming languages helps
cybersecurity experts stay on top of cyber criminals, and having a good grasp of
the architecture of a system means that it is easier to defend it.

UNIT - I 40
[CYBER SECURITY]

Fortunately, the beginning of a cybersecurity career is the ideal time to build

your programming knowledge. This way, when you hit the job market, you’ll
know the essential components of programming and will be able to read code
and comprehend its functions.

What programming language should I learn for cybersecurity?

There are about 250 prominent computer programming languages used today,
with as many as 700 used around the world. In cyber, that number shrinks to
around 10-15. Here are the twelve best programming languages to learn for
cybersecurity, so you can set your sights toward starting a new cyber career.

Python

For several years now, Python has been a dominant language in cybersecurity.
It is a server-side scripting language, so the resulting script doesn’t need
compiling by coders. It’s a general-purpose language that is used in many — if
not most — cybersecurity situation.

With Python, you’re able to automate tasks and perform malware analysis. Plus
an extensive third-party library of scripts is readily accessible, meaning help is
right around the corner. Code readability, clear and easy syntax, and a vast
number of libraries are some of the aspects that make it popular.

For cybersecurity experts, Python is a valuable programming language since it

can be used in detecting malware, penetration testing, scanning, and analyzing
cyber threats. If you understand Python, being a SOC support pro makes a whole
lot of sense.

UNIT - I 41
[CYBER SECURITY]

You need to build tools and scripts in this role to protect web pages from security
threats. To examine the root of the issues, you can also employ data, logs, and
artifacts.

As a side note: The chart above shows the relative popularity based on how
many GitHub pulls are made per year for that language. This chart and all the
charts below are based on data from GitHut 2.0, created by littleark.

Golang

 Most malware aims to get into target systems undiscovered, making

Golang perfect for it.
 With Golang, a single source code can be constructed for all major
operating systems.
 The size of malware coded in GoLang is large. This helps them to
penetrate systems undiscovered since large files cannot be scanned by a
lot of popular antivirus software.
 This language also has vast libraries that make the malware creation
process very smooth.

Go has become quite popular as a language for security professionals. It’s a

perfect option for cyber programmers for its use in server and cloud
services, flexibility and ease, and data analysis capabilities.

UNIT - I 42
[CYBER SECURITY]

JavaScript

The most common programming language is JavaScript, a universal

language used by 95 percent of internet sites.

It’s one of the finest programming languages for cybersecurity you can master.

 JavaScript is for you if you want to capture cookies, exploit event handlers,
and carry out cross-site scripting.
 NodeJS, ReactJS, jQuery — these are all JavaScript libraries.
 This also implies that, due to the widespread use of the language,
applications and systems using it are prominent targets.

JavaScript lets programmers use any code while users visit a website,
strengthening that site’s functionality. On the other hand, it may produce
malicious functionality hidden from the visitor. If the web site is compromised,
malicious codes may be used to run a program.

If you’re a JavaScript expert, you can ensure that any site is safe enough to
reduce or even remove Cross-Site Scripting (XSS) attacks.

JavaScript’s also used by front-end developers, full-stack developers, back-end

developers, and more. It’s the most versatile language there is, and the most
popular language there is.

UNIT - I 43
[CYBER SECURITY]

 Applying C language in reverse engineering facilitates the development of

antivirus programs because cybersecurity teams can disassemble a
malware to examine its design, spread, and consequences.
 The C programming language is also essential for developers who QA code
integrity.
 Cyber enemies may also use the language to identify exploitable
weaknesses in the network before an attack is launched.

Being a low-level programming language with simple syntax, someone can

master it with a few months of training. Programmers take further steps to make
sure that their code lacks bugs when writing the program. Hackers can use it to
find vulnerabilities, though.

Lint is a code analysis tool intended for programs that are written in C. Different
versions have emerged since its inception. Both cybersecurity experts and
hackers may use Lint to identify programming errors, and find bugs that risk
computer network security.

