The OSI model, which was first introduced by the International Organization for

Standardization (ISO) in 1977, is a reference that specifies the transferring of data

from one computer to another computer. The layered stack of the OSI (Open System
Interconnection) reference model is made up of seven layers and each has a specific
communication purpose to ensure reliable data flow between computers.
The goal of following the approach of the layered stack in the framework is to make network
application and hardware development, management, and troubleshooting more specified
and straightforward. Each layer is independent and self-contained so that it can carry out its
communication tasks. The OSI model’s application layer is at the top, while the physical layer
is at the bottom as shown below.

Protocol Data Unit (PDU)

Each layer’s information is referred to as a Protocol Data Unit (PDU). Along with the
data, it contains protocol-specific control information. Each layer will add (or delete)
its protocol information as a PDU moves down (or up) each layer. The PDU is given a
different name at each layer to represent its role. So, in a computer network, it refers
to a block of information that is transferred between network end systems. As the
name implies, it is used for Open System Interconnection (OSI) model since it varies
with layer-specific protocols and conventions. In a protocol stack, different layers
have different types of data to be transferred.
There are seven layers in the OSI Model as shown below and in the whole process of
transferring information between these layers, only data goes through changes.
Below mentioned are the layers of the OSI Model:

1.Physical Layer
2.Data Link Layer
3.Network Layer
4.Transport Layer
5.Session Layer
6.Presentation Layer
7.Application Layer
For example, in Layer 4, the PDU of the Transport Layer is referred to as
a segment based on TCP (Transmission Control Protocol) and with UDP (User
Datagram Protocol) PDU is referred to as a datagram.

Layer 3, the PDU of the Network Layer is referred to as a packet.

Layer 2, the PDU of the Data Link Layer is referred to as a frame.

 Layer 1, the PDU of the Physical Layer is referred to as bit (1s or 0s).
Note: Layer 5 and above, the PDU is referred to as data.

Protocol Data Unit

For Internet Protocol Suite

The PDU of the Transport Layer is referred to as a segment based on TCP

(Transmission Control Protocol) and with UDP (User Datagram Protocol) PDU is
referred to as a datagram.

The PDU of the Internet Layer is referred to as a packet.

The PDU of the Link Layer is referred to as a frame.

Encapsulation of Protocol Data Unit (PDU):
 When one PDU is wrapped inside another PDU then it is referred to as
Encapsulation. It generally occurs when one protocol data unit (PDU) is transported
inside the data field of the lower protocol data unit (PDU). In other words, a PDU
contains data comprising relevant lower layer header information and is received
from an upper network layer. This information has been prepared for transmission to
the next lower layer in a row i.e. network layer. As data flows from one layer to the
next, the PDU identifies its state. The major difference between Protocol Data Unit
(PDU) and Service Data Unit (SDU) lies in the encapsulation as Service Data Units
have not been able to encapsulate lower layer data transmission yet.
The following table illustrates the PDU of each protocol stack layer.

Layer Layer
Description
No. Name

Layer Physical In this layer, PDU is bits (1s or 0s) for the transmission of data
1 Layer on the network.

In this layer, PDU comprises-

 Original data with TCP/UDP header
 Network layer header and
Layer Data Link
2 Layer  Data Link Layer header contains MAC (Medium Access Control)
addresses or physical addresses of sender and receiver. The trailer
is also added to this layer.
PDU is called a frame in the Data Link Layer.

In this layer, PDU comprises-

 Data with TCP/UDP headers
Layer Network
3 Layer  The network layer header contains Logical Addresses or IP
Addresses of the sender and receiver.
PDU is called a packet in Network Layer.

Layer Transport In this layer, PDU comprises-

4 Layer
 Data with TCP/UDP headers having sender’s and receiver’s
TCP/UDP port numbers.
PDU is called segment or datagram in Transport Layer
depending upon the protocol used. For TCP (connection-
oriented protocol), it is segmented and for UDP (connectionless
protocol) it is a datagram.
Layer Session
In this layer, PDU is data.
5 Layer

Layer Presentatio
In this layer, PDU is data.
6 n Layer

Layer Application In this layer, PDU contains original data made from a network
7 Layer application.

TCP AND UDP VULNERABLITIES

TCP Segment Header
While some attacks target IP, this topic discusses attacks that target TCP and UDP.
TCP segment information appears immediately after the IP header. The fields of the TCP
segment and the flags for the Control Bits field are displayed in the figure.
 TCP Segment Header
The following are the six control bits of the TCP segment:
URG – Urgent pointer field significant
ACK – Acknowledgment field significant
PSH – Push function
RST- Reset the connection
SYN – Synchronize sequence numbers
FIN – No more data from sender
TCP Services
TCP provides these services:
Reliable delivery – TCP incorporates acknowledgments to guarantee delivery, instead of
relying on upper-layer protocols to detect and resolve errors. If a timely acknowledgment is not
received, the sender retransmits the data. Requiring acknowledgments of received data can
cause substantial delays. Examples of application layer protocols that make use of TCP
reliability include HTTP, SSL/TLS, FTP, DNS zone transfers, and others.
Flow control – TCP implements flow control to address this issue. Rather than acknowledge
one segment at a time, multiple segments can be acknowledged with a single acknowledgment
segment.
Stateful communication – TCP stateful communication between two parties occurs during
the TCP three-way handshake. Before data can be transferred using TCP, a three-way
handshake opens the TCP connection, as shown in the figure. If both sides agree to the TCP
connection, data can be sent and received by both parties using TCP.
TCP Three-Way Handshake

TCP Three-Way Handshake

A TCP connection is established in three steps:
The initiating client requests a client-to-server communication session with the server.
The server acknowledges the client-to-server communication session and requests a
server-to-client communication session.
The initiating client acknowledges the server-to-client communication session.
TCP Attacks
Network applications use TCP or UDP ports. Threat actors conduct port scans of target
devices to discover which services they offer.
TCP SYN Flood Attack
The TCP SYN Flood attack exploits the TCP three-way handshake. The figure shows a threat
actor continually sending TCP SYN session request packets with a randomly spoofed source
IP address to a target. The target device replies with a TCP SYN-ACK packet to the spoofed
IP address and waits for a TCP ACK packet. Those responses never arrive. Eventually the
target host is overwhelmed with half-open TCP connections, and TCP services are denied to
legitimate users.
TCP SYN Flood Attack

TCP SYN Flood Attack

1.The threat actor sends multiple SYN requests to a web server.
2.The web server replies with SYN-ACKs for each SYN request and waits to complete the
three-way handshake. The threat actor does not respond to the SYN-ACKs.
3.A valid user cannot access the web server because the web server has too many half-
opened TCP connections.
TCP Reset Attack
A TCP reset attack can be used to terminate TCP communications between two hosts. TCP
can terminate a connection in a civilized (i.e., normal) manner and uncivilized (i.e., abrupt)
manner.
The figure displays the civilized manner when TCP uses a four-way exchange consisting of a
pair of FIN and ACK segments from each TCP endpoint to close the TCP connection.
The uncivilized manner is when a host receives an TCP segment with the RST bit set. This is
an abrupt way to tear down the TCP connection and inform the receiving host to immediately
stop using the TCP connection.
A threat actor could do a TCP reset attack and send a spoofed packet containing a TCP RST
to one or both endpoints.
Terminating a TCP Connection

Terminating a TCP Connection

Terminating a TCP session uses the following four-way exchange process:
When the client has no more data to send in the stream, it sends a segment with the FIN
flag set.
The server sends an ACK to acknowledge the receipt of the FIN to terminate the session
from client to server.
The server sends a FIN to the client to terminate the server-to-client session.
The client responds with an ACK to acknowledge the FIN from the server.
TCP Session Hijacking
TCP session hijacking is another TCP vulnerability. Although difficult to conduct, a threat actor
takes over an already-authenticated host as it communicates with the target. The threat actor
must spoof the IP address of one host, predict the next sequence number, and send an ACK
to the other host. If successful, the threat actor could send, but not receive, data from the
target device.
UDP Segment Header and Operation
UDP is commonly used by DNS, TFTP, NFS, and SNMP. It is also used with real-time
applications such as media streaming or VoIP. UDP is a connectionless transport layer
protocol. It has much lower overhead than TCP because it is not connection-oriented and
does not offer the sophisticated retransmission, sequencing, and flow control mechanisms
that provide reliability. The UDP segment structure, shown in the figure, is much smaller than
TCP’s segment structure.

