Cybersecurity: The Beginner's Guide - Dr. Erdal Ozkaya - E-Book

Description

Understand the nitty-gritty of Cybersecurity with ease


Key Features:


Align your security knowledge with industry leading concepts and tools

Acquire required skills and certifications to survive the ever changing market needs

Learn from industry experts to analyse, implement, and maintain a robust environment


Book Description:


It's not a secret that there is a huge talent gap in the cybersecurity industry. Everyone is talking about it, including the prestigious Forbes Magazine, Tech Republic, CSO Online, DarkReading, and SC Magazine, among many others. Additionally, Fortune CEOs like Satya Nadella, McAfee's CEO Chris Young, and Cisco's CIO Colin Seward, along with organizations like ISSA and research firms like Gartner, also shine a light on it from time to time.


This book puts together all the available information on cybersecurity: why you should choose it, why cybersecurity is needed, and how you can be part of it and help fill the cybersecurity talent gap bit by bit. Starting with an essential understanding of security and why it is needed, we move on to changes in the security domain and how artificial intelligence and machine learning are helping to secure systems. Later, this book walks you through all the skills and tools that anyone who wants to work as security personnel needs to be aware of. Then, it teaches readers how to think like an attacker and explores some advanced security methodologies. Lastly, it deep dives into how to build practice labs, explores real-world use cases, and gets you acquainted with various cybersecurity certifications.


By the end of this book, readers will be well-versed with the security domain and will be capable of making the right choices in the cybersecurity field.


What you will learn:


Get an overview of what cybersecurity is and learn about the various faces of cybersecurity, as well as identify the domain that suits you best

Plan your transition into cybersecurity in an efficient and effective way

Learn how to build upon your existing skills and experience in order to prepare for your career in cybersecurity


Who this book is for:


This book is targeted at any IT professional who is looking to venture into the world of cyber attacks and threats. Anyone with some understanding of IT infrastructure workflow will benefit from this book. Cybersecurity experts interested in enhancing their skill set will also find this book useful.


Dr. Erdal Ozkaya is a leading cybersecurity professional with business development, management, and academic skills, who focuses on securing cyberspace and sharing his real-life skills as a security adviser, speaker, lecturer, and author. He is passionate about reaching communities, creating cyber-awareness campaigns, and leveraging new and innovative approaches and technologies that holistically address the information security and privacy needs of people and organizations worldwide. He has authored many cybersecurity books, security certification courseware, and exams for different vendors. He holds global awards in cybersecurity as a speaker, author, instructor, and leader.


Page count: 573

Publication year: 2019




Cybersecurity: The Beginner's Guide
A comprehensive guide to getting started in cybersecurity

Dr. Erdal Ozkaya

BIRMINGHAM - MUMBAI

Cybersecurity: The Beginner's Guide

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin Boricha
Acquisition Editor: Heramb Bhavsar
Content Development Editor: Shubham Bhattacharya, Deepti Thore
Technical Editor: Rudolph Almeida
Copy Editor: Safis Editing
Project Coordinator: Nusaiba Ansari
Proofreader: Safis Editing
Indexer: Tejal Daruwale Soni
Graphics: Jisha Chirayil
Production Coordinator: Nilesh Mohite

First published: May 2019

Production reference: 1210519

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78961-619-4

www.packtpub.com

 

To my family, my real friends, my mentors, I cannot thank you enough. Yes, I am a doctor and yes I lead a big team and yes, I have a career; but none of those would be the case without YOU. I would like to thank everyone who gave me feedback for being honest, allowing me to focus on my goals; to ignore people who gave negative vibes; to work hard with a positive attitude and always look forward.
– Dr. Erdal Ozkaya
 
mapt.io

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the author

Dr. Erdal Ozkaya is a leading cybersecurity professional with business development, management, and academic skills, who focuses on securing cyberspace and sharing his real-life skills as a security adviser, speaker, lecturer, and author.

He is passionate about reaching communities, creating cyber-awareness campaigns, leveraging new and innovative approaches, technologies that holistically address the information security, and privacy needs for people and organizations worldwide. He has authored many cybersecurity books, security certification courseware, and exams for different vendors.

He is an award-winning technical expert and speaker. His recent awards are as follows: Microsoft Circle of Excellence Platinum Club (2017), NATO Centers of Excellence (2016), Security Professional of the Year by MEA Channel Magazine (2015), Professional of the Year, Sydney (2014), and many Speaker of the Year awards awarded at conferences.

He holds Global Instructor of the Year awards from the EC-Council and Microsoft. He is also a part-time lecturer at the Charles Sturt University in Australia.

The following are Erdal's social media accounts for anyone who would like to stay in touch:

Twitter: https://twitter.com/Erdal_Ozkaya

LinkedIn: https://www.linkedin.com/in/erdalozkaya/

Facebook: https://www.facebook.com/CyberSec.Advisor

Instagram: https://www.instagram.com/learncybersecurity/

About the reviewers

Steve Hailey is President/CEO of the CyberSecurity Academy and an IT veteran of 36 years. He has 33 years of data recovery experience, and has been providing cybersecurity and digital forensics services professionally for 22 years. He is the founder and former President of the Washington State High Technology Crime Investigation Association, and has also held the office of Vice President of the Digital Forensics Certification Board. Steve is a trusted consultant to Fortune 500 companies, law firms, the Department of Defense (DoD), and law enforcement agencies worldwide. He is a cyberterrorism subject matter expert and has trained DoD and federal law enforcement personnel to protect some of the most aggressively targeted information systems in the world.

 

John Webb is an IT manager who holds both the CISSP and CEH certifications. He has over 15 years of IT experience and has been a student of cybersecurity for the entire time. He is a Linux expert and has been supporting enterprise RHEL systems for the past six years.


Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

Cybersecurity: The Beginner's Guide

Acknowledgment

About Packt

Why subscribe?

Packt.com

Contributors

About the author

About the reviewers

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the color images

Conventions used

Get in touch

Reviews

Disclaimer

Importance of Cybersecurity

The history of data breaches

Scenarios for security

Understanding the attack surface

The threat landscape

The importance of securing the network and applications

The history of breaches

1984 – The TRW data breach

1990s – Beginning of computer viruses and worms

The years 2000-2010

How security helps to build trust

Summary

Security Evolution — From Legacy to Advanced, to ML and AI

Legacy cybersecurity systems

Signature-based security systems

Network cyber attacks

Network security tools

Transformations in cybersecurity

Layered security

New security threats

Responses to the new threats

Advancements in security technology to security 2.0

Anomaly-based security systems

How ML and AI will play a larger role in cybersecurity

Summary

Further reading

Learning Cybersecurity Technologies

Mobile security

Loss or theft

Software-related security issues

Advanced data security

Cloud security

Modern day regulations

Incident response and forensics

Enterprise security at scale

Penetration testing

TruSec training

CQURE Academy

Training with Troy Hunt

Have I Been Pwned?

DevSecOps

IoT security

User behavior analytics (UBA)

Endpoint detection and response (EDR)

Summary

Further reading

Skills We Need for a Cybersecurity Career

General cybersecurity roles

Penetration testers and vulnerability testers

Cybersecurity consultants

Cybersecurity managers

Cybersecurity analysts

Cybersecurity engineers

Chief Information Security Officers (CISOs)

Chief Security Officers (CSOs)

Computer system administrators

Cryptographers

Computer forensic experts

Network security engineers

Information assurance technicians

Data security analysts

IT security compliance analysts

System security specialists

Skills to acquire in cybersecurity

Foundation skills

Risk management

Networking

Situational awareness

Toolkits

Security analyst skills

Threat assessment

Vulnerability assessment

Log collection and analysis

Active analysis

Incident response

Disaster recovery

Forensics

Penetration testing skills

Intelligence gathering

Incident reporting

Restraint

Security architecture skills

Identity and access management

Network configuration

System hardening

Choosing skills to pick up based on current professional experience and skills

Ethical hacking skills

Application security skills

Cloud security skills

DevSecOps skills

Threat and vulnerability assessment skills

Information security management skills

Cybersecurity litigation support skills

Regulatory compliance and auditing skills

Summary

Further reading

Attacker Mindset

The category of hackers

The traits of hackers

They are patient

They are determined

They are insensitive

They are risk-takers

They are careful

They are deviant

Social characteristics of hackers

Lack of social skills

They have an inferiority complex

They are radical

They are rebellious

They lack social support

How hackers think (motivators)

Getting money (monetary gain)

Greed

Political power

Religious extremism

Curiosity

What can be learned from the psychology of hackers?

Summary

Further reading

Understanding Reactive, Proactive, and Operational Security

Proactive cyber defense

Small and medium-sized enterprises

Large organizations

Worrying attack trends

Implementing proactive security

Vulnerability assessment

Penetration testing

Social-engineering assessment

Web-application security assessment

Reactive cybersecurity

Implementing a reactive security strategy

Monitoring

Response

Disaster-recovery

Forensic investigations

Overview of operational security

Implementing operational security

The significance of the three security pillars

Security operations and continuous monitoring

Captive SOC (self-managed SOC)

Co-managed SOC

Fully managed SOC

Proactive versus reactive security

The threat intelligence system and its importance

Digital forensics and real-time incident response with SIEM

Getting started with security automation and orchestration

Step 1 – start small

Step 2 – learn to analyze (incidents)

Step 3 – learn to monitor wisely

Three common security orchestration, automation, and response use cases

Phishing emails

Malicious network traffic

Vulnerability management

Summary

Further reading

Networking, Mentoring, and Shadowing

Mentoring

They provide knowledge and wisdom

They give insights on where you should improve

They give encouragement

Mentors create boundaries and ensure discipline

Mentors give unfiltered opinions

They are trustworthy advisers

They can be good connectors

They have lengthy experience that you can learn from

Mentors are satisfied by your success

How to choose a mentor

Compatibility

The mentor's strengths and weaknesses

Contrast

Expertise

Trust

Networking

Job opportunities

Career advice and support

Building confidence

Developing personal relationships

Access to resources

Discovery

Tips for establishing a professional network

Build genuine relationships

Offer to help

Diversify your events

Keep in touch

Shadowing

Regular briefings

Observation

Hands-on

Preparing for job shadowing

Preparing questions beforehand

Taking notes

Picking an appropriate time

Gratitude

Summary

Further reading

Cybersecurity Labs

ILT

VILT

Self-study

Self-study cybersecurity labs

The cross-site scripting (XSS) lab

The Secure Socket Layer (SSL) configuration lab

Acunetix Vulnerability Scanner

Sucuri

Valhalla

F-Secure Router Checker

Hacking-Lab

The Root Me password generator

CTF365

Mozilla Observatory

Free online training providers

IT master's degrees and Charles Sturt University

Microsoft Learn

edX

Khan Academy

Cybersecurity: Attack and Defense Strategies

Building your own test lab

Summary

Further reading

Knowledge Check and Certifications

The need to get a certification

They show employers that you take initiative

They reflect your abilities in a specific niche

They equip you with knowledge for a specific job

They can kickstart a career in cybersecurity

They give your clients confidence

They market you

Choosing certifications and vendors

The reputation of the vendor

The length of the course

Feedback from former learners

Support for learners

The credibility of the certification

Job market demands

Effective cybersecurity requires participation from all

What's in it for me?

A culture of continuous monitoring

CompTIA Security+

CompTIA PenTest+

CompTIA Cybersecurity Analyst (CySA+)

CompTIA Advanced Security Practitioner (CASP+)

EC-Council, Certified Ethical Hacker (CEH)

EC-Council, Computer Hacking Forensic Investigator (CHFI)

EC-Council cybersecurity career pathway

Certified Information Systems Security Professional (CISSP)

Certified Cloud Security Professional (CCSP)

Certified Information Systems Auditor (CISA)

Certified Information Security Manager (CISM)

Which (ISC)² Certification is right for you?

Global Information Assurance Certification (GIAC) Certifications

GIAC Information Security Fundamentals (GISF)

GIAC Security Essentials Certification (GSEC)

GIAC Certified Perimeter Protection Analyst (GPPA)

GIAC Certified Intrusion Analyst (GCIA)

SANS certifications

Cisco certifications

Cisco Certified Entry Networking Technician (CCENT)

CCNA Routing and Switching

Offensive Security Certified Professional (OSCP)/Offensive Security's Penetration Testing with Kali Linux (PwK)

Offensive Security's Penetration Testing with Kali Linux (PwK)

CertNexus CyberSec First Responder (CFR)

The NIST cybersecurity framework

Identify

Protect

Detect

Respond

Recover

Summary

Further reading

Security Intelligence Resources

Checklist resources

Security Checklist

Cybersecurity advice and reliable information sources

Cybersecurity courses

SlashNext

Springboard

Cybrary

US Department of Homeland Security

Cybersecurity threat-intelligence resources

Structured Threat Information Expression (STIX)

Trusted Automated Exchange of Intelligence Information (TAXII)

OASIS Open Command and Control (OpenC2)

Traffic Light protocol (TLP)

Cyber Analytics Repository by MITRE (CAR)

IntelMQ by ENISA

Recorded Future

Anomali STAXX

Cyberthreat-intelligence feeds

Summary

Further reading

Expert Opinions on Getting Started with Cybersecurity

Ann Johnson

Dr. Emre Eren Korkmaz

Robin Wright

Ozan Ucar and Dr. Orhan Sari

Chaim Sanders

Yuri Diogenes

Dr. Ivica Simonovski

Dr. Mike Jankowski-Lorek

Judd Wybourn

Onur Ceran

Neil Rerup

Girard Moussa

Kaushal K Chaudhary

Will Kepel

Martin Hale

Ahmed Nabil Mahmoud

Deepayan Chanda

Dr. Erdal Ozkaya

How to Get Hired in Cybersecurity, Regardless of Your Background

Getting into cybersecurity from a technical background

Cybersecurity jobs to target

Hard versus soft skills

Getting started in cybersecurity with a non-technical background

Transitioning from your current technical role

Demonstrate your worth – before you apply

Read, listen, watch, and talk

What should be in your CV?

Checklist for what to include in a CV

Your journey from first contact to day one at work

Job interview types

Structured interviews

Unstructured interviews

Semi-structured interviews

Common cybersecurity interview questions

The general interview process

Commonly asked cybersecurity interview questions

Personal questions

Communication skills

Problem solving and judgement skills

Motivation and passion

Common tips

Consider these points before accepting a job

The view from a hiring manager or recruiter

What is the hiring process for recruiters?

How to get hired at Microsoft

How to get hired at Cisco

How to get hired at Google

How Google's CEO did his interview when he was first hired in 2004!

How to get hired at Exxon

Popular job search websites you should know

Summary

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

There are two types of organizations: those who know they have been hacked and those who don't. Nearly every day there is news about a hacked company, regardless of their size.

On the other hand, independent research firms, such as Gartner; Fortune companies, such as Microsoft and Cisco; respected magazines, such as Forbes; global non-profit organizations, such as ISACA; governments; and recruiters are talking about the cybersecurity skill shortage today, and they estimate that the talent gap is in the millions. There are many organizations and individuals that are passionate about closing this gap. There are also possibly endless resources, although very fragmented, on the internet. You will find many books and videos that have the essentials to get you started in cybersecurity, but none of them provide guidance from A to Z on what beginners need to know, what core technology they need to focus on, why they need to have a mentor, how they can network, which certifications they can take, how they can find the resources they need, and finally, how they can find a job.

Again, none of the resources have very well-known industry experts, or hiring managers' advice and suggestions on what a beginner needs to do.

This beginner's guide explores deep technical content pertaining to cybersecurity; however, it also provides real guidance on how to become a cybersecurity expert.

While this book is called a beginner's guide, it also offers a ton of information for professionals who want to switch their careers to cybersecurity.

Who this book is for

This book is targeted at anyone who is looking to venture into the world of cybersecurity and explore its various nuances. With real-life recommendations from the field, this book is beneficial for everyone from beginners to career switchers.

What this book covers

Chapter 1, Importance of Cybersecurity, focuses on the importance of cybersecurity, and will help anyone who wants to become a cybersecurity professional to understand what is expected of them.

Chapter 2, Security Evolution – From Legacy to Advanced, to ML and AI, discusses the evolution of cybersecurity and the future integration of cybersecurity with machine learning and artificial intelligence.

Chapter 3, Learning Cybersecurity Technologies, covers what you need to learn to be a cybersecurity professional, with all the paths that are available in the job market today.

Chapter 4, Skills We Need for a Cybersecurity Career, looks at the job market to find the cybersecurity roles that organizations are advertising and the in-demand skills that you can learn in order to change to or build your career in cybersecurity.

Chapter 5, Attacker Mindset, explores attackers' traits and their way of thinking, to find out what drives a hacker.

Chapter 6, Understanding Reactive, Proactive, and Operational Security, covers what reactive, proactive, and operational cyber defenses are, what role the pillars of security play, and how you can position yourself to choose the optimal skills for you and your company.

Chapter 7, Networking, Mentoring, and Shadowing, discusses the importance of these three essentials to your career.

Chapter 8, Cybersecurity Labs, covers self-assessment and learning skills, ways to help you skill up fast, and some key resources to help you build your own practice lab.

Chapter 9, Knowledge Check and Certifications, looks at the need to be certified and, since there are far too many options, how you can choose the right places and certifications to study, based on the real-life experiences of the author and the experts who have contributed to the book.

Chapter 10, Security Intelligence Resources, focuses on existing security intelligence resources that can be publicly and commercially consumed to achieve higher standards of security for organizations. As a beginner in security, this information will always come in very handy from a ramp-up perspective.

Chapter 11, Expert Opinions on Getting Started with Cybersecurity, contains contributions by academics from universities, such as Oxford and Charles Sturt, and also experts from the field, such as Microsoft, FireEye, SAP, and Keepnet Labs, as well as training institutes, such as the Rochester Institute of Technology, and the privately owned Cqure and Dimension Data. In this chapter, they share their own journeys into cybersecurity, the steps they took, the training they had, and recommendations on how to keep your skills sharp. Besides this, some of them also share what skills they look at when they hire talent.

Chapter 12, How to Get Hired in Cybersecurity, Regardless of Your Background, covers tips and tricks on how to get a job in cybersecurity. This includes tips and tricks for interviews, how recruiters work, and how Fortune companies hire. This is the chapter that puts the book into practice.

To get the most out of this book

Read it carefully, decide which path you want to choose, and take the advice from the experts. Regardless of whether you are new to the cyber industry or you have some experience in IT, this book has everything that you need to be successful in the cybersecurity industry.

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://www.packtpub.com/sites/default/files/downloads/9781789616194_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "In order to calculate how much MB your x bit data is, you use four basic operations, and in order to classify your log data, you can use a discriminant function."

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "You can then click on the Start SSL test button to begin the test."

Warnings or important notes appear like this.
Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Disclaimer

The information within this book is intended to be used only in an ethical manner. Do not use any information from the book if you do not have written permission from the owner of the equipment. If you perform illegal actions, you are likely to be arrested and prosecuted to the full extent of the law. Packt Publishing does not take any responsibility if you misuse any of the information contained within the book. The information herein must only be used while testing environments with proper written authorizations from appropriate persons responsible.

Importance of Cybersecurity

In this fast-paced industry, digitization and staying connected play a vital role, further coupled with the proliferation of cloud-based and mobile technologies. "Why focus on security?" is a question that has moved from security team discussions to board room discussions, and it doesn't stop there either: it is now the talk of the whole industry. Everyone around us, in our workplaces or otherwise, is talking about security in one way or another. Security is no longer just a requirement of an IT administrator, or of security administrators in an IT organization. It is now the requirement of all those entities that are connected, in one way or another, with any type of data.

The importance of cybersecurity, as the name suggests, will be the crux of the discussion in this chapter, and we will closely look into the following:

The history of breaches

The importance of securing networks and applications

The threat landscape

How security helps

The history of data breaches

The general notion surrounding hacking is that it started a few decades ago. In reality, however, hacking was practised well before that: it goes as far back as 1834, almost two centuries back. Historically, it came to light in 1836, when the two persons involved in the act were caught. During the last decade of the 1700s, France implemented its national data network to transfer data between Paris and Bordeaux, which was one of its kind at the time. It was built on top of a mechanical telegraph system, which was a network of physical towers. Each tower was equipped with a unique system of movable arms on the tower top.

The tower operators would use different combinations of these arms to form numbers and characters that could be read from a similar distant tower using a telescope. This combination of numbers and characters was relayed from tower to tower until it reached the far end. As a result, the government achieved a much more efficient mechanism of data transfer, which resulted in greater time saving. Interestingly, all this happened in the open. Even though the combinations were encrypted, and would've required an experienced telegraph operator to decode the message at the far end to bring up the original message, the risks were just around the corner. The following image is one such tower:

Figure 1: Replica of Claude Chappe's optical telegraph on the Litermont near Nalbach, Germany (Photo by Lokilech CC BY-SA 3.0)

This operation was observed by two bankers, Francois and Joseph Blanc. They used to trade government bonds at the exchange in Bordeaux, and it was they who figured out a hack to poison the data transfer in between and include an indicator of the current market status, by bribing a couple of telegraph operators. Usually, it took several days before information about bond performance reached Bordeaux by normal mail; thanks to this hack, they got that same information well before the exchange in Bordeaux received it. In a normal transmission, the operator included a backspace symbol to indicate to the other operator that the previous character was a mistake and should be ignored. The bankers paid one of the operators to include a deliberate mistake with a predefined character, indicating the previous day's exchange performance, so that they could infer the market movement and plan to buy or sell bonds. This additional character did not affect the original message sent by the government, because it was meant to be ignored by the far-end telegraph operator. But this extra character would be observed by another former telegraph operator, paid by the bankers to decode it by watching through a telescope. The Blanc brothers did not care about the entire message either; all they needed was the information related to market movement, which was well achieved through this extra piece of inert information. The Blanc brothers had an advantage over the market movement and continued doing this for another two years, until their hack was discovered and they were caught in 1836. You can read more about such attacks at https://www.thevintagenews.com/2018/08/26/cyberattacks-in-the-1830s/.

The modern equivalent of this attack would perhaps be data poisoning, a man-in-the-middle attack, misuse of the network, or social engineering. The striking similarity, however, is that such attacks often go unnoticed for days or years before they are discovered. This was true then, and it is true today. Unfortunately, the Blanc brothers could not be convicted, as there were no laws under which they could be prosecuted at that time.

Maybe the Blanc brothers' hack was not so innovative compared to today's cyber attacks, but it did indicate that data was always at risk. And, with the digitization of data in all shapes and forms, operations, and transport mechanisms (networks), the attack surface is huge now. It is now the responsibility of the organization and the individuals to keep the data, network, and computer infrastructure safe.

Let's fast forward another 150 years, to the late 1980s. This is when the world witnessed the first ever computer virus, the Morris worm. Even though its creator, Robert Tappan Morris, denied that it was intended to harm computers, it did indeed affect millions of them. Intending to measure the vastness of the cyber world, Morris wrote an experimental program that was self-replicating and hopped from one computer to another on its own.

Morris released it onto the internet, but, to his surprise, this so-called worm spread far faster than he had imagined. Within 24 hours, at least 10% of internet-connected machines were affected. It targeted ARPANET, and some reports suggested that the number of connected computers at the time was around 60,000. The worm used a flaw in the Unix email program sendmail, which typically waits for other systems to connect to the mail program and deliver email, and a bug in the fingerd daemon. It infected many sites, including universities, military, and other research facilities. It took a team of programmers from various US universities working non-stop for hours to arrive at a fix, and a few more days to return to a normal state. A few years later, in 1990, Morris was convicted by the court for violating the Computer Fraud and Abuse Act; unlike in the time of the Blanc brothers, when there was no law to prosecute under, this time there was.

Fast forward another two decades to 2010, and the world saw what it never imagined could happen: an extremely coordinated effort to create a specifically crafted piece of software, Stuxnet, purpose-built to target the Iranian nuclear facility. It targeted Industrial Control Systems, otherwise known as ICS, and was designed only for a specific brand and make of ICS by Siemens, which controls the centrifuges in a nuclear facility and manages their speed. As per some reports, it is presumed to have been designed for delivery on site, because the Iranian facility it targeted was air-gapped. This was a one-of-its-kind case of industrial cyber espionage. The malware was purpose-built so that it would never leave the facility of the nuclear plant. However, it still somehow made its way out to the internet, and there is still speculation as to how. It took researchers many months after its discovery to figure out the working principle of the malware, and it is speculated that it took at least a few years to develop into a fully functional working model. After Stuxnet, we have witnessed many similar attack patterns in the form of Duqu and Flame, and some experts in this field believe that malware similar to these is apparently still active.

Currently, we are seeing entirely new variants of attack with a new modus operandi: earning money through ransomware, or stealing data and then trying to sell or destroy it. Alternatively, attackers use victim infrastructure to run cryptominer malware that mines cryptocurrencies. Today, security has taken center stage, not only because the attack surface has increased for each entity, or because successful high-profile and mass attacks are the norm, but because each one of us now knows that the need for securing data is paramount, irrespective of whether you are a target or not.

Scenarios for security

To make it more intuitive and simpler, let's look into a few scenarios as we proceed further with this chapter to discuss the need for security:

Scenario (organizations in general): Try to visualize an organization with standard digital and IT functions that cater to its business needs. As an organization, it is important that the digital and IT infrastructure you use is always up and running. The organization also has the responsibility to secure the identity, data, network, equipment, and products that it deals with. Digitization is the norm today for all businesses and organizations. Digitization brings in connectivity and a mixture of different technologies working together to achieve the organization's business goals. As digitization increases, the level of connectivity also increases, both within and outside the boundary of the organization. This connectivity also poses a risk to the security of the organization (we will discuss this further in the following chapters).

Digitization and connectivity largely fit into three macro aspects, namely: identity (by which we allow users to interact), data (individual, business, personal, or system), and network (the connection part). Furthermore, we should not forget the factors that bring them all together, namely: equipment, solutions, and the various business processes and applications. Any organization today controls, through identity, the level of access needed to view, modify, or process data, or to access a business application or system. Securing these identities is a de facto requirement for the organization. You also need proper measures to secure the data you are handling, be it at rest, in motion, or during computation. And it is an obvious fact that the network perimeter, be it physical or in the cloud, has to be secured with proper measures and controls. This scenario sets the context; we will talk more about these aspects in the following chapters.

Scenario (everything is moving to cloud): As most organizations are moving to the cloud at a rapid pace, the need for higher processing capability and the benefit of reduced operating cost are increasing. Cloud, as a technology, provides more scalability for businesses when it is required. Also, as the global footprint of each business is growing, collaboration becomes important, and cloud makes it possible. Employees nowadays prefer working remotely, thereby eliminating the need for office infrastructure. The other important benefit of cloud computing is that it takes away from IT the burden of constantly keeping track of new updates and upgrades of software and hardware components.

But, while it is true that technological advancements bring in more control, speed, power, accuracy, resiliency, and availability, they also bring in security concerns and risks. Cloud is no different when it comes to the security concerns and risks that are exposed if it is not properly implemented or used. The biggest boon of cloud is that organizations reap the benefit of not owning any infrastructure or operations of their own. This boon also brings in security risks and concerns: who has access to the data that is placed in the cloud, how do you maintain and manage security regulatory requirements, and how do you keep up with compliance mandates such as GDPR and others? Cloud computing also complicates the disaster recovery (DR) scenario for each organization, because it depends on the service provider's terms and conditions and their business model around data recovery. Moreover, organizations have no control over where the cloud provider will bring up its data center and operate from, which raises concerns around data sovereignty. There are many other challenges and risks around operating from the cloud, which will be discussed in the relevant portions of this book.

Understanding the attack surface

I am sure that by now you have a grasp of security and its importance to some extent. So, let's take a look at what the attack surface is and how we define it, as understanding it is important for planning our security well. In very simple terms, the attack surface is the collection of all potential vulnerabilities which, if exploited, can allow unauthorized access to the system, data, or network. These vulnerabilities are often also called attack vectors, and they can span software, hardware, the network, and the users (the human factor). The risk of being attacked or compromised is directly proportional to the extent of attack surface exposure. The higher the number of attack vectors, the larger the attack surface, and the higher the risk of compromise. So, to reduce the risk of attack, one needs to reduce the attack surface by reducing the number of attack vectors.

We witness all the time that attacks target applications, network infrastructure, and even individuals. To give you a sense of the extent of the attack surface and the exposure, let's look into the Common Vulnerabilities and Exposures (CVE) database (https://cve.mitre.org/cve/). It has 108,915 CVE entries (at the time of writing this chapter), covering all the vulnerabilities identified so far over the past few decades. Certainly many of these are now fixed, but some may still exist. This huge number indicates how big the risk of exposure is.

Any software running on a system can potentially be exploited through vulnerabilities in that software, remotely or locally. This applies particularly to software that is web facing, as it is more exposed and its attack surface is much larger. Often, these vulnerable applications can lead to the compromise of the entire network, and also pose a risk to the data they manage. Apart from these, there is another risk that applications are exposed to all the time: insider threat, where any authenticated user can gain access to data that is unprotected due to badly implemented access controls.

On the other hand, attacks against the network attack surface can be passive or active. They can make network services collapse or become temporarily unavailable, allow unauthorized access to the data flowing through the network, and so on.

In a passive attack, the adversary monitors the network to capture passwords or other sensitive information. During a passive attack, one can leverage the network traffic to intercept the communications between sensitive systems and steal information, without the user even knowing about it. In an active attack, by contrast, the adversary tries to bypass the protection systems by using malware or other forms of network-based vulnerabilities to break into the network assets; active attacks can lead to the exposure of data and sensitive files, and can also lead to Denial-of-Service type attacks. Some common types of attack vectors are:

Social engineering, scams, and so on

Drive-by-downloads

Malicious URLs and scripts

Browser-based attacks

Attacks on the supply chain (which is rising day by day)

Network-based attack vectors

The threat landscape

The attack surface also brings in another term, the threat landscape, which we in the cybersecurity community talk about every day. The threat landscape can be defined as the collection of observed threats, information about threat agents, and current threat trends. It is important that every security professional keeps track of the threat landscape. Many different agencies and security vendors release threat landscape reports, for example, ENISA (European Union Agency for Network and Information Security) and NIST (National Institute of Standards and Technology), along with some of the big security corporations.

Moreover, the threat landscape is an extremely dynamic space; it changes very frequently, and is driven by many factors, such as the tools available to exploit vulnerabilities, the knowledge base of available resources and vulnerabilities, and the skill required to mount an attack (which is becoming increasingly easy due to the freely available tools on the internet). We will talk more about threat landscape resources in the following chapters of this book. The following figure lists the different threats in 2016-2017 and their relative rankings:

Figure 2: ENISA Threat Landscape Report 2017

The preceding image is the threat landscape for 2017 based on a report from ENISA. This brings us to a point where it is important to know a little bit about some common types of attacks:

Unstructured attacks: These are attacks where the adversary has no prior knowledge of the environment they are attacking. Mostly, in such scenarios, they rely on freely available tools. Unstructured attacks are often launched en masse, based on any common vulnerability and the exploits available for it.

Structured attacks: In a structured attack, unlike an unstructured one, the adversary is much more prepared and has planned the attack well. In most cases of structured attacks, we notice that the attackers demonstrate advanced programming skills and knowledge of the IT systems and applications they are targeting. These attacks can be highly organized in nature and are mostly targeted at an individual entity or industry vertical.

Social engineering (phishing, spear phishing, and so on): This attack is targeted at one of the weakest links, humans. In this attack, the user is exploited in various ways. Often these attacks succeed because of a lack of knowledge or through ignorance. Information is extracted from the user by tricking them one way or the other. The most common way is phishing and spear phishing, in which data is extracted by impersonating something that looks authentic to the user, such as posing as an administrator helping the user to reset their password and other account details via a web portal. These portals are specially crafted to extract the data the attacker wishes to collect. Users fall prey to them and share sensitive information.

Eavesdropping: This attack is performed by gaining unauthorized access to the network and listening to the network communications. Commonly, all traffic that is not encrypted can easily be targeted by the attacker.

Denial of Service (DoS and DDoS): This is one of the oldest forms of network-based attack, where the attacker attempts to overwhelm the processing or computing capacity of the application or device by sending such a flood of data that it is more than the application or device can handle, thereby disrupting the system. Distributed denial of service (DDoS), on the other hand, is launched from multiple sources towards a single victim application or system on a very large scale, beyond the amount that can be handled. This is one of the hardest attacks to mitigate without the proper technologies in place.

Man-in-the-middle attack (MITM): In this attack form, the session or the network is hijacked in between, by manipulating the communication between server and client and acting as a proxy server, often without the knowledge of the victim.

Malware: Malware can be defined as disruptive software that is intentionally designed to cause damage or achieve any other malicious intent of its creator. Most of the time, the malware gains its access by exploiting the computing system's security or any vulnerabilities. Worms and Trojans are different forms of malware, and these have a very specific capability to spread from computer to computer and replicate themselves. Malware can cause theft of data, mass destruction of computer systems, and disruption of network activities, and can also aid corporate espionage. Much of the latest malware has unique capabilities to hide itself extremely well from security systems and detection mechanisms, and to stay active for weeks to years.

Botnets: When a computer system is infected with malware, or any other malicious remote tool, and is controlled remotely by the attacker, it is known as a bot. When many computers are compromised by this malware and controlled by the attacker, this network, or collection of compromised computers, is called a botnet. The remote mechanism and the control method are also termed "Command and Control". Botnets can be used for various other purposes by the adversary, and, to achieve these, the botnet master will keep updating the malicious program's binary. Botnets used to be single-focused in terms of their mission. However, in the recent past, they have changed to become multi-purpose malicious applications.

Cross-site scripting: Cross-site scripting, commonly known as an XSS attack, is an exploitation of flaws in web applications that allows the adversary to inject malicious client-side script and compromise the user, in most cases without their knowledge. In general, these flaws exist due to poor input validation in web-based applications. Once the XSS is sent to the user, the browser will process it, because browsers have no mechanism to stop XSS-based attacks. There are multiple forms of XSS attack; stored and reflected XSS are very common. Stored XSS allows the attacker to leave persistent malicious scripts on the victim's server, while reflected XSS usually takes place when the attacker sends the user a specially crafted link with a malicious query in the URL; when the unsuspecting user clicks on the link, it takes them to a malicious site that captures their sensitive data and sends it to the attacker. Reflected XSS is possible only if the user clicks on the link, or if the attacker tricks the user into clicking it.
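As an added example (not from the book), the two forms described above in Python's standard library: a stored comment and a reflected search parameter are first pasted into the page unchanged, then HTML-escaped at output time with html.escape, which is the fix for the input-handling flaw the passage describes. The comment strings and the URL are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample inputs for this demonstration; not real comments or traffic.
BENIGN_COMMENT = "Great article, thanks!"
HOSTILE_COMMENT = "<script>alert('stored')</script>"
SEARCH_URL = "https://app.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"


def render_comments_vulnerable(comments):
    """Stored XSS: saved comments are pasted into the page as-is, so a script
    tag stored once is delivered to every visitor who later loads the page."""
    return "<ul>" + "".join("<li>" + c + "</li>" for c in comments) + "</ul>"


def render_comments_safe(comments):
    """The fix: encode for the HTML context at output time. html.escape turns
    <, >, & and both quote characters into entities, so the browser displays
    the comment as text instead of parsing it as markup."""
    return "<ul>" + "".join(
        "<li>" + html.escape(c, quote=True) + "</li>" for c in comments
    ) + "</ul>"


def render_search(url, escape=True):
    """Reflected XSS: the 'q' parameter of the requested URL is echoed back in
    the response. With escape=False the echo is unescaped (the vulnerable form);
    the default escapes it, so a crafted link can no longer inject script."""
    query = parse_qs(urlsplit(url).query).get("q", [""])[0]
    shown = html.escape(query, quote=True) if escape else query
    return "<p>Results for: " + shown + "</p>"


def contains_script_tag(page):
    """Check used by the demo: does the rendered response still carry a script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    comments = [BENIGN_COMMENT, HOSTILE_COMMENT]
    print("stored, unescaped   :", contains_script_tag(render_comments_vulnerable(comments)))
    print("stored, escaped     :", contains_script_tag(render_comments_safe(comments)))
    print("reflected, unescaped:", contains_script_tag(render_search(SEARCH_URL, escape=False)))
    print("reflected, escaped  :", contains_script_tag(render_search(SEARCH_URL)))
```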

Drive-by download attack: This form of attack is very commonly seen over the internet, and has been one of the top threats in the past couple of years. In practice, attackers compromise a well-known benign website and host their malware there by embedding malicious links. Once unsuspecting users visit these websites, they are compromised by being automatically redirected to the malware download locations. Often, the links to compromised websites are spread via spam or phishing emails, where a user might click a link out of curiosity, or unknowingly, and get the malware downloaded onto their system.

SQL injection attack: A SQL injection attack is usually targeted at a database exposed via the web. An attacker executes malicious queries via a poorly configured web application, mostly through its data input mechanism, to run SQL commands. If successful, the attacker can gain access to the database, read sensitive data, or, at times, also modify it. SQL injection can also allow arbitrary commands to be run to manage the operating system remotely. This attack succeeds mostly because of poor input sanitization at the web application, rather than at the database end, because databases are designed to execute queries as they receive them and return results accordingly. So, developers must take care with input sanitization: accept only the input that is expected, and check for any malicious input before sending it to the database for query execution.
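As an added example (not from the book), the flaw and its fix in Python with an in-memory SQLite database holding constructed sample rows: one lookup concatenates the user's input into the SQL text, the other binds it as a parameter (the standard fix, used here alongside the allow-list input check the passage recommends), and the difference shows up in how many rows a single request can return.

```python
import sqlite3

# Constructed sample rows for this demonstration; not data from any real system.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_email_vulnerable(conn, username):
    """The flaw the passage describes: the input is concatenated into the SQL
    text, so the database parses whatever the user typed as part of the query."""
    sql = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_email_safe(conn, username):
    """Parameterized query: the input is bound as a value, never as SQL syntax,
    so quote characters in it cannot change what the statement does."""
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def username_is_acceptable(username):
    """The allow-list input check the passage recommends, applied before the
    query: accept only the shape the application actually expects."""
    return 1 <= len(username) <= 32 and username.isalnum()


if __name__ == "__main__":
    conn = make_db()
    # A request a normal user would make: exactly one row comes back.
    print(lookup_email_safe(conn, "alice"))
    # Input containing quote characters: concatenation lets it rewrite the
    # WHERE clause so every row matches, while binding matches nothing and the
    # input check rejects it before any query is run.
    odd_input = "' OR '1'='1"
    print(username_is_acceptable(odd_input), lookup_email_vulnerable(conn, odd_input))
    print(lookup_email_safe(conn, odd_input))
```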

Advanced persistent threat (APT): This attack has been on the rise for many years. The modus operandi of these attacks is mostly to launch highly targeted attacks against specific organizations, industry segments, or even a nation. These threats are called "advanced persistent" because the attacker, or group of attackers, uses many advanced and stealthy techniques to stay undetected for a very long time. Often, the attack and persistence methods are found to be specifically crafted for the particular attack and never used in any other attack. APT-based attacks are mostly well funded and mostly a team-driven activity. APT is used to target intellectual property or any form of sensitive information, for disruptive activities, or even for corporate espionage or sabotage of data and/or infrastructure. APT attacks are entirely different from other forms of attack: the adversaries take a very organized approach to knowing their target and the mission they want to achieve, and they do not rush to attack. The attack infrastructure is at times very complex. The main goal of the attackers is to stay in the compromised network as long as possible and remain hidden from security detection. One of the significant characteristics of an APT is that it may impact only certain parts of the network, certain persons in the company, or just a few systems in the network that are of interest, which makes APT activity more challenging for security monitoring systems to detect.

Web-based attacks: In these attacks, as the name suggests, the target systems are mostly internet-facing devices, applications, services, and so on. Practically, we can say that the majority of internet applications are exposed to web attacks. They can be attacked via flaws and vulnerabilities not only in the applications themselves, but also in the medium by which we access those applications, such as web browsers. Web browser exploits have been on the rise for many years, and web servers are always a very lucrative target for adversaries. Some of the well-known attack forms are drive-by downloads and watering hole attacks (where a legitimate web application used by the targeted organization is compromised, and the attacker then waits for its employees or users to visit the website and become compromised in turn).

Insider attacks: Insider attacks concern the human element of cybersecurity, which is extremely vulnerable and very difficult to track, monitor, and mitigate. This threat means that users with authorized access to information assets cause harm to the entity, business, or organization. This is sometimes done unknowingly, by falling prey to an attacker, and sometimes the insiders are the ones conducting the attack. In general, there are no definitive ways to detect or monitor insider threats proactively; in most cases they are found only when the damage has already been done. It has been a rising trend for many years, as advanced attackers try to exploit insiders to gain access to the organization or business. This has been a major threat to governments and it is increasing day by day. Even if an organization has a bulletproof network with a locked-down environment and strong perimeter defenses, insider attacks are considered to be the most effective. Mitigating an insider threat goes beyond technical implementation: the organization also needs to address its social culture and educate its own users about how to treat security and stay vigilant.

Ransomware: Ransomware has done a lot of damage recently and has emerged as a prominent threat. The modus operandi of ransomware is mostly to gain monetary profit by holding the user's data or system to ransom by making it unusable. This is achieved by compromising the system with one or another form of existing exploit or vulnerability and then encrypting the data on the user's system. Once the data is encrypted, the attacker demands money in exchange for the decryption key. The following screenshot shows an example of a ransomware message:

Figure 3: Example of Ransomware message, https://digitalguardian.com/sites/default/files/zdnet.jpg

Ransomware attacks are extremely dangerous because of their mechanism. Anyone with a little knowledge and access to freely available exploitation tools can use them to gain access and encrypt data. This is mostly done on a wide scale to generate more profit by volume, and the process is entirely automated. There are dark net groups that have created ransomware-as-a-service to offer the infrastructure and tools needed to run such a campaign. Ransomware attacks are now being targeted more at organizations, such as banks and other financial institutions, to generate huge profits by disrupting their business and demanding a ransom. WannaCry and NotPetya are the two most disruptive examples of ransomware that we have seen recently.

One notorious example of ransomware even had the modus operandi of making the system unusable: it not only encrypted the data on the systems, but also overwrote the master boot record, which makes the computer unusable if rebooted. The impact of ransomware is unimaginable when it comes to attacks against infrastructure such as airlines, hospitals, governments, and emergency services.

Espionage: This is one of those serious issues that has always existed, since the beginning of human warfare. Today, it takes place between corporations, governments, and various other entities, and the battleground is cyberspace. It is advantageous to the attacker, in a sense, because no one has to come forward directly to perform this espionage; they all remain behind hidden cyberspace and can stay anonymous. We have already seen in the news in the past couple of years how one government tries to damage or disrupt another by using a cyber form of espionage, compromising sensitive information and then leaking it to the public to cause chaos and disruption. Even corporations are not far behind: they do it to gain access to each other's intellectual property and stay ahead of the competition. Cyberspace is far more interesting and dangerous when we think about it from this perspective of cybersecurity.

The importance of securing the network and applications

With every passing day, the network of connected devices is growing, and, as this connectivity continues to grow, the risk of exposure is also increasing. Furthermore, it no longer depends on how big or small the business is. In today's cyberspace it is hard to establish that any network or application is not prone to attack, but it has become extremely important to have sustainable, dependable, and efficient network systems and applications. Properly configured systems and applications help reduce the risk of attack, but they may never be able to eliminate that risk completely.

A modern IT security system is a layered system, as a single-layer approach to security is not enough anymore. In the event of a network breach, the victim can sustain a huge impact, including financial loss, disruption to operations, and loss of trust. In the recent past, the number of breaches has increased for various reasons. The attack vectors for these breaches can be many, such as viruses, Trojans, custom malware for targeted attacks, zero-day-based attacks, or even insider threats. The following figure shows the biggest data breaches of the 21st century:

Figure 4: https://images.idgesg.net/images/article/2017/10/biggest-data-breaches-by-year-and-accounts-compromised-1-100738435-large.jpg

For instance, one of the biggest data breaches, which happened to Target Stores in December 2013, was planned during the Thanksgiving holidays, and the organization did not discover it until a few weeks after the actual attack. The attack started from an internet-enabled air conditioning system and moved from there to the point-of-sale systems. Eventually this attack led to the theft of about $110 million in credit and debit card data. The after-effects of the attack led to the resignation of the then Target CEO, and the cost impact to Target was in the region of $162 million. (For readers, a more detailed report can be found here: https://www.csoonline.com/article/2134248/data-protection/target-customers--39--card-data-said-to-be-at-risk-after-store-thefts.html)

The history of breaches

Attacks on computers, as we see today, may have evolved in terms of the techniques and sophistication of the attack itself, but one thing that has not changed is the reason for the breaches—data. Data has always been the center of attraction for all the hackers, both past and present.

1984 – The TRW data breach

Looking into the past for data breaches, one cannot miss the incident that was one of the most critical at the time, in 1984, which exposed personal and financial information of about 90 million users. TRW (today known as Experian), at the time, was hosting one of the largest databases of confidential records of about 90 million users and their credit history. TRW was responsible for providing information on users' credit history, employment details, banking and loan details, and, most importantly, social security numbers. These were transmitted over a telephone line to their many subscribers, who were mostly banks and department stores in remote locations. The following screenshot shows some online news coverage that this incident received:

Figure 5: Washington Post and NY Times coverage of the incident in 1984

Quite interestingly, access to these databases was not well secured, and subscribers could log in to the TRW database as needed to query the required information about a user. These details were confidential in nature and were only to be accessed by bank officials or department store operators. Even though the data accessed was read-only and no one could change any data, one could still expose and misuse it, which is exactly what happened. The password and the manual on how to operate the TRW system and access the database were leaked from a department store in one location, and, once the adversaries got hold of the login and access information, they posted it on bulletin boards (something equivalent to today's social media). Now, not only did the attackers have the login information, but also a whole profile of those who were connected to and had access to the bulletin board.

Surprisingly, the incident was not detected by TRW officials for many months (it is not clear how long); the breach was reported to TRW by an external party. As per the investigation reports at the time, it was believed that the database was accessed via the store's line, and TRW had no idea how many times it had been accessed. Experts said at the time that proper monitoring and detection could have flagged this activity (note that this is true even in today's environment). Investigators at the time also suggested that, if TRW had implemented a system to call back the telephone number from which access was requested and verify it before the information was transmitted (today we can compare this with two-factor authentication), and rotated the user password frequently in conjunction with a few other methods, the attack could have been averted.

The points we need to focus on in this incident of 1984, and compare with today's attack scenarios, are that the attack vectors, methods, and the mitigations that could have averted it are largely unchanged. Firstly, the attackers used some sort of social engineering to get hold of login credentials, which is still a very common method today. Secondly, they had full and complete information about the TRW systems by getting access to the manual, which might have helped them stay undetected for a very long time. Thirdly, they targeted user data, not to damage or tarnish the company. It is the same today: attackers gain silent access to systems by various methods, try to stay undetected as long as possible, and make use of the stolen data.

1990s – Beginning of computer viruses and worms