C++
C++ was adapted from the C coding language, but has several distinct features.

 In contrast to C, C++ supports objects and classes.

 C++ is faster and performs better than the C language.
 Despite being useful, less than 0.1% of all websites use it.
 A C++ developer develops desktop and mobile apps, whereas coding
specialists identify and eliminate any vulnerability and bugs.

Cybersecurity experts benefit learning C++ because they can detect

vulnerabilities and security weaknesses easily. A scanning tool
UNIT - I 44
[CYBER SECURITY]

like Flawfinder that scans C++ lets cyber experts easily recognize security flaws
in code. These tools describe existing vulnerabilities, their severity, and their
effects on an application by using an integrated database that includes the
language function’s possible risks.

SQL
SQL (Structured Query Language) is a domain-specific programming language. It
highly popular and is used to parse data in large databases. With businesses
becoming more data-driven, SQL is the most demanded database management
programming language.

 Most websites use SQL for their data management activities like
Relational Database Management System (RDBS).
 It deals with numerous database systems.
 Consequently, it is also recognized as the most straightforward language
for handling a database.

Database Administrators, programmers, and end-users create SQL queries for

the retrieval, insertion, modification, and removal of data stored in database
tables. Attackers often use this language to steal confidential data, compromise
data stores, and execute a variety of web-based attacks.

You’ll need to have at least a basic knowledge of SQL if you want to comprehend
the activity of the attacker and avoid SQL injection as well as other database-
related attacks.

Assembly

 An assembly language is any low-level language that helps analyze and

understand how malware works.
 Understanding assembly is relatively straightforward, especially if you
already know a high-programming language.

In 2003, Slammer, a malware based on assembly, caused disorder and slowed

web traffic by forcing service negligence on many, many proprietors. There was
a protective overflow bug on Microsoft’s SQL server that the program exploited.
This incident was not a sudden one — several months before a patch was
released — but several enterprises didn’t implement it, opening the door for the
bug to propagate.

UNIT - I 45
[CYBER SECURITY]

Assembly is an essential programming language as cybersecurity experts might

use it to interpret malware and understand their modes of attack. Cybersecurity
professionals defend against traditional and contemporary malware
continuously, and so it’s essential to understand how malware functions.

PowerShell

PowerShell is a more versatile command-line interface that blends the old

Command Prompt (CMD) features with an advanced scripting environment that
can be used to get access to the inner core of a machine, including Windows
APIs access.

 PowerShell is a valuable tool to automate repetitive tasks for

administrators, but sadly, its capabilities have also been exploited by
malicious actors.
 No longer having to rely on typical malware, Hackers can manipulate
PowerShell to find sensitive domain information and load harmful
executables (also known as fileless malware).
 Because PowerShell is installed on all machines from Windows 7 to
Windows Server 2019 by default, it’s a preferred tool for many attackers.

UNIT - I 46
[CYBER SECURITY]

Ruby

Ruby is a general-purpose high-level language created and developed by

Yukihiro Matsumoto in Japan. Since then, it’s become one of the most popular
programming languages in the world.

 Ruby’s syntax is essentially identical to Perl and Python.

 It was written in C.
 Its ease of use and inherent ability to manage massive code projects make
it popular among coders.
 Ruby has been widely used for sites including Airbnb, Hulu, Kickstarter,
and Github.
 Ruby manages much of a machine’s complex information, making
programs easier to develop and with less code.

Java

Java is one of the first languages to be used in the design of many major
operating systems, like Solaris, Linux, macOS, and Microsoft Windows. Since it
UNIT - I 47
[CYBER SECURITY]

drives both modern and legacy web servers, it is extensively used in all
industries.

In information security, the Java language has many applications.