UDP Segment Header and Operation

Although UPD is normally called unreliable, in contrast to TCP’s reliability, this does not mean
that applications that use UDP are always unreliable, nor does it mean that UDP is an inferior
protocol. It means that these functions are not provided by the transport layer protocol and
must be implemented elsewhere if required.
The low overhead of UDP makes it very desirable for protocols that make simple request and
reply transactions. For example, using TCP for DHCP would introduce unnecessary network
traffic. If no response is received, the device resends the request.
UDP Attacks
UDP is not protected by any encryption. You can add encryption to UDP, but it is not available
by default. The lack of encryption means that anyone can see the traffic, change it, and send
it on to its destination. Changing the data in the traffic will alter the 16-bit checksum, but the
checksum is optional and is not always used. When the checksum is used, the threat actor
can create a new checksum based on the new data payload, and then record it in the header
as a new checksum. The destination device will find that the checksum matches the data
without knowing that the data has been altered. This type of attack is not widely used.
UDP Flood Attacks
You are more likely to see a UDP flood attack. In a UDP flood attack, all the resources on a
network are consumed. The threat actor must use a tool like UDP Unicorn or Low Orbit Ion
Cannon. These tools send a flood of UDP packets, often from a spoofed host, to a server on
the subnet. The program will sweep through all the known ports trying to find closed ports.
This will cause the server to reply with an ICMP port unreachable message. Because there
are many closed ports on the server, this creates a lot of traffic on the segment, which uses
up most of the bandwidth. The result is very similar to a DoS attack.

What is Defense in Depth?

Defense in depth is a strategy that leverages multiple security measures to protect an
organization's assets. The thinking is that if one line of defense is compromised, additional layers
exist as a backup to ensure that threats are stopped along the way. Defense in depth addresses
 the security vulnerabilities inherent not only with hardware and software but also with people,
as negligence or human error are often the cause of a security breach.
Today’s cyber threats are growing rapidly in scale and sophistication. Defense in depth is a
comprehensive approach that employs a combination of advanced security tools to protect an
organization's endpoints, data, applications, and networks. The goal is to stop cyber threats
before they happen, but a solid defense-in-depth strategy also thwarts an attack that is
already underway, preventing additional damage from taking place.
Antivirus software, firewalls, secure gateways, and virtual private networks (VPNs) serve as
traditional corporate network defenses and are certainly still instrumental in a defense-in-
depth strategy. However, more sophisticated measures, such as the use of machine learning
(ML) to detect anomalies in the behavior of employees and endpoints, are now being used to
build the strongest and most complete defense possible.
A Changing Work Environment and Threat Landscape
Defense in depth is needed now more than ever as more employees work from home and as
organizations increasingly rely on cloud-based services. With employees working from home,
organizations must address the security risks associated with employees using their own devices
for work and their home Wi-Fi connection to enter the corporate network.
Even with IT resources in place, vulnerabilities are inherent in devices used for both work and
personal use—vulnerabilities exploited by cyber criminals. Further, with more companies
using cloud-hosted, Software-as-a-Service (SaaS) applications, many of which are mission-
critical, the privacy and security of an increasing amount of data entered through websites
remain difficult to manage.
Defense in Depth is Similar To Physical Security
The concept of defense in depth is no different from physical security, such as that used for a
building or to start work in an office environment. Building security has many layers, some of
which may be considered redundant:
1. An employee uses a key card to enter the building.
2. A security guard keeps watch in the lobby.
3. Security cameras record all movements in the lobby, on each floor, and in the elevator.
4. Once arriving at her floor, an employee must use her key card to open the door to the office
floor.
5. Once at her desk, the employee turns on her computer and enters her password and
temporary four-digit code (two-factor authentication) to log in to the company network.
These are, of course, just a handful of security steps that the employee must take to begin
work for the day. Some of these may seem unnecessary and some measures may seem
stronger than others, but taken together, they are analogous to a defense-in-depth strategy in
place within organizations.
Common Cybersecurity Issues
The following are some common issues organizations have to deal with when implementing
a cybersecurity strategy:
1. Anti-malware software has not been updated or is not installed on all devices.
 2. Employees have not been trained and are falling victim to phishing schemes.
3. Software patches are not being updated or are ignored.
4. Security policies are not enforced or even known by employees.
5. Missing or poorly implemented encryption.
6. Remote employees are connecting to unsecured networks, such as the public internet.
7. Physical security flaws, such as unsecured server rooms.
8. Business partners, such as cloud service providers, are not fully secure.
Imagine all of these issues taking place at once. The only way for an enterprise to defend
itself from vulnerabilities is with a solid, comprehensive defense-in-depth strategy. If one
measure fails, another measure is on standby ready to take action.
The Different Elements of a Defense-in-Depth System
The multi-tiered approach to security in a defense-in-depth system incorporates elements
from the following areas:
1. Physical controls: Examples include key cards to enter a building or scanners to read
fingerprints.
2. Network security controls: This is software that authenticates an employee to enter the
network and use a device or application.
3. Administrative controls: This authorizes employees, once authenticated, to access only
certain applications or parts of the network.
4. Antivirus: This is the tool that stops malicious software from entering the network and
spreading.
5. Behavioral analysis: Algorithms and ML can detect anomalies in the behavior of employees
and in the applications and devices themselves.
How Does Defense in Depth Help?
By layering and even duplicating security processes, the likelihood of a breach is minimized.
Most organizations recognize that a single layer of security or a single point product (e.g., a
firewall) does not go far enough to protect the enterprise from the increasing sophistication of
today's cyber criminals.
For example, if a hacker successfully infiltrates an organization's network, defense in depth
gives administrators time to launch countermeasures. Antivirus software and firewalls should
be in place to block further entry, protecting the organization's applications and data from
compromise.
Redundancy in security may, at first glance, seem wasteful. However, a defense-in-depth
strategy prevents threats because when one security product fails, another security product is
in place to take over.
What is Layered Security and How Does it Relate To Defense in Depth?
Though used interchangeably (and incorrectly), the term "layered security" is not the same as
defense in depth.
Layered security is having multiple products in place to address one single aspect of security.
The products may be very similar and aim to do the same job, but in a layered security
strategy, they are both necessary. Using seemingly redundant products strengthens the
enterprise's defense against threats.
For example, a gateway and a firewall both determine which data should be allowed to enter
the network. There are certainly differences between the two—a gateway is hardware while a
firewall is both hardware and software—but they both aim to restrict access to certain
websites and applications. Once the gateway and firewall have done their jobs—an employee
has been allowed to visit a particular website, for example—another security product or
service will have to take over if the employee wants to enter a password to log in to that
website.
The next security product can be multi-factor authentication (MFA), which prevents access to a
website unless multiple credentials are provided. In other words, layered security only addresses
one dimension of security or one vector of attack while defense in depth is broader, multi-faceted,
and more strategic in scope. It can also be said that layered security is a subset of defense in
depth.
A layered security strategy is evaluated in three different areas: administrative, physical, and
technical. Administrative controls include the policies and procedures needed to restrict
unauthorized access, such as role-based access control (RBAC) or employee training to protect
against phishing scams. Physical controls incorporate physically securing access to the IT
system, such as locking server rooms, while technical controls include the mix of products and
services the organization selects to address security.
What Are the Essentials Layers in a Defense-in-Depth Mechanism?
Core layers to carry out a defense in depth strategy should include:
1. Strong, complex passwords
2. Antivirus software
3. Secure gateway
4. Firewall
5. Patch management
6. Backup and recovery
7. The principle of least privilege, or giving a user the minimum access level or permissions
needed to do his or her job
As companies grow and the number of devices, applications, and services used across the
organization increases, these serve as important security layers in a defense-in-depth
strategy:
1. Two-factor authentication (2FA) or multi-factor authentication (MFA)
2. Intrusion detection and prevention systems
3. Endpoint detection and response (EDR)
4. Network segmentation
5. Encryption
 6. Data loss prevention
7. VPNs

