Skip to content

1. General Concepts of Cybersecurity

Network Security 1 2 3 4

Key Concepts in Cyber Security 1

  • All stakeholders (government, industry, academia, and civil society) must work together to ensure that the benefits of cyberspace are accessible to citizens, and that major challenges are addressed.
  • OECD: Organization for Economic Co-operation and Development.
  • The 9 principles from the OECD guidelines for cyber security are:
Type of Element ID Principle Description
Policy, organizational 1 Awareness We must be aware of security needs and requirements
2 Responsibility All share responsibility to make cyberspace more secure
3 Response Response to incidents must be timed and all should cooperate
Technology 4 Risk assessment Regular risk assessments must be conducted
5 Security design When designing systems, security should be part of design and implementation
6 Security management Documented approach should exist to manage incidents
7 Reassessment Security policies and approaches should be reassessed and modified
Society 8 Ethics Legitimate interests of others should be respected
9 Democracy Security systems should be compatible with democratic society
  • Ontology: a formal naming and definition of the types, properties, and interrelationships of the entities that really or fundamentally exist for a particular domain of discourse.
  • CPS: Cyber-Physical Systems, a system that have computing components, communication capabilities, and physical subsystems; e.g. ATM, Cars, etc.
  • For CPS, the traditionally separated domains of safety, resilience, reliability, security, and privacy, are intertwined.
  • Depending on the type of CPS, the security requirements may vary. For example, when developing a risk models for nuclear power station management; where privacy is much less important than safety and reliability.
  • Stuxnet is a computer worm that was discovered in 2010 and was used to attack Iran’s nuclear program. It was the first discovered malware that spies on and subverts industrial systems, and the first to include a programmable logic controller (PLC) rootkit.
  • ICT: Information and Communication Technology.
  • ICT sector generates 6% of GDP and employs 20% of the workforce in OECD countries (2010).
  • Sources of High Level Concepts for the Ontology:
    1. Theoretical research.
    2. Cyber security strategies.
    3. Industry-led initiatives. E.g. Seoul Conference on Cyberspace 2013.
    4. Global digital infrastructure.
  • Gaps in cyber security:
    1. Scientific Foundations for Cyber Security: It is hard to develop a curriculum for Cyber-security as it requires understanding of computer science concepts, and other sciences such as epidemiology, economics, and clinical medicine.
    2. Standardisation Strategy, Process, and Policy: Sharing information about cyber security is important, but it is hard to do so as it may reveal vulnerabilities.
    3. Absence of a Common Vocabulary and Reasoning Framework.

Network Attacks and Network Security Threats 2

  • Endpoint Attacks: gaining unauthorized access to some users’ devices (laptops, servers, and other peripherals and endpoints).
  • Malware attacks: Infecting IT resources with malicious software.
  • Vulnerabilities, and Exploits: exploiting vulnerabilities in software and hardware.
  • Advanced Persistent Threats (APT): APTs are complex multi-layered threats that includes network attacks and other types of attacks usually conducted by a large organization or a nation-state.
  • Network attack: is an attempt to gain unauthorized access to an organization’s network, with the objective of stealing data or perform other malicious activity.
  • Categories of network attacks:
    • Passive: The attacker is just listening to the network traffic and does not make any changes.
    • Active: The attacker is making changes to the network traffic.

Common Types of Network Attacks

  1. Unauthorized Access: Attackers gain access to network without permission. causes: weak passwords, lack of protection against social engineering, and insider threats (compromised employees or accounts).
  2. Distributed Denial of service DDOS: Attackers overwhelm the network with traffic, causing it to crash. causes: Botnets, and IoT devices.
  3. Man in the Middle: Attackers intercept the communication between two parties within the network or between this network and other networks, and then they can listen, steal, or modify transmitted data.
  4. Code and SQL Injection: Malicious code is injected through user input.
  5. Privilege Escalation: Attackers gain access to more privileges than they are allowed to have. Horizontal: access adjacent systems on the same privilege level. Vertical: access higher privilege levels.
  6. Insider Threats: compromised employees or users. UEBA User and Entity Behavior Analytics can be used to analyze user behavior and detect anomalies.