 Cyber adversaries, for instance, use it to reverse-engineer proprietary

software applications to discover and exploit security vulnerabilities.
 Penetration testers often use Java to organize high-scaling servers they
use in payload delivery.
 Pen testing is one of the essential tasks of a cybersecurity specialist, and
understanding Java makes it easier.
 Experienced ethical hackers use Java programming to build and develop
sophisticated, ethical programs.
 Java is highly dynamic compared to languages like C++, making it popular
among cyber experts.
 Using Java to develop vulnerability testing programs lets ethical hackers
deploy it on multiple platforms.

PHP

PHP is a server-side programming language used to build websites. PHP is

perhaps the most powerful server-side language there is, used in 80 percent of
the web’s top 10 million domains. For this reason alone, it’s obvious that
understanding PHP will help you protect against attackers.

 RIPS is a standard tool for PHP applications that performs automated

security analysis.
 In an application, RIPS examines data flow from input parameters to
critical operations.

UNIT - I 48
[CYBER SECURITY]

 You could use RIPS if you’re a PHP developer working with security
vulnerabilities.
 As a PHP security-focused developer, you can write server-side web
application logic.
 You can handle back-end resources and data sharing between servers and
their consumers using PHP
 You can also use your PHP knowledge to eliminate any vulnerabilities in
your code.

It’s also worth noting that PHP is used by businesses as a language on the server-
side that works with HTML, helping websites work properly. To make website
updates easier, web designers use PHP to connect databases with web pages.

Shell scripting

Shell scripting incorporates several of the same commands that you may already
use in your operating system’s terminal sessions and lets developers create
automated scripts for various routine activities.

Do you need to provision accounts quickly and facilitate sufficient access? Do

you want to automate a system configuration security lockdown quickly? This is
where shell scripting comes into play.

You’ll want to master some Linux script languages like Bash if you’re using Linux
or macOS. If you’re a Windows pro, immerse yourself in PowerShell.

What’s the first cybersecurity language I should learn?

We recommend starting with Python. The syntax is straightforward and there
are countless libraries that make your coding life much easier.

UNIT - I 49
[CYBER SECURITY]

In cybersecurity, Python is used to conduct many cybersecurity tasks like

scanning and analyzing malware. Python is a helpful step towards more
sophisticated programming languages, too. It offers a high level of web
readability and is used by tech’s largest companies, including Google, Reddit,
and NASA. Once you have Python down-pat, you can move on to high-level
programming languages.

What are the best ways to learn these cyber languages?

Like with any type of coding language, there are lots of ways to get started
learning. It really all depends on how much time and money you’d like to commit
to. If you want to learn casually or dabble in coding before committing, we
suggest starting with a free introductory course. And if you know you’re ready
to pursue a career in cybersecurity, then a full-time bootcamp is your best bet.

Introductory cybersecurity courses

Coursera’s Introduction to Cybersecurity. Built to help learning understand
modern technology and strategies for information and system security.

EdX. This course provides a high-level introduction to cybersecurity and is suited

for people interested in internet security.

Flatiron School’s Cybersecurity Prep Work. Learners who want to dive into
cybersecurity fundamentals like virtualization functions can get started with this
free prep work.

In-person cybersecurity courses designed to help you change careers

Evolve Security. Evolve Security is an interactive and hands-on cybersecurity
training program for 20 weeks. Students spend roughly 20 hours a week on
cybersecurity bootcamp training, including in-class and individual study.

SecureSet. This 800-hour comprehensive course is intended to help you learn

the skills to become a level 1+ strategic analyst, security engineer, or
penetration testing officer. SecureSet’s is a part of Flatiron.

Fullstack Academy. Fullstack Academy is designed to take you from a

cybersecurity beginner to an in-demand cybersecurity expert in only 17 weeks
of full-time training.

UNIT - I 50
[CYBER SECURITY]

Flatiron School’s cybersecurity course. This course is intended to teach you

everything you need to know to start a career as a level 1+ threat
analyst, compliance analyst, security consultant, or SOC specialist.

We also offer our full-time Cybersecurity Engineering course. This course

focuses more on learners with a technical background, helping them start a
career as a cybersecurity engineer and joining the forefront of global
technological development.