Security Policies
Security policies are a formal set of rules which is issued by an organization to ensure that the
user who are authorized to access company technology and information assets comply with
rules and guidelines related to the security of information. It is a written document in the
organization which is responsible for how to protect the organizations from threats and how to
handles them when they will occur. A security policy also considered to be a "living document"
which means that the document is never finished, but it is continuously updated as
requirements of the technology and employee changes.
Need of Security policies-
1) It increases efficiency.
The best thing about having a policy is being able to increase the level of consistency which
saves time, money and resources. The policy should inform the employees about their
individual duties, and telling them what they can do and what they cannot do with the
organization sensitive information.
2) It upholds discipline and accountability
When any human mistake will occur, and system security is compromised, then the security
policy of the organization will back up any disciplinary action and also supporting a case in a
court of law. The organization policies act as a contract which proves that an organization has
taken steps to protect its intellectual property, as well as its customers and clients.
3) It can make or break a business deal
It is not necessary for companies to provide a copy of their information security policy to other
vendors during a business deal that involves the transference of their sensitive information. It
is true in a case of bigger businesses which ensures their own security interests are protected
when dealing with smaller businesses which have less high-end security systems in place.
4) It helps to educate employees on security literacy
A well-written security policy can also be seen as an educational document which informs the
readers about their importance of responsibility in protecting the organization sensitive data. It
involves on choosing the right passwords, to providing guidelines for file transfers and data
storage which increases employee's overall awareness of security and how it can be
strengthened.
We use security policies to manage our network security. Most types of security policies are
automatically created during the installation. We can also customize policies to suit our
specific environment. There are some important cybersecurity policies recommendations
describe below-
1. Virus and Spyware Protection policy
This policy provides the following protection:
 It helps to detect, removes, and repairs the side effects of viruses and security risks
by using signatures.
It helps to detect the threats in the files which the users try to download by using
reputation data from Download Insight.
It helps to detect the applications that exhibit suspicious behaviour by using SONAR
heuristics and reputation data.
2. Firewall Policy
This policy provides the following protection:
It blocks the unauthorized users from accessing the systems and networks that
connect to the Internet.
It detects the attacks by cybercriminals.
It removes the unwanted sources of network traffic.
3. Intrusion Prevention policy
This policy automatically detects and blocks the network attacks and browser attacks. It also
protects applications from vulnerabilities. It checks the contents of one or more data packages
and detects malware which is coming through legal ways.
4. LiveUpdate policy
This policy can be categorized into two types one is LiveUpdate Content policy, and another
is LiveUpdate Setting Policy. The LiveUpdate policy contains the setting which determines
when and how client computers download the content updates from LiveUpdate. We can
define the computer that clients contact to check for updates and schedule when and how
often clients computer check for updates.
5. Application and Device Control
This policy protects a system's resources from applications and manages the peripheral
devices that can attach to a system. The device control policy applies to both Windows and
Mac computers whereas application control policy can be applied only to Windows clients.
6. Exceptions policy
This policy provides the ability to exclude applications and processes from detection by the
virus and spyware scans.
7. Host Integrity policy
This policy provides the ability to define, enforce, and restore the security of client computers
to keep enterprise networks and data secure. We use this policy to ensure that the client's
computers who access our network are protected and compliant with companies? securities
policies. This policy requires that the client system must have installed antivirus.

Unit -4

Access Control Definition

 Access control is a data security process that enables organizations to manage who is
authorized to access corporate data and resources. Secure access control uses policies that
verify users are who they claim to be and ensures appropriate control access levels are
granted to users.
Implementing access control is a crucial component of web application security, ensuring only
the right users have the right level of access to the right resources. The process is critical to
helping organizations avoid data breaches and fighting attack vectors, such as a buffer
overflow attack, KRACK attack, on-path attack, or phishing attack.
What Are the Components of Access Control?
Access control is managed through several components:
1. Authentication
Authentication is the initial process of establishing the identity of a user. For example, when a
user signs in to their email service or online banking account with a username and password
combination, their identity has been authenticated. However, authentication alone is not
sufficient to protect organizations’ data.
2. Authorization
Authorization adds an extra layer of security to the authentication process. It specifies access
rights and privileges to resources to determine whether the user should be granted access to
data or make a specific transaction.
For example, an email service or online bank account can require users to provide two-factor
authentication (2FA), which is typically a combination of something they know (such as a
password), something they possess (such as a token), or something they are (like a biometric
verification). This information can also be verified through a 2FA mobile app or a thumbprint
scan on a smartphone.
3. Access
Once a user has completed the authentication and authorization steps, their identity will be
verified. This grants them access to the resource they are attempting to log in to.
4. Manage
Organizations can manage their access control system by adding and removing the
authentication and authorization of their users and systems. Managing these systems can
become complex in modern IT environments that comprise cloud services and on-premises
systems.
5. Audit
Organizations can enforce the principle of least privilege through the access control audit
process. This enables them to gather data around user activity and analyze that information
to discover potential access violations.
How Does Access Control Work?
Access control is used to verify the identity of users attempting to log in to digital resources.
But it is also used to grant access to physical buildings and physical devices.
Physical Access Control
 Common examples of physical access controllers include:
Barroom Bouncers
Bouncers can establish an access control list to verify IDs and ensure people entering bars
are of legal age.
Subway Turnstiles
Access control is used at subway turnstiles to only allow verified people to use subway
systems. Subway users scan cards that immediately recognize the user and verify they have
enough credit to use the service.
Keycard or Badge Scanners in Corporate Offices
Organizations can protect their offices by using scanners that provide mandatory access
control. Employees need to scan a keycard or badge to verify their identity before they can
access the building.
Logical/Information Access Control
Logical access control involves tools and protocols being used to identify, authenticate, and
authorize users in computer systems. The access controller system enforces measures for
data, processes, programs, and systems.
Signing Into a Laptop Using a Password
A common form of data loss is through devices being lost or stolen. Users can keep their
personal and corporate data secure by using a password.
Unlocking a Smartphone With a Thumbprint Scan
Smartphones can also be protected with access controls that allow only the user to open the
device. Users can secure their smartphones by using biometrics, such as a thumbprint scan,
to prevent unauthorized access to their devices.
Remotely Accessing an Employer’s Internal Network Using a VPN
Smartphones can also be protected with access controls that allow only the user to open the
device. Users can secure their smartphones by using biometrics, such as a thumbprint scan,
to prevent unauthorized access to their devices.
What Is the Difference Between Authentication and Authorization?
Authentication and authorization are crucial to access control in security. Authentication is the
process of logging in to a system, such as an email address, online banking service, or social
media account. Authorization is the process of verifying the user’s identity to provide an extra
layer of security that the user is who they claim to be.
Importance of Access Control in Regulatory Compliance
Access control is crucial to helping organizations comply with various data privacy
regulations. These include:
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that
protects the payment card ecosystem. An access control system is crucial to permitting or
denying transactions and ensuring the identity of users.
 HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was created to protect
patient health data from being disclosed without their consent. Access control is vital to
limiting access to authorized users, ensuring people cannot access data that is beyond their
privilege level, and preventing data breaches.
SOC 2
Service Organization Control 2 (SOC 2) is an auditing procedure designed for service
providers that store customer data in the cloud. It ensures that providers protect the privacy of
their customers and requires organizations to implement and follow strict policies and
procedures around customer data. Access control systems are crucial to enforcing these
strict data security processes.
ISO 27001
The International Organization for Standardization (ISO) defines security standards that
organizations across all industries need to comply with and demonstrate to their customers
that they take security seriously. ISO 27001 is the ISO’s gold standard of information security
and compliance certification. Implementing access controls is crucial to complying with this
security standard.
What Are the Different Types of Access Controls?
There are various types of access controls that organizations can implement to safeguard
their data and users. These include:
1. Attribute-based Access Control (ABAC)
ABAC is a dynamic, context-based policy that defines access based on policies granted to
users. The system is used in identity and access management (IAM) frameworks.
2. Discretionary Access Control (DAC)
DAC models allow the data owner to decide access control by assigning access rights to
rules that users specify. When a user is granted access to a system, they can then provide
access to other users as they see fit.
3. Mandatory Access Control (MAC)
MAC places strict policies on individual users and the data, resources, and systems they want
to access. The policies are managed by an organization’s administrator. Users are not able to
alter, revoke, or set permissions.
4. Role-Based Access Control (RBAC)
RBAC creates permissions based on groups of users, roles that users hold, and actions that
users take. Users are able to perform any action enabled to their role and cannot change the
access control level they are assigned.
5. Break-glass Access Control
Break-glass access control involves the creation of an emergency account that bypasses
regular permissions. In the event of a critical emergency, the user is given immediate access
to a system or account they would not usually be authorized to use.
6. Rule-based Access Control
 A rule-based approach sees a system admin define rules that govern access to corporate
resources. These rules are typically built around conditions, such as the location or time of
day that users access resources.
What Are Some Methods for Implementing Access Control?
One of the most common methods for implementing access controls is to use VPNs. This
enables users to securely access resources remotely, which is crucial when people work
away from the physical office. Companies can use VPNs to provide secure access to their
networks when employees are based in various locations around the world. While this is ideal
for security reasons, it can result in some performance issues, such as latency.
Other access control methods include identity repositories, monitoring and reporting applications,
password management tools, provisioning tools, and security policy enforcement services.

