Cybersecurity A Practical Engineering Approach


Cybersecurity

Chapman & Hall/CRC


Textbooks in Computing
Series Editors
John Impagliazzo
Andrew McGettrick

Pascal Hitzler, Markus Krötzsch, and Sebastian Rudolph, Foundations of Semantic Web Technologies
Henrik Bærbak Christensen, Flexible, Reliable Software: Using Patterns and Agile Development
John S. Conery, Explorations in Computing: An Introduction to Computer Science
Lisa C. Kaczmarczyk, Computers and Society: Computing for Good
Mark Johnson, A Concise Introduction to Programming in Python
Paul Anderson, Web 2.0 and Beyond: Principles and Technologies
Henry Walker, The Tao of Computing, Second Edition
Ted Herman, A Functional Start to Computing with Python
Mark Johnson, A Concise Introduction to Data Structures Using Java
David D. Riley and Kenny A. Hunt, Computational Thinking for the Modern Problem Solver
Bill Manaris and Andrew R. Brown, Making Music with Computers: Creative Programming in Python
John S. Conery, Explorations in Computing: An Introduction to Computer Science and Python Programming
Jessen Havill, Discovering Computer Science: Interdisciplinary Problems, Principles, and Python Programming
Efrem G. Mallach, Information Systems: What Every Business Student Needs to Know
Iztok Fajfar, Start Programming Using HTML, CSS, and JavaScript
Mark C. Lewis and Lisa L. Lacher, Introduction to Programming and Problem-Solving Using Scala, Second Edition
Aharon Yadin, Computer Systems Architecture
Mark C. Lewis and Lisa L. Lacher, Object-Orientation, Abstraction, and Data Structures Using Scala, Second Edition
Henry M. Walker, Teaching Computing: A Practitioner’s Perspective
Efrem G. Mallach, Information Systems: What Every Business Student Needs to Know, Second Edition
Jessen Havill, Discovering Computer Science: Interdisciplinary Problems, Principles, and Python Programming, Second Edition
Henrique M. D. Santos, Cybersecurity: A Practical Engineering Approach

For more information about this series please visit:

https://www.routledge.com/Chapman--HallCRC-Textbooks-in-Computing/book-series/CANDHTEXCOMSER
Cybersecurity
A Practical Engineering Approach

Henrique M. D. Santos
First edition published 2022
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

and by CRC Press
4 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

CRC Press is an imprint of Taylor & Francis Group, LLC

© 2022 Henrique M. D. Santos

Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. For works that are not available on CCC please contact [email protected]

Trademark notice: Product or corporate names may be trademarks or registered trademarks and are used only for identification and explanation without intent to infringe.

Library of Congress Cataloging‑in‑Publication Data

Names: Santos, Henrique, 1960- author.
Title: Cybersecurity : a practical engineering approach / Henrique M. D. Santos.
Description: First edition. | Boca Raton : CRC Press, 2022. | Series: Chapman & Hall/CRC textbooks in computing | Includes bibliographical references and index.
Identifiers: LCCN 2021049495 | ISBN 9780367252427 (hbk) | ISBN 9781032211305 (pbk) | ISBN 9780429286742 (ebk)
Subjects: LCSH: Computer networks--Security measures. | Computer security.
Classification: LCC TK5105.59 .S2595 2022 | DDC 005.8--dc23/eng/20220103
LC record available at https://lccn.loc.gov/2021049495

ISBN: 978-0-367-25242-7 (hbk)
ISBN: 978-1-032-21130-5 (pbk)
ISBN: 978-0-429-28674-2 (ebk)

DOI: 10.1201/9780429286742

Typeset in Computer Modern by KnowledgeWorks Global Ltd.

Publisher’s note: This book has been prepared from camera-ready copy provided by the authors.

Access the Support Material: https://hsantos.dsi.uminho.pt/cybersecengbook-crc


To my wife
and my sons (extending to the daughters they have chosen and
the grandsons that delight me).
To my parents
Contents

List of Figures xiii

List of Tables xv

Foreword xvii

Preface xix

Contributors xxv

Chapter 1  Cybersecurity Fundamentals 1

1.1 SUMMARY 1
1.2 INTRODUCTION 2
1.3 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 5
1.4 INFORMATION SECURITY MODEL BASED ON ISO/IEC 27001 6
1.4.1 Main Information Security Properties 8
1.4.2 Resource or Asset 9
1.4.3 Security Events and Incidents 9
1.4.4 Threats 10
1.4.5 Attack 10
1.4.6 Vulnerability 11
1.4.7 Security Controls 13
1.4.8 Cybersecurity Risk 13
1.4.9 InfoSec Model Implementation 14
1.5 RISK ASSESSMENT BASIS 15
1.5.1 Risk Analysis 16
1.5.2 Risk Evaluation 17
1.6 SECURITY CONTROLS 18
1.7 EXERCISES 22
1.8 INFORMATION SECURITY EVALUATION 25
1.8.1 Security Metrics and Measurements 26


1.8.1.1 The Effect of Maturity 28
1.8.1.2 Details about Metrics 30
1.9 CYBERSECURITY LAB REQUIREMENTS AND IMPLEMENTATION 34
1.9.1 Host Machine 35
1.9.2 Virtualization Platform 36
1.9.3 Network Issues 38
1.9.4 External Interface and Integration Issues 40

Chapter 2  Access Control Techniques 45

2.1 SUMMARY 45
2.2 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 46
2.3 ACCESS CONTROL FUNDAMENTALS 47
2.3.1 Basic Components 48
2.4 ACCESS CONTROL MODELS 53
2.4.1 Specification Languages 55
2.4.2 Bell-LaPadula Model 56
2.4.3 Biba Model 57
2.4.4 Clark-Wilson Model 58
2.4.5 Chinese Wall Model 59
2.4.6 Lattices for Multilevel Models 60
2.5 NETWORK ACCESS CONTROL 62
2.5.1 RADIUS 63
2.5.2 TACACS+ 64
2.5.3 802.1X Authentication 65
2.5.4 Kerberos 66
2.6 EXERCISES 67
2.7 AUTHENTICATION MODALITIES 69
2.7.1 Knowledge-Based 70
2.7.2 Token-Based 73
2.7.3 ID-Based (Biometrics) 74
2.7.4 Multimodal Authentication 78
2.8 IDENTITY MANAGEMENT 79
2.8.1 A Framework for IdM in Cyberspace 79

Chapter 3  Basic Cryptography Operations 87

3.1 SUMMARY 87
3.2 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 88
3.3 CONCEPTS AND TERMINOLOGY 89
3.3.1 Key-Based Algorithms 90
3.3.1.1 Symmetric Key Algorithms 90
3.3.1.2 Public-Key Algorithms 93
3.3.1.3 Attack Types 97
3.3.2 Hash Functions 98
3.3.3 Digital Signatures 99
3.3.4 Key Management Issues 101
3.3.5 Email Security Protocols 106
3.3.6 Public-Key Infrastructures (PKI) 107
3.4 PKI TOOLS 109
3.5 EXERCISES 110
3.5.1 Basic Tasks 111
3.5.2 Advanced Tasks 125

Chapter 4  Internet and Web Communication Models 131

4.1 SUMMARY 131
4.2 COMPUTER NETWORK FUNDAMENTALS 132
4.2.1 Link Level 133
4.2.2 Network Level 135
4.2.2.1 ICMP Protocol 140
4.2.2.2 Security Issues at the Link Level 141
4.2.3 Transport Level 142
4.2.3.1 TCP 142
4.2.3.2 UDP 143
4.2.3.3 Security Issues at the Transport Level 144
4.2.4 Application Level 146
4.3 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 151
4.4 NETWORK ANALYSIS TOOLS 152
4.5 NETWORK TRAFFIC ANOMALY SIGNS 159
4.6 ANALYSIS STRATEGY 160
4.7 EXERCISES 163

Chapter 5  Synthesis of Perimeter Security Technologies 171

5.1 SUMMARY 171
5.2 PRELIMINARY CONSIDERATIONS 172
5.2.1 Defense in Depth 172
5.3 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 177
5.4 FIREWALLS 178
5.4.1 Netfilter/Iptables – Where It All Begins 179
5.4.2 Iptables – Looking into the Future 185
5.4.3 Firewall Types 185
5.5 EXERCISE – FIREWALL 188
5.5.1 Summary of Tasks 189
5.5.2 Basic Tasks 189
5.5.3 Advanced Tasks 195
5.6 INTRUSION DETECTION SYSTEMS (IDS) 202
5.6.1 IDS Types 204
5.6.2 IDS Evaluation 206
5.7 EXERCISE – INTRUSION DETECTION 210
5.7.1 Summary of Tasks 211
5.7.2 Basic Tasks 211
5.7.3 Advanced Tasks 218
5.7.4 Recommended Complementary Tasks 224
5.8 NETWORK AND TRANSPORT SECURITY PROTOCOLS 240
5.8.1 VPNs 241
5.8.2 TLS/SSL 247
5.8.3 SSH 249
5.8.4 IPSec 251
5.9 EXERCISE – SECURITY PROTOCOLS 254

Chapter 6  Anatomy of Network and Computer Attacks 261

6.1 SUMMARY 261
6.2 INTRODUCTION TO PENTEST 261
6.2.1 Types of Pentest 264
6.2.2 Pentest Limitations 265
6.3 PROBLEM STATEMENT AND CHAPTER EXERCISE DESCRIPTION 266
6.4 INTRODUCTION TO KALI LINUX 267
6.5 INFORMATION GATHERING 268
6.6 SCANNING PORTS AND SERVICES 271
6.7 VULNERABILITY SCANNING 273
6.8 TARGET ENUMERATION 275
6.9 TARGET EXPLOITATION 277
6.10 EXERCISES 277

Bibliography 295

Index 311
List of Figures

1.1 2018 threat landscape by ENISA 4
1.2 Cybersecurity Engineer general role 6
1.3 InfoSec in the broader context of Dependability 7
1.4 General InfoSec Model 8
1.5 Typical vulnerability life cycle 12
1.6 Security controls organization according to ISO/IEC 27002 20
1.7 Typical architecture of a Smart City – from [94] 23
1.8 Virtual architecture implemented in the Host System 35

2.1 Access Control context 47
2.2 Capability-based centralized AC in a distributed environment 53
2.3 Simple lattice 61
2.4 Basic Network Access Control 63
2.5 Information Entropy for 8-bit and 4-bit size symbols, with up to 40 random symbol combinations 71
2.6 Extended Biometrics taxonomy 76
2.7 Illustration of probabilistic density functions, FNR and FPR 77
2.8 Federated IdM - basic operation 82

3.1 General scenario to deploy crypto security 89
3.2 Generic cert life cycle 104
3.3 Certificate details window – Kleopatra 114
3.4 Subkeys details window – Kleopatra 115
3.5 Importing X.509 Certificate – Kleopatra main window (partial) 120
3.6 X.509 Certificate details window (partial) – Kleopatra 120
3.7 CA trust setting after certificate importing 121
3.8 Certifying a public key using Enigmail 122

4.1 TCP/IP Communication Model 132
4.2 TCP 3-Way Handshake 144
4.3 Protocol encapsulation 147
4.4 Protocol encapsulation details 148
4.5 Wireshark: interface select window 156
4.6 Wireshark: main analysis window 157

5.1 Security in Depth model adopted 173
5.2 De-Militarized Zone typical design 174
5.3 Alternatives to deploy encryption in network communications 176
5.4 Netfilter operation 180
5.5 Iptables relations 181
5.6 Main interface window of system-config-firewall-tui 191
5.7 General architecture to accommodate a firewall in a virtual environment 196
5.8 Generic IDS architecture 203
5.9 Examples of benign and intrusions probability density functions 209
5.10 Example of a Detection Error Trade-Off curve 209
5.11 Example of a ROC curve 210
5.12 Example of a dashboard prepared with Kibana 224
5.13 VPN types based on endpoints 244
5.14 TLS/SSL protocol sequence of operations 248
5.15 Sample of the traffic generated by one IPSec implementation 253

6.1 Target window details 282
6.2 Task window details 283
6.3 Task specific window details, with results 285
6.4 Metasploit console 288
List of Tables

1.1 Example of a Risk Matrix 18
1.2 Example of a risk identification and analysis table 24
1.3 Example of a security metrics definition table 33

2.1 Example of an Access Matrix 49
2.2 Comparison between Authentication modalities 78

4.1 IPv4 reserved addresses 136
4.2 IPv6 reserved addresses 137

5.1 Firewall comparison 187
5.2 Simplified IDS taxonomy 205
Foreword

In today’s world, we experience many challenges involving computer security. Criminals compromise millions of accounts from major companies, siphon billions of Euros each year from businesses and personal accounts, and coerce thousands of people and companies through spyware, ransomware, and phishing schemes. In addition, consumers witness almost daily news broadcasts of the malicious abuse of computer usage and the lack of integrity in cybersecurity protection in the routine use of digital expressions. This change in life has caused concern at finance, research, government, and educational institutions.

Security and cybersecurity education degree programs have emerged to combat these threats to humans and society over the past two decades. As a result, students, teachers, and researchers have developed a greater interest in secure computing in recent years. Professor Henrique Santos has written this textbook, adequately titled Cybersecurity: A Practical Engineering Approach. In brief, Professor Santos has hit the mark in transforming intellectual and practical thought to this vital subject.

Henrique and I first met in Santos (yes, Santos), Brazil, in 2017. Since then, he and I have developed a close human bond in our mutual promotion of quality computing education. We both believe that cybersecurity should be part of every student’s university education. He is a known scholar in European computing circles and has produced several doctoral graduates in cybersecurity. I encouraged him to develop this work, and I am delighted he decided to do so. His efforts have created a helpful book in a pedagogical style where chapters include summaries, problem statements, and thought-provoking exercises. The writing style is clear, concise, and to the point.

The book’s content promotes thought and diligence. Students should appreciate this direct approach as they dwell among the elements surrounding the cybersecurity field. The content style of the work is refreshing. The author uses methods and data founded by the International Standards Organization (ISO), the North Atlantic Treaty Organization (NATO), the National Institute of Standards and Technology (NIST) in North America, and other agencies responsible for publishing cybersecurity guidelines. The information, standards, and data used are non-confidential and form a fundamental basis to present ideas and processes for students to consider.

While not explicitly stated, this work addresses the eight elements stated in the ACM/IEEE Curriculum Guidelines for Post-Secondary Degree Programs in Cybersecurity (CSEC2017). These guidelines promote eight knowledge areas: data security, software security, component security, connection security, system security, human security, organizational security, and societal security. Hence, Professor Santos has addressed these security areas and has done so convincingly and pragmatically. All students should benefit from the experience derived from this work, which is practical, meaningful, and readable.

The accelerated speed with which digital information occurs triggers a dire need for cybersecurity. The world should prepare to confront such expansion by ensuring proper security tools are in place. While all humans must remain vigilant, many strategies and processes develop at colleges and universities. Students and teachers must be able to create and design methods to protect the integrity of digital systems. The work by Professor Santos provides them with a valuable vehicle to understand and address the digital threats that confront humanity. The work uses real situations and organizations to provide practical approaches to solving security problems for the world’s digital infrastructure.

Cybersecurity threats will not disappear and should be prevalent to all for many decades to come. What is important today may not be necessary for the future; likewise, what is not essential today could be important for tomorrow. Students and computing professionals pragmatically need knowledge and preparation. Therefore, students should learn much from experiencing Professor Santos’ work because it emphasizes realistic strategies and approaches toward solving cybersecurity problems and risks. The book of Professor Santos represents a crucial step in protecting the digital threats of tomorrow.

John Impagliazzo, Ph.D.
Professor Emeritus, Hofstra University
IEEE Fellow and Life Member
ACM Distinguished Educator
2021 October 20
Preface

I started my contact with the Cybersecurity area (at the time, just referred to as Information Security or InfoSec) about 20 years ago. At that time, incidents were still relatively few, and the scope of Information and Communication Technology (ICT) was much more limited. Even so, it was already perceived that Information Security would be a multidisciplinary activity and that it could hardly be approached as a whole in a typical academic course. The first efforts to define the Body of Knowledge (BoK) and the curricular structure in this area indicated clearly that complete education and training in InfoSec required knowledge in Computer Science, Computer Engineering (and related areas), Administration, Law, Psychology, and even Sociology (if we want to include the dimension of what is now called Social Engineering), and a lot of hard practical work.
In more detail, a Cybersecurity degree would then have to include in the curriculum a technical component (addressing Computer, Network, and Software Engineering), a Cryptography and Cryptanalysis component (commonly found in Computer Science undergraduates), a Management component (the security systems controls have a great impact on the business, and it is necessary to know both areas to ensure an efficient implementation), and the more ancillary components of Law, Psychology, and Sociology (especially addressing regulatory issues and human behavior). In a classic and strongly segmented university structure, this type of curriculum is tough to build.
In this context, courses in Cybersecurity emerged at the postgraduate level, supported by the specific knowledge of an undergraduate degree. It is the most straightforward and logical solution in a market that started to emphasize the search for professionals in this area. It is not the ideal solution, but it is possible. In this strategy, a good Cybersecurity “professional” is not, in reality, an isolated person, but rather a group of people who, together, cover all the necessary fundamental areas of knowledge and then the Cybersecurity-related specializations.
In the exploration of alternatives, the way was opened for the emergence of new “academies.” Not in the literal sense of the term, but from the perspective of training organizations that bring together professionals from various areas with much more flexibility. However, these initiatives tend to develop in a monopolistic strategy, creating their own referential curricula and seeking to assert themselves before companies, potential customers. If the classical academic alternative, based on the development of open curricular models, does not seem to respond, due to the inertia of the educational model, these monopolistic models end up falling short of what is desired, as they promote more attractiveness than fundamental knowledge. A solution that may prove to be much more effective in this area is a hybrid model: open models for competencies and knowledge, developed in academic circles and with the support of government institutions, complemented with new academies, not segmented by knowledge. Apparently, it would not be complicated; in practice, it is a considerable challenge because the human resources to make these academies work are not motivated and mobilized yet – think of the minimal number of doctorates in this area.
Over the 20-year period I initially mentioned, I had the privilege of integrating different working groups. I would like to highlight the MN CD E&T (Multi-National Cyber Defense Education and Training) project, within the scope of the NATO Smart Defense program, which aimed to develop a curriculum framework for Cybersecurity and Cyber Defense and subsequently its inclusion in the NATO Communications and Information Academy, based in Oeiras, Portugal. I would also like to highlight my involvement with the IEEE/ACM team that has been developing curriculum models for several ICT education areas and that has recently taken a similar approach to Cybersecurity education. Also worth mentioning is the involvement with IFIP Working Group 11.8 for Information Security Education, which promoted a series of scientific events focused on the topic. Lastly, but with no less impact, my active involvement in Technical Committees for Standardization, national and international, is all the more relevant as standards are in a disciplinary area with no other models.
In parallel with the above activity, in my professional career as a university professor, I have been called to teach Cybersecurity in several engineering courses, mostly at the postgraduate level: Management of Information Systems, Industrial and Computer Electronics, Telecommunications and Informatics, and Telecommunications and IT Networks and Services. The trend mentioned above of introducing Cybersecurity at the postgraduate level in traditional engineering courses related to ICTs is confirmed. It has been a challenging job. With the invaluable collaboration of the students, I could validate some models of competencies and fundamental knowledge, for several target audiences, in the scope of engineering based on ICT. It was possible to arrive at a set of practical exercises that use this knowledge and effectively develop those skills. Moreover, it was possible to validate the approach with several companies that contracted those students. At the moment, I am convinced that all engineers in the ICT areas must have that knowledge and those competencies, and that was the fundamental reason that made me write this book.
In synthesis, it all begins by understanding some fundamental concepts related to what information security is. The available standards are very helpful for that purpose. It is crucial to understand and evaluate the risk, which depends on the value of the asset(s) we want to protect, the perception of the threats, and the recognition of the vulnerabilities, which together define the perceived probability of something evil happening and its impact. The resulting level of risk will support the decision about putting a given security control to work. Afterwards, it is required to measure the efficiency of the control(s) from a management perspective. Despite the apparent simplicity of the above model, its implementation is complex and full of pitfalls, imposing limitations (that is what security is about) not often understood by everyone in an organization. Chapter 1 is devoted to explaining the model and making it simple to approach by individuals or SMEs, who usually cannot afford to spend the money required to buy a Cybersecurity solution. Anyway, buying security may not be a good idea unless we also pass on the responsibility for harmful attacks, which no seller is likely to accept. Cybersecurity demands mindset changes, and that is something we cannot buy. A practical exercise is also proposed, allowing readers to improve their skills in handling risk management. The chapter ends with two sections not directly related to the above model but fundamental for the Engineering approach to Cybersecurity:

• Information Security evaluation, which is summarily described as an open applied research issue. Information Security is a management process and, as such, metrics play a fundamental role. There is no ‘general metrics catalog’ available (despite some efforts), mainly because each organization approaches the problems in a different way, with the maturity level assuming high relevance. This section aims to highlight the issues while giving some clues about the possible ways to conduct the task.

• Engineering Cybersecurity products usually demands some tests and experiments before sending them to production. Testing security is a complex task, especially when threats and attacks are not fully understood and/or non-functional requirements are not clearly defined (this is often the case). It is very dangerous and error-prone to test such products in real non-controlled environments, where actions and resulting events will be merged with thousands of other unrelated ones, making it hard to objectively test what we want, besides putting the neighboring systems at risk. To overcome this limitation, engineers usually use a dedicated and closed laboratory based on virtualization techniques. This section characterizes and describes the implementation of such a laboratory, which we will use throughout the book.
Access Control (AC) has a crucial role in Cybersecurity. This control protects (or should protect) all accesses to any device, whether initiated by a human or a machine, which is the essence of the interconnected Cyberspace. It works like a gate and, when compromised or poorly designed, jeopardizes all security properties of the target system. For this reason, it is the first to be discussed in the book, which is accomplished in Chapter 2. In addition to describing the technologies used in the implementation, both in accessing computers and network devices, the chapter also describes several models used to define an appropriate Access Control Policy. The practical exercise in this chapter focuses on precisely this dimension, which is frequently undervalued. The chapter ends with two topics for further investigation:

• User Authentication modalities – User authentication is a crucial operation in AC. Since users are usually associated with many failures, it is critical to choose an authentication method that assures an adequate level of security and an adequate level of user acceptance so that the user does not make serious mistakes. In this section, several authentication modalities are discussed and evaluated.

• Identity Management (IdM) – With the rise of web services and endpoints introduced with the recent paradigm of the Internet of Things (IoT), it becomes a nightmare to manage all the different digital identities linked to humans or machines. IdM is evolving to provide the necessary central management of digital identities while trying to keep the privacy and the different identity attributes exposed according to the requirements of each ecosystem. However, being centralized also raises some security concerns at the AC level. This section discusses some technologies along with the issues they introduce.

Chapter 3 takes an applicational approach to cryptographic technologies. This topic is covered at this stage because other security controls use several of these techniques – otherwise, it would be approached later. Encryption protects the confidentiality and integrity of data and should be seen as a ‘last resort’ control, as there are more effective ones for all security properties, like AC. Furthermore, encryption even poses a threat to availability, as will be described. The chapter presents a brief summary of the main cryptographic techniques used today and some protocols that use them. Usually, these techniques are considered obscure. Aiming to make them more transparent, this chapter includes several small examples that show what applied cryptography is about and some techniques used in its application. The final exercise consists of creating a PKI, which requires the use of different techniques and protocols.
Network communications play a crucial role in our connected world, ruled by a dominant stack of protocols, known as TCP/IP, or Internet protocol. The so-called IoT brings some new protocol stacks, mainly in a local context, but the Internet is still the primary path used by all our digital transactions, and the very same path attackers explore when approaching target computing systems. It all happens at a vertiginous speed. Network traffic monitoring and analysis become an essential security control to look for malicious activities, and only automatic tools can perform it for speed reasons. However, those tools need some form of programming made by humans with special skills to investigate and interpret traffic. This is the focus of Chapter 4, which starts by describing the main concepts and the communication model underneath the Internet. Afterwards, some techniques and tools for traffic analysis are presented, along with a discussion about typical anomaly signs and a proposed strategy to approach this complex task. The main objective is to support the correct configuration of the security tools discussed in the next chapter, more so than preparing a human being to inspect network traffic. The chapter ends with a consolidation exercise.
Building on the knowledge explored in previous chapters, Chapter 5 holistically explores network security. Initially, some considerations are made regarding the physical organization of a computer network, where security should begin (unfortunately, that is not the usual case). Next, we should focus on traffic filtering, trying to avoid everything that is recognized as not necessary or as malicious. Firewalls generally perform this filtering function. The filtering mechanisms are explained, and an exercise that explores a simple firewall is proposed, followed by a second one that proposes the implementation of a real firewall. Filtering will not solve all security problems. Many attacks maliciously use legitimate traffic and operations. The next level is then to analyze that legitimate traffic and look for signs of anomalous activity. We are talking about Intrusion Detection Systems (IDS). This type of mechanism is first described, and then an exercise is proposed that, in a first phase, aims at the simple implementation of an IDS. In a more advanced second phase, it proposes the exploration of visualization techniques, essential for the correct operation of this type of system. Finally, because the previous two techniques do not solve all security problems and, above all, when transacted data is the focus of security, we must use cipher-based protocols. The most used ones are presented, ending the chapter with an exercise proposal to apply those protocols.
The last chapter can be considered a bit controversial. So far, Cybersecurity has been the center of the discussion, and it may not seem ethically correct to describe now methods and tools used in Cyberattacks, even though they are used by so-called pen-testers who assess the security of computer systems. Usually, these two topics are approached in different contexts. Nevertheless, the approach taken in Chapter 6 does not seek to explain or teach how cyberattacks are carried out, focusing on tasks that typically precede attacks, using protocols or methods that cannot be classified, per se, as abusive, but which can be detected. Despite the title of the chapter, the objective is to provide the Cybersecurity engineer with greater sensitivity about what should be considered malicious in Cyberspace while introducing one of the most recognized tools (or rather, a compilation of tools) in this type of activity, Kali. The chapter ends with an exercise that seeks to stimulate the skills mentioned above.
Finally, I sincerely hope you find the book interesting and helpful in preparing
you for an increasingly demanding and challenging professional activity. The models
and principles used have already proved to be very useful in providing the foundation
for other specialization activities.

“Traveler, there is no path. The path is made by walking.”


– António Machado
Contributors

Ricardo Santos Martins
DigitalSign
Guimarães, Portugal

Pedro Magalhães
Universidade do Minho
Guimarães, Portugal

CHAPTER 1

Cybersecurity Fundamentals

“Alice: Would you tell me, please, which way I ought to go from here?
Cat: That depends a good deal on where you want to get to.
Alice: I don’t much care where—
Cat: Then it doesn’t matter which way you go.”
– Lewis Carroll, Alice in Wonderland

1.1 Summary

Cybersecurity is becoming a central issue in any Information System, affecting
everything we interact with nowadays. In a simple way, it starts with the
identification of the security properties we want to preserve, the main threats that can
affect those properties, the weaknesses of the target system, and the techniques and
procedures we can use to mitigate those threats. However, given the dynamics of the
overall system and its surroundings, it is still necessary to keep an eye on the security
properties and protection mechanisms, measuring all possible security indicators in
a continuous and manageable way. It sounds like a model, right? And it is.
Among the proposals to address the above process, the family of standards known
as ISO/IEC 27k describes all the main components, even addressing different con-
texts, and has earned the acceptance of a large community by its nature. There are
some alternatives focusing on particular system details, but the 27k model is
generic enough to allow the deployment of flexible and effective information security
management systems. Despite the apparent simplicity of the task, the subjectivity
of some security objectives, and the intrinsic difficulty of measuring the efficiency of
most security controls, deploying a proper Cybersecurity program can be a nightmare.
This chapter starts by describing the main concepts and definitions, and proposes
a simple model based on the ISO/IEC 27001 standard, aimed at allowing an easier
approach (especially crafted for small implementations) and a better understanding
of the overall process, so as to promote the engineering of more adequate security
solutions. The related skills are exercised using a typical case study. After that, and
as part of the Cybersecurity Engineer's toolbox, a laboratory based on virtualization
technologies is described in a tutorial fashion. This lab will be used throughout the
book.

DOI: 10.1201/9780429286742-1
2  Cybersecurity: A Practical Engineering Approach

1.2 Introduction

Security can be simply defined as a process aiming to protect something (a sys-
tem) against threats, like attacks, accidents, or any other type of event that can
produce damage. In the context of this book, by 'system' we restrict ourselves to In-
formation Systems in general, including computer systems, networks, users, and the
information they handle. By protection, we mean minimizing the impact of failures
(their damage), keeping the system working as long as possible and fulfilling its
requirements (both functional and non-functional) as much as possible. We are not
considering the effects of system failures on its environment, nor any appreciation
of external perceptions, like reliability, for example. We are mainly concerned with
information, as the central asset of Information Systems. This is basically what
Information Security (InfoSec) is about.
Notwithstanding the simplicity of the above definition, putting together such
a process is a daunting task. Besides requiring a deep knowledge of the complex
and diverse technology used nowadays to design and build all the types of digital
equipment in question (which, by itself, is beyond the capacity of any single person), it
also demands an enlarged understanding of the highly complex threat landscape, and
even a grounding in business models, legal frameworks and human behavior
(of both legitimate and malicious users). Furthermore, with technological evolution,
as well as the socio-economic turbulence of our days (and, most likely, of future
eras), there is a trend for systems and threats to become more complex. In short,
systems engineering with Cybersecurity objectives in mind means aiming for more
dependable systems [7, p. 20]. Simple to state, (very) hard to make happen.
It is useful to look back to where it all began, to better understand why we are here
and what the future may bring us concerning Cybersecurity. At the beginning of the
IT era (in the 1950s), with a few computer centers available in easy-to-control physical
spaces, and used for particular purposes, InfoSec was mostly a matter of carefully
controlling physical access, limited to a few groups of specialized operators, and
monitoring a single computer facility. An easy task. In just a few decades, and mostly for
economic reasons, we evolved first to time-sharing systems, allowing several users
to use the system at the same time, but still confined to the same building. InfoSec
became more difficult, but still feasible, since it was additionally necessary to supervise
and control a limited number of rooms, the users entering and leaving, and
the paper listings they carried – there were no external storage devices at that time.
The next step, promoting flexibility, ease of access and new business oppor-
tunities, was to deploy and explore fully distributed Information Systems. They
became supported by a global Internet¹ (slowly but steadily integrating all com-
munication technologies), operated by virtually any human being, or even any ma-
chine (the emerging Internet of Things – IoT – paradigm), through a plethora of
heterogeneous devices, using incredibly complicated (and economically almost im-
possible to test) software and protocol stacks, and used to support nearly all aspects
of human life (social, professional, and leisure). Understandably, InfoSec has become
an impressive task, very complex, as well as critical. The worst part of it: it can
potentially cut business exploration by limiting flexibility.

¹ The expansion of the Internet has been followed and documented by some inter-
esting projects, one of the most well-known being the 'Internet Mapping Project' (see
https://en.wikipedia.org/wiki/Internet_Mapping_Project). One of its outcomes is Lumeta
(https://www.firemon.com/products/lumeta/), which provides useful information about the global
Internet.
Given the scope, the community naturally began to use the prefix Cyber, merely
seeking to convey the idea of magnitude, but without significantly altering its
fundamentals. Therefore, talking about Cybersecurity or InfoSec at the level of the
fundamentals is no different, the distinction being relevant only when analyzing specific
contexts or technologies. But it is indeed a highly demanding job, from all the engineering,
operating, and managing perspectives.
Over the past few decades, Cybersecurity problems have been alarmingly accen-
tuated. After attracting the interest of 'harmless' hackers (frequently young students
or self-taught technicians, driven by curiosity or just the challenge), the rapid in-
crease in profit from Cybercrime, coupled with a relatively low perceived risk
of being caught, began to attract organized criminal groups. Contributing to this
trend is also the development of increasingly sophisticated attack tool frameworks,
requiring ever lower technical skills to operate.
It is therefore not surprising to notice a rise in news related to cyber attacks,
targeting all types of organizations and even individuals, accompanied by a remark-
able effort by different institutions to put in place a strong security culture. As
an example of this effort, in Europe ENISA² organizes a Cybersecurity month (with
several events to raise Cybersecurity awareness in general), and promotes standards, reg-
ulations, projects, policies, strategies, a multinational cyber-exercise, a network of
emergency response centers (CERTs³), and periodic reports that expose the main
dangers and trends [36, 160] – see the example in Figure 1.1. The same effort is very
evident in the USA, mainly through NIST⁴, in many other countries, and even in
organizations of broad scope, such as NATO's Cyber Security Centre⁵, a spe-
cialized unit within NATO's NCI Agency. Unfortunately, these efforts appear
to be much more reactive than proactive, which makes cybersecurity professionals
seem to be chasing the damage instead of the cause, most of the time.
This scenario's foreseeable evolution does not seem to alter this trend, as de-
scribed in a report by the European Parliamentary Research Service [106], which
contains some impressive projections: in 2030 we may have about 125 billion inter-
connected devices; 90% of the population will be on-line; and Cybercrime will cost
an estimated €530,000 million. That is why it is imperative to adopt a more effective
Cybersecurity strategy and way of designing more secure cyber systems. But
how should we approach this? How can we deal with legacy systems, about which
we do not know many details? How can we manage technological complexity by con-
trolling security aspects in big software stacks? How can we anticipate and prevent
human errors or deviant behaviors? And, above all, how do we balance flexibility with
Cybersecurity and its impact on profit (or, who will pay the Cybersecurity bill)? In
this book, we will try to work on answers to some of those questions.

² European Union Agency for Cybersecurity; more information available at
https://www.enisa.europa.eu/
³ Computer Emergency Response Teams
⁴ National Institute of Standards and Technology; more information available at
https://www.nist.gov/
⁵ More information available at https://www.ncia.nato.int/what-we-do/cyber-security.html

Figure 1.1: Example of the threat landscape provided by ENISA, for 2018 [160]
First things first: we cannot approach Cybersecurity without knowing the fun-
damentals. Despite some (interesting) discussions about approaching it as a science
(with some relevance especially with regard to security metrics, as we will address
at the end of this chapter), this is a subjective topic, since it is tough to establish any
type of laws governing it. So, Cybersecurity is mostly supported by concepts, prin-
ciples, standards, and good practices. We will cover those immediately after describing
the type of problem that an engineer can face when approaching the need to build
a system taking into account also (non-functional) InfoSec requirements.
1.3 Problem statement and chapter exercise description

Usually, engineers are trained to design and implement Information Systems based
mainly on functional requirements. This is understandable, since functions are in-
trinsic characteristics of a business model, contributing to the system's added value.
In fact, except in more critical systems, statements such as information cannot
be modified when transferred, or information cannot be accessed by a third party, are
very unusual. Users and engineers often assume that these properties are observed
by construction, since the underlying technologies are correct, whatever that
means. Nothing is as far from the truth as this assumption.
With the awareness about the level of threats currently posed to the Information
Systems, it becomes dangerous to develop them without considering those threats.
It is no longer enough to approach InfoSec as something done after the project is
completed, or when problems arise. On the contrary, vulnerabilities, threats, and
security requirements must be known beforehand, and security solutions must be
incorporated throughout the project.
But security problems are very diverse, and it can be very difficult to character-
ize them correctly. Attacks can exploit vulnerabilities in the technological infrastructure,
in business processes, or even in human resources, the latter usually being very difficult to
analyze. Additionally, they can be perpetrated by external agents, from
anywhere in Cyberspace, or by internal agents, people we normally trust. In any case,
attackers may have unexpected motivations and, sometimes, use unknown tools.
Within such an uncertain scenario, it is not a simple task to choose the most effec-
tive and efficient security controls, nor to evaluate them within an InfoSec
management logic. Figure 1.2 depicts the general function of a Cybersecurity Engineer,
who is required to carefully analyse the context (both technological and personal), its vul-
nerabilities, threats and possible attacks, and to decide on deploying effective and
efficient security controls, targeting both the technological infrastructure and its users. More-
over, since most systems are supposed to work continuously, the initial risk analysis
must be complemented by a continuous monitoring process to assess the efficiency of
mitigation controls and incorporate the required adjustments.
Over the course of several years trying to systematize this process, many models
have been developed. The vast majority of these models use the same concepts,
focusing on risk assessment. Nevertheless, the models reflect the need to adjust to
different realities, taking into account specific aspects of organizations, such as size,
sector of activity, or level of technological literacy.
When facing these challenges, a Cybersecurity engineer should be able to choose
a proper InfoSec model and apply it, starting with the required risk evaluation
and using, as much as possible, the standards, good practices and expertise of all
stakeholders. This chapter aims to explore the fundamental knowledge about this
topic, guiding the reader through standards and related documents and giving the necessary
context to train the required skills.
Figure 1.2: Cybersecurity Engineer general role

1.4 Information Security Model based on ISO/IEC 27001

It is commonly accepted that InfoSec is a process to protect some fundamen-
tal properties of Information Systems, namely confidentiality, integrity, and
availability – frequently referred to as the CIA triad. InfoSec falls within the broader
Systems Engineering concept of Dependability, defined as the quality of a system that
allows us to justifiably trust the service it offers. To be trustworthy, we need to mea-
sure some system characteristics which, when compared to reference (or require-
ment) values, support the dependability justification [7, 10].
Figure 1.3 presents how the different concepts relate to dependability, in a mind
map format. Faults are the origin of system malfunction, in any of its components,
and errors are the inconsistent states (with respect to the system specification) in which the system
is placed as a consequence of faults. When errors become effective and cause external
manifestations, we call them failures. Failures can cause other faults. When design-
ing a system, engineers can use some well-known techniques or methods to properly
handle faults, following one or more of the strategies: tolerance, prevention, fore-
casting, and removal or avoidance. However, this is possible only when faults are
properly recognized.
Reliability, availability, and maintainability are a set of measurable properties
impacting dependability. They are evaluated using mainly error or failure rates, as well
as the system's working and recovery times.
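As an added illustration (not from the book) of what "measurable" means here, take the steady-state availability of a repairable system, which follows directly from the two times just mentioned, the mean time between failures (MTBF) and the mean time to repair (MTTR):

$$A = \frac{\text{MTBF}}{\text{MTBF} + \text{MTTR}}$$

For a hypothetical server with MTBF = 1000 h and MTTR = 2 h, A = 1000/1002 ≈ 0.998, i.e. about 99.8%, and the same data gives the failure rate λ = 1/MTBF = 0.001 h⁻¹. Both quantities can be estimated from incident and recovery logs; no comparable formula exists for confidentiality or integrity.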
In Figure 1.3, InfoSec is seen as another dependability dimension, much more com-
plex and not so easy (if even possible) to evaluate, at least in a similar way, as we
will discuss throughout this book, but with a larger focus in Section 1.8. From this
perspective, one can argue whether it is legitimate to have InfoSec at the level of the other
simple and objective concepts. But looking at the dependability definition and the
importance of being able to establish a justifiable trust level concerning InfoSec,
the relation becomes more pertinent, even taking into account that InfoSec encom-
passes a much more subjective set of properties. Not so relevant to the study in
question, but more for the sake of completing the description, Safety is also a mea-
surable property of dependability, but related to faults that can lead to catastrophic
effects – typically pertaining to critical systems.

Figure 1.3: InfoSec in the broader context of Dependability
Notwithstanding the relation with dependability, by its complex and less objec-
tive nature, InfoSec did not evolve using the same logic, and the related communi-
ties soon presented some models that redefine some similar concepts. One obvious
sign is the use of availability as a central InfoSec property, while it was already
defined in the dependability context, albeit with a more limited scope. By the way,
it is important to observe an essential difference between availability and the other
two InfoSec fundamental properties. While the first is measurable in most situations,
the last two are not. In fact, confidentiality and integrity are almost impossible to
measure, which makes them ill-suited to the dependability concept, this being
one of the reasons for the emergence of different models.
Given the limited capacity to measure most of the InfoSec properties objectively,
the developed models turn their attention to the concept of risk. It combines the
intrinsic value of an asset – any Information System component relevant in terms
of security – and the probability of a failure occurring. Neither of these values is
easy to determine, but nothing forces us to use quantitative values, it being possible
(and frequently the only option) to use a qualitative assessment. Risks can be prioritized,
establishing an order for choosing mitigating actions.
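The qualitative assessment just described can be made concrete with a small risk register. The following Python example is added here and is not code from the book: it scores each asset/threat pair from an ordinal asset value and an ordinal likelihood through a risk matrix, then orders the register so that mitigating actions can be chosen from the top. The matrix, the low/medium/high scale and the register entries are assumptions of this example; an organisation would define its own.

```python
"""Qualitative risk scoring and prioritisation.

Added example, not from the book. Each register entry records an asset, a
threat, the asset's value (impact if the failure occurs) and the likelihood of
that failure, all on an ordinal low/medium/high scale rather than as numbers.
The matrix and the register entries are constructed for illustration.
"""
from typing import List, NamedTuple

LEVELS = ("low", "medium", "high")          # ordinal scale, lowest first

# Risk matrix: RISK_MATRIX[likelihood][value] -> risk level.
# The mapping is an assumption of this example; an organisation defines its own.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


class RiskEntry(NamedTuple):
    asset: str
    threat: str
    value: str        # intrinsic value of the asset / impact of a failure
    likelihood: str   # probability that the failure occurs, qualitatively


def _check_level(name: str, level: str) -> None:
    """Reject levels outside the agreed scale instead of silently mis-ranking."""
    if level not in LEVELS:
        raise ValueError(f"{name} must be one of {LEVELS}, got {level!r}")


def risk_level(value: str, likelihood: str) -> str:
    """Combine asset value and likelihood into a qualitative risk level."""
    _check_level("value", value)
    _check_level("likelihood", likelihood)
    return RISK_MATRIX[likelihood][value]


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Return the register ordered from highest to lowest risk.

    Ties on risk level are broken by asset value, then by likelihood, so that
    among equally risky entries the more valuable asset is treated first.
    """
    def sort_key(entry: RiskEntry):
        return (LEVELS.index(risk_level(entry.value, entry.likelihood)),
                LEVELS.index(entry.value),
                LEVELS.index(entry.likelihood))
    return sorted(register, key=sort_key, reverse=True)


# Constructed sample register (hypothetical assets and threats).
SAMPLE_REGISTER = [
    RiskEntry("customer database", "SQL injection via web app", "high", "medium"),
    RiskEntry("office printer", "firmware tampering", "low", "low"),
    RiskEntry("VPN gateway", "credential stuffing", "high", "high"),
    RiskEntry("internal wiki", "accidental deletion", "medium", "medium"),
    RiskEntry("public website", "defacement", "medium", "high"),
]

if __name__ == "__main__":
    for e in prioritise(SAMPLE_REGISTER):
        print(f"{risk_level(e.value, e.likelihood):<6} {e.asset:<18} {e.threat}")
```

Run as a script, the example lists the VPN gateway first (high value, high likelihood), then the customer database, which shares the "high" risk level but has a lower likelihood, and the office printer last. The explicit tie-breaking matters: a three-level matrix produces many ties, and without a stated rule two analysts would order the same register differently.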
Over several years of study and research, several organizations, public and pri-
vate, have developed models that seek to properly articulate all the necessary con-
cepts and deal conveniently with InfoSec’s level of complexity. One of these organi-
zations, ISO, stands out for its scope – more on this subject along the chapter.
Among all the models available, we will take inspiration from the one described in
the ISO/IEC 27001 standard (prepared by ISO/IEC JTC 1), which is one of the most frequently referred to for
its generality and wide dissemination [136], complemented by the experience of using some
related tools. The model is presented in Figure 1.4 and the main concepts behind it
are summarized in the next subsections [87].

Figure 1.4: General InfoSec Model

1.4.1 Main Information Security Properties

When approaching an Information System from the security point of view, we need
to define clearly what properties we want to promote or, stated differently,
what the security objectives are. Actually, this is no different from what an
engineer needs to do from any other functional or non-functional point of view. But
since security is usually not the main concern (even when it should be!), it is not,
at large, addressed systematically. Over several years of research, the community
reached a consensus about what we can consider the main security properties:
• Confidentiality – the capacity to assure that only authorized subjects access
the information.
• Integrity – the capacity to assure that information is only modified as expected
(by whom, and in what way).
• Availability – the capacity to assure that information is always available when
necessary.
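
The following Python example is added here and is not code from the book. It makes the integrity property concrete and shows where it stops: an unkeyed hash detects that a record was changed, but anyone who can change the record can recompute the hash, so the check says nothing about who produced the record. A keyed MAC (HMAC) over the same record can be produced only by a holder of the key, which is the kind of guarantee the text later calls authenticity. The toy health record, the tampered copy and the key are constructed for illustration.

```python
"""Integrity check versus authenticity check.

Added example, not from the book. An unkeyed hash lets a reader detect that a
record changed, but whoever changes the record can recompute the hash too, so
the hash says nothing about who produced the record. A keyed MAC (HMAC) binds
the record to a secret, so only a holder of the key can produce a valid tag.
The record, the key and the tampered copy are constructed for illustration.
"""
import hashlib
import hmac

# Constructed data: a toy health record and a modified copy.
ORIGINAL = b"patient=1234;diagnosis=flu;prescription=rest"
TAMPERED = b"patient=1234;diagnosis=flu;prescription=opioids"
# Hypothetical key shared between the doctor's system and the verifier.
DOCTOR_KEY = b"constructed-demo-key-do-not-reuse"


def integrity_digest(record: bytes) -> str:
    """Unkeyed integrity check: SHA-256 of the record."""
    return hashlib.sha256(record).hexdigest()


def integrity_ok(record: bytes, digest: str) -> bool:
    return hmac.compare_digest(integrity_digest(record), digest)


def authenticity_tag(key: bytes, record: bytes) -> str:
    """Keyed check: HMAC-SHA256 over the record, computable only with `key`."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()


def authenticity_ok(key: bytes, record: bytes, tag: str) -> bool:
    # compare_digest avoids leaking where the comparison fails (timing side channel)
    return hmac.compare_digest(authenticity_tag(key, record), tag)


def scenario() -> dict:
    """Doctor issues the record with both checks attached; an attacker without
    the key replaces the record and recomputes what they can. Returns which
    checks still pass afterwards."""
    digest = integrity_digest(ORIGINAL)
    tag = authenticity_tag(DOCTOR_KEY, ORIGINAL)

    # The attacker swaps the record and recomputes the public hash...
    forged_digest = integrity_digest(TAMPERED)
    # ...but has no key, so can only replay the doctor's original tag.
    replayed_tag = tag

    return {
        "hash_detects_tampering": not integrity_ok(TAMPERED, digest),
        "hash_fooled_by_recompute": integrity_ok(TAMPERED, forged_digest),
        "mac_rejects_tampering": not authenticity_ok(DOCTOR_KEY, TAMPERED, replayed_tag),
        "mac_accepts_original": authenticity_ok(DOCTOR_KEY, ORIGINAL, tag),
    }


if __name__ == "__main__":
    for check, passed in scenario().items():
        print(f"{check:<26} {passed}")
```

All four checks in the scenario come out true: the stored hash catches the tampering only as long as the attacker cannot replace it, while the MAC rejects the tampered record even though the attacker replays a genuine tag. One caveat for the health-record case: an HMAC proves only that some holder of the shared key produced the tag, so a verifier that holds the same key could forge it too. A doctor's signature that must be attributable to one person (non-repudiation) needs an asymmetric digital signature, where only the signer holds the private key.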

The CIA triad is assumed to comprise the fundamental InfoSec properties. But in some
situations, we may need to use more explicit properties. As an example, a health
record must include a doctor's signature since, by its nature, it is important to
assure authenticity. We may argue this is covered by integrity, but making
authenticity a fundamental security property, in this case, seems more robust.
The 27001 standard does not force us to use only the main three properties, even