The best online cybersecurity courses to change your career

Brainstation. Through this cybersecurity course, you can gain a better
understanding of the technologies developed every day and how security
attacks leverage vulnerabilities and evolve within cybersecurity.

Level Effect. This course focuses on security and is paired with practical
applications and use cases. Develop the skills needed to secure cybersecurity job
roles or advance your career with new strategies, techniques, and processes.

UNINTENTIONAL (NON-MALICIOUS) PROGRAMMING

OVERSIGHTS
Being human, programmers and other developers make many mistakes, most
of which are unintentional and nonmalicious. Many such errors cause program
malfunctions but do not lead to more serious security vulnerabilities. However,
a few classes of errors have plagued programmers and security professionals for
decades, and there is no reason to believe they will disappear. In this section we
consider three classic error types that have enabled many recent security
breaches. We explain each type, why it is relevant to security, and how it can be
prevented or mitigated.

Buffer Overflows
A buffer overflow is the computing equivalent of trying to pour two liters of
water into a one-liter pitcher: Some water is going to spill out and make a mess.
And in computing, what a mess these errors have made!

Definition
A buffer (or array or string) is a space in which data can be held. A buffer resides
in memory. Because memory is finite, a buffer's capacity is finite. For this reason,
in many programming languages the programmer must declare the buffer's
maximum size so that the compiler can set aside that amount of space.

UNIT - I 51
[CYBER SECURITY]

Let us look at an example to see how buffer overflows can happen. Suppose a C
language program contains the declaration:

char sample[10];

The compiler sets aside 10 bytes to store this buffer, one byte for each of the
ten elements of the array, sample[0] through sample[9]. Now we execute the
statement:

sample[10] = 'A';

The subscript is out of bounds (that is, it does not fall between 0 and 9), so we
have a problem. The nicest outcome (from a security perspective) is for the
compiler to detect the problem and mark the error during compilation.
However, if the statement were

sample[i] = 'A';

we could not identify the problem until i was set during execution to a too-big
subscript. It would be useful if, during execution, the system produced an error
message warning of a subscript out of bounds. Unfortunately, in some
languages, buffer sizes do not have to be predefined, so there is no way to detect
an out-of-bounds error. More importantly, the code needed to check each
subscript against its potential maximum value takes time and space during
execution, and the resources are applied to catch a problem that occurs
relatively infrequently. Even if the compiler were careful in analyzing the buffer
declaration and use, this same problem can be caused with pointers, for which
there is no reasonable way to define a proper limit. Thus, some compilers do not
generate the code to check for exceeding bounds.

Let us examine this problem more closely. It is important to recognize that the
potential overflow causes a serious problem only in some instances. The

UNIT - I 52
[CYBER SECURITY]

problem's occurrence depends on what is adjacent to the array sample. For

example, suppose each of the ten elements of the array sample is filled with the
letter A and the erroneous reference uses the letter B, as follows:

for (i=0; i<=9; i++) sample[i] = 'A'; sample[10] = 'B'

All program and data elements are in memory during execution, sharing space
with the operating system, other code, and resident routines. So there are four
cases to consider in deciding where the 'B' goes, as shown in Figure 3-1. If the
extra character overflows into the user's data space, it simply overwrites an
existing variable value (or it may be written into an as-yet unused location),
perhaps affecting the program's result, but affecting no other program or data.

FIGURE 3-1 Places Where a Buffer Can Overflow.

In the second case, the 'B' goes into the user's program area. If it
overlays an already executed instruction (which will not be
executed again), the user should perceive no effect. If it overlays an instruction
that is not yet executed, the machine will try to execute an instruction with
operation code 0x42, the internal code for the character 'B'. If there is no
instruction with operation code 0x42, the system will halt on an illegal
instruction exception. Otherwise, the machine will use subsequent bytes as if
they were the rest of the instruction, with success or failure depending on the
meaning of the contents. Again, only the user is likely to experience an effect.

