Cybersecurity A Practical Engineering Approach
Pascal Hitzler, Markus Krötzsch, and Sebastian Rudolph, Foundations of Semantic Web Technologies
Henrik Bærbak Christensen, Flexible, Reliable Software: Using Patterns and Agile Development
John S. Conery, Explorations in Computing: An Introduction to Computer Science
Lisa C. Kaczmarczyk, Computers and Society: Computing for Good
Mark Johnson, A Concise Introduction to Programming in Python
Paul Anderson, Web 2.0 and Beyond: Principles and Technologies
Henry Walker, The Tao of Computing, Second Edition
Ted Herman, A Functional Start to Computing with Python
Mark Johnson, A Concise Introduction to Data Structures Using Java
David D. Riley and Kenny A. Hunt, Computational Thinking for the Modern Problem Solver
Bill Manaris and Andrew R. Brown, Making Music with Computers: Creative Programming in Python
John S. Conery, Explorations in Computing: An Introduction to Computer Science and Python Programming
Jessen Havill, Discovering Computer Science: Interdisciplinary Problems, Principles, and Python Programming
Efrem G. Mallach, Information Systems: What Every Business Student Needs to Know
Iztok Fajfar, Start Programming Using HTML, CSS, and JavaScript
Mark C. Lewis and Lisa L. Lacher, Introduction to Programming and Problem-Solving Using Scala, Second Edition
Aharon Yadin, Computer Systems Architecture
Mark C. Lewis and Lisa L. Lacher, Object-Orientation, Abstraction, and Data Structures Using Scala, Second Edition
Henry M. Walker, Teaching Computing: A Practitioner’s Perspective
Efrem G. Mallach, Information Systems: What Every Business Student Needs to Know, Second Edition
Jessen Havill, Discovering Computer Science: Interdisciplinary Problems, Principles, and Python Programming, Second Edition
Henrique M. D. Santos, Cybersecurity: A Practical Engineering Approach
Henrique M. D. Santos
First edition published 2022
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742
Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot
assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers
have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright
holders if permission to publish in this form has not been obtained. If any copyright material has not been
acknowledged please write and let us know so we may rectify in any future reprint.
Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or
utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including
photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission
from the publishers.
For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the
Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are
not available on CCC please contact [email protected]
Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for
identification and explanation without intent to infringe.
DOI: 10.1201/9780429286742
Publisher’s note: This book has been prepared from camera-ready copy provided by the authors.
List of Tables xv
Foreword xvii
Preface xix
Contributors xxv
1.1 SUMMARY 1
1.2 INTRODUCTION 2
1.3 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 5
1.4 INFORMATION SECURITY MODEL BASED ON ISO/IEC 27001 6
1.4.1 Main Information Security Properties 8
1.4.2 Resource or Asset 9
1.4.3 Security Events and Incidents 9
1.4.4 Threats 10
1.4.5 Attack 10
1.4.6 Vulnerability 11
1.4.7 Security Controls 13
1.4.8 Cybersecurity Risk 13
1.4.9 InfoSec Model Implementation 14
1.5 RISK ASSESSMENT BASIS 15
1.5.1 Risk Analysis 16
1.5.2 Risk Evaluation 17
1.6 SECURITY CONTROLS 18
1.7 EXERCISES 22
1.8 INFORMATION SECURITY EVALUATION 25
1.8.1 Security Metrics and Measurements 26
2.1 SUMMARY 45
2.2 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 46
2.3 ACCESS CONTROL FUNDAMENTALS 47
2.3.1 Basic Components 48
2.4 ACCESS CONTROL MODELS 53
2.4.1 Specification Languages 55
2.4.2 Bell-Lapadula Model 56
2.4.3 Biba Model 57
2.4.4 Clark-Wilson Model 58
2.4.5 Chinese Wall Model 59
2.4.6 Lattices for Multilevel Models 60
2.5 NETWORK ACCESS CONTROL 62
2.5.1 RADIUS 63
2.5.2 TACACS+ 64
2.5.3 802.1X Authentication 65
2.5.4 Kerberos 66
2.6 EXERCISES 67
2.7 AUTHENTICATION MODALITIES 69
2.7.1 Knowledge-Based 70
2.7.2 Token-Based 73
2.7.3 ID-Based (Biometrics) 74
2.7.4 Multimodal Authentication 78
2.8 IDENTITY MANAGEMENT 79
2.8.1 A Framework for IdM in Cyberspace 79
3.1 SUMMARY 87
3.2 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 88
3.3 CONCEPTS AND TERMINOLOGY 89
3.3.1 Key-Based Algorithms 90
3.3.1.1 Symmetric Key Algorithms 90
3.3.1.2 Public-Key Algorithms 93
3.3.1.3 Attack Types 97
3.3.2 Hash Functions 98
3.3.3 Digital Signatures 99
3.3.4 Key Management Issues 101
3.3.5 Email Security Protocols 106
3.3.6 Public-Key Infrastructures (PKI) 107
3.4 PKI TOOLS 109
3.5 EXERCISES 110
3.5.1 Basic Tasks 111
3.5.2 Advanced Tasks 125
Bibliography 295
Index 311
List of Figures
Foreword
students should benefit from the experience derived from this work, which is practical,
meaningful, and readable.
The accelerated speed with which digital information occurs triggers a dire need
for cybersecurity. The world should prepare to confront such expansion by ensuring
proper security tools are in place. While all humans must remain vigilant, many
strategies and processes develop at colleges and universities. Students and teachers
must be able to create and design methods to protect the integrity of digital systems.
The work by Professor Santos provides them with a valuable vehicle to understand
and address the digital threats that confront humanity. The work uses real situations
and organizations to provide practical approaches to solving security problems for
the world’s digital infrastructure.
Cybersecurity threats will not disappear and should be prevalent to all for many
decades to come. What is important today may not be necessary for the future;
likewise, what is not essential today could be important for tomorrow. Students and
computing professionals pragmatically need knowledge and preparation. Therefore,
students should learn much from experiencing Professor Santos’ work because it
emphasizes realistic strategies and approaches toward solving cybersecurity problems
and risks. The book of Professor Santos represents a crucial step in protecting the
digital threats of tomorrow.
I started my contact with the Cybersecurity area (at the time, just referred to by
Information Security or InfoSec) about 20 years ago. At that time, incidents were
still relatively reduced, and the scope of Information and Communication Technology
(ICT) was much more limited. Even so, it was already perceived that Information
Security would be a multidisciplinary activity and that it could hardly be approached
as a whole in a typical academic course. The first efforts to define the Body of
Knowledge (BoK) and the curricular structure in this area indicated clearly that
complete education and training in InfoSec required knowledge in Computer Science,
Computer Engineering (and related areas), Administration, Law, Psychology, and
even Sociology (if we want to include the dimension of what is now called Social
Engineering), and a lot of hard practical work.
In more detail, a Cybersecurity degree would then have to include in the curriculum
a technical component (addressing Computer, Network, and Software Engineering),
a Cryptography and Cryptanalysis component (commonly found in Computer
Science undergraduates), a Management component (the security systems controls
have a great impact on the business, and it is necessary to know both areas to ensure
an efficient implementation), and the more ancillary components of Law, Psychology,
and Sociology (especially addressing regulatory issues and human behavior).
In a classic and strongly segmented university structure, this type of curriculum is
tough to build.
In this context, courses in Cybersecurity emerged at the postgraduate level supported
by the specific knowledge of an under-graduation. It is the most straightforward
and logical solution in a market that started to emphasize searching for
professionals in this area. It is not the ideal solution, but it is possible. In this strategy,
a good Cybersecurity “professional” is not, in reality, an isolated person, but
rather a group of people who, together, cover all the necessary fundamental areas of
knowledge and then the Cybersecurity-related specializations.
In the exploration of alternatives, the way was opened for the emergence of
new “academies.” Not in the literal sense of the term, but from the perspective
of training organizations that bring together professionals from various areas with
much more flexibility. However, these initiatives tend to develop in a monopolistic
strategy, creating their own referential curricula and seeking to assert themselves
before companies, potential customers. If the classical academic alternative, based
on the development of open curricular models, does not seem to respond, due to the
inertia of the educational model, these monopolistic models end up falling short of
what is desired, as they promote more attractiveness than fundamental knowledge.
A solution that may prove to be much more effective in this area is a hybrid model:
open models for competencies and knowledge, developed in academic circles and
with the support of government institutions, complemented with new academies, not
segmented by knowledge. Apparently, it would not be complicated; in practice, it is
a considerable challenge because the human resources to make these academies work
are not motivated and mobilized yet – think of the minimal number of doctorates
in this area.
Over the 20-year period I initially mentioned, I had the privilege of integrating
different working groups. I would like to highlight the MN CD E&T (Multi-National
Cyber Defense Education and Training) project, within the scope of the
NATO Smart Defense program, which aimed to develop a curriculum framework
for Cybersecurity and Cyber Defense and subsequently its inclusion in the NATO
Communications and Information Academy, based in Oeiras, Portugal. I would also
like to highlight my involvement with the IEEE/ACM team that has been developing
curriculum models for several ICTs education areas and that has recently
taken a similar approach to Cybersecurity education. Also worth mentioning, the
involvement with IFIP Working Group 11.8 for Information Security Education,
which promoted a series of scientific events focused on the topic. Lastly, but with
no less impact, my active involvement in Technical Committees for Standardization,
national and international, is all the more relevant as standards are in a disciplinary
area with no other models.
In parallel with the above activity, in my professional career as a university
professor, I have been called to teach Cybersecurity to several engineering courses,
mostly at the postgraduate level: Management of Information Systems, Industrial
and Computer Electronics, Telecommunications and Informatics, and Telecommunications
and IT Networks and Services. The trend mentioned above of introducing
Cybersecurity at the postgraduate level in traditional engineering courses related
to ICTs is confirmed. It has been a challenging job. With the invaluable collaboration
of the students, I could validate some models of competencies and fundamental
knowledge, for several target audiences, in the scope of engineering based on ICT.
It was possible to arrive at a set of practical exercises that use this knowledge and
effectively develop those skills. Moreover, it was possible to validate the approach
with several companies that contracted with those students. At the moment, I am
convinced that all engineers in the ICT areas must have that knowledge and those
competencies, and that was the fundamental reason that made me write this book.
In synthesis, it all begins by understanding some fundamental concepts related
to what information security is. The available standards are very helpful for that
purpose. It is crucial to understand and evaluate the risk, which depends on the
value of the asset(s) we want to protect, the perception of the threats, and the
reconnaissance of the vulnerabilities, that together define the perceived probability of
something evil happening and the impact. The resulting level of the risk will support
the decision about putting a given security control to work. After, it is required to
measure the efficiency of the control(s) from a management perspective. Despite the
apparent simplicity of the above model, its implementation is complex and full of
pitfalls, imposing limitations (that is what security is about) not often understood
by everyone in an organization. Chapter 1 is devoted to explaining the model and
• Identity Management (IdM) – With the rise of web services and endpoints introduced
with the recent paradigm of the Internet of Things (IoT), it becomes
We are talking about Intrusion Detection Systems (IDS). This type of mechanism
is first described, and then an exercise is proposed that, in a first phase, aims at
the simple implementation of an IDS. In a more advanced second phase, it proposes
the exploration of visualization techniques, essential for the correct operation of this
type of system. Finally, because the previous two techniques do not solve all security
problems and, above all, when transacted data is the focus of security, we must use
cipher-based protocols. The most used ones are presented, ending the chapter with
an exercise proposal to apply those protocols.
The last chapter can be considered a bit controversial. So far, Cybersecurity has
been the center of the discussion, and it may not seem ethically correct to describe
now methods and tools used in Cyberattacks, even though they are used by so-called
pen-testers who assess the security of computer systems. Usually, these two topics
are approached in different contexts. Nevertheless, the approach taken in Chapter 6
does not seek to explain or teach how cyberattacks are carried out, focusing on tasks
that typically precede attacks, using protocols or methods that cannot be classified,
per se, as abusive, but which can be detected. Despite the title of the chapter, the
objective is to provide the Cybersecurity engineer with greater sensitivity about
what should be considered malicious in Cyberspace while introducing one of the
most recognized tools (or rather, a compilation of tools) in this type of activity, the
Kali. The chapter ends with an exercise that seeks to stimulate the skills mentioned
above.
Finally, I sincerely hope you find the book interesting and helpful in preparing
you for an increasingly demanding and challenging professional activity. The models
and principles used have already proved to be very useful in providing the foundation
for other specialization activities.
CHAPTER 1
Cybersecurity Fundamentals
“Alice: Would you tell me, please, which way I ought to go from here?
Cat: That depends a good deal on where you want to get to.
Alice: I don’t much care where—
Cat: Then it doesn’t matter which way you go.”
– Lewis Carroll, Alice in Wonderland
1.1 Summary
DOI: 10.1201/9780429286742-1
1.2 Introduction
Figure 1.1: Example of the threat landscape provided by ENISA, for 2018 [160]
we do not know many details? How can we manage technological complexity by
controlling security aspects in big software stacks? How can we anticipate and prevent
human errors or deviant behaviors? And, above all, how to balance flexibility with
Cybersecurity and its impact on profit (or, who will pay the Cybersecurity bill)? In
this book, we will try to work on answers to some of those questions.
First things first, we cannot approach Cybersecurity without knowing the fundamentals.
Despite some (interesting) discussions about approaching it as a science
(with some relevance especially with regard to security metrics, as we will address
at the end of this chapter), this is a subjective topic, since it is tough to establish any
type of laws governing it. So, Cybersecurity is mostly supported by concepts,
principles, standards, and good practices. We will cover those fundamentals immediately
after describing the type of problem that an engineer can face when approaching the
need to build a system that also takes into account (non-functional) InfoSec requirements.
Usually, engineers are trained to design and implement Information Systems based
mainly on functional requirements. This is comprehensible since functions are
intrinsic characteristics of a business model contributing to the system added value.
In fact, except with more critical systems, statements, such as information cannot
be modified when transferred, or information cannot be accessed by a third party, are
very unusual. Users and engineers often assume that these properties are observed
by construction, since the underlying technologies are correct, whatever that
means. Nothing is as far from the truth as this assumption.
With the awareness about the level of threats currently posed to the Information
Systems, it becomes dangerous to develop them without considering those threats.
It is no longer enough to approach InfoSec as something done after the project is
completed, or when problems arise. On the contrary, vulnerabilities, threats, and
security requirements must be known beforehand, and security solutions must be
incorporated throughout the project.
But security problems are very diverse, and it can be very difficult to characterize
them correctly. Attacks can exploit vulnerabilities in technological infrastructure,
in business processes, or even in human resources, the latter usually being very
difficult to analyze. Additionally, they can be perpetrated by external agents, from
anywhere in Cyberspace, or by internal agents, people we normally trust. In any case,
attackers may have unexpected motivations and may sometimes use unknown tools.
Within such an uncertain scenario, it is not a simple task to choose the most effective
and efficient security controls, or to evaluate them from an InfoSec management
perspective. Figure 1.2 depicts the general function of a Cybersecurity Engineer,
who is required to analyse the context (both technological and personal), its
vulnerabilities, threats and possible attacks carefully, and to decide to deploy effective
and efficient security controls, targeting both the technological infrastructure and its
users. Moreover, since most systems are supposed to work continuously, the initial
risk analysis must be complemented by a continuous monitoring process to assess the
mitigation controls’ efficiency and incorporate the required adjustments.
Over the course of several years trying to systematize this process, many models
have been developed. The vast majority of these models use the same concepts,
focusing on risk assessment. Nevertheless, the models reflect the need to adjust to
different realities, taking into account specific aspects of organizations, such as size,
sector of activity, or level of technological literacy.
When facing these challenges, a Cybersecurity engineer should be able to choose
a proper InfoSec model and apply it, starting with the required risk evaluation
and using, as much as possible, the standards, good practices and expertise of all
stakeholders. This chapter aims to explore the fundamental knowledge about this
topic, guiding through standards and related documents and giving the necessary
context to train the required skills.
question, but more for the sake of completing the description, Safety is also a
measurable property of dependability, but related to faults that can lead to catastrophic
effects – typically pertaining to critical systems.
Notwithstanding the relation with dependability, by its complex and less objective
nature, InfoSec did not evolve using the same logic, and the related communities
soon presented some models that redefine some similar concepts. One obvious
piece of evidence is the use of availability as a central InfoSec property, while it was
already defined in the dependability context, even with a more limited scope. By the way,
it is important to observe an essential difference between availability and the other
two InfoSec fundamental properties. While the first is measurable in most situations,
the last two are not. In fact, confidentiality and integrity are almost impossible to
measure, which makes them not adapted to the dependability concept, this being
one of the reasons for the emergence of different models.
Given the limited capacity to measure most of the InfoSec properties objectively,
the developed models turn their attention to the concept of risk. It comprises the
intrinsic value of an asset – any Information System component relevant in terms
of security – and the probability of a failure occurring. Neither of these values is
easy to determine, but nothing forces us to use quantitative values, and it is possible
(and frequently the only option) to use a qualitative assessment. Risks can be prioritized,
establishing an order for choosing mitigating actions.
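As an added example (not code from the book), the following Python sketch puts the paragraph’s risk notion to work: each register entry pairs an asset’s value with the probability of a failure, and the risks are ranked to order mitigating actions, once quantitatively (expected loss) and once on qualitative ordinal scales combined by a risk matrix. The asset names, figures, level labels and matrix thresholds are constructed for the demonstration and are not taken from the standard.

```python
"""Added example, not the book's own code: a small risk register that combines
an asset's intrinsic value with the probability of a failure and orders the
resulting risks so that mitigating actions can be chosen in priority order.
Because the text notes that qualitative assessment is often the only option,
both a quantitative (expected loss) and a qualitative (ordinal matrix) variant
are shown.  Asset names, values, probabilities, level labels and the 3x3
matrix thresholds are constructed for the demo, not taken from ISO/IEC 27001."""
from typing import List, Tuple

# Constructed ordinal scale shared by asset value and probability.
LEVELS = {"low": 1, "medium": 2, "high": 3}

# Register entries: (asset, failure/threat, asset_value, probability)
QuantEntry = Tuple[str, str, float, float]
QualEntry = Tuple[str, str, str, str]


def expected_loss(asset_value: float, probability: float) -> float:
    """Quantitative risk: value of the asset times the probability that the
    failure occurs.  Inputs are validated because a probability outside [0, 1]
    or a negative value would silently corrupt the ranking."""
    if asset_value < 0:
        raise ValueError("asset value must be non-negative")
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    return asset_value * probability


def qualitative_score(asset_value: str, probability: str) -> int:
    """Qualitative risk on ordinal scales: product of the two levels (1..9).
    Unknown labels raise instead of being guessed."""
    try:
        return LEVELS[asset_value.lower()] * LEVELS[probability.lower()]
    except KeyError as exc:
        raise ValueError(f"unknown level {exc}; use {sorted(LEVELS)}") from None


def qualitative_level(score: int) -> str:
    """Constructed 3x3 risk matrix: map the 1..9 score onto three bands."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritize_quantitative(register: List[QuantEntry]) -> List[Tuple[str, str, float]]:
    """Order risks by expected loss, highest first (ties broken by asset name)."""
    scored = [(asset, threat, expected_loss(value, prob))
              for asset, threat, value, prob in register]
    return sorted(scored, key=lambda r: (-r[2], r[0]))


def prioritize_qualitative(register: List[QualEntry]) -> List[Tuple[str, str, str, int]]:
    """Order risks by matrix score, highest first; the band label is kept for reporting."""
    scored = []
    for asset, threat, value, prob in register:
        score = qualitative_score(value, prob)
        scored.append((asset, threat, qualitative_level(score), score))
    return sorted(scored, key=lambda r: (-r[3], r[0]))


if __name__ == "__main__":
    # Constructed sample registers; the same assets appear in both.
    quant = [("customer DB", "data breach", 500_000.0, 0.02),
             ("web server", "denial of service", 50_000.0, 0.30),
             ("office laptops", "theft", 20_000.0, 0.10)]
    qual = [("customer DB", "data breach", "high", "low"),
            ("web server", "denial of service", "medium", "high"),
            ("office laptops", "theft", "low", "medium"),
            ("backup tapes", "loss in transit", "high", "high")]
    for row in prioritize_quantitative(quant):
        print(f"{row[0]:15} {row[1]:18} expected loss {row[2]:>10,.0f}")
    for row in prioritize_qualitative(qual):
        print(f"{row[0]:15} {row[1]:18} {row[2]:6} (score {row[3]})")
```

The two rankings need not agree: the qualitative matrix discards the magnitude information that expected loss keeps, which is the trade-off the text accepts when quantitative values are unavailable.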
Over several years of study and research, several organizations, public and private,
have developed models that seek to properly articulate all the necessary concepts
and deal conveniently with InfoSec’s level of complexity. One of these organizations,
ISO, stands out for its scope – more on this subject along the chapter.
Among all the models available, we will take inspiration from the one described in
the ISO/IEC JTC 1 27001 standard, which is one of the most frequently referred to,
given its generality and wide dissemination [136], complemented by the experience of using some
related tools. The model is presented in Figure 1.4 and the main concepts behind it
are summarized in the next subsections [87].
When approaching an Information System from the security point of view, we need
to define clearly what the properties we want to promote are or, stated in a different
way, what the security objectives are. Actually, this is not different from what an
engineer needs to do from any other functional or non-functional point of view. But
since security is usually not the main concern (even when it should be!), it is not,
at large, addressed systematically. Over several years of research, the community
reached a common understanding about what we can consider the main security properties:
• Confidentiality – the capacity to assure that only authorized subjects access
the information.
• Integrity – the capacity to assure that information is modified, in any way,
only as expected.
• Availability – the capacity to assure that information is always available when
necessary.
The CIA triad is assumed to be the set of fundamental InfoSec properties. But in some
situations, we may need to use more explicit properties. As an example, a health
record must include a doctor’s signature since, by its nature, it is important to
assure authenticity. We may argue this is covered by integrity, but making
authenticity a fundamental security property, in this case, seems more robust.
The 27001 standard does not force us to use only the main three properties, even