Network Protection Best Practices

  • Segregate your network:
    • Split network into subnets or zones and each one has its own security policies.
  • Regulate access to the internet vis a proxy server:
    • Prevent users from accessing the internet directly.
    • All outside traffic must go through a proxy server that is monitored and controlled for each request.
  • Place security devices correctly:
    • Use firewalls at every junction between the subnets and not just at the network edges.
    • Use network hardware’s built-in security features (e.g. routers, switches, etc.).
    • Use load balancers and other anti-DDOS devices at the network edge.
  • Use Network Address Translation NAT:
    • NATs lets you translate internal IPs to public IPS, where multiple internal IPs can be translated to a single public IP.
    • Incoming traffic must go through the same NAT device to get the right machine (with the right internal IP).
    • The entire organization will have much less public IPs which makes it harder to identify a the right machine to attack.
    • Placing good security devices at the NAT device will protect all machines that uses this NAT device.
  • Monitor Network traffic:
    • All incoming, outgoing, and internal traffic must be monitored.
    • Usually a threat involves multiple machines, users, and subsystems, so minoring the state of the entire network is important to detect threats and act fast.
  • Use Deception Technology:
    • Be prepared for attacks by using decoys. E.g. fake servers, fake data, etc.
    • Direct the attackers into false places and keep them busy until you understand what they want and how to stop them.

Computer Security Threats 3

  • The common types of vulnerabilities are errors in the design or configuration of network infrastructure, protocols, communication media, operating systems, web-based applications and services, databases, etc.
  • Threat is a potential risk that exploits a vulnerability to infringe security and cause probable damage/disruption to the information/service stored/offered in/by computer systems or through communication links.
  • A threat happens when one or more CIA triad properties are compromised:
    • Confidentiality: preventing unauthorized access to information.
    • Integrity: preventing unauthorized modification of information.
    • Availability: information are always available to authorized users.
  • Threads can be Physical or non-physical:
    • Physical: theft, fire, flood, etc, that affects hardware and then affect CIA triad properties.
    • Non-physical: malware, phishing, etc.
  • The exploits when successful result in security attacks on computer systems. Hence, threat is a possible danger caused by system vulnerability, while attack is the attempt of unauthorized action or a harmful action.
Term Description
Threat Theoretical Concept. Potential Risk that exploits a vulnerability which leads to an attack.
Exploit Theoretical Concept. Finding and using a vulnerability to gain unauthorized access.
Vulnerability Property of a system. Weakness in a system that can be exploited.
Attack Action. Attempt to gain unauthorized access to a system.
  • Motivation and objectives of hackers
    • Fun.
    • Vulnerability testing: professional hackers are hired to test the security of a system and report vulnerabilities.
    • Theft: stealing user data.
    • Espionage: stealing sensitive data and selling it to competitors.
    • Spamming.
    • Control: taking control of a system to use it for other attacks.
    • Disruption: disrupting the normal operation of a system.
  • The attack scenario:
    1. Spoofing: pretending to be someone else, attackers hide their identity using IP spoofing, email spoofing, MAC cloning, etc.
    2. Reconnaissance: attackers gather as much information as possible about the target system and its vulnerabilities.
    3. Weaponization: attackers identify tools and techniques to exploit the vulnerabilities according to the gathered information.
    4. Implementation: attackers implement the attack. E.g. sending a phishing email, deploying the fake web pages, etc.
    5. Exploitation: the implemented weapon start sending sensitive information to the attacker, such as passwords, credit card numbers, etc.
    6. Installation: attackers install malware on the target system to gain more control or create a backdoor by creating an new admin account.
    7. Control: attackers enter the system and prepare for the next steps.
    8. Action: attackers perform the intended action, such as stealing data, disrupting the system, etc.