The administrator can take access to a router or a device through a console but it is very
inconvenient if he is sitting far from the place of that device. So, eventually, he has to take
remote access to that device.
But as remote access will be available by using an IP address, therefore, it is possible that an
unauthorized user can take access using that same IP address therefore for security
measures, we have to put authentication. Also, the packets exchanged between the device
should be encrypted so that any other person should not be able to capture that sensitive
information. Therefore, a framework called AAA is used to provide that extra level of security.

AAA (Authentication, Authorization, Accounting) –

AAA is a standard-based framework used to control who is permitted to use network
resources (through authentication), what they are authorized to do (through
authorization), and capture the actions performed while accessing the network
(through accounting).

1.Authentication –
The process by which it can be identified that the user, which wants to access the
network resources, valid or not by asking some credentials such as username and
password. Common methods are to put authentication on console port, AUX port, or
vty lines.
As network administrators, we can control how a user is authenticated if someone wants to
access the network. Some of these methods include using the local database of that device
(router) or sending authentication requests to an external server like the ACS server. To
specify the method to be used for authentication, a default or customized authentication
method list is used.
 2.Authorization –
It provides capabilities to enforce policies on network resources after the user has
gained access to the network resources through authentication. After the
authentication is successful, authorization can be used to determine what resources is
the user allowed to access and the operations that can be performed.
For example, if a junior network engineer (who should not access all the resources) wants to
access the device then the administrator can create a view that will allow particular
commands only to be executed by the user (the commands that are allowed in the method
list). The administrator can use the authorization method list to specify how the user is
authorized to network resources i.e through a local database or ACS server.

3.Accounting –
It provides means of monitoring and capturing the events done by the user while
accessing the network resources. It even monitors how long the user has access to
the network. The administrator can create an accounting method list to specify what
should be accounted for and to whom the accounting records should be sent.

AAA implementation: AAA can be implemented by using the local database of the
device or by using an external ACS server.

local database – If we want to use the local running configuration of the router or
switch to implement AAA, we should create users first for authentication and provide
privilege levels to users for Authorization.

ACS server – This is the common method used. An external ACS server is used (can
be ACS device or software installed on Vmware) for AAA on which configuration on
both router and ACS is required. The configuration includes creating a user, separate
customized method list for authentication, Authorization, and Accounting.
The client or Network Access Server (NAS) sends authentication requests to the ACS server
and the server takes the decision to allow the user to access the network resource or not
according to the credentials provided by the user.