The most interesting cases occur when the system owns the space immediately
after the array that overflows. Spilling over into system data or code areas
produces similar results to those for the user's space: computing with a faulty
value or trying to execute an improper operation.

Security Implication
Let us suppose that a malicious person understands the damage that can be
done by a buffer overflow; that is, we are dealing with more than simply a
normal, errant programmer. The malicious programmer looks at the four cases
illustrated in Figure 3-1 and thinks deviously about the last two: What data
values could the attacker insert just after the buffer so as to cause mischief or
damage, and what planned instruction codes could the system be forced to

UNIT - I 53
[CYBER SECURITY]

execute? There are many possible answers, some of which are more malevolent
than others. Here, we present two buffer overflow attacks that are used
frequently. (See [ALE96] for more details.) First, the attacker may replace code
in the system space. Remember that every program is invoked by the operating
system and that the operating system may run with higher privileges than those
of a regular program. Thus, if the attacker can gain control by masquerading as
the operating system, the attacker can execute many commands in a powerful
role. Therefore, by replacing a few instructions right after returning from his or
her own procedure, the attacker can get control back from the operating
system, possibly with raised privileges. If the buffer overflows into system code
space, the attacker merely inserts overflow data that correspond to the machine
code for instructions.

On the other hand, the attacker may make use of the stack pointer or the return
register. Subprocedures calls are handled with a stack, a data structure in which
the most recent item inserted is the next one removed (last arrived, first served).
This structure works well because procedure calls can be nested, with each
return causing control to transfer back to the immediately preceding routine at
its point of execution. Each time a procedure is called, its parameters, the return
address (the address immediately after its call), and other local values are
pushed onto a stack. An old stack pointer is also pushed onto the stack, and a
stack pointer register is reloaded with the address of these new values. Then,
control is transferred to the subprocedure.

As the subprocedure executes, it fetches parameters that it finds by using the

address pointed to by the stack pointer. Typically, the stack pointer is a register
in the processor. Therefore, by causing an overflow into the stack, the attacker
can change either the old stack pointer (changing the context for the calling
procedure) or the return address (causing control to transfer where the attacker
wants when the subprocedure returns). Changing the context or return address
allows the attacker to redirect execution to a block of code the attacker wants.

In both these cases, a little experimentation is needed to determine where the

overflow is and how to control it. But the work to be done is relatively small—
probably a day or two for a competent analyst. These buffer overflows are
carefully explained in a paper by Mudge [MUD95] of the famed l0pht computer
security group.

UNIT - I 54
[CYBER SECURITY]

An alternative style of buffer overflow occurs when parameter values are passed
into a routine, especially when the parameters are passed to a web server on
the Inter-net. Parameters are passed in the URL line, with a syntax similar
to http://www.somesite.com/subpage/userinput&parm1=(808)555-
1212&parm2=2004Jan01
In this example, the page userinput receives two parameters, parm1 with value
(808)555-1212 (perhaps a U.S. telephone number) and parm2 with value
2004Jan01 (perhaps a date). The web browser on the caller's machine will
accept values from a user who probably completes fields on a form. The browser
encodes those values and transmits them back to the server's web site.

The attacker might question what the server would do with a really long
telephone number, say, one with 500 or 1000 digits. But, you say, no telephone
in the world has such a telephone number; that is probably exactly what the
developer thought, so the developer may have allocated 15 or 20 bytes for an
expected maximum length telephone number. Will the program crash with 500
digits? And if it crashes, can it be made to crash in a predictable and usable way?
(For the answer to this question, see Litchfield's investigation of the
Microsoft dialer program [LIT99].) Passing a very long string to a web server is a
slight variation on the classic buffer overflow, but no less effective.

As noted above, buffer overflows have existed almost as long as higher-level

programming languages with arrays. For a long time they were simply a minor
annoyance to programmers and users, a cause of errors and sometimes even
system crashes. Rather recently, attackers have used them as vehicles to cause
first a system crash and then a controlled failure with a serious security
implication. The large number of security vulnerabilities based on buffer
overflows shows that developers must pay more attention now to what had
previously been thought to be just a minor annoyance.