Computer Threats

  1. Spoofing: Hiding identity by pretending to be someone else.
  2. Information gathering attacks: Gathering information about the target system; this passive action and considered a pre-phase of an attack. Information like open ports, OS type and version, vulnerability scanning, sniffing, mapping, etc.
  3. Password attacks: Guessing or cracking passwords. Social engineering is used guess password. Dictionary attacks is the automated version of password guessing.
  4. Malware: An installed malicious software that acts against the interest of the computer user.
  5. Virus: An installed malicious software that replicates itself and infects other files or machines. Viruses change system settings, delete files, etc. Types: Executable viruses, boot sector viruses, email viruses, macro viruses, etc.
  6. Worms: Fragments of malicious software that replicate themselves and spread to other machines. Worms do not need a host file to spread (no installation, work on memory). Worms can be used to create botnets.
  7. Trojans: Legitimate software that contains malicious code. Trojans are installed by the user, and they can be used to create backdoors, steal data, etc. Trojans opens a port that is always listening for the attacker to connect.
  8. SpyWare and AdWare: Spyware is a software that collects information about the user and sends it to the attacker, they use key logging to send all keyboard strokes to the attacher. Adware is a software that displays ads on the user’s machine.
  9. ScareWare: A software that displays fake warnings to scare the user and make them install a malicious software.
  10. RootKit: It is a pool of software tools that are attached to legitimate software without the software owner’s knowledge. Rootkits are used to gain access to the system control panel to disable security features or key logging.
  11. Key Logger: A software that records key strokes and screenshots and save them into an encrypted file, then send it to the attacker at a specific time using email or FTP.
  12. Ransomware: A software that encrypts the user’s files and ask for a ransom to decrypt them.
  13. Rouge Security Software: A software that pretends to be a security software and tells the user that their machine is infected and they need to install the software to remove the infection. The software-to-install is the actual malware.
  14. BotNets: A collection of compromised systems or bots acts as a team of infected computers under the control of a bot master to remotely control and send synchronized attacks on a victim host. This army of bots, agents, and bot master constitute a botnet.
  15. DOS attacks: Denial legitimate use of accessing the system services by overwhelming bandwidth, CPU, or memory of the target.
  16. DDOS attacks: Distributed DOS attacks, where multiple machines are used to attack the target. Theses machines are called zombies or bots and may be compromised themselves by the attacker.
  17. IOT based arracks: IOT smart devices are known for weak security as patches take a long time to be released. IOT devices can be attacked to create botnets or install malware that spread over the network.
  18. Session hijacking: Common in networks that uses TCP with a sequence number predictions. The attacker takes control of ongoing sessiion between two hosts by guessing the sequence number of the next packet.
  19. Blended attacks: A combination of multiple attacks to achieve a specific goal. E.g. a virus that spreads through email and then install a trojan that creates a backdoor.
  20. Website attacks: Attacking a website from the browser requests. E.g. SQL injection.
  21. Mobile phone and VOIP threats: Malware target mobile phones, VoIP systems, and the IP PBXs as these devices have plentiful published vulnerabilities.
  22. WiFi eavesdropping: Silently listening on an unencrypted Wi-Fi network to capture and view data packets and sensitive information.
  23. WPA2 handshake vulnerability: A vulnerability in the WPA2 protocol that allows attackers to decrypt the traffic between the client and the access point.
  24. Insider attacks: Attacks from within the organization. E.g. disgruntled employees, or employees who are bribed by competitors.
  25. Supply chain attacks: Attacking the weakest link in the supply chain to gain access and follow the chain to the target. E.g. attacking a supplier to gain access to the target’s network.
  26. Buffer overflow attacks: Buffer overflows are used to exploit programming glitches that do not take care of the buffer size. If a buffer is jam-packed beyond its size, the data overflows into the contiguous memory. This flaw gets smartly used by hackers to change the execution of the program.
  27. User to root attack: It is a privilege escalation attack, where the attacker gains access to a user account and then escalate their privileges to root user.
  28. Man in the middle attack: The attacker intercepts the communication between two parties and then can listen, steal, or modify transmitted data.
  29. Pharming: A DNS poisoning attack that redirects the user to a fake website that looks like the original one. Pharming is done by changing the DNS records of the target website. Although the user enters the legitimate URL, they will be redirected to the fake website.
  30. Spam: Sending unsolicited emails to a large number of users. Spam is used to spread malware, phishing, etc.

