CybersecurityReviewerchap 1-3

The document provides an overview of cybersecurity principles, highlighting the importance of protecting information systems against various cyber threats and attacks. It discusses the CIA triad (Confidentiality, Integrity, Availability) and outlines notable cybercrime events, including the Creeper, Morris Worm, and Stuxnet. Additionally, it covers asset identification, classification, and prioritization methods to enhance cybersecurity measures within organizations.
CYBERSECURITY- IT NS 1

CHAPTER 1 - OVERVIEW
CYBERSECURITY PRINCIPLES AND EMERGING CHALLENGES

CYBERSECURITY
• means the protection of information systems: guaranteeing the confidentiality, integrity, and
availability of information, detecting cyberattacks, reacting to detected cyberattacks, and
restoring systems to their pre-attack condition after a cyberattack.
• is important to individuals for the privacy of critical information such as details of private
life, ID numbers, passwords, credit card information, etc.
• At present, cyberattacks can be carried out by hackers, insider attackers, cyber activists, and
intelligence agencies. Although the targets of cyberattacks vary widely, they are primarily
focused on money, intellectual property, and sabotage.
• is a collection of defensive technologies (hardware/software), processes, and practices
designed to protect networks, computers, programs, and information from attack, damage, or
unauthorized access, and to secure systems that are connected to the Internet.
• protects against threats using defensive measures, including information assurance,
computer system and application hardening, malware protection, access control,
information infrastructure protection, and network security.
• Practical relationship between cybersecurity assets, risk, and security measures:
1. We have valuables (assets).
2. There is a possibility of something bad happening to them (risk).
3. We do things to protect them (security measures).

A FRAMEWORK FOR CHALLENGES


CIA Triad
1. Confidentiality. Measures are put in place to ensure that only authorized people can access
information and that the "wrong people" cannot get to it.
2. Integrity. Pertains to the steps taken to prevent any unauthorized changes to data while in
transit and, indeed, throughout its lifecycle.
3. Availability. Relates to the timely availability of information for use through proper
maintenance of hardware, adequate communication bandwidth, failover, redundancy, and
disaster recovery plans.

A PRACTICAL EXAMPLE OF ACCOUNT SECURITY



CYBERCRIME EVENTS AROUND THE WORLD

Creeper and Reaper


In 1971, Bob Thomas, an employee of BBN Technologies and part owner of ARPA in advanced
technologies, wrote the first self-replicating program. He named the program "Creeper" and
installed it on DEC PDP-10 computers running the TENEX operating system. Creeper spread
across ARPANET in a short time, writing "I'm the creeper, catch me if you can!" on the screen of
the computers it reached. When the problem was noticed, Reaper was written to delete Creeper.
Thus the first worm on ARPANET was the first indicator of future cybersecurity threats.

ARPANET attack
After the Cold War, ARPANET started to spread, first to universities and then to personal
computers. Providing cybersecurity became more complex with the spread of the internet.
Consequently, a new attack was made against ARPANET: on October 27, 1980, ARPANET stopped
service for 72 hours because of a virus that set off status messages.

Morris Worm
Robert Morris programmed a self-replicating and self-propagating worm that could be installed
on the internet as a master's project when he was just 23 years old, and he named the program
"Morris Worm". Morris decided to test his program on the internet system of Harvard University.
After loading the program, he noticed that the worm copied itself and spread faster than he had
estimated. The worm exploited many deficiencies in the target systems, one of them being Unix
sendmail. Morris' attack caused very serious material damage. The Morris Worm is the first
target-specific worm in history.

Stuxnet
The most notable and best-known example of a cyberattack is Stuxnet. Stuxnet is a worm that
targeted the nuclear facilities of Iran. It was detected by a software corporation named
VirusBlokAda in Belarus in June 2010. It affected the Iranian nuclear facilities at Bushehr and
Natanz.

Stuxnet showed that industrial systems and self-enclosed systems can be targets of cyberattacks.
The common conclusion of research on Stuxnet is that the worm has a very complex form. Experts
think the worm was not written by a simple crew but by a government-sponsored enterprise.
Stuxnet especially targets the mainboard (PLC); this is its most important feature. The worm
spread mainly via Microsoft Windows and targeted Siemens S7-300 modules.

Stuxnet entered computers via external hard drives, copied itself to the computer's drive
directory, and searched for Siemens SCADA (Supervisory Control and Data Acquisition) programs
named WinCC and PCS7. After finding these programs, it integrated itself into them using Siemens'
passwords and changed the control logic according to the malware author's design by attaching
modules to the program. In this way, it could affect the control mechanism of the whole facility.
It presented itself as a System32 file named "lsass.exe" and was distributed in this way.

Zero-Day Exploit
Another noteworthy aspect of Stuxnet is its use of four zero-day exploits. A zero-day exploit is
an exploit of a flaw that has not yet been noticed by the software's developers. In closed-source
software, noticing zero-day flaws is harder than in open-source software, and this condition
threatens the system's security. Stuxnet is a unique program with a unique place in
cybersecurity. Other noteworthy aspects of Stuxnet are that it signed its drivers with root
certificates stolen from the Realtek company so that its kernel drivers could be loaded easily
and stay hidden, and that it tried to covertly change physical processes in energy facilities.
Creating this worm required knowledge of databases, root information, PLC algorithms, the stolen
Realtek electronic signatures, and Siemens hardware.

Duqu
Shortly after Stuxnet, the Budapest University of Technology and Economics disclosed to the
public a Trojan named "Duqu". Several features of Duqu are very similar to those of Stuxnet;
therefore, experts claimed Duqu was produced by programmers with access to Stuxnet's kernel.
Duqu's main objective, however, was gathering intelligence about industrial control systems. To
do that, Duqu copied passwords, captured screenshots to understand how certain processes are
carried out, and stole many documents.

Flame Malware
While the use of Duqu in cyber espionage was being discussed, Iran's Computer Emergency Response
Team (CERT) announced on May 28, 2012 that "Flame Malware" had been found. The objective of the
software was to gather intelligence. The software recorded every sound, screenshot, keystroke,
and Skype conversation, and monitored network traffic on infected computers.
The software also enabled Bluetooth and compiled a list of Bluetooth-enabled devices; it spread
in this way. It is claimed the software collected AutoCAD drawings, PDFs, and text documents,
analyzed Arabic and Hebrew texts, and also collected any of these documents that had geotagging.

Threat Actors
1. Cybercriminals: They attack systems and steal data for profit.
2. Hackers: There are two types of hackers.
a. Professional hackers work to benefit corporations by improving security.
b. Malicious hackers are skilled criminals aiming for financial gain by obtaining access to
bank accounts and personal passwords, faking antivirus software, and blackmailing.
3. Hacktivists: Politically, religiously, or socially motivated actors aiming to reveal
contentious truths about their opponents.
4. Cyber terrorists: This kind isn't common yet; however, as digitalization evolves further,
there is a strong likelihood that cyber terrorism may replace the standard notion of terrorism
and become a global challenge.
5. Nation-states: They launch cyberattacks against other countries.

Protection Layers of Cybersecurity

1. People: Users should understand and follow basic data security principles such as choosing
strong passwords, being cautious with email attachments, and backing up data.
2. Processes: Organizations should have a framework for how they manage both attempted and
successful cyberattacks. One well-respected framework can guide you: it explains how to
identify attacks, protect systems, detect and respond to threats, and recover from successful
attacks.
3. Technology: Technology is crucial to giving organizations and individuals the computer
security tools required to safeguard themselves from cyberattacks.
Three main entities should be protected:
a. Endpoint devices such as computers, smart devices, and routers.
b. Networks.
c. The cloud.

CHAPTER 2
ASSET IDENTIFICATION

Assets in the context of cybersecurity are (sensitive, valuable, and critical) digital information
and information systems.

INFORMATION AND DATA


Information is a subject's perception of an object in an environment; it is data that is
interpreted within a given context and given meaningful structure within that context.
Information should not be confused with facts and data, which convey information. For
instance, "Yahoo customers' details were hacked" is a fact. The fact conveys important
information to Yahoo customers but provides no information to, for example, a farmer who does
not use the Internet.

Information has several characteristics:

• Information is subjective. The same sequence of facts may be perceived differently by
different subjects because their perception capabilities differ. Information has value, which
is temporal and context dependent. Due to its value, information can be used to influence
decision-making processes.
• Information can be created, stored, processed, and transmitted in different systems, media,
and formats. Digital information is created, stored, processed, and transmitted in
information systems.

INFORMATION SYSTEMS
Information systems are combinations of hardware, software, and telecommunications networks
that people build and use to collect, create, and distribute useful data, typically in
organizational settings.
Traditionally, information systems include computing hardware (e.g., PCs, servers, and mobile
devices), networks (e.g., switches, routers, and access points), software programs (e.g.,
operating systems and applications), and data.
Modern information systems should have people, procedures, policies, and security added to the
component list, and the scope of cybersecurity should be expanded to cover these components.

ASSET IDENTIFICATION METHODS

• Many organizations use purchased asset inventory systems to keep track of their hardware,
network, and perhaps their software components. However, other assets such as human
resources, procedures, policies, and data are often not readily identified and documented.

• The most important step in asset identification is to determine which attributes of each
information asset should be tracked. When deciding which attributes to track for each
information asset, consider the following lists of potential attributes:
• Hardware and software assets
• People, procedure, and data assets

HARDWARE AND SOFTWARE ASSETS:

• Name: name of the asset
• Asset tag: unique tag used for asset management
• IP address: Internet Protocol address of the asset (if available)
• MAC address: Media Access Control address of the asset (if available)
• Asset type: describes the function of the asset
• Serial number: serial number of the asset (if available)
• Manufacturer name: name of the asset manufacturer
• Manufacturer part/serial number: part/serial number of the asset as given by the manufacturer
• Software version and update number: version/update number of the asset software
• Physical location: physical location of the asset
• Logical location: e.g., network name or VLAN number (if available)
• Managing/controlling entity: the entity that manages/controls the asset

ASSET IDENTIFICATION (EXAMPLE)

HARDWARE AND SOFTWARE ASSET:
• Name: MSI GF63 Thin 11UCX
• Asset tag: unique and determined by management, e.g. HW/SW-0004
• IP address: 192.168.1.100
• MAC address: 04-EC-C4-35-56-11
• Asset type: Laptop
• Serial number: 123ABCD456
• Manufacturer name: MSI
• Manufacturer part/serial number: 15686-ABCDG
• Software version and update number: N/A
• Physical location: Centrum Lab 3
• Logical location: VLAN11
• Managing/controlling entity: Owner name / IT Department

PEOPLE, PROCEDURE, AND DATA ASSETS:

A. People
• Position name/number/ID: avoid names; use position titles, roles, or functions.
• Supervisor name/number/ID: avoid names; use position titles, roles, or functions.
• Special skills
• Security clearance (access) level
B. Procedures
• Description
• Intended purpose
• Software/hardware/networking elements to which the procedure is tied
• The location where procedure documents are stored for reference
• The location where they are stored for update purposes
C. Data
• Classification
• Owner/creator/manager
• Size of data structure
• The data structure used (e.g., sequential or relational)
• Online or offline
• Location
• Backup procedures

ASSET CLASSIFICATION
CRITICAL ASSET IDENTIFICATION CLASSIFICATION

ASSET CATEGORIZATION
• Asset categories should be meaningful to the organization's cybersecurity program. Example
categories are public asset, internal asset, and protected asset. Existing categories can be
fine-tuned and new categories added to better meet the needs of the cybersecurity program.
For instance, the "Internal data" category can be subdivided into "Internal general data"
and "Internal sensitive data".
• Asset categories must also be comprehensive and mutually exclusive. "Comprehensive" means
that every inventoried asset fits into a category; "mutually exclusive" means that each
asset is found in only one category.

ASSET PRIORITIZATION
• Assets are classified based on their level of sensitivity and criticality, i.e. the impact on
the business should the asset's security be compromised. It may be impossible to know in
advance, in economic terms, what losses will be incurred if an asset is compromised. However,
prioritization helps to ensure that the higher-value assets are protected first.
• Business Impact Analysis (BIA) and Weighted Factor Analysis (WFA) are powerful tools for
asset prioritization. BIA helps to determine the relative sensitivity and criticality value of
an asset, and WFA helps to rank the assets based on their sensitivity and criticality.

Posing basic questions like the following can help you develop the weighting criteria to be
used for information asset valuation or impact evaluation:

• Which information asset is the most critical to the success of the organization?
• Which information asset generates the most revenue?
• Which information asset generates the highest profitability?
• Which information asset is the most expensive to replace?
• Which information asset is the most expensive to protect?
• Which information asset's loss or compromise would be the most embarrassing or cause the
greatest liability?

ASSET CLASSIFICATION FRAMEWORKS

Every organization doing business in cyberspace should have its own asset classification
framework. The following are example frameworks for asset classification:

• Queensland Government information security classification framework, accessible at
https://www.qgcio.qld.gov.au/documents/information-security-classification-framework-qgiscf
• South Australia Government information security classification framework, accessible at
https://digital.sa.gov.au/resources/topic/policies-guidelines-and-standards/security/ismf-guideline-8b-new-classification
• Southern Cross University information classification framework, accessible at
https://policies.scu.edu.au/view.current.php?id=00107#maj7
CHAPTER 3
THREATS, HAZARDS, AND ATTACKS

• A threat is an intentional source of risk that causes a potential loss in the value of an
information asset. A threat has a threat carrier, who carries the threat. In this context, a
threat is an object, person, or other entity that represents a constant danger to an asset.
• A threat that is materialized is called an attack. However, an attack does not necessarily
result in the loss of the asset's value. An exploit is a technique or mechanism used to
compromise an information asset.
• A hazard, on the other hand, is an unintentional source of risk that causes a potential loss
in the value of an information asset. Natural disasters are considered hazards.

Cyber Threats and Hazards Categorizations

Common Cyber Attacks

• According to the Australian Cyber Security Centre report in 2017, the top recorded cyberattacks
come from the following threats:

1. Ransomware
2. Credential-harvesting malware
3. Social engineering
4. Threats associated with outsourcing and supply chain
5. Personally identifiable information
6. Malicious use of leaked tools
7. Router scanning
8. Distributed Denial of Service
9. Malicious use of Internet of Things (IoT) devices
10.
• TCS's Cyber Security Community also lists the 21 Most Common Cyber Security Attacks, in which
malware, spam, phishing, denial of service, and brute force attacks are the top five.

Cyber Attack Agents

An attack is accomplished by a threat agent, the specific instance of a threat, that damages or
steals an organization's information or physical assets. In common terms, the threat agent is
often called a hacker. However, not all hackers are malicious.
There are different types of hackers, i.e. white hats, black hats, grey hats, green hats, red
hats, and blue hats.
As a cybersecurity practitioner, it is important that you know what type of attack agents you
have to deal with, because that will define your strategy and resources.

An important step in "knowing the enemy" is to find some method of prioritizing the risk posed by
each category of threat and its related methods of attack. Each threat must be further examined
to determine its potential to affect the targeted information asset. In general, this process is
referred to as a threat assessment.

Threat Assessment
Methods of Assessing Threats

• Any organization typically faces a wide variety of threats, but not every threat will affect
every information asset. Therefore, threats are assessed and prioritized.
• Threat assessment can be done by adopting threat levels from an existing study of threats or
by creating your own categorization of threats for your environment. A technique similar to
the one used in asset assessment can be used. The level of a threat's potential effect on
information assets can be estimated by posing questions similar to the following:
1. Which threats present a danger to the organization's information assets in its current
environment? Note that not every threat will affect every information asset.
2. Which threats represent the gravest danger to the organization's information assets?
3. How much would it cost to recover from a successful attack?
4. Which threats would require the greatest expenditure to prevent?
• Once you have identified the list of information assets, the list of threats against each
asset, and the threat assessment criteria, you can begin to assess each threat. Weighted Factor
Analysis (WFA) can be used to estimate the impact factor of every possible threat on an
information asset by assigning a score to each threat assessment criterion and computing the
weighted sum. The weighted sum can be used to rank the threats to each asset.
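Weighted Factor Analysis, as used for asset prioritization in Chapter 2 and for ranking the threats to an asset here, is the same computation applied to two lists: score each item against the agreed criteria, multiply by the criterion weights, sum, and sort. The Python below is an added example, not part of the reviewer notes; it implements that weighted-sum ranking once and applies it to a constructed asset list and a constructed threat list. The criterion names mirror the questions in the notes, but every weight and score is made up for illustration.

```python
"""Added example (not from the reviewer notes): Weighted Factor Analysis as a
weighted-sum ranking, applied to assets and then to threats against one asset.
All weights and scores below are constructed."""
from typing import Dict, List, Tuple


def weighted_score(scores: Dict[str, float], weights: Dict[str, float]) -> float:
    """Weighted sum of criterion scores. A criterion without a weight is an error
    rather than silently dropped, so a typo in a criterion name cannot skew the rank."""
    missing = set(scores) - set(weights)
    if missing:
        raise KeyError(f"no weight for criteria: {sorted(missing)}")
    return sum(weights[c] * s for c, s in scores.items())


def rank(items: Dict[str, Dict[str, float]],
         weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Rank items by weighted score, highest first; ties broken by name for determinism."""
    scored = [(name, weighted_score(s, weights)) for name, s in items.items()]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


# Asset prioritization (Chapter 2): criteria follow the valuation questions in the
# notes (criticality, revenue, replacement cost, liability). Weights sum to 1.0 and
# scores are on a 1-5 scale; both are constructed.
ASSET_WEIGHTS = {"criticality": 0.4, "revenue": 0.2, "replacement_cost": 0.15, "liability": 0.25}
ASSETS = {
    "customer database":     {"criticality": 5, "revenue": 4, "replacement_cost": 3, "liability": 5},
    "public website":        {"criticality": 3, "revenue": 5, "replacement_cost": 2, "liability": 2},
    "lab laptop HW/SW-0004": {"criticality": 2, "revenue": 1, "replacement_cost": 2, "liability": 3},
}

# Threat assessment for one asset: criteria follow questions 2-4 in the notes plus the
# probability of occurrence. Threat names are taken from the page's attack list.
THREAT_WEIGHTS = {"probability": 0.3, "gravity": 0.3, "recovery_cost": 0.25, "prevention_cost": 0.15}
THREATS_VS_DB = {
    "ransomware":                    {"probability": 4, "gravity": 5, "recovery_cost": 5, "prevention_cost": 3},
    "credential-harvesting malware": {"probability": 4, "gravity": 4, "recovery_cost": 3, "prevention_cost": 2},
    "distributed denial of service": {"probability": 3, "gravity": 2, "recovery_cost": 2, "prevention_cost": 4},
}


def prioritized_assets() -> List[Tuple[str, float]]:
    return rank(ASSETS, ASSET_WEIGHTS)


def prioritized_threats() -> List[Tuple[str, float]]:
    """Threats against the customer database, highest impact factor first."""
    return rank(THREATS_VS_DB, THREAT_WEIGHTS)


if __name__ == "__main__":
    for name, score in prioritized_assets():
        print(f"asset  {name:30s} {score:.2f}")
    for name, score in prioritized_threats():
        print(f"threat {name:30s} {score:.2f}")
```

The resulting order (customer database first, ransomware first) is only as good as the weights: the notes' advice to agree the weighting criteria with the business side before scoring is what keeps the output from being a number that merely confirms whoever filled in the sheet.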

• Another approach to estimating the impact of a threat is scenario analysis. The organization
creates multiple scenarios to better understand the impact of a successful security breach. The
"worst-case/most-likely-outcome" analysis is commonly used by organizations to estimate the
magnitude of damage from a particular threat.
• One of the most important criteria in assessing a threat is the probability of occurrence, i.e.
the chance that the threat is materialized. This probability, however, depends on the asset and
its surrounding environment.
• A vulnerability of an asset is a security weak point that can be exploited by a threat agent
to compromise asset security. Whether a vulnerability is exploitable depends mostly on the
threat agent's capability. Therefore, vulnerability is always assessed against a specific
threat.

Vulnerabilities exist in every component of information systems, i.e. in hardware, software,
networks, data, procedures, policy, and people.

Vulnerabilities

• Identifying the vulnerabilities of an asset is not an easy task and requires expert knowledge
in cybersecurity. Using reported vulnerability databases is one way to help organizations
identify vulnerabilities in their assets. Vulnerability databases are maintained by IT product
manufacturers, e.g. Microsoft, Apple, and Cisco, and by security organizations, e.g. CERTs.

• Another approach to identifying the vulnerabilities of an asset is to work through potential
vulnerabilities against each threat category.

Threat assessment is challenging because it requires expert knowledge from both the security and
business areas. Therefore, the process is often carried out by a team of experts from different
parts of the organization for better results.

Methods of Documenting Threat Assessment

• The three dimensions of the worksheet are T (Threat), V (Vulnerability), and A (Asset). Assets
in the worksheet are prioritized, and Asset 1 has the highest priority in terms of sensitivity
and criticality. Threats are also prioritized in the worksheet, using values calculated from the
threat assessment criteria; Threat 1 has the highest priority value. You can also use threat
categories in place of specific threats to make the sheet more compact. However, it will be
easier to assess a specific threat than a threat category.

• The TVA worksheet is used as follows:

  • If the intersection of T1 (Threat 1) and A1 (Asset 1) has no vulnerability, then you simply
  cross out that box. It is much more likely, however, that one or more vulnerabilities exist
  between the two, and as these vulnerabilities are identified, they are documented as follows:

  • T1V1A1: Vulnerability 1 that exists between Threat 1 and Asset 1
  • T1V2A1: Vulnerability 2 that exists between Threat 1 and Asset 1... and so on.

• The TVA worksheet is useful for identifying dangerous threat-asset pairs, which will be used
later on to assess and control the risk to an organization's information assets.
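The TVA worksheet is a small data structure: a grid indexed by prioritized threat and prioritized asset, whose cells hold the vulnerabilities found for that pair, labelled TiVjAk in the order they were recorded. The Python below is an added example, not part of the reviewer notes, that builds such a worksheet, generates the labels, crosses out empty boxes, and lists the threat-asset pairs that have at least one vulnerability. The assets, threats, and vulnerability descriptions are constructed, and the choice to order dangerous pairs by threat priority and then asset priority is this example's own.

```python
"""Added example (not from the reviewer notes): a TVA worksheet as a data structure.
Assets and threats are given in priority order (first = A1 / T1), vulnerabilities are
recorded per threat-asset cell and labelled TiVjAk, and a cell with no vulnerability
is reported crossed out. Sample contents are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple


class TVAWorksheet:
    def __init__(self, assets: List[str], threats: List[str]):
        self.assets = assets    # prioritized: assets[0] is A1 (highest sensitivity/criticality)
        self.threats = threats  # prioritized: threats[0] is T1 (highest threat-assessment value)
        self._vulns: Dict[Tuple[int, int], List[str]] = defaultdict(list)

    def _index(self, threat: str, asset: str) -> Tuple[int, int]:
        # 1-based indexes so labels read T1..Tn / A1..An as in the notes
        return self.threats.index(threat) + 1, self.assets.index(asset) + 1

    def add_vulnerability(self, threat: str, asset: str, description: str) -> str:
        """Record a vulnerability between a threat and an asset; return its TiVjAk label."""
        t, a = self._index(threat, asset)
        self._vulns[(t, a)].append(description)
        return f"T{t}V{len(self._vulns[(t, a)])}A{a}"

    def labels(self, threat: str, asset: str) -> List[str]:
        t, a = self._index(threat, asset)
        return [f"T{t}V{v}A{a}" for v in range(1, len(self._vulns[(t, a)]) + 1)]

    def cell(self, threat: str, asset: str) -> str:
        """Contents of one box of the worksheet; 'X' marks a crossed-out (empty) box."""
        labs = self.labels(threat, asset)
        return ", ".join(labs) if labs else "X"

    def dangerous_pairs(self) -> List[Tuple[str, str, int]]:
        """Threat-asset pairs with at least one vulnerability, as (threat, asset, count),
        ordered by threat priority then asset priority (this ordering is the example's choice)."""
        return [
            (self.threats[t - 1], self.assets[a - 1], len(vulns))
            for (t, a), vulns in sorted(self._vulns.items())
            if vulns
        ]

    def render(self) -> str:
        """Plain-text grid of the worksheet for printing."""
        head = "T \\ A".ljust(22) + "".join(f"A{i + 1} {a}".ljust(28)
                                             for i, a in enumerate(self.assets))
        rows = [head]
        for i, t in enumerate(self.threats):
            rows.append(f"T{i + 1} {t}".ljust(22)
                        + "".join(self.cell(t, a).ljust(28) for a in self.assets))
        return "\n".join(rows)


def build_sample() -> TVAWorksheet:
    """Constructed sample: two prioritized assets and two prioritized threats."""
    ws = TVAWorksheet(
        assets=["customer database", "public website"],
        threats=["ransomware", "distributed denial of service"],
    )
    ws.add_vulnerability("ransomware", "customer database",
                         "backup share writable from user workstations")
    ws.add_vulnerability("ransomware", "customer database",
                         "database host missing recent security updates")
    ws.add_vulnerability("distributed denial of service", "public website",
                         "no rate limiting at the network edge")
    return ws


if __name__ == "__main__":
    sample = build_sample()
    print(sample.render())
    print(sample.dangerous_pairs())
```

Because the lists are ordered by priority, the first dangerous pair returned is always the one involving the highest-priority threat, which is where the risk assessment that follows the worksheet should start.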