Incomplete Mediation
Incomplete mediation is another security problem that has been with us for
decades. Attackers are exploiting it to cause security problems.

Definition
Consider the example of the previous section:

http://www.somesite.com/subpage/userinput&parm1=(808)555-
1212&parm2=2004Jan01

UNIT - I 55
[CYBER SECURITY]

The two parameters look like a telephone number and a date. Probably the
client's (user's) web browser enters those two values in their specified format
for easy processing on the server's side. What would happen if parm2 were
submitted as 1800Jan01? Or 1800Feb30? Or 2048Min32? Or 1Aardvark2Many?

Something would likely fail. As with buffer overflows, one possibility is that the
system would fail catastrophically, with a routine's failing on a data type error
as it tried to handle a month named "Min" or even a year (like 1800) which was
out of range. Another possibility is that the receiving program would continue
to execute but would generate a very wrong result. (For example, imagine the
amount of interest due today on a billing error with a start date of 1 Jan 1800.)
Then again, the processing server might have a default condition, deciding to
treat 1Aardvark2Many as 3 July 1947. The possibilities are endless.

One way to address the potential problems is to try to anticipate them. For
instance, the programmer in the examples above may have written code to
check for correctness on the client's side (that is, the user's browser). The client
program can search for and screen out errors. Or, to prevent the use of
nonsense data, the program can restrict choices only to valid ones. For example,
the program supplying the parameters might have solicited them by using a
drop-down box or choice list from which only the twelve conventional months
would have been possible choices. Similarly, the year could have been tested to
ensure that the value was between 1995 and 2005, and date numbers would
have to have been appropriate for the months in which they occur (no 30th of
February, for example). Using these verification techniques, the programmer
may have felt well insulated from the possible problems a careless or malicious
user could cause.

However, the program is still vulnerable. By packing the result into the return
URL, the programmer left these data fields in a place accessible to (and
changeable by) the user. In particular, the user could edit the URL line, change
any parameter values, and resend the line. On the server side, there is no way
for the server to tell if the response line came from the client's browser or as a
result of the user's editing the URL directly. We say in this case that the data
values are not completely mediated: The sensitive data (namely, the parameter
values) are in an exposed, uncontrolled condition.

Security Implication

UNIT - I 56
[CYBER SECURITY]

Incomplete mediation is easy to exploit, but it has been exercised less often than
buffer overflows. Nevertheless, unchecked data values represent a serious
potential vulnerability.

To demonstrate this flaw's security implications, we use a real example; only the
name of the vendor has been changed to protect the guilty. Things, Inc., was a
very large, international vendor of consumer products, called Objects. The
company was ready to sell its Objects through a web site, using what appeared
to be a standard e-commerce application. The management at Things decided
to let some of its in-house developers produce the web site so that its customers
could order Objects directly from the web.

To accompany the web site, Things developed a complete price list of its Objects,
including pictures, descriptions, and drop-down menus for size, shape, color,
scent, and any other properties. For example, a customer on the web could
choose to buy 20 of part number 555A Objects. If the price of one such part were
$10, the web server would correctly compute the price of the 20 parts to be
$200. Then the customer could decide whether to have the Objects shipped by
boat, by ground transportation, or sent electronically. If the customer were to
choose boat delivery, the customer's web browser would complete a form with
parameters like these:

http://www.things.com/order/final&custID=101&part=555A
&qy=20&price=10&ship=boat&shipcost=5&total=205
So far, so good; everything in the parameter passage looks correct. But this
procedure leaves the parameter statement open for malicious tampering.
Things should not need to pass the price of the items back to itself as an input
parameter; presumably Things knows how much its Objects cost, and they are
unlikely to change dramatically since the time the price was quoted a few
screens earlier.