Network Security Tools 4

  • TCP/IP is the most widely used protocol suite for communication over the internet, it was developed in 1980s and suffers from many security vulnerabilities:
    • HTTP transfers data in plain text => data sniffing.
    • Weak authentication between client and server during TCP handshake (session initiation) => session hijacking.
    • 3-way handshake is vulnerable to SYN flooding where attacker half-open many connections and then do not complete the handshake => DOS attack.
    • IP packets do not have any security features => IP spoofing.
  • If one layer in TCP/IP is hacked, all layers are compromised since they are not aware of each other => each layer must have its own security mechanism.
  • Mechanisms to achieve security on the network:
    • Encryption/decryption using secret keys.
    • Digital signatures.
    • Access control.
  • Some protocols in Internet applications:
    • S/MIME: Secure/Multipurpose Internet Mail Extensions. Works at the application layer.
    • SSL: Secure Sockets Layer. Works at the transport layer.
    • IPSec: Internet Protocol Security. Works at the network layer.
  • Email Security:
    • Confidentiality: Only the sender and the receiver can read the message.
    • Authentication: The identity of the sender and the receiver is verified.
    • Integrity: The message is not modified during transmission.
    • Non-repudiation: The sender cannot deny sending the message.
    • Proof of Submission: The sender gets a confirmation that the message is submitted to the server (before delivery).
    • Proof of Delivery: The sender gets a confirmation that the message is delivered.
  • Nmap is a tool used in cybersecurity for intelligence gathering about targets. It can be used to scan a single machine, a range of machines, or an entire network. It can be used to scan for open ports, OS type and version, etc. See https://nmap.org/

Security Protocols 5 6 7

SSL 5

  • SSL: Secure Sockets Layer.
  • TLS: Transport Layer Security.
  • CA: Certificate Authority, a trusted third party that issues digital SSL certificates.
  • In 1999, TLS 1.0 was released and SSL 3.0 was deprecated. But the term SSL is still used to refer to TLS.
  • SSL provides a secure channel between two machines or devices operating over the internet or an internal network.
  • SSL functions:
    • Encryption: Encrypting data to prevent eavesdropping.
    • Authentication: Verifying the identity of the server and the client.
    • Integrity: Ensuring that the data is not modified during transmission.

HTTP vs HTTPS 6

  • HTTP is layer 7 (Application layer) protocol, while HTTPS is a combination of HTTP and SSL/TLS (Transport layer).
  • HTTP:
    • Layer 7 protocol (Application layer) that uses TCP as the transport layer protocol.
    • Sends data in plain text, thus, insecure.
    • It is lightweight and fast.
    • Listening port is 80.
  • HTTPS:
    • HTTP (layer 7) + SSL/TLS (layer 4: transportation).
    • Data is encrypted/decrypted using SSL/TLS before sending/receiving.
    • Key exchange using asymmetric or symmetric encryption.
    • Listening port is 443.
    • Slower and heavier than HTTP.
  • Encryption: Symmetric vs Asymmetric
    • Symmetric: Same key is used for encryption and decryption.
    • Asymmetric: Different keys are used for encryption and decryption.
  • ASymmetric encryption:
    • Public and private keys are used.
    • Private key never leaves the server and never shared (even with the client).
    • Encryption: Public key is used to encrypt data.
    • Decryption: Private key is used to decrypt data.
    • Size: Public key is usually 2048 bits, while private key is 256 bits.
    • Safer and harder to crack.
  • Symmetric encryption:
    • Same key is used for encryption and decryption.
    • Key is shared between the client and the server.
    • Size: 128 or 256 bits.
    • Faster than asymmetric encryption.

HTTPS communication steps

  1. Server sends its asymmetric public key to the client.
  2. Browser generates and send a symmetric session key to the server: This key itself is encrypted using the server’s public key from step 1.
  3. Server decrypts the session key using its private key.
  4. From now on, the client and the server will use the session key to encrypt and decrypt data.

How does HTTPS work? 7

  • Two concepts that we need to trust:
    • Public key cryptography: Any message that has been encrypted using a public key can only be decrypted using the corresponding private key. So even if the encrypted message is publicly available, only the owner of the private key can decrypt it.
    • Digital signature: Anyone with the public key can verify that a decrypted message has been signed by the owner of the corresponding private key, without needing the private key itself or decrypting the message.