Threat Intelligence is evidence-based information about cyber attacks that

cyber security experts organize and analyze. This information may include:
Mechanisms of an attack
How to identify that an attack is happening
 Ways different types of attacks might affect the business
Action-oriented advice about how to defend against attacks
Many forms of cyber attacks are common today, including zero-day exploits, malware,
phishing, man-in-the-middle attacks, and denial of service attacks. Different ways of attacking
computer systems and networks constantly evolve as cybercriminals find new vulnerabilities
to exploit. Cyber Threat Intelligence (CTI) helps organizations stay informed about new
threats so that they can protect themselves. Cyber security experts organize, analyze, and
refine the information they gather about attacks to learn from and use it to protect businesses
better.
Threat intelligence (or security intelligence) also helps stop or mitigate an attack that is in
progress. The more an IT team understands about an attack, the better they will be able to
make an informed decision about how to combat it.
What are the types of Threat Intelligence?
There are different types of threat intelligence, from high-level, and non-technical information
to technical details about specific attacks. Here are a few different kinds of threat intelligence:
 Strategic: Strategic threat intelligence is high-level information that puts the threat in context.
It is non-technical information that an organization could present to a board of directors. An
example of strategic threat intelligence is the risk analysis of how a business decision might
make the organization vulnerable to cyber attacks.
 Tactical: Tactical threat intelligence includes the details of how threats are being carried out
and defended against, including attack vectors, tools, and infrastructures attackers are using,
types of businesses or technologies that are targeted, and avoidance strategies. It also helps
an organization understand how likely they are to be a target for different types of attacks.
Cybersecurity experts use tactical information to make informed decisions about security
controls and managing defenses.
 Operational: Operational threat intelligence is information that an IT department can use as
part of active threat management to take action against a specific attack. It is information
about the intent behind the attack, as well as the nature and timing of the attack. Ideally, this
information is gathered directly from the attackers, which makes it difficult to obtain.
 Technical: Technical threat intelligence is specific evidence that an attack is happening or
indicators of compromise (IOCs). Some threat intelligence tools use artificial intelligence to
scan for these indicators, which might include email content from phishing campaigns, IP
addresses of C2 infrastructures, or artifacts from known malware samples.
 What Is AntiMalware Protection
Malicious software (malware) is a program designed to perform malicious activities. For
example, malware can be programmed to spy on browser activity, steal financial information,
or irreversibly encrypt data and demand a ransom.
There are many types of malware—the most common are viruses, worms, trojans,
ransomware, spyware and adware. We discuss each of these types in more detail below.
The majority of malware attacks are delivered through links to malicious websites or malicious
email attachments. Once a user clicks on the link or opens the file, the malware is activated
and starts performing the malicious action it was designed for.
Common Types of Malware
Here are some of the most common types of malware:
Ransomware—malware which is designed to infiltrate computers and encrypt key
files. After these files have been encrypted, the individual behind the ransomware
demands payment for access to the secret key required to decrypt the encrypted
files.
Viruses—malware that functions by infecting different computer programs. For
instance, a virus could overwrite the code of an affected program with its own code
or make the program import and use a malicious code.
Worms—malware that is created to sprawl out to additional infected systems. This
could include malware that spreads by releasing phishing emails or that scans for
different vulnerable computers.
Rootkits—malware that is created to be secretive and can watch a computer user.
Once it has been installed, the rootkit attempts to hide itself so as to avoid
detection by antivirus and other security programs, while exfiltrating and collecting
data for the operator.
Cryptomining malware—cryptocurrency mining programs are created to exploit
cryptocurrencies awards by solving Proof of Work computational puzzles.
Cryptomining malware makes use of the CPU tools of an infected computer to find
solutions to these problems. This enables criminals to win award money.
Botnet—a network of infected computers. Cybercriminals use and control botnets
in order to carry out large-scale, automated attacks, such as Distributed Denial of
Service (DDoS) and credential stuffing. Botnet malware is intended to infect
computers with a place a control and command structure that lets attackers send
commands to the malware so that it carries out the attacker’s intention.
Trojans—malware created to impersonate something. Trojans try to steal the
credentials of online accounts that may offer access to various streams of income
like online bank accounts.
Fileless—a form of malware that avoids detection by traditional antivirus
applications, which scan a computer’s files for indications of malware. This is
achieved by removing custom malicution code and using functionality built into the
system being targeted. This makes fileless malware difficult to detect, because it
doesn’t have the file that matches signatures previously retained by antivirus
applications.
Adware—malware that is created to serve malicious ads to computer users.
Malware developers gain revenue from the advertisers whose ads the author
serves.
How Does Antimalware Software Work?
Antimalware software is a core component of a malware protection strategy. There is a wide
range of antimalware solutions and vendors. The majority use the following security
strategies.
Signature-Based Malware Detection
This type of detection looks for known software components, identifying them using digital
signatures. These signatures are used to flag newly detected software as malware. The
signature-based malware approach can help defend against many common malware types,
like adware, keyloggers, and some types of ransomware.
It can be useful as a first line of defense against malware, but cannot safeguard a system if
threats are new and unknown, or use advanced evasion strategies.
Behavior-Based Malware Detection
This type of detection can support the efforts of security experts, helping them quickly identify,
block, and eradicate malware. Behavior-based malware detection processes employ active
malware analysis, which examines how the malware component behaves, to identify
suspicious processes running on a machine. Behavior-based malware detection is often
powered by machine learning (ML) algorithms.
Sandboxing
Sandboxing can isolate potentially malicious components, separating threats from
the rest of the system or network. Sandboxes are often used to filter potentially
malicious files, ensuring these files are removed before they can damage the
system.
For example, when a user opens an email attachment from an unknown source, a sandbox
can be used to run the file in a virtual environment. The file is not allowed to access the real
operating system or other programs running on the machine—it can only operate within a
safe, isolated environment. If the file behaves suspiciously, it is quarantined for further
analysis, and the user is not allowed to open it outside the sandbox. Traditional sandboxes
have many limitations including latency, detection accuracy, scalability and cost.
A Host-Based Intrusion Detection System, or HIDS, is a type of cybersecurity solution that
monitors IT systems for signs of suspicious activity to detect unusual behaviors or patterns
associated either with human users or applications that could be a sign of a security breach or
attempted attack.
 HIDS systems are so-named because they operate on individual host systems. In this
context, a host could be a server, a PC, or any other type of device that produces logs,
metrics, and other data that can be monitored for security purposes.
Keep reading for everything you need to know about what a HIDS is, how HIDS solutions
work, and how HIDS compares to other types of security tools.
HIDS vs. NIDS
Host-Based Intrusion Detection Systems are similar in some ways to Network Intrusion
Detection Systems, or NIDS, but they are not the same type of solution.
A NIDS monitors for suspicious activity from the perspective of the network, using data
sources like network switch logs. By analyzing this data, a NIDS can look for suspicious
activity.
A HIDS may also monitor network activity, but it does so from the perspective of individual
hosts, not centralized networking equipment like switches. In addition, for a HIDS, network
data is just one of many data sources used for security analysis purposes.
How does Host-Based Intrusion Detection work?
Host-Based Intrusion Detection works by collecting data from servers, computers, and other
host systems, then analyzing the data for anomalies or suspicious activity.
The data that HIDS tools analyze may include security-centric data sources, such as
authentication logs (which record login events). However, a HIDS typically also analyzes other
types of data, like application and operating system logs. Even though the latter types of data
are not related to security specifically, unusual patterns within those data sets could be linked
to security issues.
For example, a HIDS could monitor network traffic flows to detect that an application has
suddenly begun receiving high volumes of requests from previously unknown external IP
addresses. This activity could be the sign of a brute-force login attempt or an effort to probe
the application for vulnerabilities that attackers could exploit. With this information, security
teams could block the offending IP addresses.
To deliver results that are as accurate as possible, a HIDS should link and correlate different
types of data sources, which makes it possible to gain deeper context on potential security
events.
For instance, network traffic logs can be analyzed in conjunction with application event logs
so that the HIDS can determine whether unusual activity on the network correlates with
unusual activity by the application.
In the former case, it’s possible that attackers are trying to find a vulnerability in the
application but have not yet succeeded. In the latter, it’s possible that they have breached the
application, which is why the HIDS detects anomalous behavior by the application as well as
unusual traffic patterns on the network.
Types of HIDS
Host-Based Intrusion Detection Systems can be broken into two main categories based on
how they are deployed:
  Agent-based HIDS: An agent-based HIDS relies on software agents that are installed
on each host to collect information from the host. This is a “heavier-weight” approach
because running agents on hosts increases the resource utilization of the hosts.
 Agentless HIDS: With an agentless HIDS, information from hosts is collected without
relying on agents, such as by streaming the data over the network. This type of HIDS is
more complex to implement, and agentless HIDS sometimes can’t access as much
data as agent-based solutions, but the agentless approach offers the benefit of
consuming fewer resources.
HIDS components
No matter which type of HIDS you deploy, your HIDS solution will typically include three main
components:
 Data collectors: Using either agents or an agentless approach, your HIDS deploys
sensors that collect data from hosts.
 Data storage: After being collected, the data is usually aggregated and stored in a
central location. The data is retained at least as long as is necessary to analyze it,
although organizations may also choose to keep the data on hand so they can
reference it at a later time if desired.
 Analytics engine: The HIDS uses an analytics engine to process and evaluate the
various data sources that it collects. The purpose of analytics is to look for patterns or
anomalies, then assess the likelihood that they are the result of security risks or
attacks.
What is application security?
Application security describes security measures at the application level that aim to prevent
data or code within the app from being stolen or hijacked. It encompasses the security
considerations that happen during application development and design, but it also involves
systems and approaches to protect apps after they get deployed.
Application security may include hardware, software, and procedures that identify or minimize
security vulnerabilities. A router that prevents anyone from viewing a computer’s IP address
from the Internet is a form of hardware application security. But security measures at the
application level are also typically built into the software, such as an application firewall that
strictly defines what activities are allowed and prohibited. Procedures can entail things like an
application security routine that includes protocols such as regular testing.
Why application security is important
Application security is important because today’s applications are often available over various
networks and connected to the cloud, increasing vulnerabilities to security threats and
breaches. There is increasing pressure and incentive to not only ensure security at the
network level but also within applications themselves. One reason for this is because hackers
are going after apps with their attacks more today than in the past. Application security testing
can reveal weaknesses at the application level, helping to prevent these attacks.
Types of application security
 Different types of application security features include authentication, authorization,
encryption, logging, and application security testing. Developers can also code applications to
reduce security vulnerabilities.
 Authentication: When software developers build procedures into an application to ensure
that only authorized users gain access to it. Authentication procedures ensure that a user is
who they say they are. This can be accomplished by requiring the user to provide a user
name and password when logging in to an application. Multi-factor authentication requires
more than one form of authentication—the factors might include something you know (a
password), something you have (a mobile device), and something you are (a thumb print or
facial recognition).
 Authorization: After a user has been authenticated, the user may be authorized to access
and use the application. The system can validate that a user has permission to access the
application by comparing the user’s identity with a list of authorized users. Authentication
must happen before authorization so that the application matches only validated user
credentials to the authorized user list.
 Encryption: After a user has been authenticated and is using the application, other security
measures can protect sensitive data from being seen or even used by a cybercriminal. In
cloud-based applications, where traffic containing sensitive data travels between the end user
and the cloud, that traffic can be encrypted to keep the data safe.
 Logging: If there is a security breach in an application, logging can help identify who got
access to the data and how. Application log files provide a time-stamped record of which
aspects of the application were accessed and by whom.
 Application security testing: A necessary process to ensure that all of these security
controls work properly.