A malicious attacker may decide to exploit this peculiarity by supplying instead

the following URL, where the price has been reduced from $205 to $25:

http://www.things.com/order/final&custID=101&part=555A
&qy=20&price=1&ship=boat&shipcost=5&total=25
Surprise! It worked. The attacker could have ordered Objects from Things in any
quantity at any price. And yes, this code was running on the web site for a while
before the problem was detected. From a security perspective, the most serious
concern about this flaw was the length of time that it could have run undetected.
UNIT - I 57
[CYBER SECURITY]

Had the whole world suddenly made a rush to Things's web site and bought
Objects at a fraction of their price, Things probably would have noticed. But
Things is large enough that it would never have detected a few customers a day
choosing prices that were similar to (but smaller than) the real price, say 30
percent off. The e-commerce division would have shown a slightly smaller profit
than other divisions, but the difference probably would not have been enough
to raise anyone's eyebrows; the vulnerability could have gone unnoticed for
years. Fortunately Things hired a consultant to do a routine review of its code,
and the consultant found the error quickly.

This web program design flaw is easy to imagine in other web settings. Those of
us interested in security must ask ourselves how many similar problems are
there in running code today? And how will those vulnerabilities ever be found?

Time-of-Check to Time-of-Use Errors

The third programming flaw we investigate involves synchronization. To
improve efficiency, modern processors and operating systems usually change
the order in which instructions and procedures are executed. In particular,
instructions that appear to be adjacent may not actually be executed
immediately after each other, either because of intentionally changed order or
because of the effects of other processes in concurrent execution.

Definition
Access control is a fundamental part of computer security; we want to make
sure that only those who should access an object are allowed that access. (We
explore the access control mechanisms in operating systems in greater detail in
Chapter 4.) Every requested access must be governed by an access policy stating
who is allowed access to what; then the request must be mediated by an access
policy enforcement agent. But an incomplete mediation problem occurs when
access is not checked universally. The time-of-check to time-of-use (TOCTTOU)
flaw concerns mediation that is performed with a "bait and switch" in the
middle. It is also known as a serialization or synchronization flaw.

To understand the nature of this flaw, consider a person's buying a sculpture

that costs $100. The buyer removes five $20 bills from a wallet, carefully counts
them in front of the seller, and lays them on the table. Then the seller turns
around to write a receipt. While the seller's back is turned, the buyer takes back
one $20 bill. When the seller turns around, the buyer hands over the stack of
bills, takes the receipt, and leaves with the sculpture. Between the time when

UNIT - I 58
[CYBER SECURITY]

the security was checked (counting the bills) and the access (exchanging the
sculpture for the bills), a condition changed: what was checked is no longer valid
when the object (that is, the sculpture) is accessed.

A similar situation can occur with computing systems. Suppose a request to

access a file were presented as a data structure, with the name of the file and
the mode of access presented in the structure. An example of such a structure
is shown in Figure 3-2.

FIGURE 3-2 Data Structure for File Access.

The data structure is essentially a "work ticket," requiring a stamp

of authorization; once authorized, it will be put on a queue of
things to be done. Normally the access control mediator receives the data
structure, determines whether the access should be allowed, and either rejects
the access and stops or allows the access and forwards the data structure to the
file handler for processing.

To carry out this authorization sequence, the access control mediator would
have to look up the file name (and the user identity and any other relevant
parameters) in tables. The mediator could compare the names in the table to
the file name in the data structure to determine whether access is appropriate.
More likely, the mediator would copy the file name into its own local storage
area and compare from there. Comparing from the copy leaves the data
structure in the user's area, under the user's control.

It is at this point that the incomplete mediation flaw can be exploited. While the
mediator is checking access rights for the file my_file, the user could change the
file name descriptor to your_file, the value shown in Figure 3-3. Having read the
work ticket once, the mediator would not be expected to reread the ticket
before approving it; the mediator would approve the access and send the now-
modified descriptor to the file handler.

FIGURE 3-3 Modified Data.

The problem is called a time-of-check to time-of-use flaw because

it exploits the delay between the two times. That is, between the
time the access was checked and the time the result of the check was used, a
change occurred, invalidating the result of the check.