HTTPs Steps:

  1. Browser (client) sends a request to the server (DNS resolves the domain name to an IP address and foreword the request).
  2. Server responds with a Certificate containing a the server public key which was signed by a trusted CA.
  3. The browser validates the certificate actually signed by the claimed CA using the CA’s public key that the browser already has.
  4. The browser generates a session key and encrypts it using the server’s public key from step 2.
  5. The session key is sent to the server and the server decrypts it using its private key.
  6. From now on, the client and the server will use the session key to encrypt and decrypt data.

C.I.A. Triad 8 9 10

  • Confidentiality is a set of rules that limits access to information. Similar to privacy.
  • Integrity is the assurance that the information is trustworthy and accurate. Data should not be modified by unauthorized people even in case of confidentiality breach.
  • Availability is a guarantee of reliable access to the information by authorized people.
  • Methods used to ensure Confidentiality:
    • Asking for PIN number between routes or page transitions.
    • Data encryption.
    • User IDs and passwords.
    • Two-factor authentication.
    • Biometric authentication.
    • Security tokens.
    • For sensitive documents: Storing only on a disconnected device or hard-copy only (air-gapped device).
  • Methods used to ensure Integrity:
    • File permissions and user access controls: Only authorized users can modify files.
    • Version control: Track changes to files, this can track and correct errors.
    • Checksums.
    • Backups: must always be available to restore data in case of corruption, or unauthorized modification.
    • Digital signatures.
  • Methods to ensure Availability:
    • Regular maintenance to the hardware.
    • Regular maintenance and upgrade for the software (including the operating system and the applications).
    • Enough bandwidth to handle the traffic.
    • Redundancy: having multiple servers to handle the traffic in case of failure.
    • Failover: having a backup server that takes over in case of failure.
    • RAID: Redundant Array of Independent Disks, a storage technology that combines multiple disk drives into a single logical unit.
    • Disaster recovery plan.
  • Challenges to CIA triad:
    • Big data: scaling up the security to handle big data.
    • Multiple places of storage and data sources.
    • High costs for backup, redundancy, and disaster recovery.
    • IOT security.

References

  1. Vishik, C., Matsurbara, M., & Plonk, A. (2016). Key concepts in cyber security: Towards a common policy and technology context for cyber security norms. In A. Osula & H. Roigas (Eds), International cyber norms: Legal, policy & industry perspectives (pp 241-242). NATO. https://www.ccdcoe.org/uploads/2018/10/InternationalCyberNorms_Ch11.pdf 

  2. Network attacks and network security threats. (2021, December 14). Cynet. https://www.cynet.com/network-attacks/network-attacks-and-network-security-threats/ 

  3. Thomas, C., Fraga-Lamas, P., & Fernandez-Carames, T. M. (2020). Introductory chapter: computer security threats. Intechopen.com. https://www.intechopen.com/chapters/72730 

  4. Edureka!. (2018, August 19). Network security tutorial | introduction to network security | network security tools | edureka [Video]. YouTube. https://www.youtube.com/watch?v=6Jubl1UnJTE 

  5. What is SSL? (n.d.). Global sign by GMO. https://www.globalsign.com/en-in/ssl-information-center/what-is-ssl 

  6. IT k Funde. (2021, April 28). http vs https | how SSL (TLS) encryption works in networking ? (2021) [Video]. YouTube. https://www.youtube.com/watch?v=eWdPWSBKxso 

  7. Kubucation. (2018, April 2). How does https work? What’s a ca? What’s a self-signed certificate? [Video]. YouTube. https://www.youtube.com/watch?v=T4Df5_cojAs 

  8. Chai, W. (2021, January). Confidentiality, integrity and availability (CIA triad). TechTarget. https://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA 

  9. Barker, K. (2015, October 4). The “C.I.A.” security concepts [Video]. YouTube. https://www.youtube.com/watch?v=432IHWNMqJE 

  10. Project Ares (2018, September 19). 3 steps to protect your reputation online [Video]. YouTube. https://www.youtube.com/watch?v=rwigKjEsdTc