What are the types of Threat Intelligence?

There are different types of threat intelligence, from high-level, and non-technical information
to technical details about specific attacks. Here are a few different kinds of threat intelligence:
 Strategic: Strategic threat intelligence is high-level information that puts the threat in context.
It is non-technical information that an organization could present to a board of directors. An
example of strategic threat intelligence is the risk analysis of how a business decision might
make the organization vulnerable to cyber attacks.
 Tactical: Tactical threat intelligence includes the details of how threats are being carried out
and defended against, including attack vectors, tools, and infrastructures attackers are using,
types of businesses or technologies that are targeted, and avoidance strategies. It also helps
an organization understand how likely they are to be a target for different types of attacks.
Cybersecurity experts use tactical information to make informed decisions about security
controls and managing defenses.
 Operational: Operational threat intelligence is information that an IT department can use as
part of active threat management to take action against a specific attack. It is information
 about the intent behind the attack, as well as the nature and timing of the attack. Ideally, this
information is gathered directly from the attackers, which makes it difficult to obtain.
 Technical: Technical threat intelligence is specific evidence that an attack is happening or
indicators of compromise (IOCs). Some threat intelligence tools use artificial intelligence to
scan for these indicators, which might include email content from phishing campaigns, IP
addresses of C2 infrastructures, or artifacts from known malware samples.

Unit – 5
Vulnerabilities in Endpoints and the Damage They Cause
Vulnerabilities are like holes in a fence — malware exploits them and uses these “holes” to
enter the organization unnoticed. Once inside, they can access an organization’s resources
and move laterally through the network to expand their reach.
The Need for Vulnerability Assessments
All companies have vulnerabilities in their IT environments. Companies use a wide array of
software solutions, and these programs can have bugs that might be exploited by an attacker.
Every time an organization adds a new system or updates its software, there is the potential
that new vulnerabilities will be introduced into its systems.
A vulnerability assessment gives an organization the opportunity to find these vulnerabilities
before an attacker does. By performing regular assessments and acting on the results, an
organization can dramatically reduce its cyber threat exposure by closing the security gaps
that an attacker is most likely to exploit or that pose the greatest threat to the business.
Challenges in Vulnerability Assessment
With a vulnerability assessment, the greatest challenge is ensuring that the
vulnerability assessment meets an organization’s needs. For example,
a vulnerability scan will likely find more issues than an organization can fix, and
prioritization is essential to addressing the most critical threats first. The
vulnerability assessment process should be carefully designed and implemented to
ensure that it meets the needs of an organization’s risk management program.
Types of Vulnerability Assessments
Vulnerability assessment is a general term for the practice of searching for vulnerabilities in
computer systems. Since an organization may have a diverse set of solutions, there are a few
different types of vulnerability assessments focused on different areas, including:
 Host Assessment: A host assessment will look for vulnerabilities in the company’s endpoints
with a focus on crucial systems.
 Network Assessment: A network assessment ensures that corporate networks have secure
policies and security controls in place to prevent unauthorized access to the company’s
networks and the systems connected to them.
 Database Assessment: A database assessment inspects a company’s databases
for security misconfigurations, unauthorized databases, misclassified data, and
similar data security threats.
 Application Assessment: An application assessment tests an organization’s web
applications and other software for potentially exploitable vulnerabilities such
as SQL injection, buffer overflows, and other common threats.
Vulnerability Assessment Process
Vulnerability assessments are typically considered a four-step process that includes the
following:
1. Identification: The first step of the vulnerability assessment process is identifying the
potential vulnerabilities in an organization’s systems. This typically involves running a
vulnerability scanner, which will produce a list of potential vulnerabilities.
2. Analysis: In this step, the list of provided vulnerabilities will be further analyzed, either
manually or automatically. For example, this analysis might determine if a result is a true
threat or false positive or look for a root cause of each vulnerability.
3. Prioritization: Most organizations lack the resources to fix every vulnerability, and the ROI of
doing so may be low for low-risk vulnerabilities. To maximize the benefit and effectiveness of
remediation efforts, vulnerabilities should be prioritized based on their likelihood of
exploitation and potential impacts on the business.
4. Remediation: After developing a prioritized list, the organization can work on fixing these
issues in order. This may involve applying patches or mitigating issues and should include
testing to verify that a fix worked.
Vulnerability Assessments vs. Penetration Tests
Vulnerability assessments and penetration tests are both designed to identify
vulnerabilities in an organization’s systems. However, they work in very different
ways. Some of the key differences include:
 Automated vs. Human-Driven: Vulnerability assessments typically use automated tools to
search for vulnerabilities. Penetration tests are human-driven exercises.
 Broad vs. Deep: Vulnerability scans typically try to identify all vulnerabilities in operating
systems, applications, etc. . Penetration testers drill deeper trying to achieve a particular goal
and may miss some vulnerabilities.
 Vulnerability Exploitation: Vulnerability assessments typically do not involve the exploitation
of discovered vulnerabilities, which can result in false positive detections. Penetration testers
may exploit vulnerabilities that they find while exploring an organization’s systems and trying
to achieve a particular objective.
In the end, vulnerability assessments and penetration tests are complementary tools, and
penetration testers will often begin their assessment with a vulnerability scan.
What are Network Profiling Tools?
Network profiling tools are software programs that analyze and monitor your network traffic.
They collect data on the devices connected to your network, the traffic that passes through
your network, and the performance of your network. This data is then used to create a profile
of your network, which can be used to identify potential problems and optimize performance.
How Do Network Profiling Tools Work?
Network profiling tools work by capturing and analyzing network traffic. They use a variety of
techniques to collect data, including packet capture, flow analysis, and SNMP polling. Once
the data is collected, it is analyzed using algorithms that identify patterns and anomalies in the
traffic.
The output of the analysis is then presented in a variety of ways, including graphs, charts, and
reports. This information can be used to identify network performance bottlenecks, security
threats, and other issues that may be impacting your network.
Why Do You Need Network Profiling Tools?
There are several reasons why you need network profiling tools. First, they can help you
identify potential problems before they cause downtime or lost productivity. By monitoring
your network traffic, you can identify performance bottlenecks, security threats, and other
issues that may be impacting your network.
Second, network profiling tools can help you optimize your network performance. By
analyzing your network traffic, you can identify areas where you can improve performance,
such as by upgrading equipment or adjusting network settings.
Finally, network profiling tools can help you ensure compliance with regulations and
standards. By monitoring your network traffic, you can identify potential security threats and
ensure that your network is in compliance with industry standards and regulations.
Popular Network Profiling Tools
There are many different network profiling tools available on the market today. Here are a few
examples of popular tools and how they can help you manage your network:
Wireshark
Wireshark is a popular packet capture tool that allows you to capture and analyze network
traffic. It is open-source and available for free, making it a popular choice for network
administrators. Wireshark can be used to identify network performance issues, security
threats, and other issues that may be impacting your network.
SolarWinds Network Performance Monitor
SolarWinds Network Performance Monitor is a comprehensive network monitoring tool that
allows you to monitor your network traffic, identify potential issues, and optimize performance.
It includes features such as packet capture, flow analysis, and SNMP polling, which allow you
to collect data on your network traffic and analyze it in real-time.
PRTG Network Monitor
PRTG Network Monitor is a powerful network monitoring tool that allows you to monitor your
network traffic, identify potential issues, and optimize performance. It includes features such
as packet capture, flow analysis, and SNMP polling, which allow you to collect data on your
network traffic and analyze it in real-time. PRTG also includes a variety of alerting and
reporting features, which allow you to stay on top of potential issues and optimize your
network performance.
 What is Common Vulnerability Scoring System (CVSS)
CVSS stands for the Common Vulnerability Scoring System. It's a way to evaluate and rank
reported vulnerabilities in a standardized and repeatable way. The goal of CVSS is to help
you compare vulnerabilities in different applications – and from different vendors - in a
standardized, repeatable, vendor agnostic approach.
CVSS generates a score from 0 to 10 based on the severity of the vulnerability. A score of 0
means the vulnerability is less significant than the highest vulnerability with a score of 10, if
you're only using CVSS. By using CVSS to prioritize vulnerabilities, you can focus on the
most critical ones first and reduce the overall risk to your organization.
CVSS values have been grouped as well into the rankings that you may have seen, of
Critical, High, Medium, and Low.For CVSS v3, they are as follows:
CVSS Base CVSS Severity
Score Level

