
INFO SEC CAT1

Published by shreyaaskate, 2021-05-14 22:02:36


Student Handbook – Security Analyst SSC/N0901

UNIT I: Information Security and Threats

This unit covers:
Lesson Plan
1.1. Information Security
1.2. Information Assets & Threats (Virus, Worms, Trojans, Other Threats, Network Attacks)

Lesson Plan

Outcomes
To be competent, you must be able to:
PC2. monitor systems and apply controls in line with information security policies, procedures and guidelines.
You need to know and understand:
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use them.
KB1. fundamentals of information security and how to apply these, including:
• networks
• communication
• application security

Performance Ensuring Measures
PC2: peer group, faculty group and industry experts' evaluation.
KA4, KA5: peer group, faculty group and industry experts' evaluation.
KB1 - KB4: group and faculty evaluation based on anticipated checklists and outcomes; reward points to be allocated to groups.

Work Environment / Lab Requirement
PCs/tablets/laptops
Projection facilities
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Access to all security sites like ISO, PCI DSS, Centre for Internet Security etc.

Lesson: Introduction to Information Security

With the pervasive growth and use of digital information, much of which is confidential, there has also been growth in incidents of information theft, including cyber attacks by hackers. This has happened both in governments and in private companies, and it has created the need for the position of information security analyst.

Information security analysts are responsible for keeping information safe from data breaches using a variety of tools and techniques. They protect information stored on computer networks, in applications and elsewhere, using specialised software that lets them keep track of who can access data and who has accessed it. They may also perform investigations to determine whether data has been compromised, the extent of the compromise and the vulnerabilities involved. Someone in an entry-level position may operate the software that monitors and analyses information. At senior levels, one may carry out investigative work to determine whether a security breach has occurred. At higher levels still, people design the systems and architecture that address these vulnerabilities.

The field of information security has seen significant growth in recent times, and the number of job opportunities in this area is likely to increase in the near future. Recent incidents of information theft from large companies like Target, Sony and Citibank have shown the risks and challenges of this field and the growing need for information security professionals. We are now witnessing a rising background level of data leakage from governments, businesses and other organisations, families and individuals.

A large part of an information security analyst's work involves monitoring data use and access on a computer network. Security analysts focus on three main areas:
1. risk assessment (identifying risks or issues an organization may face)
2. vulnerability assessment (determining an organization's weaknesses to threats)
3. defense planning (designing the protection architecture and installing security systems such as firewalls and data encryption programs)

Information security analysts can find themselves working with IT companies, financial and utility companies and consulting firms. They may also find positions with government organizations. Any company or organization with data to protect may hire information security analysts, so they could find themselves working at a wide variety of institutions. A number of companies operate 'Security Operation Centres (SOCs)' that deliver security services either for their own (captive) operations or for clients.

Why information security?
With the pervasive growth and use of digital information, much of which is confidential, there has also been a growth in incidents of information theft, including cyber-attacks by hackers. This has happened both in governments and in private companies, and has made it necessary to keep information safe from data breaches using a variety of tools and techniques.

Role of a security analyst in information technology
• Protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
• Perform investigations to determine whether data has been compromised, the extent of the compromise and the related vulnerabilities.
• Ensure the confidentiality, integrity and availability of data to the 'right' users within and outside the organization.
• Risk assessment (identifying risks or issues an organization may face).
• Vulnerability assessment (determining an organization's weaknesses to threats).
• Defense planning (designing the protection architecture and installing security systems such as firewalls and data encryption programs).

Major Skills of a Security Analyst
• Understanding security policy
• Data & traffic analysis
• Identifying security events: how and when to alarm
• Incident response foundation and background
• Network infrastructure knowledge
• Diverse device configuration ability
• Security configuration knowledge
• Data management & teamwork

Challenges for a Security Analyst
• Not tied to a product or solution
• Complex knowledge: no single process or product solution is the correct one
• A diverse set of skills is needed

Information Assets & Threats

Security concerning IT and information is normally divided into three categories to facilitate the management of information:

Confidentiality: prevention of unauthorized disclosure or use of information assets.
Integrity: prevention of unauthorized modification of information assets.
Availability: ensuring authorized access to information assets when required, for the duration required.

Threats to information assets
Risk is the potential for a threat to cause a failure in the confidentiality, integrity or availability of an information system; the process of understanding and responding to the factors that may lead to such a failure constitutes risk management. The key concerns in information asset security are:
• theft
• fraud/forgery
• unauthorized information access
• interception or modification of data and data management systems
These concerns materialise in the event of a breach caused by the exploitation of a vulnerability.

Vulnerabilities
A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. 'Threat agent' or 'threat actor' refers to the intent and method targeted at the intentional exploitation of a vulnerability, or to a situation and method that may accidentally trigger it. A 'threat vector' is a path or tool that a threat actor uses to attack the target. 'Threat targets' are anything of value to the threat actor, such as a PC, laptop, PDA, tablet, mobile phone, online bank account or identity.

Threat classification
Microsoft has proposed a threat classification called STRIDE, from the initials of the threat categories:
• Spoofing of user identity
• Tampering
• Repudiation
• Information disclosure (privacy breach or data leak)
• Denial of Service (DoS)
• Elevation of privilege

Threat agents (individuals and groups) can be classified as follows:
• Non-target specific: computer viruses, worms, Trojans and logic bombs.
• Employees: staff, contractors, operational/maintenance personnel or security guards who are annoyed with the company.
• Organized crime and criminals: criminals target information that is of value to them, such as bank accounts, credit cards or intellectual property that can be converted into money. Criminals will often make use of insiders to help them.
• Corporations: corporations engaged in offensive information warfare or competitive intelligence. Partners and competitors come under this category.
• Unintentional human error: accidents, carelessness etc.
• Intentional human error: insider, outsider etc.
• Natural: flood, fire, lightning, meteor, earthquakes etc.

Types of attacks
• Virus
A virus is a malicious program able to inject its code into other programs/applications or data files; the targeted areas become "infected". Installation of a virus is done without the user's consent, and it spreads in the form of executable code transferred from one host to another. Types of viruses include resident virus, non-resident virus, boot sector virus, macro virus, file-infecting virus (file-infector), polymorphic virus, metamorphic virus, stealth virus, companion virus and cavity virus.
• Worm
A worm is a category of malicious program that exploits operating system vulnerabilities to spread itself. In its design a worm is quite similar to a virus, and is even considered a sub-class of virus. Unlike viruses, though, worms can reproduce/duplicate and spread by themselves; during this process a worm does not need to attach itself to any existing program or executable. Worms are classified by their method of spread into email worms, internet worms, network worms and multi-vector worms.
• Trojan
Computer Trojans or Trojan horses are named after the mythological Trojan horse owing to their similarity in operating strategy. Trojans are a type of malware that masquerades as a non-malicious, even useful application, but actually damages the host computer after installation. Unlike viruses, Trojans do not self-replicate; they rely on end-user intervention to be installed.

Types of Virus
Depending on the virus "residence", we can classify viruses in the following way:
Resident virus - a virus that embeds itself in the memory of the target host. In this way it becomes activated every time the OS starts or executes a specific action.
Non-resident virus - when executed, this type of virus actively seeks targets for infection on local, removable or network locations. After infecting them it exits, so it does not reside in memory any more.
Boot sector virus - _____________________________________________________________________________
Macro virus - a virus written in a macro language and embedded in Word, Excel, Outlook etc. documents. This type of virus is executed as soon as the document that contains it is opened, because macro execution within those documents was, under normal circumstances, automatic. (Current Office versions disable macros from untrusted sources by default, so this type now depends on the user being persuaded to enable them.)

Another classification of viruses results from their characteristics:
File-infecting virus (file-infector) - this is the classic form of virus. When the infected file is executed, the virus seeks out other files on the host and infects them with malicious code. The malicious code is inserted either at the beginning of the host file code (prepending virus), in the middle (mid-infector) or at the end (appending virus). A specific type of virus called a "cavity virus" can even inject its code into the gaps in the file structure itself.
The start point of the file's execution is changed to the start of the virus code, to ensure that the virus runs when the file is executed. Afterwards, control may or may not be passed to the original program. Depending on the infection routine, the host file may otherwise become corrupted and completely non-functional. More sophisticated viral forms allow the host program to execute while trying to hide their presence completely (see polymorphic and metamorphic viruses).
Polymorphic virus - _____________________________________________________________________________
Metamorphic virus - this virus is capable of rewriting its own code with each infection. The rewriting process makes each infection appear different, but the functionality of the code remains the same. The metamorphic nature of this virus type also makes it possible to infect executables for two or more different operating systems, or even different computer architectures. Metamorphic viruses are among the most complex to build and very difficult to detect.
Stealth virus - a memory-resident virus that uses various mechanisms to avoid detection. This can be achieved, for example, by removing itself from the infected files and placing a copy of itself in a different location. The virus can also maintain a clean copy of the infected files in order to hand it to the antivirus engine for scanning while the infected version remains undetected. Furthermore, stealth viruses actively work to conceal any traces of their activity and of the changes made to files.
Armored virus - _____________________________________________________________________________
Multipartite virus - this attempts to attack both executable files and the master boot record of the drive at the same time. This type may be tricky to remove: even when the executables are clean, it can re-infect the system all over again from the boot sector if that was not cleaned as well.
Camouflage virus - this virus type is able to present itself to antivirus software as a harmless program. Where the virus has code similar to that of legitimate, non-infected files, the antivirus application is tricked into treating it as the legitimate program. This works only against basic, signature-based antivirus software.
Nowadays antivirus solutions have become more elaborate, so camouflage viruses are quite rare and not a serious threat owing to the ease of their detection.
Companion virus - _____________________________________________________________________________
Cavity virus - unlike traditional viruses, the cavity virus does not attach itself to the end of the infected file but instead uses the empty spaces that exist within the program file itself (for a variety of reasons). This way the length of the program code is not changed and the virus can more easily avoid detection: a check that only compares file sizes against a baseline will miss it, although a cryptographic hash of the file still changes. In most cases the injection does not impact the functionality of the host file at all. Cavity viruses are quite rare, though.
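The paragraphs above on file-infectors, polymorphic and metamorphic code, camouflage and cavity viruses all turn on one question: what does a defender's detector actually see? The following Python script is an added example (not part of the handbook) that builds harmless, constructed sample bytes standing in for a program and a virus body, "infects" the program in appending, cavity and XOR-recoded polymorphic fashion, and then runs two detectors over the results: a fixed byte-signature scan and a size-plus-SHA-256 integrity baseline. The program bytes, the virus body, the signature and the XOR keys are all invented for the demo.

```python
"""Toy illustration of why signature scanning fails against polymorphic
code while integrity checking does not.  Added example for this handbook,
not taken from it; all byte strings below are constructed sample data,
not real malware."""
import hashlib

# Constructed "clean" program body (padding + a marker + a run of zero
# bytes that will serve as the cavity) and a constructed marker standing
# in for a virus body.  Both are arbitrary bytes chosen for the demo.
CLEAN_PROGRAM = b"\x90" * 64 + b"HELLO-WORLD-PROGRAM" + b"\x00" * 32
VIRUS_BODY = b"VIRUS-PAYLOAD-0001"

# A signature-based scanner looks for a fixed byte pattern.
SIGNATURE = VIRUS_BODY


def appending_infect(host: bytes) -> bytes:
    """Appending infector: virus body is glued to the end, length grows."""
    return host + VIRUS_BODY


def cavity_infect(host: bytes) -> bytes:
    """Cavity infector: overwrite a run of 0x00 padding inside the host so
    the total length stays the same."""
    gap = host.find(b"\x00" * len(VIRUS_BODY))
    if gap < 0:
        raise ValueError("no cavity large enough")
    return host[:gap] + VIRUS_BODY + host[gap + len(VIRUS_BODY):]


def polymorphic_infect(host: bytes, key: int) -> bytes:
    """Polymorphic infector: the same body is XOR-encoded with a per-copy
    key, so the stored bytes differ on every infection while the decoded
    behaviour is identical.  A real polymorphic virus also carries a
    decoder routine; here the 1-byte key prefix stands in for that stub."""
    encoded = bytes(b ^ key for b in VIRUS_BODY)
    return host + bytes([key]) + encoded


def signature_scan(sample: bytes) -> bool:
    """Return True if the fixed signature occurs anywhere in the sample."""
    return SIGNATURE in sample


def integrity_baseline(files: dict[str, bytes]) -> dict[str, tuple[int, str]]:
    """Record (size, sha256) per file name, as a file-integrity tool would."""
    return {name: (len(data), hashlib.sha256(data).hexdigest())
            for name, data in files.items()}


def integrity_check(baseline, files):
    """Return (names whose size changed, names whose hash changed)."""
    size_changed, hash_changed = [], []
    for name, data in files.items():
        size, digest = baseline[name]
        if len(data) != size:
            size_changed.append(name)
        if hashlib.sha256(data).hexdigest() != digest:
            hash_changed.append(name)
    return size_changed, hash_changed


def demo() -> dict:
    """Run every infector against the clean program and report what each
    detection approach sees."""
    base = integrity_baseline({"prog.bin": CLEAN_PROGRAM})
    variants = {
        "appending": appending_infect(CLEAN_PROGRAM),
        "cavity": cavity_infect(CLEAN_PROGRAM),
        "poly-key-0x5a": polymorphic_infect(CLEAN_PROGRAM, 0x5A),
        "poly-key-0xa7": polymorphic_infect(CLEAN_PROGRAM, 0xA7),
    }
    report = {}
    for name, data in variants.items():
        size_changed, hash_changed = integrity_check(base, {"prog.bin": data})
        report[name] = {
            "signature_hit": signature_scan(data),
            "size_changed": bool(size_changed),
            "hash_changed": bool(hash_changed),
        }
    return report


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} {result}")
```

The report shows the pattern the text describes: the signature catches the appending and cavity copies but misses both polymorphic copies, because the stored bytes differ per key; the cavity copy defeats the size check but not the hash; and the hash baseline flags every variant, which is why file-integrity monitoring of known-good binaries complements signature scanning rather than replacing it.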

Let us discuss a recent news item about a new version of a notorious piece of ransomware, detected by cyber experts, which takes over a system until money is paid as ransom. Version 2.0 of the TeslaCrypt ransomware encryptor family, experts say, is notorious for infecting the computers of gamers. The malicious program is now targeting online consumers and businesses via email attachments that block access to a computer system until a sum of money, specifically in dollars, is paid as ransom. If the victim delays, the ransom is doubled. Detected in February 2015, TeslaCrypt began infecting systems in the US, Europe and Southeast Asian countries. It then appeared in Indian cities including Delhi and Mumbai. Two businessmen from Agra were targeted this year, from whom the extortionist demanded more than $10,000. In the last six months, two cases were reported in Agra where the malware locked down its victims' most important files and held them hostage in exchange for a ransom to unlock them.
Source: News Articles

Types of Worms
The most common categorization of worms relies on the method by which they spread:
Email worms: spread through email messages, especially those with attachments.
Internet worms: spread directly over the internet by exploiting access to open ports or system vulnerabilities.
Network worms: spread over open and unprotected network shares.
Multi-vector worms: have two or more different spreading capabilities.

Types of Trojans
Computer Trojans or Trojan horses are named after the mythological Trojan horse of the Trojan War, in which the Greeks gave a giant wooden horse to their foes, the Trojans. As soon as the Trojans dragged the horse inside their city walls, Greek soldiers sneaked out of the horse's hollow belly and opened the city gates, allowing their army to capture Troy.
A computer Trojan horse works in a way that is very similar to this strategy: it is a type of malware that masquerades as a non-malicious, even useful application, but actually damages the host computer after installation. Trojans do not self-replicate (this is their key difference from a virus) and usually require end-user intervention to be installed, which in most scenarios happens because the user has been tricked into believing that the program being installed is legitimate (this is very often connected with social engineering attacks on end users). Another common method is for the Trojan to be spammed as an email attachment or as a link in an email. A similar method has the Trojan arriving as a file or link in an instant messaging client. Trojans can also be spread by means of drive-by downloads, or be downloaded and dropped by other Trojans or by legitimate programs that have been compromised.

The results of Trojan activity can vary greatly, from low-impact ones that only change the wallpaper or desktop icons, through Trojans that open backdoors on the computer and allow other threats to infect the host or give a hacker remote access to the targeted system, to Trojans that cause serious damage on the host by deleting files or destroying the data on the system in various ways (such as formatting the drive or causing a BSOD). Such Trojans are usually stealthy and do not advertise their presence on the computer.

Trojans can be classified by the function they perform and by the way they breach systems. An important thing to keep in mind is that many Trojans have multiple payload functions, so any such classification provides only a general overview and not a strict boundary. Some of the most common Trojan types are:

Remote Access Trojan (RAT) aka Backdoor Trojan - this type of Trojan opens a backdoor on the targeted system to allow the attacker remote access to, or even complete control over, the system. It is the most widespread type and often has various other functions as well. It may be used as an entry point for a DoS attack, or for admitting worms or other Trojans to the system. A computer with a sophisticated backdoor program installed may also be referred to as a "zombie" or a "bot", and a network of such bots as a "botnet". Backdoor Trojans are generally created by organised malware authors who aim to make money from their efforts. These Trojans can be highly sophisticated and can require more work to implement than some of the simpler malware seen on the Internet.
Trojan-DDoS - this Trojan is installed simultaneously on a large number of computers in order to create a zombie network (botnet) of machines that can be used as attackers in a DDoS attack on a particular target.
Trojan-Proxy - _____________________________________________________________________________
Trojan-FTP - this Trojan is designed to open FTP ports on the targeted machine to allow a remote attacker access to the host. Furthermore, the attacker can then access network shares or connections to spread other threats further.
Destructive Trojan - this is designed to destroy or delete data. It is much like a virus.
Security Software Disabler Trojan - this is designed to stop security programs like antivirus solutions, firewalls or IPS, either by disabling them or by killing their processes. This functionality is often combined with a destructive Trojan that executes data deletion or corruption only after the security software is disabled. Security Software Disablers are entry Trojans that allow the next level of attack on the targeted system.
Info Stealer (Data Sending/Stealing Trojan) - this Trojan is designed to gather confidential or sensitive information from the compromised host and send it to a predefined location (the attacker). The stolen data comprises login details, passwords, PII, credit card information etc.

Data-sending Trojans can be designed to look for specific information only, or can be more generic, like keylogger Trojans. Nowadays more than ever, attackers are concentrating on compromising end users for financial gain, and the information stolen with an info stealer Trojan is often sold on the black market. Info stealers gather information using several techniques, most commonly logging keystrokes, taking screenshots and webcam images, and monitoring internet activity, often for specific financial websites. The stolen information may be stored locally so that it can be retrieved later, or it can be sent to a remote location where it can be accessed by the attacker. It is often encrypted before being posted to the malware author.
Keylogger Trojan - a type of data-sending Trojan that records every keystroke of the end user. This kind of Trojan is used to steal sensitive information from the targeted host and send it back to the attacker. For these Trojans the goal is to collect as much data as possible, without any direct specification of what the data will be.
Trojan-PSW (Password Stealer) - a type of data-sending Trojan designed specifically to steal passwords from the targeted system. In its execution routine, the Trojan will very often first drop a keylogging component onto the infected machine.
Trojan-Banker - a Trojan designed specifically to steal online banking information, allowing the attacker further access to bank account or credit card information.
Trojan-IM - a type of data-sending Trojan designed specifically to steal data or account information from instant messaging programs like MSN, Skype etc.
Trojan-Game Thief - a Trojan designed to steal information about online gaming accounts.
Trojan Mail Finder - a Trojan used to harvest any email addresses found on the infected computer. The address list is then forwarded to the remote attacker.
Trojan-Dropper - _____________________________________________________________________________
Trojan-Downloader - a Trojan that can download other malicious programs to the target computer. Very often combined with the functionality of a Trojan-Dropper. Most downloaders encountered will attempt to download content from the internet rather than the local network. To achieve its primary function, a downloader must run on a computer that is inadequately protected and connected to a network.
Trojan-FakeAV - _____________________________________________________________________________
This type of Trojan is aimed either at extorting money for the removal of a "non-existent" threat or, in other cases, the installation of the program itself injects other malware into the host machine. FakeAV applications perform fake scans with variable results, but always detect at least one malicious object. They may also drop files that are then 'detected'. FakeAV applications are constantly updated with new interfaces so that they mimic legitimate anti-virus solutions and appear very professional to end users.
Trojan-Spy - this Trojan has functionality similar to the Info stealer or Trojan-PSW; its purpose is to spy on the actions executed on the target host. These can include tracking data entered via keystrokes, collecting screenshots, listing active processes/services on the host or stealing passwords.
Trojan-ArcBomb - _____________________________________________________________________________

Trojan-Clicker or Trojan-AdClicker - a Trojan that continuously attempts to connect to specific websites in order to boost the visit counters on those sites. More specific functionality can include generating traffic to pay-per-click web advertising campaigns in order to create or boost revenue.
Trojan-SMS - a Trojan used to send text messages from infected mobile devices to premium-rate phone numbers.
Trojan-Ransom (Trojan-Ransomlock) aka Ransomware Trojan - _____________________________________________________________________________
Cryptolock Trojan (Trojan.Cryptolocker) - a variation of ransomware Trojan that emerged in 2013. Unlike a Ransomlock Trojan (which only locks the computer screen or some part of the computer's functionality), the Cryptolock Trojan encrypts and locks individual files. While Cryptolocker uses common Trojan spreading techniques like spam email and social engineering in order to infect victims, the threat itself uses more sophisticated techniques, such as public-key cryptography with RSA 2048-bit encryption, so that the files cannot be recovered without the attacker's private key.

In another incident, detected by Kaspersky Lab in Pune, the TeslaCrypt ransomware encryptor family exhibited curious behaviour. Version 2.0 of the Trojan, notorious for infecting computer gamers, displays an HTML page in the web browser which is an exact copy of CryptoWall 3.0, another notorious ransomware program. TeslaCrypt was detected in February 2015 and the new ransomware Trojan immediately gained notoriety as a menace to computer gamers. Amongst other types of target files, it tries to encrypt typical gaming files: game saves, user profiles, recorded replays etc. That said, TeslaCrypt does not encrypt files that are larger than 268 MB. A few more examples of ransomware Trojans are CryptoLocker, CryptoWall, CoinVault, TorLocker and CTB-Locker.
Source: News articles
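Ransomware of the Cryptolocker/TeslaCrypt kind replaces readable files with ciphertext, and ciphertext is close to uniformly random bytes. The Python script below is an added example (not from the handbook or from any vendor) showing the entropy heuristic defenders use to catch that change: Shannon entropy per file, a renamed-extension check, and a burst rule so that a single compressed archive does not raise an alert. The directory snapshot, the file names, the suffix list and the 7.5 bits/byte threshold are assumptions for the demo, and the "ciphertext" is a SHA-256 counter stream used only to produce high-entropy sample data.

```python
"""Entropy heuristic for spotting mass file encryption of the kind
described for Cryptolocker/TeslaCrypt.  Added example, not code from the
handbook; the file contents and names below are constructed."""
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, 8.0 maximum."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def pseudo_ciphertext(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output.
    This is a SHA-256 counter stream used only to build sample data; it is
    not an encryption scheme."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


# Ransomware families typically append or swap extensions.  These suffixes
# are assumptions for the demo, not a verified indicator list.
SUSPICIOUS_SUFFIXES = (".ecc", ".ezz", ".locked", ".crypt")
ENTROPY_THRESHOLD = 7.5   # assumption: text and office documents sit well below this


def assess_file(name: str, data: bytes) -> dict:
    """Score one file: entropy, suspicious suffix, and a verdict."""
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "entropy": round(entropy, 2),
        "suspicious_suffix": name.lower().endswith(SUSPICIOUS_SUFFIXES),
        # Tiny files give unreliable entropy, so require a minimum size.
        "likely_encrypted": entropy >= ENTROPY_THRESHOLD and len(data) >= 256,
    }


def triage(files: dict[str, bytes], burst_threshold: int = 3) -> dict:
    """Triage a directory snapshot.  A single high-entropy file (zip, jpeg)
    is normal; several of them appearing with renamed extensions is the
    pattern worth alerting on."""
    results = [assess_file(n, d) for n, d in files.items()]
    encrypted = [r for r in results if r["likely_encrypted"]]
    renamed = [r for r in encrypted if r["suspicious_suffix"]]
    return {
        "files": results,
        "encrypted_count": len(encrypted),
        "alert": len(renamed) >= burst_threshold,
    }


def sample_snapshot() -> dict[str, bytes]:
    """Constructed picture of a user directory after an attack: two intact
    documents and three game-save files that have been 'encrypted'."""
    report_text = b"Quarterly report\n" + b"Revenue grew 4% on the year. " * 40
    snapshot = {"notes.txt": report_text, "budget.csv": b"item,cost\n" * 50}
    for i in range(3):
        name = f"savegame{i}.dat.ecc"
        snapshot[name] = pseudo_ciphertext(name.encode(), 4096)
    return snapshot


if __name__ == "__main__":
    result = triage(sample_snapshot())
    for r in result["files"]:
        print(f"{r['name']:20s} entropy={r['entropy']:.2f} "
              f"encrypted={r['likely_encrypted']} suffix={r['suspicious_suffix']}")
    print("ALERT" if result["alert"] else "no alert")
```

Entropy alone is a weak signal, since compressed archives and images are also high-entropy, which is why the triage alerts only when several high-entropy files with ransomware-style suffixes appear together. The 268 MB limit mentioned above is the kind of detail a real rule would also encode: very large files may stay readable while everything around them is encrypted.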

Other security threats
Malware refers to software such as viruses, spyware, adware, worms, Trojans, ransomware etc., designed to cause damage to a targeted computer or a certain degree of operational disruption.
Rootkit - malicious software designed to hide certain processes or programs from detection. It usually acquires and maintains privileged system access while hiding its presence at the same time, and acts as a conduit by providing the attacker with a backdoor to the system.
Spyware - software that monitors and collects information about a particular user, computer or organisation without the user's knowledge. There are different types of spyware, namely system monitors, Trojans (keyloggers, banker Trojans, info stealers), adware, tracking cookies etc.
Tracking cookies - a specific type of cookie that is distributed, shared and read across two or more unrelated websites for the purpose of gathering information or potentially presenting customized content to you.
Riskware - a term used to describe potentially dangerous software whose installation may pose a risk to the computer.
Adware - in general terms, adware is software that generates or displays certain advertisements to the user. This kind of adware is very common in freeware and shareware software and can analyse the end user's internet habits and then tailor the advertisements to the user's interests.
Scareware - a class of malware that includes both ransomware (Trojan.Ransom) and FakeAV software. Also well known under the names "Rogue Security Software" or "Misleading Software". This kind of software tricks the user into believing that the computer has been infected and offers paid solutions to clean the "fake" infection.
Spam - the term used to describe unsolicited or unwanted electronic messages, especially advertisements. The most widely recognized form of spam is email spam.
Creepware - a term used to describe activities like spying on others through their webcams (very often combined with capturing pictures), tracking the online activities of others, listening to conversations over the computer's microphone, and stealing passwords and other data.
Blended threat - an exploit that combines elements of multiple types of malware components. The use of multiple attack vectors and payload types aims to increase both the severity of the damage caused and the speed of spreading.

In 1983, this person was the first to offer a definition of 'Computer Virus'...
A. COHEN
B. NORTON
C. SMITH
D. McAFEE
ANSWER: …………………………………………………………..

Network attacks
A network attack is usually defined as an intrusion on the network infrastructure that first analyses the environment and collects information in order to exploit existing open ports or vulnerabilities. This may include unauthorized access to organisational resources.
Characteristics of network attacks:
Passive attacks: attacks whose purpose is only to learn and obtain information from the system; system resources are not altered or disabled in any way.
Active attacks: in this type of network attack, the perpetrator accesses and either alters, disables or destroys resources or data.
Outside attack: when the attack is performed from outside the organization by an unauthorized entity, it is said to be an outside attack.
Inside attack: if the attack is performed from within the company by an "insider" who already has certain access to the network, it is considered an inside attack.
Others, such as attacks targeting end users (like phishing or social engineering): these are not directly referred to as network attacks, but are important to know about because of their widespread occurrence.

What types of attack are there?

- Social engineering
- Phishing attack
- Social phishing
- Spear phishing attack
- Watering hole attack
- Whaling
- Vishing (voice phishing or VoIP phishing)
- Port scanning
- Spoofing
- Network sniffing
- DoS attack* & DDoS attack**
- ICMP smurf attack
- Buffer overflow
- Botnet
- Man-in-the-middle attack
- Session hijacking attack
- Cross-site scripting attack (XSS attack)
- SQL injection attack
- Bluetooth related attacks

*Denial of Service Attack
**Distributed Denial of Service Attack

Social engineering – the psychological manipulation of people (employees of a company) into performing actions that potentially lead to the leak of the company's proprietary or confidential information, or that otherwise cause damage to company resources, personnel or the company's image. Social engineers use various strategies to trick users into disclosing confidential information, data or both. One very common technique used by social engineers is to pretend to be someone else: an IT professional, a member of the management team, a co-worker, an insurance investigator or even a member of a governmental authority. The mere fact that the person appears to be one of these is meant to convince the victim that the person has the right to know confidential or otherwise secured information. The purpose of social engineering remains the same as the purpose of hacking: gaining unauthorized access to confidential information, data theft, industrial espionage or environment/service disruption.

Phishing attack – this type of attack uses social engineering techniques to steal confidential information. The most common purpose of such an attack is to obtain the victim's banking account details and credentials. Phishing attacks tend to use schemes involving spoofed emails sent to users that lead them to malware-infected websites designed to appear as real online banking websites. Emails received by users will in most cases look authentic, as if sent from sources known to the user (very often with the appropriate company logo and localised information). These emails contain a direct request to verify some account information, credentials or credit card numbers by following the provided link and confirming the information online. The request is accompanied by a threat that the account may be disabled or suspended if the mentioned details are not verified by the user.

Social phishing – in recent years, phishing techniques have evolved to include social media like Facebook or Twitter. This type of phishing is often called social phishing. The purpose

remains the same – to obtain confidential information and gain access to personal files. The means of the attack are a bit different, though, and include special links or posts placed on social media sites that attract the user with their content and convince them to click. The link then redirects to a malicious website or similar harmful content. The websites can mirror legitimate Facebook pages so that an unsuspecting user does not notice the difference. The website requires the user to log in with his or her real information; at this point the attacker collects the credentials, gaining access to the compromised account and all data on it. Another scenario involves fake apps: users are encouraged to download and install apps that contain malware used to steal confidential information.

Facebook phishing attacks are often much more elaborate. Consider the following scenario: a link posted by an attacker can include a picture or phrase that attracts the user to click on it. The user clicks and is redirected to a mirror website that asks him or her to like the post before even viewing it. The user, not suspecting any harm, clicks the "like" button but does not realise that the "like" button has been spoofed and is in reality the "accept" button granting the fake app access to the user's personal information. At this point, data is collected and the account is compromised.

Spear phishing attack – a type of phishing attack targeted at specific individuals, groups of individuals or companies. Spear phishing attacks are performed mostly with the primary purpose of industrial espionage and theft of sensitive information, while ordinary phishing attacks are directed against the wide public with the intent of financial fraud. It has been estimated that in the last couple of years targeted spear phishing attacks have become more widespread than ever before.
The recommendations to protect your company against phishing and spear phishing include:
1. Never open or download a file from an unsolicited email, even from someone you know (you can call or email the person to double-check that it really came from them).
2. Keep your operating system updated.
3. Use a reputable anti-virus program.
4. Enable two-factor authentication whenever available.
5. Confirm the authenticity of a website prior to entering login credentials by looking for a reputable security trust mark.
6. Look for HTTPS in the address bar when you enter any sensitive personal information on a website, to make sure your data will be encrypted.

Watering hole attack – a more complex type of phishing attack. Instead of the usual way of sending spoofed emails to end users in order to trick them into revealing confidential information, attackers use a multi-staged approach to gain access to the targeted information. In the first step, the attacker profiles the potential victim, collecting information about his or her internet habits, history of visited websites, etc. In the next step the attacker uses that knowledge to inspect specific legitimate public websites for vulnerabilities. If any vulnerabilities or loopholes are found, the attacker compromises the website with his own malicious code. The

compromised website then waits for the targeted victim to come back and infects them with exploits (often for zero-day vulnerabilities) or malware. This is analogous to a lion waiting at the watering hole for its prey.

Whaling – a type of phishing attack specifically targeted at senior executives or other high-profile targets within a company.

Vishing (Voice Phishing or VoIP Phishing) – the use of social engineering techniques over the telephone system to gain access to confidential information from users. This phishing attack is often combined with caller ID spoofing, which masks the real source phone number and instead displays a number familiar to the phishing victim or a number known to belong to a real banking institution. Common vishing practice includes pre-recorded automated instructions requesting users to provide bank account or credit card information for verification over the phone.

Port scanning – an attack type where the attacker sends several requests to a range of ports on a targeted host in order to find out which ports are active and open, which allows them to exploit known service vulnerabilities related to specific ports. Port scanning can be used by malicious attackers to compromise security, as well as by IT professionals to verify network security.

Spoofing – a technique used to masquerade a person, program or address as another by falsifying data, with the purpose of gaining unauthorized access. A few of the common spoofing types include:

IP address spoofing – the process of creating IP packets with a forged source IP address to impersonate a legitimate system. This kind of spoofing is often used in DoS attacks (Smurf attack).

ARP spoofing (ARP poisoning) – the process of sending fake ARP messages on the network. The purpose of this spoofing is to associate the attacker's MAC address with the IP address of another legitimate host, causing traffic to be redirected to the attacker's host.
This kind of spoofing is often used in man-in-the-middle attacks.

DNS spoofing (DNS cache poisoning) – an attack where wrong data is inserted into a DNS server's cache, causing the DNS server to divert traffic by returning wrong IP addresses as results for client queries.

Email spoofing – the process of faking the email's sender "from" field in order to hide the real origin of the email. This type of spoofing is often used in spam mail or during phishing attacks.

Search engine poisoning – attackers take advantage of high-profile news items or popular events that may be of specific interest to a certain group of people to spread malware and viruses. This is performed by various methods whose purpose is to achieve the highest possible search ranking on known search portals for the malicious sites and links introduced by the hackers. Search engine poisoning techniques are often used to distribute rogue security products (scareware) to users searching for legitimate security solutions to download.
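The ARP poisoning described above can be caught by watching for an IP address that suddenly answers with a different MAC address. The following is an added example, not code from the handbook: a small binding tracker run over constructed ARP replies, where the record format and all addresses are assumptions.

```python
"""Detecting ARP cache poisoning from observed ARP replies.

Added example, not from the handbook. The watcher remembers the first
MAC address seen for each IP on the segment and raises an alert when a
later reply claims a different MAC for the same IP, which is exactly what
the poisoning described above has to do. Addresses and the record format
are constructed assumptions.
"""
from collections import defaultdict

# Constructed ARP replies in arrival order as (sender_ip, sender_mac).
# 192.168.1.1 is the gateway; the fourth reply re-maps it to another MAC.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "00:11:22:33:44:ff"),   # conflicting binding
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
]


class ArpWatcher:
    """Tracks IP -> MAC bindings and reports conflicting claims."""

    def __init__(self):
        self.bindings = {}                  # ip -> first MAC seen
        self.macs_per_ip = defaultdict(set)

    def observe(self, ip, mac):
        """Record one ARP reply; return an alert string, or None if the
        reply agrees with the binding already known for that IP."""
        mac = mac.lower()
        self.macs_per_ip[ip].add(mac)
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            return f"ARP conflict: {ip} was {known}, now claimed by {mac}"
        return None

    def conflicting_ips(self):
        """IPs for which more than one MAC has been claimed."""
        return sorted(ip for ip, macs in self.macs_per_ip.items()
                      if len(macs) > 1)


def scan_arp_replies(replies):
    """Run a fresh watcher over (ip, mac) pairs and collect all alerts."""
    watcher = ArpWatcher()
    alerts = []
    for ip, mac in replies:
        alert = watcher.observe(ip, mac)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in scan_arp_replies(SAMPLE_ARP_REPLIES):
        print(line)
```

Seed the bindings for the gateway and servers from a known-good source, since the first reply the watcher happens to see could itself be the attacker's.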

Network sniffing (packet sniffing) – the process of capturing data packets travelling on the network. Network sniffing can be used by IT professionals to analyse and monitor traffic, for example in order to find unexpected suspicious traffic, but also by perpetrators to collect data sent in clear text, which is easily readable with network sniffers (protocol analysers). The best countermeasure against sniffing is the use of encrypted communication between hosts.

Denial of Service attack (DoS attack) and Distributed Denial of Service attack (DDoS attack) – an attack designed to cause an interruption or suspension of the services of a specific host/server by flooding it with large quantities of useless traffic or external communication requests. When the DoS attack succeeds, the server is no longer able to answer even legitimate requests; this can be observed in a number of ways: slow response of the server, slow network performance, unavailability of software or web pages, inability to access data, websites or other resources. A Distributed Denial of Service attack (DDoS) occurs where multiple compromised or infected systems (a botnet) flood a particular host with traffic simultaneously.

Fig: DoS (denial-of-service) attack

A few of the most common DoS attack types:

ICMP flood attack (ping flood) – an attack that sends ICMP ping requests to the victim host without waiting for the answer, in order to overload it with ICMP traffic to the point where the host cannot answer any more, either because of network bandwidth congestion with ICMP packets (both requests and replies) or because of high CPU utilization caused by processing the ICMP requests. The easiest way to protect against the various types of ICMP flood attacks is either to disable propagation of ICMP traffic sent to the broadcast address on the router or to disable ICMP traffic at the firewall level.
Ping of Death (PoD) – this attack involves sending a malformed or otherwise corrupted malicious ping to the host machine, for example a PING with a size bigger than usual, which can cause a buffer overflow on the system that leads to a system crash.

Smurf attack – this works in the same way as the ping flood attack, with one major difference: the source IP address of the attacker host is spoofed with the IP address of another legitimate, non-malicious computer. Such an attack causes disruption both on the attacked host (receiving a large number of ICMP requests) and on the spoofed victim host (receiving a large number of ICMP replies).

Fig: ICMP Smurf Denial of Service

SYN flood attack – this attack exploits the way the TCP 3-way handshake works while a TCP connection is being established. In the normal process, the host computer sends a TCP SYN packet to the remote host requesting a connection. The remote host answers with a TCP SYN-ACK packet confirming that the connection can be made. As soon as this is received by the first, local host, it replies with a TCP ACK packet to the remote host. At this point the TCP socket connection is established. During a SYN flood attack, the attacker host, or more commonly several attacker hosts, send SYN packets to the victim host requesting a connection; the victim host responds with SYN-ACK packets, but the attacker hosts never respond with ACK packets. As a result the victim host reserves space for all those connections, still awaiting the remote attacker hosts to respond, which never happens. This

keeps the server with dead, open connections and in the end prevents legitimate hosts from connecting to the server any more.

Buffer overflow attack – in this type of attack the victim host is provided with traffic/data that is outside the processing specifications of the victim host, protocols or applications, overflowing the buffer and overwriting adjacent memory. One example is the Ping of Death attack mentioned above, where a malformed ICMP packet with a size exceeding the normal value can cause a buffer overflow.

Botnet – a collection of compromised computers that can be controlled by remote perpetrators to perform various types of attacks on other computers or networks. A known example of botnet usage is the distributed denial of service attack, where multiple systems submit as many requests as possible to the victim machine in order to overload it with incoming packets. Botnets can otherwise be used to send out spam, spread viruses and spyware, and also to steal personal and confidential information, which is afterwards forwarded to the botmaster.

Man-in-the-middle attack – a form of active monitoring or eavesdropping on victims' connections and on the communication between victim hosts. This form of attack involves interaction between both victim parties of the communication and the attacker. It is achieved by the attacker intercepting all parts of the communication, changing its content and sending it on as legitimate replies. Neither party is aware of the attacker's presence, and both believe the replies they get are legitimate. For this attack to be successful, the perpetrator must successfully impersonate at least one of the endpoints. This is possible if there are no protocols in place that secure mutual authentication or encryption during the communication process.
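Port scanning (described earlier) and the SYN flood described just above both leave a recognisable trace in connection records. The following added example, not code from the handbook, applies the two checks a defender would run over a constructed set of TCP segments; the thresholds, the record format and all addresses are assumptions.

```python
"""Spotting port scans and SYN floods in TCP connection records.

Added example, not from the handbook. Each record is a simplified observed
TCP segment (src_ip, dst_ip, dst_port, flags), with flags "S" = SYN,
"SA" = SYN-ACK and "A" = ACK. Two checks are applied:
  * port scan: one source sends SYNs to many distinct ports on one host;
  * SYN flood: many connections to one host stay half-open, i.e. the SYN
    was seen but no ACK completed the 3-way handshake.
Thresholds, the record format and all addresses are constructed assumptions.
"""
from collections import defaultdict

PORT_SCAN_THRESHOLD = 10   # distinct ports probed by one source on one host
HALF_OPEN_THRESHOLD = 20   # half-open connections towards one host

# Constructed sample traffic. A legitimate client completes its handshake,
# one host probes ports 1-15 on the server, and 25 spoofed sources each
# leave a connection half-open (the server's SYN-ACKs are never ACKed).
SAMPLE_SEGMENTS = [
    ("10.0.0.5", "10.0.0.80", 443, "S"),
    ("10.0.0.80", "10.0.0.5", 443, "SA"),
    ("10.0.0.5", "10.0.0.80", 443, "A"),
]
SAMPLE_SEGMENTS += [("10.0.0.99", "10.0.0.80", p, "S") for p in range(1, 16)]
SAMPLE_SEGMENTS += [(f"203.0.113.{i}", "10.0.0.80", 80, "S") for i in range(1, 26)]
SAMPLE_SEGMENTS += [("10.0.0.80", f"203.0.113.{i}", 80, "SA") for i in range(1, 26)]


def analyse(segments, scan_threshold=PORT_SCAN_THRESHOLD,
            flood_threshold=HALF_OPEN_THRESHOLD):
    """Return a list of findings: ("port_scan", src, dst, n_ports) and
    ("syn_flood", dst, n_half_open)."""
    syn_ports = defaultdict(set)   # (src, dst) -> ports that received a SYN
    half_open = {}                 # (src, dst, port) -> pending until ACK seen
    for src, dst, port, flags in segments:
        if flags == "S":
            syn_ports[(src, dst)].add(port)
            half_open[(src, dst, port)] = True
        elif flags == "A":
            # The client's final ACK completes the handshake: not half-open.
            half_open.pop((src, dst, port), None)

    findings = []
    for (src, dst), ports in syn_ports.items():
        if len(ports) >= scan_threshold:
            findings.append(("port_scan", src, dst, len(ports)))

    # Half-open SYN scan probes also count towards the target's half-open
    # total, which is what the victim's connection backlog actually sees.
    per_target = defaultdict(int)
    for (_src, dst, _port) in half_open:
        per_target[dst] += 1
    for dst, count in per_target.items():
        if count >= flood_threshold:
            findings.append(("syn_flood", dst, count))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_SEGMENTS):
        print(finding)
```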
Session hijacking attack – this attack exploits a valid computer session in order to gain unauthorized access to information on a computer system. The attack type is often referred to as cookie hijacking, as during its progress the attacker uses a stolen session cookie to gain access and authenticate to a remote server by impersonating the legitimate user.

Cross-site scripting attack (XSS attack) – the attacker exploits XSS vulnerabilities found in web server applications in order to inject a client-side script into the web page that can either point the user to a malicious website of the attacker or allow the attacker to steal the user's session cookie.

SQL injection attack – the attacker uses existing vulnerabilities in applications to inject code/strings for execution that exceed the allowed and expected input to the SQL database.

Bluetooth related attacks

Bluesnarfing – this kind of attack allows the malicious user to gain unauthorized access to information on a device through its Bluetooth connection. Any device with Bluetooth turned on and set to "discoverable" state may be prone to a bluesnarfing attack.

Bluejacking – this kind of attack allows the malicious user to send unsolicited (often spam) messages to Bluetooth-enabled devices.

Bluebugging – a hack attack on a Bluetooth-enabled device. Bluebugging enables the attacker to initiate phone calls on the victim's phone as well as read through the address book and messages, and eavesdrop on phone conversations.

Fig: Top Network Attacks as per McAfee Labs, 2015

A few recent cyberattacks (or network attacks) that shook some big businesses around the globe:

Premera Blue Cross, March 2015
The company, a health insurer based in Washington State, said up to 11 million customers could have been affected by a cyberattack last year. Hackers gained access to its computers on May 5, and the breach was not discovered until Jan. 29, Premera said. The breach could have exposed members' names, dates of birth, Social Security numbers, mailing and email addresses, phone numbers and bank account information. The company is working with the F.B.I. and a cybersecurity firm to investigate.

Anthem, February 2015
One of the nation's largest health insurers said that the personal information of tens of millions of its customers and employees, including its chief executive, was the subject of a very sophisticated external cyberattack. The company added that hackers were able to breach a database that contained as many as 80 million records of current and former customers, as well as employees. The information accessed included names, Social Security numbers, birthdays, addresses, email and employment information, including income data.

Sony Pictures, November 2014
A huge attack that essentially wiped clean several internal data centers and led to the cancellation of the theatrical release of "The Interview," a comedy about the fictional assassination of the North Korean leader Kim Jong-un. Contracts, salary lists, film budgets, entire films and Social Security numbers were stolen, including – to the dismay of top executives – leaked emails that included criticisms of Angelina Jolie and disparaging remarks about President Obama.

Staples, October 2014
The office supply retailer said hackers had broken into the company's network and compromised the information of about 1.16 million credit cards.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a catalogue of known security threats. The catalogue is sponsored by the United States Department of Homeland Security (DHS), and threats are divided into two categories: vulnerabilities and exposures. According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. For example, the vulnerability may allow an attacker to pose as a superuser or system administrator who has full access privileges. An exposure, on the other hand, is defined as a mistake in software code or configuration that provides an attacker with indirect access to a system or network. For example, an exposure may allow an attacker to secretly gather customer information that could be sold.

The catalogue's main purpose is to standardize the way each known vulnerability or exposure is identified. This is important because standard IDs allow security administrators to quickly access technical information about a specific threat across multiple CVE-compatible information sources.

CVE is sponsored by US-CERT, the DHS Office of Cybersecurity and Information Assurance (OCSIA). MITRE, a not-for-profit organization that operates research and development centres sponsored by the U.S. federal government, maintains the CVE catalogue and public website. It also manages the CVE Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE Numbering Authorities (CNAs).

Summary

Information security analysts protect information stored on computer networks, applications, etc., using special software that allows them to keep track of who can access and who has accessed data.

There are three categories of information technology and information security:
o confidentiality
o integrity
o availability

Key concerns in information asset security are theft, fraud/forgery, unauthorized information access, and interception or modification of data and data management systems.

A vulnerability is a weakness in an information system, system security procedures, internal controls or implementation that could be exploited or triggered by a threat source.

Microsoft has proposed a threat classification called STRIDE, from the initials of the threat categories.

Types of attacks: viruses, worms, Trojans and others.

A network attack is usually defined as an intrusion on the network infrastructure that first analyses the environment and collects information in order to exploit existing open ports or vulnerabilities. This may include unauthorized access to organisation resources.

The recommendations to protect against phishing and spear phishing include:
o Never open or download a file from an unsolicited email, even from someone you know.
o Keep your operating system updated.
o Use a reputable anti-virus program.
o Enable two-factor authentication whenever available.
o Confirm the authenticity of a website prior to entering login credentials.
o Look for HTTPS in the address bar when you enter any sensitive personal information on a website.

Practical activities:

Activity 1: List the various types of attacks, and find examples of each type of virus, Trojan, worm and other malware on the internet. Compare the list with your fellow students.

Activity 2: Find and study cases of attacks over the years and the impact of those attacks on the organisations where they occurred. Share details of the 2-3 most interesting ones in class.

Activity 3: Access the CVE catalogue and list all the types of information you can get from it. Present the same in class and elaborate upon the various ways in which that information can be used.

Check your understanding:

1. State the categories of security in IT security and information.

2. Explain how a virus is different from a Trojan horse.

3. State the reason why a Cavity virus is difficult to detect, unlike traditional viruses.

4. State True or False:
a) Trojans do not self-replicate.
b) Scareware is also known as "Rogue Security Software".

5. Explain what Riskware and Adware are.

6. List a few common network attacks.


UNIT II
Fundamentals of Information Security

This unit covers:
Lesson Plan
2.1 Elements of information security
2.2 Principles and concepts – data security
2.3 Types of controls

Lesson Plan

Outcomes:
To be competent, you must be able to:
PC3. carry out security assessment of information security systems using automated tools
PC8. provide inputs to root cause analysis and the resolution of information security issues, where required
You need to know and understand:
KA5. how to analyse root causes of information security issues
KA6. how to carry out information security assessments
KB4. how to identify and resolve information security vulnerabilities and issues

Performance Ensuring Measures:
QA session and a descriptive write-up on understanding. Peer group, faculty group and industry experts.
KA6, KA7, KA8: peer review with faculty with appropriate feedback.
KB1 – KB4: going through the security standards over the internet by visiting sites like ISO, PCI DSS etc., and understanding various methodologies and usage of algorithms.

Work Environment/Lab Requirement:
PCs/tablets/laptops
Availability of labs (24/7)
Internet with Wi-Fi (min 2 Mbps dedicated)
Networking equipment (routers & switches)
Firewalls and access points
Access to all security sites like ISO, PCI DSS etc.
Commercial tools like HP WebInspect and IBM AppScan etc.
Open source tools like sqlmap, Nessus etc.

Lesson: Elements of Information Security

Network Security

Network security refers to any activity designed to protect your network. Specifically, these activities protect the usability, reliability, integrity and safety of your network and data. Effective network security targets a variety of threats and stops them from entering or spreading on your network. No single solution protects you from every threat; you need multiple layers of security, so that if one fails, others still stand. Network security is accomplished through hardware and software. The software must be constantly updated and managed to protect you from emerging threats.

Wireless networks, which by their nature give access over the radio, are more vulnerable than wired networks and need to encrypt communications to deal with sniffing and to continuously check the identity of mobile nodes. The mobility factor adds more challenges to security, namely monitoring and maintaining secure traffic transport for mobile nodes. This concerns both homogeneous and heterogeneous (inter-technology) mobility; the latter requires homogenization of the security level of all networks visited by the mobile. From the terminal's side, it is important to protect its resources (battery, disk, CPU) against misuse and to ensure the confidentiality of its data. In an ad hoc or sensor network, it becomes essential to ensure the terminal's integrity, as it plays the dual role of router and terminal.

The difficulty of designing security solutions that address these challenges is not only to ensure robustness against potential attacks, or to ensure that they do not slow down communications, but also to optimize the use of resources in terms of bandwidth, memory, battery, etc. More importantly, in this open context the wireless network has to ensure anonymity and privacy while allowing traceability for legal reasons.

Indeed, the growing need for traceability is now necessary for the fight against criminal organizations and terrorists, but also to minimize the plundering of copyright. We therefore face a dilemma: providing a network that supports the free exchange of information while controlling the content of the communication to avoid harmful content. Actually, this concerns both wired and wireless networks. All these factors influence the selection and implementation of security tools, which are guided by a prior risk assessment and security policy.

Finally, we are increasingly thinking about trust models in the design of secured systems, which should offer a higher level of trust than classical security mechanisms, and it seems that future networks should implement both models: security and trust models. In fact, if communication nodes are capable of building and maintaining a predefined trust level in the network, then the communication system will be trustable all the time, thus allowing trusted and secure service deployment. However, such trust models are very difficult to design, and the trust level is generally a biased concept at present; it is very similar to the human-based trust model. Note that succeeding in building such trust models will allow infrastructure-based networks, but especially infrastructure-less or self-organized networks such as ad hoc sensor networks, to be trusted enough to deploy several applications. This will also have an impact on current business models, where the economic model would have to change in order to include new players in the telecommunication value chain

such as users offering their machines to build an infrastructure-less network. For example, in the context of ad hoc networks, we could imagine ad hoc users becoming distributors of content or providing other networked services, being a sort of service provider. In this case, an appropriate charging and billing system needs to be designed.

A network security system usually consists of many components. Ideally, all components work together, which minimizes maintenance and improves security. Network security components often include:
- Anti-virus and anti-spyware
- Firewall, to block unauthorized access to your network
- Intrusion Prevention Systems (IPS), to identify fast-spreading threats, such as zero-day or zero-hour attacks
- Virtual Private Networks (VPNs), to provide secure remote access

Communication security

Application Security

Application security (AppSec) is the use of software, hardware and procedural methods to protect applications from external threats. AppSec is the operational solution to the problem of software risk. AppSec helps identify, fix and prevent security vulnerabilities in any kind of software application, irrespective of its function, language or platform. As a best practice, AppSec employs proactive and preventative methods to manage software risk and to align an organization's security investments with the reality of today's threats. It has three distinct elements:
1) measurable reduction of risk in existing applications
2) prevention of the introduction of new risks
3) compliance with software security mandates

A software vulnerability can be defined as a programmatic function that processes critical data in an insecure way. These "holes" in an application can be exploited by a hacker, spy or cybercriminal as an entry point to steal sensitive, protected or confidential data.

The severity and frequency of cyber-attacks is increasing, which is making the practice of AppSec important. AppSec as a discipline is also becoming more complex as the variety of business software continues to proliferate. Here are some of the reasons why (and see if these sound familiar):

• Today's enterprise software comes from a variety of sources: in-house development teams, commercial vendors, outsourced solution providers and open source projects.
• Software developers have an endless choice of programming languages: Java, .NET, C++, PHP and more.
• Applications can be deployed across myriad platforms: installed to operate locally, over virtual servers and networks, accessed as a service in the cloud or run on mobile devices.

AppSec products must provide capabilities for managing security risk across all of these options, as each of these development and deployment options can introduce security vulnerabilities. An effective software security strategy addresses both immediate and systemic risk. The Application Security market has reached sufficient maturity to allow organizations of all sizes to follow a well-established roadmap:

• Begin with software security testing to find and assess potential vulnerabilities.
• Follow remediation procedures to prioritize and fix them.
• Train developers on secure coding practices.
• Leverage ongoing threat intelligence to keep up to date.
• Develop continuous methods to secure applications throughout the development life cycle.
• Instantiate policies and procedures that instill good governance.

Testing and remediation form the baseline response to insecure applications, but the critical element of a successful AppSec effort is ongoing developer training. Security-conscious development teams write robust code and avoid common errors. One example is data input validation, the process of ensuring that a program operates with clean, correct and useful data. Neglecting this important step, and failing to build in standard input validation rules or "check routines", leaves the application open to common attacks such as cross-site scripting and SQL injection.

When undertaken correctly, Application Security is an orderly process of reducing the risks associated with developing and running business-critical software. Properly managed, a good application security program will move your organization from a state of unmanaged risk and reactive security to effective, proactive risk mitigation.
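The input validation point above, as an added example that is not part of the handbook: a user lookup built by string concatenation beside its hardened form, which applies an allow-list "check routine" and then binds the value as a query parameter. The table rows and the probe string are constructed for the demonstration, and Python's standard-library sqlite3 stands in for a production database.

```python
"""Input validation plus parameterized queries for a user lookup.

Added example, not from the handbook: the 'before' query splices user input
into the SQL text; the hardened version applies an allow-list check routine
and binds the value as a parameter. The table rows and the probe string are
constructed for this demonstration; sqlite3 stands in for the real database.
"""
import re
import sqlite3

# Allow-list for user names: letters, digits, '_', '.', '-', 1 to 32 chars.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def setup_db():
    """Constructed sample data: two users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("gaurav", "gaurav@company.com"), ("priya", "priya@company.com")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """'Before' picture: the input becomes part of the SQL statement itself."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Parameter binding alone: the driver passes the value as data, so SQL
    metacharacters inside it can never change the statement's structure."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def validate_username(username):
    """Check routine: reject anything outside the allow-list before use."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def find_user_hardened(conn, username):
    """Defence in depth: validate first, then bind as a parameter."""
    return find_user_parameterized(conn, validate_username(username))


def demo():
    """Runs all three variants against one constructed probe; returns counts."""
    conn = setup_db()
    # Constructed probe: a quote that closes the literal plus a tautology.
    probe = "x' OR '1'='1"
    leaked = find_user_vulnerable(conn, probe)        # every row comes back
    literal = find_user_parameterized(conn, probe)    # no such user: no rows
    try:
        find_user_hardened(conn, probe)
        blocked = False
    except ValueError:
        blocked = True                                # rejected before the DB
    normal = find_user_hardened(conn, "gaurav")       # legitimate lookup
    return {
        "vulnerable_rows": len(leaked),
        "parameterized_rows": len(literal),
        "hardened_blocked": blocked,
        "normal_rows": len(normal),
    }


if __name__ == "__main__":
    print(demo())
```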

Communications Security

Communications Security (COMSEC) ensures the confidentiality and integrity of telecommunications, two information assurance (IA) pillars. Generally, COMSEC may refer to the security of any information that is transmitted, transferred or communicated. There are five COMSEC security types:

• Cryptosecurity: encrypts data, rendering it unreadable until it is decrypted.
• Emission Security (EMSEC): prevents the release or capture of emanations from equipment, such as cryptographic equipment, thereby preventing unauthorized interception.
• Physical Security: ensures the safety of, and prevents unauthorized access to, cryptographic information, documents and equipment.
• Traffic-Flow Security: hides messages and message characteristics flowing on a network.
• Transmission Security (TRANSEC): protects transmissions from unauthorized access, thereby preventing interruption and harm.

Principles and Concepts of Data Security

[Figure: Critical information characteristics (Confidentiality, Integrity, Availability) and information states (Transmission, Storage, Processing)]

Information States

Information has three basic states: at any given moment, information is being transmitted, stored or processed. The three states exist irrespective of the media in which information resides.

Information systems security concerns itself with the maintenance of three critical characteristics of information: confidentiality, integrity and availability. These attributes of information represent the full spectrum of security concerns in an automated environment. They are applicable to any organization, irrespective of its philosophical outlook on sharing information.

Prevention vs. detection

Security efforts to assure confidentiality, integrity and availability can be divided into those oriented to prevention and those focused on detection. The latter aims to rapidly discover and correct lapses that could not be (or at least were not) prevented. The balance between prevention and detection depends on the circumstances and the available security technologies.

Basic information security concepts:
• Identification
• Authentication
• Authorization
• Confidentiality
• Integrity
• Availability
• Non-repudiation

Identification is the first step in the 'identify-authenticate-authorize' sequence that is performed countless times every day by humans and computers alike when access to information or information processing resources is required. While the particulars of identification systems differ depending on who or what is being identified, some intrinsic properties of identification apply regardless of these particulars. Three of these properties are the scope, locality and uniqueness of IDs. Identification name spaces can be local or global in scope. To illustrate this concept, let's refer to the familiar notation of email addresses. While many email accounts named Gaurav may exist around the world, the email address gaurav@company.com unambiguously refers to exactly one such user in the company.com locality. Provided that the company in question is a small one and that only one employee is named Gaurav, his colleagues may refer to that particular person by using only his first name. That works because they are in the same locality and only one Gaurav works there. However, if Gaurav were someone on the other side of the world, or even across town, referring to gaurav@company.com as simply Gaurav would make no sense, because the user name Gaurav is not globally unique and refers to different persons in different localities. This is one of the reasons why two user accounts should never use the same name on the same system — not only because you would not be able to enforce access controls based on non-unique and ambiguous user names, but also because you would not be able to establish accountability for user actions.

Authentication happens right after identification and before authorization. It verifies the authenticity of the identity declared at the identification stage. In other words, it is at the authentication stage that you prove you are indeed the person or the system you claim to be. The three methods of authentication are what you know, what you have and what you are. Regardless of the particular authentication method used, the aim is to obtain reasonable assurance that the identity declared at the identification stage belongs to the party in communication. It is important to note that reasonable assurance may mean different degrees of assurance, depending on the particular environment and application, and therefore may require different approaches to authentication. Authentication requirements of a national-security-critical system naturally differ from authentication

requirements of a small company. As different authentication methods have different costs and properties, as well as different returns on investment, the choice of authentication method for a particular system or organization should be made after these factors have been carefully considered.

Authorization is the process of ensuring that a user has sufficient rights to perform the requested operation, and of preventing those without sufficient rights from doing the same. After declaring identity at the identification stage and proving it at the authentication stage, users are assigned a set of authorizations (also referred to as rights, privileges or permissions) that define what they can do on the system. These authorizations are most commonly defined by the system's security policy and are set by the security or system administrator. These privileges may range from the extremes of "permit nothing" to "permit everything" and include anything in between.

Confidentiality means that only authorized persons have access to receive or use information, documents, etc. Unauthorized access to confidential information may have devastating consequences, not only in national security applications but also in commerce and industry. The main mechanisms for protecting confidentiality in information systems are cryptography and access controls. Examples of threats to confidentiality are malware, intruders, social engineering, insecure networks and poorly administered systems.

Integrity is concerned with the trustworthiness, origin, completeness and correctness of information, as well as the prevention of improper or unauthorized modification of information. Integrity in the information security context refers not only to the integrity of information itself but also to origin integrity, i.e. the integrity of the source of information. Integrity protection mechanisms may be grouped into two broad types: preventive mechanisms, such as access controls that prevent unauthorized modification of information, and detective mechanisms, which are intended to detect unauthorized modifications when preventive mechanisms have failed. Controls that protect integrity include the principles of least privilege and separation and rotation of duties.

Availability of information, although usually mentioned last, is not the least important pillar of information security. Who needs confidentiality and integrity if the authorized users of information cannot access and use it? Who needs sophisticated encryption and access controls if the information being protected is not accessible to authorized users when they need it? Therefore, despite being mentioned last in the C-I-A triad, availability is just as important and as necessary a component of information security as confidentiality and integrity. Attacks against availability are known as denial of service (DoS) attacks. Natural and man-made disasters obviously may also affect availability, as well as the confidentiality and integrity of information, though their frequency and severity differ greatly. Natural disasters are infrequent but severe, whereas human errors are frequent but usually not as severe as natural disasters. In both cases, business continuity and disaster recovery planning (which at the very least includes regular and reliable backups) is intended to minimize losses.

Non-repudiation in the information security context refers to one of the properties of cryptographic digital signatures that offers the possibility of proving whether a particular message has been digitally signed by the holder of a particular digital signature's private key.

Non-repudiation is a somewhat controversial subject, partly because it is an important one in this day and age of electronic commerce, and partly because it does not provide an absolute guarantee. A digital signature owner who would like to repudiate a transaction maliciously may always claim that his or her digital signature key was stolen by someone who actually signed the digital transaction in question, thus repudiating the transaction. The following types of non-repudiation services are defined in the international standard ISO 14516:2002 (guidelines for the use and management of trusted third party services):

o Approval: non-repudiation of approval provides proof of who is responsible for approval of the contents of a message.
o Sending: non-repudiation of sending provides proof of who sent the message.
o Origin: non-repudiation of origin is a combination of approval and sending.
o Submission: non-repudiation of submission provides proof that a delivery agent has accepted the message for transmission.
o Transport: non-repudiation of transport provides proof for the message originator that a delivery agent has delivered the message to the intended recipient.
o Receipt: non-repudiation of receipt provides proof that the recipient received the message.
o Knowledge: non-repudiation of knowledge provides proof that the recipient recognized the content of the received message.
o Delivery: non-repudiation of delivery is a combination of receipt and knowledge, as it provides proof that the recipient received and recognized the content of the message.

[Infographic: Fun facts about top data center security, Google]

Types of Controls

Central to information security is the concept of controls, which may be categorized by their functionality (preventive, detective, corrective, deterrent, recovery and compensating) and plane of application (physical, administrative or technical).

By functionality:

Preventive controls
Preventive controls are the first controls met by an adversary. They try to prevent security violations and enforce access control. Like other controls, they may be physical, administrative or technical. Doors, security procedures and authentication requirements are examples of physical, administrative and technical preventive controls respectively.

Detective controls
Detective controls are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented, and are no less crucial than preventive controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms.

Corrective controls
Corrective controls try to correct the situation after a security violation has occurred. Although a violation has occurred, the data remains secure, so it makes sense to try to fix the situation. Corrective controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature.

Deterrent controls
Deterrent controls are intended to discourage potential attackers. Examples of deterrent controls include notices of monitoring and logging, as well as the visible practice of sound information security management.

Recovery controls
Recovery controls are somewhat like corrective controls, but they are applied in more serious situations to recover from security violations and restore information and information processing resources. Recovery controls may include disaster recovery and business continuity mechanisms, backup systems and data, emergency key management arrangements and similar controls.

Compensating controls
Compensating controls are intended to be alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, it acts as a compensating control.

By plane of application:

• Physical controls include doors, secure facilities, fire extinguishers, flood protection and air conditioning.
• Administrative controls are the organization's policies, procedures and guidelines intended to facilitate information security.
• Technical controls are the various technical measures, such as firewalls, authentication systems, intrusion detection systems and file encryption, among others.

Access Control Models

Logical access control models are the abstract foundations upon which actual access control mechanisms and systems are built. Access control is among the most important concepts in computer security. Access control models define how computers enforce access of subjects (such as users, other computers, applications and so on) to objects (such as computers, files, directories, applications, servers and devices). Three main access control models exist:

• Discretionary Access Control model
• Mandatory Access Control model
• Role Based Access Control model

Discretionary Access Control (DAC)

The Discretionary Access Control model is the most widely used of the three models. In the DAC model, the owner (creator) of information has the discretion to decide about and set access control restrictions on the object in question, which may, for example, be a file or a directory. The advantage of DAC is its flexibility. Users may decide who can access information and what they can do with it — read, write, delete, rename, execute and so on. At the same time, this flexibility is also a disadvantage of DAC, because users may make wrong decisions regarding access control restrictions or maliciously set insecure or inappropriate permissions. Nevertheless, the DAC model remains the model of choice for the absolute majority of operating systems today, including Solaris.

Mandatory Access Control (MAC)

Mandatory access control, as its name suggests, takes a stricter approach to access control.
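The three models of this section, as an added example that is not part of the handbook: a small decision engine that applies DAC (owner-set permissions), MAC (the classification levels and the research/marketing need-to-know compartment described in the MAC paragraphs that follow) and RBAC (the Ann, David and Joe marketing-manager scenario described later in this section). The subjects, objects, labels and file names are constructed for the demonstration.

```python
"""Toy decision engine for the three access control models in this section.

Added example, not from the handbook: minimal DAC (owner-set ACLs), MAC
(classification levels plus a need-to-know compartment) and RBAC (permissions
attached to roles). Subjects, objects and labels are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Optional

# MAC classification levels, lowest to highest, as listed in the handbook.
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str = "public"            # MAC clearance label
    groups: frozenset = frozenset()      # MAC groups/domains (need to know)


@dataclass
class Obj:
    name: str
    owner: str                           # DAC: the creator controls the ACL
    classification: str = "public"       # MAC label
    compartment: Optional[str] = None    # MAC group the object belongs to
    acl: dict = field(default_factory=dict)  # DAC: user -> set of permissions


def dac_allowed(subject, obj, perm):
    """DAC: the owner may do anything; others get only what the owner granted."""
    if subject.name == obj.owner:
        return True
    return perm in obj.acl.get(subject.name, set())


def dac_grant(actor, obj, user, perm):
    """DAC: only the owner has the discretion to change the ACL."""
    if actor.name != obj.owner:
        raise PermissionError(f"{actor.name} does not own {obj.name}")
    obj.acl.setdefault(user, set()).add(perm)


def mac_allowed(subject, obj):
    """MAC read check: clearance must dominate the classification, and a
    compartmented object additionally requires membership of its group."""
    if LEVELS[subject.clearance] < LEVELS[obj.classification]:
        return False
    if obj.compartment is not None and obj.compartment not in subject.groups:
        return False
    return True


class Rbac:
    """RBAC: permissions attach to roles; users are only ever given roles."""

    def __init__(self):
        self.role_perms = {}   # role -> {(object, permission)}
        self.user_roles = {}   # user -> {role}

    def grant(self, role, obj_name, perm):
        self.role_perms.setdefault(role, set()).add((obj_name, perm))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def allowed(self, user, obj_name, perm):
        return any((obj_name, perm) in self.role_perms.get(role, set())
                   for role in self.user_roles.get(user, set()))


def demo():
    """Runs the handbook's scenarios and returns the access decisions."""
    results = {}
    # DAC: gaurav owns report.txt and decides that priya may read it.
    report = Obj("report.txt", owner="gaurav")
    gaurav, priya = Subject("gaurav"), Subject("priya")
    results["dac_before_grant"] = dac_allowed(priya, report, "read")
    dac_grant(gaurav, report, "priya", "read")
    results["dac_after_grant"] = dac_allowed(priya, report, "read")
    # MAC: a confidential file belonging to the research group. A marketing
    # user with top-secret clearance still fails the need-to-know check.
    design = Obj("design.doc", owner="research", classification="confidential",
                 compartment="research")
    marketer = Subject("maya", "top secret", frozenset({"marketing"}))
    researcher = Subject("ravi", "confidential", frozenset({"research"}))
    intern = Subject("ira", "public", frozenset({"research"}))
    results["mac_marketing_top_secret"] = mac_allowed(marketer, design)
    results["mac_researcher"] = mac_allowed(researcher, design)
    results["mac_intern_no_clearance"] = mac_allowed(intern, design)
    # RBAC: marketing files are readable only via the marketing manager role.
    rbac = Rbac()
    rbac.grant("marketing manager", "marketing/", "read")
    for user in ("ann", "david", "joe"):
        rbac.assign(user, "marketing manager")
    results["rbac_david_before"] = rbac.allowed("david", "marketing/", "read")
    rbac.revoke("david", "marketing manager")      # David leaves marketing
    results["rbac_david_after"] = rbac.allowed("david", "marketing/", "read")
    results["rbac_ann_unaffected"] = rbac.allowed("ann", "marketing/", "read")
    return results
```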
In systems utilizing MAC, users have little or no discretion as to what access permissions they can set on their information. Instead, mandatory access controls specified in a system-wide security policy are enforced by the operating system and applied to all operations on that system. MAC-based systems use data classification levels (such as public, confidential, secret and top secret) and security clearance labels corresponding to those data classification levels to decide, in accordance with the security policy set by the system administrator, what access control restrictions to enforce. Additionally, per group and/

or per domain access control restrictions may be imposed, i.e. in addition to having the required security clearance level, subjects (users or applications) must also belong to the appropriate group or domain. For example, a file with a confidential label belonging only to the research group may not be accessed by a user from the marketing group, even if that user has a security clearance level higher than confidential (for example, secret or top secret). This concept is known as compartmentalization or 'need to know'. Although MAC-based systems, when used appropriately, are thought to be more secure than DAC-based systems, they are also much more difficult to use and administer because of the additional restrictions and limitations imposed by the operating system. MAC-based systems are typically used in government, military and financial environments, where higher than usual security is required and where the added complexity and costs are tolerated. MAC is implemented in Trusted Solaris, a version of the Solaris operating environment intended for high security environments.

Role-Based Access Control (RBAC)

In the role-based access control model, rights and permissions are assigned to roles instead of individual users. This added layer of abstraction permits easier and more flexible administration and enforcement of access controls. For example, access to marketing files may be restricted to the marketing manager role only, and users Ann, David and Joe may be assigned the role of marketing manager. Later, when David moves from the marketing department elsewhere, it is enough to revoke his role of marketing manager, and no other changes are necessary. When you apply this approach to an organization with thousands of employees and hundreds of roles, you can see the added security and convenience of using RBAC. Solaris has supported RBAC since release 8.

Centralized vs. Decentralized Access Control

A further distinction should be made between centralized and decentralized (distributed) access control models. In environments with centralized access control, a single, central entity makes access control decisions and manages the access control system, whereas in distributed access control environments these decisions are made and enforced in a decentralized manner. Both approaches have their pros and cons, and it is generally inappropriate to say that one is better than the other. The selection of a particular access control approach should be made only after careful consideration of an organization's requirements and associated risks.

Security Vulnerability Management

Security vulnerability management is the current evolutionary step of vulnerability assessment systems that began in the early 1990s with the advent of the network security scanner S.A.T.A.N. (Security Administrator's Tool for Analyzing Networks), followed by the first commercial vulnerability scanner from ISS. While early tools mainly found vulnerabilities and produced lengthy reports, today's best-in-class solutions deliver comprehensive discovery and support the entire security vulnerability management lifecycle. A vulnerability can occur anywhere in the IT environment and can be the result of many different root causes. Security vulnerability management solutions gather comprehensive endpoint and network intelligence and apply advanced analytics to identify and prioritize the vulnerabilities that pose the most risk to critical systems. The result is actionable data that enables IT security teams to focus on

the tasks that will most quickly and effectively reduce overall network risk with the fewest possible resources. Security vulnerability management is a closed-loop workflow that generally includes identifying networked systems and associated applications, auditing (scanning) the systems and applications for vulnerabilities, and remediating the vulnerabilities. Any IT infrastructure component may present existing or new security concerns and weaknesses, i.e. vulnerabilities. These may be product or component faults, or inadequate configuration. Malicious code or unauthorized individuals may exploit those vulnerabilities to cause damage, such as disclosure of credit card data. Vulnerability management is the process of identifying those vulnerabilities and reacting appropriately to mitigate the risk. Vulnerability assessment and management is an essential piece of managing overall IT risk because of:

• Persistent threats: attacks exploiting security vulnerabilities for financial gain and criminal agendas continue to dominate headlines.
• Regulation: many government and industry regulations mandate rigorous vulnerability management practices.
• Risk management: mature organizations treat it as a key risk management component.

Organizations that follow mature IT security principles understand the importance of risk management. Properly planned and implemented threat and vulnerability management programs represent a key element in an organization's information security program, providing an approach to risk and threat mitigation that is proactive and business-aligned, not just reactive and technology-focused.

Vulnerability Assessment

Vulnerability assessment includes assessing the environment for known vulnerabilities and assessing IT components against the security configuration policies (by device role) that have been defined for the environment. This is accomplished through scheduled vulnerability and configuration assessments of the environment. Network-based vulnerability assessment (VA) has been the primary method employed to baseline networks, servers and hosts. The primary strength of VA is breadth of coverage. Thorough and accurate vulnerability assessments can be accomplished for managed systems via credentialed access. Unmanaged systems can be discovered and a basic assessment can be completed. The ability to evaluate databases and web applications for security weaknesses is crucial, considering the rise of attacks that target these components. Database scanners check database configuration and properties to verify whether they comply with database security best practices.

Web application scanners test an application's logic for "abuse" cases that can break or exploit the application. Additional tools can be leveraged to perform more in-depth testing and analysis. All three scanning technologies (network, application and database) assess a different class of security weaknesses, and most organizations need to implement all three.

Risk assessment

Larger issues should be expressed in the language of risk (e.g. ISO 27005), specifically expressing impact in terms of business impact. The business case for any remedial action should incorporate considerations relating to the reduction of risk and compliance with policy. This forms the basis of the action to be agreed on between the relevant line of business and the security team.

Risk analysis

"Fixing" the issue may involve acceptance of the risk, shifting of the risk to another party, or reducing the risk by applying remedial action, which could be anything from a configuration change to implementing new infrastructure (e.g. data loss prevention, firewalls, host intrusion prevention software). Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes. Many processes and often several teams may come into play (e.g. configuration management, change management, patch management etc.). Monitoring and incident management processes are also required to maintain the environment.

Vulnerability enumeration

Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e. CVE Identifiers) for publicly known information security vulnerabilities. CVE's common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization's security tools. If a report from one of your security tools incorporates CVE identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.

Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures repeatable, accurate measurement while enabling users to see the underlying vulnerability characteristics that were used to generate the scores. Thus, CVSS is well suited as a standard measurement system for industries, organizations and governments that need accurate and consistent vulnerability impact scores.

Common Weakness Enumeration (CWE)
The Common Weakness Enumeration Specification (CWE) provides a common language of discourse for discussing, finding and dealing with the causes of software security vulnerabilities as they are found in code, design or system architecture. Each individual CWE represents a single vulnerability type. CWEs are used as a classification mechanism that differentiates CVEs by the type of vulnerability they represent. For more details see: Common Weakness Enumeration.

Remediation Planning

Prioritization
Vulnerability and security configuration assessments typically generate very long remediation work lists, and this remediation work needs to be prioritized. When organizations initially implement vulnerability assessment and security configuration baselines, they typically discover that a large number of systems contain multiple vulnerabilities and security configuration errors. There is typically more mitigation work to do than there are resources available to accomplish it. Therefore, prioritization is important.

Root Cause Analysis (RCA)
It is important to analyse security and vulnerability assessments in order to determine the root cause. In many cases, the root cause of a set of vulnerabilities lies within the provisioning, administration and maintenance processes of IT operations, or within the development or procurement processes of applications. Elimination of the root cause of security weaknesses may require changes to user administration and system provisioning processes.

What makes a good RCA?
An RCA is an analysis of a failure to determine the first (or root) failure that caused the ultimate condition in which the system finds itself. For example, in an application crash one should be asking: why did it crash this way? A security analyst's job in performing an RCA is to keep asking the inquisitive "why" until one runs out of room for questions; one is then faced with the problem at the root of the situation. Example: consider an application whose database was pilfered by hackers. The ultimate failure the analyst may be investigating is the exfiltration of consumers' private data, but the SQL injection that enabled it isn't what caused the failure. Why did the SQL injection happen? Was the root of the problem that the developer responsible simply didn't follow the corporate policy for building SQL queries? Or was the issue a failure to implement something like the OWASP ESAPI (the OWASP Enterprise Security API is a free, open source web application security control library that makes it easier for programmers to write lower-risk applications) in the appropriate manner? Or maybe the cause was a vulnerable open source piece of code that was incorporated into the corporate application without passing it through the full source code lifecycle process? Your job when you're performing an RCA is to figure this out. Root cause analysis is critically important in the software security world.

A number of automated solutions are also available for various types of RCA. For example, HP's web application security testing technology can link XSS issues to a single line of code in the application input handler. Decision trees and algorithms may be used as tools for further detailed analysis. To learn more, visit: https://www.sans.org/reading-room/whitepapers/detection/decision-tree-analysis-intrusion-detection-how-to-guide-33678

[Chart: Ranking of cyber security objectives in terms of business priority (priority score per objective, scale 0 to 5)]

• 65% of organizations had an average of 3 DDoS attacks in the past 12 months.
• 54 minutes of downtime during one DDoS attack.
• Average cost per minute of downtime is $22,000.
• Average annual cost of DDoS attacks is $3,000,000.

Summary

• Elements of information security include network security, application security and communication security.
• Types of communication security are Cryptosecurity, Emission Security (EMSEC), Physical Security, Traffic-Flow Security and Transmission Security (TRANSEC).
• Critical information characteristics are Confidentiality, Integrity and Availability.
• Information states include transmission, storage and processing.
• Basic information security concepts:
  o Identification
  o Authentication
  o Authorization
  o Confidentiality
  o Integrity
  o Availability
  o Non-repudiation
• Types of control for information security can be classified into:
  o Preventive
  o Detective
  o Corrective
  o Deterrent
  o Recovery
  o Compensating
• Three main access control models exist:
  o Discretionary Access Control model
  o Mandatory Access Control model
  o Role Based Access Control model
• A Root Cause Analysis is an analysis of a failure to determine the first (or root) failure that caused the ultimate condition in which the system finds itself.

Practical activities:

Activity 1: Investigate the various types of threats to network security, application security and communication security, and prepare a white paper on them. Also list the various countermeasures or security devices that may be used to address them. Present it in class.

Activity 2: Collect information from various information security service companies' websites and understand the various security services they offer. Carry out a comparison of the various services or products offered and list their features and benefits.

Activity 3: Collect information about the various categories of controls and state which controls fall within each category. Discuss in groups the benefits and limitations of examples of each type of control within a category.

Activity 4: Collect information about the various elements of a decision tree and an algorithm. Create algorithms and decision trees for various situations in planning for the security of information assets.

Check your understanding:

1. Write a short note on your understanding of the following basic information security concepts.

• Identification
__________________________________________________________________________________
__________________________________________________________________________________

• Authentication
__________________________________________________________________________________
__________________________________________________________________________________

• Authorization
__________________________________________________________________________________
__________________________________________________________________________________

• Confidentiality
__________________________________________________________________________________
__________________________________________________________________________________

• Integrity
__________________________________________________________________________________
__________________________________________________________________________________

• Availability
__________________________________________________________________________________
__________________________________________________________________________________

81

• Non-repudiation
__________________________________________________________________________________
__________________________________________________________________________________

2. Which are the three states of Information?
______________________________________
______________________________________
______________________________________

NOTES:
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________
__________________________________________________________________________________

82