Time: 20 Minutes
Concepts: Definition of Cybersecurity, Cybersecurity Threats, Countermeasures - Ways to protect your network and data. The responsibility of cybersecurity professionals.
This is a very short but free introduction to cybersecurity covering basic cybersecurity principles. This is designed for the beginner who wants a basic understanding of what Cybersecurity is, the threats that are out there in the wild, the bad actors behind these threats, and the duties and responsibilities of Cybersecurity professionals.
Cybersecurity can be defined as the science and methodology of protecting computer systems, hardware, software and data from malicious attack or intrusion from unauthorized entities. This differs from Information Security in that Information security protects all types of data, digital and non-digital. When we talk about Cybersecurity, we are mainly focusing on digital data. Cybersecurity is a subset of Information Security.
Why are computer systems so insecure? Much of it comes down to human error and poor design. Software is written in thousands or millions of lines of code, and mistakes are inevitable; attackers methodically poke and prod systems until they find those flaws. The architectures we build on today also descend from early designs that traded security for performance. In the early days of computing, processing power and memory were scarce, and because systems were not all connected to the internet, security was not a pressing concern. We have kept that architecture and built on top of it, so the computer architectures and operating systems we use today make it easy to open up communications rather than being secure by default. We now find ourselves with these open systems, trying to close the holes after the fact. We call this the "patch and pray" methodology: we apply patches to servers when flaws are found, we put protective hardware and software in place, we monitor for intrusions, and we pray that we have done enough to protect our networks.
Information Security Officers and cybersecurity managers have to weigh the cost of protection against the value of what is being protected. It does not make sense to spend millions of dollars to protect data that is worth only a few hundred thousand dollars, unless a breach would bring a penalty or fine that costs the organization more. Laws such as HIPAA (the Health Insurance Portability and Accountability Act) and Sarbanes-Oxley (SOX) dictate how healthcare and financial information must be handled, stored and backed up. Organizations that handle healthcare and financial information can face hefty fines for not following proper procedures to protect patient and client data.
There are also organizations such as the International Organization for Standardization ISO, and the National Institute of Standards and Technology NIST which create frameworks and set standards for cybersecurity best practices. It is important to understand these best practices when implementing security within your organization.
The image below outlines the NIST Cybersecurity Framework, which organizes security activities into five core functions: Identify, Protect, Detect, Respond and Recover.
[Image: NIST Cybersecurity Framework, via http://www.petermorin.com/2017/12/nist-releases-new-cyber-security-framework-draft/]
Introduction to the NIST Cybersecurity Framework.
The threat landscape is constantly changing. Attackers keep coming up with new ways around security controls, and defenders are largely reactive: they wait to see what new tactics the aggressors use and then develop a way to prevent them. That is pretty much the state of cybersecurity at this time. We patch our systems as vulnerabilities are found and hope that we have done enough to stop whatever threats come our way, the "patch and pray" methodology described above.
The recent rise in ransomware attacks has caused organizations a great deal of stress. These incidents have become so common that some companies have started stockpiling Bitcoin in order to pay ransoms. That may sound prudent, but paying the ransom rewards criminals for their success and encourages them to keep doing it, and it does not guarantee that the data comes back. The important thing to remember is that we do not want this activity to continue, so we must make it unprofitable. The best strategy is robust security combined with a fast, easy recovery method: tested backups kept offline or otherwise out of the attacker's reach, so they cannot be encrypted along with everything else.
With the rise of new technology to stop attacks, bad actors have turned to social engineering to get around security. A "bad actor" is the term used to describe those who carry out the threats: hackers, script kiddies (amateur hackers running tools written by others), nation states, and organized criminals. These bad actors may call on the phone claiming to be a technical support person, or call or email someone pretending to be a person of authority. Organizations need to make their staff aware of social engineering threats through what is called "end user security awareness training." The best way to prevent these threats, or recover from them, is to know what important data you have and where it lives, put technology in place to detect and stop attacks, train your staff to recognize bad actors, and have both a good incident response plan and a disaster recovery plan.
In the video below, Dr. Howard Shrobe from MIT discusses the current state of cybersecurity and the types of solutions he is looking for. This video is a few years old, but the information and ideas are still valid.
What can be done to combat these threats? Many tech companies have been working on this issue for quite some time. Firewalls and antivirus software have been around for a long time. Spam (unsolicited and/or undesired email) became a huge issue in the 90’s when everyone started connecting to the internet and email boxes were getting filled with unsolicited email. This became a huge problem. So much junk mail was coming through that email was almost becoming unusable. Spam filters resolved that issue. Web filters have been helpful with scanning websites for malicious downloads and also monitoring and restricting what websites workers are allowed to visit.
Intrusion detection and intrusion prevention systems help detect and thwart malicious traffic on a network. Attacks are often scripted and run by machine rather than typed by a hacker, so they move far faster than a human could respond to without special tools. Log files also grow very large and take too much time to read through by hand. Network security engineers therefore set up software or appliances that read these logs and network traffic, match them against signatures of known attacks and against a baseline of normal behavior, and raise alerts. These are Intrusion Detection Systems (IDS). An IDS is passive: it either notifies an administrator directly or feeds its events to a Security Information and Event Management (SIEM) system that collects and correlates data from many sources. An Intrusion Prevention System (IPS) sits inline and is more like a firewall. Unlike an IDS, which only alerts, an IPS can act: it can drop the offending traffic or push a blocking rule to the firewall while the activity is still happening. The trade-off is that a false positive on an IPS blocks legitimate traffic, so its rules need careful tuning.
Encryption transforms readable data (plaintext) into ciphertext that can only be decrypted and read by parties holding the right key. To anyone snooping without authorization, the data looks like a jumble of characters and numbers. Websites such as banking and shopping sites use TLS (the padlock in the browser): the site's certificate proves its identity to the browser, and the TLS handshake establishes the session keys that encrypt the traffic. VPN tunnels also use encryption to keep data safe as it moves from one location to another over the public internet. We will get into more detail about encryption in another course.
A Virtual Private Network (VPN) connects private systems over public networks and keeps the data secure by means of encryption. A remote workstation can reach a corporate network in a secure manner, so the remote worker can access data without it being intercepted or manipulated in transit. A VPN can also connect remote offices without paying for expensive leased lines between the two locations, keeping the data secure while saving money. In a site-to-site (point-to-point) VPN, the two firewalls handle the encryption between the two geographic locations. With a client VPN, the client has special software installed that lets it connect to a firewall or server hosting the VPN. VPN tunnels should use strong, current encryption protocols to keep the data secure.
Another measure that can be taken to ensure security is multifactor authentication (MFA). The factors should come from different categories: something you know (a password or PIN), something you have (a hardware token or phone app that generates a one-time code which changes every 30 seconds or so and stays synchronized with a server), and something you are (a biometric such as a fingerprint). A second factor that is merely another secret the user knows adds little, because it falls to the same phishing or guessing attack as the password. Combining a password with a factor from a different category means a stolen password alone is not enough, which greatly reduces the chance of an unauthorized person gaining access.
Password policies ensure that passwords are difficult to guess; a minimum length and a ban on common or previously breached passwords do more for this than forced complexity rules. Policies have traditionally also forced passwords to change at set intervals, so that a compromised password stops working after a while; current NIST guidance (SP 800-63B) recommends against routine forced rotation and instead requires a change when compromise is suspected. One way to catch password guessing is a logon analyzer that alerts the administrator when someone enters a password incorrectly too many times. These systems can also alert when a single computer or application tries one account after another, getting the passwords wrong over and over (a password spray). Some malware guesses account names and passwords and sends any successful attempt to an outside source; a logon or lockout analyzer recognizes this behavior and notifies the administrator so they can take corrective action.
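To show what the logon analyzer described here, and the log-reading intrusion detection system described above, actually do, here is an added Python example (not part of the course) that scans OpenSSH-style authentication log lines for three patterns: repeated failures against one account from one source (brute force), one source failing against many different accounts (password spray), and a success that follows a burst of failures, which is the case that most deserves an immediate page. The log lines, hostnames, addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

FAILED_THRESHOLD = 5   # failures for one account from one source before alerting
SPRAY_THRESHOLD = 4    # distinct accounts one source must fail against before alerting

# Matches the password-authentication lines OpenSSH's sshd writes to the auth log.
# "invalid user" appears when the account does not exist at all.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample log (not real captured traffic). RFC 5737 documentation
# addresses are used for the sources.
SAMPLE_LOG = """\
Mar  3 10:01:02 srv01 sshd[4120]: Failed password for alice from 203.0.113.7 port 51822 ssh2
Mar  3 10:01:03 srv01 sshd[4121]: Failed password for alice from 203.0.113.7 port 51823 ssh2
Mar  3 10:01:04 srv01 sshd[4122]: Failed password for alice from 203.0.113.7 port 51824 ssh2
Mar  3 10:01:05 srv01 sshd[4123]: Failed password for alice from 203.0.113.7 port 51825 ssh2
Mar  3 10:01:06 srv01 sshd[4124]: Failed password for alice from 203.0.113.7 port 51826 ssh2
Mar  3 10:01:08 srv01 sshd[4125]: Accepted password for alice from 203.0.113.7 port 51827 ssh2
Mar  3 10:02:00 srv01 sshd[4130]: Failed password for bob from 198.51.100.9 port 40001 ssh2
Mar  3 10:02:01 srv01 sshd[4131]: Failed password for carol from 198.51.100.9 port 40002 ssh2
Mar  3 10:02:02 srv01 sshd[4132]: Failed password for invalid user admin from 198.51.100.9 port 40003 ssh2
Mar  3 10:02:03 srv01 sshd[4133]: Failed password for dave from 198.51.100.9 port 40004 ssh2
Mar  3 10:03:00 srv01 sshd[4140]: Failed password for frank from 192.0.2.5 port 50010 ssh2
Mar  3 10:03:05 srv01 sshd[4140]: Accepted password for frank from 192.0.2.5 port 50010 ssh2
Mar  3 10:03:10 srv01 sshd[4141]: Connection closed by 192.0.2.5 port 50010 [preauth]
"""


def parse(lines):
    """Yield (outcome, user, ip) for each password-auth line; ignore everything else."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("outcome"), m.group("user"), m.group("ip")


def analyze(lines):
    """Return alerts as (kind, source_ip, user) tuples, in the order they fire.
    Each threshold fires once, on the event that crosses it."""
    failures = defaultdict(int)       # (ip, user) -> failed attempts so far
    users_per_ip = defaultdict(set)   # ip -> accounts it has failed against
    alerts = []
    for outcome, user, ip in parse(lines):
        if outcome == "Failed":
            failures[(ip, user)] += 1
            users_per_ip[ip].add(user)
            if failures[(ip, user)] == FAILED_THRESHOLD:
                alerts.append(("brute_force", ip, user))
            if len(users_per_ip[ip]) == SPRAY_THRESHOLD:
                alerts.append(("password_spray", ip, None))
        else:
            # A success right after repeated failures from the same source means
            # the guessing worked; this should page someone, not just be logged.
            if failures[(ip, user)] >= FAILED_THRESHOLD:
                alerts.append(("success_after_failures", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note that the single mistyped password from 192.0.2.5 produces no alert; thresholds exist so that ordinary typos do not drown the analyst in noise. A SIEM does the same job across many hosts, which is what catches a spray that sends only one or two attempts to each server.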
Servers must be configured to be secure. This means turning off unnecessary services, enabling the local software firewall, closing any ports that do not need to be open, and making sure the server has the latest updates and patches. The built-in administrator account should be renamed and given a very strong password that is difficult to guess. Turn off unnecessary file shares and make sure antivirus software is installed and up to date. Servers should be kept in locked server rooms where only certain people have physical access to the machines. Systems holding extremely sensitive data can be put on air-gapped networks in locked areas with no internet access. "Air-gapped" here means the servers have no network connection to the outside, so only authorized employees on the premises can reach the information on those systems. There has been research on attacking air-gapped systems through techniques such as "Van Eck phreaking" (reading the electromagnetic emanations of a screen or cable) and "MouseJack" (injecting keystrokes through vulnerable wireless mouse and keyboard receivers), but those are for a later, more advanced course.
Data on laptops and mobile devices is at risk if the device is ever lost or stolen. It is important to make sure that the data stored on mobile devices is encrypted, so that it stays confidential even if the device falls into the wrong hands. Full-disk encryption built into the operating system (such as BitLocker on Windows and FileVault on macOS) and many third-party programs will encrypt hard drives, USB thumb drives and other mobile devices. Sensitive data must always be encrypted while it is in storage and while it is in transit between devices, for instance over a VPN tunnel. Even on local area networks, encrypting data in transit between workstations, or between a server and a workstation, is a good idea.
Remember that both human error and malicious employees are a threat to your business. It is important to train employees to understand security issues and to recognize when something is out of compliance. If an employee is not following procedure or if someone looks like they are in a location they should not be, employees must report it. Train employees to recognize phishing schemes and social engineering tactics. It could save your organization.
Security professionals, especially those in leadership positions, are responsible for making sure an organization embraces a culture of security. Everyone must understand and be on board with the policies and procedures. It only takes one person not following the rules to cause a breach. Make sure everyone is informed of the policies and procedures and what to do if they believe data has been compromised. The earlier a breach is reported, the better your chances of stopping an attack and preventing data loss.
Security practitioners need to understand what types of data their organization handles and where it is stored. Healthcare and financial data, as well as company secrets about products and designs, are especially sensitive and valuable to the organization. Data should be backed up regularly. A copy should be stored securely offsite in the event of a disaster such as a fire, flood, earthquake or tornado, and backups should be protected so that an attacker who gets into the network cannot delete or encrypt them.
Make sure your security policy aligns with your company’s needs. Do not spend too little on security if your organization is holding highly valuable data. Also, do not spend too much if your organization's data is easily re-creatable and not that valuable. Be aware of what you have, where it is stored, how it is backed up and make sure you can restore data from backup. A test restore should be performed periodically.
Are there laws that regulate your industry, such as HIPAA and Sarbanes-Oxley? Is your organization compliant with all applicable rules and regulations? If you handle sensitive patient or financial data and you are not sure whether your organization is compliant, consider hiring an auditor or security professional to help ensure your organization meets all regulatory standards.
How will your organization respond to a security incident? Is there a plan in place? Does your organization have a disaster recovery plan? These questions map directly onto the NIST framework functions: identify the data that must be protected, protect it to the best of your ability, have systems in place to detect incoming threats, know when and how to respond to them, and, when all else fails, know how your organization plans to recover from a breach or a disaster.
Remember to have your system audited by a professional on a regular basis. A good auditor will let you know if you have gaps in your security. They will help you find the flaws. Make sure you have a penetration test performed regularly on your network. Have a certified ethical hacker test your network for weaknesses and phish your employees. This is a good way to find your organization's security flaws and find out if employees need more training.
As you can see, there is a lot to learn in the field of cybersecurity, and this course explains only the basics. Cybersecurity professionals are in huge demand, but the knowledge needed to get a job in this field can be difficult and time consuming to obtain, and earning a degree and certifications in cybersecurity can be quite expensive. The image below from ISACA (the Information Systems Audit and Control Association) explains the need for more cybersecurity professionals.
To learn more about this topic, please feel free to take our Intro to Cybersecurity course or our CompTIA Security+ course. If they are not yet available, they will be coming soon.
[Image: The Cybersecurity Skills Crisis, from http://www.isaca.org]
ISACA - https://www.isaca.org/
Interview with Dr. Howard Shrobe - https://www.youtube.com/watch?v=EmFRvIA8lug
MIT Professional Education Digital Programs - http://professional.mit.edu/
The Videos and Diagrams were used with permission from NIST, ISACA and MIT Professional Education Digital Programs.