0 None

0.1 - 3.9 Low

4.0 - 6.9 Medium

7.0 - 8.9 High

9.0 - 10.0 Critical

The above is what is defined within the CVSS documentation, which can be found
on the FIRST website.
What is all taken into account to generate the CVSS score?
That is a great question, and it is a slightly more complex question to answer than what is
CVSS. The CVSS score combines a lot of factors to be able to generate a score. Those
factors are:
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
That’s a lot of things that go into the mix. Now let’s dig a little deeper into each of these.
 Attack Vector
The attack vector has 4 different values that can be assigned to it:
Network,
Adjacent,
Local, or
Physical.
Think of these as how the attacker can access the system in system in question.
Ranging from anywhere to I need to physically connect something to the system. A
network value here will generate the highest CVSS value.
Attack Complexity
Attack Complexity comes down to how hard it is to exploit the vulnerability.Two possible
values exist for this, which are:
Low or
High.
The low attack complexity will generate the highest score.
Privileges Required
This outlines what privileges the attacker needs to have BEFORE exploiting the vulnerability.
Possible values are:
None,
Low, or
High.
None is no access to any settings or files on the system.Low is basic user capabilities.High is
administrative level privileges are needed.
User Interaction
This defines how a user needs to be engaged somehow to successfully exploit the
vulnerability. The options here are:
None or
Required.
When no user is required the impact on the CVSS score is highest.
Scope
This is a slightly harder sub-component to understand. Here it is trying to measure if the
vulnerability can impact items that are outside of the security authority of the affected
component. A security authority is something that controls access to objects under its control.
Examples of a security authority could be an application (controls how things work inside the
application), an operating system (controls how things work within the environment). Values
here are:
Unchanged or
Changed,
A scope change haS the largest impact.
Confidentiality
Confidentiality is the potential for unauthorized access to sensitive information. The possible
values are:
High,
Low, or
None.
The greatest impact comes from the High value, or total confidentially being lost.
Integrity
This component measures the potential for unauthorized modification, a data breach or
deletion of data. Potential values are:
High,
Low, or
None.
High is the most severe.
Availability
Availability attempts to measure the potential for denial of access to authorized users. This
could be the denial access to a service or processor cycles. Potential values for Availability
are:
High,
Low, or
None.
What is an ISMS?
An information security management system (ISMS) is a framework of policies and
procedures for systematically managing an organization’s sensitive data.
It includes the processes, people, technology, and procedures that are designed to protect
against unauthorized access, use, disclosure, disruption, modification, or destruction of
information.

How does an ISMS work?

 An ISMS works by providing an organization with a structured framework for managing and
safeguarding its information assets.
It consists of policies and procedures that define how processes and activities related to
information security are to be managed.
The ISMS also outlines the roles and responsibilities of personnel involved in managing
information security and provides guidance on how to identify, assess, and mitigate risks.
It can also be used to monitor the effectiveness of security measures and to provide evidence
of compliance with applicable laws and regulations.

What are the benefits of an ISMS?

Cost savings: An ISMS can help organizations save money in the long run by
reducing the cost of responding to data breaches, ensuring compliance with
applicable laws and regulations, and reducing the cost of insurance premiums.
Risk reduction: An ISMS helps organizations identify and address potential security
risks before they have a chance to become a problem. This can help reduce the
risk of data breaches, financial losses, and reputational damage.
Enhanced competitiveness: An ISMS can help organizations gain a competitive
edge by demonstrating their commitment to data security and compliance. This
can help them stand out in a crowded market and attract more business.

