
Page 1: Objectives - Amazon Web Services… · Web viewTo perform scanning, hackers use tools such as port scanners, network mappers, vulnerability scanners, etc. Gaining Access Gaining access

Module 01: Introduction to Ethical Hacking

Objectives

This module introduces the course and the security concepts that later modules build on. It begins with an overview of information security, covering common terminology, information security concepts, and attack vectors. The following chapters discuss ethical hacking, penetration testing, and finally information security laws and standards.

Overview of Information Security

We live in a world where access to the Internet is an integral part of our private and professional lives. Information technology develops at a rapid pace and makes many things simpler, but this comes at a cost: our dependence on technology has taken a toll on our privacy. Communication and access to information have never been easier, yet the Internet has never been more dangerous. Not everyone connected to it has bad intentions, but some people do, and they do not hesitate to misuse the information available to them. More often than not, these individuals, called hackers in this course, put a lot of effort into malicious activity that damages organizations, companies, and individuals.

Common Terms

To defend against hackers, it is necessary to know what they know and to understand their process. To understand that process, it is important to understand what some commonly used terms mean.

Hack Value

Hack value is the hacker's way of deciding whether something is worth doing. It reflects their interest in proving that something normally considered difficult or even impossible is actually doable, and that they are the ones who did it. So, if something is considered to be of high hack value, the hacker will put all of their effort and energy into it.

Vulnerability

A vulnerability is a weakness in a system (in its design, implementation, configuration, or operating procedures) that can be used to compromise it.

Exploit

An exploit is a piece of code, or a technique, that takes advantage of an identified vulnerability, typically in order to deliver and run a payload.

Payload

A payload is the malicious code that the exploit delivers and runs on the target (for example, code that opens a remote shell for the attacker).

Let's illustrate this with the story of Jimmy. Jimmy went on vacation and booked a room in a nice little hotel. The hotel has a café in the lobby, so Jimmy drank his morning coffee there. To get to the café he had to walk past the reception, and every time he did, the receptionist greeted him. One morning, while drinking his coffee, Jimmy noticed a young man who was not staying at the hotel walk up to the receptionist, hand over a USB drive, and leave a few minutes later with the drive and a bunch of papers in his hands. At first Jimmy found this odd, but after some thought he realized that the man had most likely asked the receptionist to print something for him, and the receptionist had done so on the front-desk computer.

For Jimmy, this was an opportunity to prove how easy it would be to reach the hotel's system and the information stored in it. Even a small hotel has a system that stores information about every guest who has stayed there, and such information is valuable. That is the HACK VALUE.

The friendly and accommodating receptionist showed Jimmy the entry point: the front-desk computer accepts and opens files from USB drives handed over by strangers, and that same computer has access to the guest records. That practice is the identified VULNERABILITY. Jimmy could hand over a USB drive prepared so that, when its contents are opened, it installs a program that gives him access to the system. The prepared drive, together with the trick that gets it opened, is the EXPLOIT of the vulnerability; the program it installs is the PAYLOAD. This way Jimmy could gain access to the system and misuse the guest information. But Jimmy is an ethical hacker, and he has no permission to test the hotel's systems, so he plugs nothing in. Instead, he decides that the hotel's management should be informed of the weakness so that they can act on it. Note the distinction: without the owner's authorization, even a "harmless" test would itself be unauthorized access.


Zero-Day Attack

A zero-day vulnerability is a vulnerability in software or hardware for which the vendor has no fix available, typically because the vendor does not yet know about it; the name refers to the vendor having had zero days to fix it. An attack that exploits such a vulnerability is a zero-day attack. Even once the vendor becomes aware of the flaw, a zero-day attack can happen at any time until a patch is released and applied. So, exploiting a vulnerability for which no patch has been released is called a zero-day attack.

Daisy Chaining

Daisy chaining is an attack in which hackers gain access to one computer or network and then use it as a stepping stone to reach the next computer or network (for example, a compromised workstation is used to reach servers that are not exposed to the Internet).

Doxing

Doxing is gathering and publishing private information about a person or organization, usually in order to harm, embarrass, or coerce them. The attacker starts with the information they already know about the target and works forward from there, building a profile; they often keep a form or template that they fill in as new pieces of information are discovered. Today, numerous tools and sites make it easy for hackers to find information about their targets. Doxing can harm the target severely: the collected details can be used to commit crimes in the target's name or to get at the target's financial accounts. Hackers with malicious intentions usually use doxing to coerce their targets into doing something they do not want to do.

Bot

A bot is malicious software that lets a hacker control an infected machine remotely. Once a machine is infected, the hacker can use the bot to run commands on it and to launch attacks on other computers from it. Hackers usually infect many machines and group them into a botnet, which they can then use for distributed denial of service (DDoS) attacks.

Information Security

Information security refers to the set of processes and activities performed in order to protect information. Its main objective is to prevent unauthorized users from stealing or misusing information or services. When talking about information security, we need to take into consideration its five major elements:

Confidentiality - ensures that information is available ONLY to people who are authorized to access it.

Integrity - ensures the accuracy and completeness of information and that it is not modified without authorization. Hashing (computing a cryptographic digest of the data) lets a reader detect that data has changed; to detect deliberate tampering the digest itself must be protected, for example with a keyed message authentication code or a digital signature, because an attacker who can rewrite the data can also recompute a plain hash.

Availability - ensures that resources are available whenever an authorized user needs them.

Authenticity - ensures that users are actually who they claim to be, and that a document or message really comes from its claimed source and has not been altered on the way.

Non-repudiation - ensures that a person cannot later deny having signed a document or sent a message; it is typically provided by digital signatures, which only the holder of the private key can produce.
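The integrity and authenticity elements above are easy to get wrong in practice: a plain hash stored next to the data proves nothing against an attacker who can write to the same storage. The following added example (not code from the course; the guest record and the HMAC key are constructed for the demonstration) shows the same tampering attempted against an unkeyed SHA-256 digest and against an HMAC tag, using only the Python standard library.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample record, standing in for one row of the hotel's guest table.
GUEST_RECORD = {"guest": "J. Example", "room": 214, "card_last4": "4242"}


def canonical(record: dict) -> bytes:
    """Serialise deterministically so equal records always produce equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def plain_digest(record: dict) -> str:
    """Unkeyed SHA-256: detects accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def check_plain(record: dict, stored_digest: str) -> bool:
    return hmac.compare_digest(plain_digest(record), stored_digest)


def keyed_tag(record: dict, key: bytes) -> str:
    """HMAC-SHA256: only a holder of `key` can produce a tag that verifies."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def check_keyed(record: dict, key: bytes, stored_tag: str) -> bool:
    # compare_digest runs in constant time, so a wrong tag leaks nothing via timing.
    return hmac.compare_digest(keyed_tag(record, key), stored_tag)


def attacker_rewrites(record: dict) -> dict:
    """What an intruder with write access to the database does: change a field."""
    return dict(record, room=101)


def demo() -> dict:
    """Runs both schemes against the same tampering and reports what each detects."""
    key = secrets.token_bytes(32)          # stays on the server; the attacker never sees it
    stored_digest = plain_digest(GUEST_RECORD)
    stored_tag = keyed_tag(GUEST_RECORD, key)

    forged = attacker_rewrites(GUEST_RECORD)
    # With an unkeyed hash the attacker simply recomputes the digest for the
    # forged row and overwrites the stored one; verification still passes.
    plain_fooled = check_plain(forged, plain_digest(forged))
    # With HMAC the best the attacker can do without the key is to keep the old
    # tag or to store an unkeyed hash; both fail verification.
    hmac_old_tag = check_keyed(forged, key, stored_tag)
    hmac_fake_tag = check_keyed(forged, key, plain_digest(forged))
    return {
        "untampered_ok": check_plain(GUEST_RECORD, stored_digest)
        and check_keyed(GUEST_RECORD, key, stored_tag),
        "plain_hash_fooled": plain_fooled,
        "hmac_fooled": hmac_old_tag or hmac_fake_tag,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The HMAC gives integrity and authenticity, but not non-repudiation: both the writer and the verifier hold the same key, so either of them could have produced the tag. Proving that a specific person produced a record requires a digital signature made with a private key that only that person holds.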

To illustrate these elements, let's bring back Jimmy. Say the hotel manager hires Jimmy to improve the security of the system, because they do not want anyone gaining access to the stored information. First, Jimmy needs to prevent loss of confidentiality. He can do so with access control and encryption: with access control, the system can be used by authenticated personnel only, and what each of them may do depends on the permissions they have been given, so a user who cannot be authenticated cannot access the system at all; information considered sensitive is additionally encrypted, so that even someone who obtains a copy of the stored data cannot read it. Then Jimmy needs to protect integrity: he makes sure the system has not been tampered with and that information remains unchanged in storage and in transit, using access rules, integrity checks (hashes protected by a message authentication code) and protected channels for data in transit. Next, he needs to keep the information available at all times, so he guards against loss of availability with regular, tested backups and redundant systems. Finally, to support non-repudiation he logs every activity on the system against the authenticated identity that performed it; for those logs to serve as evidence they must themselves be protected from modification, and for non-repudiation of documents he would additionally rely on digital signatures.

Defining the Level of Security of a System

Every system contains three important components: functionality, usability, and security.

Functionality refers to the features of the system.
Usability refers to the user interface of the system and how user-friendly it is.
Security refers to how the processes of the system are used and by whom.

These components are interconnected, so any change made to one component affects the other two. This means that if the security of the system is increased, the functionality and usability of the system tend to decrease, and the same happens if functionality or usability are increased. Therefore, it is important to consider these components carefully and decide how to balance them to get the desired levels of security, functionality, and usability. This is a rule of thumb rather than a law: a well-designed control, such as transparent disk encryption, can add security at very little cost to usability.

These three components are often illustrated as the vertices of a triangle with a ball placed inside it. With the ball in the center of the triangle, its distance to all three vertices is the same. Now, say we want to increase the security of the system, so we move the ball towards the security vertex: the closer it gets to that vertex, the further it is from the functionality and usability vertices. The same happens if we move the ball towards functionality or usability.

Overview of Information Security Threats and Attacks


Why Are Cyber Attacks Performed?

Information security, as defined above, is the set of processes and activities performed to protect information. The more valuable information is, the greater the threat to it and the higher the chances of an attack. Let's begin with definitions:

Security threat - anything that has the potential to cause damage to a system. Whether or not a given threat is ever realized matters less than the fact that it could lead to an attack on the system or network; therefore, security threats are not to be taken lightly.

Security attack (cyber-attack) - an attempt to gain unauthorized access to a system or network, or otherwise to harm it (for example, by denying service to its users).

What are the motives behind security (cyber) attacks?

Access to valuable information is usually the reason a hacker performs an attack. Depending on what hackers want to do, the motives differ, but at the core of almost every motive is access to valuable information. So, we can conclude that a motive comes from the thought that a system stores valuable information and is therefore a potential target.

What is the purpose of the attack on a system?

This depends on the hacker as an individual; every hacker has their own beliefs, motives, and skills. However, some of the most common motives behind cyber-attacks are:

Interrupting the flow of business activities and processes
Stealing valuable information
Data manipulation
Stealing money and important financial information
Revenge
Ransom

Once the attacker has a motive, they look for a method and the right tools to exploit the vulnerabilities of the target system, and then execute the attack. In short, an attack requires a motive, a method, and a vulnerability to exploit.


What Are the Means by Which Hackers Gain Access to Systems and Networks?

The means by which hackers deliver a payload to systems and networks are called attack vectors. Hackers use different attack vectors to gain access to systems and networks; the most common ones are described below.

Cloud Computing Threats

Cloud computing refers to the delivery of on-demand computing resources over the Internet, with users paying for what they use and how much they use it. Users, and companies in particular, store their information in the cloud, including sensitive information. Despite the many advantages cloud computing brings, it also has drawbacks, especially where security is concerned. Some of the cloud computing threats include:

Theft of information by insiders - employees (of the cloud customer or of the provider) with bad intentions who copy the data their role lets them reach onto a storage device and take it with them.

Data loss - data stored in the cloud being destroyed or becoming unrecoverable, whether through malware, accidental deletion, or loss of the keys that protect it, with no backup outside the provider to fall back on.

Attacks on sensitive information - hackers breaking into a cloud service and stealing information about its users; such information often includes credit card numbers and other financial data.

Advanced Persistent Threats

An advanced persistent threat (APT) is a prolonged, targeted intrusion whose goal is to steal as much information as possible while staying undetected for as long as possible, so that the target is not aware of the attack. The usual victims are governments and large companies.

Viruses and Worms

A virus is a type of malicious software designed to replicate itself into other programs and documents on the infected machine. Viruses spread to other computers when infected files or programs are transferred, so they depend on users (or file exchange) to carry them.

A worm is also a type of malware that replicates itself, but unlike a virus it needs no help in spreading: it exploits vulnerabilities on reachable machines directly over the network and copies itself to them without any file transfer by a user. Because of this, viruses and worms can infect systems and whole networks in a matter of seconds.


Ransomware

Ransomware is a type of malware that restricts access to files and folders on the target system, usually by encrypting them, until a payment is made. Victims are typically required to pay a sum of money to get their files back; since payment does not guarantee recovery, tested offline backups are the practical defence.

Mobile Threats

These attacks take advantage of the lack of security controls on smartphones, which are increasingly used for both private and business matters. Through malicious applications delivered to the target's smartphone, attackers can track the target and their activities.

Botnets

As described under Common Terms, a bot is malicious software that lets a hacker control an infected machine. Hackers infect many machines and group them into a botnet, from which they can launch attacks on other computers, most commonly distributed denial of service attacks.

Insider Attacks

An insider attack is performed by a person from within the organization who has authorized access and misuses it.

Phishing

Phishing is the use of deceptive emails (and, increasingly, messages on other channels) to gather personal or account information. Hackers use such emails to distribute malicious links and attachments in an attempt to steal credentials and personal information.

Web Application Threats

These attacks take advantage of poorly written code and the lack of proper validation of input and output data. Examples include SQL injection and cross-site scripting.

IoT Threats

These attacks take advantage of the lack of security mechanisms in IoT devices, which is often due to hardware constraints. Because such devices are connected to the Internet with little or no security measures implemented, they are vulnerable and susceptible to attacks.

Classification of Threats

Threats can be classified into three categories:

Network threats
Host threats
Application threats

Network Threats

A network is a set of computers and hardware devices connected by communication channels, which enable them to communicate and exchange information. Information travels through the channel connecting two systems, and during that exchange a hacker can break into the channel and intercept or alter the information being exchanged. Network threats include:

Denial of service attacks
Password-based attacks
Compromised-key attacks
Firewall and IDS attacks
DNS and ARP poisoning
Man in the middle attacks
Spoofing
Session hijacking
Information gathering
Sniffing

Host Threats

A host threat is an attack on a specific system in an attempt to gain access to the information residing on it. Host threats include:

Password attacks
Unauthorized access
Profiling
Malware attacks
Footprinting
Denial of service attacks
Arbitrary code execution
Privilege escalation
Backdoor attacks
Physical security threats

Application Threats

An application threat is the exploitation of vulnerabilities present in an application because of the lack of proper security measures in it. Application threats include:

SQL injection
Cross-site scripting
Session hijacking
Identity spoofing
Improper input validation
Security misconfiguration
Information disclosure
Hidden-field manipulation
Broken session management
Cryptography attacks
Buffer overflow issues
Phishing

Classification of Attacks

Hackers have many different ways of attacking a system, and all of them depend on one thing: a vulnerability in the system. So, for an attack to be performed, a vulnerability that can be exploited must first be found. Attacks can be categorized into four categories:

Operating system attacks
Misconfiguration attacks
Application-level attacks
Shrink-wrap code attacks

Operating System Attacks

Operating systems have always appealed to attackers, who try to discover and exploit OS vulnerabilities in order to gain access to a target system or network. With their growing number of features and their complexity, operating systems are subject to many vulnerabilities and as such are interesting to hackers. Because of the complexity of systems and networks, it is challenging to protect them from future attacks. Hot fixes and patches can be applied, but by then it is often either too late or only one problem has been solved. Therefore, protecting systems from OS attacks requires regular monitoring of the network as well as staying informed about the latest developments in this area. Some operating system vulnerabilities and attacks are:

Bugs
Buffer overflows
Unpatched operating systems
Exploits of the implementation of a specific network protocol
Attacks on authentication systems
Password cracking
Breaking filesystem security

Misconfiguration Attacks

A misconfiguration attack happens when a hacker gains access to a system whose security has been poorly configured (default credentials, unnecessary services, overly permissive access rights, debugging features left enabled). This allows the hacker to access the system and its files and to perform malicious actions. Such vulnerabilities affect networks, databases, web servers, etc.

Application-level Attacks

With the ever-increasing number of requested features and tight deadlines, applications are prone to vulnerabilities because developers are unable to test the code properly and thoroughly. As the number of features and functions grows, so do the opportunities for vulnerabilities. Hackers use different tools and techniques to discover and exploit these vulnerabilities and thus gain access to the application's data. Some of the most common application-level attacks include:

Sensitive information disclosure
Buffer overflow attacks
SQL injection
Cross-site scripting
Session hijacking
Denial of service
Man in the middle
Phishing
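SQL injection, named under both application threats and application-level attacks above, is the clearest case of "lack of proper validation on input": user input is pasted into the SQL text and so becomes part of the query's grammar. The following added example (not code from the course; the user table, the two login functions and the injection strings are constructed for the demonstration) runs the vulnerable login and the parameterised one against the same two classic payloads using Python's built-in sqlite3 module.

```python
import sqlite3

# Constructed sample table standing in for the application's user store.
# Passwords are kept in plain text only to keep the example short; a real
# application stores a salted password hash, never the password itself.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the query by string concatenation: user input becomes SQL syntax."""
    query = (
        "SELECT username FROM users WHERE username = '"
        + username + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the driver passes the input as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Two classic injection strings (constructed for the demonstration).
TAUTOLOGY = "' OR '1'='1"     # as the password: ... AND password = '' OR '1'='1'
COMMENT_OUT = "alice'--"      # as the username: closes the string, comments out the rest


def demo() -> dict:
    """Same inputs against both implementations; returns the usernames each one returns."""
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "tautology_vuln": login_vulnerable(conn, "nobody", TAUTOLOGY),   # every user
        "comment_vuln": login_vulnerable(conn, COMMENT_OUT, "wrong"),    # alice, no password
        "legit_safe": login_safe(conn, "alice", "correct horse"),
        "tautology_safe": login_safe(conn, "nobody", TAUTOLOGY),         # nothing
        "comment_safe": login_safe(conn, COMMENT_OUT, "wrong"),          # nothing
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:15} -> {result}")
```

The fix is not to "escape quotes" in the vulnerable function but to stop building SQL from strings altogether: with placeholders, the database engine never interprets the input as code, whatever characters it contains.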

Shrink-wrap Code Attacks

To spend as little time and money as possible on developing new software, programmers regularly use free libraries and code licensed from other sources. Because they do not change the libraries and code they reuse, a substantial amount of the program consists of code that is identical across many products. If a hacker finds a vulnerability in that shared code, every product that ships it is affected, which causes a great deal of problems. So, it is advised to always know which third-party code a product contains, check it for known vulnerabilities, keep it updated, and remove sample or default code that is not needed, rather than making private modifications to it, which only make later updates harder.

Modern Age Information Warfare

Information warfare is the use and management of information and communication technologies in order to gain an advantage over an opponent. Weapons used in information warfare include tools and methods such as viruses, trojan horses, and penetration exploits. Information warfare can be classified into several categories:

Command and control warfare
Intelligence-based warfare
Electronic warfare
Psychological warfare
Hacker warfare
Economic warfare
Cyber warfare

Each of these categories has offensive and defensive strategies:
Offensive strategies refer to attacks on the opponent.
Defensive strategies refer to the actions taken against such attacks.

History of Hacking

How Hacking Came to Be

Back in the 1960s, MIT was a place where extremely skilled individuals worked on creating the impossible. Their knowledge, skills, talent, and ambition resulted in many innovations that changed the future of technology. These individuals were known as hackers: at that time, anyone with the skills, knowledge, and determination to solve problems in a creative way was considered a hacker.

The hacker culture that originated at MIT predates the ARPANET, which was created in 1969. In the same year, Ken Thompson, together with Dennis Ritchie, created UNIX, and the C programming language followed in the early '70s. In the '80s, the ARPANET was split into military and civilian networks, which set the stage for the Internet. In 1989, the World Wide Web was proposed at CERN. Advances in technology continued through the 1990s. However, with each innovation there were also individuals who tried to use the new technology in ways its creators had not intended, and some of their actions broke the law or harmed individuals and organizations. For example, in the '70s John Draper, known as Captain Crunch, found a way to make free long-distance calls. In the '80s, hackers started committing credit card and computer fraud, and the first self-replicating viruses appeared in the early 1980s. In the 1990s, hackers began committing more serious crimes, often involving the theft of large amounts of money. With computers connected to the Internet, hackers found new ways to exploit vulnerabilities in computer systems. This led to today's definition of hacking: exploiting system vulnerabilities in order to gain access to system resources. Today, hackers use many different tools to achieve their goals; their techniques include DoS attacks, Trojan horses, viruses, worms, sniffing, phishing, and so on.

Who is a Hacker?

So, we have talked about hacking and how it came to be, and we have mentioned hackers. But who exactly are hackers? A hacker is an individual who uses their computer and knowledge to gain access to systems and networks. Hackers are intelligent and skilled individuals who break into systems and networks, often with the intent of stealing information or performing malicious attacks. Their motives differ: some do it for fun, others to commit a crime, and, as we will see, some do it with permission in order to improve security.

Types of Hackers

Despite popular belief, not all hackers are bad. Today there are several types of hackers, and in this video we will go through them. Hackers can be categorized as:

Black hat
White hat
Grey hat
Suicide hackers
Script kiddies
Cyber terrorists
State sponsored hackers
Hacktivists

Black hat

Black hats use their knowledge and skills to discover and exploit security vulnerabilities for financial gain or other malicious reasons. Their activities can cause major damage to their targets and their systems. Black hats are usually involved in criminal activities such as stealing personal and financial information or shutting down websites and networks.

White hat

White hats are ethical hackers who use their knowledge and skills to improve the security of a system by discovering vulnerabilities before black hats do. They use much the same methods and tools as black hats, but unlike black hats they have the system owner's permission to do so.

Grey hat

Grey hats are hackers who are not as malicious as black hats, but not as ethical as white hats either. They might help black hats in their endeavors, but they might also help in discovering vulnerabilities or probing the limits of a system, typically without having been asked to.

Suicide hackers

Suicide hackers are ready and willing to perform an attack for a "cause", even if they get caught and prosecuted.

Script kiddies

Script kiddies are newcomers to hacking who lack the knowledge or skills to perform attacks on their own. Instead, they use tools and scripts developed by more experienced hackers.

Cyber terrorists

Cyber terrorists are hackers driven by religious or political beliefs who work to cause fear and to disrupt systems and networks.

State sponsored hackers

State sponsored hackers are recruited by governments to gain access to the secret information of other governments.

Hacktivists

Hacktivists break into government or corporate systems out of protest and use their skills to promote a political or social agenda. Their targets are usually government agencies or big corporations.

Ethics

What is Ethical Hacking?

Ethical hacking describes activities performed by a security specialist to help companies identify vulnerabilities in their networks and systems. The security specialists who perform ethical hacking are white hat hackers, also known as ethical hackers. They perform hacking activities with the permission of the company that hired them. Their mission is to bypass system security and discover weaknesses and vulnerabilities in the system or network that could otherwise be exploited by black hats. Ethical hackers usually use the same methods and techniques that black hat hackers do. The difference is that ethical hackers have permission, stay within the agreed scope, and do not cause damage to systems or networks. Their job is to test the system's security, notify the administrators about any identified vulnerabilities, and suggest how to fix them.


Purpose of Ethical Hacking

The purpose of ethical hacking is to prevent malicious hackers from breaking into systems and networks. Ethical hackers employ the same methods and techniques that malicious hackers use, and by doing so they can discover vulnerabilities in a system or network and ensure that they are fixed. Furthermore, ethical hacking helps companies and organizations analyze and strengthen their system and network security, which allows them to put preventive measures in place against future breaches and to protect the data stored in their systems. Ethical hackers take on important tasks, so it is crucial that they do their job well. When hired to evaluate the security of a client's system or network, ethical hackers should ask themselves three questions:

What can an attacker see on this network or system?
What could the attacker do with that knowledge?
Are there any traces of attempted attacks on the system or network?

After the initial evaluation, the client decides whether they want to continue with security improvements. This depends greatly on the client's awareness of the importance of security measures as well as on their resources. With this in mind, the client and the ethical hacker should agree, in writing, on the scope and rules of engagement before the job is undertaken.

Hacking Stages

There are five stages of hacking:

1. Reconnaissance
2. Scanning
3. Gaining access
4. Maintaining access
5. Clearing tracks

Reconnaissance
This is the initial phase in which a hacker prepares for the attack by gathering information and learning as much as possible about the target. This phase may take some time, but it is necessary: without it, the hacker could not plan a successful attack. There are many techniques a hacker can use to gather information, but all of them fall into one of two types:

Active
Passive

In the active type, the hacker interacts with the target in one way or another, for example by using tools that detect open ports, locate routers, or fingerprint the operating system. Because the target is touched directly, active reconnaissance can be logged and detected. In the passive type, the hacker does not interact with the target and instead relies on publicly available information.

Scanning
In this phase, the hacker uses the information gathered during reconnaissance to scan the network, which often makes it possible to map routers and firewalls. To perform scanning, hackers use tools such as port scanners, network mappers, vulnerability scanners, etc.

Gaining Access
Gaining access means finding an entry point into the target’s operating system or an application on the system. This is the phase in which the actual attack on the target happens. Access to the system/network can be gained through password cracking, buffer overflows, session hijacking, DoS attacks, etc. Once they have access, hackers may escalate privileges to gain complete control over the system/network.

Maintaining Access
This is the phase in which hackers try to keep their admin/root privileges so that they can use the system as they wish. They usually install backdoors, rootkits, or Trojans to retain access, and they may also try to keep other attackers out of the system. Owning the system allows hackers to perform all sorts of actions, such as manipulating stored data and information, applications, and system configurations. Furthermore, they can use the system as a pivot to attack other systems and networks.

Clearing Tracks
In this final phase, hackers attempt to hide their activities on the system, for example by deleting or altering log entries, so that they keep their access but remain unnoticed. They do everything they can to cover their tracks and thus avoid getting caught and legally prosecuted.
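The scanning stage above is easiest to understand from a minimal scanner. The following is an added example written for this page, not a tool from the original course: a TCP connect() scanner in Python that probes a list of ports concurrently and reports which ones accept a connection. The demo_scan() function builds its own target on the loopback interface (a listener on an ephemeral port plus one port known to be closed), so it runs offline; the host, port list and timeout are assumptions for the demonstration. Scan only systems you are authorised to test.

```python
"""Added example for this page (not from the original course): a minimal TCP
connect() port scanner. demo_scan() constructs its own target on 127.0.0.1 so
the example runs offline; in real use you would pass a host you are authorised
to test and the port range of interest."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def probe(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP connect() to host:port succeeds (port open).
    A refused or timed-out connection is reported as closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_ports(host: str, ports, timeout: float = 0.5, workers: int = 32):
    """Probe the given ports concurrently and return the sorted list of open ones."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda p: probe(host, p, timeout), ports)
    return sorted(p for p, is_open in zip(ports, results) if is_open)


def demo_scan() -> dict:
    """Self-contained demonstration (constructed target): start a listener on an
    ephemeral loopback port, pick a second port that is known to be closed, scan
    both, and return what the scanner found."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: let the OS choose a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # A port that is free right now: bind it, note the number, release it again.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()

    # Accept and drop connections in the background so the handshake completes.
    def serve():
        while True:
            try:
                conn, _ = listener.accept()
                conn.close()
            except OSError:           # raised once the listener is closed
                break

    threading.Thread(target=serve, daemon=True).start()
    try:
        found = scan_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return {"open_port": open_port, "closed_port": closed_port, "found": found}


if __name__ == "__main__":
    print(demo_scan())
```

A connect() scan completes the TCP handshake, so it is the noisiest scanning technique and appears in the target's connection logs; that is the practical difference between this active step and the passive reconnaissance described earlier. Dedicated port scanners add half-open (SYN) scans, service banner grabbing and OS fingerprinting on top of this basic probe.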

Protecting Information

Information Assurance
Information assurance is the practice of ensuring that the integrity, availability, confidentiality, authenticity, and non-repudiation of information are maintained during its use, processing, storage, and transmission. Several processes help in achieving information assurance:

Development of security policies that help in maintaining system security
Design of the network and user authentication strategy
Identification of vulnerabilities and threats
Identification of problems in the system and of resource requirements
Plan design for the identified requirements
Certification and accreditation to find vulnerabilities and remove them
Information assurance training for employees

Information Security Management Program
An information security management program is an organization-wide program that allows an organization to perform its activities in a secure environment. It should include all processes and participants relevant to information security in the organization and ensure that the right issues regarding system security are addressed. The program provides a framework of policies, standards, rules, and procedures that help in establishing and maintaining the right level of system security.

Enterprise Information Security Architecture
Enterprise information security architecture (EISA) refers to a set of requirements, processes, principles, and models that regulate the organization’s structure and behavior in terms of system security, processes, and employees. EISA goals include:

Real time monitoring of the organization’s network
Detection of and recovery from security breaches
Ensuring cost efficiency of security provisions
Helping the IT department to function properly
Helping in the process of risk assessment of IT assets

Network Security Zoning
Network zoning is a mechanism that allows efficient management of an organization’s different network zones. It helps in enforcing appropriate rules and establishing appropriate security levels for the different zones. Properties of a network security zone are:

Active security policies in regard to the network traffic
Detection and blocking of malicious traffic
List of known IP addresses and address sets
List of the zone interfaces

Network zones include:

Internet zone
This is an uncontrolled zone that falls outside the boundaries of the organization.

Internet DMZ zone
This is a controlled zone, also known as a demilitarized zone, which provides a barrier between the external and internal networks. The DMZ uses firewalls to control traffic to and from the Internet as well as to and from the internal networks, so that a compromised DMZ host does not give an attacker direct access to internal systems.

Production zone
This is a restricted zone in which firewalls filter inbound and outbound traffic, and access from uncontrolled networks is strictly controlled.

Intranet zone
This is a controlled zone with fewer restrictions. The intranet contains a group of hosts that sit behind one or more firewalls in the organization’s network. Even though it has fewer restrictions, it still ensures secure operation of business processes.

Management zone
This is a secured zone which enforces strict policies and limits access to a few authorized users.

Defense in Depth
Defense in depth is a strategy that uses a number of layers of protection. The idea is that multiple protection layers are more secure than a single one: an attacker who defeats or bypasses one control (for example a perimeter firewall) still has to get past the next (host hardening, authentication, monitoring), so no single failure gives direct access to the system and its data.

Security Policies
Security policies are the core of every security infrastructure because they define the rules and requirements that the system has to meet in order to protect the organization’s information systems. A security policy is a document that defines what is required and what needs to be done so that information assurance is achieved and maintained. All policies should be properly documented and should cover the security of all departments in the organization. Security policies should cover the following:

Encryption
Access control
Authentication
Firewalls
Antivirus
Web sites
Gateways
Routers and switches

Security policies can be technical or administrative. Technical policies define the system configuration, whereas administrative policies define the behavior of employees.

Physical security
Physical security is the first protection layer and refers to the protection of all assets of an organization from all sorts of threats and attacks. Physical security helps in:

Preventing unauthorized access to the system
Preventing any kind of data manipulation and theft
Protecting the system against malicious activities such as espionage, damage, and theft
Protecting employees and preventing social engineering attacks

Physical security threats fall into two main categories:

Natural or environmental threats
o Flood
o Fire
o Earthquake
o Dust

Man-made threats
o Terrorism
o Wars
o Explosions
o Dumpster diving and theft
o Vandalism

There are several types of physical security controls, organized by the way they function:

Preventive controls
Preventive controls enforce access control mechanisms and prevent violations of the system’s security. They may be physical, technical, or administrative.
o Physical controls include doors, fire extinguishers, flood protection, etc.
o Technical controls include firewalls, authentication systems, etc.
o Administrative controls include security policies.

Detective controls
Detective controls detect security violations and intrusion attempts. Examples are alarm systems, sensors, video surveillance, and motion detectors.

Deterrent controls
Deterrent controls are used to warn intruders to stay away from the system, for example warning signs or visible cameras.

Recovery controls
Recovery controls are used after a violation has happened and the system needs to be restored to its normal state. They include backup systems and disaster recovery plans.

Compensating controls
Compensating controls are alternative controls put in place when a primary control cannot be implemented, for example because of cost or technical constraints. They do not prevent the attack that the primary control would have prevented, but they reduce the resulting risk to an acceptable level.

Physical security controls define several measures that help in protecting the system:

Secure the premises and company surroundings
Secure the reception area
Lock servers and workstations when not in use
Lock devices such as modems, removable media, and fax machines when not in use
Implement access control
Regularly maintain computer equipment
Prevent wiretapping
Monitor the environment by checking the humidity and temperature

Risk
Risk, by definition, refers to the probability or threat of damage or loss. Risk can also be defined as the combination of the probability that an event happens and the consequence the event causes. Risk assessment is used to evaluate how likely an event is and what impact it would have on the network. In order for a risk to be evaluated, it is necessary to define the level of risk, that is, the probability of the event happening and its consequence. Based on the impact on the system, the risk level can be:

Extreme/high
Medium
Low

When performing risk analysis, one of the most widely used methods for categorizing risks is the risk matrix. The risk matrix plots the probability of a risk occurring against its impact on the system, so that each risk lands in a cell whose level (low, medium, high/extreme) follows from the two ratings. Drawing the matrix makes it possible to visualize the possible risks, compare them, and see how their occurrence would affect the system.

Risk management refers to the process of identifying, assessing, and acting on potential risks. It is an ongoing process designed to reduce the risk level and keep it at an acceptable level. Some of the objectives of risk management are:

Identify potential risks
Identify the impacts of those risks
Help the organization in creating a risk management strategy and plan
Assign priorities to risks
Analyze the risks
Control the risks
Develop strategies and plans for long lasting risks

Risk management has four phases:

Identification
In this phase, possible risks, their sources, causes, and consequences are identified.

Assessment
This phase determines the impact that the identified risks might have.

Treatment
In this phase, a risk treatment plan is created. The goal is to identify the risk priorities and order them so that the risks can be treated and monitored.

Tracking and review
Risk tracking ensures that the right actions were taken to manage the identified risks. Risk review refers to the evaluation of the implemented actions and strategies.

Threat Modeling
Threat modeling is an assessment approach in which the security of an application is analyzed. It helps in identifying the threats that are relevant to the application, discovering application vulnerabilities, and improving its security. The threat modeling process consists of five steps:

1. Identify security objectives
Security objectives are the objectives related to the integrity, confidentiality, and availability of the application. Identifying them helps in determining how much effort should be put into the threat model.

2. Application overview
In this step, the components, data flows, and trust boundaries are identified. The administrator begins by creating a structural overview of the application. Then, they should identify the roles that exist in the application and what each role can or cannot do. Next, they should identify the application’s usage scenarios, the features and technologies the application uses, and finally the application’s security mechanisms.

3. Decompose application
In this step, the administrator should identify the entry and exit points of the application, its data flows, and its trust boundaries.

4. Identify threats
In this step, based on the information gathered in the previous steps, the administrator should be able to identify potential threats.

5. Identify vulnerabilities
Based on the identified threats, the administrator should identify the vulnerabilities related to those threats and thus prevent possible security breaches.

Incident Management
Incident management refers to the process of identifying, analyzing, prioritizing, and resolving security incidents. The goal is not only to restore the system to normal, but also to prevent potential risks and threats by triggering alerts. The security administrator should be aware of and able to identify vulnerabilities in the system and act accordingly. The purpose of incident management is to reduce the overall impact of incidents on the organization and to resolve issues proactively. In addition, the incident management process helps increase the efficiency and productivity of the organization’s staff, improve user satisfaction, and handle future incidents. Incident management consists of:

Vulnerability handling
Artifact handling
Security awareness training
Intrusion detection
Public or technology monitoring

The figure above illustrates how incident response, handling, and management are related: incident response is performed as part of incident handling, and incident handling is a service that is part of incident management.
The incident management process refers to the process of logging, recording, and resolving incidents that occur in an organization. The goal is to act promptly when an incident occurs and restore the system to its normal state. The steps of the incident management process are:

1. Preparation for incident handling and response
2. Detection and analysis
3. Categorization and prioritization
4. Reporting
5. Containment
6. Forensic investigation
7. Recovery
8. Post-incident activities

Preparation for incident handling and response
This step involves familiarizing employees with the guidelines and plan of action to be followed, establishing policies, and training people to take effective action.

Detection and analysis
In this step, incidents and their signatures are identified, analyzed, recorded, and prioritized.

Categorization and prioritization
In this step, each incident that has occurred is classified and prioritized so that the situation is handled promptly and efficiently. The priority depends on the severity of the incident and can be low, medium, or high.

Reporting
Upon identification and classification of the incident, the individuals in charge of handling such situations are notified. In addition, anyone involved in solving the problem is notified and regularly updated on the development of the situation.

Containment
In this step, the objective is to prevent the ongoing incident from causing additional damage. It is important to protect all critical and essential computer resources and to check the affected systems regularly to determine their operational status.

Forensic investigation
In this step, an investigation is performed to determine the root cause of the incident, that is, to understand what really happened on the system. Evidence should be collected and preserved in a way that does not alter it, so that the findings hold up if the incident leads to legal action.

Recovery
In this step, the system is restored to its original state. It is important to perform the cleanup and to notify the people working with the incident response team about the recovery steps taken.

Post-incident activities
In this step, the final review of the incident is conducted. Review questions are sent to end users to gather as much information as possible about how the incident was handled. A post-incident report is generated upon completion of the review.

The incident response team is in charge of handling incidents and reducing the chance that they happen again. Its responsibilities are listed below:

1. Manage security issues and respond to security incidents
2. Create a plan to be followed in case of an incident
3. Manage the response and make sure the plan is being followed
4. Identify the cause and impact of the incident
5. Provide a point of contact for incident reports
6. Stay up-to-date with regulations and requirements
7. Take steps to prevent future incidents
8. Establish relationships with the individuals and agencies that play a role in the organization’s security

Security Information and Event Management (SIEM)
A security information and event management system is responsible for identifying, monitoring, recording, inspecting, and analyzing security events, performing threat detection and incident response activities, and tracking suspicious activity in real time. SIEM is a combination of Security Information Management (which deals with long-term storage, data analysis, and reporting) and Security Event Management (which deals with real-time monitoring, notifications, and console views). The objective of SIEM is to protect the organization and its assets from threats and attacks. The figure shows the functions performed by the SIEM.

SIEM performs normalization and aggregation of event and contextual data gathered from different sources. Security incidents are detected by applying correlation rules to the normalized data.

User Behavior Analytics
User behavior analytics (UBA) refers to the process of monitoring user behavior in an attempt to discover potential threats and attacks. UBA is designed to perform advanced threat detection in an organization by building a baseline of normal employee behavior and flagging deviations from it that could indicate a threat to the organization. UBA is effective because:

It can identify malicious insiders before they cause damage
It identifies potential risks
It analyzes user data and patterns of human behavior
It monitors login attempts based on location
It monitors access to privileged accounts
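To make the SIEM pipeline described above (normalization, aggregation, correlation rules) and the UBA idea of comparing behavior against a baseline concrete, here is an added example in Python that is not part of the original course material. It parses constructed log lines in two formats (OpenSSH-style syslog and a made-up web application login record) into one schema, then applies a classic correlation rule (several failed logins followed by a success from the same address within a short window) and a UBA-style rule (a successful login from a country the user has never logged in from). The IP-to-country table and the per-user baselines are constructed for the example; a real deployment would take them from a geolocation feed and from historical data.

```python
"""Added example (not from the original course): a toy SIEM pipeline that
normalises events from two log formats, aggregates them per source address,
and applies one SIEM correlation rule and one UBA-style behaviour rule.
All log lines, the IP-to-country table and the user baselines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: OpenSSH-style syslog lines plus one web-app login record.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01Z srv1 sshd[101]: Failed password for alice from 203.0.113.7 port 5001 ssh2",
    "2024-03-01T09:00:04Z srv1 sshd[101]: Failed password for alice from 203.0.113.7 port 5002 ssh2",
    "2024-03-01T09:00:09Z srv1 sshd[101]: Failed password for alice from 203.0.113.7 port 5003 ssh2",
    "2024-03-01T09:00:15Z srv1 sshd[101]: Accepted password for alice from 203.0.113.7 port 5004 ssh2",
    "2024-03-01T09:30:00Z srv1 sshd[102]: Failed password for bob from 198.51.100.9 port 6001 ssh2",
    "2024-03-01T09:31:00Z srv1 sshd[102]: Accepted publickey for bob from 198.51.100.9 port 6002 ssh2",
    '2024-03-01T10:05:00Z webapp login user="carol" src="192.0.2.44" result="success"',
]

SSHD_RE = re.compile(r"^(\S+) \S+ sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")
WEB_RE = re.compile(r'^(\S+) webapp login user="([^"]+)" src="([^"]+)" result="(\w+)"')


def _ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def normalize(line):
    """Normalization: map a raw line onto the common schema
    {ts, source, user, src_ip, outcome}; return None for unsupported lines."""
    m = SSHD_RE.match(line)
    if m:
        ts, verdict, user, ip = m.groups()
        return {"ts": _ts(ts), "source": "sshd", "user": user, "src_ip": ip,
                "outcome": "success" if verdict == "Accepted" else "failure"}
    m = WEB_RE.match(line)
    if m:
        ts, user, ip, result = m.groups()
        return {"ts": _ts(ts), "source": "webapp", "user": user, "src_ip": ip, "outcome": result}
    return None


def rule_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """SIEM correlation: at least `threshold` failures from one source address
    followed by a success from that address within `window`."""
    by_ip = defaultdict(list)                      # aggregation by source address
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["outcome"] != "success":
                continue
            recent = [f for f in evs[:i] if f["outcome"] == "failure" and e["ts"] - f["ts"] <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "src_ip": ip, "user": e["user"], "ts": e["ts"]})
    return alerts


# Constructed geolocation data and per-user baselines (a real UBA learns these from history).
IP_COUNTRY = {"203.0.113.7": "RO", "198.51.100.9": "US", "192.0.2.44": "US"}
USER_BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "DE"}}


def rule_new_location(events):
    """UBA-style rule: a successful login from a country outside the user's baseline."""
    alerts = []
    for e in events:
        country = IP_COUNTRY.get(e["src_ip"], "??")
        if e["outcome"] == "success" and country not in USER_BASELINE.get(e["user"], set()):
            alerts.append({"rule": "login_new_country", "user": e["user"], "src_ip": e["src_ip"], "country": country})
    return alerts


def run_pipeline(lines):
    """Normalize every line, drop what we cannot parse, and run both rules."""
    events = [ev for ev in map(normalize, lines) if ev]
    return rule_bruteforce_success(events) + rule_new_location(events)


if __name__ == "__main__":
    for alert in run_pipeline(SAMPLE_LOGS):
        print(alert)
```

On the sample data only alice's login trips both rules: three failures and then a success from 203.0.113.7 within fifteen seconds, from a country she has never logged in from. Bob's single failure followed by a key-based login and Carol's login from a baseline country produce nothing, which is the point of correlating across events rather than alerting on every failed password.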

Network Security ControlsTo ensure the confidentiality, integrity, and availability of the network, it is necessary to use network security controls. Network security controls can be considered as a safeguard that minimizes security risks.

Network security controls include:

Access Control
Identification
Authentication
Authorization
Accounting
Cryptography
Security Policy

Access Control
Access control refers to the restrictions placed upon a system/network. These restrictions determine who has access to a resource and who does not. By placing these restrictions, the organization protects its information assets. Access control can be either physical or logical. Physical access control restricts access to physical locations and buildings, whereas logical access control restricts access to networks and information. When defining access control on a resource, the following terminology is used:

Subject - the user or process that accesses objects
Object - the resource upon which restrictions are placed
Reference Monitor - the component that implements the rules defining which operations a subject may perform on an object; it must mediate every access and be tamper-proof, otherwise the policy can be bypassed
Operation - the action performed by the subject on the object

Types of access control
There are three main types of access control:

Discretionary Access Control (DAC) - access to files is granted to users and groups based on the identity of the user and group membership. Users who own a file decide for themselves how to protect and share it, which is why the model is called discretionary. Traditional Unix file permissions are a DAC system.

Mandatory Access Control (MAC) - access decisions are made by a central policy based on security labels (the classification of the object and the clearance of the subject); users and owners cannot change who has access to files and resources.

Role Based Access Control (RBAC) - permissions are attached to roles rather than to individual users, and users receive all the privileges needed to perform their duties by being assigned the appropriate role.

Identity and access management
Access control involves identification, authentication, authorization, and accountability.

Identification is the act of a user or device claiming an identity when accessing the network, usually by presenting an identifier such as an ID or username. Identification alone proves nothing; that is the job of authentication.

Authentication is the verification that the claimed identity is genuine, for example by checking the password (or another factor, such as a token or biometric) presented together with the user ID/username.

Authorization is the process of granting access permissions to authenticated users.

Accounting is the process of tracking user activity on the network.
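The following added example (Python, written for this page and not from the original course) ties the access control terminology and the three models above to the identification, authentication, authorization and accounting steps. A toy reference monitor decides whether a subject may perform an operation on an object under DAC (owner-managed ACL), MAC (Bell-LaPadula labels, one common MAC policy: no read up, no write down), or RBAC (permissions attached to roles), records every decision for accounting, and authenticates users against salted PBKDF2 hashes rather than stored passwords. All users, passwords, labels, roles and objects are constructed.

```python
"""Added example (not from the original course): a toy reference monitor that
applies DAC, MAC (Bell-LaPadula) and RBAC to constructed subjects and objects,
with identification, authentication and accounting around it."""
import hashlib
import hmac
import os


# --- authentication: store salted PBKDF2 digests, never the password itself ---
def make_credential(password: str, iterations: int = 100_000) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_credential(cred: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), cred["salt"], cred["iterations"])
    return hmac.compare_digest(digest, cred["digest"])   # constant-time comparison


# --- constructed subjects, objects, labels and roles ---
LEVELS = {"public": 0, "internal": 1, "secret": 2}
USERS = {
    "alice": {"cred": make_credential("alice-pw"), "clearance": "secret",   "roles": {"analyst"}},
    "bob":   {"cred": make_credential("bob-pw"),   "clearance": "internal", "roles": {"operator"}},
}
OBJECTS = {
    "payroll.xlsx": {"owner": "alice", "acl": {"alice": {"read", "write"}},                   "label": "secret"},
    "runbook.md":   {"owner": "bob",   "acl": {"bob": {"read", "write"}, "alice": {"read"}}, "label": "internal"},
}
ROLE_PERMS = {"analyst": {"read"}, "operator": {"read", "write"}}


class ReferenceMonitor:
    """Mediates every (subject, operation, object) request under one model
    and records each decision, which is the accounting step."""

    def __init__(self, model: str):
        self.model = model
        self.audit = []

    def authenticate(self, username: str, password: str):
        user = USERS.get(username)              # identification: the claimed name
        ok = user is not None and verify_credential(user["cred"], password)
        self.audit.append(("auth", username, ok))
        return username if ok else None          # the authenticated subject, or None

    def check(self, subject: str, operation: str, obj_name: str) -> bool:
        user, obj = USERS[subject], OBJECTS[obj_name]
        if self.model == "DAC":                  # owner-managed ACL decides
            allowed = operation in obj["acl"].get(subject, set())
        elif self.model == "MAC":                # Bell-LaPadula: no read up, no write down
            s, o = LEVELS[user["clearance"]], LEVELS[obj["label"]]
            allowed = (operation == "read" and s >= o) or (operation == "write" and s <= o)
        elif self.model == "RBAC":               # privileges come from roles, not identity
            allowed = any(operation in ROLE_PERMS[r] for r in user["roles"])
        else:
            raise ValueError(self.model)
        self.audit.append((self.model, subject, operation, obj_name, allowed))
        return allowed


def dac_share(owner: str, obj_name: str, grantee: str, ops) -> bool:
    """DAC: only the owner may change an object's ACL; anyone else is refused."""
    obj = OBJECTS[obj_name]
    if obj["owner"] != owner:
        return False
    obj["acl"].setdefault(grantee, set()).update(ops)
    return True


if __name__ == "__main__":
    rm = ReferenceMonitor("MAC")
    who = rm.authenticate("bob", "bob-pw")
    print(who, "read payroll.xlsx ->", rm.check(who, "read", "payroll.xlsx"))   # False: no read up
    print(rm.audit)
```

Note what differs between the models on the same request: under DAC Bob cannot read payroll.xlsx until Alice, as owner, grants it; under MAC he can never read it while his clearance is below the label, but he may write to it (writing up is allowed by the Bell-LaPadula *-property, which protects confidentiality, not integrity); under RBAC the decision depends only on whether one of his roles carries the permission.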

Identity Access Management
Identity and access management (IAM) is a framework which makes sure that the right users have access to the right resources at the right time. The framework includes the users, procedures, and software that manage users’ access to the organization’s resources. The two main modules in IAM are:

Access Management Module - the authentication and authorization components of IAM.

Identity Management Module - the management of users and the enterprise directory service components of IAM, such as monitoring, recording, and logging user activity on the network.

IAM services belong to one of four categories:

Authentication component - deals with authentication and session management. Services include session management, authentication, multi-factor authentication, password services, and similar services.

Authorization component - in charge of granting access to resources. Services include role-based, rule-based, and attribute-based authorization services.

User management component - provides administrative services, including user management, role management, password management, and similar services.

Enterprise directory services - include data synchronization, meta directory, virtual directory, and other services that manage user identity information.

Data Leakage, Backup, and Recovery

Data Leakage
Data leakage is the unauthorized transfer of sensitive information from the organization to the outside world. Causes of data leakage include emails, malicious links, device theft, etc. When data leaks, organizations face risks such as reputation damage, loss of customer loyalty, loss of revenue, and so on.

Threats
Data leakage threats are classified into insider and external threats. Insider threats are caused by the people who work in the organization. Usually, insiders are employees who are careless or dissatisfied, and as such pose a threat of unknowingly or knowingly sharing sensitive information with the outside world. Insiders use different techniques to leak data and gain unauthorized access, including eavesdropping, shoulder surfing, dumpster diving, etc. External threats are attackers who are continuously looking for vulnerabilities and ways to gain access to the system/network. Such threats include malware, phishing, corporate espionage, and so on.

Data Loss Prevention
Data loss prevention (DLP) is the process of identifying and monitoring important information that is not to be shared outside the organization. DLP combines different techniques of data access control. The goal is to protect sensitive data and provide secure data transmission.

Data Backup
Data backup is the process of creating and storing a copy of important data that can be used if an incident occurs and the original data is lost. Data backup serves two main purposes: restoring the system to its normal state and recovering data in case of data loss or corruption. A data backup strategy consists of several steps that should be followed:

Identify important data
The organization should identify what data to back up.

Choose the appropriate backup media
When selecting backup media, it is important to take into account the type and amount of data in the backup.

Choose the appropriate backup technology
The backup technology should be able to restore and recover the data and be available at all times.

Choose the appropriate RAID levels
RAID technology provides data availability and efficient recovery from disk failure. Note that RAID is not a substitute for backup: a deleted, corrupted, or encrypted file is mirrored to every disk in the array just as faithfully as a good one.

Choose the appropriate backup method
The backup method can be:
Hot backup - active backup method in which data is backed up continuously, even while the system is being accessed by users
Cold backup - offline backup method in which the backup is performed while the system is not being accessed by users
Warm backup - intermediate method in which the backup copy is kept reachable and updated periodically rather than continuously

Choose the appropriate location
The backup location can be:
Onsite backup - backup is stored within the organization
Offsite backup - backup is stored at a remote location
Cloud backup - online backup

Choose the backup type
Backup types can be:
Full backup - all selected files are copied, regardless of when they last changed
Incremental backup - only data that has changed since the last backup of any type (full or incremental) is copied; this keeps each backup small, but a restore needs the last full backup plus every incremental taken since
Differential backup - data that has changed since the last full backup is copied; each differential grows over time, but a restore needs only the last full backup plus the latest differential

Choose the appropriate backup solution
The efficiency and effectiveness of a backup depend on the chosen backup solution, so it is important to choose an appropriate one.

Perform a recovery test
Once the backup solution is chosen, it is good practice to test it by running a recovery drill. A backup that has never been restored is not known to work.

Data Recovery
Data recovery refers to the process of retrieving lost or corrupted data. This process depends on the way the data was lost and, in most cases, the lost data can be recovered.
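The three backup types differ in which files they copy and in what a restore later needs, and that is easier to see computed than described. The following added example (Python, not from the original course) takes a constructed set of files with modification times and two constructed backup histories (one incremental schedule, one differential schedule), lists what a full, incremental or differential backup would copy next, and works out the chain of backup sets a restore needs in each scheme. File names, times and backup names are assumptions for the example; a real tool would also track attribute changes and deletions rather than modification time alone.

```python
"""Added example (not from the original course): which files each backup type
copies and which backup sets a restore needs, computed from constructed data."""
from datetime import datetime

# Constructed: files with their last-modification times
FILES = {
    "db.sqlite":  datetime(2024, 3, 1, 2, 0),
    "config.yml": datetime(2024, 3, 3, 10, 0),
    "report.pdf": datetime(2024, 3, 6, 9, 30),
    "static.css": datetime(2024, 2, 20, 8, 0),
}

# Constructed backup histories: a Sunday full followed by nightly incrementals,
# and the same full followed by nightly differentials.
HISTORY_INCREMENTAL = [
    {"name": "full-0303", "kind": "full",        "time": datetime(2024, 3, 3, 1, 0)},
    {"name": "inc-0304",  "kind": "incremental", "time": datetime(2024, 3, 4, 1, 0)},
    {"name": "inc-0305",  "kind": "incremental", "time": datetime(2024, 3, 5, 1, 0)},
    {"name": "inc-0306",  "kind": "incremental", "time": datetime(2024, 3, 6, 1, 0)},
]
HISTORY_DIFFERENTIAL = [
    {"name": "full-0303", "kind": "full",         "time": datetime(2024, 3, 3, 1, 0)},
    {"name": "diff-0304", "kind": "differential", "time": datetime(2024, 3, 4, 1, 0)},
    {"name": "diff-0305", "kind": "differential", "time": datetime(2024, 3, 5, 1, 0)},
    {"name": "diff-0306", "kind": "differential", "time": datetime(2024, 3, 6, 1, 0)},
]


def select_files(kind, files, history):
    """Files a new backup of `kind` would copy, given the backups taken so far.
    full: everything; incremental: changed since the last backup of any kind;
    differential: changed since the last full backup."""
    if kind == "full":
        return sorted(files)
    if kind == "incremental":
        cutoff = max(b["time"] for b in history)
    elif kind == "differential":
        cutoff = max(b["time"] for b in history if b["kind"] == "full")
    else:
        raise ValueError(kind)
    return sorted(name for name, mtime in files.items() if mtime > cutoff)


def restore_chain(history, target):
    """Names of the backup sets needed to restore the state as of `target`:
    the latest full backup at or before target, then every incremental since it
    (incremental schedule) or only the newest differential since it."""
    hist = [b for b in history if b["time"] <= target]
    full_idx = max(i for i, b in enumerate(hist) if b["kind"] == "full")
    later = hist[full_idx + 1:]
    incrementals = [b for b in later if b["kind"] == "incremental"]
    differentials = [b for b in later if b["kind"] == "differential"]
    chain = [hist[full_idx]] + (incrementals if incrementals else differentials[-1:])
    return [b["name"] for b in chain]


def demo():
    """Run both schedules against the constructed data and return the results."""
    now = datetime(2024, 3, 6, 12, 0)            # time of the next backup / restore point
    return {
        "full": select_files("full", FILES, HISTORY_INCREMENTAL),
        "incremental": select_files("incremental", FILES, HISTORY_INCREMENTAL),
        "differential": select_files("differential", FILES, HISTORY_DIFFERENTIAL),
        "restore_incremental": restore_chain(HISTORY_INCREMENTAL, now),
        "restore_differential": restore_chain(HISTORY_DIFFERENTIAL, now),
        "restore_to_0305": restore_chain(HISTORY_INCREMENTAL, datetime(2024, 3, 5, 12, 0)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The output shows the trade-off stated above: the incremental copies only report.pdf while the differential copies config.yml as well, but restoring the incremental schedule needs the full backup plus all three incrementals, whereas the differential schedule needs the full backup plus the latest differential only. A single corrupt incremental breaks every restore point after it, which is one reason the recovery test step matters.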

Penetration Testing

About Penetration Testing
Penetration testing refers to the simulation of a security attack in which the objective is to discover vulnerabilities and evaluate the security of the system being tested. Penetration testing performs a detailed analysis of the organization’s information security in terms of weaknesses in design, technical flaws, and vulnerabilities. In addition to the weaknesses and vulnerabilities found, penetration testers document the way in which those vulnerabilities can be exploited. Activities that make up a good penetration test include:

Defining the penetration test parameters
Engaging skilled penetration testers
Signing and following a nondisclosure agreement
Selecting appropriate tests
Using and following a methodology
Documenting the results of the test
Creating a final report

The purpose of penetration testing is to:

Identify threats
Reduce security expenses
Provide a complete security assessment
Maintain industry standards and regulations
Follow best practices
Test security controls
Improve the current security infrastructure
Pay particular attention to severe vulnerabilities
Prepare steps for preventing exploitation
Test network security devices

When talking about performing an assessment of the security of an organization, it is important to differentiate the terms security audit, vulnerability assessment, and penetration testing.

Security Audit - only inspects whether an organization is following security standards and policies

Vulnerability Assessment - deals only with finding the vulnerabilities in the network, without exploiting them

Penetration Testing - encompasses both security audit and vulnerability assessment, and also demonstrates how attackers can exploit the identified vulnerabilities

To perform a security assessment, penetration testers often use either a blue teaming or a red teaming approach. The blue team is the defending team, and its role is to detect attackers and predict possible attacks. With this approach, the security professionals performing the assessment have full access to the organization’s resources and information, which allows them to analyze the security of the system. The red team is the adversary team, and its role is to find vulnerabilities in the system and check its security as real attackers would. Unlike the blue team, the red team does not have access to the system. Instead, its goal is to penetrate it and examine what real attackers could do.

Types of Penetration Testing
Penetration testing types depend on how much information is given to the testing team prior to testing. There are three test types:

Black box testing
Grey box testing
White box testing

Each of these tests can be performed in one of two ways:

Announced testing - the IT team of the organization whose security is being tested is fully aware that the penetration test is being conducted
Unannounced testing - the IT team is unaware that security is being tested

Black box testing
In this test, the penetration testers have very little information about the client’s infrastructure. Because of this, the penetration testers can simulate what real attackers would do to find vulnerabilities. Black box testing has two types:

Blind testing - the tester has little to no information about the target, while the target knows that the test is happening. This type of testing demonstrates what a real attacker would do to collect information about the target
Double blind testing - the tester knows nothing about the target, and the target does not know the test details


White box testing
Penetration testers are given complete information about the network so that they can perform a complete security audit. Information provided to the testers for white box testing includes the company’s infrastructure, network type, IP address details, firewall details, IDS details, and policies.

Grey box testing
This type of testing uses a combination of black box and white box testing and gives a full inspection of the system, simulating both outside and inside attacks.

Penetration Testing Phases
Penetration testing is performed in three phases:

- Pre-attack phase
- Attack phase
- Post-attack phase

Pre-Attack Phase
The pre-attack phase mainly includes activities such as preparation and planning, and information gathering. The objective is to gather as much information about the target as possible.

For the test to be conducted, there needs to be an agreement in which the company that is hiring the pen testers consents to them performing the test. This agreement is given in a Rules of Engagement (ROE) document. Rules of Engagement (ROE) refers to the formal agreement and permission to perform a penetration test. The ROE is a guideline for testers and as such should clearly state what is and isn’t allowed. The ROE specifies which IP addresses should be tested, hosts that are not to be tested, testing techniques that can be used, the time frame in which the test can take place, and similar information.

Once the ROE is in place, to be able to continue with the test, the pen testers need to ensure that they understand what the client requires from them. Understanding the client’s requirements is of great importance, as it ensures that the penetration test is thorough and the client is satisfied. It is considered good practice to create a checklist of the testing requirements to determine what the client wants to be tested.

The next step is to define the scope of the penetration test. The scope should be defined to ensure that requirements are fulfilled and objectives are met. To be able to define the scope, it is necessary to determine the objectives of the test. The objectives include determining the deliverables, functionality, data definition, and technical structure. The test should encompass the following areas:

- Network security, system software security
- Client-side application security
- Client-side to server-side communication security
- Server-side application security
- Document security
- Physical security
- Application communication security
- Dumpster diving
- Insiders
- Sabotage, intruder confusion
- Intrusion detection
- Intrusion response
- Social engineering
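The ROE described above, turned into an executable scope check (an added example, not part of the course material): it reports any proposed action whose target, technique or timing falls outside what the client agreed to. The class name, the documentation-range addresses, the technique names and the dates are assumptions chosen for illustration.

```python
"""Rules-of-Engagement (ROE) scope check, added as an illustration and not part
of the course material. It encodes the ROE fields the text lists (IP addresses
to test, hosts not to be tested, permitted techniques, time frame); all values
below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list           # networks the client authorized, as CIDR strings
    excluded_hosts: set      # hosts inside those networks that must not be touched
    allowed_techniques: set  # techniques the client permitted, e.g. "port scan"
    window_start: datetime   # the test may only run inside this time frame
    window_end: datetime

    def violations(self, target, technique, when):
        """Return the ROE rules a proposed action would break (empty = allowed)."""
        problems = []
        addr = ip_address(target)
        if not any(addr in ip_network(net) for net in self.in_scope):
            problems.append(f"{target} is not inside any in-scope network")
        if target in self.excluded_hosts:
            problems.append(f"{target} is explicitly excluded by the ROE")
        if technique not in self.allowed_techniques:
            problems.append(f"technique '{technique}' is not permitted")
        if not self.window_start <= when <= self.window_end:
            problems.append(f"{when:%Y-%m-%d %H:%M} is outside the agreed time frame")
        return problems


# Constructed sample ROE; 192.0.2.0/24 is a documentation range, not a real network.
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24"],
    excluded_hosts={"192.0.2.10"},
    allowed_techniques={"port scan", "web profiling"},
    window_start=datetime(2021, 1, 4, 22, 0),
    window_end=datetime(2021, 1, 5, 6, 0),
)


def roe_violations(target, technique, when_text, roe=SAMPLE_ROE):
    """Gate a proposed action against the ROE; when_text is 'YYYY-MM-DD HH:MM'."""
    return roe.violations(target, technique, datetime.strptime(when_text, "%Y-%m-%d %H:%M"))


if __name__ == "__main__":
    for action in [("192.0.2.25", "port scan", "2021-01-04 23:00"),
                   ("198.51.100.5", "DoS", "2021-01-05 12:00")]:
        print(action, roe_violations(*action) or "allowed")
```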

Once everything is agreed upon, a penetration testing contract, together with a nondisclosure agreement, should be signed. The contract should include all information and requirements that the penetration tester needs.

As stated before, the goal of the pre-attack phase is to gather as much information as possible. The collected information is used to map out the target’s network and plan the attack. The information being collected includes:

- Physical and logical locations
- Analog connections
- Contact information
- Information about other organizations

This information can be gathered using either passive or active reconnaissance. Passive reconnaissance involves gathering information without coming into direct contact with the target. Active reconnaissance is gathering information by interacting with the target. Techniques used in passive reconnaissance include news, job postings, WHOIS databases, document sifting, etc., while active reconnaissance requires network mapping, perimeter mapping, port scanning, web profiling, and so on.

Attack Phase
The attack phase is the phase in which the target gets compromised. During this phase, the tester uses the information gathered in the previous phase and tries to carry out an attack. The steps to take when performing an attack are as follows:

1. Penetrate perimeter
2. Acquire target
3. Escalate privileges
4. Execute, implant, retract

Perimeter penetration is an activity in which a pen tester uses social engineering to test out the boundaries and find a way into the system. The pen testing team will try to bypass the IDS and firewall, which includes the following techniques:

- ICMP probes
- Checking access control
- Evaluating protocol filtering rules
- Evaluating IDS

Another way of testing the perimeter is to catalog all the network devices together with their descriptions. By cross-checking them again later, it is possible to identify unauthorized devices. The inventory sheet should contain the following:

- ID of the device
- Description
- Hostname
- Physical location
- IP and MAC address
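The inventory cross-check described above, as an added example that is not part of the course material: it compares a later observation against the catalogued baseline by MAC address and flags devices that were never catalogued, catalogued devices that are no longer seen, and catalogued devices whose hostname or IP has changed. The column names and all records are constructed sample data.

```python
"""Network device inventory cross-check, added as an illustration and not part
of the course material. The baseline columns are the ones the text lists (ID,
description, hostname, physical location, IP and MAC address); both inventories
are constructed sample data using a documentation IP range."""
import csv
from io import StringIO

# Baseline recorded when the perimeter was catalogued (constructed)
AUTHORIZED_CSV = """id,description,hostname,location,ip,mac
1,core switch,sw-core-01,server room,192.0.2.1,00:1a:2b:3c:4d:01
2,file server,fs-01,server room,192.0.2.20,00:1a:2b:3c:4d:02
3,lobby printer,prn-lobby,lobby,192.0.2.30,00:1a:2b:3c:4d:03
"""

# Later observation of the same network segment (constructed)
OBSERVED_CSV = """hostname,ip,mac
sw-core-01,192.0.2.1,00:1A:2B:3C:4D:01
fs-01,192.0.2.21,00:1A:2B:3C:4D:02
unknown,192.0.2.77,DE:AD:BE:EF:00:01
"""


def load_inventory(csv_text):
    """Parse CSV text into rows keyed by normalised (upper-case) MAC address."""
    rows = csv.DictReader(StringIO(csv_text))
    return {row["mac"].strip().upper(): row for row in rows}


def cross_check(authorized_csv, observed_csv):
    """Compare a later observation against the baseline.

    Returns (unauthorized, missing, changed): MACs never catalogued, catalogued
    MACs no longer seen, and catalogued devices whose hostname or IP differs.
    MAC addresses can be spoofed, so a clean result narrows the list to
    investigate; it does not prove a device is legitimate."""
    base = load_inventory(authorized_csv)
    seen = load_inventory(observed_csv)
    unauthorized = sorted(set(seen) - set(base))
    missing = sorted(set(base) - set(seen))
    changed = []
    for mac in sorted(set(base) & set(seen)):
        for field in ("hostname", "ip"):
            if base[mac][field] != seen[mac][field]:
                changed.append((mac, field, base[mac][field], seen[mac][field]))
    return unauthorized, missing, changed


if __name__ == "__main__":
    for label, result in zip(("unauthorized", "missing", "changed"),
                             cross_check(AUTHORIZED_CSV, OBSERVED_CSV)):
        print(label, result)
```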

Target acquisition involves vulnerability scans to find vulnerabilities that can later be exploited. Some of the activities performed during target acquisition include:

- Active probing assaults - scanning the network and gathering more information
- Running vulnerability scans - completing vulnerability scans
- Trusted systems and process assessment - trying to access the resources on the system using the credentials obtained during the information gathering process

Once access to the system is obtained, privilege escalation is performed to gain elevated access. Some of the techniques used in this activity include password crackers, trojans, and social engineering.

The final activity performed during the attack phase involves compromising the system with code. By performing this activity, testers learn what they can and cannot do on the system. Some of the techniques used in this activity include performing DoS attacks, exploiting buffer overflows, using viruses and trojans, installing backdoors, and so on.

Post-Attack Phase
In this phase, the tester restores the system to its pretest state. The tester should also report where the security flaws are, as well as document all activities and results. Some of the activities performed in this phase include deleting files that were uploaded onto the system, removing created vulnerabilities and exploits, mapping the network state, and so on.

Security Testing Methodology

A security testing methodology is an approach that attempts to find vulnerabilities in the system’s security mechanisms. The goal is to enable the system administrators to protect data and information by applying appropriate security controls. The success of a penetration test is determined by the methodology used. There are two types of security testing methodologies:

- Proprietary methodologies
- Open source methodologies

Proprietary methodologies are usually devised by security companies that offer pen testing services and as such are kept confidential. Examples of proprietary methodologies include:

- IBM
- McAfee Foundstone
- EC-Council LPT

Open source methodologies are publicly available and can be used by anyone. Examples of open source methodologies include:

- OWASP (Open Web Application Security Project)
- OSSTMM (Open Source Security Testing Methodology Manual)
- ISSAF (Information Systems Security Assessment Framework)
- NIST (National Institute of Standards and Technology)

Laws, Standards, and Regulations
Following is a list of the different laws and standards that are relevant to information security:

- PCI DSS - Payment Card Industry Data Security Standard
- ISO/IEC 27001:2013
- HIPAA - Health Insurance Portability and Accountability Act
- Sarbanes Oxley Act
- DMCA - Digital Millennium Copyright Act
- FISMA - Federal Information Security Management Act

PCI DSS - Payment Card Industry Data Security Standard
The PCI DSS standard covers any organization that directly accepts credit or debit card payments and applies to all entities involved in the process of card payment.

ISO/IEC 27001:2013
This standard defines the requirements for the establishment, implementation, maintenance, and continuous improvement of the organization’s information security management system.


HIPAA - Health Insurance Portability and Accountability Act
HIPAA provides data privacy and protection of medical information. It specifies administrative, physical, and technical protections for all entities involved.

HIPAA’s rules include:

- Electronic Transaction and Code Sets Standards - every provider who performs electronic transactions needs to use the same health care transactions, codes, and identifiers.
- Privacy rule - protects a person’s health information and defines who has access to the information.
- Security rule - ensures the confidentiality, integrity, and security of health information.
- National identifier requirements - HIPAA uses three identifiers:
  o NPI - National Provider Identifier, a 10-digit number used for covered healthcare providers
  o NHI - National Health Plan, an identifier that is used for identifying health plans
  o Employer Identifier Standard, a number that identifies employers on standard transactions
- Enforcement rule - details provisions in regard to compliance, investigations, violations, and hearing procedures.

Sarbanes Oxley Act
The Sarbanes Oxley Act describes what records organizations must keep and for how long, thus increasing the accuracy and reliability of corporate disclosures and protecting investors and the public. The act contains 11 titles:

1. Public company accounting oversight board
2. Auditor independence
3. Corporate responsibility
4. Enhanced financial disclosures
5. Analyst conflicts of interest
6. Commission resources and authority
7. Studies and reports
8. Corporate and criminal fraud accountability
9. White-collar-crime penalty enhancement
10. Corporate tax returns
11. Corporate fraud accountability

DMCA - Digital Millennium Copyright Act
The DMCA is a copyright law in the United States of America which implements the WIPO (World Intellectual Property Organization) Copyright Treaty and the WIPO Performances and Phonograms Treaty. The act contains five titles:

1. WIPO Treaty Implementation
2. Online Copyright Infringement Liability Limitation
3. Computer maintenance or repair
4. Miscellaneous provisions
5. Protection of certain original designs


FISMA - Federal Information Security Management Act
FISMA protects government information, operations, and assets against various threats. The figure shows the standards included in the FISMA framework.