UNIT - I 59
[CYBER SECURITY]

Security Implication
The security implication here is pretty clear: Checking one action and performing
another is an example of ineffective access control. We must be wary whenever
there is a time lag, making sure that there is no way to corrupt the check's results
during that interval.

Fortunately, there are ways to prevent exploitation of the time lag. One way to
do so is to use digital signatures and certificates. As described in Chapter 2, a
digital signature is a sequence of bits applied with public key cryptography, so
that many people—using a public key—can verify the authenticity of the bits,
but only one person—using the corresponding private key—could have created
them. In this case, the time of check is when the person signs, and the time of
use is when anyone verifies the signature.

Suppose the signer's private key is disclosed some time before its time of use. In
that case, we do not know for sure that the signer did indeed "sign" the digital
signature; it might have been a malicious attacker acting with the private key of
the signer. To counter this vulnerability, a public key cryptographic
infrastructure includes a mechanism called a key revocation list, for reporting a
revoked public key—one that had been disclosed, was feared disclosed or lost,
became inoperative, or for any other reason should no longer be taken as valid.
The recipient must check the key revocation list before accepting a digital
signature as valid.

Combinations of Nonmalicious Program Flaws

These three vulnerabilities are bad enough when each is considered on its own.
But perhaps the worst aspect of all three flaws is that they can be used together,
as one step in a multistep attack. An attacker may not be content with causing
a buffer overflow. Instead the attacker may begin a three-pronged attack by
using a buffer overflow to disrupt all execution of arbitrary code on a machine.
At the same time, the attacker may exploit a time-of-check to time-of-use flaw
to add a new user ID to the system. The attacker then logs in as the new user
and exploits an incomplete mediation flaw to obtain privileged status, and so
forth. The clever attacker uses flaws as common building blocks to build a
complex attack. For this reason, we must know about and protect against even
simple flaws. (See Sidebar 3-3 for other examples of the effects of unintentional
errors.) Unfortunately, these kinds of flaws are widespread and dangerous. As
we will see in the next section, innocuous-seeming program flaws can be
exploited by malicious attackers to plant intentionally harmful code.

UNIT - I 60
[CYBER SECURITY]

MALICIOUS CODE MALWARE

Malicious code is code inserted in a software system or web script intended to
cause undesired effects, security breaches, or damage to a system. Taking
advantage of common system vulnerabilities, malicious code examples include
computer viruses, worms, Trojan horses, logic bombs, spyware, adware, and
backdoor programs. Visiting infected websites or clicking on a bad email link or
attachment are ways for malicious code to sneak its way into a system.

The most common form of malicious code is the computer virus, which infects a
computer by attaching itself to another program and then propagating when
that program is executed. Another common form is the worm, which makes
copies of itself, spreading through connected systems and consuming resources
on affected computers.

Malicious code is self-activating and takes on various forms, including Java

Applets, ActiveX controls, pushed content, plug-ins, scripting languages, or other
programming languages. By modifying, destroying, or stealing data, gaining or
allowing unauthorized access to a system, and executing functions that a user
never intended, malicious code can expose an organization’s systems, sensitive
data, and valuable information assets. The ideal solution is self-protecting
software that can defend itself from these kinds of vulnerabilities and attacks.

COUNTERMEASURES
In IT systems, multiple countermeasures may be applied for enhanced security.
Protective countermeasures may be in the form of hardware or software.

Examples include:

 Routers: Mask Internet Protocol (IP) addresses

 Anti-virus and anti-spyware applications: Protect against malicious
software (malware), including viruses, Trojans and adware
 Behavioral techniques: Applied by users to deter threats, such as
suspicious email attachments
 Firewalls: Facilitate authorized network access
 Intrusion detection systems (IDS): Prevent and/or block unauthorized
system access
 Physical security (especially in enterprises): Prevents hacking and network
subterfuge

UNIT - I 61