Implementing an ISMS
There are numerous ways of approaching the implementation of an ISMS. The
most common method to follow is a ‘Plan Do Check Act’ process.
ISO 27001 is the international security standard that details the requirements of
an ISMS.
ISO 27001, along with the best-practice guidelines contained in ISO 27002, serve
as two excellent guides to get you started with implementing an ISMS.
An ISMS that is certified and audited can provide customers with the assurance that the
organization has taken steps to protect its information assets from risks that have been
identified.
The strength of an ISMS is based on the robustness of the information security risk
assessment, which is key to any implementation.
Recognizing the risks that the organization and its data may face in the future is necessary to
implement the mitigating measures (controls).
ISO 27001 provides a recommended list of controls that can help assess whether the
necessary controls have been considered for legislative, business, contractual, or regulatory
purposes.
What is the Cyber Kill Chain in Cybersecurity?
 Derived from a military model by Lockheed Martin in 2011, the cyber kill chain is a step-by-
step approach to understanding a cyberattack with the goal of identifying and stopping
malicious activity.
Also called the cyber attack lifecycle, the cyber kill chain can help organizations gain a deeper
understanding of the events leading up to a cyberattack and the points at which they can
prevent, detect, or intercept attackers in the future.
Although the original cyber kill chain model contained only seven steps, cybersecurity experts
expanded the kill chain to include eight phases: reconnaissance, weaponization, delivery,
exploitation, installation, command and control, actions on objective, and monetization.
Most of the time, organizations use the cyber kill chain to defend against the most
sophisticated cyberattacks, including ransomware, security breaches, and advanced
persistent threats (APTs).
How the Cyber Kill Chain Works
The term “cyber kill chain” was adapted from the military and describes the structure of an
attack (either offensive or defensive) broken into a pattern of identifiable stages, including
identifying a target, dispatch, decision, order, and destruction of the target.
In cybersecurity, the cyber kill chain is a model outlining the various phases of common
cyberattacks. Using the cyber kill chain, organizations can trace the stages of a cyberattack to
better anticipate and prevent against cyber threats in the future.
Each stage of the cyber kill chain is related to a specific type of activity in a cyberattack
(regardless of whether it’s an internal or external attack).
How Does the Cyber Kill Chain Protect Against Attacks?
The cyber kill chain is not a security system: it’s a framework that enables security teams to
anticipate how attackers will act so they can stop them as quickly as possible or intercept
them if the attack has already transpired.
The cyber kill chain maps out the exact path a typical attacker will take so cybersecurity
teams can recognize the starting point of common cyberattacks. Cyber kill chain simulations
allow security teams to gain firsthand experience in dealing with a cyber threat, and
evaluating simulation responses can help organizations identify and remediate any security
gaps that may exist.
It can guide strategy, training, and tool selection by revealing which parts of a security
strategy may or may not need updating, such as employee training, endpoint security
software, or VPNs.
Cyber Kill Chain Steps
Computer scientists at Lockheed Martin may have been the first to take this concept and
apply it to information security, but the cyber kill chain continues to evolve with the changing
nature of cyber threats.
At the core of the cyber kill chain is the notion that cyberattacks often occur in phases and
they can be disrupted through controls established at each phase.
1. Reconnaissance
 During what some call the observation phase, the reconnaissance phase is when attackers
begin to identify targets and make a plan of action. This stage often includes activities such as
researching potential targets, determining vulnerabilities, and exploring potential entry points.
The more information an attacker can glean during this phase, the more sophisticated and
successful the attack can be.
1. Weaponization
At this stage, attackers create the attack vector that will be used in the cyberattack. This could
include remote access malware, ransomware, or a virus or worm that can exploit a
vulnerability identified during the reconnaissance phase.
During the weaponization phase, attackers may also try to reduce the likelihood of being
detected by any security solutions in place.
1. Delivery
Attackers then deliver the attack vector through a medium like phishing emails or by hacking
into the target’s system or network. Regardless of the type of attack they intend to carry out,
this is the stage at which the attacker officially launches an attack against a target.
1. Exploitation
Next, the malicious code is executed within the target’s systems. By breaching the perimeter,
attackers now have the opportunity to further exploit the target’s systems by installing tools,
running scripts, or modifying security certificates. Common examples of exploitation attacks
include scripting, dynamic data exchange, and local job scheduling.
1. Installation
Immediately following the exploitation phase, the installation phase is when the attack vector
is installed on the target’s systems. During the installation stage, attackers may also create
back doors into the target’s systems or networks so they can continue to access them even if
the original point of entry is identified and closed.
1. Command and Control
During the command and control phase, attackers use the successfully installed attack vector
to control devices or identities remotely within the target’s network. Threat actors may
also move laterally during the command and control phase in order to avoid detection and
establish additional points of entry.
1. Actions on Objective
In the final phase of Lockheed Martin’s cyber kill chain, attackers take the final steps to carry
out their original objective, be it data theft, destruction, encryption or exfiltration.
The above steps are taken directly from Lockheed Martin’s cyber kill chain, which was
originally developed in 2011. Since then, cybersecurity experts have expanded on the seven
phases to include an eighth: monetization.
1. Monetization
During the monetization phase, attackers focus on deriving income from the successful
attack, whether through some form of ransom or selling sensitive information on the dark web.
 Since its inception, the cyber kill chain has evolved to better anticipate and understand
modern cyber threats. It has also been adopted by data security organizations and
professionals to help define the stages of an attack.
However, because of the constantly evolving nature of cyber threats, the future of the cyber
kill chain is unknown. As extended detection and response (XDR) becomes increasingly
important for modern cybersecurity strategy, a new XDR framework or kill chain that
leverages MITRE ATT&CK framework could be more beneficial to security teams.
Critiques of the Cyber Kill Chain
Current critiques can be bucketed into two main categories: perimeter security and attack
vulnerabilities.
Perimeter Security
One of the biggest critiques of Lockheed’s Cyber Kill Chain model is the fact that the first two
phases of an attack (reconnaissance and weaponization) often occur outside the target
network. This can make it difficult for organizations to understand or defend against any
actions occurring during these phases.
Attack Vulnerabilities
Some critics believe that the methodology also reinforces traditional perimeter-based and
malware-prevention-based defensive strategies, which aren’t enough in today’s cybersecurity
climate.
Additionally, some critics believe the traditional cyber kill chain isn’t a suitable model for
simulating insider threats. This potentially puts organizations at greater risk given the
likelihood of successful attacks that breach a target’s internal network perimeter.
Although many have adopted the cyber kill chain, acceptance is far from universal and there
are many critics that are quick to point to what they believe are fundamental flaws.
Fortunately, there are a number of other cybersecurity frameworks that may satisfy some of
the cyber kill chain’s shortcomings.
What is Diamond Model of Intrusion Analysis?
The Diamond Model of Intrusion Analysis is a model to describe cyber attacks. It contains 4
parts - adversary, infrastructure, capability, and target. It gives analysts a comprehensive view
of cyber attacks.
 Adversary: Where are attackers from? Who are the attackers? Who is the sponsor?
Why attack? What is the activity timeline and planning?
 Infrastructure: Infected computer(s), C2 domain names, location of C2 servers, C2
server types, mechanism and structure of C2, data management & control, and data
leakage paths
 Capability: What skills do the attackers have to do reconnaissance, deliver their
attacks, attack exploits and vulnerabilities, deploy their remote-controlled malwares
and backdoors, and develop their tools?
 Target: Who is their target country/region, industry sector, individual, or data?
Why Does It Matter?
 For various cyber attacks, the diamond model of intrusion analysis can help enterprise
cybersecurity teams find system breaches and deal with them. By doing so, they can
successfully achieve cybersecurity defense goals.

Diamond Model of Intrusion Analysis

Endpoint Vulnerability Assessment

Trust Application and Device Access to Critical Networks
Every device connected to your network is an endpoint. Each device is an entry point for
infection. Endpoint vulnerability is further multiplied by the number of applications on each
device and whether each application complies with security policies. Even a modest
enterprise can have thousands of potential vulnerabilities—due to compromised installed
applications and missing or outdated operating system patches.
OPSWAT’s Endpoint Vulnerability Assessment technology scans endpoints for vulnerabilities.
Applications and operating systems with outdated versions or missing patches can be
updated—automatically.

Endpoint Vulnerability Assessment

Trust Application and Device Access to Critical Networks
Every device connected to your network is an endpoint. Each device is an entry point for
infection. Endpoint vulnerability is further multiplied by the number of applications on each
device and whether each application complies with security policies. Even a modest
enterprise can have thousands of potential vulnerabilities—due to compromised installed
applications and missing or outdated operating system patches.
OPSWAT’s Endpoint Vulnerability Assessment technology scans endpoints for vulnerabilities.
Applications and operating systems with outdated versions or missing patches can be
updated—automatically.