Chapter 1 Introduction

The document discusses rules and policies for a university course on information security. It outlines expectations such as following COVID safety protocols, prohibitions against plagiarism or dishonesty which could result in failing grades, and a tentative grading breakdown that includes assignments, exams, projects, and quizzes. It also previews some of the topics to be covered in the course, such as defining information security, common attack types, and basic defense principles.


University of Engineering and Technology, Taxila

CS408 Information Security

Introduction to Security
Some Rules
• Follow COVID SOPs (wear a mask at all times)
• Mobile phones:
  • Switched off or muted, and in your bag or pocket
• Timekeeping:
  • Don't be late
  • I expect you to stay until the end of the lecture. If for some reason you want to leave early, ask in advance.
Dishonesty, Plagiarism
• Plagiarism in the project or in the midterm/final exam may result in an F grade in the course.
• Plagiarism in an assignment may result in zero marks for the whole assignments category.
Tentative Evaluation Breakdown
Grading policy: relative grading

Component              Weight (%)
Assignments (3 or 4)        5
Midterm                    25
Project                    10
Final                      50
Quizzes                    10
Total                     100
Introduction to Security
• Describe the challenges of securing information
• Define information security and explain why it is important
• Identify the types of attacks that are common today
• List the basic steps of an attack
• Describe the five basic principles of defense

CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition
Books
• CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition, by Mark Ciampa
• Corporate Computer Security, 3rd Edition, by Randall J. Boyle
Certification
• Certified Information Systems Security Professional (CISSP) is an independent information security certification granted by the International Information System Security Certification Consortium, also known as (ISC)².
• The CompTIA Security+ certification is an internationally recognized validation of foundation-level security skills and knowledge.
Challenges of Securing Information
• Security figures prominently in the 21st-century world
  – Personal security
  – Information security (focused on protecting the electronic information of organizations and users)
• Securing information
  – No simple solution
  – Many different types of attacks
  – Defending against attacks is often difficult
Although information security continues to rank as the number one concern of IT managers, and tens of billions of dollars are spent annually on computer security, the number of successful attacks continues to increase.
Security+ Guide to Network Security Fundamentals, Fourth Edition
Today's Security Attacks
• Examples of recent attacks
  – Fake anti-virus
  – Taking control of wireless cameras
  – ATM attacks (malware called Ploutus)
  – Taking over Twitter accounts (next slide)
  – Attackers using online sites such as Craigslist and eBay to lure victims into downloading malware
Taking over Twitter accounts

Amitabh Bachchan's Twitter account was allegedly hacked on Monday night (June 10, 2019) by Ayyildiz Tim, which claimed to be a Turkish hacker group.
https://apnlive.com/entertainment/bollywood/amitabh-bachchans-twitter-account-hacked-profile-pic-changed-pak-pm-imran-khan/
Google blocks largest HTTPS DDoS attack 'reported to date'

Source: bleepingcomputer.com
Today's Security Attacks
The Sony Data Breaches
• Sony Corporation
  – Japanese multinational corporation founded in 1946 that focuses on electronics, games, entertainment, and financial services
  – Employs about 146,300 people and has annual revenues of about $72.3 billion
  – Widely known for its televisions, digital imaging, audio/video hardware, PCs, semiconductors, electronic components, and gaming platform
1.1: The Sony Data Breaches
• The First Attack
  – April 17-19, 2011
  – Attacks happened a few weeks after the large earthquake, tsunami, and reactor meltdowns in Japan
  – Used SQL injection to steal 77 million accounts
  – Turned off access to PlayStation Network (PSN)
  – Sony publicly acknowledged the intrusion a week later, on April 26th
  – Kazuo Hirai (then Sony's executive deputy president, CEO from 2012) issued a public apology
  – Hacking group "Anonymous" was suspected
The Sony Data Breaches
• The Second Attack
  – May 1st, 2011 – Sony Online Entertainment
  – A similar SQL injection attack was used to steal an additional 24.6 million accounts
  – Turned off access to all Sony Online Entertainment servers
  – Kazuo Hirai issued a written response to the US Congress (May 4th) about steps to prevent future attacks
  – Some PSN services started to come back online on May 15th
The Sony Data Breaches
• The Third Attack
  – June 2nd, 2011 – SonyPictures.com
  – A similar SQL injection attack was used to steal an additional 1 million accounts
  – SonyPictures.com was immediately shut down
  – Hacking group LulzSec claimed responsibility and issued a press statement
• LulzSec press statement
"Greetings folks. We're LulzSec, and welcome to Sownage. Enclosed you will find various collections of data stolen from internal Sony networks and websites, all of which we accessed easily and without the need for outside support or money.

We recently broke into SonyPictures.com and compromised over 1,000,000 users' personal information, including passwords, email addresses, home addresses, dates of birth, and all Sony opt-in data associated with their accounts. Among other things, we also compromised all admin details of Sony Pictures (including passwords) along with 75,000 'music codes' and 3.5 million 'music coupons'."
The Sony Data Breaches: SQL injection

https://portswigger.net/web-security/sql-injection
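To make the Sony pattern concrete, here is an added example (not code from the slides or from Sony): a Python script against an in-memory SQLite table with constructed sample rows. It shows the vulnerable string-concatenated query, the two classic payloads (a tautology that dumps every row and a UNION that pulls a column the query never exposed), and the parameterized query that treats the same input purely as data. The table, column names and sample values are assumptions for the example.

```python
import sqlite3

# Constructed sample data for the example; not from any real breach.
SAMPLE_USERS = [
    ("alice@example.com", "pbkdf2$h1"),
    ("bob@example.com", "pbkdf2$h2"),
    ("carol@example.com", "pbkdf2$h3"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[str]:
    """Vulnerable pattern: untrusted input is spliced into the SQL text.

    The database cannot tell where the programmer's query ends and the
    attacker's input begins, so the input can change the query's meaning.
    """
    sql = f"SELECT email FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Hardened pattern: the SQL text is a constant and the value is bound
    as a parameter, so it is only ever treated as data."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# Classic payloads: the first turns the WHERE clause into a tautology, the
# second appends a UNION to pull rows from a column the query never exposed.
TAUTOLOGY = "' OR '1'='1"
UNION_DUMP = "' UNION SELECT password_hash FROM users--"


def demo() -> dict[str, list[str]]:
    """Run both lookups against both payloads and return the results."""
    conn = make_db()
    return {
        "vulnerable_tautology": sorted(lookup_vulnerable(conn, TAUTOLOGY)),
        "vulnerable_union": sorted(lookup_vulnerable(conn, UNION_DUMP)),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_union": lookup_safe(conn, UNION_DUMP),
        "safe_honest": lookup_safe(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:22s} -> {rows}")
```

The vulnerable lookup returns every e-mail address for the tautology and every password hash for the UNION payload; the parameterized lookup returns nothing for either, because it searches for a user whose e-mail literally equals the payload string. Parameterization is the fix; input filtering alone is not.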
Difficulties in Defending Against Attacks

• Universally connected devices
  It is unthinkable today for any technology device (desktop computer, tablet, laptop, or smartphone) not to be connected to the Internet.

• Increased speed of attacks
  With modern tools at their disposal, attackers can quickly scan millions of devices to find weaknesses and launch attacks with unprecedented speed.

• Greater sophistication of attacks
  Attackers today use common Internet protocols and applications to perform attacks, making it more difficult to distinguish an attack from legitimate traffic.

• Availability and simplicity of attack tools
  Today's software attack tools do not require any sophisticated knowledge on the part of the attacker. In fact, many of the tools bundled in distributions such as Kali Linux have a graphical user interface (GUI) that lets the user select options from a menu.

• Faster detection of vulnerabilities
  Weaknesses in hardware and software can be more quickly uncovered and exploited with new software tools and techniques.
Next generation attacks

The DDoS attack on Dyn DNS was carried out using the Mirai malware botnet. Mirai is a DDoS nightmare, turning the Internet of Things (IoT) into a botnet of things.

https://www.imperva.com/blog/how-to-identify-a-mirai-style-ddos-attack/
Paras Jha (one of Mirai's authors)

Difficulties in Defending Against Attacks
What Is Information Security?

• Before defense is possible, one must understand:
  – Exactly what security is
  – How security relates to information security
  – The terminology that relates to information security
Understanding Security
• Security is:
  – The goal of being free from danger
  – The process that achieves that freedom
• Harm or danger may come from one of two sources:
  – A direct action that is intended to inflict damage
  – An indirect and unintentional action
• As security is increased, convenience is often decreased
  – The more secure something is, the less convenient it may become to use
Defining Information Security

• Information security: the tasks of securing information that is in a digital format:
  – Stored on a storage device
  – Transmitted over a network
• Information security goal: to ensure that protective measures are properly implemented to ward off attacks and to prevent the total collapse of the system when a successful attack occurs
Defining Information Security (cont'd.)
• Three types of information protection, often called the CIA triad
  – Confidentiality
    • In general, for confidentiality to be maintained on a network, data must be protected from unauthorized access, use, or disclosure while in storage, in process, and in transit.
    • Numerous attacks focus on the violation of confidentiality. These include:
      – capturing network traffic
      – stealing password files
      – social engineering
      – port scanning (the reconnaissance that usually precedes a disclosure attack)
      – eavesdropping, sniffing, and so on.
Defining Information Security (cont'd.)
Confidentiality
  – Violations of confidentiality are not limited to directed, intentional attacks.
  – Events that lead to confidentiality breaches include:
    • not encrypting data before sending it to another person,
    • falling prey to a social engineering attack,
    • sharing a company's trade secrets, or not taking extra care to protect confidential information when processing it,
    • documents left on printers, or walking away from an access terminal while data is displayed on the monitor.
  – Numerous countermeasures
    • Encryption for data at rest (whole disk, database encryption)
    • Encryption for data in transit (IPsec, TLS, SSH; PPTP appears in older lists but is broken and should not be used)
    • Access control (physical and technical)
A classic data breach

1. An employee is sent a phishing email with a link to a realistic-looking internal site.
2. The employee opens the email, clicks the link, and types in her user name and password.
3. The malicious site collects the password and shows the user that everything is fine, so she is not suspicious.
4. The malicious actor uses the user name and password to download sensitive files.
Do you see any problem here?
A classic data breach

• Prevention: detect phishing URLs and mark the messages as spam, train employees to notice phishing, identify off-site access to sensitive files and block it, encrypt files so they are useless if leaked. A second authentication factor would also have stopped step 4, since the stolen password alone would not be enough to log in.
• Detection: identify that sensitive files have been (past tense) accessed from off site
• Response: change the employee's password and revoke her active sessions, notify the CTO, notify the insurer, begin the post-breach plan.
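The detection bullet above, as an added example that is not part of the original slides: a small Python detector run over a constructed file-access log. It flags sensitive paths reached from outside the corporate address ranges and, separately, any account seen from both inside and outside in the same window (the signature of the stolen credential in step 4). The log format, the corporate ranges and the sensitive-path prefixes are assumptions for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumed corporate address space for the example (hypothetical values).
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]
# Assumed path prefixes that mark a file as sensitive (hypothetical).
SENSITIVE_PREFIXES = ("/finance/", "/hr/")

# Constructed sample file-access log, one event per line (key=value fields).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=jdoe src=10.20.1.15 action=download path=/finance/q1-forecast.xlsx
2024-05-01T09:14:44Z user=jdoe src=10.20.1.15 action=view path=/public/lunch-menu.pdf
2024-05-01T22:03:10Z user=jdoe src=198.51.100.77 action=download path=/finance/q1-forecast.xlsx
2024-05-01T22:03:12Z user=jdoe src=198.51.100.77 action=download path=/hr/salary-bands.csv
2024-05-01T22:05:00Z user=asmith src=203.0.113.9 action=view path=/hr/holiday-calendar.pdf
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    action: str
    path: str


def parse_line(line: str) -> Event:
    """Parse one 'timestamp key=value ...' log line into an Event."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return Event(
        ts,
        fields["user"],
        ipaddress.ip_address(fields["src"]),
        fields["action"],
        fields["path"],
    )


def parse_log(text: str) -> list[Event]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(ip in net for net in CORPORATE_NETS)


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def find_offsite_sensitive_access(text: str) -> list[Event]:
    """Rule 1: a sensitive file touched from outside the corporate ranges."""
    return [
        ev for ev in parse_log(text)
        if is_sensitive(ev.path) and not is_internal(ev.src)
    ]


def users_with_mixed_sources(text: str) -> set[str]:
    """Rule 2: the same account used from both an internal and an external
    address in the same log window, a common sign of a stolen credential."""
    seen: dict[str, set[bool]] = {}
    for ev in parse_log(text):
        seen.setdefault(ev.user, set()).add(is_internal(ev.src))
    return {user for user, flags in seen.items() if flags == {True, False}}


if __name__ == "__main__":
    for ev in find_offsite_sensitive_access(SAMPLE_LOG):
        print(f"ALERT off-site sensitive access: {ev.ts} {ev.user} {ev.src} {ev.action} {ev.path}")
    print("accounts seen from inside and outside:", users_with_mixed_sources(SAMPLE_LOG))
```

Run against the sample log, rule 1 raises two alerts (both downloads from 198.51.100.77) and rule 2 names jdoe, whose credential was used from the office in the morning and from an external address at night. Either rule on its own would have caught step 4 of the breach; in practice both are fed to a SIEM so that the response steps above can start while the download is still in progress.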

Defining Information Security (cont'd.)
• Three types of information protection, often called the CIA triad
  – Integrity
    • Confidentiality and integrity depend on each other
    • Integrity is upheld when the accuracy and reliability of information and systems are assured and any unauthorized modification is prevented.
    • Environments that enforce and provide this attribute of security ensure that attackers, or mistakes by users, do not compromise the integrity of systems or data.
    • Numerous attacks focus on the violation of integrity. These include viruses, logic bombs, unauthorized access, errors in coding and applications, malicious modification, intentional replacement, and system backdoors.
Defining Information Security (cont'd.)
• Three types of information protection, often called the CIA triad
  – Integrity
    • Events that lead to integrity breaches include (non-intentional):
      – accidentally deleting files
      – entering invalid data
      – altering configurations
    • Countermeasures
      – Hashing (data integrity)
      – Configuration management (system integrity)
      – Access control (physical and technical)
      – Software digital signing
      – Transmission cyclic redundancy check (CRC) functions
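The countermeasure list mixes two different guarantees: a CRC detects accidental corruption, while a keyed hash (HMAC) or a digital signature also detects deliberate modification. The following added Python example (not from the slides) shows the difference on a constructed message: a single flipped bit is caught by both, but an attacker who rewrites the amount and recomputes the CRC is caught only by the HMAC, because recomputing the tag requires the key. The message and key are made up for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample message and key for the example.
SAMPLE_MESSAGE = b"transfer from=alice to=bob amount=100"
SAMPLE_KEY = b"example-key-do-not-use-in-production-0123456789"


def crc32_tag(data: bytes) -> int:
    """Error-detecting checksum: catches accidental corruption only."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed message authentication code: catches corruption *and* tampering,
    because the tag cannot be recomputed without the key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify_crc(data: bytes, tag: int) -> bool:
    return crc32_tag(data) == tag


def verify_hmac(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(hmac_tag(key, data), tag)


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Model accidental corruption: a single bit error in transmission."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def attacker_tamper(message: bytes) -> tuple[bytes, int]:
    """Model deliberate modification: the attacker rewrites the amount and
    recomputes the CRC, which needs no secret."""
    forged = message.replace(b"amount=100", b"amount=100000")
    return forged, crc32_tag(forged)


def run_scenarios() -> dict[str, bool]:
    """Return one True/False verdict per scenario; all should be True."""
    crc = crc32_tag(SAMPLE_MESSAGE)
    mac = hmac_tag(SAMPLE_KEY, SAMPLE_MESSAGE)
    corrupted = flip_bit(SAMPLE_MESSAGE, 13)
    forged, forged_crc = attacker_tamper(SAMPLE_MESSAGE)
    return {
        "crc_accepts_original": verify_crc(SAMPLE_MESSAGE, crc),
        "hmac_accepts_original": verify_hmac(SAMPLE_KEY, SAMPLE_MESSAGE, mac),
        "crc_detects_bit_flip": not verify_crc(corrupted, crc),
        "hmac_detects_bit_flip": not verify_hmac(SAMPLE_KEY, corrupted, mac),
        # The attacker ships the forged message with a freshly computed CRC...
        "crc_accepts_forgery": verify_crc(forged, forged_crc),
        # ...but cannot produce a valid HMAC, so the old tag fails to verify.
        "hmac_rejects_forgery": not verify_hmac(SAMPLE_KEY, forged, mac),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:24s} {outcome}")
```

The lesson for the list above: CRCs (and plain hashes published next to the data) protect against noise, not against an adversary. Use an HMAC when both sides share a key, or a digital signature when the verifier must not be able to forge tags itself, which is the case for software signing.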
Defining Information Security (cont'd.)
• Three types of information protection, often called the CIA triad
  – Availability
    • The third principle of the CIA triad is availability, which means that authorized subjects are granted timely and uninterrupted access to objects.
    • If a security mechanism offers availability, it offers a high level of assurance that the data, objects, and resources are accessible to authorized subjects.
    • There are numerous threats to availability.
      – These include device failure, software errors, and environmental issues (heat, static, flooding, power loss, and so on).
      – There are also some forms of attack that focus on the violation of availability, including DoS attacks and communication interruptions.
Defining Information Security (cont'd.)
• Three types of information protection, often called the CIA triad
  – Availability
    • Countermeasures
      – Redundant array of independent disks (RAID)
      – Load balancing
      – Redundant data and power lines
      – Software and data backups
      – Co-location and offsite facilities
      – Rollback functions
      – Failover configurations
Defining Information Security (cont'd.)
• Protections implemented to secure information
  – Identification
    • Identification is the ability to uniquely identify a user of a system, or an application running in the system.
    • A subject must provide an identity to a system to start the process of authentication, authorization, and accountability (AAA).
      – Providing an identity can involve typing in a username or swiping a smart card.
  – Authentication
    • Authentication is the process of verifying or testing that the claimed identity is valid.
    • Authentication requires additional information from the subject that must correspond exactly to the identity indicated.
    • This includes passwords and their variants, PINs and passphrases.
For example, consider a user who logs on to a system by entering a user ID and password. The system uses the user ID to identify the user. The system authenticates the user at the time of logon by checking that the supplied password is correct.
  – Authorization
    • Granting the ability to access information. After a person has authenticated, she may have the authority to access the credit card number or to enter a room that contains the web server, provided she has been given prior authorization.
  – Auditing
    • Recording a log of the events and activities related to the system and its subjects.
    • Auditing, or monitoring, is the programmatic means by which a subject's actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system.
  – Accounting (aka accountability): reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions.
  – Nonrepudiation ensures that the subject of an activity or event cannot deny that the event occurred.
    • Nonrepudiation is an essential part of accountability.
    • Nonrepudiation prevents a subject from claiming not to have sent a message, not to have performed an action, or not to have been the cause of an event.
    • It rests on identification, authentication, authorization, accountability, and auditing; in practice it also needs the audit trail to be tamper-evident, or the action to be digitally signed, so that the record itself cannot be disputed.
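The stages above in one flow, as an added Python example that is not part of the original slides: the username identifies a record, the password authenticates against a salted PBKDF2 hash (compared in constant time, with the derivation run even for unknown usernames so timing does not reveal which accounts exist), a role check authorizes each action, and every decision is written to an audit log that can be reviewed per subject. The user names, roles and iteration count are assumptions for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from datetime import datetime, timezone

# Kept modest so the example runs quickly; follow current guidance (e.g. OWASP) in production.
ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16

USERS: dict[str, dict] = {}     # identity -> {"salt", "hash", "roles"}
AUDIT_LOG: list[dict] = []      # one entry per access decision


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted key derivation so stolen hashes resist offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str, roles: list[str]) -> None:
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "roles": set(roles)}


def _audit(subject: str, action: str, allowed: bool) -> None:
    """Auditing: record who did what, when, and with what outcome."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "subject": subject,
        "action": action,
        "outcome": "allow" if allowed else "deny",
    })


def authenticate(username: str, password: str) -> bool:
    """Identification (the username selects a record) followed by
    authentication (the password must verify against that record)."""
    record = USERS.get(username)
    # Derive for unknown users too, so response time does not reveal which usernames exist.
    salt = record["salt"] if record else _DUMMY_SALT
    candidate = _derive(password, salt)
    ok = record is not None and hmac.compare_digest(candidate, record["hash"])
    _audit(username, "login", ok)
    return ok


def authorize(username: str, action: str, required_role: str) -> bool:
    """Authorization: an authenticated identity is still only allowed what its roles permit."""
    record = USERS.get(username)
    allowed = record is not None and required_role in record["roles"]
    _audit(username, action, allowed)
    return allowed


def accountability_report(subject: str) -> list[str]:
    """Accountability: review the audit trail for one subject."""
    return [
        f'{e["ts"]} {e["action"]}={e["outcome"]}'
        for e in AUDIT_LOG
        if e["subject"] == subject
    ]


if __name__ == "__main__":
    register("alice", "correct horse battery staple", ["viewer"])
    print("login ok:", authenticate("alice", "correct horse battery staple"))
    print("login bad:", authenticate("alice", "wrong password"))
    print("read allowed:", authorize("alice", "read_report", "viewer"))
    print("export allowed:", authorize("alice", "export_card_numbers", "admin"))
    print("\n".join(accountability_report("alice")))
```

Two details matter for the slide's definitions. Authentication and authorization are separate decisions: alice authenticates successfully yet is still denied the admin-only export, and both outcomes land in the log. The log is also what makes accountability possible at all; without the audit entries there is nothing to review.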
Information Security Terminology
• Asset
  – Item of value
  – In an organization, assets have the following qualities: they provide value to the organization, and they cannot easily be replaced without a significant investment in expense, time, worker skill, and/or resources.
• Threat
  – Actions or events that have the potential to cause harm
• Threat agent
  – Person or element with the power to carry out a threat
    • A threat agent could be a person attempting to break into a secure computer network.
    • It could also be a force of nature such as a hurricane that could damage computer equipment and thus destroy information, or it could be malicious software that attacks the computer network.
Information Security Terminology

• Vulnerability
  – Flaw or weakness that allows a threat agent to bypass security
• Threat likelihood
  – Likelihood that a threat agent will exploit a vulnerability
• Risk
  – A situation that involves exposure to some type of danger; in practice it is assessed as the likelihood that a threat agent exploits a vulnerability, combined with the impact if it does

Figure 1-4 Information security components analogy
© Cengage Learning 2012
Information Security Terminology
• Options to deal with risk (the examples refer to the scooter analogy in the figure):
  – Risk avoidance: identifying the risk but not engaging in the activity (e.g. not buying the scooter)
  – Acceptance: the risk is acknowledged but no steps are taken to address it (e.g. ignoring the risk and buying the scooter anyway)
  – Risk mitigation: attempting to make the risk less serious (e.g. asking management to fix the fence)
  – Deterrence: understanding the attacker and informing him of the consequences of his actions (e.g. putting up a sign warning of the consequences of stealing)
  – Transference: transferring the risk to a third party (e.g. insurance)
Sarah Palin email hack

https://www.wired.com/2008/09/palin-e-mail-ha/
Case study: Heartbleed!
• TLS (still widely called SSL) is the main protocol for secure (encrypted) online communication.
• The TLS heartbeat extension (RFC 6520) allows a computer at one end of a TLS connection to send a short message to verify that the other computer is still online and get a response back.
• Researchers found that it was possible to send a cleverly formed, malicious heartbeat message that tricked the computer at the other end into divulging secret information. The bug (CVE-2014-0160) was in OpenSSL's implementation of the extension, not in the protocol itself.
Case study: Heartbleed!

https://www.forumsys.com/api-security/how-to-fix-openssl-heartbleed-security-flaw/
Case study: Heartbleed!

• A malformed heartbeat lets the attacker read server memory
  – Passwords, keys, emails, visitor logs, ...
• The attacker can ask for up to about 64 KB of plaintext per request (the length field is 16 bits). And it doesn't just ask once: it can send malicious heartbeat messages over and over, getting back a different fragment of the server's memory each time.
• Fix: don't let the peer tell you how much data to send back; check the claimed length against the bytes actually received.
  – This is a missing bounds check in the implementation, not a flaw in the protocol design (RFC 6520 requires the check).
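A Python model of the bug pattern, added here as an example; it is not OpenSSL's code, and the "neighbouring memory" is a constructed byte string standing in for whatever happened to follow the record in the real heap. The heartbeat layout (type, 16-bit payload length, payload, padding) follows RFC 6520. The vulnerable responder copies as many bytes as the request claims; the fixed one checks the claim against the bytes actually received and discards the message if it does not fit.

```python
from __future__ import annotations

import struct

HB_REQUEST, HB_RESPONSE = 1, 2
HEADER = struct.Struct("!BH")   # type (1 byte) + payload_length (2 bytes, big-endian)
PADDING = 16                    # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for the other live data that sat next to the received
# record in the server's heap (session cookies, key material, and so on).
NEIGHBOURING_MEMORY = b"cookie=SESSION_TOKEN_ABC123; key=-----BEGIN PRIVATE KEY-----"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request. An honest client passes claimed_length ==
    len(payload); the attack passes a much larger value."""
    return HEADER.pack(HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def respond_vulnerable(record: bytes) -> bytes:
    """Trusts the peer's payload_length and copies that many bytes starting at
    the payload, running past the record into neighbouring memory."""
    memory = record + NEIGHBOURING_MEMORY      # model: record buffer + what follows it
    _, claimed = HEADER.unpack_from(memory)
    payload = memory[HEADER.size:HEADER.size + claimed]
    return HEADER.pack(HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def respond_fixed(record: bytes) -> bytes | None:
    """Checks payload_length against the bytes actually received; an
    oversized claim is discarded silently, as RFC 6520 requires."""
    if len(record) < HEADER.size + PADDING:
        return None
    _, claimed = HEADER.unpack_from(record)
    if HEADER.size + claimed + PADDING > len(record):
        return None
    payload = record[HEADER.size:HEADER.size + claimed]
    return HEADER.pack(HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def leaked_bytes(response: bytes, sent_payload: bytes) -> bytes:
    """Everything in the echoed payload beyond what the client actually sent."""
    _, claimed = HEADER.unpack_from(response)
    echoed = response[HEADER.size:HEADER.size + claimed]
    return echoed[len(sent_payload):]


if __name__ == "__main__":
    attack = build_heartbeat(b"hi", 60)          # 2 bytes sent, 60 claimed
    print("vulnerable leaks:", leaked_bytes(respond_vulnerable(attack), b"hi"))
    print("fixed responds:", respond_fixed(attack))
    honest = build_heartbeat(b"hi", 2)
    print("fixed echoes:", respond_fixed(honest)[HEADER.size:HEADER.size + 2])
```

With a two-byte payload and a claimed length of 60, the vulnerable responder echoes the padding and the first bytes of the neighbouring data, including the session token; the fixed responder returns nothing for that record and still answers the honest request normally. Repeating the request with the same claim returns whatever happens to sit next to the buffer each time, which is why the real attack could harvest keys and passwords over many tries.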
The Marketplace for Vulnerabilities

Option 1: bug bounty programs (many)
• Google Vulnerability Reward Program: up to $20K
• Microsoft Bounty Program: up to $100K
• Mozilla Bug Bounty program: $7,500
• Pwn2Own competition: $15K
Example: Mozilla

Option 2: vulnerability brokers
• Zero Day Initiative (ZDI), iDefense: $2K – $25K

Option 3: black market
Source: Andy Greenberg (Forbes, 3/23/2012)

Understanding the Importance of Information Security
• Information security can be helpful in:
  – Preventing data theft
  – Thwarting identity theft
  – Avoiding the legal consequences of not securing information
  – Maintaining productivity
  – Foiling cyberterrorism
Preventing Data Theft

• Preventing data from being stolen is often the primary objective of an organization's information security
• Business data theft involves stealing proprietary business information
• Personal data theft involves stealing personal information such as credit card numbers
Thwarting Identity Theft

• Identity theft
  – Stealing another person's personal information
    • Usually using it for financial gain
  – Example:
    • Steal a person's SSN
    • Create a new credit card account, charge purchases to it, and leave them unpaid
    • File fraudulent tax returns
Avoiding Legal Consequences

• Laws protecting electronic data privacy:
  – The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  – The Sarbanes-Oxley Act of 2002 (Sarbox)
  – The Gramm-Leach-Bliley Act (GLBA)
  – Payment Card Industry Data Security Standard (PCI DSS)
  – California's Database Security Breach Notification Act (2003)
Maintaining Productivity

• Post-attack clean-up diverts resources away from normal activities
  – Time, money, and other resources
Foiling Cyberterrorism
• Cyberterrorism
  – Any premeditated, politically motivated attack against information, computer systems, computer programs, and data
• Designed to:
  – Cause panic
  – Provoke violence
  – Result in financial catastrophe
• May be directed at targets such as the banking industry, power plants, air traffic control centers, and water systems
Who Are the Attackers?
• Hacker: a person who uses computer skills to attack computers
• Black hat hackers
  – Violate computer security for personal gain; the goal is to inflict malicious damage
• White hat hackers
  – Goal is to expose security flaws, with the owner's permission, not to steal or corrupt data
• Gray hat hackers
  – Goal is to break into a system without the owner's permission, but not for their own advantage
Who Are the Attackers?

• Categories of attackers
  – Cybercriminals
  – Script kiddies
  – Brokers
  – Insiders
  – Cyberterrorists
  – Hacktivists
  – State-sponsored attackers
Cybercriminals

• A network of attackers, identity thieves, spammers, and financial fraudsters
  – More highly motivated
  – Willing to take more risk
  – Well-funded
  – More tenacious
• The goal of a cybercriminal is financial gain
• Cybercrime: targeted attacks against financial networks and the theft of personal information
Cybercriminals
• Financial cybercrime is divided into two categories:
  – Individuals and businesses
    • Use stolen data, credit card numbers, online financial account information, or Social Security numbers to profit from victims
  – Businesses and governments
    • Attempt to steal research on a new product so they can sell it to a foreign supplier
Script Kiddies
• Script kiddies: individuals who want to attack computers yet lack the knowledge of computers and networks needed to do so
• They download automated hacking software (scripts) from websites
• Over 40 percent of attacks require low or no skills
• Exploit kits: automated attack packages that can be used without advanced knowledge of computers
  – Script kiddies either rent or purchase them
Tools

• Nmap (Network Mapper) | Free
  Used to scan ports and map networks
• Metasploit Penetration Testing Software | Free & Paid
  Vulnerability exploitation tool
• John the Ripper | Free
  Password cracking tool (offline dictionary attack)
• THC Hydra | Free
  Network login password cracking tool (online dictionary and brute force)
Tools
• Aircrack-ng | Free
  Wi-Fi password cracking tool
• Acunetix is a web vulnerability scanner (WVS) that crawls a website and finds serious flaws. This multi-threaded tool detects Cross-site Scripting, SQL injection, and other vulnerabilities.
Tools
• Nessus Vulnerability Scanner detects:
  – Vulnerabilities that allow a remote attacker to control a system or access sensitive data on it
  – Misconfiguration (e.g. open mail relay, missing patches, etc.)
  – Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  – Denial of service against the TCP/IP stack using malformed packets
Social-Engineer Toolkit

Hacking and security tools in multiple categories
Brokers

• Brokers: attackers who sell knowledge of a vulnerability to other attackers or governments
• Often hired by the vendor to uncover vulnerabilities
  – Instead of reporting them to the vendor, they sell the information about the vulnerabilities to the highest bidder
Insiders

• Employees, contractors, and business partners
• Over 48 percent of breaches are attributed to insiders
• Examples of insider attacks:
  – A health care worker may publicize celebrities' health records
    • Disgruntled over upcoming job termination
  – A stock trader might conceal losses through fake transactions
  – Employees may be bribed or coerced into stealing data before moving to a new job
Cyberterrorists

• Cyberterrorists: attackers whose motivation may be ideological, or for the sake of principles or beliefs
  – Almost impossible to predict when or where the attack may occur
• Targets may include:
  – A small group of computers or networks that can affect the largest number of users
• Example:
  – Computers that control the electrical power grid of a state or region
Hacktivists
• Hacktivists: attackers who attack for ideological reasons that are generally not as well-defined as a cyberterrorist's motivation
• Examples of hacktivist attacks:
  – Breaking into a website and changing the contents of the site to make a political statement
  – Disabling a website belonging to a bank because the bank stopped accepting payments that were deposited into accounts belonging to the hacktivists
State-Sponsored Attackers

• State-sponsored attacker: an attacker commissioned by a government to attack enemies' information systems
  – May target foreign governments, or even citizens of the sponsoring government who are considered hostile or threatening
• Examples of attacks:
  – Malware targeting government or military computers
  – Citizens having their email messages read without their knowledge
Advanced Persistent Threat (APT)
• As the name "advanced" suggests, an advanced persistent threat (APT) uses continuous, sophisticated hacking techniques to gain access to a system and remain inside for a prolonged period of time, with potentially destructive consequences.
• APTs are usually leveled at high-value targets, such as nation states and large corporations, with the ultimate goal of stealing information over a long period of time.
APT Network Security Attack
Advanced Persistent Threat (Example: Stuxnet)
• Stuxnet had to target specific Siemens industrial control systems and PLC CPUs. Additionally, the program had to determine that these systems were operating in Iran.
• https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1493920814.pdf
Advanced Persistent Threat (APT)
• Examples of APTs include:
  – A well-crafted e-mail with the subject line "2011 Recruitment Plan" tricked an RSA employee into retrieving it from a junk-mail folder and opening a message containing malware that led to a sophisticated attack on the company's information systems, according to a top technologist at the security vendor.
Steps of an Attack

• The Cyber Kill Chain outlines the steps of an attack:
  – 1. Reconnaissance: probe for information about the target system, such as the type of hardware or software used
  – 2. Weaponization: the attacker creates an exploit (e.g. malware) and packages it into a deliverable payload (e.g. a Microsoft Excel file)
  – 3. Delivery: the weapon is transmitted to the target (such as by an email attachment or through an infected web server)
  – 4. Exploitation: after the weapon is delivered, the exploitation stage triggers the intruder's exploit
  – 5. Installation: the weapon is installed to either attack the computer or install a remote "backdoor"

Steps of an Attack

• The Cyber Kill Chain outlines the steps of an attack (cont'd):
  – 6. Command and Control: the compromised system connects back to the attacker so that it can be remotely controlled
  – 7. Actions on Objectives: the attackers can now start to take actions to achieve their original objectives
Defenses Against Attacks

• Five fundamental security principles for defenses:
  – Layering
  – Limiting
  – Diversity
  – Obscurity
  – Simplicity
Layering

• Information security must be created in layers
  – A single defense mechanism may be easy to circumvent
  – Layers make it unlikely that an attacker can break through all of them
• Layered security approach
  – Can be useful in resisting a variety of attacks
  – Provides the most comprehensive protection
Limiting

• Limiting access to information reduces the threat against it
• Only those who must use the data should be granted access (the principle of least privilege)
  – Access should be limited to only what they need to do their job
• Methods of limiting access
  – Technology-based, such as file permissions
  – Procedural, such as prohibiting document removal from the premises
Diversity

• Closely related to layering
  – Layers must be different (diverse)
• If attackers penetrate one layer:
  – The same techniques will be unsuccessful in breaking through other layers
• Breaching one security layer does not compromise the whole system
• Example of diversity
  – Using security products from different manufacturers
Obscurity

• Obscuring inside details from outsiders
• Example: not revealing details such as
  – Type of computer
  – Operating system version
  – Brand of software used
• It is more difficult for an attacker to devise an attack if the system details are unknown
• Obscurity supplements the other principles but must never be relied on alone: assume the attacker can eventually learn the details, and make sure the system stays secure when they do
Simplicity

• The nature of information security is complex
• Complex security systems:
  – Can be difficult to understand and troubleshoot
  – Are often compromised for ease of use by trusted users
• A secure system should be simple from the inside
  – But complex from the outside
Summary

• Information security attacks have grown sharply in recent years
• It is difficult to defend against today's attacks
• Information security protects information's integrity, confidentiality, and availability:
  – On devices that store, manipulate, and transmit information
  – Using products, people, and procedures
Summary
• Main goals of information security
  – Prevent data theft
  – Thwart identity theft
  – Avoid legal consequences of not securing information
  – Maintain productivity
  – Foil cyberterrorism
• Different types of people with different motivations conduct computer attacks
• An attack has seven general steps, known as the Cyber Kill Chain